+++ /dev/null
-From a13cdc97327de0502ef6b15e31823c952746bc3a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 19 May 2026 23:03:28 -0400
-Subject: ipv6: route: Unregister netdevice notifier on BPF init failure
-
-From: Yuho Choi <dbgh9129@gmail.com>
-
-[ Upstream commit 1341db322417266fb5845df81d28305b83a37324 ]
-
-ip6_route_init() registers ip6_route_dev_notifier before registering the
-IPv6 route BPF iterator target. If bpf_iter_register() fails after the
-notifier has been registered, the error path currently jumps to
-out_register_late_subsys and unwinds the RTNL handlers and pernet route
-state without removing the notifier from the netdevice notifier chain.
-
-This leaves ip6_route_dev_notify() callable after the IPv6 route state it
-uses has been torn down. Add a separate unwind label for the BPF iterator
-failure path and unregister the netdevice notifier before continuing with
-the existing cleanup.
-
-Fixes: 138d0be35b14 ("net: bpf: Add netlink and ipv6_route bpf_iter targets")
-Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
-Reviewed-by: Ido Schimmel <idosch@nvidia.com>
-Link: https://patch.msgid.link/20260520030329.1061183-1-dbgh9129@gmail.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/route.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv6/route.c b/net/ipv6/route.c
-index 27736b5847378..f2b80dedd8e0f 100644
---- a/net/ipv6/route.c
-+++ b/net/ipv6/route.c
-@@ -6579,7 +6579,7 @@ int __init ip6_route_init(void)
- #if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS)
- ret = bpf_iter_register();
- if (ret)
-- goto out_register_late_subsys;
-+ goto out_register_notifier;
- #endif
- #endif
-
-@@ -6593,6 +6593,10 @@ int __init ip6_route_init(void)
- out:
- return ret;
-
-+#if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS)
-+out_register_notifier:
-+ unregister_netdevice_notifier(&ip6_route_dev_notifier);
-+#endif
- out_register_late_subsys:
- rtnl_unregister_all(PF_INET6);
- unregister_pernet_subsys(&ip6_route_net_late_ops);
---
-2.53.0
-
--- /dev/null
+From 5a55df6cf35681117dbe64dbd277ff8fe8090af4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 16:00:21 +0800
+Subject: net: usb: lan78xx: Fix double free issue with interrupt buffer
+ allocation
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 03819abbeb11117dcbba40bfe322b88c0c88a6b6 ]
+
+In lan78xx_probe(), the buffer `buf` was being freed twice: once
+implicitly through `usb_free_urb(dev->urb_intr)` with the
+`URB_FREE_BUFFER` flag and again explicitly by `kfree(buf)`. This caused
+a double free issue.
+
+To resolve this, reordered `kmalloc()` and `usb_alloc_urb()` calls to
+simplify the initialization sequence and removed the redundant
+`kfree(buf)`. Now, `buf` is allocated after `usb_alloc_urb()`, ensuring
+it is correctly managed by `usb_fill_int_urb()` and freed by
+`usb_free_urb()` as intended.
