From: Greg Kroah-Hartman Date: Tue, 9 Jun 2026 10:49:02 +0000 (+0200) Subject: 6.1-stable patches X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=ee7abd315f4604e91d843c10942365ae83f7ae97;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch disable-wattribute-alias-for-clang-23-and-newer.patch dmaengine-idxd-fix-not-releasing-workqueue-on-.relea.patch usb-serial-mct_u232-fix-memory-corruption-with-small.patch --- diff --git a/queue-6.1/bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch b/queue-6.1/bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch new file mode 100644 index 0000000000..cd0c8bd9ed --- /dev/null +++ b/queue-6.1/bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch @@ -0,0 +1,139 @@ +From 7eee604a6c31c32601d7a331dfdab430d9a8616c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Apr 2026 01:26:43 +0000 +Subject: bpf: Free reuseport cBPF prog after RCU grace period. + +From: Kuniyuki Iwashima + +[ Upstream commit 18fc650ccd7fe3376eca89203668cfb8268f60df ] + +Eulgyu Kim reported the splat below with a repro. [0] + +The repro sets up a UDP reuseport group with a cBPF prog and +replaces it with a new one while another thread is sending +a UDP packet to the group. + +The reuseport prog is freed by sk_reuseport_prog_free(). +bpf_prog_put() is called for "e"BPF prog to destruct through +multiple stages while cBPF prog is freed immediately by +bpf_release_orig_filter() and bpf_prog_free(). + +If a reuseport prog is detached from the setsockopt() path +(reuseport_attach_prog() or reuseport_detach_prog()), +sk_reuseport_prog_free() is called without waiting for RCU +readers to complete, resulting in various bugs. + +Let's defer freeing the reuseport cBPF prog after one RCU +grace period. + +Note "e"BPF prog is safe as is unless the fast path starts +to touch fields destroyed in bpf_prog_put_deferred() and +__bpf_prog_put_noref(). + +[0]: +BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596 +Read of size 4 at addr ffffc9000051e004 by task slowme/10208 +CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full) +Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +Call Trace: + + dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xca/0x240 mm/kasan/report.c:482 + kasan_report+0x118/0x150 mm/kasan/report.c:595 + reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596 + udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495 + __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723 + __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752 + __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752 + ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207 + ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241 + NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 + NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 + __netif_receive_skb_one_core net/core/dev.c:6181 [inline] + __netif_receive_skb net/core/dev.c:6294 [inline] + process_backlog+0xaa4/0x1960 net/core/dev.c:6645 + __napi_poll+0xae/0x340 net/core/dev.c:7709 + napi_poll net/core/dev.c:7772 [inline] + net_rx_action+0x5d7/0xf50 net/core/dev.c:7929 + handle_softirqs+0x22b/0x870 kernel/softirq.c:622 + do_softirq+0x76/0xd0 kernel/softirq.c:523 + + + __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450 + local_bh_enable include/linux/bottom_half.h:33 [inline] + rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline] + __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890 + neigh_output include/net/neighbour.h:556 [inline] + ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237 + NF_HOOK_COND include/linux/netfilter.h:307 [inline] + ip_output+0x29f/0x450 net/ipv4/ip_output.c:438 + ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508 + udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195 + udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + __sys_sendto+0x554/0x680 net/socket.c:2206 + __do_sys_sendto net/socket.c:2213 [inline] + __se_sys_sendto net/socket.c:2209 [inline] + __x64_sys_sendto+0xde/0x100 net/socket.c:2209 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x415a2d +Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d +RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003 +RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010 +R10: 0000000000000000 R11: 0000000000000212 R12: 00007f6bc31e46c0 +R13: ffffffffffffffb8 R14: 0000000000000000 R15: 00007ffc9b0d70b0 + + +Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF") +Reported-by: Eulgyu Kim +Reported-by: Taeyang Lee <0wn@theori.io> +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Daniel Borkmann +Acked-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20260426012647.3233119-1-kuniyu@google.com +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 0ea9ede2c44724..3628ea596050f0 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -1643,15 +1643,24 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk) + return err; + } + ++static void sk_reuseport_prog_free_rcu(struct rcu_head *rcu) ++{ ++ struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu); ++ struct bpf_prog *prog = aux->prog; ++ ++ bpf_release_orig_filter(prog); ++ bpf_prog_free(prog); ++} ++ + void sk_reuseport_prog_free(struct bpf_prog *prog) + { + if (!prog) + return; + +- if (prog->type == BPF_PROG_TYPE_SK_REUSEPORT) +- bpf_prog_put(prog); ++ if (bpf_prog_was_classic(prog)) ++ call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu); + else +- bpf_prog_destroy(prog); ++ bpf_prog_put(prog); + } + + struct bpf_scratchpad { +-- +2.53.0 + diff --git a/queue-6.1/disable-wattribute-alias-for-clang-23-and-newer.patch b/queue-6.1/disable-wattribute-alias-for-clang-23-and-newer.patch new file mode 100644 index 0000000000..0d7554e2ff --- /dev/null +++ b/queue-6.1/disable-wattribute-alias-for-clang-23-and-newer.patch @@ -0,0 +1,123 @@ +From c794e16ac93109312d78729d0008649e5148b103 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 May 2026 04:34:14 +0900 +Subject: Disable -Wattribute-alias for clang-23 and newer + +From: Nathan Chancellor + +commit 175db11786bde9061db526bf1ac5107d915f5163 upstream. + +Clang recently added support for -Wattribute-alias [1], which results in +the same warnings that necessitated commit bee20031772a ("disable +-Wattribute-alias warning for SYSCALL_DEFINEx()") for GCC. + + kernel/time/itimer.c:325:1: error: alias and aliasee have different types 'long (unsigned int)' and 'long (typeof (__builtin_choose_expr((__builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0LL)) || __builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0ULL))), 0LL, 0L)))' (aka 'long (long)') [-Werror,-Wattribute-alias] + 325 | SYSCALL_DEFINE1(alarm, unsigned int, seconds) + | ^ + include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1' + 225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__) + | ^ + include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx' + 236 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__) + | ^ + include/linux/syscalls.h:251:18: note: expanded from macro '__SYSCALL_DEFINEx' + 251 | __attribute__((alias(__stringify(__se_sys##name)))); \ + | ^ + kernel/time/itimer.c:325:1: note: aliasee is declared here + include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1' + 225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__) + | ^ + include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx' + 236 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__) + | ^ + include/linux/syscalls.h:255:18: note: expanded from macro '__SYSCALL_DEFINEx' + 255 | asmlinkage long __se_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)) \ + | ^ + :16:1: note: expanded from here + 16 | __se_sys_alarm + | ^ + +Disable the warnings in the same way for clang-23 and newer. Disable the +warning about unknown warning options to avoid breaking the build for +versions of clang-23 that do not have -Wattribute-alias, such as ones +deployed by vendors like Android or CI systems or when bisecting LLVM +between llvmorg-23-init and release/23.x. + +Cc: stable@vger.kernel.org +Closes: https://github.com/ClangBuiltLinux/linux/issues/2163 +Link: https://github.com/llvm/llvm-project/commit/40da6920a0d71d49dfa2392b09153600b0759f5e [1] +Link: https://patch.msgid.link/20260515-syscall-disable-attribute-alias-for-clang-v1-1-9a9d95d41df6@kernel.org +[nathan: Drop arch/riscv hunk in older trees and address