From 22f0c33cd4b7a7f59de8b8d620be187043525848 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 13 Apr 2025 13:12:38 -0400 Subject: [PATCH] Fixes for 6.1 
Signed-off-by: Sasha Levin --- ...-potential-null-pointer-dereference-.patch | 47 +++++ ...-error-handling-in-pdc20621_i2c_read.patch | 66 +++++++ ...-q.qlen-check-before-qdisc_tree_redu.patch | 63 +++++++ ...ix-null-pointer-deference-in-mtk_iom.patch | 87 ++++++++++ ...ior-across-nexthops-during-path-sele.patch | 63 +++++++ ...t-call-.cleanup_data-when-prepare_da.patch | 78 +++++++++ ...d-checking-for-skb-data-on-ppp_sync_.patch | 73 ++++++++ ...i-conditional-notification-of-events.patch | 73 ++++++++ ...t-tls-explicitly-disallow-disconnect.patch | 69 ++++++++ ...ed-sch_sfq-move-the-limit-validation.patch | 85 +++++++++ ...q-use-a-temporary-work-area-for-vali.patch | 124 ++++++++++++++ ...ix-incorrect-avx2-match-of-5th-field.patch | 53 ++++++ ...-fcloop-swap-list_add_tail-arguments.patch | 38 ++++ ...to-check-if-a-notification-is-needed.patch | 51 ++++++ ...to-check-if-rtnl-group-has-listeners.patch | 53 ++++++ ...futex_waitv-wouldblock-test-should-f.patch | 42 +++++ queue-6.1/series | 18 ++ ...e-enough-buffer-space-when-sending-f.patch | 162 ++++++++++++++++++ ...pc-fix-memory-leak-in-tipc_link_xmit.patch | 40 +++++ 19 files changed, 1285 insertions(+) create mode 100644 queue-6.1/ata-pata_pxa-fix-potential-null-pointer-dereference-.patch create mode 100644 queue-6.1/ata-sata_sx4-add-error-handling-in-pdc20621_i2c_read.patch create mode 100644 queue-6.1/codel-remove-sch-q.qlen-check-before-qdisc_tree_redu.patch create mode 100644 queue-6.1/iommu-mediatek-fix-null-pointer-deference-in-mtk_iom.patch create mode 100644 queue-6.1/ipv6-align-behavior-across-nexthops-during-path-sele.patch create mode 100644 queue-6.1/net-ethtool-don-t-call-.cleanup_data-when-prepare_da.patch create mode 100644 queue-6.1/net-ppp-add-bound-checking-for-skb-data-on-ppp_sync_.patch create mode 100644 queue-6.1/net-sched-cls_api-conditional-notification-of-events.patch create mode 100644 queue-6.1/net-tls-explicitly-disallow-disconnect.patch create mode 100644 
queue-6.1/net_sched-sch_sfq-move-the-limit-validation.patch create mode 100644 queue-6.1/net_sched-sch_sfq-use-a-temporary-work-area-for-vali.patch create mode 100644 queue-6.1/nft_set_pipapo-fix-incorrect-avx2-match-of-5th-field.patch create mode 100644 queue-6.1/nvmet-fcloop-swap-list_add_tail-arguments.patch create mode 100644 queue-6.1/rtnl-add-helper-to-check-if-a-notification-is-needed.patch create mode 100644 queue-6.1/rtnl-add-helper-to-check-if-rtnl-group-has-listeners.patch create mode 100644 queue-6.1/selftests-futex-futex_waitv-wouldblock-test-should-f.patch create mode 100644 queue-6.1/series create mode 100644 queue-6.1/tc-ensure-we-have-enough-buffer-space-when-sending-f.patch create mode 100644 queue-6.1/tipc-fix-memory-leak-in-tipc_link_xmit.patch
diff --git a/queue-6.1/ata-pata_pxa-fix-potential-null-pointer-dereference-.patch b/queue-6.1/ata-pata_pxa-fix-potential-null-pointer-dereference-.patch
new file mode 100644
index 0000000000..424ef7e8d6
--- /dev/null
+++ b/queue-6.1/ata-pata_pxa-fix-potential-null-pointer-dereference-.patch
@@ -0,0 +1,47 @@
+From ddebc8974d3e6dbe5332e60adf61d014ecdd7707 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Apr 2025 14:14:38 +0800
+Subject: ata: pata_pxa: Fix potential NULL pointer dereference in
+ pxa_ata_probe()
+
+From: Henry Martin
+
+[ Upstream commit ad320e408a8c95a282ab9c05cdf0c9b95e317985 ]
+
+devm_ioremap() returns NULL on error. Currently, pxa_ata_probe() does
+not check for this case, which can result in a NULL pointer dereference.
+
+Add NULL check after devm_ioremap() to prevent this issue.
+
+Fixes: 2dc6c6f15da9 ("[ARM] pata_pxa: DMA-capable PATA driver")
+Signed-off-by: Henry Martin
+Signed-off-by: Damien Le Moal
+Signed-off-by: Sasha Levin
+---
+ drivers/ata/pata_pxa.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/ata/pata_pxa.c b/drivers/ata/pata_pxa.c
+index 985f42c4fd700..9113b74b2b67d 100644
+--- a/drivers/ata/pata_pxa.c
++++ b/drivers/ata/pata_pxa.c
+@@ -223,10 +223,16 @@ static int pxa_ata_probe(struct platform_device *pdev)
+
+ ap->ioaddr.cmd_addr = devm_ioremap(&pdev->dev, cmd_res->start,
+ resource_size(cmd_res));
++ if (!ap->ioaddr.cmd_addr)
++ return -ENOMEM;
+ ap->ioaddr.ctl_addr = devm_ioremap(&pdev->dev, ctl_res->start,
+ resource_size(ctl_res));
++ if (!ap->ioaddr.ctl_addr)
++ return -ENOMEM;
+ ap->ioaddr.bmdma_addr = devm_ioremap(&pdev->dev, dma_res->start,
+ resource_size(dma_res));
++ if (!ap->ioaddr.bmdma_addr)
++ return -ENOMEM;
+
+ /*
+ * Adjust register offsets
+--
+2.39.5
+
diff --git a/queue-6.1/ata-sata_sx4-add-error-handling-in-pdc20621_i2c_read.patch b/queue-6.1/ata-sata_sx4-add-error-handling-in-pdc20621_i2c_read.patch
new file mode 100644
index 0000000000..85e0656392
--- /dev/null
+++ b/queue-6.1/ata-sata_sx4-add-error-handling-in-pdc20621_i2c_read.patch
@@ -0,0 +1,66 @@
+From 1f217c4678d856c73ede8a750554c4fd73e5619b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Apr 2025 15:30:01 +0800
+Subject: ata: sata_sx4: Add error handling in pdc20621_i2c_read()
+
+From: Wentao Liang
+
+[ Upstream commit 8d46a27085039158eb5e253ab8a35a0e33b5e864 ]
+
+The function pdc20621_prog_dimm0() calls the function pdc20621_i2c_read()
+but does not handle the error if the read fails. This could lead to
+process with invalid data. A proper implementation can be found in
+/source/drivers/ata/sata_sx4.c, pdc20621_prog_dimm_global(). As mentioned
+in its commit: bb44e154e25125bef31fa956785e90fccd24610b, the variable spd0
+might be used uninitialized when pdc20621_i2c_read() fails.
+
+Add error handling to pdc20621_i2c_read(). If a read operation fails,
+an error message is logged via dev_err(), and return a negative error
+code.
+
+Add error handling to pdc20621_prog_dimm0() in pdc20621_dimm_init(), and
+return a negative error code if pdc20621_prog_dimm0() fails.
+
+Fixes: 4447d3515616 ("libata: convert the remaining SATA drivers to new init model")
+Signed-off-by: Wentao Liang
+Reviewed-by: Niklas Cassel
+Signed-off-by: Damien Le Moal
+Signed-off-by: Sasha Levin
+---
+ drivers/ata/sata_sx4.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/ata/sata_sx4.c b/drivers/ata/sata_sx4.c
+index fa1966638c060..c524634fd9265 100644
+--- a/drivers/ata/sata_sx4.c
++++ b/drivers/ata/sata_sx4.c
+@@ -1118,9 +1118,14 @@ static int pdc20621_prog_dimm0(struct ata_host *host)
+ mmio += PDC_CHIP0_OFS;
+
+ for (i = 0; i < ARRAY_SIZE(pdc_i2c_read_data); i++)
+- pdc20621_i2c_read(host, PDC_DIMM0_SPD_DEV_ADDRESS,
+- pdc_i2c_read_data[i].reg,
+- &spd0[pdc_i2c_read_data[i].ofs]);
++ if (!pdc20621_i2c_read(host, PDC_DIMM0_SPD_DEV_ADDRESS,
++ pdc_i2c_read_data[i].reg,
++ &spd0[pdc_i2c_read_data[i].ofs])) {
++ dev_err(host->dev,
++ "Failed in i2c read at index %d: device=%#x, reg=%#x\n",
++ i, PDC_DIMM0_SPD_DEV_ADDRESS, pdc_i2c_read_data[i].reg);
++ return -EIO;
++ }
+
+ data |= (spd0[4] - 8) | ((spd0[21] != 0) << 3) | ((spd0[3]-11) << 4);
+ data |= ((spd0[17] / 4) << 6) | ((spd0[5] / 2) << 7) |
+@@ -1285,6 +1290,8 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
+
+ /* Programming DIMM0 Module Control Register (index_CID0:80h) */
+ size = pdc20621_prog_dimm0(host);
++ if (size < 0)
++ return size;
+ dev_dbg(host->dev, "Local DIMM Size = %dMB\n", size);
+
+ /* Programming DIMM Module Global Control Register (index_CID0:88h) */
+--
+2.39.5
+
diff --git a/queue-6.1/codel-remove-sch-q.qlen-check-before-qdisc_tree_redu.patch b/queue-6.1/codel-remove-sch-q.qlen-check-before-qdisc_tree_redu.patch
new file mode 100644
index 0000000000..7a67ecf496
--- /dev/null
+++ b/queue-6.1/codel-remove-sch-q.qlen-check-before-qdisc_tree_redu.patch
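Review bot: The added `return size;` in pdc20621_dimm_init() sends a negative errno out of a function that the hunk header declares as `static unsigned int pdc20621_dimm_init(struct ata_host *host)`, so -EIO reaches the caller as a large positive number. A caller that only tests for non-zero still sees a failure, but the value can no longer be propagated as an errno; either change the return type to `int` (signature and callers are outside this patch) or return whatever failure value the callers already test for. The declaration of `size` is also outside the hunk, and if it is unsigned the new `size < 0` test can never fire. As a style point, the `for` loop in pdc20621_prog_dimm0() now has a multi-line body and should get its own braces.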
@@ -0,0 +1,63 @@
+From e3493bbdaeb02cc7fbc04b18aeb597bb5a63ccd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Apr 2025 14:16:31 -0700
+Subject: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()
+
+From: Cong Wang
+
+[ Upstream commit 342debc12183b51773b3345ba267e9263bdfaaef ]
+
+After making all ->qlen_notify() callbacks idempotent, now it is safe to
+remove the check of qlen!=0 from both fq_codel_dequeue() and
+codel_qdisc_dequeue().
+
+Reported-by: Gerrard Tai
+Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM")
+Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
+Signed-off-by: Cong Wang
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20250403211636.166257-1-xiyou.wangcong@gmail.com
+Acked-by: Jamal Hadi Salim
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/sched/sch_codel.c | 5 +----
+ net/sched/sch_fq_codel.c | 6 ++----
+ 2 files changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c
+index d7a4874543de5..5f2e068157456 100644
+--- a/net/sched/sch_codel.c
++++ b/net/sched/sch_codel.c
+@@ -95,10 +95,7 @@ static struct sk_buff *codel_qdisc_dequeue(struct Qdisc *sch)
+ &q->stats, qdisc_pkt_len, codel_get_enqueue_time,
+ drop_func, dequeue_func);
+
+- /* We cant call qdisc_tree_reduce_backlog() if our qlen is 0,
+- * or HTB crashes. Defer it for next round.
+- */
+- if (q->stats.drop_count && sch->q.qlen) {
++ if (q->stats.drop_count) {
+ qdisc_tree_reduce_backlog(sch, q->stats.drop_count, q->stats.drop_len);
+ q->stats.drop_count = 0;
+ q->stats.drop_len = 0;
+diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
+index 8c4fee0634366..9330923a624c0 100644
+--- a/net/sched/sch_fq_codel.c
++++ b/net/sched/sch_fq_codel.c
+@@ -314,10 +314,8 @@ static struct sk_buff *fq_codel_dequeue(struct Qdisc *sch)
+ }
+ qdisc_bstats_update(sch, skb);
+ flow->deficit -= qdisc_pkt_len(skb);
+- /* We cant call qdisc_tree_reduce_backlog() if our qlen is 0,
+- * or HTB crashes. Defer it for next round.
+- */
+- if (q->cstats.drop_count && sch->q.qlen) {
++
++ if (q->cstats.drop_count) {
+ qdisc_tree_reduce_backlog(sch, q->cstats.drop_count,
+ q->cstats.drop_len);
+ q->cstats.drop_count = 0;
+--
+2.39.5
+
diff --git a/queue-6.1/iommu-mediatek-fix-null-pointer-deference-in-mtk_iom.patch b/queue-6.1/iommu-mediatek-fix-null-pointer-deference-in-mtk_iom.patch
new file mode 100644
index 0000000000..f6216680c9
--- /dev/null
+++ b/queue-6.1/iommu-mediatek-fix-null-pointer-deference-in-mtk_iom.patch
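Review bot: Removing the `sch->q.qlen` guard in codel_qdisc_dequeue() and fq_codel_dequeue() is only safe on a tree where every parent qdisc's ->qlen_notify() is already idempotent, which the commit message states as a precondition and the deleted comment ties to an HTB crash. Judging by their names, none of the other patches added to queue-6.1 here touch a qlen_notify callback, so the backport presumably relies on those changes already being in 6.1.y; that should be confirmed before this lands, because otherwise the deleted guard was the only protection. A replacement comment such as `/* safe with qlen == 0: all ->qlen_notify() callbacks are idempotent */` above each `if` would keep the reason on record. Both functions start and end outside their hunks.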
@@ -0,0 +1,87 @@
+From 8ba47ec61c0592c35fe0753c4dc5b5c7d9317e99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Apr 2025 12:22:12 +0200
+Subject: iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group
+
+From: Louis-Alexis Eyraud
+
+[ Upstream commit 38e8844005e6068f336a3ad45451a562a0040ca1 ]
+
+Currently, mtk_iommu calls during probe iommu_device_register before
+the hw_list from driver data is initialized. Since iommu probing issue
+fix, it leads to NULL pointer dereference in mtk_iommu_device_group when
+hw_list is accessed with list_first_entry (not null safe).
+
+So, change the call order to ensure iommu_device_register is called
+after the driver data are initialized.
+
+Fixes: 9e3a2a643653 ("iommu/mediatek: Adapt sharing and non-sharing pgtable case")
+Fixes: bcb81ac6ae3c ("iommu: Get DT/ACPI parsing into the proper probe path")
+Reviewed-by: Yong Wu
+Tested-by: Chen-Yu Tsai # MT8183 Juniper, MT8186 Tentacruel
+Reviewed-by: AngeloGioacchino Del Regno
+Tested-by: AngeloGioacchino Del Regno
+Signed-off-by: Louis-Alexis Eyraud
+Link: https://lore.kernel.org/r/20250403-fix-mtk-iommu-error-v2-1-fe8b18f8b0a8@collabora.com
+Signed-off-by: Joerg Roedel
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/mtk_iommu.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c
+index 576163f88a4a5..d4cb09b2e267e 100644
+--- a/drivers/iommu/mtk_iommu.c
++++ b/drivers/iommu/mtk_iommu.c
+@@ -1268,15 +1268,6 @@ static int mtk_iommu_probe(struct platform_device *pdev)
+ platform_set_drvdata(pdev, data);
+ mutex_init(&data->mutex);
+
+- ret = iommu_device_sysfs_add(&data->iommu, dev, NULL,
+- "mtk-iommu.%pa", &ioaddr);
+- if (ret)
+- goto out_link_remove;
+-
+- ret = iommu_device_register(&data->iommu, &mtk_iommu_ops, dev);
+- if (ret)
+- goto out_sysfs_remove;
+-
+ if (MTK_IOMMU_HAS_FLAG(data->plat_data, SHARE_PGTABLE)) {
+ list_add_tail(&data->list, data->plat_data->hw_list);
+ data->hw_list = data->plat_data->hw_list;
+@@ -1286,19 +1277,28 @@ static int mtk_iommu_probe(struct platform_device *pdev)
+ data->hw_list = &data->hw_list_head;
+ }
+
++ ret = iommu_device_sysfs_add(&data->iommu, dev, NULL,
++ "mtk-iommu.%pa", &ioaddr);
++ if (ret)
++ goto out_list_del;
++
++ ret = iommu_device_register(&data->iommu, &mtk_iommu_ops, dev);
++ if (ret)
++ goto out_sysfs_remove;
++
+ if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM)) {
+ ret = component_master_add_with_match(dev, &mtk_iommu_com_ops, match);
+ if (ret)
+- goto out_list_del;
++ goto out_device_unregister;
+ }
+ return ret;
+
+-out_list_del:
+- list_del(&data->list);
++out_device_unregister:
+ iommu_device_unregister(&data->iommu);
+ out_sysfs_remove:
+ iommu_device_sysfs_remove(&data->iommu);
+-out_link_remove:
++out_list_del:
++ list_del(&data->list);
+ if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM))
+ device_link_remove(data->smicomm_dev, dev);
+ out_runtime_disable:
+--
+2.39.5
+
diff --git a/queue-6.1/ipv6-align-behavior-across-nexthops-during-path-sele.patch b/queue-6.1/ipv6-align-behavior-across-nexthops-during-path-sele.patch
new file mode 100644
index 0000000000..af97f3db2c
--- /dev/null
+++ b/queue-6.1/ipv6-align-behavior-across-nexthops-during-path-sele.patch
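Review bot: The new call order in mtk_iommu_probe() is load-bearing but nothing in the code records it, so a later cleanup could move iommu_device_register() back above the hw_list setup and bring back the NULL dereference described in the commit message. A comment above the moved block would pin the constraint, for example `/* hw_list must be set up before iommu_device_register(): registration can reach mtk_iommu_device_group() */`. mtk_iommu_probe() starts and ends outside both hunks, so the remaining unwind labels could not be checked against the new order.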
@@ -0,0 +1,63 @@
+From 062d2f240f22520b9dccc685eff14c50a3bd816f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Apr 2025 11:43:16 +0300
+Subject: ipv6: Align behavior across nexthops during path selection
+
+From: Ido Schimmel
+
+[ Upstream commit 6933cd4714861eea6848f18396a119d741f25fc3 ]
+
+A nexthop is only chosen when the calculated multipath hash falls in the
+nexthop's hash region (i.e., the hash is smaller than the nexthop's hash
+threshold) and when the nexthop is assigned a non-negative score by
+rt6_score_route().
+
+Commit 4d0ab3a6885e ("ipv6: Start path selection from the first
+nexthop") introduced an unintentional difference between the first
+nexthop and the rest when the score is negative.
+
+When the first nexthop matches, but has a negative score, the code will
+currently evaluate subsequent nexthops until one is found with a
+non-negative score. On the other hand, when a different nexthop matches,
+but has a negative score, the code will fallback to the nexthop with
+which the selection started ('match').
+
+Align the behavior across all nexthops and fallback to 'match' when the
+first nexthop matches, but has a negative score.
+
+Fixes: 3d709f69a3e7 ("ipv6: Use hash-threshold instead of modulo-N")
+Fixes: 4d0ab3a6885e ("ipv6: Start path selection from the first nexthop")
+Reported-by: Willem de Bruijn
+Closes: https://lore.kernel.org/netdev/67efef607bc41_1ddca82948c@willemb.c.googlers.com.notmuch/
+Signed-off-by: Ido Schimmel
+Reviewed-by: Willem de Bruijn
+Reviewed-by: David Ahern
+Link: https://patch.msgid.link/20250408084316.243559-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/route.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index d6de164720a05..4e6b833dc40bb 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -474,10 +474,10 @@ void fib6_select_path(const struct net *net, struct fib6_result *res,
+ goto out;
+
+ hash = fl6->mp_hash;
+- if (hash <= atomic_read(&first->fib6_nh->fib_nh_upper_bound) &&
+- rt6_score_route(first->fib6_nh, first->fib6_flags, oif,
+- strict) >= 0) {
+- match = first;
++ if (hash <= atomic_read(&first->fib6_nh->fib_nh_upper_bound)) {
++ if (rt6_score_route(first->fib6_nh, first->fib6_flags, oif,
++ strict) >= 0)
++ match = first;
+ goto out;
+ }
+
+--
+2.39.5
+
diff --git a/queue-6.1/net-ethtool-don-t-call-.cleanup_data-when-prepare_da.patch b/queue-6.1/net-ethtool-don-t-call-.cleanup_data-when-prepare_da.patch
new file mode 100644
index 0000000000..ca6eaf7cc4
--- /dev/null
+++ b/queue-6.1/net-ethtool-don-t-call-.cleanup_data-when-prepare_da.patch
@@ -0,0 +1,78 @@
+From 59299701774d9618d92fed480c96790db4d67b29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Apr 2025 15:05:10 +0200
+Subject: net: ethtool: Don't call .cleanup_data when prepare_data fails
+
+From: Maxime Chevallier
+
+[ Upstream commit 4f038a6a02d20859a3479293cbf172b0f14cbdd6 ]
+
+There's a consistent pattern where the .cleanup_data() callback is
+called when .prepare_data() fails, when it should really be called to
+clean after a successful .prepare_data() as per the documentation.
+
+Rewrite the error-handling paths to make sure we don't cleanup
+un-prepared data.
+
+Fixes: c781ff12a2f3 ("ethtool: Allow network drivers to dump arbitrary EEPROM data")
+Reviewed-by: Kory Maincent
+Reviewed-by: Simon Horman
+Reviewed-by: Michal Kubecek
+Signed-off-by: Maxime Chevallier
+Link: https://patch.msgid.link/20250407130511.75621-1-maxime.chevallier@bootlin.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/ethtool/netlink.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/ethtool/netlink.c b/net/ethtool/netlink.c
+index e5efdf2817eff..98c0641138825 100644
+--- a/net/ethtool/netlink.c
++++ b/net/ethtool/netlink.c
+@@ -384,7 +384,7 @@ static int ethnl_default_doit(struct sk_buff *skb, struct genl_info *info)
+ ret = ops->prepare_data(req_info, reply_data, info);
+ rtnl_unlock();
+ if (ret < 0)
+- goto err_cleanup;
++ goto err_dev;
+ ret = ops->reply_size(req_info, reply_data);
+ if (ret < 0)
+ goto err_cleanup;
+@@ -442,7 +442,7 @@ static int ethnl_default_dump_one(struct sk_buff *skb, struct net_device *dev,
+ ret = ctx->ops->prepare_data(ctx->req_info, ctx->reply_data, NULL);
+ rtnl_unlock();
+ if (ret < 0)
+- goto out;
++ goto out_cancel;
+ ret = ethnl_fill_reply_header(skb, dev, ctx->ops->hdr_attr);
+ if (ret < 0)
+ goto out;
+@@ -451,6 +451,7 @@ static int ethnl_default_dump_one(struct sk_buff *skb, struct net_device *dev,
+ out:
+ if (ctx->ops->cleanup_data)
+ ctx->ops->cleanup_data(ctx->reply_data);
++out_cancel:
+ ctx->reply_data->dev = NULL;
+ if (ret < 0)
+ genlmsg_cancel(skb, ehdr);
+@@ -636,7 +637,7 @@ static void ethnl_default_notify(struct net_device *dev, unsigned int cmd,
+ ethnl_init_reply_data(reply_data, ops, dev);
+ ret = ops->prepare_data(req_info, reply_data, NULL);
+ if (ret < 0)
+- goto err_cleanup;
++ goto err_rep;
+ ret = ops->reply_size(req_info, reply_data);
+ if (ret < 0)
+ goto err_cleanup;
+@@ -671,6 +672,7 @@ static void ethnl_default_notify(struct net_device *dev, unsigned int cmd,
+ err_cleanup:
+ if (ops->cleanup_data)
+ ops->cleanup_data(reply_data);
++err_rep:
+ kfree(reply_data);
+ kfree(req_info);
+ return;
+--
+2.39.5
+
diff --git a/queue-6.1/net-ppp-add-bound-checking-for-skb-data-on-ppp_sync_.patch b/queue-6.1/net-ppp-add-bound-checking-for-skb-data-on-ppp_sync_.patch
new file mode 100644
index 0000000000..72196cda48
--- /dev/null
+++ b/queue-6.1/net-ppp-add-bound-checking-for-skb-data-on-ppp_sync_.patch
@@ -0,0 +1,73 @@
+From a2a2091cf7d855d398bc8983b696366a39037843 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Apr 2025 17:55:08 +0200
+Subject: net: ppp: Add bound checking for skb data on ppp_sync_txmung
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnaud Lecomte
+
+[ Upstream commit aabc6596ffb377c4c9c8f335124b92ea282c9821 ]
+
+Ensure we have enough data in linear buffer from skb before accessing
+initial bytes. This prevents potential out-of-bounds accesses
+when processing short packets.
+
+When ppp_sync_txmung receives an incoming package with an empty
+payload:
+(remote) gef➤ p *(struct pppoe_hdr *) (skb->head + skb->network_header)
+$18 = {
+ type = 0x1,
+ ver = 0x1,
+ code = 0x0,
+ sid = 0x2,
+ length = 0x0,
+ tag = 0xffff8880371cdb96
+}
+
+from the skb struct (trimmed)
+ tail = 0x16,
+ end = 0x140,
+ head = 0xffff88803346f400 "4",
+ data = 0xffff88803346f416 ":\377",
+ truesize = 0x380,
+ len = 0x0,
+ data_len = 0x0,
+ mac_len = 0xe,
+ hdr_len = 0x0,
+
+it is not safe to access data[2].
+
+Reported-by: syzbot+29fc8991b0ecb186cf40@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=29fc8991b0ecb186cf40
+Tested-by: syzbot+29fc8991b0ecb186cf40@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Arnaud Lecomte
+Link: https://patch.msgid.link/20250408-bound-checking-ppp_txmung-v2-1-94bb6e1b92d0@arnaud-lcm.com
+[pabeni@redhat.com: fixed subj typo]
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ppp/ppp_synctty.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
+index 94ef6f9ca5103..fb533c43deeea 100644
+--- a/drivers/net/ppp/ppp_synctty.c
++++ b/drivers/net/ppp/ppp_synctty.c
+@@ -515,6 +515,11 @@ ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb)
+ unsigned char *data;
+ int islcp;
+
++ /* Ensure we can safely access protocol field and LCP code */
++ if (!pskb_may_pull(skb, 3)) {
++ kfree_skb(skb);
++ return NULL;
++ }
+ data = skb->data;
+ proto = get_unaligned_be16(data);
+
+--
+2.39.5
+
diff --git a/queue-6.1/net-sched-cls_api-conditional-notification-of-events.patch b/queue-6.1/net-sched-cls_api-conditional-notification-of-events.patch
new file mode 100644
index 0000000000..cd732dde5e
--- /dev/null
+++ b/queue-6.1/net-sched-cls_api-conditional-notification-of-events.patch
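Review bot: The guard added at the top of ppp_sync_txmunge() frees any frame with fewer than three linear bytes using plain `kfree_skb()` and returns NULL, with no counter or log, so these drops are invisible to whoever operates the link. Per the guard's own comment the third byte is the LCP code, which suggests it only matters when the protocol field is LCP, yet the three-byte minimum is applied to every frame. If that is intended the comment should say so, e.g. `/* need 2-byte protocol + 1-byte LCP code; shorter frames are dropped */`. The callers' handling of the NULL return is outside this hunk and should be confirmed to treat the skb as consumed rather than retrying it.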
@@ -0,0 +1,73 @@
+From 8f2bc6765b2102dc1a5f0077944518e1c366044b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Dec 2023 16:28:47 -0300
+Subject: net/sched: cls_api: conditional notification of events
+
+From: Pedro Tammela
+
+[ Upstream commit 93775590b1ee98bf2976b1f4a1ed24e9ff76170f ]
+
+As of today tc-filter/chain events are unconditionally built and sent to
+RTNLGRP_TC. As with the introduction of rtnl_notify_needed we can check
+before-hand if they are really needed. This will help to alleviate
+system pressure when filters are concurrently added without the rtnl
+lock as in tc-flower.
+
+Reviewed-by: Jiri Pirko
+Reviewed-by: Simon Horman
+Signed-off-by: Pedro Tammela
+Link: https://lore.kernel.org/r/20231208192847.714940-8-pctammela@mojatatu.com
+Signed-off-by: Jakub Kicinski
+Stable-dep-of: 369609fc6272 ("tc: Ensure we have enough buffer space when sending filter netlink notifications")
+Signed-off-by: Sasha Levin
+---
+ net/sched/cls_api.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
+index 445ab1b0537da..2b44b82877f5a 100644
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -1885,6 +1885,9 @@ static int tfilter_notify(struct net *net, struct sk_buff *oskb,
+ u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
+ int err = 0;
+
++ if (!unicast && !rtnl_notify_needed(net, n->nlmsg_flags, RTNLGRP_TC))
++ return 0;
++
+ skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
+ if (!skb)
+ return -ENOBUFS;
+@@ -1914,6 +1917,9 @@ static int tfilter_del_notify(struct net *net, struct sk_buff *oskb,
+ u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
+ int err;
+
++ if (!rtnl_notify_needed(net, n->nlmsg_flags, RTNLGRP_TC))
++ return tp->ops->delete(tp, fh, last, rtnl_held, extack);
++
+ skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
+ if (!skb)
+ return -ENOBUFS;
+@@ -2731,6 +2737,9 @@ static int tc_chain_notify(struct tcf_chain *chain, struct sk_buff *oskb,
+ struct sk_buff *skb;
+ int err = 0;
+
++ if (!unicast && !rtnl_notify_needed(net, flags, RTNLGRP_TC))
++ return 0;
++
+ skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
+ if (!skb)
+ return -ENOBUFS;
+@@ -2760,6 +2769,9 @@ static int tc_chain_notify_delete(const struct tcf_proto_ops *tmplt_ops,
+ struct net *net = block->net;
+ struct sk_buff *skb;
+
++ if (!rtnl_notify_needed(net, flags, RTNLGRP_TC))
++ return 0;
++
+ skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
+ if (!skb)
+ return -ENOBUFS;
+--
+2.39.5
+
diff --git a/queue-6.1/net-tls-explicitly-disallow-disconnect.patch b/queue-6.1/net-tls-explicitly-disallow-disconnect.patch
new file mode 100644
index 0000000000..98b4ad4392
--- /dev/null
+++ b/queue-6.1/net-tls-explicitly-disallow-disconnect.patch
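Review bot: The early return added to tfilter_del_notify() tests only `rtnl_notify_needed()`, while the guards added to tfilter_notify() and tc_chain_notify() in the same patch read `!unicast && !rtnl_notify_needed(...)`. The parameter list of tfilter_del_notify() is cut off in the hunk header; if the 6.1 version still takes a `unicast` argument, a unicast reply would be skipped whenever RTNLGRP_TC has no listeners, and the guard should become `if (!unicast && !rtnl_notify_needed(net, n->nlmsg_flags, RTNLGRP_TC))`. The same question applies to tc_chain_notify_delete(). This patch also calls rtnl_notify_needed(), which is added by a separate patch in this queue, so its position in queue-6.1/series has to come after that helper.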
@@ -0,0 +1,69 @@
+From 74007b14f08a144e8c15809855eb60bb720f0593 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Apr 2025 11:03:33 -0700
+Subject: net: tls: explicitly disallow disconnect
+
+From: Jakub Kicinski
+
+[ Upstream commit 5071a1e606b30c0c11278d3c6620cd6a24724cf6 ]
+
+syzbot discovered that it can disconnect a TLS socket and then
+run into all sort of unexpected corner cases. I have a vague
+recollection of Eric pointing this out to us a long time ago.
+Supporting disconnect is really hard, for one thing if offload
+is enabled we'd need to wait for all packets to be _acked_.
+Disconnect is not commonly used, disallow it.
+
+The immediate problem syzbot run into is the warning in the strp,
+but that's just the easiest bug to trigger:
+
+ WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486
+ RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486
+ Call Trace:
+
+ tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363
+ tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043
+ inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678
+ sock_recvmsg_nosec net/socket.c:1023 [inline]
+ sock_recvmsg+0x109/0x280 net/socket.c:1045
+ __sys_recvfrom+0x202/0x380 net/socket.c:2237
+
+Fixes: 3c4d7559159b ("tls: kernel TLS support")
+Reported-by: syzbot+b4cd76826045a1eb93c1@syzkaller.appspotmail.com
+Signed-off-by: Jakub Kicinski
+Reviewed-by: Eric Dumazet
+Reviewed-by: Sabrina Dubroca
+Link: https://patch.msgid.link/20250404180334.3224206-1-kuba@kernel.org
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/tls/tls_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
+index 75cd20c0e3fdb..14d01558311d2 100644
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -900,6 +900,11 @@ static int tls_setsockopt(struct sock *sk, int level, int optname,
+ return do_tls_setsockopt(sk, optname, optval, optlen);
+ }
+
++static int tls_disconnect(struct sock *sk, int flags)
++{
++ return -EOPNOTSUPP;
++}
++
+ struct tls_context *tls_ctx_create(struct sock *sk)
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+@@ -995,6 +1000,7 @@ static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG],
+ prot[TLS_BASE][TLS_BASE] = *base;
+ prot[TLS_BASE][TLS_BASE].setsockopt = tls_setsockopt;
+ prot[TLS_BASE][TLS_BASE].getsockopt = tls_getsockopt;
++ prot[TLS_BASE][TLS_BASE].disconnect = tls_disconnect;
+ prot[TLS_BASE][TLS_BASE].close = tls_sk_proto_close;
+
+ prot[TLS_SW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
+--
+2.39.5
+
diff --git a/queue-6.1/net_sched-sch_sfq-move-the-limit-validation.patch b/queue-6.1/net_sched-sch_sfq-move-the-limit-validation.patch
new file mode 100644
index 0000000000..9f23b576d0
--- /dev/null
+++ b/queue-6.1/net_sched-sch_sfq-move-the-limit-validation.patch
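Review bot: tls_disconnect() carries no comment saying why a TLS socket refuses disconnect, so the reasoning lives only in the commit message and the stub looks like an unfinished feature. A short comment above it would keep a later change from re-enabling the path, for example `/* disconnect is not supported once TLS is attached: record and offload state cannot be unwound safely */`. The hook is installed on `prot[TLS_BASE][TLS_BASE]` only; the visible `prot[TLS_SW][TLS_BASE] = prot[TLS_BASE][TLS_BASE]` copy suggests the other configurations inherit it, but the rest of build_protos() is outside the hunk and should be checked so that no configuration keeps the base disconnect handler.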
@@ -0,0 +1,85 @@
+From 656ee5eb461a8fc6e2fc7930ba6ea606f013b754 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Apr 2025 13:24:08 -0700
+Subject: net_sched: sch_sfq: move the limit validation
+
+From: Octavian Purdila
+
+[ Upstream commit b3bf8f63e6179076b57c9de660c9f80b5abefe70 ]
+
+It is not sufficient to directly validate the limit on the data that
+the user passes as it can be updated based on how the other parameters
+are changed.
+
+Move the check at the end of the configuration update process to also
+catch scenarios where the limit is indirectly updated, for example
+with the following configurations:
+
+tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1
+tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1
+
+This fixes the following syzkaller reported crash:
+
+------------[ cut here ]------------
+UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6
+index 65535 is out of range for type 'struct sfq_head[128]'
+CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120
+ ubsan_epilogue lib/ubsan.c:231 [inline]
+ __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429
+ sfq_link net/sched/sch_sfq.c:203 [inline]
+ sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231
+ sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493
+ sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518
+ qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
+ tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339
+ qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
+ dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311
+ netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]
+ dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375
+
+Reported-by: syzbot
+Fixes: 10685681bafc ("net_sched: sch_sfq: don't allow 1 packet limit")
+Signed-off-by: Octavian Purdila
+Acked-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sched/sch_sfq.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
+index 68e909e8fabd9..002941d35b643 100644
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -661,10 +661,6 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt,
+ if (!p)
+ return -ENOMEM;
+ }
+- if (ctl->limit == 1) {
+- NL_SET_ERR_MSG_MOD(extack, "invalid limit");
+- return -EINVAL;
+- }
+
+ sch_tree_lock(sch);
+
+@@ -705,6 +701,12 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt,
+ limit = min_t(u32, ctl->limit, maxdepth * maxflows);
+ maxflows = min_t(u32, maxflows, limit);
+ }
++ if (limit == 1) {
++ sch_tree_unlock(sch);
++ kfree(p);
++ NL_SET_ERR_MSG_MOD(extack, "invalid limit");
++ return -EINVAL;
++ }
+
+ /* commit configuration */
+ q->limit = limit;
+--
+2.39.5
+
diff --git a/queue-6.1/net_sched-sch_sfq-use-a-temporary-work-area-for-vali.patch b/queue-6.1/net_sched-sch_sfq-use-a-temporary-work-area-for-vali.patch
new file mode 100644
index 0000000000..c5dffed133
--- /dev/null
+++ b/queue-6.1/net_sched-sch_sfq-use-a-temporary-work-area-for-vali.patch
@@ -0,0 +1,124 @@ +From 40c04f7cbf73b5ef1d17b501df559c537fb213a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 13:24:07 -0700 +Subject: net_sched: sch_sfq: use a temporary work area for validating + configuration + +From: Octavian Purdila + +[ Upstream commit 8c0cea59d40cf6dd13c2950437631dd614fbade6 ] + +Many configuration parameters have influence on others (e.g. divisor +-> flows -> limit, depth -> limit) and so it is difficult to correctly +do all of the validation before applying the configuration. And if a +validation error is detected late it is difficult to roll back a +partially applied configuration. + +To avoid these issues use a temporary work area to update and validate +the configuration and only then apply the configuration to the +internal state. + +Signed-off-by: Octavian Purdila +Acked-by: Cong Wang +Signed-off-by: David S. Miller +Stable-dep-of: b3bf8f63e617 ("net_sched: sch_sfq: move the limit validation") +Signed-off-by: Sasha Levin +--- + net/sched/sch_sfq.c | 56 +++++++++++++++++++++++++++++++++++---------- + 1 file changed, 44 insertions(+), 12 deletions(-) + +diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c +index 60754f366ab7b..68e909e8fabd9 100644 +--- a/net/sched/sch_sfq.c ++++ b/net/sched/sch_sfq.c +@@ -631,6 +631,15 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt, + struct red_parms *p = NULL; + struct sk_buff *to_free = NULL; + struct sk_buff *tail = NULL; ++ unsigned int maxflows; ++ unsigned int quantum; ++ unsigned int divisor; ++ int perturb_period; ++ u8 headdrop; ++ u8 maxdepth; ++ int limit; ++ u8 flags; ++ + + if (opt->nla_len < nla_attr_size(sizeof(*ctl))) + return -EINVAL; +@@ -656,36 +665,59 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt, + NL_SET_ERR_MSG_MOD(extack, "invalid limit"); + return -EINVAL; + } ++ + sch_tree_lock(sch); ++ ++ limit = q->limit; ++ divisor = q->divisor; ++ headdrop = q->headdrop; ++ maxdepth = q->maxdepth; ++ maxflows = q->maxflows; ++ 
perturb_period = q->perturb_period; ++ quantum = q->quantum; ++ flags = q->flags; ++ ++ /* update and validate configuration */ + if (ctl->quantum) +- q->quantum = ctl->quantum; +- WRITE_ONCE(q->perturb_period, ctl->perturb_period * HZ); ++ quantum = ctl->quantum; ++ perturb_period = ctl->perturb_period * HZ; + if (ctl->flows) +- q->maxflows = min_t(u32, ctl->flows, SFQ_MAX_FLOWS); ++ maxflows = min_t(u32, ctl->flows, SFQ_MAX_FLOWS); + if (ctl->divisor) { +- q->divisor = ctl->divisor; +- q->maxflows = min_t(u32, q->maxflows, q->divisor); ++ divisor = ctl->divisor; ++ maxflows = min_t(u32, maxflows, divisor); + } + if (ctl_v1) { + if (ctl_v1->depth) +- q->maxdepth = min_t(u32, ctl_v1->depth, SFQ_MAX_DEPTH); ++ maxdepth = min_t(u32, ctl_v1->depth, SFQ_MAX_DEPTH); + if (p) { +- swap(q->red_parms, p); +- red_set_parms(q->red_parms, ++ red_set_parms(p, + ctl_v1->qth_min, ctl_v1->qth_max, + ctl_v1->Wlog, + ctl_v1->Plog, ctl_v1->Scell_log, + NULL, + ctl_v1->max_P); + } +- q->flags = ctl_v1->flags; +- q->headdrop = ctl_v1->headdrop; ++ flags = ctl_v1->flags; ++ headdrop = ctl_v1->headdrop; + } + if (ctl->limit) { +- q->limit = min_t(u32, ctl->limit, q->maxdepth * q->maxflows); +- q->maxflows = min_t(u32, q->maxflows, q->limit); ++ limit = min_t(u32, ctl->limit, maxdepth * maxflows); ++ maxflows = min_t(u32, maxflows, limit); + } + ++ /* commit configuration */ ++ q->limit = limit; ++ q->divisor = divisor; ++ q->headdrop = headdrop; ++ q->maxdepth = maxdepth; ++ q->maxflows = maxflows; ++ WRITE_ONCE(q->perturb_period, perturb_period); ++ q->quantum = quantum; ++ q->flags = flags; ++ if (p) ++ swap(q->red_parms, p); ++ + qlen = sch->q.qlen; + while (sch->q.qlen > q->limit) { + dropped += sfq_drop(sch, &to_free); +-- +2.39.5 + diff --git a/queue-6.1/nft_set_pipapo-fix-incorrect-avx2-match-of-5th-field.patch b/queue-6.1/nft_set_pipapo-fix-incorrect-avx2-match-of-5th-field.patch new file mode 100644 index 0000000000..066146dbbb --- /dev/null 
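Review bot: `perturb_period = ctl->perturb_period * HZ;` multiplies a value taken from the netlink request by HZ and stores it in the new `int perturb_period` with no range check, so a large or negative request value can overflow or be committed as a negative period through `WRITE_ONCE(q->perturb_period, perturb_period)`. Now that validation is separated from the commit step, the request can be rejected before `sch_tree_lock(sch)` with `if (ctl->perturb_period < 0 || ctl->perturb_period > INT_MAX / HZ)`, setting an extack message and returning `-EINVAL`. The type of `ctl->perturb_period` is declared outside the hunk, so its signedness is assumed here and should be confirmed.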
+++ b/queue-6.1/nft_set_pipapo-fix-incorrect-avx2-match-of-5th-field.patch 
@@ -0,0 +1,53 @@
+From 9d18ca854297d25342168d5d32779afc1426b3c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Apr 2025 19:40:18 +0200
+Subject: nft_set_pipapo: fix incorrect avx2 match of 5th field octet
+
+From: Florian Westphal
+
+[ Upstream commit e042ed950d4e176379ba4c0722146cd96fb38aa2 ]
+
+Given a set element like:
+
+ icmpv6 . dead:beef:00ff::1
+
+The value of 'ff' is irrelevant, any address will be matched
+as long as the other octets are the same.
+
+This is because of too-early register clobbering:
+ymm7 is reloaded with new packet data (pkt[9]) but it still holds data
+of an earlier load that wasn't processed yet.
+
+The existing tests in nft_concat_range.sh selftests do exercise this code
+path, but do not trigger incorrect matching due to the network prefix
+limitation.
+
+Fixes: 7400b063969b ("nft_set_pipapo: Introduce AVX2-based lookup implementation")
+Reported-by: sontu mazumdar
+Closes: https://lore.kernel.org/netfilter/CANgxkqwnMH7fXra+VUfODT-8+qFLgskq3set1cAzqqJaV4iEZg@mail.gmail.com/T/#t
+Reviewed-by: Stefano Brivio
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_set_pipapo_avx2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
+index b8d3c3213efee..c15db28c5ebc4 100644
+--- a/net/netfilter/nft_set_pipapo_avx2.c
++++ b/net/netfilter/nft_set_pipapo_avx2.c
+@@ -994,8 +994,9 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
+ NFT_PIPAPO_AVX2_BUCKET_LOAD8(5, lt, 8, pkt[8], bsize);
+
+ NFT_PIPAPO_AVX2_AND(6, 2, 3);
++ NFT_PIPAPO_AVX2_AND(3, 4, 7);
+ NFT_PIPAPO_AVX2_BUCKET_LOAD8(7, lt, 9, pkt[9], bsize);
+- NFT_PIPAPO_AVX2_AND(0, 4, 5);
++ NFT_PIPAPO_AVX2_AND(0, 3, 5);
+ NFT_PIPAPO_AVX2_BUCKET_LOAD8(1, lt, 10, pkt[10], bsize);
+ NFT_PIPAPO_AVX2_AND(2, 6, 7);
+ NFT_PIPAPO_AVX2_BUCKET_LOAD8(3, lt, 11, pkt[11], bsize);
+--
+2.39.5
+
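Review bot: The added `NFT_PIPAPO_AVX2_AND(3, 4, 7);` is correct only because it runs before `NFT_PIPAPO_AVX2_BUCKET_LOAD8(7, lt, 9, pkt[9], bsize);` reuses register 7, and nothing in the code records that ordering constraint. A comment on that line such as `/* consume ymm7 before the pkt[9] load below overwrites it */` would stop a later reschedule of the loads from reintroducing the over-broad match. The commit message states that the existing nft_concat_range.sh cases do not catch the bug, so a selftest with a set element that differs only in this octet should accompany the fix; for a packet-filter set, an address that matches when it should not is a policy bypass. `nft_pipapo_avx2_lookup_8b_16()` begins and ends outside the hunk, so the other register reuses in it were not checked.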
diff --git a/queue-6.1/nvmet-fcloop-swap-list_add_tail-arguments.patch b/queue-6.1/nvmet-fcloop-swap-list_add_tail-arguments.patch
new file mode 100644
index 0000000000..a7253cee75
--- /dev/null
+++ b/queue-6.1/nvmet-fcloop-swap-list_add_tail-arguments.patch
@@ -0,0 +1,38 @@
+From 968cf28ac3ccaed552c6cc5ff11508c7cc41a027 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Apr 2025 17:29:03 +0200
+Subject: nvmet-fcloop: swap list_add_tail arguments
+
+From: Daniel Wagner
+
+[ Upstream commit 2b5f0c5bc819af2b0759a8fcddc1b39102735c0f ]
+
+The newly element to be added to the list is the first argument of
+list_add_tail. This fix is missing dcfad4ab4d67 ("nvmet-fcloop: swap
+the list_add_tail arguments").
+
+Fixes: 437c0b824dbd ("nvme-fcloop: add target to host LS request support")
+Signed-off-by: Daniel Wagner
+Reviewed-by: Hannes Reinecke
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/target/fcloop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c
+index f5b8442b653db..787dfb3859a0d 100644
+--- a/drivers/nvme/target/fcloop.c
++++ b/drivers/nvme/target/fcloop.c
+@@ -478,7 +478,7 @@ fcloop_t2h_xmt_ls_rsp(struct nvme_fc_local_port *localport,
+ if (targetport) {
+ tport = targetport->private;
+ spin_lock(&tport->lock);
+- list_add_tail(&tport->ls_list, &tls_req->ls_list);
++ list_add_tail(&tls_req->ls_list, &tport->ls_list);
+ spin_unlock(&tport->lock);
+ queue_work(nvmet_wq, &tport->ls_work);
+ }
+--
+2.39.5
+
diff --git a/queue-6.1/rtnl-add-helper-to-check-if-a-notification-is-needed.patch b/queue-6.1/rtnl-add-helper-to-check-if-a-notification-is-needed.patch
new file mode 100644
index 0000000000..ad315efc4f
--- /dev/null
+++ b/queue-6.1/rtnl-add-helper-to-check-if-a-notification-is-needed.patch
@@ -0,0 +1,51 @@
+From 05e9dda19e9e9b22df1e02064af5beda2eb8e23a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Dec 2023 16:28:42 -0300
+Subject: rtnl: add helper to check if a notification is needed
+
+From: Victor Nogueira
+
+[ Upstream commit 8439109b76a3c405808383bf9dd532fc4b9c2dbd ]
+
+Building on the rtnl_has_listeners helper, add the rtnl_notify_needed
+helper to check if we can bail out early in the notification routines.
+
+Reviewed-by: Jiri Pirko
+Reviewed-by: Simon Horman
+Signed-off-by: Victor Nogueira
+Signed-off-by: Pedro Tammela
+Link: https://lore.kernel.org/r/20231208192847.714940-3-pctammela@mojatatu.com
+Signed-off-by: Jakub Kicinski
+Stable-dep-of: 369609fc6272 ("tc: Ensure we have enough buffer space when sending filter netlink notifications")
+Signed-off-by: Sasha Levin
+---
+ include/linux/rtnetlink.h | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/include/linux/rtnetlink.h b/include/linux/rtnetlink.h
+index ad5f15d369235..f532d1eda761c 100644
+--- a/include/linux/rtnetlink.h
++++ b/include/linux/rtnetlink.h
+@@ -145,4 +145,19 @@ static inline int rtnl_has_listeners(const struct net *net, u32 group)
+ return netlink_has_listeners(rtnl, group);
+ }
+
++/**
++ * rtnl_notify_needed - check if notification is needed
++ * @net: Pointer to the net namespace
++ * @nlflags: netlink ingress message flags
++ * @group: rtnl group
++ *
++ * Based on the ingress message flags and rtnl group, returns true
++ * if a notification is needed, false otherwise.
++ */
++static inline bool
++rtnl_notify_needed(const struct net *net, u16 nlflags, u32 group)
++{
++ return (nlflags & NLM_F_ECHO) || rtnl_has_listeners(net, group);
++}
++
+ #endif /* __LINUX_RTNETLINK_H */
+--
+2.39.5
+
diff --git a/queue-6.1/rtnl-add-helper-to-check-if-rtnl-group-has-listeners.patch b/queue-6.1/rtnl-add-helper-to-check-if-rtnl-group-has-listeners.patch
new file mode 100644
index 0000000000..9254a27ead
--- /dev/null
+++ b/queue-6.1/rtnl-add-helper-to-check-if-rtnl-group-has-listeners.patch 
@@ -0,0 +1,53 @@
+From 0500425288104b17c59e2dcf8f689b04b1b09bc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Dec 2023 16:28:41 -0300
+Subject: rtnl: add helper to check if rtnl group has listeners
+
+From: Jamal Hadi Salim
+
+[ Upstream commit c5e2a973448d958feb7881e4d875eac59fdeff3d ]
+
+As of today, rtnl code creates a new skb and unconditionally fills and
+broadcasts it to the relevant group. For most operations this is okay
+and doesn't waste resources in general.
+
+When operations are done without the rtnl_lock, as in tc-flower, such
+skb allocation, message fill and no-op broadcasting can happen in all
+cores of the system, which contributes to system pressure and wastes
+precious cpu cycles when no one will receive the built message.
+
+Introduce this helper so rtnetlink operations can simply check if someone
+is listening and then proceed if necessary.
+
+Reviewed-by: Jiri Pirko
+Reviewed-by: Simon Horman
+Signed-off-by: Jamal Hadi Salim
+Signed-off-by: Victor Nogueira
+Signed-off-by: Pedro Tammela
+Link: https://lore.kernel.org/r/20231208192847.714940-2-pctammela@mojatatu.com
+Signed-off-by: Jakub Kicinski
+Stable-dep-of: 369609fc6272 ("tc: Ensure we have enough buffer space when sending filter netlink notifications")
+Signed-off-by: Sasha Levin
+---
+ include/linux/rtnetlink.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/include/linux/rtnetlink.h b/include/linux/rtnetlink.h
+index ae2c6a3cec5db..ad5f15d369235 100644
+--- a/include/linux/rtnetlink.h
++++ b/include/linux/rtnetlink.h
+@@ -138,4 +138,11 @@ extern int ndo_dflt_bridge_getlink(struct sk_buff *skb, u32 pid, u32 seq,
+
+ extern void rtnl_offload_xstats_notify(struct net_device *dev);
+
++static inline int rtnl_has_listeners(const struct net *net, u32 group)
++{
++ struct sock *rtnl = net->rtnl;
++
++ return netlink_has_listeners(rtnl, group);
++}
++
+ #endif /* __LINUX_RTNETLINK_H */
+--
+2.39.5
+
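Review bot: `rtnl_has_listeners()` is added to a public header with no kernel-doc, and it returns `int` although it is used as a predicate; the companion helper `rtnl_notify_needed()` queued in this same series is documented and returns `bool`. I would declare it `static inline bool rtnl_has_listeners(const struct net *net, u32 group)` and give it a kernel-doc block naming `@net` and `@group`. The block should also say that the result is only a snapshot taken at call time, which matters to callers that skip building a notification on a false result; that is presumably acceptable for these notifications, but it should be written down.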
diff --git a/queue-6.1/selftests-futex-futex_waitv-wouldblock-test-should-f.patch b/queue-6.1/selftests-futex-futex_waitv-wouldblock-test-should-f.patch
new file mode 100644
index 0000000000..b8ae03fc62
--- /dev/null
+++ b/queue-6.1/selftests-futex-futex_waitv-wouldblock-test-should-f.patch
@@ -0,0 +1,42 @@
+From 84e94c9a67742a3ed877f388fa221ec6df9fe095 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Apr 2025 22:12:20 +0000
+Subject: selftests/futex: futex_waitv wouldblock test should fail
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Edward Liaw
+
+[ Upstream commit 7d50e00fef2832e98d7e06bbfc85c1d66ee110ca ]
+
+Testcase should fail if -EWOULDBLOCK is not returned when expected value
+differs from actual value from the waiter.
+
+Link: https://lore.kernel.org/r/20250404221225.1596324-1-edliaw@google.com
+Fixes: 9d57f7c79748920636f8293d2f01192d702fe390 ("selftests: futex: Test sys_futex_waitv() wouldblock")
+Signed-off-by: Edward Liaw
+Reviewed-by: Thomas Gleixner
+Reviewed-by: André Almeida
+Signed-off-by: Shuah Khan
+Signed-off-by: Sasha Levin
+---
+ .../testing/selftests/futex/functional/futex_wait_wouldblock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/futex/functional/futex_wait_wouldblock.c b/tools/testing/selftests/futex/functional/futex_wait_wouldblock.c
+index 7d7a6a06cdb75..2d8230da90642 100644
+--- a/tools/testing/selftests/futex/functional/futex_wait_wouldblock.c
++++ b/tools/testing/selftests/futex/functional/futex_wait_wouldblock.c
+@@ -98,7 +98,7 @@ int main(int argc, char *argv[])
+ info("Calling futex_waitv on f1: %u @ %p with val=%u\n", f1, &f1, f1+1);
+ res = futex_waitv(&waitv, 1, 0, &to, CLOCK_MONOTONIC);
+ if (!res || errno != EWOULDBLOCK) {
+- ksft_test_result_pass("futex_waitv returned: %d %s\n",
++ ksft_test_result_fail("futex_waitv returned: %d %s\n",
+ res ? errno : res,
+ res ? strerror(errno) : "");
+ ret = RET_FAIL;
+--
+2.39.5
+
diff --git a/queue-6.1/series b/queue-6.1/series
new file mode 100644
index 0000000000..bf64e03635
--- /dev/null
+++ b/queue-6.1/series
@@ -0,0 +1,18 @@
+selftests-futex-futex_waitv-wouldblock-test-should-f.patch
+ata-pata_pxa-fix-potential-null-pointer-dereference-.patch
+tipc-fix-memory-leak-in-tipc_link_xmit.patch
+codel-remove-sch-q.qlen-check-before-qdisc_tree_redu.patch
+net-tls-explicitly-disallow-disconnect.patch
+rtnl-add-helper-to-check-if-rtnl-group-has-listeners.patch
+rtnl-add-helper-to-check-if-a-notification-is-needed.patch
+net-sched-cls_api-conditional-notification-of-events.patch
+tc-ensure-we-have-enough-buffer-space-when-sending-f.patch
+net-ethtool-don-t-call-.cleanup_data-when-prepare_da.patch
+ata-sata_sx4-add-error-handling-in-pdc20621_i2c_read.patch
+nvmet-fcloop-swap-list_add_tail-arguments.patch
+net_sched-sch_sfq-use-a-temporary-work-area-for-vali.patch
+net_sched-sch_sfq-move-the-limit-validation.patch
+ipv6-align-behavior-across-nexthops-during-path-sele.patch
+net-ppp-add-bound-checking-for-skb-data-on-ppp_sync_.patch
+nft_set_pipapo-fix-incorrect-avx2-match-of-5th-field.patch
+iommu-mediatek-fix-null-pointer-deference-in-mtk_iom.patch
diff --git a/queue-6.1/tc-ensure-we-have-enough-buffer-space-when-sending-f.patch b/queue-6.1/tc-ensure-we-have-enough-buffer-space-when-sending-f.patch
new file mode 100644
index 0000000000..a26cfdc26e
--- /dev/null
+++ b/queue-6.1/tc-ensure-we-have-enough-buffer-space-when-sending-f.patch
@@ -0,0 +1,162 @@ +From 87dc69ffd90178de2148d4ec97bd4c98d61dea4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 12:55:34 +0200 +Subject: tc: Ensure we have enough buffer space when sending filter netlink + notifications +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 369609fc6272c2f6ad666ba4fd913f3baf32908f ] + +The tfilter_notify() and tfilter_del_notify() functions assume that +NLMSG_GOODSIZE is always enough to dump the filter chain. This is not +always the case, which can lead to silent notify failures (because the +return code of tfilter_notify() is not always checked). In particular, +this can lead to NLM_F_ECHO not being honoured even though an action +succeeds, which forces userspace to create workarounds[0]. + +Fix this by increasing the message size if dumping the filter chain into +the allocated skb fails. Use the size of the incoming skb as a size hint +if set, so we can start at a larger value when appropriate. 
+ +To trigger this, run the following commands: + + # ip link add type veth + # tc qdisc replace dev veth0 root handle 1: fq_codel + # tc -echo filter add dev veth0 parent 1: u32 match u32 0 0 $(for i in $(seq 32); do echo action pedit munge ip dport set 22; done) + +Before this fix, tc just returns: + +Not a filter(cmd 2) + +After the fix, we get the correct echo: + +added filter dev veth0 parent 1: protocol all pref 49152 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 terminal flowid not_in_hw + match 00000000/00000000 at 0 + action order 1: pedit action pass keys 1 + index 1 ref 1 bind 1 + key #0 at 20: val 00000016 mask ffff0000 +[repeated 32 times] + +[0] https://github.com/openvswitch/ovs/commit/106ef21860c935e5e0017a88bf42b94025c4e511 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Frode Nordahl +Closes: https://bugs.launchpad.net/ubuntu/+source/openvswitch/+bug/2018500 +Signed-off-by: Toke Høiland-Jørgensen +Reviewed-by: Jiri Pirko +Link: https://patch.msgid.link/20250407105542.16601-1-toke@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/cls_api.c | 66 ++++++++++++++++++++++++++++++--------------- + 1 file changed, 45 insertions(+), 21 deletions(-) + +diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c +index 2b44b82877f5a..89da596be1b86 100644 +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -1824,6 +1824,7 @@ static int tcf_fill_node(struct net *net, struct sk_buff *skb, + struct tcmsg *tcm; + struct nlmsghdr *nlh; + unsigned char *b = skb_tail_pointer(skb); ++ int ret = -EMSGSIZE; + + nlh = nlmsg_put(skb, portid, seq, event, sizeof(*tcm), flags); + if (!nlh) +@@ -1868,11 +1869,45 @@ static int tcf_fill_node(struct net *net, struct sk_buff *skb, + + return skb->len; + ++cls_op_not_supp: ++ ret = -EOPNOTSUPP; + out_nlmsg_trim: + nla_put_failure: +-cls_op_not_supp: + nlmsg_trim(skb, b); +- return -1; ++ return ret; ++} ++ ++static struct sk_buff *tfilter_notify_prep(struct net *net, ++ struct 
sk_buff *oskb, ++ struct nlmsghdr *n, ++ struct tcf_proto *tp, ++ struct tcf_block *block, ++ struct Qdisc *q, u32 parent, ++ void *fh, int event, ++ u32 portid, bool rtnl_held, ++ struct netlink_ext_ack *extack) ++{ ++ unsigned int size = oskb ? max(NLMSG_GOODSIZE, oskb->len) : NLMSG_GOODSIZE; ++ struct sk_buff *skb; ++ int ret; ++ ++retry: ++ skb = alloc_skb(size, GFP_KERNEL); ++ if (!skb) ++ return ERR_PTR(-ENOBUFS); ++ ++ ret = tcf_fill_node(net, skb, tp, block, q, parent, fh, portid, ++ n->nlmsg_seq, n->nlmsg_flags, event, false, ++ rtnl_held, extack); ++ if (ret <= 0) { ++ kfree_skb(skb); ++ if (ret == -EMSGSIZE) { ++ size += NLMSG_GOODSIZE; ++ goto retry; ++ } ++ return ERR_PTR(-EINVAL); ++ } ++ return skb; + } + + static int tfilter_notify(struct net *net, struct sk_buff *oskb, +@@ -1888,16 +1923,10 @@ static int tfilter_notify(struct net *net, struct sk_buff *oskb, + if (!unicast && !rtnl_notify_needed(net, n->nlmsg_flags, RTNLGRP_TC)) + return 0; + +- skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); +- if (!skb) +- return -ENOBUFS; +- +- if (tcf_fill_node(net, skb, tp, block, q, parent, fh, portid, +- n->nlmsg_seq, n->nlmsg_flags, event, +- false, rtnl_held, extack) <= 0) { +- kfree_skb(skb); +- return -EINVAL; +- } ++ skb = tfilter_notify_prep(net, oskb, n, tp, block, q, parent, fh, event, ++ portid, rtnl_held, extack); ++ if (IS_ERR(skb)) ++ return PTR_ERR(skb); + + if (unicast) + err = rtnl_unicast(skb, net, portid); +@@ -1920,16 +1949,11 @@ static int tfilter_del_notify(struct net *net, struct sk_buff *oskb, + if (!rtnl_notify_needed(net, n->nlmsg_flags, RTNLGRP_TC)) + return tp->ops->delete(tp, fh, last, rtnl_held, extack); + +- skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); +- if (!skb) +- return -ENOBUFS; +- +- if (tcf_fill_node(net, skb, tp, block, q, parent, fh, portid, +- n->nlmsg_seq, n->nlmsg_flags, RTM_DELTFILTER, +- false, rtnl_held, extack) <= 0) { ++ skb = tfilter_notify_prep(net, oskb, n, tp, block, q, parent, fh, ++ RTM_DELTFILTER, portid, 
rtnl_held, extack); ++ if (IS_ERR(skb)) { + NL_SET_ERR_MSG(extack, "Failed to build del event notification"); +- kfree_skb(skb); +- return -EINVAL; ++ return PTR_ERR(skb); + } + + err = tp->ops->delete(tp, fh, last, rtnl_held, extack); +-- +2.39.5 + diff --git a/queue-6.1/tipc-fix-memory-leak-in-tipc_link_xmit.patch b/queue-6.1/tipc-fix-memory-leak-in-tipc_link_xmit.patch new file mode 100644 index 0000000000..ee04ad0759 --- /dev/null +++ b/queue-6.1/tipc-fix-memory-leak-in-tipc_link_xmit.patch @@ -0,0 +1,40 @@ +From 89b669eaa33b945fb98207743567af175f765953 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 09:24:31 +0000 +Subject: tipc: fix memory leak in tipc_link_xmit + +From: Tung Nguyen + +[ Upstream commit 69ae94725f4fc9e75219d2d69022029c5b24bc9a ] + +In case the backlog transmit queue for system-importance messages is overloaded, +tipc_link_xmit() returns -ENOBUFS but the skb list is not purged. This leads to +memory leak and failure when a skb is allocated. + +This commit fixes this issue by purging the skb list before tipc_link_xmit() +returns. + +Fixes: 365ad353c256 ("tipc: reduce risk of user starvation during link congestion") +Signed-off-by: Tung Nguyen +Link: https://patch.msgid.link/20250403092431.514063-1-tung.quang.nguyen@est.tech +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tipc/link.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/tipc/link.c b/net/tipc/link.c +index 8715c9b05f90d..d6a8f0aa531bd 100644 +--- a/net/tipc/link.c ++++ b/net/tipc/link.c +@@ -1068,6 +1068,7 @@ int tipc_link_xmit(struct tipc_link *l, struct sk_buff_head *list, + if (unlikely(l->backlog[imp].len >= l->backlog[imp].limit)) { + if (imp == TIPC_SYSTEM_IMPORTANCE) { + pr_warn("%s<%s>, link overflow", link_rst_msg, l->name); ++ __skb_queue_purge(list); + return -ENOBUFS; + } + rc = link_schedule_user(l, hdr); +-- +2.39.5 + -- 2.47.3
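Review bot: The `retry:` loop in `tfilter_notify_prep()` has no upper bound: every `-EMSGSIZE` from `tcf_fill_node()` adds `NLMSG_GOODSIZE` to `size` and allocates again with `GFP_KERNEL`, so it ends only when the dump fits or `alloc_skb()` fails. The dumped filter comes from configuration installed over netlink, so I would cap the growth and return an error past the cap, e.g. `if (ret == -EMSGSIZE && size < TFILTER_NOTIFY_MAX)`, where `TFILTER_NOTIFY_MAX` is a placeholder name for a limit the maintainers would choose. The helper also folds every other failure into `ERR_PTR(-EINVAL)`, which discards the `-EOPNOTSUPP` that `tcf_fill_node()` now returns through `cls_op_not_supp`; if that is deliberate to keep the previous errno, a one-line comment saying so would help. `tcf_fill_node()`, `tfilter_notify()` and `tfilter_del_notify()` all extend beyond the inner hunks shown.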