+
+Fixes: a6df95cae40b ("lan78xx: Fix memory allocation bug")
+Cc: John Efstathiades <john.efstathiades@pebblebay.com>
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://patch.msgid.link/20241116130558.1352230-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Adjust context. Make the function usb_alloc_urb() call before
+kmalloc(). ]
+Signed-off-by: Wenshan Lan <jetlan9@163.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 29 ++++++++++++++---------------
+ 1 file changed, 14 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index f0643d9d8ff94..af0622e942584 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -4057,29 +4057,30 @@ static int lan78xx_probe(struct usb_interface *intf,
+
+ period = ep_intr->desc.bInterval;
+ maxp = usb_maxpacket(dev->udev, dev->pipe_intr, 0);
+- buf = kmalloc(maxp, GFP_KERNEL);
+- if (!buf) {
++
++ dev->urb_intr = usb_alloc_urb(0, GFP_KERNEL);
++ if (!dev->urb_intr) {
+ ret = -ENOMEM;
+ goto out3;
+ }
+
+- dev->urb_intr = usb_alloc_urb(0, GFP_KERNEL);
+- if (!dev->urb_intr) {
++ buf = kmalloc(maxp, GFP_KERNEL);
++ if (!buf) {
+ ret = -ENOMEM;
+- goto out4;
+- } else {
+- usb_fill_int_urb(dev->urb_intr, dev->udev,
+- dev->pipe_intr, buf, maxp,
+- intr_complete, dev, period);
+- dev->urb_intr->transfer_flags |= URB_FREE_BUFFER;
++ goto free_urbs;
+ }
+
++ usb_fill_int_urb(dev->urb_intr, dev->udev,
++ dev->pipe_intr, buf, maxp,
++ intr_complete, dev, period);
++ dev->urb_intr->transfer_flags |= URB_FREE_BUFFER;
++
+ dev->maxpacket = usb_maxpacket(dev->udev, dev->pipe_out, 1);
+
+ /* Reject broken descriptors. */
+ if (dev->maxpacket == 0) {
+ ret = -ENODEV;
+- goto out5;
++ goto free_urbs;
+ }
+
+ /* driver requires remote-wakeup capability during autosuspend. */
+@@ -4087,7 +4088,7 @@ static int lan78xx_probe(struct usb_interface *intf,
+
+ ret = lan78xx_phy_init(dev);
+ if (ret < 0)
+- goto out5;
++ goto free_urbs;
+
+ ret = register_netdev(netdev);
+ if (ret != 0) {
+@@ -4109,10 +4110,8 @@ static int lan78xx_probe(struct usb_interface *intf,
+
+ out6:
+ phy_disconnect(netdev->phydev);
+-out5:
++free_urbs:
+ usb_free_urb(dev->urb_intr);
+-out4:
+- kfree(buf);
+ out3:
+ lan78xx_unbind(dev, intf);
+ out2:
+--
+2.53.0
+
string-add-mem_is_zero-helper-to-check-if-memory-are.patch
gpiolib-cdev-use-mem_is_zero-instead-of-memchr_inv-s.patch
gpio-cdev-check-if-uapi-v2-config-attributes-are-cor.patch
-ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch
+net-usb-lan78xx-fix-double-free-issue-with-interrupt.patch
+++ /dev/null
-From f68c7c1bd867898911025a2e73427a100cf49c53 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 19 May 2026 23:03:28 -0400
-Subject: ipv6: route: Unregister netdevice notifier on BPF init failure
-
-From: Yuho Choi <dbgh9129@gmail.com>
-
-[ Upstream commit 1341db322417266fb5845df81d28305b83a37324 ]
-
-ip6_route_init() registers ip6_route_dev_notifier before registering the
-IPv6 route BPF iterator target. If bpf_iter_register() fails after the
-notifier has been registered, the error path currently jumps to
-out_register_late_subsys and unwinds the RTNL handlers and pernet route
-state without removing the notifier from the netdevice notifier chain.
-
-This leaves ip6_route_dev_notify() callable after the IPv6 route state it
-uses has been torn down. Add a separate unwind label for the BPF iterator
-failure path and unregister the netdevice notifier before continuing with
-the existing cleanup.
