From: Hauke Mehrtens Date: Tue, 26 Aug 2025 22:58:12 +0000 (+0000) Subject: kernel: bump 6.6 to 6.6.102 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=refs%2Fpull%2F19876%2Fhead;p=thirdparty%2Fopenwrt.git kernel: bump 6.6 to 6.6.102 Changelog: https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.102 Added backport to fix ipv6 breakage with the 6.12.42 release: generic/backport-6.6/621-proc-fix-missing-pde_set_flags.patch[1] All patches auto-refreshed. 1. https://lore.kernel.org/all/20250821105806.1453833-1-wangzijie1@honor.com Link: https://github.com/openwrt/openwrt/pull/19876 Signed-off-by: Hauke Mehrtens --- diff --git a/target/linux/generic/backport-6.6/621-proc-fix-missing-pde_set_flags.patch b/target/linux/generic/backport-6.6/621-proc-fix-missing-pde_set_flags.patch new file mode 100644 index 00000000000..ba026b9c3a1 --- /dev/null +++ b/target/linux/generic/backport-6.6/621-proc-fix-missing-pde_set_flags.patch @@ -0,0 +1,121 @@ +From: wangzijie +To: , , + , , + , , + , , + +Cc: , , + , , + wangzijie +Subject: [PATCH v3] proc: fix missing pde_set_flags() for net proc files +Date: Thu, 21 Aug 2025 18:58:06 +0800 [thread overview] +Message-ID: <20250821105806.1453833-1-wangzijie1@honor.com> (raw) + +To avoid potential UAF issues during module removal races, we use pde_set_flags() +to save proc_ops flags in PDE itself before proc_register(), and then use +pde_has_proc_*() helpers instead of directly dereferencing pde->proc_ops->*. + +However, the pde_set_flags() call was missing when creating net related proc files. +This omission caused incorrect behavior which FMODE_LSEEK was being cleared +inappropriately in proc_reg_open() for net proc files. Lars reported it in this link[1]. + +Fix this by ensuring pde_set_flags() is called when register proc entry, and add +NULL check for proc_ops in pde_set_flags(). + +[1]: https://lore.kernel.org/all/20250815195616.64497967@chagall.paradoxon.rec/ + +Fixes: ff7ec8dc1b64 ("proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al") +Cc: stable@vger.kernel.org +Reported-by: Lars Wendler +Signed-off-by: wangzijie +--- +v3: +- followed by Christian's suggestion to stash pde->proc_ops in a local const variable +v2: +- followed by Jiri's suggestion to refractor code and reformat commit message +--- + fs/proc/generic.c | 38 +++++++++++++++++++++----------------- + 1 file changed, 21 insertions(+), 17 deletions(-) + +--- a/fs/proc/generic.c ++++ b/fs/proc/generic.c +@@ -362,6 +362,25 @@ static const struct inode_operations pro + .setattr = proc_notify_change, + }; + ++static void pde_set_flags(struct proc_dir_entry *pde) ++{ ++ const struct proc_ops *proc_ops = pde->proc_ops; ++ ++ if (!proc_ops) ++ return; ++ ++ if (proc_ops->proc_flags & PROC_ENTRY_PERMANENT) ++ pde->flags |= PROC_ENTRY_PERMANENT; ++ if (proc_ops->proc_read_iter) ++ pde->flags |= PROC_ENTRY_proc_read_iter; ++#ifdef CONFIG_COMPAT ++ if (proc_ops->proc_compat_ioctl) ++ pde->flags |= PROC_ENTRY_proc_compat_ioctl; ++#endif ++ if (proc_ops->proc_lseek) ++ pde->flags |= PROC_ENTRY_proc_lseek; ++} ++ + /* returns the registered entry, or frees dp and returns NULL on failure */ + struct proc_dir_entry *proc_register(struct proc_dir_entry *dir, + struct proc_dir_entry *dp) +@@ -369,6 +388,8 @@ struct proc_dir_entry *proc_register(str + if (proc_alloc_inum(&dp->low_ino)) + goto out_free_entry; + ++ pde_set_flags(dp); ++ + write_lock(&proc_subdir_lock); + dp->parent = dir; + if (pde_subdir_insert(dir, dp) == false) { +@@ -557,20 +578,6 @@ struct proc_dir_entry *proc_create_reg(c + return p; + } + +-static void pde_set_flags(struct proc_dir_entry *pde) +-{ +- if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT) +- pde->flags |= PROC_ENTRY_PERMANENT; +- if (pde->proc_ops->proc_read_iter) +- pde->flags |= PROC_ENTRY_proc_read_iter; +-#ifdef CONFIG_COMPAT +- if (pde->proc_ops->proc_compat_ioctl) +- pde->flags |= PROC_ENTRY_proc_compat_ioctl; +-#endif +- if (pde->proc_ops->proc_lseek) +- pde->flags |= PROC_ENTRY_proc_lseek; +-} +- + struct proc_dir_entry *proc_create_data(const char *name, umode_t mode, + struct proc_dir_entry *parent, + const struct proc_ops *proc_ops, void *data) +@@ -581,7 +588,6 @@ struct proc_dir_entry *proc_create_data( + if (!p) + return NULL; + p->proc_ops = proc_ops; +- pde_set_flags(p); + return proc_register(parent, p); + } + EXPORT_SYMBOL(proc_create_data); +@@ -632,7 +638,6 @@ struct proc_dir_entry *proc_create_seq_p + p->proc_ops = &proc_seq_ops; + p->seq_ops = ops; + p->state_size = state_size; +- pde_set_flags(p); + return proc_register(parent, p); + } + EXPORT_SYMBOL(proc_create_seq_private); +@@ -663,7 +668,6 @@ struct proc_dir_entry *proc_create_singl + return NULL; + p->proc_ops = &proc_single_ops; + p->single_show = show; +- pde_set_flags(p); + return proc_register(parent, p); + } + EXPORT_SYMBOL(proc_create_single_data); diff --git a/target/linux/generic/backport-6.6/624-v6.15-ppp-use-IFF_NO_QUEUE-in-virtual-interfaces.patch b/target/linux/generic/backport-6.6/624-v6.15-ppp-use-IFF_NO_QUEUE-in-virtual-interfaces.patch index ad98807a6f0..7d18fff096e 100644 --- a/target/linux/generic/backport-6.6/624-v6.15-ppp-use-IFF_NO_QUEUE-in-virtual-interfaces.patch +++ b/target/linux/generic/backport-6.6/624-v6.15-ppp-use-IFF_NO_QUEUE-in-virtual-interfaces.patch @@ -47,7 +47,7 @@ Signed-off-by: Jakub Kicinski if (error) { --- a/drivers/net/ppp/pptp.c +++ b/drivers/net/ppp/pptp.c -@@ -465,6 +465,7 @@ static int pptp_connect(struct socket *s +@@ -469,6 +469,7 @@ static int pptp_connect(struct socket *s po->chan.mtu -= PPTP_HEADER_OVERHEAD; po->chan.hdrlen = 2 + sizeof(struct pptp_gre_header); diff --git a/target/linux/generic/backport-6.6/770-v6.7-net-introduce-napi_is_scheduled-helper.patch b/target/linux/generic/backport-6.6/770-v6.7-net-introduce-napi_is_scheduled-helper.patch index 319bc3e47bf..4aa93c20d1b 100644 --- a/target/linux/generic/backport-6.6/770-v6.7-net-introduce-napi_is_scheduled-helper.patch +++ b/target/linux/generic/backport-6.6/770-v6.7-net-introduce-napi_is_scheduled-helper.patch @@ -42,7 +42,7 @@ Signed-off-by: Paolo Abeni * @adap: the adapter --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c -@@ -1744,7 +1744,7 @@ static void rtw89_core_rx_to_mac80211(st +@@ -1749,7 +1749,7 @@ static void rtw89_core_rx_to_mac80211(st struct napi_struct *napi = &rtwdev->napi; /* In low power mode, napi isn't scheduled. Receive it to netif. */ diff --git a/target/linux/generic/hack-6.6/721-net-add-packet-mangeling.patch b/target/linux/generic/hack-6.6/721-net-add-packet-mangeling.patch index 8b784836a00..30a0b86b00c 100644 --- a/target/linux/generic/hack-6.6/721-net-add-packet-mangeling.patch +++ b/target/linux/generic/hack-6.6/721-net-add-packet-mangeling.patch @@ -60,7 +60,7 @@ Signed-off-by: Felix Fietkau */ --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h -@@ -3098,6 +3098,10 @@ static inline int pskb_trim(struct sk_bu +@@ -3121,6 +3121,10 @@ static inline int pskb_trim(struct sk_bu return (len < skb->len) ? __pskb_trim(skb, len) : 0; } @@ -71,7 +71,7 @@ Signed-off-by: Felix Fietkau /** * pskb_trim_unique - remove end from a paged unique (not cloned) buffer * @skb: buffer to alter -@@ -3263,16 +3267,6 @@ static inline struct sk_buff *dev_alloc_ +@@ -3286,16 +3290,6 @@ static inline struct sk_buff *dev_alloc_ } diff --git a/target/linux/generic/hack-6.6/904-debloat_dma_buf.patch b/target/linux/generic/hack-6.6/904-debloat_dma_buf.patch index 4d2ea46212d..3ca98788abd 100644 --- a/target/linux/generic/hack-6.6/904-debloat_dma_buf.patch +++ b/target/linux/generic/hack-6.6/904-debloat_dma_buf.patch @@ -73,7 +73,7 @@ Signed-off-by: Felix Fietkau +MODULE_LICENSE("GPL"); --- a/kernel/sched/core.c +++ b/kernel/sched/core.c -@@ -4486,6 +4486,7 @@ int wake_up_state(struct task_struct *p, +@@ -4485,6 +4485,7 @@ int wake_up_state(struct task_struct *p, { return try_to_wake_up(p, state, 0); } diff --git a/target/linux/generic/kernel-6.6 b/target/linux/generic/kernel-6.6 index 71181a3fc5a..048ae0b42a7 100644 --- a/target/linux/generic/kernel-6.6 +++ b/target/linux/generic/kernel-6.6 @@ -1,2 +1,2 @@ -LINUX_VERSION-6.6 = .101 -LINUX_KERNEL_HASH-6.6.101 = 8c4ff2869736538b9b0d88ea8dbf0332b79c6ecc40a32066768a754df1fae1c0 +LINUX_VERSION-6.6 = .102 +LINUX_KERNEL_HASH-6.6.102 = 80d2feb7334c30bacbe1e7dafa9ea415efb2c0ea4f4740ecbd1467cf5d94de5c diff --git a/target/linux/generic/pending-6.6/650-net-pppoe-implement-GRO-support.patch b/target/linux/generic/pending-6.6/650-net-pppoe-implement-GRO-support.patch index 1c6849bf220..c1d77d8cc7c 100644 --- a/target/linux/generic/pending-6.6/650-net-pppoe-implement-GRO-support.patch +++ b/target/linux/generic/pending-6.6/650-net-pppoe-implement-GRO-support.patch @@ -230,7 +230,7 @@ Signed-off-by: Felix Fietkau { --- a/net/ipv6/ip6_offload.c +++ b/net/ipv6/ip6_offload.c -@@ -319,6 +319,7 @@ out: +@@ -321,6 +321,7 @@ out: return pp; } @@ -238,7 +238,7 @@ Signed-off-by: Felix Fietkau static struct sk_buff *sit_ip6ip6_gro_receive(struct list_head *head, struct sk_buff *skb) -@@ -401,6 +402,7 @@ INDIRECT_CALLABLE_SCOPE int ipv6_gro_com +@@ -403,6 +404,7 @@ INDIRECT_CALLABLE_SCOPE int ipv6_gro_com out: return err; } diff --git a/target/linux/generic/pending-6.6/655-increase_skb_pad.patch b/target/linux/generic/pending-6.6/655-increase_skb_pad.patch index 4f3bb060519..8fbc9158813 100644 --- a/target/linux/generic/pending-6.6/655-increase_skb_pad.patch +++ b/target/linux/generic/pending-6.6/655-increase_skb_pad.patch @@ -9,7 +9,7 @@ Signed-off-by: Felix Fietkau --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h -@@ -3065,7 +3065,7 @@ static inline int pskb_network_may_pull( +@@ -3088,7 +3088,7 @@ static inline int pskb_network_may_pull( * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8) */ #ifndef NET_SKB_PAD diff --git a/target/linux/generic/pending-6.6/670-ipv6-allow-rejecting-with-source-address-failed-policy.patch b/target/linux/generic/pending-6.6/670-ipv6-allow-rejecting-with-source-address-failed-policy.patch index 0ad36b34302..ef7ca8cf74f 100644 --- a/target/linux/generic/pending-6.6/670-ipv6-allow-rejecting-with-source-address-failed-policy.patch +++ b/target/linux/generic/pending-6.6/670-ipv6-allow-rejecting-with-source-address-failed-policy.patch @@ -185,7 +185,7 @@ Signed-off-by: Jonas Gorski cfg->fc_flags |= RTF_REJECT; if (rtm->rtm_type == RTN_LOCAL) -@@ -6341,6 +6372,8 @@ static int ip6_route_dev_notify(struct n +@@ -6349,6 +6380,8 @@ static int ip6_route_dev_notify(struct n #ifdef CONFIG_IPV6_MULTIPLE_TABLES net->ipv6.ip6_prohibit_entry->dst.dev = dev; net->ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(dev); @@ -194,7 +194,7 @@ Signed-off-by: Jonas Gorski net->ipv6.ip6_blk_hole_entry->dst.dev = dev; net->ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(dev); #endif -@@ -6352,6 +6385,7 @@ static int ip6_route_dev_notify(struct n +@@ -6360,6 +6393,7 @@ static int ip6_route_dev_notify(struct n in6_dev_put_clear(&net->ipv6.ip6_null_entry->rt6i_idev); #ifdef CONFIG_IPV6_MULTIPLE_TABLES in6_dev_put_clear(&net->ipv6.ip6_prohibit_entry->rt6i_idev); @@ -202,7 +202,7 @@ Signed-off-by: Jonas Gorski in6_dev_put_clear(&net->ipv6.ip6_blk_hole_entry->rt6i_idev); #endif } -@@ -6552,6 +6586,8 @@ static int __net_init ip6_route_net_init +@@ -6560,6 +6594,8 @@ static int __net_init ip6_route_net_init #ifdef CONFIG_IPV6_MULTIPLE_TABLES net->ipv6.fib6_has_custom_rules = false; @@ -211,7 +211,7 @@ Signed-off-by: Jonas Gorski net->ipv6.ip6_prohibit_entry = kmemdup(&ip6_prohibit_entry_template, sizeof(*net->ipv6.ip6_prohibit_entry), GFP_KERNEL); -@@ -6562,11 +6598,21 @@ static int __net_init ip6_route_net_init +@@ -6570,11 +6606,21 @@ static int __net_init ip6_route_net_init ip6_template_metrics, true); INIT_LIST_HEAD(&net->ipv6.ip6_prohibit_entry->dst.rt_uncached); @@ -234,7 +234,7 @@ Signed-off-by: Jonas Gorski net->ipv6.ip6_blk_hole_entry->dst.ops = &net->ipv6.ip6_dst_ops; dst_init_metrics(&net->ipv6.ip6_blk_hole_entry->dst, ip6_template_metrics, true); -@@ -6593,6 +6639,8 @@ out: +@@ -6601,6 +6647,8 @@ out: return ret; #ifdef CONFIG_IPV6_MULTIPLE_TABLES @@ -243,7 +243,7 @@ Signed-off-by: Jonas Gorski out_ip6_prohibit_entry: kfree(net->ipv6.ip6_prohibit_entry); out_ip6_null_entry: -@@ -6612,6 +6660,7 @@ static void __net_exit ip6_route_net_exi +@@ -6620,6 +6668,7 @@ static void __net_exit ip6_route_net_exi kfree(net->ipv6.ip6_null_entry); #ifdef CONFIG_IPV6_MULTIPLE_TABLES kfree(net->ipv6.ip6_prohibit_entry); @@ -251,7 +251,7 @@ Signed-off-by: Jonas Gorski kfree(net->ipv6.ip6_blk_hole_entry); #endif dst_entries_destroy(&net->ipv6.ip6_dst_ops); -@@ -6695,6 +6744,9 @@ void __init ip6_route_init_special_entri +@@ -6703,6 +6752,9 @@ void __init ip6_route_init_special_entri init_net.ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev); init_net.ipv6.ip6_blk_hole_entry->dst.dev = init_net.loopback_dev; init_net.ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev); diff --git a/target/linux/generic/pending-6.6/701-netfilter-nf_tables-ignore-EOPNOTSUPP-on-flowtable-d.patch b/target/linux/generic/pending-6.6/701-netfilter-nf_tables-ignore-EOPNOTSUPP-on-flowtable-d.patch index 1ae6f893991..7a5413700a9 100644 --- a/target/linux/generic/pending-6.6/701-netfilter-nf_tables-ignore-EOPNOTSUPP-on-flowtable-d.patch +++ b/target/linux/generic/pending-6.6/701-netfilter-nf_tables-ignore-EOPNOTSUPP-on-flowtable-d.patch @@ -18,7 +18,7 @@ Signed-off-by: Felix Fietkau --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c -@@ -8469,7 +8469,7 @@ static int nft_register_flowtable_net_ho +@@ -8449,7 +8449,7 @@ static int nft_register_flowtable_net_ho err = flowtable->data.type->setup(&flowtable->data, hook->ops.dev, FLOW_BLOCK_BIND);