conflicts] +Signed-off-by: Nathan Chancellor +Signed-off-by: Sasha Levin +--- + include/linux/compat.h | 4 ++++ + include/linux/compiler-clang.h | 6 ++++++ + include/linux/compiler_types.h | 4 ++++ + include/linux/syscalls.h | 4 ++++ + 4 files changed, 18 insertions(+) + +diff --git a/include/linux/compat.h b/include/linux/compat.h +index 77e84d17521eb8..38f22c9ac9109b 100644 +--- a/include/linux/compat.h ++++ b/include/linux/compat.h +@@ -72,6 +72,10 @@ + __diag_push(); \ + __diag_ignore(GCC, 8, "-Wattribute-alias", \ + "Type aliasing is used to sanitize syscall arguments");\ ++ __diag_ignore(clang, 23, "-Wunknown-warning-option", \ ++ "Avoid breaking versions without -Wattribute-alias"); \ ++ __diag_ignore(clang, 23, "-Wattribute-alias", \ ++ "Type aliasing is used to sanitize syscall arguments"); \ + asmlinkage long compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \ + __attribute__((alias(__stringify(__se_compat_sys##name)))); \ + ALLOW_ERROR_INJECTION(compat_sys##name, ERRNO); \ +diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h +index f9de53fff3acc4..2fd5b596b36b5c 100644 +--- a/include/linux/compiler-clang.h ++++ b/include/linux/compiler-clang.h +@@ -144,5 +144,11 @@ + #define __diag_clang_11(s) + #endif + ++#if CONFIG_CLANG_VERSION >= 230000 ++#define __diag_clang_23(s) __diag(s) ++#else ++#define __diag_clang_23(s) ++#endif ++ + #define __diag_ignore_all(option, comment) \ + __diag_clang(11, ignore, option) +diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h +index ef359a76b11f89..7c9883c499cfe1 100644 +--- a/include/linux/compiler_types.h ++++ b/include/linux/compiler_types.h +@@ -399,6 +399,10 @@ struct ftrace_likely_data { + #define __diag_GCC(version, severity, string) + #endif + ++#ifndef __diag_clang ++#define __diag_clang(version, severity, string) ++#endif ++ + #define __diag_push() __diag(push) + #define __diag_pop() __diag(pop) + +diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h +index dcce762b48facb..7ff6bc7da1f655 100644 +--- a/include/linux/syscalls.h ++++ b/include/linux/syscalls.h +@@ -240,6 +240,10 @@ static inline int is_syscall_trace_event(struct trace_event_call *tp_event) + __diag_push(); \ + __diag_ignore(GCC, 8, "-Wattribute-alias", \ + "Type aliasing is used to sanitize syscall arguments");\ ++ __diag_ignore(clang, 23, "-Wunknown-warning-option", \ ++ "Avoid breaking versions without -Wattribute-alias");\ ++ __diag_ignore(clang, 23, "-Wattribute-alias", \ ++ "Type aliasing is used to sanitize syscall arguments");\ + asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \ + __attribute__((alias(__stringify(__se_sys##name)))); \ + ALLOW_ERROR_INJECTION(sys##name, ERRNO); \ +-- +2.53.0 + diff --git a/queue-6.1/dmaengine-idxd-fix-not-releasing-workqueue-on-.relea.patch b/queue-6.1/dmaengine-idxd-fix-not-releasing-workqueue-on-.relea.patch new file mode 100644 index 0000000000..1c854a7271 --- /dev/null +++ b/queue-6.1/dmaengine-idxd-fix-not-releasing-workqueue-on-.relea.patch @@ -0,0 +1,53 @@ +From 7c9193103c51ab28e99bdfa51b1d59514cb6d247 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jun 2026 17:55:10 +0800 +Subject: dmaengine: idxd: Fix not releasing workqueue on .release() + +From: Vinicius Costa Gomes + +[ Upstream commit 3d33de353b1ff9023d5ec73b9becf80ea87af695 ] + +The workqueue associated with an DSA/IAA device is not released when +the object is freed. + +Fixes: 47c16ac27d4c ("dmaengine: idxd: fix idxd conf_dev 'struct device' lifetime") +Reviewed-by: Dave Jiang +Signed-off-by: Vinicius Costa Gomes +Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-7-7ed70658a9d1@intel.com +Signed-off-by: Vinod Koul +[ Remove destroy_workqueue(idxd->wq) from the function idxd_remove() to +avoid the workqueue is released twice. ] +Signed-off-by: Wenshan Lan +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/init.c | 1 - + drivers/dma/idxd/sysfs.c | 1 + + 2 files changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c +index 6059ffc08eace1..2880a0b0f5e67e 100644 +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -813,7 +813,6 @@ static void idxd_remove(struct pci_dev *pdev) + if (device_user_pasid_enabled(idxd)) + iommu_dev_disable_feature(&pdev->dev, IOMMU_DEV_FEAT_SVA); + pci_disable_device(pdev); +- destroy_workqueue(idxd->wq); + perfmon_pmu_remove(idxd); + put_device(idxd_confdev(idxd)); + } +diff --git a/drivers/dma/idxd/sysfs.c b/drivers/dma/idxd/sysfs.c +index 0689464c4816ab..ea222e1654ab94 100644 +--- a/drivers/dma/idxd/sysfs.c ++++ b/drivers/dma/idxd/sysfs.c +@@ -1663,6 +1663,7 @@ static void idxd_conf_device_release(struct device *dev) + { + struct idxd_device *idxd = confdev_to_idxd(dev); + ++ destroy_workqueue(idxd->wq); + kfree(idxd->groups); + bitmap_free(idxd->wq_enable_map); + kfree(idxd->wqs); +-- +2.53.0 + diff --git a/queue-6.1/series b/queue-6.1/series index e54251a6eb..b52eb86872 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -187,3 +187,7 @@ usb-serial-cypress_m8-fix-memory-corruption-with-sma.patch serial-dz-fix-bootconsole-handover-lockup.patch bpf-bonding-reject-vlan-srcmac-xmit_hash_policy-chan.patch usb-core-fix-superspeed-root-hub-wmaxpacketsize.patch +bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch +usb-serial-mct_u232-fix-memory-corruption-with-small.patch +dmaengine-idxd-fix-not-releasing-workqueue-on-.relea.patch +disable-wattribute-alias-for-clang-23-and-newer.patch diff --git a/queue-6.1/usb-serial-mct_u232-fix-memory-corruption-with-small.patch b/queue-6.1/usb-serial-mct_u232-fix-memory-corruption-with-small.patch new file mode 100644 index 0000000000..42fa38b87a --- /dev/null +++ b/queue-6.1/usb-serial-mct_u232-fix-memory-corruption-with-small.patch @@ -0,0 +1,81 @@ +From e3e3be4a49abcf9949bd8a97775c9c9eddfb76f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2026 14:11:33 +0200 +Subject: USB: serial: mct_u232: fix memory corruption with small endpoint + +From: Johan Hovold + +commit 915b36d701950503c4ea0f6e314b10868e59fce3 upstream. + +The driver overrides the maximum transfer size for a specific device +which only accepts 16 byte packets for its 32 byte bulk-out endpoint. + +Make sure to never increase the maximum transfer size to prevent slab +corruption should a malicious device report a smaller endpoint max +packet size than expected. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Sasha Levin +--- + drivers/usb/serial/mct_u232.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c +index 389bbab8182a41..3c1351bb7ca3d8 100644 +--- a/drivers/usb/serial/mct_u232.c ++++ b/drivers/usb/serial/mct_u232.c +@@ -379,6 +379,7 @@ static int mct_u232_port_probe(struct usb_serial_port *port) + { + struct usb_serial *serial = port->serial; + struct mct_u232_private *priv; ++ u16 pid; + + /* check first to simplify error handling */ + if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) { +@@ -386,6 +387,16 @@ static int mct_u232_port_probe(struct usb_serial_port *port) + return -ENODEV; + } + ++ /* ++ * Compensate for a hardware bug: although the Sitecom U232-P25 ++ * device reports a maximum output packet size of 32 bytes, ++ * it seems to be able to accept only 16 bytes (and that's what ++ * SniffUSB says too...) ++ */ ++ pid = le16_to_cpu(serial->dev->descriptor.idProduct); ++ if (pid == MCT_U232_SITECOM_PID) ++ port->bulk_out_size = min(16, port->bulk_out_size); ++ + priv = kzalloc(sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; +@@ -411,7 +422,6 @@ static void mct_u232_port_remove(struct usb_serial_port *port) + + static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port) + { +- struct usb_serial *serial = port->serial; + struct mct_u232_private *priv = usb_get_serial_port_data(port); + int retval = 0; + unsigned int control_state; +@@ -419,15 +429,6 @@ static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port) + unsigned char last_lcr; + unsigned char last_msr; + +- /* Compensate for a hardware bug: although the Sitecom U232-P25 +- * device reports a maximum output packet size of 32 bytes, +- * it seems to be able to accept only 16 bytes (and that's what +- * SniffUSB says too...) +- */ +- if (le16_to_cpu(serial->dev->descriptor.idProduct) +- == MCT_U232_SITECOM_PID) +- port->bulk_out_size = 16; +- + /* Do a defined restart: the normal serial device seems to + * always turn on DTR and RTS here, so do the same. I'm not + * sure if this is really necessary. But it should not harm +-- +2.53.0 +