-
-Fixes: 138d0be35b14 ("net: bpf: Add netlink and ipv6_route bpf_iter targets")
-Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
-Reviewed-by: Ido Schimmel <idosch@nvidia.com>
-Link: https://patch.msgid.link/20260520030329.1061183-1-dbgh9129@gmail.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/route.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv6/route.c b/net/ipv6/route.c
-index 52e8e77df69a1..ad21cdf8045a0 100644
---- a/net/ipv6/route.c
-+++ b/net/ipv6/route.c
-@@ -6744,7 +6744,7 @@ int __init ip6_route_init(void)
- #if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS)
- ret = bpf_iter_register();
- if (ret)
-- goto out_register_late_subsys;
-+ goto out_register_notifier;
- #endif
- #endif
-
-@@ -6758,6 +6758,10 @@ int __init ip6_route_init(void)
- out:
- return ret;
-
-+#if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS)
-+out_register_notifier:
-+ unregister_netdevice_notifier(&ip6_route_dev_notifier);
-+#endif
- out_register_late_subsys:
- rtnl_unregister_all(PF_INET6);
- unregister_pernet_subsys(&ip6_route_net_late_ops);
---
-2.53.0
-
string-add-mem_is_zero-helper-to-check-if-memory-are.patch
gpiolib-cdev-use-mem_is_zero-instead-of-memchr_inv-s.patch
gpio-cdev-check-if-uapi-v2-config-attributes-are-cor.patch
-ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch
net-mana-validate-rx_req_idx-to-prevent-out-of-bound.patch
+++ /dev/null
-From 98f1089e6738a38bd28887e8d41079089b694e79 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 19 May 2026 23:03:28 -0400
-Subject: ipv6: route: Unregister netdevice notifier on BPF init failure
-
-From: Yuho Choi <dbgh9129@gmail.com>
-
-[ Upstream commit 1341db322417266fb5845df81d28305b83a37324 ]
-
-ip6_route_init() registers ip6_route_dev_notifier before registering the
-IPv6 route BPF iterator target. If bpf_iter_register() fails after the
-notifier has been registered, the error path currently jumps to
-out_register_late_subsys and unwinds the RTNL handlers and pernet route
-state without removing the notifier from the netdevice notifier chain.
-
-This leaves ip6_route_dev_notify() callable after the IPv6 route state it
-uses has been torn down. Add a separate unwind label for the BPF iterator
-failure path and unregister the netdevice notifier before continuing with
-the existing cleanup.
-
-Fixes: 138d0be35b14 ("net: bpf: Add netlink and ipv6_route bpf_iter targets")
-Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
-Reviewed-by: Ido Schimmel <idosch@nvidia.com>
-Link: https://patch.msgid.link/20260520030329.1061183-1-dbgh9129@gmail.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/route.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv6/route.c b/net/ipv6/route.c
-index 987ef0954e2ea..2ab8aacf5513d 100644
---- a/net/ipv6/route.c
-+++ b/net/ipv6/route.c
-@@ -6802,7 +6802,7 @@ int __init ip6_route_init(void)
- #if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS)
- ret = bpf_iter_register();
- if (ret)
-- goto out_register_late_subsys;
-+ goto out_register_notifier;
- #endif
- #endif
-
-@@ -6817,6 +6817,10 @@ int __init ip6_route_init(void)
- out:
- return ret;
-
-+#if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS)
-+out_register_notifier:
-+ unregister_netdevice_notifier(&ip6_route_dev_notifier);
-+#endif
- out_register_late_subsys:
- rtnl_unregister_all(PF_INET6);
- unregister_pernet_subsys(&ip6_route_net_late_ops);
---
-2.53.0
-
string-add-mem_is_zero-helper-to-check-if-memory-are.patch
gpiolib-cdev-use-mem_is_zero-instead-of-memchr_inv-s.patch
gpio-cdev-check-if-uapi-v2-config-attributes-are-cor.patch
-ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch
net-mana-validate-rx_req_idx-to-prevent-out-of-bound.patch
+++ /dev/null
-From 5dd9d37dbf8db894f0ce91372705fb4c8b93ba96 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 19 May 2026 23:03:28 -0400
-Subject: ipv6: route: Unregister netdevice notifier on BPF init failure
-
-From: Yuho Choi <dbgh9129@gmail.com>
-
-[ Upstream commit 1341db322417266fb5845df81d28305b83a37324 ]
-
-ip6_route_init() registers ip6_route_dev_notifier before registering the
-IPv6 route BPF iterator target. If bpf_iter_register() fails after the
-notifier has been registered, the error path currently jumps to
-out_register_late_subsys and unwinds the RTNL handlers and pernet route
-state without removing the notifier from the netdevice notifier chain.
