From 02cd26f95be94de0e92c0b9b05c242c2b57c4267 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 21 Mar 2026 21:10:47 -0400 Subject: [PATCH] Fixes for all trees 
Signed-off-by: Sasha Levin --- .../bluetooth-hidp-fix-possible-uaf.patch | 237 +++++++++++ ...ap-disconnect-if-received-packet-s-s.patch | 55 +++ ...ap-disconnect-if-sum-of-payload-size.patch | 39 ++ ...th-smp-make-sm-per-kdu-bi-04-c-happy.patch | 36 ++ ...inter-dereference-in-icmp_tag_valida.patch | 68 +++ ...update-of-skb-tail-in-igc_xmit_frame.patch | 45 ++ ...t-bcmgenet-increase-wol-poll-timeout.patch | 38 ++ ...null-deref-in-bond_debug_rlb_hash_sh.patch | 87 ++++ ...fix-missing-clk_disable_unprepare-in.patch | 57 +++ ...et-macb-fix-uninitialized-rx_fs_lock.patch | 78 ++++ ...l-pointer-dereference-in-rose_transm.patch | 64 +++ ...o-not-perform-pm-inside-suspend-call.patch | 69 +++ ...ink-fix-use-after-free-in-ctnetlink_.patch | 123 ++++++ ...ink-remove-refcounting-in-expectatio.patch | 165 ++++++++ ...ntrack_h323-check-for-zero-length-in.patch | 47 +++ ...ntrack_h323-fix-oob-read-in-decode_i.patch | 48 +++ ...ntrack_sip-fix-content-length-u32-tr.patch | 66 +++ ...-add-seqadj-extension-for-natted-con.patch | 114 +++++ ...-drop-pending-enqueued-packets-on-re.patch | 70 +++ ...drop-pending-enqueued-packets-on-tem.patch | 54 +++ ...e-use-unsigned-int-for-monthday-bit-.patch | 53 +++ ...lidate-individual-option-lengths-in-.patch | 83 ++++ ...-race-condition-related-to-device-re.patch | 126 ++++++ ...lidate-the-handling-of-two-special-c.patch | 133 ++++++ queue-5.10/series | 29 ++ ...ix-race-condition-in-qman_destroy_fq.patch | 92 ++++ ...ull-deref-caused-by-udp_sock_create6.patch | 64 +++ ...ncel-pmsr_free_wk-in-cfg80211_pmsr_w.patch | 51 +++ ...fix-null-deref-in-mesh_matches_local.patch | 81 ++++ ...rn-enomem-instead-of-eagain-if-there.patch | 54 +++ ...ix-previous-acpi_processor_errata_pi.patch | 74 ++++ .../bluetooth-hidp-fix-possible-uaf.patch | 237 +++++++++++ ...ap-disconnect-if-received-packet-s-s.patch | 55 +++ ...ap-disconnect-if-sum-of-payload-size.patch | 39 ++ ...x-rom-version-reading-on-wcn3998-chi.patch | 46 ++ 
...th-smp-make-sm-per-kdu-bi-04-c-happy.patch | 36 ++ ...er-fix-misleading-root-drop_level-er.patch | 38 ++ ...i-fix-device_node-reference-leak-in-.patch | 58 +++ ...inter-dereference-in-icmp_tag_valida.patch | 68 +++ ...update-of-skb-tail-in-igc_xmit_frame.patch | 45 ++ ...t-bcmgenet-increase-wol-poll-timeout.patch | 38 ++ ...null-deref-in-bond_debug_rlb_hash_sh.patch | 87 ++++ ...fix-missing-clk_disable_unprepare-in.patch | 59 +++ ...et-macb-fix-uninitialized-rx_fs_lock.patch | 78 ++++ ...-after-free-in-mana_hwc_destroy_chan.patch | 67 +++ ...-mana-improve-the-hwc-error-handling.patch | 218 ++++++++++ ...flow-control-update-with-global_tx_f.patch | 86 ++++ ...l-pointer-dereference-in-rose_transm.patch | 64 +++ ...-dereference-and-uaf-in-smc_tcp_syn_.patch | 208 +++++++++ ...slab-out-of-bounds-issue-in-fallback.patch | 220 ++++++++++ ...e-the-original-clcsock-callback-func.patch | 204 +++++++++ ...o-not-perform-pm-inside-suspend-call.patch | 69 +++ ...ink-fix-use-after-free-in-ctnetlink_.patch | 123 ++++++ ...ink-remove-refcounting-in-expectatio.patch | 165 ++++++++ ...ntrack_h323-check-for-zero-length-in.patch | 47 +++ ...ntrack_h323-fix-oob-read-in-decode_i.patch | 48 +++ ...ntrack_sip-fix-content-length-u32-tr.patch | 66 +++ ...-add-seqadj-extension-for-natted-con.patch | 114 +++++ ...-drop-pending-enqueued-packets-on-re.patch | 70 +++ ...drop-pending-enqueued-packets-on-tem.patch | 54 +++ ...e-use-unsigned-int-for-monthday-bit-.patch | 53 +++ ...lidate-individual-option-lengths-in-.patch | 83 ++++ ...-based-auto-release-via-__free-devic.patch | 72 ++++ ...-race-condition-related-to-device-re.patch | 126 ++++++ ...lidate-the-handling-of-two-special-c.patch | 133 ++++++ queue-5.15/series | 41 ++ ...ix-race-condition-in-qman_destroy_fq.patch | 92 ++++ ...ull-deref-caused-by-udp_sock_create6.patch | 64 +++ ...ncel-pmsr_free_wk-in-cfg80211_pmsr_w.patch | 51 +++ ...fix-null-deref-in-mesh_matches_local.patch | 81 ++++ ...x-static_branch_dec-underflow-for-aq.patch | 
112 +++++ ...rn-enomem-instead-of-eagain-if-there.patch | 54 +++ ...ix-previous-acpi_processor_errata_pi.patch | 74 ++++ ...hci_sync-fix-hci_le_create_conn_sync.patch | 52 +++ .../bluetooth-hidp-fix-possible-uaf.patch | 237 +++++++++++ ...ap-disconnect-if-received-packet-s-s.patch | 55 +++ ...ap-disconnect-if-sum-of-payload-size.patch | 39 ++ ...x-rom-version-reading-on-wcn3998-chi.patch | 46 ++ ...th-smp-make-sm-per-kdu-bi-04-c-happy.patch | 36 ++ ...er-fix-misleading-root-drop_level-er.patch | 38 ++ ...i-fix-device_node-reference-leak-in-.patch | 58 +++ ...-vlan-filter-lost-on-add-delete-race.patch | 70 +++ ...inter-dereference-in-icmp_tag_valida.patch | 68 +++ ...update-of-skb-tail-in-igc_xmit_frame.patch | 45 ++ ...t-bcmgenet-increase-wol-poll-timeout.patch | 38 ++ ...null-deref-in-bond_debug_rlb_hash_sh.patch | 87 ++++ ...fix-missing-clk_disable_unprepare-in.patch | 59 +++ ...et-macb-fix-uninitialized-rx_fs_lock.patch | 78 ++++ ...-after-free-in-mana_hwc_destroy_chan.patch | 67 +++ ...flow-control-update-with-global_tx_f.patch | 86 ++++ ...l-pointer-dereference-in-rose_transm.patch | 64 +++ ...-fix-double-free-in-teql_master_xmit.patch | 202 +++++++++ ...-dereference-and-uaf-in-smc_tcp_syn_.patch | 208 +++++++++ ...o-not-perform-pm-inside-suspend-call.patch | 69 +++ ...ink-fix-use-after-free-in-ctnetlink_.patch | 123 ++++++ ...ink-remove-refcounting-in-expectatio.patch | 165 ++++++++ ...ntrack_h323-check-for-zero-length-in.patch | 47 +++ ...ntrack_h323-fix-oob-read-in-decode_i.patch | 48 +++ ...ntrack_sip-fix-content-length-u32-tr.patch | 66 +++ ...les-release-flowtable-after-rcu-grac.patch | 51 +++ ...-add-seqadj-extension-for-natted-con.patch | 114 +++++ ...-drop-pending-enqueued-packets-on-re.patch | 70 +++ ...drop-pending-enqueued-packets-on-tem.patch | 54 +++ ...e-use-unsigned-int-for-monthday-bit-.patch | 53 +++ ...lidate-individual-option-lengths-in-.patch | 83 ++++ ...-race-condition-related-to-device-re.patch | 126 ++++++ 
...lidate-the-handling-of-two-special-c.patch | 133 ++++++ queue-6.1/series | 41 ++ ...ix-race-condition-in-qman_destroy_fq.patch | 92 ++++ ...ull-deref-caused-by-udp_sock_create6.patch | 64 +++ ...ncel-pmsr_free_wk-in-cfg80211_pmsr_w.patch | 51 +++ ...fix-null-deref-in-mesh_matches_local.patch | 81 ++++ ...x-static_branch_dec-underflow-for-aq.patch | 112 +++++ ...rn-enomem-instead-of-eagain-if-there.patch | 54 +++ ...ix-previous-acpi_processor_errata_pi.patch | 74 ++++ ...4-dts-renesas-r9a09g057-add-rtc-node.patch | 50 +++ ...sas-r9a09g057-remove-wdt-0-2-3-nodes.patch | 82 ++++ ...hci_sync-fix-hci_le_create_conn_sync.patch | 52 +++ .../bluetooth-hidp-fix-possible-uaf.patch | 237 +++++++++++ ...h-iso-fix-defer-tests-being-unstable.patch | 49 +++ ...fix-use-after-free-in-l2cap_unregist.patch | 90 ++++ ...ap-disconnect-if-received-packet-s-s.patch | 55 +++ ...ap-disconnect-if-sum-of-payload-size.patch | 39 ++ ...ix-list-corruption-and-uaf-in-comman.patch | 67 +++ ...x-rom-version-reading-on-wcn3998-chi.patch | 46 ++ ...th-smp-make-sm-per-kdu-bi-04-c-happy.patch | 36 ++ ...potential-infinite-loop-in-bond_head.patch | 205 +++++++++ ...-race-condition-in-peer_mep-deletion.patch | 75 ++++ ...ntries-when-logging-parent-dir-of-a-.patch | 99 +++++ ...er-fix-misleading-root-drop_level-er.patch | 38 ++ ...-device-node-reference-leak-in-ax45m.patch | 46 ++ ...ix-device-node-leak-in-starlink_cach.patch | 44 ++ ...fter-free-in-init-destroy-rollback-a.patch | 116 +++++ ...-remove-vm_id-argument-in-ffa_rxtx_u.patch | 77 ++++ ...i-fix-device_node-reference-leak-in-.patch | 58 +++ ...-vlan-filter-lost-on-add-delete-race.patch | 70 +++ ...inter-dereference-in-icmp_tag_valida.patch | 68 +++ ...update-of-skb-tail-in-igc_xmit_frame.patch | 45 ++ ...-fault-in-xdp-tx-timestamps-handling.patch | 118 ++++++ ...-unregister_netdevice_notifier-to-mp.patch | 37 ++ ...se-memory-configuration-in-airoha_fe.patch | 51 +++ ...completion-queue-data-in-airoha_qdma.patch | 102 +++++ 
...default-pse-reserved-pages-value-bef.patch | 62 +++ ...ove-airoha_dev_stop-in-airoha_remove.patch | 40 ++ ...t-bcmgenet-increase-wol-poll-timeout.patch | 38 ++ ...null-deref-in-bond_debug_rlb_hash_sh.patch | 87 ++++ ...fix-missing-clk_disable_unprepare-in.patch | 59 +++ ...et-macb-fix-uninitialized-rx_fs_lock.patch | 78 ++++ ...-after-free-in-mana_hwc_destroy_chan.patch | 67 +++ ...trict-rtnl-area-to-avoid-a-lock-cycl.patch | 112 +++++ ...ce-condition-during-ipsec-esn-update.patch | 128 ++++++ ...t-concurrent-access-to-ipsec-aso-con.patch | 115 +++++ ...flow-control-update-with-global_tx_f.patch | 86 ++++ ...l-pointer-dereference-in-rose_transm.patch | 64 +++ ...-fix-double-free-in-teql_master_xmit.patch | 202 +++++++++ ...-dereference-and-uaf-in-smc_tcp_syn_.patch | 208 +++++++++ ...o-not-perform-pm-inside-suspend-call.patch | 69 +++ ...add-ndpoffset-to-ndp16-nframes-bound.patch | 65 +++ ...add-ndpoffset-to-ndp32-nframes-bound.patch | 54 +++ ...fer-hook-memory-release-until-rcu-re.patch | 47 +++ ...ink-fix-use-after-free-in-ctnetlink_.patch | 123 ++++++ ...ink-remove-refcounting-in-expectatio.patch | 165 ++++++++ ...ntrack_h323-check-for-zero-length-in.patch | 47 +++ ...ntrack_h323-fix-oob-read-in-decode_i.patch | 48 +++ ...ntrack_sip-fix-content-length-u32-tr.patch | 66 +++ ...les-release-flowtable-after-rcu-grac.patch | 51 +++ ...-drop-pending-enqueued-packets-on-re.patch | 70 +++ ...drop-pending-enqueued-packets-on-tem.patch | 54 +++ ...e-use-unsigned-int-for-monthday-bit-.patch | 53 +++ ...nset-fix-possible-stateful-expressio.patch | 107 +++++ ...lidate-individual-option-lengths-in-.patch | 83 ++++ ...-race-condition-related-to-device-re.patch | 126 ++++++ ...lidate-the-handling-of-two-special-c.patch | 133 ++++++ queue-6.12/series | 68 +++ ...-fix-error-check-for-devm_ioremap_re.patch | 42 ++ ...ix-race-condition-in-qman_destroy_fq.patch | 92 ++++ ...fs-fix-memory-leak-in-mpfs_sys_contr.patch | 70 +++ ...-add-missing-of_node_put-when-return.patch | 39 ++ 
...ull-deref-caused-by-udp_sock_create6.patch | 64 +++ ...ncel-pmsr_free_wk-in-cfg80211_pmsr_w.patch | 51 +++ ...fix-null-deref-in-mesh_matches_local.patch | 81 ++++ ...x-static_branch_dec-underflow-for-aq.patch | 112 +++++ ...rn-enomem-instead-of-eagain-if-there.patch | 54 +++ ...ix-previous-acpi_processor_errata_pi.patch | 74 ++++ ...ca-update-the-format-of-arg3-of-_dsm.patch | 37 ++ ...4-dts-renesas-r9a09g057-add-rtc-node.patch | 50 +++ ...sas-r9a09g057-remove-wdt-0-2-3-nodes.patch | 82 ++++ ...s-r9a09g077-fix-cpg-register-region-.patch | 42 ++ ...s-r9a09g087-fix-cpg-register-region-.patch | 42 ++ ...s-rzg3s-smarc-som-set-bypass-for-ver.patch | 73 ++++ ...s-rzt2h-n2h-evk-add-ramp-delay-for-s.patch | 53 +++ ...s-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch | 53 +++ ...hci_sync-fix-hci_le_create_conn_sync.patch | 52 +++ .../bluetooth-hidp-fix-possible-uaf.patch | 237 +++++++++++ ...h-iso-fix-defer-tests-being-unstable.patch | 49 +++ ...fix-use-after-free-in-l2cap_unregist.patch | 90 ++++ ...ap-disconnect-if-received-packet-s-s.patch | 55 +++ ...ap-disconnect-if-sum-of-payload-size.patch | 39 ++ ...ix-list-corruption-and-uaf-in-comman.patch | 67 +++ ...x-rom-version-reading-on-wcn3998-chi.patch | 46 ++ ...th-smp-make-sm-per-kdu-bi-04-c-happy.patch | 36 ++ ...potential-infinite-loop-in-bond_head.patch | 205 +++++++++ ...-race-condition-in-peer_mep-deletion.patch | 75 ++++ ...ntries-when-logging-parent-dir-of-a-.patch | 99 +++++ ...er-fix-misleading-root-drop_level-er.patch | 38 ++ ...-device-node-reference-leak-in-ax45m.patch | 46 ++ ...ix-device-node-leak-in-starlink_cach.patch | 44 ++ ...fter-free-in-init-destroy-rollback-a.patch | 116 +++++ ...-ccp-fix-leaking-the-same-page-twice.patch | 56 +++ ...-remove-vm_id-argument-in-ffa_rxtx_u.patch | 77 ++++ ...i-fix-null-dereference-on-notify-err.patch | 52 +++ ...i-fix-device_node-reference-leak-in-.patch | 58 +++ ...-vlan-filter-lost-on-add-delete-race.patch | 70 +++ ...inter-dereference-in-icmp_tag_valida.patch | 68 +++ 
...update-of-skb-tail-in-igc_xmit_frame.patch | 45 ++ ...-fault-in-xdp-tx-timestamps-handling.patch | 118 ++++++ .../libie-prevent-memleak-in-fwlog-code.patch | 152 +++++++ ...-unregister_netdevice_notifier-to-mp.patch | 37 ++ ...lass-name-family-in-pm_nl_create_lis.patch | 39 ++ ...ove-airoha_dev_stop-in-airoha_remove.patch | 40 ++ ...t-bcmgenet-increase-wol-poll-timeout.patch | 38 ++ ...null-deref-in-bond_debug_rlb_hash_sh.patch | 87 ++++ ...fix-missing-clk_disable_unprepare-in.patch | 59 +++ ...et-macb-fix-uninitialized-rx_fs_lock.patch | 78 ++++ ...-after-free-in-mana_hwc_destroy_chan.patch | 67 +++ ...trict-rtnl-area-to-avoid-a-lock-cycl.patch | 112 +++++ ...ce-condition-during-ipsec-esn-update.patch | 128 ++++++ ...t-concurrent-access-to-ipsec-aso-con.patch | 115 +++++ ...flow-control-update-with-global_tx_f.patch | 86 ++++ ...l-pointer-dereference-in-rose_transm.patch | 64 +++ ...-fix-double-free-in-teql_master_xmit.patch | 202 +++++++++ ...tect-from-late-creation-of-hierarchy.patch | 397 ++++++++++++++++++ ...ct-late-read-accesses-to-the-hierarc.patch | 94 +++++ ...-dereference-and-uaf-in-smc_tcp_syn_.patch | 208 +++++++++ ...o-not-perform-pm-inside-suspend-call.patch | 69 +++ ...add-ndpoffset-to-ndp16-nframes-bound.patch | 65 +++ ...add-ndpoffset-to-ndp32-nframes-bound.patch | 54 +++ ...-drop-psp-ext-ref-on-forward-failure.patch | 53 +++ ...fer-hook-memory-release-until-rcu-re.patch | 47 +++ ...ink-fix-use-after-free-in-ctnetlink_.patch | 123 ++++++ ...ntrack_h323-check-for-zero-length-in.patch | 47 +++ ...ntrack_h323-fix-oob-read-in-decode_i.patch | 48 +++ ...ntrack_sip-fix-content-length-u32-tr.patch | 66 +++ ...les-release-flowtable-after-rcu-grac.patch | 51 +++ ...-drop-pending-enqueued-packets-on-re.patch | 70 +++ ...drop-pending-enqueued-packets-on-tem.patch | 54 +++ ...e-use-unsigned-int-for-monthday-bit-.patch | 53 +++ ...nset-fix-possible-stateful-expressio.patch | 107 +++++ ...lidate-individual-option-lengths-in-.patch | 83 ++++ 
...-race-condition-related-to-device-re.patch | 126 ++++++ ...lidate-the-handling-of-two-special-c.patch | 133 ++++++ queue-6.18/series | 81 ++++ ...-fix-error-check-for-devm_ioremap_re.patch | 42 ++ ...ix-race-condition-in-qman_destroy_fq.patch | 92 ++++ ...fs-fix-memory-leak-in-mpfs_sys_contr.patch | 70 +++ ...-add-missing-of_node_put-when-return.patch | 39 ++ ...m-remove-refcounting-of-kernel-pages.patch | 93 ++++ ...ull-deref-caused-by-udp_sock_create6.patch | 64 +++ ...ncel-pmsr_free_wk-in-cfg80211_pmsr_w.patch | 51 +++ ...ways-free-skb-on-ieee80211_tx_prepar.patch | 120 ++++++ ...fix-null-deref-in-mesh_matches_local.patch | 81 ++++ ...x-static_branch_dec-underflow-for-aq.patch | 112 +++++ ...emove-keys-after-disabling-beaconing.patch | 56 +++ ...e-jiffies_delta_to_msecs-for-sta_inf.patch | 54 +++ ...rn-enomem-instead-of-eagain-if-there.patch | 54 +++ ...ix-previous-acpi_processor_errata_pi.patch | 74 ++++ ...ca-update-the-format-of-arg3-of-_dsm.patch | 37 ++ ...ix-give-up-gc-if-msg_peek-intervened.patch | 256 +++++++++++ ...s-r8a78000-fix-out-of-range-spi-inte.patch | 99 +++++ ...sas-r9a09g057-remove-wdt-0-2-3-nodes.patch | 82 ++++ ...s-r9a09g077-fix-cpg-register-region-.patch | 42 ++ ...s-r9a09g087-fix-cpg-register-region-.patch | 42 ++ ...s-rzg3s-smarc-som-set-bypass-for-ver.patch | 73 ++++ ...s-rzt2h-n2h-evk-add-ramp-delay-for-s.patch | 53 +++ ...s-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch | 53 +++ ...hci_sync-fix-hci_le_create_conn_sync.patch | 52 +++ .../bluetooth-hidp-fix-possible-uaf.patch | 237 +++++++++++ ...h-iso-fix-defer-tests-being-unstable.patch | 49 +++ ...fix-use-after-free-in-l2cap_unregist.patch | 90 ++++ ...ap-disconnect-if-received-packet-s-s.patch | 55 +++ ...ap-disconnect-if-sum-of-payload-size.patch | 39 ++ ...ix-list-corruption-and-uaf-in-comman.patch | 67 +++ ...x-rom-version-reading-on-wcn3998-chi.patch | 46 ++ ...th-smp-make-sm-per-kdu-bi-04-c-happy.patch | 36 ++ ...potential-infinite-loop-in-bond_head.patch | 205 +++++++++ 
...-race-condition-in-peer_mep-deletion.patch | 75 ++++ ...ntries-when-logging-parent-dir-of-a-.patch | 99 +++++ ...er-fix-misleading-root-drop_level-er.patch | 38 ++ ...-device-node-reference-leak-in-ax45m.patch | 46 ++ ...ix-device-node-leak-in-starlink_cach.patch | 44 ++ ...fter-free-in-init-destroy-rollback-a.patch | 116 +++++ ...-ccp-fix-leaking-the-same-page-twice.patch | 56 +++ ...-remove-vm_id-argument-in-ffa_rxtx_u.patch | 77 ++++ ...i-fix-null-dereference-on-notify-err.patch | 52 +++ ...i-fix-device_node-reference-leak-in-.patch | 58 +++ ...-vlan-filter-lost-on-add-delete-race.patch | 70 +++ ...inter-dereference-in-icmp_tag_valida.patch | 68 +++ ...update-of-skb-tail-in-igc_xmit_frame.patch | 45 ++ ...-fault-in-xdp-tx-timestamps-handling.patch | 118 ++++++ ...iptunnel_xmit_stats-to-netdev_pcpu_s.patch | 100 +++++ ...d-null-checks-for-idev-in-srv6-paths.patch | 59 +++ .../libie-prevent-memleak-in-fwlog-code.patch | 152 +++++++ ...-unregister_netdevice_notifier-to-mp.patch | 37 ++ ...lass-name-family-in-pm_nl_create_lis.patch | 39 ++ ...ove-airoha_dev_stop-in-airoha_remove.patch | 40 ++ ...t-bcmgenet-increase-wol-poll-timeout.patch | 38 ++ ...null-deref-in-bond_debug_rlb_hash_sh.patch | 87 ++++ ...fix-missing-clk_disable_unprepare-in.patch | 59 +++ ...et-macb-fix-uninitialized-rx_fs_lock.patch | 78 ++++ ...-after-free-in-mana_hwc_destroy_chan.patch | 67 +++ ...trict-rtnl-area-to-avoid-a-lock-cycl.patch | 112 +++++ ...ce-condition-during-ipsec-esn-update.patch | 128 ++++++ ...t-concurrent-access-to-ipsec-aso-con.patch | 115 +++++ ...flow-control-update-with-global_tx_f.patch | 86 ++++ ...l-pointer-dereference-in-rose_transm.patch | 64 +++ ...-fix-double-free-in-teql_master_xmit.patch | 202 +++++++++ ...tect-from-late-creation-of-hierarchy.patch | 397 ++++++++++++++++++ ...ct-late-read-accesses-to-the-hierarc.patch | 94 +++++ ...-dereference-and-uaf-in-smc_tcp_syn_.patch | 208 +++++++++ ...eth-fix-memory-leak-in-xdp_drop-for-.patch | 53 +++ 
...o-not-perform-pm-inside-suspend-call.patch | 69 +++ ...add-ndpoffset-to-ndp16-nframes-bound.patch | 65 +++ ...add-ndpoffset-to-ndp32-nframes-bound.patch | 54 +++ ...-drop-psp-ext-ref-on-forward-failure.patch | 53 +++ ...fer-hook-memory-release-until-rcu-re.patch | 47 +++ ...ack-add-missing-netlink-policy-valid.patch | 64 +++ ...ink-fix-use-after-free-in-ctnetlink_.patch | 123 ++++++ ...ntrack_h323-check-for-zero-length-in.patch | 47 +++ ...ntrack_h323-fix-oob-read-in-decode_i.patch | 48 +++ ...ntrack_sip-fix-content-length-u32-tr.patch | 66 +++ ...w_table_ip-reset-mac-header-before-v.patch | 39 ++ ...les-release-flowtable-after-rcu-grac.patch | 51 +++ ...-drop-pending-enqueued-packets-on-re.patch | 70 +++ ...drop-pending-enqueued-packets-on-tem.patch | 54 +++ ...e-use-unsigned-int-for-monthday-bit-.patch | 53 +++ ...nset-fix-possible-stateful-expressio.patch | 107 +++++ ...lidate-individual-option-lengths-in-.patch | 83 ++++ ...-race-condition-related-to-device-re.patch | 126 ++++++ ...lidate-the-handling-of-two-special-c.patch | 133 ++++++ queue-6.19/series | 87 ++++ ...-fix-error-check-for-devm_ioremap_re.patch | 42 ++ ...ix-race-condition-in-qman_destroy_fq.patch | 92 ++++ ...fs-fix-memory-leak-in-mpfs_sys_contr.patch | 70 +++ ...-add-missing-of_node_put-when-return.patch | 39 ++ ...m-remove-refcounting-of-kernel-pages.patch | 93 ++++ ...ull-deref-caused-by-udp_sock_create6.patch | 64 +++ ...ncel-pmsr_free_wk-in-cfg80211_pmsr_w.patch | 51 +++ ...ways-free-skb-on-ieee80211_tx_prepar.patch | 120 ++++++ ...fix-null-deref-in-mesh_matches_local.patch | 81 ++++ ...x-static_branch_dec-underflow-for-aq.patch | 112 +++++ ...emove-keys-after-disabling-beaconing.patch | 56 +++ ...e-jiffies_delta_to_msecs-for-sta_inf.patch | 54 +++ ...rn-enomem-instead-of-eagain-if-there.patch | 54 +++ ...ix-previous-acpi_processor_errata_pi.patch | 74 ++++ ...hci_sync-fix-hci_le_create_conn_sync.patch | 52 +++ .../bluetooth-hidp-fix-possible-uaf.patch | 237 +++++++++++ 
...h-iso-fix-defer-tests-being-unstable.patch | 49 +++ ...fix-use-after-free-in-l2cap_unregist.patch | 90 ++++ ...ap-disconnect-if-received-packet-s-s.patch | 55 +++ ...ap-disconnect-if-sum-of-payload-size.patch | 39 ++ ...x-rom-version-reading-on-wcn3998-chi.patch | 46 ++ ...th-smp-make-sm-per-kdu-bi-04-c-happy.patch | 36 ++ ...ntries-when-logging-parent-dir-of-a-.patch | 99 +++++ ...er-fix-misleading-root-drop_level-er.patch | 38 ++ ...-device-node-reference-leak-in-ax45m.patch | 46 ++ ...fter-free-in-init-destroy-rollback-a.patch | 116 +++++ ...i-fix-device_node-reference-leak-in-.patch | 58 +++ ...-vlan-filter-lost-on-add-delete-race.patch | 70 +++ ...inter-dereference-in-icmp_tag_valida.patch | 68 +++ ...update-of-skb-tail-in-igc_xmit_frame.patch | 45 ++ ...-unregister_netdevice_notifier-to-mp.patch | 37 ++ ...t-bcmgenet-increase-wol-poll-timeout.patch | 38 ++ ...null-deref-in-bond_debug_rlb_hash_sh.patch | 87 ++++ ...fix-missing-clk_disable_unprepare-in.patch | 59 +++ ...et-macb-fix-uninitialized-rx_fs_lock.patch | 78 ++++ ...-after-free-in-mana_hwc_destroy_chan.patch | 67 +++ ...trict-rtnl-area-to-avoid-a-lock-cycl.patch | 112 +++++ ...ce-condition-during-ipsec-esn-update.patch | 128 ++++++ ...t-concurrent-access-to-ipsec-aso-con.patch | 115 +++++ ...flow-control-update-with-global_tx_f.patch | 86 ++++ ...l-pointer-dereference-in-rose_transm.patch | 64 +++ ...-fix-double-free-in-teql_master_xmit.patch | 202 +++++++++ ...-dereference-and-uaf-in-smc_tcp_syn_.patch | 208 +++++++++ ...o-not-perform-pm-inside-suspend-call.patch | 69 +++ ...add-ndpoffset-to-ndp16-nframes-bound.patch | 65 +++ ...add-ndpoffset-to-ndp32-nframes-bound.patch | 54 +++ ...fer-hook-memory-release-until-rcu-re.patch | 47 +++ ...ink-fix-use-after-free-in-ctnetlink_.patch | 123 ++++++ ...ink-remove-refcounting-in-expectatio.patch | 165 ++++++++ ...ntrack_h323-check-for-zero-length-in.patch | 47 +++ ...ntrack_h323-fix-oob-read-in-decode_i.patch | 48 +++ 
...ntrack_sip-fix-content-length-u32-tr.patch | 66 +++ ...les-release-flowtable-after-rcu-grac.patch | 51 +++ ...-add-seqadj-extension-for-natted-con.patch | 114 +++++ ...-drop-pending-enqueued-packets-on-re.patch | 70 +++ ...drop-pending-enqueued-packets-on-tem.patch | 54 +++ ...e-use-unsigned-int-for-monthday-bit-.patch | 53 +++ ...lidate-individual-option-lengths-in-.patch | 83 ++++ ...-race-condition-related-to-device-re.patch | 126 ++++++ ...lidate-the-handling-of-two-special-c.patch | 133 ++++++ queue-6.6/series | 53 +++ ...ix-race-condition-in-qman_destroy_fq.patch | 92 ++++ ...ull-deref-caused-by-udp_sock_create6.patch | 64 +++ ...ncel-pmsr_free_wk-in-cfg80211_pmsr_w.patch | 51 +++ ...fix-null-deref-in-mesh_matches_local.patch | 81 ++++ ...x-static_branch_dec-underflow-for-aq.patch | 112 +++++ ...rn-enomem-instead-of-eagain-if-there.patch | 54 +++ 407 files changed, 33189 insertions(+) create mode 100644 queue-5.10/bluetooth-hidp-fix-possible-uaf.patch create mode 100644 queue-5.10/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch create mode 100644 queue-5.10/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch create mode 100644 queue-5.10/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch create mode 100644 queue-5.10/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch create mode 100644 queue-5.10/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch create mode 100644 queue-5.10/net-bcmgenet-increase-wol-poll-timeout.patch create mode 100644 queue-5.10/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch create mode 100644 queue-5.10/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch create mode 100644 queue-5.10/net-macb-fix-uninitialized-rx_fs_lock.patch create mode 100644 queue-5.10/net-rose-fix-null-pointer-dereference-in-rose_transm.patch create mode 100644 queue-5.10/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch create mode 100644 
queue-5.10/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch create mode 100644 queue-5.10/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch create mode 100644 queue-5.10/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch create mode 100644 queue-5.10/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch create mode 100644 queue-5.10/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch create mode 100644 queue-5.10/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch create mode 100644 queue-5.10/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch create mode 100644 queue-5.10/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch create mode 100644 queue-5.10/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch create mode 100644 queue-5.10/nfnetlink_osf-validate-individual-option-lengths-in-.patch create mode 100644 queue-5.10/pm-runtime-fix-a-race-condition-related-to-device-re.patch create mode 100644 queue-5.10/sched-idle-consolidate-the-handling-of-two-special-c.patch create mode 100644 queue-5.10/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch create mode 100644 queue-5.10/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch create mode 100644 queue-5.10/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch create mode 100644 queue-5.10/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch create mode 100644 queue-5.10/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch create mode 100644 queue-5.15/acpi-processor-fix-previous-acpi_processor_errata_pi.patch create mode 100644 queue-5.15/bluetooth-hidp-fix-possible-uaf.patch create mode 100644 queue-5.15/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch create mode 100644 queue-5.15/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch create mode 100644 queue-5.15/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch create mode 100644 queue-5.15/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch 
create mode 100644 queue-5.15/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch create mode 100644 queue-5.15/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch create mode 100644 queue-5.15/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch create mode 100644 queue-5.15/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch create mode 100644 queue-5.15/net-bcmgenet-increase-wol-poll-timeout.patch create mode 100644 queue-5.15/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch create mode 100644 queue-5.15/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch create mode 100644 queue-5.15/net-macb-fix-uninitialized-rx_fs_lock.patch create mode 100644 queue-5.15/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch create mode 100644 queue-5.15/net-mana-improve-the-hwc-error-handling.patch create mode 100644 queue-5.15/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch create mode 100644 queue-5.15/net-rose-fix-null-pointer-dereference-in-rose_transm.patch create mode 100644 queue-5.15/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch create mode 100644 queue-5.15/net-smc-fix-slab-out-of-bounds-issue-in-fallback.patch create mode 100644 queue-5.15/net-smc-only-save-the-original-clcsock-callback-func.patch create mode 100644 queue-5.15/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch create mode 100644 queue-5.15/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch create mode 100644 queue-5.15/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch create mode 100644 queue-5.15/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch create mode 100644 queue-5.15/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch create mode 100644 queue-5.15/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch create mode 100644 queue-5.15/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch create mode 100644 
queue-5.15/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch create mode 100644 queue-5.15/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch create mode 100644 queue-5.15/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch create mode 100644 queue-5.15/nfnetlink_osf-validate-individual-option-lengths-in-.patch create mode 100644 queue-5.15/of-add-cleanup.h-based-auto-release-via-__free-devic.patch create mode 100644 queue-5.15/pm-runtime-fix-a-race-condition-related-to-device-re.patch create mode 100644 queue-5.15/sched-idle-consolidate-the-handling-of-two-special-c.patch create mode 100644 queue-5.15/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch create mode 100644 queue-5.15/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch create mode 100644 queue-5.15/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch create mode 100644 queue-5.15/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch create mode 100644 queue-5.15/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch create mode 100644 queue-5.15/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch create mode 100644 queue-6.1/acpi-processor-fix-previous-acpi_processor_errata_pi.patch create mode 100644 queue-6.1/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch create mode 100644 queue-6.1/bluetooth-hidp-fix-possible-uaf.patch create mode 100644 queue-6.1/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch create mode 100644 queue-6.1/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch create mode 100644 queue-6.1/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch create mode 100644 queue-6.1/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch create mode 100644 queue-6.1/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch create mode 100644 queue-6.1/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch create mode 100644 queue-6.1/iavf-fix-vlan-filter-lost-on-add-delete-race.patch create mode 100644 
queue-6.1/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch create mode 100644 queue-6.1/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch create mode 100644 queue-6.1/net-bcmgenet-increase-wol-poll-timeout.patch create mode 100644 queue-6.1/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch create mode 100644 queue-6.1/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch create mode 100644 queue-6.1/net-macb-fix-uninitialized-rx_fs_lock.patch create mode 100644 queue-6.1/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch create mode 100644 queue-6.1/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch create mode 100644 queue-6.1/net-rose-fix-null-pointer-dereference-in-rose_transm.patch create mode 100644 queue-6.1/net-sched-teql-fix-double-free-in-teql_master_xmit.patch create mode 100644 queue-6.1/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch create mode 100644 queue-6.1/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch create mode 100644 queue-6.1/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch create mode 100644 queue-6.1/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch create mode 100644 queue-6.1/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch create mode 100644 queue-6.1/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch create mode 100644 queue-6.1/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch create mode 100644 queue-6.1/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch create mode 100644 queue-6.1/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch create mode 100644 queue-6.1/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch create mode 100644 queue-6.1/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch create mode 100644 queue-6.1/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch create mode 100644 queue-6.1/nfnetlink_osf-validate-individual-option-lengths-in-.patch create mode 100644 
queue-6.1/pm-runtime-fix-a-race-condition-related-to-device-re.patch create mode 100644 queue-6.1/sched-idle-consolidate-the-handling-of-two-special-c.patch create mode 100644 queue-6.1/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch create mode 100644 queue-6.1/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch create mode 100644 queue-6.1/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch create mode 100644 queue-6.1/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch create mode 100644 queue-6.1/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch create mode 100644 queue-6.1/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch create mode 100644 queue-6.12/acpi-processor-fix-previous-acpi_processor_errata_pi.patch create mode 100644 queue-6.12/arm64-dts-renesas-r9a09g057-add-rtc-node.patch create mode 100644 queue-6.12/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch create mode 100644 queue-6.12/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch create mode 100644 queue-6.12/bluetooth-hidp-fix-possible-uaf.patch create mode 100644 queue-6.12/bluetooth-iso-fix-defer-tests-being-unstable.patch create mode 100644 queue-6.12/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch create mode 100644 queue-6.12/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch create mode 100644 queue-6.12/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch create mode 100644 queue-6.12/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch create mode 100644 queue-6.12/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch create mode 100644 queue-6.12/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch create mode 100644 queue-6.12/bonding-prevent-potential-infinite-loop-in-bond_head.patch create mode 100644 queue-6.12/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch create mode 100644 queue-6.12/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch create mode 100644 
queue-6.12/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch create mode 100644 queue-6.12/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch create mode 100644 queue-6.12/cache-starfive-fix-device-node-leak-in-starlink_cach.patch create mode 100644 queue-6.12/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch create mode 100644 queue-6.12/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch create mode 100644 queue-6.12/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch create mode 100644 queue-6.12/iavf-fix-vlan-filter-lost-on-add-delete-race.patch create mode 100644 queue-6.12/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch create mode 100644 queue-6.12/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch create mode 100644 queue-6.12/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch create mode 100644 queue-6.12/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch create mode 100644 queue-6.12/net-airoha-fix-pse-memory-configuration-in-airoha_fe.patch create mode 100644 queue-6.12/net-airoha-read-completion-queue-data-in-airoha_qdma.patch create mode 100644 queue-6.12/net-airoha-read-default-pse-reserved-pages-value-bef.patch create mode 100644 queue-6.12/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch create mode 100644 queue-6.12/net-bcmgenet-increase-wol-poll-timeout.patch create mode 100644 queue-6.12/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch create mode 100644 queue-6.12/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch create mode 100644 queue-6.12/net-macb-fix-uninitialized-rx_fs_lock.patch create mode 100644 queue-6.12/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch create mode 100644 queue-6.12/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch create mode 100644 queue-6.12/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch create mode 100644 queue-6.12/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch create mode 
100644 queue-6.12/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch create mode 100644 queue-6.12/net-rose-fix-null-pointer-dereference-in-rose_transm.patch create mode 100644 queue-6.12/net-sched-teql-fix-double-free-in-teql_master_xmit.patch create mode 100644 queue-6.12/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch create mode 100644 queue-6.12/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch create mode 100644 queue-6.12/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch create mode 100644 queue-6.12/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch create mode 100644 queue-6.12/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch create mode 100644 queue-6.12/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch create mode 100644 queue-6.12/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch create mode 100644 queue-6.12/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch create mode 100644 queue-6.12/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch create mode 100644 queue-6.12/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch create mode 100644 queue-6.12/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch create mode 100644 queue-6.12/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch create mode 100644 queue-6.12/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch create mode 100644 queue-6.12/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch create mode 100644 queue-6.12/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch create mode 100644 queue-6.12/nfnetlink_osf-validate-individual-option-lengths-in-.patch create mode 100644 queue-6.12/pm-runtime-fix-a-race-condition-related-to-device-re.patch create mode 100644 queue-6.12/sched-idle-consolidate-the-handling-of-two-special-c.patch create mode 100644 queue-6.12/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch create mode 100644 
queue-6.12/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch create mode 100644 queue-6.12/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch create mode 100644 queue-6.12/soc-rockchip-grf-add-missing-of_node_put-when-return.patch create mode 100644 queue-6.12/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch create mode 100644 queue-6.12/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch create mode 100644 queue-6.12/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch create mode 100644 queue-6.12/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch create mode 100644 queue-6.12/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch create mode 100644 queue-6.18/acpi-processor-fix-previous-acpi_processor_errata_pi.patch create mode 100644 queue-6.18/acpica-update-the-format-of-arg3-of-_dsm.patch create mode 100644 queue-6.18/arm64-dts-renesas-r9a09g057-add-rtc-node.patch create mode 100644 queue-6.18/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch create mode 100644 queue-6.18/arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch create mode 100644 queue-6.18/arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch create mode 100644 queue-6.18/arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch create mode 100644 queue-6.18/arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch create mode 100644 queue-6.18/arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch create mode 100644 queue-6.18/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch create mode 100644 queue-6.18/bluetooth-hidp-fix-possible-uaf.patch create mode 100644 queue-6.18/bluetooth-iso-fix-defer-tests-being-unstable.patch create mode 100644 queue-6.18/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch create mode 100644 queue-6.18/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch create mode 100644 queue-6.18/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch create mode 100644 
queue-6.18/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch create mode 100644 queue-6.18/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch create mode 100644 queue-6.18/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch create mode 100644 queue-6.18/bonding-prevent-potential-infinite-loop-in-bond_head.patch create mode 100644 queue-6.18/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch create mode 100644 queue-6.18/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch create mode 100644 queue-6.18/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch create mode 100644 queue-6.18/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch create mode 100644 queue-6.18/cache-starfive-fix-device-node-leak-in-starlink_cach.patch create mode 100644 queue-6.18/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch create mode 100644 queue-6.18/crypto-ccp-fix-leaking-the-same-page-twice.patch create mode 100644 queue-6.18/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch create mode 100644 queue-6.18/firmware-arm_scmi-fix-null-dereference-on-notify-err.patch create mode 100644 queue-6.18/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch create mode 100644 queue-6.18/iavf-fix-vlan-filter-lost-on-add-delete-race.patch create mode 100644 queue-6.18/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch create mode 100644 queue-6.18/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch create mode 100644 queue-6.18/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch create mode 100644 queue-6.18/libie-prevent-memleak-in-fwlog-code.patch create mode 100644 queue-6.18/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch create mode 100644 queue-6.18/mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch create mode 100644 queue-6.18/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch create mode 100644 queue-6.18/net-bcmgenet-increase-wol-poll-timeout.patch create mode 100644 
queue-6.18/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch create mode 100644 queue-6.18/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch create mode 100644 queue-6.18/net-macb-fix-uninitialized-rx_fs_lock.patch create mode 100644 queue-6.18/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch create mode 100644 queue-6.18/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch create mode 100644 queue-6.18/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch create mode 100644 queue-6.18/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch create mode 100644 queue-6.18/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch create mode 100644 queue-6.18/net-rose-fix-null-pointer-dereference-in-rose_transm.patch create mode 100644 queue-6.18/net-sched-teql-fix-double-free-in-teql_master_xmit.patch create mode 100644 queue-6.18/net-shaper-protect-from-late-creation-of-hierarchy.patch create mode 100644 queue-6.18/net-shaper-protect-late-read-accesses-to-the-hierarc.patch create mode 100644 queue-6.18/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch create mode 100644 queue-6.18/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch create mode 100644 queue-6.18/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch create mode 100644 queue-6.18/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch create mode 100644 queue-6.18/netdevsim-drop-psp-ext-ref-on-forward-failure.patch create mode 100644 queue-6.18/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch create mode 100644 queue-6.18/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch create mode 100644 queue-6.18/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch create mode 100644 queue-6.18/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch create mode 100644 queue-6.18/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch create mode 100644 
queue-6.18/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch create mode 100644 queue-6.18/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch create mode 100644 queue-6.18/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch create mode 100644 queue-6.18/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch create mode 100644 queue-6.18/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch create mode 100644 queue-6.18/nfnetlink_osf-validate-individual-option-lengths-in-.patch create mode 100644 queue-6.18/pm-runtime-fix-a-race-condition-related-to-device-re.patch create mode 100644 queue-6.18/sched-idle-consolidate-the-handling-of-two-special-c.patch create mode 100644 queue-6.18/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch create mode 100644 queue-6.18/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch create mode 100644 queue-6.18/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch create mode 100644 queue-6.18/soc-rockchip-grf-add-missing-of_node_put-when-return.patch create mode 100644 queue-6.18/tee-shm-remove-refcounting-of-kernel-pages.patch create mode 100644 queue-6.18/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch create mode 100644 queue-6.18/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch create mode 100644 queue-6.18/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch create mode 100644 queue-6.18/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch create mode 100644 queue-6.18/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch create mode 100644 queue-6.18/wifi-mac80211-remove-keys-after-disabling-beaconing.patch create mode 100644 queue-6.18/wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch create mode 100644 queue-6.18/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch create mode 100644 queue-6.19/acpi-processor-fix-previous-acpi_processor_errata_pi.patch create mode 100644 
queue-6.19/acpica-update-the-format-of-arg3-of-_dsm.patch create mode 100644 queue-6.19/af_unix-give-up-gc-if-msg_peek-intervened.patch create mode 100644 queue-6.19/arm64-dts-renesas-r8a78000-fix-out-of-range-spi-inte.patch create mode 100644 queue-6.19/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch create mode 100644 queue-6.19/arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch create mode 100644 queue-6.19/arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch create mode 100644 queue-6.19/arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch create mode 100644 queue-6.19/arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch create mode 100644 queue-6.19/arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch create mode 100644 queue-6.19/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch create mode 100644 queue-6.19/bluetooth-hidp-fix-possible-uaf.patch create mode 100644 queue-6.19/bluetooth-iso-fix-defer-tests-being-unstable.patch create mode 100644 queue-6.19/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch create mode 100644 queue-6.19/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch create mode 100644 queue-6.19/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch create mode 100644 queue-6.19/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch create mode 100644 queue-6.19/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch create mode 100644 queue-6.19/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch create mode 100644 queue-6.19/bonding-prevent-potential-infinite-loop-in-bond_head.patch create mode 100644 queue-6.19/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch create mode 100644 queue-6.19/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch create mode 100644 queue-6.19/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch create mode 100644 queue-6.19/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch create mode 100644 
queue-6.19/cache-starfive-fix-device-node-leak-in-starlink_cach.patch create mode 100644 queue-6.19/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch create mode 100644 queue-6.19/crypto-ccp-fix-leaking-the-same-page-twice.patch create mode 100644 queue-6.19/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch create mode 100644 queue-6.19/firmware-arm_scmi-fix-null-dereference-on-notify-err.patch create mode 100644 queue-6.19/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch create mode 100644 queue-6.19/iavf-fix-vlan-filter-lost-on-add-delete-race.patch create mode 100644 queue-6.19/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch create mode 100644 queue-6.19/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch create mode 100644 queue-6.19/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch create mode 100644 queue-6.19/ip_tunnel-adapt-iptunnel_xmit_stats-to-netdev_pcpu_s.patch create mode 100644 queue-6.19/ipv6-add-null-checks-for-idev-in-srv6-paths.patch create mode 100644 queue-6.19/libie-prevent-memleak-in-fwlog-code.patch create mode 100644 queue-6.19/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch create mode 100644 queue-6.19/mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch create mode 100644 queue-6.19/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch create mode 100644 queue-6.19/net-bcmgenet-increase-wol-poll-timeout.patch create mode 100644 queue-6.19/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch create mode 100644 queue-6.19/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch create mode 100644 queue-6.19/net-macb-fix-uninitialized-rx_fs_lock.patch create mode 100644 queue-6.19/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch create mode 100644 queue-6.19/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch create mode 100644 queue-6.19/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch create mode 100644 
queue-6.19/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch create mode 100644 queue-6.19/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch create mode 100644 queue-6.19/net-rose-fix-null-pointer-dereference-in-rose_transm.patch create mode 100644 queue-6.19/net-sched-teql-fix-double-free-in-teql_master_xmit.patch create mode 100644 queue-6.19/net-shaper-protect-from-late-creation-of-hierarchy.patch create mode 100644 queue-6.19/net-shaper-protect-late-read-accesses-to-the-hierarc.patch create mode 100644 queue-6.19/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch create mode 100644 queue-6.19/net-ti-icssg-prueth-fix-memory-leak-in-xdp_drop-for-.patch create mode 100644 queue-6.19/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch create mode 100644 queue-6.19/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch create mode 100644 queue-6.19/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch create mode 100644 queue-6.19/netdevsim-drop-psp-ext-ref-on-forward-failure.patch create mode 100644 queue-6.19/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch create mode 100644 queue-6.19/netfilter-conntrack-add-missing-netlink-policy-valid.patch create mode 100644 queue-6.19/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch create mode 100644 queue-6.19/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch create mode 100644 queue-6.19/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch create mode 100644 queue-6.19/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch create mode 100644 queue-6.19/netfilter-nf_flow_table_ip-reset-mac-header-before-v.patch create mode 100644 queue-6.19/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch create mode 100644 queue-6.19/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch create mode 100644 queue-6.19/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch create mode 100644 
queue-6.19/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch create mode 100644 queue-6.19/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch create mode 100644 queue-6.19/nfnetlink_osf-validate-individual-option-lengths-in-.patch create mode 100644 queue-6.19/pm-runtime-fix-a-race-condition-related-to-device-re.patch create mode 100644 queue-6.19/sched-idle-consolidate-the-handling-of-two-special-c.patch create mode 100644 queue-6.19/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch create mode 100644 queue-6.19/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch create mode 100644 queue-6.19/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch create mode 100644 queue-6.19/soc-rockchip-grf-add-missing-of_node_put-when-return.patch create mode 100644 queue-6.19/tee-shm-remove-refcounting-of-kernel-pages.patch create mode 100644 queue-6.19/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch create mode 100644 queue-6.19/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch create mode 100644 queue-6.19/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch create mode 100644 queue-6.19/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch create mode 100644 queue-6.19/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch create mode 100644 queue-6.19/wifi-mac80211-remove-keys-after-disabling-beaconing.patch create mode 100644 queue-6.19/wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch create mode 100644 queue-6.19/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch create mode 100644 queue-6.6/acpi-processor-fix-previous-acpi_processor_errata_pi.patch create mode 100644 queue-6.6/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch create mode 100644 queue-6.6/bluetooth-hidp-fix-possible-uaf.patch create mode 100644 queue-6.6/bluetooth-iso-fix-defer-tests-being-unstable.patch create mode 100644 queue-6.6/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch create mode 100644 
queue-6.6/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch create mode 100644 queue-6.6/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch create mode 100644 queue-6.6/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch create mode 100644 queue-6.6/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch create mode 100644 queue-6.6/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch create mode 100644 queue-6.6/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch create mode 100644 queue-6.6/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch create mode 100644 queue-6.6/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch create mode 100644 queue-6.6/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch create mode 100644 queue-6.6/iavf-fix-vlan-filter-lost-on-add-delete-race.patch create mode 100644 queue-6.6/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch create mode 100644 queue-6.6/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch create mode 100644 queue-6.6/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch create mode 100644 queue-6.6/net-bcmgenet-increase-wol-poll-timeout.patch create mode 100644 queue-6.6/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch create mode 100644 queue-6.6/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch create mode 100644 queue-6.6/net-macb-fix-uninitialized-rx_fs_lock.patch create mode 100644 queue-6.6/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch create mode 100644 queue-6.6/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch create mode 100644 queue-6.6/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch create mode 100644 queue-6.6/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch create mode 100644 queue-6.6/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch create mode 100644 queue-6.6/net-rose-fix-null-pointer-dereference-in-rose_transm.patch create mode 100644 
queue-6.6/net-sched-teql-fix-double-free-in-teql_master_xmit.patch create mode 100644 queue-6.6/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch create mode 100644 queue-6.6/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch create mode 100644 queue-6.6/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch create mode 100644 queue-6.6/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch create mode 100644 queue-6.6/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch create mode 100644 queue-6.6/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch create mode 100644 queue-6.6/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch create mode 100644 queue-6.6/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch create mode 100644 queue-6.6/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch create mode 100644 queue-6.6/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch create mode 100644 queue-6.6/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch create mode 100644 queue-6.6/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch create mode 100644 queue-6.6/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch create mode 100644 queue-6.6/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch create mode 100644 queue-6.6/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch create mode 100644 queue-6.6/nfnetlink_osf-validate-individual-option-lengths-in-.patch create mode 100644 queue-6.6/pm-runtime-fix-a-race-condition-related-to-device-re.patch create mode 100644 queue-6.6/sched-idle-consolidate-the-handling-of-two-special-c.patch create mode 100644 queue-6.6/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch create mode 100644 queue-6.6/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch create mode 100644 queue-6.6/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch create mode 100644 queue-6.6/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch 
create mode 100644 queue-6.6/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch create mode 100644 queue-6.6/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
diff --git a/queue-5.10/bluetooth-hidp-fix-possible-uaf.patch b/queue-5.10/bluetooth-hidp-fix-possible-uaf.patch
new file mode 100644
index 0000000000..c539b21f45
--- /dev/null
+++ b/queue-5.10/bluetooth-hidp-fix-possible-uaf.patch
@@ -0,0 +1,237 @@
+From 985d3d6ad7d26a45e14a9e2418f9d5981769e23b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Mar 2026 10:17:47 -0500
+Subject: Bluetooth: HIDP: Fix possible UAF
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit dbf666e4fc9bdd975a61bf682b3f75cb0145eedd ]
+
+This fixes the following trace caused by not dropping l2cap_conn
+reference when user->remove callback is called:
+
+[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
+[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[ 97.809947] Call Trace:
+[ 97.809954]
+[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)
+[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
+[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
+[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
+[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
+[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
+[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
+[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
+[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
+[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 97.810290] ?
rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
+[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
+[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)
+[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
+[ 97.810404] __fput (fs/file_table.c:470)
+[ 97.810430] task_work_run (kernel/task_work.c:235)
+[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)
+[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
+[ 97.810527] do_exit (kernel/exit.c:972)
+[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)
+[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
+[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
+[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[ 97.810721] do_group_exit (kernel/exit.c:1093)
+[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))
+[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
+[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 97.810826] ? vfs_read (fs/read_write.c:555)
+[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)
+[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 97.810905] ?
__pfx_vfs_read (fs/read_write.c:555)
+[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 97.810960] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
+[ 97.810990] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
+[ 97.811021] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 97.811055] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 97.811078] ? ksys_read (fs/read_write.c:707)
+[ 97.811106] ? __pfx_ksys_read (fs/read_write.c:707)
+[ 97.811137] exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
+[ 97.811169] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
+[ 97.811192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 97.811215] ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
+[ 97.811240] do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
+[ 97.811268] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 97.811292] ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
+[ 97.811318] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+[ 97.811338] RIP: 0033:0x445cfe
+[ 97.811352] Code: Unable to access opcode bytes at 0x445cd4.
+
+Code starting with the faulting instruction
+===========================================
+[ 97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
+[ 97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe
+[ 97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004
+[ 97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000
+[ 97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8
+[ 97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0
+[ 97.811453]
+[ 98.402453] ==================================================================
+[ 98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[ 98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430
+[ 98.405361]
+[ 98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[ 98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[ 98.405600] Call Trace:
+[ 98.405607]
+[ 98.405614] dump_stack_lvl (lib/dump_stack.c:122)
+[ 98.405641] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
+[ 98.405667] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 98.405691] ? __virt_addr_valid (arch/x86/mm/physaddr.c:55)
+[ 98.405724] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[ 98.405748] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
+[ 98.405778] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[ 98.405807] __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[ 98.405832] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
+[ 98.405859] ?
l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[ 98.405888] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
+[ 98.405915] ? __pfx___mutex_lock (kernel/locking/mutex.c:775)
+[ 98.405939] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 98.405963] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
+[ 98.405984] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[ 98.406015] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 98.406038] ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875)
+[ 98.406061] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 98.406085] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194)
+[ 98.406107] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 98.406130] ? __timer_delete_sync (kernel/time/timer.c:1592)
+[ 98.406158] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[ 98.406186] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 98.406210] l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[ 98.406263] hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305)
+[ 98.406293] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[ 98.406323] ? kthread (kernel/kthread.c:433)
+[ 98.406340] ?
__pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.406370] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406393] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.406424] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.406453] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406476] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1)) +[ 98.406499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406523] ? kthread (kernel/kthread.c:433) +[ 98.406539] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406565] ? kthread (kernel/kthread.c:433) +[ 98.406581] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.406610] kthread (kernel/kthread.c:467) +[ 98.406627] ? __pfx_kthread (kernel/kthread.c:412) +[ 98.406645] ret_from_fork (arch/x86/kernel/process.c:164) +[ 98.406674] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153) +[ 98.406704] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406728] ? 
__pfx_kthread (kernel/kthread.c:412) +[ 98.406747] ret_from_fork_asm (arch/x86/entry/entry_64.S:258) +[ 98.406774] +[ 98.406780] +[ 98.433693] The buggy address belongs to the physical page: +[ 98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4 +[ 98.435557] flags: 0x200000000000000(node=0|zone=2) +[ 98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000 +[ 98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000 +[ 98.438115] page dumped because: kasan: bad access detected +[ 98.438951] +[ 98.439211] Memory state around the buggy address: +[ 98.439871] ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 98.440714] ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.442458] ^ +[ 98.443011] ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.443889] ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.444768] ================================================================== +[ 98.445719] Disabling lock debugging due to kernel taint +[ 98.448074] l2cap_conn_free: freeing conn ffff88810c22b400 +[ 98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G B 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 98.450040] Tainted: [B]=BAD_PAGE +[ 98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 98.450059] Call Trace: +[ 98.450065] +[ 98.450071] dump_stack_lvl (lib/dump_stack.c:122) +[ 98.450099] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808) +[ 98.450125] l2cap_conn_put (net/bluetooth/l2cap_core.c:1822) +[ 98.450154] session_free (net/bluetooth/hidp/core.c:990) +[ 98.450181] hidp_session_thread (net/bluetooth/hidp/core.c:1307) +[ 98.450213] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.450271] ? 
kthread (kernel/kthread.c:433) +[ 98.450293] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.450339] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450368] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.450406] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.450442] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450471] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1)) +[ 98.450499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450528] ? kthread (kernel/kthread.c:433) +[ 98.450547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450578] ? kthread (kernel/kthread.c:433) +[ 98.450598] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.450637] kthread (kernel/kthread.c:467) +[ 98.450657] ? __pfx_kthread (kernel/kthread.c:412) +[ 98.450680] ret_from_fork (arch/x86/kernel/process.c:164) +[ 98.450715] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153) +[ 98.450752] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450782] ? 
__pfx_kthread (kernel/kthread.c:412) +[ 98.450804] ret_from_fork_asm (arch/x86/entry/entry_64.S:258) +[ 98.450836] + +Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers") +Reported-by: soufiane el hachmi +Tested-by: soufiane el hachmi +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hidp/core.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c +index 3ff870599eb77..068c3c2505170 100644 +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -987,7 +987,8 @@ static void session_free(struct kref *ref) + skb_queue_purge(&session->intr_transmit); + fput(session->intr_sock->file); + fput(session->ctrl_sock->file); +- l2cap_conn_put(session->conn); ++ if (session->conn) ++ l2cap_conn_put(session->conn); + kfree(session); + } + +@@ -1165,6 +1166,15 @@ static void hidp_session_remove(struct l2cap_conn *conn, + + down_write(&hidp_session_sem); + ++ /* Drop L2CAP reference immediately to indicate that ++ * l2cap_unregister_user() shall not be called as it is already ++ * considered removed. ++ */ ++ if (session->conn) { ++ l2cap_conn_put(session->conn); ++ session->conn = NULL; ++ } ++ + hidp_session_terminate(session); + + cancel_work_sync(&session->dev_init); +@@ -1302,7 +1312,9 @@ static int hidp_session_thread(void *arg) + * Instead, this call has the same semantics as if user-space tried to + * delete the session. + */ +- l2cap_unregister_user(session->conn, &session->user); ++ if (session->conn) ++ l2cap_unregister_user(session->conn, &session->user); ++ + hidp_session_put(session); + + module_put_and_kthread_exit(0); +-- +2.51.0 + diff --git a/queue-5.10/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch b/queue-5.10/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch new file mode 100644 index 0000000000..9b1ba2d97f --- /dev/null 
+++ b/queue-5.10/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
@@ -0,0 +1,55 @@
+From 9d6961e59b0ca5eedd1521afe3af8d99c0bdbf83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Feb 2026 18:07:25 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
+
+From: Christian Eggers
+
+[ Upstream commit e1d9a66889867c232657a9b6f25d451d7c3ab96f ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"If the SDU length field value exceeds the receiver's MTU, the receiver
+shall disconnect the channel..."
+
+This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P
+0x0027 -V le_public -I 100').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index bac2abce4bd78..9c1d68b1e83b5 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -7639,8 +7639,10 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+ return -ENOBUFS;
+ }
+
+- if (chan->imtu < skb->len) {
+- BT_ERR("Too big LE L2CAP PDU");
++ if (skb->len > chan->imtu) {
++ BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len,
++ chan->imtu);
++ l2cap_send_disconn_req(chan, ECONNRESET);
+ return -ENOBUFS;
+ }
+
+@@ -7665,7 +7667,9 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+ sdu_len, skb->len, chan->imtu);
+
+ if (sdu_len > chan->imtu) {
+- BT_ERR("Too big LE L2CAP SDU length received");
++ BT_ERR("Too big LE L2CAP SDU length: len %u > %u",
++ skb->len, sdu_len);
++ l2cap_send_disconn_req(chan, ECONNRESET);
+ err = -EMSGSIZE;
+ goto failed;
+ }
+--
+2.51.0
+
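Review bot: The second BT_ERR in the 7665 hunk logs the wrong operands: the condition tested is `sdu_len > chan->imtu`, but the message prints `skb->len` and `sdu_len`, so the log will report a `len X > Y` pair that never took part in the comparison. Change the arguments to `BT_ERR("Too big LE L2CAP SDU length: len %u > %u", sdu_len, chan->imtu);` so the logged reason matches the disconnect decision. The first hunk's message (`skb->len, chan->imtu`) is already consistent with its check. l2cap_ecred_data_rcv() starts and ends outside both hunks.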
diff --git a/queue-5.10/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch b/queue-5.10/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
new file mode 100644
index 0000000000..1d8398ad97
--- /dev/null
+++ b/queue-5.10/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
@@ -0,0 +1,39 @@
+From ba9d984b5a209e74d4866fdb087ec5342efe413a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Feb 2026 18:07:27 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
+
+From: Christian Eggers
+
+[ Upstream commit b6a2bf43aa37670432843bc73ae2a6288ba4d6f8 ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"... If the sum of the payload sizes for the K-frames exceeds the
+specified SDU length, the receiver shall disconnect the channel."
+
+This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
+0x0027 -V le_public').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 9c1d68b1e83b5..ed113cfdce23b 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -7705,6 +7705,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+
+ if (chan->sdu->len + skb->len > chan->sdu_len) {
+ BT_ERR("Too much LE L2CAP data received");
++ l2cap_send_disconn_req(chan, ECONNRESET);
+ err = -EINVAL;
+ goto failed;
+ }
+--
+2.51.0
+
diff --git a/queue-5.10/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch b/queue-5.10/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
new file mode 100644
index 0000000000..b4c4be8229
--- /dev/null
+++ b/queue-5.10/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
@@ -0,0 +1,36 @@
+From afd083b9f006351f638e913ba1220afb166a48a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Feb 2026 18:07:28 +0100
+Subject: Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
+
+From: Christian Eggers
+
+[ Upstream commit 0e4d4dcc1a6e82cc6f9abf32193558efa7e1613d ]
+
+The last test step ("Test with Invalid public key X and Y, all set to
+0") expects to get an "DHKEY check failed" instead of "unspecified".
+
+Fixes: 6d19628f539f ("Bluetooth: SMP: Fail if remote and local public keys are identical")
+Signed-off-by: Christian Eggers
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index 79550d115364e..0871dca1ceac9 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2738,7 +2738,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
+ if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
+ !crypto_memneq(key, smp->local_pk, 64)) {
+ bt_dev_err(hdev, "Remote and local public keys are identical");
+- return SMP_UNSPECIFIED;
++ return SMP_DHKEY_CHECK_FAILED;
+ }
+
+ memcpy(smp->remote_pk, key, 64);
+--
+2.51.0
+
diff --git a/queue-5.10/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch b/queue-5.10/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
new file mode 100644
index 0000000000..70767c538a
--- /dev/null
+++ b/queue-5.10/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
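Review bot: The changed return value in smp_cmd_public_key() carries no explanation in the code; the reason (the conformance test step expecting "DHKey check failed" rather than "unspecified" for an invalid or identical public key) lives only in the commit message. A one-line comment above the return, e.g. `/* SM/PER/KDU/BI-04-C expects DHKey check failed for an identical/invalid key */`, would keep a future reader from "fixing" it back to SMP_UNSPECIFIED. The bt_dev_err() on the preceding line still describes the condition accurately. smp_cmd_public_key() starts and ends outside the hunk.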
@@ -0,0 +1,68 @@ +From 4919f88c3e20b81c47e47018ca960685fca4f93b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 21:06:01 +0800 +Subject: icmp: fix NULL pointer dereference in icmp_tag_validation() + +From: Weiming Shi + +[ Upstream commit 614aefe56af8e13331e50220c936fc0689cf5675 ] + +icmp_tag_validation() unconditionally dereferences the result of +rcu_dereference(inet_protos[proto]) without checking for NULL. +The inet_protos[] array is sparse -- only about 15 of 256 protocol +numbers have registered handlers. When ip_no_pmtu_disc is set to 3 +(hardened PMTU mode) and the kernel receives an ICMP Fragmentation +Needed error with a quoted inner IP header containing an unregistered +protocol number, the NULL dereference causes a kernel panic in +softirq context. + + Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI + KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] + RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) + Call Trace: + + icmp_rcv (net/ipv4/icmp.c:1527) + ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) + ip_local_deliver_finish (net/ipv4/ip_input.c:242) + ip_local_deliver (net/ipv4/ip_input.c:262) + ip_rcv (net/ipv4/ip_input.c:573) + __netif_receive_skb_one_core (net/core/dev.c:6164) + process_backlog (net/core/dev.c:6628) + handle_softirqs (kernel/softirq.c:561) + + +Add a NULL check before accessing icmp_strict_tag_validation. If the +protocol has no registered handler, return false since it cannot +perform strict tag validation. 
+ +Fixes: 8ed1dc44d3e9 ("ipv4: introduce hardened ip_no_pmtu_disc mode") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Link: https://patch.msgid.link/20260318130558.1050247-4-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index efeeed4f0517e..3c74fecce2382 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -844,10 +844,12 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info) + + static bool icmp_tag_validation(int proto) + { ++ const struct net_protocol *ipprot; + bool ok; + + rcu_read_lock(); +- ok = rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation; ++ ipprot = rcu_dereference(inet_protos[proto]); ++ ok = ipprot ? ipprot->icmp_strict_tag_validation : false; + rcu_read_unlock(); + return ok; + } +-- +2.51.0 + diff --git a/queue-5.10/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch b/queue-5.10/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch new file mode 100644 index 0000000000..37d9b7e6b4 --- /dev/null +++ b/queue-5.10/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch 
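Review bot: The new line `ok = ipprot ? ipprot->icmp_strict_tag_validation : false;` spells out a literal false that the boolean operator already provides; `ok = ipprot && ipprot->icmp_strict_tag_validation;` reads more directly for an optional-pointer flag and behaves the same. Whether `proto` is always within the bounds of inet_protos[] is not visible in this hunk; the caller presumably passes an 8-bit protocol number from the quoted header, which would make the index safe, but that is worth confirming at the call site. icmp_tag_validation() is fully contained in the hunk.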
@@ -0,0 +1,45 @@
+From 23e8f902632e83131fc5803c08ba6cb7b2d48a8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 14 Feb 2026 19:46:32 +0000
+Subject: igc: fix missing update of skb->tail in igc_xmit_frame()
+
+From: Kohei Enju
+
+[ Upstream commit 0ffba246652faf4a36aedc66059c2f94e4c83ea5 ]
+
+igc_xmit_frame() misses updating skb->tail when the packet size is
+shorter than the minimum one.
+Use skb_put_padto() in alignment with other Intel Ethernet drivers.
+
+Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers")
+Signed-off-by: Kohei Enju
+Reviewed-by: Simon Horman
+Reviewed-by: Paul Menzel
+Tested-by: Avigail Dahan
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 7593e8b7469c5..e59de43704b51 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -1522,11 +1522,8 @@ static netdev_tx_t igc_xmit_frame(struct sk_buff *skb,
+ /* The minimum packet size with TCTL.PSP set is 17 so pad the skb
+ * in order to meet this minimum size requirement.
+ */
+- if (skb->len < 17) {
+- if (skb_padto(skb, 17))
+- return NETDEV_TX_OK;
+- skb->len = 17;
+- }
++ if (skb_put_padto(skb, 17))
++ return NETDEV_TX_OK;
+
+ return igc_xmit_frame_ring(skb, igc_tx_queue_mapping(adapter, skb));
+ }
+--
+2.51.0
+
diff --git a/queue-5.10/net-bcmgenet-increase-wol-poll-timeout.patch b/queue-5.10/net-bcmgenet-increase-wol-poll-timeout.patch
new file mode 100644
index 0000000000..dc287e8b37
--- /dev/null
+++ b/queue-5.10/net-bcmgenet-increase-wol-poll-timeout.patch
@@ -0,0 +1,38 @@
+From 5c34656e58af08f4d83b4b2bd0297a7aa506ad64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Mar 2026 12:18:52 -0700
+Subject: net: bcmgenet: increase WoL poll timeout
+
+From: Justin Chen
+
+[ Upstream commit 6cfc3bc02b977f2fba5f7268e6504d1931a774f7 ]
+
+Some systems require more than 5ms to get into WoL mode. Increase the
+timeout value to 50ms.
+
+Fixes: c51de7f3976b ("net: bcmgenet: add Wake-on-LAN support code")
+Signed-off-by: Justin Chen
+Reviewed-by: Florian Fainelli
+Link: https://patch.msgid.link/20260312191852.3904571-1-justin.chen@broadcom.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+index 35c12938cb348..ac402631576cc 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+@@ -102,7 +102,7 @@ static int bcmgenet_poll_wol_status(struct bcmgenet_priv *priv)
+ while (!(bcmgenet_rbuf_readl(priv, RBUF_STATUS)
+ & RBUF_STATUS_WOL)) {
+ retries++;
+- if (retries > 5) {
++ if (retries > 50) {
+ netdev_crit(dev, "polling wol mode timeout\n");
+ return -ETIMEDOUT;
+ }
+--
+2.51.0
+
diff --git a/queue-5.10/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch b/queue-5.10/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
new file mode 100644
index 0000000000..7468a92f0f
--- /dev/null
+++ b/queue-5.10/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
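Review bot: The new bound `retries > 50` is a bare number whose meaning is only recoverable from the commit message; the per-iteration delay that turns it into a time budget sits outside the hunk, so a reader of the loop cannot tell that 50 retries is meant to be about 50 ms. A comment on the changed line, e.g. `if (retries > 50) { /* ~50 ms; some systems need more than 5 ms to enter WoL mode */`, or a named constant for the retry budget, would record why 5 was too small and what the new ceiling represents. bcmgenet_poll_wol_status() starts and ends outside the hunk.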
@@ -0,0 +1,87 @@ +From 6eac891aefd3c61ee7e29a942c8d2cfa9255f0db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 17:50:34 -0700 +Subject: net: bonding: fix NULL deref in bond_debug_rlb_hash_show + +From: Xiang Mei + +[ Upstream commit 605b52497bf89b3b154674deb135da98f916e390 ] + +rlb_clear_slave intentionally keeps RLB hash-table entries on +the rx_hashtbl_used_head list with slave set to NULL when no +replacement slave is available. However, bond_debug_rlb_hash_show +visites client_info->slave without checking if it's NULL. + +Other used-list iterators in bond_alb.c already handle this NULL-slave +state safely: + +- rlb_update_client returns early on !client_info->slave +- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance +compare slave values before visiting +- lb_req_update_subnet_clients continues if slave is NULL + +The following NULL deref crash can be trigger in +bond_debug_rlb_hash_show: + +[ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41) +[ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286 +[ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204 +[ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078 +[ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000 +[ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0 +[ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8 +[ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000 +[ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0 +[ 1.295897] Call Trace: +[ 1.296134] seq_read_iter (fs/seq_file.c:231) +[ 1.296341] seq_read (fs/seq_file.c:164) +[ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1)) +[ 1.296658] vfs_read 
(fs/read_write.c:572) +[ 1.296981] ksys_read (fs/read_write.c:717) +[ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) +[ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Add a NULL check and print "(none)" for entries with no assigned slave. + +Fixes: caafa84251b88 ("bonding: add the debugfs interface to see RLB hash table") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260317005034.1888794-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_debugfs.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/bonding/bond_debugfs.c b/drivers/net/bonding/bond_debugfs.c +index 8b6cf2bf9025a..bb31f986ae592 100644 +--- a/drivers/net/bonding/bond_debugfs.c ++++ b/drivers/net/bonding/bond_debugfs.c +@@ -34,11 +34,17 @@ static int bond_debug_rlb_hash_show(struct seq_file *m, void *v) + for (; hash_index != RLB_NULL_INDEX; + hash_index = client_info->used_next) { + client_info = &(bond_info->rx_hashtbl[hash_index]); +- seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", +- &client_info->ip_src, +- &client_info->ip_dst, +- &client_info->mac_dst, +- client_info->slave->dev->name); ++ if (client_info->slave) ++ seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", ++ &client_info->ip_src, ++ &client_info->ip_dst, ++ &client_info->mac_dst, ++ client_info->slave->dev->name); ++ else ++ seq_printf(m, "%-15pI4 %-15pI4 %-17pM (none)\n", ++ &client_info->ip_src, ++ &client_info->ip_dst, ++ &client_info->mac_dst); + } + + spin_unlock_bh(&bond->mode_lock); +-- +2.51.0 + diff --git a/queue-5.10/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch b/queue-5.10/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch new file mode 100644 index 0000000000..86df0452ed --- /dev/null +++ b/queue-5.10/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch 
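Review bot: The new if/else in bond_debug_rlb_hash_show() duplicates the entire seq_printf() call and three of its four arguments only to vary the last column. Choosing the name first keeps a single format string: `const char *name = client_info->slave ? client_info->slave->dev->name : "(none)";` followed by one `seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", &client_info->ip_src, &client_info->ip_dst, &client_info->mac_dst, name);`. The loop still runs with bond->mode_lock held (the unlock is visible at the end of the hunk), so the NULL test itself is a sound fix; the function's head and tail lie outside the hunk.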
@@ -0,0 +1,57 @@ +From af9f82aaee3bfbfaea7ed08e510ea4339a2ab707 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 08:42:12 +0000 +Subject: net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths + +From: Anas Iqbal + +[ Upstream commit b48731849609cbd8c53785a48976850b443153fd ] + +Smatch reports: +drivers/net/dsa/bcm_sf2.c:997 bcm_sf2_sw_resume() warn: +'priv->clk' from clk_prepare_enable() not released on lines: 983,990. + +The clock enabled by clk_prepare_enable() in bcm_sf2_sw_resume() +is not released if bcm_sf2_sw_rst() or bcm_sf2_cfp_resume() fails. + +Add the missing clk_disable_unprepare() calls in the error paths +to properly release the clock resource. + +Fixes: e9ec5c3bd238 ("net: dsa: bcm_sf2: request and handle clocks") +Reviewed-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Signed-off-by: Anas Iqbal +Link: https://patch.msgid.link/20260318084212.1287-1-mohd.abd.6602@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/bcm_sf2.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c +index d0f94a5fae5ae..7c64317e0f191 100644 +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -871,13 +871,17 @@ static int bcm_sf2_sw_resume(struct dsa_switch *ds) + ret = bcm_sf2_sw_rst(priv); + if (ret) { + pr_err("%s: failed to software reset switch\n", __func__); ++ if (!priv->wol_ports_mask) ++ clk_disable_unprepare(priv->clk); + return ret; + } + + ret = bcm_sf2_cfp_resume(ds); +- if (ret) ++ if (ret) { ++ if (!priv->wol_ports_mask) ++ clk_disable_unprepare(priv->clk); + return ret; +- ++ } + if (priv->hw_params.num_gphy == 1) + bcm_sf2_gphy_enable_set(ds, true); + +-- +2.51.0 + diff --git a/queue-5.10/net-macb-fix-uninitialized-rx_fs_lock.patch b/queue-5.10/net-macb-fix-uninitialized-rx_fs_lock.patch new file mode 100644 index 0000000000..c983ca7e0c --- /dev/null 
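Review bot: The same two-line cleanup `if (!priv->wol_ports_mask) clk_disable_unprepare(priv->clk);` is now pasted into both error paths of bcm_sf2_sw_resume(), and a third failing call added later would have to copy it a third time. A single `goto` to a cleanup label at the end of the function (which is outside the hunk) is the kernel-idiomatic form and keeps the enable/disable pairing in one place. The guard also assumes the clock was enabled under the same `!priv->wol_ports_mask` condition earlier in the function; that clk_prepare_enable() call is not in the hunk, so the pairing should be confirmed there.

```c
	ret = bcm_sf2_sw_rst(priv);
	if (ret) {
		pr_err("%s: failed to software reset switch\n", __func__);
		goto out_clk_disable;
	}

	ret = bcm_sf2_cfp_resume(ds);
	if (ret)
		goto out_clk_disable;

	/* … unchanged: rest of bcm_sf2_sw_resume() … */

out_clk_disable:
	if (!priv->wol_ports_mask)
		clk_disable_unprepare(priv->clk);
	return ret;
```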
+++ b/queue-5.10/net-macb-fix-uninitialized-rx_fs_lock.patch 
@@ -0,0 +1,78 @@ +From cbe51c17dae4fae0fcf715b9d0a84b750886954a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 13:38:25 +0300 +Subject: net: macb: fix uninitialized rx_fs_lock + +From: Fedor Pchelkin + +[ Upstream commit 34b11cc56e4369bc08b1f4c4a04222d75ed596ce ] + +If hardware doesn't support RX Flow Filters, rx_fs_lock spinlock is not +initialized leading to the following assertion splat triggerable via +set_rxnfc callback. + +INFO: trying to register non-static key. +The code is fine but needs lockdep annotation, or maybe +you didn't initialize this object before use? +turning off the locking correctness validator. +CPU: 1 PID: 949 Comm: syz.0.6 Not tainted 6.1.164+ #113 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106 + assign_lock_key kernel/locking/lockdep.c:974 [inline] + register_lock_class+0x141b/0x17f0 kernel/locking/lockdep.c:1287 + __lock_acquire+0x74f/0x6c40 kernel/locking/lockdep.c:4928 + lock_acquire kernel/locking/lockdep.c:5662 [inline] + lock_acquire+0x190/0x4b0 kernel/locking/lockdep.c:5627 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:162 + gem_del_flow_filter drivers/net/ethernet/cadence/macb_main.c:3562 [inline] + gem_set_rxnfc+0x533/0xac0 drivers/net/ethernet/cadence/macb_main.c:3667 + ethtool_set_rxnfc+0x18c/0x280 net/ethtool/ioctl.c:961 + __dev_ethtool net/ethtool/ioctl.c:2956 [inline] + dev_ethtool+0x229c/0x6290 net/ethtool/ioctl.c:3095 + dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510 + sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215 + sock_ioctl+0x577/0x6d0 net/socket.c:1320 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856 + do_syscall_x64 
arch/x86/entry/common.c:46 [inline] + do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +A more straightforward solution would be to always initialize rx_fs_lock, +just like rx_fs_list. However, in this case the driver set_rxnfc callback +would return with a rather confusing error code, e.g. -EINVAL. So deny +set_rxnfc attempts directly if the RX filtering feature is not supported +by hardware. + +Fixes: ae8223de3df5 ("net: macb: Added support for RX filtering") +Signed-off-by: Fedor Pchelkin +Link: https://patch.msgid.link/20260316103826.74506-2-pchelkin@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index c407e8d0eb618..f49e4e0494db3 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -3381,6 +3381,9 @@ static int gem_set_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd) + struct macb *bp = netdev_priv(netdev); + int ret; + ++ if (!(netdev->hw_features & NETIF_F_NTUPLE)) ++ return -EOPNOTSUPP; ++ + switch (cmd->cmd) { + case ETHTOOL_SRXCLSRLINS: + if ((cmd->fs.location >= bp->max_tuples) +-- +2.51.0 + diff --git a/queue-5.10/net-rose-fix-null-pointer-dereference-in-rose_transm.patch b/queue-5.10/net-rose-fix-null-pointer-dereference-in-rose_transm.patch new file mode 100644 index 0000000000..541f6b137b --- /dev/null +++ b/queue-5.10/net-rose-fix-null-pointer-dereference-in-rose_transm.patch 
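Review bot: The guard added to gem_set_rxnfc() keys on NETIF_F_NTUPLE in hw_features, which is the right capability bit for "the hardware has RX flow filtering", but the reason it is needed (rx_fs_lock is never initialised when the feature is absent, per the commit message) is not stated at the check. A comment such as `/* rx_fs_lock is only initialised when RX flow filtering is supported */` would tie the early return to the uninitialised-lock hazard. If the matching get_rxnfc callback (not visible here) also takes rx_fs_lock or walks rx_fs_list, it needs the same `-EOPNOTSUPP` early return. gem_set_rxnfc() continues outside the hunk.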
@@ -0,0 +1,64 @@ +From f1dc84919586550161ee190d98a8b54b62f92022 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 15:06:02 +0800 +Subject: net/rose: fix NULL pointer dereference in rose_transmit_link on + reconnect + +From: Jiayuan Chen + +[ Upstream commit e1f0a18c9564cdb16523c802e2c6fe5874e3d944 ] + +syzkaller reported a bug [1], and the reproducer is available at [2]. + +ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, +TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects +calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING +(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. + +When rose_connect() is called a second time while the first connection +attempt is still in progress (TCP_SYN_SENT), it overwrites +rose->neighbour via rose_get_neigh(). If that returns NULL, the socket +is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL. +When the socket is subsequently closed, rose_release() sees +ROSE_STATE_1 and calls rose_write_internal() -> +rose_transmit_link(skb, NULL), causing a NULL pointer dereference. + +Per connect(2), a second connect() while a connection is already in +progress should return -EALREADY. Add this missing check for +TCP_SYN_SENT to complete the state validation in rose_connect(). 
+ +[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271 +[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+d00f90e0af54102fb271@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0027.GAE@google.com/T/ +Suggested-by: Eric Dumazet +Signed-off-by: Jiayuan Chen +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260311070611.76913-1-jiayuan.chen@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index 04173c85d92b5..0130c13f73552 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -808,6 +808,11 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le + goto out_release; + } + ++ if (sk->sk_state == TCP_SYN_SENT) { ++ err = -EALREADY; ++ goto out_release; ++ } ++ + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; + +-- +2.51.0 + diff --git a/queue-5.10/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch b/queue-5.10/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch new file mode 100644 index 0000000000..fac05187d2 --- /dev/null +++ b/queue-5.10/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch 
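Review bot: The new TCP_SYN_SENT branch in rose_connect() returns -EALREADY with no comment, and the link between this state check and the NULL rose->neighbour crash exists only in the commit message. A comment above the check, e.g. `/* connect(2): an attempt is already in progress; do not redo the neighbour lookup */`, would make the intent visible next to the other sk_state checks it completes. The branch follows the existing `goto out_release` pattern, so error handling stays consistent. rose_connect() starts and ends outside the hunk.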
@@ -0,0 +1,69 @@ +From 52b2cbb9a715927eaf04e474db8cce33e6d4db4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 16:16:43 +0200 +Subject: net: usb: aqc111: Do not perform PM inside suspend callback + +From: Nikola Z. Ivanov + +[ Upstream commit 069c8f5aebe4d5224cf62acc7d4b3486091c658a ] + +syzbot reports "task hung in rpm_resume" + +This is caused by aqc111_suspend calling +the PM variant of its write_cmd routine. + +The simplified call trace looks like this: + +rpm_suspend() + usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING + aqc111_suspend() - called for the usb device interface + aqc111_write32_cmd() + usb_autopm_get_interface() + pm_runtime_resume_and_get() + rpm_resume() - here we call rpm_resume() on our parent + rpm_resume() - Here we wait for a status change that will never happen. + +At this point we block another task which holds +rtnl_lock and locks up the whole networking stack. + +Fix this by replacing the write_cmd calls with their _nopm variants + +Reported-by: syzbot+48dc1e8dfc92faf1124c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=48dc1e8dfc92faf1124c +Fixes: e58ba4544c77 ("net: usb: aqc111: Add support for wake on LAN by MAGIC packet") +Signed-off-by: Nikola Z. 
Ivanov +Link: https://patch.msgid.link/20260313141643.1181386-1-zlatistiv@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/aqc111.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c +index ab9431ea295ad..7d38ce2e77017 100644 +--- a/drivers/net/usb/aqc111.c ++++ b/drivers/net/usb/aqc111.c +@@ -1400,14 +1400,14 @@ static int aqc111_suspend(struct usb_interface *intf, pm_message_t message) + aqc111_write16_cmd_nopm(dev, AQ_ACCESS_MAC, + SFR_MEDIUM_STATUS_MODE, 2, ®16); + +- aqc111_write_cmd(dev, AQ_WOL_CFG, 0, 0, +- WOL_CFG_SIZE, &wol_cfg); +- aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, +- &aqc111_data->phy_cfg); ++ aqc111_write_cmd_nopm(dev, AQ_WOL_CFG, 0, 0, ++ WOL_CFG_SIZE, &wol_cfg); ++ aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0, ++ &aqc111_data->phy_cfg); + } else { + aqc111_data->phy_cfg |= AQ_LOW_POWER; +- aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, +- &aqc111_data->phy_cfg); ++ aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0, ++ &aqc111_data->phy_cfg); + + /* Disable RX path */ + aqc111_read16_cmd_nopm(dev, AQ_ACCESS_MAC, +-- +2.51.0 + diff --git a/queue-5.10/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch b/queue-5.10/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch new file mode 100644 index 0000000000..311de7abd4 --- /dev/null +++ b/queue-5.10/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch 
@@ -0,0 +1,123 @@ +From c7ccddc64f7a7462617e9547e7688e1a8a7314c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:21:37 +0900 +Subject: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() + +From: Hyunwoo Kim + +[ Upstream commit 5cb81eeda909dbb2def209dd10636b51549a3f8a ] + +ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the +netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the +conntrack reference immediately after netlink_dump_start(). When the +dump spans multiple rounds, the second recvmsg() triggers the dump +callback which dereferences the now-freed conntrack via nfct_help(ct), +leading to a use-after-free on ct->ext. + +The bug is that the netlink_dump_control has no .start or .done +callbacks to manage the conntrack reference across dump rounds. Other +dump functions in the same file (e.g. ctnetlink_get_conntrack) properly +use .start/.done callbacks for this purpose. + +Fix this by adding .start and .done callbacks that hold and release the +conntrack reference for the duration of the dump, and move the +nfct_help() call after the cb->args[0] early-return check in the dump +callback to avoid dereferencing ct->ext unnecessarily. + + BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0 + Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133 + + CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY + Call Trace: + + ctnetlink_exp_ct_dump_table+0x4f/0x2e0 + netlink_dump+0x333/0x880 + netlink_recvmsg+0x3e2/0x4b0 + ? 
aa_sk_perm+0x184/0x450 + sock_recvmsg+0xde/0xf0 + + Allocated by task 133: + kmem_cache_alloc_noprof+0x134/0x440 + __nf_conntrack_alloc+0xa8/0x2b0 + ctnetlink_create_conntrack+0xa1/0x900 + ctnetlink_new_conntrack+0x3cf/0x7d0 + nfnetlink_rcv_msg+0x48e/0x510 + netlink_rcv_skb+0xc9/0x1f0 + nfnetlink_rcv+0xdb/0x220 + netlink_unicast+0x3ec/0x590 + netlink_sendmsg+0x397/0x690 + __sys_sendmsg+0xf4/0x180 + + Freed by task 0: + slab_free_after_rcu_debug+0xad/0x1e0 + rcu_core+0x5c3/0x9c0 + +Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack") +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++++++++++- + 1 file changed, 25 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 98a4c41f6df19..9fe2c5b3523c5 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3197,7 +3197,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + struct nf_conn *ct = cb->data; +- struct nf_conn_help *help = nfct_help(ct); ++ struct nf_conn_help *help; + u_int8_t l3proto = nfmsg->nfgen_family; + unsigned long last_id = cb->args[1]; + struct nf_conntrack_expect *exp; +@@ -3205,6 +3205,10 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + if (cb->args[0]) + return 0; + ++ help = nfct_help(ct); ++ if (!help) ++ return 0; ++ + rcu_read_lock(); + + restart: +@@ -3234,6 +3238,24 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + return skb->len; + } + ++static int ctnetlink_dump_exp_ct_start(struct netlink_callback *cb) ++{ ++ struct nf_conn *ct = cb->data; ++ ++ if (!refcount_inc_not_zero(&ct->ct_general.use)) ++ return -ENOENT; ++ return 0; ++} ++ ++static int ctnetlink_dump_exp_ct_done(struct 
netlink_callback *cb) ++{ ++ struct nf_conn *ct = cb->data; ++ ++ if (ct) ++ nf_ct_put(ct); ++ return 0; ++} ++ + static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct sk_buff *skb, + const struct nlmsghdr *nlh, +@@ -3249,6 +3271,8 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct nf_conntrack_zone zone; + struct netlink_dump_control c = { + .dump = ctnetlink_exp_ct_dump_table, ++ .start = ctnetlink_dump_exp_ct_start, ++ .done = ctnetlink_dump_exp_ct_done, + }; + + err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, +-- +2.51.0 + diff --git a/queue-5.10/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch b/queue-5.10/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch new file mode 100644 index 0000000000..cefc39e401 --- /dev/null +++ b/queue-5.10/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch 
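Review bot: `refcount_inc_not_zero(&ct->ct_general.use)` in the new ctnetlink_dump_exp_ct_start() looks like a backport hazard for a 5.10 queue: if `struct nf_conntrack.use` is still an `atomic_t` in this tree (the conversion to refcount_t landed considerably later upstream, as far as I recall), this will not compile and needs `atomic_inc_not_zero(&ct->ct_general.use)` instead — please check include/linux/skbuff.h in the target tree. Separately, the `if (ct)` test in ctnetlink_dump_exp_ct_done() appears dead, since cb->data is filled in by the caller before .start runs and, as far as I can tell from the netlink core, .done is only invoked after .start succeeded, so `nf_ct_put(ct);` alone would do. A one-line comment on .start would document why the pair exists: `/* pin ct for the whole multi-round dump; the caller drops its ref right after netlink_dump_start() */`.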
@@ -0,0 +1,165 @@ +From d0150530d0f87112ab6118be3c85c0974a99c88f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Aug 2025 17:25:09 +0200 +Subject: netfilter: ctnetlink: remove refcounting in expectation dumpers + +From: Florian Westphal + +[ Upstream commit 1492e3dcb2be3aa46d1963da96aa9593e4e4db5a ] + +Same pattern as previous patch: do not keep the expectation object +alive via refcount, only store a cookie value and then use that +as the skip hint for dump resumption. + +AFAICS this has the same issue as the one resolved in the conntrack +dumper, when we do + if (!refcount_inc_not_zero(&exp->use)) + +to increment the refcount, there is a chance that exp == last, which +causes a double-increment of the refcount and subsequent memory leak. + +Fixes: cf6994c2b981 ("[NETFILTER]: nf_conntrack_netlink: sync expectation dumping with conntrack table dumping") +Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Stable-dep-of: 5cb81eeda909 ("netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()") +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 41 ++++++++++++---------------- + 1 file changed, 17 insertions(+), 24 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index f622fcad3f503..98a4c41f6df19 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3137,23 +3137,27 @@ ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item) + return 0; + } + #endif +-static int ctnetlink_exp_done(struct netlink_callback *cb) ++ ++static unsigned long ctnetlink_exp_id(const struct nf_conntrack_expect *exp) + { +- if (cb->args[1]) +- nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]); +- return 0; ++ unsigned long id = (unsigned long)exp; ++ ++ id += nf_ct_get_id(exp->master); ++ id += exp->class; ++ ++ return 
id ? id : 1; + } + + static int + ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { + struct net *net = sock_net(skb->sk); +- struct nf_conntrack_expect *exp, *last; + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + u_int8_t l3proto = nfmsg->nfgen_family; ++ unsigned long last_id = cb->args[1]; ++ struct nf_conntrack_expect *exp; + + rcu_read_lock(); +- last = (struct nf_conntrack_expect *)cb->args[1]; + for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { + restart: + hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]], +@@ -3165,7 +3169,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + continue; + + if (cb->args[1]) { +- if (exp != last) ++ if (ctnetlink_exp_id(exp) != last_id) + continue; + cb->args[1] = 0; + } +@@ -3174,9 +3178,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->nlh->nlmsg_seq, + IPCTNL_MSG_EXP_NEW, + exp) < 0) { +- if (!refcount_inc_not_zero(&exp->use)) +- continue; +- cb->args[1] = (unsigned long)exp; ++ cb->args[1] = ctnetlink_exp_id(exp); + goto out; + } + } +@@ -3187,32 +3189,30 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + } + out: + rcu_read_unlock(); +- if (last) +- nf_ct_expect_put(last); +- + return skb->len; + } + + static int + ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { +- struct nf_conntrack_expect *exp, *last; + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + struct nf_conn *ct = cb->data; + struct nf_conn_help *help = nfct_help(ct); + u_int8_t l3proto = nfmsg->nfgen_family; ++ unsigned long last_id = cb->args[1]; ++ struct nf_conntrack_expect *exp; + + if (cb->args[0]) + return 0; + + rcu_read_lock(); +- last = (struct nf_conntrack_expect *)cb->args[1]; ++ + restart: + hlist_for_each_entry_rcu(exp, &help->expectations, lnode) { + if (l3proto && exp->tuple.src.l3num != l3proto) + continue; + if (cb->args[1]) { +- if (exp != last) ++ if 
(ctnetlink_exp_id(exp) != last_id) + continue; + cb->args[1] = 0; + } +@@ -3220,9 +3220,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->nlh->nlmsg_seq, + IPCTNL_MSG_EXP_NEW, + exp) < 0) { +- if (!refcount_inc_not_zero(&exp->use)) +- continue; +- cb->args[1] = (unsigned long)exp; ++ cb->args[1] = ctnetlink_exp_id(exp); + goto out; + } + } +@@ -3233,9 +3231,6 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->args[0] = 1; + out: + rcu_read_unlock(); +- if (last) +- nf_ct_expect_put(last); +- + return skb->len; + } + +@@ -3254,7 +3249,6 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct nf_conntrack_zone zone; + struct netlink_dump_control c = { + .dump = ctnetlink_exp_ct_dump_table, +- .done = ctnetlink_exp_done, + }; + + err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, +@@ -3305,7 +3299,6 @@ static int ctnetlink_get_expect(struct net *net, struct sock *ctnl, + else { + struct netlink_dump_control c = { + .dump = ctnetlink_exp_dump_table, +- .done = ctnetlink_exp_done, + }; + return netlink_dump_start(ctnl, skb, nlh, &c); + } +-- +2.51.0 + diff --git a/queue-5.10/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch b/queue-5.10/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch new file mode 100644 index 0000000000..1a7a1aa97e --- /dev/null +++ b/queue-5.10/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch 
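Review bot: ctnetlink_exp_id() needs a comment stating what the cookie is and is not: it mixes the object address with the master's id and class only to make an address-reuse collision unlikely, not to identify an expectation, and `return id ? id : 1;` exists because `cb->args[1] == 0` means "no resume point" in both dumpers. If the expectation named by `last_id` disappears between dump rounds, neither loop ever clears `cb->args[1]`, so the remainder of the table is skipped and the dump ends early without an error — the same outcome as the old `exp != last` comparison against an unhashed object, but it should be written down, e.g. `/* resume hint only: if the entry is gone the dump ends early */`. The block also leaves `help = nfct_help(ct)` evaluated before the `cb->args[0]` early return in ctnetlink_exp_ct_dump_table(); that is the dependency the follow-up UAF fix in this series relies on.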
@@ -0,0 +1,47 @@ +From 37c7b46af8afb2127e45327dc3a7befdb3b87388 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 14:49:50 +0000 +Subject: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jenny Guanni Qu + +[ Upstream commit f173d0f4c0f689173f8cdac79991043a4a89bf66 ] + +In DecodeQ931(), the UserUserIE code path reads a 16-bit length from +the packet, then decrements it by 1 to skip the protocol discriminator +byte before passing it to DecodeH323_UserInformation(). If the encoded +length is 0, the decrement wraps to -1, which is then passed as a +large value to the decoder, leading to an out-of-bounds read. + +Add a check to ensure len is positive after the decrement. + +Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Tested-by: Jenny Guanni Qu +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_h323_asn1.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c +index c972e9488e16f..7b1497ed97d26 100644 +--- a/net/netfilter/nf_conntrack_h323_asn1.c ++++ b/net/netfilter/nf_conntrack_h323_asn1.c +@@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931) + break; + p++; + len--; ++ if (len <= 0) ++ break; + return DecodeH323_UserInformation(buf, p, len, + &q931->UUIE); + } +-- +2.51.0 + diff --git a/queue-5.10/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch b/queue-5.10/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch new file mode 100644 index 0000000000..346a40487f --- /dev/null +++ b/queue-5.10/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch 
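Review bot: The new `if (len <= 0) break;` turns a UUIE that carries only the protocol discriminator into a Q.931 decode failure rather than "nothing to decode", because the `break` leaves the IE loop and the function's trailing return (outside the hunk) reports an error if it still looks like upstream's `return H323_ERROR_BOUND;`; that is a behaviour choice, not only a bounds fix, and deserves a comment such as `/* UUIE with no payload after the protocol discriminator: treat as malformed */`. The earlier `sz < len` test only proves that `len` bytes exist, not that `len >= 1`, so the check has to stay after the decrement as written. DecodeQ931() begins and ends outside the hunk.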
@@ -0,0 +1,48 @@ +From 02bc845304b0f05e3a0a7123fe9ffa2292597bc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 02:29:32 +0000 +Subject: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jenny Guanni Qu + +[ Upstream commit 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a ] + +In decode_int(), the CONS case calls get_bits(bs, 2) to read a length +value, then calls get_uint(bs, len) without checking that len bytes +remain in the buffer. The existing boundary check only validates the +2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() +reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte +slab-out-of-bounds read. + +Add a boundary check for len bytes after get_bits() and before +get_uint(). + +Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_h323_asn1.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c +index 62aa22a078769..c972e9488e16f 100644 +--- a/net/netfilter/nf_conntrack_h323_asn1.c ++++ b/net/netfilter/nf_conntrack_h323_asn1.c +@@ -331,6 +331,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f, + if (nf_h323_error_boundary(bs, 0, 2)) + return H323_ERROR_BOUND; + len = get_bits(bs, 2) + 1; ++ if (nf_h323_error_boundary(bs, len, 0)) ++ return H323_ERROR_BOUND; + BYTE_ALIGN(bs); + if (base && (f->attr & DECODE)) { /* timeToLive */ + unsigned int v = get_uint(bs, len) + f->lb; +-- +2.51.0 + diff --git a/queue-5.10/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch b/queue-5.10/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch new file mode 100644 index 0000000000..812955b49a 
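Review bot: The new boundary check sits before `BYTE_ALIGN(bs)` yet guards bytes that get_uint() reads after alignment; that is only correct if nf_h323_error_boundary() folds the pending `bs->bit` into its byte count (as I read it, it rounds a partial byte up), and a reader of decode_int() cannot see that without a comment — suggest `/* len bytes are read after BYTE_ALIGN(); error_boundary() accounts for the pending bit offset */` above the test. The helper itself and the rest of decode_int() are outside the hunk, so please confirm the rounding behaviour in this tree before relying on it.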
--- /dev/null +++ b/queue-5.10/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch 
@@ -0,0 +1,66 @@ +From 5c4095e82eca0c3bd69733e86e7b2f3fcbc046c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 21:49:01 +0000 +Subject: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in + sip_help_tcp() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lukas Johannes Möller + +[ Upstream commit fbce58e719a17aa215c724473fd5baaa4a8dc57c ] + +sip_help_tcp() parses the SIP Content-Length header with +simple_strtoul(), which returns unsigned long, but stores the result in +unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are +silently truncated before computing the SIP message boundary. + +For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, +causing the parser to miscalculate where the current message ends. The +loop then treats trailing data in the TCP segment as a second SIP +message and processes it through the SDP parser. + +Fix this by changing clen to unsigned long to match the return type of +simple_strtoul(), and reject Content-Length values that exceed the +remaining TCP payload length. 
+ +Fixes: f5b321bd37fb ("netfilter: nf_conntrack_sip: add TCP support") +Signed-off-by: Lukas Johannes Möller +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_sip.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c +index 751df19fe0f8a..5db17768ec2ad 100644 +--- a/net/netfilter/nf_conntrack_sip.c ++++ b/net/netfilter/nf_conntrack_sip.c +@@ -1529,11 +1529,12 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff, + { + struct tcphdr *th, _tcph; + unsigned int dataoff, datalen; +- unsigned int matchoff, matchlen, clen; ++ unsigned int matchoff, matchlen; + unsigned int msglen, origlen; + const char *dptr, *end; + s16 diff, tdiff = 0; + int ret = NF_ACCEPT; ++ unsigned long clen; + bool term; + + if (ctinfo != IP_CT_ESTABLISHED && +@@ -1568,6 +1569,9 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff, + if (dptr + matchoff == end) + break; + ++ if (clen > datalen) ++ break; ++ + term = false; + for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) { + if (end[0] == '\r' && end[1] == '\n' && +-- +2.51.0 + diff --git a/queue-5.10/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch b/queue-5.10/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch new file mode 100644 index 0000000000..8fe517cf22 --- /dev/null +++ b/queue-5.10/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch 
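Review bot: `clen > datalen` does not fully close the wrap: as far as I can tell simple_strtoul() wraps modulo 2^64 without reporting overflow, so a header such as `Content-Length: 18446744073709551648` still yields 32, passes the new check, and reproduces the boundary miscalculation the commit describes. A cheap additional guard is to bound the digit run right after the `dptr + matchoff == end` test, e.g. `if (end - (dptr + matchoff) > 10) break;` — no value that can fit in `datalen` needs more than ten decimal digits, at the cost of rejecting long runs of leading zeros, which seems acceptable for a helper. The enclosing loop and the later `msglen > datalen` comparison are outside the hunk.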
@@ -0,0 +1,114 @@ +From b333ff4b01117fa09f18292d5e82ee4cb6b9374a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Oct 2025 18:22:16 +0200 +Subject: netfilter: nft_ct: add seqadj extension for natted connections + +From: Andrii Melnychenko + +[ Upstream commit 90918e3b6404c2a37837b8f11692471b4c512de2 ] + +Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. +due to need to re-write packet payload (IP, port) on the ftp control +connection. This can require changes to the TCP length and expected +seq / ack_seq. + +The easiest way to reproduce this issue is with PASV mode. +Example ruleset: +table inet ftp_nat { + ct helper ftp_helper { + type "ftp" protocol tcp + l3proto inet + } + + chain prerouting { + type filter hook prerouting priority 0; policy accept; + tcp dport 21 ct state new ct helper set "ftp_helper" + } +} +table ip nat { + chain prerouting { + type nat hook prerouting priority -100; policy accept; + tcp dport 21 dnat ip prefix to ip daddr map { + 192.168.100.1 : 192.168.13.2/32 } + } + + chain postrouting { + type nat hook postrouting priority 100 ; policy accept; + tcp sport 21 snat ip prefix to ip saddr map { + 192.168.13.2 : 192.168.100.1/32 } + } +} + +Note that the ftp helper gets assigned *after* the dnat setup. + +The inverse (nat after helper assign) is handled by an existing +check in nf_nat_setup_info() and will not show the problem. + +Topoloy: + + +-------------------+ +----------------------------------+ + | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 | + +-------------------+ +----------------------------------+ + | + +-----------------------+ + | Client: 192.168.100.2 | + +-----------------------+ + +ftp nat changes do not work as expected in this case: +Connected to 192.168.100.1. +[..] +ftp> epsv +EPSV/EPRT on IPv4 off. +ftp> ls +227 Entering passive mode (192,168,100,1,209,129). +421 Service not available, remote server has closed connection. 
+ +Kernel logs: +Missing nfct_seqadj_ext_add() setup call +WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 +[..] + __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat] + nf_nat_ftp+0x142/0x280 [nf_nat_ftp] + help+0x4d1/0x880 [nf_conntrack_ftp] + nf_confirm+0x122/0x2e0 [nf_conntrack] + nf_hook_slow+0x3c/0xb0 + .. + +Fix this by adding the required extension when a conntrack helper is assigned +to a connection that has a nat binding. + +Fixes: 1a64edf54f55 ("netfilter: nft_ct: add helper set support") +Signed-off-by: Andrii Melnychenko +Signed-off-by: Florian Westphal +Stable-dep-of: 36eae0956f65 ("netfilter: nft_ct: drop pending enqueued packets on removal") +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_ct.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c +index f95f1dbc48dea..0b194628818a5 100644 +--- a/net/netfilter/nft_ct.c ++++ b/net/netfilter/nft_ct.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + struct nft_ct { + enum nft_ct_keys key:8; +@@ -1106,6 +1107,10 @@ static void nft_ct_helper_obj_eval(struct nft_object *obj, + if (help) { + rcu_assign_pointer(help->helper, to_assign); + set_bit(IPS_HELPER_BIT, &ct->status); ++ ++ if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct)) ++ if (!nfct_seqadj_ext_add(ct)) ++ regs->verdict.code = NF_DROP; + } + } + +-- +2.51.0 + diff --git a/queue-5.10/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch b/queue-5.10/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch new file mode 100644 index 0000000000..d3e8669954 --- /dev/null +++ b/queue-5.10/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch 
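Review bot: The nested single-statement `if`s added at the end of nft_ct_helper_obj_eval() hide the intent; kernel style would fold them into one condition with a why-comment, e.g. `/* NAT binding was set up before the helper; nf_nat_setup_info() only adds seqadj for the reverse order */` followed by `if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct) && !nfct_seqadj_ext_add(ct)) regs->verdict.code = NF_DROP;`. On the drop path the helper has already been published via `rcu_assign_pointer` and `IPS_HELPER_BIT` is set; that is presumably harmless because the conntrack is still unconfirmed here (the early return for confirmed entries sits above the hunk), but a line saying so would save the next reader the same check.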
@@ -0,0 +1,70 @@ +From c96c65c5c94db90d4af9a65b7507c9bd32cd99e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 13:48:47 +0100 +Subject: netfilter: nft_ct: drop pending enqueued packets on removal + +From: Pablo Neira Ayuso + +[ Upstream commit 36eae0956f659e48d5366d9b083d9417f3263ddc ] + +Packets sitting in nfqueue might hold a reference to: + +- templates that specify the conntrack zone, because a percpu area is + used and module removal is possible. +- conntrack timeout policies and helper, where object removal leave + a stale reference. + +Since these objects can just go away, drop enqueued packets to avoid +stale reference to them. + +If there is a need for finer grain removal, this logic can be revisited +to make selective packet drop upon dependencies. + +Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_ct.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c +index 0b194628818a5..e788d5d9e7aeb 100644 +--- a/net/netfilter/nft_ct.c ++++ b/net/netfilter/nft_ct.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include "nf_internals.h" + + struct nft_ct { + enum nft_ct_keys key:8; +@@ -533,6 +534,7 @@ static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv) + #endif + #ifdef CONFIG_NF_CONNTRACK_ZONES + case NFT_CT_ZONE: ++ nf_queue_nf_hook_drop(ctx->net); + mutex_lock(&nft_ct_pcpu_mutex); + if (--nft_ct_pcpu_template_refcnt == 0) + nft_ct_tmpl_put_pcpu(); +@@ -930,6 +932,7 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx, + struct nft_ct_timeout_obj *priv = nft_obj_data(obj); + struct nf_ct_timeout *timeout = priv->timeout; + ++ nf_queue_nf_hook_drop(ctx->net); + nf_ct_untimeout(ctx->net, timeout); + nf_ct_netns_put(ctx->net, ctx->family); + kfree(priv->timeout); +@@ -1062,6 
+1065,7 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx, + { + struct nft_ct_helper_obj *priv = nft_obj_data(obj); + ++ nf_queue_nf_hook_drop(ctx->net); + if (priv->helper4) + nf_conntrack_helper_put(priv->helper4); + if (priv->helper6) +-- +2.51.0 + diff --git a/queue-5.10/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch b/queue-5.10/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch new file mode 100644 index 0000000000..51c8dd701a --- /dev/null +++ b/queue-5.10/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch 
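Review bot: In the `NFT_CT_ZONE` case the new `nf_queue_nf_hook_drop(ctx->net)` runs on every zone-expression destroy, but the per-cpu template the commit message is concerned about is only released when `--nft_ct_pcpu_template_refcnt` reaches zero on the following lines; if that template is the only thing queued packets can still reference, moving the flush inside that branch, before `nft_ct_tmpl_put_pcpu()`, would avoid discarding an entire netns's queued traffic each time one of several zone rules is deleted. Whatever the placement, each of the three call sites deserves a comment, e.g. `/* queued skbs may still point at this object; flush them before it goes away */`, since the calls otherwise read as unrelated. This is a netns-wide flush, so rulesets that depend on nfqueue will see packet loss on helper/timeout object removal; that trade-off is worth stating next to the code.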
@@ -0,0 +1,54 @@ +From 537ac20949e411b1f821ebd5b9a451bae8d50a77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 13:48:48 +0100 +Subject: netfilter: xt_CT: drop pending enqueued packets on template removal + +From: Pablo Neira Ayuso + +[ Upstream commit f62a218a946b19bb59abdd5361da85fa4606b96b ] + +Templates refer to objects that can go away while packets are sitting in +nfqueue refer to: + +- helper, this can be an issue on module removal. +- timeout policy, nfnetlink_cttimeout might remove it. + +The use of templates with zone and event cache filter are safe, since +this just copies values. + +Flush these enqueued packets in case the template rule gets removed. + +Fixes: 24de58f46516 ("netfilter: xt_CT: allow to attach timeout policy + glue code") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_CT.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c +index ffff1e1f79b91..6ad76f3a956cc 100644 +--- a/net/netfilter/xt_CT.c ++++ b/net/netfilter/xt_CT.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include "nf_internals.h" + + static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct) + { +@@ -270,6 +271,9 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par, + struct nf_conn_help *help; + + if (ct) { ++ if (info->helper[0] || info->timeout[0]) ++ nf_queue_nf_hook_drop(par->net); ++ + help = nfct_help(ct); + if (help) + nf_conntrack_helper_put(help->helper); +-- +2.51.0 + diff --git a/queue-5.10/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch b/queue-5.10/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch new file mode 100644 index 0000000000..0128da59ea --- /dev/null +++ b/queue-5.10/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch 
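Review bot: The guard `if (info->helper[0] || info->timeout[0])` keys on the user-supplied name strings rather than on what is actually attached to `ct`; that is fine for v1 entries, but xt_ct_tg_destroy() is also reached from the v0 destroy path (outside the hunk), where the test is only safe if the wrapper builds its `xt_ct_target_info_v1` with `timeout[]` zero-filled — please confirm, and record it with `/* v0 callers pass a zero-filled timeout[] */`. Checking `help && help->helper` and, if available in this tree, `nf_ct_timeout_find(ct)` would tie the flush to the objects that can really disappear, though that needs the `help` lookup moved above the new lines.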
@@ -0,0 +1,53 @@ +From 4fd94be20cfff57368223c2ddf0655811890bc11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 14:59:49 +0000 +Subject: netfilter: xt_time: use unsigned int for monthday bit shift +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jenny Guanni Qu + +[ Upstream commit 00050ec08cecfda447e1209b388086d76addda3a ] + +The monthday field can be up to 31, and shifting a signed integer 1 +by 31 positions (1 << 31) is undefined behavior in C, as the result +overflows a 32-bit signed int. Use 1U to ensure well-defined behavior +for all valid monthday values. + +Change the weekday shift to 1U as well for consistency. + +Fixes: ee4411a1b1e0 ("[NETFILTER]: x_tables: add xt_time match") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Tested-by: Jenny Guanni Qu +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_time.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c +index 6aa12d0f54e23..61de85e02a40f 100644 +--- a/net/netfilter/xt_time.c ++++ b/net/netfilter/xt_time.c +@@ -227,13 +227,13 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par) + + localtime_2(¤t_time, stamp); + +- if (!(info->weekdays_match & (1 << current_time.weekday))) ++ if (!(info->weekdays_match & (1U << current_time.weekday))) + return false; + + /* Do not spend time computing monthday if all days match anyway */ + if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) { + localtime_3(¤t_time, stamp); +- if (!(info->monthdays_match & (1 << current_time.monthday))) ++ if (!(info->monthdays_match & (1U << current_time.monthday))) + return false; + } + +-- +2.51.0 + diff --git a/queue-5.10/nfnetlink_osf-validate-individual-option-lengths-in-.patch b/queue-5.10/nfnetlink_osf-validate-individual-option-lengths-in-.patch new file mode 100644 index 0000000000..39014245eb 
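Review bot: Style only: if linux/bits.h is in scope here, `BIT(current_time.weekday)` and `BIT(current_time.monthday)` are the idiomatic spelling and make the unsigned intent explicit without the `1U` literal; the `__u32` masks compare fine against the `unsigned long` result. A short comment that `monthday` is at most 31, so the shift stays inside 32 bits, would also record the invariant the fix relies on, since localtime_3() sits outside the hunk.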
--- /dev/null +++ b/queue-5.10/nfnetlink_osf-validate-individual-option-lengths-in-.patch 
@@ -0,0 +1,83 @@ +From df17caf52a3a1f37901215eee58e6ae37fad0655 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 15:32:44 +0800 +Subject: nfnetlink_osf: validate individual option lengths in fingerprints + +From: Weiming Shi + +[ Upstream commit dbdfaae9609629a9569362e3b8f33d0a20fd783c ] + +nfnl_osf_add_callback() validates opt_num bounds and string +NUL-termination but does not check individual option length fields. +A zero-length option causes nf_osf_match_one() to enter the option +matching loop even when foptsize sums to zero, which matches packets +with no TCP options where ctx->optp is NULL: + + Oops: general protection fault + KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) + Call Trace: + nf_osf_match (net/netfilter/nfnetlink_osf.c:227) + xt_osf_match_packet (net/netfilter/xt_osf.c:32) + ipt_do_table (net/ipv4/netfilter/ip_tables.c:293) + nf_hook_slow (net/netfilter/core.c:623) + ip_local_deliver (net/ipv4/ip_input.c:262) + ip_rcv (net/ipv4/ip_input.c:573) + +Additionally, an MSS option (kind=2) with length < 4 causes +out-of-bounds reads when nf_osf_match_one() unconditionally accesses +optp[2] and optp[3] for MSS value extraction. While RFC 9293 +section 3.2 specifies that the MSS option is always exactly 4 +bytes (Kind=2, Length=4), the check uses "< 4" rather than +"!= 4" because lengths greater than 4 do not cause memory +safety issues -- the buffer is guaranteed to be at least +foptsize bytes by the ctx->optsize == foptsize check. + +Reject fingerprints where any option has zero length, or where an MSS +option has length less than 4, at add time rather than trusting these +values in the packet matching hot path. 
+ +Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_osf.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c +index 573a372e760f4..a2d7bfb4c1a69 100644 +--- a/net/netfilter/nfnetlink_osf.c ++++ b/net/netfilter/nfnetlink_osf.c +@@ -303,7 +303,9 @@ static int nfnl_osf_add_callback(struct net *net, struct sock *ctnl, + { + struct nf_osf_user_finger *f; + struct nf_osf_finger *kf = NULL, *sf; ++ unsigned int tot_opt_len = 0; + int err = 0; ++ int i; + + if (!capable(CAP_NET_ADMIN)) + return -EPERM; +@@ -319,6 +321,17 @@ static int nfnl_osf_add_callback(struct net *net, struct sock *ctnl, + if (f->opt_num > ARRAY_SIZE(f->opt)) + return -EINVAL; + ++ for (i = 0; i < f->opt_num; i++) { ++ if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN) ++ return -EINVAL; ++ if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4) ++ return -EINVAL; ++ ++ tot_opt_len += f->opt[i].length; ++ if (tot_opt_len > MAX_IPOPTLEN) ++ return -EINVAL; ++ } ++ + if (!memchr(f->genre, 0, MAXGENRELEN) || + !memchr(f->subtype, 0, MAXGENRELEN) || + !memchr(f->version, 0, MAXGENRELEN)) +-- +2.51.0 + diff --git a/queue-5.10/pm-runtime-fix-a-race-condition-related-to-device-re.patch b/queue-5.10/pm-runtime-fix-a-race-condition-related-to-device-re.patch new file mode 100644 index 0000000000..611d2e11cf --- /dev/null +++ b/queue-5.10/pm-runtime-fix-a-race-condition-related-to-device-re.patch 
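Review bot: `i` is declared `int` while `f->opt_num` (just compared against `ARRAY_SIZE()`) is unsigned, so the loop bound is a signed/unsigned comparison; `unsigned int i;` would match the type being iterated. The per-option `length > MAX_IPOPTLEN` test is not redundant with the running `tot_opt_len` check that follows it — it is what keeps `tot_opt_len += f->opt[i].length` from wrapping on a huge `__u32` length — so it deserves a comment saying so, and the ordering (zero-length test first) matters because a zero length is what drives the NULL `optp` dereference in the log. A header comment on the loop, e.g. `/* validate at add time: nf_osf_match_one() trusts these lengths on the hot path */`, would tie the check to its consumer.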
@@ -0,0 +1,126 @@ +From 42f882f65a6a454331dddf548027c6f25a04da2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 11:27:20 -0700 +Subject: PM: runtime: Fix a race condition related to device removal + +From: Bart Van Assche + +[ Upstream commit 29ab768277617452d88c0607c9299cdc63b6e9ff ] + +The following code in pm_runtime_work() may dereference the dev->parent +pointer after the parent device has been freed: + + /* Maybe the parent is now able to suspend. */ + if (parent && !parent->power.ignore_children) { + spin_unlock(&dev->power.lock); + + spin_lock(&parent->power.lock); + rpm_idle(parent, RPM_ASYNC); + spin_unlock(&parent->power.lock); + + spin_lock(&dev->power.lock); + } + +Fix this by inserting a flush_work() call in pm_runtime_remove(). + +Without this patch blktest block/001 triggers the following complaint +sporadically: + +BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160 +Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081 +Workqueue: pm pm_runtime_work +Call Trace: + + dump_stack_lvl+0x61/0x80 + print_address_description.constprop.0+0x8b/0x310 + print_report+0xfd/0x1d7 + kasan_report+0xd8/0x1d0 + __kasan_check_byte+0x42/0x60 + lock_acquire.part.0+0x38/0x230 + lock_acquire+0x70/0x160 + _raw_spin_lock+0x36/0x50 + rpm_suspend+0xc6a/0xfe0 + rpm_idle+0x578/0x770 + pm_runtime_work+0xee/0x120 + process_one_work+0xde3/0x1410 + worker_thread+0x5eb/0xfe0 + kthread+0x37b/0x480 + ret_from_fork+0x6cb/0x920 + ret_from_fork_asm+0x11/0x20 + + +Allocated by task 4314: + kasan_save_stack+0x2a/0x50 + kasan_save_track+0x18/0x40 + kasan_save_alloc_info+0x3d/0x50 + __kasan_kmalloc+0xa0/0xb0 + __kmalloc_noprof+0x311/0x990 + scsi_alloc_target+0x122/0xb60 [scsi_mod] + __scsi_scan_target+0x101/0x460 [scsi_mod] + scsi_scan_channel+0x179/0x1c0 [scsi_mod] + scsi_scan_host_selected+0x259/0x2d0 [scsi_mod] + store_scan+0x2d2/0x390 [scsi_mod] + dev_attr_store+0x43/0x80 + sysfs_kf_write+0xde/0x140 + kernfs_fop_write_iter+0x3ef/0x670 + 
vfs_write+0x506/0x1470 + ksys_write+0xfd/0x230 + __x64_sys_write+0x76/0xc0 + x64_sys_call+0x213/0x1810 + do_syscall_64+0xee/0xfc0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Freed by task 4314: + kasan_save_stack+0x2a/0x50 + kasan_save_track+0x18/0x40 + kasan_save_free_info+0x3f/0x50 + __kasan_slab_free+0x67/0x80 + kfree+0x225/0x6c0 + scsi_target_dev_release+0x3d/0x60 [scsi_mod] + device_release+0xa3/0x220 + kobject_cleanup+0x105/0x3a0 + kobject_put+0x72/0xd0 + put_device+0x17/0x20 + scsi_device_dev_release+0xacf/0x12c0 [scsi_mod] + device_release+0xa3/0x220 + kobject_cleanup+0x105/0x3a0 + kobject_put+0x72/0xd0 + put_device+0x17/0x20 + scsi_device_put+0x7f/0xc0 [scsi_mod] + sdev_store_delete+0xa5/0x120 [scsi_mod] + dev_attr_store+0x43/0x80 + sysfs_kf_write+0xde/0x140 + kernfs_fop_write_iter+0x3ef/0x670 + vfs_write+0x506/0x1470 + ksys_write+0xfd/0x230 + __x64_sys_write+0x76/0xc0 + x64_sys_call+0x213/0x1810 + +Reported-by: Ming Lei +Closes: https://lore.kernel.org/all/ZxdNvLNI8QaOfD2d@fedora/ +Reported-by: syzbot+6c905ab800f20cf4086c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68c13942.050a0220.2ff435.000b.GAE@google.com/ +Fixes: 5e928f77a09a ("PM: Introduce core framework for run-time PM of I/O devices (rev. 17)") +Signed-off-by: Bart Van Assche +Link: https://patch.msgid.link/20260312182720.2776083-1-bvanassche@acm.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/base/power/runtime.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index d15d033be2c97..ec14c3089e329 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -1776,6 +1776,7 @@ void pm_runtime_reinit(struct device *dev) + void pm_runtime_remove(struct device *dev) + { + __pm_runtime_disable(dev, false); ++ flush_work(&dev->power.work); + pm_runtime_reinit(dev); + } + +-- +2.51.0 + 
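Review bot: The added `flush_work(&dev->power.work);` has no comment tying it to the parent-pointer race described in the message, and a bare flush between disable and reinit is not self-explanatory. Suggest `/* pm_runtime_work() may still dereference dev->parent; drain it before the device or its parent can be released. */`. It is also worth confirming that the preceding `__pm_runtime_disable(dev, false)` prevents the work from being queued again after the flush, and that no caller reaches pm_runtime_remove() with dev->power.lock held, since flush_work() sleeps waiting for pm_runtime_work(), which takes that lock.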
diff --git a/queue-5.10/sched-idle-consolidate-the-handling-of-two-special-c.patch b/queue-5.10/sched-idle-consolidate-the-handling-of-two-special-c.patch
new file mode 100644
index 0000000000..ef360746d7
--- /dev/null
+++ b/queue-5.10/sched-idle-consolidate-the-handling-of-two-special-c.patch
@@ -0,0 +1,133 @@ +From 620927257ecacd1199ea97c69e111508c112404c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 13:25:41 +0100 +Subject: sched: idle: Consolidate the handling of two special cases + +From: Rafael J. Wysocki + +[ Upstream commit f4c31b07b136839e0fb3026f8a5b6543e3b14d2f ] + +There are two special cases in the idle loop that are handled +inconsistently even though they are analogous. + +The first one is when a cpuidle driver is absent and the default CPU +idle time power management implemented by the architecture code is used. +In that case, the scheduler tick is stopped every time before invoking +default_idle_call(). + +The second one is when a cpuidle driver is present, but there is only +one idle state in its table. In that case, the scheduler tick is never +stopped at all. + +Since each of these approaches has its drawbacks, reconcile them with +the help of one simple heuristic. Namely, stop the tick if the CPU has +been woken up by it in the previous iteration of the idle loop, or let +it tick otherwise. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Reviewed-by: Frederic Weisbecker +Reviewed-by: Qais Yousef +Reviewed-by: Aboorva Devarajan +Fixes: ed98c3491998 ("sched: idle: Do not stop the tick before cpuidle_idle_call()") +[ rjw: Added Fixes tag, changelog edits ] +Link: https://patch.msgid.link/4741364.LvFx2qVVIh@rafael.j.wysocki +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + kernel/sched/idle.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c +index 8c38b4fe9ee72..50b18ba9ca9cd 100644 +--- a/kernel/sched/idle.c ++++ b/kernel/sched/idle.c +@@ -158,6 +158,14 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev, + return cpuidle_enter(drv, dev, next_state); + } + ++static void idle_call_stop_or_retain_tick(bool stop_tick) ++{ ++ if (stop_tick || tick_nohz_tick_stopped()) ++ tick_nohz_idle_stop_tick(); ++ else ++ tick_nohz_idle_retain_tick(); ++} ++ + /** + * cpuidle_idle_call - the main idle function + * +@@ -167,7 +175,7 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev, + * set, and it returns with polling set. If it ever stops polling, it + * must clear the polling bit. + */ +-static void cpuidle_idle_call(void) ++static void cpuidle_idle_call(bool stop_tick) + { + struct cpuidle_device *dev = cpuidle_get_device(); + struct cpuidle_driver *drv = cpuidle_get_cpu_driver(dev); +@@ -189,7 +197,7 @@ static void cpuidle_idle_call(void) + */ + + if (cpuidle_not_available(drv, dev)) { +- tick_nohz_idle_stop_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + default_idle_call(); + goto exit_idle; +@@ -224,17 +232,19 @@ static void cpuidle_idle_call(void) + next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns); + call_cpuidle(drv, dev, next_state); + } else if (drv->state_count > 1) { +- bool stop_tick = true; ++ /* ++ * stop_tick is expected to be true by default by cpuidle ++ * governors, which allows them to select idle states with ++ * target residency above the tick period length. ++ */ ++ stop_tick = true; + + /* + * Ask the cpuidle framework to choose a convenient idle state. 
+ */ + next_state = cpuidle_select(drv, dev, &stop_tick); + +- if (stop_tick || tick_nohz_tick_stopped()) +- tick_nohz_idle_stop_tick(); +- else +- tick_nohz_idle_retain_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + entered_state = call_cpuidle(drv, dev, next_state); + /* +@@ -242,7 +252,7 @@ static void cpuidle_idle_call(void) + */ + cpuidle_reflect(dev, entered_state); + } else { +- tick_nohz_idle_retain_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + /* + * If there is only a single idle state (or none), there is +@@ -270,6 +280,7 @@ static void cpuidle_idle_call(void) + static void do_idle(void) + { + int cpu = smp_processor_id(); ++ bool got_tick = false; + + /* + * Check if we need to update blocked load +@@ -312,8 +323,9 @@ static void do_idle(void) + tick_nohz_idle_restart_tick(); + cpu_idle_poll(); + } else { +- cpuidle_idle_call(); ++ cpuidle_idle_call(got_tick); + } ++ got_tick = tick_nohz_idle_got_tick(); + arch_cpu_idle_exit(); + } + +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 5bf27a97d3..d6dad3d184 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
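Review bot: The kernel-doc header of cpuidle_idle_call() is not updated for the new parameter: the hunk changes the signature to `static void cpuidle_idle_call(bool stop_tick)` while the visible tail of the comment block still describes only the polling contract, so kernel-doc will flag the missing entry. Suggest adding `* @stop_tick: stop the tick before idling when no governor is consulted (the caller sets it when the tick was the last wakeup source)` to that block, and a one-line comment on the new idle_call_stop_or_retain_tick() helper stating that an already stopped tick is never restarted here. The middle of that header comment lies between the two hunks, so confirm no parameter line was added there. do_idle()'s loop body also starts before the hunk.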
@@ -198,3 +198,32 @@ alsa-pcm-fix-use-after-free-on-linked-stream-runtime-in-snd_pcm_drain.patch
 smb-client-compare-macs-in-constant-time.patch
 net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch
 staging-rtl8723bs-fix-null-dereference-in-find_network.patch
+soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
+wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
+bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
+bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
+bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
+bluetooth-hidp-fix-possible-uaf.patch
+net-rose-fix-null-pointer-dereference-in-rose_transm.patch
+netfilter-ctnetlink-remove-refcounting-in-expectatio.patch
+netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
+netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
+netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
+netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch
+netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch
+netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
+netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
+netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
+net-bcmgenet-increase-wol-poll-timeout.patch
+sched-idle-consolidate-the-handling-of-two-special-c.patch
+pm-runtime-fix-a-race-condition-related-to-device-re.patch
+net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
+igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch
+wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
+wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
+net-macb-fix-uninitialized-rx_fs_lock.patch
+udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
+net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
+nfnetlink_osf-validate-individual-option-lengths-in-.patch
+net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
+icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
diff --git a/queue-5.10/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch b/queue-5.10/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
new file mode 100644
index 0000000000..48b058c769
--- /dev/null
+++ b/queue-5.10/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
@@ -0,0 +1,92 @@ +From bebc9cba264ce30bcaf9b3ba17ba311978ca203d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 08:25:49 +0100 +Subject: soc: fsl: qbman: fix race condition in qman_destroy_fq + +From: Richard Genoud + +[ Upstream commit 014077044e874e270ec480515edbc1cadb976cf2 ] + +When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between +fq_table[fq->idx] state and freeing/allocating from the pool and +WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. + +Indeed, we can have: + Thread A Thread B + qman_destroy_fq() qman_create_fq() + qman_release_fqid() + qman_shutdown_fq() + gen_pool_free() + -- At this point, the fqid is available again -- + qman_alloc_fqid() + -- so, we can get the just-freed fqid in thread B -- + fq->fqid = fqid; + fq->idx = fqid * 2; + WARN_ON(fq_table[fq->idx]); + fq_table[fq->idx] = fq; + fq_table[fq->idx] = NULL; + +And adding some logs between qman_release_fqid() and +fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more. + +To prevent that, ensure that fq_table[fq->idx] is set to NULL before +gen_pool_free() is called by using smp_wmb(). + +Fixes: c535e923bb97 ("soc/fsl: Introduce DPAA 1.x QMan device driver") +Signed-off-by: Richard Genoud +Tested-by: CHAMPSEIX Thomas +Link: https://lore.kernel.org/r/20251223072549.397625-1-richard.genoud@bootlin.com +Signed-off-by: Christophe Leroy (CS GROUP) +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qbman/qman.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c +index 7abc9b6a04ab6..0309ed2df0d71 100644 +--- a/drivers/soc/fsl/qbman/qman.c ++++ b/drivers/soc/fsl/qbman/qman.c +@@ -1827,6 +1827,8 @@ EXPORT_SYMBOL(qman_create_fq); + + void qman_destroy_fq(struct qman_fq *fq) + { ++ int leaked; ++ + /* + * We don't need to lock the FQ as it is a pre-condition that the FQ be + * quiesced. Instead, run some checks. 
+@@ -1834,11 +1836,29 @@ void qman_destroy_fq(struct qman_fq *fq) + switch (fq->state) { + case qman_fq_state_parked: + case qman_fq_state_oos: +- if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) +- qman_release_fqid(fq->fqid); ++ /* ++ * There's a race condition here on releasing the fqid, ++ * setting the fq_table to NULL, and freeing the fqid. ++ * To prevent it, this order should be respected: ++ */ ++ if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) { ++ leaked = qman_shutdown_fq(fq->fqid); ++ if (leaked) ++ pr_debug("FQID %d leaked\n", fq->fqid); ++ } + + DPAA_ASSERT(fq_table[fq->idx]); + fq_table[fq->idx] = NULL; ++ ++ if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) && !leaked) { ++ /* ++ * fq_table[fq->idx] should be set to null before ++ * freeing fq->fqid otherwise it could by allocated by ++ * qman_alloc_fqid() while still being !NULL ++ */ ++ smp_wmb(); ++ gen_pool_free(qm_fqalloc, fq->fqid | DPAA_GENALLOC_OFF, 1); ++ } + return; + default: + break; +-- +2.51.0 + diff --git a/queue-5.10/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch b/queue-5.10/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch new file mode 100644 index 0000000000..11534c4763 --- /dev/null +++ b/queue-5.10/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch 
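Review bot: `int leaked;` is declared without an initializer and assigned only inside `if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))`; the later read is guarded by the same flag so it is not reached uninitialized, but the two tests are separated by the fq_table update and the compiler cannot see the link, so `int leaked = 0;` is the safer form and avoids a -Wmaybe-uninitialized warning. The `smp_wmb()` before gen_pool_free() orders the two stores on this side only; unless the reader in qman_create_fq() (qman_alloc_fqid() followed by the WARN_ON(fq_table[fq->idx]) quoted in the message) has a matching read barrier or acquire, the ordering may not be observed there, so it is worth confirming and naming the paired read side in the comment. The new comment also has a typo: `could by allocated` should be `could be allocated`. qman_destroy_fq() continues past the hunk.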
@@ -0,0 +1,64 @@ +From 717c37540b63c68b95fc2b18eb5391a94ed0cf50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 18:02:41 -0700 +Subject: udp_tunnel: fix NULL deref caused by udp_sock_create6 when + CONFIG_IPV6=n + +From: Xiang Mei + +[ Upstream commit b3a6df291fecf5f8a308953b65ca72b7fc9e015d ] + +When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 +(success) without actually creating a socket. Callers such as +fou_create() then proceed to dereference the uninitialized socket +pointer, resulting in a NULL pointer dereference. + +The captured NULL deref crash: + BUG: kernel NULL pointer dereference, address: 0000000000000018 + RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764) + [...] + Call Trace: + + genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114) + genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209) + [...] + netlink_rcv_skb (net/netlink/af_netlink.c:2550) + genl_rcv (net/netlink/genetlink.c:1219) + netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) + netlink_sendmsg (net/netlink/af_netlink.c:1894) + __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1)) + __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1)) + __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1)) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) + entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130) + +This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so +callers correctly take their error paths. There is only one caller of +the vulnerable function and only privileged users can trigger it. 
+ +Fixes: fd384412e199b ("udp_tunnel: Seperate ipv6 functions into its own file.") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260317010241.1893893-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/udp_tunnel.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h +index 24ece06bad9ef..97a739c21f1f8 100644 +--- a/include/net/udp_tunnel.h ++++ b/include/net/udp_tunnel.h +@@ -47,7 +47,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, + static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, + struct socket **sockp) + { +- return 0; ++ return -EPFNOSUPPORT; + } + #endif + +-- +2.51.0 + diff --git a/queue-5.10/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch b/queue-5.10/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch new file mode 100644 index 0000000000..f116c56cf9 --- /dev/null +++ b/queue-5.10/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch 
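Review bot: The stub now fails but leaves `*sockp` untouched, and nothing in the header says so; a one-line comment would make the contract explicit, e.g. `/* No IPv6 support: fail without touching *sockp so callers take their error path. */`. An unsupported address family is normally reported as -EAFNOSUPPORT by socket creation, so if any caller or test compares the errno it is worth confirming that -EPFNOSUPPORT is the intended value and that udp_sock_create() callers see one consistent code for both families.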
@@ -0,0 +1,51 @@ +From 977d9797a52ca13070255a1410548206c5872985 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 21:36:59 +0530 +Subject: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down + +From: Peddolla Harshavardhan Reddy + +[ Upstream commit 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 ] + +When the nl80211 socket that originated a PMSR request is +closed, cfg80211_release_pmsr() sets the request's nl_portid +to zero and schedules pmsr_free_wk to process the abort +asynchronously. If the interface is concurrently torn down +before that work runs, cfg80211_pmsr_wdev_down() calls +cfg80211_pmsr_process_abort() directly. However, the already- +scheduled pmsr_free_wk work item remains pending and may run +after the interface has been removed from the driver. This +could cause the driver's abort_pmsr callback to operate on a +torn-down interface, leading to undefined behavior and +potential crashes. + +Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down() +before calling cfg80211_pmsr_process_abort(). This ensures any +pending or in-progress work is drained before interface teardown +proceeds, preventing the work from invoking the driver abort +callback after the interface is gone. + +Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API") +Signed-off-by: Peddolla Harshavardhan Reddy +Link: https://patch.msgid.link/20260305160712.1263829-3-peddolla.reddy@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/pmsr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c +index 7503c7dd71ab5..32cea07b98fd1 100644 +--- a/net/wireless/pmsr.c ++++ b/net/wireless/pmsr.c +@@ -620,6 +620,7 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev) + } + spin_unlock_bh(&wdev->pmsr_lock); + ++ cancel_work_sync(&wdev->pmsr_free_wk); + if (found) + cfg80211_pmsr_process_abort(wdev); + +-- +2.51.0 + 
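Review bot: `cancel_work_sync(&wdev->pmsr_free_wk);` is correctly placed after `spin_unlock_bh(&wdev->pmsr_lock);` since it can sleep, but it runs unconditionally and without explanation; a short comment would record why, e.g. `/* cfg80211_release_pmsr() may have queued pmsr_free_wk; drain it so its abort path cannot run on a torn-down interface. */`. Because cancelling a not-yet-started work item skips its body entirely, it is worth confirming that every request the work would have processed (nl_portid already zeroed) is also handled by the loop above that computes `found`, otherwise those requests would leak. That loop and the start of cfg80211_pmsr_wdev_down() are outside the hunk.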
diff --git a/queue-5.10/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch b/queue-5.10/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
new file mode 100644
index 0000000000..4d35c667a0
--- /dev/null
+++ b/queue-5.10/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
@@ -0,0 +1,81 @@ +From 3eda2e0b1b17c07a70d12351c2dda1592130c701 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 20:42:44 -0700 +Subject: wifi: mac80211: fix NULL deref in mesh_matches_local() + +From: Xiang Mei + +[ Upstream commit c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd ] + +mesh_matches_local() unconditionally dereferences ie->mesh_config to +compare mesh configuration parameters. When called from +mesh_rx_csa_frame(), the parsed action-frame elements may not contain a +Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a +kernel NULL pointer dereference. + +The other two callers are already safe: + - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before + calling mesh_matches_local() + - mesh_plink_get_event() is only reached through + mesh_process_plink_frame(), which checks !elems->mesh_config, too + +mesh_rx_csa_frame() is the only caller that passes raw parsed elements +to mesh_matches_local() without guarding mesh_config. An adjacent +attacker can exploit this by sending a crafted CSA action frame that +includes a valid Mesh ID IE but omits the Mesh Configuration IE, +crashing the kernel. + +The captured crash log: + +Oops: general protection fault, probably for non-canonical address ... +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +Workqueue: events_unbound cfg80211_wiphy_work +[...] +Call Trace: + + ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65) + ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686) + [...] + ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802) + [...] + cfg80211_wiphy_work (net/wireless/core.c:426) + process_one_work (net/kernel/workqueue.c:3280) + ? assign_work (net/kernel/workqueue.c:1219) + worker_thread (net/kernel/workqueue.c:3352) + ? __pfx_worker_thread (net/kernel/workqueue.c:3385) + kthread (net/kernel/kthread.c:436) + [...] 
+ ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255) + + +This patch adds a NULL check for ie->mesh_config at the top of +mesh_matches_local() to return false early when the Mesh Configuration +IE is absent. + +Fixes: 2e3c8736820b ("mac80211: support functions for mesh") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260318034244.2595020-1-xmei5@asu.edu +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c +index 20b8ff83e3dbd..4b09cd19c4e04 100644 +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -75,6 +75,9 @@ bool mesh_matches_local(struct ieee80211_sub_if_data *sdata, + * - MDA enabled + * - Power management control on fc + */ ++ if (!ie->mesh_config) ++ return false; ++ + if (!(ifmsh->mesh_id_len == ie->mesh_id_len && + memcmp(ifmsh->mesh_id, ie->mesh_id, ie->mesh_id_len) == 0 && + (ifmsh->mesh_pp_id == ie->mesh_config->meshconf_psel) && +-- +2.51.0 + diff --git a/queue-5.10/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch b/queue-5.10/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch new file mode 100644 index 0000000000..a427381494 --- /dev/null +++ b/queue-5.10/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch 
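Review bot: The new `if (!ie->mesh_config) return false;` lands right after the comment block that enumerates the matching criteria, with nothing explaining why the element may be absent; a one-liner such as `/* A CSA action frame may carry a Mesh ID but no Mesh Configuration element. */` keeps the reason with the check. The condition that follows also dereferences `ie->mesh_id` through memcmp(); if the element parser can leave it NULL while `ie->mesh_id_len` is nonzero, the same early return should cover it — worth confirming against the parser. mesh_matches_local() continues outside the hunk.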
@@ -0,0 +1,54 @@ +From 0004147312f909cd1b0002bd36f5aef58a368d26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 23:46:36 -0700 +Subject: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not + enough headroom + +From: Guenter Roeck + +[ Upstream commit deb353d9bb009638b7762cae2d0b6e8fdbb41a69 ] + +Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom +before skb_push"), wl1271_tx_allocate() and with it +wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails. +However, in wlcore_tx_work_locked(), a return value of -EAGAIN from +wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being +full. This causes the code to flush the buffer, put the skb back at the +head of the queue, and immediately retry the same skb in a tight while +loop. + +Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens +immediately with GFP_ATOMIC, this will result in an infinite loop and a +CPU soft lockup. Return -ENOMEM instead so the packet is dropped and +the loop terminates. + +The problem was found by an experimental code review agent based on +gemini-3.1-pro while reviewing backports into v6.18.y. 
+ +Assisted-by: Gemini:gemini-3.1-pro +Fixes: e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push") +Cc: Peter Astrand +Signed-off-by: Guenter Roeck +Link: https://patch.msgid.link/20260318064636.3065925-1-linux@roeck-us.net +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wlcore/tx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c +index e86cc3425e997..ac1411db8e5a8 100644 +--- a/drivers/net/wireless/ti/wlcore/tx.c ++++ b/drivers/net/wireless/ti/wlcore/tx.c +@@ -213,7 +213,7 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif, + if (skb_headroom(skb) < (total_len - skb->len) && + pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) { + wl1271_free_tx_id(wl, id); +- return -EAGAIN; ++ return -ENOMEM; + } + desc = skb_push(skb, total_len - skb->len); + +-- +2.51.0 + diff --git a/queue-5.15/acpi-processor-fix-previous-acpi_processor_errata_pi.patch b/queue-5.15/acpi-processor-fix-previous-acpi_processor_errata_pi.patch new file mode 100644 index 0000000000..5d46059f0b --- /dev/null +++ b/queue-5.15/acpi-processor-fix-previous-acpi_processor_errata_pi.patch 
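Review bot: The `return -ENOMEM;` line carries no hint that the choice of errno is load-bearing, and a later cleanup could easily restore -EAGAIN; a comment at the return, e.g. `/* Not -EAGAIN: the caller treats that as "aggregation buffer full" and retries the same skb indefinitely. */`, would pin the contract. It is also worth checking that wlcore_tx_work_locked() counts or logs the frame on the -ENOMEM path, since the skb is now dropped rather than retried. wl1271_tx_allocate() begins and ends outside the hunk.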
@@ -0,0 +1,74 @@ +From f325ba94494d32ab9b4082de067ae32076245fb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 21:39:05 +0100 +Subject: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix + +From: Rafael J. Wysocki + +[ Upstream commit bf504b229cb8d534eccbaeaa23eba34c05131e25 ] + +After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference +in acpi_processor_errata_piix4()"), device pointers may be dereferenced +after dropping references to the device objects pointed to by them, +which may cause a use-after-free to occur. + +Moreover, debug messages about enabling the errata may be printed +if the errata flags corresponding to them are unset. + +Address all of these issues by moving message printing to the points +in the code where the errata flags are set. + +Fixes: f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()") +Reported-by: Guenter Roeck +Closes: https://lore.kernel.org/linux-acpi/938e2206-def5-4b7a-9b2c-d1fd37681d8a@roeck-us.net/ +Reviewed-by: Guenter Roeck +Signed-off-by: Rafael J. 
Wysocki +Link: https://patch.msgid.link/5975693.DvuYhMxLoT@rafael.j.wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_processor.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c +index 669398045c0fd..07acdaee6ce5c 100644 +--- a/drivers/acpi/acpi_processor.c ++++ b/drivers/acpi/acpi_processor.c +@@ -96,6 +96,10 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev) + PCI_ANY_ID, PCI_ANY_ID, NULL); + if (ide_dev) { + errata.piix4.bmisx = pci_resource_start(ide_dev, 4); ++ if (errata.piix4.bmisx) ++ dev_dbg(&ide_dev->dev, ++ "Bus master activity detection (BM-IDE) erratum enabled\n"); ++ + pci_dev_put(ide_dev); + } + +@@ -114,20 +118,17 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev) + if (isa_dev) { + pci_read_config_byte(isa_dev, 0x76, &value1); + pci_read_config_byte(isa_dev, 0x77, &value2); +- if ((value1 & 0x80) || (value2 & 0x80)) ++ if ((value1 & 0x80) || (value2 & 0x80)) { + errata.piix4.fdma = 1; ++ dev_dbg(&isa_dev->dev, ++ "Type-F DMA livelock erratum (C3 disabled)\n"); ++ } + pci_dev_put(isa_dev); + } + + break; + } + +- if (ide_dev) +- dev_dbg(&ide_dev->dev, "Bus master activity detection (BM-IDE) erratum enabled\n"); +- +- if (isa_dev) +- dev_dbg(&isa_dev->dev, "Type-F DMA livelock erratum (C3 disabled)\n"); +- + return 0; + } + +-- +2.51.0 + diff --git a/queue-5.15/bluetooth-hidp-fix-possible-uaf.patch b/queue-5.15/bluetooth-hidp-fix-possible-uaf.patch new file mode 100644 index 0000000000..52d3e87b3b --- /dev/null +++ b/queue-5.15/bluetooth-hidp-fix-possible-uaf.patch 
@@ -0,0 +1,237 @@ +From 876f741c9b42a51437c961bd87442fb82243f439 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 10:17:47 -0500 +Subject: Bluetooth: HIDP: Fix possible UAF + +From: Luiz Augusto von Dentz + +[ Upstream commit dbf666e4fc9bdd975a61bf682b3f75cb0145eedd ] + +This fixes the following trace caused by not dropping l2cap_conn +reference when user->remove callback is called: + +[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00 +[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 97.809947] Call Trace: +[ 97.809954] +[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122) +[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808) +[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798) +[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1)) +[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341) +[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2)) +[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360) +[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285) +[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5)) +[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810290] ? 
rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752) +[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716) +[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691) +[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678) +[ 97.810404] __fput (fs/file_table.c:470) +[ 97.810430] task_work_run (kernel/task_work.c:235) +[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201) +[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5)) +[ 97.810527] do_exit (kernel/exit.c:972) +[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897) +[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6)) +[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4)) +[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 97.810721] do_group_exit (kernel/exit.c:1093) +[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1)) +[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366) +[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810826] ? vfs_read (fs/read_write.c:555) +[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800) +[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810905] ? 
__pfx_vfs_read (fs/read_write.c:555) +[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810960] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1)) +[ 97.810990] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334) +[ 97.811021] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811055] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811078] ? ksys_read (fs/read_write.c:707) +[ 97.811106] ? __pfx_ksys_read (fs/read_write.c:707) +[ 97.811137] exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98) +[ 97.811169] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752) +[ 97.811192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811215] ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33)) +[ 97.811240] do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100) +[ 97.811268] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811292] ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3)) +[ 97.811318] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +[ 97.811338] RIP: 0033:0x445cfe +[ 97.811352] Code: Unable to access opcode bytes at 0x445cd4. 
+ +Code starting with the faulting instruction +=========================================== +[ 97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 +[ 97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe +[ 97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004 +[ 97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000 +[ 97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8 +[ 97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0 +[ 97.811453] +[ 98.402453] ================================================================== +[ 98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430 +[ 98.405361] +[ 98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 98.405600] Call Trace: +[ 98.405607] +[ 98.405614] dump_stack_lvl (lib/dump_stack.c:122) +[ 98.405641] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) +[ 98.405667] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.405691] ? __virt_addr_valid (arch/x86/mm/physaddr.c:55) +[ 98.405724] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405748] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597) +[ 98.405778] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405807] __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405832] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4)) +[ 98.405859] ? 
l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.405888] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114) +[ 98.405915] ? __pfx___mutex_lock (kernel/locking/mutex.c:775) +[ 98.405939] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.405963] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6)) +[ 98.405984] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.406015] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406038] ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875) +[ 98.406061] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406085] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194) +[ 98.406107] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406130] ? __timer_delete_sync (kernel/time/timer.c:1592) +[ 98.406158] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.406186] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406210] l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.406263] hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305) +[ 98.406293] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.406323] ? kthread (kernel/kthread.c:433) +[ 98.406340] ? 
__pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.406370] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406393] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.406424] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.406453] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406476] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1)) +[ 98.406499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406523] ? kthread (kernel/kthread.c:433) +[ 98.406539] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406565] ? kthread (kernel/kthread.c:433) +[ 98.406581] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.406610] kthread (kernel/kthread.c:467) +[ 98.406627] ? __pfx_kthread (kernel/kthread.c:412) +[ 98.406645] ret_from_fork (arch/x86/kernel/process.c:164) +[ 98.406674] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153) +[ 98.406704] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406728] ? 
__pfx_kthread (kernel/kthread.c:412) +[ 98.406747] ret_from_fork_asm (arch/x86/entry/entry_64.S:258) +[ 98.406774] +[ 98.406780] +[ 98.433693] The buggy address belongs to the physical page: +[ 98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4 +[ 98.435557] flags: 0x200000000000000(node=0|zone=2) +[ 98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000 +[ 98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000 +[ 98.438115] page dumped because: kasan: bad access detected +[ 98.438951] +[ 98.439211] Memory state around the buggy address: +[ 98.439871] ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 98.440714] ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.442458] ^ +[ 98.443011] ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.443889] ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.444768] ================================================================== +[ 98.445719] Disabling lock debugging due to kernel taint +[ 98.448074] l2cap_conn_free: freeing conn ffff88810c22b400 +[ 98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G B 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 98.450040] Tainted: [B]=BAD_PAGE +[ 98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 98.450059] Call Trace: +[ 98.450065] +[ 98.450071] dump_stack_lvl (lib/dump_stack.c:122) +[ 98.450099] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808) +[ 98.450125] l2cap_conn_put (net/bluetooth/l2cap_core.c:1822) +[ 98.450154] session_free (net/bluetooth/hidp/core.c:990) +[ 98.450181] hidp_session_thread (net/bluetooth/hidp/core.c:1307) +[ 98.450213] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.450271] ? 
kthread (kernel/kthread.c:433) +[ 98.450293] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.450339] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450368] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.450406] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.450442] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450471] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1)) +[ 98.450499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450528] ? kthread (kernel/kthread.c:433) +[ 98.450547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450578] ? kthread (kernel/kthread.c:433) +[ 98.450598] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.450637] kthread (kernel/kthread.c:467) +[ 98.450657] ? __pfx_kthread (kernel/kthread.c:412) +[ 98.450680] ret_from_fork (arch/x86/kernel/process.c:164) +[ 98.450715] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153) +[ 98.450752] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450782] ? 
__pfx_kthread (kernel/kthread.c:412) +[ 98.450804] ret_from_fork_asm (arch/x86/entry/entry_64.S:258) +[ 98.450836] + +Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers") +Reported-by: soufiane el hachmi +Tested-by: soufiane el hachmi +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hidp/core.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c +index 8ff45fb6f7007..968c02903ab49 100644 +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -987,7 +987,8 @@ static void session_free(struct kref *ref) + skb_queue_purge(&session->intr_transmit); + fput(session->intr_sock->file); + fput(session->ctrl_sock->file); +- l2cap_conn_put(session->conn); ++ if (session->conn) ++ l2cap_conn_put(session->conn); + kfree(session); + } + +@@ -1165,6 +1166,15 @@ static void hidp_session_remove(struct l2cap_conn *conn, + + down_write(&hidp_session_sem); + ++ /* Drop L2CAP reference immediately to indicate that ++ * l2cap_unregister_user() shall not be called as it is already ++ * considered removed. ++ */ ++ if (session->conn) { ++ l2cap_conn_put(session->conn); ++ session->conn = NULL; ++ } ++ + hidp_session_terminate(session); + + cancel_work_sync(&session->dev_init); +@@ -1302,7 +1312,9 @@ static int hidp_session_thread(void *arg) + * Instead, this call has the same semantics as if user-space tried to + * delete the session. + */ +- l2cap_unregister_user(session->conn, &session->user); ++ if (session->conn) ++ l2cap_unregister_user(session->conn, &session->user); ++ + hidp_session_put(session); + + module_put_and_kthread_exit(0); +-- +2.51.0 + diff --git a/queue-5.15/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch b/queue-5.15/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch new file mode 100644 index 0000000000..fcdef09cdb --- /dev/null 
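Review bot: The `if (session->conn)` guard added before l2cap_unregister_user() in hidp_session_thread() reads the pointer with no lock, while hidp_session_remove() clears it and drops the reference under down_write(&hidp_session_sem); if the thread is leaving because of a user-space delete while the HCI link is torn down at the same time, it can still see a non-NULL conn, lose the race to remove(), and hand the freed connection to l2cap_unregister_user(), which is precisely the __mutex_lock use-after-free shown in the trace. Serialising with the semaphore in the thread is not an option because l2cap_unregister_user() calls back into hidp_session_remove(), which takes it for writing. The window can be closed without a lock by transferring ownership atomically: both sides do `conn = xchg(&session->conn, NULL)` (a `struct l2cap_conn *conn` local in each function) and only the side that got a non-NULL value puts it, so the thread keeps the connection alive across the unregister while remove() finds NULL and skips its put; the `if (session->conn)` test added to session_free() stays valid since the field is always NULL by then. This assumes nothing after this point in the thread still reads session->conn; the rest of all three functions lies outside the hunk.
```c
/* hidp_session_remove(): hand the L2CAP reference over atomically */
	down_write(&hidp_session_sem);

	conn = xchg(&session->conn, NULL);	/* whoever clears it owns the put */
	if (conn)
		l2cap_conn_put(conn);

	hidp_session_terminate(session);
	/* … unchanged: cancel_work_sync(&session->dev_init) … */

/* hidp_session_thread(): keep the conn alive across the unregister */
	conn = xchg(&session->conn, NULL);
	if (conn) {
		l2cap_unregister_user(conn, &session->user);
		l2cap_conn_put(conn);	/* remove() saw NULL and skipped its put */
	}

	hidp_session_put(session);
```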
+++ b/queue-5.15/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch @@ -0,0 +1,55 @@ +From 5564dd59f533d3f73bbe3df99733f734f70441c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 18:07:25 +0100 +Subject: Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU + +From: Christian Eggers + +[ Upstream commit e1d9a66889867c232657a9b6f25d451d7c3ab96f ] + +Core 6.0, Vol 3, Part A, 3.4.3: +"If the SDU length field value exceeds the receiver's MTU, the receiver +shall disconnect the channel..." + +This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P +0x0027 -V le_public -I 100'). + +Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly") +Signed-off-by: Christian Eggers +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 740b5468f6dc8..601a4d9e4cdde 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -7629,8 +7629,10 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) + return -ENOBUFS; + } + +- if (chan->imtu < skb->len) { +- BT_ERR("Too big LE L2CAP PDU"); ++ if (skb->len > chan->imtu) { ++ BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len, ++ chan->imtu); ++ l2cap_send_disconn_req(chan, ECONNRESET); + return -ENOBUFS; + } + +@@ -7655,7 +7657,9 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) + sdu_len, skb->len, chan->imtu); + + if (sdu_len > chan->imtu) { +- BT_ERR("Too big LE L2CAP SDU length received"); ++ BT_ERR("Too big LE L2CAP SDU length: len %u > %u", ++ skb->len, sdu_len); ++ l2cap_send_disconn_req(chan, ECONNRESET); + err = -EMSGSIZE; + goto failed; + } +-- +2.51.0 + 
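Review bot: The new error message in the `sdu_len > chan->imtu` branch prints the wrong pair of values: the format reads `len %u > %u` but the arguments are `skb->len, sdu_len`, whereas the condition compares the SDU length with the IMTU, so the log would say something like `len 23 > 1000` for a packet rejected because 1000 exceeds a 672-byte IMTU. It should be `BT_ERR("Too big LE L2CAP SDU length: len %u > %u", sdu_len, chan->imtu);`, mirroring the `skb->len, chan->imtu` pair used by the sibling check a few lines up. The rest of l2cap_ecred_data_rcv(), including the `failed:` label, lies outside the hunk.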
diff --git a/queue-5.15/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch b/queue-5.15/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch new file mode 100644 index 0000000000..5c10fcbc28 --- /dev/null +++ b/queue-5.15/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch @@ -0,0 +1,39 @@ +From d440c8d7d5eba69e87419acd7b91e0557de8fd0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 18:07:27 +0100 +Subject: Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU + +From: Christian Eggers + +[ Upstream commit b6a2bf43aa37670432843bc73ae2a6288ba4d6f8 ] + +Core 6.0, Vol 3, Part A, 3.4.3: +"... If the sum of the payload sizes for the K-frames exceeds the +specified SDU length, the receiver shall disconnect the channel." + +This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P +0x0027 -V le_public'). + +Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly") +Signed-off-by: Christian Eggers +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 601a4d9e4cdde..5010c200b2c41 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -7695,6 +7695,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) + + if (chan->sdu->len + skb->len > chan->sdu_len) { + BT_ERR("Too much LE L2CAP data received"); ++ l2cap_send_disconn_req(chan, ECONNRESET); + err = -EINVAL; + goto failed; + } +-- +2.51.0 + diff --git a/queue-5.15/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch b/queue-5.15/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch new file mode 100644 index 0000000000..14235c51bb --- /dev/null +++ b/queue-5.15/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch 
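Review bot: `BT_ERR("Too much LE L2CAP data received")` now tears down a peer's channel but is the one size check in l2cap_ecred_data_rcv() that does not say which values tripped it, while the other length checks in this function (see the preceding patch in this series) print `len %u > %u`. For consistent diagnostics of a disconnect that a remote device can trigger, carry the same evidence: `BT_ERR("Too much LE L2CAP data received: %u + %u > %u", chan->sdu->len, skb->len, chan->sdu_len);`. The enclosing function starts and ends outside the hunk.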
@@ -0,0 +1,46 @@
+From 3004bb7ec05c78062ae6188917b76d2e4ab9af18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Mar 2026 01:02:57 +0200
+Subject: Bluetooth: qca: fix ROM version reading on WCN3998 chips
+
+From: Dmitry Baryshkov
+
+[ Upstream commit 99b2c531e0e797119ae1b9195a8764ee98b00e65 ]
+
+WCN3998 uses a bit different format for rom version:
+
+[ 5.479978] Bluetooth: hci0: setting up wcn399x
+[ 5.633763] Bluetooth: hci0: QCA Product ID :0x0000000a
+[ 5.645350] Bluetooth: hci0: QCA SOC Version :0x40010224
+[ 5.650906] Bluetooth: hci0: QCA ROM Version :0x00001001
+[ 5.665173] Bluetooth: hci0: QCA Patch Version:0x00006699
+[ 5.679356] Bluetooth: hci0: QCA controller version 0x02241001
+[ 5.691109] Bluetooth: hci0: QCA Downloading qca/crbtfw21.tlv
+[ 6.680102] Bluetooth: hci0: QCA Downloading qca/crnv21.bin
+[ 6.842948] Bluetooth: hci0: QCA setup on UART is completed
+
+Fixes: 523760b7ff88 ("Bluetooth: hci_qca: Added support for WCN3998")
+Reviewed-by: Bartosz Golaszewski
+Signed-off-by: Dmitry Baryshkov
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btqca.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index 78244d53dbe0f..25e98ce4a5af9 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -677,6 +677,8 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+ */
+ if (soc_type == QCA_WCN3988)
+ rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f);
++ else if (soc_type == QCA_WCN3998)
++ rom_ver = ((soc_ver & 0x0000f000) >> 0x07) | (soc_ver & 0x0000000f);
+ else
+ rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f);
+
+--
+2.51.0
+
diff --git a/queue-5.15/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch b/queue-5.15/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
new file mode 100644
index 0000000000..e89b23b0fe
--- /dev/null
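Review bot: The WCN3998 line adds a third undocumented mask-and-shift recipe beside the WCN3988 and default ones, and nothing in the code says which bit fields of `soc_ver` hold the ROM major/minor on this chip; only the log in the commit message (controller version 0x02241001 selecting crbtfw21.tlv) lets a reader work out that bits 15:12 are shifted down by 7 and OR'ed with bits 3:0 (0x1001 -> 0x21). A one-line comment above the new `else if`, e.g. `/* WCN3998: ROM major in soc_ver bits 15:12, minor in bits 3:0 (0x1001 -> 0x21) */`, would spare the next reader the arithmetic. The enclosing qca_uart_setup() body continues outside the hunk.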
+++ b/queue-5.15/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
@@ -0,0 +1,36 @@
+From 9656bce0b7a9a22393ff745ab4cd0deb3ea9e050 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Feb 2026 18:07:28 +0100
+Subject: Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
+
+From: Christian Eggers
+
+[ Upstream commit 0e4d4dcc1a6e82cc6f9abf32193558efa7e1613d ]
+
+The last test step ("Test with Invalid public key X and Y, all set to
+0") expects to get an "DHKEY check failed" instead of "unspecified".
+
+Fixes: 6d19628f539f ("Bluetooth: SMP: Fail if remote and local public keys are identical")
+Signed-off-by: Christian Eggers
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index d1ba41153b66a..1621c24aebf88 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2737,7 +2737,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
+ if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
+ !crypto_memneq(key, smp->local_pk, 64)) {
+ bt_dev_err(hdev, "Remote and local public keys are identical");
+- return SMP_UNSPECIFIED;
++ return SMP_DHKEY_CHECK_FAILED;
+ }
+
+ memcpy(smp->remote_pk, key, 64);
+--
+2.51.0
+
diff --git a/queue-5.15/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch b/queue-5.15/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch
new file mode 100644
index 0000000000..256f409fab
--- /dev/null
+++ b/queue-5.15/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch
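Review bot: Returning SMP_DHKEY_CHECK_FAILED from smp_cmd_public_key() is surprising on its own, because at the point where the remote key is compared against `smp->local_pk` no DHKey Check has been exchanged yet, and a reader of the source alone cannot tell why this reason code rather than SMP_UNSPECIFIED is the right one for an identical (or otherwise invalid) public key. The rationale lives only in the commit message; a comment on the return, e.g. `/* SM/PER/KDU/BI-04-C expects "DHKey Check Failed" for an invalid remote public key */`, would carry it into the code. The enclosing function starts and ends outside the hunk.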
@@ -0,0 +1,38 @@
+From b4df6b88cad204631b07b77d5ea64d5c672265f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Mar 2026 08:33:21 +0800
+Subject: btrfs: tree-checker: fix misleading root drop_level error message
+
+From: ZhengYuan Huang
+
+[ Upstream commit fc1cd1f18c34f91e78362f9629ab9fd43b9dcab9 ]
+
+Fix tree-checker error message to report "invalid root drop_level"
+instead of the misleading "invalid root level".
+
+Fixes: 259ee7754b67 ("btrfs: tree-checker: Add ROOT_ITEM check")
+Reviewed-by: Qu Wenruo
+Signed-off-by: ZhengYuan Huang
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/tree-checker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
+index 86042c1f89f0b..b0afa47032104 100644
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -1183,7 +1183,7 @@ static int check_root_item(struct extent_buffer *leaf, struct btrfs_key *key,
+ }
+ if (unlikely(btrfs_root_drop_level(&ri) >= BTRFS_MAX_LEVEL)) {
+ generic_err(leaf, slot,
+- "invalid root level, have %u expect [0, %u]",
++ "invalid root drop_level, have %u expect [0, %u]",
+ btrfs_root_drop_level(&ri), BTRFS_MAX_LEVEL - 1);
+ return -EUCLEAN;
+ }
+--
+2.51.0
+
diff --git a/queue-5.15/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch b/queue-5.15/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch
new file mode 100644
index 0000000000..a6e39d9f20
--- /dev/null
+++ b/queue-5.15/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch
@@ -0,0 +1,58 @@ +From 6710d1ce574000293941adf93e42ca1c6993ef77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 21:08:19 +0800 +Subject: firmware: arm_scpi: Fix device_node reference leak in probe path + +From: Felix Gu + +[ Upstream commit 879c001afbac3df94160334fe5117c0c83b2cf48 ] + +A device_node reference obtained from the device tree is not released +on all error paths in the arm_scpi probe path. Specifically, a node +returned by of_parse_phandle() could be leaked when the probe failed +after the node was acquired. The probe function returns early and +the shmem reference is not released. + +Use __free(device_node) scope-based cleanup to automatically release +the reference when the variable goes out of scope. + +Fixes: ed7ecb883901 ("firmware: arm_scpi: Add compatibility checks for shmem node") +Signed-off-by: Felix Gu +Message-Id: <20260121-arm_scpi_2-v2-1-702d7fa84acb@gmail.com> +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scpi.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c +index 3de25e9d18ef8..2d85e783ae267 100644 +--- a/drivers/firmware/arm_scpi.c ++++ b/drivers/firmware/arm_scpi.c +@@ -18,6 +18,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -945,13 +946,13 @@ static int scpi_probe(struct platform_device *pdev) + int idx = scpi_drvinfo->num_chans; + struct scpi_chan *pchan = scpi_drvinfo->channels + idx; + struct mbox_client *cl = &pchan->cl; +- struct device_node *shmem = of_parse_phandle(np, "shmem", idx); ++ struct device_node *shmem __free(device_node) = ++ of_parse_phandle(np, "shmem", idx); + + if (!of_match_node(shmem_of_match, shmem)) + return -ENXIO; + + ret = of_address_to_resource(shmem, 0, &res); +- of_node_put(shmem); + if (ret) { + dev_err(dev, "failed to get SCPI payload mem resource\n"); + return ret; +-- +2.51.0 + 
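Review bot: This backport into queue-5.15 depends on the scope-based cleanup infrastructure: the added `#include` (its name is lost in this rendering, but the commit text says `__free(device_node)`) and the `__free(device_node)` declaration need `<linux/cleanup.h>` and the `DEFINE_FREE(device_node, ...)` from `<linux/of.h>`, which to my knowledge landed in mainline well after 5.15, so unless they have been backported to this tree the patch will not build here. The stable-safe fix is the two-line one that keeps the existing of_parse_phandle()/of_node_put() pairing: `if (!of_match_node(shmem_of_match, shmem)) {` `of_node_put(shmem);` `return -ENXIO;` `}`, leaving the later `of_node_put(shmem);` after of_address_to_resource() in place instead of removing it. The enclosing scpi_probe() loop starts and ends outside the hunk.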
diff --git a/queue-5.15/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch b/queue-5.15/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch new file mode 100644 index 0000000000..e3c343e547 --- /dev/null +++ b/queue-5.15/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch 
@@ -0,0 +1,68 @@ +From c6c4165954193e4ecd3e7daf6cc23d3b90cb10c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 21:06:01 +0800 +Subject: icmp: fix NULL pointer dereference in icmp_tag_validation() + +From: Weiming Shi + +[ Upstream commit 614aefe56af8e13331e50220c936fc0689cf5675 ] + +icmp_tag_validation() unconditionally dereferences the result of +rcu_dereference(inet_protos[proto]) without checking for NULL. +The inet_protos[] array is sparse -- only about 15 of 256 protocol +numbers have registered handlers. When ip_no_pmtu_disc is set to 3 +(hardened PMTU mode) and the kernel receives an ICMP Fragmentation +Needed error with a quoted inner IP header containing an unregistered +protocol number, the NULL dereference causes a kernel panic in +softirq context. + + Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI + KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] + RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) + Call Trace: + + icmp_rcv (net/ipv4/icmp.c:1527) + ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) + ip_local_deliver_finish (net/ipv4/ip_input.c:242) + ip_local_deliver (net/ipv4/ip_input.c:262) + ip_rcv (net/ipv4/ip_input.c:573) + __netif_receive_skb_one_core (net/core/dev.c:6164) + process_backlog (net/core/dev.c:6628) + handle_softirqs (kernel/softirq.c:561) + + +Add a NULL check before accessing icmp_strict_tag_validation. If the +protocol has no registered handler, return false since it cannot +perform strict tag validation. 
+ +Fixes: 8ed1dc44d3e9 ("ipv4: introduce hardened ip_no_pmtu_disc mode") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Link: https://patch.msgid.link/20260318130558.1050247-4-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 8a70e51654264..0215e2510670a 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -845,10 +845,12 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info) + + static bool icmp_tag_validation(int proto) + { ++ const struct net_protocol *ipprot; + bool ok; + + rcu_read_lock(); +- ok = rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation; ++ ipprot = rcu_dereference(inet_protos[proto]); ++ ok = ipprot ? ipprot->icmp_strict_tag_validation : false; + rcu_read_unlock(); + return ok; + } +-- +2.51.0 + diff --git a/queue-5.15/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch b/queue-5.15/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch new file mode 100644 index 0000000000..dc34f61d4f --- /dev/null +++ b/queue-5.15/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch 
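Review bot: The ternary `ok = ipprot ? ipprot->icmp_strict_tag_validation : false;` reads more directly as the plain boolean `ok = ipprot && ipprot->icmp_strict_tag_validation;`, which states the rule it implements (no registered handler means no strict validation) without a literal `false`. Since `proto` comes from the quoted inner IP header of a received ICMP error, a one-line comment on why the table entry can be NULL would also help the next reader, e.g. `/* inet_protos[] is sparse; the quoted inner header may name an unregistered protocol */`. icmp_tag_validation() is fully visible in the hunk, so this is the whole change.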
@@ -0,0 +1,45 @@
+From 2655eb95645c5e359b538b5346c4d2fba30b0c69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 14 Feb 2026 19:46:32 +0000
+Subject: igc: fix missing update of skb->tail in igc_xmit_frame()
+
+From: Kohei Enju
+
+[ Upstream commit 0ffba246652faf4a36aedc66059c2f94e4c83ea5 ]
+
+igc_xmit_frame() misses updating skb->tail when the packet size is
+shorter than the minimum one.
+Use skb_put_padto() in alignment with other Intel Ethernet drivers.
+
+Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers")
+Signed-off-by: Kohei Enju
+Reviewed-by: Simon Horman
+Reviewed-by: Paul Menzel
+Tested-by: Avigail Dahan
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 6a9ad4231b0c2..d2825170c1e1d 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -1666,11 +1666,8 @@ static netdev_tx_t igc_xmit_frame(struct sk_buff *skb,
+ /* The minimum packet size with TCTL.PSP set is 17 so pad the skb
+ * in order to meet this minimum size requirement.
+ */
+- if (skb->len < 17) {
+- if (skb_padto(skb, 17))
+- return NETDEV_TX_OK;
+- skb->len = 17;
+- }
++ if (skb_put_padto(skb, 17))
++ return NETDEV_TX_OK;
+
+ return igc_xmit_frame_ring(skb, igc_tx_queue_mapping(adapter, skb));
+ }
+--
+2.51.0
+
diff --git a/queue-5.15/net-bcmgenet-increase-wol-poll-timeout.patch b/queue-5.15/net-bcmgenet-increase-wol-poll-timeout.patch
new file mode 100644
index 0000000000..8436f4b8cf
--- /dev/null
+++ b/queue-5.15/net-bcmgenet-increase-wol-poll-timeout.patch
@@ -0,0 +1,38 @@
+From 8a7e5de7d06275778907ba6588c7ac708fc10425 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Mar 2026 12:18:52 -0700
+Subject: net: bcmgenet: increase WoL poll timeout
+
+From: Justin Chen
+
+[ Upstream commit 6cfc3bc02b977f2fba5f7268e6504d1931a774f7 ]
+
+Some systems require more than 5ms to get into WoL mode. Increase the
+timeout value to 50ms.
+
+Fixes: c51de7f3976b ("net: bcmgenet: add Wake-on-LAN support code")
+Signed-off-by: Justin Chen
+Reviewed-by: Florian Fainelli
+Link: https://patch.msgid.link/20260312191852.3904571-1-justin.chen@broadcom.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+index 38d41028e98a0..a1126368f9ed7 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+@@ -101,7 +101,7 @@ static int bcmgenet_poll_wol_status(struct bcmgenet_priv *priv)
+ while (!(bcmgenet_rbuf_readl(priv, RBUF_STATUS)
+ & RBUF_STATUS_WOL)) {
+ retries++;
+- if (retries > 5) {
++ if (retries > 50) {
+ netdev_crit(dev, "polling wol mode timeout\n");
+ return -ETIMEDOUT;
+ }
+--
+2.51.0
+
diff --git a/queue-5.15/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch b/queue-5.15/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
new file mode 100644
index 0000000000..19c22cd213
--- /dev/null
+++ b/queue-5.15/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
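Review bot: `retries > 50` swaps one bare magic number for another, and the per-iteration delay that turns it into the "50ms" of the commit message is outside the hunk, so the budget cannot be checked against the code as shown (presumably 1 ms per loop — confirm). A named constant with the rationale next to it, e.g. `#define WOL_POLL_RETRIES 50 /* some systems need > 5 ms to enter WoL mode */` used as `if (retries > WOL_POLL_RETRIES) {`, would keep the next tuning reviewable. bcmgenet_poll_wol_status() starts and ends outside the hunk.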
@@ -0,0 +1,87 @@ +From 8f7939aa583660bc7fe3a65b758f3be35fb0d5b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 17:50:34 -0700 +Subject: net: bonding: fix NULL deref in bond_debug_rlb_hash_show + +From: Xiang Mei + +[ Upstream commit 605b52497bf89b3b154674deb135da98f916e390 ] + +rlb_clear_slave intentionally keeps RLB hash-table entries on +the rx_hashtbl_used_head list with slave set to NULL when no +replacement slave is available. However, bond_debug_rlb_hash_show +visites client_info->slave without checking if it's NULL. + +Other used-list iterators in bond_alb.c already handle this NULL-slave +state safely: + +- rlb_update_client returns early on !client_info->slave +- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance +compare slave values before visiting +- lb_req_update_subnet_clients continues if slave is NULL + +The following NULL deref crash can be trigger in +bond_debug_rlb_hash_show: + +[ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41) +[ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286 +[ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204 +[ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078 +[ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000 +[ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0 +[ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8 +[ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000 +[ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0 +[ 1.295897] Call Trace: +[ 1.296134] seq_read_iter (fs/seq_file.c:231) +[ 1.296341] seq_read (fs/seq_file.c:164) +[ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1)) +[ 1.296658] vfs_read 
(fs/read_write.c:572) +[ 1.296981] ksys_read (fs/read_write.c:717) +[ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) +[ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Add a NULL check and print "(none)" for entries with no assigned slave. + +Fixes: caafa84251b88 ("bonding: add the debugfs interface to see RLB hash table") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260317005034.1888794-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_debugfs.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/bonding/bond_debugfs.c b/drivers/net/bonding/bond_debugfs.c +index 5940945266489..624bf1f745266 100644 +--- a/drivers/net/bonding/bond_debugfs.c ++++ b/drivers/net/bonding/bond_debugfs.c +@@ -34,11 +34,17 @@ static int bond_debug_rlb_hash_show(struct seq_file *m, void *v) + for (; hash_index != RLB_NULL_INDEX; + hash_index = client_info->used_next) { + client_info = &(bond_info->rx_hashtbl[hash_index]); +- seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", +- &client_info->ip_src, +- &client_info->ip_dst, +- &client_info->mac_dst, +- client_info->slave->dev->name); ++ if (client_info->slave) ++ seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", ++ &client_info->ip_src, ++ &client_info->ip_dst, ++ &client_info->mac_dst, ++ client_info->slave->dev->name); ++ else ++ seq_printf(m, "%-15pI4 %-15pI4 %-17pM (none)\n", ++ &client_info->ip_src, ++ &client_info->ip_dst, ++ &client_info->mac_dst); + } + + spin_unlock_bh(&bond->mode_lock); +-- +2.51.0 + diff --git a/queue-5.15/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch b/queue-5.15/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch new file mode 100644 index 0000000000..8423d6050e --- /dev/null +++ b/queue-5.15/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch 
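Review bot: The fix in `bond_debug_rlb_hash_show()` duplicates the whole `seq_printf()` call, including the format string, for the NULL-slave case; only the last argument differs. A single call with `client_info->slave ? client_info->slave->dev->name : "(none)"` as the `%s` argument keeps one format string to maintain and makes the intent obvious. The double read of `client_info->slave` is consistent because the loop appears to run under `bond->mode_lock` (the `spin_unlock_bh(&bond->mode_lock)` after the loop is visible, the lock acquisition is not), so the ternary is safe for the same reason the if/else is.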
@@ -0,0 +1,59 @@ +From af8a902676266dfd069809fe24dc394f07e78a32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 08:42:12 +0000 +Subject: net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths + +From: Anas Iqbal + +[ Upstream commit b48731849609cbd8c53785a48976850b443153fd ] + +Smatch reports: +drivers/net/dsa/bcm_sf2.c:997 bcm_sf2_sw_resume() warn: +'priv->clk' from clk_prepare_enable() not released on lines: 983,990. + +The clock enabled by clk_prepare_enable() in bcm_sf2_sw_resume() +is not released if bcm_sf2_sw_rst() or bcm_sf2_cfp_resume() fails. + +Add the missing clk_disable_unprepare() calls in the error paths +to properly release the clock resource. + +Fixes: e9ec5c3bd238 ("net: dsa: bcm_sf2: request and handle clocks") +Reviewed-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Signed-off-by: Anas Iqbal +Link: https://patch.msgid.link/20260318084212.1287-1-mohd.abd.6602@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/bcm_sf2.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c +index f259b0add5b2e..6105f4d8faf06 100644 +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -962,15 +962,19 @@ static int bcm_sf2_sw_resume(struct dsa_switch *ds) + ret = bcm_sf2_sw_rst(priv); + if (ret) { + pr_err("%s: failed to software reset switch\n", __func__); ++ if (!priv->wol_ports_mask) ++ clk_disable_unprepare(priv->clk); + return ret; + } + + bcm_sf2_crossbar_setup(priv); + + ret = bcm_sf2_cfp_resume(ds); +- if (ret) ++ if (ret) { ++ if (!priv->wol_ports_mask) ++ clk_disable_unprepare(priv->clk); + return ret; +- ++ } + if (priv->hw_params.num_gphy == 1) + bcm_sf2_gphy_enable_set(ds, true); + +-- +2.51.0 + diff --git a/queue-5.15/net-macb-fix-uninitialized-rx_fs_lock.patch b/queue-5.15/net-macb-fix-uninitialized-rx_fs_lock.patch new file mode 100644 index 0000000000..dfe12a9c4f --- /dev/null 
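Review bot: The clock release in `bcm_sf2_sw_resume()` is now copy-pasted into two error paths, each repeating the `!priv->wol_ports_mask` condition; the next error return added to this function will forget it the same way these two originally did. The kernel idiom here is a single `goto out_clk;` from both failure sites with the conditional `clk_disable_unprepare()` under one label, as sketched below. The function continues past the hunk, so where the label sits relative to the success-path return has to be decided against the full body; I am also inferring that `wol_ports_mask` mirrors the condition under which `clk_prepare_enable()` was called, since that call is outside the hunk.
```c
	ret = bcm_sf2_sw_rst(priv);
	if (ret) {
		pr_err("%s: failed to software reset switch\n", __func__);
		goto out_clk;
	}
	/* … unchanged: bcm_sf2_crossbar_setup() … */
	ret = bcm_sf2_cfp_resume(ds);
	if (ret)
		goto out_clk;
	/* … unchanged: rest of bcm_sf2_sw_resume(), which ends outside the hunk … */
out_clk:
	if (!priv->wol_ports_mask)
		clk_disable_unprepare(priv->clk);
	return ret;
```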
+++ b/queue-5.15/net-macb-fix-uninitialized-rx_fs_lock.patch 
@@ -0,0 +1,78 @@ +From fe80ca35a81f25571b5beb49004894dc230e6b90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 13:38:25 +0300 +Subject: net: macb: fix uninitialized rx_fs_lock + +From: Fedor Pchelkin + +[ Upstream commit 34b11cc56e4369bc08b1f4c4a04222d75ed596ce ] + +If hardware doesn't support RX Flow Filters, rx_fs_lock spinlock is not +initialized leading to the following assertion splat triggerable via +set_rxnfc callback. + +INFO: trying to register non-static key. +The code is fine but needs lockdep annotation, or maybe +you didn't initialize this object before use? +turning off the locking correctness validator. +CPU: 1 PID: 949 Comm: syz.0.6 Not tainted 6.1.164+ #113 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106 + assign_lock_key kernel/locking/lockdep.c:974 [inline] + register_lock_class+0x141b/0x17f0 kernel/locking/lockdep.c:1287 + __lock_acquire+0x74f/0x6c40 kernel/locking/lockdep.c:4928 + lock_acquire kernel/locking/lockdep.c:5662 [inline] + lock_acquire+0x190/0x4b0 kernel/locking/lockdep.c:5627 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:162 + gem_del_flow_filter drivers/net/ethernet/cadence/macb_main.c:3562 [inline] + gem_set_rxnfc+0x533/0xac0 drivers/net/ethernet/cadence/macb_main.c:3667 + ethtool_set_rxnfc+0x18c/0x280 net/ethtool/ioctl.c:961 + __dev_ethtool net/ethtool/ioctl.c:2956 [inline] + dev_ethtool+0x229c/0x6290 net/ethtool/ioctl.c:3095 + dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510 + sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215 + sock_ioctl+0x577/0x6d0 net/socket.c:1320 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856 + do_syscall_x64 
arch/x86/entry/common.c:46 [inline] + do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +A more straightforward solution would be to always initialize rx_fs_lock, +just like rx_fs_list. However, in this case the driver set_rxnfc callback +would return with a rather confusing error code, e.g. -EINVAL. So deny +set_rxnfc attempts directly if the RX filtering feature is not supported +by hardware. + +Fixes: ae8223de3df5 ("net: macb: Added support for RX filtering") +Signed-off-by: Fedor Pchelkin +Link: https://patch.msgid.link/20260316103826.74506-2-pchelkin@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index d4a4d72460a42..6a3e9082bda8c 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -3572,6 +3572,9 @@ static int gem_set_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd) + struct macb *bp = netdev_priv(netdev); + int ret; + ++ if (!(netdev->hw_features & NETIF_F_NTUPLE)) ++ return -EOPNOTSUPP; ++ + switch (cmd->cmd) { + case ETHTOOL_SRXCLSRLINS: + if ((cmd->fs.location >= bp->max_tuples) +-- +2.51.0 + diff --git a/queue-5.15/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch b/queue-5.15/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch new file mode 100644 index 0000000000..c7d644dabc --- /dev/null +++ b/queue-5.15/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch 
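Review bot: The new early return in `gem_set_rxnfc()` encodes a non-obvious invariant — that `rx_fs_lock` is only initialised when RX flow filtering is supported — but nothing at the check says so, and the commit message's reasoning (why not simply initialise the lock) will not be visible to someone reading the function. Suggest `/* rx_fs_lock is only initialised when RX filtering is supported; refuse early rather than take an uninitialised lock. */` above the `NETIF_F_NTUPLE` test. Whether the matching get-side path needs the same guard is not visible from this hunk and worth confirming.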
@@ -0,0 +1,67 @@ +From 4fb4b68c1342009e5842511dcef70778473bad48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 12:22:04 -0700 +Subject: net: mana: fix use-after-free in mana_hwc_destroy_channel() by + reordering teardown + +From: Dipayaan Roy + +[ Upstream commit fa103fc8f56954a60699a29215cb713448a39e87 ] + +A potential race condition exists in mana_hwc_destroy_channel() where +hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and +Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt +handler to dereference freed memory, leading to a use-after-free or +NULL pointer dereference in mana_hwc_handle_resp(). + +mana_smc_teardown_hwc() signals the hardware to stop but does not +synchronize against IRQ handlers already executing on other CPUs. The +IRQ synchronization only happens in mana_hwc_destroy_cq() via +mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs +after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler() +can dereference freed caller_ctx (and rxq->msg_buf) in +mana_hwc_handle_resp(). + +Fix this by reordering teardown to reverse-of-creation order: destroy +the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This +ensures all in-flight interrupt handlers complete before the memory they +access is freed. 
+ +Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") +Reviewed-by: Haiyang Zhang +Signed-off-by: Dipayaan Roy +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/abHA3AjNtqa1nx9k@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c +index 8b027bf6ede90..efd7ae1bab43c 100644 +--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c ++++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c +@@ -749,9 +749,6 @@ void mana_hwc_destroy_channel(struct gdma_context *gc) + gc->max_num_cqs = 0; + } + +- kfree(hwc->caller_ctx); +- hwc->caller_ctx = NULL; +- + if (hwc->txq) + mana_hwc_destroy_wq(hwc, hwc->txq); + +@@ -761,6 +758,9 @@ void mana_hwc_destroy_channel(struct gdma_context *gc) + if (hwc->cq) + mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq); + ++ kfree(hwc->caller_ctx); ++ hwc->caller_ctx = NULL; ++ + mana_gd_free_res_map(&hwc->inflight_msg_res); + + hwc->num_inflight_msg = 0; +-- +2.51.0 + diff --git a/queue-5.15/net-mana-improve-the-hwc-error-handling.patch b/queue-5.15/net-mana-improve-the-hwc-error-handling.patch new file mode 100644 index 0000000000..fe36c4f77a --- /dev/null +++ b/queue-5.15/net-mana-improve-the-hwc-error-handling.patch 
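Review bot: The corrected teardown order in `mana_hwc_destroy_channel()` is now load-bearing but undocumented — nothing stops a future cleanup from moving `kfree(hwc->caller_ctx)` back above the queue teardown, which is exactly the regression this patch fixes. Suggest a comment on the relocated free: `/* Must follow mana_hwc_destroy_cq(): destroying the CQ/EQ deregisters the IRQ, so no handler can still reach caller_ctx (or rxq->msg_buf) after this point. */`. The claim that `mana_hwc_destroy_cq()` performs the IRQ synchronisation comes from the commit message, not from code in the hunk, so it is worth verifying against the backported tree before wording the comment that strongly.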
@@ -0,0 +1,218 @@ +From 4bb8359550a5b871365e9f5c134df087baba07b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 17:54:07 -0700 +Subject: net: mana: Improve the HWC error handling + +From: Dexuan Cui + +[ Upstream commit 62ea8b77ed3b7086561765df0226ebc7bb442020 ] + +Currently when the HWC creation fails, the error handling is flawed, +e.g. if mana_hwc_create_channel() -> mana_hwc_establish_channel() fails, +the resources acquired in mana_hwc_init_queues() is not released. + +Enhance mana_hwc_destroy_channel() to do the proper cleanup work and +call it accordingly. + +Signed-off-by: Dexuan Cui +Reviewed-by: Haiyang Zhang +Signed-off-by: David S. Miller +Stable-dep-of: fa103fc8f569 ("net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown") +Signed-off-by: Sasha Levin +--- + .../net/ethernet/microsoft/mana/gdma_main.c | 4 -- + .../net/ethernet/microsoft/mana/hw_channel.c | 71 ++++++++----------- + 2 files changed, 31 insertions(+), 44 deletions(-) + +diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c +index 7864611f55a77..f3e90313a4487 100644 +--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c ++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c +@@ -1336,8 +1336,6 @@ static int mana_gd_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + clean_up_gdma: + mana_hwc_destroy_channel(gc); +- vfree(gc->cq_table); +- gc->cq_table = NULL; + remove_irq: + mana_gd_remove_irqs(pdev); + unmap_bar: +@@ -1360,8 +1358,6 @@ static void mana_gd_remove(struct pci_dev *pdev) + mana_remove(&gc->mana); + + mana_hwc_destroy_channel(gc); +- vfree(gc->cq_table); +- gc->cq_table = NULL; + + mana_gd_remove_irqs(pdev); + +diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c +index 508f83c29f325..8b027bf6ede90 100644 +--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c ++++ 
b/drivers/net/ethernet/microsoft/mana/hw_channel.c +@@ -315,9 +315,6 @@ static void mana_hwc_comp_event(void *ctx, struct gdma_queue *q_self) + + static void mana_hwc_destroy_cq(struct gdma_context *gc, struct hwc_cq *hwc_cq) + { +- if (!hwc_cq) +- return; +- + kfree(hwc_cq->comp_buf); + + if (hwc_cq->gdma_cq) +@@ -452,9 +449,6 @@ static void mana_hwc_dealloc_dma_buf(struct hw_channel_context *hwc, + static void mana_hwc_destroy_wq(struct hw_channel_context *hwc, + struct hwc_wq *hwc_wq) + { +- if (!hwc_wq) +- return; +- + mana_hwc_dealloc_dma_buf(hwc, hwc_wq->msg_buf); + + if (hwc_wq->gdma_wq) +@@ -627,6 +621,7 @@ static int mana_hwc_establish_channel(struct gdma_context *gc, u16 *q_depth, + *max_req_msg_size = hwc->hwc_init_max_req_msg_size; + *max_resp_msg_size = hwc->hwc_init_max_resp_msg_size; + ++ /* Both were set in mana_hwc_init_event_handler(). */ + if (WARN_ON(cq->id >= gc->max_num_cqs)) + return -EPROTO; + +@@ -642,9 +637,6 @@ static int mana_hwc_establish_channel(struct gdma_context *gc, u16 *q_depth, + static int mana_hwc_init_queues(struct hw_channel_context *hwc, u16 q_depth, + u32 max_req_msg_size, u32 max_resp_msg_size) + { +- struct hwc_wq *hwc_rxq = NULL; +- struct hwc_wq *hwc_txq = NULL; +- struct hwc_cq *hwc_cq = NULL; + int err; + + err = mana_hwc_init_inflight_msg(hwc, q_depth); +@@ -657,44 +649,32 @@ static int mana_hwc_init_queues(struct hw_channel_context *hwc, u16 q_depth, + err = mana_hwc_create_cq(hwc, q_depth * 2, + mana_hwc_init_event_handler, hwc, + mana_hwc_rx_event_handler, hwc, +- mana_hwc_tx_event_handler, hwc, &hwc_cq); ++ mana_hwc_tx_event_handler, hwc, &hwc->cq); + if (err) { + dev_err(hwc->dev, "Failed to create HWC CQ: %d\n", err); + goto out; + } +- hwc->cq = hwc_cq; + + err = mana_hwc_create_wq(hwc, GDMA_RQ, q_depth, max_req_msg_size, +- hwc_cq, &hwc_rxq); ++ hwc->cq, &hwc->rxq); + if (err) { + dev_err(hwc->dev, "Failed to create HWC RQ: %d\n", err); + goto out; + } +- hwc->rxq = hwc_rxq; + + err = mana_hwc_create_wq(hwc, 
GDMA_SQ, q_depth, max_resp_msg_size, +- hwc_cq, &hwc_txq); ++ hwc->cq, &hwc->txq); + if (err) { + dev_err(hwc->dev, "Failed to create HWC SQ: %d\n", err); + goto out; + } +- hwc->txq = hwc_txq; + + hwc->num_inflight_msg = q_depth; + hwc->max_req_msg_size = max_req_msg_size; + + return 0; + out: +- if (hwc_txq) +- mana_hwc_destroy_wq(hwc, hwc_txq); +- +- if (hwc_rxq) +- mana_hwc_destroy_wq(hwc, hwc_rxq); +- +- if (hwc_cq) +- mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc_cq); +- +- mana_gd_free_res_map(&hwc->inflight_msg_res); ++ /* mana_hwc_create_channel() will do the cleanup.*/ + return err; + } + +@@ -722,6 +702,9 @@ int mana_hwc_create_channel(struct gdma_context *gc) + gd->pdid = INVALID_PDID; + gd->doorbell = INVALID_DOORBELL; + ++ /* mana_hwc_init_queues() only creates the required data structures, ++ * and doesn't touch the HWC device. ++ */ + err = mana_hwc_init_queues(hwc, HW_CHANNEL_VF_BOOTSTRAP_QUEUE_DEPTH, + HW_CHANNEL_MAX_REQUEST_SIZE, + HW_CHANNEL_MAX_RESPONSE_SIZE); +@@ -747,42 +730,50 @@ int mana_hwc_create_channel(struct gdma_context *gc) + + return 0; + out: +- kfree(hwc); ++ mana_hwc_destroy_channel(gc); + return err; + } + + void mana_hwc_destroy_channel(struct gdma_context *gc) + { + struct hw_channel_context *hwc = gc->hwc.driver_data; +- struct hwc_caller_ctx *ctx; + +- mana_smc_teardown_hwc(&gc->shm_channel, false); ++ if (!hwc) ++ return; ++ ++ /* gc->max_num_cqs is set in mana_hwc_init_event_handler(). If it's ++ * non-zero, the HWC worked and we should tear down the HWC here. 
++ */ ++ if (gc->max_num_cqs > 0) { ++ mana_smc_teardown_hwc(&gc->shm_channel, false); ++ gc->max_num_cqs = 0; ++ } + +- ctx = hwc->caller_ctx; +- kfree(ctx); ++ kfree(hwc->caller_ctx); + hwc->caller_ctx = NULL; + +- mana_hwc_destroy_wq(hwc, hwc->txq); +- hwc->txq = NULL; ++ if (hwc->txq) ++ mana_hwc_destroy_wq(hwc, hwc->txq); + +- mana_hwc_destroy_wq(hwc, hwc->rxq); +- hwc->rxq = NULL; ++ if (hwc->rxq) ++ mana_hwc_destroy_wq(hwc, hwc->rxq); + +- mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq); +- hwc->cq = NULL; ++ if (hwc->cq) ++ mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq); + + mana_gd_free_res_map(&hwc->inflight_msg_res); + + hwc->num_inflight_msg = 0; + +- if (hwc->gdma_dev->pdid != INVALID_PDID) { +- hwc->gdma_dev->doorbell = INVALID_DOORBELL; +- hwc->gdma_dev->pdid = INVALID_PDID; +- } ++ hwc->gdma_dev->doorbell = INVALID_DOORBELL; ++ hwc->gdma_dev->pdid = INVALID_PDID; + + kfree(hwc); + gc->hwc.driver_data = NULL; + gc->hwc.gdma_context = NULL; ++ ++ vfree(gc->cq_table); ++ gc->cq_table = NULL; + } + + int mana_hwc_send_request(struct hw_channel_context *hwc, u32 req_len, +-- +2.51.0 + diff --git a/queue-5.15/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch b/queue-5.15/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch new file mode 100644 index 0000000000..c269bd5020 --- /dev/null +++ b/queue-5.15/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch 
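Review bot: In `mana_hwc_init_queues()` the create helpers now write straight into `hwc->cq`, `hwc->rxq` and `hwc->txq`, and the `out:` path relies on `mana_hwc_destroy_channel()` testing those fields for NULL. That is only safe if `mana_hwc_create_cq()`/`mana_hwc_create_wq()` never store a partially initialised object through the out-pointer on failure — the previous code avoided the question by assigning `hwc->cq = hwc_cq` only after success; the helper bodies are outside the hunk, so please confirm they either leave the out-pointer untouched or NULL it on every error path. For the same reason, `mana_hwc_destroy_channel()` unconditionally dereferences `hwc->gdma_dev` and needs `gc->hwc.driver_data` to already point at `hwc` when `mana_hwc_create_channel()` jumps to `out:`; both assignments are outside the visible lines. Minor: the new comment `/* mana_hwc_create_channel() will do the cleanup.*/` is missing the space before `*/`.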
@@ -0,0 +1,86 @@ +From 205bbb646b912174e892fb0d67d864fdc03e4d50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 12:31:01 -0700 +Subject: net: mvpp2: guard flow control update with global_tx_fc in buffer + switching + +From: Muhammad Hammad Ijaz + +[ Upstream commit 8a63baadf08453f66eb582fdb6dd234f72024723 ] + +mvpp2_bm_switch_buffers() unconditionally calls +mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and +shared buffer pool modes. This function programs CM3 flow control +registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference +priv->cm3_base without any NULL check. + +When the CM3 SRAM resource is not present in the device tree (the +third reg entry added by commit 60523583b07c ("dts: marvell: add CM3 +SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains +NULL and priv->global_tx_fc is false. Any operation that triggers +mvpp2_bm_switch_buffers(), for example an MTU change that crosses +the jumbo frame threshold, will crash: + + Unable to handle kernel NULL pointer dereference at + virtual address 0000000000000000 + Mem abort info: + ESR = 0x0000000096000006 + EC = 0x25: DABT (current EL), IL = 32 bits + pc : readl+0x0/0x18 + lr : mvpp2_cm3_read.isra.0+0x14/0x20 + Call trace: + readl+0x0/0x18 + mvpp2_bm_pool_update_fc+0x40/0x12c + mvpp2_bm_pool_update_priv_fc+0x94/0xd8 + mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0 + mvpp2_change_mtu+0x140/0x380 + __dev_set_mtu+0x1c/0x38 + dev_set_mtu_ext+0x78/0x118 + dev_set_mtu+0x48/0xa8 + dev_ifsioc+0x21c/0x43c + dev_ioctl+0x2d8/0x42c + sock_ioctl+0x314/0x378 + +Every other flow control call site in the driver already guards +hardware access with either priv->global_tx_fc or port->tx_fc. +mvpp2_bm_switch_buffers() is the only place that omits this check. + +Add the missing priv->global_tx_fc guard to both the disable and +re-enable calls in mvpp2_bm_switch_buffers(), consistent with the +rest of the driver. 
+ +Fixes: 3a616b92a9d1 ("net: mvpp2: Add TX flow control support for jumbo frames") +Signed-off-by: Muhammad Hammad Ijaz +Reviewed-by: Gunnar Kudrjavets +Link: https://patch.msgid.link/20260316193157.65748-1-mhijaz@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index 7fa880e62d096..fdfdd55fdb1dc 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -5006,7 +5006,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu) + if (priv->percpu_pools) + numbufs = port->nrxqs * 2; + +- if (change_percpu) ++ if (change_percpu && priv->global_tx_fc) + mvpp2_bm_pool_update_priv_fc(priv, false); + + for (i = 0; i < numbufs; i++) +@@ -5023,7 +5023,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu) + mvpp2_open(port->dev); + } + +- if (change_percpu) ++ if (change_percpu && priv->global_tx_fc) + mvpp2_bm_pool_update_priv_fc(priv, true); + + return 0; +-- +2.51.0 + diff --git a/queue-5.15/net-rose-fix-null-pointer-dereference-in-rose_transm.patch b/queue-5.15/net-rose-fix-null-pointer-dereference-in-rose_transm.patch new file mode 100644 index 0000000000..0cfb878528 --- /dev/null +++ b/queue-5.15/net-rose-fix-null-pointer-dereference-in-rose_transm.patch 
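Review bot: The guard `change_percpu && priv->global_tx_fc` is now repeated at both call sites in `mvpp2_bm_switch_buffers()`, and the commit message says every other caller of the flow-control helpers carries the same check; that is a sign the NULL `cm3_base` handling belongs inside `mvpp2_bm_pool_update_priv_fc()` (or the `mvpp2_cm3_read()`/`mvpp2_cm3_write()` accessors) so a new call site cannot omit it. Keeping the per-call-site guard for consistency with the rest of the driver is defensible, but then a one-line comment at the first site, `/* CM3 flow control registers are absent when global_tx_fc is false */`, would explain why the pool switch is skipping the update. The helper bodies are outside the hunk, so I cannot tell whether moving the check there has side effects.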
@@ -0,0 +1,64 @@ +From 8ae3768eb82b9dd205873dfef648ad8a03d7dad5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 15:06:02 +0800 +Subject: net/rose: fix NULL pointer dereference in rose_transmit_link on + reconnect + +From: Jiayuan Chen + +[ Upstream commit e1f0a18c9564cdb16523c802e2c6fe5874e3d944 ] + +syzkaller reported a bug [1], and the reproducer is available at [2]. + +ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, +TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects +calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING +(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. + +When rose_connect() is called a second time while the first connection +attempt is still in progress (TCP_SYN_SENT), it overwrites +rose->neighbour via rose_get_neigh(). If that returns NULL, the socket +is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL. +When the socket is subsequently closed, rose_release() sees +ROSE_STATE_1 and calls rose_write_internal() -> +rose_transmit_link(skb, NULL), causing a NULL pointer dereference. + +Per connect(2), a second connect() while a connection is already in +progress should return -EALREADY. Add this missing check for +TCP_SYN_SENT to complete the state validation in rose_connect(). 
+ +[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271 +[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+d00f90e0af54102fb271@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0027.GAE@google.com/T/ +Suggested-by: Eric Dumazet +Signed-off-by: Jiayuan Chen +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260311070611.76913-1-jiayuan.chen@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index 04173c85d92b5..0130c13f73552 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -808,6 +808,11 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le + goto out_release; + } + ++ if (sk->sk_state == TCP_SYN_SENT) { ++ err = -EALREADY; ++ goto out_release; ++ } ++ + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; + +-- +2.51.0 + diff --git a/queue-5.15/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch b/queue-5.15/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch new file mode 100644 index 0000000000..5767752d7c --- /dev/null +++ b/queue-5.15/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch 
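Review bot: The new `TCP_SYN_SENT` check in `rose_connect()` fixes the NULL-neighbour case but carries no hint of why a second connect() must not reach the `sk->sk_state = TCP_CLOSE` reset below it; suggest `/* connect() already in progress; a retry would overwrite rose->neighbour */` above the test. The commit message lists `TCP_LISTEN` as a fourth state and the visible checks leave it falling through to the reset, which is pre-existing behaviour rather than something this fix introduces, but it is worth a follow-up look. The enclosing function, including whatever lock the state checks run under, starts and ends outside the hunk.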
@@ -0,0 +1,208 @@ +From 4fd19b8be0a7428168905bbcbbee0773b27229b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 17:29:07 +0800 +Subject: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() + +From: Jiayuan Chen + +[ Upstream commit 6d5e4538364b9ceb1ac2941a4deb86650afb3538 ] + +Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1]. + +smc_tcp_syn_recv_sock() is called in the TCP receive path +(softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP +listening socket). It reads sk_user_data to get the smc_sock +pointer. However, when the SMC listen socket is being closed +concurrently, smc_close_active() sets clcsock->sk_user_data +to NULL under sk_callback_lock, and then the smc_sock itself +can be freed via sock_put() in smc_release(). + +This leads to two issues: + +1) NULL pointer dereference: sk_user_data is NULL when + accessed. +2) Use-after-free: sk_user_data is read as non-NULL, but the + smc_sock is freed before its fields (e.g., queued_smc_hs, + ori_af_ops) are accessed. + +The race window looks like this (the syzkaller crash [1] +triggers via the SYN cookie path: tcp_get_cookie_sock() -> +smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path +has the same race): + + CPU A (softirq) CPU B (process ctx) + + tcp_v4_rcv() + TCP_NEW_SYN_RECV: + sk = req->rsk_listener + sock_hold(sk) + /* No lock on listener */ + smc_close_active(): + write_lock_bh(cb_lock) + sk_user_data = NULL + write_unlock_bh(cb_lock) + ... + smc_clcsock_release() + sock_put(smc->sk) x2 + -> smc_sock freed! + tcp_check_req() + smc_tcp_syn_recv_sock(): + smc = user_data(sk) + -> NULL or dangling + smc->queued_smc_hs + -> crash! + +Note that the clcsock and smc_sock are two independent objects +with separate refcounts. TCP stack holds a reference on the +clcsock, which keeps it alive, but this does NOT prevent the +smc_sock from being freed. + +Fix this by using RCU and refcount_inc_not_zero() to safely +access smc_sock. 
Since smc_tcp_syn_recv_sock() is called in +the TCP three-way handshake path, taking read_lock_bh on +sk_callback_lock is too heavy and would not survive a SYN +flood attack. Using rcu_read_lock() is much more lightweight. + +- Set SOCK_RCU_FREE on the SMC listen socket so that + smc_sock freeing is deferred until after the RCU grace + period. This guarantees the memory is still valid when + accessed inside rcu_read_lock(). +- Use rcu_read_lock() to protect reading sk_user_data. +- Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the + smc_sock. If the refcount has already reached zero (close + path completed), it returns false and we bail out safely. + +Note: smc_hs_congested() has a similar lockless read of +sk_user_data without rcu_read_lock(), but it only checks for +NULL and accesses the global smc_hs_wq, never dereferencing +any smc_sock field, so it is not affected. + +Reproducer was verified with mdelay injection and smc_run, +the issue no longer occurs with this patch applied. 
+ +[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9 + +Fixes: 8270d9c21041 ("net/smc: Limit backlog connections") +Reported-by: syzbot+827ae2bfb3a3529333e9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67eaf9b8.050a0220.3c3d88.004a.GAE@google.com/T/ +Suggested-by: Eric Dumazet +Reviewed-by: Eric Dumazet +Signed-off-by: Jiayuan Chen +Link: https://patch.msgid.link/20260312092909.48325-1-jiayuan.chen@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 23 +++++++++++++++++------ + net/smc/smc.h | 5 +++++ + net/smc/smc_close.c | 2 +- + 3 files changed, 23 insertions(+), 7 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index ea1a185327629..5425c46a2e7c7 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -81,7 +81,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk, + struct smc_sock *smc; + struct sock *child; + +- smc = smc_clcsock_user_data(sk); ++ rcu_read_lock(); ++ smc = smc_clcsock_user_data_rcu(sk); ++ if (!smc || !refcount_inc_not_zero(&smc->sk.sk_refcnt)) { ++ rcu_read_unlock(); ++ smc = NULL; ++ goto drop; ++ } ++ rcu_read_unlock(); + + if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) > + sk->sk_max_ack_backlog) +@@ -103,11 +110,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk, + if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops) + inet_csk(child)->icsk_af_ops = smc->ori_af_ops; + } ++ sock_put(&smc->sk); + return child; + + drop: + dst_release(dst); + tcp_listendrop(sk); ++ if (smc) ++ sock_put(&smc->sk); + return NULL; + } + +@@ -175,7 +185,7 @@ static void smc_fback_restore_callbacks(struct smc_sock *smc) + struct sock *clcsk = smc->clcsock->sk; + + write_lock_bh(&clcsk->sk_callback_lock); +- clcsk->sk_user_data = NULL; ++ rcu_assign_sk_user_data(clcsk, NULL); + + smc_clcsock_restore_cb(&clcsk->sk_state_change, &smc->clcsk_state_change); + smc_clcsock_restore_cb(&clcsk->sk_data_ready, 
&smc->clcsk_data_ready); +@@ -726,7 +736,7 @@ static void smc_fback_replace_callbacks(struct smc_sock *smc) + struct sock *clcsk = smc->clcsock->sk; + + write_lock_bh(&clcsk->sk_callback_lock); +- clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); ++ __rcu_assign_sk_user_data_with_flags(clcsk, smc, SK_USER_DATA_NOCOPY); + + smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change, + &smc->clcsk_state_change); +@@ -2168,8 +2178,8 @@ static int smc_listen(struct socket *sock, int backlog) + * smc-specific sk_data_ready function + */ + write_lock_bh(&smc->clcsock->sk->sk_callback_lock); +- smc->clcsock->sk->sk_user_data = +- (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); ++ __rcu_assign_sk_user_data_with_flags(smc->clcsock->sk, smc, ++ SK_USER_DATA_NOCOPY); + smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready, + smc_clcsock_data_ready, &smc->clcsk_data_ready); + write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); +@@ -2187,10 +2197,11 @@ static int smc_listen(struct socket *sock, int backlog) + write_lock_bh(&smc->clcsock->sk->sk_callback_lock); + smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready, + &smc->clcsk_data_ready); +- smc->clcsock->sk->sk_user_data = NULL; ++ rcu_assign_sk_user_data(smc->clcsock->sk, NULL); + write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); + goto out; + } ++ sock_set_flag(sk, SOCK_RCU_FREE); + sk->sk_max_ack_backlog = backlog; + sk->sk_ack_backlog = 0; + sk->sk_state = SMC_LISTEN; +diff --git a/net/smc/smc.h b/net/smc/smc.h +index 268dc975249f8..6455371430a3c 100644 +--- a/net/smc/smc.h ++++ b/net/smc/smc.h +@@ -283,6 +283,11 @@ static inline struct smc_sock *smc_clcsock_user_data(const struct sock *clcsk) + ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY); + } + ++static inline struct smc_sock *smc_clcsock_user_data_rcu(const struct sock *clcsk) ++{ ++ return (struct smc_sock *)rcu_dereference_sk_user_data(clcsk); ++} ++ + /* save target_cb in saved_cb, and replace target_cb with 
new_cb */ + static inline void smc_clcsock_replace_cb(void (**target_cb)(struct sock *), + void (*new_cb)(struct sock *), +diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c +index 313ef522dfab4..e156039ff1e50 100644 +--- a/net/smc/smc_close.c ++++ b/net/smc/smc_close.c +@@ -215,7 +215,7 @@ int smc_close_active(struct smc_sock *smc) + write_lock_bh(&smc->clcsock->sk->sk_callback_lock); + smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready, + &smc->clcsk_data_ready); +- smc->clcsock->sk->sk_user_data = NULL; ++ rcu_assign_sk_user_data(smc->clcsock->sk, NULL); + write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); + rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR); + } +-- +2.51.0 + diff --git a/queue-5.15/net-smc-fix-slab-out-of-bounds-issue-in-fallback.patch b/queue-5.15/net-smc-fix-slab-out-of-bounds-issue-in-fallback.patch new file mode 100644 index 0000000000..7a6187f02f --- /dev/null +++ b/queue-5.15/net-smc-fix-slab-out-of-bounds-issue-in-fallback.patch 
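Review bot: The new `smc_clcsock_user_data_rcu()` helper returns `rcu_dereference_sk_user_data(clcsk)` unmasked, whereas the existing `smc_clcsock_user_data()` right above it explicitly strips `SK_USER_DATA_NOCOPY`; the pointer stored via `__rcu_assign_sk_user_data_with_flags(..., SK_USER_DATA_NOCOPY)` carries that bit, so correctness depends on this tree's `rcu_dereference_sk_user_data()` masking flags the way mainline's flag-aware variant does. If the 5.15 backport does not also carry that infrastructure, `refcount_inc_not_zero(&smc->sk.sk_refcnt)` in `smc_tcp_syn_recv_sock()` operates on a misaligned pointer — please confirm the helper and the masking behaviour exist in the target tree. The helper also needs a contract comment, e.g. `/* Caller must hold rcu_read_lock(); the returned smc_sock is not pinned until refcount_inc_not_zero() succeeds. */`.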
@@ -0,0 +1,220 @@ +From 75c0a11c2e1221cd473307f007a5be31e55dd490 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Apr 2022 15:56:19 +0800 +Subject: net/smc: Fix slab-out-of-bounds issue in fallback + +From: Wen Gu + +[ Upstream commit 0558226cebee256aa3f8ec0cc5a800a10bf120a6 ] + +syzbot reported a slab-out-of-bounds/use-after-free issue, +which was caused by accessing an already freed smc sock in +fallback-specific callback functions of clcsock. + +This patch fixes the issue by restoring fallback-specific +callback functions to original ones and resetting clcsock +sk_user_data to NULL before freeing smc sock. + +Meanwhile, this patch introduces sk_callback_lock to make +the access and assignment to sk_user_data mutually exclusive. + +Reported-by: syzbot+b425899ed22c6943e00b@syzkaller.appspotmail.com +Fixes: 341adeec9ada ("net/smc: Forward wakeup to smc socket waitqueue after fallback") +Link: https://lore.kernel.org/r/00000000000013ca8105d7ae3ada@google.com/ +Signed-off-by: Wen Gu +Acked-by: Karsten Graul +Signed-off-by: Jakub Kicinski +Stable-dep-of: 6d5e4538364b ("net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()") +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 80 ++++++++++++++++++++++++++++++++------------- + net/smc/smc_close.c | 2 ++ + 2 files changed, 59 insertions(+), 23 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 5c6759d2e271d..ea1a185327629 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -170,11 +170,27 @@ struct proto smc_proto6 = { + }; + EXPORT_SYMBOL_GPL(smc_proto6); + ++static void smc_fback_restore_callbacks(struct smc_sock *smc) ++{ ++ struct sock *clcsk = smc->clcsock->sk; ++ ++ write_lock_bh(&clcsk->sk_callback_lock); ++ clcsk->sk_user_data = NULL; ++ ++ smc_clcsock_restore_cb(&clcsk->sk_state_change, &smc->clcsk_state_change); ++ smc_clcsock_restore_cb(&clcsk->sk_data_ready, &smc->clcsk_data_ready); ++ smc_clcsock_restore_cb(&clcsk->sk_write_space, &smc->clcsk_write_space); 
++ smc_clcsock_restore_cb(&clcsk->sk_error_report, &smc->clcsk_error_report); ++ ++ write_unlock_bh(&clcsk->sk_callback_lock); ++} ++ + static void smc_restore_fallback_changes(struct smc_sock *smc) + { + if (smc->clcsock->file) { /* non-accepted sockets have no file yet */ + smc->clcsock->file->private_data = smc->sk.sk_socket; + smc->clcsock->file = NULL; ++ smc_fback_restore_callbacks(smc); + } + } + +@@ -659,48 +675,57 @@ static void smc_fback_forward_wakeup(struct smc_sock *smc, struct sock *clcsk, + + static void smc_fback_state_change(struct sock *clcsk) + { +- struct smc_sock *smc = +- smc_clcsock_user_data(clcsk); ++ struct smc_sock *smc; + +- if (!smc) +- return; +- smc_fback_forward_wakeup(smc, clcsk, smc->clcsk_state_change); ++ read_lock_bh(&clcsk->sk_callback_lock); ++ smc = smc_clcsock_user_data(clcsk); ++ if (smc) ++ smc_fback_forward_wakeup(smc, clcsk, ++ smc->clcsk_state_change); ++ read_unlock_bh(&clcsk->sk_callback_lock); + } + + static void smc_fback_data_ready(struct sock *clcsk) + { +- struct smc_sock *smc = +- smc_clcsock_user_data(clcsk); ++ struct smc_sock *smc; + +- if (!smc) +- return; +- smc_fback_forward_wakeup(smc, clcsk, smc->clcsk_data_ready); ++ read_lock_bh(&clcsk->sk_callback_lock); ++ smc = smc_clcsock_user_data(clcsk); ++ if (smc) ++ smc_fback_forward_wakeup(smc, clcsk, ++ smc->clcsk_data_ready); ++ read_unlock_bh(&clcsk->sk_callback_lock); + } + + static void smc_fback_write_space(struct sock *clcsk) + { +- struct smc_sock *smc = +- smc_clcsock_user_data(clcsk); ++ struct smc_sock *smc; + +- if (!smc) +- return; +- smc_fback_forward_wakeup(smc, clcsk, smc->clcsk_write_space); ++ read_lock_bh(&clcsk->sk_callback_lock); ++ smc = smc_clcsock_user_data(clcsk); ++ if (smc) ++ smc_fback_forward_wakeup(smc, clcsk, ++ smc->clcsk_write_space); ++ read_unlock_bh(&clcsk->sk_callback_lock); + } + + static void smc_fback_error_report(struct sock *clcsk) + { +- struct smc_sock *smc = +- smc_clcsock_user_data(clcsk); ++ struct smc_sock *smc; 
+ +- if (!smc) +- return; +- smc_fback_forward_wakeup(smc, clcsk, smc->clcsk_error_report); ++ read_lock_bh(&clcsk->sk_callback_lock); ++ smc = smc_clcsock_user_data(clcsk); ++ if (smc) ++ smc_fback_forward_wakeup(smc, clcsk, ++ smc->clcsk_error_report); ++ read_unlock_bh(&clcsk->sk_callback_lock); + } + + static void smc_fback_replace_callbacks(struct smc_sock *smc) + { + struct sock *clcsk = smc->clcsock->sk; + ++ write_lock_bh(&clcsk->sk_callback_lock); + clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); + + smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change, +@@ -711,6 +736,8 @@ static void smc_fback_replace_callbacks(struct smc_sock *smc) + &smc->clcsk_write_space); + smc_clcsock_replace_cb(&clcsk->sk_error_report, smc_fback_error_report, + &smc->clcsk_error_report); ++ ++ write_unlock_bh(&clcsk->sk_callback_lock); + } + + static int smc_switch_to_fallback(struct smc_sock *smc, int reason_code) +@@ -2095,17 +2122,20 @@ static void smc_tcp_listen_work(struct work_struct *work) + + static void smc_clcsock_data_ready(struct sock *listen_clcsock) + { +- struct smc_sock *lsmc = +- smc_clcsock_user_data(listen_clcsock); ++ struct smc_sock *lsmc; + ++ read_lock_bh(&listen_clcsock->sk_callback_lock); ++ lsmc = smc_clcsock_user_data(listen_clcsock); + if (!lsmc) +- return; ++ goto out; + lsmc->clcsk_data_ready(listen_clcsock); + if (lsmc->sk.sk_state == SMC_LISTEN) { + sock_hold(&lsmc->sk); /* sock_put in smc_tcp_listen_work() */ + if (!queue_work(smc_hs_wq, &lsmc->tcp_listen_work)) + sock_put(&lsmc->sk); + } ++out: ++ read_unlock_bh(&listen_clcsock->sk_callback_lock); + } + + static int smc_listen(struct socket *sock, int backlog) +@@ -2137,10 +2167,12 @@ static int smc_listen(struct socket *sock, int backlog) + /* save original sk_data_ready function and establish + * smc-specific sk_data_ready function + */ ++ write_lock_bh(&smc->clcsock->sk->sk_callback_lock); + smc->clcsock->sk->sk_user_data = + (void *)((uintptr_t)smc | 
SK_USER_DATA_NOCOPY); + smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready, + smc_clcsock_data_ready, &smc->clcsk_data_ready); ++ write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); + + /* save original ops */ + smc->ori_af_ops = inet_csk(smc->clcsock->sk)->icsk_af_ops; +@@ -2152,9 +2184,11 @@ static int smc_listen(struct socket *sock, int backlog) + + rc = kernel_listen(smc->clcsock, backlog); + if (rc) { ++ write_lock_bh(&smc->clcsock->sk->sk_callback_lock); + smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready, + &smc->clcsk_data_ready); + smc->clcsock->sk->sk_user_data = NULL; ++ write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); + goto out; + } + sk->sk_max_ack_backlog = backlog; +diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c +index 42f9a7cf9e671..313ef522dfab4 100644 +--- a/net/smc/smc_close.c ++++ b/net/smc/smc_close.c +@@ -212,9 +212,11 @@ int smc_close_active(struct smc_sock *smc) + sk->sk_state = SMC_CLOSED; + sk->sk_state_change(sk); /* wake up accept */ + if (smc->clcsock && smc->clcsock->sk) { ++ write_lock_bh(&smc->clcsock->sk->sk_callback_lock); + smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready, + &smc->clcsk_data_ready); + smc->clcsock->sk->sk_user_data = NULL; ++ write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); + rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR); + } + smc_close_cleanup_listen(sk); +-- +2.51.0 + diff --git a/queue-5.15/net-smc-only-save-the-original-clcsock-callback-func.patch b/queue-5.15/net-smc-only-save-the-original-clcsock-callback-func.patch new file mode 100644 index 0000000000..e52a3adc65 --- /dev/null +++ b/queue-5.15/net-smc-only-save-the-original-clcsock-callback-func.patch 
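Review bot: The four smc_fback_* handlers (state_change, data_ready, write_space, error_report) now repeat an identical read_lock_bh / smc_clcsock_user_data / smc_fback_forward_wakeup / read_unlock_bh sequence that differs only in which saved callback is forwarded; one helper taking the saved-callback slot would keep the locking rule in a single place. The new smc_fback_restore_callbacks has no comment on its contract; I would add `/* clear sk_user_data and put the original clcsock callbacks back under sk_callback_lock, so a fallback callback racing with the free sees a NULL smc */` above it. It is only reached from smc_restore_fallback_changes when clcsock->file is set, so a fallback socket that never got a file presumably relies on sk_user_data being cleared on another path before the smc sock is freed — worth confirming. smc_switch_to_fallback, smc_listen and smc_close_active continue outside their hunks.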
@@ -0,0 +1,204 @@ +From 92ab40790670bfea6f2a706127b4bb697beb4275 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Apr 2022 15:56:18 +0800 +Subject: net/smc: Only save the original clcsock callback functions + +From: Wen Gu + +[ Upstream commit 97b9af7a70936e331170c79040cc9bf20071b566 ] + +Both listen and fallback process will save the current clcsock +callback functions and establish new ones. But if both of them +happen, the saved callback functions will be overwritten. + +So this patch introduces some helpers to ensure that only save +the original callback functions of clcsock. + +Fixes: 341adeec9ada ("net/smc: Forward wakeup to smc socket waitqueue after fallback") +Signed-off-by: Wen Gu +Acked-by: Karsten Graul +Signed-off-by: Jakub Kicinski +Stable-dep-of: 6d5e4538364b ("net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()") +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 55 +++++++++++++++++++++++++++++---------------- + net/smc/smc.h | 29 ++++++++++++++++++++++++ + net/smc/smc_close.c | 3 ++- + 3 files changed, 67 insertions(+), 20 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 2a642dfbc94a1..5c6759d2e271d 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -300,6 +300,7 @@ static struct sock *smc_sock_alloc(struct net *net, struct socket *sock, + sk->sk_prot->hash(sk); + sk_refcnt_debug_inc(sk); + mutex_init(&smc->clcsock_release_lock); ++ smc_init_saved_callbacks(smc); + + return sk; + } +@@ -696,9 +697,24 @@ static void smc_fback_error_report(struct sock *clcsk) + smc_fback_forward_wakeup(smc, clcsk, smc->clcsk_error_report); + } + ++static void smc_fback_replace_callbacks(struct smc_sock *smc) ++{ ++ struct sock *clcsk = smc->clcsock->sk; ++ ++ clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); ++ ++ smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change, ++ &smc->clcsk_state_change); ++ smc_clcsock_replace_cb(&clcsk->sk_data_ready, smc_fback_data_ready, ++ 
&smc->clcsk_data_ready); ++ smc_clcsock_replace_cb(&clcsk->sk_write_space, smc_fback_write_space, ++ &smc->clcsk_write_space); ++ smc_clcsock_replace_cb(&clcsk->sk_error_report, smc_fback_error_report, ++ &smc->clcsk_error_report); ++} ++ + static int smc_switch_to_fallback(struct smc_sock *smc, int reason_code) + { +- struct sock *clcsk; + int rc = 0; + + mutex_lock(&smc->clcsock_release_lock); +@@ -706,10 +722,7 @@ static int smc_switch_to_fallback(struct smc_sock *smc, int reason_code) + rc = -EBADF; + goto out; + } +- clcsk = smc->clcsock->sk; + +- if (smc->use_fallback) +- goto out; + smc->use_fallback = true; + smc->fallback_rsn = reason_code; + smc_stat_fallback(smc); +@@ -723,18 +736,7 @@ static int smc_switch_to_fallback(struct smc_sock *smc, int reason_code) + * in smc sk->sk_wq and they should be woken up + * as clcsock's wait queue is woken up. + */ +- smc->clcsk_state_change = clcsk->sk_state_change; +- smc->clcsk_data_ready = clcsk->sk_data_ready; +- smc->clcsk_write_space = clcsk->sk_write_space; +- smc->clcsk_error_report = clcsk->sk_error_report; +- +- clcsk->sk_state_change = smc_fback_state_change; +- clcsk->sk_data_ready = smc_fback_data_ready; +- clcsk->sk_write_space = smc_fback_write_space; +- clcsk->sk_error_report = smc_fback_error_report; +- +- smc->clcsock->sk->sk_user_data = +- (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); ++ smc_fback_replace_callbacks(smc); + } + out: + mutex_unlock(&smc->clcsock_release_lock); +@@ -1388,6 +1390,19 @@ static int smc_clcsock_accept(struct smc_sock *lsmc, struct smc_sock **new_smc) + * function; switch it back to the original sk_data_ready function + */ + new_clcsock->sk->sk_data_ready = lsmc->clcsk_data_ready; ++ ++ /* if new clcsock has also inherited the fallback-specific callback ++ * functions, switch them back to the original ones. 
++ */ ++ if (lsmc->use_fallback) { ++ if (lsmc->clcsk_state_change) ++ new_clcsock->sk->sk_state_change = lsmc->clcsk_state_change; ++ if (lsmc->clcsk_write_space) ++ new_clcsock->sk->sk_write_space = lsmc->clcsk_write_space; ++ if (lsmc->clcsk_error_report) ++ new_clcsock->sk->sk_error_report = lsmc->clcsk_error_report; ++ } ++ + (*new_smc)->clcsock = new_clcsock; + out: + return rc; +@@ -2122,10 +2137,10 @@ static int smc_listen(struct socket *sock, int backlog) + /* save original sk_data_ready function and establish + * smc-specific sk_data_ready function + */ +- smc->clcsk_data_ready = smc->clcsock->sk->sk_data_ready; +- smc->clcsock->sk->sk_data_ready = smc_clcsock_data_ready; + smc->clcsock->sk->sk_user_data = + (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); ++ smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready, ++ smc_clcsock_data_ready, &smc->clcsk_data_ready); + + /* save original ops */ + smc->ori_af_ops = inet_csk(smc->clcsock->sk)->icsk_af_ops; +@@ -2137,7 +2152,9 @@ static int smc_listen(struct socket *sock, int backlog) + + rc = kernel_listen(smc->clcsock, backlog); + if (rc) { +- smc->clcsock->sk->sk_data_ready = smc->clcsk_data_ready; ++ smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready, ++ &smc->clcsk_data_ready); ++ smc->clcsock->sk->sk_user_data = NULL; + goto out; + } + sk->sk_max_ack_backlog = backlog; +diff --git a/net/smc/smc.h b/net/smc/smc.h +index 1c00f1bba2cdb..268dc975249f8 100644 +--- a/net/smc/smc.h ++++ b/net/smc/smc.h +@@ -269,12 +269,41 @@ static inline struct smc_sock *smc_sk(const struct sock *sk) + return (struct smc_sock *)sk; + } + ++static inline void smc_init_saved_callbacks(struct smc_sock *smc) ++{ ++ smc->clcsk_state_change = NULL; ++ smc->clcsk_data_ready = NULL; ++ smc->clcsk_write_space = NULL; ++ smc->clcsk_error_report = NULL; ++} ++ + static inline struct smc_sock *smc_clcsock_user_data(const struct sock *clcsk) + { + return (struct smc_sock *) + ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY); + 
} + ++/* save target_cb in saved_cb, and replace target_cb with new_cb */ ++static inline void smc_clcsock_replace_cb(void (**target_cb)(struct sock *), ++ void (*new_cb)(struct sock *), ++ void (**saved_cb)(struct sock *)) ++{ ++ /* only save once */ ++ if (!*saved_cb) ++ *saved_cb = *target_cb; ++ *target_cb = new_cb; ++} ++ ++/* restore target_cb to saved_cb, and reset saved_cb to NULL */ ++static inline void smc_clcsock_restore_cb(void (**target_cb)(struct sock *), ++ void (**saved_cb)(struct sock *)) ++{ ++ if (!*saved_cb) ++ return; ++ *target_cb = *saved_cb; ++ *saved_cb = NULL; ++} ++ + extern struct workqueue_struct *smc_hs_wq; /* wq for handshake work */ + extern struct workqueue_struct *smc_close_wq; /* wq for close work */ + +diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c +index bcd3ea894555d..42f9a7cf9e671 100644 +--- a/net/smc/smc_close.c ++++ b/net/smc/smc_close.c +@@ -212,7 +212,8 @@ int smc_close_active(struct smc_sock *smc) + sk->sk_state = SMC_CLOSED; + sk->sk_state_change(sk); /* wake up accept */ + if (smc->clcsock && smc->clcsock->sk) { +- smc->clcsock->sk->sk_data_ready = smc->clcsk_data_ready; ++ smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready, ++ &smc->clcsk_data_ready); + smc->clcsock->sk->sk_user_data = NULL; + rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR); + } +-- +2.51.0 + diff --git a/queue-5.15/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch b/queue-5.15/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch new file mode 100644 index 0000000000..baf5e9cebb --- /dev/null +++ b/queue-5.15/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch 
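Review bot: In smc_clcsock_accept the inherited fallback callbacks are put back on new_clcsock with open-coded assignments instead of smc_clcsock_restore_cb(), presumably because the helper would also NULL the listen socket's saved copy that later accepts still need; that reasoning is invisible at the call site, so a comment such as `/* plain assignment on purpose: restore_cb() would clear lsmc's saved pointers */` would stop a future cleanup into the helper. The pre-existing `new_clcsock->sk->sk_data_ready = lsmc->clcsk_data_ready;` just above is not NULL-guarded like the three new assignments; if clcsk_data_ready cannot be NULL there the asymmetry deserves a word, otherwise the accepted socket could be left with a NULL sk_data_ready. The "only save once" comment in smc_clcsock_replace_cb would read better as `/* only save once: listen and fallback both replace the callbacks, the second must not overwrite the original */`. smc_clcsock_accept and smc_listen continue outside their hunks.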
@@ -0,0 +1,69 @@ +From 297e2131710ae158d20fd34a9c623f60241d9b1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 16:16:43 +0200 +Subject: net: usb: aqc111: Do not perform PM inside suspend callback + +From: Nikola Z. Ivanov + +[ Upstream commit 069c8f5aebe4d5224cf62acc7d4b3486091c658a ] + +syzbot reports "task hung in rpm_resume" + +This is caused by aqc111_suspend calling +the PM variant of its write_cmd routine. + +The simplified call trace looks like this: + +rpm_suspend() + usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING + aqc111_suspend() - called for the usb device interface + aqc111_write32_cmd() + usb_autopm_get_interface() + pm_runtime_resume_and_get() + rpm_resume() - here we call rpm_resume() on our parent + rpm_resume() - Here we wait for a status change that will never happen. + +At this point we block another task which holds +rtnl_lock and locks up the whole networking stack. + +Fix this by replacing the write_cmd calls with their _nopm variants + +Reported-by: syzbot+48dc1e8dfc92faf1124c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=48dc1e8dfc92faf1124c +Fixes: e58ba4544c77 ("net: usb: aqc111: Add support for wake on LAN by MAGIC packet") +Signed-off-by: Nikola Z. 
Ivanov +Link: https://patch.msgid.link/20260313141643.1181386-1-zlatistiv@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/aqc111.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c +index 00aba7e1d0b95..81093c4fb8194 100644 +--- a/drivers/net/usb/aqc111.c ++++ b/drivers/net/usb/aqc111.c +@@ -1400,14 +1400,14 @@ static int aqc111_suspend(struct usb_interface *intf, pm_message_t message) + aqc111_write16_cmd_nopm(dev, AQ_ACCESS_MAC, + SFR_MEDIUM_STATUS_MODE, 2, ®16); + +- aqc111_write_cmd(dev, AQ_WOL_CFG, 0, 0, +- WOL_CFG_SIZE, &wol_cfg); +- aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, +- &aqc111_data->phy_cfg); ++ aqc111_write_cmd_nopm(dev, AQ_WOL_CFG, 0, 0, ++ WOL_CFG_SIZE, &wol_cfg); ++ aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0, ++ &aqc111_data->phy_cfg); + } else { + aqc111_data->phy_cfg |= AQ_LOW_POWER; +- aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, +- &aqc111_data->phy_cfg); ++ aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0, ++ &aqc111_data->phy_cfg); + + /* Disable RX path */ + aqc111_read16_cmd_nopm(dev, AQ_ACCESS_MAC, +-- +2.51.0 + diff --git a/queue-5.15/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch b/queue-5.15/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch new file mode 100644 index 0000000000..85dfa63737 --- /dev/null +++ b/queue-5.15/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch 
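Review bot: The three calls switched to their _nopm variants still discard the return value, so a failed write of the WoL or PHY configuration during suspend goes unreported; the other _nopm calls visible in the hunk behave the same, so either a netdev_warn on failure or a comment stating that failure is deliberately ignored on the suspend path would help. The constraint that motivates the change is not recorded in the code: a comment at the top of aqc111_suspend such as `/* runtime status is RPM_SUSPENDING here: every register access must use a _nopm variant, the autopm ones block in rpm_resume() */` would stop the next WoL addition from reintroducing the hang. aqc111_suspend starts and ends outside the hunk.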
@@ -0,0 +1,123 @@ +From ef5e9ae81ff0dc5ca24b396f7410374d0d91024a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:21:37 +0900 +Subject: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() + +From: Hyunwoo Kim + +[ Upstream commit 5cb81eeda909dbb2def209dd10636b51549a3f8a ] + +ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the +netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the +conntrack reference immediately after netlink_dump_start(). When the +dump spans multiple rounds, the second recvmsg() triggers the dump +callback which dereferences the now-freed conntrack via nfct_help(ct), +leading to a use-after-free on ct->ext. + +The bug is that the netlink_dump_control has no .start or .done +callbacks to manage the conntrack reference across dump rounds. Other +dump functions in the same file (e.g. ctnetlink_get_conntrack) properly +use .start/.done callbacks for this purpose. + +Fix this by adding .start and .done callbacks that hold and release the +conntrack reference for the duration of the dump, and move the +nfct_help() call after the cb->args[0] early-return check in the dump +callback to avoid dereferencing ct->ext unnecessarily. + + BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0 + Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133 + + CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY + Call Trace: + + ctnetlink_exp_ct_dump_table+0x4f/0x2e0 + netlink_dump+0x333/0x880 + netlink_recvmsg+0x3e2/0x4b0 + ? 
aa_sk_perm+0x184/0x450 + sock_recvmsg+0xde/0xf0 + + Allocated by task 133: + kmem_cache_alloc_noprof+0x134/0x440 + __nf_conntrack_alloc+0xa8/0x2b0 + ctnetlink_create_conntrack+0xa1/0x900 + ctnetlink_new_conntrack+0x3cf/0x7d0 + nfnetlink_rcv_msg+0x48e/0x510 + netlink_rcv_skb+0xc9/0x1f0 + nfnetlink_rcv+0xdb/0x220 + netlink_unicast+0x3ec/0x590 + netlink_sendmsg+0x397/0x690 + __sys_sendmsg+0xf4/0x180 + + Freed by task 0: + slab_free_after_rcu_debug+0xad/0x1e0 + rcu_core+0x5c3/0x9c0 + +Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack") +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++++++++++- + 1 file changed, 25 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index ba8d2c854fa89..055bff0a04da9 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3220,7 +3220,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + struct nf_conn *ct = cb->data; +- struct nf_conn_help *help = nfct_help(ct); ++ struct nf_conn_help *help; + u_int8_t l3proto = nfmsg->nfgen_family; + unsigned long last_id = cb->args[1]; + struct nf_conntrack_expect *exp; +@@ -3228,6 +3228,10 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + if (cb->args[0]) + return 0; + ++ help = nfct_help(ct); ++ if (!help) ++ return 0; ++ + rcu_read_lock(); + + restart: +@@ -3257,6 +3261,24 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + return skb->len; + } + ++static int ctnetlink_dump_exp_ct_start(struct netlink_callback *cb) ++{ ++ struct nf_conn *ct = cb->data; ++ ++ if (!refcount_inc_not_zero(&ct->ct_general.use)) ++ return -ENOENT; ++ return 0; ++} ++ ++static int ctnetlink_dump_exp_ct_done(struct 
netlink_callback *cb) ++{ ++ struct nf_conn *ct = cb->data; ++ ++ if (ct) ++ nf_ct_put(ct); ++ return 0; ++} ++ + static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct sk_buff *skb, + const struct nlmsghdr *nlh, +@@ -3272,6 +3294,8 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct nf_conntrack_zone zone; + struct netlink_dump_control c = { + .dump = ctnetlink_exp_ct_dump_table, ++ .start = ctnetlink_dump_exp_ct_start, ++ .done = ctnetlink_dump_exp_ct_done, + }; + + err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, +-- +2.51.0 + diff --git a/queue-5.15/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch b/queue-5.15/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch new file mode 100644 index 0000000000..1bb378a3a3 --- /dev/null +++ b/queue-5.15/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch 
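Review bot: ctnetlink_dump_exp_ct_start takes its own reference on cb->data, and the ownership split with the caller is exactly what the next reader will get wrong, so the two new callbacks deserve a comment: `/* the caller drops its ct reference right after netlink_dump_start(); hold our own for the lifetime of the dump, released in _done */`. As far as I recall netlink_dump_start() does not invoke .done when .start fails, which is why returning -ENOENT without a put is correct; that assumption is worth stating next to the return, since a change in core netlink would make the nf_ct_put in _done unbalanced. The `if (ct)` guard in ctnetlink_dump_exp_ct_done looks purely defensive, because cb->data is set before the dump starts; if so, say so. ctnetlink_exp_ct_dump_table and ctnetlink_dump_exp_ct continue outside their hunks.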
@@ -0,0 +1,165 @@ +From 918e25cb1306166ff66f58a081b2075cffe97a60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Aug 2025 17:25:09 +0200 +Subject: netfilter: ctnetlink: remove refcounting in expectation dumpers + +From: Florian Westphal + +[ Upstream commit 1492e3dcb2be3aa46d1963da96aa9593e4e4db5a ] + +Same pattern as previous patch: do not keep the expectation object +alive via refcount, only store a cookie value and then use that +as the skip hint for dump resumption. + +AFAICS this has the same issue as the one resolved in the conntrack +dumper, when we do + if (!refcount_inc_not_zero(&exp->use)) + +to increment the refcount, there is a chance that exp == last, which +causes a double-increment of the refcount and subsequent memory leak. + +Fixes: cf6994c2b981 ("[NETFILTER]: nf_conntrack_netlink: sync expectation dumping with conntrack table dumping") +Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Stable-dep-of: 5cb81eeda909 ("netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()") +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 41 ++++++++++++---------------- + 1 file changed, 17 insertions(+), 24 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 50f7531221c38..ba8d2c854fa89 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3160,23 +3160,27 @@ ctnetlink_expect_event(unsigned int events, const struct nf_exp_event *item) + return 0; + } + #endif +-static int ctnetlink_exp_done(struct netlink_callback *cb) ++ ++static unsigned long ctnetlink_exp_id(const struct nf_conntrack_expect *exp) + { +- if (cb->args[1]) +- nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]); +- return 0; ++ unsigned long id = (unsigned long)exp; ++ ++ id += nf_ct_get_id(exp->master); ++ id += exp->class; ++ ++ 
return id ? id : 1; + } + + static int + ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { + struct net *net = sock_net(skb->sk); +- struct nf_conntrack_expect *exp, *last; + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + u_int8_t l3proto = nfmsg->nfgen_family; ++ unsigned long last_id = cb->args[1]; ++ struct nf_conntrack_expect *exp; + + rcu_read_lock(); +- last = (struct nf_conntrack_expect *)cb->args[1]; + for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { + restart: + hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]], +@@ -3188,7 +3192,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + continue; + + if (cb->args[1]) { +- if (exp != last) ++ if (ctnetlink_exp_id(exp) != last_id) + continue; + cb->args[1] = 0; + } +@@ -3197,9 +3201,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->nlh->nlmsg_seq, + IPCTNL_MSG_EXP_NEW, + exp) < 0) { +- if (!refcount_inc_not_zero(&exp->use)) +- continue; +- cb->args[1] = (unsigned long)exp; ++ cb->args[1] = ctnetlink_exp_id(exp); + goto out; + } + } +@@ -3210,32 +3212,30 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + } + out: + rcu_read_unlock(); +- if (last) +- nf_ct_expect_put(last); +- + return skb->len; + } + + static int + ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { +- struct nf_conntrack_expect *exp, *last; + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + struct nf_conn *ct = cb->data; + struct nf_conn_help *help = nfct_help(ct); + u_int8_t l3proto = nfmsg->nfgen_family; ++ unsigned long last_id = cb->args[1]; ++ struct nf_conntrack_expect *exp; + + if (cb->args[0]) + return 0; + + rcu_read_lock(); +- last = (struct nf_conntrack_expect *)cb->args[1]; ++ + restart: + hlist_for_each_entry_rcu(exp, &help->expectations, lnode) { + if (l3proto && exp->tuple.src.l3num != l3proto) + continue; + if (cb->args[1]) { +- if (exp != last) ++ if 
(ctnetlink_exp_id(exp) != last_id) + continue; + cb->args[1] = 0; + } +@@ -3243,9 +3243,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->nlh->nlmsg_seq, + IPCTNL_MSG_EXP_NEW, + exp) < 0) { +- if (!refcount_inc_not_zero(&exp->use)) +- continue; +- cb->args[1] = (unsigned long)exp; ++ cb->args[1] = ctnetlink_exp_id(exp); + goto out; + } + } +@@ -3256,9 +3254,6 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->args[0] = 1; + out: + rcu_read_unlock(); +- if (last) +- nf_ct_expect_put(last); +- + return skb->len; + } + +@@ -3277,7 +3272,6 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct nf_conntrack_zone zone; + struct netlink_dump_control c = { + .dump = ctnetlink_exp_ct_dump_table, +- .done = ctnetlink_exp_done, + }; + + err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, +@@ -3327,7 +3321,6 @@ static int ctnetlink_get_expect(struct sk_buff *skb, + else { + struct netlink_dump_control c = { + .dump = ctnetlink_exp_dump_table, +- .done = ctnetlink_exp_done, + }; + return netlink_dump_start(info->sk, skb, info->nlh, &c); + } +-- +2.51.0 + diff --git a/queue-5.15/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch b/queue-5.15/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch new file mode 100644 index 0000000000..b77616a1af --- /dev/null +++ b/queue-5.15/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch 
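Review bot: ctnetlink_exp_id() is a resume cookie, not an identity: the address can presumably be reused by a new expectation with the same master id and class between dump rounds, in which case the dump resumes after the wrong entry and skips or repeats some expectations. That is an accepted trade-off for dropping the refcount, but nothing in the code says so; I would put `/* resume cookie for cb->args[1]: a collision only mis-positions the next dump round, it never touches freed memory; 0 means "no resume point", hence the fallback to 1 */` above the function. The `if (cb->args[1])` test in both dump tables relies on that non-zero convention, which is the only reason the `return id ? id : 1;` line exists. ctnetlink_exp_dump_table and ctnetlink_exp_ct_dump_table continue outside their hunks.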
@@ -0,0 +1,47 @@
+From 9d5c23b70e75480af831c2505041ffd187db5118 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Mar 2026 14:49:50 +0000
+Subject: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu
+
+[ Upstream commit f173d0f4c0f689173f8cdac79991043a4a89bf66 ]
+
+In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
+the packet, then decrements it by 1 to skip the protocol discriminator
+byte before passing it to DecodeH323_UserInformation(). If the encoded
+length is 0, the decrement wraps to -1, which is then passed as a
+large value to the decoder, leading to an out-of-bounds read.
+
+Add a check to ensure len is positive after the decrement.
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Reported-by: Klaudia Kloc
+Reported-by: Dawid Moczadło
+Tested-by: Jenny Guanni Qu
+Signed-off-by: Jenny Guanni Qu
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index c972e9488e16f..7b1497ed97d26 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
+ break;
+ p++;
+ len--;
++ if (len <= 0)
++ break;
+ return DecodeH323_UserInformation(buf, p, len,
+ &q931->UUIE);
+ }
+--
+2.51.0
+
diff --git a/queue-5.15/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch b/queue-5.15/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
new file mode 100644
index 0000000000..207a350154
--- /dev/null
+++ b/queue-5.15/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
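Review bot: The new `if (len <= 0) break;` only works because `len` is a signed type, and its declaration is outside the hunk; with an unsigned length the `<= 0` would collapse to `== 0` and the wrap described in the commit message would come back silently. A short comment on the check would pin that down, e.g. `/* len counted the discriminator byte just skipped; 0 would have wrapped negative */`, and the declaration could carry a why-comment that it must stay signed. Breaking out of the loop follows the surrounding style for malformed IEs, but the caller only sees whatever DecodeQ931 returns after the loop, which is not visible here, so it is worth confirming a truncated UUIE is reported as an error rather than as a successfully decoded message. DecodeQ931 starts and ends outside the hunk.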
@@ -0,0 +1,48 @@
+From 493951c3fbd82d7b7c4e492183a87ad583f0a488 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Mar 2026 02:29:32 +0000
+Subject: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu
+
+[ Upstream commit 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a ]
+
+In decode_int(), the CONS case calls get_bits(bs, 2) to read a length
+value, then calls get_uint(bs, len) without checking that len bytes
+remain in the buffer. The existing boundary check only validates the
+2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()
+reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte
+slab-out-of-bounds read.
+
+Add a boundary check for len bytes after get_bits() and before
+get_uint().
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Reported-by: Klaudia Kloc
+Reported-by: Dawid Moczadło
+Signed-off-by: Jenny Guanni Qu
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index 62aa22a078769..c972e9488e16f 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -331,6 +331,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f,
+ if (nf_h323_error_boundary(bs, 0, 2))
+ return H323_ERROR_BOUND;
+ len = get_bits(bs, 2) + 1;
++ if (nf_h323_error_boundary(bs, len, 0))
++ return H323_ERROR_BOUND;
+ BYTE_ALIGN(bs);
+ if (base && (f->attr & DECODE)) { /* timeToLive */
+ unsigned int v = get_uint(bs, len) + f->lb;
+--
+2.51.0
+
diff --git a/queue-5.15/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch b/queue-5.15/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
new file mode 100644
index 0000000000..39e8b8d201
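Review bot: The added boundary check runs before BYTE_ALIGN(bs) while get_uint() reads after it, so the check is only sufficient if nf_h323_error_boundary() already rounds the pending bit offset up to a whole byte; as far as I recall it does, but that coupling is invisible at this call site and a comment would protect it, e.g. `/* before BYTE_ALIGN(): the boundary helper rounds bs->bit up, so the alignment padding is already counted in the len-byte check */`. The other arm of the `if (base && (f->attr & DECODE))` branch is outside the hunk; if it advances bs->cur by len it is covered by the same check, which is worth a word in the comment. decode_int starts and ends outside the hunk.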
--- /dev/null
+++ b/queue-5.15/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
@@ -0,0 +1,66 @@
+From b6cbb542b4dc425bbb551add51a480fbb031d7c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Mar 2026 21:49:01 +0000
+Subject: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in
+ sip_help_tcp()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lukas Johannes Möller
+
+[ Upstream commit fbce58e719a17aa215c724473fd5baaa4a8dc57c ]
+
+sip_help_tcp() parses the SIP Content-Length header with
+simple_strtoul(), which returns unsigned long, but stores the result in
+unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are
+silently truncated before computing the SIP message boundary.
+
+For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,
+causing the parser to miscalculate where the current message ends. The
+loop then treats trailing data in the TCP segment as a second SIP
+message and processes it through the SDP parser.
+
+Fix this by changing clen to unsigned long to match the return type of
+simple_strtoul(), and reject Content-Length values that exceed the
+remaining TCP payload length.
+
+Fixes: f5b321bd37fb ("netfilter: nf_conntrack_sip: add TCP support")
+Signed-off-by: Lukas Johannes Möller
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_sip.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
+index 751df19fe0f8a..5db17768ec2ad 100644
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -1529,11 +1529,12 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
+ {
+ struct tcphdr *th, _tcph;
+ unsigned int dataoff, datalen;
+- unsigned int matchoff, matchlen, clen;
++ unsigned int matchoff, matchlen;
+ unsigned int msglen, origlen;
+ const char *dptr, *end;
+ s16 diff, tdiff = 0;
+ int ret = NF_ACCEPT;
++ unsigned long clen;
+ bool term;
+
+ if (ctinfo != IP_CT_ESTABLISHED &&
+@@ -1568,6 +1569,9 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
+ if (dptr + matchoff == end)
+ break;
+
++ if (clen > datalen)
++ break;
++
+ term = false;
+ for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
+ if (end[0] == '\r' && end[1] == '\n' &&
+--
+2.51.0
+
diff --git a/queue-5.15/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch b/queue-5.15/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch
new file mode 100644
index 0000000000..4fbda84bda
--- /dev/null
+++ b/queue-5.15/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch
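Review bot: The new `if (clen > datalen) break;` compares Content-Length against the whole TCP payload rather than the bytes left after the header, although the description says "remaining"; as written it is a coarse guard that keeps the pointer advance by clen that presumably follows the "\r\n\r\n" scan from wrapping, with the exact bound left to a later msglen comparison that is outside the hunk. A comment stating that intent would stop a later reader from tightening or removing it, e.g. `/* coarse bound: keeps the later end += clen from overflowing; exact check against msglen follows */`. Breaking out here leaves ret at its NF_ACCEPT initial value, matching the existing `dptr + matchoff == end` exit just above. sip_help_tcp() continues outside the hunk.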
@@ -0,0 +1,114 @@ +From 38c53a42fcdf1c2fcf70e31a69a8d9d25b067095 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Oct 2025 18:22:16 +0200 +Subject: netfilter: nft_ct: add seqadj extension for natted connections + +From: Andrii Melnychenko + +[ Upstream commit 90918e3b6404c2a37837b8f11692471b4c512de2 ] + +Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. +due to need to re-write packet payload (IP, port) on the ftp control +connection. This can require changes to the TCP length and expected +seq / ack_seq. + +The easiest way to reproduce this issue is with PASV mode. +Example ruleset: +table inet ftp_nat { + ct helper ftp_helper { + type "ftp" protocol tcp + l3proto inet + } + + chain prerouting { + type filter hook prerouting priority 0; policy accept; + tcp dport 21 ct state new ct helper set "ftp_helper" + } +} +table ip nat { + chain prerouting { + type nat hook prerouting priority -100; policy accept; + tcp dport 21 dnat ip prefix to ip daddr map { + 192.168.100.1 : 192.168.13.2/32 } + } + + chain postrouting { + type nat hook postrouting priority 100 ; policy accept; + tcp sport 21 snat ip prefix to ip saddr map { + 192.168.13.2 : 192.168.100.1/32 } + } +} + +Note that the ftp helper gets assigned *after* the dnat setup. + +The inverse (nat after helper assign) is handled by an existing +check in nf_nat_setup_info() and will not show the problem. + +Topoloy: + + +-------------------+ +----------------------------------+ + | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 | + +-------------------+ +----------------------------------+ + | + +-----------------------+ + | Client: 192.168.100.2 | + +-----------------------+ + +ftp nat changes do not work as expected in this case: +Connected to 192.168.100.1. +[..] +ftp> epsv +EPSV/EPRT on IPv4 off. +ftp> ls +227 Entering passive mode (192,168,100,1,209,129). +421 Service not available, remote server has closed connection. 
+ +Kernel logs: +Missing nfct_seqadj_ext_add() setup call +WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 +[..] + __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat] + nf_nat_ftp+0x142/0x280 [nf_nat_ftp] + help+0x4d1/0x880 [nf_conntrack_ftp] + nf_confirm+0x122/0x2e0 [nf_conntrack] + nf_hook_slow+0x3c/0xb0 + .. + +Fix this by adding the required extension when a conntrack helper is assigned +to a connection that has a nat binding. + +Fixes: 1a64edf54f55 ("netfilter: nft_ct: add helper set support") +Signed-off-by: Andrii Melnychenko +Signed-off-by: Florian Westphal +Stable-dep-of: 36eae0956f65 ("netfilter: nft_ct: drop pending enqueued packets on removal") +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_ct.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c +index 83bb3f110ea84..3edfdf06bea6a 100644 +--- a/net/netfilter/nft_ct.c ++++ b/net/netfilter/nft_ct.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + struct nft_ct { + enum nft_ct_keys key:8; +@@ -1109,6 +1110,10 @@ static void nft_ct_helper_obj_eval(struct nft_object *obj, + if (help) { + rcu_assign_pointer(help->helper, to_assign); + set_bit(IPS_HELPER_BIT, &ct->status); ++ ++ if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct)) ++ if (!nfct_seqadj_ext_add(ct)) ++ regs->verdict.code = NF_DROP; + } + } + +-- +2.51.0 + diff --git a/queue-5.15/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch b/queue-5.15/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch new file mode 100644 index 0000000000..7875fa1598 --- /dev/null +++ b/queue-5.15/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch 
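Review bot: The seqadj extension is added only after `help->helper` is published and IPS_HELPER_BIT is set, so when nfct_seqadj_ext_add() fails the packet is dropped but the conntrack is left with a helper and no seqadj extension, which is the state the WARN in the description fires on; whether a later packet re-runs this eval depends on the early-exit check above the hunk, which I cannot see. Adding the extension before the helper is published keeps the failure free of side effects, and folding the two nested unbraced ifs into one condition reads better. nft_ct_helper_obj_eval() begins outside the hunk.
```c
	if (help) {
		/* a helper on a NATed flow needs seqadj before it can mangle payload */
		if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct) &&
		    !nfct_seqadj_ext_add(ct)) {
			regs->verdict.code = NF_DROP;
			return;
		}
		rcu_assign_pointer(help->helper, to_assign);
		set_bit(IPS_HELPER_BIT, &ct->status);
	}
```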
@@ -0,0 +1,70 @@
+From 1253c72732896a7f888630adb2006a3439730f83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Mar 2026 13:48:47 +0100
+Subject: netfilter: nft_ct: drop pending enqueued packets on removal
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 36eae0956f659e48d5366d9b083d9417f3263ddc ]
+
+Packets sitting in nfqueue might hold a reference to:
+
+- templates that specify the conntrack zone, because a percpu area is
+ used and module removal is possible.
+- conntrack timeout policies and helper, where object removal leave
+ a stale reference.
+
+Since these objects can just go away, drop enqueued packets to avoid
+stale reference to them.
+
+If there is a need for finer grain removal, this logic can be revisited
+to make selective packet drop upon dependencies.
+
+Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support")
+Reported-by: Yiming Qian
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_ct.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index 3edfdf06bea6a..9aa66a54e086b 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -23,6 +23,7 @@
+ #include
+ #include
+ #include
++#include "nf_internals.h"
+
+ struct nft_ct {
+ enum nft_ct_keys key:8;
+@@ -533,6 +534,7 @@ static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv)
+ #endif
+ #ifdef CONFIG_NF_CONNTRACK_ZONES
+ case NFT_CT_ZONE:
++ nf_queue_nf_hook_drop(ctx->net);
+ mutex_lock(&nft_ct_pcpu_mutex);
+ if (--nft_ct_pcpu_template_refcnt == 0)
+ nft_ct_tmpl_put_pcpu();
+@@ -930,6 +932,7 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx,
+ struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
+ struct nf_ct_timeout *timeout = priv->timeout;
+
++ nf_queue_nf_hook_drop(ctx->net);
+ nf_ct_untimeout(ctx->net, timeout);
+ nf_ct_netns_put(ctx->net, ctx->family);
+ kfree(priv->timeout);
+@@ -1065,6 +1068,7 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx,
+ {
+ struct nft_ct_helper_obj *priv = nft_obj_data(obj);
+
++ nf_queue_nf_hook_drop(ctx->net);
+ if (priv->helper4)
+ nf_conntrack_helper_put(priv->helper4);
+ if (priv->helper6)
+--
+2.51.0
+
diff --git a/queue-5.15/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch b/queue-5.15/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
new file mode 100644
index 0000000000..76a069308c
--- /dev/null
+++ b/queue-5.15/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
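Review bot: nf_queue_nf_hook_drop(ctx->net) flushes every packet queued in the netns, not only the ones pinning this object, so deleting any ct timeout or helper object, or a rule that sets ct zone, now drops unrelated traffic sitting in nfqueue; the description accepts that trade-off but none of the three call sites says so. A one-line comment at each, e.g. `/* queued skbs may still pin this object: flush the whole netns queue */`, would keep the next maintainer from narrowing it without re-reading the history. Whether a packet can still be queued between the flush and the final put in the NFT_CT_ZONE branch depends on the rule already being unhooked at destroy time, which I cannot verify from the hunk. All three enclosing functions continue outside the hunk.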
@@ -0,0 +1,54 @@
+From 20a6326f7e5692d6e9d4865462d2c4ad298e4c72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Mar 2026 13:48:48 +0100
+Subject: netfilter: xt_CT: drop pending enqueued packets on template removal
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit f62a218a946b19bb59abdd5361da85fa4606b96b ]
+
+Templates refer to objects that can go away while packets are sitting in
+nfqueue refer to:
+
+- helper, this can be an issue on module removal.
+- timeout policy, nfnetlink_cttimeout might remove it.
+
+The use of templates with zone and event cache filter are safe, since
+this just copies values.
+
+Flush these enqueued packets in case the template rule gets removed.
+
+Fixes: 24de58f46516 ("netfilter: xt_CT: allow to attach timeout policy + glue code")
+Reported-by: Yiming Qian
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/xt_CT.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
+index 5d19cb059b197..3dd02482b437b 100644
+--- a/net/netfilter/xt_CT.c
++++ b/net/netfilter/xt_CT.c
+@@ -16,6 +16,7 @@
+ #include
+ #include
+ #include
++#include "nf_internals.h"
+
+ static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct)
+ {
+@@ -269,6 +270,9 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par,
+ struct nf_conn_help *help;
+
+ if (ct) {
++ if (info->helper[0] || info->timeout[0])
++ nf_queue_nf_hook_drop(par->net);
++
+ help = nfct_help(ct);
+ if (help)
+ nf_conntrack_helper_put(help->helper);
+--
+2.51.0
+
diff --git a/queue-5.15/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch b/queue-5.15/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
new file mode 100644
index 0000000000..9ccd82ebc8
--- /dev/null
+++ b/queue-5.15/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
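Review bot: The flush is keyed on `info->timeout[0]`, a field that only exists in the v1 target info, while xt_ct_tg_destroy() is also reached from the v0 revision through a conversion wrapper that is outside the hunk; the test is only right if that wrapper zero-fills the timeout name, which I cannot confirm here. A short comment would pin the assumption: `/* v0 rules arrive via a converted v1 info with .timeout zeroed */`. As with the nft_ct counterpart, nf_queue_nf_hook_drop() drains the whole netns queue, not just packets referencing this template, which is worth saying at the call site. xt_ct_tg_destroy() continues outside the hunk.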
@@ -0,0 +1,53 @@
+From 3d9f6fc6bbc3716633d03a3a1b9086ebf6dede29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Mar 2026 14:59:49 +0000
+Subject: netfilter: xt_time: use unsigned int for monthday bit shift
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu
+
+[ Upstream commit 00050ec08cecfda447e1209b388086d76addda3a ]
+
+The monthday field can be up to 31, and shifting a signed integer 1
+by 31 positions (1 << 31) is undefined behavior in C, as the result
+overflows a 32-bit signed int. Use 1U to ensure well-defined behavior
+for all valid monthday values.
+
+Change the weekday shift to 1U as well for consistency.
+
+Fixes: ee4411a1b1e0 ("[NETFILTER]: x_tables: add xt_time match")
+Reported-by: Klaudia Kloc
+Reported-by: Dawid Moczadło
+Tested-by: Jenny Guanni Qu
+Signed-off-by: Jenny Guanni Qu
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/xt_time.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
+index 6aa12d0f54e23..61de85e02a40f 100644
+--- a/net/netfilter/xt_time.c
++++ b/net/netfilter/xt_time.c
+@@ -227,13 +227,13 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par)
+
+ localtime_2(¤t_time, stamp);
+
+- if (!(info->weekdays_match & (1 << current_time.weekday)))
++ if (!(info->weekdays_match & (1U << current_time.weekday)))
+ return false;
+
+ /* Do not spend time computing monthday if all days match anyway */
+ if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) {
+ localtime_3(¤t_time, stamp);
+- if (!(info->monthdays_match & (1 << current_time.monthday)))
++ if (!(info->monthdays_match & (1U << current_time.monthday)))
+ return false;
+ }
+
+--
+2.51.0
+
diff --git a/queue-5.15/nfnetlink_osf-validate-individual-option-lengths-in-.patch b/queue-5.15/nfnetlink_osf-validate-individual-option-lengths-in-.patch
new file mode 100644
index 0000000000..bb11a155ec
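Review bot: The two `1U <<` shifts now carry the reason for the change without the code saying it: a reader who sees `1U` next to the weekday shift, where the shift count is small, may take it for noise and revert one of them to `1`. A comment on the monthday line would lock it in, e.g. `/* monthday reaches 31; 1 << 31 overflows a signed int */`. Both shifts also rely on localtime_2()/localtime_3() keeping weekday and monthday below 32, which is outside the hunk. time_mt() continues on both sides of the hunk.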
--- /dev/null
+++ b/queue-5.15/nfnetlink_osf-validate-individual-option-lengths-in-.patch
@@ -0,0 +1,83 @@
+From bd298356cf15ac648a46af60ad822e3b5829a473 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Mar 2026 15:32:44 +0800
+Subject: nfnetlink_osf: validate individual option lengths in fingerprints
+
+From: Weiming Shi
+
+[ Upstream commit dbdfaae9609629a9569362e3b8f33d0a20fd783c ]
+
+nfnl_osf_add_callback() validates opt_num bounds and string
+NUL-termination but does not check individual option length fields.
+A zero-length option causes nf_osf_match_one() to enter the option
+matching loop even when foptsize sums to zero, which matches packets
+with no TCP options where ctx->optp is NULL:
+
+ Oops: general protection fault
+ KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
+ Call Trace:
+ nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
+ xt_osf_match_packet (net/netfilter/xt_osf.c:32)
+ ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
+ nf_hook_slow (net/netfilter/core.c:623)
+ ip_local_deliver (net/ipv4/ip_input.c:262)
+ ip_rcv (net/ipv4/ip_input.c:573)
+
+Additionally, an MSS option (kind=2) with length < 4 causes
+out-of-bounds reads when nf_osf_match_one() unconditionally accesses
+optp[2] and optp[3] for MSS value extraction. While RFC 9293
+section 3.2 specifies that the MSS option is always exactly 4
+bytes (Kind=2, Length=4), the check uses "< 4" rather than
+"!= 4" because lengths greater than 4 do not cause memory
+safety issues -- the buffer is guaranteed to be at least
+foptsize bytes by the ctx->optsize == foptsize check.
+
+Reject fingerprints where any option has zero length, or where an MSS
+option has length less than 4, at add time rather than trusting these
+values in the packet matching hot path.
+
+Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
+Reported-by: Xiang Mei
+Signed-off-by: Weiming Shi
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nfnetlink_osf.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
+index 50723ba082890..da9d5d6de98f4 100644
+--- a/net/netfilter/nfnetlink_osf.c
++++ b/net/netfilter/nfnetlink_osf.c
+@@ -302,7 +302,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
+ {
+ struct nf_osf_user_finger *f;
+ struct nf_osf_finger *kf = NULL, *sf;
++ unsigned int tot_opt_len = 0;
+ int err = 0;
++ int i;
+
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+@@ -318,6 +320,17 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
+ if (f->opt_num > ARRAY_SIZE(f->opt))
+ return -EINVAL;
+
++ for (i = 0; i < f->opt_num; i++) {
++ if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
++ return -EINVAL;
++ if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)
++ return -EINVAL;
++
++ tot_opt_len += f->opt[i].length;
++ if (tot_opt_len > MAX_IPOPTLEN)
++ return -EINVAL;
++ }
++
+ if (!memchr(f->genre, 0, MAXGENRELEN) ||
+ !memchr(f->subtype, 0, MAXGENRELEN) ||
+ !memchr(f->version, 0, MAXGENRELEN))
+--
+2.51.0
+
diff --git a/queue-5.15/of-add-cleanup.h-based-auto-release-via-__free-devic.patch b/queue-5.15/of-add-cleanup.h-based-auto-release-via-__free-devic.patch
new file mode 100644
index 0000000000..b6357d07e6
--- /dev/null
+++ b/queue-5.15/of-add-cleanup.h-based-auto-release-via-__free-devic.patch
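Review bot: `int i` is compared against `f->opt_num` in the new loop; if opt_num is the unsigned field I expect in struct nf_osf_user_finger (it is bounded by ARRAY_SIZE(f->opt) just above), this is a signed/unsigned comparison that -Wsign-compare flags, and `unsigned int i;` would match the neighbouring `tot_opt_len`. The checks validate memory safety for nf_osf_match_one() only, not option semantics (a kind with a length other than what its RFC prescribes still passes), so a comment above the loop such as `/* bounds only: keeps nf_osf_match_one() inside the option buffer */` would set expectations. MAX_IPOPTLEN is being applied to TCP options here; it happens to equal the 40-byte TCP option space, but a reader will wonder, so name that in the same comment. nfnl_osf_add_callback() continues outside the hunk.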
@@ -0,0 +1,72 @@
+From d212f427919ffe5c67b92071de3eb653f1f83312 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 25 Feb 2024 14:27:11 +0000
+Subject: of: Add cleanup.h based auto release via __free(device_node) markings
+
+From: Jonathan Cameron
+
+[ Upstream commit 9448e55d032d99af8e23487f51a542d51b2f1a48 ]
+
+The recent addition of scope based cleanup support to the kernel
+provides a convenient tool to reduce the chances of leaking reference
+counts where of_node_put() should have been called in an error path.
+
+This enables
+ struct device_node *child __free(device_node) = NULL;
+
+ for_each_child_of_node(np, child) {
+ if (test)
+ return test;
+ }
+
+with no need for a manual call of of_node_put().
+A following patch will reduce the scope of the child variable to the
+for loop, to avoid an issues with ordering of autocleanup, and make it
+obvious when this assigned a non NULL value.
+
+In this simple example the gains are small but there are some very
+complex error handling cases buried in these loops that will be
+greatly simplified by enabling early returns with out the need
+for this manual of_node_put() call.
+
+Note that there are coccinelle checks in
+scripts/coccinelle/iterators/for_each_child.cocci to detect a failure
+to call of_node_put(). This new approach does not cause false positives.
+Longer term we may want to add scripting to check this new approach is
+done correctly with no double of_node_put() calls being introduced due
+to the auto cleanup. It may also be useful to script finding places
+this new approach is useful.
+
+Signed-off-by: Jonathan Cameron
+Reviewed-by: Rob Herring
+Link: https://lore.kernel.org/r/20240225142714.286440-2-jic23@kernel.org
+Signed-off-by: Rob Herring
+Stable-dep-of: 879c001afbac ("firmware: arm_scpi: Fix device_node reference leak in probe path")
+Signed-off-by: Sasha Levin
+---
+ include/linux/of.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/of.h b/include/linux/of.h
+index 29f657101f4f8..3c840c4879956 100644
+--- a/include/linux/of.h
++++ b/include/linux/of.h
+@@ -13,6 +13,7 @@
+ */
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -128,6 +129,7 @@ static inline struct device_node *of_node_get(struct device_node *node)
+ }
+ static inline void of_node_put(struct device_node *node) { }
+ #endif /* !CONFIG_OF_DYNAMIC */
++DEFINE_FREE(device_node, struct device_node *, if (_T) of_node_put(_T))
+
+ /* Pointer for first entry in chain of all nodes. */
+ extern struct device_node *of_root;
+--
+2.51.0
+
diff --git a/queue-5.15/pm-runtime-fix-a-race-condition-related-to-device-re.patch b/queue-5.15/pm-runtime-fix-a-race-condition-related-to-device-re.patch
new file mode 100644
index 0000000000..0c1542b1c6
--- /dev/null
+++ b/queue-5.15/pm-runtime-fix-a-race-condition-related-to-device-re.patch
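Review bot: DEFINE_FREE() and __free() come from linux/cleanup.h, a header that to my knowledge only reached mainline around 6.5, whereas this queue targets 5.15; the include added in the first hunk lost its path in extraction, so I cannot tell from the page which header it names or whether cleanup.h is already present in the 5.15 tree. Worth a build check before queuing, and the backport note could state that dependency explicitly. The `if (_T)` guard is what makes `__free(device_node)` safe on a pointer that was initialised to NULL and never assigned; a comment on that line, e.g. `/* NULL-safe: a never-assigned __free(device_node) pointer is a no-op */`, would explain the guard to readers who assume of_node_put() already tolerates NULL, which only the !CONFIG_OF_DYNAMIC stub in the hunk shows.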
@@ -0,0 +1,126 @@ +From b95d03f667fe6fd5d5ba076394d3d329f2cce2da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 11:27:20 -0700 +Subject: PM: runtime: Fix a race condition related to device removal + +From: Bart Van Assche + +[ Upstream commit 29ab768277617452d88c0607c9299cdc63b6e9ff ] + +The following code in pm_runtime_work() may dereference the dev->parent +pointer after the parent device has been freed: + + /* Maybe the parent is now able to suspend. */ + if (parent && !parent->power.ignore_children) { + spin_unlock(&dev->power.lock); + + spin_lock(&parent->power.lock); + rpm_idle(parent, RPM_ASYNC); + spin_unlock(&parent->power.lock); + + spin_lock(&dev->power.lock); + } + +Fix this by inserting a flush_work() call in pm_runtime_remove(). + +Without this patch blktest block/001 triggers the following complaint +sporadically: + +BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160 +Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081 +Workqueue: pm pm_runtime_work +Call Trace: + + dump_stack_lvl+0x61/0x80 + print_address_description.constprop.0+0x8b/0x310 + print_report+0xfd/0x1d7 + kasan_report+0xd8/0x1d0 + __kasan_check_byte+0x42/0x60 + lock_acquire.part.0+0x38/0x230 + lock_acquire+0x70/0x160 + _raw_spin_lock+0x36/0x50 + rpm_suspend+0xc6a/0xfe0 + rpm_idle+0x578/0x770 + pm_runtime_work+0xee/0x120 + process_one_work+0xde3/0x1410 + worker_thread+0x5eb/0xfe0 + kthread+0x37b/0x480 + ret_from_fork+0x6cb/0x920 + ret_from_fork_asm+0x11/0x20 + + +Allocated by task 4314: + kasan_save_stack+0x2a/0x50 + kasan_save_track+0x18/0x40 + kasan_save_alloc_info+0x3d/0x50 + __kasan_kmalloc+0xa0/0xb0 + __kmalloc_noprof+0x311/0x990 + scsi_alloc_target+0x122/0xb60 [scsi_mod] + __scsi_scan_target+0x101/0x460 [scsi_mod] + scsi_scan_channel+0x179/0x1c0 [scsi_mod] + scsi_scan_host_selected+0x259/0x2d0 [scsi_mod] + store_scan+0x2d2/0x390 [scsi_mod] + dev_attr_store+0x43/0x80 + sysfs_kf_write+0xde/0x140 + kernfs_fop_write_iter+0x3ef/0x670 + 
vfs_write+0x506/0x1470 + ksys_write+0xfd/0x230 + __x64_sys_write+0x76/0xc0 + x64_sys_call+0x213/0x1810 + do_syscall_64+0xee/0xfc0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Freed by task 4314: + kasan_save_stack+0x2a/0x50 + kasan_save_track+0x18/0x40 + kasan_save_free_info+0x3f/0x50 + __kasan_slab_free+0x67/0x80 + kfree+0x225/0x6c0 + scsi_target_dev_release+0x3d/0x60 [scsi_mod] + device_release+0xa3/0x220 + kobject_cleanup+0x105/0x3a0 + kobject_put+0x72/0xd0 + put_device+0x17/0x20 + scsi_device_dev_release+0xacf/0x12c0 [scsi_mod] + device_release+0xa3/0x220 + kobject_cleanup+0x105/0x3a0 + kobject_put+0x72/0xd0 + put_device+0x17/0x20 + scsi_device_put+0x7f/0xc0 [scsi_mod] + sdev_store_delete+0xa5/0x120 [scsi_mod] + dev_attr_store+0x43/0x80 + sysfs_kf_write+0xde/0x140 + kernfs_fop_write_iter+0x3ef/0x670 + vfs_write+0x506/0x1470 + ksys_write+0xfd/0x230 + __x64_sys_write+0x76/0xc0 + x64_sys_call+0x213/0x1810 + +Reported-by: Ming Lei +Closes: https://lore.kernel.org/all/ZxdNvLNI8QaOfD2d@fedora/ +Reported-by: syzbot+6c905ab800f20cf4086c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68c13942.050a0220.2ff435.000b.GAE@google.com/ +Fixes: 5e928f77a09a ("PM: Introduce core framework for run-time PM of I/O devices (rev. 17)") +Signed-off-by: Bart Van Assche +Link: https://patch.msgid.link/20260312182720.2776083-1-bvanassche@acm.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/base/power/runtime.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index 7dcf2498965a3..f94d9223ab151 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -1774,6 +1774,7 @@ void pm_runtime_reinit(struct device *dev) + void pm_runtime_remove(struct device *dev) + { + __pm_runtime_disable(dev, false); ++ flush_work(&dev->power.work); + pm_runtime_reinit(dev); + } + +-- +2.51.0 + 
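Review bot: The added flush_work() is justified only by something the hunk does not show: __pm_runtime_disable() already runs a barrier, so a reader will ask why that does not cover this case. From the description the window is a pm_runtime_work() instance that has already taken its request and is dereferencing dev->parent, which a request-based barrier does not wait for; that belongs in a comment on the new line, e.g. `/* The barrier in __pm_runtime_disable() only waits for a pending request; a pm_runtime_work() already past that point may still touch dev->parent, so wait for it here. */`. flush_work() sleeps, so pm_runtime_remove() must remain process-context only; its callers are outside the hunk.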
diff --git a/queue-5.15/sched-idle-consolidate-the-handling-of-two-special-c.patch b/queue-5.15/sched-idle-consolidate-the-handling-of-two-special-c.patch
new file mode 100644
index 0000000000..fd8cc6a1c5
--- /dev/null
+++ b/queue-5.15/sched-idle-consolidate-the-handling-of-two-special-c.patch
@@ -0,0 +1,133 @@ +From 97972eaf1a4dac5dc97d09195c6a48283af2121d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 13:25:41 +0100 +Subject: sched: idle: Consolidate the handling of two special cases + +From: Rafael J. Wysocki + +[ Upstream commit f4c31b07b136839e0fb3026f8a5b6543e3b14d2f ] + +There are two special cases in the idle loop that are handled +inconsistently even though they are analogous. + +The first one is when a cpuidle driver is absent and the default CPU +idle time power management implemented by the architecture code is used. +In that case, the scheduler tick is stopped every time before invoking +default_idle_call(). + +The second one is when a cpuidle driver is present, but there is only +one idle state in its table. In that case, the scheduler tick is never +stopped at all. + +Since each of these approaches has its drawbacks, reconcile them with +the help of one simple heuristic. Namely, stop the tick if the CPU has +been woken up by it in the previous iteration of the idle loop, or let +it tick otherwise. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Reviewed-by: Frederic Weisbecker +Reviewed-by: Qais Yousef +Reviewed-by: Aboorva Devarajan +Fixes: ed98c3491998 ("sched: idle: Do not stop the tick before cpuidle_idle_call()") +[ rjw: Added Fixes tag, changelog edits ] +Link: https://patch.msgid.link/4741364.LvFx2qVVIh@rafael.j.wysocki +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + kernel/sched/idle.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c +index 407835d23eacf..f1c58e2fc3b5c 100644 +--- a/kernel/sched/idle.c ++++ b/kernel/sched/idle.c +@@ -158,6 +158,14 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev, + return cpuidle_enter(drv, dev, next_state); + } + ++static void idle_call_stop_or_retain_tick(bool stop_tick) ++{ ++ if (stop_tick || tick_nohz_tick_stopped()) ++ tick_nohz_idle_stop_tick(); ++ else ++ tick_nohz_idle_retain_tick(); ++} ++ + /** + * cpuidle_idle_call - the main idle function + * +@@ -167,7 +175,7 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev, + * set, and it returns with polling set. If it ever stops polling, it + * must clear the polling bit. + */ +-static void cpuidle_idle_call(void) ++static void cpuidle_idle_call(bool stop_tick) + { + struct cpuidle_device *dev = cpuidle_get_device(); + struct cpuidle_driver *drv = cpuidle_get_cpu_driver(dev); +@@ -189,7 +197,7 @@ static void cpuidle_idle_call(void) + */ + + if (cpuidle_not_available(drv, dev)) { +- tick_nohz_idle_stop_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + default_idle_call(); + goto exit_idle; +@@ -224,17 +232,19 @@ static void cpuidle_idle_call(void) + next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns); + call_cpuidle(drv, dev, next_state); + } else if (drv->state_count > 1) { +- bool stop_tick = true; ++ /* ++ * stop_tick is expected to be true by default by cpuidle ++ * governors, which allows them to select idle states with ++ * target residency above the tick period length. ++ */ ++ stop_tick = true; + + /* + * Ask the cpuidle framework to choose a convenient idle state. 
+ */ + next_state = cpuidle_select(drv, dev, &stop_tick); + +- if (stop_tick || tick_nohz_tick_stopped()) +- tick_nohz_idle_stop_tick(); +- else +- tick_nohz_idle_retain_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + entered_state = call_cpuidle(drv, dev, next_state); + /* +@@ -242,7 +252,7 @@ static void cpuidle_idle_call(void) + */ + cpuidle_reflect(dev, entered_state); + } else { +- tick_nohz_idle_retain_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + /* + * If there is only a single idle state (or none), there is +@@ -270,6 +280,7 @@ static void cpuidle_idle_call(void) + static void do_idle(void) + { + int cpu = smp_processor_id(); ++ bool got_tick = false; + + /* + * Check if we need to update blocked load +@@ -312,8 +323,9 @@ static void do_idle(void) + tick_nohz_idle_restart_tick(); + cpu_idle_poll(); + } else { +- cpuidle_idle_call(); ++ cpuidle_idle_call(got_tick); + } ++ got_tick = tick_nohz_idle_got_tick(); + arch_cpu_idle_exit(); + } + +-- +2.51.0 + diff --git a/queue-5.15/series b/queue-5.15/series index fa25b17645..0e1733ad08 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
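Review bot: In cpuidle_idle_call() the parameter `stop_tick` now serves two roles: it carries the caller's got_tick into the no-driver and single-state branches, but in the governor branch it is overwritten with `stop_tick = true;` and used as cpuidle_select()'s out-parameter, so which meaning applies depends on the branch the reader is in. A distinct local for the governor path, `bool gov_stop_tick = true;` passed as `&gov_stop_tick`, keeps the two apart at no cost. The parameter also deserves a line in the kernel-doc block visible in the hunk, along the lines of `@stop_tick: stop the tick in the no-driver and single-state cases; set by the caller when the previous idle exit was a tick wakeup`. do_idle() and cpuidle_idle_call() both continue outside the hunk.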
@@ -240,3 +240,44 @@ drm-amd-display-use-gfp_atomic-in-dc_create_stream_for_sink.patch
 mptcp-pm-avoid-sending-rm_addr-over-same-subflow.patch
 pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch
 batman-adv-avoid-ogm-aggregation-when-skb-tailroom-is-insufficient.patch
+btrfs-tree-checker-fix-misleading-root-drop_level-er.patch
+soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
+wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch
+wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
+of-add-cleanup.h-based-auto-release-via-__free-devic.patch
+firmware-arm_scpi-fix-device_node-reference-leak-in-.patch
+bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
+bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
+bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
+bluetooth-hidp-fix-possible-uaf.patch
+bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch
+net-rose-fix-null-pointer-dereference-in-rose_transm.patch
+netfilter-ctnetlink-remove-refcounting-in-expectatio.patch
+netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
+netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
+netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
+netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch
+netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch
+netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
+netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
+netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
+net-bcmgenet-increase-wol-poll-timeout.patch
+net-mana-improve-the-hwc-error-handling.patch
+net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch
+sched-idle-consolidate-the-handling-of-two-special-c.patch
+pm-runtime-fix-a-race-condition-related-to-device-re.patch
+net-smc-only-save-the-original-clcsock-callback-func.patch
+net-smc-fix-slab-out-of-bounds-issue-in-fallback.patch
+net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch
+net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
+igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch
+wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
+wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
+acpi-processor-fix-previous-acpi_processor_errata_pi.patch
+net-macb-fix-uninitialized-rx_fs_lock.patch
+udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
+net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
+nfnetlink_osf-validate-individual-option-lengths-in-.patch
+net-mvpp2-guard-flow-control-update-with-global_tx_f.patch
+net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
+icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
diff --git a/queue-5.15/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch b/queue-5.15/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
new file mode 100644
index 0000000000..87d5d5b619
--- /dev/null
+++ b/queue-5.15/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
@@ -0,0 +1,92 @@ +From b221e472433e513b54b5011d01d74d87bb3dec30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 08:25:49 +0100 +Subject: soc: fsl: qbman: fix race condition in qman_destroy_fq + +From: Richard Genoud + +[ Upstream commit 014077044e874e270ec480515edbc1cadb976cf2 ] + +When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between +fq_table[fq->idx] state and freeing/allocating from the pool and +WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. + +Indeed, we can have: + Thread A Thread B + qman_destroy_fq() qman_create_fq() + qman_release_fqid() + qman_shutdown_fq() + gen_pool_free() + -- At this point, the fqid is available again -- + qman_alloc_fqid() + -- so, we can get the just-freed fqid in thread B -- + fq->fqid = fqid; + fq->idx = fqid * 2; + WARN_ON(fq_table[fq->idx]); + fq_table[fq->idx] = fq; + fq_table[fq->idx] = NULL; + +And adding some logs between qman_release_fqid() and +fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more. + +To prevent that, ensure that fq_table[fq->idx] is set to NULL before +gen_pool_free() is called by using smp_wmb(). + +Fixes: c535e923bb97 ("soc/fsl: Introduce DPAA 1.x QMan device driver") +Signed-off-by: Richard Genoud +Tested-by: CHAMPSEIX Thomas +Link: https://lore.kernel.org/r/20251223072549.397625-1-richard.genoud@bootlin.com +Signed-off-by: Christophe Leroy (CS GROUP) +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qbman/qman.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c +index 7e9074519ad22..bcbf6bf2e8f45 100644 +--- a/drivers/soc/fsl/qbman/qman.c ++++ b/drivers/soc/fsl/qbman/qman.c +@@ -1827,6 +1827,8 @@ EXPORT_SYMBOL(qman_create_fq); + + void qman_destroy_fq(struct qman_fq *fq) + { ++ int leaked; ++ + /* + * We don't need to lock the FQ as it is a pre-condition that the FQ be + * quiesced. Instead, run some checks. 
+@@ -1834,11 +1836,29 @@ void qman_destroy_fq(struct qman_fq *fq) + switch (fq->state) { + case qman_fq_state_parked: + case qman_fq_state_oos: +- if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) +- qman_release_fqid(fq->fqid); ++ /* ++ * There's a race condition here on releasing the fqid, ++ * setting the fq_table to NULL, and freeing the fqid. ++ * To prevent it, this order should be respected: ++ */ ++ if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) { ++ leaked = qman_shutdown_fq(fq->fqid); ++ if (leaked) ++ pr_debug("FQID %d leaked\n", fq->fqid); ++ } + + DPAA_ASSERT(fq_table[fq->idx]); + fq_table[fq->idx] = NULL; ++ ++ if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) && !leaked) { ++ /* ++ * fq_table[fq->idx] should be set to null before ++ * freeing fq->fqid otherwise it could by allocated by ++ * qman_alloc_fqid() while still being !NULL ++ */ ++ smp_wmb(); ++ gen_pool_free(qm_fqalloc, fq->fqid | DPAA_GENALLOC_OFF, 1); ++ } + return; + default: + break; +-- +2.51.0 + diff --git a/queue-5.15/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch b/queue-5.15/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch new file mode 100644 index 0000000000..2de44b2306 --- /dev/null +++ b/queue-5.15/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch 
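Review bot: `leaked` is declared at the top of qman_destroy_fq() without an initializer, and the only thing keeping the later `!leaked` read well-defined is that `fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) &&` short-circuits first; that coupling between the two `fq_isset()` checks is fragile and likely to draw a -Wmaybe-uninitialized warning, so `int leaked = 0;` is the safer declaration. The new comment above `smp_wmb()` also reads "it could by allocated" where "it could be allocated" is meant. When qman_shutdown_fq() reports a leak the FQID is deliberately never returned to `qm_fqalloc`, but that is only visible at `pr_debug` level, which makes gradual pool exhaustion hard to diagnose from logs; a comment such as `/* a leaked FQID is never freed: the pool shrinks by one entry */` at the `!leaked` branch would make that trade-off explicit. qman_destroy_fq() continues past the end of the hunk (the `default:` path), so the other exit paths are not visible here.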
@@ -0,0 +1,64 @@ +From 78583ec5f47fd7a267cea6f399eb6d9f14532911 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 18:02:41 -0700 +Subject: udp_tunnel: fix NULL deref caused by udp_sock_create6 when + CONFIG_IPV6=n + +From: Xiang Mei + +[ Upstream commit b3a6df291fecf5f8a308953b65ca72b7fc9e015d ] + +When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 +(success) without actually creating a socket. Callers such as +fou_create() then proceed to dereference the uninitialized socket +pointer, resulting in a NULL pointer dereference. + +The captured NULL deref crash: + BUG: kernel NULL pointer dereference, address: 0000000000000018 + RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764) + [...] + Call Trace: + + genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114) + genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209) + [...] + netlink_rcv_skb (net/netlink/af_netlink.c:2550) + genl_rcv (net/netlink/genetlink.c:1219) + netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) + netlink_sendmsg (net/netlink/af_netlink.c:1894) + __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1)) + __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1)) + __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1)) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) + entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130) + +This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so +callers correctly take their error paths. There is only one caller of +the vulnerable function and only privileged users can trigger it. 
+ +Fixes: fd384412e199b ("udp_tunnel: Seperate ipv6 functions into its own file.") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260317010241.1893893-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/udp_tunnel.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h +index 72394f441dad8..b6af537abdc5a 100644 +--- a/include/net/udp_tunnel.h ++++ b/include/net/udp_tunnel.h +@@ -47,7 +47,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, + static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, + struct socket **sockp) + { +- return 0; ++ return -EPFNOSUPPORT; + } + #endif + +-- +2.51.0 + diff --git a/queue-5.15/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch b/queue-5.15/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch new file mode 100644 index 0000000000..3aeb67d8ae --- /dev/null +++ b/queue-5.15/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch 
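Review bot: The CONFIG_IPV6=n stub of udp_sock_create6() now returns `-EPFNOSUPPORT` but nothing in the header says why a stub is reporting an error, and the previous `return 0` shows how easy that is to get wrong when the function is edited again; a one-line comment such as `/* IPv6 is compiled out: report unsupported rather than a bogus success */` above the `return` would document the contract. The stub still leaves `*sockp` untouched, which is fine as long as every caller gates on the return value, as the commit message says fou_create() does; that remains an assumption about callers rather than something this hunk enforces.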
@@ -0,0 +1,51 @@ +From 207026b86ae5c8a0e40ea5a7bcce8527742803c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 21:36:59 +0530 +Subject: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down + +From: Peddolla Harshavardhan Reddy + +[ Upstream commit 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 ] + +When the nl80211 socket that originated a PMSR request is +closed, cfg80211_release_pmsr() sets the request's nl_portid +to zero and schedules pmsr_free_wk to process the abort +asynchronously. If the interface is concurrently torn down +before that work runs, cfg80211_pmsr_wdev_down() calls +cfg80211_pmsr_process_abort() directly. However, the already- +scheduled pmsr_free_wk work item remains pending and may run +after the interface has been removed from the driver. This +could cause the driver's abort_pmsr callback to operate on a +torn-down interface, leading to undefined behavior and +potential crashes. + +Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down() +before calling cfg80211_pmsr_process_abort(). This ensures any +pending or in-progress work is drained before interface teardown +proceeds, preventing the work from invoking the driver abort +callback after the interface is gone. + +Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API") +Signed-off-by: Peddolla Harshavardhan Reddy +Link: https://patch.msgid.link/20260305160712.1263829-3-peddolla.reddy@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/pmsr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c +index 65fa39275f73f..92c62d36e9525 100644 +--- a/net/wireless/pmsr.c ++++ b/net/wireless/pmsr.c +@@ -642,6 +642,7 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev) + } + spin_unlock_bh(&wdev->pmsr_lock); + ++ cancel_work_sync(&wdev->pmsr_free_wk); + if (found) + cfg80211_pmsr_process_abort(wdev); + +-- +2.51.0 + 
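Review bot: `cancel_work_sync(&wdev->pmsr_free_wk)` is added unconditionally before `if (found)`, and that placement is correct only because cfg80211_release_pmsr() may have queued the work independently of `found` and because the call sits after `spin_unlock_bh(&wdev->pmsr_lock)` (cancel_work_sync() can sleep); neither reason is stated in the code. A comment such as `/* drain any abort queued by cfg80211_release_pmsr() so abort_pmsr never runs on a torn-down wdev */` above the call would preserve that ordering constraint for the next edit. cfg80211_pmsr_wdev_down() begins outside the hunk, so the lock/unlock pairing above the new line is inferred from the visible `spin_unlock_bh` only.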
diff --git a/queue-5.15/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch b/queue-5.15/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch new file mode 100644 index 0000000000..a85a52a8cf --- /dev/null +++ b/queue-5.15/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch 
@@ -0,0 +1,81 @@ +From 3c6931945e1139e36c71f6c938a21c060833557b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 20:42:44 -0700 +Subject: wifi: mac80211: fix NULL deref in mesh_matches_local() + +From: Xiang Mei + +[ Upstream commit c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd ] + +mesh_matches_local() unconditionally dereferences ie->mesh_config to +compare mesh configuration parameters. When called from +mesh_rx_csa_frame(), the parsed action-frame elements may not contain a +Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a +kernel NULL pointer dereference. + +The other two callers are already safe: + - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before + calling mesh_matches_local() + - mesh_plink_get_event() is only reached through + mesh_process_plink_frame(), which checks !elems->mesh_config, too + +mesh_rx_csa_frame() is the only caller that passes raw parsed elements +to mesh_matches_local() without guarding mesh_config. An adjacent +attacker can exploit this by sending a crafted CSA action frame that +includes a valid Mesh ID IE but omits the Mesh Configuration IE, +crashing the kernel. + +The captured crash log: + +Oops: general protection fault, probably for non-canonical address ... +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +Workqueue: events_unbound cfg80211_wiphy_work +[...] +Call Trace: + + ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65) + ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686) + [...] + ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802) + [...] + cfg80211_wiphy_work (net/wireless/core.c:426) + process_one_work (net/kernel/workqueue.c:3280) + ? assign_work (net/kernel/workqueue.c:1219) + worker_thread (net/kernel/workqueue.c:3352) + ? __pfx_worker_thread (net/kernel/workqueue.c:3385) + kthread (net/kernel/kthread.c:436) + [...] 
+ ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255) + + +This patch adds a NULL check for ie->mesh_config at the top of +mesh_matches_local() to return false early when the Mesh Configuration +IE is absent. + +Fixes: 2e3c8736820b ("mac80211: support functions for mesh") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260318034244.2595020-1-xmei5@asu.edu +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c +index e75f53f08b611..167b0625b1a17 100644 +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -75,6 +75,9 @@ bool mesh_matches_local(struct ieee80211_sub_if_data *sdata, + * - MDA enabled + * - Power management control on fc + */ ++ if (!ie->mesh_config) ++ return false; ++ + if (!(ifmsh->mesh_id_len == ie->mesh_id_len && + memcmp(ifmsh->mesh_id, ie->mesh_id, ie->mesh_id_len) == 0 && + (ifmsh->mesh_pp_id == ie->mesh_config->meshconf_psel) && +-- +2.51.0 + diff --git a/queue-5.15/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch b/queue-5.15/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch new file mode 100644 index 0000000000..162e579451 --- /dev/null +++ b/queue-5.15/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch 
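Review bot: The new `if (!ie->mesh_config) return false;` in mesh_matches_local() is placed directly under the comment block that enumerates the compared fields, but nothing records why a parsed element set could lack a Mesh Configuration IE; a comment such as `/* Action frames (e.g. CSA) may carry a Mesh ID but no Mesh Configuration IE */` above the check would tie it to the caller the fix is for. The following `memcmp(ifmsh->mesh_id, ie->mesh_id, ie->mesh_id_len)` is bounded by `ie->mesh_id_len`, so a missing Mesh ID is presumably harmless when its length is zero, but that cannot be confirmed from this hunk. mesh_matches_local() starts and ends outside the hunk.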
@@ -0,0 +1,112 @@ +From 1413c7f1b54b6332f1620b61a4697cd249d4fdb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 07:24:02 +0000 +Subject: wifi: mac80211: Fix static_branch_dec() underflow for aql_disable. + +From: Kuniyuki Iwashima + +[ Upstream commit b94ae8e0d5fe1bdbbfdc3854ff6ce98f6876a828 ] + +syzbot reported static_branch_dec() underflow in aql_enable_write(). [0] + +The problem is that aql_enable_write() does not serialise concurrent +write()s to the debugfs. + +aql_enable_write() checks static_key_false(&aql_disable.key) and +later calls static_branch_inc() or static_branch_dec(), but the +state may change between the two calls. + +aql_disable does not need to track inc/dec. + +Let's use static_branch_enable() and static_branch_disable(). + +[0]: +val == 0 +WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288 +Modules linked in: +CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G U L syzkaller #0 PREEMPT(full) +Tainted: [U]=USER, [L]=SOFTLOCKUP +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 +RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311 +Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00 +RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4 +RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000 +RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a +R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98 +FS: 00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000200000001140 CR3: 
000000007cc4a000 CR4: 00000000003526f0 +Call Trace: + + __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline] + __static_key_slow_dec kernel/jump_label.c:321 [inline] + static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336 + aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343 + short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383 + vfs_write+0x2aa/0x1070 fs/read_write.c:684 + ksys_pwrite64 fs/read_write.c:793 [inline] + __do_sys_pwrite64 fs/read_write.c:801 [inline] + __se_sys_pwrite64 fs/read_write.c:798 [inline] + __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f530cf9aeb9 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012 +RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9 +RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010 +RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000 +R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978 + + +Fixes: e908435e402a ("mac80211: introduce aql_enable node in debugfs") +Reported-by: syzbot+feb9ce36a95341bb47a4@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/69a8979e.a70a0220.b118c.0025.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260306072405.3649474-1-kuniyu@google.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/debugfs.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c +index 8dbfe325ee66f..4bf59033c516b 100644 +--- 
a/net/mac80211/debugfs.c ++++ b/net/mac80211/debugfs.c +@@ -296,7 +296,6 @@ static ssize_t aql_enable_read(struct file *file, char __user *user_buf, + static ssize_t aql_enable_write(struct file *file, const char __user *user_buf, + size_t count, loff_t *ppos) + { +- bool aql_disabled = static_key_false(&aql_disable.key); + char buf[3]; + size_t len; + +@@ -311,15 +310,12 @@ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf, + if (len > 0 && buf[len - 1] == '\n') + buf[len - 1] = 0; + +- if (buf[0] == '0' && buf[1] == '\0') { +- if (!aql_disabled) +- static_branch_inc(&aql_disable); +- } else if (buf[0] == '1' && buf[1] == '\0') { +- if (aql_disabled) +- static_branch_dec(&aql_disable); +- } else { ++ if (buf[0] == '0' && buf[1] == '\0') ++ static_branch_enable(&aql_disable); ++ else if (buf[0] == '1' && buf[1] == '\0') ++ static_branch_disable(&aql_disable); ++ else + return -EINVAL; +- } + + return count; + } +-- +2.51.0 + diff --git a/queue-5.15/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch b/queue-5.15/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch new file mode 100644 index 0000000000..5426fce8de --- /dev/null +++ b/queue-5.15/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch 
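Review bot: The switch from `static_branch_inc`/`static_branch_dec` to `static_branch_enable`/`static_branch_disable` in aql_enable_write() fixes the race precisely because enable/disable are idempotent and serialised inside the jump-label code, whereas inc/dec relied on the unsynchronised `aql_disabled` snapshot that the hunk removes; the code now carries no trace of that reasoning. A comment such as `/* enable/disable are idempotent and serialised internally; inc/dec raced between concurrent writers */` above the first `if` would stop a future "optimisation" back to the counted form. The `buf[3]` sizing and the `len` bound that make `buf[1]` safe to read are outside the hunk and are assumed here.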
@@ -0,0 +1,54 @@ +From 2cd3b9658f5de69b86478762bb9cf689eb68b5a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 23:46:36 -0700 +Subject: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not + enough headroom + +From: Guenter Roeck + +[ Upstream commit deb353d9bb009638b7762cae2d0b6e8fdbb41a69 ] + +Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom +before skb_push"), wl1271_tx_allocate() and with it +wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails. +However, in wlcore_tx_work_locked(), a return value of -EAGAIN from +wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being +full. This causes the code to flush the buffer, put the skb back at the +head of the queue, and immediately retry the same skb in a tight while +loop. + +Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens +immediately with GFP_ATOMIC, this will result in an infinite loop and a +CPU soft lockup. Return -ENOMEM instead so the packet is dropped and +the loop terminates. + +The problem was found by an experimental code review agent based on +gemini-3.1-pro while reviewing backports into v6.18.y. 
+ +Assisted-by: Gemini:gemini-3.1-pro +Fixes: e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push") +Cc: Peter Astrand +Signed-off-by: Guenter Roeck +Link: https://patch.msgid.link/20260318064636.3065925-1-linux@roeck-us.net +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wlcore/tx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c +index e86cc3425e997..ac1411db8e5a8 100644 +--- a/drivers/net/wireless/ti/wlcore/tx.c ++++ b/drivers/net/wireless/ti/wlcore/tx.c +@@ -213,7 +213,7 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif, + if (skb_headroom(skb) < (total_len - skb->len) && + pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) { + wl1271_free_tx_id(wl, id); +- return -EAGAIN; ++ return -ENOMEM; + } + desc = skb_push(skb, total_len - skb->len); + +-- +2.51.0 + diff --git a/queue-6.1/acpi-processor-fix-previous-acpi_processor_errata_pi.patch b/queue-6.1/acpi-processor-fix-previous-acpi_processor_errata_pi.patch new file mode 100644 index 0000000000..e07deb7372 --- /dev/null +++ b/queue-6.1/acpi-processor-fix-previous-acpi_processor_errata_pi.patch 
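Review bot: The changed `return -ENOMEM;` in wl1271_tx_allocate() depends on an unwritten contract with wlcore_tx_work_locked(), which treats `-EAGAIN` as "aggregation buffer full, requeue and retry"; that is exactly the kind of implicit coupling that produced the soft lockup, so it deserves a comment at the return, e.g. `/* not -EAGAIN: the caller retries -EAGAIN in a loop and would spin forever */`. Only this one error site is visible; if wl1271_tx_allocate() has other early returns outside the hunk that also use `-EAGAIN` for non-retryable conditions they would have the same problem, which cannot be checked from here. Dropping the frame on `pskb_expand_head()` failure is the right outcome under GFP_ATOMIC, but the `wl1271_free_tx_id()` release immediately before the return is what keeps the tx id from leaking, so the two lines should stay together.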
@@ -0,0 +1,74 @@ +From 2e068fc7bd5175d0d13d98efc8cd30944ed4b496 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 21:39:05 +0100 +Subject: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix + +From: Rafael J. Wysocki + +[ Upstream commit bf504b229cb8d534eccbaeaa23eba34c05131e25 ] + +After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference +in acpi_processor_errata_piix4()"), device pointers may be dereferenced +after dropping references to the device objects pointed to by them, +which may cause a use-after-free to occur. + +Moreover, debug messages about enabling the errata may be printed +if the errata flags corresponding to them are unset. + +Address all of these issues by moving message printing to the points +in the code where the errata flags are set. + +Fixes: f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()") +Reported-by: Guenter Roeck +Closes: https://lore.kernel.org/linux-acpi/938e2206-def5-4b7a-9b2c-d1fd37681d8a@roeck-us.net/ +Reviewed-by: Guenter Roeck +Signed-off-by: Rafael J. 
Wysocki +Link: https://patch.msgid.link/5975693.DvuYhMxLoT@rafael.j.wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_processor.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c +index 669398045c0fd..07acdaee6ce5c 100644 +--- a/drivers/acpi/acpi_processor.c ++++ b/drivers/acpi/acpi_processor.c +@@ -96,6 +96,10 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev) + PCI_ANY_ID, PCI_ANY_ID, NULL); + if (ide_dev) { + errata.piix4.bmisx = pci_resource_start(ide_dev, 4); ++ if (errata.piix4.bmisx) ++ dev_dbg(&ide_dev->dev, ++ "Bus master activity detection (BM-IDE) erratum enabled\n"); ++ + pci_dev_put(ide_dev); + } + +@@ -114,20 +118,17 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev) + if (isa_dev) { + pci_read_config_byte(isa_dev, 0x76, &value1); + pci_read_config_byte(isa_dev, 0x77, &value2); +- if ((value1 & 0x80) || (value2 & 0x80)) ++ if ((value1 & 0x80) || (value2 & 0x80)) { + errata.piix4.fdma = 1; ++ dev_dbg(&isa_dev->dev, ++ "Type-F DMA livelock erratum (C3 disabled)\n"); ++ } + pci_dev_put(isa_dev); + } + + break; + } + +- if (ide_dev) +- dev_dbg(&ide_dev->dev, "Bus master activity detection (BM-IDE) erratum enabled\n"); +- +- if (isa_dev) +- dev_dbg(&isa_dev->dev, "Type-F DMA livelock erratum (C3 disabled)\n"); +- + return 0; + } + +-- +2.51.0 + diff --git a/queue-6.1/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch b/queue-6.1/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch new file mode 100644 index 0000000000..da2651a54c --- /dev/null +++ b/queue-6.1/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch 
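Review bot: The two `pci_read_config_byte(isa_dev, 0x76, &value1)` / `0x77, &value2` calls remain unchecked in the isa_dev branch, so on a failed read the `(value1 & 0x80) || (value2 & 0x80)` test is evaluated against whatever `value1`/`value2` held before, and both are declared outside the hunk so their initial state cannot be confirmed here; this is pre-existing and not what the commit fixes, but it decides whether the Type-F DMA erratum is enabled. The read helpers return 0 on success, so the test could be gated as `if (!pci_read_config_byte(isa_dev, 0x76, &value1) && !pci_read_config_byte(isa_dev, 0x77, &value2) && ((value1 & 0x80) || (value2 & 0x80))) {`. Moving both `dev_dbg()` calls inside the respective `if` blocks, before `pci_dev_put()`, is the right shape for the UAF; the bmisx message is now additionally conditional on a non-zero BAR, which matches the erratum flag being set.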
@@ -0,0 +1,52 @@ +From dbad7439dbad473304447307ddc67c8dfc4f2d04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 14:50:52 +0100 +Subject: Bluetooth: hci_sync: Fix hci_le_create_conn_sync + +From: Michael Grzeschik + +[ Upstream commit 2cabe7ff1001b7a197009cf50ba71701f9cbd354 ] + +While introducing hci_le_create_conn_sync the functionality +of hci_connect_le was ported to hci_le_create_conn_sync including +the disable of the scan before starting the connection. + +When this code was run non synchronously the immediate call that was +setting the flag HCI_LE_SCAN_INTERRUPTED had an impact. Since the +completion handler for the LE_SCAN_DISABLE was not immediately called. +In the completion handler of the LE_SCAN_DISABLE event, this flag is +checked to set the state of the hdev to DISCOVERY_STOPPED. + +With the synchronised approach the later setting of the +HCI_LE_SCAN_INTERRUPTED flag has not the same effect. The completion +handler would immediately fire in the LE_SCAN_DISABLE call, check for +the flag, which is then not yet set and do nothing. + +To fix this issue and make the function call work as before, we move the +setting of the flag HCI_LE_SCAN_INTERRUPTED before disabling the scan. + +Fixes: 8e8b92ee60de ("Bluetooth: hci_sync: Add hci_le_create_conn_sync") +Signed-off-by: Michael Grzeschik +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 5ad09900f8ff1..01b23fc71e610 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -6436,8 +6436,8 @@ int hci_le_create_conn_sync(struct hci_dev *hdev, struct hci_conn *conn) + * state. 
+ */ + if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) { +- hci_scan_disable_sync(hdev); + hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED); ++ hci_scan_disable_sync(hdev); + } + + /* Update random address, but set require_privacy to false so +-- +2.51.0 + diff --git a/queue-6.1/bluetooth-hidp-fix-possible-uaf.patch b/queue-6.1/bluetooth-hidp-fix-possible-uaf.patch new file mode 100644 index 0000000000..0e3dde12d6 --- /dev/null +++ b/queue-6.1/bluetooth-hidp-fix-possible-uaf.patch 
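Review bot: The reordering in hci_le_create_conn_sync() works because the LE_SCAN_DISABLE completion now runs synchronously inside `hci_scan_disable_sync(hdev)` and reads HCI_LE_SCAN_INTERRUPTED, but the ordering is invisible in the code and a well-meaning reviewer could swap the two lines back; a comment such as `/* set the flag first: the scan-disable completion runs synchronously and checks it */` above `hci_dev_set_flag()` would fix that. The return value of `hci_scan_disable_sync()` is still ignored, so if the disable fails the interrupted flag presumably stays set while scanning continues; whether that is benign depends on code outside the hunk. hci_le_create_conn_sync() starts and ends outside the hunk.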
@@ -0,0 +1,237 @@ +From b71ee56228c813f6fc121a3c845b0670edb4660e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 10:17:47 -0500 +Subject: Bluetooth: HIDP: Fix possible UAF + +From: Luiz Augusto von Dentz + +[ Upstream commit dbf666e4fc9bdd975a61bf682b3f75cb0145eedd ] + +This fixes the following trace caused by not dropping l2cap_conn +reference when user->remove callback is called: + +[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00 +[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 97.809947] Call Trace: +[ 97.809954] +[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122) +[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808) +[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798) +[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1)) +[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341) +[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2)) +[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360) +[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285) +[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5)) +[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810290] ? 
rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752) +[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716) +[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691) +[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678) +[ 97.810404] __fput (fs/file_table.c:470) +[ 97.810430] task_work_run (kernel/task_work.c:235) +[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201) +[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5)) +[ 97.810527] do_exit (kernel/exit.c:972) +[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897) +[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6)) +[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4)) +[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 97.810721] do_group_exit (kernel/exit.c:1093) +[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1)) +[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366) +[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810826] ? vfs_read (fs/read_write.c:555) +[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800) +[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810905] ? 
__pfx_vfs_read (fs/read_write.c:555) +[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810960] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1)) +[ 97.810990] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334) +[ 97.811021] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811055] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811078] ? ksys_read (fs/read_write.c:707) +[ 97.811106] ? __pfx_ksys_read (fs/read_write.c:707) +[ 97.811137] exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98) +[ 97.811169] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752) +[ 97.811192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811215] ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33)) +[ 97.811240] do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100) +[ 97.811268] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811292] ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3)) +[ 97.811318] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +[ 97.811338] RIP: 0033:0x445cfe +[ 97.811352] Code: Unable to access opcode bytes at 0x445cd4. 
+ +Code starting with the faulting instruction +=========================================== +[ 97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 +[ 97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe +[ 97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004 +[ 97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000 +[ 97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8 +[ 97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0 +[ 97.811453] +[ 98.402453] ================================================================== +[ 98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430 +[ 98.405361] +[ 98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 98.405600] Call Trace: +[ 98.405607] +[ 98.405614] dump_stack_lvl (lib/dump_stack.c:122) +[ 98.405641] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) +[ 98.405667] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.405691] ? __virt_addr_valid (arch/x86/mm/physaddr.c:55) +[ 98.405724] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405748] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597) +[ 98.405778] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405807] __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405832] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4)) +[ 98.405859] ? 
l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.405888] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114) +[ 98.405915] ? __pfx___mutex_lock (kernel/locking/mutex.c:775) +[ 98.405939] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.405963] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6)) +[ 98.405984] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.406015] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406038] ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875) +[ 98.406061] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406085] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194) +[ 98.406107] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406130] ? __timer_delete_sync (kernel/time/timer.c:1592) +[ 98.406158] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.406186] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406210] l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.406263] hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305) +[ 98.406293] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.406323] ? kthread (kernel/kthread.c:433) +[ 98.406340] ? 
__pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.406370] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406393] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.406424] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.406453] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406476] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1)) +[ 98.406499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406523] ? kthread (kernel/kthread.c:433) +[ 98.406539] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406565] ? kthread (kernel/kthread.c:433) +[ 98.406581] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.406610] kthread (kernel/kthread.c:467) +[ 98.406627] ? __pfx_kthread (kernel/kthread.c:412) +[ 98.406645] ret_from_fork (arch/x86/kernel/process.c:164) +[ 98.406674] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153) +[ 98.406704] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406728] ? 
__pfx_kthread (kernel/kthread.c:412) +[ 98.406747] ret_from_fork_asm (arch/x86/entry/entry_64.S:258) +[ 98.406774] +[ 98.406780] +[ 98.433693] The buggy address belongs to the physical page: +[ 98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4 +[ 98.435557] flags: 0x200000000000000(node=0|zone=2) +[ 98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000 +[ 98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000 +[ 98.438115] page dumped because: kasan: bad access detected +[ 98.438951] +[ 98.439211] Memory state around the buggy address: +[ 98.439871] ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 98.440714] ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.442458] ^ +[ 98.443011] ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.443889] ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.444768] ================================================================== +[ 98.445719] Disabling lock debugging due to kernel taint +[ 98.448074] l2cap_conn_free: freeing conn ffff88810c22b400 +[ 98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G B 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 98.450040] Tainted: [B]=BAD_PAGE +[ 98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 98.450059] Call Trace: +[ 98.450065] +[ 98.450071] dump_stack_lvl (lib/dump_stack.c:122) +[ 98.450099] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808) +[ 98.450125] l2cap_conn_put (net/bluetooth/l2cap_core.c:1822) +[ 98.450154] session_free (net/bluetooth/hidp/core.c:990) +[ 98.450181] hidp_session_thread (net/bluetooth/hidp/core.c:1307) +[ 98.450213] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.450271] ? 
kthread (kernel/kthread.c:433) +[ 98.450293] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.450339] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450368] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.450406] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.450442] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450471] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1)) +[ 98.450499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450528] ? kthread (kernel/kthread.c:433) +[ 98.450547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450578] ? kthread (kernel/kthread.c:433) +[ 98.450598] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.450637] kthread (kernel/kthread.c:467) +[ 98.450657] ? __pfx_kthread (kernel/kthread.c:412) +[ 98.450680] ret_from_fork (arch/x86/kernel/process.c:164) +[ 98.450715] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153) +[ 98.450752] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450782] ? 
__pfx_kthread (kernel/kthread.c:412) +[ 98.450804] ret_from_fork_asm (arch/x86/entry/entry_64.S:258) +[ 98.450836] + +Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers") +Reported-by: soufiane el hachmi +Tested-by: soufiane el hachmi +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hidp/core.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c +index 82cc15ad963d8..b4e998e743f7a 100644 +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -987,7 +987,8 @@ static void session_free(struct kref *ref) + skb_queue_purge(&session->intr_transmit); + fput(session->intr_sock->file); + fput(session->ctrl_sock->file); +- l2cap_conn_put(session->conn); ++ if (session->conn) ++ l2cap_conn_put(session->conn); + kfree(session); + } + +@@ -1165,6 +1166,15 @@ static void hidp_session_remove(struct l2cap_conn *conn, + + down_write(&hidp_session_sem); + ++ /* Drop L2CAP reference immediately to indicate that ++ * l2cap_unregister_user() shall not be called as it is already ++ * considered removed. ++ */ ++ if (session->conn) { ++ l2cap_conn_put(session->conn); ++ session->conn = NULL; ++ } ++ + hidp_session_terminate(session); + + cancel_work_sync(&session->dev_init); +@@ -1302,7 +1312,9 @@ static int hidp_session_thread(void *arg) + * Instead, this call has the same semantics as if user-space tried to + * delete the session. + */ +- l2cap_unregister_user(session->conn, &session->user); ++ if (session->conn) ++ l2cap_unregister_user(session->conn, &session->user); ++ + hidp_session_put(session); + + module_put_and_kthread_exit(0); +-- +2.51.0 + diff --git a/queue-6.1/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch b/queue-6.1/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch new file mode 100644 index 0000000000..fd4da9b6e7 --- /dev/null 
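Review bot: The new `if (session->conn)` test in hidp_session_thread() is not visibly serialized against hidp_session_remove(), which puts and clears session->conn under down_write(&hidp_session_sem); if the thread can evaluate the check while remove is in flight, it can still hand a conn that l2cap is tearing down to l2cap_unregister_user(), which narrows the reported window rather than closing it. If the thread only reaches that point after hidp_session_terminate() (called by remove under the same semaphore) has run, that ordering is what makes the plain check safe and should be stated next to it, e.g. `/* NULL once hidp_session_remove() ran: l2cap already dropped our user and conn may be gone */`. The session_free() hunk is consistent with this, since conn is also NULL on that path. Both hidp_session_remove() and hidp_session_thread() extend outside the hunks.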
+++ b/queue-6.1/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch @@ -0,0 +1,55 @@ +From 5bba9e5d01b7c653d7ecd6c6269eb9bc58c270c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 18:07:25 +0100 +Subject: Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU + +From: Christian Eggers + +[ Upstream commit e1d9a66889867c232657a9b6f25d451d7c3ab96f ] + +Core 6.0, Vol 3, Part A, 3.4.3: +"If the SDU length field value exceeds the receiver's MTU, the receiver +shall disconnect the channel..." + +This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P +0x0027 -V le_public -I 100'). + +Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly") +Signed-off-by: Christian Eggers +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 7899600cd3724..db62b4f2c5210 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -7678,8 +7678,10 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) + return -ENOBUFS; + } + +- if (chan->imtu < skb->len) { +- BT_ERR("Too big LE L2CAP PDU"); ++ if (skb->len > chan->imtu) { ++ BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len, ++ chan->imtu); ++ l2cap_send_disconn_req(chan, ECONNRESET); + return -ENOBUFS; + } + +@@ -7705,7 +7707,9 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) + sdu_len, skb->len, chan->imtu); + + if (sdu_len > chan->imtu) { +- BT_ERR("Too big LE L2CAP SDU length received"); ++ BT_ERR("Too big LE L2CAP SDU length: len %u > %u", ++ skb->len, sdu_len); ++ l2cap_send_disconn_req(chan, ECONNRESET); + err = -EMSGSIZE; + goto failed; + } +-- +2.51.0 + 
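Review bot: The second BT_ERR in l2cap_ecred_data_rcv() logs the wrong pair of values: the condition is `sdu_len > chan->imtu`, but the format arguments are `skb->len, sdu_len`, so the message prints "len X > Y" with the PDU length on the left and the SDU length on the right, neither of which is the IMTU that was exceeded; the first hunk gets this right with `skb->len, chan->imtu`. Change it to `BT_ERR("Too big LE L2CAP SDU length: len %u > %u", sdu_len, chan->imtu);`. The `failed:` label the SDU case jumps to is outside the hunk, so whether the partial SDU is released after the disconnect request is sent cannot be confirmed here.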
diff --git a/queue-6.1/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch b/queue-6.1/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch new file mode 100644 index 0000000000..bd2eaba5bb --- /dev/null +++ b/queue-6.1/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch @@ -0,0 +1,39 @@ +From ba0049d72eff1781d0ea4ffd7eb2ceb200cf9067 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 18:07:27 +0100 +Subject: Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU + +From: Christian Eggers + +[ Upstream commit b6a2bf43aa37670432843bc73ae2a6288ba4d6f8 ] + +Core 6.0, Vol 3, Part A, 3.4.3: +"... If the sum of the payload sizes for the K-frames exceeds the +specified SDU length, the receiver shall disconnect the channel." + +This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P +0x0027 -V le_public'). + +Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly") +Signed-off-by: Christian Eggers +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index db62b4f2c5210..e2ca5d95c96be 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -7745,6 +7745,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) + + if (chan->sdu->len + skb->len > chan->sdu_len) { + BT_ERR("Too much LE L2CAP data received"); ++ l2cap_send_disconn_req(chan, ECONNRESET); + err = -EINVAL; + goto failed; + } +-- +2.51.0 + diff --git a/queue-6.1/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch b/queue-6.1/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch new file mode 100644 index 0000000000..051caa737a --- /dev/null +++ b/queue-6.1/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch 
@@ -0,0 +1,46 @@ +From 9131170ca8126cce724a415c9e380f667fffaf18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 01:02:57 +0200 +Subject: Bluetooth: qca: fix ROM version reading on WCN3998 chips + +From: Dmitry Baryshkov + +[ Upstream commit 99b2c531e0e797119ae1b9195a8764ee98b00e65 ] + +WCN3998 uses a bit different format for rom version: + +[ 5.479978] Bluetooth: hci0: setting up wcn399x +[ 5.633763] Bluetooth: hci0: QCA Product ID :0x0000000a +[ 5.645350] Bluetooth: hci0: QCA SOC Version :0x40010224 +[ 5.650906] Bluetooth: hci0: QCA ROM Version :0x00001001 +[ 5.665173] Bluetooth: hci0: QCA Patch Version:0x00006699 +[ 5.679356] Bluetooth: hci0: QCA controller version 0x02241001 +[ 5.691109] Bluetooth: hci0: QCA Downloading qca/crbtfw21.tlv +[ 6.680102] Bluetooth: hci0: QCA Downloading qca/crnv21.bin +[ 6.842948] Bluetooth: hci0: QCA setup on UART is completed + +Fixes: 523760b7ff88 ("Bluetooth: hci_qca: Added support for WCN3998") +Reviewed-by: Bartosz Golaszewski +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqca.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index 5651f40db1736..5b34da23adce7 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -826,6 +826,8 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + */ + if (soc_type == QCA_WCN3988) + rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f); ++ else if (soc_type == QCA_WCN3998) ++ rom_ver = ((soc_ver & 0x0000f000) >> 0x07) | (soc_ver & 0x0000000f); + else + rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f); + +-- +2.51.0 + diff --git a/queue-6.1/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch b/queue-6.1/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch new file mode 100644 index 0000000000..cbe4f397aa --- /dev/null 
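Review bot: The new WCN3998 branch in qca_uart_setup() lands under the comment that closes just above the hunk, which from context explains the WCN3988 special case, so the different mask and shift (`0x0000f000 >> 0x07` versus `0x00000f00 >> 0x04`) are left unexplained for the next reader. Applied to the controller version quoted in the commit message, 0x02241001, the expression yields 0x21, which agrees with the crbtfw21.tlv name in the same log, so the arithmetic looks consistent; a short comment would preserve that reasoning, e.g. `/* WCN3998 keeps the ROM major nibble in bits 12-15, not 8-11 */`. The surrounding comment and the rest of qca_uart_setup() are outside the hunk.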
+++ b/queue-6.1/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch @@ -0,0 +1,36 @@ +From c1340322c947ee5b47dc0525b3bcb55b51f8f671 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 18:07:28 +0100 +Subject: Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy + +From: Christian Eggers + +[ Upstream commit 0e4d4dcc1a6e82cc6f9abf32193558efa7e1613d ] + +The last test step ("Test with Invalid public key X and Y, all set to +0") expects to get an "DHKEY check failed" instead of "unspecified". + +Fixes: 6d19628f539f ("Bluetooth: SMP: Fail if remote and local public keys are identical") +Signed-off-by: Christian Eggers +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/smp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c +index d8a77bfe65a62..4241d39393f3e 100644 +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -2737,7 +2737,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb) + if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) && + !crypto_memneq(key, smp->local_pk, 64)) { + bt_dev_err(hdev, "Remote and local public keys are identical"); +- return SMP_UNSPECIFIED; ++ return SMP_DHKEY_CHECK_FAILED; + } + + memcpy(smp->remote_pk, key, 64); +-- +2.51.0 + diff --git a/queue-6.1/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch b/queue-6.1/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch new file mode 100644 index 0000000000..46a626402c --- /dev/null +++ b/queue-6.1/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch 
@@ -0,0 +1,38 @@ +From 7b9f9a461c7c544372d47eb9cb9e57454372db97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 08:33:21 +0800 +Subject: btrfs: tree-checker: fix misleading root drop_level error message + +From: ZhengYuan Huang + +[ Upstream commit fc1cd1f18c34f91e78362f9629ab9fd43b9dcab9 ] + +Fix tree-checker error message to report "invalid root drop_level" +instead of the misleading "invalid root level". + +Fixes: 259ee7754b67 ("btrfs: tree-checker: Add ROOT_ITEM check") +Reviewed-by: Qu Wenruo +Signed-off-by: ZhengYuan Huang +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-checker.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c +index d1b6bb8f08dd1..cafd7055ab090 100644 +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -1200,7 +1200,7 @@ static int check_root_item(struct extent_buffer *leaf, struct btrfs_key *key, + } + if (unlikely(btrfs_root_drop_level(&ri) >= BTRFS_MAX_LEVEL)) { + generic_err(leaf, slot, +- "invalid root level, have %u expect [0, %u]", ++ "invalid root drop_level, have %u expect [0, %u]", + btrfs_root_drop_level(&ri), BTRFS_MAX_LEVEL - 1); + return -EUCLEAN; + } +-- +2.51.0 + diff --git a/queue-6.1/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch b/queue-6.1/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch new file mode 100644 index 0000000000..1f56355012 --- /dev/null +++ b/queue-6.1/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch 
@@ -0,0 +1,58 @@ +From 5b1aa5d8e909ffb7b4ff91e22256dbc00f982206 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 21:08:19 +0800 +Subject: firmware: arm_scpi: Fix device_node reference leak in probe path + +From: Felix Gu + +[ Upstream commit 879c001afbac3df94160334fe5117c0c83b2cf48 ] + +A device_node reference obtained from the device tree is not released +on all error paths in the arm_scpi probe path. Specifically, a node +returned by of_parse_phandle() could be leaked when the probe failed +after the node was acquired. The probe function returns early and +the shmem reference is not released. + +Use __free(device_node) scope-based cleanup to automatically release +the reference when the variable goes out of scope. + +Fixes: ed7ecb883901 ("firmware: arm_scpi: Add compatibility checks for shmem node") +Signed-off-by: Felix Gu +Message-Id: <20260121-arm_scpi_2-v2-1-702d7fa84acb@gmail.com> +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scpi.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c +index 3de25e9d18ef8..2d85e783ae267 100644 +--- a/drivers/firmware/arm_scpi.c ++++ b/drivers/firmware/arm_scpi.c +@@ -18,6 +18,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -945,13 +946,13 @@ static int scpi_probe(struct platform_device *pdev) + int idx = scpi_drvinfo->num_chans; + struct scpi_chan *pchan = scpi_drvinfo->channels + idx; + struct mbox_client *cl = &pchan->cl; +- struct device_node *shmem = of_parse_phandle(np, "shmem", idx); ++ struct device_node *shmem __free(device_node) = ++ of_parse_phandle(np, "shmem", idx); + + if (!of_match_node(shmem_of_match, shmem)) + return -ENXIO; + + ret = of_address_to_resource(shmem, 0, &res); +- of_node_put(shmem); + if (ret) { + dev_err(dev, "failed to get SCPI payload mem resource\n"); + return ret; +-- +2.51.0 + 
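Review bot: `__free(device_node)` in scpi_probe() relies on `<linux/cleanup.h>` and the `DEFINE_FREE(device_node, ...)` helper in of.h, both introduced upstream after 6.1, and the added `#include` line has lost its header name in this rendering, so this queue-6.1 backport needs a check that the tree already carries those helpers; if it does not, the file will not build. In that case the fix for this tree is the explicit one: release the node on the -ENXIO path and keep the put after of_address_to_resource() that the removed line provided. The loop the declaration sits in and the rest of scpi_probe() are outside the hunk.
```c
		struct device_node *shmem = of_parse_phandle(np, "shmem", idx);

		if (!of_match_node(shmem_of_match, shmem)) {
			of_node_put(shmem);
			return -ENXIO;
		}

		ret = of_address_to_resource(shmem, 0, &res);
		of_node_put(shmem);
		/* … unchanged: dev_err and return on failure … */
```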
diff --git a/queue-6.1/iavf-fix-vlan-filter-lost-on-add-delete-race.patch b/queue-6.1/iavf-fix-vlan-filter-lost-on-add-delete-race.patch new file mode 100644 index 0000000000..81882df2fc --- /dev/null +++ b/queue-6.1/iavf-fix-vlan-filter-lost-on-add-delete-race.patch 
@@ -0,0 +1,70 @@ +From a543a3f9cba3856e6b38aecde65c9efd4650d83f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 11:01:37 +0100 +Subject: iavf: fix VLAN filter lost on add/delete race + +From: Petr Oros + +[ Upstream commit fc9c69be594756b81b54c6bc40803fa6052f35ae ] + +When iavf_add_vlan() finds an existing filter in IAVF_VLAN_REMOVE +state, it transitions the filter to IAVF_VLAN_ACTIVE assuming the +pending delete can simply be cancelled. However, there is no guarantee +that iavf_del_vlans() has not already processed the delete AQ request +and removed the filter from the PF. In that case the filter remains in +the driver's list as IAVF_VLAN_ACTIVE but is no longer programmed on +the NIC. Since iavf_add_vlans() only picks up filters in +IAVF_VLAN_ADD state, the filter is never re-added, and spoof checking +drops all traffic for that VLAN. + + CPU0 CPU1 Workqueue + ---- ---- --------- + iavf_del_vlan(vlan 100) + f->state = REMOVE + schedule AQ_DEL_VLAN + iavf_add_vlan(vlan 100) + f->state = ACTIVE + iavf_del_vlans() + f is ACTIVE, skip + iavf_add_vlans() + f is ACTIVE, skip + + Filter is ACTIVE in driver but absent from NIC. + +Transition to IAVF_VLAN_ADD instead and schedule +IAVF_FLAG_AQ_ADD_VLAN_FILTER so iavf_add_vlans() re-programs the +filter. A duplicate add is idempotent on the PF. 
+ +Fixes: 0c0da0e95105 ("iavf: refactor VLAN filter states") +Signed-off-by: Petr Oros +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 467ad433a47b9..667949e8833bf 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -831,10 +831,13 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter, + adapter->num_vlan_filters++; + iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER); + } else if (f->state == IAVF_VLAN_REMOVE) { +- /* IAVF_VLAN_REMOVE means that VLAN wasn't yet removed. +- * We can safely only change the state here. ++ /* Re-add the filter since we cannot tell whether the ++ * pending delete has already been processed by the PF. ++ * A duplicate add is harmless. + */ +- f->state = IAVF_VLAN_ACTIVE; ++ f->state = IAVF_VLAN_ADD; ++ iavf_schedule_aq_request(adapter, ++ IAVF_FLAG_AQ_ADD_VLAN_FILTER); + } + + clearout: +-- +2.51.0 + diff --git a/queue-6.1/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch b/queue-6.1/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch new file mode 100644 index 0000000000..107813efd3 --- /dev/null +++ b/queue-6.1/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch 
@@ -0,0 +1,68 @@ +From a4a32f8b08857dd701a06e8bf467c75924acbffb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 21:06:01 +0800 +Subject: icmp: fix NULL pointer dereference in icmp_tag_validation() + +From: Weiming Shi + +[ Upstream commit 614aefe56af8e13331e50220c936fc0689cf5675 ] + +icmp_tag_validation() unconditionally dereferences the result of +rcu_dereference(inet_protos[proto]) without checking for NULL. +The inet_protos[] array is sparse -- only about 15 of 256 protocol +numbers have registered handlers. When ip_no_pmtu_disc is set to 3 +(hardened PMTU mode) and the kernel receives an ICMP Fragmentation +Needed error with a quoted inner IP header containing an unregistered +protocol number, the NULL dereference causes a kernel panic in +softirq context. + + Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI + KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] + RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) + Call Trace: + + icmp_rcv (net/ipv4/icmp.c:1527) + ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) + ip_local_deliver_finish (net/ipv4/ip_input.c:242) + ip_local_deliver (net/ipv4/ip_input.c:262) + ip_rcv (net/ipv4/ip_input.c:573) + __netif_receive_skb_one_core (net/core/dev.c:6164) + process_backlog (net/core/dev.c:6628) + handle_softirqs (kernel/softirq.c:561) + + +Add a NULL check before accessing icmp_strict_tag_validation. If the +protocol has no registered handler, return false since it cannot +perform strict tag validation. 
+ +Fixes: 8ed1dc44d3e9 ("ipv4: introduce hardened ip_no_pmtu_disc mode") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Link: https://patch.msgid.link/20260318130558.1050247-4-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 374ec3aba66e3..309d22f2858cc 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -864,10 +864,12 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info) + + static bool icmp_tag_validation(int proto) + { ++ const struct net_protocol *ipprot; + bool ok; + + rcu_read_lock(); +- ok = rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation; ++ ipprot = rcu_dereference(inet_protos[proto]); ++ ok = ipprot ? ipprot->icmp_strict_tag_validation : false; + rcu_read_unlock(); + return ok; + } +-- +2.51.0 + diff --git a/queue-6.1/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch b/queue-6.1/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch new file mode 100644 index 0000000000..eb2e261bbf --- /dev/null +++ b/queue-6.1/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch 
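Review bot: The added NULL test fixes the reported dereference, but icmp_tag_validation() still indexes inet_protos[] with an unchecked `int proto`; the table has 256 slots per the commit message and the function offers no bound of its own, so it depends on every caller passing a protocol byte. The caller is outside the hunk; if it is the quoted inner header's protocol field (a u8) that is fine, and a one-line comment such as `/* proto must be a u8 protocol number: no bounds check on inet_protos[] here */` would pin the contract. The ternary can also read more directly as `ok = ipprot && ipprot->icmp_strict_tag_validation;`.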
@@ -0,0 +1,45 @@ +From ba8bb54044a7f3fa0c3f8a6df64a1bab3322131b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Feb 2026 19:46:32 +0000 +Subject: igc: fix missing update of skb->tail in igc_xmit_frame() + +From: Kohei Enju + +[ Upstream commit 0ffba246652faf4a36aedc66059c2f94e4c83ea5 ] + +igc_xmit_frame() misses updating skb->tail when the packet size is +shorter than the minimum one. +Use skb_put_padto() in alignment with other Intel Ethernet drivers. + +Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers") +Signed-off-by: Kohei Enju +Reviewed-by: Simon Horman +Reviewed-by: Paul Menzel +Tested-by: Avigail Dahan +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 5bcdb1b7da29a..8f8312a250c83 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -1667,11 +1667,8 @@ static netdev_tx_t igc_xmit_frame(struct sk_buff *skb, + /* The minimum packet size with TCTL.PSP set is 17 so pad the skb + * in order to meet this minimum size requirement. + */ +- if (skb->len < 17) { +- if (skb_padto(skb, 17)) +- return NETDEV_TX_OK; +- skb->len = 17; +- } ++ if (skb_put_padto(skb, 17)) ++ return NETDEV_TX_OK; + + return igc_xmit_frame_ring(skb, igc_tx_queue_mapping(adapter, skb)); + } +-- +2.51.0 + diff --git a/queue-6.1/net-bcmgenet-increase-wol-poll-timeout.patch b/queue-6.1/net-bcmgenet-increase-wol-poll-timeout.patch new file mode 100644 index 0000000000..b58006ac62 --- /dev/null +++ b/queue-6.1/net-bcmgenet-increase-wol-poll-timeout.patch 
@@ -0,0 +1,38 @@ +From 1157a749abaf5f9b50a936b93f7ee505203702cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 12:18:52 -0700 +Subject: net: bcmgenet: increase WoL poll timeout + +From: Justin Chen + +[ Upstream commit 6cfc3bc02b977f2fba5f7268e6504d1931a774f7 ] + +Some systems require more than 5ms to get into WoL mode. Increase the +timeout value to 50ms. + +Fixes: c51de7f3976b ("net: bcmgenet: add Wake-on-LAN support code") +Signed-off-by: Justin Chen +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20260312191852.3904571-1-justin.chen@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c +index 56781e7214978..3ab506ed94252 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c +@@ -101,7 +101,7 @@ static int bcmgenet_poll_wol_status(struct bcmgenet_priv *priv) + while (!(bcmgenet_rbuf_readl(priv, RBUF_STATUS) + & RBUF_STATUS_WOL)) { + retries++; +- if (retries > 5) { ++ if (retries > 50) { + netdev_crit(dev, "polling wol mode timeout\n"); + return -ETIMEDOUT; + } +-- +2.51.0 + diff --git a/queue-6.1/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch b/queue-6.1/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch new file mode 100644 index 0000000000..935efedf4d --- /dev/null +++ b/queue-6.1/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch 
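Review bot: `retries > 50` in bcmgenet_poll_wol_status() is a bare number whose meaning (a 50ms budget, per the commit message) depends on the per-iteration delay that lives outside the hunk; tying the two together keeps the next bump honest, e.g. `#define BCMGENET_WOL_POLL_RETRIES 50 /* ~50ms at 1ms per poll */` and `if (retries > BCMGENET_WOL_POLL_RETRIES) {`. The delay statement in the loop body is not visible here, so the 1ms figure is inferred from the message's 5ms-to-50ms wording.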
@@ -0,0 +1,87 @@ +From 77c64cc649fd1523857ed6941933ca004cfd6918 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 17:50:34 -0700 +Subject: net: bonding: fix NULL deref in bond_debug_rlb_hash_show + +From: Xiang Mei + +[ Upstream commit 605b52497bf89b3b154674deb135da98f916e390 ] + +rlb_clear_slave intentionally keeps RLB hash-table entries on +the rx_hashtbl_used_head list with slave set to NULL when no +replacement slave is available. However, bond_debug_rlb_hash_show +visites client_info->slave without checking if it's NULL. + +Other used-list iterators in bond_alb.c already handle this NULL-slave +state safely: + +- rlb_update_client returns early on !client_info->slave +- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance +compare slave values before visiting +- lb_req_update_subnet_clients continues if slave is NULL + +The following NULL deref crash can be trigger in +bond_debug_rlb_hash_show: + +[ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41) +[ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286 +[ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204 +[ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078 +[ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000 +[ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0 +[ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8 +[ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000 +[ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0 +[ 1.295897] Call Trace: +[ 1.296134] seq_read_iter (fs/seq_file.c:231) +[ 1.296341] seq_read (fs/seq_file.c:164) +[ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1)) +[ 1.296658] vfs_read 
(fs/read_write.c:572) +[ 1.296981] ksys_read (fs/read_write.c:717) +[ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) +[ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Add a NULL check and print "(none)" for entries with no assigned slave. + +Fixes: caafa84251b88 ("bonding: add the debugfs interface to see RLB hash table") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260317005034.1888794-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_debugfs.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/bonding/bond_debugfs.c b/drivers/net/bonding/bond_debugfs.c +index 5940945266489..624bf1f745266 100644 +--- a/drivers/net/bonding/bond_debugfs.c ++++ b/drivers/net/bonding/bond_debugfs.c +@@ -34,11 +34,17 @@ static int bond_debug_rlb_hash_show(struct seq_file *m, void *v) + for (; hash_index != RLB_NULL_INDEX; + hash_index = client_info->used_next) { + client_info = &(bond_info->rx_hashtbl[hash_index]); +- seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", +- &client_info->ip_src, +- &client_info->ip_dst, +- &client_info->mac_dst, +- client_info->slave->dev->name); ++ if (client_info->slave) ++ seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", ++ &client_info->ip_src, ++ &client_info->ip_dst, ++ &client_info->mac_dst, ++ client_info->slave->dev->name); ++ else ++ seq_printf(m, "%-15pI4 %-15pI4 %-17pM (none)\n", ++ &client_info->ip_src, ++ &client_info->ip_dst, ++ &client_info->mac_dst); + } + + spin_unlock_bh(&bond->mode_lock); +-- +2.51.0 + diff --git a/queue-6.1/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch b/queue-6.1/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch new file mode 100644 index 0000000000..56b55d3261 --- /dev/null +++ b/queue-6.1/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch 
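Review bot: The NULL-slave branch added to bond_debug_rlb_hash_show() duplicates the whole seq_printf() for the sake of one argument, so two format strings now have to be kept in step by hand; a single call with a conditional last argument avoids that: `client_info->slave ? client_info->slave->dev->name : "(none)"` in place of `client_info->slave->dev->name` in the one existing seq_printf(). The walk runs under bond->mode_lock (the spin_unlock_bh after the loop is visible), which is presumably what keeps `slave` stable between the test and the dereference, and is worth a one-line comment if the two-call form is kept.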
@@ -0,0 +1,59 @@
+From 85bdbf7bb9d4551bb179a33319b335eacb3d4ee4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 18 Mar 2026 08:42:12 +0000
+Subject: net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths
+
+From: Anas Iqbal
+
+[ Upstream commit b48731849609cbd8c53785a48976850b443153fd ]
+
+Smatch reports:
+drivers/net/dsa/bcm_sf2.c:997 bcm_sf2_sw_resume() warn:
+'priv->clk' from clk_prepare_enable() not released on lines: 983,990.
+
+The clock enabled by clk_prepare_enable() in bcm_sf2_sw_resume()
+is not released if bcm_sf2_sw_rst() or bcm_sf2_cfp_resume() fails.
+
+Add the missing clk_disable_unprepare() calls in the error paths
+to properly release the clock resource.
+
+Fixes: e9ec5c3bd238 ("net: dsa: bcm_sf2: request and handle clocks")
+Reviewed-by: Jonas Gorski
+Reviewed-by: Florian Fainelli
+Signed-off-by: Anas Iqbal
+Link: https://patch.msgid.link/20260318084212.1287-1-mohd.abd.6602@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/bcm_sf2.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
+index 257df16768750..7defcfd1c213f 100644
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -971,15 +971,19 @@ static int bcm_sf2_sw_resume(struct dsa_switch *ds)
+ ret = bcm_sf2_sw_rst(priv);
+ if (ret) {
+ pr_err("%s: failed to software reset switch\n", __func__);
++ if (!priv->wol_ports_mask)
++ clk_disable_unprepare(priv->clk);
+ return ret;
+ }
+
+ bcm_sf2_crossbar_setup(priv);
+
+ ret = bcm_sf2_cfp_resume(ds);
+- if (ret)
++ if (ret) {
++ if (!priv->wol_ports_mask)
++ clk_disable_unprepare(priv->clk);
+ return ret;
+-
++ }
+ if (priv->hw_params.num_gphy == 1)
+ bcm_sf2_gphy_enable_set(ds, true);
+
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-macb-fix-uninitialized-rx_fs_lock.patch b/queue-6.1/net-macb-fix-uninitialized-rx_fs_lock.patch
new file mode 100644
index 0000000000..e15c51dc70
--- /dev/null
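Review bot: The same two-line cleanup, `if (!priv->wol_ports_mask) clk_disable_unprepare(priv->clk);`, is now pasted into both error paths of bcm_sf2_sw_resume(), and its condition has to stay in sync with the one guarding the clk_prepare_enable() earlier in the function, which is outside the hunk. The usual kernel shape for this is a single goto label at the function tail; the success return is also outside the hunk, so the label has to be placed after it, as sketched below. The second branch also lost the blank line that separated `return ret;` from the `if (priv->hw_params.num_gphy == 1)` check, which now reads as if the two belonged together.
```c
	ret = bcm_sf2_sw_rst(priv);
	if (ret) {
		pr_err("%s: failed to software reset switch\n", __func__);
		goto out_clk;
	}

	bcm_sf2_crossbar_setup(priv);

	ret = bcm_sf2_cfp_resume(ds);
	if (ret)
		goto out_clk;

	/* … unchanged: gphy enable and the remainder of bcm_sf2_sw_resume(), including its success return … */

out_clk:
	/* Undo the clk_prepare_enable() done earlier in this function;
	 * the condition must mirror the one at the enable site.
	 */
	if (!priv->wol_ports_mask)
		clk_disable_unprepare(priv->clk);
	return ret;
```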
+++ b/queue-6.1/net-macb-fix-uninitialized-rx_fs_lock.patch 
@@ -0,0 +1,78 @@
+From a898679d6de9604edb58ecadd7b213f2fcfeedea Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 Mar 2026 13:38:25 +0300
+Subject: net: macb: fix uninitialized rx_fs_lock
+
+From: Fedor Pchelkin
+
+[ Upstream commit 34b11cc56e4369bc08b1f4c4a04222d75ed596ce ]
+
+If hardware doesn't support RX Flow Filters, rx_fs_lock spinlock is not
+initialized leading to the following assertion splat triggerable via
+set_rxnfc callback.
+
+INFO: trying to register non-static key.
+The code is fine but needs lockdep annotation, or maybe
+you didn't initialize this object before use?
+turning off the locking correctness validator.
+CPU: 1 PID: 949 Comm: syz.0.6 Not tainted 6.1.164+ #113
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106
+ assign_lock_key kernel/locking/lockdep.c:974 [inline]
+ register_lock_class+0x141b/0x17f0 kernel/locking/lockdep.c:1287
+ __lock_acquire+0x74f/0x6c40 kernel/locking/lockdep.c:4928
+ lock_acquire kernel/locking/lockdep.c:5662 [inline]
+ lock_acquire+0x190/0x4b0 kernel/locking/lockdep.c:5627
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+ _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:162
+ gem_del_flow_filter drivers/net/ethernet/cadence/macb_main.c:3562 [inline]
+ gem_set_rxnfc+0x533/0xac0 drivers/net/ethernet/cadence/macb_main.c:3667
+ ethtool_set_rxnfc+0x18c/0x280 net/ethtool/ioctl.c:961
+ __dev_ethtool net/ethtool/ioctl.c:2956 [inline]
+ dev_ethtool+0x229c/0x6290 net/ethtool/ioctl.c:3095
+ dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510
+ sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215
+ sock_ioctl+0x577/0x6d0 net/socket.c:1320
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856
+ do_syscall_x64
arch/x86/entry/common.c:46 [inline]
+ do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+A more straightforward solution would be to always initialize rx_fs_lock,
+just like rx_fs_list. However, in this case the driver set_rxnfc callback
+would return with a rather confusing error code, e.g. -EINVAL. So deny
+set_rxnfc attempts directly if the RX filtering feature is not supported
+by hardware.
+
+Fixes: ae8223de3df5 ("net: macb: Added support for RX filtering")
+Signed-off-by: Fedor Pchelkin
+Link: https://patch.msgid.link/20260316103826.74506-2-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/cadence/macb_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 471e3ebd7c5de..412a821148d7b 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -3770,6 +3770,9 @@ static int gem_set_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd)
+ struct macb *bp = netdev_priv(netdev);
+ int ret;
+
++ if (!(netdev->hw_features & NETIF_F_NTUPLE))
++ return -EOPNOTSUPP;
++
+ switch (cmd->cmd) {
+ case ETHTOOL_SRXCLSRLINS:
+ if ((cmd->fs.location >= bp->max_tuples)
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch b/queue-6.1/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch
new file mode 100644
index 0000000000..7ae4b43867
--- /dev/null
+++ b/queue-6.1/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch
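Review bot: The early return in gem_set_rxnfc() ties correctness to an invariant that is stated only in the commit message: rx_fs_lock is initialised only when RX flow filtering is supported, and the guard assumes `netdev->hw_features & NETIF_F_NTUPLE` is set in exactly that case. A comment above the check would preserve the reasoning, e.g. `/* rx_fs_lock/rx_fs_list are only initialised when NTUPLE filtering is supported; refuse early rather than take an uninitialised lock */`. Whether the initialisation really keys off the same NETIF_F_NTUPLE bit, and whether the get_rxnfc counterpart also takes rx_fs_lock and so needs the same guard, cannot be seen from this hunk and should be confirmed. gem_set_rxnfc() continues past the end of the hunk.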
@@ -0,0 +1,67 @@
+From df370264b81f17541353e35641c3044fc387c793 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Mar 2026 12:22:04 -0700
+Subject: net: mana: fix use-after-free in mana_hwc_destroy_channel() by
+ reordering teardown
+
+From: Dipayaan Roy
+
+[ Upstream commit fa103fc8f56954a60699a29215cb713448a39e87 ]
+
+A potential race condition exists in mana_hwc_destroy_channel() where
+hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and
+Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt
+handler to dereference freed memory, leading to a use-after-free or
+NULL pointer dereference in mana_hwc_handle_resp().
+
+mana_smc_teardown_hwc() signals the hardware to stop but does not
+synchronize against IRQ handlers already executing on other CPUs. The
+IRQ synchronization only happens in mana_hwc_destroy_cq() via
+mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs
+after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler()
+can dereference freed caller_ctx (and rxq->msg_buf) in
+mana_hwc_handle_resp().
+
+Fix this by reordering teardown to reverse-of-creation order: destroy
+the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This
+ensures all in-flight interrupt handlers complete before the memory they
+access is freed.
+
+Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
+Reviewed-by: Haiyang Zhang
+Signed-off-by: Dipayaan Roy
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/abHA3AjNtqa1nx9k@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+index 66a0552fc8b3a..8111f181f9572 100644
+--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
++++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+@@ -757,9 +757,6 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
+ gc->max_num_cqs = 0;
+ }
+
+- kfree(hwc->caller_ctx);
+- hwc->caller_ctx = NULL;
+-
+ if (hwc->txq)
+ mana_hwc_destroy_wq(hwc, hwc->txq);
+
+@@ -769,6 +766,9 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
+ if (hwc->cq)
+ mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq);
+
++ kfree(hwc->caller_ctx);
++ hwc->caller_ctx = NULL;
++
+ mana_gd_free_res_map(&hwc->inflight_msg_res);
+
+ hwc->num_inflight_msg = 0;
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch b/queue-6.1/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch
new file mode 100644
index 0000000000..34c27a7c03
--- /dev/null
+++ b/queue-6.1/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch
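Review bot: The new position of the kfree() is correct only because mana_hwc_destroy_cq() is what quiesces the IRQ handlers that read caller_ctx, and nothing in the code records that ordering constraint, so a later cleanup pass could move the free back up. A comment above the moved kfree would pin it: `/* Must follow mana_hwc_destroy_cq(): the CQ/EQ teardown is what quiesces the IRQ handlers that dereference caller_ctx */`. The hunk does not show whether hwc->cq can be NULL while handlers are still registered; if it can, the `if (hwc->cq)` guard skips the synchronisation and the kfree would still race, which is worth confirming against the setup path. mana_hwc_destroy_channel() starts and ends outside the hunk.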
@@ -0,0 +1,86 @@
+From d2baa94572f1f8a7044f6c8202d327a7fc49dbdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 Mar 2026 12:31:01 -0700
+Subject: net: mvpp2: guard flow control update with global_tx_fc in buffer
+ switching
+
+From: Muhammad Hammad Ijaz
+
+[ Upstream commit 8a63baadf08453f66eb582fdb6dd234f72024723 ]
+
+mvpp2_bm_switch_buffers() unconditionally calls
+mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and
+shared buffer pool modes. This function programs CM3 flow control
+registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference
+priv->cm3_base without any NULL check.
+
+When the CM3 SRAM resource is not present in the device tree (the
+third reg entry added by commit 60523583b07c ("dts: marvell: add CM3
+SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains
+NULL and priv->global_tx_fc is false. Any operation that triggers
+mvpp2_bm_switch_buffers(), for example an MTU change that crosses
+the jumbo frame threshold, will crash:
+
+ Unable to handle kernel NULL pointer dereference at
+ virtual address 0000000000000000
+ Mem abort info:
+ ESR = 0x0000000096000006
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ pc : readl+0x0/0x18
+ lr : mvpp2_cm3_read.isra.0+0x14/0x20
+ Call trace:
+ readl+0x0/0x18
+ mvpp2_bm_pool_update_fc+0x40/0x12c
+ mvpp2_bm_pool_update_priv_fc+0x94/0xd8
+ mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0
+ mvpp2_change_mtu+0x140/0x380
+ __dev_set_mtu+0x1c/0x38
+ dev_set_mtu_ext+0x78/0x118
+ dev_set_mtu+0x48/0xa8
+ dev_ifsioc+0x21c/0x43c
+ dev_ioctl+0x2d8/0x42c
+ sock_ioctl+0x314/0x378
+
+Every other flow control call site in the driver already guards
+hardware access with either priv->global_tx_fc or port->tx_fc.
+mvpp2_bm_switch_buffers() is the only place that omits this check.
+
+Add the missing priv->global_tx_fc guard to both the disable and
+re-enable calls in mvpp2_bm_switch_buffers(), consistent with the
+rest of the driver.
+
+Fixes: 3a616b92a9d1 ("net: mvpp2: Add TX flow control support for jumbo frames")
+Signed-off-by: Muhammad Hammad Ijaz
+Reviewed-by: Gunnar Kudrjavets
+Link: https://patch.msgid.link/20260316193157.65748-1-mhijaz@amazon.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index ec69bb90f5740..b42c2c498faa2 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -5009,7 +5009,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+ if (priv->percpu_pools)
+ numbufs = port->nrxqs * 2;
+
+- if (change_percpu)
++ if (change_percpu && priv->global_tx_fc)
+ mvpp2_bm_pool_update_priv_fc(priv, false);
+
+ for (i = 0; i < numbufs; i++)
+@@ -5026,7 +5026,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+ mvpp2_open(port->dev);
+ }
+
+- if (change_percpu)
++ if (change_percpu && priv->global_tx_fc)
+ mvpp2_bm_pool_update_priv_fc(priv, true);
+
+ return 0;
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-rose-fix-null-pointer-dereference-in-rose_transm.patch b/queue-6.1/net-rose-fix-null-pointer-dereference-in-rose_transm.patch
new file mode 100644
index 0000000000..d34b28e319
--- /dev/null
+++ b/queue-6.1/net-rose-fix-null-pointer-dereference-in-rose_transm.patch
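Review bot: The guard is now repeated at two call sites in mvpp2_bm_switch_buffers(), and the link between priv->global_tx_fc and priv->cm3_base actually being mapped is explained only in the commit message. A comment at the first guard, `/* global_tx_fc is only set when the CM3 SRAM was mapped; cm3_base is NULL otherwise */`, would make the reason visible where the condition is read. The more robust option is to put the check inside mvpp2_bm_pool_update_priv_fc() (or have mvpp2_cm3_read()/mvpp2_cm3_write() reject a NULL cm3_base) so every present and future caller is covered rather than each one repeating the guard, as the commit message says they all do today; that function is outside the hunk, so whether this is straightforward cannot be judged here. mvpp2_bm_switch_buffers() starts outside the hunk.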
@@ -0,0 +1,64 @@
+From 582c62bb6a53027103ca667f16106d565bd739ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Mar 2026 15:06:02 +0800
+Subject: net/rose: fix NULL pointer dereference in rose_transmit_link on
+ reconnect
+
+From: Jiayuan Chen
+
+[ Upstream commit e1f0a18c9564cdb16523c802e2c6fe5874e3d944 ]
+
+syzkaller reported a bug [1], and the reproducer is available at [2].
+
+ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN,
+TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects
+calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING
+(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT.
+
+When rose_connect() is called a second time while the first connection
+attempt is still in progress (TCP_SYN_SENT), it overwrites
+rose->neighbour via rose_get_neigh(). If that returns NULL, the socket
+is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL.
+When the socket is subsequently closed, rose_release() sees
+ROSE_STATE_1 and calls rose_write_internal() ->
+rose_transmit_link(skb, NULL), causing a NULL pointer dereference.
+
+Per connect(2), a second connect() while a connection is already in
+progress should return -EALREADY. Add this missing check for
+TCP_SYN_SENT to complete the state validation in rose_connect().
+
+[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271
+[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+d00f90e0af54102fb271@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0027.GAE@google.com/T/
+Suggested-by: Eric Dumazet
+Signed-off-by: Jiayuan Chen
+Reviewed-by: Eric Dumazet
+Link: https://patch.msgid.link/20260311070611.76913-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/rose/af_rose.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index d13ec76a1fec3..066e2d91ce3d6 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -810,6 +810,11 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
+ goto out_release;
+ }
+
++ if (sk->sk_state == TCP_SYN_SENT) {
++ err = -EALREADY;
++ goto out_release;
++ }
++
+ sk->sk_state = TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
+
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-sched-teql-fix-double-free-in-teql_master_xmit.patch b/queue-6.1/net-sched-teql-fix-double-free-in-teql_master_xmit.patch
new file mode 100644
index 0000000000..7996f708d5
--- /dev/null
+++ b/queue-6.1/net-sched-teql-fix-double-free-in-teql_master_xmit.patch
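Review bot: The new TCP_SYN_SENT check carries no explanation of why a second connect() is dangerous here, and the fix depends on it staying ahead of the `sk->sk_state = TCP_CLOSE;` reset that immediately follows; a comment would guard against a future reordering: `/* A connect() while one is in flight must not re-run rose_get_neigh() and clobber rose->neighbour, or rose_release() will later pass a NULL neighbour to rose_transmit_link() */`. The hunk does not show what serialises sk_state; presumably this runs under lock_sock() like the adjacent state checks, which should be confirmed. rose_connect() starts and ends outside the hunk.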
@@ -0,0 +1,202 @@
+From 91f77b95bf15763fb1fad47cfbd70007c305b6f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 15 Mar 2026 11:54:22 -0400
+Subject: net/sched: teql: Fix double-free in teql_master_xmit
+
+From: Jamal Hadi Salim
+
+[ Upstream commit 66360460cab63c248ca5b1070a01c0c29133b960 ]
+
+Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should
+be called using the seq_lock to avoid racing with the datapath. Failure
+to do so may cause crashes like the following:
+
+[ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)
+[ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318
+[ 238.029749][ T318]
+[ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)
+[ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+[ 238.029910][ T318] Call Trace:
+[ 238.029913][ T318]
+[ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122)
+[ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
+[ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139)
+[ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+...
+[ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139)
+[ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)
+[ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139)
+[ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231)
+[ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))
+[ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139)
+...
+[ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256)
+[ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)
+[ 238.030039][ T318] ?
srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+...
+[ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034)
+[ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)
+[ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)
+[ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)
+[ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)
+[ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)
+...
+[ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s:
+[ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58)
+[ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
+[ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369)
+[ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)
+[ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))
+[ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713)
+[ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)
+[ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997)
+[ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)
+[ 238.081469][ T318]
+[ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s:
+[ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58)
+[ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
+[ 238.085348][ T318]
kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))
+[ 238.085900][ T318] __kasan_slab_free (mm/kasan/common.c:287)
+[ 238.086439][ T318] kmem_cache_free (mm/slub.c:6168 (discriminator 3) mm/slub.c:6298 (discriminator 3))
+[ 238.087007][ T318] skb_release_data (net/core/skbuff.c:1139)
+[ 238.087491][ T318] consume_skb (net/core/skbuff.c:1451)
+[ 238.087757][ T318] teql_master_xmit (net/sched/sch_teql.c:358)
+[ 238.088116][ T318] dev_hard_start_xmit (./include/linux/netdevice.h:5324 ./include/linux/netdevice.h:5333 net/core/dev.c:3871 net/core/dev.c:3887)
+[ 238.088468][ T318] sch_direct_xmit (net/sched/sch_generic.c:347)
+[ 238.088820][ T318] __qdisc_run (net/sched/sch_generic.c:420 (discriminator 1))
+[ 238.089166][ T318] __dev_queue_xmit (./include/net/sch_generic.h:229 ./include/net/pkt_sched.h:121 ./include/net/pkt_sched.h:117 net/core/dev.c:4196 net/core/dev.c:4802)
+
+Workflow to reproduce:
+1. Initialize a TEQL topology (dummy0 and ifb0 as slaves, teql0 up).
+2. Start multiple sender workers continuously transmitting packets
+ through teql0 to drive teql_master_xmit().
+3. In parallel, repeatedly delete and re-add the root qdisc on
+ dummy0 and ifb0 via RTNETLINK, forcing frequent teardown and reset activity
+ (teql_destroy() / qdisc_reset()).
+4. After running both workloads concurrently for several iterations,
+ KASAN reports slab-use-after-free or double-free in the skb free path.
+
+Fix this by moving dev_reset_queue to sch_generic.h and calling it, instead
+of qdisc_reset, in teql_destroy since it handles both the lock and lockless
+cases correctly for root qdiscs.
+
+Fixes: 96009c7d500e ("sched: replace __QDISC_STATE_RUNNING bit with a spin lock")
+Reported-by: Xianrui Dong
+Tested-by: Xianrui Dong
+Co-developed-by: Victor Nogueira
+Signed-off-by: Victor Nogueira
+Signed-off-by: Jamal Hadi Salim
+Link: https://patch.msgid.link/20260315155422.147256-1-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/sch_generic.h | 28 ++++++++++++++++++++++++++++
+ net/sched/sch_generic.c | 27 ---------------------------
+ net/sched/sch_teql.c | 7 ++-----
+ 3 files changed, 30 insertions(+), 32 deletions(-)
+
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index 7bb73448de0d3..c5df4b7fe820c 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -662,6 +662,34 @@ void qdisc_destroy(struct Qdisc *qdisc);
+ void qdisc_put(struct Qdisc *qdisc);
+ void qdisc_put_unlocked(struct Qdisc *qdisc);
+ void qdisc_tree_reduce_backlog(struct Qdisc *qdisc, int n, int len);
++
++static inline void dev_reset_queue(struct net_device *dev,
++ struct netdev_queue *dev_queue,
++ void *_unused)
++{
++ struct Qdisc *qdisc;
++ bool nolock;
++
++ qdisc = rtnl_dereference(dev_queue->qdisc_sleeping);
++ if (!qdisc)
++ return;
++
++ nolock = qdisc->flags & TCQ_F_NOLOCK;
++
++ if (nolock)
++ spin_lock_bh(&qdisc->seqlock);
++ spin_lock_bh(qdisc_lock(qdisc));
++
++ qdisc_reset(qdisc);
++
++ spin_unlock_bh(qdisc_lock(qdisc));
++ if (nolock) {
++ clear_bit(__QDISC_STATE_MISSED, &qdisc->state);
++ clear_bit(__QDISC_STATE_DRAINING, &qdisc->state);
++ spin_unlock_bh(&qdisc->seqlock);
++ }
++}
++
+ #ifdef CONFIG_NET_SCHED
+ int qdisc_offload_dump_helper(struct Qdisc *q, enum tc_setup_type type,
+ void *type_data);
+diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
+index 1b51b3038b4bd..c7727e9d0ea28 100644
+--- a/net/sched/sch_generic.c
++++ b/net/sched/sch_generic.c
+@@ -1290,33 +1290,6 @@ static void dev_deactivate_queue(struct net_device *dev,
+ }
+ }
+
+-static 
dev_reset_queue(struct net_device *dev,
+- struct netdev_queue *dev_queue,
+- void *_unused)
+-{
+- struct Qdisc *qdisc;
+- bool nolock;
+-
+- qdisc = rtnl_dereference(dev_queue->qdisc_sleeping);
+- if (!qdisc)
+- return;
+-
+- nolock = qdisc->flags & TCQ_F_NOLOCK;
+-
+- if (nolock)
+- spin_lock_bh(&qdisc->seqlock);
+- spin_lock_bh(qdisc_lock(qdisc));
+-
+- qdisc_reset(qdisc);
+-
+- spin_unlock_bh(qdisc_lock(qdisc));
+- if (nolock) {
+- clear_bit(__QDISC_STATE_MISSED, &qdisc->state);
+- clear_bit(__QDISC_STATE_DRAINING, &qdisc->state);
+- spin_unlock_bh(&qdisc->seqlock);
+- }
+-}
+-
+ static bool some_qdisc_is_busy(struct net_device *dev)
+ {
+ unsigned int i;
+diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
+index c89cb6eba27da..efcca26966213 100644
+--- a/net/sched/sch_teql.c
++++ b/net/sched/sch_teql.c
+@@ -146,15 +146,12 @@ teql_destroy(struct Qdisc *sch)
+ master->slaves = NEXT_SLAVE(q);
+ if (q == master->slaves) {
+ struct netdev_queue *txq;
+- spinlock_t *root_lock;
+
+ txq = netdev_get_tx_queue(master->dev, 0);
+ master->slaves = NULL;
+
+- root_lock = qdisc_root_sleeping_lock(rtnl_dereference(txq->qdisc));
+- spin_lock_bh(root_lock);
+- qdisc_reset(rtnl_dereference(txq->qdisc));
+- spin_unlock_bh(root_lock);
++ dev_reset_queue(master->dev,
++ txq, NULL);
+ }
+ }
+ skb_queue_purge(&dat->q);
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch b/queue-6.1/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch
new file mode 100644
index 0000000000..43312d0cdc
--- /dev/null
+++ b/queue-6.1/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch
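Review bot: dev_reset_queue() becomes a header-level static inline with no comment on its contract, although the whole fix rests on it: the caller must hold RTNL (it uses rtnl_dereference() on dev_queue->qdisc_sleeping), and for a TCQ_F_NOLOCK qdisc it takes qdisc->seqlock before the qdisc lock so the reset cannot race the datapath, clearing __QDISC_STATE_MISSED and __QDISC_STATE_DRAINING on the way out. A kernel-doc block above it stating those points, and noting that dev and _unused are unused in the body and exist only to match the per-queue callback signature, would be worth adding. In sch_teql.c the call is wrapped across two lines for no reason; `dev_reset_queue(master->dev, txq, NULL);` fits on one. The old code reset rtnl_dereference(txq->qdisc) while the helper resets qdisc_sleeping; the commit message says this is right for root qdiscs, but it is a behaviour change that deserves a sentence in a comment above the call. teql_destroy() starts and ends outside the hunk.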
@@ -0,0 +1,208 @@ +From 0c5bcf1655b3cd6f4a306e51227c529a2d969416 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 17:29:07 +0800 +Subject: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() + +From: Jiayuan Chen + +[ Upstream commit 6d5e4538364b9ceb1ac2941a4deb86650afb3538 ] + +Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1]. + +smc_tcp_syn_recv_sock() is called in the TCP receive path +(softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP +listening socket). It reads sk_user_data to get the smc_sock +pointer. However, when the SMC listen socket is being closed +concurrently, smc_close_active() sets clcsock->sk_user_data +to NULL under sk_callback_lock, and then the smc_sock itself +can be freed via sock_put() in smc_release(). + +This leads to two issues: + +1) NULL pointer dereference: sk_user_data is NULL when + accessed. +2) Use-after-free: sk_user_data is read as non-NULL, but the + smc_sock is freed before its fields (e.g., queued_smc_hs, + ori_af_ops) are accessed. + +The race window looks like this (the syzkaller crash [1] +triggers via the SYN cookie path: tcp_get_cookie_sock() -> +smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path +has the same race): + + CPU A (softirq) CPU B (process ctx) + + tcp_v4_rcv() + TCP_NEW_SYN_RECV: + sk = req->rsk_listener + sock_hold(sk) + /* No lock on listener */ + smc_close_active(): + write_lock_bh(cb_lock) + sk_user_data = NULL + write_unlock_bh(cb_lock) + ... + smc_clcsock_release() + sock_put(smc->sk) x2 + -> smc_sock freed! + tcp_check_req() + smc_tcp_syn_recv_sock(): + smc = user_data(sk) + -> NULL or dangling + smc->queued_smc_hs + -> crash! + +Note that the clcsock and smc_sock are two independent objects +with separate refcounts. TCP stack holds a reference on the +clcsock, which keeps it alive, but this does NOT prevent the +smc_sock from being freed. + +Fix this by using RCU and refcount_inc_not_zero() to safely +access smc_sock. 
Since smc_tcp_syn_recv_sock() is called in
+the TCP three-way handshake path, taking read_lock_bh on
+sk_callback_lock is too heavy and would not survive a SYN
+flood attack. Using rcu_read_lock() is much more lightweight.
+
+- Set SOCK_RCU_FREE on the SMC listen socket so that
+ smc_sock freeing is deferred until after the RCU grace
+ period. This guarantees the memory is still valid when
+ accessed inside rcu_read_lock().
+- Use rcu_read_lock() to protect reading sk_user_data.
+- Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the
+ smc_sock. If the refcount has already reached zero (close
+ path completed), it returns false and we bail out safely.
+
+Note: smc_hs_congested() has a similar lockless read of
+sk_user_data without rcu_read_lock(), but it only checks for
+NULL and accesses the global smc_hs_wq, never dereferencing
+any smc_sock field, so it is not affected.
+
+Reproducer was verified with mdelay injection and smc_run,
+the issue no longer occurs with this patch applied.
+ +[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9 + +Fixes: 8270d9c21041 ("net/smc: Limit backlog connections") +Reported-by: syzbot+827ae2bfb3a3529333e9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67eaf9b8.050a0220.3c3d88.004a.GAE@google.com/T/ +Suggested-by: Eric Dumazet +Reviewed-by: Eric Dumazet +Signed-off-by: Jiayuan Chen +Link: https://patch.msgid.link/20260312092909.48325-1-jiayuan.chen@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 23 +++++++++++++++++------ + net/smc/smc.h | 5 +++++ + net/smc/smc_close.c | 2 +- + 3 files changed, 23 insertions(+), 7 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index c951e5c483b51..a609b220b215d 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -123,7 +123,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk, + struct smc_sock *smc; + struct sock *child; + +- smc = smc_clcsock_user_data(sk); ++ rcu_read_lock(); ++ smc = smc_clcsock_user_data_rcu(sk); ++ if (!smc || !refcount_inc_not_zero(&smc->sk.sk_refcnt)) { ++ rcu_read_unlock(); ++ smc = NULL; ++ goto drop; ++ } ++ rcu_read_unlock(); + + if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) > + sk->sk_max_ack_backlog) +@@ -145,11 +152,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk, + if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops) + inet_csk(child)->icsk_af_ops = smc->ori_af_ops; + } ++ sock_put(&smc->sk); + return child; + + drop: + dst_release(dst); + tcp_listendrop(sk); ++ if (smc) ++ sock_put(&smc->sk); + return NULL; + } + +@@ -248,7 +258,7 @@ static void smc_fback_restore_callbacks(struct smc_sock *smc) + struct sock *clcsk = smc->clcsock->sk; + + write_lock_bh(&clcsk->sk_callback_lock); +- clcsk->sk_user_data = NULL; ++ rcu_assign_sk_user_data(clcsk, NULL); + + smc_clcsock_restore_cb(&clcsk->sk_state_change, &smc->clcsk_state_change); + smc_clcsock_restore_cb(&clcsk->sk_data_ready, 
&smc->clcsk_data_ready);
+@@ -862,7 +872,7 @@ static void smc_fback_replace_callbacks(struct smc_sock *smc)
+ struct sock *clcsk = smc->clcsock->sk;
+
+ write_lock_bh(&clcsk->sk_callback_lock);
+- clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
++ __rcu_assign_sk_user_data_with_flags(clcsk, smc, SK_USER_DATA_NOCOPY);
+
+ smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change,
+ &smc->clcsk_state_change);
+@@ -2550,8 +2560,8 @@ static int smc_listen(struct socket *sock, int backlog)
+ * smc-specific sk_data_ready function
+ */
+ write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+- smc->clcsock->sk->sk_user_data =
+- (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
++ __rcu_assign_sk_user_data_with_flags(smc->clcsock->sk, smc,
++ SK_USER_DATA_NOCOPY);
+ smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready,
+ smc_clcsock_data_ready, &smc->clcsk_data_ready);
+ write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+@@ -2572,10 +2582,11 @@ static int smc_listen(struct socket *sock, int backlog)
+ write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+ smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+ &smc->clcsk_data_ready);
+- smc->clcsock->sk->sk_user_data = NULL;
++ rcu_assign_sk_user_data(smc->clcsock->sk, NULL);
+ write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+ goto out;
+ }
++ sock_set_flag(sk, SOCK_RCU_FREE);
+ sk->sk_max_ack_backlog = backlog;
+ sk->sk_ack_backlog = 0;
+ sk->sk_state = SMC_LISTEN;
+diff --git a/net/smc/smc.h b/net/smc/smc.h
+index bcb57e60b2155..f480b956c45ef 100644
+--- a/net/smc/smc.h
++++ b/net/smc/smc.h
+@@ -302,6 +302,11 @@ static inline struct smc_sock *smc_clcsock_user_data(const struct sock *clcsk)
+ ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY);
+ }
+
++static inline struct smc_sock *smc_clcsock_user_data_rcu(const struct sock *clcsk)
++{
++ return (struct smc_sock *)rcu_dereference_sk_user_data(clcsk);
++}
++
+ /* save target_cb in saved_cb, and replace target_cb with
new_cb */
+ static inline void smc_clcsock_replace_cb(void (**target_cb)(struct sock *),
+ void (*new_cb)(struct sock *),
+diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
+index 10219f55aad14..bb0313ef5f7c1 100644
+--- a/net/smc/smc_close.c
++++ b/net/smc/smc_close.c
+@@ -218,7 +218,7 @@ int smc_close_active(struct smc_sock *smc)
+ write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+ smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+ &smc->clcsk_data_ready);
+- smc->clcsock->sk->sk_user_data = NULL;
++ rcu_assign_sk_user_data(smc->clcsock->sk, NULL);
+ write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+ rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch b/queue-6.1/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
new file mode 100644
index 0000000000..424766ae3c
--- /dev/null
+++ b/queue-6.1/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
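Review bot: smc_clcsock_user_data_rcu() is added without any comment on its requirements, which matter here: it is only safe inside rcu_read_lock(), and unlike smc_clcsock_user_data() directly above it, it does not mask SK_USER_DATA_NOCOPY itself but relies on rcu_dereference_sk_user_data() to strip the flag bits (it does in current sock.h, but that is not visible in this hunk). A comment such as `/* Caller must hold rcu_read_lock(); flag bits are stripped by rcu_dereference_sk_user_data() */` would stop a reader from adding a second mask or calling it unlocked. The `sock_set_flag(sk, SOCK_RCU_FREE);` in smc_listen() is the other half of the scheme and also deserves a comment tying it to smc_tcp_syn_recv_sock(), since removing it would silently reintroduce the use-after-free without any compiler or lockdep complaint. smc_tcp_syn_recv_sock() starts outside the hunk.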
@@ -0,0 +1,69 @@ +From 840156303a6a221a0b6215bc4f16f15812bd1790 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 16:16:43 +0200 +Subject: net: usb: aqc111: Do not perform PM inside suspend callback + +From: Nikola Z. Ivanov + +[ Upstream commit 069c8f5aebe4d5224cf62acc7d4b3486091c658a ] + +syzbot reports "task hung in rpm_resume" + +This is caused by aqc111_suspend calling +the PM variant of its write_cmd routine. + +The simplified call trace looks like this: + +rpm_suspend() + usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING + aqc111_suspend() - called for the usb device interface + aqc111_write32_cmd() + usb_autopm_get_interface() + pm_runtime_resume_and_get() + rpm_resume() - here we call rpm_resume() on our parent + rpm_resume() - Here we wait for a status change that will never happen. + +At this point we block another task which holds +rtnl_lock and locks up the whole networking stack. + +Fix this by replacing the write_cmd calls with their _nopm variants + +Reported-by: syzbot+48dc1e8dfc92faf1124c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=48dc1e8dfc92faf1124c +Fixes: e58ba4544c77 ("net: usb: aqc111: Add support for wake on LAN by MAGIC packet") +Signed-off-by: Nikola Z. 
Ivanov +Link: https://patch.msgid.link/20260313141643.1181386-1-zlatistiv@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/aqc111.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c +index 3ebb1f84d3025..f1820c0d4830f 100644 +--- a/drivers/net/usb/aqc111.c ++++ b/drivers/net/usb/aqc111.c +@@ -1400,14 +1400,14 @@ static int aqc111_suspend(struct usb_interface *intf, pm_message_t message) + aqc111_write16_cmd_nopm(dev, AQ_ACCESS_MAC, + SFR_MEDIUM_STATUS_MODE, 2, ®16); + +- aqc111_write_cmd(dev, AQ_WOL_CFG, 0, 0, +- WOL_CFG_SIZE, &wol_cfg); +- aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, +- &aqc111_data->phy_cfg); ++ aqc111_write_cmd_nopm(dev, AQ_WOL_CFG, 0, 0, ++ WOL_CFG_SIZE, &wol_cfg); ++ aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0, ++ &aqc111_data->phy_cfg); + } else { + aqc111_data->phy_cfg |= AQ_LOW_POWER; +- aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, +- &aqc111_data->phy_cfg); ++ aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0, ++ &aqc111_data->phy_cfg); + + /* Disable RX path */ + aqc111_read16_cmd_nopm(dev, AQ_ACCESS_MAC, +-- +2.51.0 + diff --git a/queue-6.1/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch b/queue-6.1/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch new file mode 100644 index 0000000000..d408d9ea5a --- /dev/null +++ b/queue-6.1/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch 
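Review bot: The three replaced calls in aqc111_suspend() are now the `_nopm` variants, but nothing at the call site records why, so a later edit could reintroduce an autopm-taking helper unnoticed; a comment at the start of the suspend body, `/* runtime PM is mid-transition in the suspend callback: the autopm-taking write helpers would block in rpm_resume() on our own parent, use _nopm only */`, pins the invariant. The return values of the writes are still discarded, as before the patch, so a failed register write during suspend goes unreported — worth a follow-up if the driver has a logging convention for this. Since the rename is the whole change, any other non-`_nopm` write in the parts of aqc111_suspend() outside this hunk would still have the same hang; the function starts and ends outside the hunk.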
@@ -0,0 +1,123 @@ +From a3e0ae3aef193ce25e737123767aeb89047cd590 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:21:37 +0900 +Subject: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() + +From: Hyunwoo Kim + +[ Upstream commit 5cb81eeda909dbb2def209dd10636b51549a3f8a ] + +ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the +netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the +conntrack reference immediately after netlink_dump_start(). When the +dump spans multiple rounds, the second recvmsg() triggers the dump +callback which dereferences the now-freed conntrack via nfct_help(ct), +leading to a use-after-free on ct->ext. + +The bug is that the netlink_dump_control has no .start or .done +callbacks to manage the conntrack reference across dump rounds. Other +dump functions in the same file (e.g. ctnetlink_get_conntrack) properly +use .start/.done callbacks for this purpose. + +Fix this by adding .start and .done callbacks that hold and release the +conntrack reference for the duration of the dump, and move the +nfct_help() call after the cb->args[0] early-return check in the dump +callback to avoid dereferencing ct->ext unnecessarily. + + BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0 + Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133 + + CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY + Call Trace: + + ctnetlink_exp_ct_dump_table+0x4f/0x2e0 + netlink_dump+0x333/0x880 + netlink_recvmsg+0x3e2/0x4b0 + ? 
aa_sk_perm+0x184/0x450 + sock_recvmsg+0xde/0xf0 + + Allocated by task 133: + kmem_cache_alloc_noprof+0x134/0x440 + __nf_conntrack_alloc+0xa8/0x2b0 + ctnetlink_create_conntrack+0xa1/0x900 + ctnetlink_new_conntrack+0x3cf/0x7d0 + nfnetlink_rcv_msg+0x48e/0x510 + netlink_rcv_skb+0xc9/0x1f0 + nfnetlink_rcv+0xdb/0x220 + netlink_unicast+0x3ec/0x590 + netlink_sendmsg+0x397/0x690 + __sys_sendmsg+0xf4/0x180 + + Freed by task 0: + slab_free_after_rcu_debug+0xad/0x1e0 + rcu_core+0x5c3/0x9c0 + +Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack") +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++++++++++- + 1 file changed, 25 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 5bf72773c69f7..30f332bcdc39d 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3204,7 +3204,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + struct nf_conn *ct = cb->data; +- struct nf_conn_help *help = nfct_help(ct); ++ struct nf_conn_help *help; + u_int8_t l3proto = nfmsg->nfgen_family; + unsigned long last_id = cb->args[1]; + struct nf_conntrack_expect *exp; +@@ -3212,6 +3212,10 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + if (cb->args[0]) + return 0; + ++ help = nfct_help(ct); ++ if (!help) ++ return 0; ++ + rcu_read_lock(); + + restart: +@@ -3241,6 +3245,24 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + return skb->len; + } + ++static int ctnetlink_dump_exp_ct_start(struct netlink_callback *cb) ++{ ++ struct nf_conn *ct = cb->data; ++ ++ if (!refcount_inc_not_zero(&ct->ct_general.use)) ++ return -ENOENT; ++ return 0; ++} ++ ++static int ctnetlink_dump_exp_ct_done(struct 
netlink_callback *cb) ++{ ++ struct nf_conn *ct = cb->data; ++ ++ if (ct) ++ nf_ct_put(ct); ++ return 0; ++} ++ + static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct sk_buff *skb, + const struct nlmsghdr *nlh, +@@ -3256,6 +3278,8 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct nf_conntrack_zone zone; + struct netlink_dump_control c = { + .dump = ctnetlink_exp_ct_dump_table, ++ .start = ctnetlink_dump_exp_ct_start, ++ .done = ctnetlink_dump_exp_ct_done, + }; + + err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, +-- +2.51.0 + diff --git a/queue-6.1/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch b/queue-6.1/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch new file mode 100644 index 0000000000..2c3380f375 --- /dev/null +++ b/queue-6.1/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch 
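Review bot: `ctnetlink_dump_exp_ct_done()` guards with `if (ct)`, but `ctnetlink_dump_exp_ct_start()` leaves `cb->data` pointing at the conntrack when `refcount_inc_not_zero()` fails, so if the netlink core ever runs `.done` after a failed `.start` the put would drop a reference this dump never took; either set `cb->data = NULL;` before `return -ENOENT;` or add a comment stating that `.done` is not reached in that case. The ownership hand-off also deserves a comment on the start callback, e.g. `/* hold the master ct for the whole dump; released in ctnetlink_dump_exp_ct_done() */`, since according to the commit message the caller drops its own reference right after netlink_dump_start() (that code is outside the hunk). The added `if (!help) return 0;` in ctnetlink_exp_ct_dump_table() silently ends the dump for a conntrack without a helper extension, which presumably is the intended "no expectations" result, but a one-line comment would confirm that.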
@@ -0,0 +1,165 @@ +From c83a797210aa0cc5e0784152ac62bf3fa8ea95ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Aug 2025 17:25:09 +0200 +Subject: netfilter: ctnetlink: remove refcounting in expectation dumpers + +From: Florian Westphal + +[ Upstream commit 1492e3dcb2be3aa46d1963da96aa9593e4e4db5a ] + +Same pattern as previous patch: do not keep the expectation object +alive via refcount, only store a cookie value and then use that +as the skip hint for dump resumption. + +AFAICS this has the same issue as the one resolved in the conntrack +dumper, when we do + if (!refcount_inc_not_zero(&exp->use)) + +to increment the refcount, there is a chance that exp == last, which +causes a double-increment of the refcount and subsequent memory leak. + +Fixes: cf6994c2b981 ("[NETFILTER]: nf_conntrack_netlink: sync expectation dumping with conntrack table dumping") +Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Stable-dep-of: 5cb81eeda909 ("netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()") +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 41 ++++++++++++---------------- + 1 file changed, 17 insertions(+), 24 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index d3e28574ceb94..5bf72773c69f7 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3144,23 +3144,27 @@ ctnetlink_expect_event(unsigned int events, const struct nf_exp_event *item) + return 0; + } + #endif +-static int ctnetlink_exp_done(struct netlink_callback *cb) ++ ++static unsigned long ctnetlink_exp_id(const struct nf_conntrack_expect *exp) + { +- if (cb->args[1]) +- nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]); +- return 0; ++ unsigned long id = (unsigned long)exp; ++ ++ id += nf_ct_get_id(exp->master); ++ id += exp->class; ++ ++ 
return id ? id : 1; + } + + static int + ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { + struct net *net = sock_net(skb->sk); +- struct nf_conntrack_expect *exp, *last; + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + u_int8_t l3proto = nfmsg->nfgen_family; ++ unsigned long last_id = cb->args[1]; ++ struct nf_conntrack_expect *exp; + + rcu_read_lock(); +- last = (struct nf_conntrack_expect *)cb->args[1]; + for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { + restart: + hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]], +@@ -3172,7 +3176,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + continue; + + if (cb->args[1]) { +- if (exp != last) ++ if (ctnetlink_exp_id(exp) != last_id) + continue; + cb->args[1] = 0; + } +@@ -3181,9 +3185,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->nlh->nlmsg_seq, + IPCTNL_MSG_EXP_NEW, + exp) < 0) { +- if (!refcount_inc_not_zero(&exp->use)) +- continue; +- cb->args[1] = (unsigned long)exp; ++ cb->args[1] = ctnetlink_exp_id(exp); + goto out; + } + } +@@ -3194,32 +3196,30 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + } + out: + rcu_read_unlock(); +- if (last) +- nf_ct_expect_put(last); +- + return skb->len; + } + + static int + ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { +- struct nf_conntrack_expect *exp, *last; + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + struct nf_conn *ct = cb->data; + struct nf_conn_help *help = nfct_help(ct); + u_int8_t l3proto = nfmsg->nfgen_family; ++ unsigned long last_id = cb->args[1]; ++ struct nf_conntrack_expect *exp; + + if (cb->args[0]) + return 0; + + rcu_read_lock(); +- last = (struct nf_conntrack_expect *)cb->args[1]; ++ + restart: + hlist_for_each_entry_rcu(exp, &help->expectations, lnode) { + if (l3proto && exp->tuple.src.l3num != l3proto) + continue; + if (cb->args[1]) { +- if (exp != last) ++ if 
(ctnetlink_exp_id(exp) != last_id) + continue; + cb->args[1] = 0; + } +@@ -3227,9 +3227,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->nlh->nlmsg_seq, + IPCTNL_MSG_EXP_NEW, + exp) < 0) { +- if (!refcount_inc_not_zero(&exp->use)) +- continue; +- cb->args[1] = (unsigned long)exp; ++ cb->args[1] = ctnetlink_exp_id(exp); + goto out; + } + } +@@ -3240,9 +3238,6 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->args[0] = 1; + out: + rcu_read_unlock(); +- if (last) +- nf_ct_expect_put(last); +- + return skb->len; + } + +@@ -3261,7 +3256,6 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct nf_conntrack_zone zone; + struct netlink_dump_control c = { + .dump = ctnetlink_exp_ct_dump_table, +- .done = ctnetlink_exp_done, + }; + + err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, +@@ -3311,7 +3305,6 @@ static int ctnetlink_get_expect(struct sk_buff *skb, + else { + struct netlink_dump_control c = { + .dump = ctnetlink_exp_dump_table, +- .done = ctnetlink_exp_done, + }; + return netlink_dump_start(info->sk, skb, info->nlh, &c); + } +-- +2.51.0 + diff --git a/queue-6.1/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch b/queue-6.1/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch new file mode 100644 index 0000000000..085c963623 --- /dev/null +++ b/queue-6.1/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch 
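Review bot: `ctnetlink_exp_id()` has no comment describing what the value is or what happens when the saved expectation vanishes between dump rounds: both resume loops only clear `cb->args[1]` on an exact cookie match, so if that entry has been freed every remaining expectation is skipped and the dump ends early — a truncated dump rather than a memory-safety problem, which is the trade the commit message describes. Suggest a header comment such as `/* Resume cookie: pointer plus master id and class so a recycled address is unlikely to alias; if the entry is gone the rest of the table is skipped. */`. The `return id ? id : 1;` fallback also deserves a one-liner, because `cb->args[1] == 0` doubles as "no resume point" in both dump loops.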
@@ -0,0 +1,47 @@
+From 071a57c17b7b9ea548be69c726a7d5aae10561a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Mar 2026 14:49:50 +0000
+Subject: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu
+
+[ Upstream commit f173d0f4c0f689173f8cdac79991043a4a89bf66 ]
+
+In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
+the packet, then decrements it by 1 to skip the protocol discriminator
+byte before passing it to DecodeH323_UserInformation(). If the encoded
+length is 0, the decrement wraps to -1, which is then passed as a
+large value to the decoder, leading to an out-of-bounds read.
+
+Add a check to ensure len is positive after the decrement.
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Reported-by: Klaudia Kloc
+Reported-by: Dawid Moczadło
+Tested-by: Jenny Guanni Qu
+Signed-off-by: Jenny Guanni Qu
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index c972e9488e16f..7b1497ed97d26 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
+ break;
+ p++;
+ len--;
++ if (len <= 0)
++ break;
+ return DecodeH323_UserInformation(buf, p, len,
+ &q931->UUIE);
+ }
+--
+2.51.0
+
diff --git a/queue-6.1/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch b/queue-6.1/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
new file mode 100644
index 0000000000..30801943a8
--- /dev/null
+++ b/queue-6.1/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
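Review bot: The new `if (len <= 0) break;` only works because `len` is a signed type, which the hunk does not show; if the variable is ever widened to an unsigned type the `len--` underflows and the guard never fires, so a comment tying the two lines together is worthwhile: `/* len now excludes the protocol discriminator byte; nothing left to decode */`. The guard also uses the same `break;` exit as the earlier `break;` in the context rather than returning an error, so a zero-length UUIE is silently ignored while a decoded one returns — consistent with the surrounding code, but worth a sentence if that is intentional. DecodeQ931() continues outside the hunk.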
@@ -0,0 +1,48 @@ +From dcc0d9cc7cb99de26b77e95cadfb71f27ce61f5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 02:29:32 +0000 +Subject: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jenny Guanni Qu + +[ Upstream commit 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a ] + +In decode_int(), the CONS case calls get_bits(bs, 2) to read a length +value, then calls get_uint(bs, len) without checking that len bytes +remain in the buffer. The existing boundary check only validates the +2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() +reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte +slab-out-of-bounds read. + +Add a boundary check for len bytes after get_bits() and before +get_uint(). + +Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_h323_asn1.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c +index 62aa22a078769..c972e9488e16f 100644 +--- a/net/netfilter/nf_conntrack_h323_asn1.c ++++ b/net/netfilter/nf_conntrack_h323_asn1.c +@@ -331,6 +331,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f, + if (nf_h323_error_boundary(bs, 0, 2)) + return H323_ERROR_BOUND; + len = get_bits(bs, 2) + 1; ++ if (nf_h323_error_boundary(bs, len, 0)) ++ return H323_ERROR_BOUND; + BYTE_ALIGN(bs); + if (base && (f->attr & DECODE)) { /* timeToLive */ + unsigned int v = get_uint(bs, len) + f->lb; +-- +2.51.0 + diff --git a/queue-6.1/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch b/queue-6.1/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch new file mode 100644 index 0000000000..5e1a0d1e7e 
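Review bot: The added `nf_h323_error_boundary(bs, len, 0)` runs before `BYTE_ALIGN(bs)`, so it is only sufficient if the helper rounds the current partial bit position up to the byte that `BYTE_ALIGN()` will skip (it does in the versions I know, but the helper is outside the hunk); a comment makes that dependency explicit: `/* bits=0 still accounts for the partial byte BYTE_ALIGN() consumes */`. If other decode_* paths in this file follow the same get_bits()/BYTE_ALIGN()/get_uint() sequence, they deserve the same check for the same reason.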
--- /dev/null +++ b/queue-6.1/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch 
@@ -0,0 +1,66 @@ +From 316eb5dc6c9cb5880266b08e203c43567832e305 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 21:49:01 +0000 +Subject: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in + sip_help_tcp() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lukas Johannes Möller + +[ Upstream commit fbce58e719a17aa215c724473fd5baaa4a8dc57c ] + +sip_help_tcp() parses the SIP Content-Length header with +simple_strtoul(), which returns unsigned long, but stores the result in +unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are +silently truncated before computing the SIP message boundary. + +For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, +causing the parser to miscalculate where the current message ends. The +loop then treats trailing data in the TCP segment as a second SIP +message and processes it through the SDP parser. + +Fix this by changing clen to unsigned long to match the return type of +simple_strtoul(), and reject Content-Length values that exceed the +remaining TCP payload length. 
+ +Fixes: f5b321bd37fb ("netfilter: nf_conntrack_sip: add TCP support") +Signed-off-by: Lukas Johannes Möller +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_sip.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c +index d0eac27f6ba03..657839a58782a 100644 +--- a/net/netfilter/nf_conntrack_sip.c ++++ b/net/netfilter/nf_conntrack_sip.c +@@ -1534,11 +1534,12 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff, + { + struct tcphdr *th, _tcph; + unsigned int dataoff, datalen; +- unsigned int matchoff, matchlen, clen; ++ unsigned int matchoff, matchlen; + unsigned int msglen, origlen; + const char *dptr, *end; + s16 diff, tdiff = 0; + int ret = NF_ACCEPT; ++ unsigned long clen; + bool term; + + if (ctinfo != IP_CT_ESTABLISHED && +@@ -1573,6 +1574,9 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff, + if (dptr + matchoff == end) + break; + ++ if (clen > datalen) ++ break; ++ + term = false; + for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) { + if (end[0] == '\r' && end[1] == '\n' && +-- +2.51.0 + diff --git a/queue-6.1/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch b/queue-6.1/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch new file mode 100644 index 0000000000..17ba232ea2 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch 
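Review bot: `if (clen > datalen) break;` bounds the value, but `simple_strtoul()` to my knowledge wraps silently on a decimal larger than ULONG_MAX (it discards the parser's overflow flag), so a 20-or-more-digit Content-Length can alias a small `clen` that passes the new check and reproduces the same boundary miscalculation at 64 bits. Bounding the digit run is a cheap way to close that gap: `if (end - (dptr + matchoff) > 10) break;` right after the `dptr + matchoff == end` test, since ten decimal digits already exceed any `datalen`. A comment on the new check, `/* reject before clen is added to end; a huge value would wrap the pointer */`, would also help, because any later `msglen > datalen` comparison outside the hunk cannot catch a pointer that has already wrapped.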
@@ -0,0 +1,51 @@ +From f78b574210ee9fe3d4910ff5578d4edf08f911fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 20:00:26 +0100 +Subject: netfilter: nf_tables: release flowtable after rcu grace period on + error + +From: Pablo Neira Ayuso + +[ Upstream commit d73f4b53aaaea4c95f245e491aa5eeb8a21874ce ] + +Call synchronize_rcu() after unregistering the hooks from error path, +since a hook that already refers to this flowtable can be already +registered, exposing this flowtable to packet path and nfnetlink_hook +control plane. + +This error path is rare, it should only happen by reaching the maximum +number hooks or by failing to set up to hardware offload, just call +synchronize_rcu(). + +There is a check for already used device hooks by different flowtable +that could result in EEXIST at this late stage. The hook parser can be +updated to perform this check earlier to this error path really becomes +rarely exercised. + +Uncovered by KASAN reported as use-after-free from nfnetlink_hook path +when dumping hooks. + +Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index ac36183956515..11a5d5d715d56 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -8279,6 +8279,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb, + return 0; + + err_flowtable_hooks: ++ synchronize_rcu(); + nft_trans_destroy(trans); + err_flowtable_trans: + nft_hooks_destroy(&flowtable->hook_list); +-- +2.51.0 + diff --git a/queue-6.1/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch b/queue-6.1/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch new file mode 100644 index 0000000000..dec961aa67 --- /dev/null 
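Review bot: The `synchronize_rcu()` added at `err_flowtable_hooks:` has no comment, and a reader who does not know that hook registration happened earlier in nf_tables_newflowtable() (outside the hunk) will wonder why a blocking grace-period wait sits before `nft_trans_destroy()`; suggest `/* hooks already registered may still be visible to the packet path and nfnetlink_hook; wait a grace period before the flowtable is freed */`. The call also assumes a sleepable context, which holds for the nfnetlink control path, but is worth stating so the label is not reused from a non-sleepable fast-fail branch later.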
+++ b/queue-6.1/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch 
@@ -0,0 +1,114 @@ +From 04028d03c0275832a59a645b1d4c5bb64c932766 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Oct 2025 18:22:16 +0200 +Subject: netfilter: nft_ct: add seqadj extension for natted connections + +From: Andrii Melnychenko + +[ Upstream commit 90918e3b6404c2a37837b8f11692471b4c512de2 ] + +Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. +due to need to re-write packet payload (IP, port) on the ftp control +connection. This can require changes to the TCP length and expected +seq / ack_seq. + +The easiest way to reproduce this issue is with PASV mode. +Example ruleset: +table inet ftp_nat { + ct helper ftp_helper { + type "ftp" protocol tcp + l3proto inet + } + + chain prerouting { + type filter hook prerouting priority 0; policy accept; + tcp dport 21 ct state new ct helper set "ftp_helper" + } +} +table ip nat { + chain prerouting { + type nat hook prerouting priority -100; policy accept; + tcp dport 21 dnat ip prefix to ip daddr map { + 192.168.100.1 : 192.168.13.2/32 } + } + + chain postrouting { + type nat hook postrouting priority 100 ; policy accept; + tcp sport 21 snat ip prefix to ip saddr map { + 192.168.13.2 : 192.168.100.1/32 } + } +} + +Note that the ftp helper gets assigned *after* the dnat setup. + +The inverse (nat after helper assign) is handled by an existing +check in nf_nat_setup_info() and will not show the problem. + +Topoloy: + + +-------------------+ +----------------------------------+ + | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 | + +-------------------+ +----------------------------------+ + | + +-----------------------+ + | Client: 192.168.100.2 | + +-----------------------+ + +ftp nat changes do not work as expected in this case: +Connected to 192.168.100.1. +[..] +ftp> epsv +EPSV/EPRT on IPv4 off. +ftp> ls +227 Entering passive mode (192,168,100,1,209,129). +421 Service not available, remote server has closed connection. 
+ +Kernel logs: +Missing nfct_seqadj_ext_add() setup call +WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 +[..] + __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat] + nf_nat_ftp+0x142/0x280 [nf_nat_ftp] + help+0x4d1/0x880 [nf_conntrack_ftp] + nf_confirm+0x122/0x2e0 [nf_conntrack] + nf_hook_slow+0x3c/0xb0 + .. + +Fix this by adding the required extension when a conntrack helper is assigned +to a connection that has a nat binding. + +Fixes: 1a64edf54f55 ("netfilter: nft_ct: add helper set support") +Signed-off-by: Andrii Melnychenko +Signed-off-by: Florian Westphal +Stable-dep-of: 36eae0956f65 ("netfilter: nft_ct: drop pending enqueued packets on removal") +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_ct.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c +index 3641043ca8cc5..70783671a2b01 100644 +--- a/net/netfilter/nft_ct.c ++++ b/net/netfilter/nft_ct.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + struct nft_ct { + enum nft_ct_keys key:8; +@@ -1156,6 +1157,10 @@ static void nft_ct_helper_obj_eval(struct nft_object *obj, + if (help) { + rcu_assign_pointer(help->helper, to_assign); + set_bit(IPS_HELPER_BIT, &ct->status); ++ ++ if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct)) ++ if (!nfct_seqadj_ext_add(ct)) ++ regs->verdict.code = NF_DROP; + } + } + +-- +2.51.0 + diff --git a/queue-6.1/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch b/queue-6.1/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch new file mode 100644 index 0000000000..b5cd8bda0d --- /dev/null +++ b/queue-6.1/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch 
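Review bot: The two nested unbraced `if`s at the end of nft_ct_helper_obj_eval() express one condition and are easier to audit as one: `if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct) && !nfct_seqadj_ext_add(ct)) regs->verdict.code = NF_DROP;`, preceded by `/* nat set up before the helper: nf_nat_setup_info() only adds seqadj when a helper is already assigned */`. Note that by the time `nfct_seqadj_ext_add()` can fail, `help->helper` and `IPS_HELPER_BIT` have already been set on the conntrack; that is harmless only if this path runs exclusively for unconfirmed conntracks (as I recall the function's earlier checks ensure, but they are outside the hunk), so the NF_DROP discards the entry together with the packet — worth a sentence in the comment.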
@@ -0,0 +1,70 @@ +From f5371d510163da0e4de50c2320b908fc381d26bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 13:48:47 +0100 +Subject: netfilter: nft_ct: drop pending enqueued packets on removal + +From: Pablo Neira Ayuso + +[ Upstream commit 36eae0956f659e48d5366d9b083d9417f3263ddc ] + +Packets sitting in nfqueue might hold a reference to: + +- templates that specify the conntrack zone, because a percpu area is + used and module removal is possible. +- conntrack timeout policies and helper, where object removal leave + a stale reference. + +Since these objects can just go away, drop enqueued packets to avoid +stale reference to them. + +If there is a need for finer grain removal, this logic can be revisited +to make selective packet drop upon dependencies. + +Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_ct.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c +index 70783671a2b01..c5d78f2525226 100644 +--- a/net/netfilter/nft_ct.c ++++ b/net/netfilter/nft_ct.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include "nf_internals.h" + + struct nft_ct { + enum nft_ct_keys key:8; +@@ -537,6 +538,7 @@ static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv) + #endif + #ifdef CONFIG_NF_CONNTRACK_ZONES + case NFT_CT_ZONE: ++ nf_queue_nf_hook_drop(ctx->net); + mutex_lock(&nft_ct_pcpu_mutex); + if (--nft_ct_pcpu_template_refcnt == 0) + nft_ct_tmpl_put_pcpu(); +@@ -980,6 +982,7 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx, + struct nft_ct_timeout_obj *priv = nft_obj_data(obj); + struct nf_ct_timeout *timeout = priv->timeout; + ++ nf_queue_nf_hook_drop(ctx->net); + nf_ct_untimeout(ctx->net, timeout); + nf_ct_netns_put(ctx->net, ctx->family); + kfree(priv->timeout); +@@ -1112,6 
+1115,7 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx, + { + struct nft_ct_helper_obj *priv = nft_obj_data(obj); + ++ nf_queue_nf_hook_drop(ctx->net); + if (priv->helper4) + nf_conntrack_helper_put(priv->helper4); + if (priv->helper6) +-- +2.51.0 + diff --git a/queue-6.1/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch b/queue-6.1/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch new file mode 100644 index 0000000000..b2c9da5709 --- /dev/null +++ b/queue-6.1/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch 
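Review bot: The three new `nf_queue_nf_hook_drop(ctx->net)` calls (hunks at 537, 980 and 1112) flush, as far as I know, every nfqueue in the namespace including packets unrelated to conntrack, yet none carries a comment saying why; one line at each site — `/* skbs still sitting in nfqueue may reference this object; flush them before it goes away */` — prevents the call from being "optimised" out later. The ordering also matters and is not stated: the drop must precede `nf_ct_untimeout()`, `nf_conntrack_helper_put()` and the pcpu template put, which the hunks get right. Operationally this turns rule or object removal into visible packet loss on queued traffic; the commit message accepts that trade, and the call site is the place to document it.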
@@ -0,0 +1,54 @@ +From 20af8c4f99aa12afd3efacc3fbd25b805a05ec8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 13:48:48 +0100 +Subject: netfilter: xt_CT: drop pending enqueued packets on template removal + +From: Pablo Neira Ayuso + +[ Upstream commit f62a218a946b19bb59abdd5361da85fa4606b96b ] + +Templates refer to objects that can go away while packets are sitting in +nfqueue refer to: + +- helper, this can be an issue on module removal. +- timeout policy, nfnetlink_cttimeout might remove it. + +The use of templates with zone and event cache filter are safe, since +this just copies values. + +Flush these enqueued packets in case the template rule gets removed. + +Fixes: 24de58f46516 ("netfilter: xt_CT: allow to attach timeout policy + glue code") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_CT.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c +index 3ba94c34297cf..498f5871c84a0 100644 +--- a/net/netfilter/xt_CT.c ++++ b/net/netfilter/xt_CT.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include "nf_internals.h" + + static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct) + { +@@ -283,6 +284,9 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par, + struct nf_conn_help *help; + + if (ct) { ++ if (info->helper[0] || info->timeout[0]) ++ nf_queue_nf_hook_drop(par->net); ++ + help = nfct_help(ct); + xt_ct_put_helper(help); + +-- +2.51.0 + diff --git a/queue-6.1/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch b/queue-6.1/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch new file mode 100644 index 0000000000..05655420c7 --- /dev/null +++ b/queue-6.1/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch 
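Review bot: The condition `info->helper[0] || info->timeout[0]` encodes the commit-message reasoning (zone and event masks are copied, helper and timeout leave references) without saying so in the code; suggest `/* zone and event masks are copied into the template; only helper and timeout policy can still be referenced by skbs in nfqueue */` above the check. If xt_ct_tg_destroy() is also reached from the v0 destructor through a stack-converted v1 struct (outside the hunk), it is worth confirming that conversion zero-fills `timeout[]`, otherwise the new test reads uninitialised bytes.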
@@ -0,0 +1,53 @@ +From 61fcfa34ae1acc0b77ba04117e07d641cd62c921 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 14:59:49 +0000 +Subject: netfilter: xt_time: use unsigned int for monthday bit shift +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jenny Guanni Qu + +[ Upstream commit 00050ec08cecfda447e1209b388086d76addda3a ] + +The monthday field can be up to 31, and shifting a signed integer 1 +by 31 positions (1 << 31) is undefined behavior in C, as the result +overflows a 32-bit signed int. Use 1U to ensure well-defined behavior +for all valid monthday values. + +Change the weekday shift to 1U as well for consistency. + +Fixes: ee4411a1b1e0 ("[NETFILTER]: x_tables: add xt_time match") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Tested-by: Jenny Guanni Qu +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_time.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c +index 6aa12d0f54e23..61de85e02a40f 100644 +--- a/net/netfilter/xt_time.c ++++ b/net/netfilter/xt_time.c +@@ -227,13 +227,13 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par) + + localtime_2(¤t_time, stamp); + +- if (!(info->weekdays_match & (1 << current_time.weekday))) ++ if (!(info->weekdays_match & (1U << current_time.weekday))) + return false; + + /* Do not spend time computing monthday if all days match anyway */ + if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) { + localtime_3(¤t_time, stamp); +- if (!(info->monthdays_match & (1 << current_time.monthday))) ++ if (!(info->monthdays_match & (1U << current_time.monthday))) + return false; + } + +-- +2.51.0 + diff --git a/queue-6.1/nfnetlink_osf-validate-individual-option-lengths-in-.patch b/queue-6.1/nfnetlink_osf-validate-individual-option-lengths-in-.patch new file mode 100644 index 0000000000..9e3d175792 
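Review bot: The `1U` literals fix the undefined shift, but the code still relies on `current_time.monthday` never exceeding 31 (localtime_3() is outside the hunk), so a comment on that line, `/* 1U: monthday reaches 31 and 1 << 31 is undefined for a signed int */`, records both why the unsigned literal matters and the bound it depends on. If time_mt_check() or other code in this file builds the same day masks with `1 <<`, it should be changed for the same reason.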
--- /dev/null +++ b/queue-6.1/nfnetlink_osf-validate-individual-option-lengths-in-.patch 
@@ -0,0 +1,83 @@ +From 42fee72384b0e7eb5ac6b329ad9731677761744c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 15:32:44 +0800 +Subject: nfnetlink_osf: validate individual option lengths in fingerprints + +From: Weiming Shi + +[ Upstream commit dbdfaae9609629a9569362e3b8f33d0a20fd783c ] + +nfnl_osf_add_callback() validates opt_num bounds and string +NUL-termination but does not check individual option length fields. +A zero-length option causes nf_osf_match_one() to enter the option +matching loop even when foptsize sums to zero, which matches packets +with no TCP options where ctx->optp is NULL: + + Oops: general protection fault + KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) + Call Trace: + nf_osf_match (net/netfilter/nfnetlink_osf.c:227) + xt_osf_match_packet (net/netfilter/xt_osf.c:32) + ipt_do_table (net/ipv4/netfilter/ip_tables.c:293) + nf_hook_slow (net/netfilter/core.c:623) + ip_local_deliver (net/ipv4/ip_input.c:262) + ip_rcv (net/ipv4/ip_input.c:573) + +Additionally, an MSS option (kind=2) with length < 4 causes +out-of-bounds reads when nf_osf_match_one() unconditionally accesses +optp[2] and optp[3] for MSS value extraction. While RFC 9293 +section 3.2 specifies that the MSS option is always exactly 4 +bytes (Kind=2, Length=4), the check uses "< 4" rather than +"!= 4" because lengths greater than 4 do not cause memory +safety issues -- the buffer is guaranteed to be at least +foptsize bytes by the ctx->optsize == foptsize check. + +Reject fingerprints where any option has zero length, or where an MSS +option has length less than 4, at add time rather than trusting these +values in the packet matching hot path. 
+ +Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_osf.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c +index 50723ba082890..da9d5d6de98f4 100644 +--- a/net/netfilter/nfnetlink_osf.c ++++ b/net/netfilter/nfnetlink_osf.c +@@ -302,7 +302,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb, + { + struct nf_osf_user_finger *f; + struct nf_osf_finger *kf = NULL, *sf; ++ unsigned int tot_opt_len = 0; + int err = 0; ++ int i; + + if (!capable(CAP_NET_ADMIN)) + return -EPERM; +@@ -318,6 +320,17 @@ static int nfnl_osf_add_callback(struct sk_buff *skb, + if (f->opt_num > ARRAY_SIZE(f->opt)) + return -EINVAL; + ++ for (i = 0; i < f->opt_num; i++) { ++ if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN) ++ return -EINVAL; ++ if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4) ++ return -EINVAL; ++ ++ tot_opt_len += f->opt[i].length; ++ if (tot_opt_len > MAX_IPOPTLEN) ++ return -EINVAL; ++ } ++ + if (!memchr(f->genre, 0, MAXGENRELEN) || + !memchr(f->subtype, 0, MAXGENRELEN) || + !memchr(f->version, 0, MAXGENRELEN)) +-- +2.51.0 + diff --git a/queue-6.1/pm-runtime-fix-a-race-condition-related-to-device-re.patch b/queue-6.1/pm-runtime-fix-a-race-condition-related-to-device-re.patch new file mode 100644 index 0000000000..8fb6b70538 --- /dev/null +++ b/queue-6.1/pm-runtime-fix-a-race-condition-related-to-device-re.patch 
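Review bot: The MSS minimum is written as the bare literal `4`; `TCPOLEN_MSS` is the named constant for that option length in net/tcp.h, and writing `if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < TCPOLEN_MSS)` documents why 4 and ties the check to the optp[2]/optp[3] reads described in the commit message — assuming that header is in scope in nfnetlink_osf.c. The running `tot_opt_len` check cannot overflow since each term is already limited to MAX_IPOPTLEN, but a one-line comment above the loop saying that the per-option and total bounds together are what nf_osf_match_one() relies on would make the intent clear. nfnl_osf_add_callback() continues outside the hunk.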
@@ -0,0 +1,126 @@ +From a70a6417f93dde7e6f9c8bf97019975ae8a13f71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 11:27:20 -0700 +Subject: PM: runtime: Fix a race condition related to device removal + +From: Bart Van Assche + +[ Upstream commit 29ab768277617452d88c0607c9299cdc63b6e9ff ] + +The following code in pm_runtime_work() may dereference the dev->parent +pointer after the parent device has been freed: + + /* Maybe the parent is now able to suspend. */ + if (parent && !parent->power.ignore_children) { + spin_unlock(&dev->power.lock); + + spin_lock(&parent->power.lock); + rpm_idle(parent, RPM_ASYNC); + spin_unlock(&parent->power.lock); + + spin_lock(&dev->power.lock); + } + +Fix this by inserting a flush_work() call in pm_runtime_remove(). + +Without this patch blktest block/001 triggers the following complaint +sporadically: + +BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160 +Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081 +Workqueue: pm pm_runtime_work +Call Trace: + + dump_stack_lvl+0x61/0x80 + print_address_description.constprop.0+0x8b/0x310 + print_report+0xfd/0x1d7 + kasan_report+0xd8/0x1d0 + __kasan_check_byte+0x42/0x60 + lock_acquire.part.0+0x38/0x230 + lock_acquire+0x70/0x160 + _raw_spin_lock+0x36/0x50 + rpm_suspend+0xc6a/0xfe0 + rpm_idle+0x578/0x770 + pm_runtime_work+0xee/0x120 + process_one_work+0xde3/0x1410 + worker_thread+0x5eb/0xfe0 + kthread+0x37b/0x480 + ret_from_fork+0x6cb/0x920 + ret_from_fork_asm+0x11/0x20 + + +Allocated by task 4314: + kasan_save_stack+0x2a/0x50 + kasan_save_track+0x18/0x40 + kasan_save_alloc_info+0x3d/0x50 + __kasan_kmalloc+0xa0/0xb0 + __kmalloc_noprof+0x311/0x990 + scsi_alloc_target+0x122/0xb60 [scsi_mod] + __scsi_scan_target+0x101/0x460 [scsi_mod] + scsi_scan_channel+0x179/0x1c0 [scsi_mod] + scsi_scan_host_selected+0x259/0x2d0 [scsi_mod] + store_scan+0x2d2/0x390 [scsi_mod] + dev_attr_store+0x43/0x80 + sysfs_kf_write+0xde/0x140 + kernfs_fop_write_iter+0x3ef/0x670 + 
vfs_write+0x506/0x1470 + ksys_write+0xfd/0x230 + __x64_sys_write+0x76/0xc0 + x64_sys_call+0x213/0x1810 + do_syscall_64+0xee/0xfc0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Freed by task 4314: + kasan_save_stack+0x2a/0x50 + kasan_save_track+0x18/0x40 + kasan_save_free_info+0x3f/0x50 + __kasan_slab_free+0x67/0x80 + kfree+0x225/0x6c0 + scsi_target_dev_release+0x3d/0x60 [scsi_mod] + device_release+0xa3/0x220 + kobject_cleanup+0x105/0x3a0 + kobject_put+0x72/0xd0 + put_device+0x17/0x20 + scsi_device_dev_release+0xacf/0x12c0 [scsi_mod] + device_release+0xa3/0x220 + kobject_cleanup+0x105/0x3a0 + kobject_put+0x72/0xd0 + put_device+0x17/0x20 + scsi_device_put+0x7f/0xc0 [scsi_mod] + sdev_store_delete+0xa5/0x120 [scsi_mod] + dev_attr_store+0x43/0x80 + sysfs_kf_write+0xde/0x140 + kernfs_fop_write_iter+0x3ef/0x670 + vfs_write+0x506/0x1470 + ksys_write+0xfd/0x230 + __x64_sys_write+0x76/0xc0 + x64_sys_call+0x213/0x1810 + +Reported-by: Ming Lei +Closes: https://lore.kernel.org/all/ZxdNvLNI8QaOfD2d@fedora/ +Reported-by: syzbot+6c905ab800f20cf4086c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68c13942.050a0220.2ff435.000b.GAE@google.com/ +Fixes: 5e928f77a09a ("PM: Introduce core framework for run-time PM of I/O devices (rev. 17)") +Signed-off-by: Bart Van Assche +Link: https://patch.msgid.link/20260312182720.2776083-1-bvanassche@acm.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/base/power/runtime.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index ad043709d7f3f..ca86d7bf804ca 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -1813,6 +1813,7 @@ void pm_runtime_reinit(struct device *dev) + void pm_runtime_remove(struct device *dev) + { + __pm_runtime_disable(dev, false); ++ flush_work(&dev->power.work); + pm_runtime_reinit(dev); + } + +-- +2.51.0 + 
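Review bot: The new flush_work() call has no comment explaining why the barrier performed by __pm_runtime_disable() on the previous line is not enough, and the reason (an already-running pm_runtime_work() can still dereference dev->parent, per the commit message) is not obvious from the code. Suggest `/* pm_runtime_work() may still be running; drain it before the parent can go away. */` above the call. flush_work() also only helps if nothing re-queues dev->power.work after it returns, which presumably is guaranteed by the disable_depth raised by __pm_runtime_disable(); worth stating in the same comment. pm_runtime_remove() is complete within the hunk.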
diff --git a/queue-6.1/sched-idle-consolidate-the-handling-of-two-special-c.patch b/queue-6.1/sched-idle-consolidate-the-handling-of-two-special-c.patch new file mode 100644 index 0000000000..0758bb0594 --- /dev/null +++ b/queue-6.1/sched-idle-consolidate-the-handling-of-two-special-c.patch 
@@ -0,0 +1,133 @@ +From 10d0a59a3cfc0ea62fd2ce0ce6425c133caa58bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 13:25:41 +0100 +Subject: sched: idle: Consolidate the handling of two special cases + +From: Rafael J. Wysocki + +[ Upstream commit f4c31b07b136839e0fb3026f8a5b6543e3b14d2f ] + +There are two special cases in the idle loop that are handled +inconsistently even though they are analogous. + +The first one is when a cpuidle driver is absent and the default CPU +idle time power management implemented by the architecture code is used. +In that case, the scheduler tick is stopped every time before invoking +default_idle_call(). + +The second one is when a cpuidle driver is present, but there is only +one idle state in its table. In that case, the scheduler tick is never +stopped at all. + +Since each of these approaches has its drawbacks, reconcile them with +the help of one simple heuristic. Namely, stop the tick if the CPU has +been woken up by it in the previous iteration of the idle loop, or let +it tick otherwise. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Reviewed-by: Frederic Weisbecker +Reviewed-by: Qais Yousef +Reviewed-by: Aboorva Devarajan +Fixes: ed98c3491998 ("sched: idle: Do not stop the tick before cpuidle_idle_call()") +[ rjw: Added Fixes tag, changelog edits ] +Link: https://patch.msgid.link/4741364.LvFx2qVVIh@rafael.j.wysocki +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + kernel/sched/idle.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c +index 6ff593a8eeb17..c5c09e0fbbe12 100644 +--- a/kernel/sched/idle.c ++++ b/kernel/sched/idle.c +@@ -155,6 +155,14 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev, + return cpuidle_enter(drv, dev, next_state); + } + ++static void idle_call_stop_or_retain_tick(bool stop_tick) ++{ ++ if (stop_tick || tick_nohz_tick_stopped()) ++ tick_nohz_idle_stop_tick(); ++ else ++ tick_nohz_idle_retain_tick(); ++} ++ + /** + * cpuidle_idle_call - the main idle function + * +@@ -164,7 +172,7 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev, + * set, and it returns with polling set. If it ever stops polling, it + * must clear the polling bit. + */ +-static void cpuidle_idle_call(void) ++static void cpuidle_idle_call(bool stop_tick) + { + struct cpuidle_device *dev = cpuidle_get_device(); + struct cpuidle_driver *drv = cpuidle_get_cpu_driver(dev); +@@ -186,7 +194,7 @@ static void cpuidle_idle_call(void) + */ + + if (cpuidle_not_available(drv, dev)) { +- tick_nohz_idle_stop_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + default_idle_call(); + goto exit_idle; +@@ -221,17 +229,19 @@ static void cpuidle_idle_call(void) + next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns); + call_cpuidle(drv, dev, next_state); + } else if (drv->state_count > 1) { +- bool stop_tick = true; ++ /* ++ * stop_tick is expected to be true by default by cpuidle ++ * governors, which allows them to select idle states with ++ * target residency above the tick period length. ++ */ ++ stop_tick = true; + + /* + * Ask the cpuidle framework to choose a convenient idle state. 
+ */ + next_state = cpuidle_select(drv, dev, &stop_tick); + +- if (stop_tick || tick_nohz_tick_stopped()) +- tick_nohz_idle_stop_tick(); +- else +- tick_nohz_idle_retain_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + entered_state = call_cpuidle(drv, dev, next_state); + /* +@@ -239,7 +249,7 @@ static void cpuidle_idle_call(void) + */ + cpuidle_reflect(dev, entered_state); + } else { +- tick_nohz_idle_retain_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + /* + * If there is only a single idle state (or none), there is +@@ -267,6 +277,7 @@ static void cpuidle_idle_call(void) + static void do_idle(void) + { + int cpu = smp_processor_id(); ++ bool got_tick = false; + + /* + * Check if we need to update blocked load +@@ -309,8 +320,9 @@ static void do_idle(void) + tick_nohz_idle_restart_tick(); + cpu_idle_poll(); + } else { +- cpuidle_idle_call(); ++ cpuidle_idle_call(got_tick); + } ++ got_tick = tick_nohz_idle_got_tick(); + arch_cpu_idle_exit(); + } + +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index ae3a2b0d05..9f8220b3a0 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
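Review bot: cpuidle_idle_call() gains a `stop_tick` parameter but its kernel-doc block (the `cpuidle_idle_call - the main idle function` header visible in the hunk) is not updated, so the new contract — the caller passes whether the tick woke the CPU in the previous iteration, and the value is overwritten inside the `state_count > 1` branch before cpuidle_select() — is undocumented. Add `@stop_tick: stop the tick in the no-driver and single-state paths (set when the tick caused the last wakeup)` to that doc block, and a one-line comment above idle_call_stop_or_retain_tick() stating that it stops the tick when asked or when it is already stopped. Reusing the parameter as the out-variable for cpuidle_select() also deserves a note, since a reader may expect the incoming value to matter in that branch. cpuidle_idle_call() and do_idle() both extend outside the hunk.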
@@ -396,3 +396,44 @@ drm-amdgpu-drop-redundant-sched-job-cleanup-when-cs-is-aborted.patch net-stmmac-remove-support-for-lpi_intr_o.patch pci-acpi-restrict-program_hpx_type2-to-aer-bits.patch binfmt_misc-restore-write-access-before-closing-files-opened-by-open_exec.patch +btrfs-tree-checker-fix-misleading-root-drop_level-er.patch +soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch +wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch +wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch +firmware-arm_scpi-fix-device_node-reference-leak-in-.patch +bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch +bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch +bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch +bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch +bluetooth-hidp-fix-possible-uaf.patch +bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch +net-rose-fix-null-pointer-dereference-in-rose_transm.patch +netfilter-ctnetlink-remove-refcounting-in-expectatio.patch +netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch +netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch +netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch +netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch +netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch +netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch +netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch +netfilter-nf_conntrack_h323-check-for-zero-length-in.patch +net-bcmgenet-increase-wol-poll-timeout.patch +net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch +sched-idle-consolidate-the-handling-of-two-special-c.patch +pm-runtime-fix-a-race-condition-related-to-device-re.patch +net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch +net-sched-teql-fix-double-free-in-teql_master_xmit.patch +net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch +igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch 
+iavf-fix-vlan-filter-lost-on-add-delete-race.patch +wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch +wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch +acpi-processor-fix-previous-acpi_processor_errata_pi.patch +net-macb-fix-uninitialized-rx_fs_lock.patch +udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch +net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch +netfilter-nf_tables-release-flowtable-after-rcu-grac.patch +nfnetlink_osf-validate-individual-option-lengths-in-.patch +net-mvpp2-guard-flow-control-update-with-global_tx_f.patch +net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch +icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch diff --git a/queue-6.1/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch b/queue-6.1/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch new file mode 100644 index 0000000000..dc546038b6 --- /dev/null +++ b/queue-6.1/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch 
@@ -0,0 +1,92 @@ +From 4ccc837e120af6ba02083179ebe035301f41b005 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 08:25:49 +0100 +Subject: soc: fsl: qbman: fix race condition in qman_destroy_fq + +From: Richard Genoud + +[ Upstream commit 014077044e874e270ec480515edbc1cadb976cf2 ] + +When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between +fq_table[fq->idx] state and freeing/allocating from the pool and +WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. + +Indeed, we can have: + Thread A Thread B + qman_destroy_fq() qman_create_fq() + qman_release_fqid() + qman_shutdown_fq() + gen_pool_free() + -- At this point, the fqid is available again -- + qman_alloc_fqid() + -- so, we can get the just-freed fqid in thread B -- + fq->fqid = fqid; + fq->idx = fqid * 2; + WARN_ON(fq_table[fq->idx]); + fq_table[fq->idx] = fq; + fq_table[fq->idx] = NULL; + +And adding some logs between qman_release_fqid() and +fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more. + +To prevent that, ensure that fq_table[fq->idx] is set to NULL before +gen_pool_free() is called by using smp_wmb(). + +Fixes: c535e923bb97 ("soc/fsl: Introduce DPAA 1.x QMan device driver") +Signed-off-by: Richard Genoud +Tested-by: CHAMPSEIX Thomas +Link: https://lore.kernel.org/r/20251223072549.397625-1-richard.genoud@bootlin.com +Signed-off-by: Christophe Leroy (CS GROUP) +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qbman/qman.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c +index 7e9074519ad22..bcbf6bf2e8f45 100644 +--- a/drivers/soc/fsl/qbman/qman.c ++++ b/drivers/soc/fsl/qbman/qman.c +@@ -1827,6 +1827,8 @@ EXPORT_SYMBOL(qman_create_fq); + + void qman_destroy_fq(struct qman_fq *fq) + { ++ int leaked; ++ + /* + * We don't need to lock the FQ as it is a pre-condition that the FQ be + * quiesced. Instead, run some checks. 
+@@ -1834,11 +1836,29 @@ void qman_destroy_fq(struct qman_fq *fq) + switch (fq->state) { + case qman_fq_state_parked: + case qman_fq_state_oos: +- if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) +- qman_release_fqid(fq->fqid); ++ /* ++ * There's a race condition here on releasing the fqid, ++ * setting the fq_table to NULL, and freeing the fqid. ++ * To prevent it, this order should be respected: ++ */ ++ if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) { ++ leaked = qman_shutdown_fq(fq->fqid); ++ if (leaked) ++ pr_debug("FQID %d leaked\n", fq->fqid); ++ } + + DPAA_ASSERT(fq_table[fq->idx]); + fq_table[fq->idx] = NULL; ++ ++ if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) && !leaked) { ++ /* ++ * fq_table[fq->idx] should be set to null before ++ * freeing fq->fqid otherwise it could by allocated by ++ * qman_alloc_fqid() while still being !NULL ++ */ ++ smp_wmb(); ++ gen_pool_free(qm_fqalloc, fq->fqid | DPAA_GENALLOC_OFF, 1); ++ } + return; + default: + break; +-- +2.51.0 + diff --git a/queue-6.1/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch b/queue-6.1/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch new file mode 100644 index 0000000000..c8c3e538c2 --- /dev/null +++ b/queue-6.1/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch 
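Review bot: `leaked` is declared uninitialized (first hunk of this file) and is only assigned inside the first `if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))` block, so the later `fq_isset(...) && !leaked` test is correct only through short-circuit evaluation on a second flag lookup; `int leaked = 0;` at the declaration removes the maybe-uninitialized hazard and the dependence on the flag being re-read. The smp_wmb() before gen_pool_free() only orders the fq_table[] store against the free if qman_create_fq() has a matching read-side barrier between qman_alloc_fqid() and its WARN_ON(fq_table[fq->idx]); that side is outside this hunk, so either confirm it or name the pairing barrier in the comment. Typo in the new comment: `could by allocated` should be `could be allocated`. qman_destroy_fq() continues outside the hunk.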
@@ -0,0 +1,64 @@ +From 6b049762bae6a73055a9f52bd28201f587564606 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 18:02:41 -0700 +Subject: udp_tunnel: fix NULL deref caused by udp_sock_create6 when + CONFIG_IPV6=n + +From: Xiang Mei + +[ Upstream commit b3a6df291fecf5f8a308953b65ca72b7fc9e015d ] + +When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 +(success) without actually creating a socket. Callers such as +fou_create() then proceed to dereference the uninitialized socket +pointer, resulting in a NULL pointer dereference. + +The captured NULL deref crash: + BUG: kernel NULL pointer dereference, address: 0000000000000018 + RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764) + [...] + Call Trace: + + genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114) + genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209) + [...] + netlink_rcv_skb (net/netlink/af_netlink.c:2550) + genl_rcv (net/netlink/genetlink.c:1219) + netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) + netlink_sendmsg (net/netlink/af_netlink.c:1894) + __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1)) + __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1)) + __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1)) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) + entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130) + +This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so +callers correctly take their error paths. There is only one caller of +the vulnerable function and only privileged users can trigger it. 
+ +Fixes: fd384412e199b ("udp_tunnel: Seperate ipv6 functions into its own file.") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260317010241.1893893-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/udp_tunnel.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h +index e5f81710b18f4..cd2bd3826d168 100644 +--- a/include/net/udp_tunnel.h ++++ b/include/net/udp_tunnel.h +@@ -47,7 +47,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, + static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, + struct socket **sockp) + { +- return 0; ++ return -EPFNOSUPPORT; + } + #endif + +-- +2.51.0 + diff --git a/queue-6.1/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch b/queue-6.1/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch new file mode 100644 index 0000000000..28a1ff5ae9 --- /dev/null +++ b/queue-6.1/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch 
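Review bot: The stub now fails with -EPFNOSUPPORT but carries no comment, and since callers read *sockp on success (the fou_create() case in the commit message), the reason the old `return 0` was wrong is worth a line: `/* No IPv6: fail so callers never dereference an unset *sockp. */`. -EPFNOSUPPORT presumably matches what udp_sock_create() returns for an unsupported family, so the two paths stay consistent — worth confirming. The inline stub is complete within the hunk.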
@@ -0,0 +1,51 @@ +From 1a765511a6441894a6431064d144c8504bd35cd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 21:36:59 +0530 +Subject: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down + +From: Peddolla Harshavardhan Reddy + +[ Upstream commit 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 ] + +When the nl80211 socket that originated a PMSR request is +closed, cfg80211_release_pmsr() sets the request's nl_portid +to zero and schedules pmsr_free_wk to process the abort +asynchronously. If the interface is concurrently torn down +before that work runs, cfg80211_pmsr_wdev_down() calls +cfg80211_pmsr_process_abort() directly. However, the already- +scheduled pmsr_free_wk work item remains pending and may run +after the interface has been removed from the driver. This +could cause the driver's abort_pmsr callback to operate on a +torn-down interface, leading to undefined behavior and +potential crashes. + +Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down() +before calling cfg80211_pmsr_process_abort(). This ensures any +pending or in-progress work is drained before interface teardown +proceeds, preventing the work from invoking the driver abort +callback after the interface is gone. + +Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API") +Signed-off-by: Peddolla Harshavardhan Reddy +Link: https://patch.msgid.link/20260305160712.1263829-3-peddolla.reddy@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/pmsr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c +index d26daa0370e71..656464f2de516 100644 +--- a/net/wireless/pmsr.c ++++ b/net/wireless/pmsr.c +@@ -640,6 +640,7 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev) + } + spin_unlock_bh(&wdev->pmsr_lock); + ++ cancel_work_sync(&wdev->pmsr_free_wk); + if (found) + cfg80211_pmsr_process_abort(wdev); + +-- +2.51.0 + 
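Review bot: The added cancel_work_sync() is placed after spin_unlock_bh(&wdev->pmsr_lock), which it must be since it sleeps, but nothing records that constraint or why the existing `if (found)` abort alone was insufficient; suggest `/* pmsr_free_wk may have been queued by cfg80211_release_pmsr(); drain it so it cannot reach the driver after teardown. */` above the call. The cancellation is only effective if cfg80211_release_pmsr() cannot queue the work again after this returns — presumably serialized by the wiphy lock, but worth confirming and stating. cfg80211_pmsr_wdev_down() starts before the hunk.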
diff --git a/queue-6.1/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch b/queue-6.1/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch new file mode 100644 index 0000000000..2497110c86 --- /dev/null +++ b/queue-6.1/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch 
@@ -0,0 +1,81 @@ +From 56a0491d0018404db6a433af1e9b6454778ac3d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 20:42:44 -0700 +Subject: wifi: mac80211: fix NULL deref in mesh_matches_local() + +From: Xiang Mei + +[ Upstream commit c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd ] + +mesh_matches_local() unconditionally dereferences ie->mesh_config to +compare mesh configuration parameters. When called from +mesh_rx_csa_frame(), the parsed action-frame elements may not contain a +Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a +kernel NULL pointer dereference. + +The other two callers are already safe: + - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before + calling mesh_matches_local() + - mesh_plink_get_event() is only reached through + mesh_process_plink_frame(), which checks !elems->mesh_config, too + +mesh_rx_csa_frame() is the only caller that passes raw parsed elements +to mesh_matches_local() without guarding mesh_config. An adjacent +attacker can exploit this by sending a crafted CSA action frame that +includes a valid Mesh ID IE but omits the Mesh Configuration IE, +crashing the kernel. + +The captured crash log: + +Oops: general protection fault, probably for non-canonical address ... +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +Workqueue: events_unbound cfg80211_wiphy_work +[...] +Call Trace: + + ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65) + ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686) + [...] + ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802) + [...] + cfg80211_wiphy_work (net/wireless/core.c:426) + process_one_work (net/kernel/workqueue.c:3280) + ? assign_work (net/kernel/workqueue.c:1219) + worker_thread (net/kernel/workqueue.c:3352) + ? __pfx_worker_thread (net/kernel/workqueue.c:3385) + kthread (net/kernel/kthread.c:436) + [...] 
+ ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255) + + +This patch adds a NULL check for ie->mesh_config at the top of +mesh_matches_local() to return false early when the Mesh Configuration +IE is absent. + +Fixes: 2e3c8736820b ("mac80211: support functions for mesh") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260318034244.2595020-1-xmei5@asu.edu +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c +index 3811486f243a7..1b928cd4545aa 100644 +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -75,6 +75,9 @@ bool mesh_matches_local(struct ieee80211_sub_if_data *sdata, + * - MDA enabled + * - Power management control on fc + */ ++ if (!ie->mesh_config) ++ return false; ++ + if (!(ifmsh->mesh_id_len == ie->mesh_id_len && + memcmp(ifmsh->mesh_id, ie->mesh_id, ie->mesh_id_len) == 0 && + (ifmsh->mesh_pp_id == ie->mesh_config->meshconf_psel) && +-- +2.51.0 + diff --git a/queue-6.1/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch b/queue-6.1/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch new file mode 100644 index 0000000000..22a24f4542 --- /dev/null +++ b/queue-6.1/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch 
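Review bot: The new NULL check sits right after the comment block listing the fields compared, but that comment still says nothing about ie->mesh_config being optional, so a reader gets no hint that mesh_rx_csa_frame() can pass elements without a Mesh Configuration IE; suggest `/* A CSA action frame may carry a Mesh ID but no Mesh Configuration IE. */` on the check. Returning false in that case is the behaviour described in the commit message and should also be reflected in mesh_matches_local()'s kernel-doc if it has one. mesh_matches_local() starts before the hunk and continues after it.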
@@ -0,0 +1,112 @@ +From cc4cc4f02fd5028b3b579cb2efa3d038c168a1f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 07:24:02 +0000 +Subject: wifi: mac80211: Fix static_branch_dec() underflow for aql_disable. + +From: Kuniyuki Iwashima + +[ Upstream commit b94ae8e0d5fe1bdbbfdc3854ff6ce98f6876a828 ] + +syzbot reported static_branch_dec() underflow in aql_enable_write(). [0] + +The problem is that aql_enable_write() does not serialise concurrent +write()s to the debugfs. + +aql_enable_write() checks static_key_false(&aql_disable.key) and +later calls static_branch_inc() or static_branch_dec(), but the +state may change between the two calls. + +aql_disable does not need to track inc/dec. + +Let's use static_branch_enable() and static_branch_disable(). + +[0]: +val == 0 +WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288 +Modules linked in: +CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G U L syzkaller #0 PREEMPT(full) +Tainted: [U]=USER, [L]=SOFTLOCKUP +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 +RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311 +Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00 +RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4 +RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000 +RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a +R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98 +FS: 00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000200000001140 CR3: 
000000007cc4a000 CR4: 00000000003526f0 +Call Trace: + + __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline] + __static_key_slow_dec kernel/jump_label.c:321 [inline] + static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336 + aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343 + short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383 + vfs_write+0x2aa/0x1070 fs/read_write.c:684 + ksys_pwrite64 fs/read_write.c:793 [inline] + __do_sys_pwrite64 fs/read_write.c:801 [inline] + __se_sys_pwrite64 fs/read_write.c:798 [inline] + __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f530cf9aeb9 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012 +RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9 +RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010 +RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000 +R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978 + + +Fixes: e908435e402a ("mac80211: introduce aql_enable node in debugfs") +Reported-by: syzbot+feb9ce36a95341bb47a4@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/69a8979e.a70a0220.b118c.0025.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260306072405.3649474-1-kuniyu@google.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/debugfs.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c +index 78c7d60e8667c..175669aa8e744 100644 +--- 
a/net/mac80211/debugfs.c ++++ b/net/mac80211/debugfs.c +@@ -326,7 +326,6 @@ static ssize_t aql_enable_read(struct file *file, char __user *user_buf, + static ssize_t aql_enable_write(struct file *file, const char __user *user_buf, + size_t count, loff_t *ppos) + { +- bool aql_disabled = static_key_false(&aql_disable.key); + char buf[3]; + size_t len; + +@@ -341,15 +340,12 @@ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf, + if (len > 0 && buf[len - 1] == '\n') + buf[len - 1] = 0; + +- if (buf[0] == '0' && buf[1] == '\0') { +- if (!aql_disabled) +- static_branch_inc(&aql_disable); +- } else if (buf[0] == '1' && buf[1] == '\0') { +- if (aql_disabled) +- static_branch_dec(&aql_disable); +- } else { ++ if (buf[0] == '0' && buf[1] == '\0') ++ static_branch_enable(&aql_disable); ++ else if (buf[0] == '1' && buf[1] == '\0') ++ static_branch_disable(&aql_disable); ++ else + return -EINVAL; +- } + + return count; + } +-- +2.51.0 + diff --git a/queue-6.1/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch b/queue-6.1/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch new file mode 100644 index 0000000000..dec5b0b34c --- /dev/null +++ b/queue-6.1/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch 
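Review bot: The switch to static_branch_enable()/static_branch_disable() is correct precisely because those calls are idempotent under concurrent writers, whereas inc/dec needed the removed `aql_disabled` snapshot; that reasoning lives only in the commit message, so a comment such as `/* enable/disable are idempotent: no need to serialize concurrent writes */` above the `if` would stop a future change from reintroducing the snapshot-then-inc pattern. Note also that static_branch_enable()/disable() can sleep, which is fine in a debugfs write handler but should be kept in mind if this toggle is ever moved. aql_enable_write() starts before the hunk.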
@@ -0,0 +1,54 @@ +From faacf0ac917bd00b3c2f58795938b97900604f3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 23:46:36 -0700 +Subject: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not + enough headroom + +From: Guenter Roeck + +[ Upstream commit deb353d9bb009638b7762cae2d0b6e8fdbb41a69 ] + +Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom +before skb_push"), wl1271_tx_allocate() and with it +wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails. +However, in wlcore_tx_work_locked(), a return value of -EAGAIN from +wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being +full. This causes the code to flush the buffer, put the skb back at the +head of the queue, and immediately retry the same skb in a tight while +loop. + +Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens +immediately with GFP_ATOMIC, this will result in an infinite loop and a +CPU soft lockup. Return -ENOMEM instead so the packet is dropped and +the loop terminates. + +The problem was found by an experimental code review agent based on +gemini-3.1-pro while reviewing backports into v6.18.y. 
+ +Assisted-by: Gemini:gemini-3.1-pro +Fixes: e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push") +Cc: Peter Astrand +Signed-off-by: Guenter Roeck +Link: https://patch.msgid.link/20260318064636.3065925-1-linux@roeck-us.net +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wlcore/tx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c +index 75ad096676561..1c6373013f66a 100644 +--- a/drivers/net/wireless/ti/wlcore/tx.c ++++ b/drivers/net/wireless/ti/wlcore/tx.c +@@ -213,7 +213,7 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif, + if (skb_headroom(skb) < (total_len - skb->len) && + pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) { + wl1271_free_tx_id(wl, id); +- return -EAGAIN; ++ return -ENOMEM; + } + desc = skb_push(skb, total_len - skb->len); + +-- +2.51.0 + diff --git a/queue-6.12/acpi-processor-fix-previous-acpi_processor_errata_pi.patch b/queue-6.12/acpi-processor-fix-previous-acpi_processor_errata_pi.patch new file mode 100644 index 0000000000..b057f3f872 --- /dev/null +++ b/queue-6.12/acpi-processor-fix-previous-acpi_processor_errata_pi.patch 
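Review bot: The new `return -ENOMEM;` in wl1271_tx_allocate() carries a non-obvious constraint that only the commit message explains: the caller interprets -EAGAIN as "aggregation buffer full" and requeues the same skb, so the value must never drift back to -EAGAIN. A comment on the new line would keep the next refactor from reintroducing the soft lockup, e.g. `/* Not -EAGAIN: wlcore_tx_work_locked() would requeue and retry this skb forever. */`. The error path already frees the tx id via wl1271_free_tx_id() before returning, so no resource is leaked by the change itself. The body of wl1271_tx_allocate() continues outside the hunk.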
@@ -0,0 +1,74 @@ +From 345ed02682b130c7dba8d3025baca6c57f35dc76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 21:39:05 +0100 +Subject: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix + +From: Rafael J. Wysocki + +[ Upstream commit bf504b229cb8d534eccbaeaa23eba34c05131e25 ] + +After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference +in acpi_processor_errata_piix4()"), device pointers may be dereferenced +after dropping references to the device objects pointed to by them, +which may cause a use-after-free to occur. + +Moreover, debug messages about enabling the errata may be printed +if the errata flags corresponding to them are unset. + +Address all of these issues by moving message printing to the points +in the code where the errata flags are set. + +Fixes: f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()") +Reported-by: Guenter Roeck +Closes: https://lore.kernel.org/linux-acpi/938e2206-def5-4b7a-9b2c-d1fd37681d8a@roeck-us.net/ +Reviewed-by: Guenter Roeck +Signed-off-by: Rafael J. 
Wysocki +Link: https://patch.msgid.link/5975693.DvuYhMxLoT@rafael.j.wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_processor.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c +index d8674aee28c2e..848a012cd19fb 100644 +--- a/drivers/acpi/acpi_processor.c ++++ b/drivers/acpi/acpi_processor.c +@@ -113,6 +113,10 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev) + PCI_ANY_ID, PCI_ANY_ID, NULL); + if (ide_dev) { + errata.piix4.bmisx = pci_resource_start(ide_dev, 4); ++ if (errata.piix4.bmisx) ++ dev_dbg(&ide_dev->dev, ++ "Bus master activity detection (BM-IDE) erratum enabled\n"); ++ + pci_dev_put(ide_dev); + } + +@@ -131,20 +135,17 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev) + if (isa_dev) { + pci_read_config_byte(isa_dev, 0x76, &value1); + pci_read_config_byte(isa_dev, 0x77, &value2); +- if ((value1 & 0x80) || (value2 & 0x80)) ++ if ((value1 & 0x80) || (value2 & 0x80)) { + errata.piix4.fdma = 1; ++ dev_dbg(&isa_dev->dev, ++ "Type-F DMA livelock erratum (C3 disabled)\n"); ++ } + pci_dev_put(isa_dev); + } + + break; + } + +- if (ide_dev) +- dev_dbg(&ide_dev->dev, "Bus master activity detection (BM-IDE) erratum enabled\n"); +- +- if (isa_dev) +- dev_dbg(&isa_dev->dev, "Type-F DMA livelock erratum (C3 disabled)\n"); +- + return 0; + } + +-- +2.51.0 + diff --git a/queue-6.12/arm64-dts-renesas-r9a09g057-add-rtc-node.patch b/queue-6.12/arm64-dts-renesas-r9a09g057-add-rtc-node.patch new file mode 100644 index 0000000000..8718a8c06f --- /dev/null +++ b/queue-6.12/arm64-dts-renesas-r9a09g057-add-rtc-node.patch 
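Review bot: The new `if ((value1 & 0x80) || (value2 & 0x80)) {` block still evaluates value1 and value2 straight from two unchecked pci_read_config_byte() calls on the context lines above it; their declarations are outside the hunk, so if they are not initialised a failed config read leaves the fdma decision (and now the new dev_dbg) depending on indeterminate bytes. A short guard such as `if (pci_read_config_byte(isa_dev, 0x76, &value1) || pci_read_config_byte(isa_dev, 0x77, &value2)) value1 = value2 = 0;` or zero-initialising both variables would make the erratum detection deterministic. Moving the dev_dbg() calls before the corresponding pci_dev_put() does resolve the use-after-put the commit describes. acpi_processor_errata_piix4() starts outside the hunk.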
@@ -0,0 +1,50 @@ +From 9ae8032d1f7b8a346371128cd30810e47d94b897 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Nov 2025 21:07:05 +0000 +Subject: arm64: dts: renesas: r9a09g057: Add RTC node + +From: Ovidiu Panait + +[ Upstream commit cfc733da4e79018f88d8ac5f3a5306abbba8ef89 ] + +Add RTC node to Renesas RZ/V2H ("R9A09G057") SoC DTSI. + +Signed-off-by: Ovidiu Panait +Reviewed-by: Geert Uytterhoeven +Link: https://patch.msgid.link/20251107210706.45044-4-ovidiu.panait.rb@renesas.com +Signed-off-by: Geert Uytterhoeven +Stable-dep-of: a3f34651de42 ("arm64: dts: renesas: r9a09g057: Remove wdt{0,2,3} nodes") +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r9a09g057.dtsi | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi +index 1ad5a1b6917fe..4676ee7561395 100644 +--- a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi ++++ b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi +@@ -241,6 +241,21 @@ wdt3: watchdog@13000400 { + status = "disabled"; + }; + ++ rtc: rtc@11c00800 { ++ compatible = "renesas,r9a09g057-rtca3", "renesas,rz-rtca3"; ++ reg = <0 0x11c00800 0 0x400>; ++ interrupts = , ++ , ++ ; ++ interrupt-names = "alarm", "period", "carry"; ++ clocks = <&cpg CPG_MOD 0x53>, <&rtxin_clk>; ++ clock-names = "bus", "counter"; ++ power-domains = <&cpg>; ++ resets = <&cpg 0x79>, <&cpg 0x7a>; ++ reset-names = "rtc", "rtest"; ++ status = "disabled"; ++ }; ++ + scif: serial@11c01400 { + compatible = "renesas,scif-r9a09g057"; + reg = <0 0x11c01400 0 0x400>; +-- +2.51.0 + diff --git a/queue-6.12/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch b/queue-6.12/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch new file mode 100644 index 0000000000..41ee62f9b0 --- /dev/null +++ b/queue-6.12/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch 
@@ -0,0 +1,82 @@ +From a745faef23aa13c2b94ae7ed8089da46c7bb20c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 12:42:46 +0000 +Subject: arm64: dts: renesas: r9a09g057: Remove wdt{0,2,3} nodes + +From: Fabrizio Castro + +[ Upstream commit a3f34651de4287138c0da19ba321ad72622b4af3 ] + +The HW user manual for the Renesas RZ/V2H(P) SoC (a.k.a r9a09g057) +states that only WDT1 is supposed to be accessed by the CA55 cores. +WDT0 is supposed to be used by the CM33 core, WDT2 is supposed +to be used by the CR8 core 0, and WDT3 is supposed to be used +by the CR8 core 1. + +Remove wdt{0,2,3} from the SoC specific device tree to make it +compliant with the specification from the HW manual. + +This change is harmless as there are currently no users of the +wdt{0,2,3} device tree nodes, only the wdt1 node is actually used. + +Fixes: 095105496e7d ("arm64: dts: renesas: r9a09g057: Add WDT0-WDT3 nodes") +Signed-off-by: Fabrizio Castro +Reviewed-by: Geert Uytterhoeven +Link: https://patch.msgid.link/20260203124247.7320-3-fabrizio.castro.jz@renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r9a09g057.dtsi | 30 ---------------------- + 1 file changed, 30 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi +index 4676ee7561395..5c7b9e296f439 100644 +--- a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi ++++ b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi +@@ -201,16 +201,6 @@ ostm7: timer@12c03000 { + status = "disabled"; + }; + +- wdt0: watchdog@11c00400 { +- compatible = "renesas,r9a09g057-wdt"; +- reg = <0 0x11c00400 0 0x400>; +- clocks = <&cpg CPG_MOD 0x4b>, <&cpg CPG_MOD 0x4c>; +- clock-names = "pclk", "oscclk"; +- resets = <&cpg 0x75>; +- power-domains = <&cpg>; +- status = "disabled"; +- }; +- + wdt1: watchdog@14400000 { + compatible = "renesas,r9a09g057-wdt"; + reg = <0 0x14400000 0 0x400>; +@@ -221,26 +211,6 @@ wdt1: watchdog@14400000 { + 
status = "disabled"; + }; + +- wdt2: watchdog@13000000 { +- compatible = "renesas,r9a09g057-wdt"; +- reg = <0 0x13000000 0 0x400>; +- clocks = <&cpg CPG_MOD 0x4f>, <&cpg CPG_MOD 0x50>; +- clock-names = "pclk", "oscclk"; +- resets = <&cpg 0x77>; +- power-domains = <&cpg>; +- status = "disabled"; +- }; +- +- wdt3: watchdog@13000400 { +- compatible = "renesas,r9a09g057-wdt"; +- reg = <0 0x13000400 0 0x400>; +- clocks = <&cpg CPG_MOD 0x51>, <&cpg CPG_MOD 0x52>; +- clock-names = "pclk", "oscclk"; +- resets = <&cpg 0x78>; +- power-domains = <&cpg>; +- status = "disabled"; +- }; +- + rtc: rtc@11c00800 { + compatible = "renesas,r9a09g057-rtca3", "renesas,rz-rtca3"; + reg = <0 0x11c00800 0 0x400>; +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch b/queue-6.12/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch new file mode 100644 index 0000000000..438c104f33 --- /dev/null +++ b/queue-6.12/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch 
@@ -0,0 +1,52 @@ +From 7fbbf64ad9d780fbc55d8bb2ab03f5fb617d92e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 14:50:52 +0100 +Subject: Bluetooth: hci_sync: Fix hci_le_create_conn_sync + +From: Michael Grzeschik + +[ Upstream commit 2cabe7ff1001b7a197009cf50ba71701f9cbd354 ] + +While introducing hci_le_create_conn_sync the functionality +of hci_connect_le was ported to hci_le_create_conn_sync including +the disable of the scan before starting the connection. + +When this code was run non synchronously the immediate call that was +setting the flag HCI_LE_SCAN_INTERRUPTED had an impact. Since the +completion handler for the LE_SCAN_DISABLE was not immediately called. +In the completion handler of the LE_SCAN_DISABLE event, this flag is +checked to set the state of the hdev to DISCOVERY_STOPPED. + +With the synchronised approach the later setting of the +HCI_LE_SCAN_INTERRUPTED flag has not the same effect. The completion +handler would immediately fire in the LE_SCAN_DISABLE call, check for +the flag, which is then not yet set and do nothing. + +To fix this issue and make the function call work as before, we move the +setting of the flag HCI_LE_SCAN_INTERRUPTED before disabling the scan. + +Fixes: 8e8b92ee60de ("Bluetooth: hci_sync: Add hci_le_create_conn_sync") +Signed-off-by: Michael Grzeschik +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 00de90fee44a7..1656448649b9f 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -6552,8 +6552,8 @@ static int hci_le_create_conn_sync(struct hci_dev *hdev, void *data) + * state. 
+ */ + if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) { +- hci_scan_disable_sync(hdev); + hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED); ++ hci_scan_disable_sync(hdev); + } + + /* Update random address, but set require_privacy to false so +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-hidp-fix-possible-uaf.patch b/queue-6.12/bluetooth-hidp-fix-possible-uaf.patch new file mode 100644 index 0000000000..9c9ce10c51 --- /dev/null +++ b/queue-6.12/bluetooth-hidp-fix-possible-uaf.patch 
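Review bot: The swapped order of `hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);` and `hci_scan_disable_sync(hdev);` is now load-bearing, but the comment block ending just above the hunk (its body is outside the hunk) describes only the old intent, so a future reader has no cue that the flag must be visible before the scan is disabled. I would extend that comment with a line such as `/* Set HCI_LE_SCAN_INTERRUPTED first: hci_scan_disable_sync() completes synchronously and its handler checks the flag to move discovery to DISCOVERY_STOPPED. */`. hci_le_create_conn_sync() starts and ends outside the hunk.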
@@ -0,0 +1,237 @@ +From 81b02ac45d82ed3bd64d09ef5a5bc6aace75afde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 10:17:47 -0500 +Subject: Bluetooth: HIDP: Fix possible UAF + +From: Luiz Augusto von Dentz + +[ Upstream commit dbf666e4fc9bdd975a61bf682b3f75cb0145eedd ] + +This fixes the following trace caused by not dropping l2cap_conn +reference when user->remove callback is called: + +[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00 +[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 97.809947] Call Trace: +[ 97.809954] +[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122) +[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808) +[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798) +[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1)) +[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341) +[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2)) +[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360) +[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285) +[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5)) +[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810290] ? 
rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752) +[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716) +[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691) +[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678) +[ 97.810404] __fput (fs/file_table.c:470) +[ 97.810430] task_work_run (kernel/task_work.c:235) +[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201) +[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5)) +[ 97.810527] do_exit (kernel/exit.c:972) +[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897) +[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6)) +[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4)) +[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 97.810721] do_group_exit (kernel/exit.c:1093) +[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1)) +[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366) +[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810826] ? vfs_read (fs/read_write.c:555) +[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800) +[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810905] ? 
__pfx_vfs_read (fs/read_write.c:555) +[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810960] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1)) +[ 97.810990] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334) +[ 97.811021] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811055] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811078] ? ksys_read (fs/read_write.c:707) +[ 97.811106] ? __pfx_ksys_read (fs/read_write.c:707) +[ 97.811137] exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98) +[ 97.811169] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752) +[ 97.811192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811215] ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33)) +[ 97.811240] do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100) +[ 97.811268] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811292] ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3)) +[ 97.811318] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +[ 97.811338] RIP: 0033:0x445cfe +[ 97.811352] Code: Unable to access opcode bytes at 0x445cd4. 
+ +Code starting with the faulting instruction +=========================================== +[ 97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 +[ 97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe +[ 97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004 +[ 97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000 +[ 97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8 +[ 97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0 +[ 97.811453] +[ 98.402453] ================================================================== +[ 98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430 +[ 98.405361] +[ 98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 98.405600] Call Trace: +[ 98.405607] +[ 98.405614] dump_stack_lvl (lib/dump_stack.c:122) +[ 98.405641] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) +[ 98.405667] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.405691] ? __virt_addr_valid (arch/x86/mm/physaddr.c:55) +[ 98.405724] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405748] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597) +[ 98.405778] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405807] __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405832] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4)) +[ 98.405859] ? 
l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.405888] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114) +[ 98.405915] ? __pfx___mutex_lock (kernel/locking/mutex.c:775) +[ 98.405939] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.405963] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6)) +[ 98.405984] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.406015] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406038] ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875) +[ 98.406061] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406085] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194) +[ 98.406107] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406130] ? __timer_delete_sync (kernel/time/timer.c:1592) +[ 98.406158] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.406186] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406210] l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.406263] hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305) +[ 98.406293] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.406323] ? kthread (kernel/kthread.c:433) +[ 98.406340] ? 
__pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.406370] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406393] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.406424] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.406453] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406476] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1)) +[ 98.406499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406523] ? kthread (kernel/kthread.c:433) +[ 98.406539] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406565] ? kthread (kernel/kthread.c:433) +[ 98.406581] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.406610] kthread (kernel/kthread.c:467) +[ 98.406627] ? __pfx_kthread (kernel/kthread.c:412) +[ 98.406645] ret_from_fork (arch/x86/kernel/process.c:164) +[ 98.406674] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153) +[ 98.406704] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406728] ? 
__pfx_kthread (kernel/kthread.c:412) +[ 98.406747] ret_from_fork_asm (arch/x86/entry/entry_64.S:258) +[ 98.406774] +[ 98.406780] +[ 98.433693] The buggy address belongs to the physical page: +[ 98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4 +[ 98.435557] flags: 0x200000000000000(node=0|zone=2) +[ 98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000 +[ 98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000 +[ 98.438115] page dumped because: kasan: bad access detected +[ 98.438951] +[ 98.439211] Memory state around the buggy address: +[ 98.439871] ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 98.440714] ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.442458] ^ +[ 98.443011] ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.443889] ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.444768] ================================================================== +[ 98.445719] Disabling lock debugging due to kernel taint +[ 98.448074] l2cap_conn_free: freeing conn ffff88810c22b400 +[ 98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G B 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 98.450040] Tainted: [B]=BAD_PAGE +[ 98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 98.450059] Call Trace: +[ 98.450065] +[ 98.450071] dump_stack_lvl (lib/dump_stack.c:122) +[ 98.450099] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808) +[ 98.450125] l2cap_conn_put (net/bluetooth/l2cap_core.c:1822) +[ 98.450154] session_free (net/bluetooth/hidp/core.c:990) +[ 98.450181] hidp_session_thread (net/bluetooth/hidp/core.c:1307) +[ 98.450213] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.450271] ? 
kthread (kernel/kthread.c:433) +[ 98.450293] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.450339] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450368] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.450406] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.450442] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450471] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1)) +[ 98.450499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450528] ? kthread (kernel/kthread.c:433) +[ 98.450547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450578] ? kthread (kernel/kthread.c:433) +[ 98.450598] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.450637] kthread (kernel/kthread.c:467) +[ 98.450657] ? __pfx_kthread (kernel/kthread.c:412) +[ 98.450680] ret_from_fork (arch/x86/kernel/process.c:164) +[ 98.450715] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153) +[ 98.450752] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450782] ? 
__pfx_kthread (kernel/kthread.c:412) +[ 98.450804] ret_from_fork_asm (arch/x86/entry/entry_64.S:258) +[ 98.450836] + +Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers") +Reported-by: soufiane el hachmi +Tested-by: soufiane el hachmi +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hidp/core.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c +index 707f229f896a1..40a6f1e20babc 100644 +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -986,7 +986,8 @@ static void session_free(struct kref *ref) + skb_queue_purge(&session->intr_transmit); + fput(session->intr_sock->file); + fput(session->ctrl_sock->file); +- l2cap_conn_put(session->conn); ++ if (session->conn) ++ l2cap_conn_put(session->conn); + kfree(session); + } + +@@ -1164,6 +1165,15 @@ static void hidp_session_remove(struct l2cap_conn *conn, + + down_write(&hidp_session_sem); + ++ /* Drop L2CAP reference immediately to indicate that ++ * l2cap_unregister_user() shall not be called as it is already ++ * considered removed. ++ */ ++ if (session->conn) { ++ l2cap_conn_put(session->conn); ++ session->conn = NULL; ++ } ++ + hidp_session_terminate(session); + + cancel_work_sync(&session->dev_init); +@@ -1301,7 +1311,9 @@ static int hidp_session_thread(void *arg) + * Instead, this call has the same semantics as if user-space tried to + * delete the session. + */ +- l2cap_unregister_user(session->conn, &session->user); ++ if (session->conn) ++ l2cap_unregister_user(session->conn, &session->user); ++ + hidp_session_put(session); + + module_put_and_kthread_exit(0); +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-iso-fix-defer-tests-being-unstable.patch b/queue-6.12/bluetooth-iso-fix-defer-tests-being-unstable.patch new file mode 100644 index 0000000000..130c7fdeee --- /dev/null +++ b/queue-6.12/bluetooth-iso-fix-defer-tests-being-unstable.patch 
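Review bot: The new `if (session->conn)` test at the end of hidp_session_thread() reads a pointer that hidp_session_remove() now clears under hidp_session_sem, and nothing in the hunk shows the thread holding that semaphore or any other ordering against the clear, so the read appears to rely on hidp_session_terminate() and the rest of the teardown (outside the hunk) having already stopped the thread before the pointer is nulled; that ordering is worth confirming or stating. The same applies to the `if (session->conn)` check added in session_free(), which is at least a kref release path and so runs after all users are gone. A comment on the thread-side check such as `/* NULL once hidp_session_remove() has dropped the conn reference on our behalf */` would make the contract explicit. Both hidp_session_thread() and hidp_session_remove() start outside the hunk.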
@@ -0,0 +1,49 @@ +From 4bb988db5f7b002a06dbb9535d34f17cc01f09c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Feb 2026 15:23:01 -0500 +Subject: Bluetooth: ISO: Fix defer tests being unstable + +From: Luiz Augusto von Dentz + +[ Upstream commit 62bcaa6b351b6dc400f6c6b83762001fd9f5c12d ] + +iso-tester defer tests seem to fail with hci_conn_hash_lookup_cig +being unable to resolve a cig in set_cig_params_sync due a race +where it is run immediatelly before hci_bind_cis is able to set +the QoS settings into the hci_conn object. + +So this moves the assigning of the QoS settings to be done directly +by hci_le_set_cig_params to prevent that from happening again. + +Fixes: 26afbd826ee3 ("Bluetooth: Add initial implementation of CIS connections") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_conn.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index fa74fac5af778..447d29c67e7c1 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -1868,6 +1868,8 @@ static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos) + return false; + + done: ++ conn->iso_qos = *qos; ++ + if (hci_cmd_sync_queue(hdev, set_cig_params_sync, + UINT_PTR(qos->ucast.cig), NULL) < 0) + return false; +@@ -1934,8 +1936,6 @@ struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst, + } + + hci_conn_hold(cis); +- +- cis->iso_qos = *qos; + cis->state = BT_BOUND; + + return cis; +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch b/queue-6.12/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch new file mode 100644 index 0000000000..7262f07f4c --- /dev/null +++ b/queue-6.12/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch 
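Review bot: With `conn->iso_qos = *qos;` moved ahead of the hci_cmd_sync_queue() call under `done:`, a queueing failure now returns false after the connection's QoS has already been overwritten, whereas before the move hci_bind_cis() only stored the QoS after hci_le_set_cig_params() succeeded. If any caller treats a false return as "connection untouched", the previous value should be restored on that path, e.g. save `struct bt_iso_qos old = conn->iso_qos;` before the assignment and restore it before `return false;`; if no caller cares, a one-line comment saying so would spare the next reviewer the same question. The `done:` label may be reached from earlier paths in hci_le_set_cig_params() that are outside the hunk.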
@@ -0,0 +1,90 @@ +From bdf20a83b68b2a66721c7b341e871774b2cbd790 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Nov 2025 23:50:16 +0530 +Subject: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user + +From: Shaurya Rane + +[ Upstream commit 752a6c9596dd25efd6978a73ff21f3b592668f4a ] + +After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in +hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to +conn->users. However, l2cap_register_user() and l2cap_unregister_user() +don't use conn->lock, creating a race condition where these functions can +access conn->users and conn->hchan concurrently with l2cap_conn_del(). + +This can lead to use-after-free and list corruption bugs, as reported +by syzbot. + +Fix this by changing l2cap_register_user() and l2cap_unregister_user() +to use conn->lock instead of hci_dev_lock(), ensuring consistent locking +for the l2cap_conn structure. + +Reported-by: syzbot+14b6d57fb728e27ce23c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=14b6d57fb728e27ce23c +Fixes: ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del") +Signed-off-by: Shaurya Rane +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 560a17d36f7fa..7c131e4640b75 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -1686,17 +1686,15 @@ static void l2cap_info_timeout(struct work_struct *work) + + int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user) + { +- struct hci_dev *hdev = conn->hcon->hdev; + int ret; + + /* We need to check whether l2cap_conn is registered. If it is not, we +- * must not register the l2cap_user. l2cap_conn_del() is unregisters +- * l2cap_conn objects, but doesn't provide its own locking. 
Instead, it +- * relies on the parent hci_conn object to be locked. This itself relies +- * on the hci_dev object to be locked. So we must lock the hci device +- * here, too. */ ++ * must not register the l2cap_user. l2cap_conn_del() unregisters ++ * l2cap_conn objects under conn->lock, and we use the same lock here ++ * to protect access to conn->users and conn->hchan. ++ */ + +- hci_dev_lock(hdev); ++ mutex_lock(&conn->lock); + + if (!list_empty(&user->list)) { + ret = -EINVAL; +@@ -1717,16 +1715,14 @@ int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user) + ret = 0; + + out_unlock: +- hci_dev_unlock(hdev); ++ mutex_unlock(&conn->lock); + return ret; + } + EXPORT_SYMBOL(l2cap_register_user); + + void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user) + { +- struct hci_dev *hdev = conn->hcon->hdev; +- +- hci_dev_lock(hdev); ++ mutex_lock(&conn->lock); + + if (list_empty(&user->list)) + goto out_unlock; +@@ -1735,7 +1731,7 @@ void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user) + user->remove(conn, user); + + out_unlock: +- hci_dev_unlock(hdev); ++ mutex_unlock(&conn->lock); + } + EXPORT_SYMBOL(l2cap_unregister_user); + +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch b/queue-6.12/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch new file mode 100644 index 0000000000..3e91d8748d --- /dev/null +++ b/queue-6.12/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch 
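Review bot: `user->remove(conn, user);` in l2cap_unregister_user() is now invoked with conn->lock (a mutex) held instead of hci_dev_lock, which changes the locking context every registered user callback runs in; the HIDP remove callback patched elsewhere in this series takes hidp_session_sem and runs cancel_work_sync() from inside it, so a callback that ever needs conn->lock, or a lock that is elsewhere acquired while conn->lock is held, will deadlock or trip lockdep. That contract should be written down next to the call, e.g. `/* ->remove() runs with conn->lock held; callbacks must not re-acquire it or block on work that takes it */`. The same holds for any probe/register callbacks invoked from l2cap_register_user(), whose middle section is outside the hunk. Dropping the `hdev` local in both functions is fine since nothing else in the hunks uses it.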
@@ -0,0 +1,55 @@ +From 68e8dcccd275423198d53545a363c14a1e04e5d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 18:07:25 +0100 +Subject: Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU + +From: Christian Eggers + +[ Upstream commit e1d9a66889867c232657a9b6f25d451d7c3ab96f ] + +Core 6.0, Vol 3, Part A, 3.4.3: +"If the SDU length field value exceeds the receiver's MTU, the receiver +shall disconnect the channel..." + +This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P +0x0027 -V le_public -I 100'). + +Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly") +Signed-off-by: Christian Eggers +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index a95949bc36b2a..de8e18fe50557 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -6619,8 +6619,10 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) + return -ENOBUFS; + } + +- if (chan->imtu < skb->len) { +- BT_ERR("Too big LE L2CAP PDU"); ++ if (skb->len > chan->imtu) { ++ BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len, ++ chan->imtu); ++ l2cap_send_disconn_req(chan, ECONNRESET); + return -ENOBUFS; + } + +@@ -6646,7 +6648,9 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) + sdu_len, skb->len, chan->imtu); + + if (sdu_len > chan->imtu) { +- BT_ERR("Too big LE L2CAP SDU length received"); ++ BT_ERR("Too big LE L2CAP SDU length: len %u > %u", ++ skb->len, sdu_len); ++ l2cap_send_disconn_req(chan, ECONNRESET); + err = -EMSGSIZE; + goto failed; + } +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch b/queue-6.12/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch new file mode 100644 index 0000000000..ee4cd7fbf2 --- /dev/null 
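Review bot: The new error message in the second hunk prints the wrong pair of values: the condition is `sdu_len > chan->imtu`, yet the format arguments are `skb->len, sdu_len`, so the log will claim "len X > Y" with two numbers that need not satisfy that relation, which is misleading when triaging a peer that trips this disconnect. Change it to `BT_ERR("Too big LE L2CAP SDU length: len %u > %u", sdu_len, chan->imtu);` so it mirrors the first hunk, which does print the compared pair. Since both checks now tear the channel down on a peer-supplied length, a short why-comment above them would help: `/* Core 6.0 Vol 3 Part A 3.4.3: SDU/PDU above our IMTU must disconnect the channel */`. The rest of l2cap_ecred_data_rcv(), including the failed: path, lies outside the hunk.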
+++ b/queue-6.12/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch @@ -0,0 +1,39 @@ +From 018e3aa37e5cbc90c2964335a3bf1e2f9c7d4122 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 18:07:27 +0100 +Subject: Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU + +From: Christian Eggers + +[ Upstream commit b6a2bf43aa37670432843bc73ae2a6288ba4d6f8 ] + +Core 6.0, Vol 3, Part A, 3.4.3: +"... If the sum of the payload sizes for the K-frames exceeds the +specified SDU length, the receiver shall disconnect the channel." + +This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P +0x0027 -V le_public'). + +Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly") +Signed-off-by: Christian Eggers +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index de8e18fe50557..560a17d36f7fa 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -6686,6 +6686,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) + + if (chan->sdu->len + skb->len > chan->sdu_len) { + BT_ERR("Too much LE L2CAP data received"); ++ l2cap_send_disconn_req(chan, ECONNRESET); + err = -EINVAL; + goto failed; + } +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch b/queue-6.12/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch new file mode 100644 index 0000000000..37952b0187 --- /dev/null +++ b/queue-6.12/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch 
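Review bot: The message at the new disconnect site still says only "Too much LE L2CAP data received", while the sibling checks in the same function were just changed to print the sizes being compared; for a condition that now drops the channel, the numbers are what an operator needs. Make it `BT_ERR("Too much LE L2CAP data received: %u + %u > %u", chan->sdu->len, skb->len, chan->sdu_len);` alongside the added `l2cap_send_disconn_req(chan, ECONNRESET);`. The failed: label and the rest of l2cap_ecred_data_rcv() are outside the hunk.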
@@ -0,0 +1,67 @@ +From f67a9851c159acc0f25250522408290ad88aed94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Feb 2026 11:03:39 +0000 +Subject: Bluetooth: MGMT: Fix list corruption and UAF in command complete + handlers + +From: Wang Tao + +[ Upstream commit 17f89341cb4281d1da0e2fb0de5406ab7c4e25ef ] + +Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced +mgmt_pending_valid(), which not only validates the pending command but +also unlinks it from the pending list if it is valid. This change in +semantics requires updates to several completion handlers to avoid list +corruption and memory safety issues. + +This patch addresses two left-over issues from the aforementioned rework: + +1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove() +is replaced with mgmt_pending_free() in the success path. Since +mgmt_pending_valid() already unlinks the command at the beginning of +the function, calling mgmt_pending_remove() leads to a double list_del() +and subsequent list corruption/kernel panic. + +2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error +path is removed. Since the current command is already unlinked by +mgmt_pending_valid(), this foreach loop would incorrectly target other +pending mesh commands, potentially freeing them while they are still being +processed concurrently (leading to UAFs). The redundant mgmt_cmd_status() +is also simplified to use cmd->opcode directly. 
+ +Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") +Signed-off-by: Wang Tao +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 4894e6444900a..b1df591a53805 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -2172,10 +2172,7 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err) + sk = cmd->sk; + + if (status) { +- mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER, +- status); +- mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true, +- cmd_status_rsp, &status); ++ mgmt_cmd_status(cmd->sk, hdev->id, cmd->opcode, status); + goto done; + } + +@@ -5354,7 +5351,7 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev, + + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, + mgmt_status(status), &rp, sizeof(rp)); +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + + hci_dev_unlock(hdev); + bt_dev_dbg(hdev, "add monitor %d complete, status %d", +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch b/queue-6.12/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch new file mode 100644 index 0000000000..ddfdfada11 --- /dev/null +++ b/queue-6.12/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch 
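Review bot: The success path of mgmt_add_adv_patterns_monitor_complete() now does a bare `mgmt_pending_free(cmd);` after mgmt_cmd_complete(), and nothing at the call site records that the command was already unlinked by mgmt_pending_valid(), so the next reader is likely to "fix" it back to mgmt_pending_remove() and reintroduce the double list_del(). Add `/* cmd was already unlinked by mgmt_pending_valid(); only free it here */` above the call. The early-return and error paths of both handlers are outside the hunks; if any of them still calls mgmt_pending_remove() on the same cmd it has the same problem, which is worth confirming. The `goto done` in set_mesh_complete() also relies on the done: label (not visible) releasing cmd.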
@@ -0,0 +1,46 @@ +From de1733b51d4eea02448d428a89989e0447c8f343 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 01:02:57 +0200 +Subject: Bluetooth: qca: fix ROM version reading on WCN3998 chips + +From: Dmitry Baryshkov + +[ Upstream commit 99b2c531e0e797119ae1b9195a8764ee98b00e65 ] + +WCN3998 uses a bit different format for rom version: + +[ 5.479978] Bluetooth: hci0: setting up wcn399x +[ 5.633763] Bluetooth: hci0: QCA Product ID :0x0000000a +[ 5.645350] Bluetooth: hci0: QCA SOC Version :0x40010224 +[ 5.650906] Bluetooth: hci0: QCA ROM Version :0x00001001 +[ 5.665173] Bluetooth: hci0: QCA Patch Version:0x00006699 +[ 5.679356] Bluetooth: hci0: QCA controller version 0x02241001 +[ 5.691109] Bluetooth: hci0: QCA Downloading qca/crbtfw21.tlv +[ 6.680102] Bluetooth: hci0: QCA Downloading qca/crnv21.bin +[ 6.842948] Bluetooth: hci0: QCA setup on UART is completed + +Fixes: 523760b7ff88 ("Bluetooth: hci_qca: Added support for WCN3998") +Reviewed-by: Bartosz Golaszewski +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqca.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index dd2c0485b9848..372427747cd64 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -804,6 +804,8 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + */ + if (soc_type == QCA_WCN3988) + rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f); ++ else if (soc_type == QCA_WCN3998) ++ rom_ver = ((soc_ver & 0x0000f000) >> 0x07) | (soc_ver & 0x0000000f); + else + rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f); + +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch b/queue-6.12/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch new file mode 100644 index 0000000000..feb8bc7856 --- /dev/null 
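Review bot: The WCN3998 branch adds a third undocumented nibble shuffle to the if/else chain, and with nothing stating which bits of soc_ver feed the firmware file name, the `>> 0x07` next to `>> 0x05` and `>> 0x04` reads like a typo rather than a deliberate layout. A one-line comment would pin it: `/* WCN3998: rom_ver = bits[15:12] << 5 | bits[3:0], e.g. 0x...1001 -> 0x21 (crbtfw21.tlv) */` — that arithmetic matches the crbtfw21 line in the description if soc_ver here holds the 0x02241001 "controller version", which the hunk does not show, so confirm before quoting the example. Writing the shift counts in decimal (`>> 7`) would also make the three branches easier to compare at a glance. qca_uart_setup() starts and ends outside the hunk.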
+++ b/queue-6.12/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
@@ -0,0 +1,36 @@
+From 48f0ab25920c845873a6c1054f3da9954c030f5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Feb 2026 18:07:28 +0100
+Subject: Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
+
+From: Christian Eggers
+
+[ Upstream commit 0e4d4dcc1a6e82cc6f9abf32193558efa7e1613d ]
+
+The last test step ("Test with Invalid public key X and Y, all set to
+0") expects to get an "DHKEY check failed" instead of "unspecified".
+
+Fixes: 6d19628f539f ("Bluetooth: SMP: Fail if remote and local public keys are identical")
+Signed-off-by: Christian Eggers
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index 3a33fd06e6a4c..204c5fe3a8d08 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2743,7 +2743,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
+ if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
+ !crypto_memneq(key, smp->local_pk, 64)) {
+ bt_dev_err(hdev, "Remote and local public keys are identical");
+- return SMP_UNSPECIFIED;
++ return SMP_DHKEY_CHECK_FAILED;
+ }
+
+ memcpy(smp->remote_pk, key, 64);
+--
+2.51.0
+
diff --git a/queue-6.12/bonding-prevent-potential-infinite-loop-in-bond_head.patch b/queue-6.12/bonding-prevent-potential-infinite-loop-in-bond_head.patch
new file mode 100644
index 0000000000..1620587dea
--- /dev/null
+++ b/queue-6.12/bonding-prevent-potential-infinite-loop-in-bond_head.patch
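Review bot: The guard above the changed return rejects a remote public key that is byte-identical to our own — i.e. a peer reflecting our key back — but neither the condition nor the new `return SMP_DHKEY_CHECK_FAILED;` says what is being defended against or why this particular reason code is now used, so the choice looks arbitrary to a reader without the qualification spec. Add above the if: `/* A reflected copy of our own public key is not a valid peer key; report it as a DHKey check failure (SM/PER/KDU/BI-04-C), not "unspecified". */`. The comment should also note, as the visible `!test_bit(SMP_FLAG_DEBUG_KEY, ...)` shows, that the check is bypassed entirely when the debug key is in use. smp_cmd_public_key() starts and ends outside the hunk.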
@@ -0,0 +1,205 @@ +From 9fd2ab95ca779086eecb6554c53cc191992372fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 10:41:52 +0000 +Subject: bonding: prevent potential infinite loop in bond_header_parse() + +From: Eric Dumazet + +[ Upstream commit b7405dcf7385445e10821777143f18c3ce20fa04 ] + +bond_header_parse() can loop if a stack of two bonding devices is setup, +because skb->dev always points to the hierarchy top. + +Add new "const struct net_device *dev" parameter to +(struct header_ops)->parse() method to make sure the recursion +is bounded, and that the final leaf parse method is called. + +Fixes: 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()") +Signed-off-by: Eric Dumazet +Reviewed-by: Jiayuan Chen +Tested-by: Jiayuan Chen +Cc: Jay Vosburgh +Cc: Andrew Lunn +Link: https://patch.msgid.link/20260315104152.1436867-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/firewire/net.c | 5 +++-- + drivers/net/bonding/bond_main.c | 8 +++++--- + include/linux/etherdevice.h | 3 ++- + include/linux/if_ether.h | 3 ++- + include/linux/netdevice.h | 6 ++++-- + net/ethernet/eth.c | 9 +++------ + net/ipv4/ip_gre.c | 3 ++- + net/mac802154/iface.c | 4 +++- + net/phonet/af_phonet.c | 5 ++++- + 9 files changed, 28 insertions(+), 18 deletions(-) + +diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c +index 1bf0e15c15408..423ead5fa9c13 100644 +--- a/drivers/firewire/net.c ++++ b/drivers/firewire/net.c +@@ -257,9 +257,10 @@ static void fwnet_header_cache_update(struct hh_cache *hh, + memcpy((u8 *)hh->hh_data + HH_DATA_OFF(FWNET_HLEN), haddr, net->addr_len); + } + +-static int fwnet_header_parse(const struct sk_buff *skb, unsigned char *haddr) ++static int fwnet_header_parse(const struct sk_buff *skb, const struct net_device *dev, ++ unsigned char *haddr) + { +- memcpy(haddr, skb->dev->dev_addr, FWNET_ALEN); ++ memcpy(haddr, dev->dev_addr, FWNET_ALEN); + + return FWNET_ALEN; + } +diff --git 
a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index d11ca46a5b1f7..5035cfa74f1ac 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1563,9 +1563,11 @@ static int bond_header_create(struct sk_buff *skb, struct net_device *bond_dev, + return ret; + } + +-static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr) ++static int bond_header_parse(const struct sk_buff *skb, ++ const struct net_device *dev, ++ unsigned char *haddr) + { +- struct bonding *bond = netdev_priv(skb->dev); ++ struct bonding *bond = netdev_priv(dev); + const struct header_ops *slave_ops; + struct slave *slave; + int ret = 0; +@@ -1575,7 +1577,7 @@ static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr) + if (slave) { + slave_ops = READ_ONCE(slave->dev->header_ops); + if (slave_ops && slave_ops->parse) +- ret = slave_ops->parse(skb, haddr); ++ ret = slave_ops->parse(skb, slave->dev, haddr); + } + rcu_read_unlock(); + return ret; +diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h +index ecf203f010343..a3ae683affa58 100644 +--- a/include/linux/etherdevice.h ++++ b/include/linux/etherdevice.h +@@ -42,7 +42,8 @@ extern const struct header_ops eth_header_ops; + + int eth_header(struct sk_buff *skb, struct net_device *dev, unsigned short type, + const void *daddr, const void *saddr, unsigned len); +-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr); ++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev, ++ unsigned char *haddr); + int eth_header_cache(const struct neighbour *neigh, struct hh_cache *hh, + __be16 type); + void eth_header_cache_update(struct hh_cache *hh, const struct net_device *dev, +diff --git a/include/linux/if_ether.h b/include/linux/if_ether.h +index 8a9792a6427ad..47a0feffc1215 100644 +--- a/include/linux/if_ether.h ++++ b/include/linux/if_ether.h +@@ -37,7 +37,8 @@ static inline struct ethhdr *inner_eth_hdr(const 
struct sk_buff *skb) + return (struct ethhdr *)skb_inner_mac_header(skb); + } + +-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr); ++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev, ++ unsigned char *haddr); + + extern ssize_t sysfs_format_mac(char *buf, const unsigned char *addr, int len); + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 12edeeb172c4e..fcc1509ca7cb8 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -308,7 +308,9 @@ struct header_ops { + int (*create) (struct sk_buff *skb, struct net_device *dev, + unsigned short type, const void *daddr, + const void *saddr, unsigned int len); +- int (*parse)(const struct sk_buff *skb, unsigned char *haddr); ++ int (*parse)(const struct sk_buff *skb, ++ const struct net_device *dev, ++ unsigned char *haddr); + int (*cache)(const struct neighbour *neigh, struct hh_cache *hh, __be16 type); + void (*cache_update)(struct hh_cache *hh, + const struct net_device *dev, +@@ -3163,7 +3165,7 @@ static inline int dev_parse_header(const struct sk_buff *skb, + + if (!dev->header_ops || !dev->header_ops->parse) + return 0; +- return dev->header_ops->parse(skb, haddr); ++ return dev->header_ops->parse(skb, dev, haddr); + } + + static inline __be16 dev_parse_header_protocol(const struct sk_buff *skb) +diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c +index 43e211e611b16..ca4e3a01237d0 100644 +--- a/net/ethernet/eth.c ++++ b/net/ethernet/eth.c +@@ -193,14 +193,11 @@ __be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev) + } + EXPORT_SYMBOL(eth_type_trans); + +-/** +- * eth_header_parse - extract hardware address from packet +- * @skb: packet to extract header from +- * @haddr: destination buffer +- */ +-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr) ++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev, ++ unsigned char *haddr) + { + const struct ethhdr *eth = 
eth_hdr(skb); ++ + memcpy(haddr, eth->h_source, ETH_ALEN); + return ETH_ALEN; + } +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index be85dbe74ac8c..084556b03a2e2 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -917,7 +917,8 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev, + return -(t->hlen + sizeof(*iph)); + } + +-static int ipgre_header_parse(const struct sk_buff *skb, unsigned char *haddr) ++static int ipgre_header_parse(const struct sk_buff *skb, const struct net_device *dev, ++ unsigned char *haddr) + { + const struct iphdr *iph = (const struct iphdr *) skb_mac_header(skb); + memcpy(haddr, &iph->saddr, 4); +diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c +index 9e4631fade90c..000be60d95803 100644 +--- a/net/mac802154/iface.c ++++ b/net/mac802154/iface.c +@@ -469,7 +469,9 @@ static int mac802154_header_create(struct sk_buff *skb, + } + + static int +-mac802154_header_parse(const struct sk_buff *skb, unsigned char *haddr) ++mac802154_header_parse(const struct sk_buff *skb, ++ const struct net_device *dev, ++ unsigned char *haddr) + { + struct ieee802154_hdr hdr; + +diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c +index a27efa4faa4ef..532ee4e10ba94 100644 +--- a/net/phonet/af_phonet.c ++++ b/net/phonet/af_phonet.c +@@ -129,9 +129,12 @@ static int pn_header_create(struct sk_buff *skb, struct net_device *dev, + return 1; + } + +-static int pn_header_parse(const struct sk_buff *skb, unsigned char *haddr) ++static int pn_header_parse(const struct sk_buff *skb, ++ const struct net_device *dev, ++ unsigned char *haddr) + { + const u8 *media = skb_mac_header(skb); ++ + *haddr = *media; + return 1; + } +-- +2.51.0 + diff --git a/queue-6.12/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch b/queue-6.12/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch new file mode 100644 index 0000000000..aab6e0a887 --- /dev/null +++ b/queue-6.12/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch 
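Review bot: The eth.c hunk deletes the kernel-doc block for the exported eth_header_parse() (`-/** - * eth_header_parse - extract hardware address from packet ...`) instead of updating it for the new @dev argument, so the function loses its documentation at the moment its signature changes. Restore it as a kernel-doc comment naming @skb, @dev (the leaf device whose header format is being parsed; unused for Ethernet) and @haddr, and stating the ETH_ALEN return. In bond_main.c, one comment at `ret = slave_ops->parse(skb, slave->dev, haddr);` would record why the slave device rather than skb->dev is passed — `/* pass the slave, not skb->dev (the stack's top): this is what bounds recursion through nested bonds */` — since that line is the whole fix. The enclosing functions in eth.c and bond_main.c begin outside the hunk lines.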
@@ -0,0 +1,75 @@ +From 533c5d5cd9d9387b5531603e0c417ea9d91fff63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 03:18:09 +0900 +Subject: bridge: cfm: Fix race condition in peer_mep deletion + +From: Hyunwoo Kim + +[ Upstream commit 3715a00855316066cdda69d43648336367422127 ] + +When a peer MEP is being deleted, cancel_delayed_work_sync() is called +on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in +softirq context under rcu_read_lock (without RTNL) and can re-schedule +ccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync() +returning and kfree_rcu() being called. + +The following is a simple race scenario: + + cpu0 cpu1 + +mep_delete_implementation() + cancel_delayed_work_sync(ccm_rx_dwork); + br_cfm_frame_rx() + // peer_mep still in hlist + if (peer_mep->ccm_defect) + ccm_rx_timer_start() + queue_delayed_work(ccm_rx_dwork) + hlist_del_rcu(&peer_mep->head); + kfree_rcu(peer_mep, rcu); + ccm_rx_work_expired() + // on freed peer_mep + +To prevent this, cancel_delayed_work_sync() is replaced with +disable_delayed_work_sync() in both peer MEP deletion paths, so +that subsequent queue_delayed_work() calls from br_cfm_frame_rx() +are silently rejected. + +The cc_peer_disable() helper retains cancel_delayed_work_sync() +because it is also used for the CC enable/disable toggle path where +the work must remain re-schedulable. + +Fixes: dc32cbb3dbd7 ("bridge: cfm: Kernel space implementation of CFM. 
CCM frame RX added.") +Signed-off-by: Hyunwoo Kim +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/abBgYT5K_FI9rD1a@v4bel +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_cfm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/bridge/br_cfm.c b/net/bridge/br_cfm.c +index a3c755d0a09de..ffa571e38c540 100644 +--- a/net/bridge/br_cfm.c ++++ b/net/bridge/br_cfm.c +@@ -576,7 +576,7 @@ static void mep_delete_implementation(struct net_bridge *br, + + /* Empty and free peer MEP list */ + hlist_for_each_entry_safe(peer_mep, n_store, &mep->peer_mep_list, head) { +- cancel_delayed_work_sync(&peer_mep->ccm_rx_dwork); ++ disable_delayed_work_sync(&peer_mep->ccm_rx_dwork); + hlist_del_rcu(&peer_mep->head); + kfree_rcu(peer_mep, rcu); + } +@@ -732,7 +732,7 @@ int br_cfm_cc_peer_mep_remove(struct net_bridge *br, const u32 instance, + return -ENOENT; + } + +- cc_peer_disable(peer_mep); ++ disable_delayed_work_sync(&peer_mep->ccm_rx_dwork); + + hlist_del_rcu(&peer_mep->head); + kfree_rcu(peer_mep, rcu); +-- +2.51.0 + diff --git a/queue-6.12/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch b/queue-6.12/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch new file mode 100644 index 0000000000..5beb113945 --- /dev/null +++ b/queue-6.12/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch 
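Review bot: In br_cfm_cc_peer_mep_remove() the call to cc_peer_disable(peer_mep) is replaced outright by `disable_delayed_work_sync(&peer_mep->ccm_rx_dwork);`; the description says the helper only cancels the work, but cc_peer_disable() is not in the hunk, so if it also resets any peer state that step is now skipped on the remove path — worth confirming against the helper. Whichever way that goes, a why-comment at both new lines would stop someone reverting to cancel_delayed_work_sync(): `/* disable, not cancel: br_cfm_frame_rx() may still requeue this work under RCU until kfree_rcu() completes */`. Both enclosing functions extend beyond the hunk.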
@@ -0,0 +1,99 @@ +From 30e3decefb73f64b206301d2a97d1914021dd82b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2026 16:57:43 +0000 +Subject: btrfs: log new dentries when logging parent dir of a conflicting + inode + +From: Filipe Manana + +[ Upstream commit 9573a365ff9ff45da9222d3fe63695ce562beb24 ] + +If we log the parent directory of a conflicting inode, we are not logging +the new dentries of the directory, so when we finish we have the parent +directory's inode marked as logged but we did not log its new dentries. +As a consequence if the parent directory is explicitly fsynced later and +it does not have any new changes since we logged it, the fsync is a no-op +and after a power failure the new dentries are missing. + +Example scenario: + + $ mkdir foo + + $ sync + + $rmdir foo + + $ mkdir dir1 + $ mkdir dir2 + + # A file with the same name and parent as the directory we just deleted + # and was persisted in a past transaction. So the deleted directory's + # inode is a conflicting inode of this new file's inode. + $ touch foo + + $ ln foo dir2/link + + # The fsync on dir2 will log the parent directory (".") because the + # conflicting inode (deleted directory) does not exists anymore, but it + # it does not log its new dentries (dir1). + $ xfs_io -c "fsync" dir2 + + # This fsync on the parent directory is no-op, since the previous fsync + # logged it (but without logging its new dentries). + $ xfs_io -c "fsync" . + + + + # After log replay dir1 is missing. + +Fix this by ensuring we log new dir dentries whenever we log the parent +directory of a no longer existing conflicting inode. + +A test case for fstests will follow soon. 
+ +Reported-by: Vyacheslav Kovalevsky +Link: https://lore.kernel.org/linux-btrfs/182055fa-e9ce-4089-9f5f-4b8a23e8dd91@gmail.com/ +Fixes: a3baaf0d786e ("Btrfs: fix fsync after succession of renames and unlink/rmdir") +Reviewed-by: Boris Burkov +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index fa1199fb6b3dd..28dcf8a8997b5 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -5886,6 +5886,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans, + struct btrfs_root *root, + struct btrfs_log_ctx *ctx) + { ++ const bool orig_log_new_dentries = ctx->log_new_dentries; + int ret = 0; + + /* +@@ -5947,7 +5948,11 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans, + * dir index key range logged for the directory. So we + * must make sure the deletion is recorded. + */ ++ ctx->log_new_dentries = false; + ret = btrfs_log_inode(trans, inode, LOG_INODE_ALL, ctx); ++ if (!ret && ctx->log_new_dentries) ++ ret = log_new_dir_dentries(trans, inode, ctx); ++ + btrfs_add_delayed_iput(inode); + if (ret) + break; +@@ -5982,6 +5987,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans, + break; + } + ++ ctx->log_new_dentries = orig_log_new_dentries; + ctx->logging_conflict_inodes = false; + if (ret) + free_conflicting_inodes(ctx); +-- +2.51.0 + diff --git a/queue-6.12/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch b/queue-6.12/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch new file mode 100644 index 0000000000..a3c0e53f9b --- /dev/null +++ b/queue-6.12/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch 
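Review bot: ctx->log_new_dentries is cleared before each btrfs_log_inode() call but restored only at the single `ctx->log_new_dentries = orig_log_new_dentries;` after the loop, so any early `return` between the capture and that restore — the hunk hides lines 5893–5946 and 5955–5986 — would hand the caller a silently cleared flag, the kind of state leak that shows up later as another missing-dentries report. Confirm there is none, or move the restore to a common exit label. A why-comment on the clear would also help: `/* btrfs_log_inode() sets this when the directory gained new dentries; start from false so a stale value from the caller does not trigger log_new_dir_dentries() */` — the second half is my reading of the surrounding code, please confirm. log_conflicting_inodes() starts and ends outside the hunk.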
@@ -0,0 +1,38 @@
+From ed254ebdc643d4380e0ace97024527e2cb31a923 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Mar 2026 08:33:21 +0800
+Subject: btrfs: tree-checker: fix misleading root drop_level error message
+
+From: ZhengYuan Huang
+
+[ Upstream commit fc1cd1f18c34f91e78362f9629ab9fd43b9dcab9 ]
+
+Fix tree-checker error message to report "invalid root drop_level"
+instead of the misleading "invalid root level".
+
+Fixes: 259ee7754b67 ("btrfs: tree-checker: Add ROOT_ITEM check")
+Reviewed-by: Qu Wenruo
+Signed-off-by: ZhengYuan Huang
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/tree-checker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
+index 60bba7fbeb351..7e9475e2a047b 100644
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -1244,7 +1244,7 @@ static int check_root_item(struct extent_buffer *leaf, struct btrfs_key *key,
+ }
+ if (unlikely(btrfs_root_drop_level(&ri) >= BTRFS_MAX_LEVEL)) {
+ generic_err(leaf, slot,
+- "invalid root level, have %u expect [0, %u]",
++ "invalid root drop_level, have %u expect [0, %u]",
+ btrfs_root_drop_level(&ri), BTRFS_MAX_LEVEL - 1);
+ return -EUCLEAN;
+ }
+--
+2.51.0
+
diff --git a/queue-6.12/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch b/queue-6.12/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch
new file mode 100644
index 0000000000..0a6343c6ca
--- /dev/null
+++ b/queue-6.12/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch
@@ -0,0 +1,46 @@ +From 4952e8ca24d5a04fde74ebd548acca93ec6ab3f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Jan 2026 01:49:09 +0800 +Subject: cache: ax45mp: Fix device node reference leak in ax45mp_cache_init() + +From: Felix Gu + +[ Upstream commit 0528a348b04b327a4611e29589beb4c9ae81304a ] + +In ax45mp_cache_init(), of_find_matching_node() returns a device node +with an incremented reference count that must be released with +of_node_put(). The current code fails to call of_node_put() which +causes a reference leak. + +Use the __free(device_node) attribute to ensure automatic cleanup when +the variable goes out of scope. + +Fixes: d34599bcd2e4 ("cache: Add L2 cache management for Andes AX45MP RISC-V core") +Signed-off-by: Felix Gu +Signed-off-by: Conor Dooley +Signed-off-by: Sasha Levin +--- + drivers/cache/ax45mp_cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/cache/ax45mp_cache.c b/drivers/cache/ax45mp_cache.c +index 1d7dd3d2c101c..934c5087ec2bd 100644 +--- a/drivers/cache/ax45mp_cache.c ++++ b/drivers/cache/ax45mp_cache.c +@@ -178,11 +178,11 @@ static const struct of_device_id ax45mp_cache_ids[] = { + + static int __init ax45mp_cache_init(void) + { +- struct device_node *np; + struct resource res; + int ret; + +- np = of_find_matching_node(NULL, ax45mp_cache_ids); ++ struct device_node *np __free(device_node) = ++ of_find_matching_node(NULL, ax45mp_cache_ids); + if (!of_device_is_available(np)) + return -ENODEV; + +-- +2.51.0 + diff --git a/queue-6.12/cache-starfive-fix-device-node-leak-in-starlink_cach.patch b/queue-6.12/cache-starfive-fix-device-node-leak-in-starlink_cach.patch new file mode 100644 index 0000000000..9a813d95d9 --- /dev/null +++ b/queue-6.12/cache-starfive-fix-device-node-leak-in-starlink_cach.patch 
@@ -0,0 +1,44 @@ +From 52d2e36872ed75a2ac5c7d63cb401099c98f0e99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Jan 2026 01:13:45 +0800 +Subject: cache: starfive: fix device node leak in starlink_cache_init() + +From: Felix Gu + +[ Upstream commit 3c85234b979af71cb9db5eb976ea08a468415767 ] + +of_find_matching_node() returns a device_node with refcount incremented. + +Use __free(device_node) attribute to automatically call of_node_put() +when the variable goes out of scope, preventing the refcount leak. + +Fixes: cabff60ca77d ("cache: Add StarFive StarLink cache management") +Signed-off-by: Felix Gu +Reviewed-by: Jonathan Cameron +Signed-off-by: Conor Dooley +Signed-off-by: Sasha Levin +--- + drivers/cache/starfive_starlink_cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/cache/starfive_starlink_cache.c b/drivers/cache/starfive_starlink_cache.c +index 24c7d078ca227..3a25d2d7c70ca 100644 +--- a/drivers/cache/starfive_starlink_cache.c ++++ b/drivers/cache/starfive_starlink_cache.c +@@ -102,11 +102,11 @@ static const struct of_device_id starlink_cache_ids[] = { + + static int __init starlink_cache_init(void) + { +- struct device_node *np; + u32 block_size; + int ret; + +- np = of_find_matching_node(NULL, starlink_cache_ids); ++ struct device_node *np __free(device_node) = ++ of_find_matching_node(NULL, starlink_cache_ids); + if (!of_device_is_available(np)) + return -ENODEV; + +-- +2.51.0 + diff --git a/queue-6.12/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch b/queue-6.12/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch new file mode 100644 index 0000000000..8ad6773d99 --- /dev/null +++ b/queue-6.12/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch 
@@ -0,0 +1,116 @@ +From 4b4895ebac042d6ae5eeb8dceec184415b1faae8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 07:55:31 +0100 +Subject: clsact: Fix use-after-free in init/destroy rollback asymmetry + +From: Daniel Borkmann + +[ Upstream commit a0671125d4f55e1e98d9bde8a0b671941987e208 ] + +Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry. +The latter is achieved by first fully initializing a clsact instance, and +then in a second step having a replacement failure for the new clsact qdisc +instance. clsact_init() initializes ingress first and then takes care of the +egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon +failure, the kernel will trigger the clsact_destroy() callback. + +Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the +way how the transition is happening. If tcf_block_get_ext on the q->ingress_block +ends up failing, we took the tcx_miniq_inc reference count on the ingress +side, but not yet on the egress side. clsact_destroy() tests whether the +{ingress,egress}_entry was non-NULL. However, even in midway failure on the +replacement, both are in fact non-NULL with a valid egress_entry from the +previous clsact instance. + +What we really need to test for is whether the qdisc instance-specific ingress +or egress side previously got initialized. This adds a small helper for checking +the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon +clsact_destroy() in order to fix the use-after-free scenario. Convert the +ingress_destroy() side as well so both are consistent to each other. 
+ +Fixes: 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") +Reported-by: Keenan Dong +Signed-off-by: Daniel Borkmann +Cc: Martin KaFai Lau +Acked-by: Martin KaFai Lau +Link: https://patch.msgid.link/20260313065531.98639-1-daniel@iogearbox.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/sch_generic.h | 5 +++++ + net/sched/sch_ingress.c | 14 ++++++++------ + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index 28a7aaa4c0cdf..d3e1f91f81cde 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -1406,6 +1406,11 @@ void mini_qdisc_pair_init(struct mini_Qdisc_pair *miniqp, struct Qdisc *qdisc, + void mini_qdisc_pair_block_init(struct mini_Qdisc_pair *miniqp, + struct tcf_block *block); + ++static inline bool mini_qdisc_pair_inited(struct mini_Qdisc_pair *miniqp) ++{ ++ return !!miniqp->p_miniq; ++} ++ + void mq_change_real_num_tx(struct Qdisc *sch, unsigned int new_real_tx); + + int sch_frag_xmit_hook(struct sk_buff *skb, int (*xmit)(struct sk_buff *skb)); +diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c +index cc6051d4f2ef8..c3e18bae8fbfc 100644 +--- a/net/sched/sch_ingress.c ++++ b/net/sched/sch_ingress.c +@@ -113,14 +113,15 @@ static void ingress_destroy(struct Qdisc *sch) + { + struct ingress_sched_data *q = qdisc_priv(sch); + struct net_device *dev = qdisc_dev(sch); +- struct bpf_mprog_entry *entry = rtnl_dereference(dev->tcx_ingress); ++ struct bpf_mprog_entry *entry; + + if (sch->parent != TC_H_INGRESS) + return; + + tcf_block_put_ext(q->block, sch, &q->block_info); + +- if (entry) { ++ if (mini_qdisc_pair_inited(&q->miniqp)) { ++ entry = rtnl_dereference(dev->tcx_ingress); + tcx_miniq_dec(entry); + if (!tcx_entry_is_active(entry)) { + tcx_entry_update(dev, NULL, true); +@@ -290,10 +291,9 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt, + + static void clsact_destroy(struct Qdisc *sch) + { ++ struct 
bpf_mprog_entry *ingress_entry, *egress_entry; + struct clsact_sched_data *q = qdisc_priv(sch); + struct net_device *dev = qdisc_dev(sch); +- struct bpf_mprog_entry *ingress_entry = rtnl_dereference(dev->tcx_ingress); +- struct bpf_mprog_entry *egress_entry = rtnl_dereference(dev->tcx_egress); + + if (sch->parent != TC_H_CLSACT) + return; +@@ -301,7 +301,8 @@ static void clsact_destroy(struct Qdisc *sch) + tcf_block_put_ext(q->ingress_block, sch, &q->ingress_block_info); + tcf_block_put_ext(q->egress_block, sch, &q->egress_block_info); + +- if (ingress_entry) { ++ if (mini_qdisc_pair_inited(&q->miniqp_ingress)) { ++ ingress_entry = rtnl_dereference(dev->tcx_ingress); + tcx_miniq_dec(ingress_entry); + if (!tcx_entry_is_active(ingress_entry)) { + tcx_entry_update(dev, NULL, true); +@@ -309,7 +310,8 @@ static void clsact_destroy(struct Qdisc *sch) + } + } + +- if (egress_entry) { ++ if (mini_qdisc_pair_inited(&q->miniqp_egress)) { ++ egress_entry = rtnl_dereference(dev->tcx_egress); + tcx_miniq_dec(egress_entry); + if (!tcx_entry_is_active(egress_entry)) { + tcx_entry_update(dev, NULL, false); +-- +2.51.0 + diff --git a/queue-6.12/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch b/queue-6.12/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch new file mode 100644 index 0000000000..f1e7c8e389 --- /dev/null +++ b/queue-6.12/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch 
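Review bot: mini_qdisc_pair_inited() treats a NULL p_miniq as "never initialised", which is only correct if the qdisc private area is zeroed at allocation and mini_qdisc_pair_init() is the sole writer of p_miniq; neither fact is visible in the hunk, so the helper deserves a kernel-doc line that states the dependency, e.g. `/* True once mini_qdisc_pair_init() ran for this pair; relies on qdisc_priv() being zero-initialised at alloc. */`. The helper only reads the struct, so its parameter should be `const struct mini_Qdisc_pair *miniqp`. Fetching the tcx entries only inside the guarded branches in ingress_destroy()/clsact_destroy() is the right shape; the tail of clsact_destroy() is outside the hunk.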
@@ -0,0 +1,77 @@ +From a537951e04626deda029ef0756af8947c7ef6522 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 12:09:53 +0000 +Subject: firmware: arm_ffa: Remove vm_id argument in ffa_rxtx_unmap() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yeoreum Yun + +[ Upstream commit a4e8473b775160f3ce978f621cf8dea2c7250433 ] + +According to the FF-A specification (DEN0077, v1.1, §13.7), when +FFA_RXTX_UNMAP is invoked from any instance other than non-secure +physical, the w1 register must be zero (MBZ). If a non-zero value is +supplied in this context, the SPMC must return FFA_INVALID_PARAMETER. + +The Arm FF-A driver operates exclusively as a guest or non-secure +physical instance where the partition ID is always zero and is not +invoked from a hypervisor context where w1 carries a VM ID. In this +execution model, the partition ID observed by the driver is always zero, +and passing a VM ID is unnecessary and potentially invalid. + +Remove the vm_id parameter from ffa_rxtx_unmap() and ensure that the +SMC call is issued with w1 implicitly zeroed, as required by the +specification. This prevents invalid parameter errors and aligns the +implementation with the defined FF-A ABI behavior. 
+ +Fixes: 3bbfe9871005 ("firmware: arm_ffa: Add initial Arm FFA driver support") +Signed-off-by: Yeoreum Yun +Message-Id: <20260304120953.847671-1-yeoreum.yun@arm.com> +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_ffa/driver.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c +index 9516ee870cd25..bec1fbaff7f34 100644 +--- a/drivers/firmware/arm_ffa/driver.c ++++ b/drivers/firmware/arm_ffa/driver.c +@@ -206,12 +206,12 @@ static int ffa_rxtx_map(phys_addr_t tx_buf, phys_addr_t rx_buf, u32 pg_cnt) + return 0; + } + +-static int ffa_rxtx_unmap(u16 vm_id) ++static int ffa_rxtx_unmap(void) + { + ffa_value_t ret; + + invoke_ffa_fn((ffa_value_t){ +- .a0 = FFA_RXTX_UNMAP, .a1 = PACK_TARGET_INFO(vm_id, 0), ++ .a0 = FFA_RXTX_UNMAP, + }, &ret); + + if (ret.a0 == FFA_ERROR) +@@ -1832,7 +1832,7 @@ static int __init ffa_init(void) + + cleanup_notifs: + ffa_notifications_cleanup(); +- ffa_rxtx_unmap(drv_info->vm_id); ++ ffa_rxtx_unmap(); + free_pages: + if (drv_info->tx_buffer) + free_pages_exact(drv_info->tx_buffer, rxtx_bufsz); +@@ -1847,7 +1847,7 @@ static void __exit ffa_exit(void) + { + ffa_notifications_cleanup(); + ffa_partitions_cleanup(); +- ffa_rxtx_unmap(drv_info->vm_id); ++ ffa_rxtx_unmap(); + free_pages_exact(drv_info->tx_buffer, drv_info->rxtx_bufsz); + free_pages_exact(drv_info->rx_buffer, drv_info->rxtx_bufsz); + kfree(drv_info); +-- +2.51.0 + diff --git a/queue-6.12/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch b/queue-6.12/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch new file mode 100644 index 0000000000..af3b96dc49 --- /dev/null +++ b/queue-6.12/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch 
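Review bot: The new `ffa_rxtx_unmap(void)` issues FFA_RXTX_UNMAP with only `.a0` set and nothing in the code says why w1 is deliberately left zero, so a later reader may "fix" it by reintroducing a partition id; add a comment on the `invoke_ffa_fn()` call such as `/* w1 (partition id) MBZ from a guest or non-secure physical instance, FF-A v1.1 §13.7 */`. Both call sites in the ffa_init() cleanup path and in ffa_exit() still discard the return value, which is pre-existing but worth an explicit `(void)` or a warning if an unmap failure matters before the buffers are handed to free_pages_exact(). The enclosing functions start outside the hunk.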
@@ -0,0 +1,58 @@ +From b2aff40282ecdc3f3d158d2f6754b1173799f892 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 21:08:19 +0800 +Subject: firmware: arm_scpi: Fix device_node reference leak in probe path + +From: Felix Gu + +[ Upstream commit 879c001afbac3df94160334fe5117c0c83b2cf48 ] + +A device_node reference obtained from the device tree is not released +on all error paths in the arm_scpi probe path. Specifically, a node +returned by of_parse_phandle() could be leaked when the probe failed +after the node was acquired. The probe function returns early and +the shmem reference is not released. + +Use __free(device_node) scope-based cleanup to automatically release +the reference when the variable goes out of scope. + +Fixes: ed7ecb883901 ("firmware: arm_scpi: Add compatibility checks for shmem node") +Signed-off-by: Felix Gu +Message-Id: <20260121-arm_scpi_2-v2-1-702d7fa84acb@gmail.com> +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scpi.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c +index f4d47577f83ee..2d33771917bb4 100644 +--- a/drivers/firmware/arm_scpi.c ++++ b/drivers/firmware/arm_scpi.c +@@ -18,6 +18,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -940,13 +941,13 @@ static int scpi_probe(struct platform_device *pdev) + int idx = scpi_drvinfo->num_chans; + struct scpi_chan *pchan = scpi_drvinfo->channels + idx; + struct mbox_client *cl = &pchan->cl; +- struct device_node *shmem = of_parse_phandle(np, "shmem", idx); ++ struct device_node *shmem __free(device_node) = ++ of_parse_phandle(np, "shmem", idx); + + if (!of_match_node(shmem_of_match, shmem)) + return -ENXIO; + + ret = of_address_to_resource(shmem, 0, &res); +- of_node_put(shmem); + if (ret) { + dev_err(dev, "failed to get SCPI payload mem resource\n"); + return ret; +-- +2.51.0 + 
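Review bot: With `__free(device_node)` on `shmem`, the NULL result of `of_parse_phandle()` is now handled only implicitly: the scope cleanup is a no-op on NULL and `of_match_node()` is relied on to reject a NULL node so that -ENXIO is returned. An explicit `if (!shmem) return -ENXIO;` before the match, or a one-line comment stating that NULL is tolerated there, would make that contract visible. The header name of the added `#include` line is not legible in this rendering, so the cleanup header cannot be confirmed here; scpi_probe() starts and ends outside the hunk.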
diff --git a/queue-6.12/iavf-fix-vlan-filter-lost-on-add-delete-race.patch b/queue-6.12/iavf-fix-vlan-filter-lost-on-add-delete-race.patch new file mode 100644 index 0000000000..a9d8e11537 --- /dev/null +++ b/queue-6.12/iavf-fix-vlan-filter-lost-on-add-delete-race.patch 
@@ -0,0 +1,70 @@ +From 376335457549fca5774f326032a7c05878f3800d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 11:01:37 +0100 +Subject: iavf: fix VLAN filter lost on add/delete race + +From: Petr Oros + +[ Upstream commit fc9c69be594756b81b54c6bc40803fa6052f35ae ] + +When iavf_add_vlan() finds an existing filter in IAVF_VLAN_REMOVE +state, it transitions the filter to IAVF_VLAN_ACTIVE assuming the +pending delete can simply be cancelled. However, there is no guarantee +that iavf_del_vlans() has not already processed the delete AQ request +and removed the filter from the PF. In that case the filter remains in +the driver's list as IAVF_VLAN_ACTIVE but is no longer programmed on +the NIC. Since iavf_add_vlans() only picks up filters in +IAVF_VLAN_ADD state, the filter is never re-added, and spoof checking +drops all traffic for that VLAN. + + CPU0 CPU1 Workqueue + ---- ---- --------- + iavf_del_vlan(vlan 100) + f->state = REMOVE + schedule AQ_DEL_VLAN + iavf_add_vlan(vlan 100) + f->state = ACTIVE + iavf_del_vlans() + f is ACTIVE, skip + iavf_add_vlans() + f is ACTIVE, skip + + Filter is ACTIVE in driver but absent from NIC. + +Transition to IAVF_VLAN_ADD instead and schedule +IAVF_FLAG_AQ_ADD_VLAN_FILTER so iavf_add_vlans() re-programs the +filter. A duplicate add is idempotent on the PF. 
+ +Fixes: 0c0da0e95105 ("iavf: refactor VLAN filter states") +Signed-off-by: Petr Oros +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index dcd4f172ddc8a..5f07f37933a04 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -774,10 +774,13 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter, + adapter->num_vlan_filters++; + iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER); + } else if (f->state == IAVF_VLAN_REMOVE) { +- /* IAVF_VLAN_REMOVE means that VLAN wasn't yet removed. +- * We can safely only change the state here. ++ /* Re-add the filter since we cannot tell whether the ++ * pending delete has already been processed by the PF. ++ * A duplicate add is harmless. + */ +- f->state = IAVF_VLAN_ACTIVE; ++ f->state = IAVF_VLAN_ADD; ++ iavf_schedule_aq_request(adapter, ++ IAVF_FLAG_AQ_ADD_VLAN_FILTER); + } + + clearout: +-- +2.51.0 + diff --git a/queue-6.12/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch b/queue-6.12/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch new file mode 100644 index 0000000000..815136d138 --- /dev/null +++ b/queue-6.12/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch 
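Review bot: Moving a filter from IAVF_VLAN_REMOVE back to IAVF_VLAN_ADD leaves `adapter->num_vlan_filters` untouched, while the new-filter branch just above increments it; that is consistent only if the counter still includes a filter that sits in REMOVE state, which the hunk does not show. Worth confirming against iavf_del_vlans() that the counter is never decremented while the entry is still on the list, since the commit message says the delete may already have been processed. iavf_add_vlan() starts and ends outside the hunk, so the lock that serializes this state change is not visible here.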
@@ -0,0 +1,68 @@ +From 6c23571e20241c2d1841dce977903a31b05cff34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 21:06:01 +0800 +Subject: icmp: fix NULL pointer dereference in icmp_tag_validation() + +From: Weiming Shi + +[ Upstream commit 614aefe56af8e13331e50220c936fc0689cf5675 ] + +icmp_tag_validation() unconditionally dereferences the result of +rcu_dereference(inet_protos[proto]) without checking for NULL. +The inet_protos[] array is sparse -- only about 15 of 256 protocol +numbers have registered handlers. When ip_no_pmtu_disc is set to 3 +(hardened PMTU mode) and the kernel receives an ICMP Fragmentation +Needed error with a quoted inner IP header containing an unregistered +protocol number, the NULL dereference causes a kernel panic in +softirq context. + + Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI + KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] + RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) + Call Trace: + + icmp_rcv (net/ipv4/icmp.c:1527) + ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) + ip_local_deliver_finish (net/ipv4/ip_input.c:242) + ip_local_deliver (net/ipv4/ip_input.c:262) + ip_rcv (net/ipv4/ip_input.c:573) + __netif_receive_skb_one_core (net/core/dev.c:6164) + process_backlog (net/core/dev.c:6628) + handle_softirqs (kernel/softirq.c:561) + + +Add a NULL check before accessing icmp_strict_tag_validation. If the +protocol has no registered handler, return false since it cannot +perform strict tag validation. 
+ +Fixes: 8ed1dc44d3e9 ("ipv4: introduce hardened ip_no_pmtu_disc mode") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Link: https://patch.msgid.link/20260318130558.1050247-4-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 8ab51b51cc9b2..58feb21ff967d 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -877,10 +877,12 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info) + + static bool icmp_tag_validation(int proto) + { ++ const struct net_protocol *ipprot; + bool ok; + + rcu_read_lock(); +- ok = rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation; ++ ipprot = rcu_dereference(inet_protos[proto]); ++ ok = ipprot ? ipprot->icmp_strict_tag_validation : false; + rcu_read_unlock(); + return ok; + } +-- +2.51.0 + diff --git a/queue-6.12/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch b/queue-6.12/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch new file mode 100644 index 0000000000..6c933b8af6 --- /dev/null +++ b/queue-6.12/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch 
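Review bot: The NULL guard is the right fix, since `proto` comes from the quoted inner header of a received ICMP error and `inet_protos[]` is sparse, but the new code does not say so and a future cleanup could fold the check away; add `/* inet_protos[] is sparse: proto comes from the quoted header and may have no handler */` above the dereference. Stylistically `ok = ipprot && ipprot->icmp_strict_tag_validation;` reads the same without the ternary. The function still trusts its caller to pass an in-range index; that caller is outside the hunk.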
@@ -0,0 +1,45 @@
+From 96f0ffdd33449931c669635dce7f9985b87caaa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 14 Feb 2026 19:46:32 +0000
+Subject: igc: fix missing update of skb->tail in igc_xmit_frame()
+
+From: Kohei Enju
+
+[ Upstream commit 0ffba246652faf4a36aedc66059c2f94e4c83ea5 ]
+
+igc_xmit_frame() misses updating skb->tail when the packet size is
+shorter than the minimum one.
+Use skb_put_padto() in alignment with other Intel Ethernet drivers.
+
+Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers")
+Signed-off-by: Kohei Enju
+Reviewed-by: Simon Horman
+Reviewed-by: Paul Menzel
+Tested-by: Avigail Dahan
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 18dad521aefcc..65134be59754f 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -1704,11 +1704,8 @@ static netdev_tx_t igc_xmit_frame(struct sk_buff *skb,
+ /* The minimum packet size with TCTL.PSP set is 17 so pad the skb
+ * in order to meet this minimum size requirement.
+ */
+- if (skb->len < 17) {
+- if (skb_padto(skb, 17))
+- return NETDEV_TX_OK;
+- skb->len = 17;
+- }
++ if (skb_put_padto(skb, 17))
++ return NETDEV_TX_OK;
+
+ return igc_xmit_frame_ring(skb, igc_tx_queue_mapping(adapter, skb));
+ }
+--
+2.51.0
+
diff --git a/queue-6.12/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch b/queue-6.12/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch
new file mode 100644
index 0000000000..16387a7f91
--- /dev/null
+++ b/queue-6.12/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch
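Review bot: `skb_put_padto()` frees the skb when it fails, which is why returning NETDEV_TX_OK with no kfree_skb is correct here, but the surrounding comment does not say so and the ownership rule is easy to get wrong on a later edit; extend it with `* skb_put_padto() frees the skb on failure, so NETDEV_TX_OK is the right return.` The literal 17 now appears in both the comment and the call, so a named constant would keep the two from drifting. igc_xmit_frame() starts outside the hunk.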
@@ -0,0 +1,118 @@ +From 50fa98874afadbfc27e91730677f4794fcb0eb51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 10:58:29 +0100 +Subject: igc: fix page fault in XDP TX timestamps handling + +From: Zdenek Bouska + +[ Upstream commit 45b33e805bd39f615d9353a7194b2da5281332df ] + +If an XDP application that requested TX timestamping is shutting down +while the link of the interface in use is still up the following kernel +splat is reported: + +[ 883.803618] [ T1554] BUG: unable to handle page fault for address: ffffcfb6200fd008 +... +[ 883.803650] [ T1554] Call Trace: +[ 883.803652] [ T1554] +[ 883.803654] [ T1554] igc_ptp_tx_tstamp_event+0xdf/0x160 [igc] +[ 883.803660] [ T1554] igc_tsync_interrupt+0x2d5/0x300 [igc] +... + +During shutdown of the TX ring the xsk_meta pointers are left behind, so +that the IRQ handler is trying to touch them. + +This issue is now being fixed by cleaning up the stale xsk meta data on +TX shutdown. TX timestamps on other queues remain unaffected. 
+ +Fixes: 15fd021bc427 ("igc: Add Tx hardware timestamp request for AF_XDP zero-copy packet") +Signed-off-by: Zdenek Bouska +Reviewed-by: Paul Menzel +Reviewed-by: Florian Bezdeka +Tested-by: Avigail Dahan +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc.h | 2 ++ + drivers/net/ethernet/intel/igc/igc_main.c | 7 +++++ + drivers/net/ethernet/intel/igc/igc_ptp.c | 33 +++++++++++++++++++++++ + 3 files changed, 42 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h +index 79d5fc5ac4fce..24949a50037ef 100644 +--- a/drivers/net/ethernet/intel/igc/igc.h ++++ b/drivers/net/ethernet/intel/igc/igc.h +@@ -745,6 +745,8 @@ ktime_t igc_ptp_rx_pktstamp(struct igc_adapter *adapter, __le32 *buf); + int igc_ptp_set_ts_config(struct net_device *netdev, struct ifreq *ifr); + int igc_ptp_get_ts_config(struct net_device *netdev, struct ifreq *ifr); + void igc_ptp_tx_hang(struct igc_adapter *adapter); ++void igc_ptp_clear_xsk_tx_tstamp_queue(struct igc_adapter *adapter, ++ u16 queue_id); + void igc_ptp_read(struct igc_adapter *adapter, struct timespec64 *ts); + void igc_ptp_tx_tstamp_event(struct igc_adapter *adapter); + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 65134be59754f..6fcf4fd7ee194 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -264,6 +264,13 @@ static void igc_clean_tx_ring(struct igc_ring *tx_ring) + /* reset next_to_use and next_to_clean */ + tx_ring->next_to_use = 0; + tx_ring->next_to_clean = 0; ++ ++ /* Clear any lingering XSK TX timestamp requests */ ++ if (test_bit(IGC_RING_FLAG_TX_HWTSTAMP, &tx_ring->flags)) { ++ struct igc_adapter *adapter = netdev_priv(tx_ring->netdev); ++ ++ igc_ptp_clear_xsk_tx_tstamp_queue(adapter, tx_ring->queue_index); ++ } + } + + /** +diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c 
b/drivers/net/ethernet/intel/igc/igc_ptp.c +index a272d1a29eadb..9ff73e7532e5e 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ptp.c ++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c +@@ -587,6 +587,39 @@ static void igc_ptp_clear_tx_tstamp(struct igc_adapter *adapter) + spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags); + } + ++/** ++ * igc_ptp_clear_xsk_tx_tstamp_queue - Clear pending XSK TX timestamps for a queue ++ * @adapter: Board private structure ++ * @queue_id: TX queue index to clear timestamps for ++ * ++ * Iterates over all TX timestamp registers and releases any pending ++ * timestamp requests associated with the given TX queue. This is ++ * called when an XDP pool is being disabled to ensure no stale ++ * timestamp references remain. ++ */ ++void igc_ptp_clear_xsk_tx_tstamp_queue(struct igc_adapter *adapter, u16 queue_id) ++{ ++ unsigned long flags; ++ int i; ++ ++ spin_lock_irqsave(&adapter->ptp_tx_lock, flags); ++ ++ for (i = 0; i < IGC_MAX_TX_TSTAMP_REGS; i++) { ++ struct igc_tx_timestamp_request *tstamp = &adapter->tx_tstamp[i]; ++ ++ if (tstamp->buffer_type != IGC_TX_BUFFER_TYPE_XSK) ++ continue; ++ if (tstamp->xsk_queue_index != queue_id) ++ continue; ++ if (!tstamp->xsk_tx_buffer) ++ continue; ++ ++ igc_ptp_free_tx_buffer(adapter, tstamp); ++ } ++ ++ spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags); ++} ++ + static void igc_ptp_disable_tx_timestamp(struct igc_adapter *adapter) + { + struct igc_hw *hw = &adapter->hw; +-- +2.51.0 + diff --git a/queue-6.12/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch b/queue-6.12/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch new file mode 100644 index 0000000000..a5198e218f --- /dev/null +++ b/queue-6.12/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch 
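Review bot: The kernel-doc on `igc_ptp_clear_xsk_tx_tstamp_queue()` says it is "called when an XDP pool is being disabled", but the only caller this series adds is `igc_clean_tx_ring()`, which runs on any ring teardown with IGC_RING_FLAG_TX_HWTSTAMP set; reword it to `* Called from igc_clean_tx_ring() so that no stale xsk_tx_buffer pointers survive a ring teardown.` The helper only releases entries whose `xsk_tx_buffer` is set; whether the hardware-side pending request is also cancelled is not visible here and presumably lives in igc_ptp_free_tx_buffer(). Because the call in igc_clean_tx_ring() is guarded by the ring flag, a ring whose flag is cleared before clean-up would keep its stale entries, so the ordering against where that flag is cleared is worth confirming.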
@@ -0,0 +1,37 @@
+From 7c831f5192324eadb5fe050ab6da308f73535517 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Mar 2026 23:35:09 +0100
+Subject: mpls: add missing unregister_netdevice_notifier to mpls_init
+
+From: Sabrina Dubroca
+
+[ Upstream commit 99600f79b28c83c68bae199a3d8e95049a758308 ]
+
+If mpls_init() fails after registering mpls_dev_notifier, it never
+gets removed. Add the missing unregister_netdevice_notifier() call to
+the error handling path.
+
+Fixes: 5be2062e3080 ("mpls: Handle error of rtnl_register_module().")
+Signed-off-by: Sabrina Dubroca
+Link: https://patch.msgid.link/7c55363c4f743d19e2306204a134407c90a69bbb.1773228081.git.sd@queasysnail.net
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/mpls/af_mpls.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
+index 3373b6b34dc7d..719dabb76ea21 100644
+--- a/net/mpls/af_mpls.c
++++ b/net/mpls/af_mpls.c
+@@ -2774,6 +2774,7 @@ static int __init mpls_init(void)
+ out_unregister_rtnl_af:
+ rtnl_af_unregister(&mpls_af_ops);
+ dev_remove_pack(&mpls_packet_type);
++ unregister_netdevice_notifier(&mpls_dev_notifier);
+ out_unregister_pernet:
+ unregister_pernet_subsys(&mpls_net_ops);
+ goto out;
+--
+2.51.0
+
diff --git a/queue-6.12/net-airoha-fix-pse-memory-configuration-in-airoha_fe.patch b/queue-6.12/net-airoha-fix-pse-memory-configuration-in-airoha_fe.patch
new file mode 100644
index 0000000000..688551988b
--- /dev/null
+++ b/queue-6.12/net-airoha-fix-pse-memory-configuration-in-airoha_fe.patch
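Review bot: Placing `unregister_netdevice_notifier(&mpls_dev_notifier)` under `out_unregister_rtnl_af` is correct only if the notifier is registered before every failure that jumps to this label and after everything torn down under `out_unregister_pernet`; the registration is outside the hunk, so that ordering cannot be confirmed here. A short comment on the label, `/* undo in reverse order: af ops, packet type, notifier */`, would document the intended LIFO teardown. mpls_init() starts and ends outside the hunk.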
@@ -0,0 +1,51 @@ +From b614a63ee76d5a6157aa7a87cf2f889eb6f0681d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 12:10:25 +0200 +Subject: net: airoha: fix PSE memory configuration in + airoha_fe_pse_ports_init() + +From: Lorenzo Bianconi + +[ Upstream commit 8e38e08f2c560328a873c35aff1a0dbea6a7d084 ] + +Align PSE memory configuration to vendor SDK. In particular, increase +initial value of PSE reserved memory in airoha_fe_pse_ports_init() +routine by the value used for the second Packet Processor Engine (PPE2) +and do not overwrite the default value. + +Introduced by commit 23020f049327 ("net: airoha: Introduce ethernet support +for EN7581 SoC") + +Signed-off-by: Lorenzo Bianconi +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241001-airoha-eth-pse-fix-v2-2-9a56cdffd074@kernel.org +Signed-off-by: Jakub Kicinski +Stable-dep-of: d4a533ad249e ("net: airoha: Remove airoha_dev_stop() in airoha_remove()") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/airoha_eth.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mediatek/airoha_eth.c b/drivers/net/ethernet/mediatek/airoha_eth.c +index 6aa764b542eb5..cd2e888a8c52e 100644 +--- a/drivers/net/ethernet/mediatek/airoha_eth.c ++++ b/drivers/net/ethernet/mediatek/airoha_eth.c +@@ -1172,11 +1172,13 @@ static void airoha_fe_pse_ports_init(struct airoha_eth *eth) + [FE_PSE_PORT_GDM4] = 2, + [FE_PSE_PORT_CDM5] = 2, + }; ++ u32 all_rsv; + int q; + ++ all_rsv = airoha_fe_get_pse_all_rsv(eth); + /* hw misses PPE2 oq rsv */ +- airoha_fe_set(eth, REG_FE_PSE_BUF_SET, +- PSE_RSV_PAGES * pse_port_num_queues[FE_PSE_PORT_PPE2]); ++ all_rsv += PSE_RSV_PAGES * pse_port_num_queues[FE_PSE_PORT_PPE2]; ++ airoha_fe_set(eth, REG_FE_PSE_BUF_SET, all_rsv); + + /* CMD1 */ + for (q = 0; q < pse_port_num_queues[FE_PSE_PORT_CDM1]; q++) +-- +2.51.0 + 
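Review bot: `airoha_fe_set(eth, REG_FE_PSE_BUF_SET, all_rsv)` ORs in a value that already contains the current reserved-pages field, if `airoha_fe_set()` is the read-modify-OR its name suggests; `old | (old + delta)` equals `old + delta` only when the addition clears no bit that was already set, so the programmed count can come out higher than intended. The sibling `airoha_fe_set_pse_oq_rsv()` in this same series writes the field with `airoha_fe_rmw(eth, REG_FE_PSE_BUF_SET, PSE_ALLRSV_MASK, FIELD_PREP(PSE_ALLRSV_MASK, all_rsv))`; using the same form here would make the write exact and consistent. The unshifted write also assumes PSE_ALLRSV_MASK starts at bit 0, which is not visible here. airoha_fe_pse_ports_init() continues beyond the hunk.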
diff --git a/queue-6.12/net-airoha-read-completion-queue-data-in-airoha_qdma.patch b/queue-6.12/net-airoha-read-completion-queue-data-in-airoha_qdma.patch new file mode 100644 index 0000000000..428923467d --- /dev/null +++ b/queue-6.12/net-airoha-read-completion-queue-data-in-airoha_qdma.patch 
@@ -0,0 +1,102 @@ +From 116d17b786de0bb22260b305666ad71db532d8e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2024 13:17:09 +0100 +Subject: net: airoha: Read completion queue data in airoha_qdma_tx_napi_poll() + +From: Lorenzo Bianconi + +[ Upstream commit 3affa310de523d63e52ea8e2efb3c476df29e414 ] + +In order to avoid any possible race, read completion queue head and +pending entry in airoha_qdma_tx_napi_poll routine instead of doing it in +airoha_irq_handler. Remove unused airoha_tx_irq_queue unused fields. +This is a preliminary patch to add Qdisc offload for airoha_eth driver. + +Signed-off-by: Lorenzo Bianconi +Link: https://patch.msgid.link/20241029-airoha-en7581-tx-napi-work-v1-1-96ad1686b946@kernel.org +Signed-off-by: Jakub Kicinski +Stable-dep-of: d4a533ad249e ("net: airoha: Remove airoha_dev_stop() in airoha_remove()") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/airoha_eth.c | 31 +++++++++------------- + 1 file changed, 13 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/mediatek/airoha_eth.c b/drivers/net/ethernet/mediatek/airoha_eth.c +index cd2e888a8c52e..1dc051749603e 100644 +--- a/drivers/net/ethernet/mediatek/airoha_eth.c ++++ b/drivers/net/ethernet/mediatek/airoha_eth.c +@@ -752,11 +752,9 @@ struct airoha_tx_irq_queue { + struct airoha_qdma *qdma; + + struct napi_struct napi; +- u32 *q; + + int size; +- int queued; +- u16 head; ++ u32 *q; + }; + + struct airoha_hw_stats { +@@ -1655,25 +1653,31 @@ static int airoha_qdma_init_rx(struct airoha_qdma *qdma) + static int airoha_qdma_tx_napi_poll(struct napi_struct *napi, int budget) + { + struct airoha_tx_irq_queue *irq_q; ++ int id, done = 0, irq_queued; + struct airoha_qdma *qdma; + struct airoha_eth *eth; +- int id, done = 0; ++ u32 status, head; + + irq_q = container_of(napi, struct airoha_tx_irq_queue, napi); + qdma = irq_q->qdma; + id = irq_q - &qdma->q_tx_irq[0]; + eth = qdma->eth; + +- while (irq_q->queued > 0 && done < budget) { +- u32 
qid, last, val = irq_q->q[irq_q->head]; ++ status = airoha_qdma_rr(qdma, REG_IRQ_STATUS(id)); ++ head = FIELD_GET(IRQ_HEAD_IDX_MASK, status); ++ head = head % irq_q->size; ++ irq_queued = FIELD_GET(IRQ_ENTRY_LEN_MASK, status); ++ ++ while (irq_queued > 0 && done < budget) { ++ u32 qid, last, val = irq_q->q[head]; + struct airoha_queue *q; + + if (val == 0xff) + break; + +- irq_q->q[irq_q->head] = 0xff; /* mark as done */ +- irq_q->head = (irq_q->head + 1) % irq_q->size; +- irq_q->queued--; ++ irq_q->q[head] = 0xff; /* mark as done */ ++ head = (head + 1) % irq_q->size; ++ irq_queued--; + done++; + + last = FIELD_GET(IRQ_DESC_IDX_MASK, val); +@@ -2023,20 +2027,11 @@ static irqreturn_t airoha_irq_handler(int irq, void *dev_instance) + + if (intr[0] & INT_TX_MASK) { + for (i = 0; i < ARRAY_SIZE(qdma->q_tx_irq); i++) { +- struct airoha_tx_irq_queue *irq_q = &qdma->q_tx_irq[i]; +- u32 status, head; +- + if (!(intr[0] & TX_DONE_INT_MASK(i))) + continue; + + airoha_qdma_irq_disable(qdma, QDMA_INT_REG_IDX0, + TX_DONE_INT_MASK(i)); +- +- status = airoha_qdma_rr(qdma, REG_IRQ_STATUS(i)); +- head = FIELD_GET(IRQ_HEAD_IDX_MASK, status); +- irq_q->head = head % irq_q->size; +- irq_q->queued = FIELD_GET(IRQ_ENTRY_LEN_MASK, status); +- + napi_schedule(&qdma->q_tx_irq[i].napi); + } + } +-- +2.51.0 + diff --git a/queue-6.12/net-airoha-read-default-pse-reserved-pages-value-bef.patch b/queue-6.12/net-airoha-read-default-pse-reserved-pages-value-bef.patch new file mode 100644 index 0000000000..c455a5ec41 --- /dev/null +++ b/queue-6.12/net-airoha-read-default-pse-reserved-pages-value-bef.patch 
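Review bot: `head = head % irq_q->size` silently clamps a hardware-supplied index, and the loop below exits on the `0xff` done marker independently of `irq_queued`; neither the clamp nor why both exit conditions coexist is explained. A comment on the register read, `/* head/len are re-read from hw on every poll; the modulo keeps a bad index inside the ring */`, and one on the `val == 0xff` break would make the loop self-describing. airoha_qdma_tx_napi_poll() continues past the hunk, so what happens to entries left over when `done == budget` is not visible here.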
@@ -0,0 +1,62 @@ +From 703ce5c0380843452b4a2024be85a56fd985f45d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 12:10:24 +0200 +Subject: net: airoha: read default PSE reserved pages value before updating + +From: Lorenzo Bianconi + +[ Upstream commit 1f3e7ff4f296af1f4350f457d5bd82bc825e645a ] + +Store the default value for the number of PSE reserved pages in orig_val +at the beginning of airoha_fe_set_pse_oq_rsv routine, before updating it +with airoha_fe_set_pse_queue_rsv_pages(). +Introduce airoha_fe_get_pse_all_rsv utility routine. + +Introduced by commit 23020f049327 ("net: airoha: Introduce ethernet support +for EN7581 SoC") + +Signed-off-by: Lorenzo Bianconi +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241001-airoha-eth-pse-fix-v2-1-9a56cdffd074@kernel.org +Signed-off-by: Jakub Kicinski +Stable-dep-of: d4a533ad249e ("net: airoha: Remove airoha_dev_stop() in airoha_remove()") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/airoha_eth.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mediatek/airoha_eth.c b/drivers/net/ethernet/mediatek/airoha_eth.c +index 20cf7ba9d7508..6aa764b542eb5 100644 +--- a/drivers/net/ethernet/mediatek/airoha_eth.c ++++ b/drivers/net/ethernet/mediatek/airoha_eth.c +@@ -1116,17 +1116,23 @@ static void airoha_fe_set_pse_queue_rsv_pages(struct airoha_eth *eth, + PSE_CFG_WR_EN_MASK | PSE_CFG_OQRSV_SEL_MASK); + } + ++static u32 airoha_fe_get_pse_all_rsv(struct airoha_eth *eth) ++{ ++ u32 val = airoha_fe_rr(eth, REG_FE_PSE_BUF_SET); ++ ++ return FIELD_GET(PSE_ALLRSV_MASK, val); ++} ++ + static int airoha_fe_set_pse_oq_rsv(struct airoha_eth *eth, + u32 port, u32 queue, u32 val) + { +- u32 orig_val, tmp, all_rsv, fq_limit; ++ u32 orig_val = airoha_fe_get_pse_queue_rsv_pages(eth, port, queue); ++ u32 tmp, all_rsv, fq_limit; + + airoha_fe_set_pse_queue_rsv_pages(eth, port, queue, val); + + /* modify all rsv */ +- orig_val = 
airoha_fe_get_pse_queue_rsv_pages(eth, port, queue); +- tmp = airoha_fe_rr(eth, REG_FE_PSE_BUF_SET); +- all_rsv = FIELD_GET(PSE_ALLRSV_MASK, tmp); ++ all_rsv = airoha_fe_get_pse_all_rsv(eth); + all_rsv += (val - orig_val); + airoha_fe_rmw(eth, REG_FE_PSE_BUF_SET, PSE_ALLRSV_MASK, + FIELD_PREP(PSE_ALLRSV_MASK, all_rsv)); +-- +2.51.0 + diff --git a/queue-6.12/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch b/queue-6.12/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch new file mode 100644 index 0000000000..09c01915b1 --- /dev/null +++ b/queue-6.12/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch 
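Review bot: `all_rsv += (val - orig_val)` relies on u32 wraparound when `val < orig_val` and on the result being masked by `FIELD_PREP(PSE_ALLRSV_MASK, ...)`; that is correct but non-obvious, so add `/* u32 wraparound makes this a signed adjustment; FIELD_PREP masks the result */` above it. Reading `orig_val` at its declaration now correctly precedes the `airoha_fe_set_pse_queue_rsv_pages()` write. The new `airoha_fe_get_pse_all_rsv()` helper has no comment; `/* current value of the PSE_ALLRSV field of REG_FE_PSE_BUF_SET */` would do. airoha_fe_set_pse_oq_rsv() continues beyond the hunk.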
@@ -0,0 +1,40 @@
+From 4bca766c287bcce10708e54d4a9e15d8fef5f2f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Mar 2026 12:27:00 +0100
+Subject: net: airoha: Remove airoha_dev_stop() in airoha_remove()
+
+From: Lorenzo Bianconi
+
+[ Upstream commit d4a533ad249e9fbdc2d0633f2ddd60a5b3a9a4ca ]
+
+Do not run airoha_dev_stop routine explicitly in airoha_remove()
+since ndo_stop() callback is already executed by unregister_netdev() in
+__dev_close_many routine if necessary and, doing so, we will end up causing
+an underflow in the qdma users atomic counters. Rely on networking subsystem
+to stop the device removing the airoha_eth module.
+
+Fixes: 23020f0493270 ("net: airoha: Introduce ethernet support for EN7581 SoC")
+Signed-off-by: Lorenzo Bianconi
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20260313-airoha-remove-ndo_stop-remove-net-v2-1-67542c3ceeca@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mediatek/airoha_eth.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/airoha_eth.c b/drivers/net/ethernet/mediatek/airoha_eth.c
+index 1dc051749603e..da259c4b03fbf 100644
+--- a/drivers/net/ethernet/mediatek/airoha_eth.c
++++ b/drivers/net/ethernet/mediatek/airoha_eth.c
+@@ -2784,7 +2784,6 @@ static void airoha_remove(struct platform_device *pdev)
+ if (!port)
+ continue;
+
+- airoha_dev_stop(port->dev);
+ unregister_netdev(port->dev);
+ }
+ free_netdev(eth->napi_dev);
+--
+2.51.0
+
diff --git a/queue-6.12/net-bcmgenet-increase-wol-poll-timeout.patch b/queue-6.12/net-bcmgenet-increase-wol-poll-timeout.patch
new file mode 100644
index 0000000000..55979053b5
--- /dev/null
+++ b/queue-6.12/net-bcmgenet-increase-wol-poll-timeout.patch
@@ -0,0 +1,38 @@
+From 3405ce68d783ff6797279fca7232342a57ba0bc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Mar 2026 12:18:52 -0700
+Subject: net: bcmgenet: increase WoL poll timeout
+
+From: Justin Chen
+
+[ Upstream commit 6cfc3bc02b977f2fba5f7268e6504d1931a774f7 ]
+
+Some systems require more than 5ms to get into WoL mode. Increase the
+timeout value to 50ms.
+
+Fixes: c51de7f3976b ("net: bcmgenet: add Wake-on-LAN support code")
+Signed-off-by: Justin Chen
+Reviewed-by: Florian Fainelli
+Link: https://patch.msgid.link/20260312191852.3904571-1-justin.chen@broadcom.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+index 3b082114f2e53..2033fb9d893e0 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+@@ -123,7 +123,7 @@ static int bcmgenet_poll_wol_status(struct bcmgenet_priv *priv)
+ while (!(bcmgenet_rbuf_readl(priv, RBUF_STATUS)
+ & RBUF_STATUS_WOL)) {
+ retries++;
+- if (retries > 5) {
++ if (retries > 50) {
+ netdev_crit(dev, "polling wol mode timeout\n");
+ return -ETIMEDOUT;
+ }
+--
+2.51.0
+
diff --git a/queue-6.12/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch b/queue-6.12/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
new file mode 100644
index 0000000000..abfa0a7917
--- /dev/null
+++ b/queue-6.12/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
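Review bot: The retry bound is a bare literal in both the old and the new line, and the 50ms figure in the commit message depends on a per-iteration delay that sits outside the hunk, so a reader of the loop cannot tell what timeout `50` corresponds to. A named constant whose comment carries the unit, for example `#define WOL_POLL_RETRIES 50 /* ~50 ms; commit message implies ~1 ms per retry */` (a constructed name, taken from the actual loop delay), would tie the two together. bcmgenet_poll_wol_status() starts outside the hunk.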
@@ -0,0 +1,87 @@ +From a807199e89dbc3eff0c1c4694b1dc30e61a0e4ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 17:50:34 -0700 +Subject: net: bonding: fix NULL deref in bond_debug_rlb_hash_show + +From: Xiang Mei + +[ Upstream commit 605b52497bf89b3b154674deb135da98f916e390 ] + +rlb_clear_slave intentionally keeps RLB hash-table entries on +the rx_hashtbl_used_head list with slave set to NULL when no +replacement slave is available. However, bond_debug_rlb_hash_show +visites client_info->slave without checking if it's NULL. + +Other used-list iterators in bond_alb.c already handle this NULL-slave +state safely: + +- rlb_update_client returns early on !client_info->slave +- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance +compare slave values before visiting +- lb_req_update_subnet_clients continues if slave is NULL + +The following NULL deref crash can be trigger in +bond_debug_rlb_hash_show: + +[ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41) +[ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286 +[ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204 +[ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078 +[ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000 +[ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0 +[ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8 +[ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000 +[ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0 +[ 1.295897] Call Trace: +[ 1.296134] seq_read_iter (fs/seq_file.c:231) +[ 1.296341] seq_read (fs/seq_file.c:164) +[ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1)) +[ 1.296658] vfs_read 
(fs/read_write.c:572) +[ 1.296981] ksys_read (fs/read_write.c:717) +[ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) +[ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Add a NULL check and print "(none)" for entries with no assigned slave. + +Fixes: caafa84251b88 ("bonding: add the debugfs interface to see RLB hash table") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260317005034.1888794-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_debugfs.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/bonding/bond_debugfs.c b/drivers/net/bonding/bond_debugfs.c +index b19492a7f6ad1..3c1945c3e850a 100644 +--- a/drivers/net/bonding/bond_debugfs.c ++++ b/drivers/net/bonding/bond_debugfs.c +@@ -34,11 +34,17 @@ static int bond_debug_rlb_hash_show(struct seq_file *m, void *v) + for (; hash_index != RLB_NULL_INDEX; + hash_index = client_info->used_next) { + client_info = &(bond_info->rx_hashtbl[hash_index]); +- seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", +- &client_info->ip_src, +- &client_info->ip_dst, +- &client_info->mac_dst, +- client_info->slave->dev->name); ++ if (client_info->slave) ++ seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", ++ &client_info->ip_src, ++ &client_info->ip_dst, ++ &client_info->mac_dst, ++ client_info->slave->dev->name); ++ else ++ seq_printf(m, "%-15pI4 %-15pI4 %-17pM (none)\n", ++ &client_info->ip_src, ++ &client_info->ip_dst, ++ &client_info->mac_dst); + } + + spin_unlock_bh(&bond->mode_lock); +-- +2.51.0 + diff --git a/queue-6.12/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch b/queue-6.12/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch new file mode 100644 index 0000000000..ff5486d791 --- /dev/null +++ b/queue-6.12/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch 
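Review bot: The two seq_printf() calls in bond_debug_rlb_hash_show() repeat the same format and the same three arguments and differ only in the last column, which is easier to keep in sync as one call: `seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", &client_info->ip_src, &client_info->ip_dst, &client_info->mac_dst, client_info->slave ? client_info->slave->dev->name : "(none)");`. The NULL-slave state is only explained in the description, so a comment on the read such as `/* slave is NULL when rlb_clear_slave() found no replacement */` would help the next reader. The walk runs under bond->mode_lock (the unlock is visible at the hunk's end), which presumably is what keeps the check and the dereference consistent with rlb_clear_slave(); that is inferred, not shown here.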
@@ -0,0 +1,59 @@ +From e573fe9dbf8d5b2f346b8ccd3a4b0d46a3ed5f40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 08:42:12 +0000 +Subject: net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths + +From: Anas Iqbal + +[ Upstream commit b48731849609cbd8c53785a48976850b443153fd ] + +Smatch reports: +drivers/net/dsa/bcm_sf2.c:997 bcm_sf2_sw_resume() warn: +'priv->clk' from clk_prepare_enable() not released on lines: 983,990. + +The clock enabled by clk_prepare_enable() in bcm_sf2_sw_resume() +is not released if bcm_sf2_sw_rst() or bcm_sf2_cfp_resume() fails. + +Add the missing clk_disable_unprepare() calls in the error paths +to properly release the clock resource. + +Fixes: e9ec5c3bd238 ("net: dsa: bcm_sf2: request and handle clocks") +Reviewed-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Signed-off-by: Anas Iqbal +Link: https://patch.msgid.link/20260318084212.1287-1-mohd.abd.6602@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/bcm_sf2.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c +index f1372830d5fa2..e680fff7d23fb 100644 +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -980,15 +980,19 @@ static int bcm_sf2_sw_resume(struct dsa_switch *ds) + ret = bcm_sf2_sw_rst(priv); + if (ret) { + pr_err("%s: failed to software reset switch\n", __func__); ++ if (!priv->wol_ports_mask) ++ clk_disable_unprepare(priv->clk); + return ret; + } + + bcm_sf2_crossbar_setup(priv); + + ret = bcm_sf2_cfp_resume(ds); +- if (ret) ++ if (ret) { ++ if (!priv->wol_ports_mask) ++ clk_disable_unprepare(priv->clk); + return ret; +- ++ } + if (priv->hw_params.num_gphy == 1) + bcm_sf2_gphy_enable_set(ds, true); + +-- +2.51.0 + diff --git a/queue-6.12/net-macb-fix-uninitialized-rx_fs_lock.patch b/queue-6.12/net-macb-fix-uninitialized-rx_fs_lock.patch new file mode 100644 index 0000000000..4620e3d344 --- /dev/null 
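Review bot: The clock release is now duplicated in both error paths of bcm_sf2_sw_resume(), each repeating the `!priv->wol_ports_mask` condition that presumably mirrors the clk_prepare_enable() guard above the hunk; a single `out_clk:` label keeps the enable/disable pairing in one place and covers the next error return added to this function. The function's tail is outside the hunk, so the label would go beyond what is visible here, and the normal return must stay ahead of it. The hunk also dropped the blank line between the cfp_resume check and the `num_gphy` test, which is worth restoring.
```c
	ret = bcm_sf2_sw_rst(priv);
	if (ret) {
		pr_err("%s: failed to software reset switch\n", __func__);
		goto out_clk;
	}

	bcm_sf2_crossbar_setup(priv);

	ret = bcm_sf2_cfp_resume(ds);
	if (ret)
		goto out_clk;

	/* … unchanged: gphy enable and the rest of resume, returning before the label … */

out_clk:
	if (!priv->wol_ports_mask)
		clk_disable_unprepare(priv->clk);
	return ret;
```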
+++ b/queue-6.12/net-macb-fix-uninitialized-rx_fs_lock.patch 
@@ -0,0 +1,78 @@ +From 5f7786762e6f8360af75da4de8d4c1605b4de857 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 13:38:25 +0300 +Subject: net: macb: fix uninitialized rx_fs_lock + +From: Fedor Pchelkin + +[ Upstream commit 34b11cc56e4369bc08b1f4c4a04222d75ed596ce ] + +If hardware doesn't support RX Flow Filters, rx_fs_lock spinlock is not +initialized leading to the following assertion splat triggerable via +set_rxnfc callback. + +INFO: trying to register non-static key. +The code is fine but needs lockdep annotation, or maybe +you didn't initialize this object before use? +turning off the locking correctness validator. +CPU: 1 PID: 949 Comm: syz.0.6 Not tainted 6.1.164+ #113 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106 + assign_lock_key kernel/locking/lockdep.c:974 [inline] + register_lock_class+0x141b/0x17f0 kernel/locking/lockdep.c:1287 + __lock_acquire+0x74f/0x6c40 kernel/locking/lockdep.c:4928 + lock_acquire kernel/locking/lockdep.c:5662 [inline] + lock_acquire+0x190/0x4b0 kernel/locking/lockdep.c:5627 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:162 + gem_del_flow_filter drivers/net/ethernet/cadence/macb_main.c:3562 [inline] + gem_set_rxnfc+0x533/0xac0 drivers/net/ethernet/cadence/macb_main.c:3667 + ethtool_set_rxnfc+0x18c/0x280 net/ethtool/ioctl.c:961 + __dev_ethtool net/ethtool/ioctl.c:2956 [inline] + dev_ethtool+0x229c/0x6290 net/ethtool/ioctl.c:3095 + dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510 + sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215 + sock_ioctl+0x577/0x6d0 net/socket.c:1320 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856 + do_syscall_x64 
arch/x86/entry/common.c:46 [inline] + do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +A more straightforward solution would be to always initialize rx_fs_lock, +just like rx_fs_list. However, in this case the driver set_rxnfc callback +would return with a rather confusing error code, e.g. -EINVAL. So deny +set_rxnfc attempts directly if the RX filtering feature is not supported +by hardware. + +Fixes: ae8223de3df5 ("net: macb: Added support for RX filtering") +Signed-off-by: Fedor Pchelkin +Link: https://patch.msgid.link/20260316103826.74506-2-pchelkin@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 533bd66fb485c..89aa50893d360 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -3845,6 +3845,9 @@ static int gem_set_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd) + struct macb *bp = netdev_priv(netdev); + int ret; + ++ if (!(netdev->hw_features & NETIF_F_NTUPLE)) ++ return -EOPNOTSUPP; ++ + switch (cmd->cmd) { + case ETHTOOL_SRXCLSRLINS: + if ((cmd->fs.location >= bp->max_tuples) +-- +2.51.0 + diff --git a/queue-6.12/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch b/queue-6.12/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch new file mode 100644 index 0000000000..2672721170 --- /dev/null +++ b/queue-6.12/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch 
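Review bot: The early return in gem_set_rxnfc() keys on `netdev->hw_features & NETIF_F_NTUPLE`, but nothing in the code ties that bit to the conditional initialisation of rx_fs_lock that the description relies on, so the connection is easy to lose in a later refactor; a comment such as `/* rx_fs_lock and rx_fs_list are only initialised when HW supports RX flow filters (NETIF_F_NTUPLE) */` would make the invariant explicit. If gem_get_rxnfc() (outside the hunk) also takes rx_fs_lock for ETHTOOL_GRXCLSRULE or GRXCLSRLALL it needs the same guard, since the lockdep splat would be reachable from the read side too. Checking hw_features rather than the active features appears to be the right choice here, as the lock's existence follows hardware capability rather than the user toggling ntuple; worth confirming against the probe code.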
@@ -0,0 +1,67 @@ +From 0352881291f9237975e64b00d5ea6a122a8e59fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 12:22:04 -0700 +Subject: net: mana: fix use-after-free in mana_hwc_destroy_channel() by + reordering teardown + +From: Dipayaan Roy + +[ Upstream commit fa103fc8f56954a60699a29215cb713448a39e87 ] + +A potential race condition exists in mana_hwc_destroy_channel() where +hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and +Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt +handler to dereference freed memory, leading to a use-after-free or +NULL pointer dereference in mana_hwc_handle_resp(). + +mana_smc_teardown_hwc() signals the hardware to stop but does not +synchronize against IRQ handlers already executing on other CPUs. The +IRQ synchronization only happens in mana_hwc_destroy_cq() via +mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs +after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler() +can dereference freed caller_ctx (and rxq->msg_buf) in +mana_hwc_handle_resp(). + +Fix this by reordering teardown to reverse-of-creation order: destroy +the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This +ensures all in-flight interrupt handlers complete before the memory they +access is freed. 
+ +Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") +Reviewed-by: Haiyang Zhang +Signed-off-by: Dipayaan Roy +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/abHA3AjNtqa1nx9k@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c +index a00f915c51881..e07d0a9529782 100644 +--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c ++++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c +@@ -778,9 +778,6 @@ void mana_hwc_destroy_channel(struct gdma_context *gc) + gc->max_num_cqs = 0; + } + +- kfree(hwc->caller_ctx); +- hwc->caller_ctx = NULL; +- + if (hwc->txq) + mana_hwc_destroy_wq(hwc, hwc->txq); + +@@ -790,6 +787,9 @@ void mana_hwc_destroy_channel(struct gdma_context *gc) + if (hwc->cq) + mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq); + ++ kfree(hwc->caller_ctx); ++ hwc->caller_ctx = NULL; ++ + mana_gd_free_res_map(&hwc->inflight_msg_res); + + hwc->num_inflight_msg = 0; +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch b/queue-6.12/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch new file mode 100644 index 0000000000..89f7a814a4 --- /dev/null +++ b/queue-6.12/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch 
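Review bot: Moving kfree(hwc->caller_ctx) after mana_hwc_destroy_cq() closes the window the description names for caller_ctx, but the RX work queue, whose msg_buf the description also says mana_hwc_handle_resp() dereferences, is still torn down by mana_hwc_destroy_wq() before the CQ/EQ path deregisters the IRQ. Unless mana_hwc_destroy_wq() quiesces or waits for the handler itself, a concurrent mana_hwc_rx_event_handler() can still reach freed rxq->msg_buf; destroying the CQ before the txq/rxq would close both windows, or a comment should state why the wq teardown is safe. The rxq teardown sits in the context between the two inner hunks, so this is inferred from the visible txq call and the description rather than shown directly.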
@@ -0,0 +1,112 @@ +From 647fbee777c8c7a379c6ff6619adb226f497aefe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 11:46:01 +0200 +Subject: net/mlx5: qos: Restrict RTNL area to avoid a lock cycle + +From: Cosmin Ratiu + +[ Upstream commit b7e3a5d9c0d66b7fb44f63aef3bd734821afa0c8 ] + +A lock dependency cycle exists where: +1. mlx5_ib_roce_init -> mlx5_core_uplink_netdev_event_replay -> +mlx5_blocking_notifier_call_chain (takes notifier_rwsem) -> +mlx5e_mdev_notifier_event -> mlx5_netdev_notifier_register -> +register_netdevice_notifier_dev_net (takes rtnl) +=> notifier_rwsem -> rtnl + +2. mlx5e_probe -> _mlx5e_probe -> +mlx5_core_uplink_netdev_set (takes uplink_netdev_lock) -> +mlx5_blocking_notifier_call_chain (takes notifier_rwsem) +=> uplink_netdev_lock -> notifier_rwsem + +3: devlink_nl_rate_set_doit -> devlink_nl_rate_set -> +mlx5_esw_devlink_rate_leaf_tx_max_set -> esw_qos_devlink_rate_to_mbps -> +mlx5_esw_qos_max_link_speed_get (takes rtnl) -> +mlx5_esw_qos_lag_link_speed_get_locked -> +mlx5_uplink_netdev_get (takes uplink_netdev_lock) +=> rtnl -> uplink_netdev_lock +=> BOOM! (lock cycle) + +Fix that by restricting the rtnl-protected section to just the necessary +part, the call to netdev_master_upper_dev_get and speed querying, so +that the last lock dependency is avoided and the cycle doesn't close. +This is safe because mlx5_uplink_netdev_get uses netdev_hold to keep the +uplink netdev alive while its master device is queried. + +Use this opportunity to rename the ambiguously-named "hold_rtnl_lock" +argument to "take_rtnl" and remove the "_locked" suffix from +mlx5_esw_qos_lag_link_speed_get_locked. 
+ +Fixes: 6b4be64fd9fe ("net/mlx5e: Harden uplink netdev access against device unbind") +Signed-off-by: Cosmin Ratiu +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260316094603.6999-2-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/esw/qos.c | 23 ++++++++----------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c +index d8c304427e2ab..8c2e1d881a1a2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c +@@ -713,24 +713,24 @@ int mlx5_esw_qos_set_vport_rate(struct mlx5_eswitch *esw, struct mlx5_vport *vpo + return err; + } + +-static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev) ++static u32 mlx5_esw_qos_lag_link_speed_get(struct mlx5_core_dev *mdev, ++ bool take_rtnl) + { + struct ethtool_link_ksettings lksettings; + struct net_device *slave, *master; + u32 speed = SPEED_UNKNOWN; + +- /* Lock ensures a stable reference to master and slave netdevice +- * while port speed of master is queried. 
+- */ +- ASSERT_RTNL(); +- + slave = mlx5_uplink_netdev_get(mdev); + if (!slave) + goto out; + ++ if (take_rtnl) ++ rtnl_lock(); + master = netdev_master_upper_dev_get(slave); + if (master && !__ethtool_get_link_ksettings(master, &lksettings)) + speed = lksettings.base.speed; ++ if (take_rtnl) ++ rtnl_unlock(); + + out: + mlx5_uplink_netdev_put(mdev, slave); +@@ -738,20 +738,15 @@ static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev) + } + + static int mlx5_esw_qos_max_link_speed_get(struct mlx5_core_dev *mdev, u32 *link_speed_max, +- bool hold_rtnl_lock, struct netlink_ext_ack *extack) ++ bool take_rtnl, ++ struct netlink_ext_ack *extack) + { + int err; + + if (!mlx5_lag_is_active(mdev)) + goto skip_lag; + +- if (hold_rtnl_lock) +- rtnl_lock(); +- +- *link_speed_max = mlx5_esw_qos_lag_link_speed_get_locked(mdev); +- +- if (hold_rtnl_lock) +- rtnl_unlock(); ++ *link_speed_max = mlx5_esw_qos_lag_link_speed_get(mdev, take_rtnl); + + if (*link_speed_max != (u32)SPEED_UNKNOWN) + return 0; +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch b/queue-6.12/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch new file mode 100644 index 0000000000..6da6c6a4c3 --- /dev/null +++ b/queue-6.12/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch 
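Review bot: Dropping ASSERT_RTNL() from mlx5_esw_qos_lag_link_speed_get() removes the only check that the `take_rtnl == false` path is entered with RTNL held, so a caller passing false without the lock would read the master pointer and link settings unprotected without any lockdep report. Keep the assertion on that branch: `if (take_rtnl) rtnl_lock(); else ASSERT_RTNL();`. The explanatory comment went with it; a short replacement such as `/* RTNL protects master and its link settings; the slave is held by mlx5_uplink_netdev_get() (see description) */` would preserve the rationale.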
@@ -0,0 +1,128 @@ +From e2c81813c58ef277ff63c83bf0a2a3c23a628a9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 11:46:03 +0200 +Subject: net/mlx5e: Fix race condition during IPSec ESN update + +From: Jianbo Liu + +[ Upstream commit beb6e2e5976a128b0cccf10d158124422210c5ef ] + +In IPSec full offload mode, the device reports an ESN (Extended +Sequence Number) wrap event to the driver. The driver validates this +event by querying the IPSec ASO and checking that the esn_event_arm +field is 0x0, which indicates an event has occurred. After handling +the event, the driver must re-arm the context by setting esn_event_arm +back to 0x1. + +A race condition exists in this handling path. After validating the +event, the driver calls mlx5_accel_esp_modify_xfrm() to update the +kernel's xfrm state. This function temporarily releases and +re-acquires the xfrm state lock. + +So, need to acknowledge the event first by setting esn_event_arm to +0x1. This prevents the driver from reprocessing the same ESN update if +the hardware sends events for other reason. Since the next ESN update +only occurs after nearly 2^31 packets are received, there's no risk of +missing an update, as it will happen long after this handling has +finished. + +Processing the event twice causes the ESN high-order bits (esn_msb) to +be incremented incorrectly. The driver then programs the hardware with +this invalid ESN state, which leads to anti-replay failures and a +complete halt of IPSec traffic. + +Fix this by re-arming the ESN event immediately after it is validated, +before calling mlx5_accel_esp_modify_xfrm(). This ensures that any +spurious, duplicate events are correctly ignored, closing the race +window. 
+ +Fixes: fef06678931f ("net/mlx5e: Fix ESN update kernel panic") +Signed-off-by: Jianbo Liu +Reviewed-by: Leon Romanovsky +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260316094603.6999-4-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../mlx5/core/en_accel/ipsec_offload.c | 33 ++++++++----------- + 1 file changed, 14 insertions(+), 19 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c +index bb2555706d082..40fe3d1e2342c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c +@@ -311,10 +311,11 @@ static void mlx5e_ipsec_aso_update(struct mlx5e_ipsec_sa_entry *sa_entry, + mlx5e_ipsec_aso_query(sa_entry, data); + } + +-static void mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry, +- u32 mode_param) ++static void ++mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry, ++ u32 mode_param, ++ struct mlx5_accel_esp_xfrm_attrs *attrs) + { +- struct mlx5_accel_esp_xfrm_attrs attrs = {}; + struct mlx5_wqe_aso_ctrl_seg data = {}; + + if (mode_param < MLX5E_IPSEC_ESN_SCOPE_MID) { +@@ -324,18 +325,7 @@ static void mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry, + sa_entry->esn_state.overlap = 1; + } + +- mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, &attrs); +- +- /* It is safe to execute the modify below unlocked since the only flows +- * that could affect this HW object, are create, destroy and this work. +- * +- * Creation flow can't co-exist with this modify work, the destruction +- * flow would cancel this work, and this work is a single entity that +- * can't conflict with it self. 
+- */ +- spin_unlock_bh(&sa_entry->x->lock); +- mlx5_accel_esp_modify_xfrm(sa_entry, &attrs); +- spin_lock_bh(&sa_entry->x->lock); ++ mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, attrs); + + data.data_offset_condition_operand = + MLX5_IPSEC_ASO_REMOVE_FLOW_PKT_CNT_OFFSET; +@@ -452,7 +442,9 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work) + struct mlx5e_ipsec_work *work = + container_of(_work, struct mlx5e_ipsec_work, work); + struct mlx5e_ipsec_sa_entry *sa_entry = work->data; ++ struct mlx5_accel_esp_xfrm_attrs tmp = {}; + struct mlx5_accel_esp_xfrm_attrs *attrs; ++ bool need_modify = false; + int ret; + + attrs = &sa_entry->attrs; +@@ -462,19 +454,22 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work) + if (ret) + goto unlock; + ++ if (attrs->lft.soft_packet_limit != XFRM_INF) ++ mlx5e_ipsec_handle_limits(sa_entry); ++ + if (attrs->replay_esn.trigger && + !MLX5_GET(ipsec_aso, sa_entry->ctx, esn_event_arm)) { + u32 mode_param = MLX5_GET(ipsec_aso, sa_entry->ctx, + mode_parameter); + +- mlx5e_ipsec_update_esn_state(sa_entry, mode_param); ++ mlx5e_ipsec_update_esn_state(sa_entry, mode_param, &tmp); ++ need_modify = true; + } + +- if (attrs->lft.soft_packet_limit != XFRM_INF) +- mlx5e_ipsec_handle_limits(sa_entry); +- + unlock: + spin_unlock_bh(&sa_entry->x->lock); ++ if (need_modify) ++ mlx5_accel_esp_modify_xfrm(sa_entry, &tmp); + kfree(work); + } + +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch b/queue-6.12/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch new file mode 100644 index 0000000000..e687c1d04b --- /dev/null +++ b/queue-6.12/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch 
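Review bot: The comment justifying an unlocked mlx5_accel_esp_modify_xfrm() was deleted together with the old unlock/relock, yet the call is still made without x->lock at the end of mlx5e_ipsec_handle_event(), so the safety argument no longer appears anywhere in the code. Re-add it at the new call site, e.g. `/* Unlocked on purpose: creation can't race this work and destruction cancels it first (see removed comment in 311-335). */`, without the line range if the file style prefers. The reorder that now runs mlx5e_ipsec_handle_limits() before the ESN block is also unexplained by the description; if the order matters, a one-line comment there would stop it being swapped back.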
@@ -0,0 +1,115 @@ +From 3ba49bdbc10fc82f7bcb2a652bd45eede1588999 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 11:46:02 +0200 +Subject: net/mlx5e: Prevent concurrent access to IPSec ASO context + +From: Jianbo Liu + +[ Upstream commit 99b36850d881e2d65912b2520a1c80d0fcc9429a ] + +The query or updating IPSec offload object is through Access ASO WQE. +The driver uses a single mlx5e_ipsec_aso struct for each PF, which +contains a shared DMA-mapped context for all ASO operations. + +A race condition exists because the ASO spinlock is released before +the hardware has finished processing WQE. If a second operation is +initiated immediately after, it overwrites the shared context in the +DMA area. + +When the first operation's completion is processed later, it reads +this corrupted context, leading to unexpected behavior and incorrect +results. + +This commit fixes the race by introducing a private context within +each IPSec offload object. The shared ASO context is now copied to +this private context while the ASO spinlock is held. Subsequent +processing uses this saved, per-object context, ensuring its integrity +is maintained. 
+ +Fixes: 1ed78fc03307 ("net/mlx5e: Update IPsec soft and hard limits") +Signed-off-by: Jianbo Liu +Reviewed-by: Leon Romanovsky +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260316094603.6999-3-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/en_accel/ipsec.h | 1 + + .../mellanox/mlx5/core/en_accel/ipsec_offload.c | 17 ++++++++--------- + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h +index a37c8a117d80f..2e5ca1cc29bb3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h +@@ -274,6 +274,7 @@ struct mlx5e_ipsec_sa_entry { + struct mlx5e_ipsec_dwork *dwork; + struct mlx5e_ipsec_limits limits; + u32 rx_mapped_id; ++ u8 ctx[MLX5_ST_SZ_BYTES(ipsec_aso)]; + }; + + struct mlx5_accel_pol_xfrm_attrs { +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c +index 820debf3fbbf2..bb2555706d082 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c +@@ -371,20 +371,18 @@ static void mlx5e_ipsec_aso_update_soft(struct mlx5e_ipsec_sa_entry *sa_entry, + static void mlx5e_ipsec_handle_limits(struct mlx5e_ipsec_sa_entry *sa_entry) + { + struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs; +- struct mlx5e_ipsec *ipsec = sa_entry->ipsec; +- struct mlx5e_ipsec_aso *aso = ipsec->aso; + bool soft_arm, hard_arm; + u64 hard_cnt; + + lockdep_assert_held(&sa_entry->x->lock); + +- soft_arm = !MLX5_GET(ipsec_aso, aso->ctx, soft_lft_arm); +- hard_arm = !MLX5_GET(ipsec_aso, aso->ctx, hard_lft_arm); ++ soft_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, soft_lft_arm); ++ hard_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, 
hard_lft_arm); + if (!soft_arm && !hard_arm) + /* It is not lifetime event */ + return; + +- hard_cnt = MLX5_GET(ipsec_aso, aso->ctx, remove_flow_pkt_cnt); ++ hard_cnt = MLX5_GET(ipsec_aso, sa_entry->ctx, remove_flow_pkt_cnt); + if (!hard_cnt || hard_arm) { + /* It is possible to see packet counter equal to zero without + * hard limit event armed. Such situation can be if packet +@@ -455,10 +453,8 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work) + container_of(_work, struct mlx5e_ipsec_work, work); + struct mlx5e_ipsec_sa_entry *sa_entry = work->data; + struct mlx5_accel_esp_xfrm_attrs *attrs; +- struct mlx5e_ipsec_aso *aso; + int ret; + +- aso = sa_entry->ipsec->aso; + attrs = &sa_entry->attrs; + + spin_lock_bh(&sa_entry->x->lock); +@@ -467,8 +463,9 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work) + goto unlock; + + if (attrs->replay_esn.trigger && +- !MLX5_GET(ipsec_aso, aso->ctx, esn_event_arm)) { +- u32 mode_param = MLX5_GET(ipsec_aso, aso->ctx, mode_parameter); ++ !MLX5_GET(ipsec_aso, sa_entry->ctx, esn_event_arm)) { ++ u32 mode_param = MLX5_GET(ipsec_aso, sa_entry->ctx, ++ mode_parameter); + + mlx5e_ipsec_update_esn_state(sa_entry, mode_param); + } +@@ -630,6 +627,8 @@ int mlx5e_ipsec_aso_query(struct mlx5e_ipsec_sa_entry *sa_entry, + /* We are in atomic context */ + udelay(10); + } while (ret && time_is_after_jiffies(expires)); ++ if (!ret) ++ memcpy(sa_entry->ctx, aso->ctx, MLX5_ST_SZ_BYTES(ipsec_aso)); + spin_unlock_bh(&aso->lock); + return ret; + } +-- +2.51.0 + diff --git a/queue-6.12/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch b/queue-6.12/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch new file mode 100644 index 0000000000..3ffda4ff84 --- /dev/null +++ b/queue-6.12/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch 
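Review bot: The new `sa_entry->ctx` field carries no locking note, although the hunk shows it written under aso->lock in mlx5e_ipsec_aso_query() and read under x->lock (lockdep_assert_held) in mlx5e_ipsec_handle_limits(); add `/* Snapshot of aso->ctx taken under aso->lock by mlx5e_ipsec_aso_query(); readers hold x->lock */` next to the field in ipsec.h. Because the memcpy is skipped when the query fails, a caller that ignores the return value would silently consume the snapshot from a previous event; mlx5e_ipsec_handle_event() checks ret before use, but other callers of mlx5e_ipsec_aso_query() are outside the hunk and worth auditing. Documenting that the buffer is valid only after a successful query, or clearing it on failure, would make that staleness visible.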
@@ -0,0 +1,86 @@ +From b46c0754e03f307d4da2b360ec14f6376b44433e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 12:31:01 -0700 +Subject: net: mvpp2: guard flow control update with global_tx_fc in buffer + switching + +From: Muhammad Hammad Ijaz + +[ Upstream commit 8a63baadf08453f66eb582fdb6dd234f72024723 ] + +mvpp2_bm_switch_buffers() unconditionally calls +mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and +shared buffer pool modes. This function programs CM3 flow control +registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference +priv->cm3_base without any NULL check. + +When the CM3 SRAM resource is not present in the device tree (the +third reg entry added by commit 60523583b07c ("dts: marvell: add CM3 +SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains +NULL and priv->global_tx_fc is false. Any operation that triggers +mvpp2_bm_switch_buffers(), for example an MTU change that crosses +the jumbo frame threshold, will crash: + + Unable to handle kernel NULL pointer dereference at + virtual address 0000000000000000 + Mem abort info: + ESR = 0x0000000096000006 + EC = 0x25: DABT (current EL), IL = 32 bits + pc : readl+0x0/0x18 + lr : mvpp2_cm3_read.isra.0+0x14/0x20 + Call trace: + readl+0x0/0x18 + mvpp2_bm_pool_update_fc+0x40/0x12c + mvpp2_bm_pool_update_priv_fc+0x94/0xd8 + mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0 + mvpp2_change_mtu+0x140/0x380 + __dev_set_mtu+0x1c/0x38 + dev_set_mtu_ext+0x78/0x118 + dev_set_mtu+0x48/0xa8 + dev_ifsioc+0x21c/0x43c + dev_ioctl+0x2d8/0x42c + sock_ioctl+0x314/0x378 + +Every other flow control call site in the driver already guards +hardware access with either priv->global_tx_fc or port->tx_fc. +mvpp2_bm_switch_buffers() is the only place that omits this check. + +Add the missing priv->global_tx_fc guard to both the disable and +re-enable calls in mvpp2_bm_switch_buffers(), consistent with the +rest of the driver. 
+ +Fixes: 3a616b92a9d1 ("net: mvpp2: Add TX flow control support for jumbo frames") +Signed-off-by: Muhammad Hammad Ijaz +Reviewed-by: Gunnar Kudrjavets +Link: https://patch.msgid.link/20260316193157.65748-1-mhijaz@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index 66b5a80c9c28a..51e35c4d9ea97 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -5025,7 +5025,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu) + if (priv->percpu_pools) + numbufs = port->nrxqs * 2; + +- if (change_percpu) ++ if (change_percpu && priv->global_tx_fc) + mvpp2_bm_pool_update_priv_fc(priv, false); + + for (i = 0; i < numbufs; i++) +@@ -5050,7 +5050,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu) + mvpp2_open(port->dev); + } + +- if (change_percpu) ++ if (change_percpu && priv->global_tx_fc) + mvpp2_bm_pool_update_priv_fc(priv, true); + + return 0; +-- +2.51.0 + diff --git a/queue-6.12/net-rose-fix-null-pointer-dereference-in-rose_transm.patch b/queue-6.12/net-rose-fix-null-pointer-dereference-in-rose_transm.patch new file mode 100644 index 0000000000..533bad388a --- /dev/null +++ b/queue-6.12/net-rose-fix-null-pointer-dereference-in-rose_transm.patch 
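Review bot: Guarding the two call sites in mvpp2_bm_switch_buffers() fixes this crash, but the description itself says every caller must remember the `priv->global_tx_fc` check, which is exactly how this one was missed; placing `if (!priv->global_tx_fc) return;` at the top of mvpp2_bm_pool_update_priv_fc() would make the helper safe by construction and let these two conditions revert to `if (change_percpu)`. The helper's body is outside the hunk, so whether it has other preconditions cannot be seen here. Alternatively mvpp2_cm3_read()/mvpp2_cm3_write() could check `priv->cm3_base` and WARN_ON_ONCE, since the NULL base is the actual fault.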
@@ -0,0 +1,64 @@ +From d02f536ed05036f518fa5ae2e668015000c6d808 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 15:06:02 +0800 +Subject: net/rose: fix NULL pointer dereference in rose_transmit_link on + reconnect + +From: Jiayuan Chen + +[ Upstream commit e1f0a18c9564cdb16523c802e2c6fe5874e3d944 ] + +syzkaller reported a bug [1], and the reproducer is available at [2]. + +ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, +TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects +calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING +(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. + +When rose_connect() is called a second time while the first connection +attempt is still in progress (TCP_SYN_SENT), it overwrites +rose->neighbour via rose_get_neigh(). If that returns NULL, the socket +is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL. +When the socket is subsequently closed, rose_release() sees +ROSE_STATE_1 and calls rose_write_internal() -> +rose_transmit_link(skb, NULL), causing a NULL pointer dereference. + +Per connect(2), a second connect() while a connection is already in +progress should return -EALREADY. Add this missing check for +TCP_SYN_SENT to complete the state validation in rose_connect(). 
+ +[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271 +[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+d00f90e0af54102fb271@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0027.GAE@google.com/T/ +Suggested-by: Eric Dumazet +Signed-off-by: Jiayuan Chen +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260311070611.76913-1-jiayuan.chen@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index 1676c9f4ab848..0223d6c34f0be 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -810,6 +810,11 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le + goto out_release; + } + ++ if (sk->sk_state == TCP_SYN_SENT) { ++ err = -EALREADY; ++ goto out_release; ++ } ++ + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; + +-- +2.51.0 + diff --git a/queue-6.12/net-sched-teql-fix-double-free-in-teql_master_xmit.patch b/queue-6.12/net-sched-teql-fix-double-free-in-teql_master_xmit.patch new file mode 100644 index 0000000000..8a67050026 --- /dev/null +++ b/queue-6.12/net-sched-teql-fix-double-free-in-teql_master_xmit.patch 
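Review bot: The new TCP_SYN_SENT check in rose_connect() carries no comment linking it to connect(2)'s -EALREADY contract or to the rose->neighbour overwrite it prevents, so it reads as an arbitrary state test beside the existing ones; add `/* A connect() is already in progress: a second attempt would overwrite rose->neighbour (connect(2): EALREADY). */`. The preceding TCP_ESTABLISHED/TCP_CLOSE checks and the socket lock that presumably covers this read are outside the hunk, so the ordering relative to them can only be inferred from the description.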
@@ -0,0 +1,202 @@ +From 2223077502871ade1de760952ef7b3002c8f9479 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 11:54:22 -0400 +Subject: net/sched: teql: Fix double-free in teql_master_xmit + +From: Jamal Hadi Salim + +[ Upstream commit 66360460cab63c248ca5b1070a01c0c29133b960 ] + +Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should +be called using the seq_lock to avoid racing with the datapath. Failure +to do so may cause crashes like the following: + +[ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139) +[ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318 +[ 238.029749][ T318] +[ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full) +[ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 +[ 238.029910][ T318] Call Trace: +[ 238.029913][ T318] +[ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122) +[ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) +[ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139) +[ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +... +[ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139) +[ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563) +[ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139) +[ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231) +[ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1)) +[ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139) +... +[ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256) +[ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827) +[ 238.030039][ T318] ? 
srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +... +[ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034) +[ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157) +[ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077) +[ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159) +[ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091) +[ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556) +... +[ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s: +[ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58) +[ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5)) +[ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369) +[ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921) +[ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107)) +[ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713) +[ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763) +[ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997) +[ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108) +[ 238.081469][ T318] +[ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s: +[ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58) +[ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5)) +[ 238.085348][ T318] 
kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1)) +[ 238.085900][ T318] __kasan_slab_free (mm/kasan/common.c:287) +[ 238.086439][ T318] kmem_cache_free (mm/slub.c:6168 (discriminator 3) mm/slub.c:6298 (discriminator 3)) +[ 238.087007][ T318] skb_release_data (net/core/skbuff.c:1139) +[ 238.087491][ T318] consume_skb (net/core/skbuff.c:1451) +[ 238.087757][ T318] teql_master_xmit (net/sched/sch_teql.c:358) +[ 238.088116][ T318] dev_hard_start_xmit (./include/linux/netdevice.h:5324 ./include/linux/netdevice.h:5333 net/core/dev.c:3871 net/core/dev.c:3887) +[ 238.088468][ T318] sch_direct_xmit (net/sched/sch_generic.c:347) +[ 238.088820][ T318] __qdisc_run (net/sched/sch_generic.c:420 (discriminator 1)) +[ 238.089166][ T318] __dev_queue_xmit (./include/net/sch_generic.h:229 ./include/net/pkt_sched.h:121 ./include/net/pkt_sched.h:117 net/core/dev.c:4196 net/core/dev.c:4802) + +Workflow to reproduce: +1. Initialize a TEQL topology (dummy0 and ifb0 as slaves, teql0 up). +2. Start multiple sender workers continuously transmitting packets + through teql0 to drive teql_master_xmit(). +3. In parallel, repeatedly delete and re-add the root qdisc on + dummy0 and ifb0 via RTNETLINK, forcing frequent teardown and reset activity + (teql_destroy() / qdisc_reset()). +4. After running both workloads concurrently for several iterations, + KASAN reports slab-use-after-free or double-free in the skb free path. + +Fix this by moving dev_reset_queue to sch_generic.h and calling it, instead +of qdisc_reset, in teql_destroy since it handles both the lock and lockless +cases correctly for root qdiscs. 
+ +Fixes: 96009c7d500e ("sched: replace __QDISC_STATE_RUNNING bit with a spin lock") +Reported-by: Xianrui Dong +Tested-by: Xianrui Dong +Co-developed-by: Victor Nogueira +Signed-off-by: Victor Nogueira +Signed-off-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260315155422.147256-1-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sch_generic.h | 28 ++++++++++++++++++++++++++++ + net/sched/sch_generic.c | 27 --------------------------- + net/sched/sch_teql.c | 7 ++----- + 3 files changed, 30 insertions(+), 32 deletions(-) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index 75a0d6095d2eb..28a7aaa4c0cdf 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -696,6 +696,34 @@ void qdisc_destroy(struct Qdisc *qdisc); + void qdisc_put(struct Qdisc *qdisc); + void qdisc_put_unlocked(struct Qdisc *qdisc); + void qdisc_tree_reduce_backlog(struct Qdisc *qdisc, int n, int len); ++ ++static inline void dev_reset_queue(struct net_device *dev, ++ struct netdev_queue *dev_queue, ++ void *_unused) ++{ ++ struct Qdisc *qdisc; ++ bool nolock; ++ ++ qdisc = rtnl_dereference(dev_queue->qdisc_sleeping); ++ if (!qdisc) ++ return; ++ ++ nolock = qdisc->flags & TCQ_F_NOLOCK; ++ ++ if (nolock) ++ spin_lock_bh(&qdisc->seqlock); ++ spin_lock_bh(qdisc_lock(qdisc)); ++ ++ qdisc_reset(qdisc); ++ ++ spin_unlock_bh(qdisc_lock(qdisc)); ++ if (nolock) { ++ clear_bit(__QDISC_STATE_MISSED, &qdisc->state); ++ clear_bit(__QDISC_STATE_DRAINING, &qdisc->state); ++ spin_unlock_bh(&qdisc->seqlock); ++ } ++} ++ + #ifdef CONFIG_NET_SCHED + int qdisc_offload_dump_helper(struct Qdisc *q, enum tc_setup_type type, + void *type_data); +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c +index d27383c54b70b..3e1dbb84bb837 100644 +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -1297,33 +1297,6 @@ static void dev_deactivate_queue(struct net_device *dev, + } + } + +-static void 
dev_reset_queue(struct net_device *dev, +- struct netdev_queue *dev_queue, +- void *_unused) +-{ +- struct Qdisc *qdisc; +- bool nolock; +- +- qdisc = rtnl_dereference(dev_queue->qdisc_sleeping); +- if (!qdisc) +- return; +- +- nolock = qdisc->flags & TCQ_F_NOLOCK; +- +- if (nolock) +- spin_lock_bh(&qdisc->seqlock); +- spin_lock_bh(qdisc_lock(qdisc)); +- +- qdisc_reset(qdisc); +- +- spin_unlock_bh(qdisc_lock(qdisc)); +- if (nolock) { +- clear_bit(__QDISC_STATE_MISSED, &qdisc->state); +- clear_bit(__QDISC_STATE_DRAINING, &qdisc->state); +- spin_unlock_bh(&qdisc->seqlock); +- } +-} +- + static bool some_qdisc_is_busy(struct net_device *dev) + { + unsigned int i; +diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c +index 783300d8b0197..ec4039a201a2c 100644 +--- a/net/sched/sch_teql.c ++++ b/net/sched/sch_teql.c +@@ -146,15 +146,12 @@ teql_destroy(struct Qdisc *sch) + master->slaves = NEXT_SLAVE(q); + if (q == master->slaves) { + struct netdev_queue *txq; +- spinlock_t *root_lock; + + txq = netdev_get_tx_queue(master->dev, 0); + master->slaves = NULL; + +- root_lock = qdisc_root_sleeping_lock(rtnl_dereference(txq->qdisc)); +- spin_lock_bh(root_lock); +- qdisc_reset(rtnl_dereference(txq->qdisc)); +- spin_unlock_bh(root_lock); ++ dev_reset_queue(master->dev, ++ txq, NULL); + } + } + skb_queue_purge(&dat->q); +-- +2.51.0 + diff --git a/queue-6.12/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch b/queue-6.12/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch new file mode 100644 index 0000000000..df8003669b --- /dev/null +++ b/queue-6.12/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch 
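Review bot: dev_reset_queue() has become a header-visible inline with an implicit locking contract — it rtnl_dereference()s qdisc_sleeping and takes seqlock/qdisc_lock in _bh context — but nothing in the hunk states that RTNL must be held, nor that `dev` and `_unused` exist only to match the netdev_for_each_tx_queue() callback signature. I would add above the definition: `/* Reset the root qdisc of @dev_queue, handling both locked and TCQ_F_NOLOCK roots. Caller must hold RTNL (qdisc_sleeping is rtnl_dereference()d); @dev and @_unused only match the netdev_for_each_tx_queue() callback shape. */`, and an `ASSERT_RTNL();` as the first statement would make the contract enforceable. Note also that the replaced code reset `txq->qdisc` whereas dev_reset_queue() resets `qdisc_sleeping`; the two differ while the device is deactivated, which looks intended here but deserves a one-line comment at the teql_destroy() call site.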
@@ -0,0 +1,208 @@ +From 9a224a1f62648519410091a3bb00edcdd754f040 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 17:29:07 +0800 +Subject: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() + +From: Jiayuan Chen + +[ Upstream commit 6d5e4538364b9ceb1ac2941a4deb86650afb3538 ] + +Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1]. + +smc_tcp_syn_recv_sock() is called in the TCP receive path +(softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP +listening socket). It reads sk_user_data to get the smc_sock +pointer. However, when the SMC listen socket is being closed +concurrently, smc_close_active() sets clcsock->sk_user_data +to NULL under sk_callback_lock, and then the smc_sock itself +can be freed via sock_put() in smc_release(). + +This leads to two issues: + +1) NULL pointer dereference: sk_user_data is NULL when + accessed. +2) Use-after-free: sk_user_data is read as non-NULL, but the + smc_sock is freed before its fields (e.g., queued_smc_hs, + ori_af_ops) are accessed. + +The race window looks like this (the syzkaller crash [1] +triggers via the SYN cookie path: tcp_get_cookie_sock() -> +smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path +has the same race): + + CPU A (softirq) CPU B (process ctx) + + tcp_v4_rcv() + TCP_NEW_SYN_RECV: + sk = req->rsk_listener + sock_hold(sk) + /* No lock on listener */ + smc_close_active(): + write_lock_bh(cb_lock) + sk_user_data = NULL + write_unlock_bh(cb_lock) + ... + smc_clcsock_release() + sock_put(smc->sk) x2 + -> smc_sock freed! + tcp_check_req() + smc_tcp_syn_recv_sock(): + smc = user_data(sk) + -> NULL or dangling + smc->queued_smc_hs + -> crash! + +Note that the clcsock and smc_sock are two independent objects +with separate refcounts. TCP stack holds a reference on the +clcsock, which keeps it alive, but this does NOT prevent the +smc_sock from being freed. + +Fix this by using RCU and refcount_inc_not_zero() to safely +access smc_sock. 
Since smc_tcp_syn_recv_sock() is called in +the TCP three-way handshake path, taking read_lock_bh on +sk_callback_lock is too heavy and would not survive a SYN +flood attack. Using rcu_read_lock() is much more lightweight. + +- Set SOCK_RCU_FREE on the SMC listen socket so that + smc_sock freeing is deferred until after the RCU grace + period. This guarantees the memory is still valid when + accessed inside rcu_read_lock(). +- Use rcu_read_lock() to protect reading sk_user_data. +- Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the + smc_sock. If the refcount has already reached zero (close + path completed), it returns false and we bail out safely. + +Note: smc_hs_congested() has a similar lockless read of +sk_user_data without rcu_read_lock(), but it only checks for +NULL and accesses the global smc_hs_wq, never dereferencing +any smc_sock field, so it is not affected. + +Reproducer was verified with mdelay injection and smc_run, +the issue no longer occurs with this patch applied. 
+ +[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9 + +Fixes: 8270d9c21041 ("net/smc: Limit backlog connections") +Reported-by: syzbot+827ae2bfb3a3529333e9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67eaf9b8.050a0220.3c3d88.004a.GAE@google.com/T/ +Suggested-by: Eric Dumazet +Reviewed-by: Eric Dumazet +Signed-off-by: Jiayuan Chen +Link: https://patch.msgid.link/20260312092909.48325-1-jiayuan.chen@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 23 +++++++++++++++++------ + net/smc/smc.h | 5 +++++ + net/smc/smc_close.c | 2 +- + 3 files changed, 23 insertions(+), 7 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 02e08ac1da3aa..23bb360ebd07b 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -130,7 +130,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk, + struct smc_sock *smc; + struct sock *child; + +- smc = smc_clcsock_user_data(sk); ++ rcu_read_lock(); ++ smc = smc_clcsock_user_data_rcu(sk); ++ if (!smc || !refcount_inc_not_zero(&smc->sk.sk_refcnt)) { ++ rcu_read_unlock(); ++ smc = NULL; ++ goto drop; ++ } ++ rcu_read_unlock(); + + if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) > + sk->sk_max_ack_backlog) +@@ -152,11 +159,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk, + if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops) + inet_csk(child)->icsk_af_ops = smc->ori_af_ops; + } ++ sock_put(&smc->sk); + return child; + + drop: + dst_release(dst); + tcp_listendrop(sk); ++ if (smc) ++ sock_put(&smc->sk); + return NULL; + } + +@@ -253,7 +263,7 @@ static void smc_fback_restore_callbacks(struct smc_sock *smc) + struct sock *clcsk = smc->clcsock->sk; + + write_lock_bh(&clcsk->sk_callback_lock); +- clcsk->sk_user_data = NULL; ++ rcu_assign_sk_user_data(clcsk, NULL); + + smc_clcsock_restore_cb(&clcsk->sk_state_change, &smc->clcsk_state_change); + smc_clcsock_restore_cb(&clcsk->sk_data_ready, 
&smc->clcsk_data_ready); +@@ -901,7 +911,7 @@ static void smc_fback_replace_callbacks(struct smc_sock *smc) + struct sock *clcsk = smc->clcsock->sk; + + write_lock_bh(&clcsk->sk_callback_lock); +- clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); ++ __rcu_assign_sk_user_data_with_flags(clcsk, smc, SK_USER_DATA_NOCOPY); + + smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change, + &smc->clcsk_state_change); +@@ -2663,8 +2673,8 @@ int smc_listen(struct socket *sock, int backlog) + * smc-specific sk_data_ready function + */ + write_lock_bh(&smc->clcsock->sk->sk_callback_lock); +- smc->clcsock->sk->sk_user_data = +- (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); ++ __rcu_assign_sk_user_data_with_flags(smc->clcsock->sk, smc, ++ SK_USER_DATA_NOCOPY); + smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready, + smc_clcsock_data_ready, &smc->clcsk_data_ready); + write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); +@@ -2685,10 +2695,11 @@ int smc_listen(struct socket *sock, int backlog) + write_lock_bh(&smc->clcsock->sk->sk_callback_lock); + smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready, + &smc->clcsk_data_ready); +- smc->clcsock->sk->sk_user_data = NULL; ++ rcu_assign_sk_user_data(smc->clcsock->sk, NULL); + write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); + goto out; + } ++ sock_set_flag(sk, SOCK_RCU_FREE); + sk->sk_max_ack_backlog = backlog; + sk->sk_ack_backlog = 0; + sk->sk_state = SMC_LISTEN; +diff --git a/net/smc/smc.h b/net/smc/smc.h +index 7579f9622e010..f9d364a2167a7 100644 +--- a/net/smc/smc.h ++++ b/net/smc/smc.h +@@ -346,6 +346,11 @@ static inline struct smc_sock *smc_clcsock_user_data(const struct sock *clcsk) + ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY); + } + ++static inline struct smc_sock *smc_clcsock_user_data_rcu(const struct sock *clcsk) ++{ ++ return (struct smc_sock *)rcu_dereference_sk_user_data(clcsk); ++} ++ + /* save target_cb in saved_cb, and replace target_cb with new_cb */ + 
static inline void smc_clcsock_replace_cb(void (**target_cb)(struct sock *), + void (*new_cb)(struct sock *), +diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c +index 10219f55aad14..bb0313ef5f7c1 100644 +--- a/net/smc/smc_close.c ++++ b/net/smc/smc_close.c +@@ -218,7 +218,7 @@ int smc_close_active(struct smc_sock *smc) + write_lock_bh(&smc->clcsock->sk->sk_callback_lock); + smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready, + &smc->clcsk_data_ready); +- smc->clcsock->sk->sk_user_data = NULL; ++ rcu_assign_sk_user_data(smc->clcsock->sk, NULL); + write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); + rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR); + } +-- +2.51.0 + diff --git a/queue-6.12/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch b/queue-6.12/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch new file mode 100644 index 0000000000..eb0efa1b14 --- /dev/null +++ b/queue-6.12/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch 
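Review bot: SOCK_RCU_FREE is set only on the smc_listen() success path, yet sk_user_data is also installed on the clcsock by smc_fback_replace_callbacks() in the second af_smc.c hunk without that flag, so the refcount_inc_not_zero() in smc_tcp_syn_recv_sock() is race-free only if the syn_recv_sock hook can never fire for a fallback socket — presumably true because the hook is installed for listeners only, but that assumption is not written down. I would add next to `sock_set_flag(sk, SOCK_RCU_FREE);` the comment `/* smc_tcp_syn_recv_sock() reads clcsock->sk_user_data under rcu_read_lock() and pins us with refcount_inc_not_zero(); deferring the free to an RCU grace period is what makes that read safe */`. In smc_tcp_syn_recv_sock() the rcu_read_unlock() before the backlog check is correct only because the refcount is already held, and every exit must now go through sock_put(); a short comment at the unlock saying so would prevent a future reorder from reopening the UAF.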
@@ -0,0 +1,69 @@ +From 7ec34d6c2d697391c2eeb391ccd62df34a62ee28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 16:16:43 +0200 +Subject: net: usb: aqc111: Do not perform PM inside suspend callback + +From: Nikola Z. Ivanov + +[ Upstream commit 069c8f5aebe4d5224cf62acc7d4b3486091c658a ] + +syzbot reports "task hung in rpm_resume" + +This is caused by aqc111_suspend calling +the PM variant of its write_cmd routine. + +The simplified call trace looks like this: + +rpm_suspend() + usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING + aqc111_suspend() - called for the usb device interface + aqc111_write32_cmd() + usb_autopm_get_interface() + pm_runtime_resume_and_get() + rpm_resume() - here we call rpm_resume() on our parent + rpm_resume() - Here we wait for a status change that will never happen. + +At this point we block another task which holds +rtnl_lock and locks up the whole networking stack. + +Fix this by replacing the write_cmd calls with their _nopm variants + +Reported-by: syzbot+48dc1e8dfc92faf1124c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=48dc1e8dfc92faf1124c +Fixes: e58ba4544c77 ("net: usb: aqc111: Add support for wake on LAN by MAGIC packet") +Signed-off-by: Nikola Z. 
Ivanov +Link: https://patch.msgid.link/20260313141643.1181386-1-zlatistiv@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/aqc111.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c +index 9201ee10a13f7..d316aa66dbc23 100644 +--- a/drivers/net/usb/aqc111.c ++++ b/drivers/net/usb/aqc111.c +@@ -1400,14 +1400,14 @@ static int aqc111_suspend(struct usb_interface *intf, pm_message_t message) + aqc111_write16_cmd_nopm(dev, AQ_ACCESS_MAC, + SFR_MEDIUM_STATUS_MODE, 2, ®16); + +- aqc111_write_cmd(dev, AQ_WOL_CFG, 0, 0, +- WOL_CFG_SIZE, &wol_cfg); +- aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, +- &aqc111_data->phy_cfg); ++ aqc111_write_cmd_nopm(dev, AQ_WOL_CFG, 0, 0, ++ WOL_CFG_SIZE, &wol_cfg); ++ aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0, ++ &aqc111_data->phy_cfg); + } else { + aqc111_data->phy_cfg |= AQ_LOW_POWER; +- aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, +- &aqc111_data->phy_cfg); ++ aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0, ++ &aqc111_data->phy_cfg); + + /* Disable RX path */ + aqc111_read16_cmd_nopm(dev, AQ_ACCESS_MAC, +-- +2.51.0 + diff --git a/queue-6.12/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch b/queue-6.12/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch new file mode 100644 index 0000000000..1477570ae3 --- /dev/null +++ b/queue-6.12/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch 
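Review bot: The switch to the _nopm helpers fixes the deadlock, but nothing in aqc111_suspend() records the rule, so the next WoL change can reintroduce a usb_autopm_get_interface() call. I would add at the top of the function: `/* Runs while the parent is already RPM_SUSPENDING: any usb_autopm_get_interface() here blocks in rpm_resume() forever, so only the *_nopm command helpers may be used on this path. */`. The start and end of aqc111_suspend() lie outside the hunk, so please confirm no other PM-variant calls remain in the rest of the suspend path (and in the resume counterpart if it follows the same pattern). The return values of these register writes are still ignored, which is pre-existing, but a failed PHY/WoL write here leaves the device in an unknown power state without any log line.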
@@ -0,0 +1,65 @@ +From 59d4de4b0bd458c6e1717fc4ad476eccafacaa49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 22:46:39 -0700 +Subject: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check + +From: Tobi Gaertner + +[ Upstream commit 2aa8a4fa8d5b7d0e1ebcec100e1a4d80a1f4b21a ] + +cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE +entries fit within the skb. The first check correctly accounts for +ndpoffset: + + if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) + +but the second check omits it: + + if ((sizeof(struct usb_cdc_ncm_ndp16) + + ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) + +This validates the DPE array size against the total skb length as if +the NDP were at offset 0, rather than at ndpoffset. When the NDP is +placed near the end of the NTB (large wNdpIndex), the DPE entries can +extend past the skb data buffer even though the check passes. +cdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating +the DPE array. + +Add ndpoffset to the nframes bounds check and use struct_size_t() to +express the NDP-plus-DPE-array size more clearly. 
+ +Fixes: ff06ab13a4cc ("net: cdc_ncm: splitting rx_fixup for code reuse") +Signed-off-by: Tobi Gaertner +Link: https://patch.msgid.link/20260314054640.2895026-2-tob.gaertner@me.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_ncm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index 5c89e03f93d61..a006583e8e085 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1657,6 +1657,7 @@ int cdc_ncm_rx_verify_ndp16(struct sk_buff *skb_in, int ndpoffset) + struct usbnet *dev = netdev_priv(skb_in->dev); + struct usb_cdc_ncm_ndp16 *ndp16; + int ret = -EINVAL; ++ size_t ndp_len; + + if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) { + netif_dbg(dev, rx_err, dev->net, "invalid NDP offset <%u>\n", +@@ -1676,8 +1677,8 @@ int cdc_ncm_rx_verify_ndp16(struct sk_buff *skb_in, int ndpoffset) + sizeof(struct usb_cdc_ncm_dpe16)); + ret--; /* we process NDP entries except for the last one */ + +- if ((sizeof(struct usb_cdc_ncm_ndp16) + +- ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) { ++ ndp_len = struct_size_t(struct usb_cdc_ncm_ndp16, dpe16, ret); ++ if (ndpoffset + ndp_len > skb_in->len) { + netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret); + ret = -EINVAL; + } +-- +2.51.0 + diff --git a/queue-6.12/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch b/queue-6.12/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch new file mode 100644 index 0000000000..3aeec509e6 --- /dev/null +++ b/queue-6.12/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch 
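Review bot: The corrected bound still relies on `ndpoffset` being non-negative: it is declared `int`, and in `ndpoffset + ndp_len > skb_in->len` it is converted to size_t, so a negative value wraps to a huge number and is rejected — safe, but by accident rather than design. I would make that explicit with a comment on the new check, `/* bound is relative to the NDP start, not the NTB start: a large wNdpIndex can push the DPE array past the skb even when the array alone fits */`, and consider `if (ndpoffset < 0 || ndpoffset + ndp_len > skb_in->len)`; the callers are outside this hunk, so I cannot confirm ndpoffset is always range-checked against the NTB header first. `ret` here derives from the device-supplied wLength computed before the hunk, so the per-DPE wDatagramIndex/wDatagramLength fields presumably still rely on the checks in cdc_ncm_rx_fixup().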
@@ -0,0 +1,54 @@ +From be60e298711fd984bbaec5fe69940cb131311e27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 22:46:40 -0700 +Subject: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check + +From: Tobi Gaertner + +[ Upstream commit 77914255155e68a20aa41175edeecf8121dac391 ] + +The same bounds-check bug fixed for NDP16 in the previous patch also +exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated +against the total skb length without accounting for ndpoffset, allowing +out-of-bounds reads when the NDP32 is placed near the end of the NTB. + +Add ndpoffset to the nframes bounds check and use struct_size_t() to +express the NDP-plus-DPE-array size more clearly. + +Compile-tested only. + +Fixes: 0fa81b304a79 ("cdc_ncm: Implement the 32-bit version of NCM Transfer Block") +Signed-off-by: Tobi Gaertner +Link: https://patch.msgid.link/20260314054640.2895026-3-tob.gaertner@me.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_ncm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index a006583e8e085..c00699cd3e350 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1694,6 +1694,7 @@ int cdc_ncm_rx_verify_ndp32(struct sk_buff *skb_in, int ndpoffset) + struct usbnet *dev = netdev_priv(skb_in->dev); + struct usb_cdc_ncm_ndp32 *ndp32; + int ret = -EINVAL; ++ size_t ndp_len; + + if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp32)) > skb_in->len) { + netif_dbg(dev, rx_err, dev->net, "invalid NDP offset <%u>\n", +@@ -1713,8 +1714,8 @@ int cdc_ncm_rx_verify_ndp32(struct sk_buff *skb_in, int ndpoffset) + sizeof(struct usb_cdc_ncm_dpe32)); + ret--; /* we process NDP entries except for the last one */ + +- if ((sizeof(struct usb_cdc_ncm_ndp32) + +- ret * (sizeof(struct usb_cdc_ncm_dpe32))) > skb_in->len) { ++ ndp_len = struct_size_t(struct usb_cdc_ncm_ndp32, dpe32, ret); ++ if (ndpoffset + 
ndp_len > skb_in->len) { + netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret); + ret = -EINVAL; + } +-- +2.51.0 + diff --git a/queue-6.12/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch b/queue-6.12/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch new file mode 100644 index 0000000000..3c62e47238 --- /dev/null +++ b/queue-6.12/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch @@ -0,0 +1,47 @@ +From f9030b657e91ad2bc2c970de57c067f6a53da9f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 12:23:08 +0100 +Subject: netfilter: bpf: defer hook memory release until rcu readers are done + +From: Florian Westphal + +[ Upstream commit 24f90fa3994b992d1a09003a3db2599330a5232a ] + +Yiming Qian reports UaF when concurrent process is dumping hooks via +nfnetlink_hooks: + +BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0 +Read of size 8 at addr ffff888003edbf88 by task poc/79 +Call Trace: + + nfnl_hook_dump_one.isra.0+0xe71/0x10f0 + netlink_dump+0x554/0x12b0 + nfnl_hook_get+0x176/0x230 + [..] + +Defer release until after concurrent readers have completed. + +Reported-by: Yiming Qian +Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_bpf_link.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c +index b5e4ca9026a8e..be5e8bd90a3eb 100644 +--- a/net/netfilter/nf_bpf_link.c ++++ b/net/netfilter/nf_bpf_link.c +@@ -170,7 +170,7 @@ static int bpf_nf_link_update(struct bpf_link *link, struct bpf_prog *new_prog, + + static const struct bpf_link_ops bpf_nf_link_lops = { + .release = bpf_nf_link_release, +- .dealloc = bpf_nf_link_dealloc, ++ .dealloc_deferred = bpf_nf_link_dealloc, + .detach = bpf_nf_link_detach, + .show_fdinfo = bpf_nf_link_show_info, + .fill_link_info = bpf_nf_link_fill_link_info, +-- +2.51.0 + 
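Review bot: This change is flagged compile-tested only, and the NDP32 path is the one large NTBs use, so it deserves a runtime check under KASAN with an NTB whose NDP index places the NDP within sizeof(struct usb_cdc_ncm_ndp32) plus a few DPEs of the end of the buffer, verifying the "Invalid nframes" debug line fires rather than an OOB read. The same int-to-size_t promotion of `ndpoffset` as in the NDP16 variant applies to `ndpoffset + ndp_len > skb_in->len`; a comment such as `/* bound is relative to the NDP start, not the NTB start */` would document why the offset must be included. The helper's closing lines are outside the hunk.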
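Review bot: Switching to `.dealloc_deferred` means bpf_nf_link_dealloc() now runs from the RCU callback path rather than from the releasing task, so it must not sleep or take mutexes; its body is not in the hunk, so please confirm it is limited to freeing the link, and record the reason on the ops entry with `/* freed only after an RCU grace period: nfnl_hook_dump_one() walks the hook under rcu_read_lock() */`. This protects the bpf_nf_link memory itself; whatever nfnl_hook_dump_one() dereferences through the hook entry must stay valid for the same grace period, which this one-line change cannot show.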
diff --git a/queue-6.12/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch b/queue-6.12/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch new file mode 100644 index 0000000000..b704dc9c44 --- /dev/null +++ b/queue-6.12/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch 
@@ -0,0 +1,123 @@ +From 29bd7f460f16056cbe437e92300d526de95e2b34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:21:37 +0900 +Subject: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() + +From: Hyunwoo Kim + +[ Upstream commit 5cb81eeda909dbb2def209dd10636b51549a3f8a ] + +ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the +netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the +conntrack reference immediately after netlink_dump_start(). When the +dump spans multiple rounds, the second recvmsg() triggers the dump +callback which dereferences the now-freed conntrack via nfct_help(ct), +leading to a use-after-free on ct->ext. + +The bug is that the netlink_dump_control has no .start or .done +callbacks to manage the conntrack reference across dump rounds. Other +dump functions in the same file (e.g. ctnetlink_get_conntrack) properly +use .start/.done callbacks for this purpose. + +Fix this by adding .start and .done callbacks that hold and release the +conntrack reference for the duration of the dump, and move the +nfct_help() call after the cb->args[0] early-return check in the dump +callback to avoid dereferencing ct->ext unnecessarily. + + BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0 + Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133 + + CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY + Call Trace: + + ctnetlink_exp_ct_dump_table+0x4f/0x2e0 + netlink_dump+0x333/0x880 + netlink_recvmsg+0x3e2/0x4b0 + ? 
aa_sk_perm+0x184/0x450 + sock_recvmsg+0xde/0xf0 + + Allocated by task 133: + kmem_cache_alloc_noprof+0x134/0x440 + __nf_conntrack_alloc+0xa8/0x2b0 + ctnetlink_create_conntrack+0xa1/0x900 + ctnetlink_new_conntrack+0x3cf/0x7d0 + nfnetlink_rcv_msg+0x48e/0x510 + netlink_rcv_skb+0xc9/0x1f0 + nfnetlink_rcv+0xdb/0x220 + netlink_unicast+0x3ec/0x590 + netlink_sendmsg+0x397/0x690 + __sys_sendmsg+0xf4/0x180 + + Freed by task 0: + slab_free_after_rcu_debug+0xad/0x1e0 + rcu_core+0x5c3/0x9c0 + +Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack") +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++++++++++- + 1 file changed, 25 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 13836723223e0..627790fcb6bb0 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3206,7 +3206,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + struct nf_conn *ct = cb->data; +- struct nf_conn_help *help = nfct_help(ct); ++ struct nf_conn_help *help; + u_int8_t l3proto = nfmsg->nfgen_family; + unsigned long last_id = cb->args[1]; + struct nf_conntrack_expect *exp; +@@ -3214,6 +3214,10 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + if (cb->args[0]) + return 0; + ++ help = nfct_help(ct); ++ if (!help) ++ return 0; ++ + rcu_read_lock(); + + restart: +@@ -3243,6 +3247,24 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + return skb->len; + } + ++static int ctnetlink_dump_exp_ct_start(struct netlink_callback *cb) ++{ ++ struct nf_conn *ct = cb->data; ++ ++ if (!refcount_inc_not_zero(&ct->ct_general.use)) ++ return -ENOENT; ++ return 0; ++} ++ ++static int ctnetlink_dump_exp_ct_done(struct 
netlink_callback *cb) ++{ ++ struct nf_conn *ct = cb->data; ++ ++ if (ct) ++ nf_ct_put(ct); ++ return 0; ++} ++ + static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct sk_buff *skb, + const struct nlmsghdr *nlh, +@@ -3258,6 +3280,8 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct nf_conntrack_zone zone; + struct netlink_dump_control c = { + .dump = ctnetlink_exp_ct_dump_table, ++ .start = ctnetlink_dump_exp_ct_start, ++ .done = ctnetlink_dump_exp_ct_done, + }; + + err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, +-- +2.51.0 + diff --git a/queue-6.12/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch b/queue-6.12/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch new file mode 100644 index 0000000000..caccc96380 --- /dev/null +++ b/queue-6.12/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch 
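Review bot: ctnetlink_dump_exp_ct_start() takes its own reference with refcount_inc_not_zero() while, per the commit message, the caller still holds the lookup reference and drops it right after netlink_dump_start(), so the `-ENOENT` branch is unreachable in practice but the ownership contract is undocumented. I would add above the start callback: `/* cb->data is the master ct found by ctnetlink_dump_exp_ct(), which drops its own ref as soon as netlink_dump_start() returns; pin it here and release it in ctnetlink_dump_exp_ct_done() so later dump rounds never read a freed ct->ext */`. If netlink_dump_start() does not invoke .done when .start fails (I believe it does not, but cannot see it here), the `if (ct)` guard in done is harmless but misleading and could carry a comment. The new `if (!help) return 0;` ends the dump silently for a master without a helper extension; if that is a legitimate state, say so in a comment. The remainder of ctnetlink_dump_exp_ct() is outside the hunk.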
@@ -0,0 +1,165 @@ +From e1bc9463859af7625f2e1342587d1a4d8a969d1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Aug 2025 17:25:09 +0200 +Subject: netfilter: ctnetlink: remove refcounting in expectation dumpers + +From: Florian Westphal + +[ Upstream commit 1492e3dcb2be3aa46d1963da96aa9593e4e4db5a ] + +Same pattern as previous patch: do not keep the expectation object +alive via refcount, only store a cookie value and then use that +as the skip hint for dump resumption. + +AFAICS this has the same issue as the one resolved in the conntrack +dumper, when we do + if (!refcount_inc_not_zero(&exp->use)) + +to increment the refcount, there is a chance that exp == last, which +causes a double-increment of the refcount and subsequent memory leak. + +Fixes: cf6994c2b981 ("[NETFILTER]: nf_conntrack_netlink: sync expectation dumping with conntrack table dumping") +Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Stable-dep-of: 5cb81eeda909 ("netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()") +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 41 ++++++++++++---------------- + 1 file changed, 17 insertions(+), 24 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 18a91c031554c..13836723223e0 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3146,23 +3146,27 @@ ctnetlink_expect_event(unsigned int events, const struct nf_exp_event *item) + return 0; + } + #endif +-static int ctnetlink_exp_done(struct netlink_callback *cb) ++ ++static unsigned long ctnetlink_exp_id(const struct nf_conntrack_expect *exp) + { +- if (cb->args[1]) +- nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]); +- return 0; ++ unsigned long id = (unsigned long)exp; ++ ++ id += nf_ct_get_id(exp->master); ++ id += exp->class; ++ ++ 
return id ? id : 1; + } + + static int + ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { + struct net *net = sock_net(skb->sk); +- struct nf_conntrack_expect *exp, *last; + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + u_int8_t l3proto = nfmsg->nfgen_family; ++ unsigned long last_id = cb->args[1]; ++ struct nf_conntrack_expect *exp; + + rcu_read_lock(); +- last = (struct nf_conntrack_expect *)cb->args[1]; + for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { + restart: + hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]], +@@ -3174,7 +3178,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + continue; + + if (cb->args[1]) { +- if (exp != last) ++ if (ctnetlink_exp_id(exp) != last_id) + continue; + cb->args[1] = 0; + } +@@ -3183,9 +3187,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->nlh->nlmsg_seq, + IPCTNL_MSG_EXP_NEW, + exp) < 0) { +- if (!refcount_inc_not_zero(&exp->use)) +- continue; +- cb->args[1] = (unsigned long)exp; ++ cb->args[1] = ctnetlink_exp_id(exp); + goto out; + } + } +@@ -3196,32 +3198,30 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + } + out: + rcu_read_unlock(); +- if (last) +- nf_ct_expect_put(last); +- + return skb->len; + } + + static int + ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { +- struct nf_conntrack_expect *exp, *last; + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + struct nf_conn *ct = cb->data; + struct nf_conn_help *help = nfct_help(ct); + u_int8_t l3proto = nfmsg->nfgen_family; ++ unsigned long last_id = cb->args[1]; ++ struct nf_conntrack_expect *exp; + + if (cb->args[0]) + return 0; + + rcu_read_lock(); +- last = (struct nf_conntrack_expect *)cb->args[1]; ++ + restart: + hlist_for_each_entry_rcu(exp, &help->expectations, lnode) { + if (l3proto && exp->tuple.src.l3num != l3proto) + continue; + if (cb->args[1]) { +- if (exp != last) ++ if 
(ctnetlink_exp_id(exp) != last_id) + continue; + cb->args[1] = 0; + } +@@ -3229,9 +3229,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->nlh->nlmsg_seq, + IPCTNL_MSG_EXP_NEW, + exp) < 0) { +- if (!refcount_inc_not_zero(&exp->use)) +- continue; +- cb->args[1] = (unsigned long)exp; ++ cb->args[1] = ctnetlink_exp_id(exp); + goto out; + } + } +@@ -3242,9 +3240,6 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->args[0] = 1; + out: + rcu_read_unlock(); +- if (last) +- nf_ct_expect_put(last); +- + return skb->len; + } + +@@ -3263,7 +3258,6 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct nf_conntrack_zone zone; + struct netlink_dump_control c = { + .dump = ctnetlink_exp_ct_dump_table, +- .done = ctnetlink_exp_done, + }; + + err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, +@@ -3313,7 +3307,6 @@ static int ctnetlink_get_expect(struct sk_buff *skb, + else { + struct netlink_dump_control c = { + .dump = ctnetlink_exp_dump_table, +- .done = ctnetlink_exp_done, + }; + return netlink_dump_start(info->sk, skb, info->nlh, &c); + } +-- +2.51.0 + diff --git a/queue-6.12/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch b/queue-6.12/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch new file mode 100644 index 0000000000..c7931039f2 --- /dev/null +++ b/queue-6.12/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch 
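Review bot: `ctnetlink_exp_id()` carries no comment describing its contract, yet both dump tables depend on it: `cb->args[1] == 0` means "no resume hint" in `ctnetlink_exp_dump_table()` and `ctnetlink_exp_ct_dump_table()`, so the `return id ? id : 1;` fallback is what keeps a legitimate cookie from being mistaken for the sentinel. I would add above the function `/* Resume cookie for expectation dumps: object address + master id + class, never 0 (0 in cb->args[1] means no skip hint). */`. Because the cookie is built from the slab address, an expectation freed and reallocated at the same address with the same master id and class can match a stale hint and the dump resumes at the wrong entry; that affects dump completeness only, not memory safety, but the comment should say the hint is best-effort.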
@@ -0,0 +1,47 @@ +From 8c4a29c35d560d898568474cbbb0f791bacd7f64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 14:49:50 +0000 +Subject: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jenny Guanni Qu + +[ Upstream commit f173d0f4c0f689173f8cdac79991043a4a89bf66 ] + +In DecodeQ931(), the UserUserIE code path reads a 16-bit length from +the packet, then decrements it by 1 to skip the protocol discriminator +byte before passing it to DecodeH323_UserInformation(). If the encoded +length is 0, the decrement wraps to -1, which is then passed as a +large value to the decoder, leading to an out-of-bounds read. + +Add a check to ensure len is positive after the decrement. + +Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Tested-by: Jenny Guanni Qu +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_h323_asn1.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c +index c972e9488e16f..7b1497ed97d26 100644 +--- a/net/netfilter/nf_conntrack_h323_asn1.c ++++ b/net/netfilter/nf_conntrack_h323_asn1.c +@@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931) + break; + p++; + len--; ++ if (len <= 0) ++ break; + return DecodeH323_UserInformation(buf, p, len, + &q931->UUIE); + } +-- +2.51.0 + diff --git a/queue-6.12/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch b/queue-6.12/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch new file mode 100644 index 0000000000..110c2d5f58 --- /dev/null +++ b/queue-6.12/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch 
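Review bot: The new `if (len <= 0) break;` does not say why the bound is `<= 0` rather than `< 0`: the preceding `p++; len--;` consumed the protocol discriminator, so a remaining length of zero would hand `DecodeH323_UserInformation()` an empty buffer, and per the commit text an encoded length of 0 underflows to -1. A one-liner such as `/* UUIE must carry at least one byte after the protocol discriminator */` above the check would make that explicit. `DecodeQ931()` starts and ends outside the hunk, so I cannot see whether `len` is also bounded by the bytes remaining in `buf`; if it is not, the 16-bit length read should be checked against `sz` as well.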
@@ -0,0 +1,48 @@ +From 63e2261dbf5931f1b0436797ee0049b5cb7cd306 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 02:29:32 +0000 +Subject: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jenny Guanni Qu + +[ Upstream commit 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a ] + +In decode_int(), the CONS case calls get_bits(bs, 2) to read a length +value, then calls get_uint(bs, len) without checking that len bytes +remain in the buffer. The existing boundary check only validates the +2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() +reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte +slab-out-of-bounds read. + +Add a boundary check for len bytes after get_bits() and before +get_uint(). + +Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_h323_asn1.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c +index 62aa22a078769..c972e9488e16f 100644 +--- a/net/netfilter/nf_conntrack_h323_asn1.c ++++ b/net/netfilter/nf_conntrack_h323_asn1.c +@@ -331,6 +331,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f, + if (nf_h323_error_boundary(bs, 0, 2)) + return H323_ERROR_BOUND; + len = get_bits(bs, 2) + 1; ++ if (nf_h323_error_boundary(bs, len, 0)) ++ return H323_ERROR_BOUND; + BYTE_ALIGN(bs); + if (base && (f->attr & DECODE)) { /* timeToLive */ + unsigned int v = get_uint(bs, len) + f->lb; +-- +2.51.0 + diff --git a/queue-6.12/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch b/queue-6.12/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch new file mode 100644 index 0000000000..6514eb858c 
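Review bot: The added `nf_h323_error_boundary(bs, len, 0)` runs before `BYTE_ALIGN(bs)`, while `get_uint(bs, len)` reads after the alignment, so the check is only sufficient if the helper rounds the current bit offset up to a whole byte when computing the end position. If it does (I believe a partial byte is counted as a full one, but that is outside the hunk), a comment like `/* counts the partial byte, so this also covers BYTE_ALIGN() below */` would spare the next reader the same question; if it does not, the check should move after `BYTE_ALIGN(bs)`. `decode_int()` continues outside the hunk.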
--- /dev/null +++ b/queue-6.12/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch 
@@ -0,0 +1,66 @@ +From 0b8fd6bcab1a2bd498adf465e6c3a7a0d077e8d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 21:49:01 +0000 +Subject: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in + sip_help_tcp() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lukas Johannes Möller + +[ Upstream commit fbce58e719a17aa215c724473fd5baaa4a8dc57c ] + +sip_help_tcp() parses the SIP Content-Length header with +simple_strtoul(), which returns unsigned long, but stores the result in +unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are +silently truncated before computing the SIP message boundary. + +For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, +causing the parser to miscalculate where the current message ends. The +loop then treats trailing data in the TCP segment as a second SIP +message and processes it through the SDP parser. + +Fix this by changing clen to unsigned long to match the return type of +simple_strtoul(), and reject Content-Length values that exceed the +remaining TCP payload length. 
+ +Fixes: f5b321bd37fb ("netfilter: nf_conntrack_sip: add TCP support") +Signed-off-by: Lukas Johannes Möller +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_sip.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c +index d0eac27f6ba03..657839a58782a 100644 +--- a/net/netfilter/nf_conntrack_sip.c ++++ b/net/netfilter/nf_conntrack_sip.c +@@ -1534,11 +1534,12 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff, + { + struct tcphdr *th, _tcph; + unsigned int dataoff, datalen; +- unsigned int matchoff, matchlen, clen; ++ unsigned int matchoff, matchlen; + unsigned int msglen, origlen; + const char *dptr, *end; + s16 diff, tdiff = 0; + int ret = NF_ACCEPT; ++ unsigned long clen; + bool term; + + if (ctinfo != IP_CT_ESTABLISHED && +@@ -1573,6 +1574,9 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff, + if (dptr + matchoff == end) + break; + ++ if (clen > datalen) ++ break; ++ + term = false; + for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) { + if (end[0] == '\r' && end[1] == '\n' && +-- +2.51.0 + diff --git a/queue-6.12/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch b/queue-6.12/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch new file mode 100644 index 0000000000..9daa4516f2 --- /dev/null +++ b/queue-6.12/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch 
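Review bot: The new `if (clen > datalen) break;` bounds Content-Length by the whole TCP payload, whereas the commit text speaks of the remaining payload: `datalen` is the full segment length here, so a Content-Length that exceeds the bytes after the header terminator but stays below `datalen` passes this check and relies on the later message-length handling, which is outside the hunk. If a strict bound is intended, a second comparison against the bytes remaining after `end` once the terminator search has found it would close that gap. The `clen` declaration is now separated from the other counters; a short comment such as `/* unsigned long: matches simple_strtoul(), avoids u32 truncation */` would record why it no longer sits with `matchoff`/`matchlen`.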
@@ -0,0 +1,51 @@ +From a026fbd705b933a99c272ce8b08cd022c5bbcc97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 20:00:26 +0100 +Subject: netfilter: nf_tables: release flowtable after rcu grace period on + error + +From: Pablo Neira Ayuso + +[ Upstream commit d73f4b53aaaea4c95f245e491aa5eeb8a21874ce ] + +Call synchronize_rcu() after unregistering the hooks from error path, +since a hook that already refers to this flowtable can be already +registered, exposing this flowtable to packet path and nfnetlink_hook +control plane. + +This error path is rare, it should only happen by reaching the maximum +number hooks or by failing to set up to hardware offload, just call +synchronize_rcu(). + +There is a check for already used device hooks by different flowtable +that could result in EEXIST at this late stage. The hook parser can be +updated to perform this check earlier to this error path really becomes +rarely exercised. + +Uncovered by KASAN reported as use-after-free from nfnetlink_hook path +when dumping hooks. + +Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 0c12560e94f3b..663c064135181 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -8966,6 +8966,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb, + return 0; + + err_flowtable_hooks: ++ synchronize_rcu(); + nft_trans_destroy(trans); + err_flowtable_trans: + nft_hooks_destroy(&flowtable->hook_list); +-- +2.51.0 + diff --git a/queue-6.12/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch b/queue-6.12/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch new file mode 100644 index 0000000000..de4231f785 --- /dev/null 
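Review bot: The added `synchronize_rcu()` under `err_flowtable_hooks` has no comment, and a bare grace-period wait in an error path reads like a leftover; the reason (a hook may already be registered and the flowtable visible to the packet path and nfnetlink_hook before `nft_hooks_destroy()` frees it) exists only in the commit message. I would add `/* hooks may already be registered and visible under RCU; wait before freeing them */` above the call. `nf_tables_newflowtable()` starts outside the hunk, so I cannot see which lock is held at this point; if it is the nfnl mutex, the blocking wait lengthens its hold time on this rare path, which the commit accepts but which the comment could mention.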
+++ b/queue-6.12/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch 
@@ -0,0 +1,70 @@ +From 9607162b6a8af47fa8c363cbbf8473dbb1b08acb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 13:48:47 +0100 +Subject: netfilter: nft_ct: drop pending enqueued packets on removal + +From: Pablo Neira Ayuso + +[ Upstream commit 36eae0956f659e48d5366d9b083d9417f3263ddc ] + +Packets sitting in nfqueue might hold a reference to: + +- templates that specify the conntrack zone, because a percpu area is + used and module removal is possible. +- conntrack timeout policies and helper, where object removal leave + a stale reference. + +Since these objects can just go away, drop enqueued packets to avoid +stale reference to them. + +If there is a need for finer grain removal, this logic can be revisited +to make selective packet drop upon dependencies. + +Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_ct.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c +index 58a6ad7ed7a46..e361de439b773 100644 +--- a/net/netfilter/nft_ct.c ++++ b/net/netfilter/nft_ct.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include "nf_internals.h" + + struct nft_ct_helper_obj { + struct nf_conntrack_helper *helper4; +@@ -527,6 +528,7 @@ static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv) + #endif + #ifdef CONFIG_NF_CONNTRACK_ZONES + case NFT_CT_ZONE: ++ nf_queue_nf_hook_drop(ctx->net); + mutex_lock(&nft_ct_pcpu_mutex); + if (--nft_ct_pcpu_template_refcnt == 0) + nft_ct_tmpl_put_pcpu(); +@@ -997,6 +999,7 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx, + struct nft_ct_timeout_obj *priv = nft_obj_data(obj); + struct nf_ct_timeout *timeout = priv->timeout; + ++ nf_queue_nf_hook_drop(ctx->net); + nf_ct_untimeout(ctx->net, timeout); + nf_ct_netns_put(ctx->net, ctx->family); + 
kfree(priv->timeout); +@@ -1129,6 +1132,7 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx, + { + struct nft_ct_helper_obj *priv = nft_obj_data(obj); + ++ nf_queue_nf_hook_drop(ctx->net); + if (priv->helper4) + nf_conntrack_helper_put(priv->helper4); + if (priv->helper6) +-- +2.51.0 + diff --git a/queue-6.12/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch b/queue-6.12/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch new file mode 100644 index 0000000000..3d79973673 --- /dev/null +++ b/queue-6.12/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch 
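Review bot: The three `nf_queue_nf_hook_drop(ctx->net)` calls added to `__nft_ct_set_destroy()`, `nft_ct_timeout_obj_destroy()` and `nft_ct_helper_obj_destroy()` flush every packet queued to userspace in the netns, not only those referencing the object being destroyed, and nothing at the call sites says so; the same applies to the `nf_queue_nf_hook_drop(par->net)` in the xt_CT hunk that follows. A comment at each site, e.g. `/* queued skbs may still reference this object; drop all of them (coarse by design) */`, would make the side effect visible to whoever touches these teardown paths next. The `__nft_ct_set_destroy()` and `nft_ct_helper_obj_destroy()` bodies continue outside the hunks.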
@@ -0,0 +1,54 @@ +From afa7928aa65f5ad6645af46715301ac7be5add87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 13:48:48 +0100 +Subject: netfilter: xt_CT: drop pending enqueued packets on template removal + +From: Pablo Neira Ayuso + +[ Upstream commit f62a218a946b19bb59abdd5361da85fa4606b96b ] + +Templates refer to objects that can go away while packets are sitting in +nfqueue refer to: + +- helper, this can be an issue on module removal. +- timeout policy, nfnetlink_cttimeout might remove it. + +The use of templates with zone and event cache filter are safe, since +this just copies values. + +Flush these enqueued packets in case the template rule gets removed. + +Fixes: 24de58f46516 ("netfilter: xt_CT: allow to attach timeout policy + glue code") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_CT.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c +index 3ba94c34297cf..498f5871c84a0 100644 +--- a/net/netfilter/xt_CT.c ++++ b/net/netfilter/xt_CT.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include "nf_internals.h" + + static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct) + { +@@ -283,6 +284,9 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par, + struct nf_conn_help *help; + + if (ct) { ++ if (info->helper[0] || info->timeout[0]) ++ nf_queue_nf_hook_drop(par->net); ++ + help = nfct_help(ct); + xt_ct_put_helper(help); + +-- +2.51.0 + diff --git a/queue-6.12/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch b/queue-6.12/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch new file mode 100644 index 0000000000..1cae8967fa --- /dev/null +++ b/queue-6.12/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch 
@@ -0,0 +1,53 @@ +From 26d31a318057476163e2a020829996920b54a463 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 14:59:49 +0000 +Subject: netfilter: xt_time: use unsigned int for monthday bit shift +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jenny Guanni Qu + +[ Upstream commit 00050ec08cecfda447e1209b388086d76addda3a ] + +The monthday field can be up to 31, and shifting a signed integer 1 +by 31 positions (1 << 31) is undefined behavior in C, as the result +overflows a 32-bit signed int. Use 1U to ensure well-defined behavior +for all valid monthday values. + +Change the weekday shift to 1U as well for consistency. + +Fixes: ee4411a1b1e0 ("[NETFILTER]: x_tables: add xt_time match") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Tested-by: Jenny Guanni Qu +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_time.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c +index 6aa12d0f54e23..61de85e02a40f 100644 +--- a/net/netfilter/xt_time.c ++++ b/net/netfilter/xt_time.c +@@ -227,13 +227,13 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par) + + localtime_2(¤t_time, stamp); + +- if (!(info->weekdays_match & (1 << current_time.weekday))) ++ if (!(info->weekdays_match & (1U << current_time.weekday))) + return false; + + /* Do not spend time computing monthday if all days match anyway */ + if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) { + localtime_3(¤t_time, stamp); +- if (!(info->monthdays_match & (1 << current_time.monthday))) ++ if (!(info->monthdays_match & (1U << current_time.monthday))) + return false; + } + +-- +2.51.0 + diff --git a/queue-6.12/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch b/queue-6.12/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch new file mode 100644 index 0000000000..4fc7edc663 
--- /dev/null +++ b/queue-6.12/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch 
@@ -0,0 +1,107 @@ +From 731c558e6025e5888d485c7b4c987b936ca4095a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 12:38:59 +0100 +Subject: nf_tables: nft_dynset: fix possible stateful expression memleak in + error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pablo Neira Ayuso + +[ Upstream commit 0548a13b5a145b16e4da0628b5936baf35f51b43 ] + +If cloning the second stateful expression in the element via GFP_ATOMIC +fails, then the first stateful expression remains in place without being +released. + +   unreferenced object (percpu) 0x607b97e9cab8 (size 16): +     comm "softirq", pid 0, jiffies 4294931867 +     hex dump (first 16 bytes on cpu 3): +       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +     backtrace (crc 0): +       pcpu_alloc_noprof+0x453/0xd80 +       nft_counter_clone+0x9c/0x190 [nf_tables] +       nft_expr_clone+0x8f/0x1b0 [nf_tables] +       nft_dynset_new+0x2cb/0x5f0 [nf_tables] +       nft_rhash_update+0x236/0x11c0 [nf_tables] +       nft_dynset_eval+0x11f/0x670 [nf_tables] +       nft_do_chain+0x253/0x1700 [nf_tables] +       nft_do_chain_ipv4+0x18d/0x270 [nf_tables] +       nf_hook_slow+0xaa/0x1e0 +       ip_local_deliver+0x209/0x330 + +Fixes: 563125a73ac3 ("netfilter: nftables: generalize set extension to support for several expressions") +Reported-by: Gurpreet Shergill +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 2 ++ + net/netfilter/nf_tables_api.c | 4 ++-- + net/netfilter/nft_dynset.c | 10 +++++++++- + 3 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 79296ed87b9b3..36964b86d336d 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -873,6 +873,8 @@ struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set, + u64 timeout, u64 
expiration, gfp_t gfp); + int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, + struct nft_expr *expr_array[]); ++void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, ++ struct nft_set_elem_expr *elem_expr); + void nft_set_elem_destroy(const struct nft_set *set, + const struct nft_elem_priv *elem_priv, + bool destroy_expr); +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 268d00ffee0cb..0c12560e94f3b 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -6637,8 +6637,8 @@ static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx, + } + } + +-static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, +- struct nft_set_elem_expr *elem_expr) ++void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, ++ struct nft_set_elem_expr *elem_expr) + { + struct nft_expr *expr; + u32 size; +diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c +index e24493d9e7761..0b3c4f6a8decd 100644 +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -30,18 +30,26 @@ static int nft_dynset_expr_setup(const struct nft_dynset *priv, + const struct nft_set_ext *ext) + { + struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext); ++ struct nft_ctx ctx = { ++ .net = read_pnet(&priv->set->net), ++ .family = priv->set->table->family, ++ }; + struct nft_expr *expr; + int i; + + for (i = 0; i < priv->num_exprs; i++) { + expr = nft_setelem_expr_at(elem_expr, elem_expr->size); + if (nft_expr_clone(expr, priv->expr_array[i], GFP_ATOMIC) < 0) +- return -1; ++ goto err_out; + + elem_expr->size += priv->expr_array[i]->ops->size; + } + + return 0; ++err_out: ++ nft_set_elem_expr_destroy(&ctx, elem_expr); ++ ++ return -1; + } + + static struct nft_elem_priv *nft_dynset_new(struct nft_set *set, +-- +2.51.0 + 
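Review bot: The `struct nft_ctx ctx` initializer at the top of `nft_dynset_expr_setup()` runs on every element insertion, including the success path, although its only consumer is the `err_out` label; `read_pnet()` and the two dereferences are cheap, but this is packet-path code and the value is needed only when a clone fails. Consider building `ctx` where it is used (a block under `err_out:` keeping the designated initializer, so the remaining fields stay zeroed) and leaving the success path untouched. A comment at `err_out` that `elem_expr->size` is bumped only after a successful clone, so the destroy walk excludes the slot whose clone just failed, would also document why the partially-initialised element is safe to tear down this way.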
diff --git a/queue-6.12/nfnetlink_osf-validate-individual-option-lengths-in-.patch b/queue-6.12/nfnetlink_osf-validate-individual-option-lengths-in-.patch new file mode 100644 index 0000000000..719ff39183 --- /dev/null +++ b/queue-6.12/nfnetlink_osf-validate-individual-option-lengths-in-.patch 
@@ -0,0 +1,83 @@ +From 9bd3c66765e7003ae49bc8c1b4abc6b1086b6468 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 15:32:44 +0800 +Subject: nfnetlink_osf: validate individual option lengths in fingerprints + +From: Weiming Shi + +[ Upstream commit dbdfaae9609629a9569362e3b8f33d0a20fd783c ] + +nfnl_osf_add_callback() validates opt_num bounds and string +NUL-termination but does not check individual option length fields. +A zero-length option causes nf_osf_match_one() to enter the option +matching loop even when foptsize sums to zero, which matches packets +with no TCP options where ctx->optp is NULL: + + Oops: general protection fault + KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) + Call Trace: + nf_osf_match (net/netfilter/nfnetlink_osf.c:227) + xt_osf_match_packet (net/netfilter/xt_osf.c:32) + ipt_do_table (net/ipv4/netfilter/ip_tables.c:293) + nf_hook_slow (net/netfilter/core.c:623) + ip_local_deliver (net/ipv4/ip_input.c:262) + ip_rcv (net/ipv4/ip_input.c:573) + +Additionally, an MSS option (kind=2) with length < 4 causes +out-of-bounds reads when nf_osf_match_one() unconditionally accesses +optp[2] and optp[3] for MSS value extraction. While RFC 9293 +section 3.2 specifies that the MSS option is always exactly 4 +bytes (Kind=2, Length=4), the check uses "< 4" rather than +"!= 4" because lengths greater than 4 do not cause memory +safety issues -- the buffer is guaranteed to be at least +foptsize bytes by the ctx->optsize == foptsize check. + +Reject fingerprints where any option has zero length, or where an MSS +option has length less than 4, at add time rather than trusting these +values in the packet matching hot path. 
+ +Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_osf.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c +index c0fc431991e88..9fc9544d4bc53 100644 +--- a/net/netfilter/nfnetlink_osf.c ++++ b/net/netfilter/nfnetlink_osf.c +@@ -302,7 +302,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb, + { + struct nf_osf_user_finger *f; + struct nf_osf_finger *kf = NULL, *sf; ++ unsigned int tot_opt_len = 0; + int err = 0; ++ int i; + + if (!capable(CAP_NET_ADMIN)) + return -EPERM; +@@ -318,6 +320,17 @@ static int nfnl_osf_add_callback(struct sk_buff *skb, + if (f->opt_num > ARRAY_SIZE(f->opt)) + return -EINVAL; + ++ for (i = 0; i < f->opt_num; i++) { ++ if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN) ++ return -EINVAL; ++ if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4) ++ return -EINVAL; ++ ++ tot_opt_len += f->opt[i].length; ++ if (tot_opt_len > MAX_IPOPTLEN) ++ return -EINVAL; ++ } ++ + if (!memchr(f->genre, 0, MAXGENRELEN) || + !memchr(f->subtype, 0, MAXGENRELEN) || + !memchr(f->version, 0, MAXGENRELEN)) +-- +2.51.0 + diff --git a/queue-6.12/pm-runtime-fix-a-race-condition-related-to-device-re.patch b/queue-6.12/pm-runtime-fix-a-race-condition-related-to-device-re.patch new file mode 100644 index 0000000000..60a40c1fc4 --- /dev/null +++ b/queue-6.12/pm-runtime-fix-a-race-condition-related-to-device-re.patch 
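Review bot: In the new validation loop the per-option `f->opt[i].length > MAX_IPOPTLEN` test is subsumed by the running total two lines below (`tot_opt_len > MAX_IPOPTLEN` fires on the same iteration), so it adds no protection; either drop it or comment it as a deliberate early-out. `i` is declared `int` while `f->opt_num` is compared against `ARRAY_SIZE(f->opt)` above, a `size_t`; `unsigned int i;` would keep the loop free of signed/unsigned mixing if `opt_num` is unsigned, as it appears to be. The MSS test would benefit from the rationale in the commit text, e.g. `/* MSS value is read from optp[2..3]; longer options are bounded by foptsize */`, so that `< 4` rather than `!= 4` does not look like an oversight.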
@@ -0,0 +1,126 @@ +From a75bd5b4dce083f09369c8319e903be57a0ff68f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 11:27:20 -0700 +Subject: PM: runtime: Fix a race condition related to device removal + +From: Bart Van Assche + +[ Upstream commit 29ab768277617452d88c0607c9299cdc63b6e9ff ] + +The following code in pm_runtime_work() may dereference the dev->parent +pointer after the parent device has been freed: + + /* Maybe the parent is now able to suspend. */ + if (parent && !parent->power.ignore_children) { + spin_unlock(&dev->power.lock); + + spin_lock(&parent->power.lock); + rpm_idle(parent, RPM_ASYNC); + spin_unlock(&parent->power.lock); + + spin_lock(&dev->power.lock); + } + +Fix this by inserting a flush_work() call in pm_runtime_remove(). + +Without this patch blktest block/001 triggers the following complaint +sporadically: + +BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160 +Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081 +Workqueue: pm pm_runtime_work +Call Trace: + + dump_stack_lvl+0x61/0x80 + print_address_description.constprop.0+0x8b/0x310 + print_report+0xfd/0x1d7 + kasan_report+0xd8/0x1d0 + __kasan_check_byte+0x42/0x60 + lock_acquire.part.0+0x38/0x230 + lock_acquire+0x70/0x160 + _raw_spin_lock+0x36/0x50 + rpm_suspend+0xc6a/0xfe0 + rpm_idle+0x578/0x770 + pm_runtime_work+0xee/0x120 + process_one_work+0xde3/0x1410 + worker_thread+0x5eb/0xfe0 + kthread+0x37b/0x480 + ret_from_fork+0x6cb/0x920 + ret_from_fork_asm+0x11/0x20 + + +Allocated by task 4314: + kasan_save_stack+0x2a/0x50 + kasan_save_track+0x18/0x40 + kasan_save_alloc_info+0x3d/0x50 + __kasan_kmalloc+0xa0/0xb0 + __kmalloc_noprof+0x311/0x990 + scsi_alloc_target+0x122/0xb60 [scsi_mod] + __scsi_scan_target+0x101/0x460 [scsi_mod] + scsi_scan_channel+0x179/0x1c0 [scsi_mod] + scsi_scan_host_selected+0x259/0x2d0 [scsi_mod] + store_scan+0x2d2/0x390 [scsi_mod] + dev_attr_store+0x43/0x80 + sysfs_kf_write+0xde/0x140 + kernfs_fop_write_iter+0x3ef/0x670 + 
vfs_write+0x506/0x1470 + ksys_write+0xfd/0x230 + __x64_sys_write+0x76/0xc0 + x64_sys_call+0x213/0x1810 + do_syscall_64+0xee/0xfc0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Freed by task 4314: + kasan_save_stack+0x2a/0x50 + kasan_save_track+0x18/0x40 + kasan_save_free_info+0x3f/0x50 + __kasan_slab_free+0x67/0x80 + kfree+0x225/0x6c0 + scsi_target_dev_release+0x3d/0x60 [scsi_mod] + device_release+0xa3/0x220 + kobject_cleanup+0x105/0x3a0 + kobject_put+0x72/0xd0 + put_device+0x17/0x20 + scsi_device_dev_release+0xacf/0x12c0 [scsi_mod] + device_release+0xa3/0x220 + kobject_cleanup+0x105/0x3a0 + kobject_put+0x72/0xd0 + put_device+0x17/0x20 + scsi_device_put+0x7f/0xc0 [scsi_mod] + sdev_store_delete+0xa5/0x120 [scsi_mod] + dev_attr_store+0x43/0x80 + sysfs_kf_write+0xde/0x140 + kernfs_fop_write_iter+0x3ef/0x670 + vfs_write+0x506/0x1470 + ksys_write+0xfd/0x230 + __x64_sys_write+0x76/0xc0 + x64_sys_call+0x213/0x1810 + +Reported-by: Ming Lei +Closes: https://lore.kernel.org/all/ZxdNvLNI8QaOfD2d@fedora/ +Reported-by: syzbot+6c905ab800f20cf4086c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68c13942.050a0220.2ff435.000b.GAE@google.com/ +Fixes: 5e928f77a09a ("PM: Introduce core framework for run-time PM of I/O devices (rev. 17)") +Signed-off-by: Bart Van Assche +Link: https://patch.msgid.link/20260312182720.2776083-1-bvanassche@acm.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/base/power/runtime.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index 425c44f1e4d31..167ff6f7a3fec 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -1856,6 +1856,7 @@ void pm_runtime_reinit(struct device *dev) + void pm_runtime_remove(struct device *dev) + { + __pm_runtime_disable(dev, false); ++ flush_work(&dev->power.work); + pm_runtime_reinit(dev); + } + +-- +2.51.0 + 
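Review bot: The new `flush_work(&dev->power.work)` in `pm_runtime_remove()` has no comment tying it to the race it closes, and a reader of this three-line function cannot tell why a flush follows a disable. I would add `/* pm_runtime_work() may still be running and about to touch dev->parent; wait for it before the parent can go away */` above the call. `flush_work()` sleeps, so this also assumes `pm_runtime_remove()` is never called from atomic context or with `dev->power.lock` held; presumably `__pm_runtime_disable()` takes and drops that lock internally, but the assumption is worth stating next to the call.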
diff --git a/queue-6.12/sched-idle-consolidate-the-handling-of-two-special-c.patch b/queue-6.12/sched-idle-consolidate-the-handling-of-two-special-c.patch new file mode 100644 index 0000000000..36fbb33c60 --- /dev/null +++ b/queue-6.12/sched-idle-consolidate-the-handling-of-two-special-c.patch 
@@ -0,0 +1,133 @@ +From 07b25d52b75d321b66c7dde40d431b4ab65a503a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 13:25:41 +0100 +Subject: sched: idle: Consolidate the handling of two special cases + +From: Rafael J. Wysocki + +[ Upstream commit f4c31b07b136839e0fb3026f8a5b6543e3b14d2f ] + +There are two special cases in the idle loop that are handled +inconsistently even though they are analogous. + +The first one is when a cpuidle driver is absent and the default CPU +idle time power management implemented by the architecture code is used. +In that case, the scheduler tick is stopped every time before invoking +default_idle_call(). + +The second one is when a cpuidle driver is present, but there is only +one idle state in its table. In that case, the scheduler tick is never +stopped at all. + +Since each of these approaches has its drawbacks, reconcile them with +the help of one simple heuristic. Namely, stop the tick if the CPU has +been woken up by it in the previous iteration of the idle loop, or let +it tick otherwise. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Reviewed-by: Frederic Weisbecker +Reviewed-by: Qais Yousef +Reviewed-by: Aboorva Devarajan +Fixes: ed98c3491998 ("sched: idle: Do not stop the tick before cpuidle_idle_call()") +[ rjw: Added Fixes tag, changelog edits ] +Link: https://patch.msgid.link/4741364.LvFx2qVVIh@rafael.j.wysocki +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + kernel/sched/idle.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c +index b6a072a323a44..1f0f0d9a5a5cf 100644 +--- a/kernel/sched/idle.c ++++ b/kernel/sched/idle.c +@@ -155,6 +155,14 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev, + return cpuidle_enter(drv, dev, next_state); + } + ++static void idle_call_stop_or_retain_tick(bool stop_tick) ++{ ++ if (stop_tick || tick_nohz_tick_stopped()) ++ tick_nohz_idle_stop_tick(); ++ else ++ tick_nohz_idle_retain_tick(); ++} ++ + /** + * cpuidle_idle_call - the main idle function + * +@@ -164,7 +172,7 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev, + * set, and it returns with polling set. If it ever stops polling, it + * must clear the polling bit. + */ +-static void cpuidle_idle_call(void) ++static void cpuidle_idle_call(bool stop_tick) + { + struct cpuidle_device *dev = cpuidle_get_device(); + struct cpuidle_driver *drv = cpuidle_get_cpu_driver(dev); +@@ -180,7 +188,7 @@ static void cpuidle_idle_call(void) + } + + if (cpuidle_not_available(drv, dev)) { +- tick_nohz_idle_stop_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + default_idle_call(); + goto exit_idle; +@@ -215,17 +223,19 @@ static void cpuidle_idle_call(void) + next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns); + call_cpuidle(drv, dev, next_state); + } else if (drv->state_count > 1) { +- bool stop_tick = true; ++ /* ++ * stop_tick is expected to be true by default by cpuidle ++ * governors, which allows them to select idle states with ++ * target residency above the tick period length. ++ */ ++ stop_tick = true; + + /* + * Ask the cpuidle framework to choose a convenient idle state. 
+ */ + next_state = cpuidle_select(drv, dev, &stop_tick); + +- if (stop_tick || tick_nohz_tick_stopped()) +- tick_nohz_idle_stop_tick(); +- else +- tick_nohz_idle_retain_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + entered_state = call_cpuidle(drv, dev, next_state); + /* +@@ -233,7 +243,7 @@ static void cpuidle_idle_call(void) + */ + cpuidle_reflect(dev, entered_state); + } else { +- tick_nohz_idle_retain_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + /* + * If there is only a single idle state (or none), there is +@@ -261,6 +271,7 @@ static void cpuidle_idle_call(void) + static void do_idle(void) + { + int cpu = smp_processor_id(); ++ bool got_tick = false; + + /* + * Check if we need to update blocked load +@@ -332,8 +343,9 @@ static void do_idle(void) + tick_nohz_idle_restart_tick(); + cpu_idle_poll(); + } else { +- cpuidle_idle_call(); ++ cpuidle_idle_call(got_tick); + } ++ got_tick = tick_nohz_idle_got_tick(); + arch_cpu_idle_exit(); + } + +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index 8ef05305c0..62bb07a345 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
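Review bot: The kernel-doc block above `cpuidle_idle_call()` is not updated for the new `bool stop_tick` parameter, so kernel-doc will report a missing parameter description unless it was added in lines the hunk does not show; suggest `* @stop_tick: stop the scheduler tick before idling; do_idle() passes true when the CPU was woken by the tick on the previous iteration` in that block. The new helper `idle_call_stop_or_retain_tick()` also has no comment, and its behaviour of calling `tick_nohz_idle_stop_tick()` whenever the tick is already stopped, regardless of `stop_tick`, is worth one line such as `/* An already-stopped tick stays stopped; stop_tick only decides for a running one. */`. The bodies of cpuidle_idle_call() and do_idle() extend beyond the hunks shown here.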
@@ -363,3 +363,71 @@ drm-xe-open-code-ggtt-mmio-access-protection.patch bluetooth-l2cap-fix-accepting-multiple-l2cap_ecred_conn_req.patch ata-libata-scsi-return-residual-for-emulated-scsi-commands.patch ata-libata-scsi-report-correct-sense-field-pointer-in-ata_scsiop_maint_in.patch +btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch +btrfs-tree-checker-fix-misleading-root-drop_level-er.patch +soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch +cache-starfive-fix-device-node-leak-in-starlink_cach.patch +cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch +soc-rockchip-grf-add-missing-of_node_put-when-return.patch +soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch +soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch +wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch +wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch +arm64-dts-renesas-r9a09g057-add-rtc-node.patch +arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch +firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch +firmware-arm_scpi-fix-device_node-reference-leak-in-.patch +bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch +bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch +bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch +bluetooth-iso-fix-defer-tests-being-unstable.patch +bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch +bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch +bluetooth-hidp-fix-possible-uaf.patch +bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch +bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch +bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch +net-rose-fix-null-pointer-dereference-in-rose_transm.patch +mpls-add-missing-unregister_netdevice_notifier-to-mp.patch +netfilter-ctnetlink-remove-refcounting-in-expectatio.patch +netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch +netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch 
+netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch +nf_tables-nft_dynset-fix-possible-stateful-expressio.patch +netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch +netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch +netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch +netfilter-nf_conntrack_h323-check-for-zero-length-in.patch +net-bcmgenet-increase-wol-poll-timeout.patch +net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch +sched-idle-consolidate-the-handling-of-two-special-c.patch +pm-runtime-fix-a-race-condition-related-to-device-re.patch +bonding-prevent-potential-infinite-loop-in-bond_head.patch +net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch +net-sched-teql-fix-double-free-in-teql_master_xmit.patch +net-airoha-read-default-pse-reserved-pages-value-bef.patch +net-airoha-fix-pse-memory-configuration-in-airoha_fe.patch +net-airoha-read-completion-queue-data-in-airoha_qdma.patch +net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch +net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch +net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch +clsact-fix-use-after-free-in-init-destroy-rollback-a.patch +net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch +igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch +igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch +iavf-fix-vlan-filter-lost-on-add-delete-race.patch +wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch +wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch +acpi-processor-fix-previous-acpi_processor_errata_pi.patch +net-macb-fix-uninitialized-rx_fs_lock.patch +net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch +net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch +net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch +udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch +net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch +netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch 
+netfilter-nf_tables-release-flowtable-after-rcu-grac.patch +nfnetlink_osf-validate-individual-option-lengths-in-.patch +net-mvpp2-guard-flow-control-update-with-global_tx_f.patch +net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch +icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch diff --git a/queue-6.12/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch b/queue-6.12/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch new file mode 100644 index 0000000000..54212300de --- /dev/null +++ b/queue-6.12/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch 
@@ -0,0 +1,42 @@ +From 2be19b8c4b8d98196b5b36f96f1a98547c9ec7b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Feb 2026 09:59:04 +0800 +Subject: soc: fsl: cpm1: qmc: Fix error check for devm_ioremap_resource() in + qmc_qe_init_resources() + +From: Chen Ni + +[ Upstream commit 3f4e403304186d79fddace860360540fc3af97f9 ] + +Fix wrong variable used for error checking after devm_ioremap_resource() +call. The function checks qmc->scc_pram instead of qmc->dpram, which +could lead to incorrect error handling. + +Fixes: eb680d563089 ("soc: fsl: cpm1: qmc: Add support for QUICC Engine (QE) implementation") +Signed-off-by: Chen Ni +Acked-by: Herve Codina +Link: https://lore.kernel.org/r/20260209015904.871269-1-nichen@iscas.ac.cn +Signed-off-by: Christophe Leroy (CS GROUP) +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qe/qmc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/fsl/qe/qmc.c b/drivers/soc/fsl/qe/qmc.c +index 36c0ccc06151f..cc7032a0ad8c3 100644 +--- a/drivers/soc/fsl/qe/qmc.c ++++ b/drivers/soc/fsl/qe/qmc.c +@@ -1777,8 +1777,8 @@ static int qmc_qe_init_resources(struct qmc *qmc, struct platform_device *pdev) + return -EINVAL; + qmc->dpram_offset = res->start - qe_muram_dma(qe_muram_addr(0)); + qmc->dpram = devm_ioremap_resource(qmc->dev, res); +- if (IS_ERR(qmc->scc_pram)) +- return PTR_ERR(qmc->scc_pram); ++ if (IS_ERR(qmc->dpram)) ++ return PTR_ERR(qmc->dpram); + + return 0; + } +-- +2.51.0 + diff --git a/queue-6.12/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch b/queue-6.12/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch new file mode 100644 index 0000000000..15af9aa27b --- /dev/null +++ b/queue-6.12/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch 
@@ -0,0 +1,92 @@ +From 4a004ad3f18e76733b0e19d1d3323a4860188b96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 08:25:49 +0100 +Subject: soc: fsl: qbman: fix race condition in qman_destroy_fq + +From: Richard Genoud + +[ Upstream commit 014077044e874e270ec480515edbc1cadb976cf2 ] + +When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between +fq_table[fq->idx] state and freeing/allocating from the pool and +WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. + +Indeed, we can have: + Thread A Thread B + qman_destroy_fq() qman_create_fq() + qman_release_fqid() + qman_shutdown_fq() + gen_pool_free() + -- At this point, the fqid is available again -- + qman_alloc_fqid() + -- so, we can get the just-freed fqid in thread B -- + fq->fqid = fqid; + fq->idx = fqid * 2; + WARN_ON(fq_table[fq->idx]); + fq_table[fq->idx] = fq; + fq_table[fq->idx] = NULL; + +And adding some logs between qman_release_fqid() and +fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more. + +To prevent that, ensure that fq_table[fq->idx] is set to NULL before +gen_pool_free() is called by using smp_wmb(). + +Fixes: c535e923bb97 ("soc/fsl: Introduce DPAA 1.x QMan device driver") +Signed-off-by: Richard Genoud +Tested-by: CHAMPSEIX Thomas +Link: https://lore.kernel.org/r/20251223072549.397625-1-richard.genoud@bootlin.com +Signed-off-by: Christophe Leroy (CS GROUP) +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qbman/qman.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c +index 4dc8aba33d9b7..0791b41913383 100644 +--- a/drivers/soc/fsl/qbman/qman.c ++++ b/drivers/soc/fsl/qbman/qman.c +@@ -1827,6 +1827,8 @@ EXPORT_SYMBOL(qman_create_fq); + + void qman_destroy_fq(struct qman_fq *fq) + { ++ int leaked; ++ + /* + * We don't need to lock the FQ as it is a pre-condition that the FQ be + * quiesced. Instead, run some checks. 
+@@ -1834,11 +1836,29 @@ void qman_destroy_fq(struct qman_fq *fq) + switch (fq->state) { + case qman_fq_state_parked: + case qman_fq_state_oos: +- if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) +- qman_release_fqid(fq->fqid); ++ /* ++ * There's a race condition here on releasing the fqid, ++ * setting the fq_table to NULL, and freeing the fqid. ++ * To prevent it, this order should be respected: ++ */ ++ if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) { ++ leaked = qman_shutdown_fq(fq->fqid); ++ if (leaked) ++ pr_debug("FQID %d leaked\n", fq->fqid); ++ } + + DPAA_ASSERT(fq_table[fq->idx]); + fq_table[fq->idx] = NULL; ++ ++ if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) && !leaked) { ++ /* ++ * fq_table[fq->idx] should be set to null before ++ * freeing fq->fqid otherwise it could by allocated by ++ * qman_alloc_fqid() while still being !NULL ++ */ ++ smp_wmb(); ++ gen_pool_free(qm_fqalloc, fq->fqid | DPAA_GENALLOC_OFF, 1); ++ } + return; + default: + break; +-- +2.51.0 + diff --git a/queue-6.12/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch b/queue-6.12/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch new file mode 100644 index 0000000000..75e78801a4 --- /dev/null +++ b/queue-6.12/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch 
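Review bot: `leaked` is declared without an initializer and is only assigned inside the first `if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))` block, so the later `fq_isset(...) && !leaked` test avoids reading it only because `&&` short-circuits on the same predicate; that is correct today but fragile and will draw maybe-uninitialized warnings from some compilers, so prefer `int leaked = 0;`. The `smp_wmb()` before `gen_pool_free()` orders only this side's stores; for the `WARN_ON(fq_table[fq->idx])` reader in qman_create_fq() to be guaranteed to see the NULL, the allocation path needs a pairing read barrier or acquire, so either name that pairing in the comment or confirm that gen_pool_alloc()'s internal locking already provides it. Minor: the comment reads `could by allocated`; it should be `could be allocated`. qman_destroy_fq() continues past the end of the hunk.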
@@ -0,0 +1,70 @@ +From 97b7353e19f312177103ffad92e206b5b3de7ab9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 12:48:36 +0000 +Subject: soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe() + +From: Zilin Guan + +[ Upstream commit 5a741f8cc6fe62542f955cd8d24933a1b6589cbd ] + +In mpfs_sys_controller_probe(), if of_get_mtd_device_by_node() fails, +the function returns immediately without freeing the allocated memory +for sys_controller, leading to a memory leak. + +Fix this by jumping to the out_free label to ensure the memory is +properly freed. + +Also, consolidate the error handling for the mbox_request_channel() +failure case to use the same label. + +Fixes: 742aa6c563d2 ("soc: microchip: mpfs: enable access to the system controller's flash") +Co-developed-by: Jianhao Xu +Signed-off-by: Jianhao Xu +Signed-off-by: Zilin Guan +Signed-off-by: Conor Dooley +Signed-off-by: Sasha Levin +--- + drivers/soc/microchip/mpfs-sys-controller.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/soc/microchip/mpfs-sys-controller.c b/drivers/soc/microchip/mpfs-sys-controller.c +index 30bc45d17d343..81636cfecd37e 100644 +--- a/drivers/soc/microchip/mpfs-sys-controller.c ++++ b/drivers/soc/microchip/mpfs-sys-controller.c +@@ -142,8 +142,10 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev) + + sys_controller->flash = of_get_mtd_device_by_node(np); + of_node_put(np); +- if (IS_ERR(sys_controller->flash)) +- return dev_err_probe(dev, PTR_ERR(sys_controller->flash), "Failed to get flash\n"); ++ if (IS_ERR(sys_controller->flash)) { ++ ret = dev_err_probe(dev, PTR_ERR(sys_controller->flash), "Failed to get flash\n"); ++ goto out_free; ++ } + + no_flash: + sys_controller->client.dev = dev; +@@ -155,8 +157,7 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev) + if (IS_ERR(sys_controller->chan)) { + ret = dev_err_probe(dev, PTR_ERR(sys_controller->chan), + "Failed to get mbox 
channel\n"); +- kfree(sys_controller); +- return ret; ++ goto out_free; + } + + init_completion(&sys_controller->c); +@@ -174,6 +175,10 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev) + dev_info(&pdev->dev, "Registered MPFS system controller\n"); + + return 0; ++ ++out_free: ++ kfree(sys_controller); ++ return ret; + } + + static void mpfs_sys_controller_remove(struct platform_device *pdev) +-- +2.51.0 + diff --git a/queue-6.12/soc-rockchip-grf-add-missing-of_node_put-when-return.patch b/queue-6.12/soc-rockchip-grf-add-missing-of_node_put-when-return.patch new file mode 100644 index 0000000000..f5e49e6c87 --- /dev/null +++ b/queue-6.12/soc-rockchip-grf-add-missing-of_node_put-when-return.patch 
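Review bot: The mbox failure path now jumps to `out_free`, which only frees `sys_controller`; if `of_get_mtd_device_by_node()` takes a reference on the returned MTD device (the `get` naming suggests so, but the API is not visible here), that reference is leaked on this path, which the commit does not address. If that is the case, a second label that releases `sys_controller->flash` when it is non-NULL and then falls into `out_free` would close it, with the `no_flash:` path skipping the release. mpfs_sys_controller_probe() begins before the hunk.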
@@ -0,0 +1,39 @@ +From 892c451632fb09279171cc8961b57fddf07afca4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Feb 2026 21:02:37 +0800 +Subject: soc: rockchip: grf: Add missing of_node_put() when returning + +From: Shawn Lin + +[ Upstream commit 24ed11ee5bacf9a9aca18fc6b47667c7f38d578b ] + +Fix the smatch checking: +drivers/soc/rockchip/grf.c:249 rockchip_grf_init() +warn: inconsistent refcounting 'np->kobj.kref.refcount.refs.counter': + +Reported-by: Dan Carpenter +Fixes: 75fb63ae0312 ("soc: rockchip: grf: Support multiple grf to be handled") +Closes: https://lore.kernel.org/all/aYXvgTcUJWQL2can@stanley.mountain/ +Signed-off-by: Shawn Lin +Link: https://patch.msgid.link/1770814957-17762-1-git-send-email-shawn.lin@rock-chips.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/soc/rockchip/grf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/soc/rockchip/grf.c b/drivers/soc/rockchip/grf.c +index dddfe349b3da3..6fd02220abf1d 100644 +--- a/drivers/soc/rockchip/grf.c ++++ b/drivers/soc/rockchip/grf.c +@@ -217,6 +217,7 @@ static int __init rockchip_grf_init(void) + grf = syscon_node_to_regmap(np); + if (IS_ERR(grf)) { + pr_err("%s: could not get grf syscon\n", __func__); ++ of_node_put(np); + return PTR_ERR(grf); + } + +-- +2.51.0 + diff --git a/queue-6.12/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch b/queue-6.12/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch new file mode 100644 index 0000000000..bf31992188 --- /dev/null +++ b/queue-6.12/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch 
@@ -0,0 +1,64 @@ +From 6db3c182ace290adfe770e64749dc44e69a8df6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 18:02:41 -0700 +Subject: udp_tunnel: fix NULL deref caused by udp_sock_create6 when + CONFIG_IPV6=n + +From: Xiang Mei + +[ Upstream commit b3a6df291fecf5f8a308953b65ca72b7fc9e015d ] + +When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 +(success) without actually creating a socket. Callers such as +fou_create() then proceed to dereference the uninitialized socket +pointer, resulting in a NULL pointer dereference. + +The captured NULL deref crash: + BUG: kernel NULL pointer dereference, address: 0000000000000018 + RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764) + [...] + Call Trace: + + genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114) + genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209) + [...] + netlink_rcv_skb (net/netlink/af_netlink.c:2550) + genl_rcv (net/netlink/genetlink.c:1219) + netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) + netlink_sendmsg (net/netlink/af_netlink.c:1894) + __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1)) + __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1)) + __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1)) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) + entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130) + +This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so +callers correctly take their error paths. There is only one caller of +the vulnerable function and only privileged users can trigger it. 
+ +Fixes: fd384412e199b ("udp_tunnel: Seperate ipv6 functions into its own file.") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260317010241.1893893-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/udp_tunnel.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h +index a93dc51f6323e..6e2c5c77031f0 100644 +--- a/include/net/udp_tunnel.h ++++ b/include/net/udp_tunnel.h +@@ -47,7 +47,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, + static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, + struct socket **sockp) + { +- return 0; ++ return -EPFNOSUPPORT; + } + #endif + +-- +2.51.0 + diff --git a/queue-6.12/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch b/queue-6.12/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch new file mode 100644 index 0000000000..5d765e4d2c --- /dev/null +++ b/queue-6.12/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch 
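Review bot: The `CONFIG_IPV6=n` stub now fails with `-EPFNOSUPPORT` but still leaves `*sockp` untouched, so a caller that inspects the socket pointer rather than the return code would still see an uninitialized value; adding `*sockp = NULL;` before the return is cheap belt-and-braces, though whether the real udp_sock_create6() guarantees that on failure is not visible here. A short comment on the stub, e.g. `/* No IPv6 support built in: callers must treat this as a hard failure. */`, would also help readers who only see this header.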
@@ -0,0 +1,51 @@ +From 81bcecfece0af83f8a5326f8bbd4dd7a8531c057 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 21:36:59 +0530 +Subject: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down + +From: Peddolla Harshavardhan Reddy + +[ Upstream commit 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 ] + +When the nl80211 socket that originated a PMSR request is +closed, cfg80211_release_pmsr() sets the request's nl_portid +to zero and schedules pmsr_free_wk to process the abort +asynchronously. If the interface is concurrently torn down +before that work runs, cfg80211_pmsr_wdev_down() calls +cfg80211_pmsr_process_abort() directly. However, the already- +scheduled pmsr_free_wk work item remains pending and may run +after the interface has been removed from the driver. This +could cause the driver's abort_pmsr callback to operate on a +torn-down interface, leading to undefined behavior and +potential crashes. + +Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down() +before calling cfg80211_pmsr_process_abort(). This ensures any +pending or in-progress work is drained before interface teardown +proceeds, preventing the work from invoking the driver abort +callback after the interface is gone. + +Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API") +Signed-off-by: Peddolla Harshavardhan Reddy +Link: https://patch.msgid.link/20260305160712.1263829-3-peddolla.reddy@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/pmsr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c +index 0396fa19bdf19..d2b61b6ba58db 100644 +--- a/net/wireless/pmsr.c ++++ b/net/wireless/pmsr.c +@@ -647,6 +647,7 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev) + } + spin_unlock_bh(&wdev->pmsr_lock); + ++ cancel_work_sync(&wdev->pmsr_free_wk); + if (found) + cfg80211_pmsr_process_abort(wdev); + +-- +2.51.0 + 
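Review bot: The new `cancel_work_sync()` call deserves a comment explaining its placement, since it must sit after `spin_unlock_bh(&wdev->pmsr_lock)` (it can sleep) and before `cfg80211_pmsr_process_abort()` so that a pmsr_free_wk queued by cfg80211_release_pmsr() cannot run against a torn-down interface; suggest `/* Drain pmsr_free_wk (may sleep, so after pmsr_lock is dropped) before aborting, or it could call the driver's abort_pmsr on a removed wdev. */`. It also runs unconditionally even when `found` is false, which looks intentional because the work may have been scheduled regardless; that is worth stating in the same comment. cfg80211_pmsr_wdev_down() begins before the hunk.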
diff --git a/queue-6.12/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch b/queue-6.12/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch new file mode 100644 index 0000000000..a345d83246 --- /dev/null +++ b/queue-6.12/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch 
@@ -0,0 +1,81 @@ +From b907e6dc6112526633836dcb180a9bf02a49ede5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 20:42:44 -0700 +Subject: wifi: mac80211: fix NULL deref in mesh_matches_local() + +From: Xiang Mei + +[ Upstream commit c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd ] + +mesh_matches_local() unconditionally dereferences ie->mesh_config to +compare mesh configuration parameters. When called from +mesh_rx_csa_frame(), the parsed action-frame elements may not contain a +Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a +kernel NULL pointer dereference. + +The other two callers are already safe: + - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before + calling mesh_matches_local() + - mesh_plink_get_event() is only reached through + mesh_process_plink_frame(), which checks !elems->mesh_config, too + +mesh_rx_csa_frame() is the only caller that passes raw parsed elements +to mesh_matches_local() without guarding mesh_config. An adjacent +attacker can exploit this by sending a crafted CSA action frame that +includes a valid Mesh ID IE but omits the Mesh Configuration IE, +crashing the kernel. + +The captured crash log: + +Oops: general protection fault, probably for non-canonical address ... +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +Workqueue: events_unbound cfg80211_wiphy_work +[...] +Call Trace: + + ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65) + ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686) + [...] + ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802) + [...] + cfg80211_wiphy_work (net/wireless/core.c:426) + process_one_work (net/kernel/workqueue.c:3280) + ? assign_work (net/kernel/workqueue.c:1219) + worker_thread (net/kernel/workqueue.c:3352) + ? __pfx_worker_thread (net/kernel/workqueue.c:3385) + kthread (net/kernel/kthread.c:436) + [...] 
+ ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255) + + +This patch adds a NULL check for ie->mesh_config at the top of +mesh_matches_local() to return false early when the Mesh Configuration +IE is absent. + +Fixes: 2e3c8736820b ("mac80211: support functions for mesh") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260318034244.2595020-1-xmei5@asu.edu +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c +index 00bdf36e333e2..253f4b0642842 100644 +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -78,6 +78,9 @@ bool mesh_matches_local(struct ieee80211_sub_if_data *sdata, + * - MDA enabled + * - Power management control on fc + */ ++ if (!ie->mesh_config) ++ return false; ++ + if (!(ifmsh->mesh_id_len == ie->mesh_id_len && + memcmp(ifmsh->mesh_id, ie->mesh_id, ie->mesh_id_len) == 0 && + (ifmsh->mesh_pp_id == ie->mesh_config->meshconf_psel) && +-- +2.51.0 + diff --git a/queue-6.12/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch b/queue-6.12/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch new file mode 100644 index 0000000000..7f503653c7 --- /dev/null +++ b/queue-6.12/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch 
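Review bot: The new `if (!ie->mesh_config) return false;` sits after a comment that lists the matching criteria but gives no hint that the element can legitimately be absent, so a later reader may "simplify" it away; suggest `/* Action frames (e.g. CSA) need not carry a Mesh Configuration element; without it we cannot match, so treat it as a mismatch rather than dereference NULL. */` directly above the check. Since this is a callee-side guard for input arriving over the air, the existing caller-side `!elems->mesh_config` checks should be kept rather than removed as redundant. mesh_matches_local() begins before the hunk.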
@@ -0,0 +1,112 @@ +From 574490de9b78c0211a5c5636bfa907d18c33bc32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 07:24:02 +0000 +Subject: wifi: mac80211: Fix static_branch_dec() underflow for aql_disable. + +From: Kuniyuki Iwashima + +[ Upstream commit b94ae8e0d5fe1bdbbfdc3854ff6ce98f6876a828 ] + +syzbot reported static_branch_dec() underflow in aql_enable_write(). [0] + +The problem is that aql_enable_write() does not serialise concurrent +write()s to the debugfs. + +aql_enable_write() checks static_key_false(&aql_disable.key) and +later calls static_branch_inc() or static_branch_dec(), but the +state may change between the two calls. + +aql_disable does not need to track inc/dec. + +Let's use static_branch_enable() and static_branch_disable(). + +[0]: +val == 0 +WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288 +Modules linked in: +CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G U L syzkaller #0 PREEMPT(full) +Tainted: [U]=USER, [L]=SOFTLOCKUP +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 +RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311 +Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00 +RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4 +RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000 +RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a +R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98 +FS: 00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000200000001140 CR3: 
000000007cc4a000 CR4: 00000000003526f0 +Call Trace: + + __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline] + __static_key_slow_dec kernel/jump_label.c:321 [inline] + static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336 + aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343 + short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383 + vfs_write+0x2aa/0x1070 fs/read_write.c:684 + ksys_pwrite64 fs/read_write.c:793 [inline] + __do_sys_pwrite64 fs/read_write.c:801 [inline] + __se_sys_pwrite64 fs/read_write.c:798 [inline] + __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f530cf9aeb9 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012 +RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9 +RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010 +RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000 +R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978 + + +Fixes: e908435e402a ("mac80211: introduce aql_enable node in debugfs") +Reported-by: syzbot+feb9ce36a95341bb47a4@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/69a8979e.a70a0220.b118c.0025.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260306072405.3649474-1-kuniyu@google.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/debugfs.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c +index a0710ae0e7a49..e9b3b2c7b6faa 100644 +--- 
a/net/mac80211/debugfs.c ++++ b/net/mac80211/debugfs.c +@@ -327,7 +327,6 @@ static ssize_t aql_enable_read(struct file *file, char __user *user_buf, + static ssize_t aql_enable_write(struct file *file, const char __user *user_buf, + size_t count, loff_t *ppos) + { +- bool aql_disabled = static_key_false(&aql_disable.key); + char buf[3]; + size_t len; + +@@ -342,15 +341,12 @@ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf, + if (len > 0 && buf[len - 1] == '\n') + buf[len - 1] = 0; + +- if (buf[0] == '0' && buf[1] == '\0') { +- if (!aql_disabled) +- static_branch_inc(&aql_disable); +- } else if (buf[0] == '1' && buf[1] == '\0') { +- if (aql_disabled) +- static_branch_dec(&aql_disable); +- } else { ++ if (buf[0] == '0' && buf[1] == '\0') ++ static_branch_enable(&aql_disable); ++ else if (buf[0] == '1' && buf[1] == '\0') ++ static_branch_disable(&aql_disable); ++ else + return -EINVAL; +- } + + return count; + } +-- +2.51.0 + diff --git a/queue-6.12/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch b/queue-6.12/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch new file mode 100644 index 0000000000..c3cc26b70b --- /dev/null +++ b/queue-6.12/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch 
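Review bot: The rewritten branches would benefit from a comment stating why plain enable/disable replaced the read-then-inc/dec sequence, since the reason is a race between concurrent debugfs writers and is not obvious from the code; suggest `/* aql_disable is an on/off switch, not a refcount: enable/disable are idempotent, so racing writers cannot underflow it the way inc/dec could. */` above the `if`. aql_enable_write() begins before the hunk, and the `buf`/`len` parsing above the change is not shown in full.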
@@ -0,0 +1,54 @@ +From 97720bc9a80124b8777265df37d6324cde2c5434 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 23:46:36 -0700 +Subject: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not + enough headroom + +From: Guenter Roeck + +[ Upstream commit deb353d9bb009638b7762cae2d0b6e8fdbb41a69 ] + +Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom +before skb_push"), wl1271_tx_allocate() and with it +wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails. +However, in wlcore_tx_work_locked(), a return value of -EAGAIN from +wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being +full. This causes the code to flush the buffer, put the skb back at the +head of the queue, and immediately retry the same skb in a tight while +loop. + +Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens +immediately with GFP_ATOMIC, this will result in an infinite loop and a +CPU soft lockup. Return -ENOMEM instead so the packet is dropped and +the loop terminates. + +The problem was found by an experimental code review agent based on +gemini-3.1-pro while reviewing backports into v6.18.y. 
+ +Assisted-by: Gemini:gemini-3.1-pro +Fixes: e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push") +Cc: Peter Astrand +Signed-off-by: Guenter Roeck +Link: https://patch.msgid.link/20260318064636.3065925-1-linux@roeck-us.net +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wlcore/tx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c +index f251627c24c6e..3c0f8f3ba2668 100644 +--- a/drivers/net/wireless/ti/wlcore/tx.c ++++ b/drivers/net/wireless/ti/wlcore/tx.c +@@ -210,7 +210,7 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif, + if (skb_headroom(skb) < (total_len - skb->len) && + pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) { + wl1271_free_tx_id(wl, id); +- return -EAGAIN; ++ return -ENOMEM; + } + desc = skb_push(skb, total_len - skb->len); + +-- +2.51.0 + diff --git a/queue-6.18/acpi-processor-fix-previous-acpi_processor_errata_pi.patch b/queue-6.18/acpi-processor-fix-previous-acpi_processor_errata_pi.patch new file mode 100644 index 0000000000..2276cd363a --- /dev/null +++ b/queue-6.18/acpi-processor-fix-previous-acpi_processor_errata_pi.patch 
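Review bot: The new `return -ENOMEM;` in wl1271_tx_allocate has no comment saying why -EAGAIN is unsafe here, although the whole fix rests on the caller treating -EAGAIN as "aggregation buffer full" and retrying the same skb under wl->mutex. A one-liner would stop someone restoring it for consistency with other transient failures: `/* Not -EAGAIN: wlcore_tx_work_locked() would requeue and retry forever */`. The body of wl1271_tx_allocate starts outside the hunk, so whether other error paths in it still return -EAGAIN cannot be checked from here.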
@@ -0,0 +1,74 @@ +From 1f76543ea57b822bb65cfc084eb183a3ab3ef1fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 21:39:05 +0100 +Subject: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix + +From: Rafael J. Wysocki + +[ Upstream commit bf504b229cb8d534eccbaeaa23eba34c05131e25 ] + +After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference +in acpi_processor_errata_piix4()"), device pointers may be dereferenced +after dropping references to the device objects pointed to by them, +which may cause a use-after-free to occur. + +Moreover, debug messages about enabling the errata may be printed +if the errata flags corresponding to them are unset. + +Address all of these issues by moving message printing to the points +in the code where the errata flags are set. + +Fixes: f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()") +Reported-by: Guenter Roeck +Closes: https://lore.kernel.org/linux-acpi/938e2206-def5-4b7a-9b2c-d1fd37681d8a@roeck-us.net/ +Reviewed-by: Guenter Roeck +Signed-off-by: Rafael J. 
Wysocki +Link: https://patch.msgid.link/5975693.DvuYhMxLoT@rafael.j.wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_processor.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c +index 85096ce7b658b..5a562e27d3a80 100644 +--- a/drivers/acpi/acpi_processor.c ++++ b/drivers/acpi/acpi_processor.c +@@ -113,6 +113,10 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev) + PCI_ANY_ID, PCI_ANY_ID, NULL); + if (ide_dev) { + errata.piix4.bmisx = pci_resource_start(ide_dev, 4); ++ if (errata.piix4.bmisx) ++ dev_dbg(&ide_dev->dev, ++ "Bus master activity detection (BM-IDE) erratum enabled\n"); ++ + pci_dev_put(ide_dev); + } + +@@ -131,20 +135,17 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev) + if (isa_dev) { + pci_read_config_byte(isa_dev, 0x76, &value1); + pci_read_config_byte(isa_dev, 0x77, &value2); +- if ((value1 & 0x80) || (value2 & 0x80)) ++ if ((value1 & 0x80) || (value2 & 0x80)) { + errata.piix4.fdma = 1; ++ dev_dbg(&isa_dev->dev, ++ "Type-F DMA livelock erratum (C3 disabled)\n"); ++ } + pci_dev_put(isa_dev); + } + + break; + } + +- if (ide_dev) +- dev_dbg(&ide_dev->dev, "Bus master activity detection (BM-IDE) erratum enabled\n"); +- +- if (isa_dev) +- dev_dbg(&isa_dev->dev, "Type-F DMA livelock erratum (C3 disabled)\n"); +- + return 0; + } + +-- +2.51.0 + diff --git a/queue-6.18/acpica-update-the-format-of-arg3-of-_dsm.patch b/queue-6.18/acpica-update-the-format-of-arg3-of-_dsm.patch new file mode 100644 index 0000000000..f6113f64ad --- /dev/null +++ b/queue-6.18/acpica-update-the-format-of-arg3-of-_dsm.patch 
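Review bot: The two relocated dev_dbg() calls in acpi_processor_errata_piix4 now sit before their matching pci_dev_put(), which is exactly the ordering the previous fix broke, yet nothing in the code records that constraint. Suggest a short comment at the first one, e.g. `/* Log while the reference is still held; ide_dev is put below. */`, so a later cleanup does not drift the messages past the put again. The pci_read_config_byte() return values feeding value1/value2 remain unchecked, though that predates this change. The function starts outside the hunk.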
@@ -0,0 +1,37 @@ +From 6a18c7ba3f38826b8c8079e862a90af533b8968d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 20:34:49 +0100 +Subject: ACPICA: Update the format of Arg3 of _DSM + +From: Saket Dumbre + +[ Upstream commit ab93d7eee94205430fc3b0532557cb0494bf2faf ] + +To get rid of type incompatibility warnings in Linux. + +Fixes: 81f92cff6d42 ("ACPICA: ACPI_TYPE_ANY does not include the package type") +Link: https://github.com/acpica/acpica/commit/4fb74872dcec +Signed-off-by: Saket Dumbre +Signed-off-by: Rafael J. Wysocki +Link: https://patch.msgid.link/12856643.O9o76ZdvQC@rafael.j.wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/acpredef.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpica/acpredef.h b/drivers/acpi/acpica/acpredef.h +index da2c45880cc7e..c9e65c6a20690 100644 +--- a/drivers/acpi/acpica/acpredef.h ++++ b/drivers/acpi/acpica/acpredef.h +@@ -450,7 +450,7 @@ const union acpi_predefined_info acpi_gbl_predefined_methods[] = { + + {{"_DSM", + METHOD_4ARGS(ACPI_TYPE_BUFFER, ACPI_TYPE_INTEGER, ACPI_TYPE_INTEGER, +- ACPI_TYPE_ANY | ACPI_TYPE_PACKAGE) | ++ ACPI_TYPE_PACKAGE | ACPI_TYPE_ANY) | + ARG_COUNT_IS_MINIMUM, + METHOD_RETURNS(ACPI_RTYPE_ALL)}}, /* Must return a value, but it can be of any type */ + +-- +2.51.0 + diff --git a/queue-6.18/arm64-dts-renesas-r9a09g057-add-rtc-node.patch b/queue-6.18/arm64-dts-renesas-r9a09g057-add-rtc-node.patch new file mode 100644 index 0000000000..556b00b404 --- /dev/null +++ b/queue-6.18/arm64-dts-renesas-r9a09g057-add-rtc-node.patch 
@@ -0,0 +1,50 @@ +From d7ac5205375edfefa4ae842b6e4c16ee1f45050a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Nov 2025 21:07:05 +0000 +Subject: arm64: dts: renesas: r9a09g057: Add RTC node + +From: Ovidiu Panait + +[ Upstream commit cfc733da4e79018f88d8ac5f3a5306abbba8ef89 ] + +Add RTC node to Renesas RZ/V2H ("R9A09G057") SoC DTSI. + +Signed-off-by: Ovidiu Panait +Reviewed-by: Geert Uytterhoeven +Link: https://patch.msgid.link/20251107210706.45044-4-ovidiu.panait.rb@renesas.com +Signed-off-by: Geert Uytterhoeven +Stable-dep-of: a3f34651de42 ("arm64: dts: renesas: r9a09g057: Remove wdt{0,2,3} nodes") +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r9a09g057.dtsi | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi +index 630f7a98df386..f59c3040f536a 100644 +--- a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi ++++ b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi +@@ -586,6 +586,21 @@ wdt3: watchdog@13000400 { + status = "disabled"; + }; + ++ rtc: rtc@11c00800 { ++ compatible = "renesas,r9a09g057-rtca3", "renesas,rz-rtca3"; ++ reg = <0 0x11c00800 0 0x400>; ++ interrupts = , ++ , ++ ; ++ interrupt-names = "alarm", "period", "carry"; ++ clocks = <&cpg CPG_MOD 0x53>, <&rtxin_clk>; ++ clock-names = "bus", "counter"; ++ power-domains = <&cpg>; ++ resets = <&cpg 0x79>, <&cpg 0x7a>; ++ reset-names = "rtc", "rtest"; ++ status = "disabled"; ++ }; ++ + scif: serial@11c01400 { + compatible = "renesas,scif-r9a09g057"; + reg = <0 0x11c01400 0 0x400>; +-- +2.51.0 + diff --git a/queue-6.18/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch b/queue-6.18/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch new file mode 100644 index 0000000000..2d069e1381 --- /dev/null +++ b/queue-6.18/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch 
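Review bot: The added `interrupts` property in the rtc node appears on this page with three empty entries (`interrupts = , , ;`), most likely because the `<GIC_SPI ...>` specifiers were stripped as markup when the page was rendered, since `reg` and `clocks` cells survived. If the queued patch file itself lacks them the node will not compile, and the wdt-removal patch queued after it depends on this node, so it is worth comparing against upstream commit cfc733da4e79018f88d8ac5f3a5306abbba8ef89 before applying.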
@@ -0,0 +1,82 @@ +From 00ac1d07b536323be34132d39237adb39d91a285 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 12:42:46 +0000 +Subject: arm64: dts: renesas: r9a09g057: Remove wdt{0,2,3} nodes + +From: Fabrizio Castro + +[ Upstream commit a3f34651de4287138c0da19ba321ad72622b4af3 ] + +The HW user manual for the Renesas RZ/V2H(P) SoC (a.k.a r9a09g057) +states that only WDT1 is supposed to be accessed by the CA55 cores. +WDT0 is supposed to be used by the CM33 core, WDT2 is supposed +to be used by the CR8 core 0, and WDT3 is supposed to be used +by the CR8 core 1. + +Remove wdt{0,2,3} from the SoC specific device tree to make it +compliant with the specification from the HW manual. + +This change is harmless as there are currently no users of the +wdt{0,2,3} device tree nodes, only the wdt1 node is actually used. + +Fixes: 095105496e7d ("arm64: dts: renesas: r9a09g057: Add WDT0-WDT3 nodes") +Signed-off-by: Fabrizio Castro +Reviewed-by: Geert Uytterhoeven +Link: https://patch.msgid.link/20260203124247.7320-3-fabrizio.castro.jz@renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r9a09g057.dtsi | 30 ---------------------- + 1 file changed, 30 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi +index f59c3040f536a..100d5cab9b12f 100644 +--- a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi ++++ b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi +@@ -546,16 +546,6 @@ ostm7: timer@12c03000 { + status = "disabled"; + }; + +- wdt0: watchdog@11c00400 { +- compatible = "renesas,r9a09g057-wdt"; +- reg = <0 0x11c00400 0 0x400>; +- clocks = <&cpg CPG_MOD 0x4b>, <&cpg CPG_MOD 0x4c>; +- clock-names = "pclk", "oscclk"; +- resets = <&cpg 0x75>; +- power-domains = <&cpg>; +- status = "disabled"; +- }; +- + wdt1: watchdog@14400000 { + compatible = "renesas,r9a09g057-wdt"; + reg = <0 0x14400000 0 0x400>; +@@ -566,26 +556,6 @@ wdt1: watchdog@14400000 { + 
status = "disabled"; + }; + +- wdt2: watchdog@13000000 { +- compatible = "renesas,r9a09g057-wdt"; +- reg = <0 0x13000000 0 0x400>; +- clocks = <&cpg CPG_MOD 0x4f>, <&cpg CPG_MOD 0x50>; +- clock-names = "pclk", "oscclk"; +- resets = <&cpg 0x77>; +- power-domains = <&cpg>; +- status = "disabled"; +- }; +- +- wdt3: watchdog@13000400 { +- compatible = "renesas,r9a09g057-wdt"; +- reg = <0 0x13000400 0 0x400>; +- clocks = <&cpg CPG_MOD 0x51>, <&cpg CPG_MOD 0x52>; +- clock-names = "pclk", "oscclk"; +- resets = <&cpg 0x78>; +- power-domains = <&cpg>; +- status = "disabled"; +- }; +- + rtc: rtc@11c00800 { + compatible = "renesas,r9a09g057-rtca3", "renesas,rz-rtca3"; + reg = <0 0x11c00800 0 0x400>; +-- +2.51.0 + diff --git a/queue-6.18/arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch b/queue-6.18/arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch new file mode 100644 index 0000000000..9b57acd942 --- /dev/null +++ b/queue-6.18/arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch 
@@ -0,0 +1,42 @@ +From 30b7c09897af635090aacff2a7b8ef762790389f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Feb 2026 13:17:41 +0000 +Subject: arm64: dts: renesas: r9a09g077: Fix CPG register region sizes + +From: Lad Prabhakar + +[ Upstream commit b12985ceca18bcf67f176883175d544daad5e00e ] + +The CPG register regions were incorrectly sized. Update them to match +the actual hardware specification: + - First region (0x80280000): 0x1000 -> 0x10000 (64kiB) + - Second region (0x81280000): 0x9000 -> 0x10000 (64kiB) + +Fixes: d17b34744f5e4 ("arm64: dts: renesas: Add initial support for the Renesas RZ/T2H SoC") +Signed-off-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://patch.msgid.link/20260213131742.3606334-2-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r9a09g077.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/r9a09g077.dtsi b/arch/arm64/boot/dts/renesas/r9a09g077.dtsi +index 7f1aca218c9fb..06aae2c635676 100644 +--- a/arch/arm64/boot/dts/renesas/r9a09g077.dtsi ++++ b/arch/arm64/boot/dts/renesas/r9a09g077.dtsi +@@ -267,8 +267,8 @@ i2c2: i2c@81008000 { + + cpg: clock-controller@80280000 { + compatible = "renesas,r9a09g077-cpg-mssr"; +- reg = <0 0x80280000 0 0x1000>, +- <0 0x81280000 0 0x9000>; ++ reg = <0 0x80280000 0 0x10000>, ++ <0 0x81280000 0 0x10000>; + clocks = <&extal_clk>; + clock-names = "extal"; + #clock-cells = <2>; +-- +2.51.0 + diff --git a/queue-6.18/arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch b/queue-6.18/arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch new file mode 100644 index 0000000000..456df74ef7 --- /dev/null +++ b/queue-6.18/arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch 
@@ -0,0 +1,42 @@ +From 83e6fd0b7a6d6b50431733144e43c663702742e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Feb 2026 13:17:42 +0000 +Subject: arm64: dts: renesas: r9a09g087: Fix CPG register region sizes + +From: Lad Prabhakar + +[ Upstream commit f459672cf3ffd3c062973838951418271aa2ceef ] + +The CPG register regions were incorrectly sized. Update them to match +the actual hardware specification: + - First region (0x80280000): 0x1000 -> 0x10000 (64kiB) + - Second region (0x81280000): 0x9000 -> 0x10000 (64kiB) + +Fixes: 4b3d31f0b81fe ("arm64: dts: renesas: Add initial SoC DTSI for the RZ/N2H SoC") +Signed-off-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://patch.msgid.link/20260213131742.3606334-3-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r9a09g087.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/r9a09g087.dtsi b/arch/arm64/boot/dts/renesas/r9a09g087.dtsi +index f06c19c73adb8..6dd80fa2755e8 100644 +--- a/arch/arm64/boot/dts/renesas/r9a09g087.dtsi ++++ b/arch/arm64/boot/dts/renesas/r9a09g087.dtsi +@@ -267,8 +267,8 @@ i2c2: i2c@81008000 { + + cpg: clock-controller@80280000 { + compatible = "renesas,r9a09g087-cpg-mssr"; +- reg = <0 0x80280000 0 0x1000>, +- <0 0x81280000 0 0x9000>; ++ reg = <0 0x80280000 0 0x10000>, ++ <0 0x81280000 0 0x10000>; + clocks = <&extal_clk>; + clock-names = "extal"; + #clock-cells = <2>; +-- +2.51.0 + diff --git a/queue-6.18/arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch b/queue-6.18/arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch new file mode 100644 index 0000000000..96ac112a8c --- /dev/null +++ b/queue-6.18/arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch 
@@ -0,0 +1,73 @@ +From 94102eea0426d7d043071e9a8d2ca9afaaa95786 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Mar 2026 15:57:03 +0200 +Subject: arm64: dts: renesas: rzg3s-smarc-som: Set bypass for Versa3 PLL2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Claudiu Beznea + +[ Upstream commit 6dcbb6f070cccabc6a13d640a5a84de581fdd761 ] + +The default settings for the Versa3 device on the Renesas RZ/G3S SMARC +SoM board have PLL2 disabled. PLL2 was later enabled together with audio +support, as it is required to support both 44.1 kHz and 48 kHz audio. + +With PLL2 enabled, it was observed that Linux occasionally either hangs +during boot (the last log message being related to the I2C probe) or +randomly crashes. This was mainly reproducible on cold boots. During +debugging, it was also noticed that the Unicode replacement character (�) +sometimes appears on the serial console. Further investigation traced this +to the configuration applied through the Versa3 register at offset 0x1c, +which controls PLL enablement. + +The appearance of the Unicode replacement character suggested an issue +with the SoC reference clock. The RZ/G3S reference clock is provided by +the Versa3 clock generator (REF output). + +After checking with the Renesas Versa3 hardware team, it was found that +this is related to the PLL2 lock bit being set through the +renesas,settings DT property. + +The PLL lock bit must be set to avoid unstable clock output from the PLL. +However, due to the Versa3 hardware design, when a PLL lock bit is set, +all outputs (including the REF clock) are temporarily disabled until the +configured PLLs become stable. + +As an alternative, the bypass bit can be used. This does not interrupt the +PLL2 output or any other Versa3 outputs, but it may result in temporary +instability on PLL2 output while the configuration is applied. 
Since PLL2 +feeds only the audio path and audio is not used during early boot, this is +acceptable and does not affect system boot. + +Drop the PLL2 lock bit and set the bypass bit instead. + +This has been tested with more than 1000 cold boots. + +Fixes: a94253232b04 ("arm64: dts: renesas: rzg3s-smarc-som: Add versa3 clock generator node") +Signed-off-by: Claudiu Beznea +Reviewed-by: Geert Uytterhoeven +Link: https://patch.msgid.link/20260302135703.162601-1-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi b/arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi +index 39845faec8943..a5d4d70e83c90 100644 +--- a/arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi ++++ b/arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi +@@ -166,7 +166,7 @@ versa3: clock-generator@68 { + <100000000>; + renesas,settings = [ + 80 00 11 19 4c 42 dc 2f 06 7d 20 1a 5f 1e f2 27 +- 00 40 00 00 00 00 00 00 06 0c 19 02 3f f0 90 86 ++ 00 40 00 00 00 00 00 00 06 0c 19 02 3b f0 90 86 + a0 80 30 30 9c + ]; + }; +-- +2.51.0 + diff --git a/queue-6.18/arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch b/queue-6.18/arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch new file mode 100644 index 0000000000..04a1ce5bae --- /dev/null +++ b/queue-6.18/arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch 
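Review bot: The `renesas,settings` array is a bare hex blob, so the change of byte 0x1c from 3f to 3b, which the message ties to the PLL2 lock/bypass bits, leaves no trace in the source of what was chosen deliberately. A comment above the array, e.g. `/* byte 0x1c: PLL2 bypass, not lock - lock drops REF output until PLLs settle */`, would keep a later contributor from restoring the lock bit. The message says the lock bit is dropped and the bypass bit set, yet only one bit differs between 3f and 3b; confirming that a single bit covers both is worthwhile.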
@@ -0,0 +1,53 @@ +From 45a80b0047e09fac2f5c633d7e36abf82403a418 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jan 2026 22:59:54 +0000 +Subject: arm64: dts: renesas: rzt2h-n2h-evk: Add ramp delay for SD0 card + regulator + +From: Lad Prabhakar + +[ Upstream commit bb70589b67039e491dd60cf71272884e926a0f95 ] + +Add a ramp delay of 60 uV/us to the vqmmc_sdhi0 voltage regulator to +fix UHS-I SD card detection failures. + +Measurements on CN78 pin 4 showed the actual voltage ramp time to be +21.86ms when switching between 3.3V and 1.8V. A 25ms ramp delay has +been configured to provide adequate margin. The calculation is based +on the voltage delta of 1.5V (3.3V - 1.8V): + 1500000 uV / 60 uV/us = 25000 us (25ms) + +Prior to this patch, UHS-I cards failed to initialize with: + + mmc0: error -110 whilst initialising SD card + +After this patch, UHS-I cards are properly detected on SD0: + + mmc0: new UHS-I speed SDR104 SDXC card at address aaaa + mmcblk0: mmc0:aaaa SR64G 59.5 GiB + +Fixes: d065453e5ee09 ("arm64: dts: renesas: rzt2h-rzn2h-evk: Enable SD card slot") +Signed-off-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://patch.msgid.link/20260123225957.1007089-2-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi b/arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi +index 5384a43837c1d..9c6f712a62eff 100644 +--- a/arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi ++++ b/arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi +@@ -49,6 +49,7 @@ vqmmc_sdhi0: regulator-vqmmc-sdhi0 { + regulator-max-microvolt = <3300000>; + gpios-states = <0>; + states = <3300000 0>, <1800000 1>; ++ regulator-ramp-delay = <60>; + }; + #endif + +-- +2.51.0 + 
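Review bot: `regulator-ramp-delay = <60>;` is a measured value (about 25 ms over the 1.5 V swing) but the DTS gives no hint of that, and the rzv2-evk-cn15-sd.dtso hunk further down adds the same bare number. A short comment beside the property, e.g. `/* ~25 ms for 3.3 V <-> 1.8 V, measured on CN78 pin 4 */`, would make the figure reviewable later. The regulator node starts outside the hunk.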
diff --git a/queue-6.18/arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch b/queue-6.18/arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch new file mode 100644 index 0000000000..85e9f0ee69 --- /dev/null +++ b/queue-6.18/arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch 
@@ -0,0 +1,53 @@ +From b0359a7ff4679addf64e49ed26a8f8deaae5f10c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jan 2026 22:59:57 +0000 +Subject: arm64: dts: renesas: rzv2-evk-cn15-sd: Add ramp delay for SD0 + regulator + +From: Lad Prabhakar + +[ Upstream commit 5c03465ecf6a56b7b261df9594f0e10612f53a50 ] + +Set an appropriate ramp delay for the SD0 I/O voltage regulator in the +CN15 SD overlay to make UHS-I voltage switching reliable during card +initialization. + +This issue was observed on the RZ/V2H EVK, while the same UHS-I cards +worked on the RZ/V2N EVK without problems. Adding the ramp delay makes +the behavior consistent and avoids SD init timeouts. + +Before this change SD0 could fail with: + + mmc0: error -110 whilst initialising SD card + +With the delay in place UHS-I cards enumerate correctly: + + mmc0: new UHS-I speed SDR104 SDXC card at address aaaa + mmcblk0: mmc0:aaaa SR64G 59.5 GiB + mmcblk0: p1 + +Fixes: 3d6c2bc7629c8 ("arm64: dts: renesas: Add CN15 eMMC and SD overlays for RZ/V2H and RZ/V2N EVKs") +Signed-off-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://patch.msgid.link/20260123225957.1007089-5-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso b/arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso +index 0af1e0a6c7f48..fc53c1aae3b52 100644 +--- a/arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso ++++ b/arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso +@@ -25,6 +25,7 @@ + regulator-max-microvolt = <3300000>; + gpios-states = <0>; + states = <3300000 0>, <1800000 1>; ++ regulator-ramp-delay = <60>; + }; + }; + +-- +2.51.0 + 
diff --git a/queue-6.18/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch b/queue-6.18/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch new file mode 100644 index 0000000000..1bb4f055bc --- /dev/null +++ b/queue-6.18/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch 
@@ -0,0 +1,52 @@ +From c7a0623f85282d5d7c57c3da9cf5c78bc2c44d3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 14:50:52 +0100 +Subject: Bluetooth: hci_sync: Fix hci_le_create_conn_sync + +From: Michael Grzeschik + +[ Upstream commit 2cabe7ff1001b7a197009cf50ba71701f9cbd354 ] + +While introducing hci_le_create_conn_sync the functionality +of hci_connect_le was ported to hci_le_create_conn_sync including +the disable of the scan before starting the connection. + +When this code was run non synchronously the immediate call that was +setting the flag HCI_LE_SCAN_INTERRUPTED had an impact. Since the +completion handler for the LE_SCAN_DISABLE was not immediately called. +In the completion handler of the LE_SCAN_DISABLE event, this flag is +checked to set the state of the hdev to DISCOVERY_STOPPED. + +With the synchronised approach the later setting of the +HCI_LE_SCAN_INTERRUPTED flag has not the same effect. The completion +handler would immediately fire in the LE_SCAN_DISABLE call, check for +the flag, which is then not yet set and do nothing. + +To fix this issue and make the function call work as before, we move the +setting of the flag HCI_LE_SCAN_INTERRUPTED before disabling the scan. + +Fixes: 8e8b92ee60de ("Bluetooth: hci_sync: Add hci_le_create_conn_sync") +Signed-off-by: Michael Grzeschik +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 9f01837250a5e..e94b62844e1ef 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -6578,8 +6578,8 @@ static int hci_le_create_conn_sync(struct hci_dev *hdev, void *data) + * state. 
+ */ + if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) { +- hci_scan_disable_sync(hdev); + hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED); ++ hci_scan_disable_sync(hdev); + } + + /* Update random address, but set require_privacy to false so +-- +2.51.0 + diff --git a/queue-6.18/bluetooth-hidp-fix-possible-uaf.patch b/queue-6.18/bluetooth-hidp-fix-possible-uaf.patch new file mode 100644 index 0000000000..9f3b2b063d --- /dev/null +++ b/queue-6.18/bluetooth-hidp-fix-possible-uaf.patch 
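Review bot: The reordering in hci_le_create_conn_sync is correct only because the scan-disable completion now runs synchronously inside hci_scan_disable_sync(), and that dependency is not stated next to the code. Suggest `/* Set before disabling: the disable completion checks this flag synchronously */` above `hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);`, since the comment preceding the if (only its tail `* state.` is visible) appears to describe the earlier sequencing. The return value of hci_scan_disable_sync() is still ignored here, which predates the change. The function starts and ends outside the hunk.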
@@ -0,0 +1,237 @@ +From 2ef9bdb491152283baf4f099110c78148b6cc953 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 10:17:47 -0500 +Subject: Bluetooth: HIDP: Fix possible UAF + +From: Luiz Augusto von Dentz + +[ Upstream commit dbf666e4fc9bdd975a61bf682b3f75cb0145eedd ] + +This fixes the following trace caused by not dropping l2cap_conn +reference when user->remove callback is called: + +[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00 +[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 97.809947] Call Trace: +[ 97.809954] +[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122) +[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808) +[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798) +[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1)) +[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341) +[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2)) +[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360) +[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285) +[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5)) +[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810290] ? 
rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752) +[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716) +[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691) +[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678) +[ 97.810404] __fput (fs/file_table.c:470) +[ 97.810430] task_work_run (kernel/task_work.c:235) +[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201) +[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5)) +[ 97.810527] do_exit (kernel/exit.c:972) +[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897) +[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6)) +[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4)) +[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 97.810721] do_group_exit (kernel/exit.c:1093) +[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1)) +[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366) +[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810826] ? vfs_read (fs/read_write.c:555) +[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800) +[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810905] ? 
__pfx_vfs_read (fs/read_write.c:555) +[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810960] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1)) +[ 97.810990] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334) +[ 97.811021] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811055] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811078] ? ksys_read (fs/read_write.c:707) +[ 97.811106] ? __pfx_ksys_read (fs/read_write.c:707) +[ 97.811137] exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98) +[ 97.811169] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752) +[ 97.811192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811215] ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33)) +[ 97.811240] do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100) +[ 97.811268] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811292] ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3)) +[ 97.811318] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +[ 97.811338] RIP: 0033:0x445cfe +[ 97.811352] Code: Unable to access opcode bytes at 0x445cd4. 
+ +Code starting with the faulting instruction +=========================================== +[ 97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 +[ 97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe +[ 97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004 +[ 97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000 +[ 97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8 +[ 97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0 +[ 97.811453] +[ 98.402453] ================================================================== +[ 98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430 +[ 98.405361] +[ 98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 98.405600] Call Trace: +[ 98.405607] +[ 98.405614] dump_stack_lvl (lib/dump_stack.c:122) +[ 98.405641] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) +[ 98.405667] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.405691] ? __virt_addr_valid (arch/x86/mm/physaddr.c:55) +[ 98.405724] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405748] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597) +[ 98.405778] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405807] __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405832] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4)) +[ 98.405859] ? 
l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.405888] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114) +[ 98.405915] ? __pfx___mutex_lock (kernel/locking/mutex.c:775) +[ 98.405939] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.405963] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6)) +[ 98.405984] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.406015] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406038] ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875) +[ 98.406061] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406085] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194) +[ 98.406107] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406130] ? __timer_delete_sync (kernel/time/timer.c:1592) +[ 98.406158] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.406186] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406210] l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.406263] hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305) +[ 98.406293] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.406323] ? kthread (kernel/kthread.c:433) +[ 98.406340] ? 
__pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.406370] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406393] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.406424] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.406453] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406476] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1)) +[ 98.406499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406523] ? kthread (kernel/kthread.c:433) +[ 98.406539] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406565] ? kthread (kernel/kthread.c:433) +[ 98.406581] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.406610] kthread (kernel/kthread.c:467) +[ 98.406627] ? __pfx_kthread (kernel/kthread.c:412) +[ 98.406645] ret_from_fork (arch/x86/kernel/process.c:164) +[ 98.406674] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153) +[ 98.406704] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406728] ? 
__pfx_kthread (kernel/kthread.c:412) +[ 98.406747] ret_from_fork_asm (arch/x86/entry/entry_64.S:258) +[ 98.406774] +[ 98.406780] +[ 98.433693] The buggy address belongs to the physical page: +[ 98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4 +[ 98.435557] flags: 0x200000000000000(node=0|zone=2) +[ 98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000 +[ 98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000 +[ 98.438115] page dumped because: kasan: bad access detected +[ 98.438951] +[ 98.439211] Memory state around the buggy address: +[ 98.439871] ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 98.440714] ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.442458] ^ +[ 98.443011] ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.443889] ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.444768] ================================================================== +[ 98.445719] Disabling lock debugging due to kernel taint +[ 98.448074] l2cap_conn_free: freeing conn ffff88810c22b400 +[ 98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G B 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 98.450040] Tainted: [B]=BAD_PAGE +[ 98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 98.450059] Call Trace: +[ 98.450065] +[ 98.450071] dump_stack_lvl (lib/dump_stack.c:122) +[ 98.450099] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808) +[ 98.450125] l2cap_conn_put (net/bluetooth/l2cap_core.c:1822) +[ 98.450154] session_free (net/bluetooth/hidp/core.c:990) +[ 98.450181] hidp_session_thread (net/bluetooth/hidp/core.c:1307) +[ 98.450213] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.450271] ? 
kthread (kernel/kthread.c:433) +[ 98.450293] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.450339] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450368] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.450406] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.450442] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450471] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1)) +[ 98.450499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450528] ? kthread (kernel/kthread.c:433) +[ 98.450547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450578] ? kthread (kernel/kthread.c:433) +[ 98.450598] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.450637] kthread (kernel/kthread.c:467) +[ 98.450657] ? __pfx_kthread (kernel/kthread.c:412) +[ 98.450680] ret_from_fork (arch/x86/kernel/process.c:164) +[ 98.450715] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153) +[ 98.450752] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450782] ? 
__pfx_kthread (kernel/kthread.c:412)
+[ 98.450804] ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
+[ 98.450836]
+
+Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers")
+Reported-by: soufiane el hachmi
+Tested-by: soufiane el hachmi
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hidp/core.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index 6724adce615b6..e0e4003815500 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -986,7 +986,8 @@ static void session_free(struct kref *ref)
+ skb_queue_purge(&session->intr_transmit);
+ fput(session->intr_sock->file);
+ fput(session->ctrl_sock->file);
+- l2cap_conn_put(session->conn);
++ if (session->conn)
++ l2cap_conn_put(session->conn);
+ kfree(session);
+ }
+
+@@ -1164,6 +1165,15 @@ static void hidp_session_remove(struct l2cap_conn *conn,
+
+ down_write(&hidp_session_sem);
+
++ /* Drop L2CAP reference immediately to indicate that
++ * l2cap_unregister_user() shall not be called as it is already
++ * considered removed.
++ */
++ if (session->conn) {
++ l2cap_conn_put(session->conn);
++ session->conn = NULL;
++ }
++
+ hidp_session_terminate(session);
+
+ cancel_work_sync(&session->dev_init);
+@@ -1301,7 +1311,9 @@ static int hidp_session_thread(void *arg)
+ * Instead, this call has the same semantics as if user-space tried to
+ * delete the session.
+ */
+- l2cap_unregister_user(session->conn, &session->user);
++ if (session->conn)
++ l2cap_unregister_user(session->conn, &session->user);
++
+ hidp_session_put(session);
+
+ module_put_and_kthread_exit(0);
+--
+2.51.0
+
diff --git a/queue-6.18/bluetooth-iso-fix-defer-tests-being-unstable.patch b/queue-6.18/bluetooth-iso-fix-defer-tests-being-unstable.patch
new file mode 100644
index 0000000000..7ca5306689
--- /dev/null
+++ b/queue-6.18/bluetooth-iso-fix-defer-tests-being-unstable.patch
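Review bot: The new `if (session->conn)` test in hidp_session_thread reads session->conn with no lock visible in the hunk, while hidp_session_remove clears the same field under `down_write(&hidp_session_sem)`; unless something outside the hunk orders the two, the thread can see a non-NULL conn, lose the race to remove() dropping the reference and NULLing the pointer, and still call l2cap_unregister_user on a connection whose reference was just released. A comment stating what serializes this check against hidp_session_remove, or taking `down_read(&hidp_session_sem)` around the test and the call, would settle it. The session_free check looks safe on its own since it runs from the kref release, but the same `if (session->conn)` shape there hides the ownership rule, so the comment added in hidp_session_remove is the right place to say that a NULL conn means "already unregistered". All three functions extend beyond their hunks.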
@@ -0,0 +1,49 @@
+From 624f1e5274df5f56747ac0600d1f793fe2b7c50c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 27 Feb 2026 15:23:01 -0500
+Subject: Bluetooth: ISO: Fix defer tests being unstable
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit 62bcaa6b351b6dc400f6c6b83762001fd9f5c12d ]
+
+iso-tester defer tests seem to fail with hci_conn_hash_lookup_cig
+being unable to resolve a cig in set_cig_params_sync due a race
+where it is run immediatelly before hci_bind_cis is able to set
+the QoS settings into the hci_conn object.
+
+So this moves the assigning of the QoS settings to be done directly
+by hci_le_set_cig_params to prevent that from happening again.
+
+Fixes: 26afbd826ee3 ("Bluetooth: Add initial implementation of CIS connections")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_conn.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 6a27ac5a751ca..8906526ff32c5 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1927,6 +1927,8 @@ static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
+ return false;
+
+ done:
++ conn->iso_qos = *qos;
++
+ if (hci_cmd_sync_queue(hdev, set_cig_params_sync,
+ UINT_PTR(qos->ucast.cig), NULL) < 0)
+ return false;
+@@ -1996,8 +1998,6 @@ struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
+ }
+
+ hci_conn_hold(cis);
+-
+- cis->iso_qos = *qos;
+ cis->state = BT_BOUND;
+
+ return cis;
+--
+2.51.0
+
diff --git a/queue-6.18/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch b/queue-6.18/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch
new file mode 100644
index 0000000000..1f69031ba0
--- /dev/null
+++ b/queue-6.18/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch
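Review bot: `conn->iso_qos = *qos;` at the `done:` label now runs before `hci_cmd_sync_queue()`, so when queueing fails and hci_le_set_cig_params returns false the connection already carries the new QoS, whereas before this patch hci_bind_cis only copied it after a successful return. If a caller can retry with different parameters or inspects conn->iso_qos after a failure, the copy should be restored on the error path or a comment should state why a stale copy on the failed connection is acceptable, e.g. `/* iso_qos must be visible before set_cig_params_sync runs; harmless if queueing fails because the conn is torn down */` if that is indeed the case. Both hci_le_set_cig_params and hci_bind_cis extend outside their hunks.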
@@ -0,0 +1,90 @@
+From 41954a6dc3673898ea021d494c390ab64509eb50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Nov 2025 23:50:16 +0530
+Subject: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
+
+From: Shaurya Rane
+
+[ Upstream commit 752a6c9596dd25efd6978a73ff21f3b592668f4a ]
+
+After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in
+hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to
+conn->users. However, l2cap_register_user() and l2cap_unregister_user()
+don't use conn->lock, creating a race condition where these functions can
+access conn->users and conn->hchan concurrently with l2cap_conn_del().
+
+This can lead to use-after-free and list corruption bugs, as reported
+by syzbot.
+
+Fix this by changing l2cap_register_user() and l2cap_unregister_user()
+to use conn->lock instead of hci_dev_lock(), ensuring consistent locking
+for the l2cap_conn structure.
+
+Reported-by: syzbot+14b6d57fb728e27ce23c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=14b6d57fb728e27ce23c
+Fixes: ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del")
+Signed-off-by: Shaurya Rane
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_core.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 05acc2e98f58f..9ea030fc9a9cc 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -1686,17 +1686,15 @@ static void l2cap_info_timeout(struct work_struct *work)
+
+ int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
+ {
+- struct hci_dev *hdev = conn->hcon->hdev;
+ int ret;
+
+ /* We need to check whether l2cap_conn is registered. If it is not, we
+- * must not register the l2cap_user. l2cap_conn_del() is unregisters
+- * l2cap_conn objects, but doesn't provide its own locking. Instead, it
+- relies on the parent hci_conn object to be locked. This itself relies
+- on the hci_dev object to be locked. So we must lock the hci device
+- here, too. */
++ * must not register the l2cap_user. l2cap_conn_del() unregisters
++ * l2cap_conn objects under conn->lock, and we use the same lock here
++ * to protect access to conn->users and conn->hchan.
++ */
+
+- hci_dev_lock(hdev);
++ mutex_lock(&conn->lock);
+
+ if (!list_empty(&user->list)) {
+ ret = -EINVAL;
+@@ -1717,16 +1715,14 @@ int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
+ ret = 0;
+
+ out_unlock:
+- hci_dev_unlock(hdev);
++ mutex_unlock(&conn->lock);
+ return ret;
+ }
+ EXPORT_SYMBOL(l2cap_register_user);
+
+ void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
+ {
+- struct hci_dev *hdev = conn->hcon->hdev;
+-
+- hci_dev_lock(hdev);
++ mutex_lock(&conn->lock);
+
+ if (list_empty(&user->list))
+ goto out_unlock;
+@@ -1735,7 +1731,7 @@ void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
+ user->remove(conn, user);
+
+ out_unlock:
+- hci_dev_unlock(hdev);
++ mutex_unlock(&conn->lock);
+ }
+ EXPORT_SYMBOL(l2cap_unregister_user);
+
+--
+2.51.0
+
diff --git a/queue-6.18/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch b/queue-6.18/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
new file mode 100644
index 0000000000..6b259802c4
--- /dev/null
+++ b/queue-6.18/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
@@ -0,0 +1,55 @@
+From 758b13d8aee8ac360d82d6efa58df92e10d86aa8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Feb 2026 18:07:25 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
+
+From: Christian Eggers
+
+[ Upstream commit e1d9a66889867c232657a9b6f25d451d7c3ab96f ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"If the SDU length field value exceeds the receiver's MTU, the receiver
+shall disconnect the channel..."
+
+This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P
+0x0027 -V le_public -I 100').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 319c87bd795d5..1618fe98dce71 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -6654,8 +6654,10 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+ return -ENOBUFS;
+ }
+
+- if (chan->imtu < skb->len) {
+- BT_ERR("Too big LE L2CAP PDU");
++ if (skb->len > chan->imtu) {
++ BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len,
++ chan->imtu);
++ l2cap_send_disconn_req(chan, ECONNRESET);
+ return -ENOBUFS;
+ }
+
+@@ -6681,7 +6683,9 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+ sdu_len, skb->len, chan->imtu);
+
+ if (sdu_len > chan->imtu) {
+- BT_ERR("Too big LE L2CAP SDU length received");
++ BT_ERR("Too big LE L2CAP SDU length: len %u > %u",
++ skb->len, sdu_len);
++ l2cap_send_disconn_req(chan, ECONNRESET);
+ err = -EMSGSIZE;
+ goto failed;
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch b/queue-6.18/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
new file mode 100644
index 0000000000..c77590122c
--- /dev/null
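Review bot: The second new BT_ERR does not match its condition: the test is `sdu_len > chan->imtu`, but the message prints `skb->len, sdu_len`, so the log reports the PDU length against the SDU length instead of the SDU length against the MTU that actually triggered the disconnect. It should be `BT_ERR("Too big LE L2CAP SDU length: len %u > %u", sdu_len, chan->imtu);`, mirroring the PDU message in the first hunk, which prints the two operands of its own comparison. l2cap_ecred_data_rcv continues outside both hunks.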
+++ b/queue-6.18/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
@@ -0,0 +1,39 @@
+From f74fefa1af48f9410a9bedfded7158c3e442aa49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Feb 2026 18:07:27 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
+
+From: Christian Eggers
+
+[ Upstream commit b6a2bf43aa37670432843bc73ae2a6288ba4d6f8 ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"... If the sum of the payload sizes for the K-frames exceeds the
+specified SDU length, the receiver shall disconnect the channel."
+
+This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
+0x0027 -V le_public').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 1618fe98dce71..05acc2e98f58f 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -6721,6 +6721,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+
+ if (chan->sdu->len + skb->len > chan->sdu_len) {
+ BT_ERR("Too much LE L2CAP data received");
++ l2cap_send_disconn_req(chan, ECONNRESET);
+ err = -EINVAL;
+ goto failed;
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch b/queue-6.18/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch
new file mode 100644
index 0000000000..3632912ba4
--- /dev/null
+++ b/queue-6.18/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch
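Review bot: The BT_ERR on the line above the new l2cap_send_disconn_req() call still logs no sizes, while the two sibling "Too big" messages in the preceding patch for the same function were extended to print both operands; a disconnect that now tears down the channel should be as diagnosable as those, e.g. `BT_ERR("Too much LE L2CAP data received: %u + %u > %u", chan->sdu->len, skb->len, chan->sdu_len);`. This path also returns -EINVAL where the other two disconnecting paths return -ENOBUFS and -EMSGSIZE; if the caller treats the three alike that is fine, but a short comment saying so would stop a reader from wondering whether the difference is intentional. l2cap_ecred_data_rcv continues outside the hunk.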
@@ -0,0 +1,67 @@
+From 609ae8c9a22d8c300ba76dac9f27f890be94f660 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 27 Feb 2026 11:03:39 +0000
+Subject: Bluetooth: MGMT: Fix list corruption and UAF in command complete
+ handlers
+
+From: Wang Tao
+
+[ Upstream commit 17f89341cb4281d1da0e2fb0de5406ab7c4e25ef ]
+
+Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced
+mgmt_pending_valid(), which not only validates the pending command but
+also unlinks it from the pending list if it is valid. This change in
+semantics requires updates to several completion handlers to avoid list
+corruption and memory safety issues.
+
+This patch addresses two left-over issues from the aforementioned rework:
+
+1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()
+is replaced with mgmt_pending_free() in the success path. Since
+mgmt_pending_valid() already unlinks the command at the beginning of
+the function, calling mgmt_pending_remove() leads to a double list_del()
+and subsequent list corruption/kernel panic.
+
+2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error
+path is removed. Since the current command is already unlinked by
+mgmt_pending_valid(), this foreach loop would incorrectly target other
+pending mesh commands, potentially freeing them while they are still being
+processed concurrently (leading to UAFs). The redundant mgmt_cmd_status()
+is also simplified to use cmd->opcode directly.
+
+Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs")
+Signed-off-by: Wang Tao
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/mgmt.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index ee2dd26b1b82b..1a270f0b17d9e 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -2183,10 +2183,7 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
+ sk = cmd->sk;
+
+ if (status) {
+- mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
+- status);
+- mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true,
+- cmd_status_rsp, &status);
++ mgmt_cmd_status(cmd->sk, hdev->id, cmd->opcode, status);
+ goto done;
+ }
+
+@@ -5295,7 +5292,7 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
+
+ mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
+ mgmt_status(status), &rp, sizeof(rp));
+- mgmt_pending_remove(cmd);
++ mgmt_pending_free(cmd);
+
+ hci_dev_unlock(hdev);
+ bt_dev_dbg(hdev, "add monitor %d complete, status %d",
+--
+2.51.0
+
diff --git a/queue-6.18/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch b/queue-6.18/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch
new file mode 100644
index 0000000000..60e93e0c77
--- /dev/null
+++ b/queue-6.18/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch
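Review bot: Both hunks depend on mgmt_pending_valid() having already unlinked `cmd`, a fact that is not visible at either call site, and `mgmt_pending_free(cmd)` on its own reads like an ordinary cleanup that someone could later "fix" back to mgmt_pending_remove(). A one-line comment at the free, `/* cmd was already unlinked by mgmt_pending_valid(); free, do not remove */`, and a matching one where set_mesh_complete reaches `goto done` would keep the double list_del from being reintroduced. In set_mesh_complete the `done:` label is outside the hunk, so whether the command is released there cannot be confirmed from this patch alone.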
@@ -0,0 +1,46 @@
+From 9d0812cb096c971bc484c934eb255b2a4871866f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Mar 2026 01:02:57 +0200
+Subject: Bluetooth: qca: fix ROM version reading on WCN3998 chips
+
+From: Dmitry Baryshkov
+
+[ Upstream commit 99b2c531e0e797119ae1b9195a8764ee98b00e65 ]
+
+WCN3998 uses a bit different format for rom version:
+
+[ 5.479978] Bluetooth: hci0: setting up wcn399x
+[ 5.633763] Bluetooth: hci0: QCA Product ID :0x0000000a
+[ 5.645350] Bluetooth: hci0: QCA SOC Version :0x40010224
+[ 5.650906] Bluetooth: hci0: QCA ROM Version :0x00001001
+[ 5.665173] Bluetooth: hci0: QCA Patch Version:0x00006699
+[ 5.679356] Bluetooth: hci0: QCA controller version 0x02241001
+[ 5.691109] Bluetooth: hci0: QCA Downloading qca/crbtfw21.tlv
+[ 6.680102] Bluetooth: hci0: QCA Downloading qca/crnv21.bin
+[ 6.842948] Bluetooth: hci0: QCA setup on UART is completed
+
+Fixes: 523760b7ff88 ("Bluetooth: hci_qca: Added support for WCN3998")
+Reviewed-by: Bartosz Golaszewski
+Signed-off-by: Dmitry Baryshkov
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btqca.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index 7c958d6065bec..86a48d009d1ba 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -804,6 +804,8 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+ */
+ if (soc_type == QCA_WCN3988)
+ rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f);
++ else if (soc_type == QCA_WCN3998)
++ rom_ver = ((soc_ver & 0x0000f000) >> 0x07) | (soc_ver & 0x0000000f);
+ else
+ rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f);
+
+--
+2.51.0
+
diff --git a/queue-6.18/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch b/queue-6.18/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
new file mode 100644
index 0000000000..a9f78cd659
--- /dev/null
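Review bot: The new WCN3998 branch is a third copy of an undocumented mask-and-shift with bare magic numbers (`0x0000f000 >> 0x07`), and nothing in the ladder says which bits of soc_ver hold the ROM major nibble on each SoC or why the shift differs by one between the three variants. A short comment above the `if (soc_type == QCA_WCN3988)` line describing the per-chip layout of soc_ver (which nibble is the major, how it is packed next to the low nibble) would make all three formulas checkable by the next reader; the commit message's log excerpt shows the result but not the bit layout, so the comment should state the layout rather than repeat the example. qca_uart_setup continues outside the hunk.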
+++ b/queue-6.18/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
@@ -0,0 +1,36 @@
+From 751cfe2fa827575fa7e3eaac7db6900a39d304d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Feb 2026 18:07:28 +0100
+Subject: Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
+
+From: Christian Eggers
+
+[ Upstream commit 0e4d4dcc1a6e82cc6f9abf32193558efa7e1613d ]
+
+The last test step ("Test with Invalid public key X and Y, all set to
+0") expects to get an "DHKEY check failed" instead of "unspecified".
+
+Fixes: 6d19628f539f ("Bluetooth: SMP: Fail if remote and local public keys are identical")
+Signed-off-by: Christian Eggers
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index 3a1ce04a7a536..9d96040745897 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2743,7 +2743,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
+ if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
+ !crypto_memneq(key, smp->local_pk, 64)) {
+ bt_dev_err(hdev, "Remote and local public keys are identical");
+- return SMP_UNSPECIFIED;
++ return SMP_DHKEY_CHECK_FAILED;
+ }
+
+ memcpy(smp->remote_pk, key, 64);
+--
+2.51.0
+
diff --git a/queue-6.18/bonding-prevent-potential-infinite-loop-in-bond_head.patch b/queue-6.18/bonding-prevent-potential-infinite-loop-in-bond_head.patch
new file mode 100644
index 0000000000..a464632049
--- /dev/null
+++ b/queue-6.18/bonding-prevent-potential-infinite-loop-in-bond_head.patch
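Review bot: The changed return code is a conformance decision that only the commit message explains, and a reader of smp_cmd_public_key will see an "identical keys" check answering with a DHKey-check failure and wonder whether the two were mixed up. A comment on the `return SMP_DHKEY_CHECK_FAILED;` line, `/* SM/PER/KDU/BI-04-C expects DHKEY check failed here, not unspecified */`, would keep the reason next to the code. smp_cmd_public_key continues outside the hunk.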
@@ -0,0 +1,205 @@
+From 566ed90b31cdcc3043c4346c629da8629ea371cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 15 Mar 2026 10:41:52 +0000
+Subject: bonding: prevent potential infinite loop in bond_header_parse()
+
+From: Eric Dumazet
+
+[ Upstream commit b7405dcf7385445e10821777143f18c3ce20fa04 ]
+
+bond_header_parse() can loop if a stack of two bonding devices is setup,
+because skb->dev always points to the hierarchy top.
+
+Add new "const struct net_device *dev" parameter to
+(struct header_ops)->parse() method to make sure the recursion
+is bounded, and that the final leaf parse method is called.
+
+Fixes: 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()")
+Signed-off-by: Eric Dumazet
+Reviewed-by: Jiayuan Chen
+Tested-by: Jiayuan Chen
+Cc: Jay Vosburgh
+Cc: Andrew Lunn
+Link: https://patch.msgid.link/20260315104152.1436867-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/firewire/net.c | 5 +++--
+ drivers/net/bonding/bond_main.c | 8 +++++---
+ include/linux/etherdevice.h | 3 ++-
+ include/linux/if_ether.h | 3 ++-
+ include/linux/netdevice.h | 6 ++++--
+ net/ethernet/eth.c | 9 +++------
+ net/ipv4/ip_gre.c | 3 ++-
+ net/mac802154/iface.c | 4 +++-
+ net/phonet/af_phonet.c | 5 ++++-
+ 9 files changed, 28 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c
+index 6d64467135395..e829454089550 100644
+--- a/drivers/firewire/net.c
++++ b/drivers/firewire/net.c
+@@ -257,9 +257,10 @@ static void fwnet_header_cache_update(struct hh_cache *hh,
+ memcpy((u8 *)hh->hh_data + HH_DATA_OFF(FWNET_HLEN), haddr, net->addr_len);
+ }
+
+-static int fwnet_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++static int fwnet_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++ unsigned char *haddr)
+ {
+- memcpy(haddr, skb->dev->dev_addr, FWNET_ALEN);
++ memcpy(haddr, dev->dev_addr, FWNET_ALEN);
+
+ return FWNET_ALEN;
+ }
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index e8e261e0cb4e1..106cfe732a15e 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1497,9 +1497,11 @@ static int bond_header_create(struct sk_buff *skb, struct net_device *bond_dev,
+ return ret;
+ }
+
+-static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++static int bond_header_parse(const struct sk_buff *skb,
++ const struct net_device *dev,
++ unsigned char *haddr)
+ {
+- struct bonding *bond = netdev_priv(skb->dev);
++ struct bonding *bond = netdev_priv(dev);
+ const struct header_ops *slave_ops;
+ struct slave *slave;
+ int ret = 0;
+@@ -1509,7 +1511,7 @@ static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr)
+ if (slave) {
+ slave_ops = READ_ONCE(slave->dev->header_ops);
+ if (slave_ops && slave_ops->parse)
+- ret = slave_ops->parse(skb, haddr);
++ ret = slave_ops->parse(skb, slave->dev, haddr);
+ }
+ rcu_read_unlock();
+ return ret;
+diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h
+index 9a1eacf35d370..df8f88f63a706 100644
+--- a/include/linux/etherdevice.h
++++ b/include/linux/etherdevice.h
+@@ -42,7 +42,8 @@ extern const struct header_ops eth_header_ops;
+
+ int eth_header(struct sk_buff *skb, struct net_device *dev, unsigned short type,
+ const void *daddr, const void *saddr, unsigned len);
+-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr);
++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++ unsigned char *haddr);
+ int eth_header_cache(const struct neighbour *neigh, struct hh_cache *hh,
+ __be16 type);
+ void eth_header_cache_update(struct hh_cache *hh, const struct net_device *dev,
+diff --git a/include/linux/if_ether.h b/include/linux/if_ether.h
+index 61b7335aa037c..ca9afa824aa4f 100644
+--- a/include/linux/if_ether.h
++++ b/include/linux/if_ether.h
+@@ -40,7 +40,8 @@ static inline struct ethhdr *inner_eth_hdr(const struct sk_buff *skb)
+ return (struct ethhdr *)skb_inner_mac_header(skb);
+ }
+
+-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr);
++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++ unsigned char *haddr);
+
+ extern ssize_t sysfs_format_mac(char *buf, const unsigned char *addr, int len);
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 0f425a1f80409..20bd42fa160c9 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -311,7 +311,9 @@ struct header_ops {
+ int (*create) (struct sk_buff *skb, struct net_device *dev,
+ unsigned short type, const void *daddr,
+ const void *saddr, unsigned int len);
+- int (*parse)(const struct sk_buff *skb, unsigned char *haddr);
++ int (*parse)(const struct sk_buff *skb,
++ const struct net_device *dev,
++ unsigned char *haddr);
+ int (*cache)(const struct neighbour *neigh, struct hh_cache *hh, __be16 type);
+ void (*cache_update)(struct hh_cache *hh,
+ const struct net_device *dev,
+@@ -3427,7 +3429,7 @@ static inline int dev_parse_header(const struct sk_buff *skb,
+
+ if (!dev->header_ops || !dev->header_ops->parse)
+ return 0;
+- return dev->header_ops->parse(skb, haddr);
++ return dev->header_ops->parse(skb, dev, haddr);
+ }
+
+ static inline __be16 dev_parse_header_protocol(const struct sk_buff *skb)
+diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c
+index 43e211e611b16..ca4e3a01237d0 100644
+--- a/net/ethernet/eth.c
++++ b/net/ethernet/eth.c
+@@ -193,14 +193,11 @@ __be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev)
+ }
+ EXPORT_SYMBOL(eth_type_trans);
+
+-/**
+- * eth_header_parse - extract hardware address from packet
+- * @skb: packet to extract header from
+- * @haddr: destination buffer
+- */
+-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++ unsigned char *haddr)
+ {
+ const struct ethhdr *eth = eth_hdr(skb);
++
+ memcpy(haddr, eth->h_source, ETH_ALEN);
+ return ETH_ALEN;
+ }
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index e13244729ad8d..35f0baa99d409 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -919,7 +919,8 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
+ return -(t->hlen + sizeof(*iph));
+ }
+
+-static int ipgre_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++static int ipgre_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++ unsigned char *haddr)
+ {
+ const struct iphdr *iph = (const struct iphdr *) skb_mac_header(skb);
+ memcpy(haddr, &iph->saddr, 4);
+diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
+index 9e4631fade90c..000be60d95803 100644
+--- a/net/mac802154/iface.c
++++ b/net/mac802154/iface.c
+@@ -469,7 +469,9 @@ static int mac802154_header_create(struct sk_buff *skb,
+ }
+
+ static int
+-mac802154_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++mac802154_header_parse(const struct sk_buff *skb,
++ const struct net_device *dev,
++ unsigned char *haddr)
+ {
+ struct ieee802154_hdr hdr;
+
+diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c
+index 238a9638d2b0f..d89225d6bfd3b 100644
+--- a/net/phonet/af_phonet.c
++++ b/net/phonet/af_phonet.c
+@@ -129,9 +129,12 @@ static int pn_header_create(struct sk_buff *skb, struct net_device *dev,
+ return 1;
+ }
+
+-static int pn_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++static int pn_header_parse(const struct sk_buff *skb,
++ const struct net_device *dev,
++ unsigned char *haddr)
+ {
+ const u8 *media = skb_mac_header(skb);
++
+ *haddr = *media;
+ return 1;
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch b/queue-6.18/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch
new file mode 100644
index 0000000000..08e884703b
--- /dev/null
+++ b/queue-6.18/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch
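Review bot: The kernel-doc block for eth_header_parse() in net/ethernet/eth.c is deleted instead of updated, so the exported function loses its documentation and the new @dev parameter is never described; keep the block and add `* @dev: device the header belongs to (unused by Ethernet)`. The recursion bound now rests on every ->parse implementation receiving the leaf device — bond_header_parse() hands down slave->dev while dev_parse_header() passes its own dev — which is worth a one-line comment at the `slave_ops->parse(skb, slave->dev, haddr)` call so the distinction from skb->dev is not "simplified" away later. Any ->parse implementation outside the nine files in the diffstat would no longer match the function-pointer type in struct header_ops; presumably the diffstat is complete, but that cannot be verified from here. All changed functions except eth_header_parse() and the fwnet/phonet parsers continue outside the hunk.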
@@ -0,0 +1,75 @@
+From 4f236346a04c7bd36332356d97dd65b3432b0c0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Mar 2026 03:18:09 +0900
+Subject: bridge: cfm: Fix race condition in peer_mep deletion
+
+From: Hyunwoo Kim
+
+[ Upstream commit 3715a00855316066cdda69d43648336367422127 ]
+
+When a peer MEP is being deleted, cancel_delayed_work_sync() is called
+on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in
+softirq context under rcu_read_lock (without RTNL) and can re-schedule
+ccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync()
+returning and kfree_rcu() being called.
+
+The following is a simple race scenario:
+
+ cpu0 cpu1
+
+mep_delete_implementation()
+ cancel_delayed_work_sync(ccm_rx_dwork);
+ br_cfm_frame_rx()
+ // peer_mep still in hlist
+ if (peer_mep->ccm_defect)
+ ccm_rx_timer_start()
+ queue_delayed_work(ccm_rx_dwork)
+ hlist_del_rcu(&peer_mep->head);
+ kfree_rcu(peer_mep, rcu);
+ ccm_rx_work_expired()
+ // on freed peer_mep
+
+To prevent this, cancel_delayed_work_sync() is replaced with
+disable_delayed_work_sync() in both peer MEP deletion paths, so
+that subsequent queue_delayed_work() calls from br_cfm_frame_rx()
+are silently rejected.
+
+The cc_peer_disable() helper retains cancel_delayed_work_sync()
+because it is also used for the CC enable/disable toggle path where
+the work must remain re-schedulable.
+
+Fixes: dc32cbb3dbd7 ("bridge: cfm: Kernel space implementation of CFM. CCM frame RX added.")
+Signed-off-by: Hyunwoo Kim
+Reviewed-by: Ido Schimmel
+Link: https://patch.msgid.link/abBgYT5K_FI9rD1a@v4bel
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/bridge/br_cfm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bridge/br_cfm.c b/net/bridge/br_cfm.c
+index c2c1c7d44c615..f4ca77d9b0e96 100644
+--- a/net/bridge/br_cfm.c
++++ b/net/bridge/br_cfm.c
+@@ -576,7 +576,7 @@ static void mep_delete_implementation(struct net_bridge *br,
+
+ /* Empty and free peer MEP list */
+ hlist_for_each_entry_safe(peer_mep, n_store, &mep->peer_mep_list, head) {
+- cancel_delayed_work_sync(&peer_mep->ccm_rx_dwork);
++ disable_delayed_work_sync(&peer_mep->ccm_rx_dwork);
+ hlist_del_rcu(&peer_mep->head);
+ kfree_rcu(peer_mep, rcu);
+ }
+@@ -732,7 +732,7 @@ int br_cfm_cc_peer_mep_remove(struct net_bridge *br, const u32 instance,
+ return -ENOENT;
+ }
+
+- cc_peer_disable(peer_mep);
++ disable_delayed_work_sync(&peer_mep->ccm_rx_dwork);
+
+ hlist_del_rcu(&peer_mep->head);
+ kfree_rcu(peer_mep, rcu);
+--
+2.51.0
+
diff --git a/queue-6.18/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch b/queue-6.18/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch
new file mode 100644
index 0000000000..ce5efc1d90
--- /dev/null
+++ b/queue-6.18/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch
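Review bot: In br_cfm_cc_peer_mep_remove() the cc_peer_disable() call is replaced by a bare disable_delayed_work_sync(); if that helper did anything besides cancelling the work (its body is not in the hunk), those effects are now skipped on the removal path, and nothing at the call site explains why the helper is bypassed. A comment such as `/* disable, not cancel: br_cfm_frame_rx() may re-arm the work until the RCU grace period ends */` above both replaced lines would keep a future cleanup from reverting to cancel_delayed_work_sync(). The hlist_del_rcu() still happens after the disable, so a concurrent reader can observe the peer and call queue_delayed_work(), which is exactly the case the disabled state now rejects. Both functions continue outside the hunk.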
@@ -0,0 +1,99 @@
+From 065ae1f4324ec33eef0aa08f9c7f85f1300af0da Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 3 Mar 2026 16:57:43 +0000
+Subject: btrfs: log new dentries when logging parent dir of a conflicting
+ inode
+
+From: Filipe Manana
+
+[ Upstream commit 9573a365ff9ff45da9222d3fe63695ce562beb24 ]
+
+If we log the parent directory of a conflicting inode, we are not logging
+the new dentries of the directory, so when we finish we have the parent
+directory's inode marked as logged but we did not log its new dentries.
+As a consequence if the parent directory is explicitly fsynced later and
+it does not have any new changes since we logged it, the fsync is a no-op
+and after a power failure the new dentries are missing.
+
+Example scenario:
+
+ $ mkdir foo
+
+ $ sync
+
+ $rmdir foo
+
+ $ mkdir dir1
+ $ mkdir dir2
+
+ # A file with the same name and parent as the directory we just deleted
+ # and was persisted in a past transaction. So the deleted directory's
+ # inode is a conflicting inode of this new file's inode.
+ $ touch foo
+
+ $ ln foo dir2/link
+
+ # The fsync on dir2 will log the parent directory (".") because the
+ # conflicting inode (deleted directory) does not exists anymore, but it
+ # it does not log its new dentries (dir1).
+ $ xfs_io -c "fsync" dir2
+
+ # This fsync on the parent directory is no-op, since the previous fsync
+ # logged it (but without logging its new dentries).
+ $ xfs_io -c "fsync" .
+
+
+
+ # After log replay dir1 is missing.
+
+Fix this by ensuring we log new dir dentries whenever we log the parent
+directory of a no longer existing conflicting inode.
+
+A test case for fstests will follow soon.
+
+Reported-by: Vyacheslav Kovalevsky
+Link: https://lore.kernel.org/linux-btrfs/182055fa-e9ce-4089-9f5f-4b8a23e8dd91@gmail.com/
+Fixes: a3baaf0d786e ("Btrfs: fix fsync after succession of renames and unlink/rmdir")
+Reviewed-by: Boris Burkov
+Signed-off-by: Filipe Manana
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/tree-log.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 6c5db73c3e85f..7505a87522fd7 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -6203,6 +6203,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans,
+ struct btrfs_root *root,
+ struct btrfs_log_ctx *ctx)
+ {
++ const bool orig_log_new_dentries = ctx->log_new_dentries;
+ int ret = 0;
+
+ /*
+@@ -6264,7 +6265,11 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans,
+ * dir index key range logged for the directory. So we
+ * must make sure the deletion is recorded.
+ */
++ ctx->log_new_dentries = false;
+ ret = btrfs_log_inode(trans, inode, LOG_INODE_ALL, ctx);
++ if (!ret && ctx->log_new_dentries)
++ ret = log_new_dir_dentries(trans, inode, ctx);
++
+ btrfs_add_delayed_iput(inode);
+ if (ret)
+ break;
+@@ -6299,6 +6304,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans,
+ break;
+ }
+
++ ctx->log_new_dentries = orig_log_new_dentries;
+ ctx->logging_conflict_inodes = false;
+ if (ret)
+ free_conflicting_inodes(ctx);
+--
+2.51.0
+
diff --git a/queue-6.18/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch b/queue-6.18/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch
new file mode 100644
index 0000000000..2c752a04e0
--- /dev/null
+++ b/queue-6.18/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch
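Review bot: ctx->log_new_dentries is treated as an in/out flag here — cleared before btrfs_log_inode(), read back after it, and restored at the end — but nothing in the hunk says so, and the three pieces are spread over two hunks. A comment above `ctx->log_new_dentries = false;` such as `/* btrfs_log_inode() sets this when the dir gained dentries; clear it so we act only on this inode, the caller's value is restored at the end */` would make the save/restore pair self-explanatory. The restore is reached after every `break` visible here, but if log_conflicting_inodes() has an early return between the two hunks (not visible), the caller's flag would be lost on that path. The function begins and continues outside the hunk.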
@@ -0,0 +1,38 @@
+From 878b412aaa0298ba181559fd29b245c826d4eeb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Mar 2026 08:33:21 +0800
+Subject: btrfs: tree-checker: fix misleading root drop_level error message
+
+From: ZhengYuan Huang
+
+[ Upstream commit fc1cd1f18c34f91e78362f9629ab9fd43b9dcab9 ]
+
+Fix tree-checker error message to report "invalid root drop_level"
+instead of the misleading "invalid root level".
+
+Fixes: 259ee7754b67 ("btrfs: tree-checker: Add ROOT_ITEM check")
+Reviewed-by: Qu Wenruo
+Signed-off-by: ZhengYuan Huang
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/tree-checker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
+index 420c0f0e17c85..9b11b0a529dba 100644
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -1256,7 +1256,7 @@ static int check_root_item(struct extent_buffer *leaf, struct btrfs_key *key,
+ }
+ if (unlikely(btrfs_root_drop_level(&ri) >= BTRFS_MAX_LEVEL)) {
+ generic_err(leaf, slot,
+- "invalid root level, have %u expect [0, %u]",
++ "invalid root drop_level, have %u expect [0, %u]",
+ btrfs_root_drop_level(&ri), BTRFS_MAX_LEVEL - 1);
+ return -EUCLEAN;
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch b/queue-6.18/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch
new file mode 100644
index 0000000000..83f2ecedb8
--- /dev/null
+++ b/queue-6.18/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch
@@ -0,0 +1,46 @@
+From 9d6a4bc8ac90354a6bdcbf6d10dc5c5038708be5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 31 Jan 2026 01:49:09 +0800
+Subject: cache: ax45mp: Fix device node reference leak in ax45mp_cache_init()
+
+From: Felix Gu
+
+[ Upstream commit 0528a348b04b327a4611e29589beb4c9ae81304a ]
+
+In ax45mp_cache_init(), of_find_matching_node() returns a device node
+with an incremented reference count that must be released with
+of_node_put(). The current code fails to call of_node_put() which
+causes a reference leak.
+
+Use the __free(device_node) attribute to ensure automatic cleanup when
+the variable goes out of scope.
+
+Fixes: d34599bcd2e4 ("cache: Add L2 cache management for Andes AX45MP RISC-V core")
+Signed-off-by: Felix Gu
+Signed-off-by: Conor Dooley
+Signed-off-by: Sasha Levin
+---
+ drivers/cache/ax45mp_cache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cache/ax45mp_cache.c b/drivers/cache/ax45mp_cache.c
+index 1d7dd3d2c101c..934c5087ec2bd 100644
+--- a/drivers/cache/ax45mp_cache.c
++++ b/drivers/cache/ax45mp_cache.c
+@@ -178,11 +178,11 @@ static const struct of_device_id ax45mp_cache_ids[] = {
+
+ static int __init ax45mp_cache_init(void)
+ {
+- struct device_node *np;
+ struct resource res;
+ int ret;
+
+- np = of_find_matching_node(NULL, ax45mp_cache_ids);
++ struct device_node *np __free(device_node) =
++ of_find_matching_node(NULL, ax45mp_cache_ids);
+ if (!of_device_is_available(np))
+ return -ENODEV;
+
+--
+2.51.0
+
diff --git a/queue-6.18/cache-starfive-fix-device-node-leak-in-starlink_cach.patch b/queue-6.18/cache-starfive-fix-device-node-leak-in-starlink_cach.patch
new file mode 100644
index 0000000000..06da85a916
--- /dev/null
+++ b/queue-6.18/cache-starfive-fix-device-node-leak-in-starlink_cach.patch
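Review bot: With `__free(device_node)` the of_node_put() now runs on every exit of ax45mp_cache_init(), including the `return -ENODEV` shown and every return in the part of the function outside the hunk; that remainder must not store np or pass it to something that keeps the pointer without taking its own of_node_get(), and it must not contain a goto that jumps over the new declaration. The same caveat applies to starlink_cache_init() in the next patch (cache-starfive), which makes the identical change. ax45mp_cache_init() continues outside the hunk.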
@@ -0,0 +1,44 @@
+From f8acecc18a6ed86c70e807d36bfcc2f6e38aeda0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 31 Jan 2026 01:13:45 +0800
+Subject: cache: starfive: fix device node leak in starlink_cache_init()
+
+From: Felix Gu
+
+[ Upstream commit 3c85234b979af71cb9db5eb976ea08a468415767 ]
+
+of_find_matching_node() returns a device_node with refcount incremented.
+
+Use __free(device_node) attribute to automatically call of_node_put()
+when the variable goes out of scope, preventing the refcount leak.
+
+Fixes: cabff60ca77d ("cache: Add StarFive StarLink cache management")
+Signed-off-by: Felix Gu
+Reviewed-by: Jonathan Cameron
+Signed-off-by: Conor Dooley
+Signed-off-by: Sasha Levin
+---
+ drivers/cache/starfive_starlink_cache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cache/starfive_starlink_cache.c b/drivers/cache/starfive_starlink_cache.c
+index 24c7d078ca227..3a25d2d7c70ca 100644
+--- a/drivers/cache/starfive_starlink_cache.c
++++ b/drivers/cache/starfive_starlink_cache.c
+@@ -102,11 +102,11 @@ static const struct of_device_id starlink_cache_ids[] = {
+
+ static int __init starlink_cache_init(void)
+ {
+- struct device_node *np;
+ u32 block_size;
+ int ret;
+
+- np = of_find_matching_node(NULL, starlink_cache_ids);
++ struct device_node *np __free(device_node) =
++ of_find_matching_node(NULL, starlink_cache_ids);
+ if (!of_device_is_available(np))
+ return -ENODEV;
+
+--
+2.51.0
+
diff --git a/queue-6.18/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch b/queue-6.18/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch
new file mode 100644
index 0000000000..ff96f1d676
--- /dev/null
+++ b/queue-6.18/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch
@@ -0,0 +1,116 @@
+From 696867eb8c7ee008db40f6fc4d2fb06c91e0f289 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Mar 2026 07:55:31 +0100
+Subject: clsact: Fix use-after-free in init/destroy rollback asymmetry
+
+From: Daniel Borkmann
+
+[ Upstream commit a0671125d4f55e1e98d9bde8a0b671941987e208 ]
+
+Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry.
+The latter is achieved by first fully initializing a clsact instance, and
+then in a second step having a replacement failure for the new clsact qdisc
+instance. clsact_init() initializes ingress first and then takes care of the
+egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon
+failure, the kernel will trigger the clsact_destroy() callback.
+
+Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the
+way how the transition is happening. If tcf_block_get_ext on the q->ingress_block
+ends up failing, we took the tcx_miniq_inc reference count on the ingress
+side, but not yet on the egress side. clsact_destroy() tests whether the
+{ingress,egress}_entry was non-NULL. However, even in midway failure on the
+replacement, both are in fact non-NULL with a valid egress_entry from the
+previous clsact instance.
+
+What we really need to test for is whether the qdisc instance-specific ingress
+or egress side previously got initialized. This adds a small helper for checking
+the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon
+clsact_destroy() in order to fix the use-after-free scenario. Convert the
+ingress_destroy() side as well so both are consistent to each other.
+
+Fixes: 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry")
+Reported-by: Keenan Dong
+Signed-off-by: Daniel Borkmann
+Cc: Martin KaFai Lau
+Acked-by: Martin KaFai Lau
+Link: https://patch.msgid.link/20260313065531.98639-1-daniel@iogearbox.net
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ include/net/sch_generic.h | 5 +++++
+ net/sched/sch_ingress.c | 14 ++++++++------
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index 84c86decebdfa..059eb6cb54f13 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -1411,6 +1411,11 @@ void mini_qdisc_pair_init(struct mini_Qdisc_pair *miniqp, struct Qdisc *qdisc,
+ void mini_qdisc_pair_block_init(struct mini_Qdisc_pair *miniqp,
+ struct tcf_block *block);
+
++static inline bool mini_qdisc_pair_inited(struct mini_Qdisc_pair *miniqp)
++{
++ return !!miniqp->p_miniq;
++}
++
+ void mq_change_real_num_tx(struct Qdisc *sch, unsigned int new_real_tx);
+
+ int sch_frag_xmit_hook(struct sk_buff *skb, int (*xmit)(struct sk_buff *skb));
+diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c
+index cc6051d4f2ef8..c3e18bae8fbfc 100644
+--- a/net/sched/sch_ingress.c
++++ b/net/sched/sch_ingress.c
+@@ -113,14 +113,15 @@ static void ingress_destroy(struct Qdisc *sch)
+ {
+ struct ingress_sched_data *q = qdisc_priv(sch);
+ struct net_device *dev = qdisc_dev(sch);
+- struct bpf_mprog_entry *entry = rtnl_dereference(dev->tcx_ingress);
++ struct bpf_mprog_entry *entry;
+
+ if (sch->parent != TC_H_INGRESS)
+ return;
+
+ tcf_block_put_ext(q->block, sch, &q->block_info);
+
+- if (entry) {
++ if (mini_qdisc_pair_inited(&q->miniqp)) {
++ entry = rtnl_dereference(dev->tcx_ingress);
+ tcx_miniq_dec(entry);
+ if (!tcx_entry_is_active(entry)) {
+ tcx_entry_update(dev, NULL, true);
+@@ -290,10 +291,9 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt,
+
+ static void clsact_destroy(struct Qdisc *sch)
+ {
++ struct bpf_mprog_entry *ingress_entry, *egress_entry;
+ struct clsact_sched_data *q = qdisc_priv(sch);
+ struct net_device *dev = qdisc_dev(sch);
+- struct bpf_mprog_entry *ingress_entry = rtnl_dereference(dev->tcx_ingress);
+- struct bpf_mprog_entry *egress_entry = rtnl_dereference(dev->tcx_egress);
+
+ if (sch->parent != TC_H_CLSACT)
+ return;
+@@ -301,7 +301,8 @@ static void clsact_destroy(struct Qdisc *sch)
+ tcf_block_put_ext(q->ingress_block, sch, &q->ingress_block_info);
+ tcf_block_put_ext(q->egress_block, sch, &q->egress_block_info);
+
+- if (ingress_entry) {
++ if (mini_qdisc_pair_inited(&q->miniqp_ingress)) {
++ ingress_entry = rtnl_dereference(dev->tcx_ingress);
+ tcx_miniq_dec(ingress_entry);
+ if (!tcx_entry_is_active(ingress_entry)) {
+ tcx_entry_update(dev, NULL, true);
+@@ -309,7 +310,8 @@ static void clsact_destroy(struct Qdisc *sch)
+ }
+ }
+
+- if (egress_entry) {
++ if (mini_qdisc_pair_inited(&q->miniqp_egress)) {
++ egress_entry = rtnl_dereference(dev->tcx_egress);
+ tcx_miniq_dec(egress_entry);
+ if (!tcx_entry_is_active(egress_entry)) {
+ tcx_entry_update(dev, NULL, false);
+--
+2.51.0
+
diff --git a/queue-6.18/crypto-ccp-fix-leaking-the-same-page-twice.patch b/queue-6.18/crypto-ccp-fix-leaking-the-same-page-twice.patch
new file mode 100644
index 0000000000..9d411b8234
--- /dev/null
+++ b/queue-6.18/crypto-ccp-fix-leaking-the-same-page-twice.patch
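Review bot: The old `if (entry)` / `if (ingress_entry)` / `if (egress_entry)` guards also shielded tcx_miniq_dec() from a NULL entry; the new code dereferences dev->tcx_ingress / dev->tcx_egress unconditionally once the miniq pair reports inited, so it now relies on mini_qdisc_pair_init() being reached only after the matching tcx entry exists and is still held (the init paths are not in the hunk). That invariant should be written down on the new helper, e.g. `/* True once mini_qdisc_pair_init() ran; the owning qdisc then holds a tcx_miniq reference, so the entry is non-NULL until tcx_miniq_dec(). */`. Since the helper only reads p_miniq, its parameter can be `const struct mini_Qdisc_pair *miniqp`. ingress_destroy() and clsact_destroy() continue outside the hunk.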
@@ -0,0 +1,56 @@
+From fd5d6791a37909029749b82b7ca796e3a975411c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 4 Mar 2026 12:39:34 -0800
+Subject: crypto: ccp - Fix leaking the same page twice
+
+From: Guenter Roeck
+
+[ Upstream commit 5c52607c43c397b79a9852ce33fc61de58c3645c ]
+
+Commit 551120148b67 ("crypto: ccp - Fix a case where SNP_SHUTDOWN is
+missed") fixed a case where SNP is left in INIT state if page reclaim
+fails. It removes the transition to the INIT state for this command and
+adjusts the page state management.
+
+While doing this, it added a call to snp_leak_pages() after a call to
+snp_reclaim_pages() failed. Since snp_reclaim_pages() already calls
+snp_leak_pages() internally on the pages it fails to reclaim, calling
+it again leaks the exact same page twice.
+
+Fix by removing the extra call to snp_leak_pages().
+
+The problem was found by an experimental code review agent based on
+gemini-3.1-pro while reviewing backports into v6.18.y.
+
+Assisted-by: Gemini:gemini-3.1-pro
+Fixes: 551120148b67 ("crypto: ccp - Fix a case where SNP_SHUTDOWN is missed")
+Cc: Tycho Andersen (AMD)
+Cc: Tom Lendacky
+Signed-off-by: Guenter Roeck
+Reviewed-by: Tom Lendacky
+Reviewed-by: Tycho Andersen (AMD)
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ drivers/crypto/ccp/sev-dev.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
+index b8da99bcb2432..86f5ed798d3c7 100644
+--- a/drivers/crypto/ccp/sev-dev.c
++++ b/drivers/crypto/ccp/sev-dev.c
+@@ -2381,10 +2381,8 @@ static int sev_ioctl_do_snp_platform_status(struct sev_issue_cmd *argp)
+ * in Firmware state on failure. Use snp_reclaim_pages() to
+ * transition either case back to Hypervisor-owned state.
+ */
+- if (snp_reclaim_pages(__pa(data), 1, true)) {
+- snp_leak_pages(__page_to_pfn(status_page), 1);
++ if (snp_reclaim_pages(__pa(data), 1, true))
+ return -EFAULT;
+- }
+ }
+
+ if (ret)
+--
+2.51.0
+
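Review bot: The removal is right, but the context comment above the call still reads as if this function owns the cleanup of a page that fails to reclaim, which is exactly how the duplicate snp_leak_pages() got added; extend that comment with `* snp_reclaim_pages() already leaks any page it cannot reclaim, so no explicit snp_leak_pages() is needed on failure.` so the call is not reintroduced. The early `return -EFAULT` still skips whatever follows the `if (ret)` line, which is outside the hunk, so any teardown performed there must already be unnecessary on this path. sev_ioctl_do_snp_platform_status() begins and continues outside the hunk.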
diff --git a/queue-6.18/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch b/queue-6.18/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch
new file mode 100644
index 0000000000..a73067af89
--- /dev/null
+++ b/queue-6.18/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch
@@ -0,0 +1,77 @@
+From e00f30bd63bd6ffa58b8f7e54b243a0297851152 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 4 Mar 2026 12:09:53 +0000
+Subject: firmware: arm_ffa: Remove vm_id argument in ffa_rxtx_unmap()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yeoreum Yun
+
+[ Upstream commit a4e8473b775160f3ce978f621cf8dea2c7250433 ]
+
+According to the FF-A specification (DEN0077, v1.1, §13.7), when
+FFA_RXTX_UNMAP is invoked from any instance other than non-secure
+physical, the w1 register must be zero (MBZ). If a non-zero value is
+supplied in this context, the SPMC must return FFA_INVALID_PARAMETER.
+
+The Arm FF-A driver operates exclusively as a guest or non-secure
+physical instance where the partition ID is always zero and is not
+invoked from a hypervisor context where w1 carries a VM ID. In this
+execution model, the partition ID observed by the driver is always zero,
+and passing a VM ID is unnecessary and potentially invalid.
+
+Remove the vm_id parameter from ffa_rxtx_unmap() and ensure that the
+SMC call is issued with w1 implicitly zeroed, as required by the
+specification. This prevents invalid parameter errors and aligns the
+implementation with the defined FF-A ABI behavior.
+
+Fixes: 3bbfe9871005 ("firmware: arm_ffa: Add initial Arm FFA driver support")
+Signed-off-by: Yeoreum Yun
+Message-Id: <20260304120953.847671-1-yeoreum.yun@arm.com>
+Signed-off-by: Sudeep Holla
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/arm_ffa/driver.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
+index 11a702e7f641c..f6ceae987acbc 100644
+--- a/drivers/firmware/arm_ffa/driver.c
++++ b/drivers/firmware/arm_ffa/driver.c
+@@ -205,12 +205,12 @@ static int ffa_rxtx_map(phys_addr_t tx_buf, phys_addr_t rx_buf, u32 pg_cnt)
+ return 0;
+ }
+
+-static int ffa_rxtx_unmap(u16 vm_id)
++static int ffa_rxtx_unmap(void)
+ {
+ ffa_value_t ret;
+
+ invoke_ffa_fn((ffa_value_t){
+- .a0 = FFA_RXTX_UNMAP, .a1 = PACK_TARGET_INFO(vm_id, 0),
++ .a0 = FFA_RXTX_UNMAP,
+ }, &ret);
+
+ if (ret.a0 == FFA_ERROR)
+@@ -2093,7 +2093,7 @@ static int __init ffa_init(void)
+
+ pr_err("failed to setup partitions\n");
+ ffa_notifications_cleanup();
+- ffa_rxtx_unmap(drv_info->vm_id);
++ ffa_rxtx_unmap();
+ free_pages:
+ if (drv_info->tx_buffer)
+ free_pages_exact(drv_info->tx_buffer, rxtx_bufsz);
+@@ -2108,7 +2108,7 @@ static void __exit ffa_exit(void)
+ {
+ ffa_notifications_cleanup();
+ ffa_partitions_cleanup();
+- ffa_rxtx_unmap(drv_info->vm_id);
++ ffa_rxtx_unmap();
+ free_pages_exact(drv_info->tx_buffer, drv_info->rxtx_bufsz);
+ free_pages_exact(drv_info->rx_buffer, drv_info->rxtx_bufsz);
+ kfree(drv_info);
+--
+2.51.0
+
diff --git a/queue-6.18/firmware-arm_scmi-fix-null-dereference-on-notify-err.patch b/queue-6.18/firmware-arm_scmi-fix-null-dereference-on-notify-err.patch
new file mode 100644
index 0000000000..c4028c8daf
--- /dev/null
+++ b/queue-6.18/firmware-arm_scmi-fix-null-dereference-on-notify-err.patch
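Review bot: The compound literal now leaves .a1 zero by omission, which is the whole fix, but nothing in ffa_rxtx_unmap() states that w1 must be zero, so a later change could reintroduce a target-info argument without noticing the ABI rule; add `/* w1 is MBZ for guest / non-secure physical callers (DEN0077 v1.1 §13.7) */` above the invoke_ffa_fn() call. Relying on designated-initializer zeroing for a field with MBZ semantics is fine in C, but an explicit `.a1 = 0,` would make the intent visible in the diff as well. ffa_rxtx_unmap() continues past the hunk, and ffa_init() / ffa_exit() begin outside it.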
@@ -0,0 +1,52 @@
+From 1882f45bfc546a0c72744db88b79e4a00c147f6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Mar 2026 13:10:11 +0000
+Subject: firmware: arm_scmi: Fix NULL dereference on notify error path
+
+From: Cristian Marussi
+
+[ Upstream commit 555317d6100164748f7d09f80142739bd29f0cda ]
+
+Since commit b5daf93b809d1 ("firmware: arm_scmi: Avoid notifier
+registration for unsupported events") the call chains leading to the helper
+__scmi_event_handler_get_ops expect an ERR_PTR to be returned on failure to
+get an handler for the requested event key, while the current helper can
+still return a NULL when no handler could be found or created.
+
+Fix by forcing an ERR_PTR return value when the handler reference is NULL.
+
+Fixes: b5daf93b809d1 ("firmware: arm_scmi: Avoid notifier registration for unsupported events")
+Signed-off-by: Cristian Marussi
+Reviewed-by: Dan Carpenter
+Message-Id: <20260305131011.541444-1-cristian.marussi@arm.com>
+Signed-off-by: Sudeep Holla
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/arm_scmi/notify.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/arm_scmi/notify.c b/drivers/firmware/arm_scmi/notify.c
+index dee9f238f6fdd..2047edbdc5f6b 100644
+--- a/drivers/firmware/arm_scmi/notify.c
++++ b/drivers/firmware/arm_scmi/notify.c
+@@ -1066,7 +1066,7 @@ static int scmi_register_event_handler(struct scmi_notify_instance *ni,
+ * since at creation time we usually want to have all setup and ready before
+ * events really start flowing.
+ *
+- * Return: A properly refcounted handler on Success, NULL on Failure
++ * Return: A properly refcounted handler on Success, ERR_PTR on Failure
+ */
+ static inline struct scmi_event_handler *
+ __scmi_event_handler_get_ops(struct scmi_notify_instance *ni,
+@@ -1113,7 +1113,7 @@ __scmi_event_handler_get_ops(struct scmi_notify_instance *ni,
+ }
+ mutex_unlock(&ni->pending_mtx);
+
+- return hndl;
++ return hndl ?: ERR_PTR(-ENODEV);
+ }
+
+ static struct scmi_event_handler *
+--
+2.51.0
+
diff --git a/queue-6.18/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch b/queue-6.18/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch
new file mode 100644
index 0000000000..ee2274e0d7
--- /dev/null
+++ b/queue-6.18/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch
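Review bot: After `return hndl ?: ERR_PTR(-ENODEV);` the helper never returns NULL, so any caller still written as `if (!hndl)` (none are visible here) would take an error pointer for a valid handler and dereference it; every caller of __scmi_event_handler_get_ops() needs to test with IS_ERR(). The updated kernel-doc should also name the errno so callers can tell "not found" apart from other failures: `* Return: A properly refcounted handler on Success, ERR_PTR(-ENODEV) on Failure`. The body of __scmi_event_handler_get_ops() lies between the two hunks and is not shown.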
@@ -0,0 +1,58 @@ +From 4e703d4867b01c4242a787bd5966fc9c0c4d0e5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 21:08:19 +0800 +Subject: firmware: arm_scpi: Fix device_node reference leak in probe path + +From: Felix Gu + +[ Upstream commit 879c001afbac3df94160334fe5117c0c83b2cf48 ] + +A device_node reference obtained from the device tree is not released +on all error paths in the arm_scpi probe path. Specifically, a node +returned by of_parse_phandle() could be leaked when the probe failed +after the node was acquired. The probe function returns early and +the shmem reference is not released. + +Use __free(device_node) scope-based cleanup to automatically release +the reference when the variable goes out of scope. + +Fixes: ed7ecb883901 ("firmware: arm_scpi: Add compatibility checks for shmem node") +Signed-off-by: Felix Gu +Message-Id: <20260121-arm_scpi_2-v2-1-702d7fa84acb@gmail.com> +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scpi.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c +index 87c323de17b90..398642cc25d90 100644 +--- a/drivers/firmware/arm_scpi.c ++++ b/drivers/firmware/arm_scpi.c +@@ -18,6 +18,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -940,13 +941,13 @@ static int scpi_probe(struct platform_device *pdev) + int idx = scpi_drvinfo->num_chans; + struct scpi_chan *pchan = scpi_drvinfo->channels + idx; + struct mbox_client *cl = &pchan->cl; +- struct device_node *shmem = of_parse_phandle(np, "shmem", idx); ++ struct device_node *shmem __free(device_node) = ++ of_parse_phandle(np, "shmem", idx); + + if (!of_match_node(shmem_of_match, shmem)) + return -ENXIO; + + ret = of_address_to_resource(shmem, 0, &res); +- of_node_put(shmem); + if (ret) { + dev_err(dev, "failed to get SCPI payload mem resource\n"); + return ret; +-- +2.51.0 + 
diff --git a/queue-6.18/iavf-fix-vlan-filter-lost-on-add-delete-race.patch b/queue-6.18/iavf-fix-vlan-filter-lost-on-add-delete-race.patch
new file mode 100644
index 0000000000..bf82c73992
--- /dev/null
+++ b/queue-6.18/iavf-fix-vlan-filter-lost-on-add-delete-race.patch
@@ -0,0 +1,70 @@ +From 33ce1071f6123f32595e973bb77cd6d22d307b42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 11:01:37 +0100 +Subject: iavf: fix VLAN filter lost on add/delete race + +From: Petr Oros + +[ Upstream commit fc9c69be594756b81b54c6bc40803fa6052f35ae ] + +When iavf_add_vlan() finds an existing filter in IAVF_VLAN_REMOVE +state, it transitions the filter to IAVF_VLAN_ACTIVE assuming the +pending delete can simply be cancelled. However, there is no guarantee +that iavf_del_vlans() has not already processed the delete AQ request +and removed the filter from the PF. In that case the filter remains in +the driver's list as IAVF_VLAN_ACTIVE but is no longer programmed on +the NIC. Since iavf_add_vlans() only picks up filters in +IAVF_VLAN_ADD state, the filter is never re-added, and spoof checking +drops all traffic for that VLAN. + + CPU0 CPU1 Workqueue + ---- ---- --------- + iavf_del_vlan(vlan 100) + f->state = REMOVE + schedule AQ_DEL_VLAN + iavf_add_vlan(vlan 100) + f->state = ACTIVE + iavf_del_vlans() + f is ACTIVE, skip + iavf_add_vlans() + f is ACTIVE, skip + + Filter is ACTIVE in driver but absent from NIC. + +Transition to IAVF_VLAN_ADD instead and schedule +IAVF_FLAG_AQ_ADD_VLAN_FILTER so iavf_add_vlans() re-programs the +filter. A duplicate add is idempotent on the PF. 
+ +Fixes: 0c0da0e95105 ("iavf: refactor VLAN filter states") +Signed-off-by: Petr Oros +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 03ab2a4276bbf..0a72d419782e5 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -757,10 +757,13 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter, + adapter->num_vlan_filters++; + iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER); + } else if (f->state == IAVF_VLAN_REMOVE) { +- /* IAVF_VLAN_REMOVE means that VLAN wasn't yet removed. +- * We can safely only change the state here. ++ /* Re-add the filter since we cannot tell whether the ++ * pending delete has already been processed by the PF. ++ * A duplicate add is harmless. + */ +- f->state = IAVF_VLAN_ACTIVE; ++ f->state = IAVF_VLAN_ADD; ++ iavf_schedule_aq_request(adapter, ++ IAVF_FLAG_AQ_ADD_VLAN_FILTER); + } + + clearout: +-- +2.51.0 + diff --git a/queue-6.18/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch b/queue-6.18/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch new file mode 100644 index 0000000000..d01c643cf4 --- /dev/null +++ b/queue-6.18/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch 
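Review bot: The new comment says "A duplicate add is harmless", but that is a property of the PF rather than of this driver, and the correctness of the REMOVE-to-ADD transition rests entirely on it, so the comment should say where the guarantee comes from. Suggested wording: `/* The pending delete may already have reached the PF, so request a fresh add instead of cancelling it; the PF treats a duplicate add as a no-op. */`. The transition also assumes the caller serializes writes to `f->state` against `iavf_del_vlans()`; the lock is taken outside this hunk, and `iavf_add_vlan()` begins and ends outside the hunk.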
@@ -0,0 +1,68 @@ +From aa8f8c892c42494f6694565cce774a2de93c5ffc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 21:06:01 +0800 +Subject: icmp: fix NULL pointer dereference in icmp_tag_validation() + +From: Weiming Shi + +[ Upstream commit 614aefe56af8e13331e50220c936fc0689cf5675 ] + +icmp_tag_validation() unconditionally dereferences the result of +rcu_dereference(inet_protos[proto]) without checking for NULL. +The inet_protos[] array is sparse -- only about 15 of 256 protocol +numbers have registered handlers. When ip_no_pmtu_disc is set to 3 +(hardened PMTU mode) and the kernel receives an ICMP Fragmentation +Needed error with a quoted inner IP header containing an unregistered +protocol number, the NULL dereference causes a kernel panic in +softirq context. + + Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI + KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] + RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) + Call Trace: + + icmp_rcv (net/ipv4/icmp.c:1527) + ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) + ip_local_deliver_finish (net/ipv4/ip_input.c:242) + ip_local_deliver (net/ipv4/ip_input.c:262) + ip_rcv (net/ipv4/ip_input.c:573) + __netif_receive_skb_one_core (net/core/dev.c:6164) + process_backlog (net/core/dev.c:6628) + handle_softirqs (kernel/softirq.c:561) + + +Add a NULL check before accessing icmp_strict_tag_validation. If the +protocol has no registered handler, return false since it cannot +perform strict tag validation. 
+ +Fixes: 8ed1dc44d3e9 ("ipv4: introduce hardened ip_no_pmtu_disc mode") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Link: https://patch.msgid.link/20260318130558.1050247-4-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 3e19a5d465b83..b39176b620785 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -879,10 +879,12 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info) + + static bool icmp_tag_validation(int proto) + { ++ const struct net_protocol *ipprot; + bool ok; + + rcu_read_lock(); +- ok = rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation; ++ ipprot = rcu_dereference(inet_protos[proto]); ++ ok = ipprot ? ipprot->icmp_strict_tag_validation : false; + rcu_read_unlock(); + return ok; + } +-- +2.51.0 + diff --git a/queue-6.18/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch b/queue-6.18/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch new file mode 100644 index 0000000000..c8ca714ea3 --- /dev/null +++ b/queue-6.18/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch 
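Review bot: The fail-closed choice on the new `ok = ipprot ? ipprot->icmp_strict_tag_validation : false;` line deserves a comment: an unregistered inner protocol cannot vouch for the quoted tag, and reporting "not validated" is what makes the hardened `ip_no_pmtu_disc=3` path (in the caller, outside this hunk, per the commit message) discard a crafted Fragmentation Needed message instead of trusting it. Suggested: `/* No handler for this protocol: nothing can validate the quoted tag, so treat the message as unvalidated. */`. `proto` is an `int` and this helper does no bounds check of its own; that is fine as long as the only caller keeps passing `iph->protocol`, which is presumably the case but is not visible here.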
@@ -0,0 +1,45 @@ +From 6616fca4919d615bab401a2b68d463f533d299bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Feb 2026 19:46:32 +0000 +Subject: igc: fix missing update of skb->tail in igc_xmit_frame() + +From: Kohei Enju + +[ Upstream commit 0ffba246652faf4a36aedc66059c2f94e4c83ea5 ] + +igc_xmit_frame() misses updating skb->tail when the packet size is +shorter than the minimum one. +Use skb_put_padto() in alignment with other Intel Ethernet drivers. + +Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers") +Signed-off-by: Kohei Enju +Reviewed-by: Simon Horman +Reviewed-by: Paul Menzel +Tested-by: Avigail Dahan +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 89a321a344d26..55d6feccc7745 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -1730,11 +1730,8 @@ static netdev_tx_t igc_xmit_frame(struct sk_buff *skb, + /* The minimum packet size with TCTL.PSP set is 17 so pad the skb + * in order to meet this minimum size requirement. + */ +- if (skb->len < 17) { +- if (skb_padto(skb, 17)) +- return NETDEV_TX_OK; +- skb->len = 17; +- } ++ if (skb_put_padto(skb, 17)) ++ return NETDEV_TX_OK; + + return igc_xmit_frame_ring(skb, igc_tx_queue_mapping(adapter, skb)); + } +-- +2.51.0 + diff --git a/queue-6.18/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch b/queue-6.18/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch new file mode 100644 index 0000000000..f4bdcf0583 --- /dev/null +++ b/queue-6.18/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch 
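Review bot: Returning `NETDEV_TX_OK` straight after a failed `skb_put_padto()` is correct only because, as I recall, that helper frees the skb on failure; the old `skb_padto()` form had the same shape, so a one-line comment would stop the next reader from adding a `dev_kfree_skb()` and creating a double free: `/* skb_put_padto() frees the skb on failure. */`. The new call also runs for frames already at or above 17 bytes, where the helper is a no-op, so dropping the `skb->len < 17` guard is not a behaviour change. `igc_xmit_frame()` begins outside the hunk.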
@@ -0,0 +1,118 @@ +From c4e5ba49dc845c8323736d8aa8c1f6356de71c1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 10:58:29 +0100 +Subject: igc: fix page fault in XDP TX timestamps handling + +From: Zdenek Bouska + +[ Upstream commit 45b33e805bd39f615d9353a7194b2da5281332df ] + +If an XDP application that requested TX timestamping is shutting down +while the link of the interface in use is still up the following kernel +splat is reported: + +[ 883.803618] [ T1554] BUG: unable to handle page fault for address: ffffcfb6200fd008 +... +[ 883.803650] [ T1554] Call Trace: +[ 883.803652] [ T1554] +[ 883.803654] [ T1554] igc_ptp_tx_tstamp_event+0xdf/0x160 [igc] +[ 883.803660] [ T1554] igc_tsync_interrupt+0x2d5/0x300 [igc] +... + +During shutdown of the TX ring the xsk_meta pointers are left behind, so +that the IRQ handler is trying to touch them. + +This issue is now being fixed by cleaning up the stale xsk meta data on +TX shutdown. TX timestamps on other queues remain unaffected. 
+ +Fixes: 15fd021bc427 ("igc: Add Tx hardware timestamp request for AF_XDP zero-copy packet") +Signed-off-by: Zdenek Bouska +Reviewed-by: Paul Menzel +Reviewed-by: Florian Bezdeka +Tested-by: Avigail Dahan +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc.h | 2 ++ + drivers/net/ethernet/intel/igc/igc_main.c | 7 +++++ + drivers/net/ethernet/intel/igc/igc_ptp.c | 33 +++++++++++++++++++++++ + 3 files changed, 42 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h +index a427f05814c1a..17236813965d3 100644 +--- a/drivers/net/ethernet/intel/igc/igc.h ++++ b/drivers/net/ethernet/intel/igc/igc.h +@@ -781,6 +781,8 @@ int igc_ptp_hwtstamp_set(struct net_device *netdev, + struct kernel_hwtstamp_config *config, + struct netlink_ext_ack *extack); + void igc_ptp_tx_hang(struct igc_adapter *adapter); ++void igc_ptp_clear_xsk_tx_tstamp_queue(struct igc_adapter *adapter, ++ u16 queue_id); + void igc_ptp_read(struct igc_adapter *adapter, struct timespec64 *ts); + void igc_ptp_tx_tstamp_event(struct igc_adapter *adapter); + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 55d6feccc7745..104d6ab2ce5fa 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -264,6 +264,13 @@ static void igc_clean_tx_ring(struct igc_ring *tx_ring) + /* reset next_to_use and next_to_clean */ + tx_ring->next_to_use = 0; + tx_ring->next_to_clean = 0; ++ ++ /* Clear any lingering XSK TX timestamp requests */ ++ if (test_bit(IGC_RING_FLAG_TX_HWTSTAMP, &tx_ring->flags)) { ++ struct igc_adapter *adapter = netdev_priv(tx_ring->netdev); ++ ++ igc_ptp_clear_xsk_tx_tstamp_queue(adapter, tx_ring->queue_index); ++ } + } + + /** +diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c +index 7aae83c108fd7..98491346d21b8 100644 +--- 
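Review bot: The new clear in `igc_clean_tx_ring()` runs after the ring's buffers have been released earlier in the function (outside this hunk), so if the TSYNC interrupt can still fire in that window `igc_ptp_tx_tstamp_event()` can still reach a stale `xsk_tx_buffer`; please confirm that every caller reaches this point with the timestamp interrupt quiesced, or move the clear ahead of the buffer release. The `test_bit(IGC_RING_FLAG_TX_HWTSTAMP, ...)` guard also means that if the flag can be cleared before the ring is cleaned, the stale slots survive; if that ordering is possible the guard should go, since the clear is cheap. `igc_clean_tx_ring()` begins outside the hunk.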
a/drivers/net/ethernet/intel/igc/igc_ptp.c ++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c +@@ -576,6 +576,39 @@ static void igc_ptp_clear_tx_tstamp(struct igc_adapter *adapter) + spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags); + } + ++/** ++ * igc_ptp_clear_xsk_tx_tstamp_queue - Clear pending XSK TX timestamps for a queue ++ * @adapter: Board private structure ++ * @queue_id: TX queue index to clear timestamps for ++ * ++ * Iterates over all TX timestamp registers and releases any pending ++ * timestamp requests associated with the given TX queue. This is ++ * called when an XDP pool is being disabled to ensure no stale ++ * timestamp references remain. ++ */ ++void igc_ptp_clear_xsk_tx_tstamp_queue(struct igc_adapter *adapter, u16 queue_id) ++{ ++ unsigned long flags; ++ int i; ++ ++ spin_lock_irqsave(&adapter->ptp_tx_lock, flags); ++ ++ for (i = 0; i < IGC_MAX_TX_TSTAMP_REGS; i++) { ++ struct igc_tx_timestamp_request *tstamp = &adapter->tx_tstamp[i]; ++ ++ if (tstamp->buffer_type != IGC_TX_BUFFER_TYPE_XSK) ++ continue; ++ if (tstamp->xsk_queue_index != queue_id) ++ continue; ++ if (!tstamp->xsk_tx_buffer) ++ continue; ++ ++ igc_ptp_free_tx_buffer(adapter, tstamp); ++ } ++ ++ spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags); ++} ++ + static void igc_ptp_disable_tx_timestamp(struct igc_adapter *adapter) + { + struct igc_hw *hw = &adapter->hw; +-- +2.51.0 + diff --git a/queue-6.18/libie-prevent-memleak-in-fwlog-code.patch b/queue-6.18/libie-prevent-memleak-in-fwlog-code.patch new file mode 100644 index 0000000000..eaaf56388a --- /dev/null +++ b/queue-6.18/libie-prevent-memleak-in-fwlog-code.patch 
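Review bot: The kernel-doc on `igc_ptp_clear_xsk_tx_tstamp_queue()` says it is called when an XDP pool is being disabled, but the only caller this patch adds is `igc_clean_tx_ring()`, which runs on every TX ring cleanup; the comment should state the actual contract, e.g. `Called from igc_clean_tx_ring() so that no timestamp slot keeps a pointer into a TX ring that is being torn down.` Taking `ptp_tx_lock` around `igc_ptp_free_tx_buffer()` matches `igc_ptp_clear_tx_tstamp()` just above, which is good. The three `continue` checks could be folded into one condition, but that is a matter of taste.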
@@ -0,0 +1,152 @@ +From fe7300f8c0868b9c4fcf6053fed3e3f5f4f37182 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Feb 2026 10:10:08 +0100 +Subject: libie: prevent memleak in fwlog code + +From: Michal Swiatkowski + +[ Upstream commit 6850deb61118345996f03b87817b4ae0f2f25c38 ] + +All cmd_buf buffers are allocated and need to be freed after usage. +Add an error unwinding path that properly frees these buffers. + +The memory leak happens whenever fwlog configuration is changed. For +example: + +$echo 256K > /sys/kernel/debug/ixgbe/0000\:32\:00.0/fwlog/log_size + +Fixes: 96a9a9341cda ("ice: configure FW logging") +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Michal Swiatkowski +Reviewed-by: Simon Horman +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/libie/fwlog.c | 49 +++++++++++++++++------- + 1 file changed, 36 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/intel/libie/fwlog.c b/drivers/net/ethernet/intel/libie/fwlog.c +index 5d890d9d3c4d5..3b32986c2978a 100644 +--- a/drivers/net/ethernet/intel/libie/fwlog.c ++++ b/drivers/net/ethernet/intel/libie/fwlog.c +@@ -433,17 +433,21 @@ libie_debugfs_module_write(struct file *filp, const char __user *buf, + module = libie_find_module_by_dentry(fwlog->debugfs_modules, dentry); + if (module < 0) { + dev_info(dev, "unknown module\n"); +- return -EINVAL; ++ count = -EINVAL; ++ goto free_cmd_buf; + } + + cnt = sscanf(cmd_buf, "%s", user_val); +- if (cnt != 1) +- return -EINVAL; ++ if (cnt != 1) { ++ count = -EINVAL; ++ goto free_cmd_buf; ++ } + + log_level = sysfs_match_string(libie_fwlog_level_string, user_val); + if (log_level < 0) { + dev_info(dev, "unknown log level '%s'\n", user_val); +- return -EINVAL; ++ count = -EINVAL; ++ goto free_cmd_buf; + } + + if (module != LIBIE_AQC_FW_LOG_ID_MAX) { +@@ -458,6 +462,9 @@ libie_debugfs_module_write(struct file *filp, const char __user *buf, + 
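Review bot: `count = -EINVAL;` stores a negative errno in what is presumably the `size_t count` parameter and hands it back through `return count;`, relying on the implicit conversion to `ssize_t` to turn it negative again; it works on the kernel ABI but it is exactly the unsigned/signed round trip static checkers flag. The two writers changed later in this patch keep the error in an `ssize_t ret` and jump to the same kind of label, so for consistency this function should do the same: keep an `ssize_t ret = count;`, set `ret = -EINVAL;` on each failure path, and `return ret;` after the `kfree()`. `libie_debugfs_module_write()` begins outside the hunk.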
fwlog->cfg.module_entries[i].log_level = log_level; + } + ++free_cmd_buf: ++ kfree(cmd_buf); ++ + return count; + } + +@@ -515,23 +522,31 @@ libie_debugfs_nr_messages_write(struct file *filp, const char __user *buf, + return PTR_ERR(cmd_buf); + + ret = sscanf(cmd_buf, "%s", user_val); +- if (ret != 1) +- return -EINVAL; ++ if (ret != 1) { ++ count = -EINVAL; ++ goto free_cmd_buf; ++ } + + ret = kstrtos16(user_val, 0, &nr_messages); +- if (ret) +- return ret; ++ if (ret) { ++ count = ret; ++ goto free_cmd_buf; ++ } + + if (nr_messages < LIBIE_AQC_FW_LOG_MIN_RESOLUTION || + nr_messages > LIBIE_AQC_FW_LOG_MAX_RESOLUTION) { + dev_err(dev, "Invalid FW log number of messages %d, value must be between %d - %d\n", + nr_messages, LIBIE_AQC_FW_LOG_MIN_RESOLUTION, + LIBIE_AQC_FW_LOG_MAX_RESOLUTION); +- return -EINVAL; ++ count = -EINVAL; ++ goto free_cmd_buf; + } + + fwlog->cfg.log_resolution = nr_messages; + ++free_cmd_buf: ++ kfree(cmd_buf); ++ + return count; + } + +@@ -588,8 +603,10 @@ libie_debugfs_enable_write(struct file *filp, const char __user *buf, + return PTR_ERR(cmd_buf); + + ret = sscanf(cmd_buf, "%s", user_val); +- if (ret != 1) +- return -EINVAL; ++ if (ret != 1) { ++ ret = -EINVAL; ++ goto free_cmd_buf; ++ } + + ret = kstrtobool(user_val, &enable); + if (ret) +@@ -624,6 +641,8 @@ libie_debugfs_enable_write(struct file *filp, const char __user *buf, + */ + if (WARN_ON(ret != (ssize_t)count && ret >= 0)) + ret = -EIO; ++free_cmd_buf: ++ kfree(cmd_buf); + + return ret; + } +@@ -682,8 +701,10 @@ libie_debugfs_log_size_write(struct file *filp, const char __user *buf, + return PTR_ERR(cmd_buf); + + ret = sscanf(cmd_buf, "%s", user_val); +- if (ret != 1) +- return -EINVAL; ++ if (ret != 1) { ++ ret = -EINVAL; ++ goto free_cmd_buf; ++ } + + index = sysfs_match_string(libie_fwlog_log_size, user_val); + if (index < 0) { +@@ -712,6 +733,8 @@ libie_debugfs_log_size_write(struct file *filp, const char __user *buf, + */ + if (WARN_ON(ret != (ssize_t)count && ret >= 0)) + 
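Review bot: `count = ret;` after `kstrtos16()` copies an `int` errno into the (presumably `size_t`) `count` parameter, so the negative value only survives `return count;` through wrap-around to `ssize_t`; it is the same pattern as in the module writer and should likewise carry the errno in a signed return variable, e.g. an `ssize_t` initialised to `count` and returned after the `kfree()`. `libie_debugfs_nr_messages_write()` begins outside the hunk.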
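Review bot: The branch taken after `if (ret)` following `kstrtobool()` is outside this hunk; if it is still a plain `return ret;` the buffer is leaked on that path, whereas if it jumps to the pre-existing label ahead of the `WARN_ON` it now falls into the new `free_cmd_buf:` and is fine. Worth a glance, since the identical shape in the `sscanf()` check just above was converted to `goto free_cmd_buf;`. `libie_debugfs_enable_write()` begins and ends outside this hunk.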
ret = -EIO; ++free_cmd_buf: ++ kfree(cmd_buf); + + return ret; + } +-- +2.51.0 + diff --git a/queue-6.18/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch b/queue-6.18/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch new file mode 100644 index 0000000000..85b82f0609 --- /dev/null +++ b/queue-6.18/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch @@ -0,0 +1,37 @@ +From f7a5d2f4b2787ec5065e30a5c8786a327588e653 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 23:35:09 +0100 +Subject: mpls: add missing unregister_netdevice_notifier to mpls_init + +From: Sabrina Dubroca + +[ Upstream commit 99600f79b28c83c68bae199a3d8e95049a758308 ] + +If mpls_init() fails after registering mpls_dev_notifier, it never +gets removed. Add the missing unregister_netdevice_notifier() call to +the error handling path. + +Fixes: 5be2062e3080 ("mpls: Handle error of rtnl_register_module().") +Signed-off-by: Sabrina Dubroca +Link: https://patch.msgid.link/7c55363c4f743d19e2306204a134407c90a69bbb.1773228081.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mpls/af_mpls.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c +index 25c88cba5c48b..1c70cb26e7ba1 100644 +--- a/net/mpls/af_mpls.c ++++ b/net/mpls/af_mpls.c +@@ -2777,6 +2777,7 @@ static int __init mpls_init(void) + rtnl_af_unregister(&mpls_af_ops); + out_unregister_dev_type: + dev_remove_pack(&mpls_packet_type); ++ unregister_netdevice_notifier(&mpls_dev_notifier); + out_unregister_pernet: + unregister_pernet_subsys(&mpls_net_ops); + goto out; +-- +2.51.0 + diff --git a/queue-6.18/mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch b/queue-6.18/mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch new file mode 100644 index 0000000000..f00f2435a7 --- /dev/null +++ b/queue-6.18/mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch 
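Review bot: Placing `unregister_netdevice_notifier()` under `out_unregister_dev_type:` after `dev_remove_pack()` is the correct reverse order only if `register_netdevice_notifier()` runs before `dev_add_pack()` in `mpls_init()`; the registration sequence is outside this hunk, so please confirm, and if the notifier is registered later it needs its own label so that a failed `register_netdevice_notifier()` does not unregister a notifier that was never added. A one-line comment naming the registration each label undoes would make the unwind self-checking. `mpls_init()` begins outside the hunk.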
@@ -0,0 +1,39 @@ +From 76a92e8854898e7ea5fc13281752698024b76690 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 19:21:59 +0800 +Subject: MPTCP: fix lock class name family in pm_nl_create_listen_socket + +From: Li Xiasong + +[ Upstream commit 7ab4a7c5d969642782b8a5b608da0dd02aa9f229 ] + +In mptcp_pm_nl_create_listen_socket(), use entry->addr.family +instead of sk->sk_family for lock class setup. The 'sk' parameter +is a netlink socket, not the MPTCP subflow socket being created. + +Fixes: cee4034a3db1 ("mptcp: fix lockdep false positive in mptcp_pm_nl_create_listen_socket()") +Signed-off-by: Li Xiasong +Reviewed-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260319112159.3118874-1-lixiasong1@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/pm_kernel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mptcp/pm_kernel.c b/net/mptcp/pm_kernel.c +index 6fd393f451bf4..52d15df12f588 100644 +--- a/net/mptcp/pm_kernel.c ++++ b/net/mptcp/pm_kernel.c +@@ -824,7 +824,7 @@ static struct lock_class_key mptcp_keys[2]; + static int mptcp_pm_nl_create_listen_socket(struct sock *sk, + struct mptcp_pm_addr_entry *entry) + { +- bool is_ipv6 = sk->sk_family == AF_INET6; ++ bool is_ipv6 = entry->addr.family == AF_INET6; + int addrlen = sizeof(struct sockaddr_in); + struct sockaddr_storage addr; + struct sock *newsk, *ssk; +-- +2.51.0 + diff --git a/queue-6.18/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch b/queue-6.18/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch new file mode 100644 index 0000000000..75fed35397 --- /dev/null +++ b/queue-6.18/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch 
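Review bot: Why `entry->addr.family` is used instead of `sk->sk_family` is not obvious from the code, and the next reader may well "fix" it back, so the line deserves a comment: `/* sk is the netlink control socket; the family that matters is that of the address we are about to listen on. */`. Since `is_ipv6` selects the entry of `mptcp_keys[2]`, the old value did not merely mislabel the lock for lockdep, it presumably put IPv6 listeners under the IPv4 class key. `mptcp_pm_nl_create_listen_socket()` ends outside the hunk.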
@@ -0,0 +1,40 @@ +From fd823402f1afed3ffc5a59ea00c9406b4ef6f546 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 12:27:00 +0100 +Subject: net: airoha: Remove airoha_dev_stop() in airoha_remove() + +From: Lorenzo Bianconi + +[ Upstream commit d4a533ad249e9fbdc2d0633f2ddd60a5b3a9a4ca ] + +Do not run airoha_dev_stop routine explicitly in airoha_remove() +since ndo_stop() callback is already executed by unregister_netdev() in +__dev_close_many routine if necessary and, doing so, we will end up causing +an underflow in the qdma users atomic counters. Rely on networking subsystem +to stop the device removing the airoha_eth module. + +Fixes: 23020f0493270 ("net: airoha: Introduce ethernet support for EN7581 SoC") +Signed-off-by: Lorenzo Bianconi +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260313-airoha-remove-ndo_stop-remove-net-v2-1-67542c3ceeca@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/airoha/airoha_eth.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c +index 0394ba6a90a9b..b16b9ae7d3311 100644 +--- a/drivers/net/ethernet/airoha/airoha_eth.c ++++ b/drivers/net/ethernet/airoha/airoha_eth.c +@@ -3046,7 +3046,6 @@ static void airoha_remove(struct platform_device *pdev) + if (!port) + continue; + +- airoha_dev_stop(port->dev); + unregister_netdev(port->dev); + airoha_metadata_dst_free(port); + } +-- +2.51.0 + diff --git a/queue-6.18/net-bcmgenet-increase-wol-poll-timeout.patch b/queue-6.18/net-bcmgenet-increase-wol-poll-timeout.patch new file mode 100644 index 0000000000..bdfbaac0f9 --- /dev/null +++ b/queue-6.18/net-bcmgenet-increase-wol-poll-timeout.patch 
@@ -0,0 +1,38 @@ +From 31333cca8ad9a83d1fb47ca50c99a046798328fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 12:18:52 -0700 +Subject: net: bcmgenet: increase WoL poll timeout + +From: Justin Chen + +[ Upstream commit 6cfc3bc02b977f2fba5f7268e6504d1931a774f7 ] + +Some systems require more than 5ms to get into WoL mode. Increase the +timeout value to 50ms. + +Fixes: c51de7f3976b ("net: bcmgenet: add Wake-on-LAN support code") +Signed-off-by: Justin Chen +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20260312191852.3904571-1-justin.chen@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c +index 8fb5512882980..96d5d4f7f51fe 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c +@@ -123,7 +123,7 @@ static int bcmgenet_poll_wol_status(struct bcmgenet_priv *priv) + while (!(bcmgenet_rbuf_readl(priv, RBUF_STATUS) + & RBUF_STATUS_WOL)) { + retries++; +- if (retries > 5) { ++ if (retries > 50) { + netdev_crit(dev, "polling wol mode timeout\n"); + return -ETIMEDOUT; + } +-- +2.51.0 + diff --git a/queue-6.18/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch b/queue-6.18/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch new file mode 100644 index 0000000000..3d543f843b --- /dev/null +++ b/queue-6.18/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch 
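Review bot: `retries > 50` swaps one magic number for another, and the per-iteration delay is outside the hunk, so a reader cannot see that this is the 50 ms the commit message describes (the 5 ms to 50 ms wording implies about 1 ms per poll). Name it and state the unit, e.g. `#define BCMGENET_WOL_POLL_RETRIES 50 /* ~50 ms total */` and compare against that. `bcmgenet_poll_wol_status()` begins and ends outside the hunk.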
@@ -0,0 +1,87 @@ +From 982de054bffcaafdb9d5c004ffa22bacc9e508de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 17:50:34 -0700 +Subject: net: bonding: fix NULL deref in bond_debug_rlb_hash_show + +From: Xiang Mei + +[ Upstream commit 605b52497bf89b3b154674deb135da98f916e390 ] + +rlb_clear_slave intentionally keeps RLB hash-table entries on +the rx_hashtbl_used_head list with slave set to NULL when no +replacement slave is available. However, bond_debug_rlb_hash_show +visites client_info->slave without checking if it's NULL. + +Other used-list iterators in bond_alb.c already handle this NULL-slave +state safely: + +- rlb_update_client returns early on !client_info->slave +- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance +compare slave values before visiting +- lb_req_update_subnet_clients continues if slave is NULL + +The following NULL deref crash can be trigger in +bond_debug_rlb_hash_show: + +[ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41) +[ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286 +[ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204 +[ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078 +[ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000 +[ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0 +[ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8 +[ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000 +[ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0 +[ 1.295897] Call Trace: +[ 1.296134] seq_read_iter (fs/seq_file.c:231) +[ 1.296341] seq_read (fs/seq_file.c:164) +[ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1)) +[ 1.296658] vfs_read 
(fs/read_write.c:572) +[ 1.296981] ksys_read (fs/read_write.c:717) +[ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) +[ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Add a NULL check and print "(none)" for entries with no assigned slave. + +Fixes: caafa84251b88 ("bonding: add the debugfs interface to see RLB hash table") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260317005034.1888794-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_debugfs.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/bonding/bond_debugfs.c b/drivers/net/bonding/bond_debugfs.c +index 8adbec7c5084a..8967b65f6d840 100644 +--- a/drivers/net/bonding/bond_debugfs.c ++++ b/drivers/net/bonding/bond_debugfs.c +@@ -34,11 +34,17 @@ static int bond_debug_rlb_hash_show(struct seq_file *m, void *v) + for (; hash_index != RLB_NULL_INDEX; + hash_index = client_info->used_next) { + client_info = &(bond_info->rx_hashtbl[hash_index]); +- seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", +- &client_info->ip_src, +- &client_info->ip_dst, +- &client_info->mac_dst, +- client_info->slave->dev->name); ++ if (client_info->slave) ++ seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", ++ &client_info->ip_src, ++ &client_info->ip_dst, ++ &client_info->mac_dst, ++ client_info->slave->dev->name); ++ else ++ seq_printf(m, "%-15pI4 %-15pI4 %-17pM (none)\n", ++ &client_info->ip_src, ++ &client_info->ip_dst, ++ &client_info->mac_dst); + } + + spin_unlock_bh(&bond->mode_lock); +-- +2.51.0 + diff --git a/queue-6.18/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch b/queue-6.18/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch new file mode 100644 index 0000000000..0d90bed2cd --- /dev/null +++ b/queue-6.18/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch 
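Review bot: The two `seq_printf()` calls differ only in the last column, so the format string and the three address arguments are now duplicated; one call with the name chosen by a ternary keeps the output byte-identical and the format in one place: `seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", &client_info->ip_src, &client_info->ip_dst, &client_info->mac_dst, client_info->slave ? client_info->slave->dev->name : "(none)");`. A short comment above it noting that `rlb_clear_slave()` leaves used entries with a NULL slave would record why the check exists. The loop and `bond_debug_rlb_hash_show()` begin outside the hunk.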
@@ -0,0 +1,59 @@ +From ed71fde162ffd081052024f54cc1dbf2951b96de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 08:42:12 +0000 +Subject: net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths + +From: Anas Iqbal + +[ Upstream commit b48731849609cbd8c53785a48976850b443153fd ] + +Smatch reports: +drivers/net/dsa/bcm_sf2.c:997 bcm_sf2_sw_resume() warn: +'priv->clk' from clk_prepare_enable() not released on lines: 983,990. + +The clock enabled by clk_prepare_enable() in bcm_sf2_sw_resume() +is not released if bcm_sf2_sw_rst() or bcm_sf2_cfp_resume() fails. + +Add the missing clk_disable_unprepare() calls in the error paths +to properly release the clock resource. + +Fixes: e9ec5c3bd238 ("net: dsa: bcm_sf2: request and handle clocks") +Reviewed-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Signed-off-by: Anas Iqbal +Link: https://patch.msgid.link/20260318084212.1287-1-mohd.abd.6602@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/bcm_sf2.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c +index 960685596093b..de3efa3ce9a75 100644 +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -980,15 +980,19 @@ static int bcm_sf2_sw_resume(struct dsa_switch *ds) + ret = bcm_sf2_sw_rst(priv); + if (ret) { + pr_err("%s: failed to software reset switch\n", __func__); ++ if (!priv->wol_ports_mask) ++ clk_disable_unprepare(priv->clk); + return ret; + } + + bcm_sf2_crossbar_setup(priv); + + ret = bcm_sf2_cfp_resume(ds); +- if (ret) ++ if (ret) { ++ if (!priv->wol_ports_mask) ++ clk_disable_unprepare(priv->clk); + return ret; +- ++ } + if (priv->hw_params.num_gphy == 1) + bcm_sf2_gphy_enable_set(ds, true); + +-- +2.51.0 + diff --git a/queue-6.18/net-macb-fix-uninitialized-rx_fs_lock.patch b/queue-6.18/net-macb-fix-uninitialized-rx_fs_lock.patch new file mode 100644 index 0000000000..741c1958f1 --- /dev/null 
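Review bot: The conditional `clk_disable_unprepare()` is now copied into two error branches of `bcm_sf2_sw_resume()`, and every further failure path added later must copy it again; the kernel idiom is a single unwind label. Both copies also restate the `!priv->wol_ports_mask` condition separately from wherever the clock was enabled (outside the hunk), so the two can drift apart. The sketch below keeps the success path returning before the label, which is outside this hunk; the function begins and ends outside it too.
```c
	ret = bcm_sf2_sw_rst(priv);
	if (ret) {
		pr_err("%s: failed to software reset switch\n", __func__);
		goto out_clk;
	}

	bcm_sf2_crossbar_setup(priv);

	ret = bcm_sf2_cfp_resume(ds);
	if (ret)
		goto out_clk;
	/* … unchanged: gphy enable and the rest of resume, ending in return 0 … */

out_clk:
	/* Mirror the enable condition: the clock stays on while WoL ports are armed. */
	if (!priv->wol_ports_mask)
		clk_disable_unprepare(priv->clk);
	return ret;
```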
+++ b/queue-6.18/net-macb-fix-uninitialized-rx_fs_lock.patch 
@@ -0,0 +1,78 @@
+From 87b12b0f857ee24fa2be3181df699d8d5574255f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 Mar 2026 13:38:25 +0300
+Subject: net: macb: fix uninitialized rx_fs_lock
+
+From: Fedor Pchelkin
+
+[ Upstream commit 34b11cc56e4369bc08b1f4c4a04222d75ed596ce ]
+
+If hardware doesn't support RX Flow Filters, rx_fs_lock spinlock is not
+initialized leading to the following assertion splat triggerable via
+set_rxnfc callback.
+
+INFO: trying to register non-static key.
+The code is fine but needs lockdep annotation, or maybe
+you didn't initialize this object before use?
+turning off the locking correctness validator.
+CPU: 1 PID: 949 Comm: syz.0.6 Not tainted 6.1.164+ #113
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106
+ assign_lock_key kernel/locking/lockdep.c:974 [inline]
+ register_lock_class+0x141b/0x17f0 kernel/locking/lockdep.c:1287
+ __lock_acquire+0x74f/0x6c40 kernel/locking/lockdep.c:4928
+ lock_acquire kernel/locking/lockdep.c:5662 [inline]
+ lock_acquire+0x190/0x4b0 kernel/locking/lockdep.c:5627
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+ _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:162
+ gem_del_flow_filter drivers/net/ethernet/cadence/macb_main.c:3562 [inline]
+ gem_set_rxnfc+0x533/0xac0 drivers/net/ethernet/cadence/macb_main.c:3667
+ ethtool_set_rxnfc+0x18c/0x280 net/ethtool/ioctl.c:961
+ __dev_ethtool net/ethtool/ioctl.c:2956 [inline]
+ dev_ethtool+0x229c/0x6290 net/ethtool/ioctl.c:3095
+ dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510
+ sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215
+ sock_ioctl+0x577/0x6d0 net/socket.c:1320
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856
+ do_syscall_x64 arch/x86/entry/common.c:46 [inline]
+ do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+A more straightforward solution would be to always initialize rx_fs_lock,
+just like rx_fs_list. However, in this case the driver set_rxnfc callback
+would return with a rather confusing error code, e.g. -EINVAL. So deny
+set_rxnfc attempts directly if the RX filtering feature is not supported
+by hardware.
+
+Fixes: ae8223de3df5 ("net: macb: Added support for RX filtering")
+Signed-off-by: Fedor Pchelkin
+Link: https://patch.msgid.link/20260316103826.74506-2-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/cadence/macb_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 1db90df395fc7..4624db166a27b 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -4013,6 +4013,9 @@ static int gem_set_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd)
+ struct macb *bp = netdev_priv(netdev);
+ int ret;
+
++ if (!(netdev->hw_features & NETIF_F_NTUPLE))
++ return -EOPNOTSUPP;
++
+ switch (cmd->cmd) {
+ case ETHTOOL_SRXCLSRLINS:
+ if ((cmd->fs.location >= bp->max_tuples)
+--
+2.51.0
+
diff --git a/queue-6.18/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch b/queue-6.18/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch
new file mode 100644
index 0000000000..3dbaae958b
--- /dev/null
+++ b/queue-6.18/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch
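Review bot: The new guard in gem_set_rxnfc() keys on `netdev->hw_features & NETIF_F_NTUPLE` without saying why that bit stands in for rx_fs_lock having been initialized; a comment such as `/* rx_fs_lock is only initialized when RX flow filtering is supported */` above the check would stop a later cleanup from "simplifying" it into an unconditional spin_lock_init(). If the ethtool get path (gem_get_rxnfc) also takes rx_fs_lock for the rule-query commands, it would presumably need the same guard, which this patch does not touch — worth confirming. gem_set_rxnfc() continues outside the hunk.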
@@ -0,0 +1,67 @@
+From 80f02bbbc276f4e80d60baeb8a92add9f092e15d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Mar 2026 12:22:04 -0700
+Subject: net: mana: fix use-after-free in mana_hwc_destroy_channel() by
+ reordering teardown
+
+From: Dipayaan Roy
+
+[ Upstream commit fa103fc8f56954a60699a29215cb713448a39e87 ]
+
+A potential race condition exists in mana_hwc_destroy_channel() where
+hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and
+Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt
+handler to dereference freed memory, leading to a use-after-free or
+NULL pointer dereference in mana_hwc_handle_resp().
+
+mana_smc_teardown_hwc() signals the hardware to stop but does not
+synchronize against IRQ handlers already executing on other CPUs. The
+IRQ synchronization only happens in mana_hwc_destroy_cq() via
+mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs
+after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler()
+can dereference freed caller_ctx (and rxq->msg_buf) in
+mana_hwc_handle_resp().
+
+Fix this by reordering teardown to reverse-of-creation order: destroy
+the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This
+ensures all in-flight interrupt handlers complete before the memory they
+access is freed.
+
+Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
+Reviewed-by: Haiyang Zhang
+Signed-off-by: Dipayaan Roy
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/abHA3AjNtqa1nx9k@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+index ada6c78a2bef4..21cddafba5061 100644
+--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
++++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+@@ -802,9 +802,6 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
+ gc->max_num_cqs = 0;
+ }
+
+- kfree(hwc->caller_ctx);
+- hwc->caller_ctx = NULL;
+-
+ if (hwc->txq)
+ mana_hwc_destroy_wq(hwc, hwc->txq);
+
+@@ -814,6 +811,9 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
+ if (hwc->cq)
+ mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq);
+
++ kfree(hwc->caller_ctx);
++ hwc->caller_ctx = NULL;
++
+ mana_gd_free_res_map(&hwc->inflight_msg_res);
+
+ hwc->num_inflight_msg = 0;
+--
+2.51.0
+
diff --git a/queue-6.18/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch b/queue-6.18/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch
new file mode 100644
index 0000000000..b227466468
--- /dev/null
+++ b/queue-6.18/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch
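Review bot: The relocated `kfree(hwc->caller_ctx);` now sits after mana_hwc_destroy_cq() with nothing in the code recording that the order is load-bearing; a comment such as `/* Free caller_ctx only after the CQ/EQ teardown has synchronized the IRQ handlers that may still dereference it. */` above the kfree would keep a future cleanup from moving it back up. The commit message also names rxq->msg_buf as reachable from the handler; the RX work-queue teardown presumably lives in the unchanged lines between the two hunks, so it appears to be covered by the same reordering. mana_hwc_destroy_channel() begins and ends outside the hunks.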
@@ -0,0 +1,112 @@
+From a9cd1849e78c003b5ea419e35c18362dd45271fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 Mar 2026 11:46:01 +0200
+Subject: net/mlx5: qos: Restrict RTNL area to avoid a lock cycle
+
+From: Cosmin Ratiu
+
+[ Upstream commit b7e3a5d9c0d66b7fb44f63aef3bd734821afa0c8 ]
+
+A lock dependency cycle exists where:
+1. mlx5_ib_roce_init -> mlx5_core_uplink_netdev_event_replay ->
+mlx5_blocking_notifier_call_chain (takes notifier_rwsem) ->
+mlx5e_mdev_notifier_event -> mlx5_netdev_notifier_register ->
+register_netdevice_notifier_dev_net (takes rtnl)
+=> notifier_rwsem -> rtnl
+
+2. mlx5e_probe -> _mlx5e_probe ->
+mlx5_core_uplink_netdev_set (takes uplink_netdev_lock) ->
+mlx5_blocking_notifier_call_chain (takes notifier_rwsem)
+=> uplink_netdev_lock -> notifier_rwsem
+
+3: devlink_nl_rate_set_doit -> devlink_nl_rate_set ->
+mlx5_esw_devlink_rate_leaf_tx_max_set -> esw_qos_devlink_rate_to_mbps ->
+mlx5_esw_qos_max_link_speed_get (takes rtnl) ->
+mlx5_esw_qos_lag_link_speed_get_locked ->
+mlx5_uplink_netdev_get (takes uplink_netdev_lock)
+=> rtnl -> uplink_netdev_lock
+=> BOOM! (lock cycle)
+
+Fix that by restricting the rtnl-protected section to just the necessary
+part, the call to netdev_master_upper_dev_get and speed querying, so
+that the last lock dependency is avoided and the cycle doesn't close.
+This is safe because mlx5_uplink_netdev_get uses netdev_hold to keep the
+uplink netdev alive while its master device is queried.
+
+Use this opportunity to rename the ambiguously-named "hold_rtnl_lock"
+argument to "take_rtnl" and remove the "_locked" suffix from
+mlx5_esw_qos_lag_link_speed_get_locked.
+
+Fixes: 6b4be64fd9fe ("net/mlx5e: Harden uplink netdev access against device unbind")
+Signed-off-by: Cosmin Ratiu
+Reviewed-by: Dragos Tatulea
+Signed-off-by: Tariq Toukan
+Link: https://patch.msgid.link/20260316094603.6999-2-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ .../net/ethernet/mellanox/mlx5/core/esw/qos.c | 23 ++++++++-----------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
+index 56e6f54b1e2ed..af58ad72906ff 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
+@@ -1497,24 +1497,24 @@ static int esw_qos_node_enable_tc_arbitration(struct mlx5_esw_sched_node *node,
+ return err;
+ }
+
+-static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev)
++static u32 mlx5_esw_qos_lag_link_speed_get(struct mlx5_core_dev *mdev,
++ bool take_rtnl)
+ {
+ struct ethtool_link_ksettings lksettings;
+ struct net_device *slave, *master;
+ u32 speed = SPEED_UNKNOWN;
+
+- /* Lock ensures a stable reference to master and slave netdevice
+- while port speed of master is queried.
+- */
+- ASSERT_RTNL();
+-
+ slave = mlx5_uplink_netdev_get(mdev);
+ if (!slave)
+ goto out;
+
++ if (take_rtnl)
++ rtnl_lock();
+ master = netdev_master_upper_dev_get(slave);
+ if (master && !__ethtool_get_link_ksettings(master, &lksettings))
+ speed = lksettings.base.speed;
++ if (take_rtnl)
++ rtnl_unlock();
+
+ out:
+ mlx5_uplink_netdev_put(mdev, slave);
+@@ -1522,20 +1522,15 @@ static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev)
+ }
+
+ static int mlx5_esw_qos_max_link_speed_get(struct mlx5_core_dev *mdev, u32 *link_speed_max,
+- bool hold_rtnl_lock, struct netlink_ext_ack *extack)
++ bool take_rtnl,
++ struct netlink_ext_ack *extack)
+ {
+ int err;
+
+ if (!mlx5_lag_is_active(mdev))
+ goto skip_lag;
+
+- if (hold_rtnl_lock)
+- rtnl_lock();
+-
+- *link_speed_max = mlx5_esw_qos_lag_link_speed_get_locked(mdev);
+-
+- if (hold_rtnl_lock)
+- rtnl_unlock();
++ *link_speed_max = mlx5_esw_qos_lag_link_speed_get(mdev, take_rtnl);
+
+ if (*link_speed_max != (u32)SPEED_UNKNOWN)
+ return 0;
+--
+2.51.0
+
diff --git a/queue-6.18/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch b/queue-6.18/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch
new file mode 100644
index 0000000000..d496a26f7a
--- /dev/null
+++ b/queue-6.18/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch
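Review bot: With `take_rtnl` false, mlx5_esw_qos_lag_link_speed_get() still calls netdev_master_upper_dev_get() and relies on the caller already holding RTNL, but the `ASSERT_RTNL()` that checked and documented that requirement was dropped together with its comment; keeping the check on the not-taken branch — `if (take_rtnl) rtnl_lock(); else ASSERT_RTNL();` — costs nothing and preserves the lockdep coverage the old code had. A one-line comment on the new parameter, e.g. `/* take_rtnl: true when the caller does not already hold RTNL */`, would replace the removed block comment. Both functions extend outside the hunks.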
@@ -0,0 +1,128 @@
+From 9c48f8f5ea3073ba668b76b31f97ace761c925a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 Mar 2026 11:46:03 +0200
+Subject: net/mlx5e: Fix race condition during IPSec ESN update
+
+From: Jianbo Liu
+
+[ Upstream commit beb6e2e5976a128b0cccf10d158124422210c5ef ]
+
+In IPSec full offload mode, the device reports an ESN (Extended
+Sequence Number) wrap event to the driver. The driver validates this
+event by querying the IPSec ASO and checking that the esn_event_arm
+field is 0x0, which indicates an event has occurred. After handling
+the event, the driver must re-arm the context by setting esn_event_arm
+back to 0x1.
+
+A race condition exists in this handling path. After validating the
+event, the driver calls mlx5_accel_esp_modify_xfrm() to update the
+kernel's xfrm state. This function temporarily releases and
+re-acquires the xfrm state lock.
+
+So, need to acknowledge the event first by setting esn_event_arm to
+0x1. This prevents the driver from reprocessing the same ESN update if
+the hardware sends events for other reason. Since the next ESN update
+only occurs after nearly 2^31 packets are received, there's no risk of
+missing an update, as it will happen long after this handling has
+finished.
+
+Processing the event twice causes the ESN high-order bits (esn_msb) to
+be incremented incorrectly. The driver then programs the hardware with
+this invalid ESN state, which leads to anti-replay failures and a
+complete halt of IPSec traffic.
+
+Fix this by re-arming the ESN event immediately after it is validated,
+before calling mlx5_accel_esp_modify_xfrm(). This ensures that any
+spurious, duplicate events are correctly ignored, closing the race
+window.
+
+Fixes: fef06678931f ("net/mlx5e: Fix ESN update kernel panic")
+Signed-off-by: Jianbo Liu
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Tariq Toukan
+Link: https://patch.msgid.link/20260316094603.6999-4-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ .../mlx5/core/en_accel/ipsec_offload.c | 33 ++++++++-----------
+ 1 file changed, 14 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+index 2739ff490239d..e0611fa827971 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+@@ -310,10 +310,11 @@ static void mlx5e_ipsec_aso_update(struct mlx5e_ipsec_sa_entry *sa_entry,
+ mlx5e_ipsec_aso_query(sa_entry, data);
+ }
+
+-static void mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry,
+- u32 mode_param)
++static void
++mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry,
++ u32 mode_param,
++ struct mlx5_accel_esp_xfrm_attrs *attrs)
+ {
+- struct mlx5_accel_esp_xfrm_attrs attrs = {};
+ struct mlx5_wqe_aso_ctrl_seg data = {};
+
+ if (mode_param < MLX5E_IPSEC_ESN_SCOPE_MID) {
+@@ -323,18 +324,7 @@ static void mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry,
+ sa_entry->esn_state.overlap = 1;
+ }
+
+- mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, &attrs);
+-
+- /* It is safe to execute the modify below unlocked since the only flows
+- * that could affect this HW object, are create, destroy and this work.
+- *
+- * Creation flow can't co-exist with this modify work, the destruction
+- * flow would cancel this work, and this work is a single entity that
+- * can't conflict with it self.
+- */
+- spin_unlock_bh(&sa_entry->x->lock);
+- mlx5_accel_esp_modify_xfrm(sa_entry, &attrs);
+- spin_lock_bh(&sa_entry->x->lock);
++ mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, attrs);
+
+ data.data_offset_condition_operand =
+ MLX5_IPSEC_ASO_REMOVE_FLOW_PKT_CNT_OFFSET;
+@@ -451,7 +441,9 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+ struct mlx5e_ipsec_work *work =
+ container_of(_work, struct mlx5e_ipsec_work, work);
+ struct mlx5e_ipsec_sa_entry *sa_entry = work->data;
++ struct mlx5_accel_esp_xfrm_attrs tmp = {};
+ struct mlx5_accel_esp_xfrm_attrs *attrs;
++ bool need_modify = false;
+ int ret;
+
+ attrs = &sa_entry->attrs;
+@@ -461,19 +453,22 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+ if (ret)
+ goto unlock;
+
++ if (attrs->lft.soft_packet_limit != XFRM_INF)
++ mlx5e_ipsec_handle_limits(sa_entry);
++
+ if (attrs->replay_esn.trigger &&
+ !MLX5_GET(ipsec_aso, sa_entry->ctx, esn_event_arm)) {
+ u32 mode_param = MLX5_GET(ipsec_aso, sa_entry->ctx,
+ mode_parameter);
+
+- mlx5e_ipsec_update_esn_state(sa_entry, mode_param);
++ mlx5e_ipsec_update_esn_state(sa_entry, mode_param, &tmp);
++ need_modify = true;
+ }
+
+- if (attrs->lft.soft_packet_limit != XFRM_INF)
+- mlx5e_ipsec_handle_limits(sa_entry);
+-
+ unlock:
+ spin_unlock_bh(&sa_entry->x->lock);
++ if (need_modify)
++ mlx5_accel_esp_modify_xfrm(sa_entry, &tmp);
+ kfree(work);
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.18/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch b/queue-6.18/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch
new file mode 100644
index 0000000000..4c1988d5fe
--- /dev/null
+++ b/queue-6.18/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch
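Review bot: `mlx5_accel_esp_modify_xfrm(sa_entry, &tmp)` now runs after `spin_unlock_bh(&sa_entry->x->lock)`, but the block comment that justified doing the modify unlocked (create cannot coexist with this work, destroy cancels it, the work does not race itself) was deleted rather than moved; a condensed copy at the new call site, e.g. `/* Unlocked on purpose: create can't coexist with this work and destroy cancels it first; the ESN event was already re-armed under the lock. */`, keeps that reasoning next to the code that depends on it. The hunk also moves the mlx5e_ipsec_handle_limits() call ahead of the ESN check without the commit message saying why; if the order is immaterial a short note would keep a reader from assuming otherwise. The signature line of mlx5e_ipsec_handle_event() is outside the hunk.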
@@ -0,0 +1,115 @@
+From 33d203f921c5d580c41523ae8cdc751349d4da72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 Mar 2026 11:46:02 +0200
+Subject: net/mlx5e: Prevent concurrent access to IPSec ASO context
+
+From: Jianbo Liu
+
+[ Upstream commit 99b36850d881e2d65912b2520a1c80d0fcc9429a ]
+
+The query or updating IPSec offload object is through Access ASO WQE.
+The driver uses a single mlx5e_ipsec_aso struct for each PF, which
+contains a shared DMA-mapped context for all ASO operations.
+
+A race condition exists because the ASO spinlock is released before
+the hardware has finished processing WQE. If a second operation is
+initiated immediately after, it overwrites the shared context in the
+DMA area.
+
+When the first operation's completion is processed later, it reads
+this corrupted context, leading to unexpected behavior and incorrect
+results.
+
+This commit fixes the race by introducing a private context within
+each IPSec offload object. The shared ASO context is now copied to
+this private context while the ASO spinlock is held. Subsequent
+processing uses this saved, per-object context, ensuring its integrity
+is maintained.
+
+Fixes: 1ed78fc03307 ("net/mlx5e: Update IPsec soft and hard limits")
+Signed-off-by: Jianbo Liu
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Tariq Toukan
+Link: https://patch.msgid.link/20260316094603.6999-3-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ .../mellanox/mlx5/core/en_accel/ipsec.h | 1 +
+ .../mellanox/mlx5/core/en_accel/ipsec_offload.c | 17 ++++++++---------
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
+index f8eaaf37963b1..abcbd38db9dbb 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
+@@ -287,6 +287,7 @@ struct mlx5e_ipsec_sa_entry {
+ struct mlx5e_ipsec_dwork *dwork;
+ struct mlx5e_ipsec_limits limits;
+ u32 rx_mapped_id;
++ u8 ctx[MLX5_ST_SZ_BYTES(ipsec_aso)];
+ };
+
+ struct mlx5_accel_pol_xfrm_attrs {
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+index ef7322d381af6..2739ff490239d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+@@ -370,20 +370,18 @@ static void mlx5e_ipsec_aso_update_soft(struct mlx5e_ipsec_sa_entry *sa_entry,
+ static void mlx5e_ipsec_handle_limits(struct mlx5e_ipsec_sa_entry *sa_entry)
+ {
+ struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs;
+- struct mlx5e_ipsec *ipsec = sa_entry->ipsec;
+- struct mlx5e_ipsec_aso *aso = ipsec->aso;
+ bool soft_arm, hard_arm;
+ u64 hard_cnt;
+
+ lockdep_assert_held(&sa_entry->x->lock);
+
+- soft_arm = !MLX5_GET(ipsec_aso, aso->ctx, soft_lft_arm);
+- hard_arm = !MLX5_GET(ipsec_aso, aso->ctx, hard_lft_arm);
++ soft_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, soft_lft_arm);
++ hard_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, hard_lft_arm);
+ if (!soft_arm && !hard_arm)
+ /* It is not lifetime event */
+ return;
+
+- hard_cnt = MLX5_GET(ipsec_aso, aso->ctx, remove_flow_pkt_cnt);
++ hard_cnt = MLX5_GET(ipsec_aso, sa_entry->ctx, remove_flow_pkt_cnt);
+ if (!hard_cnt || hard_arm) {
+ /* It is possible to see packet counter equal to zero without
+ * hard limit event armed. Such situation can be if packet
+@@ -454,10 +452,8 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+ container_of(_work, struct mlx5e_ipsec_work, work);
+ struct mlx5e_ipsec_sa_entry *sa_entry = work->data;
+ struct mlx5_accel_esp_xfrm_attrs *attrs;
+- struct mlx5e_ipsec_aso *aso;
+ int ret;
+
+- aso = sa_entry->ipsec->aso;
+ attrs = &sa_entry->attrs;
+
+ spin_lock_bh(&sa_entry->x->lock);
+@@ -466,8 +462,9 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+ goto unlock;
+
+ if (attrs->replay_esn.trigger &&
+- !MLX5_GET(ipsec_aso, aso->ctx, esn_event_arm)) {
+- u32 mode_param = MLX5_GET(ipsec_aso, aso->ctx, mode_parameter);
++ !MLX5_GET(ipsec_aso, sa_entry->ctx, esn_event_arm)) {
++ u32 mode_param = MLX5_GET(ipsec_aso, sa_entry->ctx,
++ mode_parameter);
+
+ mlx5e_ipsec_update_esn_state(sa_entry, mode_param);
+ }
+@@ -629,6 +626,8 @@ int mlx5e_ipsec_aso_query(struct mlx5e_ipsec_sa_entry *sa_entry,
+ /* We are in atomic context */
+ udelay(10);
+ } while (ret && time_is_after_jiffies(expires));
++ if (!ret)
++ memcpy(sa_entry->ctx, aso->ctx, MLX5_ST_SZ_BYTES(ipsec_aso));
+ spin_unlock_bh(&aso->lock);
+ return ret;
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch b/queue-6.18/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch
new file mode 100644
index 0000000000..2e5babd10c
--- /dev/null
+++ b/queue-6.18/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch
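Review bot: The new `u8 ctx[MLX5_ST_SZ_BYTES(ipsec_aso)]` member of struct mlx5e_ipsec_sa_entry is only written when mlx5e_ipsec_aso_query() returns success (the `if (!ret) memcpy(...)` in the last hunk), and both readers converted here (mlx5e_ipsec_handle_limits(), mlx5e_ipsec_handle_event()) depend on that without anything marking the array stale after a failed query; a field comment such as `/* snapshot of the shared ASO context, valid only after a successful mlx5e_ipsec_aso_query() */` would make the contract explicit. MLX5_GET presumably reads the buffer in 32-bit words; the array follows a u32 so it is likely suitably placed, but that depends on future struct edits — worth confirming or stating in the same comment. The struct definition and mlx5e_ipsec_aso_query() both extend outside the hunks.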
@@ -0,0 +1,86 @@
+From 08f3302f49d6e76eccf4fbd13a37e9a3a0a793b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 Mar 2026 12:31:01 -0700
+Subject: net: mvpp2: guard flow control update with global_tx_fc in buffer
+ switching
+
+From: Muhammad Hammad Ijaz
+
+[ Upstream commit 8a63baadf08453f66eb582fdb6dd234f72024723 ]
+
+mvpp2_bm_switch_buffers() unconditionally calls
+mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and
+shared buffer pool modes. This function programs CM3 flow control
+registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference
+priv->cm3_base without any NULL check.
+
+When the CM3 SRAM resource is not present in the device tree (the
+third reg entry added by commit 60523583b07c ("dts: marvell: add CM3
+SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains
+NULL and priv->global_tx_fc is false. Any operation that triggers
+mvpp2_bm_switch_buffers(), for example an MTU change that crosses
+the jumbo frame threshold, will crash:
+
+ Unable to handle kernel NULL pointer dereference at
+ virtual address 0000000000000000
+ Mem abort info:
+ ESR = 0x0000000096000006
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ pc : readl+0x0/0x18
+ lr : mvpp2_cm3_read.isra.0+0x14/0x20
+ Call trace:
+ readl+0x0/0x18
+ mvpp2_bm_pool_update_fc+0x40/0x12c
+ mvpp2_bm_pool_update_priv_fc+0x94/0xd8
+ mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0
+ mvpp2_change_mtu+0x140/0x380
+ __dev_set_mtu+0x1c/0x38
+ dev_set_mtu_ext+0x78/0x118
+ dev_set_mtu+0x48/0xa8
+ dev_ifsioc+0x21c/0x43c
+ dev_ioctl+0x2d8/0x42c
+ sock_ioctl+0x314/0x378
+
+Every other flow control call site in the driver already guards
+hardware access with either priv->global_tx_fc or port->tx_fc.
+mvpp2_bm_switch_buffers() is the only place that omits this check.
+
+Add the missing priv->global_tx_fc guard to both the disable and
+re-enable calls in mvpp2_bm_switch_buffers(), consistent with the
+rest of the driver.
+
+Fixes: 3a616b92a9d1 ("net: mvpp2: Add TX flow control support for jumbo frames")
+Signed-off-by: Muhammad Hammad Ijaz
+Reviewed-by: Gunnar Kudrjavets
+Link: https://patch.msgid.link/20260316193157.65748-1-mhijaz@amazon.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index ab0c99aa9f9a5..74d44510684bf 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -5018,7 +5018,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+ if (priv->percpu_pools)
+ numbufs = port->nrxqs * 2;
+
+- if (change_percpu)
++ if (change_percpu && priv->global_tx_fc)
+ mvpp2_bm_pool_update_priv_fc(priv, false);
+
+ for (i = 0; i < numbufs; i++)
+@@ -5043,7 +5043,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+ mvpp2_open(port->dev);
+ }
+
+- if (change_percpu)
++ if (change_percpu && priv->global_tx_fc)
+ mvpp2_bm_pool_update_priv_fc(priv, true);
+
+ return 0;
+--
+2.51.0
+
diff --git a/queue-6.18/net-rose-fix-null-pointer-dereference-in-rose_transm.patch b/queue-6.18/net-rose-fix-null-pointer-dereference-in-rose_transm.patch
new file mode 100644
index 0000000000..ca70a57f29
--- /dev/null
+++ b/queue-6.18/net-rose-fix-null-pointer-dereference-in-rose_transm.patch
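Review bot: The guard `change_percpu && priv->global_tx_fc` is repeated at both call sites with nothing in the code saying that global_tx_fc is what guarantees priv->cm3_base is mapped; a short comment at the first site, e.g. `/* CM3 flow-control registers are only mapped when global_tx_fc is set */`, records the dependency the commit message describes. Moving the check inside mvpp2_bm_pool_update_priv_fc() would make it impossible for a future caller to repeat the omission and would also cover the other call sites the message says guard individually — worth considering as a follow-up. mvpp2_bm_switch_buffers() begins and ends outside the hunks.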
@@ -0,0 +1,64 @@
+From c5d60846da57d1a62089a1b5827f1f96a35cf2ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Mar 2026 15:06:02 +0800
+Subject: net/rose: fix NULL pointer dereference in rose_transmit_link on
+ reconnect
+
+From: Jiayuan Chen
+
+[ Upstream commit e1f0a18c9564cdb16523c802e2c6fe5874e3d944 ]
+
+syzkaller reported a bug [1], and the reproducer is available at [2].
+
+ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN,
+TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects
+calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING
+(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT.
+
+When rose_connect() is called a second time while the first connection
+attempt is still in progress (TCP_SYN_SENT), it overwrites
+rose->neighbour via rose_get_neigh(). If that returns NULL, the socket
+is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL.
+When the socket is subsequently closed, rose_release() sees
+ROSE_STATE_1 and calls rose_write_internal() ->
+rose_transmit_link(skb, NULL), causing a NULL pointer dereference.
+
+Per connect(2), a second connect() while a connection is already in
+progress should return -EALREADY. Add this missing check for
+TCP_SYN_SENT to complete the state validation in rose_connect().
+
+[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271
+[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+d00f90e0af54102fb271@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0027.GAE@google.com/T/
+Suggested-by: Eric Dumazet
+Signed-off-by: Jiayuan Chen
+Reviewed-by: Eric Dumazet
+Link: https://patch.msgid.link/20260311070611.76913-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/rose/af_rose.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index fad6518e6e39b..53c9bc71f813d 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -810,6 +810,11 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
+ goto out_release;
+ }
+
++ if (sk->sk_state == TCP_SYN_SENT) {
++ err = -EALREADY;
++ goto out_release;
++ }
++
+ sk->sk_state = TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
+
+--
+2.51.0
+
diff --git a/queue-6.18/net-sched-teql-fix-double-free-in-teql_master_xmit.patch b/queue-6.18/net-sched-teql-fix-double-free-in-teql_master_xmit.patch
new file mode 100644
index 0000000000..0973d8819b
--- /dev/null
+++ b/queue-6.18/net-sched-teql-fix-double-free-in-teql_master_xmit.patch
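Review bot: The new `TCP_SYN_SENT` check in rose_connect() gives no hint of why an in-progress connect has to be refused here instead of falling into the `sk->sk_state = TCP_CLOSE;` reset just below it; a comment next to `err = -EALREADY;`, e.g. `/* connect() already in flight: a second attempt would overwrite rose->neighbour */`, ties the check to the failure it prevents. Its placement presumably follows the existing TCP_ESTABLISHED/TCP_CLOSE tests, which are outside the hunk, so the only ordering that matters is that it precedes the state reset, and it does. rose_connect() continues outside the hunk.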
@@ -0,0 +1,202 @@
+From 12e7491b04d2474c74f1f2345ce23daf784bb705 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 15 Mar 2026 11:54:22 -0400
+Subject: net/sched: teql: Fix double-free in teql_master_xmit
+
+From: Jamal Hadi Salim
+
+[ Upstream commit 66360460cab63c248ca5b1070a01c0c29133b960 ]
+
+Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should
+be called using the seq_lock to avoid racing with the datapath. Failure
+to do so may cause crashes like the following:
+
+[ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)
+[ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318
+[ 238.029749][ T318]
+[ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)
+[ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+[ 238.029910][ T318] Call Trace:
+[ 238.029913][ T318]
+[ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122)
+[ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
+[ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139)
+[ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+...
+[ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139)
+[ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)
+[ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139)
+[ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231)
+[ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))
+[ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139)
+...
+[ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256)
+[ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)
+[ 238.030039][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+...
+[ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034)
+[ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)
+[ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)
+[ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)
+[ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)
+[ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)
+...
+[ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s:
+[ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58)
+[ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
+[ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369)
+[ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)
+[ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))
+[ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713)
+[ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)
+[ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997)
+[ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)
+[ 238.081469][ T318]
+[ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s:
+[ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58)
+[ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
+[ 238.085348][ T318] kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))
+[ 238.085900][ T318] __kasan_slab_free (mm/kasan/common.c:287)
+[ 238.086439][ T318] kmem_cache_free (mm/slub.c:6168 (discriminator 3) mm/slub.c:6298 (discriminator 3))
+[ 238.087007][ T318] skb_release_data (net/core/skbuff.c:1139)
+[ 238.087491][ T318] consume_skb (net/core/skbuff.c:1451)
+[ 238.087757][ T318] teql_master_xmit (net/sched/sch_teql.c:358)
+[ 238.088116][ T318] dev_hard_start_xmit (./include/linux/netdevice.h:5324 ./include/linux/netdevice.h:5333 net/core/dev.c:3871 net/core/dev.c:3887)
+[ 238.088468][ T318] sch_direct_xmit (net/sched/sch_generic.c:347)
+[ 238.088820][ T318] __qdisc_run (net/sched/sch_generic.c:420 (discriminator 1))
+[ 238.089166][ T318] __dev_queue_xmit (./include/net/sch_generic.h:229 ./include/net/pkt_sched.h:121 ./include/net/pkt_sched.h:117 net/core/dev.c:4196 net/core/dev.c:4802)
+
+Workflow to reproduce:
+1. Initialize a TEQL topology (dummy0 and ifb0 as slaves, teql0 up).
+2. Start multiple sender workers continuously transmitting packets
+ through teql0 to drive teql_master_xmit().
+3. In parallel, repeatedly delete and re-add the root qdisc on
+ dummy0 and ifb0 via RTNETLINK, forcing frequent teardown and reset activity
+ (teql_destroy() / qdisc_reset()).
+4. After running both workloads concurrently for several iterations,
+ KASAN reports slab-use-after-free or double-free in the skb free path.
+
+Fix this by moving dev_reset_queue to sch_generic.h and calling it, instead
+of qdisc_reset, in teql_destroy since it handles both the lock and lockless
+cases correctly for root qdiscs.
+ +Fixes: 96009c7d500e ("sched: replace __QDISC_STATE_RUNNING bit with a spin lock") +Reported-by: Xianrui Dong +Tested-by: Xianrui Dong +Co-developed-by: Victor Nogueira +Signed-off-by: Victor Nogueira +Signed-off-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260315155422.147256-1-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sch_generic.h | 28 ++++++++++++++++++++++++++++ + net/sched/sch_generic.c | 27 --------------------------- + net/sched/sch_teql.c | 7 ++----- + 3 files changed, 30 insertions(+), 32 deletions(-) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index 1518454c906e1..84c86decebdfa 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -696,6 +696,34 @@ void qdisc_destroy(struct Qdisc *qdisc); + void qdisc_put(struct Qdisc *qdisc); + void qdisc_put_unlocked(struct Qdisc *qdisc); + void qdisc_tree_reduce_backlog(struct Qdisc *qdisc, int n, int len); ++ ++static inline void dev_reset_queue(struct net_device *dev, ++ struct netdev_queue *dev_queue, ++ void *_unused) ++{ ++ struct Qdisc *qdisc; ++ bool nolock; ++ ++ qdisc = rtnl_dereference(dev_queue->qdisc_sleeping); ++ if (!qdisc) ++ return; ++ ++ nolock = qdisc->flags & TCQ_F_NOLOCK; ++ ++ if (nolock) ++ spin_lock_bh(&qdisc->seqlock); ++ spin_lock_bh(qdisc_lock(qdisc)); ++ ++ qdisc_reset(qdisc); ++ ++ spin_unlock_bh(qdisc_lock(qdisc)); ++ if (nolock) { ++ clear_bit(__QDISC_STATE_MISSED, &qdisc->state); ++ clear_bit(__QDISC_STATE_DRAINING, &qdisc->state); ++ spin_unlock_bh(&qdisc->seqlock); ++ } ++} ++ + #ifdef CONFIG_NET_SCHED + int qdisc_offload_dump_helper(struct Qdisc *q, enum tc_setup_type type, + void *type_data); +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c +index 7dee9748a56be..30d77ad7b81d2 100644 +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -1297,33 +1297,6 @@ static void dev_deactivate_queue(struct net_device *dev, + } + } + +-static void 
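Review bot: dev_reset_queue() becomes a header-visible static inline in the sch_generic.h hunk without any comment on its locking contract, although the body fixes it: `rtnl_dereference(dev_queue->qdisc_sleeping)` requires the caller to hold RTNL, and for TCQ_F_NOLOCK qdiscs `seqlock` is taken before `qdisc_lock()` and the MISSED/DRAINING bits are cleared after the reset. A kernel-doc block above the definition, `Reset the sleeping qdisc of @dev_queue. Caller must hold RTNL; handles both locked and TCQ_F_NOLOCK root qdiscs.`, would stop new callers in other files from picking it up without RTNL. The `dev` and `_unused` parameters are never read in the body; they are presumably kept so the function still matches the per-queue callback signature it is used with in sch_generic.c, which the comment should also state.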
dev_reset_queue(struct net_device *dev, +- struct netdev_queue *dev_queue, +- void *_unused) +-{ +- struct Qdisc *qdisc; +- bool nolock; +- +- qdisc = rtnl_dereference(dev_queue->qdisc_sleeping); +- if (!qdisc) +- return; +- +- nolock = qdisc->flags & TCQ_F_NOLOCK; +- +- if (nolock) +- spin_lock_bh(&qdisc->seqlock); +- spin_lock_bh(qdisc_lock(qdisc)); +- +- qdisc_reset(qdisc); +- +- spin_unlock_bh(qdisc_lock(qdisc)); +- if (nolock) { +- clear_bit(__QDISC_STATE_MISSED, &qdisc->state); +- clear_bit(__QDISC_STATE_DRAINING, &qdisc->state); +- spin_unlock_bh(&qdisc->seqlock); +- } +-} +- + static bool some_qdisc_is_busy(struct net_device *dev) + { + unsigned int i; +diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c +index 783300d8b0197..ec4039a201a2c 100644 +--- a/net/sched/sch_teql.c ++++ b/net/sched/sch_teql.c +@@ -146,15 +146,12 @@ teql_destroy(struct Qdisc *sch) + master->slaves = NEXT_SLAVE(q); + if (q == master->slaves) { + struct netdev_queue *txq; +- spinlock_t *root_lock; + + txq = netdev_get_tx_queue(master->dev, 0); + master->slaves = NULL; + +- root_lock = qdisc_root_sleeping_lock(rtnl_dereference(txq->qdisc)); +- spin_lock_bh(root_lock); +- qdisc_reset(rtnl_dereference(txq->qdisc)); +- spin_unlock_bh(root_lock); ++ dev_reset_queue(master->dev, ++ txq, NULL); + } + } + skb_queue_purge(&dat->q); +-- +2.51.0 + diff --git a/queue-6.18/net-shaper-protect-from-late-creation-of-hierarchy.patch b/queue-6.18/net-shaper-protect-from-late-creation-of-hierarchy.patch new file mode 100644 index 0000000000..88685ab515 --- /dev/null +++ b/queue-6.18/net-shaper-protect-from-late-creation-of-hierarchy.patch 
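Review bot: In the sch_teql.c hunk the reset target changes, not only the locking: the removed lines reset `rtnl_dereference(txq->qdisc)` under the root sleeping lock, while `dev_reset_queue()` resets `rtnl_dereference(dev_queue->qdisc_sleeping)`, and the commit message describes only the locking motivation. If the two pointers can differ while the device is deactivated, which is what the lockless path exists for, a one-line comment next to the call, `/* reset the sleeping root qdisc under its own locks, not txq->qdisc */`, records that the switch is deliberate. teql_destroy() starts and ends outside this hunk.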
@@ -0,0 +1,397 @@ +From fee8a5a7ef83c2f8b5371c32e5e8fb0dbc355ebe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 09:10:14 -0700 +Subject: net: shaper: protect from late creation of hierarchy + +From: Jakub Kicinski + +[ Upstream commit d75ec7e8ba1979a1eb0b9211d94d749cdce849c8 ] + +We look up a netdev during prep of Netlink ops (pre- callbacks) +and take a ref to it. Then later in the body of the callback +we take its lock or RCU which are the actual protections. + +The netdev may get unregistered in between the time we take +the ref and the time we lock it. We may allocate the hierarchy +after flush has already run, which would lead to a leak. + +Take the instance lock in pre- already, this saves us from the race +and removes the need for dedicated lock/unlock callbacks completely. +After all, if there's any chance of write happening concurrently +with the flush - we're back to leaking the hierarchy. + +We may take the lock for devices which don't support shapers but +we're only dealing with SET operations here, not taking the lock +would be optimizing for an error case. 
+ +Fixes: 93954b40f6a4 ("net-shapers: implement NL set and delete operations") +Link: https://lore.kernel.org/20260309173450.538026-1-p@1g4.org +Signed-off-by: Jakub Kicinski +Link: https://patch.msgid.link/20260317161014.779569-2-kuba@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + Documentation/netlink/specs/net_shaper.yaml | 12 +- + net/shaper/shaper.c | 134 +++++++++++--------- + net/shaper/shaper_nl_gen.c | 12 +- + net/shaper/shaper_nl_gen.h | 5 + + 4 files changed, 89 insertions(+), 74 deletions(-) + +diff --git a/Documentation/netlink/specs/net_shaper.yaml b/Documentation/netlink/specs/net_shaper.yaml +index 0b1b54be48f92..3f2ad772b64b1 100644 +--- a/Documentation/netlink/specs/net_shaper.yaml ++++ b/Documentation/netlink/specs/net_shaper.yaml +@@ -247,8 +247,8 @@ operations: + flags: [admin-perm] + + do: +- pre: net-shaper-nl-pre-doit +- post: net-shaper-nl-post-doit ++ pre: net-shaper-nl-pre-doit-write ++ post: net-shaper-nl-post-doit-write + request: + attributes: + - ifindex +@@ -278,8 +278,8 @@ operations: + flags: [admin-perm] + + do: +- pre: net-shaper-nl-pre-doit +- post: net-shaper-nl-post-doit ++ pre: net-shaper-nl-pre-doit-write ++ post: net-shaper-nl-post-doit-write + request: + attributes: *ns-binding + +@@ -309,8 +309,8 @@ operations: + flags: [admin-perm] + + do: +- pre: net-shaper-nl-pre-doit +- post: net-shaper-nl-post-doit ++ pre: net-shaper-nl-pre-doit-write ++ post: net-shaper-nl-post-doit-write + request: + attributes: + - ifindex +diff --git a/net/shaper/shaper.c b/net/shaper/shaper.c +index 081dac917dc2d..be9999ab62e39 100644 +--- a/net/shaper/shaper.c ++++ b/net/shaper/shaper.c +@@ -36,24 +36,6 @@ static struct net_shaper_binding *net_shaper_binding_from_ctx(void *ctx) + return &((struct net_shaper_nl_ctx *)ctx)->binding; + } + +-static void net_shaper_lock(struct net_shaper_binding *binding) +-{ +- switch (binding->type) { +- case NET_SHAPER_BINDING_TYPE_NETDEV: +- netdev_lock(binding->netdev); +- break; +- 
} +-} +- +-static void net_shaper_unlock(struct net_shaper_binding *binding) +-{ +- switch (binding->type) { +- case NET_SHAPER_BINDING_TYPE_NETDEV: +- netdev_unlock(binding->netdev); +- break; +- } +-} +- + static struct net_shaper_hierarchy * + net_shaper_hierarchy(struct net_shaper_binding *binding) + { +@@ -219,12 +201,49 @@ static int net_shaper_ctx_setup(const struct genl_info *info, int type, + return 0; + } + ++/* Like net_shaper_ctx_setup(), but for "write" handlers (never for dumps!) ++ * Acquires the lock protecting the hierarchy (instance lock for netdev). ++ */ ++static int net_shaper_ctx_setup_lock(const struct genl_info *info, int type, ++ struct net_shaper_nl_ctx *ctx) ++{ ++ struct net *ns = genl_info_net(info); ++ struct net_device *dev; ++ int ifindex; ++ ++ if (GENL_REQ_ATTR_CHECK(info, type)) ++ return -EINVAL; ++ ++ ifindex = nla_get_u32(info->attrs[type]); ++ dev = netdev_get_by_index_lock(ns, ifindex); ++ if (!dev) { ++ NL_SET_BAD_ATTR(info->extack, info->attrs[type]); ++ return -ENOENT; ++ } ++ ++ if (!dev->netdev_ops->net_shaper_ops) { ++ NL_SET_BAD_ATTR(info->extack, info->attrs[type]); ++ netdev_unlock(dev); ++ return -EOPNOTSUPP; ++ } ++ ++ ctx->binding.type = NET_SHAPER_BINDING_TYPE_NETDEV; ++ ctx->binding.netdev = dev; ++ return 0; ++} ++ + static void net_shaper_ctx_cleanup(struct net_shaper_nl_ctx *ctx) + { + if (ctx->binding.type == NET_SHAPER_BINDING_TYPE_NETDEV) + netdev_put(ctx->binding.netdev, &ctx->dev_tracker); + } + ++static void net_shaper_ctx_cleanup_unlock(struct net_shaper_nl_ctx *ctx) ++{ ++ if (ctx->binding.type == NET_SHAPER_BINDING_TYPE_NETDEV) ++ netdev_unlock(ctx->binding.netdev); ++} ++ + static u32 net_shaper_handle_to_index(const struct net_shaper_handle *handle) + { + return FIELD_PREP(NET_SHAPER_SCOPE_MASK, handle->scope) | +@@ -278,7 +297,7 @@ net_shaper_lookup(struct net_shaper_binding *binding, + } + + /* Allocate on demand the per device shaper's hierarchy container. 
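Review bot: net_shaper_ctx_setup_lock() has no comment on what keeps the netdev alive, and the pattern differs from net_shaper_ctx_setup(): the read-side cleanup calls `netdev_put(ctx->binding.netdev, &ctx->dev_tracker)` while net_shaper_ctx_cleanup_unlock() only calls `netdev_unlock()`, so the write path presumably relies on `netdev_get_by_index_lock()` returning a locked device without a tracked reference — confirm that is its contract. Extending the existing header comment with `The netdev is kept alive by the instance lock, not by a reference; net_shaper_ctx_cleanup_unlock() is the only release needed.` would make the asymmetry with ctx->dev_tracker explicit. On the `-EOPNOTSUPP` path `ctx->binding` is left untouched, which is fine only because genetlink skips post_doit when pre_doit fails; that assumption is worth a short comment as well.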
+- * Called under the net shaper lock ++ * Called under the lock protecting the hierarchy (instance lock for netdev) + */ + static struct net_shaper_hierarchy * + net_shaper_hierarchy_setup(struct net_shaper_binding *binding) +@@ -697,6 +716,22 @@ void net_shaper_nl_post_doit(const struct genl_split_ops *ops, + net_shaper_generic_post(info); + } + ++int net_shaper_nl_pre_doit_write(const struct genl_split_ops *ops, ++ struct sk_buff *skb, struct genl_info *info) ++{ ++ struct net_shaper_nl_ctx *ctx = (struct net_shaper_nl_ctx *)info->ctx; ++ ++ BUILD_BUG_ON(sizeof(*ctx) > sizeof(info->ctx)); ++ ++ return net_shaper_ctx_setup_lock(info, NET_SHAPER_A_IFINDEX, ctx); ++} ++ ++void net_shaper_nl_post_doit_write(const struct genl_split_ops *ops, ++ struct sk_buff *skb, struct genl_info *info) ++{ ++ net_shaper_ctx_cleanup_unlock((struct net_shaper_nl_ctx *)info->ctx); ++} ++ + int net_shaper_nl_pre_dumpit(struct netlink_callback *cb) + { + struct net_shaper_nl_ctx *ctx = (struct net_shaper_nl_ctx *)cb->ctx; +@@ -824,45 +859,38 @@ int net_shaper_nl_set_doit(struct sk_buff *skb, struct genl_info *info) + + binding = net_shaper_binding_from_ctx(info->ctx); + +- net_shaper_lock(binding); + ret = net_shaper_parse_info(binding, info->attrs, info, &shaper, + &exists); + if (ret) +- goto unlock; ++ return ret; + + if (!exists) + net_shaper_default_parent(&shaper.handle, &shaper.parent); + + hierarchy = net_shaper_hierarchy_setup(binding); +- if (!hierarchy) { +- ret = -ENOMEM; +- goto unlock; +- } ++ if (!hierarchy) ++ return -ENOMEM; + + /* The 'set' operation can't create node-scope shapers. 
*/ + handle = shaper.handle; + if (handle.scope == NET_SHAPER_SCOPE_NODE && +- !net_shaper_lookup(binding, &handle)) { +- ret = -ENOENT; +- goto unlock; +- } ++ !net_shaper_lookup(binding, &handle)) ++ return -ENOENT; + + ret = net_shaper_pre_insert(binding, &handle, info->extack); + if (ret) +- goto unlock; ++ return ret; + + ops = net_shaper_ops(binding); + ret = ops->set(binding, &shaper, info->extack); + if (ret) { + net_shaper_rollback(binding); +- goto unlock; ++ return ret; + } + + net_shaper_commit(binding, 1, &shaper); + +-unlock: +- net_shaper_unlock(binding); +- return ret; ++ return 0; + } + + static int __net_shaper_delete(struct net_shaper_binding *binding, +@@ -1091,35 +1119,26 @@ int net_shaper_nl_delete_doit(struct sk_buff *skb, struct genl_info *info) + + binding = net_shaper_binding_from_ctx(info->ctx); + +- net_shaper_lock(binding); + ret = net_shaper_parse_handle(info->attrs[NET_SHAPER_A_HANDLE], info, + &handle); + if (ret) +- goto unlock; ++ return ret; + + hierarchy = net_shaper_hierarchy(binding); +- if (!hierarchy) { +- ret = -ENOENT; +- goto unlock; +- } ++ if (!hierarchy) ++ return -ENOENT; + + shaper = net_shaper_lookup(binding, &handle); +- if (!shaper) { +- ret = -ENOENT; +- goto unlock; +- } ++ if (!shaper) ++ return -ENOENT; + + if (handle.scope == NET_SHAPER_SCOPE_NODE) { + ret = net_shaper_pre_del_node(binding, shaper, info->extack); + if (ret) +- goto unlock; ++ return ret; + } + +- ret = __net_shaper_delete(binding, shaper, info->extack); +- +-unlock: +- net_shaper_unlock(binding); +- return ret; ++ return __net_shaper_delete(binding, shaper, info->extack); + } + + static int net_shaper_group_send_reply(struct net_shaper_binding *binding, +@@ -1168,21 +1187,17 @@ int net_shaper_nl_group_doit(struct sk_buff *skb, struct genl_info *info) + if (!net_shaper_ops(binding)->group) + return -EOPNOTSUPP; + +- net_shaper_lock(binding); + leaves_count = net_shaper_list_len(info, NET_SHAPER_A_LEAVES); + if (!leaves_count) { + 
NL_SET_BAD_ATTR(info->extack, + info->attrs[NET_SHAPER_A_LEAVES]); +- ret = -EINVAL; +- goto unlock; ++ return -EINVAL; + } + + leaves = kcalloc(leaves_count, sizeof(struct net_shaper) + + sizeof(struct net_shaper *), GFP_KERNEL); +- if (!leaves) { +- ret = -ENOMEM; +- goto unlock; +- } ++ if (!leaves) ++ return -ENOMEM; + old_nodes = (void *)&leaves[leaves_count]; + + ret = net_shaper_parse_node(binding, info->attrs, info, &node); +@@ -1259,9 +1274,6 @@ int net_shaper_nl_group_doit(struct sk_buff *skb, struct genl_info *info) + + free_leaves: + kfree(leaves); +- +-unlock: +- net_shaper_unlock(binding); + return ret; + + free_msg: +@@ -1371,14 +1383,12 @@ static void net_shaper_flush(struct net_shaper_binding *binding) + if (!hierarchy) + return; + +- net_shaper_lock(binding); + xa_lock(&hierarchy->shapers); + xa_for_each(&hierarchy->shapers, index, cur) { + __xa_erase(&hierarchy->shapers, index); + kfree(cur); + } + xa_unlock(&hierarchy->shapers); +- net_shaper_unlock(binding); + + kfree(hierarchy); + } +diff --git a/net/shaper/shaper_nl_gen.c b/net/shaper/shaper_nl_gen.c +index 204c8ae8c7b14..c52abf13ff0c9 100644 +--- a/net/shaper/shaper_nl_gen.c ++++ b/net/shaper/shaper_nl_gen.c +@@ -98,27 +98,27 @@ static const struct genl_split_ops net_shaper_nl_ops[] = { + }, + { + .cmd = NET_SHAPER_CMD_SET, +- .pre_doit = net_shaper_nl_pre_doit, ++ .pre_doit = net_shaper_nl_pre_doit_write, + .doit = net_shaper_nl_set_doit, +- .post_doit = net_shaper_nl_post_doit, ++ .post_doit = net_shaper_nl_post_doit_write, + .policy = net_shaper_set_nl_policy, + .maxattr = NET_SHAPER_A_IFINDEX, + .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + }, + { + .cmd = NET_SHAPER_CMD_DELETE, +- .pre_doit = net_shaper_nl_pre_doit, ++ .pre_doit = net_shaper_nl_pre_doit_write, + .doit = net_shaper_nl_delete_doit, +- .post_doit = net_shaper_nl_post_doit, ++ .post_doit = net_shaper_nl_post_doit_write, + .policy = net_shaper_delete_nl_policy, + .maxattr = NET_SHAPER_A_IFINDEX, + .flags = GENL_ADMIN_PERM | 
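Review bot: net_shaper_flush() drops its own `net_shaper_lock()`/`net_shaper_unlock()` pair in the last shaper.c hunk, so the xarray teardown and `kfree(hierarchy)` now depend entirely on the caller holding the instance lock, and that caller is outside this hunk. A lockdep check at the top of the function, `if (binding->type == NET_SHAPER_BINDING_TYPE_NETDEV) netdev_assert_locked(binding->netdev);`, would turn a future unlocked call into a splat instead of a silent race with the write handlers this series is closing. The same assertion fits net_shaper_hierarchy_setup(), whose updated comment now states the lock requirement in prose only. net_shaper_flush() starts outside the hunk.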
GENL_CMD_CAP_DO, + }, + { + .cmd = NET_SHAPER_CMD_GROUP, +- .pre_doit = net_shaper_nl_pre_doit, ++ .pre_doit = net_shaper_nl_pre_doit_write, + .doit = net_shaper_nl_group_doit, +- .post_doit = net_shaper_nl_post_doit, ++ .post_doit = net_shaper_nl_post_doit_write, + .policy = net_shaper_group_nl_policy, + .maxattr = NET_SHAPER_A_LEAVES, + .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, +diff --git a/net/shaper/shaper_nl_gen.h b/net/shaper/shaper_nl_gen.h +index cb7f9026fc239..1e20eebdedd71 100644 +--- a/net/shaper/shaper_nl_gen.h ++++ b/net/shaper/shaper_nl_gen.h +@@ -17,12 +17,17 @@ extern const struct nla_policy net_shaper_leaf_info_nl_policy[NET_SHAPER_A_WEIGH + + int net_shaper_nl_pre_doit(const struct genl_split_ops *ops, + struct sk_buff *skb, struct genl_info *info); ++int net_shaper_nl_pre_doit_write(const struct genl_split_ops *ops, ++ struct sk_buff *skb, struct genl_info *info); + int net_shaper_nl_cap_pre_doit(const struct genl_split_ops *ops, + struct sk_buff *skb, struct genl_info *info); + void + net_shaper_nl_post_doit(const struct genl_split_ops *ops, struct sk_buff *skb, + struct genl_info *info); + void ++net_shaper_nl_post_doit_write(const struct genl_split_ops *ops, ++ struct sk_buff *skb, struct genl_info *info); ++void + net_shaper_nl_cap_post_doit(const struct genl_split_ops *ops, + struct sk_buff *skb, struct genl_info *info); + int net_shaper_nl_pre_dumpit(struct netlink_callback *cb); +-- +2.51.0 + diff --git a/queue-6.18/net-shaper-protect-late-read-accesses-to-the-hierarc.patch b/queue-6.18/net-shaper-protect-late-read-accesses-to-the-hierarc.patch new file mode 100644 index 0000000000..9b5c65e089 --- /dev/null +++ b/queue-6.18/net-shaper-protect-late-read-accesses-to-the-hierarc.patch 
@@ -0,0 +1,94 @@ +From 398e25075be45d55a2dcf72a23d09179e24f7366 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 09:10:13 -0700 +Subject: net: shaper: protect late read accesses to the hierarchy + +From: Jakub Kicinski + +[ Upstream commit 0f9ea7141f365b4f27226898e62220fb98ef8dc6 ] + +We look up a netdev during prep of Netlink ops (pre- callbacks) +and take a ref to it. Then later in the body of the callback +we take its lock or RCU which are the actual protections. + +This is not proper, a conversion from a ref to a locked netdev +must include a liveness check (a check if the netdev hasn't been +unregistered already). Fix the read cases (those under RCU). +Writes needs a separate change to protect from creating the +hierarchy after flush has already run. + +Fixes: 4b623f9f0f59 ("net-shapers: implement NL get operation") +Reported-by: Paul Moses +Link: https://lore.kernel.org/20260309173450.538026-1-p@1g4.org +Signed-off-by: Jakub Kicinski +Link: https://patch.msgid.link/20260317161014.779569-1-kuba@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/shaper/shaper.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +diff --git a/net/shaper/shaper.c b/net/shaper/shaper.c +index 318a0567a6981..081dac917dc2d 100644 +--- a/net/shaper/shaper.c ++++ b/net/shaper/shaper.c +@@ -65,6 +65,21 @@ net_shaper_hierarchy(struct net_shaper_binding *binding) + return NULL; + } + ++static struct net_shaper_hierarchy * ++net_shaper_hierarchy_rcu(struct net_shaper_binding *binding) ++{ ++ /* Readers look up the device and take a ref, then take RCU lock ++ * later at which point netdev may have been unregistered and flushed. ++ * READ_ONCE() pairs with WRITE_ONCE() in net_shaper_hierarchy_setup. 
++ */ ++ if (binding->type == NET_SHAPER_BINDING_TYPE_NETDEV && ++ READ_ONCE(binding->netdev->reg_state) <= NETREG_REGISTERED) ++ return READ_ONCE(binding->netdev->net_shaper_hierarchy); ++ ++ /* No other type supported yet. */ ++ return NULL; ++} ++ + static const struct net_shaper_ops * + net_shaper_ops(struct net_shaper_binding *binding) + { +@@ -251,9 +266,10 @@ static struct net_shaper * + net_shaper_lookup(struct net_shaper_binding *binding, + const struct net_shaper_handle *handle) + { +- struct net_shaper_hierarchy *hierarchy = net_shaper_hierarchy(binding); + u32 index = net_shaper_handle_to_index(handle); ++ struct net_shaper_hierarchy *hierarchy; + ++ hierarchy = net_shaper_hierarchy_rcu(binding); + if (!hierarchy || xa_get_mark(&hierarchy->shapers, index, + NET_SHAPER_NOT_VALID)) + return NULL; +@@ -778,17 +794,19 @@ int net_shaper_nl_get_dumpit(struct sk_buff *skb, + + /* Don't error out dumps performed before any set operation. */ + binding = net_shaper_binding_from_ctx(ctx); +- hierarchy = net_shaper_hierarchy(binding); +- if (!hierarchy) +- return 0; + + rcu_read_lock(); ++ hierarchy = net_shaper_hierarchy_rcu(binding); ++ if (!hierarchy) ++ goto out_unlock; ++ + for (; (shaper = xa_find(&hierarchy->shapers, &ctx->start_index, + U32_MAX, XA_PRESENT)); ctx->start_index++) { + ret = net_shaper_fill_one(skb, binding, shaper, info); + if (ret) + break; + } ++out_unlock: + rcu_read_unlock(); + + return ret; +-- +2.51.0 + diff --git a/queue-6.18/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch b/queue-6.18/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch new file mode 100644 index 0000000000..8147e54918 --- /dev/null +++ b/queue-6.18/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch 
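Review bot: net_shaper_hierarchy_rcu() encodes liveness as `READ_ONCE(binding->netdev->reg_state) <= NETREG_REGISTERED`, which depends on the NETREG_* enum order and is a snapshot: the state can advance right after the read, so the read side is only safe if the flush that frees the hierarchy runs after reg_state has left NETREG_REGISTERED and after an RCU grace period, neither of which is visible in this patch. Suggest extending the new comment with `Relies on NETREG_* ordering; the hierarchy may only be flushed after reg_state leaves NETREG_REGISTERED and a grace period has elapsed.`. The helper uses plain READ_ONCE() rather than rcu_dereference(), and net_shaper_lookup() now routes both RCU readers and the locked write handlers through it, so a sentence naming which protections make it safe would keep the `_rcu` suffix from misleading.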
@@ -0,0 +1,208 @@ +From 5eb7a708d74e15f5b0d31e7d19ce2a9c9ce061e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 17:29:07 +0800 +Subject: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() + +From: Jiayuan Chen + +[ Upstream commit 6d5e4538364b9ceb1ac2941a4deb86650afb3538 ] + +Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1]. + +smc_tcp_syn_recv_sock() is called in the TCP receive path +(softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP +listening socket). It reads sk_user_data to get the smc_sock +pointer. However, when the SMC listen socket is being closed +concurrently, smc_close_active() sets clcsock->sk_user_data +to NULL under sk_callback_lock, and then the smc_sock itself +can be freed via sock_put() in smc_release(). + +This leads to two issues: + +1) NULL pointer dereference: sk_user_data is NULL when + accessed. +2) Use-after-free: sk_user_data is read as non-NULL, but the + smc_sock is freed before its fields (e.g., queued_smc_hs, + ori_af_ops) are accessed. + +The race window looks like this (the syzkaller crash [1] +triggers via the SYN cookie path: tcp_get_cookie_sock() -> +smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path +has the same race): + + CPU A (softirq) CPU B (process ctx) + + tcp_v4_rcv() + TCP_NEW_SYN_RECV: + sk = req->rsk_listener + sock_hold(sk) + /* No lock on listener */ + smc_close_active(): + write_lock_bh(cb_lock) + sk_user_data = NULL + write_unlock_bh(cb_lock) + ... + smc_clcsock_release() + sock_put(smc->sk) x2 + -> smc_sock freed! + tcp_check_req() + smc_tcp_syn_recv_sock(): + smc = user_data(sk) + -> NULL or dangling + smc->queued_smc_hs + -> crash! + +Note that the clcsock and smc_sock are two independent objects +with separate refcounts. TCP stack holds a reference on the +clcsock, which keeps it alive, but this does NOT prevent the +smc_sock from being freed. + +Fix this by using RCU and refcount_inc_not_zero() to safely +access smc_sock. 
Since smc_tcp_syn_recv_sock() is called in +the TCP three-way handshake path, taking read_lock_bh on +sk_callback_lock is too heavy and would not survive a SYN +flood attack. Using rcu_read_lock() is much more lightweight. + +- Set SOCK_RCU_FREE on the SMC listen socket so that + smc_sock freeing is deferred until after the RCU grace + period. This guarantees the memory is still valid when + accessed inside rcu_read_lock(). +- Use rcu_read_lock() to protect reading sk_user_data. +- Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the + smc_sock. If the refcount has already reached zero (close + path completed), it returns false and we bail out safely. + +Note: smc_hs_congested() has a similar lockless read of +sk_user_data without rcu_read_lock(), but it only checks for +NULL and accesses the global smc_hs_wq, never dereferencing +any smc_sock field, so it is not affected. + +Reproducer was verified with mdelay injection and smc_run, +the issue no longer occurs with this patch applied. 
+ +[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9 + +Fixes: 8270d9c21041 ("net/smc: Limit backlog connections") +Reported-by: syzbot+827ae2bfb3a3529333e9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67eaf9b8.050a0220.3c3d88.004a.GAE@google.com/T/ +Suggested-by: Eric Dumazet +Reviewed-by: Eric Dumazet +Signed-off-by: Jiayuan Chen +Link: https://patch.msgid.link/20260312092909.48325-1-jiayuan.chen@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 23 +++++++++++++++++------ + net/smc/smc.h | 5 +++++ + net/smc/smc_close.c | 2 +- + 3 files changed, 23 insertions(+), 7 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index efdadb2d8d390..6421c2e1c84de 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -131,7 +131,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk, + struct smc_sock *smc; + struct sock *child; + +- smc = smc_clcsock_user_data(sk); ++ rcu_read_lock(); ++ smc = smc_clcsock_user_data_rcu(sk); ++ if (!smc || !refcount_inc_not_zero(&smc->sk.sk_refcnt)) { ++ rcu_read_unlock(); ++ smc = NULL; ++ goto drop; ++ } ++ rcu_read_unlock(); + + if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) > + sk->sk_max_ack_backlog) +@@ -153,11 +160,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk, + if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops) + inet_csk(child)->icsk_af_ops = smc->ori_af_ops; + } ++ sock_put(&smc->sk); + return child; + + drop: + dst_release(dst); + tcp_listendrop(sk); ++ if (smc) ++ sock_put(&smc->sk); + return NULL; + } + +@@ -254,7 +264,7 @@ static void smc_fback_restore_callbacks(struct smc_sock *smc) + struct sock *clcsk = smc->clcsock->sk; + + write_lock_bh(&clcsk->sk_callback_lock); +- clcsk->sk_user_data = NULL; ++ rcu_assign_sk_user_data(clcsk, NULL); + + smc_clcsock_restore_cb(&clcsk->sk_state_change, &smc->clcsk_state_change); + smc_clcsock_restore_cb(&clcsk->sk_data_ready, 
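Review bot: In the first af_smc.c hunk, `drop:` now executes `if (smc) sock_put(&smc->sk);` while `smc` is declared without an initializer in the context line above (`struct smc_sock *smc;`), so correctness depends on the new failure branch writing `smc = NULL;` before its `goto drop` and on every later `goto drop` (outside this hunk) happening after the refcount was taken. Initialising at the declaration, `struct smc_sock *smc = NULL;`, and dropping the `smc = NULL;` inside the branch makes the drop path robust against a future early exit added between the RCU lookup and the refcount bump. smc_tcp_syn_recv_sock() continues past this hunk into the second one.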
&smc->clcsk_data_ready); +@@ -902,7 +912,7 @@ static void smc_fback_replace_callbacks(struct smc_sock *smc) + struct sock *clcsk = smc->clcsock->sk; + + write_lock_bh(&clcsk->sk_callback_lock); +- clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); ++ __rcu_assign_sk_user_data_with_flags(clcsk, smc, SK_USER_DATA_NOCOPY); + + smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change, + &smc->clcsk_state_change); +@@ -2665,8 +2675,8 @@ int smc_listen(struct socket *sock, int backlog) + * smc-specific sk_data_ready function + */ + write_lock_bh(&smc->clcsock->sk->sk_callback_lock); +- smc->clcsock->sk->sk_user_data = +- (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); ++ __rcu_assign_sk_user_data_with_flags(smc->clcsock->sk, smc, ++ SK_USER_DATA_NOCOPY); + smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready, + smc_clcsock_data_ready, &smc->clcsk_data_ready); + write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); +@@ -2687,10 +2697,11 @@ int smc_listen(struct socket *sock, int backlog) + write_lock_bh(&smc->clcsock->sk->sk_callback_lock); + smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready, + &smc->clcsk_data_ready); +- smc->clcsock->sk->sk_user_data = NULL; ++ rcu_assign_sk_user_data(smc->clcsock->sk, NULL); + write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); + goto out; + } ++ sock_set_flag(sk, SOCK_RCU_FREE); + sk->sk_max_ack_backlog = backlog; + sk->sk_ack_backlog = 0; + sk->sk_state = SMC_LISTEN; +diff --git a/net/smc/smc.h b/net/smc/smc.h +index 2c90849637398..ea45467c11409 100644 +--- a/net/smc/smc.h ++++ b/net/smc/smc.h +@@ -346,6 +346,11 @@ static inline struct smc_sock *smc_clcsock_user_data(const struct sock *clcsk) + ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY); + } + ++static inline struct smc_sock *smc_clcsock_user_data_rcu(const struct sock *clcsk) ++{ ++ return (struct smc_sock *)rcu_dereference_sk_user_data(clcsk); ++} ++ + /* save target_cb in saved_cb, and replace target_cb with new_cb */ + 
static inline void smc_clcsock_replace_cb(void (**target_cb)(struct sock *), + void (*new_cb)(struct sock *), +diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c +index 10219f55aad14..bb0313ef5f7c1 100644 +--- a/net/smc/smc_close.c ++++ b/net/smc/smc_close.c +@@ -218,7 +218,7 @@ int smc_close_active(struct smc_sock *smc) + write_lock_bh(&smc->clcsock->sk->sk_callback_lock); + smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready, + &smc->clcsk_data_ready); +- smc->clcsock->sk->sk_user_data = NULL; ++ rcu_assign_sk_user_data(smc->clcsock->sk, NULL); + write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); + rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR); + } +-- +2.51.0 + diff --git a/queue-6.18/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch b/queue-6.18/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch new file mode 100644 index 0000000000..a1df3cdf85 --- /dev/null +++ b/queue-6.18/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch 
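Review bot: smc_clcsock_user_data_rcu() returns `rcu_dereference_sk_user_data(clcsk)` cast straight to `struct smc_sock *`, whereas the neighbouring smc_clcsock_user_data() masks `SK_USER_DATA_NOCOPY` off explicitly; the new helper therefore relies on the core accessor stripping the flag bits that `__rcu_assign_sk_user_data_with_flags()` stores. That is presumably what it does, but a one-line comment, `/* rcu_dereference_sk_user_data() already clears the SK_USER_DATA_* flag bits */`, plus a note that callers must hold rcu_read_lock() and pin the socket with refcount_inc_not_zero() before leaving the RCU section, would keep the two helpers from drifting apart.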
@@ -0,0 +1,69 @@ +From 74f41f7316f9a4506a48b59a4e1b73293cc06a77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 16:16:43 +0200 +Subject: net: usb: aqc111: Do not perform PM inside suspend callback + +From: Nikola Z. Ivanov + +[ Upstream commit 069c8f5aebe4d5224cf62acc7d4b3486091c658a ] + +syzbot reports "task hung in rpm_resume" + +This is caused by aqc111_suspend calling +the PM variant of its write_cmd routine. + +The simplified call trace looks like this: + +rpm_suspend() + usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING + aqc111_suspend() - called for the usb device interface + aqc111_write32_cmd() + usb_autopm_get_interface() + pm_runtime_resume_and_get() + rpm_resume() - here we call rpm_resume() on our parent + rpm_resume() - Here we wait for a status change that will never happen. + +At this point we block another task which holds +rtnl_lock and locks up the whole networking stack. + +Fix this by replacing the write_cmd calls with their _nopm variants + +Reported-by: syzbot+48dc1e8dfc92faf1124c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=48dc1e8dfc92faf1124c +Fixes: e58ba4544c77 ("net: usb: aqc111: Add support for wake on LAN by MAGIC packet") +Signed-off-by: Nikola Z. 
Ivanov +Link: https://patch.msgid.link/20260313141643.1181386-1-zlatistiv@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/aqc111.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c +index 9201ee10a13f7..d316aa66dbc23 100644 +--- a/drivers/net/usb/aqc111.c ++++ b/drivers/net/usb/aqc111.c +@@ -1400,14 +1400,14 @@ static int aqc111_suspend(struct usb_interface *intf, pm_message_t message) + aqc111_write16_cmd_nopm(dev, AQ_ACCESS_MAC, + SFR_MEDIUM_STATUS_MODE, 2, ®16); + +- aqc111_write_cmd(dev, AQ_WOL_CFG, 0, 0, +- WOL_CFG_SIZE, &wol_cfg); +- aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, +- &aqc111_data->phy_cfg); ++ aqc111_write_cmd_nopm(dev, AQ_WOL_CFG, 0, 0, ++ WOL_CFG_SIZE, &wol_cfg); ++ aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0, ++ &aqc111_data->phy_cfg); + } else { + aqc111_data->phy_cfg |= AQ_LOW_POWER; +- aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, +- &aqc111_data->phy_cfg); ++ aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0, ++ &aqc111_data->phy_cfg); + + /* Disable RX path */ + aqc111_read16_cmd_nopm(dev, AQ_ACCESS_MAC, +-- +2.51.0 + diff --git a/queue-6.18/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch b/queue-6.18/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch new file mode 100644 index 0000000000..bc64652499 --- /dev/null +++ b/queue-6.18/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch 
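Review bot: The three replaced calls in aqc111_suspend() now use the `_nopm` helpers, but nothing in the function says why, so the next `aqc111_write*_cmd()` call added here would reintroduce the rpm_resume() self-deadlock the commit message describes. A comment at the top of the function, `/* Runtime PM is already in RPM_SUSPENDING here: only the _nopm command helpers may be used in this callback. */`, records the constraint; the function starts and ends outside this hunk, so whether any non-_nopm calls remain elsewhere in it cannot be seen here and is worth checking.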
@@ -0,0 +1,65 @@ +From f3ded2204311bc1326a538ad2412107fcff00fac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 22:46:39 -0700 +Subject: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check + +From: Tobi Gaertner + +[ Upstream commit 2aa8a4fa8d5b7d0e1ebcec100e1a4d80a1f4b21a ] + +cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE +entries fit within the skb. The first check correctly accounts for +ndpoffset: + + if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) + +but the second check omits it: + + if ((sizeof(struct usb_cdc_ncm_ndp16) + + ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) + +This validates the DPE array size against the total skb length as if +the NDP were at offset 0, rather than at ndpoffset. When the NDP is +placed near the end of the NTB (large wNdpIndex), the DPE entries can +extend past the skb data buffer even though the check passes. +cdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating +the DPE array. + +Add ndpoffset to the nframes bounds check and use struct_size_t() to +express the NDP-plus-DPE-array size more clearly. 
+ +Fixes: ff06ab13a4cc ("net: cdc_ncm: splitting rx_fixup for code reuse") +Signed-off-by: Tobi Gaertner +Link: https://patch.msgid.link/20260314054640.2895026-2-tob.gaertner@me.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_ncm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index 5d123df0a866b..a9d0162b5ee01 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1656,6 +1656,7 @@ int cdc_ncm_rx_verify_ndp16(struct sk_buff *skb_in, int ndpoffset) + struct usbnet *dev = netdev_priv(skb_in->dev); + struct usb_cdc_ncm_ndp16 *ndp16; + int ret = -EINVAL; ++ size_t ndp_len; + + if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) { + netif_dbg(dev, rx_err, dev->net, "invalid NDP offset <%u>\n", +@@ -1675,8 +1676,8 @@ int cdc_ncm_rx_verify_ndp16(struct sk_buff *skb_in, int ndpoffset) + sizeof(struct usb_cdc_ncm_dpe16)); + ret--; /* we process NDP entries except for the last one */ + +- if ((sizeof(struct usb_cdc_ncm_ndp16) + +- ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) { ++ ndp_len = struct_size_t(struct usb_cdc_ncm_ndp16, dpe16, ret); ++ if (ndpoffset + ndp_len > skb_in->len) { + netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret); + ret = -EINVAL; + } +-- +2.51.0 + diff --git a/queue-6.18/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch b/queue-6.18/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch new file mode 100644 index 0000000000..6c134a28aa --- /dev/null +++ b/queue-6.18/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch 
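Review bot: The corrected check `ndpoffset + ndp_len > skb_in->len` mixes the `int` parameter with a size_t, so the comparison is only meaningful while `ndpoffset` is non-negative; callers presumably derive it from 16-bit fields such as wNdpIndex (named in the commit message), but the signature does not say so, and a negative value would wrap the sum and can pass both length checks in this function. Either document the contract at the declaration, `/* ndpoffset: NDP offset within the NTB, from a 16-bit index field, always >= 0 */`, or reject `ndpoffset < 0` once alongside the existing offset check, returning -EINVAL the same way. `ret` feeds `struct_size_t()` as a count and is bounded by the wLength validation earlier in the function, which lies outside this hunk. The NDP32 hunk in the next patch has the same shape and the same note applies.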
@@ -0,0 +1,54 @@ +From 75a0b9c0fe2c85df60d8ee4189b507bac6c2ae0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 22:46:40 -0700 +Subject: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check + +From: Tobi Gaertner + +[ Upstream commit 77914255155e68a20aa41175edeecf8121dac391 ] + +The same bounds-check bug fixed for NDP16 in the previous patch also +exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated +against the total skb length without accounting for ndpoffset, allowing +out-of-bounds reads when the NDP32 is placed near the end of the NTB. + +Add ndpoffset to the nframes bounds check and use struct_size_t() to +express the NDP-plus-DPE-array size more clearly. + +Compile-tested only. + +Fixes: 0fa81b304a79 ("cdc_ncm: Implement the 32-bit version of NCM Transfer Block") +Signed-off-by: Tobi Gaertner +Link: https://patch.msgid.link/20260314054640.2895026-3-tob.gaertner@me.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_ncm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index a9d0162b5ee01..81d7e99fc0f09 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1693,6 +1693,7 @@ int cdc_ncm_rx_verify_ndp32(struct sk_buff *skb_in, int ndpoffset) + struct usbnet *dev = netdev_priv(skb_in->dev); + struct usb_cdc_ncm_ndp32 *ndp32; + int ret = -EINVAL; ++ size_t ndp_len; + + if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp32)) > skb_in->len) { + netif_dbg(dev, rx_err, dev->net, "invalid NDP offset <%u>\n", +@@ -1712,8 +1713,8 @@ int cdc_ncm_rx_verify_ndp32(struct sk_buff *skb_in, int ndpoffset) + sizeof(struct usb_cdc_ncm_dpe32)); + ret--; /* we process NDP entries except for the last one */ + +- if ((sizeof(struct usb_cdc_ncm_ndp32) + +- ret * (sizeof(struct usb_cdc_ncm_dpe32))) > skb_in->len) { ++ ndp_len = struct_size_t(struct usb_cdc_ncm_ndp32, dpe32, ret); ++ if (ndpoffset + 
ndp_len > skb_in->len) {
+ netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret);
+ ret = -EINVAL;
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/netdevsim-drop-psp-ext-ref-on-forward-failure.patch b/queue-6.18/netdevsim-drop-psp-ext-ref-on-forward-failure.patch
new file mode 100644
index 0000000000..c9c80ab845
--- /dev/null
+++ b/queue-6.18/netdevsim-drop-psp-ext-ref-on-forward-failure.patch
@@ -0,0 +1,53 @@ +From 45a4a70fa9f4e2b1972950c610fa79e2f4f5817f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 00:14:31 -0600 +Subject: netdevsim: drop PSP ext ref on forward failure + +From: Wesley Atwell + +[ Upstream commit 7d9351435ebba08bbb60f42793175c9dc714d2fb ] + +nsim_do_psp() takes an extra reference to the PSP skb extension so the +extension survives __dev_forward_skb(). That forward path scrubs the skb +and drops attached skb extensions before nsim_psp_handle_ext() can +reattach the PSP metadata. + +If __dev_forward_skb() fails in nsim_forward_skb(), the function returns +before nsim_psp_handle_ext() can attach that extension to the skb, leaving +the extra reference leaked. + +Drop the saved PSP extension reference before returning from the +forward-failure path. Guard the put because plain or non-decapsulated +traffic can also fail forwarding without ever taking the extra PSP +reference. + +Fixes: f857478d6206 ("netdevsim: a basic test PSP implementation") +Signed-off-by: Wesley Atwell +Reviewed-by: Daniel Zahka +Link: https://patch.msgid.link/20260317061431.1482716-1-atwellwea@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/netdev.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/netdevsim/netdev.c b/drivers/net/netdevsim/netdev.c +index fa1d97885caaf..06446b03cd9bc 100644 +--- a/drivers/net/netdevsim/netdev.c ++++ b/drivers/net/netdevsim/netdev.c +@@ -109,8 +109,11 @@ static int nsim_forward_skb(struct net_device *tx_dev, + int ret; + + ret = __dev_forward_skb(rx_dev, skb); +- if (ret) ++ if (ret) { ++ if (psp_ext) ++ __skb_ext_put(psp_ext); + return ret; ++ } + + nsim_psp_handle_ext(skb, psp_ext); + +-- +2.51.0 + diff --git a/queue-6.18/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch b/queue-6.18/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch new file mode 100644 index 0000000000..b8d22a9068 --- /dev/null 
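Review bot: The new `if (psp_ext) __skb_ext_put(psp_ext);` in the failure branch is correct only because of a reference taken elsewhere, and nothing in the function says so; a reader of nsim_forward_skb() alone cannot tell why a failed forward must put an extension it never took. A one-line comment such as `/* nsim_do_psp() took an extra ref so the ext survives __dev_forward_skb(); nothing will reattach it now, drop it */` keeps the pairing visible at the put site rather than only in the commit message. The guard itself presumably covers the plain-traffic case where `psp_ext` stays NULL, as the description states. nsim_forward_skb() starts before the hunk and its success path continues after it.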
+++ b/queue-6.18/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch @@ -0,0 +1,47 @@ +From afda3eaf89f937b482605fd8ec32063c4fe48077 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 12:23:08 +0100 +Subject: netfilter: bpf: defer hook memory release until rcu readers are done + +From: Florian Westphal + +[ Upstream commit 24f90fa3994b992d1a09003a3db2599330a5232a ] + +Yiming Qian reports UaF when concurrent process is dumping hooks via +nfnetlink_hooks: + +BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0 +Read of size 8 at addr ffff888003edbf88 by task poc/79 +Call Trace: + + nfnl_hook_dump_one.isra.0+0xe71/0x10f0 + netlink_dump+0x554/0x12b0 + nfnl_hook_get+0x176/0x230 + [..] + +Defer release until after concurrent readers have completed. + +Reported-by: Yiming Qian +Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_bpf_link.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c +index 46e667a50d988..248840dbca1b2 100644 +--- a/net/netfilter/nf_bpf_link.c ++++ b/net/netfilter/nf_bpf_link.c +@@ -170,7 +170,7 @@ static int bpf_nf_link_update(struct bpf_link *link, struct bpf_prog *new_prog, + + static const struct bpf_link_ops bpf_nf_link_lops = { + .release = bpf_nf_link_release, +- .dealloc = bpf_nf_link_dealloc, ++ .dealloc_deferred = bpf_nf_link_dealloc, + .detach = bpf_nf_link_detach, + .show_fdinfo = bpf_nf_link_show_info, + .fill_link_info = bpf_nf_link_fill_link_info, +-- +2.51.0 + diff --git a/queue-6.18/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch b/queue-6.18/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch new file mode 100644 index 0000000000..c5d38a6e54 --- /dev/null +++ b/queue-6.18/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch 
@@ -0,0 +1,123 @@ +From c9078f4c873e19ccc8aecc9e61d72add85e54e48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:21:37 +0900 +Subject: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() + +From: Hyunwoo Kim + +[ Upstream commit 5cb81eeda909dbb2def209dd10636b51549a3f8a ] + +ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the +netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the +conntrack reference immediately after netlink_dump_start(). When the +dump spans multiple rounds, the second recvmsg() triggers the dump +callback which dereferences the now-freed conntrack via nfct_help(ct), +leading to a use-after-free on ct->ext. + +The bug is that the netlink_dump_control has no .start or .done +callbacks to manage the conntrack reference across dump rounds. Other +dump functions in the same file (e.g. ctnetlink_get_conntrack) properly +use .start/.done callbacks for this purpose. + +Fix this by adding .start and .done callbacks that hold and release the +conntrack reference for the duration of the dump, and move the +nfct_help() call after the cb->args[0] early-return check in the dump +callback to avoid dereferencing ct->ext unnecessarily. + + BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0 + Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133 + + CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY + Call Trace: + + ctnetlink_exp_ct_dump_table+0x4f/0x2e0 + netlink_dump+0x333/0x880 + netlink_recvmsg+0x3e2/0x4b0 + ? 
aa_sk_perm+0x184/0x450 + sock_recvmsg+0xde/0xf0 + + Allocated by task 133: + kmem_cache_alloc_noprof+0x134/0x440 + __nf_conntrack_alloc+0xa8/0x2b0 + ctnetlink_create_conntrack+0xa1/0x900 + ctnetlink_new_conntrack+0x3cf/0x7d0 + nfnetlink_rcv_msg+0x48e/0x510 + netlink_rcv_skb+0xc9/0x1f0 + nfnetlink_rcv+0xdb/0x220 + netlink_unicast+0x3ec/0x590 + netlink_sendmsg+0x397/0x690 + __sys_sendmsg+0xf4/0x180 + + Freed by task 0: + slab_free_after_rcu_debug+0xad/0x1e0 + rcu_core+0x5c3/0x9c0 + +Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack") +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++++++++++- + 1 file changed, 25 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 3a04665adf992..f261dd48973fe 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3211,7 +3211,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + struct nf_conn *ct = cb->data; +- struct nf_conn_help *help = nfct_help(ct); ++ struct nf_conn_help *help; + u_int8_t l3proto = nfmsg->nfgen_family; + unsigned long last_id = cb->args[1]; + struct nf_conntrack_expect *exp; +@@ -3219,6 +3219,10 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + if (cb->args[0]) + return 0; + ++ help = nfct_help(ct); ++ if (!help) ++ return 0; ++ + rcu_read_lock(); + + restart: +@@ -3248,6 +3252,24 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + return skb->len; + } + ++static int ctnetlink_dump_exp_ct_start(struct netlink_callback *cb) ++{ ++ struct nf_conn *ct = cb->data; ++ ++ if (!refcount_inc_not_zero(&ct->ct_general.use)) ++ return -ENOENT; ++ return 0; ++} ++ ++static int ctnetlink_dump_exp_ct_done(struct 
netlink_callback *cb)
++{
++ struct nf_conn *ct = cb->data;
++
++ if (ct)
++ nf_ct_put(ct);
++ return 0;
++}
++
+ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+ struct sk_buff *skb,
+ const struct nlmsghdr *nlh,
+@@ -3263,6 +3285,8 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+ struct nf_conntrack_zone zone;
+ struct netlink_dump_control c = {
+ .dump = ctnetlink_exp_ct_dump_table,
++ .start = ctnetlink_dump_exp_ct_start,
++ .done = ctnetlink_dump_exp_ct_done,
+ };
+
+ err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
+--
+2.51.0
+
diff --git a/queue-6.18/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch b/queue-6.18/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
new file mode 100644
index 0000000000..efa13791e9
--- /dev/null
+++ b/queue-6.18/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
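Review bot: The reference handoff between ctnetlink_dump_exp_ct() and the new .start/.done callbacks is undocumented: `ctnetlink_dump_exp_ct_start()` takes its own count with `refcount_inc_not_zero()`, while the caller presumably still drops the reference it held when it called `netlink_dump_start()`, which is the code the description says was the problem and which sits outside the hunk. A comment above the start callback, e.g. `/* hold ct across dump rounds; the caller drops its own reference right after netlink_dump_start() */`, would spare the next reader from re-deriving that balance. The `if (ct)` guard in `ctnetlink_dump_exp_ct_done()` reads as defensive, since cb->data is the conntrack the caller set; if .done is never invoked after a failed .start, a one-word comment saying the guard is kept for safety would stop someone from "fixing" it into a double put. Both the dump callback and ctnetlink_dump_exp_ct() start or end outside the hunk.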
@@ -0,0 +1,47 @@ +From 31cf0bb5ac9647e08268143c44987be2391c25c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 14:49:50 +0000 +Subject: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jenny Guanni Qu + +[ Upstream commit f173d0f4c0f689173f8cdac79991043a4a89bf66 ] + +In DecodeQ931(), the UserUserIE code path reads a 16-bit length from +the packet, then decrements it by 1 to skip the protocol discriminator +byte before passing it to DecodeH323_UserInformation(). If the encoded +length is 0, the decrement wraps to -1, which is then passed as a +large value to the decoder, leading to an out-of-bounds read. + +Add a check to ensure len is positive after the decrement. + +Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Tested-by: Jenny Guanni Qu +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_h323_asn1.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c +index c972e9488e16f..7b1497ed97d26 100644 +--- a/net/netfilter/nf_conntrack_h323_asn1.c ++++ b/net/netfilter/nf_conntrack_h323_asn1.c +@@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931) + break; + p++; + len--; ++ if (len <= 0) ++ break; + return DecodeH323_UserInformation(buf, p, len, + &q931->UUIE); + } +-- +2.51.0 + diff --git a/queue-6.18/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch b/queue-6.18/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch new file mode 100644 index 0000000000..2cabcfd3ff --- /dev/null +++ b/queue-6.18/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch 
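Review bot: The new `if (len <= 0) break;` makes a zero-length UserUserIE leave the loop silently, so DecodeQ931() presumably returns whatever it returns after the loop rather than a decode error; that mirrors the existing `break;` on the truncation path at the top of the hunk, but a reader will wonder whether an empty IE is meant to be accepted as "no user information". A short comment such as `/* empty UUIE after the protocol discriminator: nothing to decode */` would record that this is deliberate. Placing the test after `len--` also covers the wrap to -1 from the description only if `len` is signed, as the description implies; `if (len < 1) break;` before the decrement states the same bound without depending on the type. DecodeQ931() starts and ends outside the hunk.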
@@ -0,0 +1,48 @@ +From 1fa546c078c617310b491eca5b9b575aa72d645b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 02:29:32 +0000 +Subject: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jenny Guanni Qu + +[ Upstream commit 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a ] + +In decode_int(), the CONS case calls get_bits(bs, 2) to read a length +value, then calls get_uint(bs, len) without checking that len bytes +remain in the buffer. The existing boundary check only validates the +2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() +reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte +slab-out-of-bounds read. + +Add a boundary check for len bytes after get_bits() and before +get_uint(). + +Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_h323_asn1.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c +index 62aa22a078769..c972e9488e16f 100644 +--- a/net/netfilter/nf_conntrack_h323_asn1.c ++++ b/net/netfilter/nf_conntrack_h323_asn1.c +@@ -331,6 +331,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f, + if (nf_h323_error_boundary(bs, 0, 2)) + return H323_ERROR_BOUND; + len = get_bits(bs, 2) + 1; ++ if (nf_h323_error_boundary(bs, len, 0)) ++ return H323_ERROR_BOUND; + BYTE_ALIGN(bs); + if (base && (f->attr & DECODE)) { /* timeToLive */ + unsigned int v = get_uint(bs, len) + f->lb; +-- +2.51.0 + diff --git a/queue-6.18/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch b/queue-6.18/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch new file mode 100644 index 0000000000..19471a8f17 
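Review bot: The new `nf_h323_error_boundary(bs, len, 0)` runs before `BYTE_ALIGN(bs)`, so it only covers the bytes `get_uint()` will read if the helper rounds the pending bit offset up to a whole byte; otherwise the alignment step consumes one byte the check did not account for. That ordering is non-obvious and deserves a comment, e.g. `/* len bytes for get_uint() plus the partial byte BYTE_ALIGN() skips */`, or the check could move below `BYTE_ALIGN(bs)` so the intent is visible without reading the helper. decode_int() begins and ends outside the hunk.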
--- /dev/null
+++ b/queue-6.18/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
@@ -0,0 +1,66 @@ +From b6dbf78dfb6a70f6827e7824aedb1fdcbe8f0b5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 21:49:01 +0000 +Subject: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in + sip_help_tcp() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lukas Johannes Möller + +[ Upstream commit fbce58e719a17aa215c724473fd5baaa4a8dc57c ] + +sip_help_tcp() parses the SIP Content-Length header with +simple_strtoul(), which returns unsigned long, but stores the result in +unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are +silently truncated before computing the SIP message boundary. + +For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, +causing the parser to miscalculate where the current message ends. The +loop then treats trailing data in the TCP segment as a second SIP +message and processes it through the SDP parser. + +Fix this by changing clen to unsigned long to match the return type of +simple_strtoul(), and reject Content-Length values that exceed the +remaining TCP payload length. 
+ +Fixes: f5b321bd37fb ("netfilter: nf_conntrack_sip: add TCP support") +Signed-off-by: Lukas Johannes Möller +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_sip.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c +index ca748f8dbff13..4ab5ef71d96db 100644 +--- a/net/netfilter/nf_conntrack_sip.c ++++ b/net/netfilter/nf_conntrack_sip.c +@@ -1534,11 +1534,12 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff, + { + struct tcphdr *th, _tcph; + unsigned int dataoff, datalen; +- unsigned int matchoff, matchlen, clen; ++ unsigned int matchoff, matchlen; + unsigned int msglen, origlen; + const char *dptr, *end; + s16 diff, tdiff = 0; + int ret = NF_ACCEPT; ++ unsigned long clen; + bool term; + + if (ctinfo != IP_CT_ESTABLISHED && +@@ -1573,6 +1574,9 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff, + if (dptr + matchoff == end) + break; + ++ if (clen > datalen) ++ break; ++ + term = false; + for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) { + if (end[0] == '\r' && end[1] == '\n' && +-- +2.51.0 + diff --git a/queue-6.18/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch b/queue-6.18/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch new file mode 100644 index 0000000000..153e35cd9a --- /dev/null +++ b/queue-6.18/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch 
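Review bot: `if (clen > datalen) break;` compares the header value against the whole remaining payload, not against what is left after the header block the `for` loop below still has to locate, so it is a coarse pre-filter and the exact end-of-message bound presumably still comes from a later `msglen > datalen` test outside the hunk. Saying so in place, e.g. `/* coarse bound so end + clen cannot leave the buffer; exact check follows */`, keeps the next reader from tightening or removing either check in isolation. The type change of `clen` to `unsigned long` is what makes the `end += ... + clen` arithmetic below the hunk use the untruncated value, which is the actual fix; sip_help_tcp() begins and ends outside the hunk.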
@@ -0,0 +1,51 @@ +From 83525458e33aafd6a0c9dc856f4ea790c29af213 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 20:00:26 +0100 +Subject: netfilter: nf_tables: release flowtable after rcu grace period on + error + +From: Pablo Neira Ayuso + +[ Upstream commit d73f4b53aaaea4c95f245e491aa5eeb8a21874ce ] + +Call synchronize_rcu() after unregistering the hooks from error path, +since a hook that already refers to this flowtable can be already +registered, exposing this flowtable to packet path and nfnetlink_hook +control plane. + +This error path is rare, it should only happen by reaching the maximum +number hooks or by failing to set up to hardware offload, just call +synchronize_rcu(). + +There is a check for already used device hooks by different flowtable +that could result in EEXIST at this late stage. The hook parser can be +updated to perform this check earlier to this error path really becomes +rarely exercised. + +Uncovered by KASAN reported as use-after-free from nfnetlink_hook path +when dumping hooks. + +Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 0992869b33b35..a6a7fe216396d 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -9369,6 +9369,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb, + return 0; + + err_flowtable_hooks: ++ synchronize_rcu(); + nft_trans_destroy(trans); + err_flowtable_trans: + nft_hooks_destroy(&flowtable->hook_list); +-- +2.51.0 + diff --git a/queue-6.18/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch b/queue-6.18/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch new file mode 100644 index 0000000000..68c1095357 --- /dev/null 
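Review bot: The new `synchronize_rcu()` in the `err_flowtable_hooks:` path carries no comment, and nothing nearby explains why a failed nf_tables_newflowtable() must wait a grace period before `nft_trans_destroy()`; the reasoning lives only in the commit message. A line such as `/* hooks may already be registered and visible to the packet path and nfnetlink_hook; let readers finish before tearing down */` keeps it with the code. This also introduces a blocking wait in an error path that runs under whatever lock the caller holds there, which the description accepts as rare, and the comment could note that trade-off. nf_tables_newflowtable() starts and ends outside the hunk.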
+++ b/queue-6.18/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch 
@@ -0,0 +1,70 @@ +From 277cd18348c5a3eade2f8a7f3530ccbfaf9ef42e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 13:48:47 +0100 +Subject: netfilter: nft_ct: drop pending enqueued packets on removal + +From: Pablo Neira Ayuso + +[ Upstream commit 36eae0956f659e48d5366d9b083d9417f3263ddc ] + +Packets sitting in nfqueue might hold a reference to: + +- templates that specify the conntrack zone, because a percpu area is + used and module removal is possible. +- conntrack timeout policies and helper, where object removal leave + a stale reference. + +Since these objects can just go away, drop enqueued packets to avoid +stale reference to them. + +If there is a need for finer grain removal, this logic can be revisited +to make selective packet drop upon dependencies. + +Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_ct.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c +index 6f2ae7cad7310..db1bf69f87750 100644 +--- a/net/netfilter/nft_ct.c ++++ b/net/netfilter/nft_ct.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include "nf_internals.h" + + struct nft_ct_helper_obj { + struct nf_conntrack_helper *helper4; +@@ -543,6 +544,7 @@ static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv) + #endif + #ifdef CONFIG_NF_CONNTRACK_ZONES + case NFT_CT_ZONE: ++ nf_queue_nf_hook_drop(ctx->net); + mutex_lock(&nft_ct_pcpu_mutex); + if (--nft_ct_pcpu_template_refcnt == 0) + nft_ct_tmpl_put_pcpu(); +@@ -1016,6 +1018,7 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx, + struct nft_ct_timeout_obj *priv = nft_obj_data(obj); + struct nf_ct_timeout *timeout = priv->timeout; + ++ nf_queue_nf_hook_drop(ctx->net); + nf_ct_untimeout(ctx->net, timeout); + nf_ct_netns_put(ctx->net, ctx->family); + 
kfree(priv->timeout);
+@@ -1148,6 +1151,7 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx,
+ {
+ struct nft_ct_helper_obj *priv = nft_obj_data(obj);
+
++ nf_queue_nf_hook_drop(ctx->net);
+ if (priv->helper4)
+ nf_conntrack_helper_put(priv->helper4);
+ if (priv->helper6)
+--
+2.51.0
+
diff --git a/queue-6.18/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch b/queue-6.18/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
new file mode 100644
index 0000000000..7ed1616f9a
--- /dev/null
+++ b/queue-6.18/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
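Review bot: `nf_queue_nf_hook_drop(ctx->net)` is added to three destroy paths without a comment, and per the description it flushes every packet queued in the namespace rather than only those referencing the template, timeout or helper being destroyed; a reader of the NFT_CT_ZONE case in particular will not see why a zone template needs it. A one-liner at each call, e.g. `/* queued packets may still reference this object; flush them before it goes away */`, plus `/* zone templates live in a pcpu area that module removal can free */` on the zone case, would carry the reasoning. The xt_CT hunk in the next patch makes the same call only when `info->helper[0] || info->timeout[0]`, so the two files now differ in when they flush; documenting why the nft side drops unconditionally avoids a later "harmonisation" that loses the zone case. All three destroy functions start or end outside the hunk.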
@@ -0,0 +1,54 @@ +From 63fd4c6bbe511a88fccb70957af8094b69136a9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 13:48:48 +0100 +Subject: netfilter: xt_CT: drop pending enqueued packets on template removal + +From: Pablo Neira Ayuso + +[ Upstream commit f62a218a946b19bb59abdd5361da85fa4606b96b ] + +Templates refer to objects that can go away while packets are sitting in +nfqueue refer to: + +- helper, this can be an issue on module removal. +- timeout policy, nfnetlink_cttimeout might remove it. + +The use of templates with zone and event cache filter are safe, since +this just copies values. + +Flush these enqueued packets in case the template rule gets removed. + +Fixes: 24de58f46516 ("netfilter: xt_CT: allow to attach timeout policy + glue code") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_CT.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c +index 3ba94c34297cf..498f5871c84a0 100644 +--- a/net/netfilter/xt_CT.c ++++ b/net/netfilter/xt_CT.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include "nf_internals.h" + + static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct) + { +@@ -283,6 +284,9 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par, + struct nf_conn_help *help; + + if (ct) { ++ if (info->helper[0] || info->timeout[0]) ++ nf_queue_nf_hook_drop(par->net); ++ + help = nfct_help(ct); + xt_ct_put_helper(help); + +-- +2.51.0 + diff --git a/queue-6.18/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch b/queue-6.18/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch new file mode 100644 index 0000000000..f53334701e --- /dev/null +++ b/queue-6.18/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch 
@@ -0,0 +1,53 @@ +From bddaf6758c6f6953d3595275368f65988be8e857 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 14:59:49 +0000 +Subject: netfilter: xt_time: use unsigned int for monthday bit shift +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jenny Guanni Qu + +[ Upstream commit 00050ec08cecfda447e1209b388086d76addda3a ] + +The monthday field can be up to 31, and shifting a signed integer 1 +by 31 positions (1 << 31) is undefined behavior in C, as the result +overflows a 32-bit signed int. Use 1U to ensure well-defined behavior +for all valid monthday values. + +Change the weekday shift to 1U as well for consistency. + +Fixes: ee4411a1b1e0 ("[NETFILTER]: x_tables: add xt_time match") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Tested-by: Jenny Guanni Qu +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_time.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c +index 6aa12d0f54e23..61de85e02a40f 100644 +--- a/net/netfilter/xt_time.c ++++ b/net/netfilter/xt_time.c +@@ -227,13 +227,13 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par) + + localtime_2(¤t_time, stamp); + +- if (!(info->weekdays_match & (1 << current_time.weekday))) ++ if (!(info->weekdays_match & (1U << current_time.weekday))) + return false; + + /* Do not spend time computing monthday if all days match anyway */ + if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) { + localtime_3(¤t_time, stamp); +- if (!(info->monthdays_match & (1 << current_time.monthday))) ++ if (!(info->monthdays_match & (1U << current_time.monthday))) + return false; + } + +-- +2.51.0 + diff --git a/queue-6.18/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch b/queue-6.18/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch new file mode 100644 index 0000000000..74195e14ff 
--- /dev/null
+++ b/queue-6.18/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch
@@ -0,0 +1,107 @@ +From 43d258f2b94dc1d08b4bdbe8663601e613a3c00b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 12:38:59 +0100 +Subject: nf_tables: nft_dynset: fix possible stateful expression memleak in + error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pablo Neira Ayuso + +[ Upstream commit 0548a13b5a145b16e4da0628b5936baf35f51b43 ] + +If cloning the second stateful expression in the element via GFP_ATOMIC +fails, then the first stateful expression remains in place without being +released. + +   unreferenced object (percpu) 0x607b97e9cab8 (size 16): +     comm "softirq", pid 0, jiffies 4294931867 +     hex dump (first 16 bytes on cpu 3): +       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +     backtrace (crc 0): +       pcpu_alloc_noprof+0x453/0xd80 +       nft_counter_clone+0x9c/0x190 [nf_tables] +       nft_expr_clone+0x8f/0x1b0 [nf_tables] +       nft_dynset_new+0x2cb/0x5f0 [nf_tables] +       nft_rhash_update+0x236/0x11c0 [nf_tables] +       nft_dynset_eval+0x11f/0x670 [nf_tables] +       nft_do_chain+0x253/0x1700 [nf_tables] +       nft_do_chain_ipv4+0x18d/0x270 [nf_tables] +       nf_hook_slow+0xaa/0x1e0 +       ip_local_deliver+0x209/0x330 + +Fixes: 563125a73ac3 ("netfilter: nftables: generalize set extension to support for several expressions") +Reported-by: Gurpreet Shergill +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 2 ++ + net/netfilter/nf_tables_api.c | 4 ++-- + net/netfilter/nft_dynset.c | 10 +++++++++- + 3 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index c18cffafc9696..4dc080f7f27c6 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -875,6 +875,8 @@ struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set, + u64 timeout, u64 
expiration, gfp_t gfp); + int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, + struct nft_expr *expr_array[]); ++void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, ++ struct nft_set_elem_expr *elem_expr); + void nft_set_elem_destroy(const struct nft_set *set, + const struct nft_elem_priv *elem_priv, + bool destroy_expr); +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index b6a575ec33159..0992869b33b35 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -6863,8 +6863,8 @@ static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx, + } + } + +-static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, +- struct nft_set_elem_expr *elem_expr) ++void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, ++ struct nft_set_elem_expr *elem_expr) + { + struct nft_expr *expr; + u32 size; +diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c +index 7807d81296646..9123277be03ce 100644 +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -30,18 +30,26 @@ static int nft_dynset_expr_setup(const struct nft_dynset *priv, + const struct nft_set_ext *ext) + { + struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext); ++ struct nft_ctx ctx = { ++ .net = read_pnet(&priv->set->net), ++ .family = priv->set->table->family, ++ }; + struct nft_expr *expr; + int i; + + for (i = 0; i < priv->num_exprs; i++) { + expr = nft_setelem_expr_at(elem_expr, elem_expr->size); + if (nft_expr_clone(expr, priv->expr_array[i], GFP_ATOMIC) < 0) +- return -1; ++ goto err_out; + + elem_expr->size += priv->expr_array[i]->ops->size; + } + + return 0; ++err_out: ++ nft_set_elem_expr_destroy(&ctx, elem_expr); ++ ++ return -1; + } + + struct nft_elem_priv *nft_dynset_new(struct nft_set *set, +-- +2.51.0 + 
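Review bot: The new `err_out:` path calls `nft_set_elem_expr_destroy()` from nft_dynset_expr_setup(), which the backtrace in the description shows being reached from nft_dynset_eval() under nf_hook_slow(); if that is the only caller, the expressions' `->destroy` handlers now run in packet-processing (softirq) context with a `nft_ctx` that carries only `.net` and `.family`, and it is worth confirming that every stateful expression permitted in a dynset has a destroy handler safe in that context that reads no other ctx field. A comment on the `ctx` initialiser, e.g. `/* minimal ctx for destroying already-cloned exprs on error; may run in the packet path */`, would flag both constraints for future expression authors. Whether the destroy helper resets `elem_expr->size` is not visible here; if it does not, the partially filled extension is returned to the caller with a stale size, which only matters if anything reads it afterwards. nft_dynset_expr_setup() starts before the hunk.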
diff --git a/queue-6.18/nfnetlink_osf-validate-individual-option-lengths-in-.patch b/queue-6.18/nfnetlink_osf-validate-individual-option-lengths-in-.patch
new file mode 100644
index 0000000000..42e27679d3
--- /dev/null
+++ b/queue-6.18/nfnetlink_osf-validate-individual-option-lengths-in-.patch
@@ -0,0 +1,83 @@ +From c07d011d688c03db2b8f944c110649fcd5fbc706 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 15:32:44 +0800 +Subject: nfnetlink_osf: validate individual option lengths in fingerprints + +From: Weiming Shi + +[ Upstream commit dbdfaae9609629a9569362e3b8f33d0a20fd783c ] + +nfnl_osf_add_callback() validates opt_num bounds and string +NUL-termination but does not check individual option length fields. +A zero-length option causes nf_osf_match_one() to enter the option +matching loop even when foptsize sums to zero, which matches packets +with no TCP options where ctx->optp is NULL: + + Oops: general protection fault + KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) + Call Trace: + nf_osf_match (net/netfilter/nfnetlink_osf.c:227) + xt_osf_match_packet (net/netfilter/xt_osf.c:32) + ipt_do_table (net/ipv4/netfilter/ip_tables.c:293) + nf_hook_slow (net/netfilter/core.c:623) + ip_local_deliver (net/ipv4/ip_input.c:262) + ip_rcv (net/ipv4/ip_input.c:573) + +Additionally, an MSS option (kind=2) with length < 4 causes +out-of-bounds reads when nf_osf_match_one() unconditionally accesses +optp[2] and optp[3] for MSS value extraction. While RFC 9293 +section 3.2 specifies that the MSS option is always exactly 4 +bytes (Kind=2, Length=4), the check uses "< 4" rather than +"!= 4" because lengths greater than 4 do not cause memory +safety issues -- the buffer is guaranteed to be at least +foptsize bytes by the ctx->optsize == foptsize check. + +Reject fingerprints where any option has zero length, or where an MSS +option has length less than 4, at add time rather than trusting these +values in the packet matching hot path. 
+ +Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_osf.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c +index c0fc431991e88..9fc9544d4bc53 100644 +--- a/net/netfilter/nfnetlink_osf.c ++++ b/net/netfilter/nfnetlink_osf.c +@@ -302,7 +302,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb, + { + struct nf_osf_user_finger *f; + struct nf_osf_finger *kf = NULL, *sf; ++ unsigned int tot_opt_len = 0; + int err = 0; ++ int i; + + if (!capable(CAP_NET_ADMIN)) + return -EPERM; +@@ -318,6 +320,17 @@ static int nfnl_osf_add_callback(struct sk_buff *skb, + if (f->opt_num > ARRAY_SIZE(f->opt)) + return -EINVAL; + ++ for (i = 0; i < f->opt_num; i++) { ++ if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN) ++ return -EINVAL; ++ if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4) ++ return -EINVAL; ++ ++ tot_opt_len += f->opt[i].length; ++ if (tot_opt_len > MAX_IPOPTLEN) ++ return -EINVAL; ++ } ++ + if (!memchr(f->genre, 0, MAXGENRELEN) || + !memchr(f->subtype, 0, MAXGENRELEN) || + !memchr(f->version, 0, MAXGENRELEN)) +-- +2.51.0 + diff --git a/queue-6.18/pm-runtime-fix-a-race-condition-related-to-device-re.patch b/queue-6.18/pm-runtime-fix-a-race-condition-related-to-device-re.patch new file mode 100644 index 0000000000..5bdffccaf5 --- /dev/null +++ b/queue-6.18/pm-runtime-fix-a-race-condition-related-to-device-re.patch 
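Review bot: The per-option loop rejects `length == 0` and an MSS shorter than 4 but records neither reason in code; the `< 4` versus `!= 4` choice in particular is argued only in the commit message. Suggest `/* nf_osf_match_one() reads optp[2..3] for MSS; longer options are bounded by the optsize == foptsize match */` above the `OSFOPT_MSS` test, and `/* a zero-length option would enter the match loop with optp == NULL on option-less packets */` above the first check. `MAX_IPOPTLEN` is reused here as the bound for TCP option lengths, presumably matching the buffer the existing matcher already sizes with it, but a reader may take it for an IP-options limit, so naming that in the comment avoids confusion. nfnl_osf_add_callback() continues outside the hunk.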
@@ -0,0 +1,126 @@ +From 5e4c58e0729665198d2c676a31b623504ca7beb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 11:27:20 -0700 +Subject: PM: runtime: Fix a race condition related to device removal + +From: Bart Van Assche + +[ Upstream commit 29ab768277617452d88c0607c9299cdc63b6e9ff ] + +The following code in pm_runtime_work() may dereference the dev->parent +pointer after the parent device has been freed: + + /* Maybe the parent is now able to suspend. */ + if (parent && !parent->power.ignore_children) { + spin_unlock(&dev->power.lock); + + spin_lock(&parent->power.lock); + rpm_idle(parent, RPM_ASYNC); + spin_unlock(&parent->power.lock); + + spin_lock(&dev->power.lock); + } + +Fix this by inserting a flush_work() call in pm_runtime_remove(). + +Without this patch blktest block/001 triggers the following complaint +sporadically: + +BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160 +Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081 +Workqueue: pm pm_runtime_work +Call Trace: + + dump_stack_lvl+0x61/0x80 + print_address_description.constprop.0+0x8b/0x310 + print_report+0xfd/0x1d7 + kasan_report+0xd8/0x1d0 + __kasan_check_byte+0x42/0x60 + lock_acquire.part.0+0x38/0x230 + lock_acquire+0x70/0x160 + _raw_spin_lock+0x36/0x50 + rpm_suspend+0xc6a/0xfe0 + rpm_idle+0x578/0x770 + pm_runtime_work+0xee/0x120 + process_one_work+0xde3/0x1410 + worker_thread+0x5eb/0xfe0 + kthread+0x37b/0x480 + ret_from_fork+0x6cb/0x920 + ret_from_fork_asm+0x11/0x20 + + +Allocated by task 4314: + kasan_save_stack+0x2a/0x50 + kasan_save_track+0x18/0x40 + kasan_save_alloc_info+0x3d/0x50 + __kasan_kmalloc+0xa0/0xb0 + __kmalloc_noprof+0x311/0x990 + scsi_alloc_target+0x122/0xb60 [scsi_mod] + __scsi_scan_target+0x101/0x460 [scsi_mod] + scsi_scan_channel+0x179/0x1c0 [scsi_mod] + scsi_scan_host_selected+0x259/0x2d0 [scsi_mod] + store_scan+0x2d2/0x390 [scsi_mod] + dev_attr_store+0x43/0x80 + sysfs_kf_write+0xde/0x140 + kernfs_fop_write_iter+0x3ef/0x670 + 
vfs_write+0x506/0x1470 + ksys_write+0xfd/0x230 + __x64_sys_write+0x76/0xc0 + x64_sys_call+0x213/0x1810 + do_syscall_64+0xee/0xfc0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Freed by task 4314: + kasan_save_stack+0x2a/0x50 + kasan_save_track+0x18/0x40 + kasan_save_free_info+0x3f/0x50 + __kasan_slab_free+0x67/0x80 + kfree+0x225/0x6c0 + scsi_target_dev_release+0x3d/0x60 [scsi_mod] + device_release+0xa3/0x220 + kobject_cleanup+0x105/0x3a0 + kobject_put+0x72/0xd0 + put_device+0x17/0x20 + scsi_device_dev_release+0xacf/0x12c0 [scsi_mod] + device_release+0xa3/0x220 + kobject_cleanup+0x105/0x3a0 + kobject_put+0x72/0xd0 + put_device+0x17/0x20 + scsi_device_put+0x7f/0xc0 [scsi_mod] + sdev_store_delete+0xa5/0x120 [scsi_mod] + dev_attr_store+0x43/0x80 + sysfs_kf_write+0xde/0x140 + kernfs_fop_write_iter+0x3ef/0x670 + vfs_write+0x506/0x1470 + ksys_write+0xfd/0x230 + __x64_sys_write+0x76/0xc0 + x64_sys_call+0x213/0x1810 + +Reported-by: Ming Lei +Closes: https://lore.kernel.org/all/ZxdNvLNI8QaOfD2d@fedora/ +Reported-by: syzbot+6c905ab800f20cf4086c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68c13942.050a0220.2ff435.000b.GAE@google.com/ +Fixes: 5e928f77a09a ("PM: Introduce core framework for run-time PM of I/O devices (rev. 17)") +Signed-off-by: Bart Van Assche +Link: https://patch.msgid.link/20260312182720.2776083-1-bvanassche@acm.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/base/power/runtime.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index e882b5269ebec..6980a8dfced2c 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -1896,6 +1896,7 @@ void pm_runtime_reinit(struct device *dev) + void pm_runtime_remove(struct device *dev) + { + __pm_runtime_disable(dev, false); ++ flush_work(&dev->power.work); + pm_runtime_reinit(dev); + } + +-- +2.51.0 + 
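Review bot: The added `flush_work(&dev->power.work);` in pm_runtime_remove() carries no comment explaining why it is needed right after `__pm_runtime_disable()`, which a reader will assume already quiesces the work item. If I read the runtime PM code correctly, the barrier inside `__pm_runtime_disable()` only cancels the work while `request_pending` is set, and pm_runtime_work() clears that flag before it runs rpm_idle() and dereferences `dev->parent`, so a worker that is already past that point slips through; a comment such as `/* A pm_runtime_work() already past the barrier in __pm_runtime_disable() may still touch dev->parent; wait for it before the device goes away. */` would record that. It is also worth stating, in the function's kerneldoc if it has one (outside this hunk), that pm_runtime_remove() may now block for the duration of an in-flight work item, since flush_work() sleeps.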
diff --git a/queue-6.18/sched-idle-consolidate-the-handling-of-two-special-c.patch b/queue-6.18/sched-idle-consolidate-the-handling-of-two-special-c.patch new file mode 100644 index 0000000000..1f3cac144a --- /dev/null +++ b/queue-6.18/sched-idle-consolidate-the-handling-of-two-special-c.patch 
@@ -0,0 +1,133 @@ +From 45b8ab24967d51540da53aebd54ca03a7268c0c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 13:25:41 +0100 +Subject: sched: idle: Consolidate the handling of two special cases + +From: Rafael J. Wysocki + +[ Upstream commit f4c31b07b136839e0fb3026f8a5b6543e3b14d2f ] + +There are two special cases in the idle loop that are handled +inconsistently even though they are analogous. + +The first one is when a cpuidle driver is absent and the default CPU +idle time power management implemented by the architecture code is used. +In that case, the scheduler tick is stopped every time before invoking +default_idle_call(). + +The second one is when a cpuidle driver is present, but there is only +one idle state in its table. In that case, the scheduler tick is never +stopped at all. + +Since each of these approaches has its drawbacks, reconcile them with +the help of one simple heuristic. Namely, stop the tick if the CPU has +been woken up by it in the previous iteration of the idle loop, or let +it tick otherwise. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Reviewed-by: Frederic Weisbecker +Reviewed-by: Qais Yousef +Reviewed-by: Aboorva Devarajan +Fixes: ed98c3491998 ("sched: idle: Do not stop the tick before cpuidle_idle_call()") +[ rjw: Added Fixes tag, changelog edits ] +Link: https://patch.msgid.link/4741364.LvFx2qVVIh@rafael.j.wysocki +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + kernel/sched/idle.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c +index d9c515da328e5..bf92ae29361ed 100644 +--- a/kernel/sched/idle.c ++++ b/kernel/sched/idle.c +@@ -160,6 +160,14 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev, + return cpuidle_enter(drv, dev, next_state); + } + ++static void idle_call_stop_or_retain_tick(bool stop_tick) ++{ ++ if (stop_tick || tick_nohz_tick_stopped()) ++ tick_nohz_idle_stop_tick(); ++ else ++ tick_nohz_idle_retain_tick(); ++} ++ + /** + * cpuidle_idle_call - the main idle function + * +@@ -169,7 +177,7 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev, + * set, and it returns with polling set. If it ever stops polling, it + * must clear the polling bit. + */ +-static void cpuidle_idle_call(void) ++static void cpuidle_idle_call(bool stop_tick) + { + struct cpuidle_device *dev = cpuidle_get_device(); + struct cpuidle_driver *drv = cpuidle_get_cpu_driver(dev); +@@ -185,7 +193,7 @@ static void cpuidle_idle_call(void) + } + + if (cpuidle_not_available(drv, dev)) { +- tick_nohz_idle_stop_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + default_idle_call(); + goto exit_idle; +@@ -220,17 +228,19 @@ static void cpuidle_idle_call(void) + next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns); + call_cpuidle(drv, dev, next_state); + } else if (drv->state_count > 1) { +- bool stop_tick = true; ++ /* ++ * stop_tick is expected to be true by default by cpuidle ++ * governors, which allows them to select idle states with ++ * target residency above the tick period length. ++ */ ++ stop_tick = true; + + /* + * Ask the cpuidle framework to choose a convenient idle state. 
+ */ + next_state = cpuidle_select(drv, dev, &stop_tick); + +- if (stop_tick || tick_nohz_tick_stopped()) +- tick_nohz_idle_stop_tick(); +- else +- tick_nohz_idle_retain_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + entered_state = call_cpuidle(drv, dev, next_state); + /* +@@ -238,7 +248,7 @@ static void cpuidle_idle_call(void) + */ + cpuidle_reflect(dev, entered_state); + } else { +- tick_nohz_idle_retain_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + /* + * If there is only a single idle state (or none), there is +@@ -266,6 +276,7 @@ static void cpuidle_idle_call(void) + static void do_idle(void) + { + int cpu = smp_processor_id(); ++ bool got_tick = false; + + /* + * Check if we need to update blocked load +@@ -336,8 +347,9 @@ static void do_idle(void) + tick_nohz_idle_restart_tick(); + cpu_idle_poll(); + } else { +- cpuidle_idle_call(); ++ cpuidle_idle_call(got_tick); + } ++ got_tick = tick_nohz_idle_got_tick(); + arch_cpu_idle_exit(); + } + +-- +2.51.0 + diff --git a/queue-6.18/series b/queue-6.18/series index d21ebe4715..ca27111b56 100644 --- a/queue-6.18/series +++ b/queue-6.18/series 
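Review bot: `cpuidle_idle_call()` gains a `stop_tick` parameter but its kernel-doc block (the `/** cpuidle_idle_call - the main idle function` comment, partly outside the quoted hunks) is not updated, so `scripts/kernel-doc` should report the parameter as undescribed; the 21/9 diffstat matches the visible hunks, so no such line was added elsewhere. Suggest ` * @stop_tick: whether to stop the scheduler tick when no cpuidle governor is consulted (no driver available, or a single-state driver); the governor path overrides it`, which matches how the value reaches idle_call_stop_or_retain_tick() in the two non-governor branches and is overwritten with `stop_tick = true;` before cpuidle_select(). The new static helper idle_call_stop_or_retain_tick() also has no comment; a one-liner such as `/* Stop the tick if asked to, or if it is already stopped; keep it ticking otherwise. */` describes what it does. In do_idle(), a short comment on `got_tick = tick_nohz_idle_got_tick();` saying that it feeds the next iteration's stop_tick decision would make the heuristic from the changelog visible in the code.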
@@ -96,3 +96,84 @@ drm-xe-oa-allow-reading-after-disabling-oa-stream.patch drm-xe-open-code-ggtt-mmio-access-protection.patch bluetooth-l2cap-fix-accepting-multiple-l2cap_ecred_conn_req.patch drm-i915-psr-compute-psr-entry_setup_frames-into-intel_crtc_state.patch +btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch +btrfs-tree-checker-fix-misleading-root-drop_level-er.patch +soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch +cache-starfive-fix-device-node-leak-in-starlink_cach.patch +cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch +soc-rockchip-grf-add-missing-of_node_put-when-return.patch +soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch +soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch +tee-shm-remove-refcounting-of-kernel-pages.patch +wifi-mac80211-remove-keys-after-disabling-beaconing.patch +wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch +wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch +wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch +arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch +arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch +arm64-dts-renesas-r9a09g057-add-rtc-node.patch +arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch +arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch +arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch +arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch +firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch +firmware-arm_scpi-fix-device_node-reference-leak-in-.patch +firmware-arm_scmi-fix-null-dereference-on-notify-err.patch +bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch +bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch +bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch +bluetooth-iso-fix-defer-tests-being-unstable.patch +bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch +bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch +bluetooth-hidp-fix-possible-uaf.patch 
+bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch +bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch +bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch +net-rose-fix-null-pointer-dereference-in-rose_transm.patch +mpls-add-missing-unregister_netdevice_notifier-to-mp.patch +netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch +netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch +netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch +nf_tables-nft_dynset-fix-possible-stateful-expressio.patch +netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch +netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch +netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch +netfilter-nf_conntrack_h323-check-for-zero-length-in.patch +crypto-ccp-fix-leaking-the-same-page-twice.patch +net-bcmgenet-increase-wol-poll-timeout.patch +net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch +sched-idle-consolidate-the-handling-of-two-special-c.patch +pm-runtime-fix-a-race-condition-related-to-device-re.patch +bonding-prevent-potential-infinite-loop-in-bond_head.patch +net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch +net-sched-teql-fix-double-free-in-teql_master_xmit.patch +net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch +net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch +net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch +clsact-fix-use-after-free-in-init-destroy-rollback-a.patch +net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch +acpica-update-the-format-of-arg3-of-_dsm.patch +igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch +igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch +iavf-fix-vlan-filter-lost-on-add-delete-race.patch +libie-prevent-memleak-in-fwlog-code.patch +wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch +wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch +wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch 
+acpi-processor-fix-previous-acpi_processor_errata_pi.patch +netdevsim-drop-psp-ext-ref-on-forward-failure.patch +net-macb-fix-uninitialized-rx_fs_lock.patch +net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch +net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch +net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch +udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch +net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch +netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch +netfilter-nf_tables-release-flowtable-after-rcu-grac.patch +nfnetlink_osf-validate-individual-option-lengths-in-.patch +net-mvpp2-guard-flow-control-update-with-global_tx_f.patch +net-shaper-protect-late-read-accesses-to-the-hierarc.patch +net-shaper-protect-from-late-creation-of-hierarchy.patch +net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch +icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch +mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch diff --git a/queue-6.18/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch b/queue-6.18/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch new file mode 100644 index 0000000000..a80dedd36c --- /dev/null +++ b/queue-6.18/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch 
@@ -0,0 +1,42 @@
+From eacd000a033f6201d592e3b1b0398611f4aa8145 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Feb 2026 09:59:04 +0800
+Subject: soc: fsl: cpm1: qmc: Fix error check for devm_ioremap_resource() in
+ qmc_qe_init_resources()
+
+From: Chen Ni
+
+[ Upstream commit 3f4e403304186d79fddace860360540fc3af97f9 ]
+
+Fix wrong variable used for error checking after devm_ioremap_resource()
+call. The function checks qmc->scc_pram instead of qmc->dpram, which
+could lead to incorrect error handling.
+
+Fixes: eb680d563089 ("soc: fsl: cpm1: qmc: Add support for QUICC Engine (QE) implementation")
+Signed-off-by: Chen Ni
+Acked-by: Herve Codina
+Link: https://lore.kernel.org/r/20260209015904.871269-1-nichen@iscas.ac.cn
+Signed-off-by: Christophe Leroy (CS GROUP)
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/fsl/qe/qmc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/fsl/qe/qmc.c b/drivers/soc/fsl/qe/qmc.c
+index da5ea6d356184..6db5ab05c2c1c 100644
+--- a/drivers/soc/fsl/qe/qmc.c
++++ b/drivers/soc/fsl/qe/qmc.c
+@@ -1799,8 +1799,8 @@ static int qmc_qe_init_resources(struct qmc *qmc, struct platform_device *pdev)
+ return -EINVAL;
+ qmc->dpram_offset = res->start - qe_muram_dma(qe_muram_addr(0));
+ qmc->dpram = devm_ioremap_resource(qmc->dev, res);
+- if (IS_ERR(qmc->scc_pram))
+- return PTR_ERR(qmc->scc_pram);
++ if (IS_ERR(qmc->dpram))
++ return PTR_ERR(qmc->dpram);
+ 
+ return 0;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.18/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch b/queue-6.18/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
new file mode 100644
index 0000000000..5d3bceec9c
--- /dev/null
+++ b/queue-6.18/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
@@ -0,0 +1,92 @@ +From 26e9d3bd358c1a9205b2adaa2fe7cbaea830261f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 08:25:49 +0100 +Subject: soc: fsl: qbman: fix race condition in qman_destroy_fq + +From: Richard Genoud + +[ Upstream commit 014077044e874e270ec480515edbc1cadb976cf2 ] + +When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between +fq_table[fq->idx] state and freeing/allocating from the pool and +WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. + +Indeed, we can have: + Thread A Thread B + qman_destroy_fq() qman_create_fq() + qman_release_fqid() + qman_shutdown_fq() + gen_pool_free() + -- At this point, the fqid is available again -- + qman_alloc_fqid() + -- so, we can get the just-freed fqid in thread B -- + fq->fqid = fqid; + fq->idx = fqid * 2; + WARN_ON(fq_table[fq->idx]); + fq_table[fq->idx] = fq; + fq_table[fq->idx] = NULL; + +And adding some logs between qman_release_fqid() and +fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more. + +To prevent that, ensure that fq_table[fq->idx] is set to NULL before +gen_pool_free() is called by using smp_wmb(). + +Fixes: c535e923bb97 ("soc/fsl: Introduce DPAA 1.x QMan device driver") +Signed-off-by: Richard Genoud +Tested-by: CHAMPSEIX Thomas +Link: https://lore.kernel.org/r/20251223072549.397625-1-richard.genoud@bootlin.com +Signed-off-by: Christophe Leroy (CS GROUP) +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qbman/qman.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c +index 9be240999f877..43a4e8d58b9bc 100644 +--- a/drivers/soc/fsl/qbman/qman.c ++++ b/drivers/soc/fsl/qbman/qman.c +@@ -1827,6 +1827,8 @@ EXPORT_SYMBOL(qman_create_fq); + + void qman_destroy_fq(struct qman_fq *fq) + { ++ int leaked; ++ + /* + * We don't need to lock the FQ as it is a pre-condition that the FQ be + * quiesced. Instead, run some checks. 
+@@ -1834,11 +1836,29 @@ void qman_destroy_fq(struct qman_fq *fq) + switch (fq->state) { + case qman_fq_state_parked: + case qman_fq_state_oos: +- if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) +- qman_release_fqid(fq->fqid); ++ /* ++ * There's a race condition here on releasing the fqid, ++ * setting the fq_table to NULL, and freeing the fqid. ++ * To prevent it, this order should be respected: ++ */ ++ if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) { ++ leaked = qman_shutdown_fq(fq->fqid); ++ if (leaked) ++ pr_debug("FQID %d leaked\n", fq->fqid); ++ } + + DPAA_ASSERT(fq_table[fq->idx]); + fq_table[fq->idx] = NULL; ++ ++ if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) && !leaked) { ++ /* ++ * fq_table[fq->idx] should be set to null before ++ * freeing fq->fqid otherwise it could by allocated by ++ * qman_alloc_fqid() while still being !NULL ++ */ ++ smp_wmb(); ++ gen_pool_free(qm_fqalloc, fq->fqid | DPAA_GENALLOC_OFF, 1); ++ } + return; + default: + break; +-- +2.51.0 + diff --git a/queue-6.18/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch b/queue-6.18/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch new file mode 100644 index 0000000000..8d42a4d84a --- /dev/null +++ b/queue-6.18/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch 
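Review bot: `leaked` is declared without an initializer and is only assigned inside the `if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))` block, so the later `&& !leaked` relies on short-circuit evaluation of the same flag test to avoid reading an indeterminate value; `int leaked = 0;` makes the invariant explicit and keeps -Wmaybe-uninitialized quiet. The new comment has a typo: `could by allocated` should read `could be allocated`. The `smp_wmb()` before `gen_pool_free()` is one-sided; unless gen_pool_alloc()'s atomics provide the matching acquire ordering on the qman_create_fq() side, a paired `smp_rmb()` before the `WARN_ON(fq_table[fq->idx])` check would be needed, and the comment should say which of the two is being relied on. The rest of qman_destroy_fq() lies outside the quoted hunk.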
@@ -0,0 +1,70 @@ +From 3a51bf23f52786e756ad0434c88b6ba3978ac0fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 12:48:36 +0000 +Subject: soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe() + +From: Zilin Guan + +[ Upstream commit 5a741f8cc6fe62542f955cd8d24933a1b6589cbd ] + +In mpfs_sys_controller_probe(), if of_get_mtd_device_by_node() fails, +the function returns immediately without freeing the allocated memory +for sys_controller, leading to a memory leak. + +Fix this by jumping to the out_free label to ensure the memory is +properly freed. + +Also, consolidate the error handling for the mbox_request_channel() +failure case to use the same label. + +Fixes: 742aa6c563d2 ("soc: microchip: mpfs: enable access to the system controller's flash") +Co-developed-by: Jianhao Xu +Signed-off-by: Jianhao Xu +Signed-off-by: Zilin Guan +Signed-off-by: Conor Dooley +Signed-off-by: Sasha Levin +--- + drivers/soc/microchip/mpfs-sys-controller.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/soc/microchip/mpfs-sys-controller.c b/drivers/soc/microchip/mpfs-sys-controller.c +index 30bc45d17d343..81636cfecd37e 100644 +--- a/drivers/soc/microchip/mpfs-sys-controller.c ++++ b/drivers/soc/microchip/mpfs-sys-controller.c +@@ -142,8 +142,10 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev) + + sys_controller->flash = of_get_mtd_device_by_node(np); + of_node_put(np); +- if (IS_ERR(sys_controller->flash)) +- return dev_err_probe(dev, PTR_ERR(sys_controller->flash), "Failed to get flash\n"); ++ if (IS_ERR(sys_controller->flash)) { ++ ret = dev_err_probe(dev, PTR_ERR(sys_controller->flash), "Failed to get flash\n"); ++ goto out_free; ++ } + + no_flash: + sys_controller->client.dev = dev; +@@ -155,8 +157,7 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev) + if (IS_ERR(sys_controller->chan)) { + ret = dev_err_probe(dev, PTR_ERR(sys_controller->chan), + "Failed to get mbox 
channel\n"); +- kfree(sys_controller); +- return ret; ++ goto out_free; + } + + init_completion(&sys_controller->c); +@@ -174,6 +175,10 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev) + dev_info(&pdev->dev, "Registered MPFS system controller\n"); + + return 0; ++ ++out_free: ++ kfree(sys_controller); ++ return ret; + } + + static void mpfs_sys_controller_remove(struct platform_device *pdev) +-- +2.51.0 + diff --git a/queue-6.18/soc-rockchip-grf-add-missing-of_node_put-when-return.patch b/queue-6.18/soc-rockchip-grf-add-missing-of_node_put-when-return.patch new file mode 100644 index 0000000000..f384e53ff9 --- /dev/null +++ b/queue-6.18/soc-rockchip-grf-add-missing-of_node_put-when-return.patch 
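Review bot: The consolidated `out_free` path only frees `sys_controller`, so when `mbox_request_channel()` fails after `of_get_mtd_device_by_node()` has succeeded, whatever reference that call took on the MTD device is not dropped; if remove() balances it with put_mtd_device(), this error path still leaks it. A guarded release before the `kfree()` at `out_free`, e.g. `if (!IS_ERR_OR_NULL(sys_controller->flash)) put_mtd_device(sys_controller->flash);`, would close that, provided `sys_controller` is zero-allocated so `flash` is NULL on the `no_flash` path (its allocation is outside the quoted hunk). This is pre-existing rather than introduced here, but the new shared label is the natural place to address it.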
@@ -0,0 +1,39 @@
+From 0a7162e81d3dd1ff59e444da69537efc98b78a92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Feb 2026 21:02:37 +0800
+Subject: soc: rockchip: grf: Add missing of_node_put() when returning
+
+From: Shawn Lin
+
+[ Upstream commit 24ed11ee5bacf9a9aca18fc6b47667c7f38d578b ]
+
+Fix the smatch checking:
+drivers/soc/rockchip/grf.c:249 rockchip_grf_init()
+warn: inconsistent refcounting 'np->kobj.kref.refcount.refs.counter':
+
+Reported-by: Dan Carpenter
+Fixes: 75fb63ae0312 ("soc: rockchip: grf: Support multiple grf to be handled")
+Closes: https://lore.kernel.org/all/aYXvgTcUJWQL2can@stanley.mountain/
+Signed-off-by: Shawn Lin
+Link: https://patch.msgid.link/1770814957-17762-1-git-send-email-shawn.lin@rock-chips.com
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/rockchip/grf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/rockchip/grf.c b/drivers/soc/rockchip/grf.c
+index db407fa279850..1f070e0becb52 100644
+--- a/drivers/soc/rockchip/grf.c
++++ b/drivers/soc/rockchip/grf.c
+@@ -216,6 +216,7 @@ static int __init rockchip_grf_init(void)
+ grf = syscon_node_to_regmap(np);
+ if (IS_ERR(grf)) {
+ pr_err("%s: could not get grf syscon\n", __func__);
++ of_node_put(np);
+ return PTR_ERR(grf);
+ }
+ 
+-- 
+2.51.0
+
diff --git a/queue-6.18/tee-shm-remove-refcounting-of-kernel-pages.patch b/queue-6.18/tee-shm-remove-refcounting-of-kernel-pages.patch
new file mode 100644
index 0000000000..6c56e74704
--- /dev/null
+++ b/queue-6.18/tee-shm-remove-refcounting-of-kernel-pages.patch
@@ -0,0 +1,93 @@ +From ccf6f7ed34a656d9d99557794e7cffea537e7dcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Feb 2026 14:19:59 +0530 +Subject: tee: shm: Remove refcounting of kernel pages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Wilcox + +[ Upstream commit 08d9a4580f71120be3c5b221af32dca00a48ceb0 ] + +Earlier TEE subsystem assumed to refcount all the memory pages to be +shared with TEE implementation to be refcounted. However, the slab +allocations within the kernel don't allow refcounting kernel pages. + +It is rather better to trust the kernel clients to not free pages while +being shared with TEE implementation. Hence, remove refcounting of kernel +pages from register_shm_helper() API. + +Fixes: b9c0e49abfca ("mm: decline to manipulate the refcount on a slab page") +Reported-by: Marco Felsch +Reported-by: Sven Püschel +Signed-off-by: Matthew Wilcox +Co-developed-by: Sumit Garg +Signed-off-by: Sumit Garg +Tested-by: Sven Püschel +Signed-off-by: Jens Wiklander +Signed-off-by: Sasha Levin +--- + drivers/tee/tee_shm.c | 27 --------------------------- + 1 file changed, 27 deletions(-) + +diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c +index 4a47de4bb2e5c..898707ca21a8e 100644 +--- a/drivers/tee/tee_shm.c ++++ b/drivers/tee/tee_shm.c +@@ -23,29 +23,11 @@ struct tee_shm_dma_mem { + struct page *page; + }; + +-static void shm_put_kernel_pages(struct page **pages, size_t page_count) +-{ +- size_t n; +- +- for (n = 0; n < page_count; n++) +- put_page(pages[n]); +-} +- +-static void shm_get_kernel_pages(struct page **pages, size_t page_count) +-{ +- size_t n; +- +- for (n = 0; n < page_count; n++) +- get_page(pages[n]); +-} +- + static void release_registered_pages(struct tee_shm *shm) + { + if (shm->pages) { + if (shm->flags & TEE_SHM_USER_MAPPED) + unpin_user_pages(shm->pages, shm->num_pages); +- else +- shm_put_kernel_pages(shm->pages, shm->num_pages); + + kfree(shm->pages); + 
} +@@ -477,13 +459,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, + goto err_put_shm_pages; + } + +- /* +- * iov_iter_extract_kvec_pages does not get reference on the pages, +- * get a reference on them. +- */ +- if (iov_iter_is_kvec(iter)) +- shm_get_kernel_pages(shm->pages, num_pages); +- + shm->offset = off; + shm->size = len; + shm->num_pages = num_pages; +@@ -499,8 +474,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, + err_put_shm_pages: + if (!iov_iter_is_kvec(iter)) + unpin_user_pages(shm->pages, shm->num_pages); +- else +- shm_put_kernel_pages(shm->pages, shm->num_pages); + err_free_shm_pages: + kfree(shm->pages); + err_free_shm: +-- +2.51.0 + diff --git a/queue-6.18/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch b/queue-6.18/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch new file mode 100644 index 0000000000..99c16b94df --- /dev/null +++ b/queue-6.18/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch 
@@ -0,0 +1,64 @@ +From 9af39cecf3c481916cb952f2b4490b9fde19e1a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 18:02:41 -0700 +Subject: udp_tunnel: fix NULL deref caused by udp_sock_create6 when + CONFIG_IPV6=n + +From: Xiang Mei + +[ Upstream commit b3a6df291fecf5f8a308953b65ca72b7fc9e015d ] + +When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 +(success) without actually creating a socket. Callers such as +fou_create() then proceed to dereference the uninitialized socket +pointer, resulting in a NULL pointer dereference. + +The captured NULL deref crash: + BUG: kernel NULL pointer dereference, address: 0000000000000018 + RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764) + [...] + Call Trace: + + genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114) + genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209) + [...] + netlink_rcv_skb (net/netlink/af_netlink.c:2550) + genl_rcv (net/netlink/genetlink.c:1219) + netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) + netlink_sendmsg (net/netlink/af_netlink.c:1894) + __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1)) + __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1)) + __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1)) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) + entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130) + +This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so +callers correctly take their error paths. There is only one caller of +the vulnerable function and only privileged users can trigger it. 
+ +Fixes: fd384412e199b ("udp_tunnel: Seperate ipv6 functions into its own file.") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260317010241.1893893-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/udp_tunnel.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h +index 9acef2fbd2fdc..d97ee26ba4f66 100644 +--- a/include/net/udp_tunnel.h ++++ b/include/net/udp_tunnel.h +@@ -47,7 +47,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, + static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, + struct socket **sockp) + { +- return 0; ++ return -EPFNOSUPPORT; + } + #endif + +-- +2.51.0 + diff --git a/queue-6.18/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch b/queue-6.18/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch new file mode 100644 index 0000000000..0977d381c1 --- /dev/null +++ b/queue-6.18/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch 
@@ -0,0 +1,51 @@
+From b4d299d035a00277470708dd71b0d3b18c3665b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Mar 2026 21:36:59 +0530
+Subject: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
+
+From: Peddolla Harshavardhan Reddy
+
+[ Upstream commit 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 ]
+
+When the nl80211 socket that originated a PMSR request is
+closed, cfg80211_release_pmsr() sets the request's nl_portid
+to zero and schedules pmsr_free_wk to process the abort
+asynchronously. If the interface is concurrently torn down
+before that work runs, cfg80211_pmsr_wdev_down() calls
+cfg80211_pmsr_process_abort() directly. However, the already-
+scheduled pmsr_free_wk work item remains pending and may run
+after the interface has been removed from the driver. This
+could cause the driver's abort_pmsr callback to operate on a
+torn-down interface, leading to undefined behavior and
+potential crashes.
+
+Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()
+before calling cfg80211_pmsr_process_abort(). This ensures any
+pending or in-progress work is drained before interface teardown
+proceeds, preventing the work from invoking the driver abort
+callback after the interface is gone.
+
+Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API")
+Signed-off-by: Peddolla Harshavardhan Reddy
+Link: https://patch.msgid.link/20260305160712.1263829-3-peddolla.reddy@oss.qualcomm.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/wireless/pmsr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c
+index a117f5093ca29..13801cf35e9fc 100644
+--- a/net/wireless/pmsr.c
++++ b/net/wireless/pmsr.c
+@@ -647,6 +647,7 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev)
+ }
+ spin_unlock_bh(&wdev->pmsr_lock);
+ 
++ cancel_work_sync(&wdev->pmsr_free_wk);
+ if (found)
+ cfg80211_pmsr_process_abort(wdev);
+ 
+-- 
+2.51.0
+
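Review bot: `cancel_work_sync(&wdev->pmsr_free_wk);` is called from cfg80211_pmsr_wdev_down(), which in the cfg80211 versions I know runs with the wiphy lock held, while cfg80211_pmsr_free_wk() takes that same lock before calling cfg80211_pmsr_process_abort(); if both still hold, a work item that has already started and is blocked on the lock cannot finish, and cancel_work_sync() waits on it indefinitely. That pairing is outside the quoted hunk, so please confirm it (lockdep's workqueue annotations should flag it the first time the work is in flight during teardown), or move the cancel to a point where the lock is not held. If it is safe, a one-line comment above the call recording why the work cannot be blocked on the caller's lock would keep the next reader from re-deriving this. The placement after `spin_unlock_bh()` is correct, since cancel_work_sync() can sleep.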
diff --git a/queue-6.18/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch b/queue-6.18/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch new file mode 100644 index 0000000000..4995667716 --- /dev/null +++ b/queue-6.18/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch 
@@ -0,0 +1,120 @@ +From 38d9215943d4712c07a103e46580c924067a6b33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Mar 2026 06:54:55 +0000 +Subject: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure + +From: Felix Fietkau + +[ Upstream commit d5ad6ab61cbd89afdb60881f6274f74328af3ee9 ] + +ieee80211_tx_prepare_skb() has three error paths, but only two of them +free the skb. The first error path (ieee80211_tx_prepare() returning +TX_DROP) does not free it, while invoke_tx_handlers() failure and the +fragmentation check both do. + +Add kfree_skb() to the first error path so all three are consistent, +and remove the now-redundant frees in callers (ath9k, mt76, +mac80211_hwsim) to avoid double-free. + +Document the skb ownership guarantee in the function's kdoc. + +Signed-off-by: Felix Fietkau +Link: https://patch.msgid.link/20260314065455.2462900-1-nbd@nbd.name +Fixes: 06be6b149f7e ("mac80211: add ieee80211_tx_prepare_skb() helper function") +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/channel.c | 6 ++---- + drivers/net/wireless/mediatek/mt76/scan.c | 4 +--- + drivers/net/wireless/virtual/mac80211_hwsim.c | 1 - + include/net/mac80211.h | 4 +++- + net/mac80211/tx.c | 4 +++- + 5 files changed, 9 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/channel.c b/drivers/net/wireless/ath/ath9k/channel.c +index 121e51ce1bc0e..8b27d8cc086ab 100644 +--- a/drivers/net/wireless/ath/ath9k/channel.c ++++ b/drivers/net/wireless/ath/ath9k/channel.c +@@ -1006,7 +1006,7 @@ static void ath_scan_send_probe(struct ath_softc *sc, + skb_set_queue_mapping(skb, IEEE80211_AC_VO); + + if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, NULL)) +- goto error; ++ return; + + txctl.txq = sc->tx.txq_map[IEEE80211_AC_VO]; + if (ath_tx_start(sc->hw, skb, &txctl)) +@@ -1119,10 +1119,8 @@ ath_chanctx_send_vif_ps_frame(struct ath_softc *sc, struct ath_vif *avp, + + skb->priority = 7; + 
skb_set_queue_mapping(skb, IEEE80211_AC_VO); +- if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, &sta)) { +- dev_kfree_skb_any(skb); ++ if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, &sta)) + return false; +- } + break; + default: + return false; +diff --git a/drivers/net/wireless/mediatek/mt76/scan.c b/drivers/net/wireless/mediatek/mt76/scan.c +index 5a875aac410fc..3d9cf6f5e137f 100644 +--- a/drivers/net/wireless/mediatek/mt76/scan.c ++++ b/drivers/net/wireless/mediatek/mt76/scan.c +@@ -63,10 +63,8 @@ mt76_scan_send_probe(struct mt76_dev *dev, struct cfg80211_ssid *ssid) + + rcu_read_lock(); + +- if (!ieee80211_tx_prepare_skb(phy->hw, vif, skb, band, NULL)) { +- ieee80211_free_txskb(phy->hw, skb); ++ if (!ieee80211_tx_prepare_skb(phy->hw, vif, skb, band, NULL)) + goto out; +- } + + info = IEEE80211_SKB_CB(skb); + if (req->no_cck) +diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c +index 2f263d89d2d69..20815fdc9d376 100644 +--- a/drivers/net/wireless/virtual/mac80211_hwsim.c ++++ b/drivers/net/wireless/virtual/mac80211_hwsim.c +@@ -3021,7 +3021,6 @@ static void hw_scan_work(struct work_struct *work) + hwsim->tmp_chan->band, + NULL)) { + rcu_read_unlock(); +- kfree_skb(probe); + continue; + } + +diff --git a/include/net/mac80211.h b/include/net/mac80211.h +index a55085cf4ec49..ac2546b121385 100644 +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -7289,7 +7289,9 @@ void ieee80211_report_wowlan_wakeup(struct ieee80211_vif *vif, + * @band: the band to transmit on + * @sta: optional pointer to get the station to send the frame to + * +- * Return: %true if the skb was prepared, %false otherwise ++ * Return: %true if the skb was prepared, %false otherwise. ++ * On failure, the skb is freed by this function; callers must not ++ * free it again. 
+ * + * Note: must be called under RCU lock + */ +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 160667be3f4d2..2f830001b0cd6 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -1896,8 +1896,10 @@ bool ieee80211_tx_prepare_skb(struct ieee80211_hw *hw, + struct ieee80211_tx_data tx; + struct sk_buff *skb2; + +- if (ieee80211_tx_prepare(sdata, &tx, NULL, skb) == TX_DROP) ++ if (ieee80211_tx_prepare(sdata, &tx, NULL, skb) == TX_DROP) { ++ kfree_skb(skb); + return false; ++ } + + info->band = band; + info->control.vif = vif; +-- +2.51.0 + diff --git a/queue-6.18/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch b/queue-6.18/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch new file mode 100644 index 0000000000..9399d3724a --- /dev/null +++ b/queue-6.18/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch 
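Review bot: The mt76 caller previously released the skb with `ieee80211_free_txskb(phy->hw, skb)`, whereas the common error path added in net/mac80211/tx.c uses plain `kfree_skb(skb)`; if ieee80211_free_txskb() performs extra bookkeeping for the skb (tx-status reporting), that is now skipped for the mt76 probe path. If that is intentional because a probe that never reached a driver has no status consumer, say so at the new call: `/* Drop without status reporting: no driver has seen this skb yet. */`. It is also worth confirming that the `error:` label in ath9k's ath_scan_send_probe(), which the new `return;` bypasses and which is outside the hunk, did nothing beyond freeing the skb.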
@@ -0,0 +1,81 @@ +From 43c6a2174d8ad01117d0b835e5729489ec658b95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 20:42:44 -0700 +Subject: wifi: mac80211: fix NULL deref in mesh_matches_local() + +From: Xiang Mei + +[ Upstream commit c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd ] + +mesh_matches_local() unconditionally dereferences ie->mesh_config to +compare mesh configuration parameters. When called from +mesh_rx_csa_frame(), the parsed action-frame elements may not contain a +Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a +kernel NULL pointer dereference. + +The other two callers are already safe: + - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before + calling mesh_matches_local() + - mesh_plink_get_event() is only reached through + mesh_process_plink_frame(), which checks !elems->mesh_config, too + +mesh_rx_csa_frame() is the only caller that passes raw parsed elements +to mesh_matches_local() without guarding mesh_config. An adjacent +attacker can exploit this by sending a crafted CSA action frame that +includes a valid Mesh ID IE but omits the Mesh Configuration IE, +crashing the kernel. + +The captured crash log: + +Oops: general protection fault, probably for non-canonical address ... +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +Workqueue: events_unbound cfg80211_wiphy_work +[...] +Call Trace: + + ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65) + ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686) + [...] + ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802) + [...] + cfg80211_wiphy_work (net/wireless/core.c:426) + process_one_work (net/kernel/workqueue.c:3280) + ? assign_work (net/kernel/workqueue.c:1219) + worker_thread (net/kernel/workqueue.c:3352) + ? __pfx_worker_thread (net/kernel/workqueue.c:3385) + kthread (net/kernel/kthread.c:436) + [...] 
+ ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255) + + +This patch adds a NULL check for ie->mesh_config at the top of +mesh_matches_local() to return false early when the Mesh Configuration +IE is absent. + +Fixes: 2e3c8736820b ("mac80211: support functions for mesh") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260318034244.2595020-1-xmei5@asu.edu +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c +index e235ab7a5651c..4b0eebd5c7cf8 100644 +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -79,6 +79,9 @@ bool mesh_matches_local(struct ieee80211_sub_if_data *sdata, + * - MDA enabled + * - Power management control on fc + */ ++ if (!ie->mesh_config) ++ return false; ++ + if (!(ifmsh->mesh_id_len == ie->mesh_id_len && + memcmp(ifmsh->mesh_id, ie->mesh_id, ie->mesh_id_len) == 0 && + (ifmsh->mesh_pp_id == ie->mesh_config->meshconf_psel) && +-- +2.51.0 + diff --git a/queue-6.18/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch b/queue-6.18/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch new file mode 100644 index 0000000000..8776d072f9 --- /dev/null +++ b/queue-6.18/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch 
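Review bot: The comment block directly above the new guard in mesh_matches_local() lists the fields the function compares, but does not say that a missing Mesh Configuration element is now treated as a mismatch; add a line to that list or a comment on the guard, `/* Mesh Configuration is mandatory for a match; CSA action frames may omit it. */`. The `if (!ie->mesh_config) return false;` lands before the first `ie->mesh_config->` dereference on the mesh_pp_id comparison, which is the right place. The message says mesh_rx_csa_frame() (not in the hunk) is the only caller that passes unguarded elements, so a `!elems->mesh_config` check there would also bring it into line with the other two callers. The function continues outside the hunk.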
@@ -0,0 +1,112 @@ +From e0f55465b6250a94eef8ccd470d16290d92e4225 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 07:24:02 +0000 +Subject: wifi: mac80211: Fix static_branch_dec() underflow for aql_disable. + +From: Kuniyuki Iwashima + +[ Upstream commit b94ae8e0d5fe1bdbbfdc3854ff6ce98f6876a828 ] + +syzbot reported static_branch_dec() underflow in aql_enable_write(). [0] + +The problem is that aql_enable_write() does not serialise concurrent +write()s to the debugfs. + +aql_enable_write() checks static_key_false(&aql_disable.key) and +later calls static_branch_inc() or static_branch_dec(), but the +state may change between the two calls. + +aql_disable does not need to track inc/dec. + +Let's use static_branch_enable() and static_branch_disable(). + +[0]: +val == 0 +WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288 +Modules linked in: +CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G U L syzkaller #0 PREEMPT(full) +Tainted: [U]=USER, [L]=SOFTLOCKUP +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 +RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311 +Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00 +RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4 +RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000 +RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a +R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98 +FS: 00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000200000001140 CR3: 
000000007cc4a000 CR4: 00000000003526f0 +Call Trace: + + __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline] + __static_key_slow_dec kernel/jump_label.c:321 [inline] + static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336 + aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343 + short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383 + vfs_write+0x2aa/0x1070 fs/read_write.c:684 + ksys_pwrite64 fs/read_write.c:793 [inline] + __do_sys_pwrite64 fs/read_write.c:801 [inline] + __se_sys_pwrite64 fs/read_write.c:798 [inline] + __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f530cf9aeb9 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012 +RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9 +RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010 +RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000 +R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978 + + +Fixes: e908435e402a ("mac80211: introduce aql_enable node in debugfs") +Reported-by: syzbot+feb9ce36a95341bb47a4@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/69a8979e.a70a0220.b118c.0025.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260306072405.3649474-1-kuniyu@google.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/debugfs.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c +index d02f07368c511..687a66cd49433 100644 +--- 
a/net/mac80211/debugfs.c ++++ b/net/mac80211/debugfs.c +@@ -320,7 +320,6 @@ static ssize_t aql_enable_read(struct file *file, char __user *user_buf, + static ssize_t aql_enable_write(struct file *file, const char __user *user_buf, + size_t count, loff_t *ppos) + { +- bool aql_disabled = static_key_false(&aql_disable.key); + char buf[3]; + size_t len; + +@@ -335,15 +334,12 @@ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf, + if (len > 0 && buf[len - 1] == '\n') + buf[len - 1] = 0; + +- if (buf[0] == '0' && buf[1] == '\0') { +- if (!aql_disabled) +- static_branch_inc(&aql_disable); +- } else if (buf[0] == '1' && buf[1] == '\0') { +- if (aql_disabled) +- static_branch_dec(&aql_disable); +- } else { ++ if (buf[0] == '0' && buf[1] == '\0') ++ static_branch_enable(&aql_disable); ++ else if (buf[0] == '1' && buf[1] == '\0') ++ static_branch_disable(&aql_disable); ++ else + return -EINVAL; +- } + + return count; + } +-- +2.51.0 + diff --git a/queue-6.18/wifi-mac80211-remove-keys-after-disabling-beaconing.patch b/queue-6.18/wifi-mac80211-remove-keys-after-disabling-beaconing.patch new file mode 100644 index 0000000000..13447b8713 --- /dev/null +++ b/queue-6.18/wifi-mac80211-remove-keys-after-disabling-beaconing.patch 
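Review bot: The switch to `static_branch_enable()`/`static_branch_disable()` in aql_enable_write() removes the check-then-act race, but nothing in the code records why `static_branch_inc()`/`dec()` must not come back; a line above the new `if (buf[0] == '0' && buf[1] == '\0')` would do it: `/* enable/disable, not inc/dec: writers are not serialised and the key is a plain boolean. */`. The `buf[1] == '\0'` tests rely on the copy-from-user and NUL termination between the two hunks, which are outside this view, so the `char buf[3]` sizing cannot be checked here.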
@@ -0,0 +1,56 @@
+From 0cc1ad6c442deb817db4e8ba2e3e192cdbdc132f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 3 Mar 2026 15:03:39 +0100
+Subject: wifi: mac80211: remove keys after disabling beaconing
+
+From: Johannes Berg
+
+[ Upstream commit 708bbb45537780a8d3721ca1e0cf1932c1d1bf5f ]
+
+We shouldn't remove keys before disable beaconing, at least when
+beacon protection is used, since that would remove keys that are
+still used for beacon transmission at the same time. Stop before
+removing keys so there's no race.
+
+Fixes: af2d14b01c32 ("mac80211: Beacon protection using the new BIGTK (STA)")
+Reviewed-by: Miriam Rachel Korenblit
+Link: https://patch.msgid.link/20260303150339.574e7887b3ab.I50d708f5aa22584506a91d0da7f8a73ba39fceac@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/cfg.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index e18df59951a82..d32eacbb7517d 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1872,12 +1872,6 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev,
+ 
+ __sta_info_flush(sdata, true, link_id, NULL);
+ 
+- ieee80211_remove_link_keys(link, &keys);
+- if (!list_empty(&keys)) {
+- synchronize_net();
+- ieee80211_free_key_list(local, &keys);
+- }
+-
+ ieee80211_stop_mbssid(sdata);
+ RCU_INIT_POINTER(link_conf->tx_bss_conf, NULL);
+ 
+@@ -1889,6 +1883,12 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev,
+ ieee80211_link_info_change_notify(sdata, link,
+ BSS_CHANGED_BEACON_ENABLED);
+ 
++ ieee80211_remove_link_keys(link, &keys);
++ if (!list_empty(&keys)) {
++ synchronize_net();
++ ieee80211_free_key_list(local, &keys);
++ }
++
+ if (sdata->wdev.links[link_id].cac_started) {
+ chandef = link_conf->chanreq.oper;
+ wiphy_delayed_work_cancel(wiphy, &link->dfs_cac_timer_work);
+--
+2.51.0
+
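Review bot: The relocated `ieee80211_remove_link_keys()` block in ieee80211_stop_ap() carries no comment on why it must follow the BSS_CHANGED_BEACON_ENABLED notification, so a later cleanup could move it back next to `__sta_info_flush()` and reintroduce the race; add `/* Remove keys only after beaconing is off: the BIGTK is still used for beacon protection until then. */` above it. The function body between the two hunks is not visible, so whether any step there (ieee80211_stop_mbssid(), the tx_bss_conf reset) assumed the keys were already gone cannot be confirmed from this view.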
diff --git a/queue-6.18/wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch b/queue-6.18/wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch
new file mode 100644
index 0000000000..415bb66d24
--- /dev/null
+++ b/queue-6.18/wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch
@@ -0,0 +1,54 @@ +From aed56b2e99326a35a2d3e2854d6fe4473ab84ff6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2026 17:06:39 +0100 +Subject: wifi: mac80211: use jiffies_delta_to_msecs() for sta_info inactive + times + +From: Nicolas Cavallari + +[ Upstream commit ac6f24cc9c0a9aefa55ec9696dcafa971d4d760b ] + +Inactive times of around 0xffffffff milliseconds have been observed on +an ath9k device on ARM. This is likely due to a memory ordering race in +the jiffies_to_msecs(jiffies - last_active()) calculation causing an +overflow when the observed jiffies is below ieee80211_sta_last_active(). + +Use jiffies_delta_to_msecs() instead to avoid this problem. + +Fixes: 7bbdd2d98797 ("mac80211: implement station stats retrieval") +Signed-off-by: Nicolas Cavallari +Link: https://patch.msgid.link/20260303161701.31808-1-nicolas.cavallari@green-communications.fr +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 1a995bc301b19..b0d9bb830f293 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -2759,7 +2759,9 @@ static void sta_set_link_sinfo(struct sta_info *sta, + } + + link_sinfo->inactive_time = +- jiffies_to_msecs(jiffies - ieee80211_sta_last_active(sta, link_id)); ++ jiffies_delta_to_msecs(jiffies - ++ ieee80211_sta_last_active(sta, ++ link_id)); + + if (!(link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES64) | + BIT_ULL(NL80211_STA_INFO_TX_BYTES)))) { +@@ -2992,7 +2994,8 @@ void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo, + sinfo->connected_time = ktime_get_seconds() - sta->last_connected; + sinfo->assoc_at = sta->assoc_at; + sinfo->inactive_time = +- jiffies_to_msecs(jiffies - ieee80211_sta_last_active(sta, -1)); ++ jiffies_delta_to_msecs(jiffies - ++ ieee80211_sta_last_active(sta, -1)); + + if (!(sinfo->filled & 
(BIT_ULL(NL80211_STA_INFO_TX_BYTES64) | + BIT_ULL(NL80211_STA_INFO_TX_BYTES)))) { +-- +2.51.0 + diff --git a/queue-6.18/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch b/queue-6.18/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch new file mode 100644 index 0000000000..2bb09c5801 --- /dev/null +++ b/queue-6.18/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch 
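Review bot: `jiffies_delta_to_msecs()` clamps a negative delta to zero, which masks the race between sampling `jiffies` and a concurrent update of the station's last-active time rather than removing it; that is fine for a statistic, but the reason should be stated at the first site in sta_set_link_sinfo(): `/* last_active may advance past the sampled jiffies on another CPU; clamp instead of wrapping to ~0xffffffff. */`. The same applies to the second site in sta_set_sinfo(). Computing `jiffies - ieee80211_sta_last_active(...)` into a local `long delta` first would also avoid the three-line argument wrapping at both call sites.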
@@ -0,0 +1,54 @@ +From 3f13ece2adc940b9b7a2a3f5c0cc722bbc65e0bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 23:46:36 -0700 +Subject: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not + enough headroom + +From: Guenter Roeck + +[ Upstream commit deb353d9bb009638b7762cae2d0b6e8fdbb41a69 ] + +Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom +before skb_push"), wl1271_tx_allocate() and with it +wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails. +However, in wlcore_tx_work_locked(), a return value of -EAGAIN from +wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being +full. This causes the code to flush the buffer, put the skb back at the +head of the queue, and immediately retry the same skb in a tight while +loop. + +Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens +immediately with GFP_ATOMIC, this will result in an infinite loop and a +CPU soft lockup. Return -ENOMEM instead so the packet is dropped and +the loop terminates. + +The problem was found by an experimental code review agent based on +gemini-3.1-pro while reviewing backports into v6.18.y. 
+ +Assisted-by: Gemini:gemini-3.1-pro +Fixes: e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push") +Cc: Peter Astrand +Signed-off-by: Guenter Roeck +Link: https://patch.msgid.link/20260318064636.3065925-1-linux@roeck-us.net +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wlcore/tx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c +index f251627c24c6e..3c0f8f3ba2668 100644 +--- a/drivers/net/wireless/ti/wlcore/tx.c ++++ b/drivers/net/wireless/ti/wlcore/tx.c +@@ -210,7 +210,7 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif, + if (skb_headroom(skb) < (total_len - skb->len) && + pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) { + wl1271_free_tx_id(wl, id); +- return -EAGAIN; ++ return -ENOMEM; + } + desc = skb_push(skb, total_len - skb->len); + +-- +2.51.0 + diff --git a/queue-6.19/acpi-processor-fix-previous-acpi_processor_errata_pi.patch b/queue-6.19/acpi-processor-fix-previous-acpi_processor_errata_pi.patch new file mode 100644 index 0000000000..248cb69947 --- /dev/null +++ b/queue-6.19/acpi-processor-fix-previous-acpi_processor_errata_pi.patch 
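Review bot: The new `return -ENOMEM;` in wl1271_tx_allocate() has no comment, and the reason it must not be -EAGAIN lives only in the commit message; since wlcore_tx_work_locked() (outside the hunk) treats -EAGAIN as "aggregation buffer full, retry", a comment at the return would prevent a reintroduction: `/* Not -EAGAIN: the caller would requeue and retry this skb in a tight loop under wl->mutex. */`. Whether the caller actually drops and frees the skb on -ENOMEM, as the message states, cannot be verified from this view.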
@@ -0,0 +1,74 @@ +From 14e3c7a73b3ec057e94bb3e82ac33cd33e4e4843 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 21:39:05 +0100 +Subject: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix + +From: Rafael J. Wysocki + +[ Upstream commit bf504b229cb8d534eccbaeaa23eba34c05131e25 ] + +After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference +in acpi_processor_errata_piix4()"), device pointers may be dereferenced +after dropping references to the device objects pointed to by them, +which may cause a use-after-free to occur. + +Moreover, debug messages about enabling the errata may be printed +if the errata flags corresponding to them are unset. + +Address all of these issues by moving message printing to the points +in the code where the errata flags are set. + +Fixes: f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()") +Reported-by: Guenter Roeck +Closes: https://lore.kernel.org/linux-acpi/938e2206-def5-4b7a-9b2c-d1fd37681d8a@roeck-us.net/ +Reviewed-by: Guenter Roeck +Signed-off-by: Rafael J. 
Wysocki +Link: https://patch.msgid.link/5975693.DvuYhMxLoT@rafael.j.wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_processor.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c +index 85096ce7b658b..5a562e27d3a80 100644 +--- a/drivers/acpi/acpi_processor.c ++++ b/drivers/acpi/acpi_processor.c +@@ -113,6 +113,10 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev) + PCI_ANY_ID, PCI_ANY_ID, NULL); + if (ide_dev) { + errata.piix4.bmisx = pci_resource_start(ide_dev, 4); ++ if (errata.piix4.bmisx) ++ dev_dbg(&ide_dev->dev, ++ "Bus master activity detection (BM-IDE) erratum enabled\n"); ++ + pci_dev_put(ide_dev); + } + +@@ -131,20 +135,17 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev) + if (isa_dev) { + pci_read_config_byte(isa_dev, 0x76, &value1); + pci_read_config_byte(isa_dev, 0x77, &value2); +- if ((value1 & 0x80) || (value2 & 0x80)) ++ if ((value1 & 0x80) || (value2 & 0x80)) { + errata.piix4.fdma = 1; ++ dev_dbg(&isa_dev->dev, ++ "Type-F DMA livelock erratum (C3 disabled)\n"); ++ } + pci_dev_put(isa_dev); + } + + break; + } + +- if (ide_dev) +- dev_dbg(&ide_dev->dev, "Bus master activity detection (BM-IDE) erratum enabled\n"); +- +- if (isa_dev) +- dev_dbg(&isa_dev->dev, "Type-F DMA livelock erratum (C3 disabled)\n"); +- + return 0; + } + +-- +2.51.0 + diff --git a/queue-6.19/acpica-update-the-format-of-arg3-of-_dsm.patch b/queue-6.19/acpica-update-the-format-of-arg3-of-_dsm.patch new file mode 100644 index 0000000000..22a72777a1 --- /dev/null +++ b/queue-6.19/acpica-update-the-format-of-arg3-of-_dsm.patch 
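Review bot: The two `pci_read_config_byte()` calls in acpi_processor_errata_piix4() still ignore their return values, so if either read fails `value1`/`value2` keep whatever they held before (their declarations are outside the hunk) and the Type-F DMA flag can be set from stale data. Tying the decision to successful reads, e.g. `if (!pci_read_config_byte(isa_dev, 0x76, &value1) && !pci_read_config_byte(isa_dev, 0x77, &value2) && ((value1 & 0x80) || (value2 & 0x80)))`, closes that gap. The moved `dev_dbg()` calls now run before the matching `pci_dev_put()`, which is the correct side of the reference drop.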
@@ -0,0 +1,37 @@ +From 5902fbdb71f7106a64d470d65c936549aae35345 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 20:34:49 +0100 +Subject: ACPICA: Update the format of Arg3 of _DSM + +From: Saket Dumbre + +[ Upstream commit ab93d7eee94205430fc3b0532557cb0494bf2faf ] + +To get rid of type incompatibility warnings in Linux. + +Fixes: 81f92cff6d42 ("ACPICA: ACPI_TYPE_ANY does not include the package type") +Link: https://github.com/acpica/acpica/commit/4fb74872dcec +Signed-off-by: Saket Dumbre +Signed-off-by: Rafael J. Wysocki +Link: https://patch.msgid.link/12856643.O9o76ZdvQC@rafael.j.wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/acpredef.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpica/acpredef.h b/drivers/acpi/acpica/acpredef.h +index da2c45880cc7e..c9e65c6a20690 100644 +--- a/drivers/acpi/acpica/acpredef.h ++++ b/drivers/acpi/acpica/acpredef.h +@@ -450,7 +450,7 @@ const union acpi_predefined_info acpi_gbl_predefined_methods[] = { + + {{"_DSM", + METHOD_4ARGS(ACPI_TYPE_BUFFER, ACPI_TYPE_INTEGER, ACPI_TYPE_INTEGER, +- ACPI_TYPE_ANY | ACPI_TYPE_PACKAGE) | ++ ACPI_TYPE_PACKAGE | ACPI_TYPE_ANY) | + ARG_COUNT_IS_MINIMUM, + METHOD_RETURNS(ACPI_RTYPE_ALL)}}, /* Must return a value, but it can be of any type */ + +-- +2.51.0 + diff --git a/queue-6.19/af_unix-give-up-gc-if-msg_peek-intervened.patch b/queue-6.19/af_unix-give-up-gc-if-msg_peek-intervened.patch new file mode 100644 index 0000000000..d4be92bc2e --- /dev/null +++ b/queue-6.19/af_unix-give-up-gc-if-msg_peek-intervened.patch 
@@ -0,0 +1,256 @@ +From 88f9c738cf4e62b41d6d7b0833d616aca9439f35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 05:40:40 +0000 +Subject: af_unix: Give up GC if MSG_PEEK intervened. + +From: Kuniyuki Iwashima + +[ Upstream commit e5b31d988a41549037b8d8721a3c3cae893d8670 ] + +Igor Ushakov reported that GC purged the receive queue of +an alive socket due to a race with MSG_PEEK with a nice repro. + +This is the exact same issue previously fixed by commit +cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK"). + +After GC was replaced with the current algorithm, the cited +commit removed the locking dance in unix_peek_fds() and +reintroduced the same issue. + +The problem is that MSG_PEEK bumps a file refcount without +interacting with GC. + +Consider an SCC containing sk-A and sk-B, where sk-A is +close()d but can be recv()ed via sk-B. + +The bad thing happens if sk-A is recv()ed with MSG_PEEK from +sk-B and sk-B is close()d while GC is checking unix_vertex_dead() +for sk-A and sk-B. + + GC thread User thread + --------- ----------- + unix_vertex_dead(sk-A) + -> true <------. + \ + `------ recv(sk-B, MSG_PEEK) + invalidate !! -> sk-A's file refcount : 1 -> 2 + + close(sk-B) + -> sk-B's file refcount : 2 -> 1 + unix_vertex_dead(sk-B) + -> true + +Initially, sk-A's file refcount is 1 by the inflight fd in sk-B +recvq. GC thinks sk-A is dead because the file refcount is the +same as the number of its inflight fds. + +However, sk-A's file refcount is bumped silently by MSG_PEEK, +which invalidates the previous evaluation. + +At this moment, sk-B's file refcount is 2; one by the open fd, +and one by the inflight fd in sk-A. The subsequent close() +releases one refcount by the former. + +Finally, GC incorrectly concludes that both sk-A and sk-B are dead. + +One option is to restore the locking dance in unix_peek_fds(), +but we can resolve this more elegantly thanks to the new algorithm. 
+ +The point is that the issue does not occur without the subsequent +close() and we actually do not need to synchronise MSG_PEEK with +the dead SCC detection. + +When the issue occurs, close() and GC touch the same file refcount. +If GC sees the refcount being decremented by close(), it can just +give up garbage-collecting the SCC. + +Therefore, we only need to signal the race during MSG_PEEK with +a proper memory barrier to make it visible to the GC. + +Let's use seqcount_t to notify GC when MSG_PEEK occurs and let +it defer the SCC to the next run. + +This way no locking is needed on the MSG_PEEK side, and we can +avoid imposing a penalty on every MSG_PEEK unnecessarily. + +Note that we can retry within unix_scc_dead() if MSG_PEEK is +detected, but we do not do so to avoid hung task splat from +abusive MSG_PEEK calls. + +Fixes: 118f457da9ed ("af_unix: Remove lock dance in unix_peek_fds().") +Reported-by: Igor Ushakov +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260311054043.1231316-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 ++ + net/unix/af_unix.h | 1 + + net/unix/garbage.c | 79 ++++++++++++++++++++++++++++++---------------- + 3 files changed, 54 insertions(+), 28 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 6965b9a49d68a..3db79e83d2114 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1958,6 +1958,8 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb) + static void unix_peek_fds(struct scm_cookie *scm, struct sk_buff *skb) + { + scm->fp = scm_fp_dup(UNIXCB(skb).fp); ++ ++ unix_peek_fpl(scm->fp); + } + + static void unix_destruct_scm(struct sk_buff *skb) +diff --git a/net/unix/af_unix.h b/net/unix/af_unix.h +index c4f1b2da363de..8119dbeef3a3c 100644 +--- a/net/unix/af_unix.h ++++ b/net/unix/af_unix.h +@@ -29,6 +29,7 @@ void unix_del_edges(struct scm_fp_list *fpl); + void unix_update_edges(struct unix_sock 
*receiver); + int unix_prepare_fpl(struct scm_fp_list *fpl); + void unix_destroy_fpl(struct scm_fp_list *fpl); ++void unix_peek_fpl(struct scm_fp_list *fpl); + void unix_schedule_gc(struct user_struct *user); + + /* SOCK_DIAG */ +diff --git a/net/unix/garbage.c b/net/unix/garbage.c +index 25f65817faab9..aaa5f5bf51cad 100644 +--- a/net/unix/garbage.c ++++ b/net/unix/garbage.c +@@ -318,6 +318,25 @@ void unix_destroy_fpl(struct scm_fp_list *fpl) + unix_free_vertices(fpl); + } + ++static bool gc_in_progress; ++static seqcount_t unix_peek_seq = SEQCNT_ZERO(unix_peek_seq); ++ ++void unix_peek_fpl(struct scm_fp_list *fpl) ++{ ++ static DEFINE_SPINLOCK(unix_peek_lock); ++ ++ if (!fpl || !fpl->count_unix) ++ return; ++ ++ if (!READ_ONCE(gc_in_progress)) ++ return; ++ ++ /* Invalidate the final refcnt check in unix_vertex_dead(). */ ++ spin_lock(&unix_peek_lock); ++ raw_write_seqcount_barrier(&unix_peek_seq); ++ spin_unlock(&unix_peek_lock); ++} ++ + static bool unix_vertex_dead(struct unix_vertex *vertex) + { + struct unix_edge *edge; +@@ -351,6 +370,36 @@ static bool unix_vertex_dead(struct unix_vertex *vertex) + return true; + } + ++static LIST_HEAD(unix_visited_vertices); ++static unsigned long unix_vertex_grouped_index = UNIX_VERTEX_INDEX_MARK2; ++ ++static bool unix_scc_dead(struct list_head *scc, bool fast) ++{ ++ struct unix_vertex *vertex; ++ bool scc_dead = true; ++ unsigned int seq; ++ ++ seq = read_seqcount_begin(&unix_peek_seq); ++ ++ list_for_each_entry_reverse(vertex, scc, scc_entry) { ++ /* Don't restart DFS from this vertex. */ ++ list_move_tail(&vertex->entry, &unix_visited_vertices); ++ ++ /* Mark vertex as off-stack for __unix_walk_scc(). */ ++ if (!fast) ++ vertex->index = unix_vertex_grouped_index; ++ ++ if (scc_dead) ++ scc_dead = unix_vertex_dead(vertex); ++ } ++ ++ /* If MSG_PEEK intervened, defer this SCC to the next round. 
*/ ++ if (read_seqcount_retry(&unix_peek_seq, seq)) ++ return false; ++ ++ return scc_dead; ++} ++ + static void unix_collect_skb(struct list_head *scc, struct sk_buff_head *hitlist) + { + struct unix_vertex *vertex; +@@ -404,9 +453,6 @@ static bool unix_scc_cyclic(struct list_head *scc) + return false; + } + +-static LIST_HEAD(unix_visited_vertices); +-static unsigned long unix_vertex_grouped_index = UNIX_VERTEX_INDEX_MARK2; +- + static unsigned long __unix_walk_scc(struct unix_vertex *vertex, + unsigned long *last_index, + struct sk_buff_head *hitlist) +@@ -474,9 +520,7 @@ static unsigned long __unix_walk_scc(struct unix_vertex *vertex, + } + + if (vertex->index == vertex->scc_index) { +- struct unix_vertex *v; + struct list_head scc; +- bool scc_dead = true; + + /* SCC finalised. + * +@@ -485,18 +529,7 @@ static unsigned long __unix_walk_scc(struct unix_vertex *vertex, + */ + __list_cut_position(&scc, &vertex_stack, &vertex->scc_entry); + +- list_for_each_entry_reverse(v, &scc, scc_entry) { +- /* Don't restart DFS from this vertex in unix_walk_scc(). */ +- list_move_tail(&v->entry, &unix_visited_vertices); +- +- /* Mark vertex as off-stack. 
*/ +- v->index = unix_vertex_grouped_index; +- +- if (scc_dead) +- scc_dead = unix_vertex_dead(v); +- } +- +- if (scc_dead) { ++ if (unix_scc_dead(&scc, false)) { + unix_collect_skb(&scc, hitlist); + } else { + if (unix_vertex_max_scc_index < vertex->scc_index) +@@ -550,19 +583,11 @@ static void unix_walk_scc_fast(struct sk_buff_head *hitlist) + while (!list_empty(&unix_unvisited_vertices)) { + struct unix_vertex *vertex; + struct list_head scc; +- bool scc_dead = true; + + vertex = list_first_entry(&unix_unvisited_vertices, typeof(*vertex), entry); + list_add(&scc, &vertex->scc_entry); + +- list_for_each_entry_reverse(vertex, &scc, scc_entry) { +- list_move_tail(&vertex->entry, &unix_visited_vertices); +- +- if (scc_dead) +- scc_dead = unix_vertex_dead(vertex); +- } +- +- if (scc_dead) { ++ if (unix_scc_dead(&scc, true)) { + cyclic_sccs--; + unix_collect_skb(&scc, hitlist); + } +@@ -577,8 +602,6 @@ static void unix_walk_scc_fast(struct sk_buff_head *hitlist) + cyclic_sccs ? UNIX_GRAPH_CYCLIC : UNIX_GRAPH_NOT_CYCLIC); + } + +-static bool gc_in_progress; +- + static void unix_gc(struct work_struct *work) + { + struct sk_buff_head hitlist; +-- +2.51.0 + diff --git a/queue-6.19/arm64-dts-renesas-r8a78000-fix-out-of-range-spi-inte.patch b/queue-6.19/arm64-dts-renesas-r8a78000-fix-out-of-range-spi-inte.patch new file mode 100644 index 0000000000..e8e4c2e5b4 --- /dev/null +++ b/queue-6.19/arm64-dts-renesas-r8a78000-fix-out-of-range-spi-inte.patch 
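Review bot: The fast path `if (!READ_ONCE(gc_in_progress)) return;` in unix_peek_fpl() is only safe if the file-refcount bump that MSG_PEEK performs in scm_fp_dup() is ordered before this load, and if the GC's store of `gc_in_progress` (set in unix_gc(), outside the hunk) is ordered before the refcount reads in unix_vertex_dead(); a bare READ_ONCE provides neither, so on weakly ordered CPUs both sides can observe the stale value and the seqcount barrier is never issued. If a full barrier already exists on the GC side (a spin_lock is only an acquire), the pairing should be named in a comment; otherwise an `smp_mb()` before the READ_ONCE with `/* Pairs with the barrier after gc_in_progress = true in unix_gc(). */` is the usual shape. The seqcount side looks right: writers are serialised by `unix_peek_lock`, and unix_scc_dead() moves the SCC to the visited list before deferring, so a deferred SCC is simply treated as alive for this round.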
@@ -0,0 +1,99 @@ +From 78984a253d44f958e8a3283e39ddaab87dc2ff0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 17:29:01 +0100 +Subject: arm64: dts: renesas: r8a78000: Fix out-of-range SPI interrupt numbers + +From: Geert Uytterhoeven + +[ Upstream commit 85c2601e2c2feb60980c7ca23de28c49472f61f1 ] + +SPI interrupts are in the range 0-987. Extended SPI interrupts should +use GIC_ESPI, instead of abusing GIC_SPI with a manual offset of 4064. + +Fixes: 63500d12cf76d003 ("arm64: dts: renesas: Add R8A78000 SoC support") +Signed-off-by: Geert Uytterhoeven +Link: https://patch.msgid.link/1f9dd274720ea1b66617a5dd84f76c3efc829dc8.1772641415.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r8a78000.dtsi | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/r8a78000.dtsi b/arch/arm64/boot/dts/renesas/r8a78000.dtsi +index 4c97298fa7634..3e1c98903cea0 100644 +--- a/arch/arm64/boot/dts/renesas/r8a78000.dtsi ++++ b/arch/arm64/boot/dts/renesas/r8a78000.dtsi +@@ -698,7 +698,7 @@ scif0: serial@c0700000 { + compatible = "renesas,scif-r8a78000", + "renesas,rcar-gen5-scif", "renesas,scif"; + reg = <0 0xc0700000 0 0x40>; +- interrupts = ; ++ interrupts = ; + clocks = <&dummy_clk_sgasyncd16>, <&dummy_clk_sgasyncd16>, <&scif_clk>; + clock-names = "fck", "brg_int", "scif_clk"; + status = "disabled"; +@@ -708,7 +708,7 @@ scif1: serial@c0704000 { + compatible = "renesas,scif-r8a78000", + "renesas,rcar-gen5-scif", "renesas,scif"; + reg = <0 0xc0704000 0 0x40>; +- interrupts = ; ++ interrupts = ; + clocks = <&dummy_clk_sgasyncd16>, <&dummy_clk_sgasyncd16>, <&scif_clk>; + clock-names = "fck", "brg_int", "scif_clk"; + status = "disabled"; +@@ -718,7 +718,7 @@ scif3: serial@c0708000 { + compatible = "renesas,scif-r8a78000", + "renesas,rcar-gen5-scif", "renesas,scif"; + reg = <0 0xc0708000 0 0x40>; +- interrupts = ; ++ interrupts = ; + clocks = <&dummy_clk_sgasyncd16>, 
<&dummy_clk_sgasyncd16>, <&scif_clk>; + clock-names = "fck", "brg_int", "scif_clk"; + status = "disabled"; +@@ -728,7 +728,7 @@ scif4: serial@c070c000 { + compatible = "renesas,scif-r8a78000", + "renesas,rcar-gen5-scif", "renesas,scif"; + reg = <0 0xc070c000 0 0x40>; +- interrupts = ; ++ interrupts = ; + clocks = <&dummy_clk_sgasyncd16>, <&dummy_clk_sgasyncd16>, <&scif_clk>; + clock-names = "fck", "brg_int", "scif_clk"; + status = "disabled"; +@@ -738,7 +738,7 @@ hscif0: serial@c0710000 { + compatible = "renesas,hscif-r8a78000", + "renesas,rcar-gen5-hscif", "renesas,hscif"; + reg = <0 0xc0710000 0 0x60>; +- interrupts = ; ++ interrupts = ; + clocks = <&dummy_clk_sgasyncd4>, <&dummy_clk_sgasyncd4>, <&scif_clk>; + clock-names = "fck", "brg_int", "scif_clk"; + status = "disabled"; +@@ -748,7 +748,7 @@ hscif1: serial@c0714000 { + compatible = "renesas,hscif-r8a78000", + "renesas,rcar-gen5-hscif", "renesas,hscif"; + reg = <0 0xc0714000 0 0x60>; +- interrupts = ; ++ interrupts = ; + clocks = <&dummy_clk_sgasyncd4>, <&dummy_clk_sgasyncd4>, <&scif_clk>; + clock-names = "fck", "brg_int", "scif_clk"; + status = "disabled"; +@@ -758,7 +758,7 @@ hscif2: serial@c0718000 { + compatible = "renesas,hscif-r8a78000", + "renesas,rcar-gen5-hscif", "renesas,hscif"; + reg = <0 0xc0718000 0 0x60>; +- interrupts = ; ++ interrupts = ; + clocks = <&dummy_clk_sgasyncd4>, <&dummy_clk_sgasyncd4>, <&scif_clk>; + clock-names = "fck", "brg_int", "scif_clk"; + status = "disabled"; +@@ -768,7 +768,7 @@ hscif3: serial@c071c000 { + compatible = "renesas,hscif-r8a78000", + "renesas,rcar-gen5-hscif", "renesas,hscif"; + reg = <0 0xc071c000 0 0x60>; +- interrupts = ; ++ interrupts = ; + clocks = <&dummy_clk_sgasyncd4>, <&dummy_clk_sgasyncd4>, <&scif_clk>; + clock-names = "fck", "brg_int", "scif_clk"; + status = "disabled"; +-- +2.51.0 + 
diff --git a/queue-6.19/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch b/queue-6.19/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch new file mode 100644 index 0000000000..58491919eb --- /dev/null +++ b/queue-6.19/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch 
@@ -0,0 +1,82 @@ +From d90ae1397c70ffb4835bad335b0ed9a24ecde9e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 12:42:46 +0000 +Subject: arm64: dts: renesas: r9a09g057: Remove wdt{0,2,3} nodes + +From: Fabrizio Castro + +[ Upstream commit a3f34651de4287138c0da19ba321ad72622b4af3 ] + +The HW user manual for the Renesas RZ/V2H(P) SoC (a.k.a r9a09g057) +states that only WDT1 is supposed to be accessed by the CA55 cores. +WDT0 is supposed to be used by the CM33 core, WDT2 is supposed +to be used by the CR8 core 0, and WDT3 is supposed to be used +by the CR8 core 1. + +Remove wdt{0,2,3} from the SoC specific device tree to make it +compliant with the specification from the HW manual. + +This change is harmless as there are currently no users of the +wdt{0,2,3} device tree nodes, only the wdt1 node is actually used. + +Fixes: 095105496e7d ("arm64: dts: renesas: r9a09g057: Add WDT0-WDT3 nodes") +Signed-off-by: Fabrizio Castro +Reviewed-by: Geert Uytterhoeven +Link: https://patch.msgid.link/20260203124247.7320-3-fabrizio.castro.jz@renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r9a09g057.dtsi | 30 ---------------------- + 1 file changed, 30 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi +index 4df32d7e99981..3d7f4dae5c195 100644 +--- a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi ++++ b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi +@@ -581,16 +581,6 @@ ostm7: timer@12c03000 { + status = "disabled"; + }; + +- wdt0: watchdog@11c00400 { +- compatible = "renesas,r9a09g057-wdt"; +- reg = <0 0x11c00400 0 0x400>; +- clocks = <&cpg CPG_MOD 0x4b>, <&cpg CPG_MOD 0x4c>; +- clock-names = "pclk", "oscclk"; +- resets = <&cpg 0x75>; +- power-domains = <&cpg>; +- status = "disabled"; +- }; +- + wdt1: watchdog@14400000 { + compatible = "renesas,r9a09g057-wdt"; + reg = <0 0x14400000 0 0x400>; +@@ -601,26 +591,6 @@ wdt1: watchdog@14400000 { + 
status = "disabled"; + }; + +- wdt2: watchdog@13000000 { +- compatible = "renesas,r9a09g057-wdt"; +- reg = <0 0x13000000 0 0x400>; +- clocks = <&cpg CPG_MOD 0x4f>, <&cpg CPG_MOD 0x50>; +- clock-names = "pclk", "oscclk"; +- resets = <&cpg 0x77>; +- power-domains = <&cpg>; +- status = "disabled"; +- }; +- +- wdt3: watchdog@13000400 { +- compatible = "renesas,r9a09g057-wdt"; +- reg = <0 0x13000400 0 0x400>; +- clocks = <&cpg CPG_MOD 0x51>, <&cpg CPG_MOD 0x52>; +- clock-names = "pclk", "oscclk"; +- resets = <&cpg 0x78>; +- power-domains = <&cpg>; +- status = "disabled"; +- }; +- + rtc: rtc@11c00800 { + compatible = "renesas,r9a09g057-rtca3", "renesas,rz-rtca3"; + reg = <0 0x11c00800 0 0x400>; +-- +2.51.0 + diff --git a/queue-6.19/arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch b/queue-6.19/arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch new file mode 100644 index 0000000000..32ee122a45 --- /dev/null +++ b/queue-6.19/arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch 
@@ -0,0 +1,42 @@
+From 52e4adc79d8ac1cf2fae692753af38bddfd41beb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Feb 2026 13:17:41 +0000
+Subject: arm64: dts: renesas: r9a09g077: Fix CPG register region sizes
+
+From: Lad Prabhakar
+
+[ Upstream commit b12985ceca18bcf67f176883175d544daad5e00e ]
+
+The CPG register regions were incorrectly sized. Update them to match
+the actual hardware specification:
+ - First region (0x80280000): 0x1000 -> 0x10000 (64kiB)
+ - Second region (0x81280000): 0x9000 -> 0x10000 (64kiB)
+
+Fixes: d17b34744f5e4 ("arm64: dts: renesas: Add initial support for the Renesas RZ/T2H SoC")
+Signed-off-by: Lad Prabhakar
+Reviewed-by: Geert Uytterhoeven
+Link: https://patch.msgid.link/20260213131742.3606334-2-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/renesas/r9a09g077.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a09g077.dtsi b/arch/arm64/boot/dts/renesas/r9a09g077.dtsi
+index f5fa6ca064097..5f4d30f75cbde 100644
+--- a/arch/arm64/boot/dts/renesas/r9a09g077.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a09g077.dtsi
+@@ -747,8 +747,8 @@ mii_conv3: mii-conv@3 {
+ 
+ cpg: clock-controller@80280000 {
+ compatible = "renesas,r9a09g077-cpg-mssr";
+- reg = <0 0x80280000 0 0x1000>,
+- <0 0x81280000 0 0x9000>;
++ reg = <0 0x80280000 0 0x10000>,
++ <0 0x81280000 0 0x10000>;
+ clocks = <&extal_clk>;
+ clock-names = "extal";
+ #clock-cells = <2>;
+--
+2.51.0
+
diff --git a/queue-6.19/arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch b/queue-6.19/arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch new file mode 100644 index 0000000000..b2651533cd --- /dev/null +++ b/queue-6.19/arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch
@@ -0,0 +1,42 @@
+From 1d0eb78ce2754d16cb681157bd71808a9e927ae1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Feb 2026 13:17:42 +0000
+Subject: arm64: dts: renesas: r9a09g087: Fix CPG register region sizes
+
+From: Lad Prabhakar
+
+[ Upstream commit f459672cf3ffd3c062973838951418271aa2ceef ]
+
+The CPG register regions were incorrectly sized. Update them to match
+the actual hardware specification:
+ - First region (0x80280000): 0x1000 -> 0x10000 (64kiB)
+ - Second region (0x81280000): 0x9000 -> 0x10000 (64kiB)
+
+Fixes: 4b3d31f0b81fe ("arm64: dts: renesas: Add initial SoC DTSI for the RZ/N2H SoC")
+Signed-off-by: Lad Prabhakar
+Reviewed-by: Geert Uytterhoeven
+Link: https://patch.msgid.link/20260213131742.3606334-3-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/renesas/r9a09g087.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a09g087.dtsi b/arch/arm64/boot/dts/renesas/r9a09g087.dtsi
+index 361a9235f00d9..46f2b1fd98dc3 100644
+--- a/arch/arm64/boot/dts/renesas/r9a09g087.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a09g087.dtsi
+@@ -750,8 +750,8 @@ mii_conv3: mii-conv@3 {
+ 
+ cpg: clock-controller@80280000 {
+ compatible = "renesas,r9a09g087-cpg-mssr";
+- reg = <0 0x80280000 0 0x1000>,
+- <0 0x81280000 0 0x9000>;
++ reg = <0 0x80280000 0 0x10000>,
++ <0 0x81280000 0 0x10000>;
+ clocks = <&extal_clk>;
+ clock-names = "extal";
+ #clock-cells = <2>;
+--
+2.51.0
+
diff --git a/queue-6.19/arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch b/queue-6.19/arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch new file mode 100644 index 0000000000..904bf2a7ab --- /dev/null +++ b/queue-6.19/arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch
@@ -0,0 +1,73 @@ +From fc7a7524cae76e202f52607c467f166a8c4b79c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Mar 2026 15:57:03 +0200 +Subject: arm64: dts: renesas: rzg3s-smarc-som: Set bypass for Versa3 PLL2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Claudiu Beznea + +[ Upstream commit 6dcbb6f070cccabc6a13d640a5a84de581fdd761 ] + +The default settings for the Versa3 device on the Renesas RZ/G3S SMARC +SoM board have PLL2 disabled. PLL2 was later enabled together with audio +support, as it is required to support both 44.1 kHz and 48 kHz audio. + +With PLL2 enabled, it was observed that Linux occasionally either hangs +during boot (the last log message being related to the I2C probe) or +randomly crashes. This was mainly reproducible on cold boots. During +debugging, it was also noticed that the Unicode replacement character (�) +sometimes appears on the serial console. Further investigation traced this +to the configuration applied through the Versa3 register at offset 0x1c, +which controls PLL enablement. + +The appearance of the Unicode replacement character suggested an issue +with the SoC reference clock. The RZ/G3S reference clock is provided by +the Versa3 clock generator (REF output). + +After checking with the Renesas Versa3 hardware team, it was found that +this is related to the PLL2 lock bit being set through the +renesas,settings DT property. + +The PLL lock bit must be set to avoid unstable clock output from the PLL. +However, due to the Versa3 hardware design, when a PLL lock bit is set, +all outputs (including the REF clock) are temporarily disabled until the +configured PLLs become stable. + +As an alternative, the bypass bit can be used. This does not interrupt the +PLL2 output or any other Versa3 outputs, but it may result in temporary +instability on PLL2 output while the configuration is applied. 
Since PLL2 +feeds only the audio path and audio is not used during early boot, this is +acceptable and does not affect system boot. + +Drop the PLL2 lock bit and set the bypass bit instead. + +This has been tested with more than 1000 cold boots. + +Fixes: a94253232b04 ("arm64: dts: renesas: rzg3s-smarc-som: Add versa3 clock generator node") +Signed-off-by: Claudiu Beznea +Reviewed-by: Geert Uytterhoeven +Link: https://patch.msgid.link/20260302135703.162601-1-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi b/arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi +index 6f25ab6179829..fbfa6cfb19297 100644 +--- a/arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi ++++ b/arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi +@@ -162,7 +162,7 @@ versa3: clock-generator@68 { + <100000000>; + renesas,settings = [ + 80 00 11 19 4c 42 dc 2f 06 7d 20 1a 5f 1e f2 27 +- 00 40 00 00 00 00 00 00 06 0c 19 02 3f f0 90 86 ++ 00 40 00 00 00 00 00 00 06 0c 19 02 3b f0 90 86 + a0 80 30 30 9c + ]; + }; +-- +2.51.0 + diff --git a/queue-6.19/arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch b/queue-6.19/arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch new file mode 100644 index 0000000000..4c13899c49 --- /dev/null +++ b/queue-6.19/arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch 
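Review bot: The change flips a single byte inside the opaque `renesas,settings` blob (offset 0x1c, `3f` -> `3b`) and the DTS itself carries no explanation, so the reason — PLL2 bypass bit instead of the lock bit, because a lock request drops every Versa3 output including the SoC REF clock until the PLL settles — survives only in the commit message. A comment on the array would keep that discoverable for the next person tuning the blob, e.g. `/* Offset 0x1c: PLL2 bypass bit set instead of the lock bit; locking disables all outputs (incl. REF) until the PLL is stable, see commit 6dcbb6f070cc. */`. The versa3 node begins and ends outside the hunk.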
@@ -0,0 +1,53 @@
+From 09049e72f1597f142d43f400267571711d8598ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jan 2026 22:59:54 +0000
+Subject: arm64: dts: renesas: rzt2h-n2h-evk: Add ramp delay for SD0 card
+ regulator
+
+From: Lad Prabhakar
+
+[ Upstream commit bb70589b67039e491dd60cf71272884e926a0f95 ]
+
+Add a ramp delay of 60 uV/us to the vqmmc_sdhi0 voltage regulator to
+fix UHS-I SD card detection failures.
+
+Measurements on CN78 pin 4 showed the actual voltage ramp time to be
+21.86ms when switching between 3.3V and 1.8V. A 25ms ramp delay has
+been configured to provide adequate margin. The calculation is based
+on the voltage delta of 1.5V (3.3V - 1.8V):
+ 1500000 uV / 60 uV/us = 25000 us (25ms)
+
+Prior to this patch, UHS-I cards failed to initialize with:
+
+ mmc0: error -110 whilst initialising SD card
+
+After this patch, UHS-I cards are properly detected on SD0:
+
+ mmc0: new UHS-I speed SDR104 SDXC card at address aaaa
+ mmcblk0: mmc0:aaaa SR64G 59.5 GiB
+
+Fixes: d065453e5ee09 ("arm64: dts: renesas: rzt2h-rzn2h-evk: Enable SD card slot")
+Signed-off-by: Lad Prabhakar
+Reviewed-by: Geert Uytterhoeven
+Link: https://patch.msgid.link/20260123225957.1007089-2-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi b/arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi
+index 63bd91690b540..890e4ddc1e78b 100644
+--- a/arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi
++++ b/arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi
+@@ -53,6 +53,7 @@ vqmmc_sdhi0: regulator-vqmmc-sdhi0 {
+ regulator-max-microvolt = <3300000>;
+ gpios-states = <0>;
+ states = <3300000 0>, <1800000 1>;
++ regulator-ramp-delay = <60>;
+ };
+ #endif
+
+--
+2.51.0
+
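Review bot: `regulator-ramp-delay = <60>` is a bare number whose derivation (about 25 ms for the 1.5 V swing between 3.3 V and 1.8 V at 60 uV/us, against a measured 21.86 ms) exists only in the commit message, so a later reader cannot tell whether 60 is a datasheet figure or a margin choice. A one-line comment beside the property would keep that reviewable, e.g. `/* 60 uV/us: ~25 ms for the 3.3 V <-> 1.8 V UHS-I switch (measured ~21.9 ms) */`. The same remark applies to the identical addition in rzv2-evk-cn15-sd.dtso in the following patch. The vqmmc_sdhi0 node begins outside the hunk.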
diff --git a/queue-6.19/arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch b/queue-6.19/arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch new file mode 100644 index 0000000000..e608faf126 --- /dev/null +++ b/queue-6.19/arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch 
@@ -0,0 +1,53 @@
+From aeb470d307da2538f8a31e30241de67d8644971d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jan 2026 22:59:57 +0000
+Subject: arm64: dts: renesas: rzv2-evk-cn15-sd: Add ramp delay for SD0
+ regulator
+
+From: Lad Prabhakar
+
+[ Upstream commit 5c03465ecf6a56b7b261df9594f0e10612f53a50 ]
+
+Set an appropriate ramp delay for the SD0 I/O voltage regulator in the
+CN15 SD overlay to make UHS-I voltage switching reliable during card
+initialization.
+
+This issue was observed on the RZ/V2H EVK, while the same UHS-I cards
+worked on the RZ/V2N EVK without problems. Adding the ramp delay makes
+the behavior consistent and avoids SD init timeouts.
+
+Before this change SD0 could fail with:
+
+ mmc0: error -110 whilst initialising SD card
+
+With the delay in place UHS-I cards enumerate correctly:
+
+ mmc0: new UHS-I speed SDR104 SDXC card at address aaaa
+ mmcblk0: mmc0:aaaa SR64G 59.5 GiB
+ mmcblk0: p1
+
+Fixes: 3d6c2bc7629c8 ("arm64: dts: renesas: Add CN15 eMMC and SD overlays for RZ/V2H and RZ/V2N EVKs")
+Signed-off-by: Lad Prabhakar
+Reviewed-by: Geert Uytterhoeven
+Link: https://patch.msgid.link/20260123225957.1007089-5-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso b/arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso
+index 0af1e0a6c7f48..fc53c1aae3b52 100644
+--- a/arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso
++++ b/arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso
+@@ -25,6 +25,7 @@
+ regulator-max-microvolt = <3300000>;
+ gpios-states = <0>;
+ states = <3300000 0>, <1800000 1>;
++ regulator-ramp-delay = <60>;
+ };
+ };
+
+--
+2.51.0
+
diff --git a/queue-6.19/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch b/queue-6.19/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch new file mode 100644 index 0000000000..7445df4f96 --- /dev/null +++ b/queue-6.19/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch 
@@ -0,0 +1,52 @@
+From 33462ef03c88eca85ac2d8e025625f04297b1e8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Mar 2026 14:50:52 +0100
+Subject: Bluetooth: hci_sync: Fix hci_le_create_conn_sync
+
+From: Michael Grzeschik
+
+[ Upstream commit 2cabe7ff1001b7a197009cf50ba71701f9cbd354 ]
+
+While introducing hci_le_create_conn_sync the functionality
+of hci_connect_le was ported to hci_le_create_conn_sync including
+the disable of the scan before starting the connection.
+
+When this code was run non synchronously the immediate call that was
+setting the flag HCI_LE_SCAN_INTERRUPTED had an impact. Since the
+completion handler for the LE_SCAN_DISABLE was not immediately called.
+In the completion handler of the LE_SCAN_DISABLE event, this flag is
+checked to set the state of the hdev to DISCOVERY_STOPPED.
+
+With the synchronised approach the later setting of the
+HCI_LE_SCAN_INTERRUPTED flag has not the same effect. The completion
+handler would immediately fire in the LE_SCAN_DISABLE call, check for
+the flag, which is then not yet set and do nothing.
+
+To fix this issue and make the function call work as before, we move the
+setting of the flag HCI_LE_SCAN_INTERRUPTED before disabling the scan.
+
+Fixes: 8e8b92ee60de ("Bluetooth: hci_sync: Add hci_le_create_conn_sync")
+Signed-off-by: Michael Grzeschik
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_sync.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 80b601e344ae3..43b36581e336d 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -6596,8 +6596,8 @@ static int hci_le_create_conn_sync(struct hci_dev *hdev, void *data)
+ * state.
+ */
+ if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {
+- hci_scan_disable_sync(hdev);
+ hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
++ hci_scan_disable_sync(hdev);
+ }
+
+ /* Update random address, but set require_privacy to false so
+--
+2.51.0
+
diff --git a/queue-6.19/bluetooth-hidp-fix-possible-uaf.patch b/queue-6.19/bluetooth-hidp-fix-possible-uaf.patch new file mode 100644 index 0000000000..fb9220717c --- /dev/null +++ b/queue-6.19/bluetooth-hidp-fix-possible-uaf.patch
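Review bot: The new ordering turns the flag into a precondition of `hci_scan_disable_sync()`, but nothing in the hunk records why, so a future cleanup can swap the two lines back and silently reintroduce the bug; a comment above the `if` would pin it: `/* Set HCI_LE_SCAN_INTERRUPTED before disabling: hci_scan_disable_sync() completes synchronously and its completion handler checks the flag to move discovery to DISCOVERY_STOPPED. */`. Separately, the return value of `hci_scan_disable_sync()` is still discarded, so if the disable fails the flag stays set while scanning continues; whether a later path clears it is not visible here. hci_le_create_conn_sync() begins and ends outside the hunk.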
@@ -0,0 +1,237 @@ +From daa60f39fe3952819691f9a1f278572a83cb4a8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 10:17:47 -0500 +Subject: Bluetooth: HIDP: Fix possible UAF + +From: Luiz Augusto von Dentz + +[ Upstream commit dbf666e4fc9bdd975a61bf682b3f75cb0145eedd ] + +This fixes the following trace caused by not dropping l2cap_conn +reference when user->remove callback is called: + +[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00 +[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 97.809947] Call Trace: +[ 97.809954] +[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122) +[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808) +[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798) +[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1)) +[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341) +[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2)) +[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360) +[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285) +[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5)) +[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810290] ? 
rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752) +[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716) +[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691) +[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678) +[ 97.810404] __fput (fs/file_table.c:470) +[ 97.810430] task_work_run (kernel/task_work.c:235) +[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201) +[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5)) +[ 97.810527] do_exit (kernel/exit.c:972) +[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897) +[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6)) +[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4)) +[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 97.810721] do_group_exit (kernel/exit.c:1093) +[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1)) +[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366) +[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810826] ? vfs_read (fs/read_write.c:555) +[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800) +[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810905] ? 
__pfx_vfs_read (fs/read_write.c:555) +[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810960] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1)) +[ 97.810990] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334) +[ 97.811021] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811055] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811078] ? ksys_read (fs/read_write.c:707) +[ 97.811106] ? __pfx_ksys_read (fs/read_write.c:707) +[ 97.811137] exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98) +[ 97.811169] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752) +[ 97.811192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811215] ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33)) +[ 97.811240] do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100) +[ 97.811268] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811292] ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3)) +[ 97.811318] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +[ 97.811338] RIP: 0033:0x445cfe +[ 97.811352] Code: Unable to access opcode bytes at 0x445cd4. 
+ +Code starting with the faulting instruction +=========================================== +[ 97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 +[ 97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe +[ 97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004 +[ 97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000 +[ 97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8 +[ 97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0 +[ 97.811453] +[ 98.402453] ================================================================== +[ 98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430 +[ 98.405361] +[ 98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 98.405600] Call Trace: +[ 98.405607] +[ 98.405614] dump_stack_lvl (lib/dump_stack.c:122) +[ 98.405641] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) +[ 98.405667] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.405691] ? __virt_addr_valid (arch/x86/mm/physaddr.c:55) +[ 98.405724] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405748] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597) +[ 98.405778] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405807] __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405832] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4)) +[ 98.405859] ? 
l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.405888] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114) +[ 98.405915] ? __pfx___mutex_lock (kernel/locking/mutex.c:775) +[ 98.405939] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.405963] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6)) +[ 98.405984] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.406015] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406038] ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875) +[ 98.406061] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406085] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194) +[ 98.406107] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406130] ? __timer_delete_sync (kernel/time/timer.c:1592) +[ 98.406158] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.406186] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406210] l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.406263] hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305) +[ 98.406293] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.406323] ? kthread (kernel/kthread.c:433) +[ 98.406340] ? 
__pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.406370] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406393] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.406424] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.406453] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406476] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1)) +[ 98.406499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406523] ? kthread (kernel/kthread.c:433) +[ 98.406539] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406565] ? kthread (kernel/kthread.c:433) +[ 98.406581] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.406610] kthread (kernel/kthread.c:467) +[ 98.406627] ? __pfx_kthread (kernel/kthread.c:412) +[ 98.406645] ret_from_fork (arch/x86/kernel/process.c:164) +[ 98.406674] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153) +[ 98.406704] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406728] ? 
__pfx_kthread (kernel/kthread.c:412) +[ 98.406747] ret_from_fork_asm (arch/x86/entry/entry_64.S:258) +[ 98.406774] +[ 98.406780] +[ 98.433693] The buggy address belongs to the physical page: +[ 98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4 +[ 98.435557] flags: 0x200000000000000(node=0|zone=2) +[ 98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000 +[ 98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000 +[ 98.438115] page dumped because: kasan: bad access detected +[ 98.438951] +[ 98.439211] Memory state around the buggy address: +[ 98.439871] ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 98.440714] ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.442458] ^ +[ 98.443011] ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.443889] ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.444768] ================================================================== +[ 98.445719] Disabling lock debugging due to kernel taint +[ 98.448074] l2cap_conn_free: freeing conn ffff88810c22b400 +[ 98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G B 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 98.450040] Tainted: [B]=BAD_PAGE +[ 98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 98.450059] Call Trace: +[ 98.450065] +[ 98.450071] dump_stack_lvl (lib/dump_stack.c:122) +[ 98.450099] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808) +[ 98.450125] l2cap_conn_put (net/bluetooth/l2cap_core.c:1822) +[ 98.450154] session_free (net/bluetooth/hidp/core.c:990) +[ 98.450181] hidp_session_thread (net/bluetooth/hidp/core.c:1307) +[ 98.450213] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.450271] ? 
kthread (kernel/kthread.c:433) +[ 98.450293] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.450339] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450368] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.450406] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.450442] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450471] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1)) +[ 98.450499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450528] ? kthread (kernel/kthread.c:433) +[ 98.450547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450578] ? kthread (kernel/kthread.c:433) +[ 98.450598] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.450637] kthread (kernel/kthread.c:467) +[ 98.450657] ? __pfx_kthread (kernel/kthread.c:412) +[ 98.450680] ret_from_fork (arch/x86/kernel/process.c:164) +[ 98.450715] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153) +[ 98.450752] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450782] ? 
__pfx_kthread (kernel/kthread.c:412) +[ 98.450804] ret_from_fork_asm (arch/x86/entry/entry_64.S:258) +[ 98.450836] + +Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers") +Reported-by: soufiane el hachmi +Tested-by: soufiane el hachmi +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hidp/core.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c +index 6724adce615b6..e0e4003815500 100644 +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -986,7 +986,8 @@ static void session_free(struct kref *ref) + skb_queue_purge(&session->intr_transmit); + fput(session->intr_sock->file); + fput(session->ctrl_sock->file); +- l2cap_conn_put(session->conn); ++ if (session->conn) ++ l2cap_conn_put(session->conn); + kfree(session); + } + +@@ -1164,6 +1165,15 @@ static void hidp_session_remove(struct l2cap_conn *conn, + + down_write(&hidp_session_sem); + ++ /* Drop L2CAP reference immediately to indicate that ++ * l2cap_unregister_user() shall not be called as it is already ++ * considered removed. ++ */ ++ if (session->conn) { ++ l2cap_conn_put(session->conn); ++ session->conn = NULL; ++ } ++ + hidp_session_terminate(session); + + cancel_work_sync(&session->dev_init); +@@ -1301,7 +1311,9 @@ static int hidp_session_thread(void *arg) + * Instead, this call has the same semantics as if user-space tried to + * delete the session. + */ +- l2cap_unregister_user(session->conn, &session->user); ++ if (session->conn) ++ l2cap_unregister_user(session->conn, &session->user); ++ + hidp_session_put(session); + + module_put_and_kthread_exit(0); +-- +2.51.0 + diff --git a/queue-6.19/bluetooth-iso-fix-defer-tests-being-unstable.patch b/queue-6.19/bluetooth-iso-fix-defer-tests-being-unstable.patch new file mode 100644 index 0000000000..0bbc1e5398 --- /dev/null +++ b/queue-6.19/bluetooth-iso-fix-defer-tests-being-unstable.patch 
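Review bot: The new `if (session->conn)` test in hidp_session_thread reads session->conn with no lock, while hidp_session_remove clears the field and drops its reference under `down_write(&hidp_session_sem)`; if remove can still run concurrently from the l2cap_conn_del path (which the KASAN trace suggests is the trigger), the thread can load a non-NULL pointer just before it is cleared and still hand a stale conn to l2cap_unregister_user(). I cannot see what else serializes the two, since hidp_session_thread's body starts outside the hunk, and the thread cannot simply hold hidp_session_sem across the call because l2cap_unregister_user() invokes hidp_session_remove(), which takes the same semaphore for writing. If nothing orders them, a single atomic handoff shared by both paths closes the window: `conn = xchg(&session->conn, NULL);` followed by `if (conn) { l2cap_unregister_user(conn, &session->user); l2cap_conn_put(conn); }`, with hidp_session_remove using the same xchg so exactly one side performs the put. Either way the invariant deserves a comment at the check, e.g. `/* session->conn is cleared by hidp_session_remove(); non-NULL here means the l2cap_user is still registered */`.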
@@ -0,0 +1,49 @@ +From 03833a16b30e6de304738488b43055ed05634f6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Feb 2026 15:23:01 -0500 +Subject: Bluetooth: ISO: Fix defer tests being unstable + +From: Luiz Augusto von Dentz + +[ Upstream commit 62bcaa6b351b6dc400f6c6b83762001fd9f5c12d ] + +iso-tester defer tests seem to fail with hci_conn_hash_lookup_cig +being unable to resolve a cig in set_cig_params_sync due a race +where it is run immediatelly before hci_bind_cis is able to set +the QoS settings into the hci_conn object. + +So this moves the assigning of the QoS settings to be done directly +by hci_le_set_cig_params to prevent that from happening again. + +Fixes: 26afbd826ee3 ("Bluetooth: Add initial implementation of CIS connections") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_conn.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index dc085856f5e91..0f512c2c2fd3c 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -1944,6 +1944,8 @@ static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos) + return false; + + done: ++ conn->iso_qos = *qos; ++ + if (hci_cmd_sync_queue(hdev, set_cig_params_sync, + UINT_PTR(qos->ucast.cig), NULL) < 0) + return false; +@@ -2013,8 +2015,6 @@ struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst, + } + + hci_conn_hold(cis); +- +- cis->iso_qos = *qos; + cis->state = BT_BOUND; + + return cis; +-- +2.51.0 + diff --git a/queue-6.19/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch b/queue-6.19/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch new file mode 100644 index 0000000000..e2d7bf0ca4 --- /dev/null +++ b/queue-6.19/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch 
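Review bot: The assignment `conn->iso_qos = *qos;` at the `done:` label is order-sensitive but carries no explanation: per the description, set_cig_params_sync, queued on the very next line, resolves the conn through hci_conn_hash_lookup_cig using the QoS just stored, so anyone later moving this back below the queue call (or back into hci_bind_cis) reintroduces the race. I would add `/* Must be set before queueing set_cig_params_sync(), which looks the conn up by qos->ucast.cig */` above it. Note the copy now also happens when hci_cmd_sync_queue() fails; that is presumably harmless because hci_bind_cis drops the conn on failure, but hci_le_set_cig_params starts outside the hunk and any other path reaching `done:` should be checked for the same assumption.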
@@ -0,0 +1,90 @@ +From aa58570ea6976a29fc50e38b0b6014617ed46c5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Nov 2025 23:50:16 +0530 +Subject: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user + +From: Shaurya Rane + +[ Upstream commit 752a6c9596dd25efd6978a73ff21f3b592668f4a ] + +After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in +hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to +conn->users. However, l2cap_register_user() and l2cap_unregister_user() +don't use conn->lock, creating a race condition where these functions can +access conn->users and conn->hchan concurrently with l2cap_conn_del(). + +This can lead to use-after-free and list corruption bugs, as reported +by syzbot. + +Fix this by changing l2cap_register_user() and l2cap_unregister_user() +to use conn->lock instead of hci_dev_lock(), ensuring consistent locking +for the l2cap_conn structure. + +Reported-by: syzbot+14b6d57fb728e27ce23c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=14b6d57fb728e27ce23c +Fixes: ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del") +Signed-off-by: Shaurya Rane +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 05acc2e98f58f..9ea030fc9a9cc 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -1686,17 +1686,15 @@ static void l2cap_info_timeout(struct work_struct *work) + + int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user) + { +- struct hci_dev *hdev = conn->hcon->hdev; + int ret; + + /* We need to check whether l2cap_conn is registered. If it is not, we +- * must not register the l2cap_user. l2cap_conn_del() is unregisters +- * l2cap_conn objects, but doesn't provide its own locking. 
Instead, it +- * relies on the parent hci_conn object to be locked. This itself relies +- * on the hci_dev object to be locked. So we must lock the hci device +- * here, too. */ ++ * must not register the l2cap_user. l2cap_conn_del() unregisters ++ * l2cap_conn objects under conn->lock, and we use the same lock here ++ * to protect access to conn->users and conn->hchan. ++ */ + +- hci_dev_lock(hdev); ++ mutex_lock(&conn->lock); + + if (!list_empty(&user->list)) { + ret = -EINVAL; +@@ -1717,16 +1715,14 @@ int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user) + ret = 0; + + out_unlock: +- hci_dev_unlock(hdev); ++ mutex_unlock(&conn->lock); + return ret; + } + EXPORT_SYMBOL(l2cap_register_user); + + void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user) + { +- struct hci_dev *hdev = conn->hcon->hdev; +- +- hci_dev_lock(hdev); ++ mutex_lock(&conn->lock); + + if (list_empty(&user->list)) + goto out_unlock; +@@ -1735,7 +1731,7 @@ void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user) + user->remove(conn, user); + + out_unlock: +- hci_dev_unlock(hdev); ++ mutex_unlock(&conn->lock); + } + EXPORT_SYMBOL(l2cap_unregister_user); + +-- +2.51.0 + diff --git a/queue-6.19/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch b/queue-6.19/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch new file mode 100644 index 0000000000..ca9c9e50df --- /dev/null +++ b/queue-6.19/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch 
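Review bot: user->remove() is now invoked with conn->lock held (it sits between the new mutex_lock/mutex_unlock pair in l2cap_unregister_user), and conn->lock is an ordinary non-recursive mutex, so a remove callback that re-enters l2cap_register_user()/l2cap_unregister_user() or otherwise takes conn->lock will self-deadlock rather than fail loudly. The same constraint existed with hci_dev_lock, but it now moves to a different lock, and the hidp remove callback in this queue takes hidp_session_sem inside it, which fixes a conn->lock then hidp_session_sem ordering every other path must respect. Neither point is written down; the rewritten comment in l2cap_register_user is the natural place: `/* Both functions run under conn->lock, and user->remove() is called with it held: callbacks must not take conn->lock again or (un)register users from inside the callback. */`.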
@@ -0,0 +1,55 @@ +From 2081cdc2602cb443160c1b04fd20e24148f9a2b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 18:07:25 +0100 +Subject: Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU + +From: Christian Eggers + +[ Upstream commit e1d9a66889867c232657a9b6f25d451d7c3ab96f ] + +Core 6.0, Vol 3, Part A, 3.4.3: +"If the SDU length field value exceeds the receiver's MTU, the receiver +shall disconnect the channel..." + +This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P +0x0027 -V le_public -I 100'). + +Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly") +Signed-off-by: Christian Eggers +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 319c87bd795d5..1618fe98dce71 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -6654,8 +6654,10 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) + return -ENOBUFS; + } + +- if (chan->imtu < skb->len) { +- BT_ERR("Too big LE L2CAP PDU"); ++ if (skb->len > chan->imtu) { ++ BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len, ++ chan->imtu); ++ l2cap_send_disconn_req(chan, ECONNRESET); + return -ENOBUFS; + } + +@@ -6681,7 +6683,9 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) + sdu_len, skb->len, chan->imtu); + + if (sdu_len > chan->imtu) { +- BT_ERR("Too big LE L2CAP SDU length received"); ++ BT_ERR("Too big LE L2CAP SDU length: len %u > %u", ++ skb->len, sdu_len); ++ l2cap_send_disconn_req(chan, ECONNRESET); + err = -EMSGSIZE; + goto failed; + } +-- +2.51.0 + diff --git a/queue-6.19/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch b/queue-6.19/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch new file mode 100644 index 0000000000..d561eb5536 --- /dev/null 
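Review bot: The second BT_ERR prints the wrong pair of values: the condition is `sdu_len > chan->imtu`, but the message `"Too big LE L2CAP SDU length: len %u > %u"` is given `skb->len, sdu_len`, so the log will claim something like "len 23 > 512" for a 512-byte SDU on a 500-byte IMTU. It should read `BT_ERR("Too big LE L2CAP SDU length: len %u > %u", sdu_len, chan->imtu);`. Separately, both new l2cap_send_disconn_req() calls fire before the error exit; if further K-frames on the same channel can reach this function before the disconnect completes, the peer receives repeated Disconnection Requests, and since the `failed:` label and the rest of l2cap_ecred_data_rcv are outside the hunk I cannot tell whether the channel state already prevents that.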
+++ b/queue-6.19/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
@@ -0,0 +1,39 @@
+From 312abdc9676f3da68d114e86044e2cc6048bdad3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Feb 2026 18:07:27 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
+
+From: Christian Eggers
+
+[ Upstream commit b6a2bf43aa37670432843bc73ae2a6288ba4d6f8 ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"... If the sum of the payload sizes for the K-frames exceeds the
+specified SDU length, the receiver shall disconnect the channel."
+
+This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
+0x0027 -V le_public').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 1618fe98dce71..05acc2e98f58f 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -6721,6 +6721,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+
+ if (chan->sdu->len + skb->len > chan->sdu_len) {
+ BT_ERR("Too much LE L2CAP data received");
++ l2cap_send_disconn_req(chan, ECONNRESET);
+ err = -EINVAL;
+ goto failed;
+ }
+--
+2.51.0
+
diff --git a/queue-6.19/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch b/queue-6.19/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch
new file mode 100644
index 0000000000..a1e242b309
--- /dev/null
+++ b/queue-6.19/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch
@@ -0,0 +1,67 @@ +From b17e08daca0be65de40f5f5803e0227c8dbf00e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Feb 2026 11:03:39 +0000 +Subject: Bluetooth: MGMT: Fix list corruption and UAF in command complete + handlers + +From: Wang Tao + +[ Upstream commit 17f89341cb4281d1da0e2fb0de5406ab7c4e25ef ] + +Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced +mgmt_pending_valid(), which not only validates the pending command but +also unlinks it from the pending list if it is valid. This change in +semantics requires updates to several completion handlers to avoid list +corruption and memory safety issues. + +This patch addresses two left-over issues from the aforementioned rework: + +1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove() +is replaced with mgmt_pending_free() in the success path. Since +mgmt_pending_valid() already unlinks the command at the beginning of +the function, calling mgmt_pending_remove() leads to a double list_del() +and subsequent list corruption/kernel panic. + +2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error +path is removed. Since the current command is already unlinked by +mgmt_pending_valid(), this foreach loop would incorrectly target other +pending mesh commands, potentially freeing them while they are still being +processed concurrently (leading to UAFs). The redundant mgmt_cmd_status() +is also simplified to use cmd->opcode directly. 
+ +Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") +Signed-off-by: Wang Tao +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 0e46f9e08b106..2c63f49c33018 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -2195,10 +2195,7 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err) + sk = cmd->sk; + + if (status) { +- mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER, +- status); +- mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true, +- cmd_status_rsp, &status); ++ mgmt_cmd_status(cmd->sk, hdev->id, cmd->opcode, status); + goto done; + } + +@@ -5377,7 +5374,7 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev, + + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, + mgmt_status(status), &rp, sizeof(rp)); +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + + hci_dev_unlock(hdev); + bt_dev_dbg(hdev, "add monitor %d complete, status %d", +-- +2.51.0 + diff --git a/queue-6.19/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch b/queue-6.19/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch new file mode 100644 index 0000000000..98a2bf6f98 --- /dev/null +++ b/queue-6.19/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch 
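Review bot: With the mgmt_pending_foreach() gone, the error path in set_mesh_complete reports status for this one command and jumps to `done:`; because mgmt_pending_valid() has already unlinked cmd from the pending list (per the description), whatever sits at `done:`, which is outside this hunk, is now the only thing that can free cmd, and a reader of the error branch cannot see that. A one-line comment at the jump would make the ownership explicit: `goto done; /* cmd was unlinked by mgmt_pending_valid(); done: frees it */`. The function's prologue and the `done:` label are both outside the hunk, so please confirm that `done:` really does free rather than just drop a reference.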
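Review bot: `mgmt_pending_free(cmd);` is now immediately followed by `bt_dev_dbg(hdev, "add monitor %d complete, status %d", ...)` whose argument list continues outside the hunk; if either argument is read through cmd (a monitor handle from cmd->user_data or cmd->param, for example), that is a use-after-free sitting right next to the line this patch touches. It would predate the patch, since mgmt_pending_remove() also freed cmd, but this is the place to fix it: either capture the values into locals before the free or move the bt_dev_dbg() above `mgmt_pending_free(cmd);`. `rp` is filled before the free, which is fine.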
@@ -0,0 +1,46 @@ +From c7005aa0bfe6fc4b5a8eb80db8694e474607f734 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 01:02:57 +0200 +Subject: Bluetooth: qca: fix ROM version reading on WCN3998 chips + +From: Dmitry Baryshkov + +[ Upstream commit 99b2c531e0e797119ae1b9195a8764ee98b00e65 ] + +WCN3998 uses a bit different format for rom version: + +[ 5.479978] Bluetooth: hci0: setting up wcn399x +[ 5.633763] Bluetooth: hci0: QCA Product ID :0x0000000a +[ 5.645350] Bluetooth: hci0: QCA SOC Version :0x40010224 +[ 5.650906] Bluetooth: hci0: QCA ROM Version :0x00001001 +[ 5.665173] Bluetooth: hci0: QCA Patch Version:0x00006699 +[ 5.679356] Bluetooth: hci0: QCA controller version 0x02241001 +[ 5.691109] Bluetooth: hci0: QCA Downloading qca/crbtfw21.tlv +[ 6.680102] Bluetooth: hci0: QCA Downloading qca/crnv21.bin +[ 6.842948] Bluetooth: hci0: QCA setup on UART is completed + +Fixes: 523760b7ff88 ("Bluetooth: hci_qca: Added support for WCN3998") +Reviewed-by: Bartosz Golaszewski +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqca.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index 7c958d6065bec..86a48d009d1ba 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -804,6 +804,8 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + */ + if (soc_type == QCA_WCN3988) + rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f); ++ else if (soc_type == QCA_WCN3998) ++ rom_ver = ((soc_ver & 0x0000f000) >> 0x07) | (soc_ver & 0x0000000f); + else + rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f); + +-- +2.51.0 + diff --git a/queue-6.19/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch b/queue-6.19/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch new file mode 100644 index 0000000000..fd83f3db1b --- /dev/null 
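Review bot: The new WCN3998 branch adds a third undocumented bit-shuffle, `((soc_ver & 0x0000f000) >> 0x07) | (soc_ver & 0x0000000f)`, next to two existing ones, and nothing in the code says what value it is meant to produce; the comment block that presumably describes the formats ends on the first context line of the hunk, outside it, and should gain a WCN3998 entry. The description's own log pins the expected result: controller version 0x02241001 (ROM version 0x1001) must yield 0x21 so that crbtfw21.tlv is loaded, which the new expression does (0x1000 >> 7 = 0x20, OR 1). I would put that example in the code: `/* WCN3998: ROM 0x1001 -> 0x21 (crbtfw21.tlv) */` on the new `else if`, so the next chip-specific variant can be checked the same way.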
+++ b/queue-6.19/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
@@ -0,0 +1,36 @@
+From 1de26d65d4c5b1c6eaebdf3694b14f74c9bf553a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Feb 2026 18:07:28 +0100
+Subject: Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
+
+From: Christian Eggers
+
+[ Upstream commit 0e4d4dcc1a6e82cc6f9abf32193558efa7e1613d ]
+
+The last test step ("Test with Invalid public key X and Y, all set to
+0") expects to get an "DHKEY check failed" instead of "unspecified".
+
+Fixes: 6d19628f539f ("Bluetooth: SMP: Fail if remote and local public keys are identical")
+Signed-off-by: Christian Eggers
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index 3a1ce04a7a536..9d96040745897 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2743,7 +2743,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
+ if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
+ !crypto_memneq(key, smp->local_pk, 64)) {
+ bt_dev_err(hdev, "Remote and local public keys are identical");
+- return SMP_UNSPECIFIED;
++ return SMP_DHKEY_CHECK_FAILED;
+ }
+
+ memcpy(smp->remote_pk, key, 64);
+--
+2.51.0
+
diff --git a/queue-6.19/bonding-prevent-potential-infinite-loop-in-bond_head.patch b/queue-6.19/bonding-prevent-potential-infinite-loop-in-bond_head.patch
new file mode 100644
index 0000000000..588ec694ea
--- /dev/null
+++ b/queue-6.19/bonding-prevent-potential-infinite-loop-in-bond_head.patch
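Review bot: SMP_DHKEY_CHECK_FAILED is now returned only for the case this branch tests, a remote key byte-identical to smp->local_pk, and only while SMP_FLAG_DEBUG_KEY is clear. The test step the description cites sends an all-zero X and Y, which lands in this branch only if our own public key is also all-zero; an all-zero remote key against a normal local key is rejected, if at all, by the ECDH computation further down in smp_cmd_public_key, outside this hunk, so please confirm that path also reports SMP_DHKEY_CHECK_FAILED rather than SMP_UNSPECIFIED, otherwise the test still fails in that configuration. The security reason for the check is also worth stating next to it, since it reads like a sanity check: `/* A peer reflecting our own public key must be rejected; never derive a DHKey from it. */`. Note the debug-key bypass on the line above deliberately skips this rejection, which should be called out in the same comment.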
@@ -0,0 +1,205 @@ +From 81c56a2756bddeba2590057ca8fc17039a6db726 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 10:41:52 +0000 +Subject: bonding: prevent potential infinite loop in bond_header_parse() + +From: Eric Dumazet + +[ Upstream commit b7405dcf7385445e10821777143f18c3ce20fa04 ] + +bond_header_parse() can loop if a stack of two bonding devices is setup, +because skb->dev always points to the hierarchy top. + +Add new "const struct net_device *dev" parameter to +(struct header_ops)->parse() method to make sure the recursion +is bounded, and that the final leaf parse method is called. + +Fixes: 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()") +Signed-off-by: Eric Dumazet +Reviewed-by: Jiayuan Chen +Tested-by: Jiayuan Chen +Cc: Jay Vosburgh +Cc: Andrew Lunn +Link: https://patch.msgid.link/20260315104152.1436867-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/firewire/net.c | 5 +++-- + drivers/net/bonding/bond_main.c | 8 +++++--- + include/linux/etherdevice.h | 3 ++- + include/linux/if_ether.h | 3 ++- + include/linux/netdevice.h | 6 ++++-- + net/ethernet/eth.c | 9 +++------ + net/ipv4/ip_gre.c | 3 ++- + net/mac802154/iface.c | 4 +++- + net/phonet/af_phonet.c | 5 ++++- + 9 files changed, 28 insertions(+), 18 deletions(-) + +diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c +index 6d64467135395..e829454089550 100644 +--- a/drivers/firewire/net.c ++++ b/drivers/firewire/net.c +@@ -257,9 +257,10 @@ static void fwnet_header_cache_update(struct hh_cache *hh, + memcpy((u8 *)hh->hh_data + HH_DATA_OFF(FWNET_HLEN), haddr, net->addr_len); + } + +-static int fwnet_header_parse(const struct sk_buff *skb, unsigned char *haddr) ++static int fwnet_header_parse(const struct sk_buff *skb, const struct net_device *dev, ++ unsigned char *haddr) + { +- memcpy(haddr, skb->dev->dev_addr, FWNET_ALEN); ++ memcpy(haddr, dev->dev_addr, FWNET_ALEN); + + return FWNET_ALEN; + } +diff --git 
a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index e8e261e0cb4e1..106cfe732a15e 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1497,9 +1497,11 @@ static int bond_header_create(struct sk_buff *skb, struct net_device *bond_dev, + return ret; + } + +-static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr) ++static int bond_header_parse(const struct sk_buff *skb, ++ const struct net_device *dev, ++ unsigned char *haddr) + { +- struct bonding *bond = netdev_priv(skb->dev); ++ struct bonding *bond = netdev_priv(dev); + const struct header_ops *slave_ops; + struct slave *slave; + int ret = 0; +@@ -1509,7 +1511,7 @@ static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr) + if (slave) { + slave_ops = READ_ONCE(slave->dev->header_ops); + if (slave_ops && slave_ops->parse) +- ret = slave_ops->parse(skb, haddr); ++ ret = slave_ops->parse(skb, slave->dev, haddr); + } + rcu_read_unlock(); + return ret; +diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h +index 9a1eacf35d370..df8f88f63a706 100644 +--- a/include/linux/etherdevice.h ++++ b/include/linux/etherdevice.h +@@ -42,7 +42,8 @@ extern const struct header_ops eth_header_ops; + + int eth_header(struct sk_buff *skb, struct net_device *dev, unsigned short type, + const void *daddr, const void *saddr, unsigned len); +-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr); ++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev, ++ unsigned char *haddr); + int eth_header_cache(const struct neighbour *neigh, struct hh_cache *hh, + __be16 type); + void eth_header_cache_update(struct hh_cache *hh, const struct net_device *dev, +diff --git a/include/linux/if_ether.h b/include/linux/if_ether.h +index 61b7335aa037c..ca9afa824aa4f 100644 +--- a/include/linux/if_ether.h ++++ b/include/linux/if_ether.h +@@ -40,7 +40,8 @@ static inline struct ethhdr *inner_eth_hdr(const 
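Review bot: bond_header_parse now correctly recurses with `slave->dev`, but nothing in the function records why `dev` must be used instead of `skb->dev`, which is exactly the loop this patch fixes, so the next cleanup is likely to "simplify" it back. I would add above `struct bonding *bond = netdev_priv(dev);`: `/* Use the device passed by the caller, never skb->dev: skb->dev is the top of a bond-on-bond stack, and recursing on it never reaches the leaf parser. */`. The recursion is bounded only because each level descends to a slave; the rcu_dereference of curr_active_slave that yields `slave` is visible on the context line and the function is complete within the hunk.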
struct sk_buff *skb) + return (struct ethhdr *)skb_inner_mac_header(skb); + } + +-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr); ++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev, ++ unsigned char *haddr); + + extern ssize_t sysfs_format_mac(char *buf, const unsigned char *addr, int len); + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 444e52eb8ed99..1216f050f0699 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -311,7 +311,9 @@ struct header_ops { + int (*create) (struct sk_buff *skb, struct net_device *dev, + unsigned short type, const void *daddr, + const void *saddr, unsigned int len); +- int (*parse)(const struct sk_buff *skb, unsigned char *haddr); ++ int (*parse)(const struct sk_buff *skb, ++ const struct net_device *dev, ++ unsigned char *haddr); + int (*cache)(const struct neighbour *neigh, struct hh_cache *hh, __be16 type); + void (*cache_update)(struct hh_cache *hh, + const struct net_device *dev, +@@ -3442,7 +3444,7 @@ static inline int dev_parse_header(const struct sk_buff *skb, + + if (!dev->header_ops || !dev->header_ops->parse) + return 0; +- return dev->header_ops->parse(skb, haddr); ++ return dev->header_ops->parse(skb, dev, haddr); + } + + static inline __be16 dev_parse_header_protocol(const struct sk_buff *skb) +diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c +index 13a63b48b7eeb..d9faadbe9b6c8 100644 +--- a/net/ethernet/eth.c ++++ b/net/ethernet/eth.c +@@ -193,14 +193,11 @@ __be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev) + } + EXPORT_SYMBOL(eth_type_trans); + +-/** +- * eth_header_parse - extract hardware address from packet +- * @skb: packet to extract header from +- * @haddr: destination buffer +- */ +-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr) ++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev, ++ unsigned char *haddr) + { + const struct ethhdr *eth = 
eth_hdr(skb); ++ + memcpy(haddr, eth->h_source, ETH_ALEN); + return ETH_ALEN; + } +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index e13244729ad8d..35f0baa99d409 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -919,7 +919,8 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev, + return -(t->hlen + sizeof(*iph)); + } + +-static int ipgre_header_parse(const struct sk_buff *skb, unsigned char *haddr) ++static int ipgre_header_parse(const struct sk_buff *skb, const struct net_device *dev, ++ unsigned char *haddr) + { + const struct iphdr *iph = (const struct iphdr *) skb_mac_header(skb); + memcpy(haddr, &iph->saddr, 4); +diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c +index 9e4631fade90c..000be60d95803 100644 +--- a/net/mac802154/iface.c ++++ b/net/mac802154/iface.c +@@ -469,7 +469,9 @@ static int mac802154_header_create(struct sk_buff *skb, + } + + static int +-mac802154_header_parse(const struct sk_buff *skb, unsigned char *haddr) ++mac802154_header_parse(const struct sk_buff *skb, ++ const struct net_device *dev, ++ unsigned char *haddr) + { + struct ieee802154_hdr hdr; + +diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c +index 238a9638d2b0f..d89225d6bfd3b 100644 +--- a/net/phonet/af_phonet.c ++++ b/net/phonet/af_phonet.c +@@ -129,9 +129,12 @@ static int pn_header_create(struct sk_buff *skb, struct net_device *dev, + return 1; + } + +-static int pn_header_parse(const struct sk_buff *skb, unsigned char *haddr) ++static int pn_header_parse(const struct sk_buff *skb, ++ const struct net_device *dev, ++ unsigned char *haddr) + { + const u8 *media = skb_mac_header(skb); ++ + *haddr = *media; + return 1; + } +-- +2.51.0 + diff --git a/queue-6.19/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch b/queue-6.19/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch new file mode 100644 index 0000000000..a5b27b818d --- /dev/null +++ b/queue-6.19/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch 
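Review bot: The kernel-doc block on eth_header_parse in net/ethernet/eth.c is deleted rather than updated, so an exported symbol loses its documentation and the new `dev` parameter is never described, while every other implementation in this patch at least keeps its surrounding comments. Restore the three original tags (`eth_header_parse - extract hardware address from packet`, `@skb: packet to extract header from`, `@haddr: destination buffer`) and add a line for the new parameter, e.g. `@dev: device whose header_ops is being invoked; unused by the Ethernet parser`, which also documents for readers of the header files that implementations may ignore `dev`.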
@@ -0,0 +1,75 @@ +From 7d466b727ccce42b4fdc27448b1fde40b147c80c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 03:18:09 +0900 +Subject: bridge: cfm: Fix race condition in peer_mep deletion + +From: Hyunwoo Kim + +[ Upstream commit 3715a00855316066cdda69d43648336367422127 ] + +When a peer MEP is being deleted, cancel_delayed_work_sync() is called +on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in +softirq context under rcu_read_lock (without RTNL) and can re-schedule +ccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync() +returning and kfree_rcu() being called. + +The following is a simple race scenario: + + cpu0 cpu1 + +mep_delete_implementation() + cancel_delayed_work_sync(ccm_rx_dwork); + br_cfm_frame_rx() + // peer_mep still in hlist + if (peer_mep->ccm_defect) + ccm_rx_timer_start() + queue_delayed_work(ccm_rx_dwork) + hlist_del_rcu(&peer_mep->head); + kfree_rcu(peer_mep, rcu); + ccm_rx_work_expired() + // on freed peer_mep + +To prevent this, cancel_delayed_work_sync() is replaced with +disable_delayed_work_sync() in both peer MEP deletion paths, so +that subsequent queue_delayed_work() calls from br_cfm_frame_rx() +are silently rejected. + +The cc_peer_disable() helper retains cancel_delayed_work_sync() +because it is also used for the CC enable/disable toggle path where +the work must remain re-schedulable. + +Fixes: dc32cbb3dbd7 ("bridge: cfm: Kernel space implementation of CFM. 
CCM frame RX added.") +Signed-off-by: Hyunwoo Kim +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/abBgYT5K_FI9rD1a@v4bel +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_cfm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/bridge/br_cfm.c b/net/bridge/br_cfm.c +index c2c1c7d44c615..f4ca77d9b0e96 100644 +--- a/net/bridge/br_cfm.c ++++ b/net/bridge/br_cfm.c +@@ -576,7 +576,7 @@ static void mep_delete_implementation(struct net_bridge *br, + + /* Empty and free peer MEP list */ + hlist_for_each_entry_safe(peer_mep, n_store, &mep->peer_mep_list, head) { +- cancel_delayed_work_sync(&peer_mep->ccm_rx_dwork); ++ disable_delayed_work_sync(&peer_mep->ccm_rx_dwork); + hlist_del_rcu(&peer_mep->head); + kfree_rcu(peer_mep, rcu); + } +@@ -732,7 +732,7 @@ int br_cfm_cc_peer_mep_remove(struct net_bridge *br, const u32 instance, + return -ENOENT; + } + +- cc_peer_disable(peer_mep); ++ disable_delayed_work_sync(&peer_mep->ccm_rx_dwork); + + hlist_del_rcu(&peer_mep->head); + kfree_rcu(peer_mep, rcu); +-- +2.51.0 + diff --git a/queue-6.19/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch b/queue-6.19/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch new file mode 100644 index 0000000000..555615cb78 --- /dev/null +++ b/queue-6.19/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch 
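Review bot: Both disable_delayed_work_sync() calls are doing something subtle, leaving the work permanently disabled so that a concurrent br_cfm_frame_rx(), which can still reach peer_mep through the RCU-protected list until the grace period after hlist_del_rcu()/kfree_rcu(), cannot re-arm it, and neither site says so; a later cleanup that restores cancel_delayed_work_sync() or cc_peer_disable() "for symmetry" would silently reintroduce the use-after-free. I would add at both sites: `/* Disable, not cancel: RCU readers in br_cfm_frame_rx() may still re-arm ccm_rx_dwork until the grace period. */`. Dropping cc_peer_disable() in br_cfm_cc_peer_mep_remove also skips whatever other state that helper reset; since the peer is freed on the next lines that looks harmless, but cc_peer_disable's body is outside the hunk.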
@@ -0,0 +1,99 @@ +From f92d7adc9538a2d41246c310d858fbbbdfcd1d9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2026 16:57:43 +0000 +Subject: btrfs: log new dentries when logging parent dir of a conflicting + inode + +From: Filipe Manana + +[ Upstream commit 9573a365ff9ff45da9222d3fe63695ce562beb24 ] + +If we log the parent directory of a conflicting inode, we are not logging +the new dentries of the directory, so when we finish we have the parent +directory's inode marked as logged but we did not log its new dentries. +As a consequence if the parent directory is explicitly fsynced later and +it does not have any new changes since we logged it, the fsync is a no-op +and after a power failure the new dentries are missing. + +Example scenario: + + $ mkdir foo + + $ sync + + $rmdir foo + + $ mkdir dir1 + $ mkdir dir2 + + # A file with the same name and parent as the directory we just deleted + # and was persisted in a past transaction. So the deleted directory's + # inode is a conflicting inode of this new file's inode. + $ touch foo + + $ ln foo dir2/link + + # The fsync on dir2 will log the parent directory (".") because the + # conflicting inode (deleted directory) does not exists anymore, but it + # it does not log its new dentries (dir1). + $ xfs_io -c "fsync" dir2 + + # This fsync on the parent directory is no-op, since the previous fsync + # logged it (but without logging its new dentries). + $ xfs_io -c "fsync" . + + + + # After log replay dir1 is missing. + +Fix this by ensuring we log new dir dentries whenever we log the parent +directory of a no longer existing conflicting inode. + +A test case for fstests will follow soon. 
+ +Reported-by: Vyacheslav Kovalevsky +Link: https://lore.kernel.org/linux-btrfs/182055fa-e9ce-4089-9f5f-4b8a23e8dd91@gmail.com/ +Fixes: a3baaf0d786e ("Btrfs: fix fsync after succession of renames and unlink/rmdir") +Reviewed-by: Boris Burkov +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 6cffcf0c3e7af..6c40f48cc194d 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -6195,6 +6195,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans, + struct btrfs_root *root, + struct btrfs_log_ctx *ctx) + { ++ const bool orig_log_new_dentries = ctx->log_new_dentries; + int ret = 0; + + /* +@@ -6256,7 +6257,11 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans, + * dir index key range logged for the directory. So we + * must make sure the deletion is recorded. + */ ++ ctx->log_new_dentries = false; + ret = btrfs_log_inode(trans, inode, LOG_INODE_ALL, ctx); ++ if (!ret && ctx->log_new_dentries) ++ ret = log_new_dir_dentries(trans, inode, ctx); ++ + btrfs_add_delayed_iput(inode); + if (ret) + break; +@@ -6291,6 +6296,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans, + break; + } + ++ ctx->log_new_dentries = orig_log_new_dentries; + ctx->logging_conflict_inodes = false; + if (ret) + free_conflicting_inodes(ctx); +-- +2.51.0 + diff --git a/queue-6.19/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch b/queue-6.19/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch new file mode 100644 index 0000000000..d3588871e4 --- /dev/null +++ b/queue-6.19/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch 
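Review bot: `ctx->log_new_dentries` is restored to `orig_log_new_dentries` only once, after the loop, and every error exit in the visible lines is a `break`, but the stretch between the two hunks is not shown; any `return` there, or from the second btrfs_log_inode() call the function makes for still-existing conflicting inodes, would leave the caller's flag clobbered to whatever btrfs_log_inode() last set. A short comment at the save point would make the contract visible: `/* btrfs_log_inode() sets ctx->log_new_dentries as a side effect; save/restore it so the caller's value survives. */`. The ordering of the new log_new_dir_dentries() call before btrfs_add_delayed_iput() is correct, since `inode` is still held there.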
@@ -0,0 +1,38 @@ +From 37f99088e1f524c820251ad92d932999a2cb06a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 08:33:21 +0800 +Subject: btrfs: tree-checker: fix misleading root drop_level error message + +From: ZhengYuan Huang + +[ Upstream commit fc1cd1f18c34f91e78362f9629ab9fd43b9dcab9 ] + +Fix tree-checker error message to report "invalid root drop_level" +instead of the misleading "invalid root level". + +Fixes: 259ee7754b67 ("btrfs: tree-checker: Add ROOT_ITEM check") +Reviewed-by: Qu Wenruo +Signed-off-by: ZhengYuan Huang +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-checker.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c +index 12d6ae49bc078..59794d726fd27 100644 +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -1256,7 +1256,7 @@ static int check_root_item(struct extent_buffer *leaf, struct btrfs_key *key, + } + if (unlikely(btrfs_root_drop_level(&ri) >= BTRFS_MAX_LEVEL)) { + generic_err(leaf, slot, +- "invalid root level, have %u expect [0, %u]", ++ "invalid root drop_level, have %u expect [0, %u]", + btrfs_root_drop_level(&ri), BTRFS_MAX_LEVEL - 1); + return -EUCLEAN; + } +-- +2.51.0 + diff --git a/queue-6.19/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch b/queue-6.19/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch new file mode 100644 index 0000000000..0fdc3e1efe --- /dev/null +++ b/queue-6.19/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch 
@@ -0,0 +1,46 @@ +From ebe7f179c84be9e948051d57624ae588445de18b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Jan 2026 01:49:09 +0800 +Subject: cache: ax45mp: Fix device node reference leak in ax45mp_cache_init() + +From: Felix Gu + +[ Upstream commit 0528a348b04b327a4611e29589beb4c9ae81304a ] + +In ax45mp_cache_init(), of_find_matching_node() returns a device node +with an incremented reference count that must be released with +of_node_put(). The current code fails to call of_node_put() which +causes a reference leak. + +Use the __free(device_node) attribute to ensure automatic cleanup when +the variable goes out of scope. + +Fixes: d34599bcd2e4 ("cache: Add L2 cache management for Andes AX45MP RISC-V core") +Signed-off-by: Felix Gu +Signed-off-by: Conor Dooley +Signed-off-by: Sasha Levin +--- + drivers/cache/ax45mp_cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/cache/ax45mp_cache.c b/drivers/cache/ax45mp_cache.c +index 1d7dd3d2c101c..934c5087ec2bd 100644 +--- a/drivers/cache/ax45mp_cache.c ++++ b/drivers/cache/ax45mp_cache.c +@@ -178,11 +178,11 @@ static const struct of_device_id ax45mp_cache_ids[] = { + + static int __init ax45mp_cache_init(void) + { +- struct device_node *np; + struct resource res; + int ret; + +- np = of_find_matching_node(NULL, ax45mp_cache_ids); ++ struct device_node *np __free(device_node) = ++ of_find_matching_node(NULL, ax45mp_cache_ids); + if (!of_device_is_available(np)) + return -ENODEV; + +-- +2.51.0 + diff --git a/queue-6.19/cache-starfive-fix-device-node-leak-in-starlink_cach.patch b/queue-6.19/cache-starfive-fix-device-node-leak-in-starlink_cach.patch new file mode 100644 index 0000000000..e98452b35b --- /dev/null +++ b/queue-6.19/cache-starfive-fix-device-node-leak-in-starlink_cach.patch 
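Review bot: With the node now owned by a scoped `__free(device_node)` variable, the `-ENODEV` exit at `if (!of_device_is_available(np))` relies on of_device_is_available() treating a NULL node (no matching node found) as unavailable, and nothing records that; a one-liner `/* of_find_matching_node() may return NULL; of_device_is_available(NULL) is false. */` would capture the assumption. The same applies to the identical hunk in starlink_cache_init() in the following patch (drivers/cache/starfive_starlink_cache.c), so I will not repeat it there. Both init functions continue past their hunks; since the cleanup now runs on every exit path, any explicit `of_node_put(np)` remaining further down would become a double put — the two-line diffstat suggests there is none, but it is worth a glance.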
@@ -0,0 +1,44 @@ +From da4bf827d1eea0cefe467fb749d3791570f592e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Jan 2026 01:13:45 +0800 +Subject: cache: starfive: fix device node leak in starlink_cache_init() + +From: Felix Gu + +[ Upstream commit 3c85234b979af71cb9db5eb976ea08a468415767 ] + +of_find_matching_node() returns a device_node with refcount incremented. + +Use __free(device_node) attribute to automatically call of_node_put() +when the variable goes out of scope, preventing the refcount leak. + +Fixes: cabff60ca77d ("cache: Add StarFive StarLink cache management") +Signed-off-by: Felix Gu +Reviewed-by: Jonathan Cameron +Signed-off-by: Conor Dooley +Signed-off-by: Sasha Levin +--- + drivers/cache/starfive_starlink_cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/cache/starfive_starlink_cache.c b/drivers/cache/starfive_starlink_cache.c +index 24c7d078ca227..3a25d2d7c70ca 100644 +--- a/drivers/cache/starfive_starlink_cache.c ++++ b/drivers/cache/starfive_starlink_cache.c +@@ -102,11 +102,11 @@ static const struct of_device_id starlink_cache_ids[] = { + + static int __init starlink_cache_init(void) + { +- struct device_node *np; + u32 block_size; + int ret; + +- np = of_find_matching_node(NULL, starlink_cache_ids); ++ struct device_node *np __free(device_node) = ++ of_find_matching_node(NULL, starlink_cache_ids); + if (!of_device_is_available(np)) + return -ENODEV; + +-- +2.51.0 + diff --git a/queue-6.19/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch b/queue-6.19/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch new file mode 100644 index 0000000000..b689bc44b0 --- /dev/null +++ b/queue-6.19/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch 
@@ -0,0 +1,116 @@ +From 634fc35df2fd75d28a7328b5a1f6eec4147ad807 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 07:55:31 +0100 +Subject: clsact: Fix use-after-free in init/destroy rollback asymmetry + +From: Daniel Borkmann + +[ Upstream commit a0671125d4f55e1e98d9bde8a0b671941987e208 ] + +Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry. +The latter is achieved by first fully initializing a clsact instance, and +then in a second step having a replacement failure for the new clsact qdisc +instance. clsact_init() initializes ingress first and then takes care of the +egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon +failure, the kernel will trigger the clsact_destroy() callback. + +Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the +way how the transition is happening. If tcf_block_get_ext on the q->ingress_block +ends up failing, we took the tcx_miniq_inc reference count on the ingress +side, but not yet on the egress side. clsact_destroy() tests whether the +{ingress,egress}_entry was non-NULL. However, even in midway failure on the +replacement, both are in fact non-NULL with a valid egress_entry from the +previous clsact instance. + +What we really need to test for is whether the qdisc instance-specific ingress +or egress side previously got initialized. This adds a small helper for checking +the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon +clsact_destroy() in order to fix the use-after-free scenario. Convert the +ingress_destroy() side as well so both are consistent to each other. 
+ +Fixes: 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") +Reported-by: Keenan Dong +Signed-off-by: Daniel Borkmann +Cc: Martin KaFai Lau +Acked-by: Martin KaFai Lau +Link: https://patch.msgid.link/20260313065531.98639-1-daniel@iogearbox.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/sch_generic.h | 5 +++++ + net/sched/sch_ingress.c | 14 ++++++++------ + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index cafb266a0b80d..c3d657359a3d2 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -1457,6 +1457,11 @@ void mini_qdisc_pair_init(struct mini_Qdisc_pair *miniqp, struct Qdisc *qdisc, + void mini_qdisc_pair_block_init(struct mini_Qdisc_pair *miniqp, + struct tcf_block *block); + ++static inline bool mini_qdisc_pair_inited(struct mini_Qdisc_pair *miniqp) ++{ ++ return !!miniqp->p_miniq; ++} ++ + void mq_change_real_num_tx(struct Qdisc *sch, unsigned int new_real_tx); + + int sch_frag_xmit_hook(struct sk_buff *skb, int (*xmit)(struct sk_buff *skb)); +diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c +index cc6051d4f2ef8..c3e18bae8fbfc 100644 +--- a/net/sched/sch_ingress.c ++++ b/net/sched/sch_ingress.c +@@ -113,14 +113,15 @@ static void ingress_destroy(struct Qdisc *sch) + { + struct ingress_sched_data *q = qdisc_priv(sch); + struct net_device *dev = qdisc_dev(sch); +- struct bpf_mprog_entry *entry = rtnl_dereference(dev->tcx_ingress); ++ struct bpf_mprog_entry *entry; + + if (sch->parent != TC_H_INGRESS) + return; + + tcf_block_put_ext(q->block, sch, &q->block_info); + +- if (entry) { ++ if (mini_qdisc_pair_inited(&q->miniqp)) { ++ entry = rtnl_dereference(dev->tcx_ingress); + tcx_miniq_dec(entry); + if (!tcx_entry_is_active(entry)) { + tcx_entry_update(dev, NULL, true); +@@ -290,10 +291,9 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt, + + static void clsact_destroy(struct Qdisc *sch) + { ++ struct 
bpf_mprog_entry *ingress_entry, *egress_entry; + struct clsact_sched_data *q = qdisc_priv(sch); + struct net_device *dev = qdisc_dev(sch); +- struct bpf_mprog_entry *ingress_entry = rtnl_dereference(dev->tcx_ingress); +- struct bpf_mprog_entry *egress_entry = rtnl_dereference(dev->tcx_egress); + + if (sch->parent != TC_H_CLSACT) + return; +@@ -301,7 +301,8 @@ static void clsact_destroy(struct Qdisc *sch) + tcf_block_put_ext(q->ingress_block, sch, &q->ingress_block_info); + tcf_block_put_ext(q->egress_block, sch, &q->egress_block_info); + +- if (ingress_entry) { ++ if (mini_qdisc_pair_inited(&q->miniqp_ingress)) { ++ ingress_entry = rtnl_dereference(dev->tcx_ingress); + tcx_miniq_dec(ingress_entry); + if (!tcx_entry_is_active(ingress_entry)) { + tcx_entry_update(dev, NULL, true); +@@ -309,7 +310,8 @@ static void clsact_destroy(struct Qdisc *sch) + } + } + +- if (egress_entry) { ++ if (mini_qdisc_pair_inited(&q->miniqp_egress)) { ++ egress_entry = rtnl_dereference(dev->tcx_egress); + tcx_miniq_dec(egress_entry); + if (!tcx_entry_is_active(egress_entry)) { + tcx_entry_update(dev, NULL, false); +-- +2.51.0 + diff --git a/queue-6.19/crypto-ccp-fix-leaking-the-same-page-twice.patch b/queue-6.19/crypto-ccp-fix-leaking-the-same-page-twice.patch new file mode 100644 index 0000000000..8135bffc1f --- /dev/null +++ b/queue-6.19/crypto-ccp-fix-leaking-the-same-page-twice.patch 
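Review bot: The rewritten guards drop the NULL test the old code performed on `entry`, `ingress_entry` and `egress_entry`: once `mini_qdisc_pair_inited()` is true, the result of `rtnl_dereference(dev->tcx_ingress)` (or `tcx_egress`) goes straight into `tcx_miniq_dec()`. That is correct only under the invariant that an initialised miniq pair implies this qdisc instance took a tcx_miniq_inc() reference that is still outstanding, so the entry cannot be NULL; the code should state it, e.g. `/* inited miniq pair => this instance holds a tcx_miniq_inc() reference, so entry is non-NULL */`, or make it checkable with a `WARN_ON_ONCE(!entry)` before the decrement. The new helper in sch_generic.h has no kernel-doc and could take `const struct mini_Qdisc_pair *miniqp`, since it only reads `p_miniq`. ingress_destroy() and clsact_destroy() both continue outside the hunks.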
@@ -0,0 +1,56 @@ +From e71909831d17dcd9ba0a18ddc7b2b9a167de220f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 12:39:34 -0800 +Subject: crypto: ccp - Fix leaking the same page twice + +From: Guenter Roeck + +[ Upstream commit 5c52607c43c397b79a9852ce33fc61de58c3645c ] + +Commit 551120148b67 ("crypto: ccp - Fix a case where SNP_SHUTDOWN is +missed") fixed a case where SNP is left in INIT state if page reclaim +fails. It removes the transition to the INIT state for this command and +adjusts the page state management. + +While doing this, it added a call to snp_leak_pages() after a call to +snp_reclaim_pages() failed. Since snp_reclaim_pages() already calls +snp_leak_pages() internally on the pages it fails to reclaim, calling +it again leaks the exact same page twice. + +Fix by removing the extra call to snp_leak_pages(). + +The problem was found by an experimental code review agent based on +gemini-3.1-pro while reviewing backports into v6.18.y. + +Assisted-by: Gemini:gemini-3.1-pro +Fixes: 551120148b67 ("crypto: ccp - Fix a case where SNP_SHUTDOWN is missed") +Cc: Tycho Andersen (AMD) +Cc: Tom Lendacky +Signed-off-by: Guenter Roeck +Reviewed-by: Tom Lendacky +Reviewed-by: Tycho Andersen (AMD) +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/sev-dev.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c +index 0d90b5f6a4548..a554fe3de3fd2 100644 +--- a/drivers/crypto/ccp/sev-dev.c ++++ b/drivers/crypto/ccp/sev-dev.c +@@ -2408,10 +2408,8 @@ static int sev_ioctl_do_snp_platform_status(struct sev_issue_cmd *argp) + * in Firmware state on failure. Use snp_reclaim_pages() to + * transition either case back to Hypervisor-owned state. + */ +- if (snp_reclaim_pages(__pa(data), 1, true)) { +- snp_leak_pages(__page_to_pfn(status_page), 1); ++ if (snp_reclaim_pages(__pa(data), 1, true)) + return -EFAULT; +- } + } + + if (ret) +-- +2.51.0 + 
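Review bot: The surviving `if (snp_reclaim_pages(__pa(data), 1, true)) return -EFAULT;` now silently depends on snp_reclaim_pages() having already leaked the page it failed to reclaim, which is exactly the fact the removed line got wrong; a comment would keep the double leak from coming back, e.g. `/* snp_reclaim_pages() leaks any page it cannot reclaim; nothing further to release here. */`. If the removed `__page_to_pfn(status_page)` was the last use of `status_page` in sev_ioctl_do_snp_platform_status(), it is now an unused local and should be dropped as well; I cannot tell from here, as the function continues outside the hunk.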
diff --git a/queue-6.19/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch b/queue-6.19/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch new file mode 100644 index 0000000000..f5c23ef055 --- /dev/null +++ b/queue-6.19/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch 
@@ -0,0 +1,77 @@ +From 7ea0507d33b2d86877400fd28a5a8a5388805ae9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 12:09:53 +0000 +Subject: firmware: arm_ffa: Remove vm_id argument in ffa_rxtx_unmap() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yeoreum Yun + +[ Upstream commit a4e8473b775160f3ce978f621cf8dea2c7250433 ] + +According to the FF-A specification (DEN0077, v1.1, §13.7), when +FFA_RXTX_UNMAP is invoked from any instance other than non-secure +physical, the w1 register must be zero (MBZ). If a non-zero value is +supplied in this context, the SPMC must return FFA_INVALID_PARAMETER. + +The Arm FF-A driver operates exclusively as a guest or non-secure +physical instance where the partition ID is always zero and is not +invoked from a hypervisor context where w1 carries a VM ID. In this +execution model, the partition ID observed by the driver is always zero, +and passing a VM ID is unnecessary and potentially invalid. + +Remove the vm_id parameter from ffa_rxtx_unmap() and ensure that the +SMC call is issued with w1 implicitly zeroed, as required by the +specification. This prevents invalid parameter errors and aligns the +implementation with the defined FF-A ABI behavior. 
+ +Fixes: 3bbfe9871005 ("firmware: arm_ffa: Add initial Arm FFA driver support") +Signed-off-by: Yeoreum Yun +Message-Id: <20260304120953.847671-1-yeoreum.yun@arm.com> +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_ffa/driver.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c +index 11a702e7f641c..f6ceae987acbc 100644 +--- a/drivers/firmware/arm_ffa/driver.c ++++ b/drivers/firmware/arm_ffa/driver.c +@@ -205,12 +205,12 @@ static int ffa_rxtx_map(phys_addr_t tx_buf, phys_addr_t rx_buf, u32 pg_cnt) + return 0; + } + +-static int ffa_rxtx_unmap(u16 vm_id) ++static int ffa_rxtx_unmap(void) + { + ffa_value_t ret; + + invoke_ffa_fn((ffa_value_t){ +- .a0 = FFA_RXTX_UNMAP, .a1 = PACK_TARGET_INFO(vm_id, 0), ++ .a0 = FFA_RXTX_UNMAP, + }, &ret); + + if (ret.a0 == FFA_ERROR) +@@ -2093,7 +2093,7 @@ static int __init ffa_init(void) + + pr_err("failed to setup partitions\n"); + ffa_notifications_cleanup(); +- ffa_rxtx_unmap(drv_info->vm_id); ++ ffa_rxtx_unmap(); + free_pages: + if (drv_info->tx_buffer) + free_pages_exact(drv_info->tx_buffer, rxtx_bufsz); +@@ -2108,7 +2108,7 @@ static void __exit ffa_exit(void) + { + ffa_notifications_cleanup(); + ffa_partitions_cleanup(); +- ffa_rxtx_unmap(drv_info->vm_id); ++ ffa_rxtx_unmap(); + free_pages_exact(drv_info->tx_buffer, drv_info->rxtx_bufsz); + free_pages_exact(drv_info->rx_buffer, drv_info->rxtx_bufsz); + kfree(drv_info); +-- +2.51.0 + diff --git a/queue-6.19/firmware-arm_scmi-fix-null-dereference-on-notify-err.patch b/queue-6.19/firmware-arm_scmi-fix-null-dereference-on-notify-err.patch new file mode 100644 index 0000000000..499a7847ac --- /dev/null +++ b/queue-6.19/firmware-arm_scmi-fix-null-dereference-on-notify-err.patch 
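Review bot: `ffa_rxtx_unmap()` now relies on the compound literal zero-initialising `.a1`, and nothing in the function records why w1 must be zero; a comment anchored to the spec reference in the commit message would help, e.g. `/* w1 is MBZ here: only a hypervisor at the NS physical instance passes a VM ID (DEN0077 v1.1 §13.7), and this driver never runs as one. */`. With this parameter gone, `drv_info->vm_id` has fewer readers; if these were its last ones the field could be retired, but that cannot be determined from the hunks. The call sites in ffa_init() and ffa_exit() continue outside the hunks.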
@@ -0,0 +1,52 @@ +From 69675acc191070674fada7bc7c894ef1c624b922 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 13:10:11 +0000 +Subject: firmware: arm_scmi: Fix NULL dereference on notify error path + +From: Cristian Marussi + +[ Upstream commit 555317d6100164748f7d09f80142739bd29f0cda ] + +Since commit b5daf93b809d1 ("firmware: arm_scmi: Avoid notifier +registration for unsupported events") the call chains leading to the helper +__scmi_event_handler_get_ops expect an ERR_PTR to be returned on failure to +get an handler for the requested event key, while the current helper can +still return a NULL when no handler could be found or created. + +Fix by forcing an ERR_PTR return value when the handler reference is NULL. + +Fixes: b5daf93b809d1 ("firmware: arm_scmi: Avoid notifier registration for unsupported events") +Signed-off-by: Cristian Marussi +Reviewed-by: Dan Carpenter +Message-Id: <20260305131011.541444-1-cristian.marussi@arm.com> +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/notify.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/arm_scmi/notify.c b/drivers/firmware/arm_scmi/notify.c +index dee9f238f6fdd..2047edbdc5f6b 100644 +--- a/drivers/firmware/arm_scmi/notify.c ++++ b/drivers/firmware/arm_scmi/notify.c +@@ -1066,7 +1066,7 @@ static int scmi_register_event_handler(struct scmi_notify_instance *ni, + * since at creation time we usually want to have all setup and ready before + * events really start flowing. 
+ * +- * Return: A properly refcounted handler on Success, NULL on Failure ++ * Return: A properly refcounted handler on Success, ERR_PTR on Failure + */ + static inline struct scmi_event_handler * + __scmi_event_handler_get_ops(struct scmi_notify_instance *ni, +@@ -1113,7 +1113,7 @@ __scmi_event_handler_get_ops(struct scmi_notify_instance *ni, + } + mutex_unlock(&ni->pending_mtx); + +- return hndl; ++ return hndl ?: ERR_PTR(-ENODEV); + } + + static struct scmi_event_handler * +-- +2.51.0 + diff --git a/queue-6.19/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch b/queue-6.19/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch new file mode 100644 index 0000000000..6465dfa4f4 --- /dev/null +++ b/queue-6.19/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch 
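Review bot: Changing the failure value from NULL to `ERR_PTR(-ENODEV)` on `return hndl ?: ERR_PTR(-ENODEV);` changes the contract for every caller of __scmi_event_handler_get_ops(): any remaining `if (!hndl)` test would now accept the error pointer and dereference it. The commit message says the call chains already expect ERR_PTR, but the patch touches no caller, so each one should be confirmed to use IS_ERR(). Collapsing both "no handler registered" and "handler could not be created" into -ENODEV also hides an allocation failure; if the creating path can fail with -ENOMEM, propagating that code would be more informative — hedged, since that path is outside the hunk. The function body continues outside the hunks.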
@@ -0,0 +1,58 @@ +From f977d83802cfd813ce06aaa5373fca3b16a1ad59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 21:08:19 +0800 +Subject: firmware: arm_scpi: Fix device_node reference leak in probe path + +From: Felix Gu + +[ Upstream commit 879c001afbac3df94160334fe5117c0c83b2cf48 ] + +A device_node reference obtained from the device tree is not released +on all error paths in the arm_scpi probe path. Specifically, a node +returned by of_parse_phandle() could be leaked when the probe failed +after the node was acquired. The probe function returns early and +the shmem reference is not released. + +Use __free(device_node) scope-based cleanup to automatically release +the reference when the variable goes out of scope. + +Fixes: ed7ecb883901 ("firmware: arm_scpi: Add compatibility checks for shmem node") +Signed-off-by: Felix Gu +Message-Id: <20260121-arm_scpi_2-v2-1-702d7fa84acb@gmail.com> +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scpi.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c +index 87c323de17b90..398642cc25d90 100644 +--- a/drivers/firmware/arm_scpi.c ++++ b/drivers/firmware/arm_scpi.c +@@ -18,6 +18,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -940,13 +941,13 @@ static int scpi_probe(struct platform_device *pdev) + int idx = scpi_drvinfo->num_chans; + struct scpi_chan *pchan = scpi_drvinfo->channels + idx; + struct mbox_client *cl = &pchan->cl; +- struct device_node *shmem = of_parse_phandle(np, "shmem", idx); ++ struct device_node *shmem __free(device_node) = ++ of_parse_phandle(np, "shmem", idx); + + if (!of_match_node(shmem_of_match, shmem)) + return -ENXIO; + + ret = of_address_to_resource(shmem, 0, &res); +- of_node_put(shmem); + if (ret) { + dev_err(dev, "failed to get SCPI payload mem resource\n"); + return ret; +-- +2.51.0 + 
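Review bot: The `-ENXIO` exit at `if (!of_match_node(shmem_of_match, shmem))` still relies on of_match_node() treating a NULL `shmem` (missing or malformed phandle) as no match, and with the node now scoped the reader has less reason to look at it; a comment `/* of_parse_phandle() may return NULL; of_match_node() then reports no match. */` would record the assumption. Dropping the `of_node_put(shmem)` that followed of_address_to_resource() also extends the hold on the node to the end of the enclosing block (a per-channel loop body, judging by `idx`), which is harmless but worth a word in the commit message. The block continues outside the hunk; if any later `goto` jumps back into this block past the `__free` declaration, cleanup.h forbids that pattern — presumably not the case here, but the remainder is not visible.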
diff --git a/queue-6.19/iavf-fix-vlan-filter-lost-on-add-delete-race.patch b/queue-6.19/iavf-fix-vlan-filter-lost-on-add-delete-race.patch new file mode 100644 index 0000000000..3dae40dea3 --- /dev/null +++ b/queue-6.19/iavf-fix-vlan-filter-lost-on-add-delete-race.patch 
@@ -0,0 +1,70 @@ +From a47a3a94bf5c2fa12bc9bca96bb2c94ba9257b59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 11:01:37 +0100 +Subject: iavf: fix VLAN filter lost on add/delete race + +From: Petr Oros + +[ Upstream commit fc9c69be594756b81b54c6bc40803fa6052f35ae ] + +When iavf_add_vlan() finds an existing filter in IAVF_VLAN_REMOVE +state, it transitions the filter to IAVF_VLAN_ACTIVE assuming the +pending delete can simply be cancelled. However, there is no guarantee +that iavf_del_vlans() has not already processed the delete AQ request +and removed the filter from the PF. In that case the filter remains in +the driver's list as IAVF_VLAN_ACTIVE but is no longer programmed on +the NIC. Since iavf_add_vlans() only picks up filters in +IAVF_VLAN_ADD state, the filter is never re-added, and spoof checking +drops all traffic for that VLAN. + + CPU0 CPU1 Workqueue + ---- ---- --------- + iavf_del_vlan(vlan 100) + f->state = REMOVE + schedule AQ_DEL_VLAN + iavf_add_vlan(vlan 100) + f->state = ACTIVE + iavf_del_vlans() + f is ACTIVE, skip + iavf_add_vlans() + f is ACTIVE, skip + + Filter is ACTIVE in driver but absent from NIC. + +Transition to IAVF_VLAN_ADD instead and schedule +IAVF_FLAG_AQ_ADD_VLAN_FILTER so iavf_add_vlans() re-programs the +filter. A duplicate add is idempotent on the PF. 
+ +Fixes: 0c0da0e95105 ("iavf: refactor VLAN filter states") +Signed-off-by: Petr Oros +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 03ab2a4276bbf..0a72d419782e5 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -757,10 +757,13 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter, + adapter->num_vlan_filters++; + iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER); + } else if (f->state == IAVF_VLAN_REMOVE) { +- /* IAVF_VLAN_REMOVE means that VLAN wasn't yet removed. +- * We can safely only change the state here. ++ /* Re-add the filter since we cannot tell whether the ++ * pending delete has already been processed by the PF. ++ * A duplicate add is harmless. + */ +- f->state = IAVF_VLAN_ACTIVE; ++ f->state = IAVF_VLAN_ADD; ++ iavf_schedule_aq_request(adapter, ++ IAVF_FLAG_AQ_ADD_VLAN_FILTER); + } + + clearout: +-- +2.51.0 + diff --git a/queue-6.19/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch b/queue-6.19/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch new file mode 100644 index 0000000000..98e88fd4c4 --- /dev/null +++ b/queue-6.19/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch 
@@ -0,0 +1,68 @@ +From cff388b65b93af0550fa012b9a7ab310f9998cd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 21:06:01 +0800 +Subject: icmp: fix NULL pointer dereference in icmp_tag_validation() + +From: Weiming Shi + +[ Upstream commit 614aefe56af8e13331e50220c936fc0689cf5675 ] + +icmp_tag_validation() unconditionally dereferences the result of +rcu_dereference(inet_protos[proto]) without checking for NULL. +The inet_protos[] array is sparse -- only about 15 of 256 protocol +numbers have registered handlers. When ip_no_pmtu_disc is set to 3 +(hardened PMTU mode) and the kernel receives an ICMP Fragmentation +Needed error with a quoted inner IP header containing an unregistered +protocol number, the NULL dereference causes a kernel panic in +softirq context. + + Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI + KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] + RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) + Call Trace: + + icmp_rcv (net/ipv4/icmp.c:1527) + ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) + ip_local_deliver_finish (net/ipv4/ip_input.c:242) + ip_local_deliver (net/ipv4/ip_input.c:262) + ip_rcv (net/ipv4/ip_input.c:573) + __netif_receive_skb_one_core (net/core/dev.c:6164) + process_backlog (net/core/dev.c:6628) + handle_softirqs (kernel/softirq.c:561) + + +Add a NULL check before accessing icmp_strict_tag_validation. If the +protocol has no registered handler, return false since it cannot +perform strict tag validation. 
+ +Fixes: 8ed1dc44d3e9 ("ipv4: introduce hardened ip_no_pmtu_disc mode") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Link: https://patch.msgid.link/20260318130558.1050247-4-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 471dd862f6639..e619b73f5063e 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -1067,10 +1067,12 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info) + + static bool icmp_tag_validation(int proto) + { ++ const struct net_protocol *ipprot; + bool ok; + + rcu_read_lock(); +- ok = rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation; ++ ipprot = rcu_dereference(inet_protos[proto]); ++ ok = ipprot ? ipprot->icmp_strict_tag_validation : false; + rcu_read_unlock(); + return ok; + } +-- +2.51.0 + diff --git a/queue-6.19/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch b/queue-6.19/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch new file mode 100644 index 0000000000..208dd807f3 --- /dev/null +++ b/queue-6.19/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch 
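Review bot: The new guard `ok = ipprot ? ipprot->icmp_strict_tag_validation : false;` closes a remotely reachable NULL dereference (an ICMP Fragmentation Needed quoting an unregistered protocol with ip_no_pmtu_disc set to 3), but nothing in the function says why a missing handler maps to false; a comment such as `/* inet_protos[] is sparse; a protocol with no registered handler cannot validate tags, so report false and let the caller reject. */` would help the next reader. `proto` remains an `int` used as an index into inet_protos[] with no range check, which is safe only while every caller passes a protocol byte (0..255) — presumably the quoted inner header's protocol field, but that should be confirmed at the call sites, which are outside the hunk.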
@@ -0,0 +1,45 @@ +From f7221e8072cab9f48fe1588a53aa6d3cb7da5e37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Feb 2026 19:46:32 +0000 +Subject: igc: fix missing update of skb->tail in igc_xmit_frame() + +From: Kohei Enju + +[ Upstream commit 0ffba246652faf4a36aedc66059c2f94e4c83ea5 ] + +igc_xmit_frame() misses updating skb->tail when the packet size is +shorter than the minimum one. +Use skb_put_padto() in alignment with other Intel Ethernet drivers. + +Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers") +Signed-off-by: Kohei Enju +Reviewed-by: Simon Horman +Reviewed-by: Paul Menzel +Tested-by: Avigail Dahan +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 4439eeb378c1f..6a174d46929e2 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -1730,11 +1730,8 @@ static netdev_tx_t igc_xmit_frame(struct sk_buff *skb, + /* The minimum packet size with TCTL.PSP set is 17 so pad the skb + * in order to meet this minimum size requirement. + */ +- if (skb->len < 17) { +- if (skb_padto(skb, 17)) +- return NETDEV_TX_OK; +- skb->len = 17; +- } ++ if (skb_put_padto(skb, 17)) ++ return NETDEV_TX_OK; + + return igc_xmit_frame_ring(skb, igc_tx_queue_mapping(adapter, skb)); + } +-- +2.51.0 + diff --git a/queue-6.19/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch b/queue-6.19/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch new file mode 100644 index 0000000000..5f4f6e59d6 --- /dev/null +++ b/queue-6.19/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch 
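Review bot: `if (skb_put_padto(skb, 17)) return NETDEV_TX_OK;` is correct only because skb_put_padto() frees the skb itself when padding fails; to a reader the early return looks like a leak, so `/* skb_put_padto() frees the skb on failure */` is worth adding. As a point of style, the minimum length 17 is a magic number that now appears in the comment above and in the call; a named constant in igc.h (something like `IGC_MIN_TX_LEN` — name constructed here, not from the tree) would tie the two together and make the TCTL.PSP rationale greppable. igc_xmit_frame() starts outside the hunk.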
@@ -0,0 +1,118 @@ +From fab85634b691cdb6dc0be87f783d65081c38f270 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 10:58:29 +0100 +Subject: igc: fix page fault in XDP TX timestamps handling + +From: Zdenek Bouska + +[ Upstream commit 45b33e805bd39f615d9353a7194b2da5281332df ] + +If an XDP application that requested TX timestamping is shutting down +while the link of the interface in use is still up the following kernel +splat is reported: + +[ 883.803618] [ T1554] BUG: unable to handle page fault for address: ffffcfb6200fd008 +... +[ 883.803650] [ T1554] Call Trace: +[ 883.803652] [ T1554] +[ 883.803654] [ T1554] igc_ptp_tx_tstamp_event+0xdf/0x160 [igc] +[ 883.803660] [ T1554] igc_tsync_interrupt+0x2d5/0x300 [igc] +... + +During shutdown of the TX ring the xsk_meta pointers are left behind, so +that the IRQ handler is trying to touch them. + +This issue is now being fixed by cleaning up the stale xsk meta data on +TX shutdown. TX timestamps on other queues remain unaffected. 
+ +Fixes: 15fd021bc427 ("igc: Add Tx hardware timestamp request for AF_XDP zero-copy packet") +Signed-off-by: Zdenek Bouska +Reviewed-by: Paul Menzel +Reviewed-by: Florian Bezdeka +Tested-by: Avigail Dahan +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc.h | 2 ++ + drivers/net/ethernet/intel/igc/igc_main.c | 7 +++++ + drivers/net/ethernet/intel/igc/igc_ptp.c | 33 +++++++++++++++++++++++ + 3 files changed, 42 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h +index a427f05814c1a..17236813965d3 100644 +--- a/drivers/net/ethernet/intel/igc/igc.h ++++ b/drivers/net/ethernet/intel/igc/igc.h +@@ -781,6 +781,8 @@ int igc_ptp_hwtstamp_set(struct net_device *netdev, + struct kernel_hwtstamp_config *config, + struct netlink_ext_ack *extack); + void igc_ptp_tx_hang(struct igc_adapter *adapter); ++void igc_ptp_clear_xsk_tx_tstamp_queue(struct igc_adapter *adapter, ++ u16 queue_id); + void igc_ptp_read(struct igc_adapter *adapter, struct timespec64 *ts); + void igc_ptp_tx_tstamp_event(struct igc_adapter *adapter); + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 6a174d46929e2..b1ca2079e5cf3 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -264,6 +264,13 @@ static void igc_clean_tx_ring(struct igc_ring *tx_ring) + /* reset next_to_use and next_to_clean */ + tx_ring->next_to_use = 0; + tx_ring->next_to_clean = 0; ++ ++ /* Clear any lingering XSK TX timestamp requests */ ++ if (test_bit(IGC_RING_FLAG_TX_HWTSTAMP, &tx_ring->flags)) { ++ struct igc_adapter *adapter = netdev_priv(tx_ring->netdev); ++ ++ igc_ptp_clear_xsk_tx_tstamp_queue(adapter, tx_ring->queue_index); ++ } + } + + /** +diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c +index 44ee193867661..3d6b2264164af 100644 +--- 
a/drivers/net/ethernet/intel/igc/igc_ptp.c ++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c +@@ -577,6 +577,39 @@ static void igc_ptp_clear_tx_tstamp(struct igc_adapter *adapter) + spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags); + } + ++/** ++ * igc_ptp_clear_xsk_tx_tstamp_queue - Clear pending XSK TX timestamps for a queue ++ * @adapter: Board private structure ++ * @queue_id: TX queue index to clear timestamps for ++ * ++ * Iterates over all TX timestamp registers and releases any pending ++ * timestamp requests associated with the given TX queue. This is ++ * called when an XDP pool is being disabled to ensure no stale ++ * timestamp references remain. ++ */ ++void igc_ptp_clear_xsk_tx_tstamp_queue(struct igc_adapter *adapter, u16 queue_id) ++{ ++ unsigned long flags; ++ int i; ++ ++ spin_lock_irqsave(&adapter->ptp_tx_lock, flags); ++ ++ for (i = 0; i < IGC_MAX_TX_TSTAMP_REGS; i++) { ++ struct igc_tx_timestamp_request *tstamp = &adapter->tx_tstamp[i]; ++ ++ if (tstamp->buffer_type != IGC_TX_BUFFER_TYPE_XSK) ++ continue; ++ if (tstamp->xsk_queue_index != queue_id) ++ continue; ++ if (!tstamp->xsk_tx_buffer) ++ continue; ++ ++ igc_ptp_free_tx_buffer(adapter, tstamp); ++ } ++ ++ spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags); ++} ++ + static void igc_ptp_disable_tx_timestamp(struct igc_adapter *adapter) + { + struct igc_hw *hw = &adapter->hw; +-- +2.51.0 + diff --git a/queue-6.19/ip_tunnel-adapt-iptunnel_xmit_stats-to-netdev_pcpu_s.patch b/queue-6.19/ip_tunnel-adapt-iptunnel_xmit_stats-to-netdev_pcpu_s.patch new file mode 100644 index 0000000000..cb40c5154e --- /dev/null +++ b/queue-6.19/ip_tunnel-adapt-iptunnel_xmit_stats-to-netdev_pcpu_s.patch 
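Review bot: The kernel-doc of `igc_ptp_clear_xsk_tx_tstamp_queue()` says it "is called when an XDP pool is being disabled", but the only caller this patch adds is igc_clean_tx_ring(), which runs on any TX ring teardown gated by IGC_RING_FLAG_TX_HWTSTAMP; the doc should name that path, e.g. "Called from igc_clean_tx_ring() so that no stale XSK timestamp references survive ring teardown." The loop also assumes that igc_ptp_free_tx_buffer() resets `tstamp->xsk_tx_buffer` (and ideally `buffer_type`) so that igc_ptp_tx_tstamp_event() later treats the slot as empty, and that a timestamp the hardware still delivers for the released request is handled harmlessly; neither is visible in the hunk, so both are worth confirming. igc_clean_tx_ring() continues outside the hunk.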
@@ -0,0 +1,100 @@ +From 4721b78418df52583a27d10456b3596824f60a0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 12:31:10 +0000 +Subject: ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS + +From: Eric Dumazet + +[ Upstream commit 8431c602f551549f082bbfa67f3003f2d8e3e132 ] + +Blamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which +call iptunnel_xmit_stats(). + +iptunnel_xmit_stats() was assuming tunnels were only using +NETDEV_PCPU_STAT_TSTATS. + +@syncp offset in pcpu_sw_netstats and pcpu_dstats is different. + +32bit kernels would either have corruptions or freezes if the syncp +sequence was overwritten. + +This patch also moves pcpu_stat_type closer to dev->{t,d}stats to avoid +a potential cache line miss since iptunnel_xmit_stats() needs to read it. + +Fixes: 6fa6de302246 ("geneve: Handle stats using NETDEV_PCPU_STAT_DSTATS.") +Fixes: be226352e8dc ("vxlan: Handle stats using NETDEV_PCPU_STAT_DSTATS.") +Signed-off-by: Eric Dumazet +Reviewed-by: Guillaume Nault +Link: https://patch.msgid.link/20260311123110.1471930-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 3 +-- + include/net/ip_tunnels.h | 30 +++++++++++++++++++++++------- + 2 files changed, 24 insertions(+), 9 deletions(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 65d85dc9c8f05..444e52eb8ed99 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -2153,6 +2153,7 @@ struct net_device { + unsigned long state; + unsigned int flags; + unsigned short hard_header_len; ++ enum netdev_stat_type pcpu_stat_type:8; + netdev_features_t features; + struct inet6_dev __rcu *ip6_ptr; + __cacheline_group_end(net_device_read_txrx); +@@ -2401,8 +2402,6 @@ struct net_device { + void *ml_priv; + enum netdev_ml_priv_type ml_priv_type; + +- enum netdev_stat_type pcpu_stat_type:8; +- + #if IS_ENABLED(CONFIG_GARP) + struct garp_port __rcu *garp_port; + 
#endif +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index 80662f8120803..1f577a4f8ce9b 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -665,13 +665,29 @@ static inline int iptunnel_pull_offloads(struct sk_buff *skb) + static inline void iptunnel_xmit_stats(struct net_device *dev, int pkt_len) + { + if (pkt_len > 0) { +- struct pcpu_sw_netstats *tstats = get_cpu_ptr(dev->tstats); +- +- u64_stats_update_begin(&tstats->syncp); +- u64_stats_add(&tstats->tx_bytes, pkt_len); +- u64_stats_inc(&tstats->tx_packets); +- u64_stats_update_end(&tstats->syncp); +- put_cpu_ptr(tstats); ++ if (dev->pcpu_stat_type == NETDEV_PCPU_STAT_DSTATS) { ++ struct pcpu_dstats *dstats = get_cpu_ptr(dev->dstats); ++ ++ u64_stats_update_begin(&dstats->syncp); ++ u64_stats_add(&dstats->tx_bytes, pkt_len); ++ u64_stats_inc(&dstats->tx_packets); ++ u64_stats_update_end(&dstats->syncp); ++ put_cpu_ptr(dstats); ++ return; ++ } ++ if (dev->pcpu_stat_type == NETDEV_PCPU_STAT_TSTATS) { ++ struct pcpu_sw_netstats *tstats = get_cpu_ptr(dev->tstats); ++ ++ u64_stats_update_begin(&tstats->syncp); ++ u64_stats_add(&tstats->tx_bytes, pkt_len); ++ u64_stats_inc(&tstats->tx_packets); ++ u64_stats_update_end(&tstats->syncp); ++ put_cpu_ptr(tstats); ++ return; ++ } ++ pr_err_once("iptunnel_xmit_stats pcpu_stat_type=%d\n", ++ dev->pcpu_stat_type); ++ WARN_ON_ONCE(1); + return; + } + +-- +2.51.0 + diff --git a/queue-6.19/ipv6-add-null-checks-for-idev-in-srv6-paths.patch b/queue-6.19/ipv6-add-null-checks-for-idev-in-srv6-paths.patch new file mode 100644 index 0000000000..1e4d89e201 --- /dev/null +++ b/queue-6.19/ipv6-add-null-checks-for-idev-in-srv6-paths.patch 
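Review bot: The fallback at the end of the new `if (pkt_len > 0)` body reports the unexpected stat type in two steps, `pr_err_once(...)` followed by `WARN_ON_ONCE(1)`, which the kernel already expresses as one call: `WARN_ONCE(1, "iptunnel_xmit_stats pcpu_stat_type=%d\n", dev->pcpu_stat_type);` attaches the message to the stack trace and drops a line, unless the split form is deliberate to keep the printk out of the warning text. The DSTATS and TSTATS branches are otherwise identical except for the per-cpu struct type, so anyone adding a counter here has to remember to touch both. The closing brace of iptunnel_xmit_stats() is outside the hunk, so whether the trailing `return;` after the warning is needed cannot be confirmed from here.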
@@ -0,0 +1,59 @@ +From 18de305c1203751972d54c879b1360501332e90d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 15:33:01 +0800 +Subject: ipv6: add NULL checks for idev in SRv6 paths + +From: Minhong He + +[ Upstream commit 06413793526251870e20402c39930804f14d59c0 ] + +__in6_dev_get() can return NULL when the device has no IPv6 configuration +(e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER). + +Add NULL checks for idev returned by __in6_dev_get() in both +seg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL +pointer dereferences. + +Fixes: 1ababeba4a21 ("ipv6: implement dataplane support for rthdr type 4 (Segment Routing Header)") +Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support") +Signed-off-by: Minhong He +Reviewed-by: Andrea Mayer +Link: https://patch.msgid.link/20260316073301.106643-1-heminhong@kylinos.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/exthdrs.c | 4 ++++ + net/ipv6/seg6_hmac.c | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c +index 310836a0cf17b..1d509b6d16bbd 100644 +--- a/net/ipv6/exthdrs.c ++++ b/net/ipv6/exthdrs.c +@@ -379,6 +379,10 @@ static int ipv6_srh_rcv(struct sk_buff *skb) + hdr = (struct ipv6_sr_hdr *)skb_transport_header(skb); + + idev = __in6_dev_get(skb->dev); ++ if (!idev) { ++ kfree_skb(skb); ++ return -1; ++ } + + accept_seg6 = min(READ_ONCE(net->ipv6.devconf_all->seg6_enabled), + READ_ONCE(idev->cnf.seg6_enabled)); +diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c +index ee6bac0160ace..e6964c6b0d381 100644 +--- a/net/ipv6/seg6_hmac.c ++++ b/net/ipv6/seg6_hmac.c +@@ -184,6 +184,8 @@ bool seg6_hmac_validate_skb(struct sk_buff *skb) + int require_hmac; + + idev = __in6_dev_get(skb->dev); ++ if (!idev) ++ return false; + + srh = (struct ipv6_sr_hdr *)skb_transport_header(skb); + +-- +2.51.0 + 
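Review bot: The new `if (!idev)` guards in ipv6_srh_rcv() and seg6_hmac_validate_skb() drop the packet without saying why a device can lack an inet6_dev, which is the non-obvious part (the commit text names MTU below IPV6_MIN_MTU and NETDEV_UNREGISTER); a comment at each guard, e.g. `/* No IPv6 config on this device (MTU < IPV6_MIN_MTU or unregistering): drop. */`, would carry that rationale into the code. In ipv6_srh_rcv() the plain `kfree_skb(skb)` records no drop reason; if the rest of that function already uses kfree_skb_reason() on its other failure paths (its body is outside the hunk), this path should match for consistency. Both enclosing functions start before their hunks.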
diff --git a/queue-6.19/libie-prevent-memleak-in-fwlog-code.patch b/queue-6.19/libie-prevent-memleak-in-fwlog-code.patch new file mode 100644 index 0000000000..a11099e2db --- /dev/null +++ b/queue-6.19/libie-prevent-memleak-in-fwlog-code.patch 
@@ -0,0 +1,152 @@ +From d1ea593cd42518208dcdeb375ab188f0380f845b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Feb 2026 10:10:08 +0100 +Subject: libie: prevent memleak in fwlog code + +From: Michal Swiatkowski + +[ Upstream commit 6850deb61118345996f03b87817b4ae0f2f25c38 ] + +All cmd_buf buffers are allocated and need to be freed after usage. +Add an error unwinding path that properly frees these buffers. + +The memory leak happens whenever fwlog configuration is changed. For +example: + +$echo 256K > /sys/kernel/debug/ixgbe/0000\:32\:00.0/fwlog/log_size + +Fixes: 96a9a9341cda ("ice: configure FW logging") +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Michal Swiatkowski +Reviewed-by: Simon Horman +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/libie/fwlog.c | 49 +++++++++++++++++------- + 1 file changed, 36 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/intel/libie/fwlog.c b/drivers/net/ethernet/intel/libie/fwlog.c +index 5d890d9d3c4d5..3b32986c2978a 100644 +--- a/drivers/net/ethernet/intel/libie/fwlog.c ++++ b/drivers/net/ethernet/intel/libie/fwlog.c +@@ -433,17 +433,21 @@ libie_debugfs_module_write(struct file *filp, const char __user *buf, + module = libie_find_module_by_dentry(fwlog->debugfs_modules, dentry); + if (module < 0) { + dev_info(dev, "unknown module\n"); +- return -EINVAL; ++ count = -EINVAL; ++ goto free_cmd_buf; + } + + cnt = sscanf(cmd_buf, "%s", user_val); +- if (cnt != 1) +- return -EINVAL; ++ if (cnt != 1) { ++ count = -EINVAL; ++ goto free_cmd_buf; ++ } + + log_level = sysfs_match_string(libie_fwlog_level_string, user_val); + if (log_level < 0) { + dev_info(dev, "unknown log level '%s'\n", user_val); +- return -EINVAL; ++ count = -EINVAL; ++ goto free_cmd_buf; + } + + if (module != LIBIE_AQC_FW_LOG_ID_MAX) { +@@ -458,6 +462,9 @@ libie_debugfs_module_write(struct file *filp, const char __user *buf, + 
fwlog->cfg.module_entries[i].log_level = log_level; + } + ++free_cmd_buf: ++ kfree(cmd_buf); ++ + return count; + } + +@@ -515,23 +522,31 @@ libie_debugfs_nr_messages_write(struct file *filp, const char __user *buf, + return PTR_ERR(cmd_buf); + + ret = sscanf(cmd_buf, "%s", user_val); +- if (ret != 1) +- return -EINVAL; ++ if (ret != 1) { ++ count = -EINVAL; ++ goto free_cmd_buf; ++ } + + ret = kstrtos16(user_val, 0, &nr_messages); +- if (ret) +- return ret; ++ if (ret) { ++ count = ret; ++ goto free_cmd_buf; ++ } + + if (nr_messages < LIBIE_AQC_FW_LOG_MIN_RESOLUTION || + nr_messages > LIBIE_AQC_FW_LOG_MAX_RESOLUTION) { + dev_err(dev, "Invalid FW log number of messages %d, value must be between %d - %d\n", + nr_messages, LIBIE_AQC_FW_LOG_MIN_RESOLUTION, + LIBIE_AQC_FW_LOG_MAX_RESOLUTION); +- return -EINVAL; ++ count = -EINVAL; ++ goto free_cmd_buf; + } + + fwlog->cfg.log_resolution = nr_messages; + ++free_cmd_buf: ++ kfree(cmd_buf); ++ + return count; + } + +@@ -588,8 +603,10 @@ libie_debugfs_enable_write(struct file *filp, const char __user *buf, + return PTR_ERR(cmd_buf); + + ret = sscanf(cmd_buf, "%s", user_val); +- if (ret != 1) +- return -EINVAL; ++ if (ret != 1) { ++ ret = -EINVAL; ++ goto free_cmd_buf; ++ } + + ret = kstrtobool(user_val, &enable); + if (ret) +@@ -624,6 +641,8 @@ libie_debugfs_enable_write(struct file *filp, const char __user *buf, + */ + if (WARN_ON(ret != (ssize_t)count && ret >= 0)) + ret = -EIO; ++free_cmd_buf: ++ kfree(cmd_buf); + + return ret; + } +@@ -682,8 +701,10 @@ libie_debugfs_log_size_write(struct file *filp, const char __user *buf, + return PTR_ERR(cmd_buf); + + ret = sscanf(cmd_buf, "%s", user_val); +- if (ret != 1) +- return -EINVAL; ++ if (ret != 1) { ++ ret = -EINVAL; ++ goto free_cmd_buf; ++ } + + index = sysfs_match_string(libie_fwlog_log_size, user_val); + if (index < 0) { +@@ -712,6 +733,8 @@ libie_debugfs_log_size_write(struct file *filp, const char __user *buf, + */ + if (WARN_ON(ret != (ssize_t)count && ret >= 0)) + 
ret = -EIO; ++free_cmd_buf: ++ kfree(cmd_buf); + + return ret; + } +-- +2.51.0 + diff --git a/queue-6.19/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch b/queue-6.19/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch new file mode 100644 index 0000000000..38b374071d --- /dev/null +++ b/queue-6.19/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch @@ -0,0 +1,37 @@ +From a0035e2d5323dfc87bd46daf1a55b0bfabaeb6dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 23:35:09 +0100 +Subject: mpls: add missing unregister_netdevice_notifier to mpls_init + +From: Sabrina Dubroca + +[ Upstream commit 99600f79b28c83c68bae199a3d8e95049a758308 ] + +If mpls_init() fails after registering mpls_dev_notifier, it never +gets removed. Add the missing unregister_netdevice_notifier() call to +the error handling path. + +Fixes: 5be2062e3080 ("mpls: Handle error of rtnl_register_module().") +Signed-off-by: Sabrina Dubroca +Link: https://patch.msgid.link/7c55363c4f743d19e2306204a134407c90a69bbb.1773228081.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mpls/af_mpls.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c +index 580aac112dd21..c57f10e2ef269 100644 +--- a/net/mpls/af_mpls.c ++++ b/net/mpls/af_mpls.c +@@ -2854,6 +2854,7 @@ static int __init mpls_init(void) + rtnl_af_unregister(&mpls_af_ops); + out_unregister_dev_type: + dev_remove_pack(&mpls_packet_type); ++ unregister_netdevice_notifier(&mpls_dev_notifier); + out_unregister_pernet: + unregister_pernet_subsys(&mpls_net_ops); + goto out; +-- +2.51.0 + diff --git a/queue-6.19/mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch b/queue-6.19/mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch new file mode 100644 index 0000000000..6686baad73 --- /dev/null +++ b/queue-6.19/mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch 
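Review bot: In libie_debugfs_module_write() and libie_debugfs_nr_messages_write() the new error paths store negative errnos into the `size_t count` parameter (`count = -EINVAL;`, `count = ret;`) and rely on the implicit conversion back to ssize_t at `return count;`; that round-trips on Linux but hides a signed value in an unsigned variable and differs from the `ret` local that libie_debugfs_enable_write() and libie_debugfs_log_size_write() use in the same patch. Declaring `ssize_t ret = count;` in the first two functions, assigning the errno to it and finishing with `return ret;` puts all four on one pattern. Two earlier failure paths are outside the hunk — the line after `if (ret)` following kstrtobool() in enable_write, and the body of `if (index < 0) {` in log_size_write: if they still return directly instead of reaching an existing label that falls through to the new `free_cmd_buf:`, cmd_buf is still leaked there. All four enclosing functions start before their hunks.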
@@ -0,0 +1,39 @@ +From 5f56655a909d66207f84d95fc514e4bafe620e76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 19:21:59 +0800 +Subject: MPTCP: fix lock class name family in pm_nl_create_listen_socket + +From: Li Xiasong + +[ Upstream commit 7ab4a7c5d969642782b8a5b608da0dd02aa9f229 ] + +In mptcp_pm_nl_create_listen_socket(), use entry->addr.family +instead of sk->sk_family for lock class setup. The 'sk' parameter +is a netlink socket, not the MPTCP subflow socket being created. + +Fixes: cee4034a3db1 ("mptcp: fix lockdep false positive in mptcp_pm_nl_create_listen_socket()") +Signed-off-by: Li Xiasong +Reviewed-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260319112159.3118874-1-lixiasong1@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/pm_kernel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mptcp/pm_kernel.c b/net/mptcp/pm_kernel.c +index 0ef43993e15ad..17eb50276e778 100644 +--- a/net/mptcp/pm_kernel.c ++++ b/net/mptcp/pm_kernel.c +@@ -838,7 +838,7 @@ static struct lock_class_key mptcp_keys[2]; + static int mptcp_pm_nl_create_listen_socket(struct sock *sk, + struct mptcp_pm_addr_entry *entry) + { +- bool is_ipv6 = sk->sk_family == AF_INET6; ++ bool is_ipv6 = entry->addr.family == AF_INET6; + int addrlen = sizeof(struct sockaddr_in); + struct sockaddr_storage addr; + struct sock *newsk, *ssk; +-- +2.51.0 + diff --git a/queue-6.19/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch b/queue-6.19/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch new file mode 100644 index 0000000000..2973e7a81d --- /dev/null +++ b/queue-6.19/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch 
@@ -0,0 +1,40 @@ +From ece3d421a4e2c8e5199b7ad3772b715489adc4f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 12:27:00 +0100 +Subject: net: airoha: Remove airoha_dev_stop() in airoha_remove() + +From: Lorenzo Bianconi + +[ Upstream commit d4a533ad249e9fbdc2d0633f2ddd60a5b3a9a4ca ] + +Do not run airoha_dev_stop routine explicitly in airoha_remove() +since ndo_stop() callback is already executed by unregister_netdev() in +__dev_close_many routine if necessary and, doing so, we will end up causing +an underflow in the qdma users atomic counters. Rely on networking subsystem +to stop the device removing the airoha_eth module. + +Fixes: 23020f0493270 ("net: airoha: Introduce ethernet support for EN7581 SoC") +Signed-off-by: Lorenzo Bianconi +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260313-airoha-remove-ndo_stop-remove-net-v2-1-67542c3ceeca@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/airoha/airoha_eth.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c +index 315d97036ac1d..c37a1b86180f3 100644 +--- a/drivers/net/ethernet/airoha/airoha_eth.c ++++ b/drivers/net/ethernet/airoha/airoha_eth.c +@@ -3080,7 +3080,6 @@ static void airoha_remove(struct platform_device *pdev) + if (!port) + continue; + +- airoha_dev_stop(port->dev); + unregister_netdev(port->dev); + airoha_metadata_dst_free(port); + } +-- +2.51.0 + diff --git a/queue-6.19/net-bcmgenet-increase-wol-poll-timeout.patch b/queue-6.19/net-bcmgenet-increase-wol-poll-timeout.patch new file mode 100644 index 0000000000..6f0139253b --- /dev/null +++ b/queue-6.19/net-bcmgenet-increase-wol-poll-timeout.patch 
@@ -0,0 +1,38 @@ +From 8d1436df1b5f0871acac498f83e1c2ff765a2e68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 12:18:52 -0700 +Subject: net: bcmgenet: increase WoL poll timeout + +From: Justin Chen + +[ Upstream commit 6cfc3bc02b977f2fba5f7268e6504d1931a774f7 ] + +Some systems require more than 5ms to get into WoL mode. Increase the +timeout value to 50ms. + +Fixes: c51de7f3976b ("net: bcmgenet: add Wake-on-LAN support code") +Signed-off-by: Justin Chen +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20260312191852.3904571-1-justin.chen@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c +index 8fb5512882980..96d5d4f7f51fe 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c +@@ -123,7 +123,7 @@ static int bcmgenet_poll_wol_status(struct bcmgenet_priv *priv) + while (!(bcmgenet_rbuf_readl(priv, RBUF_STATUS) + & RBUF_STATUS_WOL)) { + retries++; +- if (retries > 5) { ++ if (retries > 50) { + netdev_crit(dev, "polling wol mode timeout\n"); + return -ETIMEDOUT; + } +-- +2.51.0 + diff --git a/queue-6.19/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch b/queue-6.19/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch new file mode 100644 index 0000000000..d3d4e28bd2 --- /dev/null +++ b/queue-6.19/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch 
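Review bot: The retry budget at `if (retries > 50)` is a bare magic number whose meaning (about 50 ms per the commit text) depends on the per-iteration delay that sits outside the hunk, so the two values can drift apart unnoticed; a named constant such as `#define BCMGENET_WOL_POLL_RETRIES 50` near the other definitions, or at least `/* ~50 ms: some systems need well over 5 ms to enter WoL mode */` on that line, would keep them visibly tied. The loop in bcmgenet_poll_wol_status() begins before the hunk.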
@@ -0,0 +1,87 @@ +From 7d9d509736cf5c3d8141c8fde88a595309789472 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 17:50:34 -0700 +Subject: net: bonding: fix NULL deref in bond_debug_rlb_hash_show + +From: Xiang Mei + +[ Upstream commit 605b52497bf89b3b154674deb135da98f916e390 ] + +rlb_clear_slave intentionally keeps RLB hash-table entries on +the rx_hashtbl_used_head list with slave set to NULL when no +replacement slave is available. However, bond_debug_rlb_hash_show +visites client_info->slave without checking if it's NULL. + +Other used-list iterators in bond_alb.c already handle this NULL-slave +state safely: + +- rlb_update_client returns early on !client_info->slave +- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance +compare slave values before visiting +- lb_req_update_subnet_clients continues if slave is NULL + +The following NULL deref crash can be trigger in +bond_debug_rlb_hash_show: + +[ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41) +[ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286 +[ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204 +[ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078 +[ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000 +[ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0 +[ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8 +[ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000 +[ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0 +[ 1.295897] Call Trace: +[ 1.296134] seq_read_iter (fs/seq_file.c:231) +[ 1.296341] seq_read (fs/seq_file.c:164) +[ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1)) +[ 1.296658] vfs_read 
(fs/read_write.c:572) +[ 1.296981] ksys_read (fs/read_write.c:717) +[ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) +[ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Add a NULL check and print "(none)" for entries with no assigned slave. + +Fixes: caafa84251b88 ("bonding: add the debugfs interface to see RLB hash table") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260317005034.1888794-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_debugfs.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/bonding/bond_debugfs.c b/drivers/net/bonding/bond_debugfs.c +index 8adbec7c5084a..8967b65f6d840 100644 +--- a/drivers/net/bonding/bond_debugfs.c ++++ b/drivers/net/bonding/bond_debugfs.c +@@ -34,11 +34,17 @@ static int bond_debug_rlb_hash_show(struct seq_file *m, void *v) + for (; hash_index != RLB_NULL_INDEX; + hash_index = client_info->used_next) { + client_info = &(bond_info->rx_hashtbl[hash_index]); +- seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", +- &client_info->ip_src, +- &client_info->ip_dst, +- &client_info->mac_dst, +- client_info->slave->dev->name); ++ if (client_info->slave) ++ seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", ++ &client_info->ip_src, ++ &client_info->ip_dst, ++ &client_info->mac_dst, ++ client_info->slave->dev->name); ++ else ++ seq_printf(m, "%-15pI4 %-15pI4 %-17pM (none)\n", ++ &client_info->ip_src, ++ &client_info->ip_dst, ++ &client_info->mac_dst); + } + + spin_unlock_bh(&bond->mode_lock); +-- +2.51.0 + diff --git a/queue-6.19/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch b/queue-6.19/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch new file mode 100644 index 0000000000..504a9ac6fe --- /dev/null +++ b/queue-6.19/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch 
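Review bot: The `if (client_info->slave)` branch duplicates the whole seq_printf() call, including the three address arguments, only to vary the last column; a single call with a conditional final argument prints the same bytes in fewer lines: `client_info->slave ? client_info->slave->dev->name : "(none)");` in place of `client_info->slave->dev->name);` in the original seq_printf(). Both arms emit `%-15pI4 %-15pI4 %-17pM` identically, so output is unchanged. The `(none)` case also has no comment explaining why a NULL slave is legitimate here; `/* rlb_clear_slave() may leave an entry on the used list with no slave */` at the branch would record that. The `for` loop and bond_debug_rlb_hash_show() itself begin before the hunk.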
@@ -0,0 +1,59 @@ +From b48a4d4e2bc5d04f92837c71d56f249853ee1d3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 08:42:12 +0000 +Subject: net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths + +From: Anas Iqbal + +[ Upstream commit b48731849609cbd8c53785a48976850b443153fd ] + +Smatch reports: +drivers/net/dsa/bcm_sf2.c:997 bcm_sf2_sw_resume() warn: +'priv->clk' from clk_prepare_enable() not released on lines: 983,990. + +The clock enabled by clk_prepare_enable() in bcm_sf2_sw_resume() +is not released if bcm_sf2_sw_rst() or bcm_sf2_cfp_resume() fails. + +Add the missing clk_disable_unprepare() calls in the error paths +to properly release the clock resource. + +Fixes: e9ec5c3bd238 ("net: dsa: bcm_sf2: request and handle clocks") +Reviewed-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Signed-off-by: Anas Iqbal +Link: https://patch.msgid.link/20260318084212.1287-1-mohd.abd.6602@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/bcm_sf2.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c +index 960685596093b..de3efa3ce9a75 100644 +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -980,15 +980,19 @@ static int bcm_sf2_sw_resume(struct dsa_switch *ds) + ret = bcm_sf2_sw_rst(priv); + if (ret) { + pr_err("%s: failed to software reset switch\n", __func__); ++ if (!priv->wol_ports_mask) ++ clk_disable_unprepare(priv->clk); + return ret; + } + + bcm_sf2_crossbar_setup(priv); + + ret = bcm_sf2_cfp_resume(ds); +- if (ret) ++ if (ret) { ++ if (!priv->wol_ports_mask) ++ clk_disable_unprepare(priv->clk); + return ret; +- ++ } + if (priv->hw_params.num_gphy == 1) + bcm_sf2_gphy_enable_set(ds, true); + +-- +2.51.0 + diff --git a/queue-6.19/net-macb-fix-uninitialized-rx_fs_lock.patch b/queue-6.19/net-macb-fix-uninitialized-rx_fs_lock.patch new file mode 100644 index 0000000000..c9f5347f7b --- /dev/null 
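Review bot: The two new error paths in bcm_sf2_sw_resume() repeat the same unwind, `if (!priv->wol_ports_mask) clk_disable_unprepare(priv->clk);`, which is the usual cue for one goto-based cleanup label rather than copy-paste — a third failure added between them later is likely to miss the clock again. Folding both into a label also gives a natural place to note that resume only owns the clock when `wol_ports_mask` is zero; the matching `clk_prepare_enable()` and the function's tail are outside the hunk, so the placement below assumes the success path returns before the label, which needs checking against the full function.
```c
	ret = bcm_sf2_sw_rst(priv);
	if (ret) {
		pr_err("%s: failed to software reset switch\n", __func__);
		goto out_clk;
	}

	bcm_sf2_crossbar_setup(priv);

	ret = bcm_sf2_cfp_resume(ds);
	if (ret)
		goto out_clk;

	/* … unchanged: gphy enable and the rest of the resume sequence … */

out_clk:
	/* Resume only enabled the clock when no port is armed for WoL. */
	if (!priv->wol_ports_mask)
		clk_disable_unprepare(priv->clk);
	return ret;
```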
+++ b/queue-6.19/net-macb-fix-uninitialized-rx_fs_lock.patch 
@@ -0,0 +1,78 @@ +From c5152e540b4f86e5edba48d41138a96c8d6bac6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 13:38:25 +0300 +Subject: net: macb: fix uninitialized rx_fs_lock + +From: Fedor Pchelkin + +[ Upstream commit 34b11cc56e4369bc08b1f4c4a04222d75ed596ce ] + +If hardware doesn't support RX Flow Filters, rx_fs_lock spinlock is not +initialized leading to the following assertion splat triggerable via +set_rxnfc callback. + +INFO: trying to register non-static key. +The code is fine but needs lockdep annotation, or maybe +you didn't initialize this object before use? +turning off the locking correctness validator. +CPU: 1 PID: 949 Comm: syz.0.6 Not tainted 6.1.164+ #113 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106 + assign_lock_key kernel/locking/lockdep.c:974 [inline] + register_lock_class+0x141b/0x17f0 kernel/locking/lockdep.c:1287 + __lock_acquire+0x74f/0x6c40 kernel/locking/lockdep.c:4928 + lock_acquire kernel/locking/lockdep.c:5662 [inline] + lock_acquire+0x190/0x4b0 kernel/locking/lockdep.c:5627 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:162 + gem_del_flow_filter drivers/net/ethernet/cadence/macb_main.c:3562 [inline] + gem_set_rxnfc+0x533/0xac0 drivers/net/ethernet/cadence/macb_main.c:3667 + ethtool_set_rxnfc+0x18c/0x280 net/ethtool/ioctl.c:961 + __dev_ethtool net/ethtool/ioctl.c:2956 [inline] + dev_ethtool+0x229c/0x6290 net/ethtool/ioctl.c:3095 + dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510 + sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215 + sock_ioctl+0x577/0x6d0 net/socket.c:1320 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856 + do_syscall_x64 
arch/x86/entry/common.c:46 [inline] + do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +A more straightforward solution would be to always initialize rx_fs_lock, +just like rx_fs_list. However, in this case the driver set_rxnfc callback +would return with a rather confusing error code, e.g. -EINVAL. So deny +set_rxnfc attempts directly if the RX filtering feature is not supported +by hardware. + +Fixes: ae8223de3df5 ("net: macb: Added support for RX filtering") +Signed-off-by: Fedor Pchelkin +Link: https://patch.msgid.link/20260316103826.74506-2-pchelkin@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index a0802177a7a24..1a46e27bfbb4a 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -3979,6 +3979,9 @@ static int gem_set_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd) + struct macb *bp = netdev_priv(netdev); + int ret; + ++ if (!(netdev->hw_features & NETIF_F_NTUPLE)) ++ return -EOPNOTSUPP; ++ + switch (cmd->cmd) { + case ETHTOOL_SRXCLSRLINS: + if ((cmd->fs.location >= bp->max_tuples) +-- +2.51.0 + diff --git a/queue-6.19/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch b/queue-6.19/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch new file mode 100644 index 0000000000..fefc541bfe --- /dev/null +++ b/queue-6.19/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch 
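Review bot: The new `NETIF_F_NTUPLE` guard closes the set_rxnfc() entry to the uninitialised `rx_fs_lock`, but only that entry: if gem_get_rxnfc() (outside the hunk) also takes `rx_fs_lock` for the GRXCLSRULE/GRXCLSRLALL commands, the same lockdep splat is reachable through the get path and it needs the identical check. Initialising the spinlock unconditionally at probe, which the commit text considers and rejects only on error-code grounds, would still be a cheap defence-in-depth addition so the lock is valid no matter which callback reaches it first. The guard itself would read better with a why-comment, e.g. `/* rx_fs_lock and rx_fs_list are only set up when HW supports RX flow filters */`. gem_set_rxnfc() continues past the end of the hunk.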
@@ -0,0 +1,67 @@ +From 70e56ed1644aaf4e7da71a2e477f21191a91ce15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 12:22:04 -0700 +Subject: net: mana: fix use-after-free in mana_hwc_destroy_channel() by + reordering teardown + +From: Dipayaan Roy + +[ Upstream commit fa103fc8f56954a60699a29215cb713448a39e87 ] + +A potential race condition exists in mana_hwc_destroy_channel() where +hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and +Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt +handler to dereference freed memory, leading to a use-after-free or +NULL pointer dereference in mana_hwc_handle_resp(). + +mana_smc_teardown_hwc() signals the hardware to stop but does not +synchronize against IRQ handlers already executing on other CPUs. The +IRQ synchronization only happens in mana_hwc_destroy_cq() via +mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs +after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler() +can dereference freed caller_ctx (and rxq->msg_buf) in +mana_hwc_handle_resp(). + +Fix this by reordering teardown to reverse-of-creation order: destroy +the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This +ensures all in-flight interrupt handlers complete before the memory they +access is freed. 
+ +Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") +Reviewed-by: Haiyang Zhang +Signed-off-by: Dipayaan Roy +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/abHA3AjNtqa1nx9k@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c +index aa4e2731e2ba7..840c6b8957c90 100644 +--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c ++++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c +@@ -814,9 +814,6 @@ void mana_hwc_destroy_channel(struct gdma_context *gc) + gc->max_num_cqs = 0; + } + +- kfree(hwc->caller_ctx); +- hwc->caller_ctx = NULL; +- + if (hwc->txq) + mana_hwc_destroy_wq(hwc, hwc->txq); + +@@ -826,6 +823,9 @@ void mana_hwc_destroy_channel(struct gdma_context *gc) + if (hwc->cq) + mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq); + ++ kfree(hwc->caller_ctx); ++ hwc->caller_ctx = NULL; ++ + mana_gd_free_res_map(&hwc->inflight_msg_res); + + hwc->num_inflight_msg = 0; +-- +2.51.0 + diff --git a/queue-6.19/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch b/queue-6.19/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch new file mode 100644 index 0000000000..9e2a7518cd --- /dev/null +++ b/queue-6.19/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch 
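Review bot: The moved `kfree(hwc->caller_ctx)` now sits after the CQ teardown for a reason that lives only in the commit message — mana_hwc_destroy_cq() is what deregisters the IRQ, so it is the only point after which no mana_hwc_handle_resp() can still be running — and nothing in the code records that ordering, so a later tidy-up that groups the frees together would silently reintroduce the use-after-free. A comment directly above the kfree would pin it: `/* Must stay after mana_hwc_destroy_cq(): the IRQ path dereferences caller_ctx until the EQ is torn down. */`. The start of mana_hwc_destroy_channel() and the lines between the two hunks are not visible, so whether the wq/cq pointers are also cleared after their destroy calls cannot be checked from here.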
@@ -0,0 +1,112 @@ +From ffcacb1755e8eb4288673bb41fbce78baa771165 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 11:46:01 +0200 +Subject: net/mlx5: qos: Restrict RTNL area to avoid a lock cycle + +From: Cosmin Ratiu + +[ Upstream commit b7e3a5d9c0d66b7fb44f63aef3bd734821afa0c8 ] + +A lock dependency cycle exists where: +1. mlx5_ib_roce_init -> mlx5_core_uplink_netdev_event_replay -> +mlx5_blocking_notifier_call_chain (takes notifier_rwsem) -> +mlx5e_mdev_notifier_event -> mlx5_netdev_notifier_register -> +register_netdevice_notifier_dev_net (takes rtnl) +=> notifier_rwsem -> rtnl + +2. mlx5e_probe -> _mlx5e_probe -> +mlx5_core_uplink_netdev_set (takes uplink_netdev_lock) -> +mlx5_blocking_notifier_call_chain (takes notifier_rwsem) +=> uplink_netdev_lock -> notifier_rwsem + +3: devlink_nl_rate_set_doit -> devlink_nl_rate_set -> +mlx5_esw_devlink_rate_leaf_tx_max_set -> esw_qos_devlink_rate_to_mbps -> +mlx5_esw_qos_max_link_speed_get (takes rtnl) -> +mlx5_esw_qos_lag_link_speed_get_locked -> +mlx5_uplink_netdev_get (takes uplink_netdev_lock) +=> rtnl -> uplink_netdev_lock +=> BOOM! (lock cycle) + +Fix that by restricting the rtnl-protected section to just the necessary +part, the call to netdev_master_upper_dev_get and speed querying, so +that the last lock dependency is avoided and the cycle doesn't close. +This is safe because mlx5_uplink_netdev_get uses netdev_hold to keep the +uplink netdev alive while its master device is queried. + +Use this opportunity to rename the ambiguously-named "hold_rtnl_lock" +argument to "take_rtnl" and remove the "_locked" suffix from +mlx5_esw_qos_lag_link_speed_get_locked. 
+ +Fixes: 6b4be64fd9fe ("net/mlx5e: Harden uplink netdev access against device unbind") +Signed-off-by: Cosmin Ratiu +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260316094603.6999-2-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/esw/qos.c | 23 ++++++++----------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c +index 4278bcb04c72e..2e11574b3a81f 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c +@@ -1490,24 +1490,24 @@ static int esw_qos_node_enable_tc_arbitration(struct mlx5_esw_sched_node *node, + return err; + } + +-static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev) ++static u32 mlx5_esw_qos_lag_link_speed_get(struct mlx5_core_dev *mdev, ++ bool take_rtnl) + { + struct ethtool_link_ksettings lksettings; + struct net_device *slave, *master; + u32 speed = SPEED_UNKNOWN; + +- /* Lock ensures a stable reference to master and slave netdevice +- * while port speed of master is queried. 
+- */ +- ASSERT_RTNL(); +- + slave = mlx5_uplink_netdev_get(mdev); + if (!slave) + goto out; + ++ if (take_rtnl) ++ rtnl_lock(); + master = netdev_master_upper_dev_get(slave); + if (master && !__ethtool_get_link_ksettings(master, &lksettings)) + speed = lksettings.base.speed; ++ if (take_rtnl) ++ rtnl_unlock(); + + out: + mlx5_uplink_netdev_put(mdev, slave); +@@ -1515,20 +1515,15 @@ static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev) + } + + static int mlx5_esw_qos_max_link_speed_get(struct mlx5_core_dev *mdev, u32 *link_speed_max, +- bool hold_rtnl_lock, struct netlink_ext_ack *extack) ++ bool take_rtnl, ++ struct netlink_ext_ack *extack) + { + int err; + + if (!mlx5_lag_is_active(mdev)) + goto skip_lag; + +- if (hold_rtnl_lock) +- rtnl_lock(); +- +- *link_speed_max = mlx5_esw_qos_lag_link_speed_get_locked(mdev); +- +- if (hold_rtnl_lock) +- rtnl_unlock(); ++ *link_speed_max = mlx5_esw_qos_lag_link_speed_get(mdev, take_rtnl); + + if (*link_speed_max != (u32)SPEED_UNKNOWN) + return 0; +-- +2.51.0 + diff --git a/queue-6.19/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch b/queue-6.19/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch new file mode 100644 index 0000000000..c4e6117115 --- /dev/null +++ b/queue-6.19/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch 
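Review bot: Dropping `ASSERT_RTNL()` from mlx5_esw_qos_lag_link_speed_get() removes the only lockdep check for callers that pass `take_rtnl = false`, so a caller that forgets to hold rtnl around netdev_master_upper_dev_get() and __ethtool_get_link_ksettings() is no longer caught; keep the assertion on the other arm: `if (take_rtnl) rtnl_lock(); else ASSERT_RTNL();`. The removed comment also said what rtnl protects here, and since the fix deliberately narrows that scope a replacement one-liner above the lock, `/* rtnl only guards the master lookup and speed query; the uplink itself is pinned by mlx5_uplink_netdev_get() */`, would keep the rationale readable. The `out:` label still calls `mlx5_uplink_netdev_put(mdev, slave)` with a NULL slave when the get fails; that is pre-existing and presumably tolerated by the helper, but worth confirming while this function is being touched.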
@@ -0,0 +1,128 @@ +From 711f10b59669106d0e3d2ca01791b0c2fc0b80d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 11:46:03 +0200 +Subject: net/mlx5e: Fix race condition during IPSec ESN update + +From: Jianbo Liu + +[ Upstream commit beb6e2e5976a128b0cccf10d158124422210c5ef ] + +In IPSec full offload mode, the device reports an ESN (Extended +Sequence Number) wrap event to the driver. The driver validates this +event by querying the IPSec ASO and checking that the esn_event_arm +field is 0x0, which indicates an event has occurred. After handling +the event, the driver must re-arm the context by setting esn_event_arm +back to 0x1. + +A race condition exists in this handling path. After validating the +event, the driver calls mlx5_accel_esp_modify_xfrm() to update the +kernel's xfrm state. This function temporarily releases and +re-acquires the xfrm state lock. + +So, need to acknowledge the event first by setting esn_event_arm to +0x1. This prevents the driver from reprocessing the same ESN update if +the hardware sends events for other reason. Since the next ESN update +only occurs after nearly 2^31 packets are received, there's no risk of +missing an update, as it will happen long after this handling has +finished. + +Processing the event twice causes the ESN high-order bits (esn_msb) to +be incremented incorrectly. The driver then programs the hardware with +this invalid ESN state, which leads to anti-replay failures and a +complete halt of IPSec traffic. + +Fix this by re-arming the ESN event immediately after it is validated, +before calling mlx5_accel_esp_modify_xfrm(). This ensures that any +spurious, duplicate events are correctly ignored, closing the race +window. 
+ +Fixes: fef06678931f ("net/mlx5e: Fix ESN update kernel panic") +Signed-off-by: Jianbo Liu +Reviewed-by: Leon Romanovsky +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260316094603.6999-4-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../mlx5/core/en_accel/ipsec_offload.c | 33 ++++++++----------- + 1 file changed, 14 insertions(+), 19 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c +index 2739ff490239d..e0611fa827971 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c +@@ -310,10 +310,11 @@ static void mlx5e_ipsec_aso_update(struct mlx5e_ipsec_sa_entry *sa_entry, + mlx5e_ipsec_aso_query(sa_entry, data); + } + +-static void mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry, +- u32 mode_param) ++static void ++mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry, ++ u32 mode_param, ++ struct mlx5_accel_esp_xfrm_attrs *attrs) + { +- struct mlx5_accel_esp_xfrm_attrs attrs = {}; + struct mlx5_wqe_aso_ctrl_seg data = {}; + + if (mode_param < MLX5E_IPSEC_ESN_SCOPE_MID) { +@@ -323,18 +324,7 @@ static void mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry, + sa_entry->esn_state.overlap = 1; + } + +- mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, &attrs); +- +- /* It is safe to execute the modify below unlocked since the only flows +- * that could affect this HW object, are create, destroy and this work. +- * +- * Creation flow can't co-exist with this modify work, the destruction +- * flow would cancel this work, and this work is a single entity that +- * can't conflict with it self. 
+- */ +- spin_unlock_bh(&sa_entry->x->lock); +- mlx5_accel_esp_modify_xfrm(sa_entry, &attrs); +- spin_lock_bh(&sa_entry->x->lock); ++ mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, attrs); + + data.data_offset_condition_operand = + MLX5_IPSEC_ASO_REMOVE_FLOW_PKT_CNT_OFFSET; +@@ -451,7 +441,9 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work) + struct mlx5e_ipsec_work *work = + container_of(_work, struct mlx5e_ipsec_work, work); + struct mlx5e_ipsec_sa_entry *sa_entry = work->data; ++ struct mlx5_accel_esp_xfrm_attrs tmp = {}; + struct mlx5_accel_esp_xfrm_attrs *attrs; ++ bool need_modify = false; + int ret; + + attrs = &sa_entry->attrs; +@@ -461,19 +453,22 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work) + if (ret) + goto unlock; + ++ if (attrs->lft.soft_packet_limit != XFRM_INF) ++ mlx5e_ipsec_handle_limits(sa_entry); ++ + if (attrs->replay_esn.trigger && + !MLX5_GET(ipsec_aso, sa_entry->ctx, esn_event_arm)) { + u32 mode_param = MLX5_GET(ipsec_aso, sa_entry->ctx, + mode_parameter); + +- mlx5e_ipsec_update_esn_state(sa_entry, mode_param); ++ mlx5e_ipsec_update_esn_state(sa_entry, mode_param, &tmp); ++ need_modify = true; + } + +- if (attrs->lft.soft_packet_limit != XFRM_INF) +- mlx5e_ipsec_handle_limits(sa_entry); +- + unlock: + spin_unlock_bh(&sa_entry->x->lock); ++ if (need_modify) ++ mlx5_accel_esp_modify_xfrm(sa_entry, &tmp); + kfree(work); + } + +-- +2.51.0 + diff --git a/queue-6.19/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch b/queue-6.19/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch new file mode 100644 index 0000000000..484aab62ca --- /dev/null +++ b/queue-6.19/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch 
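Review bot: The `mlx5_accel_esp_modify_xfrm(sa_entry, &tmp)` call now placed after `unlock:` has lost the comment that justified running the modify without `sa_entry->x->lock` (only the create, destroy and this work flows touch the HW object, and destroy cancels the work); that rationale still applies and should move with the call, e.g. `/* Safe unlocked: per the ASO re-arm done above under the lock a duplicate event is ignored; only create/destroy race with this work and destroy cancels it. */`. The hunk also moves `mlx5e_ipsec_handle_limits()` ahead of the ESN check without the description saying why; if the ordering matters, a one-line comment at the new position would keep it from being undone later. The body of `mlx5e_ipsec_handle_event()` starts outside the hunk.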
@@ -0,0 +1,115 @@ +From 1aa76291ebe229adb7d8b4733a46cc806d1626e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 11:46:02 +0200 +Subject: net/mlx5e: Prevent concurrent access to IPSec ASO context + +From: Jianbo Liu + +[ Upstream commit 99b36850d881e2d65912b2520a1c80d0fcc9429a ] + +The query or updating IPSec offload object is through Access ASO WQE. +The driver uses a single mlx5e_ipsec_aso struct for each PF, which +contains a shared DMA-mapped context for all ASO operations. + +A race condition exists because the ASO spinlock is released before +the hardware has finished processing WQE. If a second operation is +initiated immediately after, it overwrites the shared context in the +DMA area. + +When the first operation's completion is processed later, it reads +this corrupted context, leading to unexpected behavior and incorrect +results. + +This commit fixes the race by introducing a private context within +each IPSec offload object. The shared ASO context is now copied to +this private context while the ASO spinlock is held. Subsequent +processing uses this saved, per-object context, ensuring its integrity +is maintained. 
+ +Fixes: 1ed78fc03307 ("net/mlx5e: Update IPsec soft and hard limits") +Signed-off-by: Jianbo Liu +Reviewed-by: Leon Romanovsky +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260316094603.6999-3-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/en_accel/ipsec.h | 1 + + .../mellanox/mlx5/core/en_accel/ipsec_offload.c | 17 ++++++++--------- + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h +index f8eaaf37963b1..abcbd38db9dbb 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h +@@ -287,6 +287,7 @@ struct mlx5e_ipsec_sa_entry { + struct mlx5e_ipsec_dwork *dwork; + struct mlx5e_ipsec_limits limits; + u32 rx_mapped_id; ++ u8 ctx[MLX5_ST_SZ_BYTES(ipsec_aso)]; + }; + + struct mlx5_accel_pol_xfrm_attrs { +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c +index ef7322d381af6..2739ff490239d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c +@@ -370,20 +370,18 @@ static void mlx5e_ipsec_aso_update_soft(struct mlx5e_ipsec_sa_entry *sa_entry, + static void mlx5e_ipsec_handle_limits(struct mlx5e_ipsec_sa_entry *sa_entry) + { + struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs; +- struct mlx5e_ipsec *ipsec = sa_entry->ipsec; +- struct mlx5e_ipsec_aso *aso = ipsec->aso; + bool soft_arm, hard_arm; + u64 hard_cnt; + + lockdep_assert_held(&sa_entry->x->lock); + +- soft_arm = !MLX5_GET(ipsec_aso, aso->ctx, soft_lft_arm); +- hard_arm = !MLX5_GET(ipsec_aso, aso->ctx, hard_lft_arm); ++ soft_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, soft_lft_arm); ++ hard_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, 
hard_lft_arm); + if (!soft_arm && !hard_arm) + /* It is not lifetime event */ + return; + +- hard_cnt = MLX5_GET(ipsec_aso, aso->ctx, remove_flow_pkt_cnt); ++ hard_cnt = MLX5_GET(ipsec_aso, sa_entry->ctx, remove_flow_pkt_cnt); + if (!hard_cnt || hard_arm) { + /* It is possible to see packet counter equal to zero without + * hard limit event armed. Such situation can be if packet +@@ -454,10 +452,8 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work) + container_of(_work, struct mlx5e_ipsec_work, work); + struct mlx5e_ipsec_sa_entry *sa_entry = work->data; + struct mlx5_accel_esp_xfrm_attrs *attrs; +- struct mlx5e_ipsec_aso *aso; + int ret; + +- aso = sa_entry->ipsec->aso; + attrs = &sa_entry->attrs; + + spin_lock_bh(&sa_entry->x->lock); +@@ -466,8 +462,9 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work) + goto unlock; + + if (attrs->replay_esn.trigger && +- !MLX5_GET(ipsec_aso, aso->ctx, esn_event_arm)) { +- u32 mode_param = MLX5_GET(ipsec_aso, aso->ctx, mode_parameter); ++ !MLX5_GET(ipsec_aso, sa_entry->ctx, esn_event_arm)) { ++ u32 mode_param = MLX5_GET(ipsec_aso, sa_entry->ctx, ++ mode_parameter); + + mlx5e_ipsec_update_esn_state(sa_entry, mode_param); + } +@@ -629,6 +626,8 @@ int mlx5e_ipsec_aso_query(struct mlx5e_ipsec_sa_entry *sa_entry, + /* We are in atomic context */ + udelay(10); + } while (ret && time_is_after_jiffies(expires)); ++ if (!ret) ++ memcpy(sa_entry->ctx, aso->ctx, MLX5_ST_SZ_BYTES(ipsec_aso)); + spin_unlock_bh(&aso->lock); + return ret; + } +-- +2.51.0 + diff --git a/queue-6.19/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch b/queue-6.19/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch new file mode 100644 index 0000000000..799feffc34 --- /dev/null +++ b/queue-6.19/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch 
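Review bot: The new `u8 ctx[MLX5_ST_SZ_BYTES(ipsec_aso)]` field in `struct mlx5e_ipsec_sa_entry` has no comment stating which lock protects it: it is written in `mlx5e_ipsec_aso_query()` under `aso->lock`, while `mlx5e_ipsec_handle_limits()` and `mlx5e_ipsec_handle_event()` read it under `sa_entry->x->lock`. If any other caller of `mlx5e_ipsec_aso_query()` for the same entry can run without `x->lock` (the `mlx5e_ipsec_aso_update()` path is only visible as context here), the private copy could be overwritten while being read, which is the same class of race this commit fixes one level up. Suggest documenting the contract on the field: `/* Private snapshot of the ASO context taken by mlx5e_ipsec_aso_query(); only valid on success and read under x->lock */`. The `mlx5e_ipsec_aso_query()` body starts outside the hunk.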
@@ -0,0 +1,86 @@ +From 03d251be6b4dd77cd4775314d456a5c044ad625d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 12:31:01 -0700 +Subject: net: mvpp2: guard flow control update with global_tx_fc in buffer + switching + +From: Muhammad Hammad Ijaz + +[ Upstream commit 8a63baadf08453f66eb582fdb6dd234f72024723 ] + +mvpp2_bm_switch_buffers() unconditionally calls +mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and +shared buffer pool modes. This function programs CM3 flow control +registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference +priv->cm3_base without any NULL check. + +When the CM3 SRAM resource is not present in the device tree (the +third reg entry added by commit 60523583b07c ("dts: marvell: add CM3 +SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains +NULL and priv->global_tx_fc is false. Any operation that triggers +mvpp2_bm_switch_buffers(), for example an MTU change that crosses +the jumbo frame threshold, will crash: + + Unable to handle kernel NULL pointer dereference at + virtual address 0000000000000000 + Mem abort info: + ESR = 0x0000000096000006 + EC = 0x25: DABT (current EL), IL = 32 bits + pc : readl+0x0/0x18 + lr : mvpp2_cm3_read.isra.0+0x14/0x20 + Call trace: + readl+0x0/0x18 + mvpp2_bm_pool_update_fc+0x40/0x12c + mvpp2_bm_pool_update_priv_fc+0x94/0xd8 + mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0 + mvpp2_change_mtu+0x140/0x380 + __dev_set_mtu+0x1c/0x38 + dev_set_mtu_ext+0x78/0x118 + dev_set_mtu+0x48/0xa8 + dev_ifsioc+0x21c/0x43c + dev_ioctl+0x2d8/0x42c + sock_ioctl+0x314/0x378 + +Every other flow control call site in the driver already guards +hardware access with either priv->global_tx_fc or port->tx_fc. +mvpp2_bm_switch_buffers() is the only place that omits this check. + +Add the missing priv->global_tx_fc guard to both the disable and +re-enable calls in mvpp2_bm_switch_buffers(), consistent with the +rest of the driver. 
+ +Fixes: 3a616b92a9d1 ("net: mvpp2: Add TX flow control support for jumbo frames") +Signed-off-by: Muhammad Hammad Ijaz +Reviewed-by: Gunnar Kudrjavets +Link: https://patch.msgid.link/20260316193157.65748-1-mhijaz@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index 33426fded919a..789e14bb1377a 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -5018,7 +5018,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu) + if (priv->percpu_pools) + numbufs = port->nrxqs * 2; + +- if (change_percpu) ++ if (change_percpu && priv->global_tx_fc) + mvpp2_bm_pool_update_priv_fc(priv, false); + + for (i = 0; i < numbufs; i++) +@@ -5043,7 +5043,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu) + mvpp2_open(port->dev); + } + +- if (change_percpu) ++ if (change_percpu && priv->global_tx_fc) + mvpp2_bm_pool_update_priv_fc(priv, true); + + return 0; +-- +2.51.0 + diff --git a/queue-6.19/net-rose-fix-null-pointer-dereference-in-rose_transm.patch b/queue-6.19/net-rose-fix-null-pointer-dereference-in-rose_transm.patch new file mode 100644 index 0000000000..9bb7d2e090 --- /dev/null +++ b/queue-6.19/net-rose-fix-null-pointer-dereference-in-rose_transm.patch 
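Review bot: The guard `change_percpu && priv->global_tx_fc` is now repeated at two call sites, and the description says every other flow-control call site carries a similar check; the NULL `priv->cm3_base` path would be closed for all current and future callers if `mvpp2_bm_pool_update_priv_fc()` (or `mvpp2_cm3_read()`/`mvpp2_cm3_write()`) returned early when `priv->global_tx_fc` is false. That is a follow-up rather than a stable fix, but a comment at the first guard, `/* CM3 flow-control registers are only mapped when global_tx_fc is set */`, would at least record why both calls are gated. `mvpp2_bm_switch_buffers()` starts and ends outside the hunks.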
@@ -0,0 +1,64 @@ +From 8de52074ce0e1f85dc52bfdf2d9794b69d23c9eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 15:06:02 +0800 +Subject: net/rose: fix NULL pointer dereference in rose_transmit_link on + reconnect + +From: Jiayuan Chen + +[ Upstream commit e1f0a18c9564cdb16523c802e2c6fe5874e3d944 ] + +syzkaller reported a bug [1], and the reproducer is available at [2]. + +ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, +TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects +calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING +(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. + +When rose_connect() is called a second time while the first connection +attempt is still in progress (TCP_SYN_SENT), it overwrites +rose->neighbour via rose_get_neigh(). If that returns NULL, the socket +is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL. +When the socket is subsequently closed, rose_release() sees +ROSE_STATE_1 and calls rose_write_internal() -> +rose_transmit_link(skb, NULL), causing a NULL pointer dereference. + +Per connect(2), a second connect() while a connection is already in +progress should return -EALREADY. Add this missing check for +TCP_SYN_SENT to complete the state validation in rose_connect(). 
+ +[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271 +[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+d00f90e0af54102fb271@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0027.GAE@google.com/T/ +Suggested-by: Eric Dumazet +Signed-off-by: Jiayuan Chen +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260311070611.76913-1-jiayuan.chen@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index c0f5a515a8ce5..de18af4e40660 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -811,6 +811,11 @@ static int rose_connect(struct socket *sock, struct sockaddr_unsized *uaddr, int + goto out_release; + } + ++ if (sk->sk_state == TCP_SYN_SENT) { ++ err = -EALREADY; ++ goto out_release; ++ } ++ + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; + +-- +2.51.0 + diff --git a/queue-6.19/net-sched-teql-fix-double-free-in-teql_master_xmit.patch b/queue-6.19/net-sched-teql-fix-double-free-in-teql_master_xmit.patch new file mode 100644 index 0000000000..3e99b3517f --- /dev/null +++ b/queue-6.19/net-sched-teql-fix-double-free-in-teql_master_xmit.patch 
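Review bot: The new `TCP_SYN_SENT` check has no comment, although the hazard it prevents (a second connect() re-running `rose_get_neigh()` and leaving `rose->neighbour` NULL while `rose->state` is still ROSE_STATE_1) is not obvious from the code; suggest `/* A connect() is already in progress; re-running rose_get_neigh() could leave neighbour NULL. See connect(2). */` above the `if`. Together with the TCP_ESTABLISHED and TCP_CLOSE/SS_CONNECTING checks the description mentions, the state validation is now three separate ifs; a `switch (sk->sk_state)` with an explicit `default:` would show the accepted states in one place. `rose_connect()` starts and ends outside the hunk.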
@@ -0,0 +1,202 @@ +From 8a32dad3133f4ce6c21aa70e265ef5ea19bcd468 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 11:54:22 -0400 +Subject: net/sched: teql: Fix double-free in teql_master_xmit + +From: Jamal Hadi Salim + +[ Upstream commit 66360460cab63c248ca5b1070a01c0c29133b960 ] + +Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should +be called using the seq_lock to avoid racing with the datapath. Failure +to do so may cause crashes like the following: + +[ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139) +[ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318 +[ 238.029749][ T318] +[ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full) +[ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 +[ 238.029910][ T318] Call Trace: +[ 238.029913][ T318] +[ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122) +[ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) +[ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139) +[ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +... +[ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139) +[ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563) +[ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139) +[ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231) +[ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1)) +[ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139) +... +[ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256) +[ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827) +[ 238.030039][ T318] ? 
srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +... +[ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034) +[ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157) +[ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077) +[ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159) +[ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091) +[ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556) +... +[ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s: +[ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58) +[ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5)) +[ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369) +[ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921) +[ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107)) +[ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713) +[ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763) +[ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997) +[ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108) +[ 238.081469][ T318] +[ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s: +[ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58) +[ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5)) +[ 238.085348][ T318] 
kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1)) +[ 238.085900][ T318] __kasan_slab_free (mm/kasan/common.c:287) +[ 238.086439][ T318] kmem_cache_free (mm/slub.c:6168 (discriminator 3) mm/slub.c:6298 (discriminator 3)) +[ 238.087007][ T318] skb_release_data (net/core/skbuff.c:1139) +[ 238.087491][ T318] consume_skb (net/core/skbuff.c:1451) +[ 238.087757][ T318] teql_master_xmit (net/sched/sch_teql.c:358) +[ 238.088116][ T318] dev_hard_start_xmit (./include/linux/netdevice.h:5324 ./include/linux/netdevice.h:5333 net/core/dev.c:3871 net/core/dev.c:3887) +[ 238.088468][ T318] sch_direct_xmit (net/sched/sch_generic.c:347) +[ 238.088820][ T318] __qdisc_run (net/sched/sch_generic.c:420 (discriminator 1)) +[ 238.089166][ T318] __dev_queue_xmit (./include/net/sch_generic.h:229 ./include/net/pkt_sched.h:121 ./include/net/pkt_sched.h:117 net/core/dev.c:4196 net/core/dev.c:4802) + +Workflow to reproduce: +1. Initialize a TEQL topology (dummy0 and ifb0 as slaves, teql0 up). +2. Start multiple sender workers continuously transmitting packets + through teql0 to drive teql_master_xmit(). +3. In parallel, repeatedly delete and re-add the root qdisc on + dummy0 and ifb0 via RTNETLINK, forcing frequent teardown and reset activity + (teql_destroy() / qdisc_reset()). +4. After running both workloads concurrently for several iterations, + KASAN reports slab-use-after-free or double-free in the skb free path. + +Fix this by moving dev_reset_queue to sch_generic.h and calling it, instead +of qdisc_reset, in teql_destroy since it handles both the lock and lockless +cases correctly for root qdiscs. 
+ +Fixes: 96009c7d500e ("sched: replace __QDISC_STATE_RUNNING bit with a spin lock") +Reported-by: Xianrui Dong +Tested-by: Xianrui Dong +Co-developed-by: Victor Nogueira +Signed-off-by: Victor Nogueira +Signed-off-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260315155422.147256-1-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sch_generic.h | 28 ++++++++++++++++++++++++++++ + net/sched/sch_generic.c | 27 --------------------------- + net/sched/sch_teql.c | 7 ++----- + 3 files changed, 30 insertions(+), 32 deletions(-) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index d5d55cb21686d..cafb266a0b80d 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -716,6 +716,34 @@ void qdisc_destroy(struct Qdisc *qdisc); + void qdisc_put(struct Qdisc *qdisc); + void qdisc_put_unlocked(struct Qdisc *qdisc); + void qdisc_tree_reduce_backlog(struct Qdisc *qdisc, int n, int len); ++ ++static inline void dev_reset_queue(struct net_device *dev, ++ struct netdev_queue *dev_queue, ++ void *_unused) ++{ ++ struct Qdisc *qdisc; ++ bool nolock; ++ ++ qdisc = rtnl_dereference(dev_queue->qdisc_sleeping); ++ if (!qdisc) ++ return; ++ ++ nolock = qdisc->flags & TCQ_F_NOLOCK; ++ ++ if (nolock) ++ spin_lock_bh(&qdisc->seqlock); ++ spin_lock_bh(qdisc_lock(qdisc)); ++ ++ qdisc_reset(qdisc); ++ ++ spin_unlock_bh(qdisc_lock(qdisc)); ++ if (nolock) { ++ clear_bit(__QDISC_STATE_MISSED, &qdisc->state); ++ clear_bit(__QDISC_STATE_DRAINING, &qdisc->state); ++ spin_unlock_bh(&qdisc->seqlock); ++ } ++} ++ + #ifdef CONFIG_NET_SCHED + int qdisc_offload_dump_helper(struct Qdisc *q, enum tc_setup_type type, + void *type_data); +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c +index 852e603c17551..8b07d194c4c35 100644 +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -1290,33 +1290,6 @@ static void dev_deactivate_queue(struct net_device *dev, + } + } + +-static void 
dev_reset_queue(struct net_device *dev, +- struct netdev_queue *dev_queue, +- void *_unused) +-{ +- struct Qdisc *qdisc; +- bool nolock; +- +- qdisc = rtnl_dereference(dev_queue->qdisc_sleeping); +- if (!qdisc) +- return; +- +- nolock = qdisc->flags & TCQ_F_NOLOCK; +- +- if (nolock) +- spin_lock_bh(&qdisc->seqlock); +- spin_lock_bh(qdisc_lock(qdisc)); +- +- qdisc_reset(qdisc); +- +- spin_unlock_bh(qdisc_lock(qdisc)); +- if (nolock) { +- clear_bit(__QDISC_STATE_MISSED, &qdisc->state); +- clear_bit(__QDISC_STATE_DRAINING, &qdisc->state); +- spin_unlock_bh(&qdisc->seqlock); +- } +-} +- + static bool some_qdisc_is_busy(struct net_device *dev) + { + unsigned int i; +diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c +index 783300d8b0197..ec4039a201a2c 100644 +--- a/net/sched/sch_teql.c ++++ b/net/sched/sch_teql.c +@@ -146,15 +146,12 @@ teql_destroy(struct Qdisc *sch) + master->slaves = NEXT_SLAVE(q); + if (q == master->slaves) { + struct netdev_queue *txq; +- spinlock_t *root_lock; + + txq = netdev_get_tx_queue(master->dev, 0); + master->slaves = NULL; + +- root_lock = qdisc_root_sleeping_lock(rtnl_dereference(txq->qdisc)); +- spin_lock_bh(root_lock); +- qdisc_reset(rtnl_dereference(txq->qdisc)); +- spin_unlock_bh(root_lock); ++ dev_reset_queue(master->dev, ++ txq, NULL); + } + } + skb_queue_purge(&dat->q); +-- +2.51.0 + diff --git a/queue-6.19/net-shaper-protect-from-late-creation-of-hierarchy.patch b/queue-6.19/net-shaper-protect-from-late-creation-of-hierarchy.patch new file mode 100644 index 0000000000..7890be6dbd --- /dev/null +++ b/queue-6.19/net-shaper-protect-from-late-creation-of-hierarchy.patch 
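Review bot: `dev_reset_queue()` is moved into include/net/sch_generic.h as a `static inline` with no kernel-doc, yet it has a locking contract: it uses `rtnl_dereference()` so RTNL must be held, takes `qdisc->seqlock` for `TCQ_F_NOLOCK` qdiscs before the qdisc lock, and clears `__QDISC_STATE_MISSED`/`__QDISC_STATE_DRAINING` on the way out; a short comment above it, `/* Reset the sleeping qdisc of a tx queue; caller holds RTNL. Handles locked and lockless (TCQ_F_NOLOCK) root qdiscs. */`, would record that for the new caller in sch_teql.c. The function is not a hot path and appears to have only two users in this patch (sch_generic.c and sch_teql.c), so exporting it from sch_generic.c instead of inlining ~25 lines into every includer of sch_generic.h would be the more conventional shape, though matching upstream is reasonable for a stable backport. `teql_destroy()` starts and ends outside the hunk.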
@@ -0,0 +1,397 @@ +From 9dc4c787ab7ac8b6137d4eae1ab5e9871c5cafd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 09:10:14 -0700 +Subject: net: shaper: protect from late creation of hierarchy + +From: Jakub Kicinski + +[ Upstream commit d75ec7e8ba1979a1eb0b9211d94d749cdce849c8 ] + +We look up a netdev during prep of Netlink ops (pre- callbacks) +and take a ref to it. Then later in the body of the callback +we take its lock or RCU which are the actual protections. + +The netdev may get unregistered in between the time we take +the ref and the time we lock it. We may allocate the hierarchy +after flush has already run, which would lead to a leak. + +Take the instance lock in pre- already, this saves us from the race +and removes the need for dedicated lock/unlock callbacks completely. +After all, if there's any chance of write happening concurrently +with the flush - we're back to leaking the hierarchy. + +We may take the lock for devices which don't support shapers but +we're only dealing with SET operations here, not taking the lock +would be optimizing for an error case. 
+ +Fixes: 93954b40f6a4 ("net-shapers: implement NL set and delete operations") +Link: https://lore.kernel.org/20260309173450.538026-1-p@1g4.org +Signed-off-by: Jakub Kicinski +Link: https://patch.msgid.link/20260317161014.779569-2-kuba@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + Documentation/netlink/specs/net_shaper.yaml | 12 +- + net/shaper/shaper.c | 134 +++++++++++--------- + net/shaper/shaper_nl_gen.c | 12 +- + net/shaper/shaper_nl_gen.h | 5 + + 4 files changed, 89 insertions(+), 74 deletions(-) + +diff --git a/Documentation/netlink/specs/net_shaper.yaml b/Documentation/netlink/specs/net_shaper.yaml +index 0b1b54be48f92..3f2ad772b64b1 100644 +--- a/Documentation/netlink/specs/net_shaper.yaml ++++ b/Documentation/netlink/specs/net_shaper.yaml +@@ -247,8 +247,8 @@ operations: + flags: [admin-perm] + + do: +- pre: net-shaper-nl-pre-doit +- post: net-shaper-nl-post-doit ++ pre: net-shaper-nl-pre-doit-write ++ post: net-shaper-nl-post-doit-write + request: + attributes: + - ifindex +@@ -278,8 +278,8 @@ operations: + flags: [admin-perm] + + do: +- pre: net-shaper-nl-pre-doit +- post: net-shaper-nl-post-doit ++ pre: net-shaper-nl-pre-doit-write ++ post: net-shaper-nl-post-doit-write + request: + attributes: *ns-binding + +@@ -309,8 +309,8 @@ operations: + flags: [admin-perm] + + do: +- pre: net-shaper-nl-pre-doit +- post: net-shaper-nl-post-doit ++ pre: net-shaper-nl-pre-doit-write ++ post: net-shaper-nl-post-doit-write + request: + attributes: + - ifindex +diff --git a/net/shaper/shaper.c b/net/shaper/shaper.c +index 081dac917dc2d..be9999ab62e39 100644 +--- a/net/shaper/shaper.c ++++ b/net/shaper/shaper.c +@@ -36,24 +36,6 @@ static struct net_shaper_binding *net_shaper_binding_from_ctx(void *ctx) + return &((struct net_shaper_nl_ctx *)ctx)->binding; + } + +-static void net_shaper_lock(struct net_shaper_binding *binding) +-{ +- switch (binding->type) { +- case NET_SHAPER_BINDING_TYPE_NETDEV: +- netdev_lock(binding->netdev); +- break; +- 
} +-} +- +-static void net_shaper_unlock(struct net_shaper_binding *binding) +-{ +- switch (binding->type) { +- case NET_SHAPER_BINDING_TYPE_NETDEV: +- netdev_unlock(binding->netdev); +- break; +- } +-} +- + static struct net_shaper_hierarchy * + net_shaper_hierarchy(struct net_shaper_binding *binding) + { +@@ -219,12 +201,49 @@ static int net_shaper_ctx_setup(const struct genl_info *info, int type, + return 0; + } + ++/* Like net_shaper_ctx_setup(), but for "write" handlers (never for dumps!) ++ * Acquires the lock protecting the hierarchy (instance lock for netdev). ++ */ ++static int net_shaper_ctx_setup_lock(const struct genl_info *info, int type, ++ struct net_shaper_nl_ctx *ctx) ++{ ++ struct net *ns = genl_info_net(info); ++ struct net_device *dev; ++ int ifindex; ++ ++ if (GENL_REQ_ATTR_CHECK(info, type)) ++ return -EINVAL; ++ ++ ifindex = nla_get_u32(info->attrs[type]); ++ dev = netdev_get_by_index_lock(ns, ifindex); ++ if (!dev) { ++ NL_SET_BAD_ATTR(info->extack, info->attrs[type]); ++ return -ENOENT; ++ } ++ ++ if (!dev->netdev_ops->net_shaper_ops) { ++ NL_SET_BAD_ATTR(info->extack, info->attrs[type]); ++ netdev_unlock(dev); ++ return -EOPNOTSUPP; ++ } ++ ++ ctx->binding.type = NET_SHAPER_BINDING_TYPE_NETDEV; ++ ctx->binding.netdev = dev; ++ return 0; ++} ++ + static void net_shaper_ctx_cleanup(struct net_shaper_nl_ctx *ctx) + { + if (ctx->binding.type == NET_SHAPER_BINDING_TYPE_NETDEV) + netdev_put(ctx->binding.netdev, &ctx->dev_tracker); + } + ++static void net_shaper_ctx_cleanup_unlock(struct net_shaper_nl_ctx *ctx) ++{ ++ if (ctx->binding.type == NET_SHAPER_BINDING_TYPE_NETDEV) ++ netdev_unlock(ctx->binding.netdev); ++} ++ + static u32 net_shaper_handle_to_index(const struct net_shaper_handle *handle) + { + return FIELD_PREP(NET_SHAPER_SCOPE_MASK, handle->scope) | +@@ -278,7 +297,7 @@ net_shaper_lookup(struct net_shaper_binding *binding, + } + + /* Allocate on demand the per device shaper's hierarchy container. 
+- * Called under the net shaper lock ++ * Called under the lock protecting the hierarchy (instance lock for netdev) + */ + static struct net_shaper_hierarchy * + net_shaper_hierarchy_setup(struct net_shaper_binding *binding) +@@ -697,6 +716,22 @@ void net_shaper_nl_post_doit(const struct genl_split_ops *ops, + net_shaper_generic_post(info); + } + ++int net_shaper_nl_pre_doit_write(const struct genl_split_ops *ops, ++ struct sk_buff *skb, struct genl_info *info) ++{ ++ struct net_shaper_nl_ctx *ctx = (struct net_shaper_nl_ctx *)info->ctx; ++ ++ BUILD_BUG_ON(sizeof(*ctx) > sizeof(info->ctx)); ++ ++ return net_shaper_ctx_setup_lock(info, NET_SHAPER_A_IFINDEX, ctx); ++} ++ ++void net_shaper_nl_post_doit_write(const struct genl_split_ops *ops, ++ struct sk_buff *skb, struct genl_info *info) ++{ ++ net_shaper_ctx_cleanup_unlock((struct net_shaper_nl_ctx *)info->ctx); ++} ++ + int net_shaper_nl_pre_dumpit(struct netlink_callback *cb) + { + struct net_shaper_nl_ctx *ctx = (struct net_shaper_nl_ctx *)cb->ctx; +@@ -824,45 +859,38 @@ int net_shaper_nl_set_doit(struct sk_buff *skb, struct genl_info *info) + + binding = net_shaper_binding_from_ctx(info->ctx); + +- net_shaper_lock(binding); + ret = net_shaper_parse_info(binding, info->attrs, info, &shaper, + &exists); + if (ret) +- goto unlock; ++ return ret; + + if (!exists) + net_shaper_default_parent(&shaper.handle, &shaper.parent); + + hierarchy = net_shaper_hierarchy_setup(binding); +- if (!hierarchy) { +- ret = -ENOMEM; +- goto unlock; +- } ++ if (!hierarchy) ++ return -ENOMEM; + + /* The 'set' operation can't create node-scope shapers. 
*/ + handle = shaper.handle; + if (handle.scope == NET_SHAPER_SCOPE_NODE && +- !net_shaper_lookup(binding, &handle)) { +- ret = -ENOENT; +- goto unlock; +- } ++ !net_shaper_lookup(binding, &handle)) ++ return -ENOENT; + + ret = net_shaper_pre_insert(binding, &handle, info->extack); + if (ret) +- goto unlock; ++ return ret; + + ops = net_shaper_ops(binding); + ret = ops->set(binding, &shaper, info->extack); + if (ret) { + net_shaper_rollback(binding); +- goto unlock; ++ return ret; + } + + net_shaper_commit(binding, 1, &shaper); + +-unlock: +- net_shaper_unlock(binding); +- return ret; ++ return 0; + } + + static int __net_shaper_delete(struct net_shaper_binding *binding, +@@ -1091,35 +1119,26 @@ int net_shaper_nl_delete_doit(struct sk_buff *skb, struct genl_info *info) + + binding = net_shaper_binding_from_ctx(info->ctx); + +- net_shaper_lock(binding); + ret = net_shaper_parse_handle(info->attrs[NET_SHAPER_A_HANDLE], info, + &handle); + if (ret) +- goto unlock; ++ return ret; + + hierarchy = net_shaper_hierarchy(binding); +- if (!hierarchy) { +- ret = -ENOENT; +- goto unlock; +- } ++ if (!hierarchy) ++ return -ENOENT; + + shaper = net_shaper_lookup(binding, &handle); +- if (!shaper) { +- ret = -ENOENT; +- goto unlock; +- } ++ if (!shaper) ++ return -ENOENT; + + if (handle.scope == NET_SHAPER_SCOPE_NODE) { + ret = net_shaper_pre_del_node(binding, shaper, info->extack); + if (ret) +- goto unlock; ++ return ret; + } + +- ret = __net_shaper_delete(binding, shaper, info->extack); +- +-unlock: +- net_shaper_unlock(binding); +- return ret; ++ return __net_shaper_delete(binding, shaper, info->extack); + } + + static int net_shaper_group_send_reply(struct net_shaper_binding *binding, +@@ -1168,21 +1187,17 @@ int net_shaper_nl_group_doit(struct sk_buff *skb, struct genl_info *info) + if (!net_shaper_ops(binding)->group) + return -EOPNOTSUPP; + +- net_shaper_lock(binding); + leaves_count = net_shaper_list_len(info, NET_SHAPER_A_LEAVES); + if (!leaves_count) { + 
NL_SET_BAD_ATTR(info->extack, + info->attrs[NET_SHAPER_A_LEAVES]); +- ret = -EINVAL; +- goto unlock; ++ return -EINVAL; + } + + leaves = kcalloc(leaves_count, sizeof(struct net_shaper) + + sizeof(struct net_shaper *), GFP_KERNEL); +- if (!leaves) { +- ret = -ENOMEM; +- goto unlock; +- } ++ if (!leaves) ++ return -ENOMEM; + old_nodes = (void *)&leaves[leaves_count]; + + ret = net_shaper_parse_node(binding, info->attrs, info, &node); +@@ -1259,9 +1274,6 @@ int net_shaper_nl_group_doit(struct sk_buff *skb, struct genl_info *info) + + free_leaves: + kfree(leaves); +- +-unlock: +- net_shaper_unlock(binding); + return ret; + + free_msg: +@@ -1371,14 +1383,12 @@ static void net_shaper_flush(struct net_shaper_binding *binding) + if (!hierarchy) + return; + +- net_shaper_lock(binding); + xa_lock(&hierarchy->shapers); + xa_for_each(&hierarchy->shapers, index, cur) { + __xa_erase(&hierarchy->shapers, index); + kfree(cur); + } + xa_unlock(&hierarchy->shapers); +- net_shaper_unlock(binding); + + kfree(hierarchy); + } +diff --git a/net/shaper/shaper_nl_gen.c b/net/shaper/shaper_nl_gen.c +index e8cccc4c11803..9b29be3ef19a8 100644 +--- a/net/shaper/shaper_nl_gen.c ++++ b/net/shaper/shaper_nl_gen.c +@@ -99,27 +99,27 @@ static const struct genl_split_ops net_shaper_nl_ops[] = { + }, + { + .cmd = NET_SHAPER_CMD_SET, +- .pre_doit = net_shaper_nl_pre_doit, ++ .pre_doit = net_shaper_nl_pre_doit_write, + .doit = net_shaper_nl_set_doit, +- .post_doit = net_shaper_nl_post_doit, ++ .post_doit = net_shaper_nl_post_doit_write, + .policy = net_shaper_set_nl_policy, + .maxattr = NET_SHAPER_A_IFINDEX, + .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + }, + { + .cmd = NET_SHAPER_CMD_DELETE, +- .pre_doit = net_shaper_nl_pre_doit, ++ .pre_doit = net_shaper_nl_pre_doit_write, + .doit = net_shaper_nl_delete_doit, +- .post_doit = net_shaper_nl_post_doit, ++ .post_doit = net_shaper_nl_post_doit_write, + .policy = net_shaper_delete_nl_policy, + .maxattr = NET_SHAPER_A_IFINDEX, + .flags = GENL_ADMIN_PERM | 
GENL_CMD_CAP_DO, + }, + { + .cmd = NET_SHAPER_CMD_GROUP, +- .pre_doit = net_shaper_nl_pre_doit, ++ .pre_doit = net_shaper_nl_pre_doit_write, + .doit = net_shaper_nl_group_doit, +- .post_doit = net_shaper_nl_post_doit, ++ .post_doit = net_shaper_nl_post_doit_write, + .policy = net_shaper_group_nl_policy, + .maxattr = NET_SHAPER_A_LEAVES, + .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, +diff --git a/net/shaper/shaper_nl_gen.h b/net/shaper/shaper_nl_gen.h +index ec41c90431a4c..42c46c52c7751 100644 +--- a/net/shaper/shaper_nl_gen.h ++++ b/net/shaper/shaper_nl_gen.h +@@ -18,12 +18,17 @@ extern const struct nla_policy net_shaper_leaf_info_nl_policy[NET_SHAPER_A_WEIGH + + int net_shaper_nl_pre_doit(const struct genl_split_ops *ops, + struct sk_buff *skb, struct genl_info *info); ++int net_shaper_nl_pre_doit_write(const struct genl_split_ops *ops, ++ struct sk_buff *skb, struct genl_info *info); + int net_shaper_nl_cap_pre_doit(const struct genl_split_ops *ops, + struct sk_buff *skb, struct genl_info *info); + void + net_shaper_nl_post_doit(const struct genl_split_ops *ops, struct sk_buff *skb, + struct genl_info *info); + void ++net_shaper_nl_post_doit_write(const struct genl_split_ops *ops, ++ struct sk_buff *skb, struct genl_info *info); ++void + net_shaper_nl_cap_post_doit(const struct genl_split_ops *ops, + struct sk_buff *skb, struct genl_info *info); + int net_shaper_nl_pre_dumpit(struct netlink_callback *cb); +-- +2.51.0 + diff --git a/queue-6.19/net-shaper-protect-late-read-accesses-to-the-hierarc.patch b/queue-6.19/net-shaper-protect-late-read-accesses-to-the-hierarc.patch new file mode 100644 index 0000000000..32cbf22003 --- /dev/null +++ b/queue-6.19/net-shaper-protect-late-read-accesses-to-the-hierarc.patch 
@@ -0,0 +1,94 @@ +From a099f2c12aa6fd850feff2dd16379e94f9e5131f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 09:10:13 -0700 +Subject: net: shaper: protect late read accesses to the hierarchy + +From: Jakub Kicinski + +[ Upstream commit 0f9ea7141f365b4f27226898e62220fb98ef8dc6 ] + +We look up a netdev during prep of Netlink ops (pre- callbacks) +and take a ref to it. Then later in the body of the callback +we take its lock or RCU which are the actual protections. + +This is not proper, a conversion from a ref to a locked netdev +must include a liveness check (a check if the netdev hasn't been +unregistered already). Fix the read cases (those under RCU). +Writes needs a separate change to protect from creating the +hierarchy after flush has already run. + +Fixes: 4b623f9f0f59 ("net-shapers: implement NL get operation") +Reported-by: Paul Moses +Link: https://lore.kernel.org/20260309173450.538026-1-p@1g4.org +Signed-off-by: Jakub Kicinski +Link: https://patch.msgid.link/20260317161014.779569-1-kuba@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/shaper/shaper.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +diff --git a/net/shaper/shaper.c b/net/shaper/shaper.c +index 318a0567a6981..081dac917dc2d 100644 +--- a/net/shaper/shaper.c ++++ b/net/shaper/shaper.c +@@ -65,6 +65,21 @@ net_shaper_hierarchy(struct net_shaper_binding *binding) + return NULL; + } + ++static struct net_shaper_hierarchy * ++net_shaper_hierarchy_rcu(struct net_shaper_binding *binding) ++{ ++ /* Readers look up the device and take a ref, then take RCU lock ++ * later at which point netdev may have been unregistered and flushed. ++ * READ_ONCE() pairs with WRITE_ONCE() in net_shaper_hierarchy_setup. 
++ */ ++ if (binding->type == NET_SHAPER_BINDING_TYPE_NETDEV && ++ READ_ONCE(binding->netdev->reg_state) <= NETREG_REGISTERED) ++ return READ_ONCE(binding->netdev->net_shaper_hierarchy); ++ ++ /* No other type supported yet. */ ++ return NULL; ++} ++ + static const struct net_shaper_ops * + net_shaper_ops(struct net_shaper_binding *binding) + { +@@ -251,9 +266,10 @@ static struct net_shaper * + net_shaper_lookup(struct net_shaper_binding *binding, + const struct net_shaper_handle *handle) + { +- struct net_shaper_hierarchy *hierarchy = net_shaper_hierarchy(binding); + u32 index = net_shaper_handle_to_index(handle); ++ struct net_shaper_hierarchy *hierarchy; + ++ hierarchy = net_shaper_hierarchy_rcu(binding); + if (!hierarchy || xa_get_mark(&hierarchy->shapers, index, + NET_SHAPER_NOT_VALID)) + return NULL; +@@ -778,17 +794,19 @@ int net_shaper_nl_get_dumpit(struct sk_buff *skb, + + /* Don't error out dumps performed before any set operation. */ + binding = net_shaper_binding_from_ctx(ctx); +- hierarchy = net_shaper_hierarchy(binding); +- if (!hierarchy) +- return 0; + + rcu_read_lock(); ++ hierarchy = net_shaper_hierarchy_rcu(binding); ++ if (!hierarchy) ++ goto out_unlock; ++ + for (; (shaper = xa_find(&hierarchy->shapers, &ctx->start_index, + U32_MAX, XA_PRESENT)); ctx->start_index++) { + ret = net_shaper_fill_one(skb, binding, shaper, info); + if (ret) + break; + } ++out_unlock: + rcu_read_unlock(); + + return ret; +-- +2.51.0 + diff --git a/queue-6.19/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch b/queue-6.19/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch new file mode 100644 index 0000000000..921db4f60f --- /dev/null +++ b/queue-6.19/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch 
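Review bot: In the net_shaper_nl_get_dumpit() hunk the early `if (!hierarchy) return 0;` becomes `goto out_unlock;` followed by `return ret;`, so the "don't error out dumps performed before any set operation" behaviour now depends on `ret` being zero-initialised at a point outside the hunk; worth confirming, since a stale non-zero `ret` would turn an empty dump into an error. The comment on net_shaper_hierarchy_rcu() says its READ_ONCE() "pairs with WRITE_ONCE() in net_shaper_hierarchy_setup", but the three hunks account for all 22 insertions in the diffstat and none touch that function, so the store side must already use WRITE_ONCE() for the pairing claim to hold; if it does not, the comment is documenting a pairing that does not exist yet. I would also state the helper's contract at its definition: `/* Caller holds rcu_read_lock(); returns NULL once the netdev has left NETREG_REGISTERED. */`. The enclosing net_shaper_nl_get_dumpit() starts outside the hunk.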
@@ -0,0 +1,208 @@ +From ee92650fb61e6f52ccb134560e82a3c3aedb59bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 17:29:07 +0800 +Subject: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() + +From: Jiayuan Chen + +[ Upstream commit 6d5e4538364b9ceb1ac2941a4deb86650afb3538 ] + +Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1]. + +smc_tcp_syn_recv_sock() is called in the TCP receive path +(softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP +listening socket). It reads sk_user_data to get the smc_sock +pointer. However, when the SMC listen socket is being closed +concurrently, smc_close_active() sets clcsock->sk_user_data +to NULL under sk_callback_lock, and then the smc_sock itself +can be freed via sock_put() in smc_release(). + +This leads to two issues: + +1) NULL pointer dereference: sk_user_data is NULL when + accessed. +2) Use-after-free: sk_user_data is read as non-NULL, but the + smc_sock is freed before its fields (e.g., queued_smc_hs, + ori_af_ops) are accessed. + +The race window looks like this (the syzkaller crash [1] +triggers via the SYN cookie path: tcp_get_cookie_sock() -> +smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path +has the same race): + + CPU A (softirq) CPU B (process ctx) + + tcp_v4_rcv() + TCP_NEW_SYN_RECV: + sk = req->rsk_listener + sock_hold(sk) + /* No lock on listener */ + smc_close_active(): + write_lock_bh(cb_lock) + sk_user_data = NULL + write_unlock_bh(cb_lock) + ... + smc_clcsock_release() + sock_put(smc->sk) x2 + -> smc_sock freed! + tcp_check_req() + smc_tcp_syn_recv_sock(): + smc = user_data(sk) + -> NULL or dangling + smc->queued_smc_hs + -> crash! + +Note that the clcsock and smc_sock are two independent objects +with separate refcounts. TCP stack holds a reference on the +clcsock, which keeps it alive, but this does NOT prevent the +smc_sock from being freed. + +Fix this by using RCU and refcount_inc_not_zero() to safely +access smc_sock. 
Since smc_tcp_syn_recv_sock() is called in +the TCP three-way handshake path, taking read_lock_bh on +sk_callback_lock is too heavy and would not survive a SYN +flood attack. Using rcu_read_lock() is much more lightweight. + +- Set SOCK_RCU_FREE on the SMC listen socket so that + smc_sock freeing is deferred until after the RCU grace + period. This guarantees the memory is still valid when + accessed inside rcu_read_lock(). +- Use rcu_read_lock() to protect reading sk_user_data. +- Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the + smc_sock. If the refcount has already reached zero (close + path completed), it returns false and we bail out safely. + +Note: smc_hs_congested() has a similar lockless read of +sk_user_data without rcu_read_lock(), but it only checks for +NULL and accesses the global smc_hs_wq, never dereferencing +any smc_sock field, so it is not affected. + +Reproducer was verified with mdelay injection and smc_run, +the issue no longer occurs with this patch applied. 
+ +[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9 + +Fixes: 8270d9c21041 ("net/smc: Limit backlog connections") +Reported-by: syzbot+827ae2bfb3a3529333e9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67eaf9b8.050a0220.3c3d88.004a.GAE@google.com/T/ +Suggested-by: Eric Dumazet +Reviewed-by: Eric Dumazet +Signed-off-by: Jiayuan Chen +Link: https://patch.msgid.link/20260312092909.48325-1-jiayuan.chen@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 23 +++++++++++++++++------ + net/smc/smc.h | 5 +++++ + net/smc/smc_close.c | 2 +- + 3 files changed, 23 insertions(+), 7 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 18c56b0d7ad53..765f26aaca93d 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -131,7 +131,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk, + struct smc_sock *smc; + struct sock *child; + +- smc = smc_clcsock_user_data(sk); ++ rcu_read_lock(); ++ smc = smc_clcsock_user_data_rcu(sk); ++ if (!smc || !refcount_inc_not_zero(&smc->sk.sk_refcnt)) { ++ rcu_read_unlock(); ++ smc = NULL; ++ goto drop; ++ } ++ rcu_read_unlock(); + + if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) > + sk->sk_max_ack_backlog) +@@ -153,11 +160,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk, + if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops) + inet_csk(child)->icsk_af_ops = smc->ori_af_ops; + } ++ sock_put(&smc->sk); + return child; + + drop: + dst_release(dst); + tcp_listendrop(sk); ++ if (smc) ++ sock_put(&smc->sk); + return NULL; + } + +@@ -254,7 +264,7 @@ static void smc_fback_restore_callbacks(struct smc_sock *smc) + struct sock *clcsk = smc->clcsock->sk; + + write_lock_bh(&clcsk->sk_callback_lock); +- clcsk->sk_user_data = NULL; ++ rcu_assign_sk_user_data(clcsk, NULL); + + smc_clcsock_restore_cb(&clcsk->sk_state_change, &smc->clcsk_state_change); + smc_clcsock_restore_cb(&clcsk->sk_data_ready, 
&smc->clcsk_data_ready); +@@ -902,7 +912,7 @@ static void smc_fback_replace_callbacks(struct smc_sock *smc) + struct sock *clcsk = smc->clcsock->sk; + + write_lock_bh(&clcsk->sk_callback_lock); +- clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); ++ __rcu_assign_sk_user_data_with_flags(clcsk, smc, SK_USER_DATA_NOCOPY); + + smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change, + &smc->clcsk_state_change); +@@ -2665,8 +2675,8 @@ int smc_listen(struct socket *sock, int backlog) + * smc-specific sk_data_ready function + */ + write_lock_bh(&smc->clcsock->sk->sk_callback_lock); +- smc->clcsock->sk->sk_user_data = +- (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); ++ __rcu_assign_sk_user_data_with_flags(smc->clcsock->sk, smc, ++ SK_USER_DATA_NOCOPY); + smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready, + smc_clcsock_data_ready, &smc->clcsk_data_ready); + write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); +@@ -2687,10 +2697,11 @@ int smc_listen(struct socket *sock, int backlog) + write_lock_bh(&smc->clcsock->sk->sk_callback_lock); + smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready, + &smc->clcsk_data_ready); +- smc->clcsock->sk->sk_user_data = NULL; ++ rcu_assign_sk_user_data(smc->clcsock->sk, NULL); + write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); + goto out; + } ++ sock_set_flag(sk, SOCK_RCU_FREE); + sk->sk_max_ack_backlog = backlog; + sk->sk_ack_backlog = 0; + sk->sk_state = SMC_LISTEN; +diff --git a/net/smc/smc.h b/net/smc/smc.h +index 9e6af72784baa..52145df83f6e7 100644 +--- a/net/smc/smc.h ++++ b/net/smc/smc.h +@@ -346,6 +346,11 @@ static inline struct smc_sock *smc_clcsock_user_data(const struct sock *clcsk) + ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY); + } + ++static inline struct smc_sock *smc_clcsock_user_data_rcu(const struct sock *clcsk) ++{ ++ return (struct smc_sock *)rcu_dereference_sk_user_data(clcsk); ++} ++ + /* save target_cb in saved_cb, and replace target_cb with new_cb */ + 
static inline void smc_clcsock_replace_cb(void (**target_cb)(struct sock *), + void (*new_cb)(struct sock *), +diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c +index 10219f55aad14..bb0313ef5f7c1 100644 +--- a/net/smc/smc_close.c ++++ b/net/smc/smc_close.c +@@ -218,7 +218,7 @@ int smc_close_active(struct smc_sock *smc) + write_lock_bh(&smc->clcsock->sk->sk_callback_lock); + smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready, + &smc->clcsk_data_ready); +- smc->clcsock->sk->sk_user_data = NULL; ++ rcu_assign_sk_user_data(smc->clcsock->sk, NULL); + write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); + rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR); + } +-- +2.51.0 + diff --git a/queue-6.19/net-ti-icssg-prueth-fix-memory-leak-in-xdp_drop-for-.patch b/queue-6.19/net-ti-icssg-prueth-fix-memory-leak-in-xdp_drop-for-.patch new file mode 100644 index 0000000000..c810e56001 --- /dev/null +++ b/queue-6.19/net-ti-icssg-prueth-fix-memory-leak-in-xdp_drop-for-.patch 
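Review bot: smc_clcsock_user_data_rcu() in smc.h is added without stating its locking contract; unlike smc_clcsock_user_data(), its result is only valid inside an RCU read-side section and must be pinned before use, which is the discipline smc_tcp_syn_recv_sock() follows by calling refcount_inc_not_zero() before rcu_read_unlock(). I would document that at the definition: `/* Must be called under rcu_read_lock(); the smc_sock may be released concurrently, so pin it with refcount_inc_not_zero(&smc->sk.sk_refcnt) before leaving the RCU section. */`. In af_smc.c the `smc = NULL; goto drop;` on failure together with `if (smc) sock_put(&smc->sk);` at the drop label correctly separates the unpinned and pinned drop paths, but a short comment at the rcu_read_lock() explaining why sk_callback_lock is deliberately avoided (the SYN-flood cost given in the commit message) would keep that reasoning next to the code. smc_tcp_syn_recv_sock() and smc_listen() both start outside their hunks.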
@@ -0,0 +1,53 @@ +From 4d9a71cccdbe0e712979af32322ac29e2178d233 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 15:24:41 +0530 +Subject: net: ti: icssg-prueth: Fix memory leak in XDP_DROP for non-zero-copy + mode + +From: Meghana Malladi + +[ Upstream commit 719d3e71691db7c4f1658ba5a6d1472928121594 ] + +Page recycling was removed from the XDP_DROP path in emac_run_xdp() to +avoid conflicts with AF_XDP zero-copy mode, which uses xsk_buff_free() +instead. + +However, this causes a memory leak when running XDP programs that drop +packets in non-zero-copy mode (standard page pool mode). The pages are +never returned to the page pool, leading to OOM conditions. + +Fix this by handling cleanup in the caller, emac_rx_packet(). +When emac_run_xdp() returns ICSSG_XDP_CONSUMED for XDP_DROP, the +caller now recycles the page back to the page pool. The zero-copy +path, emac_rx_packet_zc() already handles cleanup correctly with +xsk_buff_free(). + +Fixes: 7a64bb388df3 ("net: ti: icssg-prueth: Add AF_XDP zero copy for RX") +Signed-off-by: Meghana Malladi +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260311095441.1691636-1-m-malladi@ti.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/icssg/icssg_common.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/ti/icssg/icssg_common.c b/drivers/net/ethernet/ti/icssg/icssg_common.c +index 090aa74d3ce72..a9b5f86bc71bc 100644 +--- a/drivers/net/ethernet/ti/icssg/icssg_common.c ++++ b/drivers/net/ethernet/ti/icssg/icssg_common.c +@@ -1075,6 +1075,11 @@ static int emac_rx_packet(struct prueth_emac *emac, u32 flow_id, u32 *xdp_state) + xdp_prepare_buff(&xdp, pa, PRUETH_HEADROOM, pkt_len, false); + + *xdp_state = emac_run_xdp(emac, &xdp, &pkt_len); ++ if (*xdp_state == ICSSG_XDP_CONSUMED) { ++ page_pool_recycle_direct(pool, page); ++ goto requeue; ++ } ++ + if (*xdp_state != ICSSG_XDP_PASS) + goto requeue; + headroom = xdp.data - 
xdp.data_hard_start; +-- +2.51.0 + diff --git a/queue-6.19/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch b/queue-6.19/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch new file mode 100644 index 0000000000..327ec90a8a --- /dev/null +++ b/queue-6.19/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch 
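Review bot: The new ICSSG_XDP_CONSUMED branch in emac_rx_packet() recycles the page unconditionally, so it is only correct if emac_run_xdp() returns ICSSG_XDP_CONSUMED solely for the drop/aborted outcomes in which the page was not handed off (XDP_TX and XDP_REDIRECT presumably use distinct return values, but those paths are outside the hunk); worth confirming, since recycling a page that was already transmitted or redirected would be a double release. A comment would make the ownership rule explicit: `/* XDP_DROP: emac_run_xdp() did not take the page, return it to the pool; the zero-copy path frees via xsk_buff_free() instead. */`. `pool` and `page` are assumed to still name this buffer's page pool and page at this point; both are declared outside the hunk. emac_rx_packet() starts and ends outside the hunk.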
@@ -0,0 +1,69 @@ +From 3ba43e9b03a3a37c0ff10e567601fb1698b4c578 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 16:16:43 +0200 +Subject: net: usb: aqc111: Do not perform PM inside suspend callback + +From: Nikola Z. Ivanov + +[ Upstream commit 069c8f5aebe4d5224cf62acc7d4b3486091c658a ] + +syzbot reports "task hung in rpm_resume" + +This is caused by aqc111_suspend calling +the PM variant of its write_cmd routine. + +The simplified call trace looks like this: + +rpm_suspend() + usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING + aqc111_suspend() - called for the usb device interface + aqc111_write32_cmd() + usb_autopm_get_interface() + pm_runtime_resume_and_get() + rpm_resume() - here we call rpm_resume() on our parent + rpm_resume() - Here we wait for a status change that will never happen. + +At this point we block another task which holds +rtnl_lock and locks up the whole networking stack. + +Fix this by replacing the write_cmd calls with their _nopm variants + +Reported-by: syzbot+48dc1e8dfc92faf1124c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=48dc1e8dfc92faf1124c +Fixes: e58ba4544c77 ("net: usb: aqc111: Add support for wake on LAN by MAGIC packet") +Signed-off-by: Nikola Z. 
Ivanov +Link: https://patch.msgid.link/20260313141643.1181386-1-zlatistiv@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/aqc111.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c +index 9201ee10a13f7..d316aa66dbc23 100644 +--- a/drivers/net/usb/aqc111.c ++++ b/drivers/net/usb/aqc111.c +@@ -1400,14 +1400,14 @@ static int aqc111_suspend(struct usb_interface *intf, pm_message_t message) + aqc111_write16_cmd_nopm(dev, AQ_ACCESS_MAC, + SFR_MEDIUM_STATUS_MODE, 2, ®16); + +- aqc111_write_cmd(dev, AQ_WOL_CFG, 0, 0, +- WOL_CFG_SIZE, &wol_cfg); +- aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, +- &aqc111_data->phy_cfg); ++ aqc111_write_cmd_nopm(dev, AQ_WOL_CFG, 0, 0, ++ WOL_CFG_SIZE, &wol_cfg); ++ aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0, ++ &aqc111_data->phy_cfg); + } else { + aqc111_data->phy_cfg |= AQ_LOW_POWER; +- aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, +- &aqc111_data->phy_cfg); ++ aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0, ++ &aqc111_data->phy_cfg); + + /* Disable RX path */ + aqc111_read16_cmd_nopm(dev, AQ_ACCESS_MAC, +-- +2.51.0 + diff --git a/queue-6.19/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch b/queue-6.19/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch new file mode 100644 index 0000000000..4f66741faa --- /dev/null +++ b/queue-6.19/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch 
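Review bot: The hunk converts the three write calls visible in aqc111_suspend() to their _nopm variants, but the function begins before and ends after the hunk, so any other PM-variant accessor left in the suspend path (or in the matching resume callback) reintroduces the same rpm_resume() wait the commit message describes; an audit of the rest of the callback is worth recording. A comment at the top of the block would guard against regressions: `/* Runtime PM is already in progress here: only the _nopm accessors may be used. */`. The return values of these writes are discarded as before, so a failed WoL or PHY configuration during suspend stays silent; not introduced by this change, but worth noting alongside it.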
@@ -0,0 +1,65 @@ +From 59beefa152be2a1af40f46326455048234680d27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 22:46:39 -0700 +Subject: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check + +From: Tobi Gaertner + +[ Upstream commit 2aa8a4fa8d5b7d0e1ebcec100e1a4d80a1f4b21a ] + +cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE +entries fit within the skb. The first check correctly accounts for +ndpoffset: + + if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) + +but the second check omits it: + + if ((sizeof(struct usb_cdc_ncm_ndp16) + + ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) + +This validates the DPE array size against the total skb length as if +the NDP were at offset 0, rather than at ndpoffset. When the NDP is +placed near the end of the NTB (large wNdpIndex), the DPE entries can +extend past the skb data buffer even though the check passes. +cdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating +the DPE array. + +Add ndpoffset to the nframes bounds check and use struct_size_t() to +express the NDP-plus-DPE-array size more clearly. 
+ +Fixes: ff06ab13a4cc ("net: cdc_ncm: splitting rx_fixup for code reuse") +Signed-off-by: Tobi Gaertner +Link: https://patch.msgid.link/20260314054640.2895026-2-tob.gaertner@me.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_ncm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index 5d123df0a866b..a9d0162b5ee01 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1656,6 +1656,7 @@ int cdc_ncm_rx_verify_ndp16(struct sk_buff *skb_in, int ndpoffset) + struct usbnet *dev = netdev_priv(skb_in->dev); + struct usb_cdc_ncm_ndp16 *ndp16; + int ret = -EINVAL; ++ size_t ndp_len; + + if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) { + netif_dbg(dev, rx_err, dev->net, "invalid NDP offset <%u>\n", +@@ -1675,8 +1676,8 @@ int cdc_ncm_rx_verify_ndp16(struct sk_buff *skb_in, int ndpoffset) + sizeof(struct usb_cdc_ncm_dpe16)); + ret--; /* we process NDP entries except for the last one */ + +- if ((sizeof(struct usb_cdc_ncm_ndp16) + +- ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) { ++ ndp_len = struct_size_t(struct usb_cdc_ncm_ndp16, dpe16, ret); ++ if (ndpoffset + ndp_len > skb_in->len) { + netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret); + ret = -EINVAL; + } +-- +2.51.0 + diff --git a/queue-6.19/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch b/queue-6.19/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch new file mode 100644 index 0000000000..0417aad561 --- /dev/null +++ b/queue-6.19/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch 
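Review bot: The corrected bound `ndpoffset + ndp_len > skb_in->len` carries no comment explaining why the offset matters, and the identical fix is repeated for NDP32 in the following patch (cdc_ncm_rx_verify_ndp32()); I would add to both: `/* The NDP header plus its DPE array must end inside the skb, measured from ndpoffset, not from 0. */`. The new form is only as strong as the sign of `ret`: if `ret` could be negative after the `ret--` (wLength smaller than two DPEs), struct_size_t() saturates to SIZE_MAX and the size_t sum wraps back to a small value, so the check would pass; the wLength minimum that rules this out is outside the hunk and should be confirmed rather than assumed (the old multiplication had the same dependency). `ndpoffset` is an `int` added to a `size_t`, matching the first check; a negative offset converts high and fails closed. cdc_ncm_rx_verify_ndp16() starts outside the hunk.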
@@ -0,0 +1,54 @@ +From 0317bc75292fca43e57b26db82828e6c0bdf04e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 22:46:40 -0700 +Subject: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check + +From: Tobi Gaertner + +[ Upstream commit 77914255155e68a20aa41175edeecf8121dac391 ] + +The same bounds-check bug fixed for NDP16 in the previous patch also +exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated +against the total skb length without accounting for ndpoffset, allowing +out-of-bounds reads when the NDP32 is placed near the end of the NTB. + +Add ndpoffset to the nframes bounds check and use struct_size_t() to +express the NDP-plus-DPE-array size more clearly. + +Compile-tested only. + +Fixes: 0fa81b304a79 ("cdc_ncm: Implement the 32-bit version of NCM Transfer Block") +Signed-off-by: Tobi Gaertner +Link: https://patch.msgid.link/20260314054640.2895026-3-tob.gaertner@me.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_ncm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index a9d0162b5ee01..81d7e99fc0f09 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1693,6 +1693,7 @@ int cdc_ncm_rx_verify_ndp32(struct sk_buff *skb_in, int ndpoffset) + struct usbnet *dev = netdev_priv(skb_in->dev); + struct usb_cdc_ncm_ndp32 *ndp32; + int ret = -EINVAL; ++ size_t ndp_len; + + if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp32)) > skb_in->len) { + netif_dbg(dev, rx_err, dev->net, "invalid NDP offset <%u>\n", +@@ -1712,8 +1713,8 @@ int cdc_ncm_rx_verify_ndp32(struct sk_buff *skb_in, int ndpoffset) + sizeof(struct usb_cdc_ncm_dpe32)); + ret--; /* we process NDP entries except for the last one */ + +- if ((sizeof(struct usb_cdc_ncm_ndp32) + +- ret * (sizeof(struct usb_cdc_ncm_dpe32))) > skb_in->len) { ++ ndp_len = struct_size_t(struct usb_cdc_ncm_ndp32, dpe32, ret); ++ if (ndpoffset + 
ndp_len > skb_in->len) { + netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret); + ret = -EINVAL; + } +-- +2.51.0 + diff --git a/queue-6.19/netdevsim-drop-psp-ext-ref-on-forward-failure.patch b/queue-6.19/netdevsim-drop-psp-ext-ref-on-forward-failure.patch new file mode 100644 index 0000000000..6552e4f43d --- /dev/null +++ b/queue-6.19/netdevsim-drop-psp-ext-ref-on-forward-failure.patch 
@@ -0,0 +1,53 @@ +From 0ddbd055a1a654a77a565e04c394d44f4e71edeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 00:14:31 -0600 +Subject: netdevsim: drop PSP ext ref on forward failure + +From: Wesley Atwell + +[ Upstream commit 7d9351435ebba08bbb60f42793175c9dc714d2fb ] + +nsim_do_psp() takes an extra reference to the PSP skb extension so the +extension survives __dev_forward_skb(). That forward path scrubs the skb +and drops attached skb extensions before nsim_psp_handle_ext() can +reattach the PSP metadata. + +If __dev_forward_skb() fails in nsim_forward_skb(), the function returns +before nsim_psp_handle_ext() can attach that extension to the skb, leaving +the extra reference leaked. + +Drop the saved PSP extension reference before returning from the +forward-failure path. Guard the put because plain or non-decapsulated +traffic can also fail forwarding without ever taking the extra PSP +reference. + +Fixes: f857478d6206 ("netdevsim: a basic test PSP implementation") +Signed-off-by: Wesley Atwell +Reviewed-by: Daniel Zahka +Link: https://patch.msgid.link/20260317061431.1482716-1-atwellwea@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/netdev.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/netdevsim/netdev.c b/drivers/net/netdevsim/netdev.c +index 6927c1962277a..62223ad2d63f9 100644 +--- a/drivers/net/netdevsim/netdev.c ++++ b/drivers/net/netdevsim/netdev.c +@@ -109,8 +109,11 @@ static int nsim_forward_skb(struct net_device *tx_dev, + int ret; + + ret = __dev_forward_skb(rx_dev, skb); +- if (ret) ++ if (ret) { ++ if (psp_ext) ++ __skb_ext_put(psp_ext); + return ret; ++ } + + nsim_psp_handle_ext(skb, psp_ext); + +-- +2.51.0 + diff --git a/queue-6.19/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch b/queue-6.19/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch new file mode 100644 index 0000000000..5a9924ed79 --- /dev/null 
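Review bot: The new forward-failure branch in nsim_forward_skb() drops the extra PSP extension reference but does not say why the skb itself needs no handling; a comment would make the ownership split explicit: `/* __dev_forward_skb() consumed the skb on error; nsim_psp_handle_ext() will not run, so release the extra ext ref nsim_do_psp() took. */`. The `if (psp_ext)` guard relies on `psp_ext` being NULL whenever no extra reference was taken; that invariant is established outside the hunk (by the caller or nsim_do_psp()) and is what keeps this from becoming an over-put on plain traffic. nsim_forward_skb() starts before and ends after the hunk.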
+++ b/queue-6.19/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch @@ -0,0 +1,47 @@ +From 39eb670e9a0be6095d943a2cdcaf8e1035e07024 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 12:23:08 +0100 +Subject: netfilter: bpf: defer hook memory release until rcu readers are done + +From: Florian Westphal + +[ Upstream commit 24f90fa3994b992d1a09003a3db2599330a5232a ] + +Yiming Qian reports UaF when concurrent process is dumping hooks via +nfnetlink_hooks: + +BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0 +Read of size 8 at addr ffff888003edbf88 by task poc/79 +Call Trace: + + nfnl_hook_dump_one.isra.0+0xe71/0x10f0 + netlink_dump+0x554/0x12b0 + nfnl_hook_get+0x176/0x230 + [..] + +Defer release until after concurrent readers have completed. + +Reported-by: Yiming Qian +Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_bpf_link.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c +index 46e667a50d988..248840dbca1b2 100644 +--- a/net/netfilter/nf_bpf_link.c ++++ b/net/netfilter/nf_bpf_link.c +@@ -170,7 +170,7 @@ static int bpf_nf_link_update(struct bpf_link *link, struct bpf_prog *new_prog, + + static const struct bpf_link_ops bpf_nf_link_lops = { + .release = bpf_nf_link_release, +- .dealloc = bpf_nf_link_dealloc, ++ .dealloc_deferred = bpf_nf_link_dealloc, + .detach = bpf_nf_link_detach, + .show_fdinfo = bpf_nf_link_show_info, + .fill_link_info = bpf_nf_link_fill_link_info, +-- +2.51.0 + diff --git a/queue-6.19/netfilter-conntrack-add-missing-netlink-policy-valid.patch b/queue-6.19/netfilter-conntrack-add-missing-netlink-policy-valid.patch new file mode 100644 index 0000000000..008f416e60 --- /dev/null +++ b/queue-6.19/netfilter-conntrack-add-missing-netlink-policy-valid.patch 
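Review bot: Switching bpf_nf_link_lops from `.dealloc` to `.dealloc_deferred` changes the context in which bpf_nf_link_dealloc() runs: as I understand the bpf_link core, a deferred dealloc is invoked from an RCU callback after the grace period, so the body of bpf_nf_link_dealloc() (outside this hunk) must be limited to non-sleeping work such as kfree(); worth confirming nothing in it takes a sleeping lock. A comment at the field would tie the choice to the race it fixes: `/* nfnl_hook dumps walk the hook list under RCU; free only after the grace period. */`.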
@@ -0,0 +1,64 @@ +From e700099eabe66f9a47b39bb489cbd7514b9c5bdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 00:28:29 +0100 +Subject: netfilter: conntrack: add missing netlink policy validations + +From: Florian Westphal + +[ Upstream commit f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05 ] + +Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. + +These attributes are used by the kernel without any validation. +Extend the netlink policies accordingly. + +Quoting the reporter: + nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE + value directly to ct->proto.sctp.state without checking that it is + within the valid range. [..] + + and: ... with exp->dir = 100, the access at + ct->master->tuplehash[100] reads 5600 bytes past the start of a + 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by + UBSAN. + +Fixes: 076a0ca02644 ("netfilter: ctnetlink: add NAT support for expectations") +Fixes: a258860e01b8 ("netfilter: ctnetlink: add full support for SCTP to ctnetlink") +Reported-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 2 +- + net/netfilter/nf_conntrack_proto_sctp.c | 3 ++- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index f261dd48973fe..d9f33a6c807c8 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3488,7 +3488,7 @@ ctnetlink_change_expect(struct nf_conntrack_expect *x, + + #if IS_ENABLED(CONFIG_NF_NAT) + static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = { +- [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 }, ++ [CTA_EXPECT_NAT_DIR] = NLA_POLICY_MAX(NLA_BE32, IP_CT_DIR_REPLY), + [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED }, + }; + #endif +diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c +index 
7c6f7c9f73320..645d2c43ebf7a 100644 +--- a/net/netfilter/nf_conntrack_proto_sctp.c ++++ b/net/netfilter/nf_conntrack_proto_sctp.c +@@ -582,7 +582,8 @@ static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla, + } + + static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = { +- [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 }, ++ [CTA_PROTOINFO_SCTP_STATE] = NLA_POLICY_MAX(NLA_U8, ++ SCTP_CONNTRACK_HEARTBEAT_SENT), + [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 }, + [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 }, + }; +-- +2.51.0 + diff --git a/queue-6.19/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch b/queue-6.19/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch new file mode 100644 index 0000000000..b8f2b6c12b --- /dev/null +++ b/queue-6.19/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch 
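Review bot: In the nf_conntrack_netlink.c hunk the CTA_EXPECT_NAT_DIR policy changes type from NLA_U32 to NLA_BE32 while adding the IP_CT_DIR_REPLY bound, so the range check is applied to the big-endian decoding; that is only correct if the consumer reads the attribute with `ntohl(nla_get_be32(...))` rather than `nla_get_u32()`. The consumer is outside the hunk, so please confirm both sides agree, otherwise a value that passes the policy could still be read back as a different index into tuplehash[]. In the nf_conntrack_proto_sctp.c hunk the bound SCTP_CONNTRACK_HEARTBEAT_SENT is a specific state rather than the enum's end marker; a comment such as `/* highest state nlattr_to_sctp() may install; keep in sync with the state machine */` would tell readers the bound is deliberate and not derived from the enum size.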
@@ -0,0 +1,123 @@ +From 970675ee789a0349f5fbe5f56d9f2529f261c2f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:21:37 +0900 +Subject: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() + +From: Hyunwoo Kim + +[ Upstream commit 5cb81eeda909dbb2def209dd10636b51549a3f8a ] + +ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the +netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the +conntrack reference immediately after netlink_dump_start(). When the +dump spans multiple rounds, the second recvmsg() triggers the dump +callback which dereferences the now-freed conntrack via nfct_help(ct), +leading to a use-after-free on ct->ext. + +The bug is that the netlink_dump_control has no .start or .done +callbacks to manage the conntrack reference across dump rounds. Other +dump functions in the same file (e.g. ctnetlink_get_conntrack) properly +use .start/.done callbacks for this purpose. + +Fix this by adding .start and .done callbacks that hold and release the +conntrack reference for the duration of the dump, and move the +nfct_help() call after the cb->args[0] early-return check in the dump +callback to avoid dereferencing ct->ext unnecessarily. + + BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0 + Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133 + + CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY + Call Trace: + + ctnetlink_exp_ct_dump_table+0x4f/0x2e0 + netlink_dump+0x333/0x880 + netlink_recvmsg+0x3e2/0x4b0 + ? 
aa_sk_perm+0x184/0x450 + sock_recvmsg+0xde/0xf0 + + Allocated by task 133: + kmem_cache_alloc_noprof+0x134/0x440 + __nf_conntrack_alloc+0xa8/0x2b0 + ctnetlink_create_conntrack+0xa1/0x900 + ctnetlink_new_conntrack+0x3cf/0x7d0 + nfnetlink_rcv_msg+0x48e/0x510 + netlink_rcv_skb+0xc9/0x1f0 + nfnetlink_rcv+0xdb/0x220 + netlink_unicast+0x3ec/0x590 + netlink_sendmsg+0x397/0x690 + __sys_sendmsg+0xf4/0x180 + + Freed by task 0: + slab_free_after_rcu_debug+0xad/0x1e0 + rcu_core+0x5c3/0x9c0 + +Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack") +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++++++++++- + 1 file changed, 25 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 3a04665adf992..f261dd48973fe 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3211,7 +3211,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + struct nf_conn *ct = cb->data; +- struct nf_conn_help *help = nfct_help(ct); ++ struct nf_conn_help *help; + u_int8_t l3proto = nfmsg->nfgen_family; + unsigned long last_id = cb->args[1]; + struct nf_conntrack_expect *exp; +@@ -3219,6 +3219,10 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + if (cb->args[0]) + return 0; + ++ help = nfct_help(ct); ++ if (!help) ++ return 0; ++ + rcu_read_lock(); + + restart: +@@ -3248,6 +3252,24 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + return skb->len; + } + ++static int ctnetlink_dump_exp_ct_start(struct netlink_callback *cb) ++{ ++ struct nf_conn *ct = cb->data; ++ ++ if (!refcount_inc_not_zero(&ct->ct_general.use)) ++ return -ENOENT; ++ return 0; ++} ++ ++static int ctnetlink_dump_exp_ct_done(struct 
netlink_callback *cb) ++{ ++ struct nf_conn *ct = cb->data; ++ ++ if (ct) ++ nf_ct_put(ct); ++ return 0; ++} ++ + static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct sk_buff *skb, + const struct nlmsghdr *nlh, +@@ -3263,6 +3285,8 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct nf_conntrack_zone zone; + struct netlink_dump_control c = { + .dump = ctnetlink_exp_ct_dump_table, ++ .start = ctnetlink_dump_exp_ct_start, ++ .done = ctnetlink_dump_exp_ct_done, + }; + + err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, +-- +2.51.0 + diff --git a/queue-6.19/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch b/queue-6.19/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch new file mode 100644 index 0000000000..b6ab09ab83 --- /dev/null +++ b/queue-6.19/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch 
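Review bot: ctnetlink_dump_exp_ct_start() and ctnetlink_dump_exp_ct_done() are new and undocumented, and the subtle part is the pairing: the caller still holds its own reference when .start runs and drops it right after netlink_dump_start(), so the reference taken here is what keeps ct alive across dump rounds. If I read netlink_dump_start() right, .done is not invoked when .start fails, so returning -ENOENT without a put is correct, but that deserves stating. Suggest above the start function: `/* Hold ct across dump rounds; the caller drops its reference once netlink_dump_start() returns. .done is not called if this fails. */`. The `if (ct)` guard in _done looks redundant given cb->data is set unconditionally by the caller, but that assignment is outside the hunk.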
@@ -0,0 +1,47 @@ +From 326653108784977e90fe90305ea556c6c76785cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 14:49:50 +0000 +Subject: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jenny Guanni Qu + +[ Upstream commit f173d0f4c0f689173f8cdac79991043a4a89bf66 ] + +In DecodeQ931(), the UserUserIE code path reads a 16-bit length from +the packet, then decrements it by 1 to skip the protocol discriminator +byte before passing it to DecodeH323_UserInformation(). If the encoded +length is 0, the decrement wraps to -1, which is then passed as a +large value to the decoder, leading to an out-of-bounds read. + +Add a check to ensure len is positive after the decrement. + +Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Tested-by: Jenny Guanni Qu +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_h323_asn1.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c +index c972e9488e16f..7b1497ed97d26 100644 +--- a/net/netfilter/nf_conntrack_h323_asn1.c ++++ b/net/netfilter/nf_conntrack_h323_asn1.c +@@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931) + break; + p++; + len--; ++ if (len <= 0) ++ break; + return DecodeH323_UserInformation(buf, p, len, + &q931->UUIE); + } +-- +2.51.0 + diff --git a/queue-6.19/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch b/queue-6.19/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch new file mode 100644 index 0000000000..3024d0af75 --- /dev/null +++ b/queue-6.19/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch 
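Review bot: The new `if (len <= 0) break;` after `len--;` is correct only because len is a signed int; if len were ever made unsigned, the decrement of 0 would wrap and the test would pass silently. Checking the encoded length before consuming the protocol discriminator avoids depending on signedness, i.e. `if (!len) break;` placed before the existing `p++; len--;`. Either way a short comment, `/* UUIE with no payload after the protocol discriminator */`, would explain the bound. DecodeQ931() begins and ends outside the hunk.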
@@ -0,0 +1,48 @@ +From 62140a73955a2a60b0534b865de265d47e34cec6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 02:29:32 +0000 +Subject: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jenny Guanni Qu + +[ Upstream commit 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a ] + +In decode_int(), the CONS case calls get_bits(bs, 2) to read a length +value, then calls get_uint(bs, len) without checking that len bytes +remain in the buffer. The existing boundary check only validates the +2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() +reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte +slab-out-of-bounds read. + +Add a boundary check for len bytes after get_bits() and before +get_uint(). + +Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_h323_asn1.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c +index 62aa22a078769..c972e9488e16f 100644 +--- a/net/netfilter/nf_conntrack_h323_asn1.c ++++ b/net/netfilter/nf_conntrack_h323_asn1.c +@@ -331,6 +331,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f, + if (nf_h323_error_boundary(bs, 0, 2)) + return H323_ERROR_BOUND; + len = get_bits(bs, 2) + 1; ++ if (nf_h323_error_boundary(bs, len, 0)) ++ return H323_ERROR_BOUND; + BYTE_ALIGN(bs); + if (base && (f->attr & DECODE)) { /* timeToLive */ + unsigned int v = get_uint(bs, len) + f->lb; +-- +2.51.0 + diff --git a/queue-6.19/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch b/queue-6.19/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch new file mode 100644 index 0000000000..2d87f71484 
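Review bot: The new `nf_h323_error_boundary(bs, len, 0)` call sits before `BYTE_ALIGN(bs)`, so it is only sufficient if the helper rounds the pending bit offset up to the next byte, as its other call sites appear to rely on; that ordering is worth a comment since a reader may expect the check to follow the alignment. Suggest `/* len bytes are consumed after alignment (get_uint() and the cursor advance); the boundary check rounds the partial byte up */`. The cursor advance at the end of the CONS case is outside the hunk, so I am inferring that the check covers it as well.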
--- /dev/null +++ b/queue-6.19/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch 
@@ -0,0 +1,66 @@ +From a43b75e20b8daffe8a2140f6fd8d39ac22e4aa65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 21:49:01 +0000 +Subject: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in + sip_help_tcp() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lukas Johannes Möller + +[ Upstream commit fbce58e719a17aa215c724473fd5baaa4a8dc57c ] + +sip_help_tcp() parses the SIP Content-Length header with +simple_strtoul(), which returns unsigned long, but stores the result in +unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are +silently truncated before computing the SIP message boundary. + +For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, +causing the parser to miscalculate where the current message ends. The +loop then treats trailing data in the TCP segment as a second SIP +message and processes it through the SDP parser. + +Fix this by changing clen to unsigned long to match the return type of +simple_strtoul(), and reject Content-Length values that exceed the +remaining TCP payload length. 
+ +Fixes: f5b321bd37fb ("netfilter: nf_conntrack_sip: add TCP support") +Signed-off-by: Lukas Johannes Möller +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_sip.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c +index ca748f8dbff13..4ab5ef71d96db 100644 +--- a/net/netfilter/nf_conntrack_sip.c ++++ b/net/netfilter/nf_conntrack_sip.c +@@ -1534,11 +1534,12 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff, + { + struct tcphdr *th, _tcph; + unsigned int dataoff, datalen; +- unsigned int matchoff, matchlen, clen; ++ unsigned int matchoff, matchlen; + unsigned int msglen, origlen; + const char *dptr, *end; + s16 diff, tdiff = 0; + int ret = NF_ACCEPT; ++ unsigned long clen; + bool term; + + if (ctinfo != IP_CT_ESTABLISHED && +@@ -1573,6 +1574,9 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff, + if (dptr + matchoff == end) + break; + ++ if (clen > datalen) ++ break; ++ + term = false; + for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) { + if (end[0] == '\r' && end[1] == '\n' && +-- +2.51.0 + diff --git a/queue-6.19/netfilter-nf_flow_table_ip-reset-mac-header-before-v.patch b/queue-6.19/netfilter-nf_flow_table_ip-reset-mac-header-before-v.patch new file mode 100644 index 0000000000..c9737d0818 --- /dev/null +++ b/queue-6.19/netfilter-nf_flow_table_ip-reset-mac-header-before-v.patch 
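Review bot: The new `if (clen > datalen) break;` has no comment, and its purpose is easy to miss because a later `msglen > datalen` check in the same loop appears to cover oversized messages; the difference, as I read the loop, is that clen is added to the `end` pointer first, and an unsigned long value larger than the payload can move that pointer arbitrarily far before the later comparison runs. Suggest `/* bound clen before it is added to end; a huge value would push the pointer past the buffer */`. The assignment of clen and the `end += ... + clen` arithmetic are outside the hunk, so this reading should be confirmed against the loop body.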
@@ -0,0 +1,39 @@ +From 411ca0397bb7f860ee767fcdfdcdfda5441c1921 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 15:39:33 +0100 +Subject: netfilter: nf_flow_table_ip: reset mac header before vlan push + +From: Eric Woudstra + +[ Upstream commit a3aca98aec9a278ee56da4f8013bfa1dd1a1c298 ] + +With double vlan tagged packets in the fastpath, getting the error: + +skb_vlan_push got skb with skb->data not at mac header (offset 18) + +Call skb_reset_mac_header() before calling skb_vlan_push(). + +Fixes: c653d5a78f34 ("netfilter: flowtable: inline vlan encapsulation in xmit path") +Signed-off-by: Eric Woudstra +Acked-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_flow_table_ip.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c +index 78883343e5d68..458895e9e1f85 100644 +--- a/net/netfilter/nf_flow_table_ip.c ++++ b/net/netfilter/nf_flow_table_ip.c +@@ -576,6 +576,7 @@ static int nf_flow_encap_push(struct sk_buff *skb, + switch (tuple->encap[i].proto) { + case htons(ETH_P_8021Q): + case htons(ETH_P_8021AD): ++ skb_reset_mac_header(skb); + if (skb_vlan_push(skb, tuple->encap[i].proto, + tuple->encap[i].id) < 0) + return -1; +-- +2.51.0 + diff --git a/queue-6.19/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch b/queue-6.19/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch new file mode 100644 index 0000000000..49b1b3d567 --- /dev/null +++ b/queue-6.19/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch 
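Review bot: The new `skb_reset_mac_header(skb);` inside the 802.1Q/802.1AD case is unexplained at the call site; a reader seeing it on every loop iteration may wonder whether it is needed for a single tag at all. Suggest `/* skb_vlan_push() expects skb->data at the mac header; a previous push in this loop presumably moved it */` above the call, which matches the double-tag failure in the commit message. nf_flow_encap_push() begins and ends outside the hunk.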
@@ -0,0 +1,51 @@ +From 703614e5d24989eba0232d209cd9aede20cb6bad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 20:00:26 +0100 +Subject: netfilter: nf_tables: release flowtable after rcu grace period on + error + +From: Pablo Neira Ayuso + +[ Upstream commit d73f4b53aaaea4c95f245e491aa5eeb8a21874ce ] + +Call synchronize_rcu() after unregistering the hooks from error path, +since a hook that already refers to this flowtable can be already +registered, exposing this flowtable to packet path and nfnetlink_hook +control plane. + +This error path is rare, it should only happen by reaching the maximum +number hooks or by failing to set up to hardware offload, just call +synchronize_rcu(). + +There is a check for already used device hooks by different flowtable +that could result in EEXIST at this late stage. The hook parser can be +updated to perform this check earlier to this error path really becomes +rarely exercised. + +Uncovered by KASAN reported as use-after-free from nfnetlink_hook path +when dumping hooks. + +Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 03321b800707c..fdbb1e20499bd 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -9203,6 +9203,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb, + return 0; + + err_flowtable_hooks: ++ synchronize_rcu(); + nft_trans_destroy(trans); + err_flowtable_trans: + nft_hooks_destroy(&flowtable->hook_list); +-- +2.51.0 + diff --git a/queue-6.19/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch b/queue-6.19/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch new file mode 100644 index 0000000000..62917f97df --- /dev/null 
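Review bot: The `synchronize_rcu()` added at err_flowtable_hooks has no comment, and nothing nearby says why an error path must wait for a grace period, so a future reader may treat it as an unexplained sleep and remove it. Suggest `/* hooks registered so far may already be visible to the packet path and nfnetlink_hook dumps */` above it, which is the rationale given in the commit message. The label is reached regardless of how many hooks were actually registered, so the wait is also paid when none were; whether the failure modes allow that I cannot tell, as the hook loop is outside the hunk.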
+++ b/queue-6.19/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch 
@@ -0,0 +1,70 @@ +From 42c484b0116ae21c1fd6522ee1194db418815f14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 13:48:47 +0100 +Subject: netfilter: nft_ct: drop pending enqueued packets on removal + +From: Pablo Neira Ayuso + +[ Upstream commit 36eae0956f659e48d5366d9b083d9417f3263ddc ] + +Packets sitting in nfqueue might hold a reference to: + +- templates that specify the conntrack zone, because a percpu area is + used and module removal is possible. +- conntrack timeout policies and helper, where object removal leave + a stale reference. + +Since these objects can just go away, drop enqueued packets to avoid +stale reference to them. + +If there is a need for finer grain removal, this logic can be revisited +to make selective packet drop upon dependencies. + +Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_ct.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c +index 6f2ae7cad7310..db1bf69f87750 100644 +--- a/net/netfilter/nft_ct.c ++++ b/net/netfilter/nft_ct.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include "nf_internals.h" + + struct nft_ct_helper_obj { + struct nf_conntrack_helper *helper4; +@@ -543,6 +544,7 @@ static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv) + #endif + #ifdef CONFIG_NF_CONNTRACK_ZONES + case NFT_CT_ZONE: ++ nf_queue_nf_hook_drop(ctx->net); + mutex_lock(&nft_ct_pcpu_mutex); + if (--nft_ct_pcpu_template_refcnt == 0) + nft_ct_tmpl_put_pcpu(); +@@ -1016,6 +1018,7 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx, + struct nft_ct_timeout_obj *priv = nft_obj_data(obj); + struct nf_ct_timeout *timeout = priv->timeout; + ++ nf_queue_nf_hook_drop(ctx->net); + nf_ct_untimeout(ctx->net, timeout); + nf_ct_netns_put(ctx->net, ctx->family); + 
kfree(priv->timeout); +@@ -1148,6 +1151,7 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx, + { + struct nft_ct_helper_obj *priv = nft_obj_data(obj); + ++ nf_queue_nf_hook_drop(ctx->net); + if (priv->helper4) + nf_conntrack_helper_put(priv->helper4); + if (priv->helper6) +-- +2.51.0 + diff --git a/queue-6.19/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch b/queue-6.19/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch new file mode 100644 index 0000000000..0d56ccaa76 --- /dev/null +++ b/queue-6.19/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch 
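Review bot: The three new `nf_queue_nf_hook_drop(ctx->net)` calls (in the NFT_CT_ZONE case of __nft_ct_set_destroy(), in nft_ct_timeout_obj_destroy() and in nft_ct_helper_obj_destroy()) appear to flush every packet queued to userspace in the namespace, not only those tied to the object being removed, and none of the call sites says so. That is a visible side effect for unrelated nfqueue users on any such rule or object removal, so it deserves a comment at each site, e.g. `/* queued skbs may still reference this object; flush all of nfqueue for this netns */`. The commit message acknowledges the coarseness; the comment would make the trade-off discoverable in the code. The namespace-wide scope is inferred from the single net argument, as the helper itself is not in the hunk.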
@@ -0,0 +1,54 @@ +From a2c3106c31c7c98739be1b76e4aa56b0c7040fe4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 13:48:48 +0100 +Subject: netfilter: xt_CT: drop pending enqueued packets on template removal + +From: Pablo Neira Ayuso + +[ Upstream commit f62a218a946b19bb59abdd5361da85fa4606b96b ] + +Templates refer to objects that can go away while packets are sitting in +nfqueue refer to: + +- helper, this can be an issue on module removal. +- timeout policy, nfnetlink_cttimeout might remove it. + +The use of templates with zone and event cache filter are safe, since +this just copies values. + +Flush these enqueued packets in case the template rule gets removed. + +Fixes: 24de58f46516 ("netfilter: xt_CT: allow to attach timeout policy + glue code") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_CT.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c +index 3ba94c34297cf..498f5871c84a0 100644 +--- a/net/netfilter/xt_CT.c ++++ b/net/netfilter/xt_CT.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include "nf_internals.h" + + static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct) + { +@@ -283,6 +284,9 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par, + struct nf_conn_help *help; + + if (ct) { ++ if (info->helper[0] || info->timeout[0]) ++ nf_queue_nf_hook_drop(par->net); ++ + help = nfct_help(ct); + xt_ct_put_helper(help); + +-- +2.51.0 + diff --git a/queue-6.19/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch b/queue-6.19/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch new file mode 100644 index 0000000000..9aa9d190c7 --- /dev/null +++ b/queue-6.19/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch 
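Review bot: The condition `if (info->helper[0] || info->timeout[0])` before `nf_queue_nf_hook_drop(par->net)` encodes the rule from the commit message (zone and event filters are plain copies, helper and timeout are references) but nothing at the call site explains it. Suggest `/* zone/events are copied into the template; helper and timeout are referenced and may go away, so flush nfqueue */` above the check. If the v0 target path converts its info into a v1 struct before reaching here, the check relies on that conversion leaving timeout zeroed; the v0 path is outside the hunk.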
@@ -0,0 +1,53 @@ +From 312ba393b75a0c52655a07e08b47427399f2f6bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 14:59:49 +0000 +Subject: netfilter: xt_time: use unsigned int for monthday bit shift +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jenny Guanni Qu + +[ Upstream commit 00050ec08cecfda447e1209b388086d76addda3a ] + +The monthday field can be up to 31, and shifting a signed integer 1 +by 31 positions (1 << 31) is undefined behavior in C, as the result +overflows a 32-bit signed int. Use 1U to ensure well-defined behavior +for all valid monthday values. + +Change the weekday shift to 1U as well for consistency. + +Fixes: ee4411a1b1e0 ("[NETFILTER]: x_tables: add xt_time match") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Tested-by: Jenny Guanni Qu +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_time.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c +index 6aa12d0f54e23..61de85e02a40f 100644 +--- a/net/netfilter/xt_time.c ++++ b/net/netfilter/xt_time.c +@@ -227,13 +227,13 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par) + + localtime_2(¤t_time, stamp); + +- if (!(info->weekdays_match & (1 << current_time.weekday))) ++ if (!(info->weekdays_match & (1U << current_time.weekday))) + return false; + + /* Do not spend time computing monthday if all days match anyway */ + if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) { + localtime_3(¤t_time, stamp); +- if (!(info->monthdays_match & (1 << current_time.monthday))) ++ if (!(info->monthdays_match & (1U << current_time.monthday))) + return false; + } + +-- +2.51.0 + diff --git a/queue-6.19/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch b/queue-6.19/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch new file mode 100644 index 0000000000..2996d6243c 
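Review bot: `1U << current_time.weekday` and `1U << current_time.monthday` are correct for shifts up to 31, but the kernel's idiom for a single bit is `BIT(n)`, which expands to an unsigned long shift and cannot regress to the signed form that caused this bug; `info->monthdays_match & BIT(current_time.monthday)` would read the same to a kernel developer. That is a style preference only; the fix as written is sound.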
--- /dev/null +++ b/queue-6.19/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch 
@@ -0,0 +1,107 @@ +From 2ea4dd366785bc7877d517493775b1229c71fb2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 12:38:59 +0100 +Subject: nf_tables: nft_dynset: fix possible stateful expression memleak in + error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pablo Neira Ayuso + +[ Upstream commit 0548a13b5a145b16e4da0628b5936baf35f51b43 ] + +If cloning the second stateful expression in the element via GFP_ATOMIC +fails, then the first stateful expression remains in place without being +released. + +   unreferenced object (percpu) 0x607b97e9cab8 (size 16): +     comm "softirq", pid 0, jiffies 4294931867 +     hex dump (first 16 bytes on cpu 3): +       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +     backtrace (crc 0): +       pcpu_alloc_noprof+0x453/0xd80 +       nft_counter_clone+0x9c/0x190 [nf_tables] +       nft_expr_clone+0x8f/0x1b0 [nf_tables] +       nft_dynset_new+0x2cb/0x5f0 [nf_tables] +       nft_rhash_update+0x236/0x11c0 [nf_tables] +       nft_dynset_eval+0x11f/0x670 [nf_tables] +       nft_do_chain+0x253/0x1700 [nf_tables] +       nft_do_chain_ipv4+0x18d/0x270 [nf_tables] +       nf_hook_slow+0xaa/0x1e0 +       ip_local_deliver+0x209/0x330 + +Fixes: 563125a73ac3 ("netfilter: nftables: generalize set extension to support for several expressions") +Reported-by: Gurpreet Shergill +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 2 ++ + net/netfilter/nf_tables_api.c | 4 ++-- + net/netfilter/nft_dynset.c | 10 +++++++++- + 3 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index c18cffafc9696..4dc080f7f27c6 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -875,6 +875,8 @@ struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set, + u64 timeout, u64 
expiration, gfp_t gfp); + int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, + struct nft_expr *expr_array[]); ++void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, ++ struct nft_set_elem_expr *elem_expr); + void nft_set_elem_destroy(const struct nft_set *set, + const struct nft_elem_priv *elem_priv, + bool destroy_expr); +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index c9a76c760b17c..03321b800707c 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -6744,8 +6744,8 @@ static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx, + } + } + +-static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, +- struct nft_set_elem_expr *elem_expr) ++void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, ++ struct nft_set_elem_expr *elem_expr) + { + struct nft_expr *expr; + u32 size; +diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c +index 7807d81296646..9123277be03ce 100644 +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -30,18 +30,26 @@ static int nft_dynset_expr_setup(const struct nft_dynset *priv, + const struct nft_set_ext *ext) + { + struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext); ++ struct nft_ctx ctx = { ++ .net = read_pnet(&priv->set->net), ++ .family = priv->set->table->family, ++ }; + struct nft_expr *expr; + int i; + + for (i = 0; i < priv->num_exprs; i++) { + expr = nft_setelem_expr_at(elem_expr, elem_expr->size); + if (nft_expr_clone(expr, priv->expr_array[i], GFP_ATOMIC) < 0) +- return -1; ++ goto err_out; + + elem_expr->size += priv->expr_array[i]->ops->size; + } + + return 0; ++err_out: ++ nft_set_elem_expr_destroy(&ctx, elem_expr); ++ ++ return -1; + } + + struct nft_elem_priv *nft_dynset_new(struct nft_set *set, +-- +2.51.0 + 
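Review bot: The err_out path in nft_dynset_expr_setup() relies on two facts that the code does not state: nft_set_elem_expr_destroy() walks only `elem_expr->size` bytes, which at that point covers exactly the clones that succeeded, and the caller's cleanup of the element must not destroy those expressions a second time. Suggest `/* size covers only the clones that succeeded; the caller must free the element without destroying them */` above the destroy call, with the second half confirmed against nft_dynset_new(), which is outside the hunk. Also, `ctx` carries only .net and .family; if nft_set_elem_expr_destroy() or the expressions' destroy callbacks read any other ctx member they would see zeros — presumably fine for the stateful expressions dynset permits, but worth a note.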
diff --git a/queue-6.19/nfnetlink_osf-validate-individual-option-lengths-in-.patch b/queue-6.19/nfnetlink_osf-validate-individual-option-lengths-in-.patch new file mode 100644 index 0000000000..146908b38c --- /dev/null +++ b/queue-6.19/nfnetlink_osf-validate-individual-option-lengths-in-.patch 
@@ -0,0 +1,83 @@ +From 5b115e03427e9d1750893f6170c4ce9fa2e1d805 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 15:32:44 +0800 +Subject: nfnetlink_osf: validate individual option lengths in fingerprints + +From: Weiming Shi + +[ Upstream commit dbdfaae9609629a9569362e3b8f33d0a20fd783c ] + +nfnl_osf_add_callback() validates opt_num bounds and string +NUL-termination but does not check individual option length fields. +A zero-length option causes nf_osf_match_one() to enter the option +matching loop even when foptsize sums to zero, which matches packets +with no TCP options where ctx->optp is NULL: + + Oops: general protection fault + KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) + Call Trace: + nf_osf_match (net/netfilter/nfnetlink_osf.c:227) + xt_osf_match_packet (net/netfilter/xt_osf.c:32) + ipt_do_table (net/ipv4/netfilter/ip_tables.c:293) + nf_hook_slow (net/netfilter/core.c:623) + ip_local_deliver (net/ipv4/ip_input.c:262) + ip_rcv (net/ipv4/ip_input.c:573) + +Additionally, an MSS option (kind=2) with length < 4 causes +out-of-bounds reads when nf_osf_match_one() unconditionally accesses +optp[2] and optp[3] for MSS value extraction. While RFC 9293 +section 3.2 specifies that the MSS option is always exactly 4 +bytes (Kind=2, Length=4), the check uses "< 4" rather than +"!= 4" because lengths greater than 4 do not cause memory +safety issues -- the buffer is guaranteed to be at least +foptsize bytes by the ctx->optsize == foptsize check. + +Reject fingerprints where any option has zero length, or where an MSS +option has length less than 4, at add time rather than trusting these +values in the packet matching hot path. 
+ +Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_osf.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c +index c0fc431991e88..9fc9544d4bc53 100644 +--- a/net/netfilter/nfnetlink_osf.c ++++ b/net/netfilter/nfnetlink_osf.c +@@ -302,7 +302,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb, + { + struct nf_osf_user_finger *f; + struct nf_osf_finger *kf = NULL, *sf; ++ unsigned int tot_opt_len = 0; + int err = 0; ++ int i; + + if (!capable(CAP_NET_ADMIN)) + return -EPERM; +@@ -318,6 +320,17 @@ static int nfnl_osf_add_callback(struct sk_buff *skb, + if (f->opt_num > ARRAY_SIZE(f->opt)) + return -EINVAL; + ++ for (i = 0; i < f->opt_num; i++) { ++ if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN) ++ return -EINVAL; ++ if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4) ++ return -EINVAL; ++ ++ tot_opt_len += f->opt[i].length; ++ if (tot_opt_len > MAX_IPOPTLEN) ++ return -EINVAL; ++ } ++ + if (!memchr(f->genre, 0, MAXGENRELEN) || + !memchr(f->subtype, 0, MAXGENRELEN) || + !memchr(f->version, 0, MAXGENRELEN)) +-- +2.51.0 + diff --git a/queue-6.19/pm-runtime-fix-a-race-condition-related-to-device-re.patch b/queue-6.19/pm-runtime-fix-a-race-condition-related-to-device-re.patch new file mode 100644 index 0000000000..d92c81f5d4 --- /dev/null +++ b/queue-6.19/pm-runtime-fix-a-race-condition-related-to-device-re.patch 
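Review bot: The MSS check `f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4` deliberately uses `< 4` rather than `!= 4`, and the reasoning (longer encodings are memory-safe because the packet buffer is bounded by foptsize) lives only in the commit message; put it next to the code, e.g. `/* nf_osf_match_one() reads optp[2..3] for MSS; longer lengths are harmless */`. Likewise `!f->opt[i].length` deserves `/* a zero-length option lets foptsize sum to 0 and match packets with no options */`. The running `tot_opt_len > MAX_IPOPTLEN` bound is rightly checked inside the loop, since each length is already capped but their sum is not; that the file uses MAX_IPOPTLEN for TCP option space is an existing convention I am taking from the matcher, which is outside the hunk.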
@@ -0,0 +1,126 @@ +From e9d764f64a955f018200795452b8e980db4c6fbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 11:27:20 -0700 +Subject: PM: runtime: Fix a race condition related to device removal + +From: Bart Van Assche + +[ Upstream commit 29ab768277617452d88c0607c9299cdc63b6e9ff ] + +The following code in pm_runtime_work() may dereference the dev->parent +pointer after the parent device has been freed: + + /* Maybe the parent is now able to suspend. */ + if (parent && !parent->power.ignore_children) { + spin_unlock(&dev->power.lock); + + spin_lock(&parent->power.lock); + rpm_idle(parent, RPM_ASYNC); + spin_unlock(&parent->power.lock); + + spin_lock(&dev->power.lock); + } + +Fix this by inserting a flush_work() call in pm_runtime_remove(). + +Without this patch blktest block/001 triggers the following complaint +sporadically: + +BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160 +Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081 +Workqueue: pm pm_runtime_work +Call Trace: + + dump_stack_lvl+0x61/0x80 + print_address_description.constprop.0+0x8b/0x310 + print_report+0xfd/0x1d7 + kasan_report+0xd8/0x1d0 + __kasan_check_byte+0x42/0x60 + lock_acquire.part.0+0x38/0x230 + lock_acquire+0x70/0x160 + _raw_spin_lock+0x36/0x50 + rpm_suspend+0xc6a/0xfe0 + rpm_idle+0x578/0x770 + pm_runtime_work+0xee/0x120 + process_one_work+0xde3/0x1410 + worker_thread+0x5eb/0xfe0 + kthread+0x37b/0x480 + ret_from_fork+0x6cb/0x920 + ret_from_fork_asm+0x11/0x20 + + +Allocated by task 4314: + kasan_save_stack+0x2a/0x50 + kasan_save_track+0x18/0x40 + kasan_save_alloc_info+0x3d/0x50 + __kasan_kmalloc+0xa0/0xb0 + __kmalloc_noprof+0x311/0x990 + scsi_alloc_target+0x122/0xb60 [scsi_mod] + __scsi_scan_target+0x101/0x460 [scsi_mod] + scsi_scan_channel+0x179/0x1c0 [scsi_mod] + scsi_scan_host_selected+0x259/0x2d0 [scsi_mod] + store_scan+0x2d2/0x390 [scsi_mod] + dev_attr_store+0x43/0x80 + sysfs_kf_write+0xde/0x140 + kernfs_fop_write_iter+0x3ef/0x670 + 
vfs_write+0x506/0x1470 + ksys_write+0xfd/0x230 + __x64_sys_write+0x76/0xc0 + x64_sys_call+0x213/0x1810 + do_syscall_64+0xee/0xfc0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Freed by task 4314: + kasan_save_stack+0x2a/0x50 + kasan_save_track+0x18/0x40 + kasan_save_free_info+0x3f/0x50 + __kasan_slab_free+0x67/0x80 + kfree+0x225/0x6c0 + scsi_target_dev_release+0x3d/0x60 [scsi_mod] + device_release+0xa3/0x220 + kobject_cleanup+0x105/0x3a0 + kobject_put+0x72/0xd0 + put_device+0x17/0x20 + scsi_device_dev_release+0xacf/0x12c0 [scsi_mod] + device_release+0xa3/0x220 + kobject_cleanup+0x105/0x3a0 + kobject_put+0x72/0xd0 + put_device+0x17/0x20 + scsi_device_put+0x7f/0xc0 [scsi_mod] + sdev_store_delete+0xa5/0x120 [scsi_mod] + dev_attr_store+0x43/0x80 + sysfs_kf_write+0xde/0x140 + kernfs_fop_write_iter+0x3ef/0x670 + vfs_write+0x506/0x1470 + ksys_write+0xfd/0x230 + __x64_sys_write+0x76/0xc0 + x64_sys_call+0x213/0x1810 + +Reported-by: Ming Lei +Closes: https://lore.kernel.org/all/ZxdNvLNI8QaOfD2d@fedora/ +Reported-by: syzbot+6c905ab800f20cf4086c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68c13942.050a0220.2ff435.000b.GAE@google.com/ +Fixes: 5e928f77a09a ("PM: Introduce core framework for run-time PM of I/O devices (rev. 17)") +Signed-off-by: Bart Van Assche +Link: https://patch.msgid.link/20260312182720.2776083-1-bvanassche@acm.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/base/power/runtime.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index 0ee8ea971aa46..335288e8b5b31 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -1895,6 +1895,7 @@ void pm_runtime_reinit(struct device *dev) + void pm_runtime_remove(struct device *dev) + { + __pm_runtime_disable(dev, false); ++ flush_work(&dev->power.work); + pm_runtime_reinit(dev); + } + +-- +2.51.0 + 
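Review bot: The added `flush_work(&dev->power.work);` in pm_runtime_remove() has no comment explaining why it is needed on top of `__pm_runtime_disable()`, and the reasoning (pm_runtime_work() may still be executing and dereferencing dev->parent after the parent has been freed) is only in the commit message. Suggest `/* pm_runtime_work() may still be running and dereferencing dev->parent; wait for it before the device can go away. */` above the call. flush_work() only waits for the instance currently queued or running, so this is sufficient only if nothing can requeue dev->power.work once runtime PM has been disabled; that presumably follows from __pm_runtime_disable() but is worth confirming, since the guarantee is not visible in the hunk.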
diff --git a/queue-6.19/sched-idle-consolidate-the-handling-of-two-special-c.patch b/queue-6.19/sched-idle-consolidate-the-handling-of-two-special-c.patch
new file mode 100644
index 0000000000..d25245606b
--- /dev/null
+++ b/queue-6.19/sched-idle-consolidate-the-handling-of-two-special-c.patch
@@ -0,0 +1,133 @@ +From 6eeed4f464e547301c36e990850604f3ff2f4fbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 13:25:41 +0100 +Subject: sched: idle: Consolidate the handling of two special cases + +From: Rafael J. Wysocki + +[ Upstream commit f4c31b07b136839e0fb3026f8a5b6543e3b14d2f ] + +There are two special cases in the idle loop that are handled +inconsistently even though they are analogous. + +The first one is when a cpuidle driver is absent and the default CPU +idle time power management implemented by the architecture code is used. +In that case, the scheduler tick is stopped every time before invoking +default_idle_call(). + +The second one is when a cpuidle driver is present, but there is only +one idle state in its table. In that case, the scheduler tick is never +stopped at all. + +Since each of these approaches has its drawbacks, reconcile them with +the help of one simple heuristic. Namely, stop the tick if the CPU has +been woken up by it in the previous iteration of the idle loop, or let +it tick otherwise. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Reviewed-by: Frederic Weisbecker +Reviewed-by: Qais Yousef +Reviewed-by: Aboorva Devarajan +Fixes: ed98c3491998 ("sched: idle: Do not stop the tick before cpuidle_idle_call()") +[ rjw: Added Fixes tag, changelog edits ] +Link: https://patch.msgid.link/4741364.LvFx2qVVIh@rafael.j.wysocki +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + kernel/sched/idle.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c +index 69c70d509e1cf..8e00d95fb3388 100644 +--- a/kernel/sched/idle.c ++++ b/kernel/sched/idle.c +@@ -161,6 +161,14 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev, + return cpuidle_enter(drv, dev, next_state); + } + ++static void idle_call_stop_or_retain_tick(bool stop_tick) ++{ ++ if (stop_tick || tick_nohz_tick_stopped()) ++ tick_nohz_idle_stop_tick(); ++ else ++ tick_nohz_idle_retain_tick(); ++} ++ + /** + * cpuidle_idle_call - the main idle function + * +@@ -170,7 +178,7 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev, + * set, and it returns with polling set. If it ever stops polling, it + * must clear the polling bit. + */ +-static void cpuidle_idle_call(void) ++static void cpuidle_idle_call(bool stop_tick) + { + struct cpuidle_device *dev = cpuidle_get_device(); + struct cpuidle_driver *drv = cpuidle_get_cpu_driver(dev); +@@ -186,7 +194,7 @@ static void cpuidle_idle_call(void) + } + + if (cpuidle_not_available(drv, dev)) { +- tick_nohz_idle_stop_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + default_idle_call(); + goto exit_idle; +@@ -222,17 +230,19 @@ static void cpuidle_idle_call(void) + next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns); + call_cpuidle(drv, dev, next_state); + } else if (drv->state_count > 1) { +- bool stop_tick = true; ++ /* ++ * stop_tick is expected to be true by default by cpuidle ++ * governors, which allows them to select idle states with ++ * target residency above the tick period length. ++ */ ++ stop_tick = true; + + /* + * Ask the cpuidle framework to choose a convenient idle state. 
+ */ + next_state = cpuidle_select(drv, dev, &stop_tick); + +- if (stop_tick || tick_nohz_tick_stopped()) +- tick_nohz_idle_stop_tick(); +- else +- tick_nohz_idle_retain_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + entered_state = call_cpuidle(drv, dev, next_state); + /* +@@ -240,7 +250,7 @@ static void cpuidle_idle_call(void) + */ + cpuidle_reflect(dev, entered_state); + } else { +- tick_nohz_idle_retain_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + /* + * If there is only a single idle state (or none), there is +@@ -268,6 +278,7 @@ static void cpuidle_idle_call(void) + static void do_idle(void) + { + int cpu = smp_processor_id(); ++ bool got_tick = false; + + /* + * Check if we need to update blocked load +@@ -338,8 +349,9 @@ static void do_idle(void) + tick_nohz_idle_restart_tick(); + cpu_idle_poll(); + } else { +- cpuidle_idle_call(); ++ cpuidle_idle_call(got_tick); + } ++ got_tick = tick_nohz_idle_got_tick(); + arch_cpu_idle_exit(); + } + +-- +2.51.0 + diff --git a/queue-6.19/series b/queue-6.19/series index 9eaf22f3a2..b906b36a59 100644 --- a/queue-6.19/series +++ b/queue-6.19/series 
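Review bot: cpuidle_idle_call() gains a `stop_tick` parameter but the kernel-doc block above it (`cpuidle_idle_call - the main idle function`) is not updated, so kernel-doc would now report a missing parameter description. Add ` * @stop_tick: stop the scheduler tick when no governor decides it; set when the tick woke the CPU in the previous idle-loop iteration` after the summary line. As a style point, the same `stop_tick` variable is then reassigned to `true` and handed to cpuidle_select() as the governor's output in the `drv->state_count > 1` branch, so the caller's value and the governor's decision share one name; a separate local would make that branch easier to read. cpuidle_idle_call() spans several hunks and its body continues outside them.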
@@ -92,3 +92,90 @@ drm-xe-always-kill-exec-queues-in-xe_guc_submit_pause_abort.patch drm-xe-fix-missing-runtime-pm-reference-in-ccs_mode_store.patch drm-xe-open-code-ggtt-mmio-access-protection.patch bluetooth-l2cap-fix-accepting-multiple-l2cap_ecred_conn_req.patch +btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch +btrfs-tree-checker-fix-misleading-root-drop_level-er.patch +soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch +cache-starfive-fix-device-node-leak-in-starlink_cach.patch +cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch +soc-rockchip-grf-add-missing-of_node_put-when-return.patch +soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch +soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch +tee-shm-remove-refcounting-of-kernel-pages.patch +wifi-mac80211-remove-keys-after-disabling-beaconing.patch +wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch +wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch +wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch +arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch +arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch +arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch +arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch +arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch +arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch +arm64-dts-renesas-r8a78000-fix-out-of-range-spi-inte.patch +firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch +firmware-arm_scpi-fix-device_node-reference-leak-in-.patch +firmware-arm_scmi-fix-null-dereference-on-notify-err.patch +bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch +bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch +bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch +bluetooth-iso-fix-defer-tests-being-unstable.patch +bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch +bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch 
+bluetooth-hidp-fix-possible-uaf.patch +bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch +bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch +af_unix-give-up-gc-if-msg_peek-intervened.patch +bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch +net-rose-fix-null-pointer-dereference-in-rose_transm.patch +ip_tunnel-adapt-iptunnel_xmit_stats-to-netdev_pcpu_s.patch +mpls-add-missing-unregister_netdevice_notifier-to-mp.patch +netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch +netfilter-conntrack-add-missing-netlink-policy-valid.patch +netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch +netfilter-nf_flow_table_ip-reset-mac-header-before-v.patch +netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch +nf_tables-nft_dynset-fix-possible-stateful-expressio.patch +netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch +netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch +netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch +netfilter-nf_conntrack_h323-check-for-zero-length-in.patch +crypto-ccp-fix-leaking-the-same-page-twice.patch +net-bcmgenet-increase-wol-poll-timeout.patch +net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch +net-ti-icssg-prueth-fix-memory-leak-in-xdp_drop-for-.patch +sched-idle-consolidate-the-handling-of-two-special-c.patch +pm-runtime-fix-a-race-condition-related-to-device-re.patch +bonding-prevent-potential-infinite-loop-in-bond_head.patch +net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch +net-sched-teql-fix-double-free-in-teql_master_xmit.patch +net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch +net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch +net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch +clsact-fix-use-after-free-in-init-destroy-rollback-a.patch +net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch +acpica-update-the-format-of-arg3-of-_dsm.patch +igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch 
+igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch +iavf-fix-vlan-filter-lost-on-add-delete-race.patch +libie-prevent-memleak-in-fwlog-code.patch +wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch +wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch +wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch +acpi-processor-fix-previous-acpi_processor_errata_pi.patch +netdevsim-drop-psp-ext-ref-on-forward-failure.patch +net-macb-fix-uninitialized-rx_fs_lock.patch +ipv6-add-null-checks-for-idev-in-srv6-paths.patch +net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch +net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch +net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch +udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch +net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch +netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch +netfilter-nf_tables-release-flowtable-after-rcu-grac.patch +nfnetlink_osf-validate-individual-option-lengths-in-.patch +net-mvpp2-guard-flow-control-update-with-global_tx_f.patch +net-shaper-protect-late-read-accesses-to-the-hierarc.patch +net-shaper-protect-from-late-creation-of-hierarchy.patch +net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch +icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch +mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch diff --git a/queue-6.19/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch b/queue-6.19/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch new file mode 100644 index 0000000000..c7c2e67603 --- /dev/null +++ b/queue-6.19/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch 
@@ -0,0 +1,42 @@ +From 641f5ca21a793578fad28179ad80e4b6db8bc4ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Feb 2026 09:59:04 +0800 +Subject: soc: fsl: cpm1: qmc: Fix error check for devm_ioremap_resource() in + qmc_qe_init_resources() + +From: Chen Ni + +[ Upstream commit 3f4e403304186d79fddace860360540fc3af97f9 ] + +Fix wrong variable used for error checking after devm_ioremap_resource() +call. The function checks qmc->scc_pram instead of qmc->dpram, which +could lead to incorrect error handling. + +Fixes: eb680d563089 ("soc: fsl: cpm1: qmc: Add support for QUICC Engine (QE) implementation") +Signed-off-by: Chen Ni +Acked-by: Herve Codina +Link: https://lore.kernel.org/r/20260209015904.871269-1-nichen@iscas.ac.cn +Signed-off-by: Christophe Leroy (CS GROUP) +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qe/qmc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/fsl/qe/qmc.c b/drivers/soc/fsl/qe/qmc.c +index da5ea6d356184..6db5ab05c2c1c 100644 +--- a/drivers/soc/fsl/qe/qmc.c ++++ b/drivers/soc/fsl/qe/qmc.c +@@ -1799,8 +1799,8 @@ static int qmc_qe_init_resources(struct qmc *qmc, struct platform_device *pdev) + return -EINVAL; + qmc->dpram_offset = res->start - qe_muram_dma(qe_muram_addr(0)); + qmc->dpram = devm_ioremap_resource(qmc->dev, res); +- if (IS_ERR(qmc->scc_pram)) +- return PTR_ERR(qmc->scc_pram); ++ if (IS_ERR(qmc->dpram)) ++ return PTR_ERR(qmc->dpram); + + return 0; + } +-- +2.51.0 + diff --git a/queue-6.19/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch b/queue-6.19/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch new file mode 100644 index 0000000000..09028fe754 --- /dev/null +++ b/queue-6.19/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch 
@@ -0,0 +1,92 @@ +From a2d364c7b01e0c3b4d6367a6d84350752d1099bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 08:25:49 +0100 +Subject: soc: fsl: qbman: fix race condition in qman_destroy_fq + +From: Richard Genoud + +[ Upstream commit 014077044e874e270ec480515edbc1cadb976cf2 ] + +When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between +fq_table[fq->idx] state and freeing/allocating from the pool and +WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. + +Indeed, we can have: + Thread A Thread B + qman_destroy_fq() qman_create_fq() + qman_release_fqid() + qman_shutdown_fq() + gen_pool_free() + -- At this point, the fqid is available again -- + qman_alloc_fqid() + -- so, we can get the just-freed fqid in thread B -- + fq->fqid = fqid; + fq->idx = fqid * 2; + WARN_ON(fq_table[fq->idx]); + fq_table[fq->idx] = fq; + fq_table[fq->idx] = NULL; + +And adding some logs between qman_release_fqid() and +fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more. + +To prevent that, ensure that fq_table[fq->idx] is set to NULL before +gen_pool_free() is called by using smp_wmb(). + +Fixes: c535e923bb97 ("soc/fsl: Introduce DPAA 1.x QMan device driver") +Signed-off-by: Richard Genoud +Tested-by: CHAMPSEIX Thomas +Link: https://lore.kernel.org/r/20251223072549.397625-1-richard.genoud@bootlin.com +Signed-off-by: Christophe Leroy (CS GROUP) +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qbman/qman.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c +index 6b392b3ad4b15..39a3e7aab6ff2 100644 +--- a/drivers/soc/fsl/qbman/qman.c ++++ b/drivers/soc/fsl/qbman/qman.c +@@ -1827,6 +1827,8 @@ EXPORT_SYMBOL(qman_create_fq); + + void qman_destroy_fq(struct qman_fq *fq) + { ++ int leaked; ++ + /* + * We don't need to lock the FQ as it is a pre-condition that the FQ be + * quiesced. Instead, run some checks. 
+@@ -1834,11 +1836,29 @@ void qman_destroy_fq(struct qman_fq *fq) + switch (fq->state) { + case qman_fq_state_parked: + case qman_fq_state_oos: +- if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) +- qman_release_fqid(fq->fqid); ++ /* ++ * There's a race condition here on releasing the fqid, ++ * setting the fq_table to NULL, and freeing the fqid. ++ * To prevent it, this order should be respected: ++ */ ++ if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) { ++ leaked = qman_shutdown_fq(fq->fqid); ++ if (leaked) ++ pr_debug("FQID %d leaked\n", fq->fqid); ++ } + + DPAA_ASSERT(fq_table[fq->idx]); + fq_table[fq->idx] = NULL; ++ ++ if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) && !leaked) { ++ /* ++ * fq_table[fq->idx] should be set to null before ++ * freeing fq->fqid otherwise it could by allocated by ++ * qman_alloc_fqid() while still being !NULL ++ */ ++ smp_wmb(); ++ gen_pool_free(qm_fqalloc, fq->fqid | DPAA_GENALLOC_OFF, 1); ++ } + return; + default: + break; +-- +2.51.0 + diff --git a/queue-6.19/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch b/queue-6.19/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch new file mode 100644 index 0000000000..9b9d6ddd93 --- /dev/null +++ b/queue-6.19/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch 
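Review bot: `leaked` is declared without an initializer at the top of qman_destroy_fq() and is only assigned inside the `if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))` block; the later `&& !leaked` read is guarded by the same condition, so it is not an uninitialized read, but a compiler cannot prove that and -Wmaybe-uninitialized may warn, so `int leaked = 0;` removes the doubt. The `smp_wmb()` before gen_pool_free() orders the `fq_table[fq->idx] = NULL` store, but a write barrier only helps when the reader side (qman_create_fq() between qman_alloc_fqid() and its WARN_ON) has a matching read barrier or acquire; that side is not in this patch, so the comment should name what it pairs with, and the read-side ordering should be confirmed. The new comment also has a typo, "could by allocated" should read "could be allocated", and the `%d` in `pr_debug("FQID %d leaked\n", fq->fqid)` should match fqid's declared type (`%u` if it is unsigned). The switch and the rest of qman_destroy_fq() continue outside the hunk.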
@@ -0,0 +1,70 @@ +From 2474c616643e5324cc8855dc73f1f6f410122fda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 12:48:36 +0000 +Subject: soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe() + +From: Zilin Guan + +[ Upstream commit 5a741f8cc6fe62542f955cd8d24933a1b6589cbd ] + +In mpfs_sys_controller_probe(), if of_get_mtd_device_by_node() fails, +the function returns immediately without freeing the allocated memory +for sys_controller, leading to a memory leak. + +Fix this by jumping to the out_free label to ensure the memory is +properly freed. + +Also, consolidate the error handling for the mbox_request_channel() +failure case to use the same label. + +Fixes: 742aa6c563d2 ("soc: microchip: mpfs: enable access to the system controller's flash") +Co-developed-by: Jianhao Xu +Signed-off-by: Jianhao Xu +Signed-off-by: Zilin Guan +Signed-off-by: Conor Dooley +Signed-off-by: Sasha Levin +--- + drivers/soc/microchip/mpfs-sys-controller.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/soc/microchip/mpfs-sys-controller.c b/drivers/soc/microchip/mpfs-sys-controller.c +index 30bc45d17d343..81636cfecd37e 100644 +--- a/drivers/soc/microchip/mpfs-sys-controller.c ++++ b/drivers/soc/microchip/mpfs-sys-controller.c +@@ -142,8 +142,10 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev) + + sys_controller->flash = of_get_mtd_device_by_node(np); + of_node_put(np); +- if (IS_ERR(sys_controller->flash)) +- return dev_err_probe(dev, PTR_ERR(sys_controller->flash), "Failed to get flash\n"); ++ if (IS_ERR(sys_controller->flash)) { ++ ret = dev_err_probe(dev, PTR_ERR(sys_controller->flash), "Failed to get flash\n"); ++ goto out_free; ++ } + + no_flash: + sys_controller->client.dev = dev; +@@ -155,8 +157,7 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev) + if (IS_ERR(sys_controller->chan)) { + ret = dev_err_probe(dev, PTR_ERR(sys_controller->chan), + "Failed to get mbox 
channel\n"); +- kfree(sys_controller); +- return ret; ++ goto out_free; + } + + init_completion(&sys_controller->c); +@@ -174,6 +175,10 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev) + dev_info(&pdev->dev, "Registered MPFS system controller\n"); + + return 0; ++ ++out_free: ++ kfree(sys_controller); ++ return ret; + } + + static void mpfs_sys_controller_remove(struct platform_device *pdev) +-- +2.51.0 + diff --git a/queue-6.19/soc-rockchip-grf-add-missing-of_node_put-when-return.patch b/queue-6.19/soc-rockchip-grf-add-missing-of_node_put-when-return.patch new file mode 100644 index 0000000000..4ffbf22aa5 --- /dev/null +++ b/queue-6.19/soc-rockchip-grf-add-missing-of_node_put-when-return.patch 
@@ -0,0 +1,39 @@ +From 0c45faaa5547d6934c43f1f583553ae691990363 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Feb 2026 21:02:37 +0800 +Subject: soc: rockchip: grf: Add missing of_node_put() when returning + +From: Shawn Lin + +[ Upstream commit 24ed11ee5bacf9a9aca18fc6b47667c7f38d578b ] + +Fix the smatch checking: +drivers/soc/rockchip/grf.c:249 rockchip_grf_init() +warn: inconsistent refcounting 'np->kobj.kref.refcount.refs.counter': + +Reported-by: Dan Carpenter +Fixes: 75fb63ae0312 ("soc: rockchip: grf: Support multiple grf to be handled") +Closes: https://lore.kernel.org/all/aYXvgTcUJWQL2can@stanley.mountain/ +Signed-off-by: Shawn Lin +Link: https://patch.msgid.link/1770814957-17762-1-git-send-email-shawn.lin@rock-chips.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/soc/rockchip/grf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/soc/rockchip/grf.c b/drivers/soc/rockchip/grf.c +index 04937c40da471..b459607c118aa 100644 +--- a/drivers/soc/rockchip/grf.c ++++ b/drivers/soc/rockchip/grf.c +@@ -231,6 +231,7 @@ static int __init rockchip_grf_init(void) + grf = syscon_node_to_regmap(np); + if (IS_ERR(grf)) { + pr_err("%s: could not get grf syscon\n", __func__); ++ of_node_put(np); + return PTR_ERR(grf); + } + +-- +2.51.0 + diff --git a/queue-6.19/tee-shm-remove-refcounting-of-kernel-pages.patch b/queue-6.19/tee-shm-remove-refcounting-of-kernel-pages.patch new file mode 100644 index 0000000000..d5954c1755 --- /dev/null +++ b/queue-6.19/tee-shm-remove-refcounting-of-kernel-pages.patch 
@@ -0,0 +1,93 @@ +From b590a0d5e3eabab1b0eb08a63d3632cb6d7b40cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Feb 2026 14:19:59 +0530 +Subject: tee: shm: Remove refcounting of kernel pages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Wilcox + +[ Upstream commit 08d9a4580f71120be3c5b221af32dca00a48ceb0 ] + +Earlier TEE subsystem assumed to refcount all the memory pages to be +shared with TEE implementation to be refcounted. However, the slab +allocations within the kernel don't allow refcounting kernel pages. + +It is rather better to trust the kernel clients to not free pages while +being shared with TEE implementation. Hence, remove refcounting of kernel +pages from register_shm_helper() API. + +Fixes: b9c0e49abfca ("mm: decline to manipulate the refcount on a slab page") +Reported-by: Marco Felsch +Reported-by: Sven Püschel +Signed-off-by: Matthew Wilcox +Co-developed-by: Sumit Garg +Signed-off-by: Sumit Garg +Tested-by: Sven Püschel +Signed-off-by: Jens Wiklander +Signed-off-by: Sasha Levin +--- + drivers/tee/tee_shm.c | 27 --------------------------- + 1 file changed, 27 deletions(-) + +diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c +index 4a47de4bb2e5c..898707ca21a8e 100644 +--- a/drivers/tee/tee_shm.c ++++ b/drivers/tee/tee_shm.c +@@ -23,29 +23,11 @@ struct tee_shm_dma_mem { + struct page *page; + }; + +-static void shm_put_kernel_pages(struct page **pages, size_t page_count) +-{ +- size_t n; +- +- for (n = 0; n < page_count; n++) +- put_page(pages[n]); +-} +- +-static void shm_get_kernel_pages(struct page **pages, size_t page_count) +-{ +- size_t n; +- +- for (n = 0; n < page_count; n++) +- get_page(pages[n]); +-} +- + static void release_registered_pages(struct tee_shm *shm) + { + if (shm->pages) { + if (shm->flags & TEE_SHM_USER_MAPPED) + unpin_user_pages(shm->pages, shm->num_pages); +- else +- shm_put_kernel_pages(shm->pages, shm->num_pages); + + kfree(shm->pages); + 
} +@@ -477,13 +459,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, + goto err_put_shm_pages; + } + +- /* +- * iov_iter_extract_kvec_pages does not get reference on the pages, +- * get a reference on them. +- */ +- if (iov_iter_is_kvec(iter)) +- shm_get_kernel_pages(shm->pages, num_pages); +- + shm->offset = off; + shm->size = len; + shm->num_pages = num_pages; +@@ -499,8 +474,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, + err_put_shm_pages: + if (!iov_iter_is_kvec(iter)) + unpin_user_pages(shm->pages, shm->num_pages); +- else +- shm_put_kernel_pages(shm->pages, shm->num_pages); + err_free_shm_pages: + kfree(shm->pages); + err_free_shm: +-- +2.51.0 + diff --git a/queue-6.19/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch b/queue-6.19/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch new file mode 100644 index 0000000000..67e94b5f5d --- /dev/null +++ b/queue-6.19/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch 
@@ -0,0 +1,64 @@ +From 3ff2d9e6a417df29764a7bba03b3889559dae1a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 18:02:41 -0700 +Subject: udp_tunnel: fix NULL deref caused by udp_sock_create6 when + CONFIG_IPV6=n + +From: Xiang Mei + +[ Upstream commit b3a6df291fecf5f8a308953b65ca72b7fc9e015d ] + +When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 +(success) without actually creating a socket. Callers such as +fou_create() then proceed to dereference the uninitialized socket +pointer, resulting in a NULL pointer dereference. + +The captured NULL deref crash: + BUG: kernel NULL pointer dereference, address: 0000000000000018 + RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764) + [...] + Call Trace: + + genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114) + genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209) + [...] + netlink_rcv_skb (net/netlink/af_netlink.c:2550) + genl_rcv (net/netlink/genetlink.c:1219) + netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) + netlink_sendmsg (net/netlink/af_netlink.c:1894) + __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1)) + __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1)) + __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1)) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) + entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130) + +This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so +callers correctly take their error paths. There is only one caller of +the vulnerable function and only privileged users can trigger it. 
+ +Fixes: fd384412e199b ("udp_tunnel: Seperate ipv6 functions into its own file.") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260317010241.1893893-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/udp_tunnel.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h +index 9acef2fbd2fdc..d97ee26ba4f66 100644 +--- a/include/net/udp_tunnel.h ++++ b/include/net/udp_tunnel.h +@@ -47,7 +47,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, + static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, + struct socket **sockp) + { +- return 0; ++ return -EPFNOSUPPORT; + } + #endif + +-- +2.51.0 + diff --git a/queue-6.19/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch b/queue-6.19/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch new file mode 100644 index 0000000000..bb8836d292 --- /dev/null +++ b/queue-6.19/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch 
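Review bot: The CONFIG_IPV6=n stub of udp_sock_create6() now reports an error but still leaves `*sockp` untouched, so a caller that inspects the socket pointer before (or instead of) the return value still sees whatever was in its uninitialized variable. Setting `*sockp = NULL;` before `return -EPFNOSUPPORT;` costs one line and makes the stub safe for both checking styles. The commit message notes there is only one caller and that it is reachable only by privileged users, so this is defensive hardening rather than part of the reported crash fix.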
@@ -0,0 +1,51 @@ +From c10b06e64cfdb9fc2ecc5a49e7c1f33a7c91bf2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 21:36:59 +0530 +Subject: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down + +From: Peddolla Harshavardhan Reddy + +[ Upstream commit 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 ] + +When the nl80211 socket that originated a PMSR request is +closed, cfg80211_release_pmsr() sets the request's nl_portid +to zero and schedules pmsr_free_wk to process the abort +asynchronously. If the interface is concurrently torn down +before that work runs, cfg80211_pmsr_wdev_down() calls +cfg80211_pmsr_process_abort() directly. However, the already- +scheduled pmsr_free_wk work item remains pending and may run +after the interface has been removed from the driver. This +could cause the driver's abort_pmsr callback to operate on a +torn-down interface, leading to undefined behavior and +potential crashes. + +Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down() +before calling cfg80211_pmsr_process_abort(). This ensures any +pending or in-progress work is drained before interface teardown +proceeds, preventing the work from invoking the driver abort +callback after the interface is gone. + +Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API") +Signed-off-by: Peddolla Harshavardhan Reddy +Link: https://patch.msgid.link/20260305160712.1263829-3-peddolla.reddy@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/pmsr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c +index a117f5093ca29..13801cf35e9fc 100644 +--- a/net/wireless/pmsr.c ++++ b/net/wireless/pmsr.c +@@ -647,6 +647,7 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev) + } + spin_unlock_bh(&wdev->pmsr_lock); + ++ cancel_work_sync(&wdev->pmsr_free_wk); + if (found) + cfg80211_pmsr_process_abort(wdev); + +-- +2.51.0 + 
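Review bot: `cancel_work_sync(&wdev->pmsr_free_wk)` is placed after `spin_unlock_bh(&wdev->pmsr_lock)`, which is right since it may sleep, but it also blocks until a running cfg80211_pmsr_free_wk() completes; if that work function takes a lock (for example the wiphy mutex) that callers of cfg80211_pmsr_wdev_down() already hold, this would deadlock, and neither side is visible in the hunk, so it needs confirming against the work function and the callers. A one-line comment would record the intent and the constraint: `/* Drain the deferred abort scheduled by cfg80211_release_pmsr() before the interface is gone; must not be called under pmsr_lock */`. cfg80211_pmsr_wdev_down() begins outside the hunk.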
diff --git a/queue-6.19/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch b/queue-6.19/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch
new file mode 100644
index 0000000000..f493bb9065
--- /dev/null
+++ b/queue-6.19/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch
@@ -0,0 +1,120 @@ +From a4a302b6ec1437ea09cd8f3111d1064d06bd3354 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Mar 2026 06:54:55 +0000 +Subject: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure + +From: Felix Fietkau + +[ Upstream commit d5ad6ab61cbd89afdb60881f6274f74328af3ee9 ] + +ieee80211_tx_prepare_skb() has three error paths, but only two of them +free the skb. The first error path (ieee80211_tx_prepare() returning +TX_DROP) does not free it, while invoke_tx_handlers() failure and the +fragmentation check both do. + +Add kfree_skb() to the first error path so all three are consistent, +and remove the now-redundant frees in callers (ath9k, mt76, +mac80211_hwsim) to avoid double-free. + +Document the skb ownership guarantee in the function's kdoc. + +Signed-off-by: Felix Fietkau +Link: https://patch.msgid.link/20260314065455.2462900-1-nbd@nbd.name +Fixes: 06be6b149f7e ("mac80211: add ieee80211_tx_prepare_skb() helper function") +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/channel.c | 6 ++---- + drivers/net/wireless/mediatek/mt76/scan.c | 4 +--- + drivers/net/wireless/virtual/mac80211_hwsim.c | 1 - + include/net/mac80211.h | 4 +++- + net/mac80211/tx.c | 4 +++- + 5 files changed, 9 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/channel.c b/drivers/net/wireless/ath/ath9k/channel.c +index 121e51ce1bc0e..8b27d8cc086ab 100644 +--- a/drivers/net/wireless/ath/ath9k/channel.c ++++ b/drivers/net/wireless/ath/ath9k/channel.c +@@ -1006,7 +1006,7 @@ static void ath_scan_send_probe(struct ath_softc *sc, + skb_set_queue_mapping(skb, IEEE80211_AC_VO); + + if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, NULL)) +- goto error; ++ return; + + txctl.txq = sc->tx.txq_map[IEEE80211_AC_VO]; + if (ath_tx_start(sc->hw, skb, &txctl)) +@@ -1119,10 +1119,8 @@ ath_chanctx_send_vif_ps_frame(struct ath_softc *sc, struct ath_vif *avp, + + skb->priority = 7; + 
skb_set_queue_mapping(skb, IEEE80211_AC_VO); +- if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, &sta)) { +- dev_kfree_skb_any(skb); ++ if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, &sta)) + return false; +- } + break; + default: + return false; +diff --git a/drivers/net/wireless/mediatek/mt76/scan.c b/drivers/net/wireless/mediatek/mt76/scan.c +index ff9176cdee3de..63b0447e55c15 100644 +--- a/drivers/net/wireless/mediatek/mt76/scan.c ++++ b/drivers/net/wireless/mediatek/mt76/scan.c +@@ -63,10 +63,8 @@ mt76_scan_send_probe(struct mt76_dev *dev, struct cfg80211_ssid *ssid) + + rcu_read_lock(); + +- if (!ieee80211_tx_prepare_skb(phy->hw, vif, skb, band, NULL)) { +- ieee80211_free_txskb(phy->hw, skb); ++ if (!ieee80211_tx_prepare_skb(phy->hw, vif, skb, band, NULL)) + goto out; +- } + + info = IEEE80211_SKB_CB(skb); + if (req->no_cck) +diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c +index 79cc63272134d..cfbd0c50be1c9 100644 +--- a/drivers/net/wireless/virtual/mac80211_hwsim.c ++++ b/drivers/net/wireless/virtual/mac80211_hwsim.c +@@ -3021,7 +3021,6 @@ static void hw_scan_work(struct work_struct *work) + hwsim->tmp_chan->band, + NULL)) { + rcu_read_unlock(); +- kfree_skb(probe); + continue; + } + +diff --git a/include/net/mac80211.h b/include/net/mac80211.h +index c2e49542626c8..706f87c6d905a 100644 +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -7291,7 +7291,9 @@ void ieee80211_report_wowlan_wakeup(struct ieee80211_vif *vif, + * @band: the band to transmit on + * @sta: optional pointer to get the station to send the frame to + * +- * Return: %true if the skb was prepared, %false otherwise ++ * Return: %true if the skb was prepared, %false otherwise. ++ * On failure, the skb is freed by this function; callers must not ++ * free it again. 
+ * 
+ * Note: must be called under RCU lock
+ */
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 1b55e83404135..0692fbb6c489e 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1898,8 +1898,10 @@ bool ieee80211_tx_prepare_skb(struct ieee80211_hw *hw,
+ struct ieee80211_tx_data tx;
+ struct sk_buff *skb2;
+ 
+- if (ieee80211_tx_prepare(sdata, &tx, NULL, skb) == TX_DROP)
++ if (ieee80211_tx_prepare(sdata, &tx, NULL, skb) == TX_DROP) {
++ kfree_skb(skb);
+ return false;
++ }
+ 
+ info->band = band;
+ info->control.vif = vif;
+-- 
+2.51.0
+ 
diff --git a/queue-6.19/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch b/queue-6.19/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
new file mode 100644
index 0000000000..ce0bff7c28
--- /dev/null
+++ b/queue-6.19/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
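Review bot: The new early-exit in ieee80211_tx_prepare_skb() frees with plain `kfree_skb(skb)`, while the mt76 caller it replaces (removed line in mt76/scan.c) used ieee80211_free_txskb(), and if I recall correctly the other two error paths this change is meant to be consistent with also go through ieee80211_free_txskb(); frames dropped here therefore skip the tx-status reporting the other paths perform. `ieee80211_free_txskb(hw, skb);` would keep all three paths identical, and `hw` is already a parameter of the function. The ath9k change from `goto error` to `return` in ath_scan_send_probe() also skips whatever else the `error:` label does besides freeing the skb, which is outside the hunk and worth confirming. Since this is a backport, any caller of ieee80211_tx_prepare_skb() present in this stable tree but not among the three touched here would now double-free on failure, so the tree should be grepped for other callers.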
@@ -0,0 +1,81 @@ +From f3da6c3e7bbbf9dc195f57dc3e14b7952c202c33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 20:42:44 -0700 +Subject: wifi: mac80211: fix NULL deref in mesh_matches_local() + +From: Xiang Mei + +[ Upstream commit c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd ] + +mesh_matches_local() unconditionally dereferences ie->mesh_config to +compare mesh configuration parameters. When called from +mesh_rx_csa_frame(), the parsed action-frame elements may not contain a +Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a +kernel NULL pointer dereference. + +The other two callers are already safe: + - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before + calling mesh_matches_local() + - mesh_plink_get_event() is only reached through + mesh_process_plink_frame(), which checks !elems->mesh_config, too + +mesh_rx_csa_frame() is the only caller that passes raw parsed elements +to mesh_matches_local() without guarding mesh_config. An adjacent +attacker can exploit this by sending a crafted CSA action frame that +includes a valid Mesh ID IE but omits the Mesh Configuration IE, +crashing the kernel. + +The captured crash log: + +Oops: general protection fault, probably for non-canonical address ... +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +Workqueue: events_unbound cfg80211_wiphy_work +[...] +Call Trace: + + ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65) + ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686) + [...] + ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802) + [...] + cfg80211_wiphy_work (net/wireless/core.c:426) + process_one_work (net/kernel/workqueue.c:3280) + ? assign_work (net/kernel/workqueue.c:1219) + worker_thread (net/kernel/workqueue.c:3352) + ? __pfx_worker_thread (net/kernel/workqueue.c:3385) + kthread (net/kernel/kthread.c:436) + [...] 
+ ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
+ 
+ 
+This patch adds a NULL check for ie->mesh_config at the top of
+mesh_matches_local() to return false early when the Mesh Configuration
+IE is absent.
+ 
+Fixes: 2e3c8736820b ("mac80211: support functions for mesh")
+Reported-by: Weiming Shi
+Signed-off-by: Xiang Mei
+Link: https://patch.msgid.link/20260318034244.2595020-1-xmei5@asu.edu
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/mesh.c | 3 +++
+ 1 file changed, 3 insertions(+)
+ 
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index 129e814abe764..d7f691325746c 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -79,6 +79,9 @@ bool mesh_matches_local(struct ieee80211_sub_if_data *sdata,
+ * - MDA enabled
+ * - Power management control on fc
+ */
++ if (!ie->mesh_config)
++ return false;
++
+ if (!(ifmsh->mesh_id_len == ie->mesh_id_len &&
+ memcmp(ifmsh->mesh_id, ie->mesh_id, ie->mesh_id_len) == 0 &&
+ (ifmsh->mesh_pp_id == ie->mesh_config->meshconf_psel) &&
+-- 
+2.51.0
+ 
diff --git a/queue-6.19/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch b/queue-6.19/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch
new file mode 100644
index 0000000000..a345e77f37
--- /dev/null
+++ b/queue-6.19/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch
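Review bot: The added guard is the one line of mesh_matches_local() not covered by the comment block directly above it, which only lists the parameters being compared; I would precede `if (!ie->mesh_config)` with `/* Mesh Configuration is mandatory for every comparison below; a CSA action frame may carry a Mesh ID without it, so treat that as a mismatch */`. The Mesh ID pointer is still unchecked: when that element is absent `ie->mesh_id_len` is presumably 0 and `memcmp(…, ie->mesh_id, 0)` is only reached if the local mesh_id_len is also 0, so it is harmless in practice, but it could be folded into the same guard as `if (!ie->mesh_config || !ie->mesh_id) return false;` at no cost. The function continues outside the hunk.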
@@ -0,0 +1,112 @@ +From 50868a0718205baa520f63585f387686cfc28245 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 07:24:02 +0000 +Subject: wifi: mac80211: Fix static_branch_dec() underflow for aql_disable. + +From: Kuniyuki Iwashima + +[ Upstream commit b94ae8e0d5fe1bdbbfdc3854ff6ce98f6876a828 ] + +syzbot reported static_branch_dec() underflow in aql_enable_write(). [0] + +The problem is that aql_enable_write() does not serialise concurrent +write()s to the debugfs. + +aql_enable_write() checks static_key_false(&aql_disable.key) and +later calls static_branch_inc() or static_branch_dec(), but the +state may change between the two calls. + +aql_disable does not need to track inc/dec. + +Let's use static_branch_enable() and static_branch_disable(). + +[0]: +val == 0 +WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288 +Modules linked in: +CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G U L syzkaller #0 PREEMPT(full) +Tainted: [U]=USER, [L]=SOFTLOCKUP +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 +RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311 +Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00 +RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4 +RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000 +RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a +R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98 +FS: 00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000200000001140 CR3: 
000000007cc4a000 CR4: 00000000003526f0 +Call Trace: + + __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline] + __static_key_slow_dec kernel/jump_label.c:321 [inline] + static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336 + aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343 + short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383 + vfs_write+0x2aa/0x1070 fs/read_write.c:684 + ksys_pwrite64 fs/read_write.c:793 [inline] + __do_sys_pwrite64 fs/read_write.c:801 [inline] + __se_sys_pwrite64 fs/read_write.c:798 [inline] + __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f530cf9aeb9 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012 +RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9 +RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010 +RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000 +R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978 + + +Fixes: e908435e402a ("mac80211: introduce aql_enable node in debugfs") +Reported-by: syzbot+feb9ce36a95341bb47a4@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/69a8979e.a70a0220.b118c.0025.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260306072405.3649474-1-kuniyu@google.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/debugfs.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c +index d02f07368c511..687a66cd49433 100644 +--- 
a/net/mac80211/debugfs.c
++++ b/net/mac80211/debugfs.c
+@@ -320,7 +320,6 @@ static ssize_t aql_enable_read(struct file *file, char __user *user_buf,
+ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf,
+ size_t count, loff_t *ppos)
+ {
+- bool aql_disabled = static_key_false(&aql_disable.key);
+ char buf[3];
+ size_t len;
+ 
+@@ -335,15 +334,12 @@ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf,
+ if (len > 0 && buf[len - 1] == '\n')
+ buf[len - 1] = 0;
+ 
+- if (buf[0] == '0' && buf[1] == '\0') {
+- if (!aql_disabled)
+- static_branch_inc(&aql_disable);
+- } else if (buf[0] == '1' && buf[1] == '\0') {
+- if (aql_disabled)
+- static_branch_dec(&aql_disable);
+- } else {
++ if (buf[0] == '0' && buf[1] == '\0')
++ static_branch_enable(&aql_disable);
++ else if (buf[0] == '1' && buf[1] == '\0')
++ static_branch_disable(&aql_disable);
++ else
+ return -EINVAL;
+- }
+ 
+ return count;
+ }
+-- 
+2.51.0
+ 
diff --git a/queue-6.19/wifi-mac80211-remove-keys-after-disabling-beaconing.patch b/queue-6.19/wifi-mac80211-remove-keys-after-disabling-beaconing.patch
new file mode 100644
index 0000000000..b1fb7b9247
--- /dev/null
+++ b/queue-6.19/wifi-mac80211-remove-keys-after-disabling-beaconing.patch
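Review bot: The mapping in aql_enable_write() is inverted relative to the file's name — writing `0` calls `static_branch_enable(&aql_disable)` and `1` calls `static_branch_disable()` — and nothing in the function says so; a comment before the `if`, such as `/* "0" disables AQL (sets aql_disable), "1" re-enables it; enable/disable are idempotent so racing writers are safe */`, would save the next reader a double take. The idempotence is the actual fix, since it removes the read-then-inc/dec window the deleted `aql_disabled` local created, and that rationale currently lives only in the commit message. The declarations in the first hunk belong to a function whose body continues between the two hunks.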
@@ -0,0 +1,56 @@
+From 3366fe80b2801399f1efa44ebaf5339e8765de64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 3 Mar 2026 15:03:39 +0100
+Subject: wifi: mac80211: remove keys after disabling beaconing
+ 
+From: Johannes Berg
+ 
+[ Upstream commit 708bbb45537780a8d3721ca1e0cf1932c1d1bf5f ]
+ 
+We shouldn't remove keys before disable beaconing, at least when
+beacon protection is used, since that would remove keys that are
+still used for beacon transmission at the same time. Stop before
+removing keys so there's no race.
+ 
+Fixes: af2d14b01c32 ("mac80211: Beacon protection using the new BIGTK (STA)")
+Reviewed-by: Miriam Rachel Korenblit
+Link: https://patch.msgid.link/20260303150339.574e7887b3ab.I50d708f5aa22584506a91d0da7f8a73ba39fceac@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/cfg.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+ 
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index c81091a5cc3a3..e480b48e8365d 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1889,12 +1889,6 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev,
+ 
+ __sta_info_flush(sdata, true, link_id, NULL);
+ 
+- ieee80211_remove_link_keys(link, &keys);
+- if (!list_empty(&keys)) {
+- synchronize_net();
+- ieee80211_free_key_list(local, &keys);
+- }
+-
+ ieee80211_stop_mbssid(sdata);
+ RCU_INIT_POINTER(link_conf->tx_bss_conf, NULL);
+ 
+@@ -1906,6 +1900,12 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev,
+ ieee80211_link_info_change_notify(sdata, link,
+ BSS_CHANGED_BEACON_ENABLED);
+ 
++ ieee80211_remove_link_keys(link, &keys);
++ if (!list_empty(&keys)) {
++ synchronize_net();
++ ieee80211_free_key_list(local, &keys);
++ }
++
+ if (sdata->wdev.links[link_id].cac_started) {
+ chandef = link_conf->chanreq.oper;
+ wiphy_delayed_work_cancel(wiphy, &link->dfs_cac_timer_work);
+-- 
+2.51.0
+ 
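Review bot: The relocated key removal has no comment tying it to the BSS_CHANGED_BEACON_ENABLED notification it now follows, so a later cleanup could move it back ahead of ieee80211_stop_mbssid() without noticing the ordering constraint; I would add `/* only after beaconing has been stopped: with beacon protection the BIGTK is still used for beacon TX until then */` above `ieee80211_remove_link_keys(link, &keys);`. The `synchronize_net()` before ieee80211_free_key_list() is what lets in-flight readers drain, so it must stay inside the moved block as it is. The `keys` list head and the `link`/`local` pointers are declared outside the hunk, and ieee80211_stop_ap() continues beyond it.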
diff --git a/queue-6.19/wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch b/queue-6.19/wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch new file mode 100644 index 0000000000..47678a61bc --- /dev/null +++ b/queue-6.19/wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch 
@@ -0,0 +1,54 @@ +From edd7d4cff46dd5118795631ddf8b4a4594ea5dc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2026 17:06:39 +0100 +Subject: wifi: mac80211: use jiffies_delta_to_msecs() for sta_info inactive + times + +From: Nicolas Cavallari + +[ Upstream commit ac6f24cc9c0a9aefa55ec9696dcafa971d4d760b ] + +Inactive times of around 0xffffffff milliseconds have been observed on +an ath9k device on ARM. This is likely due to a memory ordering race in +the jiffies_to_msecs(jiffies - last_active()) calculation causing an +overflow when the observed jiffies is below ieee80211_sta_last_active(). + +Use jiffies_delta_to_msecs() instead to avoid this problem. + +Fixes: 7bbdd2d98797 ("mac80211: implement station stats retrieval") +Signed-off-by: Nicolas Cavallari +Link: https://patch.msgid.link/20260303161701.31808-1-nicolas.cavallari@green-communications.fr +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 1a995bc301b19..b0d9bb830f293 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -2759,7 +2759,9 @@ static void sta_set_link_sinfo(struct sta_info *sta, + } + + link_sinfo->inactive_time = +- jiffies_to_msecs(jiffies - ieee80211_sta_last_active(sta, link_id)); ++ jiffies_delta_to_msecs(jiffies - ++ ieee80211_sta_last_active(sta, ++ link_id)); + + if (!(link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES64) | + BIT_ULL(NL80211_STA_INFO_TX_BYTES)))) { +@@ -2992,7 +2994,8 @@ void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo, + sinfo->connected_time = ktime_get_seconds() - sta->last_connected; + sinfo->assoc_at = sta->assoc_at; + sinfo->inactive_time = +- jiffies_to_msecs(jiffies - ieee80211_sta_last_active(sta, -1)); ++ jiffies_delta_to_msecs(jiffies - ++ ieee80211_sta_last_active(sta, -1)); + + if (!(sinfo->filled & 
(BIT_ULL(NL80211_STA_INFO_TX_BYTES64) |
+ BIT_ULL(NL80211_STA_INFO_TX_BYTES)))) {
+-- 
+2.51.0
+ 
diff --git a/queue-6.19/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch b/queue-6.19/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
new file mode 100644
index 0000000000..c0b9dba30f
--- /dev/null
+++ b/queue-6.19/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
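Review bot: jiffies_delta_to_msecs() clamps a negative delta to zero (if I recall the helper correctly), so the two changed sites now hide a stale read of ieee80211_sta_last_active() rather than order it, and nothing at either site says so; a short comment above the first assignment, `/* jiffies may be observed behind last_active; clamp rather than wrap to ~49 days */`, would record that. The three-line wrapped call in sta_set_link_sinfo() would also read better with a local: `unsigned long last = ieee80211_sta_last_active(sta, link_id);` followed by `link_sinfo->inactive_time = jiffies_delta_to_msecs(jiffies - last);`. Both enclosing functions extend beyond their hunks.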
@@ -0,0 +1,54 @@ +From 5bba9b1cb4ed5a7aa48cd0d6afaca82292767d05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 23:46:36 -0700 +Subject: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not + enough headroom + +From: Guenter Roeck + +[ Upstream commit deb353d9bb009638b7762cae2d0b6e8fdbb41a69 ] + +Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom +before skb_push"), wl1271_tx_allocate() and with it +wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails. +However, in wlcore_tx_work_locked(), a return value of -EAGAIN from +wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being +full. This causes the code to flush the buffer, put the skb back at the +head of the queue, and immediately retry the same skb in a tight while +loop. + +Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens +immediately with GFP_ATOMIC, this will result in an infinite loop and a +CPU soft lockup. Return -ENOMEM instead so the packet is dropped and +the loop terminates. + +The problem was found by an experimental code review agent based on +gemini-3.1-pro while reviewing backports into v6.18.y. 
+ 
+Assisted-by: Gemini:gemini-3.1-pro
+Fixes: e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push")
+Cc: Peter Astrand
+Signed-off-by: Guenter Roeck
+Link: https://patch.msgid.link/20260318064636.3065925-1-linux@roeck-us.net
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ti/wlcore/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+ 
+diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c
+index 6241866d39df6..75cfbcfb7626d 100644
+--- a/drivers/net/wireless/ti/wlcore/tx.c
++++ b/drivers/net/wireless/ti/wlcore/tx.c
+@@ -210,7 +210,7 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif,
+ if (skb_headroom(skb) < (total_len - skb->len) &&
+ pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) {
+ wl1271_free_tx_id(wl, id);
+- return -EAGAIN;
++ return -ENOMEM;
+ }
+ desc = skb_push(skb, total_len - skb->len);
+ 
+-- 
+2.51.0
+ 
diff --git a/queue-6.6/acpi-processor-fix-previous-acpi_processor_errata_pi.patch b/queue-6.6/acpi-processor-fix-previous-acpi_processor_errata_pi.patch
new file mode 100644
index 0000000000..c3873f8612
--- /dev/null
+++ b/queue-6.6/acpi-processor-fix-previous-acpi_processor_errata_pi.patch
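Review bot: The reason `-ENOMEM` rather than `-EAGAIN` matters lives entirely in the caller, so the changed `return -ENOMEM;` deserves a comment at the site: `/* not -EAGAIN: wlcore_tx_work_locked() treats that as "aggregation buffer full" and retries the same skb forever */`. That `-ENOMEM` actually makes wlcore_tx_work_locked() drop the skb instead of requeueing it is asserted only by the commit message; the caller is outside the hunk and, since this is a backport, its error handling in this tree should be checked rather than assumed. wl1271_tx_allocate() continues outside the hunk.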
@@ -0,0 +1,74 @@ +From 5d3af2ab1c0940a5566628190b2f6e15f8ead2d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 21:39:05 +0100 +Subject: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix + +From: Rafael J. Wysocki + +[ Upstream commit bf504b229cb8d534eccbaeaa23eba34c05131e25 ] + +After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference +in acpi_processor_errata_piix4()"), device pointers may be dereferenced +after dropping references to the device objects pointed to by them, +which may cause a use-after-free to occur. + +Moreover, debug messages about enabling the errata may be printed +if the errata flags corresponding to them are unset. + +Address all of these issues by moving message printing to the points +in the code where the errata flags are set. + +Fixes: f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()") +Reported-by: Guenter Roeck +Closes: https://lore.kernel.org/linux-acpi/938e2206-def5-4b7a-9b2c-d1fd37681d8a@roeck-us.net/ +Reviewed-by: Guenter Roeck +Signed-off-by: Rafael J. 
Wysocki +Link: https://patch.msgid.link/5975693.DvuYhMxLoT@rafael.j.wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_processor.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c +index 5e409f86f0709..55f0ea3535055 100644 +--- a/drivers/acpi/acpi_processor.c ++++ b/drivers/acpi/acpi_processor.c +@@ -102,6 +102,10 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev) + PCI_ANY_ID, PCI_ANY_ID, NULL); + if (ide_dev) { + errata.piix4.bmisx = pci_resource_start(ide_dev, 4); ++ if (errata.piix4.bmisx) ++ dev_dbg(&ide_dev->dev, ++ "Bus master activity detection (BM-IDE) erratum enabled\n"); ++ + pci_dev_put(ide_dev); + } + +@@ -120,20 +124,17 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev) + if (isa_dev) { + pci_read_config_byte(isa_dev, 0x76, &value1); + pci_read_config_byte(isa_dev, 0x77, &value2); +- if ((value1 & 0x80) || (value2 & 0x80)) ++ if ((value1 & 0x80) || (value2 & 0x80)) { + errata.piix4.fdma = 1; ++ dev_dbg(&isa_dev->dev, ++ "Type-F DMA livelock erratum (C3 disabled)\n"); ++ } + pci_dev_put(isa_dev); + } + + break; + } + +- if (ide_dev) +- dev_dbg(&ide_dev->dev, "Bus master activity detection (BM-IDE) erratum enabled\n"); +- +- if (isa_dev) +- dev_dbg(&isa_dev->dev, "Type-F DMA livelock erratum (C3 disabled)\n"); +- + return 0; + } + +-- +2.51.0 + diff --git a/queue-6.6/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch b/queue-6.6/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch new file mode 100644 index 0000000000..09657ae64d --- /dev/null +++ b/queue-6.6/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch 
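Review bot: The new `if` block around `errata.piix4.fdma = 1` still consumes `value1`/`value2` from two pci_read_config_byte() calls whose return values are ignored, so on a failed read the branch is taken on whatever the variables held before (their initialisation is outside the hunk); checking the two return values, or at least initialising both to 0, would make the errata decision deterministic. Moving the dev_dbg() calls ahead of pci_dev_put() is the right fix for the use-after-put, but `ide_dev` and `isa_dev` stay in scope after the put, so the remainder of acpi_processor_errata_piix4() after the `break` (outside the hunk) should be checked for any other dereference. The function starts before and ends after the visible hunks.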
@@ -0,0 +1,52 @@ +From f38b1ee87a1bb0255f84717aa823ef3bdd554941 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 14:50:52 +0100 +Subject: Bluetooth: hci_sync: Fix hci_le_create_conn_sync + +From: Michael Grzeschik + +[ Upstream commit 2cabe7ff1001b7a197009cf50ba71701f9cbd354 ] + +While introducing hci_le_create_conn_sync the functionality +of hci_connect_le was ported to hci_le_create_conn_sync including +the disable of the scan before starting the connection. + +When this code was run non synchronously the immediate call that was +setting the flag HCI_LE_SCAN_INTERRUPTED had an impact. Since the +completion handler for the LE_SCAN_DISABLE was not immediately called. +In the completion handler of the LE_SCAN_DISABLE event, this flag is +checked to set the state of the hdev to DISCOVERY_STOPPED. + +With the synchronised approach the later setting of the +HCI_LE_SCAN_INTERRUPTED flag has not the same effect. The completion +handler would immediately fire in the LE_SCAN_DISABLE call, check for +the flag, which is then not yet set and do nothing. + +To fix this issue and make the function call work as before, we move the +setting of the flag HCI_LE_SCAN_INTERRUPTED before disabling the scan. + +Fixes: 8e8b92ee60de ("Bluetooth: hci_sync: Add hci_le_create_conn_sync") +Signed-off-by: Michael Grzeschik +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 6a14f76071077..6192f70e4d393 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -6555,8 +6555,8 @@ static int hci_le_create_conn_sync(struct hci_dev *hdev, void *data) + * state. 
+ */
+ if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {
+- hci_scan_disable_sync(hdev);
+ hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
++ hci_scan_disable_sync(hdev);
+ }
+ 
+ /* Update random address, but set require_privacy to false so
+-- 
+2.51.0
+ 
diff --git a/queue-6.6/bluetooth-hidp-fix-possible-uaf.patch b/queue-6.6/bluetooth-hidp-fix-possible-uaf.patch
new file mode 100644
index 0000000000..587286ca4f
--- /dev/null
+++ b/queue-6.6/bluetooth-hidp-fix-possible-uaf.patch
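Review bot: With HCI_LE_SCAN_INTERRUPTED now set before the disable, a failing hci_scan_disable_sync() leaves the flag set while the scan is still running, and its return value is discarded as it was before; if a leftover flag would misreport discovery state, `if (hci_scan_disable_sync(hdev)) hci_dev_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED);` would keep the two consistent. The comment block ending just above the `if` (outside the hunk) should also say that the flag must be set first because the disable completes synchronously and its completion handler reads the flag, otherwise the next reader will "fix" the order back. hci_le_create_conn_sync() continues outside the hunk.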
@@ -0,0 +1,237 @@ +From 1a6d446fd3da37f176f8dcc0f554cfd3c3549661 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 10:17:47 -0500 +Subject: Bluetooth: HIDP: Fix possible UAF + +From: Luiz Augusto von Dentz + +[ Upstream commit dbf666e4fc9bdd975a61bf682b3f75cb0145eedd ] + +This fixes the following trace caused by not dropping l2cap_conn +reference when user->remove callback is called: + +[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00 +[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 97.809947] Call Trace: +[ 97.809954] +[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122) +[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808) +[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798) +[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1)) +[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341) +[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2)) +[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360) +[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285) +[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5)) +[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810290] ? 
rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752) +[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716) +[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691) +[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678) +[ 97.810404] __fput (fs/file_table.c:470) +[ 97.810430] task_work_run (kernel/task_work.c:235) +[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201) +[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5)) +[ 97.810527] do_exit (kernel/exit.c:972) +[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897) +[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6)) +[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4)) +[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 97.810721] do_group_exit (kernel/exit.c:1093) +[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1)) +[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366) +[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810826] ? vfs_read (fs/read_write.c:555) +[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800) +[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810905] ? 
__pfx_vfs_read (fs/read_write.c:555) +[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.810960] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1)) +[ 97.810990] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334) +[ 97.811021] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811055] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811078] ? ksys_read (fs/read_write.c:707) +[ 97.811106] ? __pfx_ksys_read (fs/read_write.c:707) +[ 97.811137] exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98) +[ 97.811169] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752) +[ 97.811192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811215] ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33)) +[ 97.811240] do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100) +[ 97.811268] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 97.811292] ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3)) +[ 97.811318] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +[ 97.811338] RIP: 0033:0x445cfe +[ 97.811352] Code: Unable to access opcode bytes at 0x445cd4. 
+ +Code starting with the faulting instruction +=========================================== +[ 97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 +[ 97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe +[ 97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004 +[ 97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000 +[ 97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8 +[ 97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0 +[ 97.811453] +[ 98.402453] ================================================================== +[ 98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430 +[ 98.405361] +[ 98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 98.405600] Call Trace: +[ 98.405607] +[ 98.405614] dump_stack_lvl (lib/dump_stack.c:122) +[ 98.405641] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) +[ 98.405667] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.405691] ? __virt_addr_valid (arch/x86/mm/physaddr.c:55) +[ 98.405724] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405748] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597) +[ 98.405778] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405807] __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776) +[ 98.405832] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4)) +[ 98.405859] ? 
l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.405888] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114) +[ 98.405915] ? __pfx___mutex_lock (kernel/locking/mutex.c:775) +[ 98.405939] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.405963] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6)) +[ 98.405984] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.406015] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406038] ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875) +[ 98.406061] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406085] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194) +[ 98.406107] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406130] ? __timer_delete_sync (kernel/time/timer.c:1592) +[ 98.406158] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.406186] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406210] l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2)) +[ 98.406263] hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305) +[ 98.406293] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.406323] ? kthread (kernel/kthread.c:433) +[ 98.406340] ? 
__pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.406370] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406393] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.406424] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.406453] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406476] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1)) +[ 98.406499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406523] ? kthread (kernel/kthread.c:433) +[ 98.406539] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406565] ? kthread (kernel/kthread.c:433) +[ 98.406581] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.406610] kthread (kernel/kthread.c:467) +[ 98.406627] ? __pfx_kthread (kernel/kthread.c:412) +[ 98.406645] ret_from_fork (arch/x86/kernel/process.c:164) +[ 98.406674] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153) +[ 98.406704] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.406728] ? 
__pfx_kthread (kernel/kthread.c:412) +[ 98.406747] ret_from_fork_asm (arch/x86/entry/entry_64.S:258) +[ 98.406774] +[ 98.406780] +[ 98.433693] The buggy address belongs to the physical page: +[ 98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4 +[ 98.435557] flags: 0x200000000000000(node=0|zone=2) +[ 98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000 +[ 98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000 +[ 98.438115] page dumped because: kasan: bad access detected +[ 98.438951] +[ 98.439211] Memory state around the buggy address: +[ 98.439871] ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 98.440714] ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.442458] ^ +[ 98.443011] ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.443889] ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 98.444768] ================================================================== +[ 98.445719] Disabling lock debugging due to kernel taint +[ 98.448074] l2cap_conn_free: freeing conn ffff88810c22b400 +[ 98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G B 7.0.0-rc1-dirty #14 PREEMPT(lazy) +[ 98.450040] Tainted: [B]=BAD_PAGE +[ 98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 +[ 98.450059] Call Trace: +[ 98.450065] +[ 98.450071] dump_stack_lvl (lib/dump_stack.c:122) +[ 98.450099] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808) +[ 98.450125] l2cap_conn_put (net/bluetooth/l2cap_core.c:1822) +[ 98.450154] session_free (net/bluetooth/hidp/core.c:990) +[ 98.450181] hidp_session_thread (net/bluetooth/hidp/core.c:1307) +[ 98.450213] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.450271] ? 
kthread (kernel/kthread.c:433) +[ 98.450293] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.450339] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450368] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) +[ 98.450406] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251) +[ 98.450442] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450471] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1)) +[ 98.450499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450528] ? kthread (kernel/kthread.c:433) +[ 98.450547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450578] ? kthread (kernel/kthread.c:433) +[ 98.450598] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264) +[ 98.450637] kthread (kernel/kthread.c:467) +[ 98.450657] ? __pfx_kthread (kernel/kthread.c:412) +[ 98.450680] ret_from_fork (arch/x86/kernel/process.c:164) +[ 98.450715] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153) +[ 98.450752] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 98.450782] ? 
__pfx_kthread (kernel/kthread.c:412) +[ 98.450804] ret_from_fork_asm (arch/x86/entry/entry_64.S:258) +[ 98.450836] + +Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers") +Reported-by: soufiane el hachmi +Tested-by: soufiane el hachmi +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hidp/core.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c +index 707f229f896a1..40a6f1e20babc 100644 +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -986,7 +986,8 @@ static void session_free(struct kref *ref) + skb_queue_purge(&session->intr_transmit); + fput(session->intr_sock->file); + fput(session->ctrl_sock->file); +- l2cap_conn_put(session->conn); ++ if (session->conn) ++ l2cap_conn_put(session->conn); + kfree(session); + } + +@@ -1164,6 +1165,15 @@ static void hidp_session_remove(struct l2cap_conn *conn, + + down_write(&hidp_session_sem); + ++ /* Drop L2CAP reference immediately to indicate that ++ * l2cap_unregister_user() shall not be called as it is already ++ * considered removed. ++ */ ++ if (session->conn) { ++ l2cap_conn_put(session->conn); ++ session->conn = NULL; ++ } ++ + hidp_session_terminate(session); + + cancel_work_sync(&session->dev_init); +@@ -1301,7 +1311,9 @@ static int hidp_session_thread(void *arg) + * Instead, this call has the same semantics as if user-space tried to + * delete the session. + */ +- l2cap_unregister_user(session->conn, &session->user); ++ if (session->conn) ++ l2cap_unregister_user(session->conn, &session->user); ++ + hidp_session_put(session); + + module_put_and_kthread_exit(0); +-- +2.51.0 + diff --git a/queue-6.6/bluetooth-iso-fix-defer-tests-being-unstable.patch b/queue-6.6/bluetooth-iso-fix-defer-tests-being-unstable.patch new file mode 100644 index 0000000000..b1c062005c --- /dev/null +++ b/queue-6.6/bluetooth-iso-fix-defer-tests-being-unstable.patch 
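Review bot: The new `if (session->conn)` test in hidp_session_thread reads a field that hidp_session_remove now clears under `hidp_session_sem`, but nothing in the hunk shows the thread holding that semaphore at this point; if it does not, the test and the following `l2cap_unregister_user(session->conn, &session->user);` can race with the clear and still hand over a conn whose reference was just dropped. Either wrap the test-and-call in `down_read(&hidp_session_sem);` / `up_read(&hidp_session_sem);`, or add a comment stating the ordering that makes the race impossible. A one-line comment at the `session->conn = NULL;` in hidp_session_remove noting that both session_free and hidp_session_thread key off this NULL would also help the next reader. All three enclosing functions start and end outside the hunk.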
@@ -0,0 +1,49 @@ +From 66e1e6ac63fed60fbe2975c7c903629e07da63d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Feb 2026 15:23:01 -0500 +Subject: Bluetooth: ISO: Fix defer tests being unstable + +From: Luiz Augusto von Dentz + +[ Upstream commit 62bcaa6b351b6dc400f6c6b83762001fd9f5c12d ] + +iso-tester defer tests seem to fail with hci_conn_hash_lookup_cig +being unable to resolve a cig in set_cig_params_sync due a race +where it is run immediatelly before hci_bind_cis is able to set +the QoS settings into the hci_conn object. + +So this moves the assigning of the QoS settings to be done directly +by hci_le_set_cig_params to prevent that from happening again. + +Fixes: 26afbd826ee3 ("Bluetooth: Add initial implementation of CIS connections") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_conn.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index 30feeaf7e6424..97e48c1f69aff 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -1837,6 +1837,8 @@ static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos) + return false; + + done: ++ conn->iso_qos = *qos; ++ + if (hci_cmd_sync_queue(hdev, set_cig_params_sync, + UINT_PTR(qos->ucast.cig), NULL) < 0) + return false; +@@ -1903,8 +1905,6 @@ struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst, + } + + hci_conn_hold(cis); +- +- cis->iso_qos = *qos; + cis->state = BT_BOUND; + + return cis; +-- +2.51.0 + diff --git a/queue-6.6/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch b/queue-6.6/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch new file mode 100644 index 0000000000..fb454caa9f --- /dev/null +++ b/queue-6.6/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch 
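Review bot: `conn->iso_qos = *qos;` at the `done:` label now runs before `hci_cmd_sync_queue()` can fail, so a conn whose bind is about to return false keeps the QoS of the failed attempt, whereas the removed line in hci_bind_cis only assigned after success. Since the assignment has to precede the queue call for set_cig_params_sync to see it, the least that should happen is a comment there, e.g. `/* Store QoS before queueing so set_cig_params_sync can resolve the CIG */`, and a decision on whether the `< 0` path should restore the previous iso_qos. Both enclosing functions continue outside the hunk.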
@@ -0,0 +1,90 @@ +From 6edbf1c4030bc1c12e81b38e49df0490d48f53af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Nov 2025 23:50:16 +0530 +Subject: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user + +From: Shaurya Rane + +[ Upstream commit 752a6c9596dd25efd6978a73ff21f3b592668f4a ] + +After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in +hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to +conn->users. However, l2cap_register_user() and l2cap_unregister_user() +don't use conn->lock, creating a race condition where these functions can +access conn->users and conn->hchan concurrently with l2cap_conn_del(). + +This can lead to use-after-free and list corruption bugs, as reported +by syzbot. + +Fix this by changing l2cap_register_user() and l2cap_unregister_user() +to use conn->lock instead of hci_dev_lock(), ensuring consistent locking +for the l2cap_conn structure. + +Reported-by: syzbot+14b6d57fb728e27ce23c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=14b6d57fb728e27ce23c +Fixes: ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del") +Signed-off-by: Shaurya Rane +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 4ab738e651837..7f807e0b0992f 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -1686,17 +1686,15 @@ static void l2cap_info_timeout(struct work_struct *work) + + int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user) + { +- struct hci_dev *hdev = conn->hcon->hdev; + int ret; + + /* We need to check whether l2cap_conn is registered. If it is not, we +- * must not register the l2cap_user. l2cap_conn_del() is unregisters +- * l2cap_conn objects, but doesn't provide its own locking. 
Instead, it +- * relies on the parent hci_conn object to be locked. This itself relies +- * on the hci_dev object to be locked. So we must lock the hci device +- * here, too. */ ++ * must not register the l2cap_user. l2cap_conn_del() unregisters ++ * l2cap_conn objects under conn->lock, and we use the same lock here ++ * to protect access to conn->users and conn->hchan. ++ */ + +- hci_dev_lock(hdev); ++ mutex_lock(&conn->lock); + + if (!list_empty(&user->list)) { + ret = -EINVAL; +@@ -1717,16 +1715,14 @@ int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user) + ret = 0; + + out_unlock: +- hci_dev_unlock(hdev); ++ mutex_unlock(&conn->lock); + return ret; + } + EXPORT_SYMBOL(l2cap_register_user); + + void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user) + { +- struct hci_dev *hdev = conn->hcon->hdev; +- +- hci_dev_lock(hdev); ++ mutex_lock(&conn->lock); + + if (list_empty(&user->list)) + goto out_unlock; +@@ -1735,7 +1731,7 @@ void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user) + user->remove(conn, user); + + out_unlock: +- hci_dev_unlock(hdev); ++ mutex_unlock(&conn->lock); + } + EXPORT_SYMBOL(l2cap_unregister_user); + +-- +2.51.0 + diff --git a/queue-6.6/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch b/queue-6.6/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch new file mode 100644 index 0000000000..670b7d6d0f --- /dev/null +++ b/queue-6.6/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch 
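Review bot: `user->remove(conn, user)` in l2cap_unregister_user now runs with `conn->lock` held, and the `mutex_unlock(&conn->lock)` after it dereferences conn again; if a remove callback can drop the last l2cap_conn reference (the HIDP patch in this same series makes hidp_session_remove call l2cap_conn_put), that unlock touches freed memory. Consider pinning the object across the callback, `l2cap_conn_get(conn);` before the `mutex_lock` and `l2cap_conn_put(conn);` after the `mutex_unlock`, or document in the function comment that callers must hold their own conn reference for the duration of the call. The rewritten comment in l2cap_register_user could also say that `user->remove` is invoked under this lock so callback authors know not to take it.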
@@ -0,0 +1,55 @@ +From 2f59bb6d1cb6c38d12b85250ef2e179cf1676f27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 18:07:25 +0100 +Subject: Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU + +From: Christian Eggers + +[ Upstream commit e1d9a66889867c232657a9b6f25d451d7c3ab96f ] + +Core 6.0, Vol 3, Part A, 3.4.3: +"If the SDU length field value exceeds the receiver's MTU, the receiver +shall disconnect the channel..." + +This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P +0x0027 -V le_public -I 100'). + +Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly") +Signed-off-by: Christian Eggers +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 0253bdbbfc593..94dee7c227f74 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -6610,8 +6610,10 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) + return -ENOBUFS; + } + +- if (chan->imtu < skb->len) { +- BT_ERR("Too big LE L2CAP PDU"); ++ if (skb->len > chan->imtu) { ++ BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len, ++ chan->imtu); ++ l2cap_send_disconn_req(chan, ECONNRESET); + return -ENOBUFS; + } + +@@ -6637,7 +6639,9 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) + sdu_len, skb->len, chan->imtu); + + if (sdu_len > chan->imtu) { +- BT_ERR("Too big LE L2CAP SDU length received"); ++ BT_ERR("Too big LE L2CAP SDU length: len %u > %u", ++ skb->len, sdu_len); ++ l2cap_send_disconn_req(chan, ECONNRESET); + err = -EMSGSIZE; + goto failed; + } +-- +2.51.0 + diff --git a/queue-6.6/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch b/queue-6.6/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch new file mode 100644 index 0000000000..06436f4efb --- /dev/null 
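Review bot: The second `BT_ERR` prints `skb->len, sdu_len`, but the condition it reports is `sdu_len > chan->imtu`, so the log shows the wrong pair of values and will often read as `len X > Y` with X smaller than Y. It should be `BT_ERR("Too big LE L2CAP SDU length: len %u > %u", sdu_len, chan->imtu);`. The first message at the 6610 hunk uses the matching pair `skb->len, chan->imtu` and is fine. l2cap_ecred_data_rcv continues outside both hunks.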
+++ b/queue-6.6/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch @@ -0,0 +1,39 @@ +From 982449d4fbb36ab87859fc8bb34a14f13b217a76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 18:07:27 +0100 +Subject: Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU + +From: Christian Eggers + +[ Upstream commit b6a2bf43aa37670432843bc73ae2a6288ba4d6f8 ] + +Core 6.0, Vol 3, Part A, 3.4.3: +"... If the sum of the payload sizes for the K-frames exceeds the +specified SDU length, the receiver shall disconnect the channel." + +This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P +0x0027 -V le_public'). + +Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly") +Signed-off-by: Christian Eggers +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 94dee7c227f74..4ab738e651837 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -6677,6 +6677,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) + + if (chan->sdu->len + skb->len > chan->sdu_len) { + BT_ERR("Too much LE L2CAP data received"); ++ l2cap_send_disconn_req(chan, ECONNRESET); + err = -EINVAL; + goto failed; + } +-- +2.51.0 + diff --git a/queue-6.6/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch b/queue-6.6/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch new file mode 100644 index 0000000000..167df50dca --- /dev/null +++ b/queue-6.6/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch 
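Review bot: The new disconnect matches the sibling change in the SDU-length path, but the `BT_ERR("Too much LE L2CAP data received")` it sits beside does not print the sizes, unlike the two messages updated by the companion patch in this series. For consistency and easier triage of an unexpected disconnect, print them: `BT_ERR("Too much LE L2CAP data received: %u + %u > %u", chan->sdu->len, skb->len, chan->sdu_len);`. The enclosing function starts and ends outside the hunk.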
@@ -0,0 +1,46 @@ +From be5629c1bf517f18c38154b328f184e673c6674d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 01:02:57 +0200 +Subject: Bluetooth: qca: fix ROM version reading on WCN3998 chips + +From: Dmitry Baryshkov + +[ Upstream commit 99b2c531e0e797119ae1b9195a8764ee98b00e65 ] + +WCN3998 uses a bit different format for rom version: + +[ 5.479978] Bluetooth: hci0: setting up wcn399x +[ 5.633763] Bluetooth: hci0: QCA Product ID :0x0000000a +[ 5.645350] Bluetooth: hci0: QCA SOC Version :0x40010224 +[ 5.650906] Bluetooth: hci0: QCA ROM Version :0x00001001 +[ 5.665173] Bluetooth: hci0: QCA Patch Version:0x00006699 +[ 5.679356] Bluetooth: hci0: QCA controller version 0x02241001 +[ 5.691109] Bluetooth: hci0: QCA Downloading qca/crbtfw21.tlv +[ 6.680102] Bluetooth: hci0: QCA Downloading qca/crnv21.bin +[ 6.842948] Bluetooth: hci0: QCA setup on UART is completed + +Fixes: 523760b7ff88 ("Bluetooth: hci_qca: Added support for WCN3998") +Reviewed-by: Bartosz Golaszewski +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqca.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index 5651f40db1736..5b34da23adce7 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -826,6 +826,8 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + */ + if (soc_type == QCA_WCN3988) + rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f); ++ else if (soc_type == QCA_WCN3998) ++ rom_ver = ((soc_ver & 0x0000f000) >> 0x07) | (soc_ver & 0x0000000f); + else + rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f); + +-- +2.51.0 + diff --git a/queue-6.6/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch b/queue-6.6/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch new file mode 100644 index 0000000000..d95b352345 --- /dev/null 
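Review bot: The new WCN3998 branch adds a third bare mask-and-shift expression without saying which field layout it decodes, and the shift counts written in hex (`0x05`, `0x07`, `0x04`) make the bit positions harder to read than decimal would. A one-line comment per branch would carry what the commit message explains, e.g. `/* WCN3998: ROM version nibble is in bits 15:12, not 11:8 */` above the new `else if`, and the new line is clearer as `rom_ver = ((soc_ver & 0x0000f000) >> 7) | (soc_ver & 0x0000000f);`. With three chip-specific cases now, a `switch (soc_type)` would also read better than the growing if/else chain. qca_uart_setup continues outside the hunk.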
+++ b/queue-6.6/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch @@ -0,0 +1,36 @@ +From 32224a11f4c215fa23ddad1e4510c4fd9eac862d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 18:07:28 +0100 +Subject: Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy + +From: Christian Eggers + +[ Upstream commit 0e4d4dcc1a6e82cc6f9abf32193558efa7e1613d ] + +The last test step ("Test with Invalid public key X and Y, all set to +0") expects to get an "DHKEY check failed" instead of "unspecified". + +Fixes: 6d19628f539f ("Bluetooth: SMP: Fail if remote and local public keys are identical") +Signed-off-by: Christian Eggers +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/smp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c +index e7ee13fe83a74..62c8eab1b84a5 100644 +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -2744,7 +2744,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb) + if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) && + !crypto_memneq(key, smp->local_pk, 64)) { + bt_dev_err(hdev, "Remote and local public keys are identical"); +- return SMP_UNSPECIFIED; ++ return SMP_DHKEY_CHECK_FAILED; + } + + memcpy(smp->remote_pk, key, 64); +-- +2.51.0 + diff --git a/queue-6.6/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch b/queue-6.6/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch new file mode 100644 index 0000000000..306339aa94 --- /dev/null +++ b/queue-6.6/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch 
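Review bot: The changed return value has no in-code justification; the reason given in the commit message (the SM/PER/KDU/BI-04-C step with an all-zero public key expects DHKey Check Failed) is exactly what a reader of `return SMP_DHKEY_CHECK_FAILED;` will look for. Suggest a comment above the `bt_dev_err`, e.g. `/* SM/PER/KDU/BI-04-C expects DHKey Check Failed, not Unspecified, here */`. smp_cmd_public_key continues outside the hunk.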
@@ -0,0 +1,99 @@ +From 8b83e1c9a733adad7495c1802e74f947e024db73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2026 16:57:43 +0000 +Subject: btrfs: log new dentries when logging parent dir of a conflicting + inode + +From: Filipe Manana + +[ Upstream commit 9573a365ff9ff45da9222d3fe63695ce562beb24 ] + +If we log the parent directory of a conflicting inode, we are not logging +the new dentries of the directory, so when we finish we have the parent +directory's inode marked as logged but we did not log its new dentries. +As a consequence if the parent directory is explicitly fsynced later and +it does not have any new changes since we logged it, the fsync is a no-op +and after a power failure the new dentries are missing. + +Example scenario: + + $ mkdir foo + + $ sync + + $rmdir foo + + $ mkdir dir1 + $ mkdir dir2 + + # A file with the same name and parent as the directory we just deleted + # and was persisted in a past transaction. So the deleted directory's + # inode is a conflicting inode of this new file's inode. + $ touch foo + + $ ln foo dir2/link + + # The fsync on dir2 will log the parent directory (".") because the + # conflicting inode (deleted directory) does not exists anymore, but it + # it does not log its new dentries (dir1). + $ xfs_io -c "fsync" dir2 + + # This fsync on the parent directory is no-op, since the previous fsync + # logged it (but without logging its new dentries). + $ xfs_io -c "fsync" . + + + + # After log replay dir1 is missing. + +Fix this by ensuring we log new dir dentries whenever we log the parent +directory of a no longer existing conflicting inode. + +A test case for fstests will follow soon. 
+ +Reported-by: Vyacheslav Kovalevsky +Link: https://lore.kernel.org/linux-btrfs/182055fa-e9ce-4089-9f5f-4b8a23e8dd91@gmail.com/ +Fixes: a3baaf0d786e ("Btrfs: fix fsync after succession of renames and unlink/rmdir") +Reviewed-by: Boris Burkov +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 882bb3c04c23f..c77852dc32399 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -5856,6 +5856,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans, + struct btrfs_root *root, + struct btrfs_log_ctx *ctx) + { ++ const bool orig_log_new_dentries = ctx->log_new_dentries; + int ret = 0; + + /* +@@ -5917,7 +5918,11 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans, + * dir index key range logged for the directory. So we + * must make sure the deletion is recorded. + */ ++ ctx->log_new_dentries = false; + ret = btrfs_log_inode(trans, inode, LOG_INODE_ALL, ctx); ++ if (!ret && ctx->log_new_dentries) ++ ret = log_new_dir_dentries(trans, inode, ctx); ++ + btrfs_add_delayed_iput(inode); + if (ret) + break; +@@ -5952,6 +5957,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans, + break; + } + ++ ctx->log_new_dentries = orig_log_new_dentries; + ctx->logging_conflict_inodes = false; + if (ret) + free_conflicting_inodes(ctx); +-- +2.51.0 + diff --git a/queue-6.6/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch b/queue-6.6/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch new file mode 100644 index 0000000000..1d8fd6afa2 --- /dev/null +++ b/queue-6.6/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch 
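Review bot: The save/restore of `ctx->log_new_dentries` and the per-iteration `ctx->log_new_dentries = false;` are not explained in code, and the pattern is subtle: the flag evidently serves as an output of btrfs_log_inode() that requests log_new_dir_dentries(), it has to be cleared before each call so a value left by a previous inode cannot trigger logging, and the caller's value is restored on exit. A comment such as `/* btrfs_log_inode() sets ctx->log_new_dentries when the directory gained new dentries; clear it per inode and restore the caller's value at the end */` above the `ctx->log_new_dentries = false;` line would cover it. If log_conflicting_inodes has other btrfs_log_inode() calls in the stretch between the hunks, they presumably need the same handling, but that cannot be seen from here. The function's middle section lies outside the visible hunks.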
@@ -0,0 +1,38 @@ +From 68cac4d9001aa8cc53036e6b8cb68a49e08f82ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 08:33:21 +0800 +Subject: btrfs: tree-checker: fix misleading root drop_level error message + +From: ZhengYuan Huang + +[ Upstream commit fc1cd1f18c34f91e78362f9629ab9fd43b9dcab9 ] + +Fix tree-checker error message to report "invalid root drop_level" +instead of the misleading "invalid root level". + +Fixes: 259ee7754b67 ("btrfs: tree-checker: Add ROOT_ITEM check") +Reviewed-by: Qu Wenruo +Signed-off-by: ZhengYuan Huang +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-checker.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c +index e38994ac14848..d2c36b765c83a 100644 +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -1220,7 +1220,7 @@ static int check_root_item(struct extent_buffer *leaf, struct btrfs_key *key, + } + if (unlikely(btrfs_root_drop_level(&ri) >= BTRFS_MAX_LEVEL)) { + generic_err(leaf, slot, +- "invalid root level, have %u expect [0, %u]", ++ "invalid root drop_level, have %u expect [0, %u]", + btrfs_root_drop_level(&ri), BTRFS_MAX_LEVEL - 1); + return -EUCLEAN; + } +-- +2.51.0 + diff --git a/queue-6.6/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch b/queue-6.6/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch new file mode 100644 index 0000000000..4cd7bb3e83 --- /dev/null +++ b/queue-6.6/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch 
@@ -0,0 +1,46 @@ +From 6fffdd3f50e69589ecd016373e8e91c1e069edc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Jan 2026 01:49:09 +0800 +Subject: cache: ax45mp: Fix device node reference leak in ax45mp_cache_init() + +From: Felix Gu + +[ Upstream commit 0528a348b04b327a4611e29589beb4c9ae81304a ] + +In ax45mp_cache_init(), of_find_matching_node() returns a device node +with an incremented reference count that must be released with +of_node_put(). The current code fails to call of_node_put() which +causes a reference leak. + +Use the __free(device_node) attribute to ensure automatic cleanup when +the variable goes out of scope. + +Fixes: d34599bcd2e4 ("cache: Add L2 cache management for Andes AX45MP RISC-V core") +Signed-off-by: Felix Gu +Signed-off-by: Conor Dooley +Signed-off-by: Sasha Levin +--- + drivers/cache/ax45mp_cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/cache/ax45mp_cache.c b/drivers/cache/ax45mp_cache.c +index 1d7dd3d2c101c..934c5087ec2bd 100644 +--- a/drivers/cache/ax45mp_cache.c ++++ b/drivers/cache/ax45mp_cache.c +@@ -178,11 +178,11 @@ static const struct of_device_id ax45mp_cache_ids[] = { + + static int __init ax45mp_cache_init(void) + { +- struct device_node *np; + struct resource res; + int ret; + +- np = of_find_matching_node(NULL, ax45mp_cache_ids); ++ struct device_node *np __free(device_node) = ++ of_find_matching_node(NULL, ax45mp_cache_ids); + if (!of_device_is_available(np)) + return -ENODEV; + +-- +2.51.0 + diff --git a/queue-6.6/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch b/queue-6.6/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch new file mode 100644 index 0000000000..feef4decfd --- /dev/null +++ b/queue-6.6/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch 
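Review bot: The `struct device_node *np __free(device_node) = ...` declaration in ax45mp_cache_init() adds no `#include` for the cleanup helper, whereas the arm_scpi patch later in this series adds one next to the same idiom; if the 6.6 tree's include/linux/of.h does not yet carry the `DEFINE_FREE(device_node, ...)` definition (it arrived upstream well after 6.6), this backport will not build there, so that should be confirmed before queueing. The remainder of the function, including every early return the automatic release now covers, is outside the hunk. A one-line comment beside the declaration, `/* reference dropped automatically on every return path */`, would make the vanished of_node_put() visible to readers of the stable tree.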
@@ -0,0 +1,116 @@ +From dd230bfe813a5e044c15f3231b6f1d3a27db181e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 07:55:31 +0100 +Subject: clsact: Fix use-after-free in init/destroy rollback asymmetry + +From: Daniel Borkmann + +[ Upstream commit a0671125d4f55e1e98d9bde8a0b671941987e208 ] + +Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry. +The latter is achieved by first fully initializing a clsact instance, and +then in a second step having a replacement failure for the new clsact qdisc +instance. clsact_init() initializes ingress first and then takes care of the +egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon +failure, the kernel will trigger the clsact_destroy() callback. + +Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the +way how the transition is happening. If tcf_block_get_ext on the q->ingress_block +ends up failing, we took the tcx_miniq_inc reference count on the ingress +side, but not yet on the egress side. clsact_destroy() tests whether the +{ingress,egress}_entry was non-NULL. However, even in midway failure on the +replacement, both are in fact non-NULL with a valid egress_entry from the +previous clsact instance. + +What we really need to test for is whether the qdisc instance-specific ingress +or egress side previously got initialized. This adds a small helper for checking +the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon +clsact_destroy() in order to fix the use-after-free scenario. Convert the +ingress_destroy() side as well so both are consistent to each other. 
+ +Fixes: 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") +Reported-by: Keenan Dong +Signed-off-by: Daniel Borkmann +Cc: Martin KaFai Lau +Acked-by: Martin KaFai Lau +Link: https://patch.msgid.link/20260313065531.98639-1-daniel@iogearbox.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/sch_generic.h | 5 +++++ + net/sched/sch_ingress.c | 14 ++++++++------ + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index 15f4a0548d824..385af747b0b4e 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -1365,6 +1365,11 @@ void mini_qdisc_pair_init(struct mini_Qdisc_pair *miniqp, struct Qdisc *qdisc, + void mini_qdisc_pair_block_init(struct mini_Qdisc_pair *miniqp, + struct tcf_block *block); + ++static inline bool mini_qdisc_pair_inited(struct mini_Qdisc_pair *miniqp) ++{ ++ return !!miniqp->p_miniq; ++} ++ + void mq_change_real_num_tx(struct Qdisc *sch, unsigned int new_real_tx); + + int sch_frag_xmit_hook(struct sk_buff *skb, int (*xmit)(struct sk_buff *skb)); +diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c +index 8dde3548dc11c..70d668cb0db81 100644 +--- a/net/sched/sch_ingress.c ++++ b/net/sched/sch_ingress.c +@@ -113,14 +113,15 @@ static void ingress_destroy(struct Qdisc *sch) + { + struct ingress_sched_data *q = qdisc_priv(sch); + struct net_device *dev = qdisc_dev(sch); +- struct bpf_mprog_entry *entry = rtnl_dereference(dev->tcx_ingress); ++ struct bpf_mprog_entry *entry; + + if (sch->parent != TC_H_INGRESS) + return; + + tcf_block_put_ext(q->block, sch, &q->block_info); + +- if (entry) { ++ if (mini_qdisc_pair_inited(&q->miniqp)) { ++ entry = rtnl_dereference(dev->tcx_ingress); + tcx_miniq_dec(entry); + if (!tcx_entry_is_active(entry)) { + tcx_entry_update(dev, NULL, true); +@@ -289,10 +290,9 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt, + + static void clsact_destroy(struct Qdisc *sch) + { ++ struct 
bpf_mprog_entry *ingress_entry, *egress_entry; + struct clsact_sched_data *q = qdisc_priv(sch); + struct net_device *dev = qdisc_dev(sch); +- struct bpf_mprog_entry *ingress_entry = rtnl_dereference(dev->tcx_ingress); +- struct bpf_mprog_entry *egress_entry = rtnl_dereference(dev->tcx_egress); + + if (sch->parent != TC_H_CLSACT) + return; +@@ -300,7 +300,8 @@ static void clsact_destroy(struct Qdisc *sch) + tcf_block_put_ext(q->ingress_block, sch, &q->ingress_block_info); + tcf_block_put_ext(q->egress_block, sch, &q->egress_block_info); + +- if (ingress_entry) { ++ if (mini_qdisc_pair_inited(&q->miniqp_ingress)) { ++ ingress_entry = rtnl_dereference(dev->tcx_ingress); + tcx_miniq_dec(ingress_entry); + if (!tcx_entry_is_active(ingress_entry)) { + tcx_entry_update(dev, NULL, true); +@@ -308,7 +309,8 @@ static void clsact_destroy(struct Qdisc *sch) + } + } + +- if (egress_entry) { ++ if (mini_qdisc_pair_inited(&q->miniqp_egress)) { ++ egress_entry = rtnl_dereference(dev->tcx_egress); + tcx_miniq_dec(egress_entry); + if (!tcx_entry_is_active(egress_entry)) { + tcx_entry_update(dev, NULL, false); +-- +2.51.0 + diff --git a/queue-6.6/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch b/queue-6.6/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch new file mode 100644 index 0000000000..7e77165023 --- /dev/null +++ b/queue-6.6/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch 
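Review bot: The new helper `mini_qdisc_pair_inited()` in sch_generic.h has no comment, and both destroy paths now call `tcx_miniq_dec(entry)` on an `entry` that is no longer NULL-checked, so the invariant being relied on — `p_miniq` is only set once the tcx entry for that direction exists — stays implicit. Suggest a kernel-doc line on the helper, e.g. `/* True once mini_qdisc_pair_init() ran for this qdisc instance; lets destroy tell a partially initialised instance from a complete one */`, and taking the argument as `const struct mini_Qdisc_pair *` since it only reads it. At the dereference sites in ingress_destroy() and clsact_destroy(), a short `/* inited implies the tcx entry was fetched during init, so entry is non-NULL */` would record why the `if (entry)` guard could be dropped. Whether `p_miniq` is reliably NULL for a never-initialised instance depends on the qdisc private area being zeroed at allocation, which is outside this hunk — presumably true but worth a sentence in the commit.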
@@ -0,0 +1,58 @@ +From cb2be583f0709561f27dd31253b87da3dfbbebea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 21:08:19 +0800 +Subject: firmware: arm_scpi: Fix device_node reference leak in probe path + +From: Felix Gu + +[ Upstream commit 879c001afbac3df94160334fe5117c0c83b2cf48 ] + +A device_node reference obtained from the device tree is not released +on all error paths in the arm_scpi probe path. Specifically, a node +returned by of_parse_phandle() could be leaked when the probe failed +after the node was acquired. The probe function returns early and +the shmem reference is not released. + +Use __free(device_node) scope-based cleanup to automatically release +the reference when the variable goes out of scope. + +Fixes: ed7ecb883901 ("firmware: arm_scpi: Add compatibility checks for shmem node") +Signed-off-by: Felix Gu +Message-Id: <20260121-arm_scpi_2-v2-1-702d7fa84acb@gmail.com> +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scpi.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c +index 3de25e9d18ef8..2d85e783ae267 100644 +--- a/drivers/firmware/arm_scpi.c ++++ b/drivers/firmware/arm_scpi.c +@@ -18,6 +18,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -945,13 +946,13 @@ static int scpi_probe(struct platform_device *pdev) + int idx = scpi_drvinfo->num_chans; + struct scpi_chan *pchan = scpi_drvinfo->channels + idx; + struct mbox_client *cl = &pchan->cl; +- struct device_node *shmem = of_parse_phandle(np, "shmem", idx); ++ struct device_node *shmem __free(device_node) = ++ of_parse_phandle(np, "shmem", idx); + + if (!of_match_node(shmem_of_match, shmem)) + return -ENXIO; + + ret = of_address_to_resource(shmem, 0, &res); +- of_node_put(shmem); + if (ret) { + dev_err(dev, "failed to get SCPI payload mem resource\n"); + return ret; +-- +2.51.0 + 
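Review bot: With `shmem __free(device_node)` replacing the explicit `of_node_put(shmem)` in scpi_probe(), the reference is now held until the end of the enclosing block rather than released right after of_address_to_resource(); that block continues outside the hunk, so this is only safe if nothing later in it stores or hands off `shmem`, which seems likely but cannot be checked here. The added `#include` line has lost its target name in this rendering, so the header being introduced cannot be compared against what the 6.6 tree provides; the ax45mp patch in this same series uses the idiom without adding any include, and the two backports should agree on which header is needed.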
diff --git a/queue-6.6/iavf-fix-vlan-filter-lost-on-add-delete-race.patch b/queue-6.6/iavf-fix-vlan-filter-lost-on-add-delete-race.patch
new file mode 100644
index 0000000000..886e5b4241
--- /dev/null
+++ b/queue-6.6/iavf-fix-vlan-filter-lost-on-add-delete-race.patch
@@ -0,0 +1,70 @@ +From 6ef452f048a1f98d9c9281386e3515e2ca342c09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 11:01:37 +0100 +Subject: iavf: fix VLAN filter lost on add/delete race + +From: Petr Oros + +[ Upstream commit fc9c69be594756b81b54c6bc40803fa6052f35ae ] + +When iavf_add_vlan() finds an existing filter in IAVF_VLAN_REMOVE +state, it transitions the filter to IAVF_VLAN_ACTIVE assuming the +pending delete can simply be cancelled. However, there is no guarantee +that iavf_del_vlans() has not already processed the delete AQ request +and removed the filter from the PF. In that case the filter remains in +the driver's list as IAVF_VLAN_ACTIVE but is no longer programmed on +the NIC. Since iavf_add_vlans() only picks up filters in +IAVF_VLAN_ADD state, the filter is never re-added, and spoof checking +drops all traffic for that VLAN. + + CPU0 CPU1 Workqueue + ---- ---- --------- + iavf_del_vlan(vlan 100) + f->state = REMOVE + schedule AQ_DEL_VLAN + iavf_add_vlan(vlan 100) + f->state = ACTIVE + iavf_del_vlans() + f is ACTIVE, skip + iavf_add_vlans() + f is ACTIVE, skip + + Filter is ACTIVE in driver but absent from NIC. + +Transition to IAVF_VLAN_ADD instead and schedule +IAVF_FLAG_AQ_ADD_VLAN_FILTER so iavf_add_vlans() re-programs the +filter. A duplicate add is idempotent on the PF. 
+ +Fixes: 0c0da0e95105 ("iavf: refactor VLAN filter states") +Signed-off-by: Petr Oros +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index f6a748ae1c959..02e07fe6a0528 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -802,10 +802,13 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter, + adapter->num_vlan_filters++; + iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER); + } else if (f->state == IAVF_VLAN_REMOVE) { +- /* IAVF_VLAN_REMOVE means that VLAN wasn't yet removed. +- * We can safely only change the state here. ++ /* Re-add the filter since we cannot tell whether the ++ * pending delete has already been processed by the PF. ++ * A duplicate add is harmless. + */ +- f->state = IAVF_VLAN_ACTIVE; ++ f->state = IAVF_VLAN_ADD; ++ iavf_schedule_aq_request(adapter, ++ IAVF_FLAG_AQ_ADD_VLAN_FILTER); + } + + clearout: +-- +2.51.0 + diff --git a/queue-6.6/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch b/queue-6.6/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch new file mode 100644 index 0000000000..b2c3763e4c --- /dev/null +++ b/queue-6.6/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch 
@@ -0,0 +1,68 @@ +From fcbf73e865e669002f26a424c5aab0335f513c05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 21:06:01 +0800 +Subject: icmp: fix NULL pointer dereference in icmp_tag_validation() + +From: Weiming Shi + +[ Upstream commit 614aefe56af8e13331e50220c936fc0689cf5675 ] + +icmp_tag_validation() unconditionally dereferences the result of +rcu_dereference(inet_protos[proto]) without checking for NULL. +The inet_protos[] array is sparse -- only about 15 of 256 protocol +numbers have registered handlers. When ip_no_pmtu_disc is set to 3 +(hardened PMTU mode) and the kernel receives an ICMP Fragmentation +Needed error with a quoted inner IP header containing an unregistered +protocol number, the NULL dereference causes a kernel panic in +softirq context. + + Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI + KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] + RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) + Call Trace: + + icmp_rcv (net/ipv4/icmp.c:1527) + ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) + ip_local_deliver_finish (net/ipv4/ip_input.c:242) + ip_local_deliver (net/ipv4/ip_input.c:262) + ip_rcv (net/ipv4/ip_input.c:573) + __netif_receive_skb_one_core (net/core/dev.c:6164) + process_backlog (net/core/dev.c:6628) + handle_softirqs (kernel/softirq.c:561) + + +Add a NULL check before accessing icmp_strict_tag_validation. If the +protocol has no registered handler, return false since it cannot +perform strict tag validation. 
+ +Fixes: 8ed1dc44d3e9 ("ipv4: introduce hardened ip_no_pmtu_disc mode") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Link: https://patch.msgid.link/20260318130558.1050247-4-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 784591ed5bb7c..64a0bc633a3eb 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -870,10 +870,12 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info) + + static bool icmp_tag_validation(int proto) + { ++ const struct net_protocol *ipprot; + bool ok; + + rcu_read_lock(); +- ok = rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation; ++ ipprot = rcu_dereference(inet_protos[proto]); ++ ok = ipprot ? ipprot->icmp_strict_tag_validation : false; + rcu_read_unlock(); + return ok; + } +-- +2.51.0 + diff --git a/queue-6.6/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch b/queue-6.6/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch new file mode 100644 index 0000000000..cc6770de32 --- /dev/null +++ b/queue-6.6/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch 
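Review bot: The new `ok = ipprot ? ipprot->icmp_strict_tag_validation : false;` in icmp_tag_validation() reads more naturally as `ok = ipprot && ipprot->icmp_strict_tag_validation;`, which drops the literal `false` from a boolean expression. A comment on the policy would help the next reader, e.g. `/* A protocol with no registered handler cannot ask for strict tag validation */`. The function still takes `int proto` and indexes inet_protos[] without a bound check; the callers that pass the quoted header's protocol byte are outside the hunk, so this is presumably fine today but worth remembering if a new caller is added.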
@@ -0,0 +1,45 @@ +From 7ffef30b1b37d25b36250e4c562cebd73764dbe6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Feb 2026 19:46:32 +0000 +Subject: igc: fix missing update of skb->tail in igc_xmit_frame() + +From: Kohei Enju + +[ Upstream commit 0ffba246652faf4a36aedc66059c2f94e4c83ea5 ] + +igc_xmit_frame() misses updating skb->tail when the packet size is +shorter than the minimum one. +Use skb_put_padto() in alignment with other Intel Ethernet drivers. + +Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers") +Signed-off-by: Kohei Enju +Reviewed-by: Simon Horman +Reviewed-by: Paul Menzel +Tested-by: Avigail Dahan +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 3e1408e1c1fcf..13c41facfc976 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -1700,11 +1700,8 @@ static netdev_tx_t igc_xmit_frame(struct sk_buff *skb, + /* The minimum packet size with TCTL.PSP set is 17 so pad the skb + * in order to meet this minimum size requirement. + */ +- if (skb->len < 17) { +- if (skb_padto(skb, 17)) +- return NETDEV_TX_OK; +- skb->len = 17; +- } ++ if (skb_put_padto(skb, 17)) ++ return NETDEV_TX_OK; + + return igc_xmit_frame_ring(skb, igc_tx_queue_mapping(adapter, skb)); + } +-- +2.51.0 + diff --git a/queue-6.6/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch b/queue-6.6/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch new file mode 100644 index 0000000000..a518a4a3d3 --- /dev/null +++ b/queue-6.6/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch 
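Review bot: The replacement `if (skb_put_padto(skb, 17)) return NETDEV_TX_OK;` in igc_xmit_frame() is correct only because skb_put_padto() frees the skb on failure, which is why returning NETDEV_TX_OK rather than NETDEV_TX_BUSY is the right choice; the comment above it explains the size requirement but not that ownership detail. Suggest extending it with `/* skb_put_padto() frees the skb on failure, so report it as consumed. */`. The magic 17 now appears in both the comment and the call; a named constant (e.g. a `#define` for the minimum TX length, name constructed) would tie the two together.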
@@ -0,0 +1,37 @@ +From cacb0a13da84a781de3445525487864f0fa4e5b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 23:35:09 +0100 +Subject: mpls: add missing unregister_netdevice_notifier to mpls_init + +From: Sabrina Dubroca + +[ Upstream commit 99600f79b28c83c68bae199a3d8e95049a758308 ] + +If mpls_init() fails after registering mpls_dev_notifier, it never +gets removed. Add the missing unregister_netdevice_notifier() call to +the error handling path. + +Fixes: 5be2062e3080 ("mpls: Handle error of rtnl_register_module().") +Signed-off-by: Sabrina Dubroca +Link: https://patch.msgid.link/7c55363c4f743d19e2306204a134407c90a69bbb.1773228081.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mpls/af_mpls.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c +index 5a4b175b78c8c..0561a530ecf0d 100644 +--- a/net/mpls/af_mpls.c ++++ b/net/mpls/af_mpls.c +@@ -2775,6 +2775,7 @@ static int __init mpls_init(void) + out_unregister_rtnl_af: + rtnl_af_unregister(&mpls_af_ops); + dev_remove_pack(&mpls_packet_type); ++ unregister_netdevice_notifier(&mpls_dev_notifier); + out_unregister_pernet: + unregister_pernet_subsys(&mpls_net_ops); + goto out; +-- +2.51.0 + diff --git a/queue-6.6/net-bcmgenet-increase-wol-poll-timeout.patch b/queue-6.6/net-bcmgenet-increase-wol-poll-timeout.patch new file mode 100644 index 0000000000..a32b7e4f18 --- /dev/null +++ b/queue-6.6/net-bcmgenet-increase-wol-poll-timeout.patch 
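Review bot: The added `unregister_netdevice_notifier(&mpls_dev_notifier);` under `out_unregister_rtnl_af:` is only correct if every `goto out_unregister_rtnl_af` site has already registered the notifier and if its position after dev_remove_pack() mirrors the registration order in mpls_init(), neither of which is visible in the hunk. The placement matches a registration order of notifier, then packet type, then rtnl af-ops; if mpls_init() registers them in a different order, the unwind lines should be reordered to stay the exact reverse. A short comment on the label, `/* reverse of the registration order in mpls_init() */`, would keep future additions aligned.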
@@ -0,0 +1,38 @@ +From 4852e4c0d55d85e11a8eec8cc72f47f4ae0e6e31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 12:18:52 -0700 +Subject: net: bcmgenet: increase WoL poll timeout + +From: Justin Chen + +[ Upstream commit 6cfc3bc02b977f2fba5f7268e6504d1931a774f7 ] + +Some systems require more than 5ms to get into WoL mode. Increase the +timeout value to 50ms. + +Fixes: c51de7f3976b ("net: bcmgenet: add Wake-on-LAN support code") +Signed-off-by: Justin Chen +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20260312191852.3904571-1-justin.chen@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c +index 3b082114f2e53..2033fb9d893e0 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c +@@ -123,7 +123,7 @@ static int bcmgenet_poll_wol_status(struct bcmgenet_priv *priv) + while (!(bcmgenet_rbuf_readl(priv, RBUF_STATUS) + & RBUF_STATUS_WOL)) { + retries++; +- if (retries > 5) { ++ if (retries > 50) { + netdev_crit(dev, "polling wol mode timeout\n"); + return -ETIMEDOUT; + } +-- +2.51.0 + diff --git a/queue-6.6/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch b/queue-6.6/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch new file mode 100644 index 0000000000..37525788ee --- /dev/null +++ b/queue-6.6/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch 
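Review bot: `if (retries > 50)` in bcmgenet_poll_wol_status() replaces one magic number with another; the commit describes the intent as 50ms, but that is only true in combination with the per-iteration delay, which is outside the hunk. A named constant with a comment giving the resulting timeout — e.g. `#define WOL_POLL_RETRIES 50 /* with the 1ms per-iteration delay: 50ms */` (name and delay figure constructed; confirm the actual delay) — would make the relationship explicit and stop the two values drifting apart.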
@@ -0,0 +1,87 @@ +From e8d1785205d6ff296dfaa7983f78344560eeb9a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 17:50:34 -0700 +Subject: net: bonding: fix NULL deref in bond_debug_rlb_hash_show + +From: Xiang Mei + +[ Upstream commit 605b52497bf89b3b154674deb135da98f916e390 ] + +rlb_clear_slave intentionally keeps RLB hash-table entries on +the rx_hashtbl_used_head list with slave set to NULL when no +replacement slave is available. However, bond_debug_rlb_hash_show +visites client_info->slave without checking if it's NULL. + +Other used-list iterators in bond_alb.c already handle this NULL-slave +state safely: + +- rlb_update_client returns early on !client_info->slave +- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance +compare slave values before visiting +- lb_req_update_subnet_clients continues if slave is NULL + +The following NULL deref crash can be trigger in +bond_debug_rlb_hash_show: + +[ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41) +[ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286 +[ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204 +[ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078 +[ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000 +[ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0 +[ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8 +[ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000 +[ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0 +[ 1.295897] Call Trace: +[ 1.296134] seq_read_iter (fs/seq_file.c:231) +[ 1.296341] seq_read (fs/seq_file.c:164) +[ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1)) +[ 1.296658] vfs_read 
(fs/read_write.c:572) +[ 1.296981] ksys_read (fs/read_write.c:717) +[ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) +[ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Add a NULL check and print "(none)" for entries with no assigned slave. + +Fixes: caafa84251b88 ("bonding: add the debugfs interface to see RLB hash table") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260317005034.1888794-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_debugfs.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/bonding/bond_debugfs.c b/drivers/net/bonding/bond_debugfs.c +index b19492a7f6ad1..3c1945c3e850a 100644 +--- a/drivers/net/bonding/bond_debugfs.c ++++ b/drivers/net/bonding/bond_debugfs.c +@@ -34,11 +34,17 @@ static int bond_debug_rlb_hash_show(struct seq_file *m, void *v) + for (; hash_index != RLB_NULL_INDEX; + hash_index = client_info->used_next) { + client_info = &(bond_info->rx_hashtbl[hash_index]); +- seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", +- &client_info->ip_src, +- &client_info->ip_dst, +- &client_info->mac_dst, +- client_info->slave->dev->name); ++ if (client_info->slave) ++ seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", ++ &client_info->ip_src, ++ &client_info->ip_dst, ++ &client_info->mac_dst, ++ client_info->slave->dev->name); ++ else ++ seq_printf(m, "%-15pI4 %-15pI4 %-17pM (none)\n", ++ &client_info->ip_src, ++ &client_info->ip_dst, ++ &client_info->mac_dst); + } + + spin_unlock_bh(&bond->mode_lock); +-- +2.51.0 + diff --git a/queue-6.6/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch b/queue-6.6/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch new file mode 100644 index 0000000000..3341e632c4 --- /dev/null +++ b/queue-6.6/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch 
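Review bot: The two seq_printf() calls in bond_debug_rlb_hash_show() duplicate the format string and the first three arguments, differing only in the last column. A single call with a conditional name keeps the output identical and the columns aligned: `seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", &client_info->ip_src, &client_info->ip_dst, &client_info->mac_dst, client_info->slave ? client_info->slave->dev->name : "(none)");`. A comment pointing at the origin of NULL-slave entries, `/* slave is NULL when rlb_clear_slave() found no replacement */`, would explain the branch to the next reader.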
@@ -0,0 +1,59 @@ +From 8934258bd466150a945001da5b1a1bbc33a7c08d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 08:42:12 +0000 +Subject: net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths + +From: Anas Iqbal + +[ Upstream commit b48731849609cbd8c53785a48976850b443153fd ] + +Smatch reports: +drivers/net/dsa/bcm_sf2.c:997 bcm_sf2_sw_resume() warn: +'priv->clk' from clk_prepare_enable() not released on lines: 983,990. + +The clock enabled by clk_prepare_enable() in bcm_sf2_sw_resume() +is not released if bcm_sf2_sw_rst() or bcm_sf2_cfp_resume() fails. + +Add the missing clk_disable_unprepare() calls in the error paths +to properly release the clock resource. + +Fixes: e9ec5c3bd238 ("net: dsa: bcm_sf2: request and handle clocks") +Reviewed-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Signed-off-by: Anas Iqbal +Link: https://patch.msgid.link/20260318084212.1287-1-mohd.abd.6602@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/bcm_sf2.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c +index 257df16768750..7defcfd1c213f 100644 +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -971,15 +971,19 @@ static int bcm_sf2_sw_resume(struct dsa_switch *ds) + ret = bcm_sf2_sw_rst(priv); + if (ret) { + pr_err("%s: failed to software reset switch\n", __func__); ++ if (!priv->wol_ports_mask) ++ clk_disable_unprepare(priv->clk); + return ret; + } + + bcm_sf2_crossbar_setup(priv); + + ret = bcm_sf2_cfp_resume(ds); +- if (ret) ++ if (ret) { ++ if (!priv->wol_ports_mask) ++ clk_disable_unprepare(priv->clk); + return ret; +- ++ } + if (priv->hw_params.num_gphy == 1) + bcm_sf2_gphy_enable_set(ds, true); + +-- +2.51.0 + diff --git a/queue-6.6/net-macb-fix-uninitialized-rx_fs_lock.patch b/queue-6.6/net-macb-fix-uninitialized-rx_fs_lock.patch new file mode 100644 index 0000000000..6561778fbd --- /dev/null 
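Review bot: The `if (!priv->wol_ports_mask) clk_disable_unprepare(priv->clk);` cleanup is now duplicated in both error paths of bcm_sf2_sw_resume(), and every later failure point added to the function will need a third copy. The usual kernel shape is a single `out_clk_disable:` label at the end of the function holding `if (!priv->wol_ports_mask) clk_disable_unprepare(priv->clk); return ret;` with `goto out_clk_disable;` at both sites; the function's tail is outside the hunk, so the label placement has to be checked there. The gating on `wol_ports_mask` presumably mirrors the condition under which clk_prepare_enable() was called earlier in the function (not visible here); a comment such as `/* pairs with the conditional clk_prepare_enable() above */` would document that coupling. The blank line between the new `}` and the `num_gphy` check was dropped by the patch and should be kept.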
+++ b/queue-6.6/net-macb-fix-uninitialized-rx_fs_lock.patch 
@@ -0,0 +1,78 @@ +From 2aa220557c0f041b3871e71f60433d21e8f6bbe6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 13:38:25 +0300 +Subject: net: macb: fix uninitialized rx_fs_lock + +From: Fedor Pchelkin + +[ Upstream commit 34b11cc56e4369bc08b1f4c4a04222d75ed596ce ] + +If hardware doesn't support RX Flow Filters, rx_fs_lock spinlock is not +initialized leading to the following assertion splat triggerable via +set_rxnfc callback. + +INFO: trying to register non-static key. +The code is fine but needs lockdep annotation, or maybe +you didn't initialize this object before use? +turning off the locking correctness validator. +CPU: 1 PID: 949 Comm: syz.0.6 Not tainted 6.1.164+ #113 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106 + assign_lock_key kernel/locking/lockdep.c:974 [inline] + register_lock_class+0x141b/0x17f0 kernel/locking/lockdep.c:1287 + __lock_acquire+0x74f/0x6c40 kernel/locking/lockdep.c:4928 + lock_acquire kernel/locking/lockdep.c:5662 [inline] + lock_acquire+0x190/0x4b0 kernel/locking/lockdep.c:5627 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:162 + gem_del_flow_filter drivers/net/ethernet/cadence/macb_main.c:3562 [inline] + gem_set_rxnfc+0x533/0xac0 drivers/net/ethernet/cadence/macb_main.c:3667 + ethtool_set_rxnfc+0x18c/0x280 net/ethtool/ioctl.c:961 + __dev_ethtool net/ethtool/ioctl.c:2956 [inline] + dev_ethtool+0x229c/0x6290 net/ethtool/ioctl.c:3095 + dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510 + sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215 + sock_ioctl+0x577/0x6d0 net/socket.c:1320 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856 + do_syscall_x64 
arch/x86/entry/common.c:46 [inline] + do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +A more straightforward solution would be to always initialize rx_fs_lock, +just like rx_fs_list. However, in this case the driver set_rxnfc callback +would return with a rather confusing error code, e.g. -EINVAL. So deny +set_rxnfc attempts directly if the RX filtering feature is not supported +by hardware. + +Fixes: ae8223de3df5 ("net: macb: Added support for RX filtering") +Signed-off-by: Fedor Pchelkin +Link: https://patch.msgid.link/20260316103826.74506-2-pchelkin@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 1907820a7209e..693688a580022 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -3855,6 +3855,9 @@ static int gem_set_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd) + struct macb *bp = netdev_priv(netdev); + int ret; + ++ if (!(netdev->hw_features & NETIF_F_NTUPLE)) ++ return -EOPNOTSUPP; ++ + switch (cmd->cmd) { + case ETHTOOL_SRXCLSRLINS: + if ((cmd->fs.location >= bp->max_tuples) +-- +2.51.0 + diff --git a/queue-6.6/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch b/queue-6.6/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch new file mode 100644 index 0000000000..302a11c2b3 --- /dev/null +++ b/queue-6.6/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch 
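Review bot: The new guard `if (!(netdev->hw_features & NETIF_F_NTUPLE)) return -EOPNOTSUPP;` in gem_set_rxnfc() carries no comment, and the reason — rx_fs_lock is only initialised when the hardware supports RX flow filtering — lives only in the commit message. Suggest `/* rx_fs_lock and the filter list are only set up when NTUPLE is supported */` directly above it. If the get side (gem_get_rxnfc, outside this hunk) also takes rx_fs_lock, it presumably needs the same guard and is worth checking while here.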
@@ -0,0 +1,67 @@ +From 6476ab160238350b8e43fa50b6e3bf21586bb820 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 12:22:04 -0700 +Subject: net: mana: fix use-after-free in mana_hwc_destroy_channel() by + reordering teardown + +From: Dipayaan Roy + +[ Upstream commit fa103fc8f56954a60699a29215cb713448a39e87 ] + +A potential race condition exists in mana_hwc_destroy_channel() where +hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and +Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt +handler to dereference freed memory, leading to a use-after-free or +NULL pointer dereference in mana_hwc_handle_resp(). + +mana_smc_teardown_hwc() signals the hardware to stop but does not +synchronize against IRQ handlers already executing on other CPUs. The +IRQ synchronization only happens in mana_hwc_destroy_cq() via +mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs +after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler() +can dereference freed caller_ctx (and rxq->msg_buf) in +mana_hwc_handle_resp(). + +Fix this by reordering teardown to reverse-of-creation order: destroy +the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This +ensures all in-flight interrupt handlers complete before the memory they +access is freed. 
+ +Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") +Reviewed-by: Haiyang Zhang +Signed-off-by: Dipayaan Roy +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/abHA3AjNtqa1nx9k@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c +index 9d6426d4158e3..148dda6570fc5 100644 +--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c ++++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c +@@ -776,9 +776,6 @@ void mana_hwc_destroy_channel(struct gdma_context *gc) + gc->max_num_cqs = 0; + } + +- kfree(hwc->caller_ctx); +- hwc->caller_ctx = NULL; +- + if (hwc->txq) + mana_hwc_destroy_wq(hwc, hwc->txq); + +@@ -788,6 +785,9 @@ void mana_hwc_destroy_channel(struct gdma_context *gc) + if (hwc->cq) + mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq); + ++ kfree(hwc->caller_ctx); ++ hwc->caller_ctx = NULL; ++ + mana_gd_free_res_map(&hwc->inflight_msg_res); + + hwc->num_inflight_msg = 0; +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch b/queue-6.6/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch new file mode 100644 index 0000000000..a93fe382bc --- /dev/null +++ b/queue-6.6/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch 
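Review bot: The relocated `kfree(hwc->caller_ctx);` in mana_hwc_destroy_channel() now follows mana_hwc_destroy_cq(), but nothing in the code records why, so a later tidy-up could move it back and silently reintroduce the race. Suggest a comment above it: `/* Must follow CQ/EQ teardown: destroying the EQ synchronises the IRQ handlers that read caller_ctx in mana_hwc_handle_resp(). */`. The commit message names mana_gd_deregister_irq() as the synchronisation point; if the WQ destroy path can also reach caller_ctx, the kfree is already past it as well, so the ordering holds either way.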
@@ -0,0 +1,112 @@ +From 51d02bada6833bae8bb8cbb5ac1921f80a000109 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 11:46:01 +0200 +Subject: net/mlx5: qos: Restrict RTNL area to avoid a lock cycle + +From: Cosmin Ratiu + +[ Upstream commit b7e3a5d9c0d66b7fb44f63aef3bd734821afa0c8 ] + +A lock dependency cycle exists where: +1. mlx5_ib_roce_init -> mlx5_core_uplink_netdev_event_replay -> +mlx5_blocking_notifier_call_chain (takes notifier_rwsem) -> +mlx5e_mdev_notifier_event -> mlx5_netdev_notifier_register -> +register_netdevice_notifier_dev_net (takes rtnl) +=> notifier_rwsem -> rtnl + +2. mlx5e_probe -> _mlx5e_probe -> +mlx5_core_uplink_netdev_set (takes uplink_netdev_lock) -> +mlx5_blocking_notifier_call_chain (takes notifier_rwsem) +=> uplink_netdev_lock -> notifier_rwsem + +3: devlink_nl_rate_set_doit -> devlink_nl_rate_set -> +mlx5_esw_devlink_rate_leaf_tx_max_set -> esw_qos_devlink_rate_to_mbps -> +mlx5_esw_qos_max_link_speed_get (takes rtnl) -> +mlx5_esw_qos_lag_link_speed_get_locked -> +mlx5_uplink_netdev_get (takes uplink_netdev_lock) +=> rtnl -> uplink_netdev_lock +=> BOOM! (lock cycle) + +Fix that by restricting the rtnl-protected section to just the necessary +part, the call to netdev_master_upper_dev_get and speed querying, so +that the last lock dependency is avoided and the cycle doesn't close. +This is safe because mlx5_uplink_netdev_get uses netdev_hold to keep the +uplink netdev alive while its master device is queried. + +Use this opportunity to rename the ambiguously-named "hold_rtnl_lock" +argument to "take_rtnl" and remove the "_locked" suffix from +mlx5_esw_qos_lag_link_speed_get_locked. 
+ +Fixes: 6b4be64fd9fe ("net/mlx5e: Harden uplink netdev access against device unbind") +Signed-off-by: Cosmin Ratiu +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260316094603.6999-2-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/esw/qos.c | 23 ++++++++----------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c +index 05fbd2098b268..71df503f40d6d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c +@@ -713,24 +713,24 @@ int mlx5_esw_qos_set_vport_rate(struct mlx5_eswitch *esw, struct mlx5_vport *vpo + return err; + } + +-static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev) ++static u32 mlx5_esw_qos_lag_link_speed_get(struct mlx5_core_dev *mdev, ++ bool take_rtnl) + { + struct ethtool_link_ksettings lksettings; + struct net_device *slave, *master; + u32 speed = SPEED_UNKNOWN; + +- /* Lock ensures a stable reference to master and slave netdevice +- * while port speed of master is queried. 
+- */ +- ASSERT_RTNL(); +- + slave = mlx5_uplink_netdev_get(mdev); + if (!slave) + goto out; + ++ if (take_rtnl) ++ rtnl_lock(); + master = netdev_master_upper_dev_get(slave); + if (master && !__ethtool_get_link_ksettings(master, &lksettings)) + speed = lksettings.base.speed; ++ if (take_rtnl) ++ rtnl_unlock(); + + out: + mlx5_uplink_netdev_put(mdev, slave); +@@ -738,20 +738,15 @@ static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev) + } + + static int mlx5_esw_qos_max_link_speed_get(struct mlx5_core_dev *mdev, u32 *link_speed_max, +- bool hold_rtnl_lock, struct netlink_ext_ack *extack) ++ bool take_rtnl, ++ struct netlink_ext_ack *extack) + { + int err; + + if (!mlx5_lag_is_active(mdev)) + goto skip_lag; + +- if (hold_rtnl_lock) +- rtnl_lock(); +- +- *link_speed_max = mlx5_esw_qos_lag_link_speed_get_locked(mdev); +- +- if (hold_rtnl_lock) +- rtnl_unlock(); ++ *link_speed_max = mlx5_esw_qos_lag_link_speed_get(mdev, take_rtnl); + + if (*link_speed_max != (u32)SPEED_UNKNOWN) + return 0; +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch b/queue-6.6/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch new file mode 100644 index 0000000000..ee18e86cd7 --- /dev/null +++ b/queue-6.6/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch 
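Review bot: The `!take_rtnl` path of mlx5_esw_qos_lag_link_speed_get() now trusts the caller to hold RTNL without any check, because the ASSERT_RTNL() was removed and nothing replaced it, while netdev_master_upper_dev_get() and __ethtool_get_link_ksettings() still need RTNL held. Keeping the lockdep check on that path is free: `if (take_rtnl) rtnl_lock(); else ASSERT_RTNL();` in place of the bare `if (take_rtnl) rtnl_lock();`. The renamed parameter also deserves a one-line comment on the helper saying that `take_rtnl == false` means the caller already holds RTNL, since the name alone does not say who is responsible.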
@@ -0,0 +1,128 @@ +From 9d79acebefa0fa44ef61dc6014cde59eab767039 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 11:46:03 +0200 +Subject: net/mlx5e: Fix race condition during IPSec ESN update + +From: Jianbo Liu + +[ Upstream commit beb6e2e5976a128b0cccf10d158124422210c5ef ] + +In IPSec full offload mode, the device reports an ESN (Extended +Sequence Number) wrap event to the driver. The driver validates this +event by querying the IPSec ASO and checking that the esn_event_arm +field is 0x0, which indicates an event has occurred. After handling +the event, the driver must re-arm the context by setting esn_event_arm +back to 0x1. + +A race condition exists in this handling path. After validating the +event, the driver calls mlx5_accel_esp_modify_xfrm() to update the +kernel's xfrm state. This function temporarily releases and +re-acquires the xfrm state lock. + +So, need to acknowledge the event first by setting esn_event_arm to +0x1. This prevents the driver from reprocessing the same ESN update if +the hardware sends events for other reason. Since the next ESN update +only occurs after nearly 2^31 packets are received, there's no risk of +missing an update, as it will happen long after this handling has +finished. + +Processing the event twice causes the ESN high-order bits (esn_msb) to +be incremented incorrectly. The driver then programs the hardware with +this invalid ESN state, which leads to anti-replay failures and a +complete halt of IPSec traffic. + +Fix this by re-arming the ESN event immediately after it is validated, +before calling mlx5_accel_esp_modify_xfrm(). This ensures that any +spurious, duplicate events are correctly ignored, closing the race +window. 
+ +Fixes: fef06678931f ("net/mlx5e: Fix ESN update kernel panic") +Signed-off-by: Jianbo Liu +Reviewed-by: Leon Romanovsky +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260316094603.6999-4-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../mlx5/core/en_accel/ipsec_offload.c | 33 ++++++++----------- + 1 file changed, 14 insertions(+), 19 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c +index eab368dea0e27..fd03aa4f47b5a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c +@@ -309,10 +309,11 @@ static void mlx5e_ipsec_aso_update(struct mlx5e_ipsec_sa_entry *sa_entry, + mlx5e_ipsec_aso_query(sa_entry, data); + } + +-static void mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry, +- u32 mode_param) ++static void ++mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry, ++ u32 mode_param, ++ struct mlx5_accel_esp_xfrm_attrs *attrs) + { +- struct mlx5_accel_esp_xfrm_attrs attrs = {}; + struct mlx5_wqe_aso_ctrl_seg data = {}; + + if (mode_param < MLX5E_IPSEC_ESN_SCOPE_MID) { +@@ -322,18 +323,7 @@ static void mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry, + sa_entry->esn_state.overlap = 1; + } + +- mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, &attrs); +- +- /* It is safe to execute the modify below unlocked since the only flows +- * that could affect this HW object, are create, destroy and this work. +- * +- * Creation flow can't co-exist with this modify work, the destruction +- * flow would cancel this work, and this work is a single entity that +- * can't conflict with it self. 
+- */ +- spin_unlock_bh(&sa_entry->x->lock); +- mlx5_accel_esp_modify_xfrm(sa_entry, &attrs); +- spin_lock_bh(&sa_entry->x->lock); ++ mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, attrs); + + data.data_offset_condition_operand = + MLX5_IPSEC_ASO_REMOVE_FLOW_PKT_CNT_OFFSET; +@@ -450,7 +440,9 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work) + struct mlx5e_ipsec_work *work = + container_of(_work, struct mlx5e_ipsec_work, work); + struct mlx5e_ipsec_sa_entry *sa_entry = work->data; ++ struct mlx5_accel_esp_xfrm_attrs tmp = {}; + struct mlx5_accel_esp_xfrm_attrs *attrs; ++ bool need_modify = false; + int ret; + + attrs = &sa_entry->attrs; +@@ -460,19 +452,22 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work) + if (ret) + goto unlock; + ++ if (attrs->lft.soft_packet_limit != XFRM_INF) ++ mlx5e_ipsec_handle_limits(sa_entry); ++ + if (attrs->replay_esn.trigger && + !MLX5_GET(ipsec_aso, sa_entry->ctx, esn_event_arm)) { + u32 mode_param = MLX5_GET(ipsec_aso, sa_entry->ctx, + mode_parameter); + +- mlx5e_ipsec_update_esn_state(sa_entry, mode_param); ++ mlx5e_ipsec_update_esn_state(sa_entry, mode_param, &tmp); ++ need_modify = true; + } + +- if (attrs->lft.soft_packet_limit != XFRM_INF) +- mlx5e_ipsec_handle_limits(sa_entry); +- + unlock: + spin_unlock_bh(&sa_entry->x->lock); ++ if (need_modify) ++ mlx5_accel_esp_modify_xfrm(sa_entry, &tmp); + kfree(work); + } + +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch b/queue-6.6/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch new file mode 100644 index 0000000000..aea68a9b06 --- /dev/null +++ b/queue-6.6/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch 
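Review bot: The new `mlx5_accel_esp_modify_xfrm(sa_entry, &tmp)` after `spin_unlock_bh(&sa_entry->x->lock)` in mlx5e_ipsec_handle_event() loses the justification the deleted comment in mlx5e_ipsec_update_esn_state() carried — why the modify may run without x->lock without racing the destroy path; I would restate it at the new call site: `/* Runs without x->lock: destroy cancels this work and create cannot overlap it. */`. The hunk also moves mlx5e_ipsec_handle_limits() ahead of the ESN check without explanation, presumably so it reads sa_entry->ctx before the ESN path's ASO update overwrites that snapshot (mlx5e_ipsec_aso_update() calls mlx5e_ipsec_aso_query() per the visible context), but that reasoning belongs in the commit message or a comment. mlx5e_ipsec_update_esn_state() continues past this hunk, so the re-arm the message describes is not visible here.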
@@ -0,0 +1,115 @@ +From f019586d1626d8563a0a7ee60e5cfce4587f5c4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 11:46:02 +0200 +Subject: net/mlx5e: Prevent concurrent access to IPSec ASO context + +From: Jianbo Liu + +[ Upstream commit 99b36850d881e2d65912b2520a1c80d0fcc9429a ] + +The query or updating IPSec offload object is through Access ASO WQE. +The driver uses a single mlx5e_ipsec_aso struct for each PF, which +contains a shared DMA-mapped context for all ASO operations. + +A race condition exists because the ASO spinlock is released before +the hardware has finished processing WQE. If a second operation is +initiated immediately after, it overwrites the shared context in the +DMA area. + +When the first operation's completion is processed later, it reads +this corrupted context, leading to unexpected behavior and incorrect +results. + +This commit fixes the race by introducing a private context within +each IPSec offload object. The shared ASO context is now copied to +this private context while the ASO spinlock is held. Subsequent +processing uses this saved, per-object context, ensuring its integrity +is maintained. 
+ +Fixes: 1ed78fc03307 ("net/mlx5e: Update IPsec soft and hard limits") +Signed-off-by: Jianbo Liu +Reviewed-by: Leon Romanovsky +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260316094603.6999-3-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/en_accel/ipsec.h | 1 + + .../mellanox/mlx5/core/en_accel/ipsec_offload.c | 17 ++++++++--------- + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h +index 9e7c42c2f77b2..bb8942b1a23d2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h +@@ -266,6 +266,7 @@ struct mlx5e_ipsec_sa_entry { + struct mlx5e_ipsec_dwork *dwork; + struct mlx5e_ipsec_limits limits; + u32 rx_mapped_id; ++ u8 ctx[MLX5_ST_SZ_BYTES(ipsec_aso)]; + }; + + struct mlx5_accel_pol_xfrm_attrs { +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c +index 940e350058d10..eab368dea0e27 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c +@@ -369,20 +369,18 @@ static void mlx5e_ipsec_aso_update_soft(struct mlx5e_ipsec_sa_entry *sa_entry, + static void mlx5e_ipsec_handle_limits(struct mlx5e_ipsec_sa_entry *sa_entry) + { + struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs; +- struct mlx5e_ipsec *ipsec = sa_entry->ipsec; +- struct mlx5e_ipsec_aso *aso = ipsec->aso; + bool soft_arm, hard_arm; + u64 hard_cnt; + + lockdep_assert_held(&sa_entry->x->lock); + +- soft_arm = !MLX5_GET(ipsec_aso, aso->ctx, soft_lft_arm); +- hard_arm = !MLX5_GET(ipsec_aso, aso->ctx, hard_lft_arm); ++ soft_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, soft_lft_arm); ++ hard_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, 
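Review bot: The new `u8 ctx[MLX5_ST_SZ_BYTES(ipsec_aso)]` in struct mlx5e_ipsec_sa_entry is read through MLX5_GET(), which as far as I recall performs 32-bit big-endian loads, so the array relies on 4-byte alignment; it gets that today only because it follows `u32 rx_mapped_id`. Declaring it `u8 ctx[MLX5_ST_SZ_BYTES(ipsec_aso)] __aligned(4);`, or adding a one-line comment naming the dependency, keeps a future field reorder from producing unaligned accesses on strict architectures. struct mlx5e_ipsec_sa_entry starts before this hunk.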
hard_lft_arm); + if (!soft_arm && !hard_arm) + /* It is not lifetime event */ + return; + +- hard_cnt = MLX5_GET(ipsec_aso, aso->ctx, remove_flow_pkt_cnt); ++ hard_cnt = MLX5_GET(ipsec_aso, sa_entry->ctx, remove_flow_pkt_cnt); + if (!hard_cnt || hard_arm) { + /* It is possible to see packet counter equal to zero without + * hard limit event armed. Such situation can be if packet +@@ -453,10 +451,8 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work) + container_of(_work, struct mlx5e_ipsec_work, work); + struct mlx5e_ipsec_sa_entry *sa_entry = work->data; + struct mlx5_accel_esp_xfrm_attrs *attrs; +- struct mlx5e_ipsec_aso *aso; + int ret; + +- aso = sa_entry->ipsec->aso; + attrs = &sa_entry->attrs; + + spin_lock_bh(&sa_entry->x->lock); +@@ -465,8 +461,9 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work) + goto unlock; + + if (attrs->replay_esn.trigger && +- !MLX5_GET(ipsec_aso, aso->ctx, esn_event_arm)) { +- u32 mode_param = MLX5_GET(ipsec_aso, aso->ctx, mode_parameter); ++ !MLX5_GET(ipsec_aso, sa_entry->ctx, esn_event_arm)) { ++ u32 mode_param = MLX5_GET(ipsec_aso, sa_entry->ctx, ++ mode_parameter); + + mlx5e_ipsec_update_esn_state(sa_entry, mode_param); + } +@@ -628,6 +625,8 @@ int mlx5e_ipsec_aso_query(struct mlx5e_ipsec_sa_entry *sa_entry, + /* We are in atomic context */ + udelay(10); + } while (ret && time_is_after_jiffies(expires)); ++ if (!ret) ++ memcpy(sa_entry->ctx, aso->ctx, MLX5_ST_SZ_BYTES(ipsec_aso)); + spin_unlock_bh(&aso->lock); + return ret; + } +-- +2.51.0 + diff --git a/queue-6.6/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch b/queue-6.6/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch new file mode 100644 index 0000000000..220452b0b9 --- /dev/null +++ b/queue-6.6/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch 
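Review bot: The snapshot added at the end of mlx5e_ipsec_aso_query() is taken on every successful call, including the update-flavoured calls issued through mlx5e_ipsec_aso_update() (the visible context shows it calling mlx5e_ipsec_aso_query(sa_entry, data)), so in mlx5e_ipsec_handle_event() the `sa_entry->ctx` that mlx5e_ipsec_handle_limits() reads after mlx5e_ipsec_update_esn_state() reflects the last WQE's context rather than the initial query; whether the update WQE returns different contents is not visible here and should be confirmed. If it does, snapshot only for pure queries, e.g. `if (!ret && !data) memcpy(sa_entry->ctx, aso->ctx, MLX5_ST_SZ_BYTES(ipsec_aso));`, or have callers consume the fields before issuing updates. Since the per-SA copy is written outside any per-SA lock as far as this hunk shows, a `lockdep_assert_held(&sa_entry->x->lock);` at the top of mlx5e_ipsec_aso_query() would document the expectation, assuming all callers already hold it.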
@@ -0,0 +1,86 @@ +From 9b2061f04e3d82bc8a1f215192f14ed7e41de351 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 12:31:01 -0700 +Subject: net: mvpp2: guard flow control update with global_tx_fc in buffer + switching + +From: Muhammad Hammad Ijaz + +[ Upstream commit 8a63baadf08453f66eb582fdb6dd234f72024723 ] + +mvpp2_bm_switch_buffers() unconditionally calls +mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and +shared buffer pool modes. This function programs CM3 flow control +registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference +priv->cm3_base without any NULL check. + +When the CM3 SRAM resource is not present in the device tree (the +third reg entry added by commit 60523583b07c ("dts: marvell: add CM3 +SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains +NULL and priv->global_tx_fc is false. Any operation that triggers +mvpp2_bm_switch_buffers(), for example an MTU change that crosses +the jumbo frame threshold, will crash: + + Unable to handle kernel NULL pointer dereference at + virtual address 0000000000000000 + Mem abort info: + ESR = 0x0000000096000006 + EC = 0x25: DABT (current EL), IL = 32 bits + pc : readl+0x0/0x18 + lr : mvpp2_cm3_read.isra.0+0x14/0x20 + Call trace: + readl+0x0/0x18 + mvpp2_bm_pool_update_fc+0x40/0x12c + mvpp2_bm_pool_update_priv_fc+0x94/0xd8 + mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0 + mvpp2_change_mtu+0x140/0x380 + __dev_set_mtu+0x1c/0x38 + dev_set_mtu_ext+0x78/0x118 + dev_set_mtu+0x48/0xa8 + dev_ifsioc+0x21c/0x43c + dev_ioctl+0x2d8/0x42c + sock_ioctl+0x314/0x378 + +Every other flow control call site in the driver already guards +hardware access with either priv->global_tx_fc or port->tx_fc. +mvpp2_bm_switch_buffers() is the only place that omits this check. + +Add the missing priv->global_tx_fc guard to both the disable and +re-enable calls in mvpp2_bm_switch_buffers(), consistent with the +rest of the driver. 
+
+Fixes: 3a616b92a9d1 ("net: mvpp2: Add TX flow control support for jumbo frames")
+Signed-off-by: Muhammad Hammad Ijaz
+Reviewed-by: Gunnar Kudrjavets
+Link: https://patch.msgid.link/20260316193157.65748-1-mhijaz@amazon.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index aabc39f7690f8..410c9dea4fa2e 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -5012,7 +5012,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+ if (priv->percpu_pools)
+ numbufs = port->nrxqs * 2;
+
+- if (change_percpu)
++ if (change_percpu && priv->global_tx_fc)
+ mvpp2_bm_pool_update_priv_fc(priv, false);
+
+ for (i = 0; i < numbufs; i++)
+@@ -5037,7 +5037,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+ mvpp2_open(port->dev);
+ }
+
+- if (change_percpu)
++ if (change_percpu && priv->global_tx_fc)
+ mvpp2_bm_pool_update_priv_fc(priv, true);
+
+ return 0;
+--
+2.51.0
+
diff --git a/queue-6.6/net-rose-fix-null-pointer-dereference-in-rose_transm.patch b/queue-6.6/net-rose-fix-null-pointer-dereference-in-rose_transm.patch
new file mode 100644
index 0000000000..69e221db1a
--- /dev/null
+++ b/queue-6.6/net-rose-fix-null-pointer-dereference-in-rose_transm.patch
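Review bot: The `priv->global_tx_fc` guard is now repeated at both call sites in mvpp2_bm_switch_buffers(), and the commit message says every other flow-control caller already carries the same test, which suggests the check belongs inside mvpp2_bm_pool_update_priv_fc() so no future caller can reach mvpp2_cm3_read() with a NULL cm3_base; that is a follow-up rather than a blocker for a stable fix. At minimum the first guard should record why it exists: `/* CM3 flow-control registers are only mapped when global_tx_fc is set */`. mvpp2_bm_switch_buffers() starts before and ends after this hunk.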
@@ -0,0 +1,64 @@ +From 010e1833c15f7117be13bda50dd9284e1d07329e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 15:06:02 +0800 +Subject: net/rose: fix NULL pointer dereference in rose_transmit_link on + reconnect + +From: Jiayuan Chen + +[ Upstream commit e1f0a18c9564cdb16523c802e2c6fe5874e3d944 ] + +syzkaller reported a bug [1], and the reproducer is available at [2]. + +ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, +TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects +calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING +(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. + +When rose_connect() is called a second time while the first connection +attempt is still in progress (TCP_SYN_SENT), it overwrites +rose->neighbour via rose_get_neigh(). If that returns NULL, the socket +is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL. +When the socket is subsequently closed, rose_release() sees +ROSE_STATE_1 and calls rose_write_internal() -> +rose_transmit_link(skb, NULL), causing a NULL pointer dereference. + +Per connect(2), a second connect() while a connection is already in +progress should return -EALREADY. Add this missing check for +TCP_SYN_SENT to complete the state validation in rose_connect(). 
+
+[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271
+[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+d00f90e0af54102fb271@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0027.GAE@google.com/T/
+Suggested-by: Eric Dumazet
+Signed-off-by: Jiayuan Chen
+Reviewed-by: Eric Dumazet
+Link: https://patch.msgid.link/20260311070611.76913-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/rose/af_rose.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 1cc5eaeb1c608..e80bc7788bec5 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -810,6 +810,11 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
+ goto out_release;
+ }
+
++ if (sk->sk_state == TCP_SYN_SENT) {
++ err = -EALREADY;
++ goto out_release;
++ }
++
+ sk->sk_state = TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
+
+--
+2.51.0
+
diff --git a/queue-6.6/net-sched-teql-fix-double-free-in-teql_master_xmit.patch b/queue-6.6/net-sched-teql-fix-double-free-in-teql_master_xmit.patch
new file mode 100644
index 0000000000..6ab803ef6c
--- /dev/null
+++ b/queue-6.6/net-sched-teql-fix-double-free-in-teql_master_xmit.patch
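Review bot: The new TCP_SYN_SENT check in rose_connect() is correct only because it sits before `sk->sk_state = TCP_CLOSE` and the later rose_get_neigh() call that would overwrite the in-progress `rose->neighbour`, but nothing in the code ties the check to that hazard, so a reorder could silently reintroduce the NULL neighbour in ROSE_STATE_1. I would add above the `if`: `/* connect() already in progress: do not re-run rose_get_neigh() and clobber rose->neighbour. */`. The TCP_ESTABLISHED and TCP_CLOSE/SS_CONNECTING checks the message refers to are outside this hunk; rose_connect() starts before and ends after it.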
@@ -0,0 +1,202 @@ +From 98198770adf9933beb9cfe7bbdd94899860119dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 11:54:22 -0400 +Subject: net/sched: teql: Fix double-free in teql_master_xmit + +From: Jamal Hadi Salim + +[ Upstream commit 66360460cab63c248ca5b1070a01c0c29133b960 ] + +Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should +be called using the seq_lock to avoid racing with the datapath. Failure +to do so may cause crashes like the following: + +[ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139) +[ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318 +[ 238.029749][ T318] +[ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full) +[ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 +[ 238.029910][ T318] Call Trace: +[ 238.029913][ T318] +[ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122) +[ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) +[ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139) +[ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +... +[ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139) +[ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563) +[ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139) +[ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231) +[ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1)) +[ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139) +... +[ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256) +[ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827) +[ 238.030039][ T318] ? 
srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +... +[ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034) +[ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157) +[ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077) +[ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159) +[ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091) +[ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) +[ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556) +... +[ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s: +[ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58) +[ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5)) +[ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369) +[ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921) +[ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107)) +[ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713) +[ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763) +[ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997) +[ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108) +[ 238.081469][ T318] +[ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s: +[ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58) +[ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5)) +[ 238.085348][ T318] 
kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1)) +[ 238.085900][ T318] __kasan_slab_free (mm/kasan/common.c:287) +[ 238.086439][ T318] kmem_cache_free (mm/slub.c:6168 (discriminator 3) mm/slub.c:6298 (discriminator 3)) +[ 238.087007][ T318] skb_release_data (net/core/skbuff.c:1139) +[ 238.087491][ T318] consume_skb (net/core/skbuff.c:1451) +[ 238.087757][ T318] teql_master_xmit (net/sched/sch_teql.c:358) +[ 238.088116][ T318] dev_hard_start_xmit (./include/linux/netdevice.h:5324 ./include/linux/netdevice.h:5333 net/core/dev.c:3871 net/core/dev.c:3887) +[ 238.088468][ T318] sch_direct_xmit (net/sched/sch_generic.c:347) +[ 238.088820][ T318] __qdisc_run (net/sched/sch_generic.c:420 (discriminator 1)) +[ 238.089166][ T318] __dev_queue_xmit (./include/net/sch_generic.h:229 ./include/net/pkt_sched.h:121 ./include/net/pkt_sched.h:117 net/core/dev.c:4196 net/core/dev.c:4802) + +Workflow to reproduce: +1. Initialize a TEQL topology (dummy0 and ifb0 as slaves, teql0 up). +2. Start multiple sender workers continuously transmitting packets + through teql0 to drive teql_master_xmit(). +3. In parallel, repeatedly delete and re-add the root qdisc on + dummy0 and ifb0 via RTNETLINK, forcing frequent teardown and reset activity + (teql_destroy() / qdisc_reset()). +4. After running both workloads concurrently for several iterations, + KASAN reports slab-use-after-free or double-free in the skb free path. + +Fix this by moving dev_reset_queue to sch_generic.h and calling it, instead +of qdisc_reset, in teql_destroy since it handles both the lock and lockless +cases correctly for root qdiscs. 
+ +Fixes: 96009c7d500e ("sched: replace __QDISC_STATE_RUNNING bit with a spin lock") +Reported-by: Xianrui Dong +Tested-by: Xianrui Dong +Co-developed-by: Victor Nogueira +Signed-off-by: Victor Nogueira +Signed-off-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260315155422.147256-1-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sch_generic.h | 28 ++++++++++++++++++++++++++++ + net/sched/sch_generic.c | 27 --------------------------- + net/sched/sch_teql.c | 7 ++----- + 3 files changed, 30 insertions(+), 32 deletions(-) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index 232b7b22e993a..15f4a0548d824 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -694,6 +694,34 @@ void qdisc_destroy(struct Qdisc *qdisc); + void qdisc_put(struct Qdisc *qdisc); + void qdisc_put_unlocked(struct Qdisc *qdisc); + void qdisc_tree_reduce_backlog(struct Qdisc *qdisc, int n, int len); ++ ++static inline void dev_reset_queue(struct net_device *dev, ++ struct netdev_queue *dev_queue, ++ void *_unused) ++{ ++ struct Qdisc *qdisc; ++ bool nolock; ++ ++ qdisc = rtnl_dereference(dev_queue->qdisc_sleeping); ++ if (!qdisc) ++ return; ++ ++ nolock = qdisc->flags & TCQ_F_NOLOCK; ++ ++ if (nolock) ++ spin_lock_bh(&qdisc->seqlock); ++ spin_lock_bh(qdisc_lock(qdisc)); ++ ++ qdisc_reset(qdisc); ++ ++ spin_unlock_bh(qdisc_lock(qdisc)); ++ if (nolock) { ++ clear_bit(__QDISC_STATE_MISSED, &qdisc->state); ++ clear_bit(__QDISC_STATE_DRAINING, &qdisc->state); ++ spin_unlock_bh(&qdisc->seqlock); ++ } ++} ++ + #ifdef CONFIG_NET_SCHED + int qdisc_offload_dump_helper(struct Qdisc *q, enum tc_setup_type type, + void *type_data); +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c +index c1c67da2d3fc4..714e51f8d46e9 100644 +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -1290,33 +1290,6 @@ static void dev_deactivate_queue(struct net_device *dev, + } + } + +-static void 
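Review bot: dev_reset_queue() lands in include/net/sch_generic.h as a static inline with no kernel-doc, and its `dev` and `_unused` parameters exist only to match the netdev_for_each_tx_queue() callback shape, which is no longer obvious now that a caller outside sch_generic.c uses it directly. A short header comment would help: `/* Reset @dev_queue's sleeping qdisc, taking seqlock first for TCQ_F_NOLOCK roots. Caller must hold RTNL; @dev and @_unused exist for the netdev_for_each_tx_queue() callback signature. */`. The inline also depends on qdisc_reset(), qdisc_lock() and the __QDISC_STATE_* bits being declared earlier in the header, which the placement after qdisc_tree_reduce_backlog() presumably guarantees.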
dev_reset_queue(struct net_device *dev,
+- struct netdev_queue *dev_queue,
+- void *_unused)
+-{
+- struct Qdisc *qdisc;
+- bool nolock;
+-
+- qdisc = rtnl_dereference(dev_queue->qdisc_sleeping);
+- if (!qdisc)
+- return;
+-
+- nolock = qdisc->flags & TCQ_F_NOLOCK;
+-
+- if (nolock)
+- spin_lock_bh(&qdisc->seqlock);
+- spin_lock_bh(qdisc_lock(qdisc));
+-
+- qdisc_reset(qdisc);
+-
+- spin_unlock_bh(qdisc_lock(qdisc));
+- if (nolock) {
+- clear_bit(__QDISC_STATE_MISSED, &qdisc->state);
+- clear_bit(__QDISC_STATE_DRAINING, &qdisc->state);
+- spin_unlock_bh(&qdisc->seqlock);
+- }
+-}
+-
+ static bool some_qdisc_is_busy(struct net_device *dev)
+ {
+ unsigned int i;
+diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
+index c89cb6eba27da..efcca26966213 100644
+--- a/net/sched/sch_teql.c
++++ b/net/sched/sch_teql.c
+@@ -146,15 +146,12 @@ teql_destroy(struct Qdisc *sch)
+ master->slaves = NEXT_SLAVE(q);
+ if (q == master->slaves) {
+ struct netdev_queue *txq;
+- spinlock_t *root_lock;
+
+ txq = netdev_get_tx_queue(master->dev, 0);
+ master->slaves = NULL;
+
+- root_lock = qdisc_root_sleeping_lock(rtnl_dereference(txq->qdisc));
+- spin_lock_bh(root_lock);
+- qdisc_reset(rtnl_dereference(txq->qdisc));
+- spin_unlock_bh(root_lock);
++ dev_reset_queue(master->dev,
++ txq, NULL);
+ }
+ }
+ skb_queue_purge(&dat->q);
+--
+2.51.0
+
diff --git a/queue-6.6/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch b/queue-6.6/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch
new file mode 100644
index 0000000000..a9c0424b12
--- /dev/null
+++ b/queue-6.6/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch
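Review bot: The replacement in teql_destroy() resets `txq->qdisc_sleeping` (through dev_reset_queue()) where the old code reset `txq->qdisc`; the two differ while the master device is deactivated, when txq->qdisc presumably points at the default no-op qdisc and the real root is parked in qdisc_sleeping, so the new code now resets the real root in that state — likely an improvement, but the commit message does not mention it and a one-line comment would make the target explicit: `/* Reset the sleeping root (not txq->qdisc) so a deactivated master is covered too. */`. Passing `master->dev` is harmless since dev_reset_queue() ignores it, and the rtnl_dereference() requirement is unchanged from the previous code. teql_destroy() starts before and ends after this hunk.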
@@ -0,0 +1,208 @@ +From 66aa4249ada8f4a7d0d6ffccafbffc94ef3c6073 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 17:29:07 +0800 +Subject: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() + +From: Jiayuan Chen + +[ Upstream commit 6d5e4538364b9ceb1ac2941a4deb86650afb3538 ] + +Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1]. + +smc_tcp_syn_recv_sock() is called in the TCP receive path +(softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP +listening socket). It reads sk_user_data to get the smc_sock +pointer. However, when the SMC listen socket is being closed +concurrently, smc_close_active() sets clcsock->sk_user_data +to NULL under sk_callback_lock, and then the smc_sock itself +can be freed via sock_put() in smc_release(). + +This leads to two issues: + +1) NULL pointer dereference: sk_user_data is NULL when + accessed. +2) Use-after-free: sk_user_data is read as non-NULL, but the + smc_sock is freed before its fields (e.g., queued_smc_hs, + ori_af_ops) are accessed. + +The race window looks like this (the syzkaller crash [1] +triggers via the SYN cookie path: tcp_get_cookie_sock() -> +smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path +has the same race): + + CPU A (softirq) CPU B (process ctx) + + tcp_v4_rcv() + TCP_NEW_SYN_RECV: + sk = req->rsk_listener + sock_hold(sk) + /* No lock on listener */ + smc_close_active(): + write_lock_bh(cb_lock) + sk_user_data = NULL + write_unlock_bh(cb_lock) + ... + smc_clcsock_release() + sock_put(smc->sk) x2 + -> smc_sock freed! + tcp_check_req() + smc_tcp_syn_recv_sock(): + smc = user_data(sk) + -> NULL or dangling + smc->queued_smc_hs + -> crash! + +Note that the clcsock and smc_sock are two independent objects +with separate refcounts. TCP stack holds a reference on the +clcsock, which keeps it alive, but this does NOT prevent the +smc_sock from being freed. + +Fix this by using RCU and refcount_inc_not_zero() to safely +access smc_sock. 
Since smc_tcp_syn_recv_sock() is called in +the TCP three-way handshake path, taking read_lock_bh on +sk_callback_lock is too heavy and would not survive a SYN +flood attack. Using rcu_read_lock() is much more lightweight. + +- Set SOCK_RCU_FREE on the SMC listen socket so that + smc_sock freeing is deferred until after the RCU grace + period. This guarantees the memory is still valid when + accessed inside rcu_read_lock(). +- Use rcu_read_lock() to protect reading sk_user_data. +- Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the + smc_sock. If the refcount has already reached zero (close + path completed), it returns false and we bail out safely. + +Note: smc_hs_congested() has a similar lockless read of +sk_user_data without rcu_read_lock(), but it only checks for +NULL and accesses the global smc_hs_wq, never dereferencing +any smc_sock field, so it is not affected. + +Reproducer was verified with mdelay injection and smc_run, +the issue no longer occurs with this patch applied. 
+ +[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9 + +Fixes: 8270d9c21041 ("net/smc: Limit backlog connections") +Reported-by: syzbot+827ae2bfb3a3529333e9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67eaf9b8.050a0220.3c3d88.004a.GAE@google.com/T/ +Suggested-by: Eric Dumazet +Reviewed-by: Eric Dumazet +Signed-off-by: Jiayuan Chen +Link: https://patch.msgid.link/20260312092909.48325-1-jiayuan.chen@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 23 +++++++++++++++++------ + net/smc/smc.h | 5 +++++ + net/smc/smc_close.c | 2 +- + 3 files changed, 23 insertions(+), 7 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index b3bfd0f18d418..0e9a3b8da6a63 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -124,7 +124,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk, + struct smc_sock *smc; + struct sock *child; + +- smc = smc_clcsock_user_data(sk); ++ rcu_read_lock(); ++ smc = smc_clcsock_user_data_rcu(sk); ++ if (!smc || !refcount_inc_not_zero(&smc->sk.sk_refcnt)) { ++ rcu_read_unlock(); ++ smc = NULL; ++ goto drop; ++ } ++ rcu_read_unlock(); + + if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) > + sk->sk_max_ack_backlog) +@@ -146,11 +153,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk, + if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops) + inet_csk(child)->icsk_af_ops = smc->ori_af_ops; + } ++ sock_put(&smc->sk); + return child; + + drop: + dst_release(dst); + tcp_listendrop(sk); ++ if (smc) ++ sock_put(&smc->sk); + return NULL; + } + +@@ -249,7 +259,7 @@ static void smc_fback_restore_callbacks(struct smc_sock *smc) + struct sock *clcsk = smc->clcsock->sk; + + write_lock_bh(&clcsk->sk_callback_lock); +- clcsk->sk_user_data = NULL; ++ rcu_assign_sk_user_data(clcsk, NULL); + + smc_clcsock_restore_cb(&clcsk->sk_state_change, &smc->clcsk_state_change); + smc_clcsock_restore_cb(&clcsk->sk_data_ready, 
&smc->clcsk_data_ready); +@@ -882,7 +892,7 @@ static void smc_fback_replace_callbacks(struct smc_sock *smc) + struct sock *clcsk = smc->clcsock->sk; + + write_lock_bh(&clcsk->sk_callback_lock); +- clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); ++ __rcu_assign_sk_user_data_with_flags(clcsk, smc, SK_USER_DATA_NOCOPY); + + smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change, + &smc->clcsk_state_change); +@@ -2651,8 +2661,8 @@ static int smc_listen(struct socket *sock, int backlog) + * smc-specific sk_data_ready function + */ + write_lock_bh(&smc->clcsock->sk->sk_callback_lock); +- smc->clcsock->sk->sk_user_data = +- (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); ++ __rcu_assign_sk_user_data_with_flags(smc->clcsock->sk, smc, ++ SK_USER_DATA_NOCOPY); + smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready, + smc_clcsock_data_ready, &smc->clcsk_data_ready); + write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); +@@ -2673,10 +2683,11 @@ static int smc_listen(struct socket *sock, int backlog) + write_lock_bh(&smc->clcsock->sk->sk_callback_lock); + smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready, + &smc->clcsk_data_ready); +- smc->clcsock->sk->sk_user_data = NULL; ++ rcu_assign_sk_user_data(smc->clcsock->sk, NULL); + write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); + goto out; + } ++ sock_set_flag(sk, SOCK_RCU_FREE); + sk->sk_max_ack_backlog = backlog; + sk->sk_ack_backlog = 0; + sk->sk_state = SMC_LISTEN; +diff --git a/net/smc/smc.h b/net/smc/smc.h +index 36699ba551887..49bf6971610df 100644 +--- a/net/smc/smc.h ++++ b/net/smc/smc.h +@@ -304,6 +304,11 @@ static inline struct smc_sock *smc_clcsock_user_data(const struct sock *clcsk) + ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY); + } + ++static inline struct smc_sock *smc_clcsock_user_data_rcu(const struct sock *clcsk) ++{ ++ return (struct smc_sock *)rcu_dereference_sk_user_data(clcsk); ++} ++ + /* save target_cb in saved_cb, and replace target_cb with 
new_cb */ + static inline void smc_clcsock_replace_cb(void (**target_cb)(struct sock *), + void (*new_cb)(struct sock *), +diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c +index 10219f55aad14..bb0313ef5f7c1 100644 +--- a/net/smc/smc_close.c ++++ b/net/smc/smc_close.c +@@ -218,7 +218,7 @@ int smc_close_active(struct smc_sock *smc) + write_lock_bh(&smc->clcsock->sk->sk_callback_lock); + smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready, + &smc->clcsk_data_ready); +- smc->clcsock->sk->sk_user_data = NULL; ++ rcu_assign_sk_user_data(smc->clcsock->sk, NULL); + write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); + rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR); + } +-- +2.51.0 + diff --git a/queue-6.6/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch b/queue-6.6/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch new file mode 100644 index 0000000000..f00e2bf563 --- /dev/null +++ b/queue-6.6/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch 
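Review bot: The new helper smc_clcsock_user_data_rcu() in net/smc/smc.h carries no comment about its calling contract, while its non-RCU sibling directly above it visibly masks SK_USER_DATA_NOCOPY by hand and the RCU variant does not. Presumably rcu_dereference_sk_user_data() strips the flag bits itself (the callers in af_smc.c go on to dereference the result), but a reader comparing the two helpers has to go and check; `/* caller must hold rcu_read_lock(); flag bits are stripped by rcu_dereference_sk_user_data() */` above the helper would settle it. The rcu_read_lock()/refcount_inc_not_zero() sequence added at the top of smc_tcp_syn_recv_sock(), whose opening lines are outside the shown context, would likewise benefit from a one-line comment that the pinned reference is released by the sock_put() on both the success path and the drop path, so the three added sock_put() sites read as one pattern.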
@@ -0,0 +1,69 @@ +From 66d153138c5802eb316de1329a8ebc95fcf337a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 16:16:43 +0200 +Subject: net: usb: aqc111: Do not perform PM inside suspend callback + +From: Nikola Z. Ivanov + +[ Upstream commit 069c8f5aebe4d5224cf62acc7d4b3486091c658a ] + +syzbot reports "task hung in rpm_resume" + +This is caused by aqc111_suspend calling +the PM variant of its write_cmd routine. + +The simplified call trace looks like this: + +rpm_suspend() + usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING + aqc111_suspend() - called for the usb device interface + aqc111_write32_cmd() + usb_autopm_get_interface() + pm_runtime_resume_and_get() + rpm_resume() - here we call rpm_resume() on our parent + rpm_resume() - Here we wait for a status change that will never happen. + +At this point we block another task which holds +rtnl_lock and locks up the whole networking stack. + +Fix this by replacing the write_cmd calls with their _nopm variants + +Reported-by: syzbot+48dc1e8dfc92faf1124c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=48dc1e8dfc92faf1124c +Fixes: e58ba4544c77 ("net: usb: aqc111: Add support for wake on LAN by MAGIC packet") +Signed-off-by: Nikola Z. 
Ivanov +Link: https://patch.msgid.link/20260313141643.1181386-1-zlatistiv@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/aqc111.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c +index 3ebb1f84d3025..f1820c0d4830f 100644 +--- a/drivers/net/usb/aqc111.c ++++ b/drivers/net/usb/aqc111.c +@@ -1400,14 +1400,14 @@ static int aqc111_suspend(struct usb_interface *intf, pm_message_t message) + aqc111_write16_cmd_nopm(dev, AQ_ACCESS_MAC, + SFR_MEDIUM_STATUS_MODE, 2, ®16); + +- aqc111_write_cmd(dev, AQ_WOL_CFG, 0, 0, +- WOL_CFG_SIZE, &wol_cfg); +- aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, +- &aqc111_data->phy_cfg); ++ aqc111_write_cmd_nopm(dev, AQ_WOL_CFG, 0, 0, ++ WOL_CFG_SIZE, &wol_cfg); ++ aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0, ++ &aqc111_data->phy_cfg); + } else { + aqc111_data->phy_cfg |= AQ_LOW_POWER; +- aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, +- &aqc111_data->phy_cfg); ++ aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0, ++ &aqc111_data->phy_cfg); + + /* Disable RX path */ + aqc111_read16_cmd_nopm(dev, AQ_ACCESS_MAC, +-- +2.51.0 + diff --git a/queue-6.6/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch b/queue-6.6/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch new file mode 100644 index 0000000000..658cf2cebe --- /dev/null +++ b/queue-6.6/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch 
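Review bot: The switch to the _nopm variants in aqc111_suspend() leaves no trace in the code of why the PM-aware writes must not be used here, so a later edit of this function can reintroduce the hang the commit message describes. A short comment above the first replaced call, `/* suspend path: _nopm variants only, a PM-aware write would try to resume the parent while it is suspending */`, would keep the constraint next to the code. The return values of these writes are also still discarded, as they were before the change; if a failed WoL or PHY register write should be logged or abort the suspend, that is a separate follow-up. The rest of aqc111_suspend() lies outside the shown context.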
@@ -0,0 +1,65 @@ +From a2d88fa63e021931d526330b6a6250df69e14cdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 22:46:39 -0700 +Subject: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check + +From: Tobi Gaertner + +[ Upstream commit 2aa8a4fa8d5b7d0e1ebcec100e1a4d80a1f4b21a ] + +cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE +entries fit within the skb. The first check correctly accounts for +ndpoffset: + + if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) + +but the second check omits it: + + if ((sizeof(struct usb_cdc_ncm_ndp16) + + ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) + +This validates the DPE array size against the total skb length as if +the NDP were at offset 0, rather than at ndpoffset. When the NDP is +placed near the end of the NTB (large wNdpIndex), the DPE entries can +extend past the skb data buffer even though the check passes. +cdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating +the DPE array. + +Add ndpoffset to the nframes bounds check and use struct_size_t() to +express the NDP-plus-DPE-array size more clearly. 
+ +Fixes: ff06ab13a4cc ("net: cdc_ncm: splitting rx_fixup for code reuse") +Signed-off-by: Tobi Gaertner +Link: https://patch.msgid.link/20260314054640.2895026-2-tob.gaertner@me.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_ncm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index 22554daaf6ff1..ae7a2829fe49d 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1656,6 +1656,7 @@ int cdc_ncm_rx_verify_ndp16(struct sk_buff *skb_in, int ndpoffset) + struct usbnet *dev = netdev_priv(skb_in->dev); + struct usb_cdc_ncm_ndp16 *ndp16; + int ret = -EINVAL; ++ size_t ndp_len; + + if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) { + netif_dbg(dev, rx_err, dev->net, "invalid NDP offset <%u>\n", +@@ -1675,8 +1676,8 @@ int cdc_ncm_rx_verify_ndp16(struct sk_buff *skb_in, int ndpoffset) + sizeof(struct usb_cdc_ncm_dpe16)); + ret--; /* we process NDP entries except for the last one */ + +- if ((sizeof(struct usb_cdc_ncm_ndp16) + +- ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) { ++ ndp_len = struct_size_t(struct usb_cdc_ncm_ndp16, dpe16, ret); ++ if (ndpoffset + ndp_len > skb_in->len) { + netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret); + ret = -EINVAL; + } +-- +2.51.0 + diff --git a/queue-6.6/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch b/queue-6.6/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch new file mode 100644 index 0000000000..5b083ee733 --- /dev/null +++ b/queue-6.6/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch 
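Review bot: The new bound `ndpoffset + ndp_len > skb_in->len` in cdc_ncm_rx_verify_ndp16() relies on ret being non-negative, but ret is a signed int that was decremented on the line just above, and the wLength check that bounds it from below is outside the shown context. If that earlier check ever admitted fewer than two DPEs, a negative ret would become a huge count for struct_size_t(), which as far as I can tell saturates rather than overflows, so the addition would wrap and the check would pass; an explicit `if (ret < 0)` rejection, or at least a comment stating the invariant (`/* the wLength minimum check above guarantees ret >= 1 here */`), would make the dependency visible. The same applies to the NDP32 counterpart in the next patch (cdc_ncm_rx_verify_ndp32()). Note also that ndpoffset is an int added to a size_t in both checks; a negative offset wraps to a huge value and is rejected, which is the safe direction but worth a comment if it is relied upon.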
@@ -0,0 +1,54 @@ +From f92bc34d4f3608eb004fc2d679288a3374db6238 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 22:46:40 -0700 +Subject: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check + +From: Tobi Gaertner + +[ Upstream commit 77914255155e68a20aa41175edeecf8121dac391 ] + +The same bounds-check bug fixed for NDP16 in the previous patch also +exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated +against the total skb length without accounting for ndpoffset, allowing +out-of-bounds reads when the NDP32 is placed near the end of the NTB. + +Add ndpoffset to the nframes bounds check and use struct_size_t() to +express the NDP-plus-DPE-array size more clearly. + +Compile-tested only. + +Fixes: 0fa81b304a79 ("cdc_ncm: Implement the 32-bit version of NCM Transfer Block") +Signed-off-by: Tobi Gaertner +Link: https://patch.msgid.link/20260314054640.2895026-3-tob.gaertner@me.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_ncm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index ae7a2829fe49d..56dfd4cd2aa4f 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1693,6 +1693,7 @@ int cdc_ncm_rx_verify_ndp32(struct sk_buff *skb_in, int ndpoffset) + struct usbnet *dev = netdev_priv(skb_in->dev); + struct usb_cdc_ncm_ndp32 *ndp32; + int ret = -EINVAL; ++ size_t ndp_len; + + if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp32)) > skb_in->len) { + netif_dbg(dev, rx_err, dev->net, "invalid NDP offset <%u>\n", +@@ -1712,8 +1713,8 @@ int cdc_ncm_rx_verify_ndp32(struct sk_buff *skb_in, int ndpoffset) + sizeof(struct usb_cdc_ncm_dpe32)); + ret--; /* we process NDP entries except for the last one */ + +- if ((sizeof(struct usb_cdc_ncm_ndp32) + +- ret * (sizeof(struct usb_cdc_ncm_dpe32))) > skb_in->len) { ++ ndp_len = struct_size_t(struct usb_cdc_ncm_ndp32, dpe32, ret); ++ if (ndpoffset + 
ndp_len > skb_in->len) { + netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret); + ret = -EINVAL; + } +-- +2.51.0 + diff --git a/queue-6.6/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch b/queue-6.6/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch new file mode 100644 index 0000000000..aa0bd5257c --- /dev/null +++ b/queue-6.6/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch @@ -0,0 +1,47 @@ +From 76e0365b2771ffa38b973403138b6ccc73f60737 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 12:23:08 +0100 +Subject: netfilter: bpf: defer hook memory release until rcu readers are done + +From: Florian Westphal + +[ Upstream commit 24f90fa3994b992d1a09003a3db2599330a5232a ] + +Yiming Qian reports UaF when concurrent process is dumping hooks via +nfnetlink_hooks: + +BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0 +Read of size 8 at addr ffff888003edbf88 by task poc/79 +Call Trace: + + nfnl_hook_dump_one.isra.0+0xe71/0x10f0 + netlink_dump+0x554/0x12b0 + nfnl_hook_get+0x176/0x230 + [..] + +Defer release until after concurrent readers have completed. + +Reported-by: Yiming Qian +Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_bpf_link.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c +index 658e401b7937e..c65502aa12557 100644 +--- a/net/netfilter/nf_bpf_link.c ++++ b/net/netfilter/nf_bpf_link.c +@@ -170,7 +170,7 @@ static int bpf_nf_link_update(struct bpf_link *link, struct bpf_prog *new_prog, + + static const struct bpf_link_ops bpf_nf_link_lops = { + .release = bpf_nf_link_release, +- .dealloc = bpf_nf_link_dealloc, ++ .dealloc_deferred = bpf_nf_link_dealloc, + .detach = bpf_nf_link_detach, + .show_fdinfo = bpf_nf_link_show_info, + .fill_link_info = bpf_nf_link_fill_link_info, +-- +2.51.0 + 
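Review bot: The change from .dealloc to .dealloc_deferred in bpf_nf_link_lops is what the commit message calls for, but the ops table gives no hint that the hook memory is walked by RCU readers, so a later cleanup could switch it back. A trailing comment, `.dealloc_deferred = bpf_nf_link_dealloc, /* nfnetlink_hook dumps walk the hook under RCU; free only after a grace period */`, would record why the deferred variant is required. Whether bpf_nf_link_dealloc() itself is safe to run from the deferred context cannot be judged here, since its body is outside the shown context.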
diff --git a/queue-6.6/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch b/queue-6.6/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
new file mode 100644
index 0000000000..f4890ca1e9
--- /dev/null
+++ b/queue-6.6/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
@@ -0,0 +1,123 @@ +From f9c2c1d656aac2e04a77d60bf1a40b9e923fa7e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:21:37 +0900 +Subject: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() + +From: Hyunwoo Kim + +[ Upstream commit 5cb81eeda909dbb2def209dd10636b51549a3f8a ] + +ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the +netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the +conntrack reference immediately after netlink_dump_start(). When the +dump spans multiple rounds, the second recvmsg() triggers the dump +callback which dereferences the now-freed conntrack via nfct_help(ct), +leading to a use-after-free on ct->ext. + +The bug is that the netlink_dump_control has no .start or .done +callbacks to manage the conntrack reference across dump rounds. Other +dump functions in the same file (e.g. ctnetlink_get_conntrack) properly +use .start/.done callbacks for this purpose. + +Fix this by adding .start and .done callbacks that hold and release the +conntrack reference for the duration of the dump, and move the +nfct_help() call after the cb->args[0] early-return check in the dump +callback to avoid dereferencing ct->ext unnecessarily. + + BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0 + Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133 + + CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY + Call Trace: + + ctnetlink_exp_ct_dump_table+0x4f/0x2e0 + netlink_dump+0x333/0x880 + netlink_recvmsg+0x3e2/0x4b0 + ? 
aa_sk_perm+0x184/0x450 + sock_recvmsg+0xde/0xf0 + + Allocated by task 133: + kmem_cache_alloc_noprof+0x134/0x440 + __nf_conntrack_alloc+0xa8/0x2b0 + ctnetlink_create_conntrack+0xa1/0x900 + ctnetlink_new_conntrack+0x3cf/0x7d0 + nfnetlink_rcv_msg+0x48e/0x510 + netlink_rcv_skb+0xc9/0x1f0 + nfnetlink_rcv+0xdb/0x220 + netlink_unicast+0x3ec/0x590 + netlink_sendmsg+0x397/0x690 + __sys_sendmsg+0xf4/0x180 + + Freed by task 0: + slab_free_after_rcu_debug+0xad/0x1e0 + rcu_core+0x5c3/0x9c0 + +Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack") +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++++++++++- + 1 file changed, 25 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 237468202a0be..b4761a060e7a0 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3200,7 +3200,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + struct nf_conn *ct = cb->data; +- struct nf_conn_help *help = nfct_help(ct); ++ struct nf_conn_help *help; + u_int8_t l3proto = nfmsg->nfgen_family; + unsigned long last_id = cb->args[1]; + struct nf_conntrack_expect *exp; +@@ -3208,6 +3208,10 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + if (cb->args[0]) + return 0; + ++ help = nfct_help(ct); ++ if (!help) ++ return 0; ++ + rcu_read_lock(); + + restart: +@@ -3237,6 +3241,24 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + return skb->len; + } + ++static int ctnetlink_dump_exp_ct_start(struct netlink_callback *cb) ++{ ++ struct nf_conn *ct = cb->data; ++ ++ if (!refcount_inc_not_zero(&ct->ct_general.use)) ++ return -ENOENT; ++ return 0; ++} ++ ++static int ctnetlink_dump_exp_ct_done(struct 
netlink_callback *cb) ++{ ++ struct nf_conn *ct = cb->data; ++ ++ if (ct) ++ nf_ct_put(ct); ++ return 0; ++} ++ + static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct sk_buff *skb, + const struct nlmsghdr *nlh, +@@ -3252,6 +3274,8 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct nf_conntrack_zone zone; + struct netlink_dump_control c = { + .dump = ctnetlink_exp_ct_dump_table, ++ .start = ctnetlink_dump_exp_ct_start, ++ .done = ctnetlink_dump_exp_ct_done, + }; + + err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, +-- +2.51.0 + diff --git a/queue-6.6/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch b/queue-6.6/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch new file mode 100644 index 0000000000..59728fa3f7 --- /dev/null +++ b/queue-6.6/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch 
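Review bot: The two new callbacks disagree on whether cb->data can be NULL: ctnetlink_dump_exp_ct_start() dereferences ct unconditionally while ctnetlink_dump_exp_ct_done() guards with `if (ct)`. If the guard is merely defensive, a word saying so would stop a reader from taking it as evidence that ct can be NULL and then questioning the start callback; if ct can be NULL, the start callback is the one that needs the check. The pair also carries no comment explaining why the dump needs its own reference, which is only clear from the caller's nf_ct_put() after netlink_dump_start() described in the commit message (outside the shown context); a comment above the start callback such as `/* the caller drops its ct reference right after netlink_dump_start(); pin ct for the whole multi-round dump, released in _done */` would keep the pairing obvious.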
@@ -0,0 +1,165 @@ +From 7554aacaae72c842e24b7abb4aee06c403c713c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Aug 2025 17:25:09 +0200 +Subject: netfilter: ctnetlink: remove refcounting in expectation dumpers + +From: Florian Westphal + +[ Upstream commit 1492e3dcb2be3aa46d1963da96aa9593e4e4db5a ] + +Same pattern as previous patch: do not keep the expectation object +alive via refcount, only store a cookie value and then use that +as the skip hint for dump resumption. + +AFAICS this has the same issue as the one resolved in the conntrack +dumper, when we do + if (!refcount_inc_not_zero(&exp->use)) + +to increment the refcount, there is a chance that exp == last, which +causes a double-increment of the refcount and subsequent memory leak. + +Fixes: cf6994c2b981 ("[NETFILTER]: nf_conntrack_netlink: sync expectation dumping with conntrack table dumping") +Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Stable-dep-of: 5cb81eeda909 ("netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()") +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 41 ++++++++++++---------------- + 1 file changed, 17 insertions(+), 24 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 928bd2013289a..237468202a0be 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3140,23 +3140,27 @@ ctnetlink_expect_event(unsigned int events, const struct nf_exp_event *item) + return 0; + } + #endif +-static int ctnetlink_exp_done(struct netlink_callback *cb) ++ ++static unsigned long ctnetlink_exp_id(const struct nf_conntrack_expect *exp) + { +- if (cb->args[1]) +- nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]); +- return 0; ++ unsigned long id = (unsigned long)exp; ++ ++ id += nf_ct_get_id(exp->master); ++ id += exp->class; ++ ++ 
return id ? id : 1; + } + + static int + ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { + struct net *net = sock_net(skb->sk); +- struct nf_conntrack_expect *exp, *last; + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + u_int8_t l3proto = nfmsg->nfgen_family; ++ unsigned long last_id = cb->args[1]; ++ struct nf_conntrack_expect *exp; + + rcu_read_lock(); +- last = (struct nf_conntrack_expect *)cb->args[1]; + for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { + restart: + hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]], +@@ -3168,7 +3172,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + continue; + + if (cb->args[1]) { +- if (exp != last) ++ if (ctnetlink_exp_id(exp) != last_id) + continue; + cb->args[1] = 0; + } +@@ -3177,9 +3181,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->nlh->nlmsg_seq, + IPCTNL_MSG_EXP_NEW, + exp) < 0) { +- if (!refcount_inc_not_zero(&exp->use)) +- continue; +- cb->args[1] = (unsigned long)exp; ++ cb->args[1] = ctnetlink_exp_id(exp); + goto out; + } + } +@@ -3190,32 +3192,30 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + } + out: + rcu_read_unlock(); +- if (last) +- nf_ct_expect_put(last); +- + return skb->len; + } + + static int + ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { +- struct nf_conntrack_expect *exp, *last; + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + struct nf_conn *ct = cb->data; + struct nf_conn_help *help = nfct_help(ct); + u_int8_t l3proto = nfmsg->nfgen_family; ++ unsigned long last_id = cb->args[1]; ++ struct nf_conntrack_expect *exp; + + if (cb->args[0]) + return 0; + + rcu_read_lock(); +- last = (struct nf_conntrack_expect *)cb->args[1]; ++ + restart: + hlist_for_each_entry_rcu(exp, &help->expectations, lnode) { + if (l3proto && exp->tuple.src.l3num != l3proto) + continue; + if (cb->args[1]) { +- if (exp != last) ++ if 
(ctnetlink_exp_id(exp) != last_id) + continue; + cb->args[1] = 0; + } +@@ -3223,9 +3223,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->nlh->nlmsg_seq, + IPCTNL_MSG_EXP_NEW, + exp) < 0) { +- if (!refcount_inc_not_zero(&exp->use)) +- continue; +- cb->args[1] = (unsigned long)exp; ++ cb->args[1] = ctnetlink_exp_id(exp); + goto out; + } + } +@@ -3236,9 +3234,6 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->args[0] = 1; + out: + rcu_read_unlock(); +- if (last) +- nf_ct_expect_put(last); +- + return skb->len; + } + +@@ -3257,7 +3252,6 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct nf_conntrack_zone zone; + struct netlink_dump_control c = { + .dump = ctnetlink_exp_ct_dump_table, +- .done = ctnetlink_exp_done, + }; + + err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, +@@ -3307,7 +3301,6 @@ static int ctnetlink_get_expect(struct sk_buff *skb, + else { + struct netlink_dump_control c = { + .dump = ctnetlink_exp_dump_table, +- .done = ctnetlink_exp_done, + }; + return netlink_dump_start(info->sk, skb, info->nlh, &c); + } +-- +2.51.0 + diff --git a/queue-6.6/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch b/queue-6.6/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch new file mode 100644 index 0000000000..c5434896a0 --- /dev/null +++ b/queue-6.6/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch 
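Review bot: ctnetlink_exp_id() returns `id ? id : 1` without saying why, and the reason is only visible in the callers: both dump tables test `cb->args[1]` for zero to mean "no resume point", so a cookie that happened to be 0 would silently restart the dump from the top. A comment on the return, `/* 0 is reserved as "no resume point" in cb->args[1] */`, would put the invariant next to the code that depends on it. The cookie is also just the object address plus master id plus class, so an expectation freed and reallocated at the same address for the same master could match last_id and make the dump resume at an unintended entry; presumably that drift is the accepted trade-off of dropping the refcount (no leak, no use-after-free), and a sentence saying so above the helper would pre-empt the question.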
@@ -0,0 +1,47 @@ +From 6d5623ad84cb731c4004907055a7c5b74d2a9aab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 14:49:50 +0000 +Subject: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jenny Guanni Qu + +[ Upstream commit f173d0f4c0f689173f8cdac79991043a4a89bf66 ] + +In DecodeQ931(), the UserUserIE code path reads a 16-bit length from +the packet, then decrements it by 1 to skip the protocol discriminator +byte before passing it to DecodeH323_UserInformation(). If the encoded +length is 0, the decrement wraps to -1, which is then passed as a +large value to the decoder, leading to an out-of-bounds read. + +Add a check to ensure len is positive after the decrement. + +Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Tested-by: Jenny Guanni Qu +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_h323_asn1.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c +index c972e9488e16f..7b1497ed97d26 100644 +--- a/net/netfilter/nf_conntrack_h323_asn1.c ++++ b/net/netfilter/nf_conntrack_h323_asn1.c +@@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931) + break; + p++; + len--; ++ if (len <= 0) ++ break; + return DecodeH323_UserInformation(buf, p, len, + &q931->UUIE); + } +-- +2.51.0 + diff --git a/queue-6.6/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch b/queue-6.6/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch new file mode 100644 index 0000000000..4f16b7122f --- /dev/null +++ b/queue-6.6/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch 
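Review bot: The new `if (len <= 0) break;` in DecodeQ931() is correct, but the preceding `len--` still has no comment saying what the skipped byte is, so the pair reads as arbitrary. A comment such as `/* skip the protocol discriminator; an empty UUIE has nothing to decode */` on the decrement would make the fix self-explanatory. The loop this switch sits in runs outside the shown context, so whether an empty UserUser IE should be skipped (as the break does) or treated as malformed cannot be settled here; a comment stating the choice would help.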
@@ -0,0 +1,48 @@ +From f346443a507b638d97b3b1d71fb7b130e00ed9fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 02:29:32 +0000 +Subject: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jenny Guanni Qu + +[ Upstream commit 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a ] + +In decode_int(), the CONS case calls get_bits(bs, 2) to read a length +value, then calls get_uint(bs, len) without checking that len bytes +remain in the buffer. The existing boundary check only validates the +2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() +reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte +slab-out-of-bounds read. + +Add a boundary check for len bytes after get_bits() and before +get_uint(). + +Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_h323_asn1.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c +index 62aa22a078769..c972e9488e16f 100644 +--- a/net/netfilter/nf_conntrack_h323_asn1.c ++++ b/net/netfilter/nf_conntrack_h323_asn1.c +@@ -331,6 +331,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f, + if (nf_h323_error_boundary(bs, 0, 2)) + return H323_ERROR_BOUND; + len = get_bits(bs, 2) + 1; ++ if (nf_h323_error_boundary(bs, len, 0)) ++ return H323_ERROR_BOUND; + BYTE_ALIGN(bs); + if (base && (f->attr & DECODE)) { /* timeToLive */ + unsigned int v = get_uint(bs, len) + f->lb; +-- +2.51.0 + diff --git a/queue-6.6/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch b/queue-6.6/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch new file mode 100644 index 0000000000..7883aae0c3 
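Review bot: The added `nf_h323_error_boundary(bs, len, 0)` in decode_int() runs before BYTE_ALIGN(bs), so it is only correct if the helper accounts for the partial byte still pending in the bitstream; presumably it rounds that up (the helper is not shown here), but the ordering looks accidental to a reader. A comment on the check, `/* covers the BYTE_ALIGN() below plus the len bytes get_uint() reads */`, or simply moving the check to after BYTE_ALIGN(bs) with the same arguments, would remove the doubt. The rest of decode_int(), including the non-CONS branches, is outside the shown context.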
--- /dev/null
+++ b/queue-6.6/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
@@ -0,0 +1,66 @@ +From aa4bab9ed05ca48fd2ec0e617243f90dc802aa0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 21:49:01 +0000 +Subject: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in + sip_help_tcp() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lukas Johannes Möller + +[ Upstream commit fbce58e719a17aa215c724473fd5baaa4a8dc57c ] + +sip_help_tcp() parses the SIP Content-Length header with +simple_strtoul(), which returns unsigned long, but stores the result in +unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are +silently truncated before computing the SIP message boundary. + +For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, +causing the parser to miscalculate where the current message ends. The +loop then treats trailing data in the TCP segment as a second SIP +message and processes it through the SDP parser. + +Fix this by changing clen to unsigned long to match the return type of +simple_strtoul(), and reject Content-Length values that exceed the +remaining TCP payload length. 
+ +Fixes: f5b321bd37fb ("netfilter: nf_conntrack_sip: add TCP support") +Signed-off-by: Lukas Johannes Möller +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_sip.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c +index d0eac27f6ba03..657839a58782a 100644 +--- a/net/netfilter/nf_conntrack_sip.c ++++ b/net/netfilter/nf_conntrack_sip.c +@@ -1534,11 +1534,12 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff, + { + struct tcphdr *th, _tcph; + unsigned int dataoff, datalen; +- unsigned int matchoff, matchlen, clen; ++ unsigned int matchoff, matchlen; + unsigned int msglen, origlen; + const char *dptr, *end; + s16 diff, tdiff = 0; + int ret = NF_ACCEPT; ++ unsigned long clen; + bool term; + + if (ctinfo != IP_CT_ESTABLISHED && +@@ -1573,6 +1574,9 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff, + if (dptr + matchoff == end) + break; + ++ if (clen > datalen) ++ break; ++ + term = false; + for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) { + if (end[0] == '\r' && end[1] == '\n' && +-- +2.51.0 + diff --git a/queue-6.6/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch b/queue-6.6/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch new file mode 100644 index 0000000000..1a940cfbd2 --- /dev/null +++ b/queue-6.6/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch 
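Review bot: Widening `clen` to `unsigned long` removes the truncation only on 64-bit builds; on 32-bit `unsigned long` is 32 bits and simple_strtoul() (which, as far as I recall, does not report overflow) still folds 4294967328 to 32 before the new `clen > datalen` check can see it, and even on 64-bit a 20+-digit Content-Length wraps the same way. Since `datalen` is at most one TCP payload, a value needing more than nine significant digits can never be valid, so bounding the digit run that was consumed closes the gap on both widths: `if (end - (dptr + matchoff) > 9) break;` right after the existing `dptr + matchoff == end` check (with a comment noting that leading zeros are deliberately not accommodated). sip_help_tcp()'s body extends outside the hunk.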
@@ -0,0 +1,51 @@ +From 662be15e4fc47570f1d198144a07e2bd6866ee8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 20:00:26 +0100 +Subject: netfilter: nf_tables: release flowtable after rcu grace period on + error + +From: Pablo Neira Ayuso + +[ Upstream commit d73f4b53aaaea4c95f245e491aa5eeb8a21874ce ] + +Call synchronize_rcu() after unregistering the hooks from error path, +since a hook that already refers to this flowtable can be already +registered, exposing this flowtable to packet path and nfnetlink_hook +control plane. + +This error path is rare, it should only happen by reaching the maximum +number hooks or by failing to set up to hardware offload, just call +synchronize_rcu(). + +There is a check for already used device hooks by different flowtable +that could result in EEXIST at this late stage. The hook parser can be +updated to perform this check earlier to this error path really becomes +rarely exercised. + +Uncovered by KASAN reported as use-after-free from nfnetlink_hook path +when dumping hooks. + +Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 41614e897ec8f..a3f7c7ae55b8c 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -8772,6 +8772,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb, + return 0; + + err_flowtable_hooks: ++ synchronize_rcu(); + nft_trans_destroy(trans); + err_flowtable_trans: + nft_hooks_destroy(&flowtable->hook_list); +-- +2.51.0 + diff --git a/queue-6.6/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch b/queue-6.6/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch new file mode 100644 index 0000000000..4c18000e05 --- /dev/null 
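Review bot: The added `synchronize_rcu()` carries no comment saying which readers it waits for, and the reason (hooks registered before the failure may already be visible to the packet path and to nfnetlink_hook dumps) lives only in the commit message, so a later cleanup could mistake it for a no-op. A one-liner above it would preserve that: `/* hooks registered before the failure may still be visible to the packet path and nfnetlink_hook; wait before freeing */`. The hunk does not show where those hooks get unregistered, so I am assuming that happens before `err_flowtable_hooks` is reached. nf_tables_newflowtable() begins and ends outside the hunk.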
+++ b/queue-6.6/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch 
@@ -0,0 +1,114 @@ +From 86ab1be6ac735d2a388345dbee94f5590500e94d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Oct 2025 18:22:16 +0200 +Subject: netfilter: nft_ct: add seqadj extension for natted connections + +From: Andrii Melnychenko + +[ Upstream commit 90918e3b6404c2a37837b8f11692471b4c512de2 ] + +Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. +due to need to re-write packet payload (IP, port) on the ftp control +connection. This can require changes to the TCP length and expected +seq / ack_seq. + +The easiest way to reproduce this issue is with PASV mode. +Example ruleset: +table inet ftp_nat { + ct helper ftp_helper { + type "ftp" protocol tcp + l3proto inet + } + + chain prerouting { + type filter hook prerouting priority 0; policy accept; + tcp dport 21 ct state new ct helper set "ftp_helper" + } +} +table ip nat { + chain prerouting { + type nat hook prerouting priority -100; policy accept; + tcp dport 21 dnat ip prefix to ip daddr map { + 192.168.100.1 : 192.168.13.2/32 } + } + + chain postrouting { + type nat hook postrouting priority 100 ; policy accept; + tcp sport 21 snat ip prefix to ip saddr map { + 192.168.13.2 : 192.168.100.1/32 } + } +} + +Note that the ftp helper gets assigned *after* the dnat setup. + +The inverse (nat after helper assign) is handled by an existing +check in nf_nat_setup_info() and will not show the problem. + +Topoloy: + + +-------------------+ +----------------------------------+ + | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 | + +-------------------+ +----------------------------------+ + | + +-----------------------+ + | Client: 192.168.100.2 | + +-----------------------+ + +ftp nat changes do not work as expected in this case: +Connected to 192.168.100.1. +[..] +ftp> epsv +EPSV/EPRT on IPv4 off. +ftp> ls +227 Entering passive mode (192,168,100,1,209,129). +421 Service not available, remote server has closed connection. 
+ +Kernel logs: +Missing nfct_seqadj_ext_add() setup call +WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 +[..] + __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat] + nf_nat_ftp+0x142/0x280 [nf_nat_ftp] + help+0x4d1/0x880 [nf_conntrack_ftp] + nf_confirm+0x122/0x2e0 [nf_conntrack] + nf_hook_slow+0x3c/0xb0 + .. + +Fix this by adding the required extension when a conntrack helper is assigned +to a connection that has a nat binding. + +Fixes: 1a64edf54f55 ("netfilter: nft_ct: add helper set support") +Signed-off-by: Andrii Melnychenko +Signed-off-by: Florian Westphal +Stable-dep-of: 36eae0956f65 ("netfilter: nft_ct: drop pending enqueued packets on removal") +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_ct.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c +index 3ec63852d058f..1070d68f9e77f 100644 +--- a/net/netfilter/nft_ct.c ++++ b/net/netfilter/nft_ct.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + struct nft_ct_helper_obj { + struct nf_conntrack_helper *helper4; +@@ -1173,6 +1174,10 @@ static void nft_ct_helper_obj_eval(struct nft_object *obj, + if (help) { + rcu_assign_pointer(help->helper, to_assign); + set_bit(IPS_HELPER_BIT, &ct->status); ++ ++ if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct)) ++ if (!nfct_seqadj_ext_add(ct)) ++ regs->verdict.code = NF_DROP; + } + } + +-- +2.51.0 + diff --git a/queue-6.6/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch b/queue-6.6/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch new file mode 100644 index 0000000000..2668a40ae4 --- /dev/null +++ b/queue-6.6/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch 
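Review bot: The seqadj extension is added only after `rcu_assign_pointer(help->helper, ...)` and `set_bit(IPS_HELPER_BIT, ...)`, so a failed `nfct_seqadj_ext_add()` drops the packet but leaves the conntrack with a helper bound and no seqadj; that is harmless if the ct is unconfirmed and dies with the skb (the early checks of nft_ct_helper_obj_eval() are outside the hunk, so I cannot confirm it), but doing the allocation first keeps the failure path free of side effects. The nested `if (A) if (!B)` without braces also reads as one combined condition and is clearer written that way. nft_ct_helper_obj_eval() begins outside the hunk.

```c
	if (help) {
		/* NAT on the control connection needs seqadj before any payload mangling. */
		if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct) &&
		    !nfct_seqadj_ext_add(ct)) {
			regs->verdict.code = NF_DROP;
			return;
		}
		rcu_assign_pointer(help->helper, to_assign);
		set_bit(IPS_HELPER_BIT, &ct->status);
	}
```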
@@ -0,0 +1,70 @@ +From 59f4f20882acae6fb1c025b9a3ce271ec623f5b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 13:48:47 +0100 +Subject: netfilter: nft_ct: drop pending enqueued packets on removal + +From: Pablo Neira Ayuso + +[ Upstream commit 36eae0956f659e48d5366d9b083d9417f3263ddc ] + +Packets sitting in nfqueue might hold a reference to: + +- templates that specify the conntrack zone, because a percpu area is + used and module removal is possible. +- conntrack timeout policies and helper, where object removal leave + a stale reference. + +Since these objects can just go away, drop enqueued packets to avoid +stale reference to them. + +If there is a need for finer grain removal, this logic can be revisited +to make selective packet drop upon dependencies. + +Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_ct.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c +index 1070d68f9e77f..128eb0ac37742 100644 +--- a/net/netfilter/nft_ct.c ++++ b/net/netfilter/nft_ct.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include "nf_internals.h" + + struct nft_ct_helper_obj { + struct nf_conntrack_helper *helper4; +@@ -527,6 +528,7 @@ static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv) + #endif + #ifdef CONFIG_NF_CONNTRACK_ZONES + case NFT_CT_ZONE: ++ nf_queue_nf_hook_drop(ctx->net); + mutex_lock(&nft_ct_pcpu_mutex); + if (--nft_ct_pcpu_template_refcnt == 0) + nft_ct_tmpl_put_pcpu(); +@@ -997,6 +999,7 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx, + struct nft_ct_timeout_obj *priv = nft_obj_data(obj); + struct nf_ct_timeout *timeout = priv->timeout; + ++ nf_queue_nf_hook_drop(ctx->net); + nf_ct_untimeout(ctx->net, timeout); + nf_ct_netns_put(ctx->net, ctx->family); + 
kfree(priv->timeout); +@@ -1129,6 +1132,7 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx, + { + struct nft_ct_helper_obj *priv = nft_obj_data(obj); + ++ nf_queue_nf_hook_drop(ctx->net); + if (priv->helper4) + nf_conntrack_helper_put(priv->helper4); + if (priv->helper6) +-- +2.51.0 + diff --git a/queue-6.6/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch b/queue-6.6/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch new file mode 100644 index 0000000000..5801717bf6 --- /dev/null +++ b/queue-6.6/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch 
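Review bot: In the `NFT_CT_ZONE` case `nf_queue_nf_hook_drop(ctx->net)` flushes every queued packet in the netns on each zone-rule removal, even when `--nft_ct_pcpu_template_refcnt` stays non-zero and the percpu template therefore survives; if the template is the only thing a queued skb can dangle on here (as the commit message says), the flush can be narrowed to the branch that actually frees it: `if (--nft_ct_pcpu_template_refcnt == 0) { nf_queue_nf_hook_drop(ctx->net); nft_ct_tmpl_put_pcpu(); }`. That moves the call under `nft_ct_pcpu_mutex`, which should be fine if nf_queue_nf_hook_drop() only needs RCU, but that function is not in the hunk. The timeout and helper object destroy paths are fine unconditional since the object itself goes away. __nft_ct_set_destroy() begins outside the hunk.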
@@ -0,0 +1,54 @@ +From 69732f8926e713f43bb3eac059f7f9fbc02e5fa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 13:48:48 +0100 +Subject: netfilter: xt_CT: drop pending enqueued packets on template removal + +From: Pablo Neira Ayuso + +[ Upstream commit f62a218a946b19bb59abdd5361da85fa4606b96b ] + +Templates refer to objects that can go away while packets are sitting in +nfqueue refer to: + +- helper, this can be an issue on module removal. +- timeout policy, nfnetlink_cttimeout might remove it. + +The use of templates with zone and event cache filter are safe, since +this just copies values. + +Flush these enqueued packets in case the template rule gets removed. + +Fixes: 24de58f46516 ("netfilter: xt_CT: allow to attach timeout policy + glue code") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_CT.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c +index 3ba94c34297cf..498f5871c84a0 100644 +--- a/net/netfilter/xt_CT.c ++++ b/net/netfilter/xt_CT.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include "nf_internals.h" + + static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct) + { +@@ -283,6 +284,9 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par, + struct nf_conn_help *help; + + if (ct) { ++ if (info->helper[0] || info->timeout[0]) ++ nf_queue_nf_hook_drop(par->net); ++ + help = nfct_help(ct); + xt_ct_put_helper(help); + +-- +2.51.0 + diff --git a/queue-6.6/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch b/queue-6.6/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch new file mode 100644 index 0000000000..052237b165 --- /dev/null +++ b/queue-6.6/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch 
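Review bot: The new flush is conditioned on `info->helper[0] || info->timeout[0]` with no comment, and the reason zone and event-mask templates are exempt (their values are copied rather than referenced, per the commit message) cannot be recovered from the code. A comment on the condition would keep that from being "fixed" later: `/* queued skbs may still reference the helper or timeout policy; zone and event masks are copied, so no flush is needed for them */`. For the v0 target I am assuming its wrapper zeroes the `timeout` member before reaching here; that wrapper is outside the hunk. xt_ct_tg_destroy() begins and ends outside the hunk.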
@@ -0,0 +1,53 @@ +From fd1adb968b59b0cd9c7a5ced82748dce126179ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 14:59:49 +0000 +Subject: netfilter: xt_time: use unsigned int for monthday bit shift +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jenny Guanni Qu + +[ Upstream commit 00050ec08cecfda447e1209b388086d76addda3a ] + +The monthday field can be up to 31, and shifting a signed integer 1 +by 31 positions (1 << 31) is undefined behavior in C, as the result +overflows a 32-bit signed int. Use 1U to ensure well-defined behavior +for all valid monthday values. + +Change the weekday shift to 1U as well for consistency. + +Fixes: ee4411a1b1e0 ("[NETFILTER]: x_tables: add xt_time match") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Tested-by: Jenny Guanni Qu +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_time.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c +index 6aa12d0f54e23..61de85e02a40f 100644 +--- a/net/netfilter/xt_time.c ++++ b/net/netfilter/xt_time.c +@@ -227,13 +227,13 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par) + + localtime_2(¤t_time, stamp); + +- if (!(info->weekdays_match & (1 << current_time.weekday))) ++ if (!(info->weekdays_match & (1U << current_time.weekday))) + return false; + + /* Do not spend time computing monthday if all days match anyway */ + if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) { + localtime_3(¤t_time, stamp); +- if (!(info->monthdays_match & (1 << current_time.monthday))) ++ if (!(info->monthdays_match & (1U << current_time.monthday))) + return false; + } + +-- +2.51.0 + diff --git a/queue-6.6/nfnetlink_osf-validate-individual-option-lengths-in-.patch b/queue-6.6/nfnetlink_osf-validate-individual-option-lengths-in-.patch new file mode 100644 index 0000000000..b3285a4321 
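Review bot: The `1U << current_time.monthday` form still relies on the reader knowing the shift count can reach 31; the kernel's `BIT()` macro (linux/bits.h, whose include is not visible here) names the intent and expands to an unsigned long shift, e.g. `if (!(info->monthdays_match & BIT(current_time.monthday)))`. This is a style point only; the fix as written is correct for the 0..31 range. time_mt() begins and ends outside the hunk.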
--- /dev/null +++ b/queue-6.6/nfnetlink_osf-validate-individual-option-lengths-in-.patch 
@@ -0,0 +1,83 @@ +From c6e56b5ca74c091e544b42ab4e0e8005eff94011 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 15:32:44 +0800 +Subject: nfnetlink_osf: validate individual option lengths in fingerprints + +From: Weiming Shi + +[ Upstream commit dbdfaae9609629a9569362e3b8f33d0a20fd783c ] + +nfnl_osf_add_callback() validates opt_num bounds and string +NUL-termination but does not check individual option length fields. +A zero-length option causes nf_osf_match_one() to enter the option +matching loop even when foptsize sums to zero, which matches packets +with no TCP options where ctx->optp is NULL: + + Oops: general protection fault + KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) + Call Trace: + nf_osf_match (net/netfilter/nfnetlink_osf.c:227) + xt_osf_match_packet (net/netfilter/xt_osf.c:32) + ipt_do_table (net/ipv4/netfilter/ip_tables.c:293) + nf_hook_slow (net/netfilter/core.c:623) + ip_local_deliver (net/ipv4/ip_input.c:262) + ip_rcv (net/ipv4/ip_input.c:573) + +Additionally, an MSS option (kind=2) with length < 4 causes +out-of-bounds reads when nf_osf_match_one() unconditionally accesses +optp[2] and optp[3] for MSS value extraction. While RFC 9293 +section 3.2 specifies that the MSS option is always exactly 4 +bytes (Kind=2, Length=4), the check uses "< 4" rather than +"!= 4" because lengths greater than 4 do not cause memory +safety issues -- the buffer is guaranteed to be at least +foptsize bytes by the ctx->optsize == foptsize check. + +Reject fingerprints where any option has zero length, or where an MSS +option has length less than 4, at add time rather than trusting these +values in the packet matching hot path. 
+ +Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_osf.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c +index 50723ba082890..da9d5d6de98f4 100644 +--- a/net/netfilter/nfnetlink_osf.c ++++ b/net/netfilter/nfnetlink_osf.c +@@ -302,7 +302,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb, + { + struct nf_osf_user_finger *f; + struct nf_osf_finger *kf = NULL, *sf; ++ unsigned int tot_opt_len = 0; + int err = 0; ++ int i; + + if (!capable(CAP_NET_ADMIN)) + return -EPERM; +@@ -318,6 +320,17 @@ static int nfnl_osf_add_callback(struct sk_buff *skb, + if (f->opt_num > ARRAY_SIZE(f->opt)) + return -EINVAL; + ++ for (i = 0; i < f->opt_num; i++) { ++ if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN) ++ return -EINVAL; ++ if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4) ++ return -EINVAL; ++ ++ tot_opt_len += f->opt[i].length; ++ if (tot_opt_len > MAX_IPOPTLEN) ++ return -EINVAL; ++ } ++ + if (!memchr(f->genre, 0, MAXGENRELEN) || + !memchr(f->subtype, 0, MAXGENRELEN) || + !memchr(f->version, 0, MAXGENRELEN)) +-- +2.51.0 + diff --git a/queue-6.6/pm-runtime-fix-a-race-condition-related-to-device-re.patch b/queue-6.6/pm-runtime-fix-a-race-condition-related-to-device-re.patch new file mode 100644 index 0000000000..638522a769 --- /dev/null +++ b/queue-6.6/pm-runtime-fix-a-race-condition-related-to-device-re.patch 
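Review bot: The `< 4` versus `!= 4` choice for the MSS length, and the fact that longer options are already bounded by the `ctx->optsize == foptsize` comparison in the match path, are explained only in the commit message; a comment above the MSS check would stop a later cleanup from tightening or loosening it: `/* nf_osf_match_one() reads optp[2..3] unconditionally for MSS; longer lengths stay within foptsize */`. The per-option `length > MAX_IPOPTLEN` test is subsumed by the running `tot_opt_len` check two lines below it, so one of the two is redundant. nfnl_osf_add_callback() extends outside the hunk.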
@@ -0,0 +1,126 @@ +From 915ad709996515b5d2b1272b01b506f917c62741 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 11:27:20 -0700 +Subject: PM: runtime: Fix a race condition related to device removal + +From: Bart Van Assche + +[ Upstream commit 29ab768277617452d88c0607c9299cdc63b6e9ff ] + +The following code in pm_runtime_work() may dereference the dev->parent +pointer after the parent device has been freed: + + /* Maybe the parent is now able to suspend. */ + if (parent && !parent->power.ignore_children) { + spin_unlock(&dev->power.lock); + + spin_lock(&parent->power.lock); + rpm_idle(parent, RPM_ASYNC); + spin_unlock(&parent->power.lock); + + spin_lock(&dev->power.lock); + } + +Fix this by inserting a flush_work() call in pm_runtime_remove(). + +Without this patch blktest block/001 triggers the following complaint +sporadically: + +BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160 +Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081 +Workqueue: pm pm_runtime_work +Call Trace: + + dump_stack_lvl+0x61/0x80 + print_address_description.constprop.0+0x8b/0x310 + print_report+0xfd/0x1d7 + kasan_report+0xd8/0x1d0 + __kasan_check_byte+0x42/0x60 + lock_acquire.part.0+0x38/0x230 + lock_acquire+0x70/0x160 + _raw_spin_lock+0x36/0x50 + rpm_suspend+0xc6a/0xfe0 + rpm_idle+0x578/0x770 + pm_runtime_work+0xee/0x120 + process_one_work+0xde3/0x1410 + worker_thread+0x5eb/0xfe0 + kthread+0x37b/0x480 + ret_from_fork+0x6cb/0x920 + ret_from_fork_asm+0x11/0x20 + + +Allocated by task 4314: + kasan_save_stack+0x2a/0x50 + kasan_save_track+0x18/0x40 + kasan_save_alloc_info+0x3d/0x50 + __kasan_kmalloc+0xa0/0xb0 + __kmalloc_noprof+0x311/0x990 + scsi_alloc_target+0x122/0xb60 [scsi_mod] + __scsi_scan_target+0x101/0x460 [scsi_mod] + scsi_scan_channel+0x179/0x1c0 [scsi_mod] + scsi_scan_host_selected+0x259/0x2d0 [scsi_mod] + store_scan+0x2d2/0x390 [scsi_mod] + dev_attr_store+0x43/0x80 + sysfs_kf_write+0xde/0x140 + kernfs_fop_write_iter+0x3ef/0x670 + 
vfs_write+0x506/0x1470 + ksys_write+0xfd/0x230 + __x64_sys_write+0x76/0xc0 + x64_sys_call+0x213/0x1810 + do_syscall_64+0xee/0xfc0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Freed by task 4314: + kasan_save_stack+0x2a/0x50 + kasan_save_track+0x18/0x40 + kasan_save_free_info+0x3f/0x50 + __kasan_slab_free+0x67/0x80 + kfree+0x225/0x6c0 + scsi_target_dev_release+0x3d/0x60 [scsi_mod] + device_release+0xa3/0x220 + kobject_cleanup+0x105/0x3a0 + kobject_put+0x72/0xd0 + put_device+0x17/0x20 + scsi_device_dev_release+0xacf/0x12c0 [scsi_mod] + device_release+0xa3/0x220 + kobject_cleanup+0x105/0x3a0 + kobject_put+0x72/0xd0 + put_device+0x17/0x20 + scsi_device_put+0x7f/0xc0 [scsi_mod] + sdev_store_delete+0xa5/0x120 [scsi_mod] + dev_attr_store+0x43/0x80 + sysfs_kf_write+0xde/0x140 + kernfs_fop_write_iter+0x3ef/0x670 + vfs_write+0x506/0x1470 + ksys_write+0xfd/0x230 + __x64_sys_write+0x76/0xc0 + x64_sys_call+0x213/0x1810 + +Reported-by: Ming Lei +Closes: https://lore.kernel.org/all/ZxdNvLNI8QaOfD2d@fedora/ +Reported-by: syzbot+6c905ab800f20cf4086c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68c13942.050a0220.2ff435.000b.GAE@google.com/ +Fixes: 5e928f77a09a ("PM: Introduce core framework for run-time PM of I/O devices (rev. 17)") +Signed-off-by: Bart Van Assche +Link: https://patch.msgid.link/20260312182720.2776083-1-bvanassche@acm.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/base/power/runtime.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index b28fb11cd6db8..2766bdc9158ab 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -1854,6 +1854,7 @@ void pm_runtime_reinit(struct device *dev) + void pm_runtime_remove(struct device *dev) + { + __pm_runtime_disable(dev, false); ++ flush_work(&dev->power.work); + pm_runtime_reinit(dev); + } + +-- +2.51.0 + 
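Review bot: `flush_work(&dev->power.work)` is added without a comment, and the barrier inside `__pm_runtime_disable()` just above it (not in the hunk, but as far as I recall it only cancels the work while `request_pending` is set, which pm_runtime_work() clears before it touches the parent) is exactly why the extra flush is needed. That deserves a line so nobody removes it as duplicate of the barrier: `/* pm_runtime_work() may still be idling the parent after request_pending was cleared; wait for it before the device goes away */`. pm_runtime_remove() is fully visible in the hunk.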
diff --git a/queue-6.6/sched-idle-consolidate-the-handling-of-two-special-c.patch b/queue-6.6/sched-idle-consolidate-the-handling-of-two-special-c.patch new file mode 100644 index 0000000000..fc4e0c6c20 --- /dev/null +++ b/queue-6.6/sched-idle-consolidate-the-handling-of-two-special-c.patch 
@@ -0,0 +1,133 @@ +From c48e2b31c3891421ebfa088289350286079d9794 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 13:25:41 +0100 +Subject: sched: idle: Consolidate the handling of two special cases + +From: Rafael J. Wysocki + +[ Upstream commit f4c31b07b136839e0fb3026f8a5b6543e3b14d2f ] + +There are two special cases in the idle loop that are handled +inconsistently even though they are analogous. + +The first one is when a cpuidle driver is absent and the default CPU +idle time power management implemented by the architecture code is used. +In that case, the scheduler tick is stopped every time before invoking +default_idle_call(). + +The second one is when a cpuidle driver is present, but there is only +one idle state in its table. In that case, the scheduler tick is never +stopped at all. + +Since each of these approaches has its drawbacks, reconcile them with +the help of one simple heuristic. Namely, stop the tick if the CPU has +been woken up by it in the previous iteration of the idle loop, or let +it tick otherwise. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Reviewed-by: Frederic Weisbecker +Reviewed-by: Qais Yousef +Reviewed-by: Aboorva Devarajan +Fixes: ed98c3491998 ("sched: idle: Do not stop the tick before cpuidle_idle_call()") +[ rjw: Added Fixes tag, changelog edits ] +Link: https://patch.msgid.link/4741364.LvFx2qVVIh@rafael.j.wysocki +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + kernel/sched/idle.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c +index ecf555ad158ab..20a8f0f972e63 100644 +--- a/kernel/sched/idle.c ++++ b/kernel/sched/idle.c +@@ -134,6 +134,14 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev, + return cpuidle_enter(drv, dev, next_state); + } + ++static void idle_call_stop_or_retain_tick(bool stop_tick) ++{ ++ if (stop_tick || tick_nohz_tick_stopped()) ++ tick_nohz_idle_stop_tick(); ++ else ++ tick_nohz_idle_retain_tick(); ++} ++ + /** + * cpuidle_idle_call - the main idle function + * +@@ -143,7 +151,7 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev, + * set, and it returns with polling set. If it ever stops polling, it + * must clear the polling bit. + */ +-static void cpuidle_idle_call(void) ++static void cpuidle_idle_call(bool stop_tick) + { + struct cpuidle_device *dev = cpuidle_get_device(); + struct cpuidle_driver *drv = cpuidle_get_cpu_driver(dev); +@@ -165,7 +173,7 @@ static void cpuidle_idle_call(void) + */ + + if (cpuidle_not_available(drv, dev)) { +- tick_nohz_idle_stop_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + default_idle_call(); + goto exit_idle; +@@ -200,17 +208,19 @@ static void cpuidle_idle_call(void) + next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns); + call_cpuidle(drv, dev, next_state); + } else if (drv->state_count > 1) { +- bool stop_tick = true; ++ /* ++ * stop_tick is expected to be true by default by cpuidle ++ * governors, which allows them to select idle states with ++ * target residency above the tick period length. ++ */ ++ stop_tick = true; + + /* + * Ask the cpuidle framework to choose a convenient idle state. 
+ */ + next_state = cpuidle_select(drv, dev, &stop_tick); + +- if (stop_tick || tick_nohz_tick_stopped()) +- tick_nohz_idle_stop_tick(); +- else +- tick_nohz_idle_retain_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + entered_state = call_cpuidle(drv, dev, next_state); + /* +@@ -218,7 +228,7 @@ static void cpuidle_idle_call(void) + */ + cpuidle_reflect(dev, entered_state); + } else { +- tick_nohz_idle_retain_tick(); ++ idle_call_stop_or_retain_tick(stop_tick); + + /* + * If there is only a single idle state (or none), there is +@@ -246,6 +256,7 @@ static void cpuidle_idle_call(void) + static void do_idle(void) + { + int cpu = smp_processor_id(); ++ bool got_tick = false; + + /* + * Check if we need to update blocked load +@@ -288,8 +299,9 @@ static void do_idle(void) + tick_nohz_idle_restart_tick(); + cpu_idle_poll(); + } else { +- cpuidle_idle_call(); ++ cpuidle_idle_call(got_tick); + } ++ got_tick = tick_nohz_idle_got_tick(); + arch_cpu_idle_exit(); + } + +-- +2.51.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 95f6a24ac3..fe5603f7eb 100644 --- a/queue-6.6/series +++ b/queue-6.6/series 
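Review bot: `got_tick` in do_idle() is a bare `bool` with no comment, and its meaning (whether the tick woke the CPU in the previous pass of the idle loop, which now decides whether the tick is stopped in the no-driver and single-state cases) is only in the commit message. A comment at the declaration would keep the heuristic readable: `/* set when the tick woke us last time round; a tick-only wakeup is the cue to stop it next time */`. Note the first pass always passes false, which turns the old always-stop behaviour of the no-driver path into retain-on-first-entry; worth stating there too. do_idle()'s loop body extends outside the hunk.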
@@ -493,3 +493,56 @@ drm-amdgpu-mmhub3.0-add-bounds-checking-for-cid.patch drm-radeon-apply-state-adjust-rules-to-some-additional-hainan-vairants.patch drm-amdgpu-apply-state-adjust-rules-to-some-additional-hainan-vairants.patch drm-amd-display-wrap-dcn32_override_min_req_memclk-in-dc_fp_-start-end.patch +btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch +btrfs-tree-checker-fix-misleading-root-drop_level-er.patch +cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch +soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch +wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch +wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch +firmware-arm_scpi-fix-device_node-reference-leak-in-.patch +bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch +bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch +bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch +bluetooth-iso-fix-defer-tests-being-unstable.patch +bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch +bluetooth-hidp-fix-possible-uaf.patch +bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch +bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch +net-rose-fix-null-pointer-dereference-in-rose_transm.patch +mpls-add-missing-unregister_netdevice_notifier-to-mp.patch +netfilter-ctnetlink-remove-refcounting-in-expectatio.patch +netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch +netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch +netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch +netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch +netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch +netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch +netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch +netfilter-nf_conntrack_h323-check-for-zero-length-in.patch +net-bcmgenet-increase-wol-poll-timeout.patch +net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch +sched-idle-consolidate-the-handling-of-two-special-c.patch 
+pm-runtime-fix-a-race-condition-related-to-device-re.patch +net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch +net-sched-teql-fix-double-free-in-teql_master_xmit.patch +net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch +net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch +clsact-fix-use-after-free-in-init-destroy-rollback-a.patch +net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch +igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch +iavf-fix-vlan-filter-lost-on-add-delete-race.patch +wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch +wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch +acpi-processor-fix-previous-acpi_processor_errata_pi.patch +net-macb-fix-uninitialized-rx_fs_lock.patch +net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch +net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch +net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch +udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch +net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch +netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch +netfilter-nf_tables-release-flowtable-after-rcu-grac.patch +nfnetlink_osf-validate-individual-option-lengths-in-.patch +net-mvpp2-guard-flow-control-update-with-global_tx_f.patch +net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch +icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch diff --git a/queue-6.6/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch b/queue-6.6/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch new file mode 100644 index 0000000000..e9e3930b8a --- /dev/null +++ b/queue-6.6/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch 
@@ -0,0 +1,92 @@
+From e58d03a913bfd62b698032d3dc8f6471c6ad44d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 Dec 2025 08:25:49 +0100
+Subject: soc: fsl: qbman: fix race condition in qman_destroy_fq
+
+From: Richard Genoud
+
+[ Upstream commit 014077044e874e270ec480515edbc1cadb976cf2 ]
+
+When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between
+fq_table[fq->idx] state and freeing/allocating from the pool and
+WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.
+
+Indeed, we can have:
+ Thread A Thread B
+ qman_destroy_fq() qman_create_fq()
+ qman_release_fqid()
+ qman_shutdown_fq()
+ gen_pool_free()
+ -- At this point, the fqid is available again --
+ qman_alloc_fqid()
+ -- so, we can get the just-freed fqid in thread B --
+ fq->fqid = fqid;
+ fq->idx = fqid * 2;
+ WARN_ON(fq_table[fq->idx]);
+ fq_table[fq->idx] = fq;
+ fq_table[fq->idx] = NULL;
+
+And adding some logs between qman_release_fqid() and
+fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.
+
+To prevent that, ensure that fq_table[fq->idx] is set to NULL before
+gen_pool_free() is called by using smp_wmb().
+
+Fixes: c535e923bb97 ("soc/fsl: Introduce DPAA 1.x QMan device driver")
+Signed-off-by: Richard Genoud
+Tested-by: CHAMPSEIX Thomas
+Link: https://lore.kernel.org/r/20251223072549.397625-1-richard.genoud@bootlin.com
+Signed-off-by: Christophe Leroy (CS GROUP)
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/fsl/qbman/qman.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
+index 7e9074519ad22..bcbf6bf2e8f45 100644
+--- a/drivers/soc/fsl/qbman/qman.c
++++ b/drivers/soc/fsl/qbman/qman.c
+@@ -1827,6 +1827,8 @@ EXPORT_SYMBOL(qman_create_fq);
+
+ void qman_destroy_fq(struct qman_fq *fq)
+ {
++ int leaked;
++
+ /*
+ * We don't need to lock the FQ as it is a pre-condition that the FQ be
+ * quiesced. Instead, run some checks.
+@@ -1834,11 +1836,29 @@ void qman_destroy_fq(struct qman_fq *fq)
+ switch (fq->state) {
+ case qman_fq_state_parked:
+ case qman_fq_state_oos:
+- if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))
+- qman_release_fqid(fq->fqid);
++ /*
++ * There's a race condition here on releasing the fqid,
++ * setting the fq_table to NULL, and freeing the fqid.
++ * To prevent it, this order should be respected:
++ */
++ if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) {
++ leaked = qman_shutdown_fq(fq->fqid);
++ if (leaked)
++ pr_debug("FQID %d leaked\n", fq->fqid);
++ }
+
+ DPAA_ASSERT(fq_table[fq->idx]);
+ fq_table[fq->idx] = NULL;
++
++ if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) && !leaked) {
++ /*
++ * fq_table[fq->idx] should be set to null before
++ * freeing fq->fqid otherwise it could by allocated by
++ * qman_alloc_fqid() while still being !NULL
++ */
++ smp_wmb();
++ gen_pool_free(qm_fqalloc, fq->fqid | DPAA_GENALLOC_OFF, 1);
++ }
+ return;
+ default:
+ break;
+--
+2.51.0
+
diff --git a/queue-6.6/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch b/queue-6.6/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
new file mode 100644
index 0000000000..a063315da1
--- /dev/null
+++ b/queue-6.6/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
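Review bot: `int leaked;` is declared uninitialized at the top of qman_destroy_fq() and is assigned only inside the first `if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))`; the later `&& !leaked` is evaluated only when that same flag test succeeds, so there is no uninitialized read today, but the invariant is spread over two separate tests and a -Wmaybe-uninitialized build is likely to flag it. Initializing with `int leaked = 0;` removes the dependency at no cost. The new `smp_wmb()` orders the `fq_table[fq->idx] = NULL` store before gen_pool_free() only on the destroy side; whether the consumer (qman_alloc_fqid() followed by `WARN_ON(fq_table[fq->idx])` in qman_create_fq()) has a pairing ordering depends on gen_pool internals not visible here, so the comment should name what the barrier pairs with. The default branch and the rest of qman_destroy_fq() lie outside the hunk.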
@@ -0,0 +1,64 @@
+From 2b3a5278ce4b6f81725d4b10ce0a28bd143fc2ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 Mar 2026 18:02:41 -0700
+Subject: udp_tunnel: fix NULL deref caused by udp_sock_create6 when
+ CONFIG_IPV6=n
+
+From: Xiang Mei
+
+[ Upstream commit b3a6df291fecf5f8a308953b65ca72b7fc9e015d ]
+
+When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0
+(success) without actually creating a socket. Callers such as
+fou_create() then proceed to dereference the uninitialized socket
+pointer, resulting in a NULL pointer dereference.
+
+The captured NULL deref crash:
+ BUG: kernel NULL pointer dereference, address: 0000000000000018
+ RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)
+ [...]
+ Call Trace:
+
+ genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)
+ genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)
+ [...]
+ netlink_rcv_skb (net/netlink/af_netlink.c:2550)
+ genl_rcv (net/netlink/genetlink.c:1219)
+ netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
+ netlink_sendmsg (net/netlink/af_netlink.c:1894)
+ __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))
+ __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))
+ __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))
+ do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+ entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)
+
+This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so
+callers correctly take their error paths. There is only one caller of
+the vulnerable function and only privileged users can trigger it.
+
+Fixes: fd384412e199b ("udp_tunnel: Seperate ipv6 functions into its own file.")
+Reported-by: Weiming Shi
+Signed-off-by: Xiang Mei
+Link: https://patch.msgid.link/20260317010241.1893893-1-xmei5@asu.edu
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/udp_tunnel.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
+index 29251c3519cf0..0e6eb40cd7778 100644
+--- a/include/net/udp_tunnel.h
++++ b/include/net/udp_tunnel.h
+@@ -47,7 +47,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+ static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+ struct socket **sockp)
+ {
+- return 0;
++ return -EPFNOSUPPORT;
+ }
+ #endif
+
+--
+2.51.0
+
diff --git a/queue-6.6/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch b/queue-6.6/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
new file mode 100644
index 0000000000..90840cd538
--- /dev/null
+++ b/queue-6.6/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
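Review bot: The CONFIG_IPV6=n stub of udp_sock_create6() now returns -EPFNOSUPPORT but leaves `*sockp` untouched, so a caller that inspects the socket pointer before, or instead of, checking the return value would still see whatever the variable held; `*sockp = NULL;` before the return would make the stub fail closed for such callers. The commit message states that a single privileged-only caller exists, so this is hardening against future callers rather than a known bug. The `#endif` that follows closes a conditional whose `#if` is outside the hunk.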
@@ -0,0 +1,51 @@
+From 2715c4645a81af2371c651f0cde77108ccad98f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Mar 2026 21:36:59 +0530
+Subject: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
+
+From: Peddolla Harshavardhan Reddy
+
+[ Upstream commit 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 ]
+
+When the nl80211 socket that originated a PMSR request is
+closed, cfg80211_release_pmsr() sets the request's nl_portid
+to zero and schedules pmsr_free_wk to process the abort
+asynchronously. If the interface is concurrently torn down
+before that work runs, cfg80211_pmsr_wdev_down() calls
+cfg80211_pmsr_process_abort() directly. However, the already-
+scheduled pmsr_free_wk work item remains pending and may run
+after the interface has been removed from the driver. This
+could cause the driver's abort_pmsr callback to operate on a
+torn-down interface, leading to undefined behavior and
+potential crashes.
+
+Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()
+before calling cfg80211_pmsr_process_abort(). This ensures any
+pending or in-progress work is drained before interface teardown
+proceeds, preventing the work from invoking the driver abort
+callback after the interface is gone.
+
+Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API")
+Signed-off-by: Peddolla Harshavardhan Reddy
+Link: https://patch.msgid.link/20260305160712.1263829-3-peddolla.reddy@oss.qualcomm.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/wireless/pmsr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c
+index 841a4516793b1..77cb1de9fc13b 100644
+--- a/net/wireless/pmsr.c
++++ b/net/wireless/pmsr.c
+@@ -641,6 +641,7 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev)
+ }
+ spin_unlock_bh(&wdev->pmsr_lock);
+
++ cancel_work_sync(&wdev->pmsr_free_wk);
+ if (found)
+ cfg80211_pmsr_process_abort(wdev);
+
+--
+2.51.0
+
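Review bot: `found` is computed under pmsr_lock, but `cancel_work_sync(&wdev->pmsr_free_wk)` runs after spin_unlock_bh(), so if the work item executes in that window and aborts the requests itself, cfg80211_pmsr_wdev_down() still calls cfg80211_pmsr_process_abort(wdev) on a stale `found`. That is harmless only if process_abort tolerates an already-drained list; that function and the start of cfg80211_pmsr_wdev_down() are outside the hunk, so this is inferred from the visible lines. A one-line comment above the cancel, `/* drain pmsr_free_wk before the driver abort: it may otherwise run after this wdev is gone */`, would record why the cancel sits here and must stay outside the spinlock, since cancel_work_sync() may sleep.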
diff --git a/queue-6.6/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch b/queue-6.6/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
new file mode 100644
index 0000000000..7b48e5dcf0
--- /dev/null
+++ b/queue-6.6/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
@@ -0,0 +1,81 @@
+From bf18c45fcd815ffa54117200aeddb745e29b8eac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 17 Mar 2026 20:42:44 -0700
+Subject: wifi: mac80211: fix NULL deref in mesh_matches_local()
+
+From: Xiang Mei
+
+[ Upstream commit c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd ]
+
+mesh_matches_local() unconditionally dereferences ie->mesh_config to
+compare mesh configuration parameters. When called from
+mesh_rx_csa_frame(), the parsed action-frame elements may not contain a
+Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a
+kernel NULL pointer dereference.
+
+The other two callers are already safe:
+ - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before
+ calling mesh_matches_local()
+ - mesh_plink_get_event() is only reached through
+ mesh_process_plink_frame(), which checks !elems->mesh_config, too
+
+mesh_rx_csa_frame() is the only caller that passes raw parsed elements
+to mesh_matches_local() without guarding mesh_config. An adjacent
+attacker can exploit this by sending a crafted CSA action frame that
+includes a valid Mesh ID IE but omits the Mesh Configuration IE,
+crashing the kernel.
+
+The captured crash log:
+
+Oops: general protection fault, probably for non-canonical address ...
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+Workqueue: events_unbound cfg80211_wiphy_work
+[...]
+Call Trace:
+
+ ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
+ ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
+ [...]
+ ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
+ [...]
+ cfg80211_wiphy_work (net/wireless/core.c:426)
+ process_one_work (net/kernel/workqueue.c:3280)
+ ? assign_work (net/kernel/workqueue.c:1219)
+ worker_thread (net/kernel/workqueue.c:3352)
+ ? __pfx_worker_thread (net/kernel/workqueue.c:3385)
+ kthread (net/kernel/kthread.c:436)
+ [...]
+ ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
+
+
+This patch adds a NULL check for ie->mesh_config at the top of
+mesh_matches_local() to return false early when the Mesh Configuration
+IE is absent.
+
+Fixes: 2e3c8736820b ("mac80211: support functions for mesh")
+Reported-by: Weiming Shi
+Signed-off-by: Xiang Mei
+Link: https://patch.msgid.link/20260318034244.2595020-1-xmei5@asu.edu
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/mesh.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index 3e6e0497520d6..0899443e83cda 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -76,6 +76,9 @@ bool mesh_matches_local(struct ieee80211_sub_if_data *sdata,
+ * - MDA enabled
+ * - Power management control on fc
+ */
++ if (!ie->mesh_config)
++ return false;
++
+ if (!(ifmsh->mesh_id_len == ie->mesh_id_len &&
+ memcmp(ifmsh->mesh_id, ie->mesh_id, ie->mesh_id_len) == 0 &&
+ (ifmsh->mesh_pp_id == ie->mesh_config->meshconf_psel) &&
+--
+2.51.0
+
diff --git a/queue-6.6/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch b/queue-6.6/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch
new file mode 100644
index 0000000000..af4ea3466d
--- /dev/null
+++ b/queue-6.6/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch
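Review bot: The new `if (!ie->mesh_config) return false;` sits directly below the comment block that enumerates the fields being compared, but that comment (which starts above the hunk) does not say the Mesh Configuration element can be absent; adding a line such as `* - Mesh Configuration element present (it is optional in CSA action frames)` would explain the early return in place. The memcmp() on the following lines also reads ie->mesh_id; whether mesh_rx_csa_frame() guarantees a Mesh ID element before reaching here is not visible in the hunk, so if it does not, consider widening the guard to `if (!ie->mesh_config || !ie->mesh_id) return false;` after confirming the callers. mesh_matches_local() begins and ends outside the hunk.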
@@ -0,0 +1,112 @@
+From 1a437d7b870552887365e2340a45288b166b3cc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 6 Mar 2026 07:24:02 +0000
+Subject: wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit b94ae8e0d5fe1bdbbfdc3854ff6ce98f6876a828 ]
+
+syzbot reported static_branch_dec() underflow in aql_enable_write(). [0]
+
+The problem is that aql_enable_write() does not serialise concurrent
+write()s to the debugfs.
+
+aql_enable_write() checks static_key_false(&aql_disable.key) and
+later calls static_branch_inc() or static_branch_dec(), but the
+state may change between the two calls.
+
+aql_disable does not need to track inc/dec.
+
+Let's use static_branch_enable() and static_branch_disable().
+
+[0]:
+val == 0
+WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288
+Modules linked in:
+CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G U L syzkaller #0 PREEMPT(full)
+Tainted: [U]=USER, [L]=SOFTLOCKUP
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
+RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311
+Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00
+RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4
+RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000
+RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a
+R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98
+FS: 00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000200000001140 CR3: 000000007cc4a000 CR4: 00000000003526f0
+Call Trace:
+
+ __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline]
+ __static_key_slow_dec kernel/jump_label.c:321 [inline]
+ static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336
+ aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343
+ short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383
+ vfs_write+0x2aa/0x1070 fs/read_write.c:684
+ ksys_pwrite64 fs/read_write.c:793 [inline]
+ __do_sys_pwrite64 fs/read_write.c:801 [inline]
+ __se_sys_pwrite64 fs/read_write.c:798 [inline]
+ __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f530cf9aeb9
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
+RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9
+RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010
+RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000
+R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978
+
+
+Fixes: e908435e402a ("mac80211: introduce aql_enable node in debugfs")
+Reported-by: syzbot+feb9ce36a95341bb47a4@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69a8979e.a70a0220.b118c.0025.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima
+Link: https://patch.msgid.link/20260306072405.3649474-1-kuniyu@google.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/debugfs.c | 14 +++++--------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c
+index 207f772bd8ce2..bd7c5dfeaa8c5 100644
+--- a/net/mac80211/debugfs.c
++++ b/net/mac80211/debugfs.c
+@@ -326,7 +326,6 @@ static ssize_t aql_enable_read(struct file *file, char __user *user_buf,
+ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf,
+ size_t count, loff_t *ppos)
+ {
+- bool aql_disabled = static_key_false(&aql_disable.key);
+ char buf[3];
+ size_t len;
+
+@@ -341,15 +340,12 @@ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf,
+ if (len > 0 && buf[len - 1] == '\n')
+ buf[len - 1] = 0;
+
+- if (buf[0] == '0' && buf[1] == '\0') {
+- if (!aql_disabled)
+- static_branch_inc(&aql_disable);
+- } else if (buf[0] == '1' && buf[1] == '\0') {
+- if (aql_disabled)
+- static_branch_dec(&aql_disable);
+- } else {
++ if (buf[0] == '0' && buf[1] == '\0')
++ static_branch_enable(&aql_disable);
++ else if (buf[0] == '1' && buf[1] == '\0')
++ static_branch_disable(&aql_disable);
++ else
+ return -EINVAL;
+- }
+
+ return count;
+ }
+--
+2.51.0
+
diff --git a/queue-6.6/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch b/queue-6.6/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
new file mode 100644
index 0000000000..86d4e76123
--- /dev/null
+++ b/queue-6.6/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
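Review bot: The rewrite of aql_enable_write() fixes the inc/dec underflow by relying on static_branch_enable()/static_branch_disable() being idempotent under the jump-label mutex, but nothing in the new code says so, and a future reader could reintroduce a cached `static_key_false()` check; a comment above the first `if`, `/* enable/disable are idempotent, so concurrent writers need no serialisation here */`, would preserve the reason. The first hunk drops `aql_disabled` while `char buf[3]` and the parsing between the two hunks are untouched and outside view. Both helpers may sleep, which is fine in this debugfs write path but should be kept in mind if the branch toggling is ever moved under a spinlock.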
@@ -0,0 +1,54 @@
+From f15b48473131b496d007edf4811292ab3ad9f2ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 17 Mar 2026 23:46:36 -0700
+Subject: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not
+ enough headroom
+
+From: Guenter Roeck
+
+[ Upstream commit deb353d9bb009638b7762cae2d0b6e8fdbb41a69 ]
+
+Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom
+before skb_push"), wl1271_tx_allocate() and with it
+wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails.
+However, in wlcore_tx_work_locked(), a return value of -EAGAIN from
+wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being
+full. This causes the code to flush the buffer, put the skb back at the
+head of the queue, and immediately retry the same skb in a tight while
+loop.
+
+Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens
+immediately with GFP_ATOMIC, this will result in an infinite loop and a
+CPU soft lockup. Return -ENOMEM instead so the packet is dropped and
+the loop terminates.
+
+The problem was found by an experimental code review agent based on
+gemini-3.1-pro while reviewing backports into v6.18.y.
+
+Assisted-by: Gemini:gemini-3.1-pro
+Fixes: e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push")
+Cc: Peter Astrand
+Signed-off-by: Guenter Roeck
+Link: https://patch.msgid.link/20260318064636.3065925-1-linux@roeck-us.net
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ti/wlcore/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c
+index 75ad096676561..1c6373013f66a 100644
+--- a/drivers/net/wireless/ti/wlcore/tx.c
++++ b/drivers/net/wireless/ti/wlcore/tx.c
+@@ -213,7 +213,7 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif,
+ if (skb_headroom(skb) < (total_len - skb->len) &&
+ pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) {
+ wl1271_free_tx_id(wl, id);
+- return -EAGAIN;
++ return -ENOMEM;
+ }
+ desc = skb_push(skb, total_len - skb->len);
+
+--
+2.51.0
+
--
2.47.3
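Review bot: The one-line change to `return -ENOMEM;` in wl1271_tx_allocate() relies on wlcore_tx_work_locked() treating any error other than -EAGAIN (and presumably -EBUSY) as "drop the skb"; that caller is outside the hunk, so the contract is implicit at the return site. A comment on the return, `/* -ENOMEM drops the skb; -EAGAIN would make wlcore_tx_work_locked() retry forever */`, would tie the value to the soft lockup the commit fixes and discourage a later "correction" back to -EAGAIN. wl1271_free_tx_id(wl, id) is already called before the return, so the tx id is not leaked on this path. wl1271_tx_allocate() begins and ends outside the hunk.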