-
-This leaves ip6_route_dev_notify() callable after the IPv6 route state it
-uses has been torn down. Add a separate unwind label for the BPF iterator
-failure path and unregister the netdevice notifier before continuing with
-the existing cleanup.
-
-Fixes: 138d0be35b14 ("net: bpf: Add netlink and ipv6_route bpf_iter targets")
-Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
-Reviewed-by: Ido Schimmel <idosch@nvidia.com>
-Link: https://patch.msgid.link/20260520030329.1061183-1-dbgh9129@gmail.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/route.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv6/route.c b/net/ipv6/route.c
-index 31c9e3b73f2da..0c2303d7e6f89 100644
---- a/net/ipv6/route.c
-+++ b/net/ipv6/route.c
-@@ -6826,7 +6826,7 @@ int __init ip6_route_init(void)
- #if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS)
- ret = bpf_iter_register();
- if (ret)
-- goto out_register_late_subsys;
-+ goto out_register_notifier;
- #endif
- #endif
-
-@@ -6840,6 +6840,10 @@ int __init ip6_route_init(void)
- out:
- return ret;
-
-+#if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS)
-+out_register_notifier:
-+ unregister_netdevice_notifier(&ip6_route_dev_notifier);
-+#endif
- out_register_late_subsys:
- rtnl_unregister_all(PF_INET6);
- unregister_pernet_subsys(&ip6_route_net_late_ops);
---
-2.53.0
-
--- /dev/null
+From acfce351147019a9db1a7544ee172780b8efc3ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 May 2026 12:14:26 +0000
+Subject: landlock: Fix TCP handling of short AF_UNSPEC addresses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthieu Buffet <matthieu@buffet.re>
+
+[ Upstream commit e4d82cbce2258f454634307fdabf33aa46b61ab0 ]
+
+current_check_access_socket() treats AF_UNSPEC addresses as
+AF_INET ones, and only later adds special case handling to
+allow connect(AF_UNSPEC), and on IPv4 sockets
+bind(AF_UNSPEC+INADDR_ANY).
+This would be fine except AF_UNSPEC addresses can be as
+short as a bare AF_UNSPEC sa_family_t field, and nothing
+more. The AF_INET code path incorrectly enforces a length of
+sizeof(struct sockaddr_in) instead.
+
+Move AF_UNSPEC edge case handling up inside the switch-case,
+before the address is (potentially incorrectly) treated as
+AF_INET.
+
+Fixes: fff69fb03dde ("landlock: Support network rules with TCP bind and connect")
+Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
+Link: https://lore.kernel.org/r/20251027190726.626244-4-matthieu@buffet.re
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+[ There was a conflict due to missing commit 9f74411a40ce ("landlock:
+ Log TCP bind and connect denials") ]
+Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/landlock/net.c | 118 +++++++++++++++++++++++-----------------
+ 1 file changed, 67 insertions(+), 51 deletions(-)
+
+diff --git a/security/landlock/net.c b/security/landlock/net.c
+index 104b6c01fe503..53d479893475f 100644
+--- a/security/landlock/net.c
++++ b/security/landlock/net.c
+@@ -72,6 +72,61 @@ static int current_check_access_socket(struct socket *const sock,
+
+ switch (address->sa_family) {
+ case AF_UNSPEC:
++ if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) {
++ /*
++ * Connecting to an address with AF_UNSPEC dissolves
++ * the TCP association, which have the same effect as
++ * closing the connection while retaining the socket
++ * object (i.e., the file descriptor). As for dropping
++ * privileges, closing connections is always allowed.
++ *
++ * For a TCP access control system, this request is
++ * legitimate. Let the network stack handle potential
++ * inconsistencies and return -EINVAL if needed.
++ */
++ return 0;
++ } else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
++ /*
++ * Binding to an AF_UNSPEC address is treated
++ * differently by IPv4 and IPv6 sockets. The socket's
++ * family may change under our feet due to
++ * setsockopt(IPV6_ADDRFORM), but that's ok: we either
++ * reject entirely or require
++ * %LANDLOCK_ACCESS_NET_BIND_TCP for the given port, so
++ * it cannot be used to bypass the policy.
++ *
++ * IPv4 sockets map AF_UNSPEC to AF_INET for
++ * retrocompatibility for bind accesses, only if the
++ * address is INADDR_ANY (cf. __inet_bind). IPv6
++ * sockets always reject it.
++ *
++ * Checking the address is required to not wrongfully
++ * return -EACCES instead of -EAFNOSUPPORT or -EINVAL.
++ * We could return 0 and let the network stack handle
++ * these checks, but it is safer to return a proper
++ * error and test consistency thanks to kselftest.
++ */
++ if (sock->sk->__sk_common.skc_family == AF_INET) {
++ const struct sockaddr_in *const sockaddr =
++ (struct sockaddr_in *)address;
++
++ if (addrlen < sizeof(struct sockaddr_in))
++ return -EINVAL;
++
++ if (sockaddr->sin_addr.s_addr !=
++ htonl(INADDR_ANY))
++ return -EAFNOSUPPORT;
++ } else {
++ if (addrlen < SIN6_LEN_RFC2133)
++ return -EINVAL;
++ else
++ return -EAFNOSUPPORT;
++ }
++ } else {
++ WARN_ON_ONCE(1);
++ }
++ /* Only for bind(AF_UNSPEC+INADDR_ANY) on IPv4 socket. */
++ fallthrough;
+ case AF_INET:
+ if (addrlen < sizeof(struct sockaddr_in))
+ return -EINVAL;
+@@ -90,57 +145,18 @@ static int current_check_access_socket(struct socket *const sock,
+ return 0;
+ }
+
+- /* Specific AF_UNSPEC handling. */
+- if (address->sa_family == AF_UNSPEC) {
+- /*
+- * Connecting to an address with AF_UNSPEC dissolves the TCP
+- * association, which have the same effect as closing the
+- * connection while retaining the socket object (i.e., the file
+- * descriptor). As for dropping privileges, closing
+- * connections is always allowed.
+- *
+- * For a TCP access control system, this request is legitimate.
+- * Let the network stack handle potential inconsistencies and
+- * return -EINVAL if needed.
+- */
+- if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP)
+- return 0;
+-
+- /*
+- * For compatibility reason, accept AF_UNSPEC for bind
+- * accesses (mapped to AF_INET) only if the address is
+- * INADDR_ANY (cf. __inet_bind). Checking the address is
+- * required to not wrongfully return -EACCES instead of
+- * -EAFNOSUPPORT.
+- *
+- * We could return 0 and let the network stack handle these
+- * checks, but it is safer to return a proper error and test
+- * consistency thanks to kselftest.
+- */
+- if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
+- /* addrlen has already been checked for AF_UNSPEC. */
+- const struct sockaddr_in *const sockaddr =
+- (struct sockaddr_in *)address;
+-
+- if (sock->sk->__sk_common.skc_family != AF_INET)
+- return -EINVAL;
+-
+- if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY))
+- return -EAFNOSUPPORT;
+- }
+- } else {
+- /*
+- * Checks sa_family consistency to not wrongfully return
+- * -EACCES instead of -EINVAL. Valid sa_family changes are
+- * only (from AF_INET or AF_INET6) to AF_UNSPEC.
+- *
+- * We could return 0 and let the network stack handle this
+- * check, but it is safer to return a proper error and test
+- * consistency thanks to kselftest.
+- */
+- if (address->sa_family != sock->sk->__sk_common.skc_family)
+- return -EINVAL;
+- }
++ /*
++ * Checks sa_family consistency to not wrongfully return
++ * -EACCES instead of -EINVAL. Valid sa_family changes are
++ * only (from AF_INET or AF_INET6) to AF_UNSPEC.
++ *
++ * We could return 0 and let the network stack handle this
++ * check, but it is safer to return a proper error and test
++ * consistency thanks to kselftest.
++ */
++ if (address->sa_family != sock->sk->__sk_common.skc_family &&
++ address->sa_family != AF_UNSPEC)
++ return -EINVAL;
+
+ id.key.data = (__force uintptr_t)port;
+ BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
+--
+2.53.0
+
gpio-cdev-check-if-uapi-v2-config-attributes-are-cor.patch
asoc-cs35l56-fix-flushing-of-irq-work-in-cs35l56_sdw.patch
drm-xe-oa-fix-exec_queue-leak-on-width-check-in-stre.patch
-ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch
octeontx2-af-npc-fix-allmulticast-skip-logic-for-lbk.patch
net-mana-validate-rx_req_idx-to-prevent-out-of-bound.patch
pds_core-ensure-null-termination-for-firmware-versio.patch
net-gro-don-t-merge-zcopy-skbs.patch
loongarch-kprobes-fix-handling-of-fatal-unrecoverabl.patch
+landlock-fix-tcp-handling-of-short-af_unspec-address.patch
+++ /dev/null
-From a1e38ab8eff054c3b59a90aec95bed1365cef369 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 19 May 2026 23:03:28 -0400
-Subject: ipv6: route: Unregister netdevice notifier on BPF init failure
-
-From: Yuho Choi <dbgh9129@gmail.com>
-
-[ Upstream commit 1341db322417266fb5845df81d28305b83a37324 ]
-
-ip6_route_init() registers ip6_route_dev_notifier before registering the
-IPv6 route BPF iterator target. If bpf_iter_register() fails after the
-notifier has been registered, the error path currently jumps to
-out_register_late_subsys and unwinds the RTNL handlers and pernet route
-state without removing the notifier from the netdevice notifier chain.
-
-This leaves ip6_route_dev_notify() callable after the IPv6 route state it
-uses has been torn down. Add a separate unwind label for the BPF iterator
-failure path and unregister the netdevice notifier before continuing with
-the existing cleanup.
-
-Fixes: 138d0be35b14 ("net: bpf: Add netlink and ipv6_route bpf_iter targets")
-Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
-Reviewed-by: Ido Schimmel <idosch@nvidia.com>
-Link: https://patch.msgid.link/20260520030329.1061183-1-dbgh9129@gmail.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/route.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv6/route.c b/net/ipv6/route.c
-index c5b71baf95e7b..e10810b36484a 100644
---- a/net/ipv6/route.c
-+++ b/net/ipv6/route.c
-@@ -6818,7 +6818,7 @@ int __init ip6_route_init(void)
- #if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS)
- ret = bpf_iter_register();
- if (ret)
-- goto out_register_late_subsys;
-+ goto out_register_notifier;
- #endif
- #endif
-
-@@ -6833,6 +6833,10 @@ int __init ip6_route_init(void)
- out:
- return ret;
-
-+#if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS)
-+out_register_notifier:
-+ unregister_netdevice_notifier(&ip6_route_dev_notifier);
-+#endif
- out_register_late_subsys:
- rtnl_unregister_all(PF_INET6);
- unregister_pernet_subsys(&ip6_route_net_late_ops);
---
-2.53.0
-
gpiolib-cdev-use-mem_is_zero-instead-of-memchr_inv-s.patch
gpio-cdev-check-if-uapi-v2-config-attributes-are-cor.patch
asoc-cs35l56-fix-flushing-of-irq-work-in-cs35l56_sdw.patch
-ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch
net-mana-validate-rx_req_idx-to-prevent-out-of-bound.patch
pds_core-add-an-error-code-check-in-pdsc_dl_info_get.patch
pds_core-ensure-null-termination-for-firmware-versio.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
