From 9b684bde589c888205b8621e5b7b4fc0341cdf13 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Thu, 4 Jun 2026 12:33:49 +0200 Subject: [PATCH] 5.10-stable patches added patches: asoc-qcom-q6asm-dai-close-stream-only-when-running.patch asoc-qcom-q6asm-dai-do-not-set-stream-state-in-event-and-trigger-callbacks.patch asoc-qcom-q6asm-dai-fix-error-handling-in-prepare-and-set_params.patch bpf-sockmap-fix-tail-fragment-offset-in-bpf_msg_push_data.patch hid-wacom-fix-oob-write-in-wacom_hid_set_device_mode.patch iommu-debugobjects-avoid-gcc-16.1-section-mismatch-warnings.patch ip6-vti-use-ip6_tnl.net-in-vti6_changelink.patch ip6-vti-use-ip6_tnl.net-in-vti6_siocdevprivate.patch ipv6-exthdrs-refresh-nh-pointer-after-ipv6_hop_jumbo.patch ipv6-validate-extension-header-length-before-copying-to-cmsg.patch macsec-fix-replay-protection-at-xpn-lower-pn-wrap.patch netfilter-conntrack-tcp-do-not-force-close-on-invalid-seq-rst-without-direction-check.patch nfc-hci-fix-out-of-bounds-read-in-hcp-header-parsing.patch wireguard-send-append-trailer-after-expanding-head.patch xfrm-ah-use-skb_to_full_sk-in-async-output-callbacks.patch xfrm-esp-restore-combined-single-frag-length-gate.patch xfrm-route-migrate-notifications-to-caller-s-netns.patch --- ...m-dai-close-stream-only-when-running.patch | 72 ++++++++ ...state-in-event-and-trigger-callbacks.patch | 67 +++++++ ...r-handling-in-prepare-and-set_params.patch | 83 +++++++++ ...fragment-offset-in-bpf_msg_push_data.patch | 47 +++++ ...b-write-in-wacom_hid_set_device_mode.patch | 81 +++++++++ ...d-gcc-16.1-section-mismatch-warnings.patch | 126 +++++++++++++ ...i-use-ip6_tnl.net-in-vti6_changelink.patch | 76 ++++++++ ...e-ip6_tnl.net-in-vti6_siocdevprivate.patch | 88 ++++++++++ ...resh-nh-pointer-after-ipv6_hop_jumbo.patch | 34 ++++ ...header-length-before-copying-to-cmsg.patch | 166 ++++++++++++++++++ ...play-protection-at-xpn-lower-pn-wrap.patch | 43 +++++ ...alid-seq-rst-without-direction-check.patch | 49 ++++++ ...of-bounds-read-in-hcp-header-parsing.patch | 89 ++++++++++ queue-5.10/series | 17 ++ 
...-append-trailer-after-expanding-head.patch | 61 +++++++ ...to_full_sk-in-async-output-callbacks.patch | 86 +++++++++ ...ore-combined-single-frag-length-gate.patch | 60 +++++++ ...rate-notifications-to-caller-s-netns.patch | 161 +++++++++++++++++ 18 files changed, 1406 insertions(+) create mode 100644 queue-5.10/asoc-qcom-q6asm-dai-close-stream-only-when-running.patch create mode 100644 queue-5.10/asoc-qcom-q6asm-dai-do-not-set-stream-state-in-event-and-trigger-callbacks.patch create mode 100644 queue-5.10/asoc-qcom-q6asm-dai-fix-error-handling-in-prepare-and-set_params.patch create mode 100644 queue-5.10/bpf-sockmap-fix-tail-fragment-offset-in-bpf_msg_push_data.patch create mode 100644 queue-5.10/hid-wacom-fix-oob-write-in-wacom_hid_set_device_mode.patch create mode 100644 queue-5.10/iommu-debugobjects-avoid-gcc-16.1-section-mismatch-warnings.patch create mode 100644 queue-5.10/ip6-vti-use-ip6_tnl.net-in-vti6_changelink.patch create mode 100644 queue-5.10/ip6-vti-use-ip6_tnl.net-in-vti6_siocdevprivate.patch create mode 100644 queue-5.10/ipv6-exthdrs-refresh-nh-pointer-after-ipv6_hop_jumbo.patch create mode 100644 queue-5.10/ipv6-validate-extension-header-length-before-copying-to-cmsg.patch create mode 100644 queue-5.10/macsec-fix-replay-protection-at-xpn-lower-pn-wrap.patch create mode 100644 queue-5.10/netfilter-conntrack-tcp-do-not-force-close-on-invalid-seq-rst-without-direction-check.patch create mode 100644 queue-5.10/nfc-hci-fix-out-of-bounds-read-in-hcp-header-parsing.patch create mode 100644 queue-5.10/wireguard-send-append-trailer-after-expanding-head.patch create mode 100644 queue-5.10/xfrm-ah-use-skb_to_full_sk-in-async-output-callbacks.patch create mode 100644 queue-5.10/xfrm-esp-restore-combined-single-frag-length-gate.patch create mode 100644 queue-5.10/xfrm-route-migrate-notifications-to-caller-s-netns.patch 
diff --git a/queue-5.10/asoc-qcom-q6asm-dai-close-stream-only-when-running.patch b/queue-5.10/asoc-qcom-q6asm-dai-close-stream-only-when-running.patch
new file mode 100644
index 0000000000..5b96e72e60
--- /dev/null
+++ b/queue-5.10/asoc-qcom-q6asm-dai-close-stream-only-when-running.patch
@@ -0,0 +1,72 @@ +From 048c540ee76ded666bda74f9dae1ca3254e0633c Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Mon, 18 May 2026 09:23:44 +0000 +Subject: ASoC: qcom: q6asm-dai: close stream only when running + +From: Srinivas Kandagatla + +commit 048c540ee76ded666bda74f9dae1ca3254e0633c upstream. + +q6asm_dai_close() and q6asm_dai_compr_free() currently issue CMD_CLOSE +whenever prtd->state is non-zero. + +After prepare() closes an existing stream, the state is updated to +Q6ASM_STREAM_STOPPED. Since this state is also non-zero, the close and +free paths can send CMD_CLOSE again for a stream that has already been +closed. + +Restrict CMD_CLOSE to the Q6ASM_STREAM_RUNNING state so the command is +sent only when the ASM stream is still active. + +Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver") +Cc: Stable@vger.kernel.org +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260518092347.3446946-3-srinivas.kandagatla@oss.qualcomm.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/q6asm-dai.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/sound/soc/qcom/qdsp6/q6asm-dai.c ++++ b/sound/soc/qcom/qdsp6/q6asm-dai.c +@@ -458,12 +458,12 @@ static int q6asm_dai_close(struct snd_so + struct q6asm_dai_rtd *prtd = runtime->private_data; + + if (prtd->audio_client) { +- if (prtd->state) ++ if (prtd->state == Q6ASM_STREAM_RUNNING) { + q6asm_cmd(prtd->audio_client, prtd->stream_id, + CMD_CLOSE); +- +- q6asm_unmap_memory_regions(substream->stream, ++ q6asm_unmap_memory_regions(substream->stream, + prtd->audio_client); ++ } + q6asm_audio_client_free(prtd->audio_client); + prtd->audio_client = NULL; + } +@@ -692,7 +692,7 @@ static int q6asm_dai_compr_free(struct s + struct snd_soc_pcm_runtime *rtd = stream->private_data; + + if (prtd->audio_client) { +- if (prtd->state) { ++ if (prtd->state == Q6ASM_STREAM_RUNNING) { + q6asm_cmd(prtd->audio_client, prtd->stream_id, + 
CMD_CLOSE); + if (prtd->next_track_stream_id) { +@@ -700,11 +700,11 @@ static int q6asm_dai_compr_free(struct s + prtd->next_track_stream_id, + CMD_CLOSE); + } +- } + +- snd_dma_free_pages(&prtd->dma_buffer); +- q6asm_unmap_memory_regions(stream->direction, ++ q6asm_unmap_memory_regions(stream->direction, + prtd->audio_client); ++ } ++ snd_dma_free_pages(&prtd->dma_buffer); + q6asm_audio_client_free(prtd->audio_client); + prtd->audio_client = NULL; + } diff --git a/queue-5.10/asoc-qcom-q6asm-dai-do-not-set-stream-state-in-event-and-trigger-callbacks.patch b/queue-5.10/asoc-qcom-q6asm-dai-do-not-set-stream-state-in-event-and-trigger-callbacks.patch new file mode 100644 index 0000000000..f152d7efe2 --- /dev/null +++ b/queue-5.10/asoc-qcom-q6asm-dai-do-not-set-stream-state-in-event-and-trigger-callbacks.patch 
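Review bot: In the new Q6ASM_STREAM_RUNNING branches of q6asm_dai_close() and q6asm_dai_compr_free() the return values of q6asm_cmd(CMD_CLOSE) and q6asm_unmap_memory_regions() are still discarded, while the companion backport for q6asm_dai_prepare() in this same series now checks both and bails out on failure. A release path has nobody to return an error to, but a failed close or unmap is exactly the inconsistent-state condition this series is chasing, so logging it with whatever device pointer the function already has, e.g. `if (q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE) < 0) dev_err(dev, "close of stream %d failed\n", prtd->stream_id);`, would make a stuck DSP stream visible instead of silent. Note also that prtd->state is left at Q6ASM_STREAM_RUNNING after the close; that is harmless only if prtd is torn down right after, which is not visible here. Both enclosing functions start and end outside the hunk.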
@@ -0,0 +1,67 @@ +From cee3e63e7106c3c81b2053371fdf14240bfba2fc Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Mon, 18 May 2026 09:23:43 +0000 +Subject: ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks + +From: Srinivas Kandagatla + +commit cee3e63e7106c3c81b2053371fdf14240bfba2fc upstream. + +The q6asm-dai stream state is used by prepare() to decide whether an +existing stream setup needs to be closed before opening/configuring a new +one. Updating the state from trigger or asynchronous DSP callbacks can make +that state stale or incorrect relative to the actual setup lifetime. + +In particular, setting Q6ASM_STREAM_STOPPED on STOP or EOS completion can +make prepare() believe there is no active setup to close, which can result +in opening/configuring the same stream more than once. + +Keep stream state updates tied to prepare(), where the stream is actually +closed and reopened, and stop changing it from trigger and EOS callbacks. + +Fixes: bfbb12dfa144 ("ASoC: qcom: q6asm-dai: perform correct state check before closing") +Cc: Stable@vger.kernel.org +Closes: https://lore.kernel.org/all/afS7rTHdc9TyIeLx@rdacayan/ +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260518092347.3446946-2-srinivas.kandagatla@oss.qualcomm.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/q6asm-dai.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/sound/soc/qcom/qdsp6/q6asm-dai.c ++++ b/sound/soc/qcom/qdsp6/q6asm-dai.c +@@ -191,7 +191,6 @@ static void event_handler(uint32_t opcod + prtd->pcm_count, 0, 0, 0); + break; + case ASM_CLIENT_EVENT_CMD_EOS_DONE: +- prtd->state = Q6ASM_STREAM_STOPPED; + break; + case ASM_CLIENT_EVENT_DATA_WRITE_DONE: { + prtd->pcm_irq_pos += prtd->pcm_count; +@@ -338,7 +337,6 @@ static int q6asm_dai_trigger(struct snd_ + 0, 0, 0); + break; + case SNDRV_PCM_TRIGGER_STOP: +- prtd->state = Q6ASM_STREAM_STOPPED; + ret = q6asm_cmd_nowait(prtd->audio_client, 
prtd->stream_id, + CMD_EOS); + break; +@@ -568,8 +566,6 @@ static void compress_event_handler(uint3 + snd_compr_drain_notify(prtd->cstream); + prtd->notify_on_drain = false; + +- } else { +- prtd->state = Q6ASM_STREAM_STOPPED; + } + spin_unlock_irqrestore(&prtd->lock, flags); + break; +@@ -1032,7 +1028,6 @@ static int q6asm_dai_compr_trigger(struc + 0, 0, 0); + break; + case SNDRV_PCM_TRIGGER_STOP: +- prtd->state = Q6ASM_STREAM_STOPPED; + ret = q6asm_cmd_nowait(prtd->audio_client, prtd->stream_id, + CMD_EOS); + break; diff --git a/queue-5.10/asoc-qcom-q6asm-dai-fix-error-handling-in-prepare-and-set_params.patch b/queue-5.10/asoc-qcom-q6asm-dai-fix-error-handling-in-prepare-and-set_params.patch new file mode 100644 index 0000000000..4404f0733d --- /dev/null +++ b/queue-5.10/asoc-qcom-q6asm-dai-fix-error-handling-in-prepare-and-set_params.patch 
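Review bot: After the removal, the ASM_CLIENT_EVENT_CMD_EOS_DONE case in event_handler() is an empty `case ...: break;` with nothing telling a reader that the omission is deliberate, and the STOP triggers in q6asm_dai_trigger() and q6asm_dai_compr_trigger() lose their state write with the same silence. A one-line comment at each site, `/* prtd->state is owned by prepare(); it is not updated here on purpose */`, would keep a later "fix" from reintroducing the assignment that this change removes. The enclosing functions all start and end outside the hunk.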
@@ -0,0 +1,83 @@ +From 4b4db09f283df65d780bc7cee66cb4a7e9bf4770 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Mon, 18 May 2026 09:23:45 +0000 +Subject: ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params + +From: Srinivas Kandagatla + +commit 4b4db09f283df65d780bc7cee66cb4a7e9bf4770 upstream. + +Fix error handling in q6asm_dai_compr_set_params() and q6asm_dai_prepare() +for both CMD_CLOSE and q6asm_unmap_memory_regions(). + +In both the functions, we are doing q6asm_audio_client_free in failure +cases, which means if prepare or set_params fail, we can never recover. +Now open and close are done in respective dai_open/close functions. + +Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver") +Cc: Stable@vger.kernel.org +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260518092347.3446946-4-srinivas.kandagatla@oss.qualcomm.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/q6asm-dai.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +--- a/sound/soc/qcom/qdsp6/q6asm-dai.c ++++ b/sound/soc/qcom/qdsp6/q6asm-dai.c +@@ -239,9 +239,19 @@ static int q6asm_dai_prepare(struct snd_ + /* rate and channels are sent to audio driver */ + if (prtd->state == Q6ASM_STREAM_RUNNING) { + /* clear the previous setup if any */ +- q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE); +- q6asm_unmap_memory_regions(substream->stream, +- prtd->audio_client); ++ ret = q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE); ++ if (ret < 0) { ++ dev_err(dev, "Failed to close q6asm stream %d\n", prtd->stream_id); ++ return ret; ++ } ++ ++ ret = q6asm_unmap_memory_regions(substream->stream, prtd->audio_client); ++ if (ret < 0) { ++ dev_err(dev, "Failed to unmap memory regions for q6asm stream %d\n", ++ prtd->stream_id); ++ return ret; ++ } ++ + q6routing_stream_close(soc_prtd->dai_link->id, + substream->stream); + prtd->state = Q6ASM_STREAM_STOPPED; +@@ 
-309,8 +319,6 @@ routing_err: + q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE); + open_err: + q6asm_unmap_memory_regions(substream->stream, prtd->audio_client); +- q6asm_audio_client_free(prtd->audio_client); +- prtd->audio_client = NULL; + + return ret; + } +@@ -926,7 +934,7 @@ static int q6asm_dai_compr_set_params(st + prtd->session_id, dir); + if (ret) { + dev_err(dev, "Stream reg failed ret:%d\n", ret); +- goto q6_err; ++ goto routing_err; + } + + ret = __q6asm_dai_compr_set_codec_params(component, stream, +@@ -952,11 +960,11 @@ static int q6asm_dai_compr_set_params(st + return 0; + + q6_err: ++ q6routing_stream_close(rtd->dai_link->id, dir); ++routing_err: + q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE); + + open_err: +- q6asm_audio_client_free(prtd->audio_client); +- prtd->audio_client = NULL; + return ret; + } + diff --git a/queue-5.10/bpf-sockmap-fix-tail-fragment-offset-in-bpf_msg_push_data.patch b/queue-5.10/bpf-sockmap-fix-tail-fragment-offset-in-bpf_msg_push_data.patch new file mode 100644 index 0000000000..20391145e6 --- /dev/null +++ b/queue-5.10/bpf-sockmap-fix-tail-fragment-offset-in-bpf_msg_push_data.patch 
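Review bot: In q6asm_dai_prepare(), if q6asm_unmap_memory_regions() fails after CMD_CLOSE has already succeeded, the function returns with prtd->state still Q6ASM_STREAM_RUNNING, so the next prepare() (and, with the close-only-when-running change in this series, q6asm_dai_close()) sends CMD_CLOSE to a stream that is already closed, which is the double close the series sets out to remove. Setting `prtd->state = Q6ASM_STREAM_STOPPED;` in the unmap error branch before `return ret;` avoids the re-close; the still-mapped regions on that path are then a smaller, separate leak worth a comment. Whether `dev` is in scope in q6asm_dai_prepare() cannot be confirmed from the hunk; the function starts outside it.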
@@ -0,0 +1,47 @@ +From f72eed9b84fb771019a955908132410a9ba9ea3f Mon Sep 17 00:00:00 2001 +From: Yuqi Xu +Date: Wed, 27 May 2026 11:48:15 +0800 +Subject: bpf: sockmap: fix tail fragment offset in bpf_msg_push_data + +From: Yuqi Xu + +commit f72eed9b84fb771019a955908132410a9ba9ea3f upstream. + +When bpf_msg_push_data() inserts data in the middle of a scatterlist +entry, it splits the original entry into a left fragment and a right +fragment. + +The right fragment offset is page-local, but the code advances it with +`start`, which is the message-global insertion point. For inserts into a +non-first SG entry, this over-advances the offset and leaves the split +layout inconsistent. + +Advance the right fragment offset by the fragment-local delta, +`start - offset`, which matches the length removed from the front of the +original entry. + +Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Zhengchuan Liang +Reported-by: Xin Liu +Signed-off-by: Yuqi Xu +Signed-off-by: Ren Wei +Link: https://patch.msgid.link/8b129d10566aa3eb43f61a8f9757bcf51707d324.1779636774.git.xuyq21@lenovo.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/filter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2845,7 +2845,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_ + + psge->length = start - offset; + rsge.length -= psge->length; +- rsge.offset += start; ++ rsge.offset += start - offset; + + sk_msg_iter_var_next(i); + sg_unmark_end(psge); diff --git a/queue-5.10/hid-wacom-fix-oob-write-in-wacom_hid_set_device_mode.patch b/queue-5.10/hid-wacom-fix-oob-write-in-wacom_hid_set_device_mode.patch new file mode 100644 index 0000000000..79b2db4ab3 --- /dev/null +++ b/queue-5.10/hid-wacom-fix-oob-write-in-wacom_hid_set_device_mode.patch 
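Review bot: The corrected `start - offset` on the rsge.offset line is the same quantity stored into psge->length two lines above it; writing the fix as `rsge.offset += psge->length;` ties the two fragments together and states the invariant the old code violated, namely that the right fragment begins where the left one ends. A short comment on that line noting that the offset is page-local, not message-global, would also document the distinction the bug was about. The BPF_CALL_4 body begins and ends outside the hunk.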
@@ -0,0 +1,81 @@ +From c0a8899e02ddebd51e2589835182c239c2e224ae Mon Sep 17 00:00:00 2001 +From: Lee Jones +Date: Wed, 27 May 2026 17:05:26 +0100 +Subject: HID: wacom: Fix OOB write in wacom_hid_set_device_mode() + +From: Lee Jones + +commit c0a8899e02ddebd51e2589835182c239c2e224ae upstream. + +wacom_hid_set_device_mode() currently assumes that the HID_DG_INPUTMODE +usage is always located in the first field (field[0]) of the feature report. +However, a device can specify HID_DG_INPUTMODE in a different field. + +If HID_DG_INPUTMODE is in a field other than the first one and the first +field has a report_count smaller than the usage_index of HID_DG_INPUTMODE, +this leads to an out-of-bounds write to r->field[0]->value. + +Fix this by storing the field index of HID_DG_INPUTMODE in 'struct +hid_data' during feature mapping. In wacom_hid_set_device_mode(), use +this stored field index to access the correct field and add bounds +checks to ensure both the field index and the value index are within +valid ranges before writing. 
+ +Cc: stable@vger.kernel.org +Fixes: 5ae6e89f7409 ("HID: wacom: implement the finger part of the HID generic handling") +Tested-by: Ping Cheng +Reviewed-by: Ping Cheng +Signed-off-by: Lee Jones +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_sys.c | 13 ++++++++++--- + drivers/hid/wacom_wac.h | 1 + + 2 files changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -346,6 +346,7 @@ static void wacom_feature_mapping(struct + + hid_data->inputmode = field->report->id; + hid_data->inputmode_index = usage->usage_index; ++ hid_data->inputmode_field_index = field->index; + break; + + case HID_UP_DIGITIZER: +@@ -561,9 +562,14 @@ static int wacom_hid_set_device_mode(str + + re = &(hdev->report_enum[HID_FEATURE_REPORT]); + r = re->report_id_hash[hid_data->inputmode]; +- if (r) { +- r->field[0]->value[hid_data->inputmode_index] = 2; +- hid_hw_request(hdev, r, HID_REQ_SET_REPORT); ++ if (r && hid_data->inputmode_field_index >= 0 && ++ hid_data->inputmode_field_index < r->maxfield) { ++ struct hid_field *field = r->field[hid_data->inputmode_field_index]; ++ ++ if (field && hid_data->inputmode_index < field->report_count) { ++ field->value[hid_data->inputmode_index] = 2; ++ hid_hw_request(hdev, r, HID_REQ_SET_REPORT); ++ } + } + return 0; + } +@@ -2815,6 +2821,7 @@ static int wacom_probe(struct hid_device + return error; + + wacom_wac->hid_data.inputmode = -1; ++ wacom_wac->hid_data.inputmode_field_index = -1; + wacom_wac->mode_report = -1; + + if (hid_is_usb(hdev)) { +--- a/drivers/hid/wacom_wac.h ++++ b/drivers/hid/wacom_wac.h +@@ -296,6 +296,7 @@ struct wacom_shared { + struct hid_data { + __s16 inputmode; /* InputMode HID feature, -1 if non-existent */ + __s16 inputmode_index; /* InputMode HID feature index in the report */ ++ __s16 inputmode_field_index; /* InputMode HID feature field index in the report */ + bool sense_state; + bool inrange_state; + bool invert_state; 
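Review bot: In wacom_hid_set_device_mode() the new check compares `hid_data->inputmode_index`, a `__s16`, against `field->report_count`, which I believe is `unsigned` in struct hid_field, so the comparison is done in unsigned arithmetic. That fails closed for a negative index, but unlike inputmode and the new inputmode_field_index, inputmode_index is not reset to -1 in wacom_probe(), so the only guard is the implicit conversion; an explicit `hid_data->inputmode_index >= 0 &&` beside the field-index test would make the intent visible. Similarly `field->index` is unsigned and is narrowed into the `__s16` added to struct hid_data; HID bounds the field count well below that range, so a comment on the new header line saying the narrowing is intentional would suffice. The function starts outside the hunk.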
diff --git a/queue-5.10/iommu-debugobjects-avoid-gcc-16.1-section-mismatch-warnings.patch b/queue-5.10/iommu-debugobjects-avoid-gcc-16.1-section-mismatch-warnings.patch
new file mode 100644
index 0000000000..604dfec4d0
--- /dev/null
+++ b/queue-5.10/iommu-debugobjects-avoid-gcc-16.1-section-mismatch-warnings.patch
@@ -0,0 +1,126 @@ +From 4c9ad387aa2d6785299722e54224d34764edaeb3 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 13 May 2026 16:53:54 +0200 +Subject: iommu, debugobjects: avoid gcc-16.1 section mismatch warnings + +From: Arnd Bergmann + +commit 4c9ad387aa2d6785299722e54224d34764edaeb3 upstream. + +gcc-16 has gained some more advanced inter-procedual optimization +techniques that enable it to inline the dummy_tlb_add_page() and +dummy_tlb_flush() function pointers into a specialized version of +__arm_v7s_unmap: + +WARNING: modpost: vmlinux: section mismatch in reference: __arm_v7s_unmap+0x2cc (section: .text) -> dummy_tlb_add_page (section: .init.text) +ERROR: modpost: Section mismatches detected. + +>From what I can tell, the transformation is correct, as this is only +called when __arm_v7s_unmap() is called from arm_v7s_do_selftests(), +which is also __init. Since __arm_v7s_unmap() however is not __init, +gcc cannot inline the inner function calls directly. + +In debug_objects_selftest(), the same thing happens. Both the +caller and the leaf function are __init, but the IPA pulls +it into a non-init one: + +WARNING: modpost: vmlinux: section mismatch in reference: lookup_object_or_alloc+0x7c (section: .text.lookup_object_or_alloc) -> is_static_object (section: .init.text) + +Marking the affected functions as not "__init" would reliably avoid this +issue but is not a good solution because it removes an otherwise correct +annotation. I tried marking the functions as 'noinline', but that ended +up not covering all the affected configurations. + +With some more experimenting, I found that marking these functions as +__attribute__((noipa)) is both logical and reliable. + +In order to keep the syntax readable, add a custom macro for this in +include/linux/compiler_attributes.h next to other related macros and +use it to annotate both files. 
+ +Link: https://lore.kernel.org/all/abRB6g-48ZX6Yl2r@willie-the-truck/ +Cc: Will Deacon +Cc: Thomas Gleixner +Cc: Andrew Morton +Cc: Miguel Ojeda +Cc: linux-kbuild@vger.kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Arnd Bergmann +Acked-by: Will Deacon +Acked-by: Thomas Gleixner +Acked-by: Miguel Ojeda +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/io-pgtable-arm-v7s.c | 18 ++++++++++++------ + include/linux/compiler_attributes.h | 11 +++++++++++ + lib/debugobjects.c | 2 +- + 3 files changed, 24 insertions(+), 7 deletions(-) + +--- a/drivers/iommu/io-pgtable-arm-v7s.c ++++ b/drivers/iommu/io-pgtable-arm-v7s.c +@@ -848,21 +848,27 @@ struct io_pgtable_init_fns io_pgtable_ar + + static struct io_pgtable_cfg *cfg_cookie __initdata; + +-static void __init dummy_tlb_flush_all(void *cookie) ++/* ++ * __noipa prevents gcc from turning indirect iommu_flush_ops calls ++ * into direct calls from a specialized __arm_v7s_unmap() that triggers ++ * a build time section mismatch assertion. 
++ */ ++static __noipa void __init dummy_tlb_flush_all(void *cookie) + { + WARN_ON(cookie != cfg_cookie); + } + +-static void __init dummy_tlb_flush(unsigned long iova, size_t size, +- size_t granule, void *cookie) ++static __noipa void __init dummy_tlb_flush(unsigned long iova, size_t size, ++ size_t granule, void *cookie) + { + WARN_ON(cookie != cfg_cookie); + WARN_ON(!(size & cfg_cookie->pgsize_bitmap)); + } + +-static void __init dummy_tlb_add_page(struct iommu_iotlb_gather *gather, +- unsigned long iova, size_t granule, +- void *cookie) ++static __noipa void __init dummy_tlb_add_page(struct iommu_iotlb_gather *gather, ++ unsigned long iova, ++ size_t granule, ++ void *cookie) + { + dummy_tlb_flush(iova, granule, granule, cookie); + } +--- a/include/linux/compiler_attributes.h ++++ b/include/linux/compiler_attributes.h +@@ -316,6 +316,17 @@ + #endif + + /* ++ * Optional: not supported by clang ++ * ++ * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Attributes.html#index-noipa ++ */ ++#if __has_attribute(noipa) ++# define __noipa __attribute__((noipa)) ++#else ++# define __noipa ++#endif ++ ++/* + * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-weak-function-attribute + * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-weak-variable-attribute + */ +--- a/lib/debugobjects.c ++++ b/lib/debugobjects.c +@@ -1068,7 +1068,7 @@ struct self_test { + + static __initconst const struct debug_obj_descr descr_type_test; + +-static bool __init is_static_object(void *addr) ++static __noipa bool __init is_static_object(void *addr) + { + struct self_test *obj = addr; + diff --git a/queue-5.10/ip6-vti-use-ip6_tnl.net-in-vti6_changelink.patch b/queue-5.10/ip6-vti-use-ip6_tnl.net-in-vti6_changelink.patch new file mode 100644 index 0000000000..6b6ad2a3ae --- /dev/null +++ b/queue-5.10/ip6-vti-use-ip6_tnl.net-in-vti6_changelink.patch 
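Review bot: The lib/debugobjects.c hunk adds `__noipa` to is_static_object() with no comment, whereas the io-pgtable-arm-v7s.c hunk explains the same annotation; in isolation the attribute looks gratuitous and is likely to be dropped as a cleanup. A comment above the function, `/* __noipa: keep gcc from specializing a non-__init caller with this __init function (section mismatch) */`, mirrors the rationale already given for the iommu helpers. Worth recording in the compiler_attributes.h comment as well that the macro expands to nothing without the attribute, so a compiler that gains the same IPA transformation without supporting noipa would reproduce the warning.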
@@ -0,0 +1,76 @@ +From 11b326fb0a374f4654f9be22d0f0f7abd9f7d3fe Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Thu, 21 May 2026 21:05:54 +0800 +Subject: ip6: vti: Use ip6_tnl.net in vti6_changelink(). + +From: Kuniyuki Iwashima + +commit 11b326fb0a374f4654f9be22d0f0f7abd9f7d3fe upstream. + +ip netns add ns1 +ip netns add ns2 +ip -n ns1 link add vti6_test type vti6 remote ::1 local ::2 key 7 +ip -n ns1 link set vti6_test netns ns2 +ip -n ns2 link set vti6_test type vti6 remote ::3 local ::4 key 9 +ip netns del ns2 +ip netns del ns1 +[ 132.495484] ------------[ cut here ]------------ +[ 132.497609] kernel BUG at net/core/dev.c:12376! + +Commit 61220ab34948 ("vti6: Enable namespace changing") dropped +NETIF_F_NETNS_LOCAL from vti6 devices. A vti6 tunnel can then +move through IFLA_NET_NS_FD. After the move dev_net(dev) points +at the new netns while t->net stays at the creation netns. + +vti6_changelink() and vti6_update() still use dev_net(dev) and +dev_net(t->dev). They unlink from one per netns hash and relink +into another. The creation netns is left with a stale entry. +cleanup_net() of that netns later walks freed memory. + +Reachable from an unprivileged user namespace (unshare --user +--map-root-user --net). Cross tenant scope on container hosts. 
+ +Fixes: 61220ab34948 ("vti6: Enable namespace changing") +Reported-by: Maoyi Xie +Reviewed-by: Eric Dumazet +Cc: stable@vger.kernel.org # v5.15+ +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260521130555.3421684-2-maoyixie.tju@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_vti.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -725,10 +725,11 @@ vti6_tnl_change(struct ip6_tnl *t, const + static int vti6_update(struct ip6_tnl *t, struct __ip6_tnl_parm *p, + bool keep_mtu) + { +- struct net *net = dev_net(t->dev); +- struct vti6_net *ip6n = net_generic(net, vti6_net_id); ++ struct net *net = t->net; ++ struct vti6_net *ip6n; + int err; + ++ ip6n = net_generic(net, vti6_net_id); + vti6_tnl_unlink(ip6n, t); + synchronize_net(); + err = vti6_tnl_change(t, p, keep_mtu); +@@ -1040,11 +1041,12 @@ static int vti6_changelink(struct net_de + struct nlattr *data[], + struct netlink_ext_ack *extack) + { +- struct ip6_tnl *t; ++ struct ip6_tnl *t = netdev_priv(dev); ++ struct net *net = t->net; + struct __ip6_tnl_parm p; +- struct net *net = dev_net(dev); +- struct vti6_net *ip6n = net_generic(net, vti6_net_id); ++ struct vti6_net *ip6n; + ++ ip6n = net_generic(net, vti6_net_id); + if (dev == ip6n->fb_tnl_dev) + return -EINVAL; + diff --git a/queue-5.10/ip6-vti-use-ip6_tnl.net-in-vti6_siocdevprivate.patch b/queue-5.10/ip6-vti-use-ip6_tnl.net-in-vti6_siocdevprivate.patch new file mode 100644 index 0000000000..bbd7e2f184 --- /dev/null +++ b/queue-5.10/ip6-vti-use-ip6_tnl.net-in-vti6_siocdevprivate.patch 
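Review bot: Nothing in the new vti6_update() or vti6_changelink() code records why t->net replaces dev_net(dev), so the next reader sees two netns sources for the same device and no hint which one the hash bookkeeping must use. A comment above the new `struct net *net = t->net;` lines, `/* t->net is the creation netns that owns the hash entry; dev_net(dev) changes on IFLA_NET_NS_FD */`, would carry the commit message's reasoning into the code. The split of `struct vti6_net *ip6n;` from its later `net_generic()` assignment looks like it serves reverse-christmas-tree ordering; `struct vti6_net *ip6n = net_generic(t->net, vti6_net_id);` would keep the initialized-declaration form while satisfying that. Any remaining dev_net(dev) users in this file beyond the ioctl path handled by the companion patch are not visible here.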
@@ -0,0 +1,88 @@ +From 8b484efd5cb4eeef9021a661e198edc5349dacf6 Mon Sep 17 00:00:00 2001 +From: Maoyi Xie +Date: Thu, 21 May 2026 21:05:55 +0800 +Subject: ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate(). + +From: Maoyi Xie + +commit 8b484efd5cb4eeef9021a661e198edc5349dacf6 upstream. + +After patch 1/2 in this series, vti6_update() unlinks and relinks +the tunnel through t->net. vti6_siocdevprivate() still uses +dev_net(dev) for the collision lookup. For a tunnel moved through +IFLA_NET_NS_FD, dev_net(dev) is the new netns, not t->net. + +SIOCCHGTUNNEL on a migrated tunnel then runs: + + net = dev_net(dev) /* migrated netns */ + t = vti6_locate(net, &p1, false) /* misses target in t->net */ + ... + t = netdev_priv(dev) + vti6_update(t, &p1, false) /* mutates t->net's hash */ + +A caller in the migrated netns picks params that match a tunnel +in the creation netns. The lookup in dev_net(dev) finds nothing. +vti6_update() prepends the migrated tunnel at the head of the +creation netns hash bucket for those params. Later lookups in +the creation netns resolve to the migrated device. xfrm receive +delivers the matched packets through a device the caller controls. + +Reachable from an unprivileged user namespace (unshare --user +--map-root-user --net). Cross tenant scope on container hosts. + +Switch the SIOCCHGTUNNEL path on a non fallback device to use +t->net for the lookup. The lookup now matches the netns +vti6_update() operates on. + +Also add ns_capable(self->net->user_ns, CAP_NET_ADMIN) before +the lookup. The check at the top of the case is against +dev_net(dev)->user_ns, which after migration is the attacker's +netns. A caller there can pick params absent from self->net, +the lookup returns NULL, t becomes self, and vti6_update() +inserts the device into the creation netns hash. The new check +requires CAP_NET_ADMIN in the creation netns user_ns too. + +SIOCADDTUNNEL and SIOCCHGTUNNEL on the fallback device keep +dev_net(dev), which equals init_net there. 
+ +Fixes: 61220ab34948 ("vti6: Enable namespace changing") +Suggested-by: Jakub Kicinski +Suggested-by: Xiao Liang +Cc: stable@vger.kernel.org # v5.15+ +Signed-off-by: Maoyi Xie +Link: https://patch.msgid.link/20260521130555.3421684-3-maoyixie.tju@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_vti.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -836,17 +836,24 @@ vti6_ioctl(struct net_device *dev, struc + if (p.proto != IPPROTO_IPV6 && p.proto != 0) + break; + vti6_parm_from_user(&p1, &p); +- t = vti6_locate(net, &p1, cmd == SIOCADDTUNNEL); + if (dev != ip6n->fb_tnl_dev && cmd == SIOCCHGTUNNEL) { ++ struct ip6_tnl *self = netdev_priv(dev); ++ ++ err = -EPERM; ++ if (!ns_capable(self->net->user_ns, CAP_NET_ADMIN)) ++ break; ++ t = vti6_locate(self->net, &p1, false); + if (t) { + if (t->dev != dev) { + err = -EEXIST; + break; + } + } else +- t = netdev_priv(dev); ++ t = self; + + err = vti6_update(t, &p1, false); ++ } else { ++ t = vti6_locate(net, &p1, cmd == SIOCADDTUNNEL); + } + if (t) { + err = 0; diff --git a/queue-5.10/ipv6-exthdrs-refresh-nh-pointer-after-ipv6_hop_jumbo.patch b/queue-5.10/ipv6-exthdrs-refresh-nh-pointer-after-ipv6_hop_jumbo.patch new file mode 100644 index 0000000000..6c6f7779b3 --- /dev/null +++ b/queue-5.10/ipv6-exthdrs-refresh-nh-pointer-after-ipv6_hop_jumbo.patch 
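Review bot: The new CAP_NET_ADMIN test on `self->net->user_ns` in vti6_ioctl() sits right after a case that, per the commit message, already checked dev_net(dev)->user_ns, and nothing in the code says why a second check is needed. A comment above `err = -EPERM;`, `/* dev may have been moved to another netns; the tunnel hash lives in self->net, so the caller must be privileged there too */`, would keep the second check from being removed as redundant. From the hunk's tail, `err = vti6_update(t, &p1, false);` is immediately followed by `if (t) { err = 0;`, which overwrites an update failure with success; that predates this change, but the migrated-tunnel path now routes through it, so a follow-up seems warranted. The earlier capability check and the rest of the switch are outside the hunk.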
@@ -0,0 +1,34 @@ +From d47548a36639095939f4747d4c43f2271366f565 Mon Sep 17 00:00:00 2001 +From: Justin Iurman +Date: Fri, 22 May 2026 13:20:13 +0200 +Subject: ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo() + +From: Justin Iurman + +commit d47548a36639095939f4747d4c43f2271366f565 upstream. + +ipv6_hop_jumbo() calls pskb_trim_rcsum(), which can change skb pointers. +Let's recompute nh pointer to make sure any change won't mess things up. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Justin Iurman +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20260522112013.12342-1-justin.iurman@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/exthdrs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ipv6/exthdrs.c ++++ b/net/ipv6/exthdrs.c +@@ -180,6 +180,8 @@ static bool ip6_parse_tlv(const struct t + func(). */ + if (curr->func(skb, off) == false) + return false; ++ ++ nh = skb_network_header(skb); + break; + } + } diff --git a/queue-5.10/ipv6-validate-extension-header-length-before-copying-to-cmsg.patch b/queue-5.10/ipv6-validate-extension-header-length-before-copying-to-cmsg.patch new file mode 100644 index 0000000000..07a4f184c6 --- /dev/null +++ b/queue-5.10/ipv6-validate-extension-header-length-before-copying-to-cmsg.patch 
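Review bot: The added `nh = skb_network_header(skb);` in ip6_parse_tlv() carries no explanation, and a reader seeing nh reloaded in only this branch will wonder whether the other branches need it too. A comment on the line above, `/* func() may trim or reallocate the skb (pskb_trim_rcsum), so nh is stale */`, states the reason the commit message gives. Whether any other pointer derived from nh is held across the curr->func() call is not visible from this hunk and should be checked. The loop and the function start and end outside the hunk.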
@@ -0,0 +1,166 @@
+From dd433671fef381fdaf7b530c631e6b782d66e224 Mon Sep 17 00:00:00 2001
+From: Qi Tang
+Date: Sat, 23 May 2026 22:32:45 +0800
+Subject: ipv6: validate extension header length before copying to cmsg
+
+From: Qi Tang
+
+commit dd433671fef381fdaf7b530c631e6b782d66e224 upstream.
+
+ip6_datagram_recv_specific_ctl() builds IPV6_{HOPOPTS,DSTOPTS,RTHDR}
+cmsgs (and their IPV6_2292* legacy counterparts) by trusting the
+on-wire hdrlen byte (ptr[1]) when computing the put_cmsg() length.
+The length was validated only at parse time (ipv6_parse_hopopts(),
+etc.). An nftables payload-write expression can rewrite hdrlen after
+parsing and before the skb reaches recvmsg; the write itself is
+in-bounds but put_cmsg() then reads up to ((hdrlen+1) << 3) = 2040
+bytes from an 8-byte header. nftables is reachable from an
+unprivileged user namespace, so this is an unprivileged
+slab-out-of-bounds read:
+
+ BUG: KASAN: slab-out-of-bounds in put_cmsg+0x3ac/0x540
+ put_cmsg+0x3ac/0x540
+ udpv6_recvmsg+0xca0/0x1250
+ sock_recvmsg+0xdf/0x190
+ ____sys_recvmsg+0x1b1/0x620
+
+Add ipv6_get_exthdr_len() which validates that at least two bytes
+are accessible before reading the hdrlen field, then checks the
+computed length against skb_tail_pointer(skb), returning 0 on
+failure. Extension headers are kept in the linear skb area by
+pskb_may_pull() during input, so skb_tail_pointer() is the correct
+bound.
+
+Use ipv6_get_exthdr_len() at all non-AH call sites: the five
+standalone cmsg blocks (HbH, 2292HbH, 2292DSTOPTS x2, 2292RTHDR)
+and the three standard cases in the extension-header walk loop
+(DSTOPTS, ROUTING, default). AH retains an inline bounds check
+because its length formula differs ((ptr[1]+2)<<2).
+
+The walk loop also gets a pre-read bounds check at the top to
+validate ptr before any case accesses ptr[0] or ptr[1].
+
+When the walk loop detects a corrupted header, return from the
+function instead of continuing to process later socket options.
+
+Cc: stable@vger.kernel.org
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Qi Tang
+Reviewed-by: Willem de Bruijn
+Link: https://patch.msgid.link/20260523143245.2281415-1-tpluszz77@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/datagram.c | 54 ++++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 46 insertions(+), 8 deletions(-)
+
+--- a/net/ipv6/datagram.c
++++ b/net/ipv6/datagram.c
+@@ -611,6 +611,18 @@ void ip6_datagram_recv_common_ctl(struct
+ }
+ }
+
++static u16 ipv6_get_exthdr_len(const struct sk_buff *skb, const u8 *ptr)
++{
++ u16 len;
++
++ if (ptr + 2 > skb_tail_pointer(skb))
++ return 0;
++
++ len = (ptr[1] + 1) << 3;
++
++ return (len <= skb_tail_pointer(skb) - ptr) ? len : 0;
++}
++
+ void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg,
+ struct sk_buff *skb)
+ {
+@@ -637,7 +649,10 @@ void ip6_datagram_recv_specific_ctl(stru
+ /* HbH is allowed only once */
+ if (np->rxopt.bits.hopopts && (opt->flags & IP6SKB_HOPBYHOP)) {
+ u8 *ptr = nh + sizeof(struct ipv6hdr);
+- put_cmsg(msg, SOL_IPV6, IPV6_HOPOPTS, (ptr[1]+1)<<3, ptr);
++ u16 len = ipv6_get_exthdr_len(skb, ptr);
++
++ if (len)
++ put_cmsg(msg, SOL_IPV6, IPV6_HOPOPTS, len, ptr);
+ }
+
+ if (opt->lastopt &&
+@@ -658,26 +673,37 @@ void ip6_datagram_recv_specific_ctl(stru
+ unsigned int len;
+ u8 *ptr = nh + off;
+
++ if (ptr + 2 > skb_tail_pointer(skb))
++ return;
++
+ switch (nexthdr) {
+ case IPPROTO_DSTOPTS:
+ nexthdr = ptr[0];
+- len = (ptr[1] + 1) << 3;
++ len = ipv6_get_exthdr_len(skb, ptr);
++ if (!len)
++ return;
+ if (np->rxopt.bits.dstopts)
+ put_cmsg(msg, SOL_IPV6, IPV6_DSTOPTS, len, ptr);
+ break;
+ case IPPROTO_ROUTING:
+ nexthdr = ptr[0];
+- len = (ptr[1] + 1) << 3;
++ len = ipv6_get_exthdr_len(skb, ptr);
++ if (!len)
++ return;
+ if (np->rxopt.bits.srcrt)
+ put_cmsg(msg, SOL_IPV6, IPV6_RTHDR, len, ptr);
+ break;
+ case IPPROTO_AH:
+ nexthdr = ptr[0];
+ len = (ptr[1] + 2) << 2;
++ if (ptr + len > skb_tail_pointer(skb))
++ return;
+ break;
+ default:
+ nexthdr = ptr[0];
+- len = (ptr[1] + 1) << 3;
++ len = ipv6_get_exthdr_len(skb, ptr);
++ if (!len)
++ return;
+ break;
+ }
+
+@@ -699,19 +725,31 @@ void ip6_datagram_recv_specific_ctl(stru
+ }
+ if (np->rxopt.bits.ohopopts && (opt->flags & IP6SKB_HOPBYHOP)) {
+ u8 *ptr = nh + sizeof(struct ipv6hdr);
+- put_cmsg(msg, SOL_IPV6, IPV6_2292HOPOPTS, (ptr[1]+1)<<3, ptr);
++ u16 len = ipv6_get_exthdr_len(skb, ptr);
++
++ if (len)
++ put_cmsg(msg, SOL_IPV6, IPV6_2292HOPOPTS, len, ptr);
+ }
+ if (np->rxopt.bits.odstopts && opt->dst0) {
+ u8 *ptr = nh + opt->dst0;
+- put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, (ptr[1]+1)<<3, ptr);
++ u16 len = ipv6_get_exthdr_len(skb, ptr);
++
++ if (len)
++ put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, len, ptr);
+ }
+ if (np->rxopt.bits.osrcrt && opt->srcrt) {
+ struct ipv6_rt_hdr *rthdr = (struct ipv6_rt_hdr *)(nh + opt->srcrt);
+- put_cmsg(msg, SOL_IPV6, IPV6_2292RTHDR, (rthdr->hdrlen+1) << 3, rthdr);
++ u16 len = ipv6_get_exthdr_len(skb, (u8 *)rthdr);
++
++ if (len)
++ put_cmsg(msg, SOL_IPV6, IPV6_2292RTHDR, len, rthdr);
+ }
+ if (np->rxopt.bits.odstopts && opt->dst1) {
+ u8 *ptr = nh + opt->dst1;
+- put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, (ptr[1]+1)<<3, ptr);
++ u16 len = ipv6_get_exthdr_len(skb, ptr);
++
++ if (len)
++ put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, len, ptr);
+ }
+ if (np->rxopt.bits.rxorigdstaddr) {
+ struct sockaddr_in6 sin6;
diff --git a/queue-5.10/macsec-fix-replay-protection-at-xpn-lower-pn-wrap.patch b/queue-5.10/macsec-fix-replay-protection-at-xpn-lower-pn-wrap.patch
new file mode 100644
index 0000000000..a20e57f560
--- /dev/null
+++ b/queue-5.10/macsec-fix-replay-protection-at-xpn-lower-pn-wrap.patch
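Review bot: ipv6_get_exthdr_len() uses 0 as its failure value but nothing in the new code states why that cannot collide with a real length; `(ptr[1] + 1) << 3` is at least 8 (and at most 2048, which is why u16 suffices), and that invariant deserves a comment above the function, e.g. `/* Length of the extension header at ptr, or 0 if its 2-byte header or the encoded length runs past skb_tail_pointer(); a valid length is never 0. */`. The `ptr + 2 > skb_tail_pointer(skb)` pre-check added at the top of the walk loop duplicates the helper's first test for the DSTOPTS, ROUTING and default cases and is only needed by the inline AH formula, which is worth saying so that neither copy is dropped as redundant later. ip6_datagram_recv_specific_ctl() starts and ends outside the hunk.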
@@ -0,0 +1,43 @@
+From e68842b3356471ba56c882209f324613dac47f64 Mon Sep 17 00:00:00 2001
+From: Junrui Luo
+Date: Wed, 20 May 2026 11:47:55 +0800
+Subject: macsec: fix replay protection at XPN lower-PN wrap
+
+From: Junrui Luo
+
+commit e68842b3356471ba56c882209f324613dac47f64 upstream.
+
+In macsec_post_decrypt(), when pn is U32_MAX, pn + 1 overflows u32 to 0
+and the first branch never fires. If next_pn_halves.lower is also in the
+upper half, pn_same_half(pn, lower) is true and the XPN else-if does not
+fire either, leaving next_pn_halves unchanged. An attacker that captures
+the legitimate frame carrying pn == 0xFFFFFFFF on an XPN association
+can then replay it indefinitely, since lowest_pn never rises above
+the captured pn and macsec_decrypt() reconstructs the same IV.
+
+Extend the XPN else-if to also fire when pn + 1 wraps to 0, so receipt
+of pn == U32_MAX advances next_pn_halves to (upper + 1, 0).
+
+Fixes: a21ecf0e0338 ("macsec: Support XPN frame handling - IEEE 802.1AEbw")
+Reported-by: Yuhao Jiang
+Cc: stable@vger.kernel.org
+Signed-off-by: Junrui Luo
+Link: https://patch.msgid.link/SYBPR01MB78813FD49E58F253B989F197AF012@SYBPR01MB7881.ausprd01.prod.outlook.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/macsec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -828,7 +828,8 @@ static bool macsec_post_decrypt(struct s
+ if (pn + 1 > rx_sa->next_pn_halves.lower) {
+ rx_sa->next_pn_halves.lower = pn + 1;
+ } else if (secy->xpn &&
+- !pn_same_half(pn, rx_sa->next_pn_halves.lower)) {
++ (pn + 1 == 0 ||
++ !pn_same_half(pn, rx_sa->next_pn_halves.lower))) {
+ rx_sa->next_pn_halves.upper++;
+ rx_sa->next_pn_halves.lower = pn + 1;
+ }
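Review bot: `pn + 1 == 0` in the extended else-if expresses "pn is U32_MAX and the increment wrapped" only implicitly, and a reader has to know from the commit message rather than the hunk that pn is a u32 to see why the first branch cannot have been taken. A comment on the new line would keep that reasoning with the code: `/* pn == U32_MAX: pn + 1 wrapped to 0 and skipped the branch above; roll the lower half over. */`. Spelling the test as `pn == U32_MAX` would make the intent visible without the wraparound step, at no behavioural cost. macsec_post_decrypt() starts and ends outside the hunk.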
diff --git a/queue-5.10/netfilter-conntrack-tcp-do-not-force-close-on-invalid-seq-rst-without-direction-check.patch b/queue-5.10/netfilter-conntrack-tcp-do-not-force-close-on-invalid-seq-rst-without-direction-check.patch
new file mode 100644
index 0000000000..9c06aaa682
--- /dev/null
+++ b/queue-5.10/netfilter-conntrack-tcp-do-not-force-close-on-invalid-seq-rst-without-direction-check.patch
@@ -0,0 +1,49 @@
+From bed6e04be8e6b9133d8b16d5a42d0e0ce674fa9a Mon Sep 17 00:00:00 2001
+From: Hamza Mahfooz
+Date: Mon, 11 May 2026 10:43:14 -0400
+Subject: netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check
+
+From: Hamza Mahfooz
+
+commit bed6e04be8e6b9133d8b16d5a42d0e0ce674fa9a upstream.
+
+An unintended behavior in the TCP conntrack state machine allows a
+connection to be forced into the CLOSE state using an RST packet with an
+invalid sequence number.
+
+Specifically, after a SYN packet is observed, an RST with an invalid SEQ
+can transition the conntrack entry to TCP_CONNTRACK_CLOSE, regardless of
+whether the RST corresponds to the expected reply direction. The relevant
+code path assumes the RST is a response to an outgoing SYN, but does not
+validate packet direction or ensure that a matching SYN was actually sent
+in the opposite direction.
+
+As a result, a crafted packet sequence consisting of a SYN followed by an
+invalid-sequence RST can prematurely terminate an active NAT entry. This
+makes connection teardown easier than intended.
+
+So, tighten the state transition logic to ensure that RST-triggered
+CLOSE transitions only occur when the RST is a valid response to a
+previously observed SYN in the correct direction.
+
+Cc: stable@vger.kernel.org
+Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
+Signed-off-by: Hamza Mahfooz
+Signed-off-by: Florian Westphal
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_conntrack_proto_tcp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -1083,7 +1083,8 @@ int nf_conntrack_tcp_packet(struct nf_co
+ new_state = old_state;
+ }
+ if (((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
+- && ct->proto.tcp.last_index == TCP_SYN_SET)
++ && ct->proto.tcp.last_index == TCP_SYN_SET
++ && ct->proto.tcp.last_dir != dir)
+ || (!test_bit(IPS_ASSURED_BIT, &ct->status)
+ && ct->proto.tcp.last_index == TCP_ACK_SET))
+ && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
diff --git a/queue-5.10/nfc-hci-fix-out-of-bounds-read-in-hcp-header-parsing.patch b/queue-5.10/nfc-hci-fix-out-of-bounds-read-in-hcp-header-parsing.patch
new file mode 100644
index 0000000000..258a5abb34
--- /dev/null
+++ b/queue-5.10/nfc-hci-fix-out-of-bounds-read-in-hcp-header-parsing.patch
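Review bot: The new `&& ct->proto.tcp.last_dir != dir` clause extends an already four-term condition without a comment, so the intent (only an RST arriving from the direction opposite to the recorded SYN may force CLOSE) lives solely in the commit message. A comment on the SYN alternative, e.g. `/* RST answering a SYN seen in the opposite direction */`, would stop the direction test from being read as incidental and dropped in a later cleanup. nf_conntrack_tcp_packet() starts and ends outside the hunk, so where last_dir is recorded cannot be checked from here.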
@@ -0,0 +1,89 @@
+From f040e590c035bfd9553fe79ee9585caf1b14d67b Mon Sep 17 00:00:00 2001
+From: Ashutosh Desai
+Date: Tue, 5 May 2026 17:07:12 +0000
+Subject: nfc: hci: fix out-of-bounds read in HCP header parsing
+
+From: Ashutosh Desai
+
+commit f040e590c035bfd9553fe79ee9585caf1b14d67b upstream.
+
+Both nfc_hci_recv_from_llc() and nci_hci_data_received_cb() read
+packet->header from skb->data at function entry without first checking
+that the buffer holds at least one byte. A malicious NFC peer can send
+a 0-byte HCP frame that passes through the SHDLC layer and reaches
+these functions, causing an out-of-bounds heap read of packet->header.
+The same 0-byte frame, if queued as a non-final fragment, also causes
+the reassembly loop to underflow msg_len to UINT_MAX, triggering
+skb_over_panic() when the reassembled skb is written.
+
+Fix this by adding a pskb_may_pull() check at the entry of each
+function before packet->header is first accessed. The existing
+pskb_may_pull() checks before the reassembled hcp_skb is cast to
+struct hcp_packet remain in place to guard the 2-byte HCP message
+header.
+
+Fixes: 8b8d2e08bf0d ("NFC: HCI support")
+Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
+Cc: stable@vger.kernel.org
+Reviewed-by: Simon Horman
+Signed-off-by: Ashutosh Desai
+Link: https://patch.msgid.link/20260505170712.96560-1-ashutoshdesai993@gmail.com
+Signed-off-by: David Heidelberg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/hci/core.c | 10 ++++++++++
+ net/nfc/nci/hci.c | 10 ++++++++++
+ 2 files changed, 20 insertions(+)
+
+--- a/net/nfc/hci/core.c
++++ b/net/nfc/hci/core.c
+@@ -861,6 +861,11 @@ static void nfc_hci_recv_from_llc(struct
+ struct sk_buff *frag_skb;
+ int msg_len;
+
++ if (!pskb_may_pull(skb, NFC_HCI_HCP_PACKET_HEADER_LEN)) {
++ kfree_skb(skb);
++ return;
++ }
++
+ packet = (struct hcp_packet *)skb->data;
+ if ((packet->header & ~NFC_HCI_FRAGMENT) == 0) {
+ skb_queue_tail(&hdev->rx_hcp_frags, skb);
+@@ -904,6 +909,11 @@ static void nfc_hci_recv_from_llc(struct
+ * unblock waiting cmd context. Otherwise, enqueue to dispatch
+ * in separate context where handler can also execute command.
+ */
++ if (!pskb_may_pull(hcp_skb, NFC_HCI_HCP_HEADER_LEN)) {
++ kfree_skb(hcp_skb);
++ return;
++ }
++
+ packet = (struct hcp_packet *)hcp_skb->data;
+ type = HCP_MSG_GET_TYPE(packet->message.header);
+ if (type == NFC_HCI_HCP_RESPONSE) {
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -444,6 +444,11 @@ void nci_hci_data_received_cb(void *cont
+ return;
+ }
+
++ if (!pskb_may_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN)) {
++ kfree_skb(skb);
++ return;
++ }
++
+ packet = (struct nci_hcp_packet *)skb->data;
+ if ((packet->header & ~NCI_HCI_FRAGMENT) == 0) {
+ skb_queue_tail(&ndev->hci_dev->rx_hcp_frags, skb);
+@@ -487,6 +492,11 @@ void nci_hci_data_received_cb(void *cont
+ * unblock waiting cmd context. Otherwise, enqueue to dispatch
+ * in separate context where handler can also execute command.
+ */
++ if (!pskb_may_pull(hcp_skb, NCI_HCI_HCP_HEADER_LEN)) {
++ kfree_skb(hcp_skb);
++ return;
++ }
++
+ packet = (struct nci_hcp_packet *)hcp_skb->data;
+ type = NCI_HCP_MSG_GET_TYPE(packet->message.header);
+ if (type == NCI_HCI_HCP_RESPONSE) {
diff --git a/queue-5.10/series b/queue-5.10/series
index efde0e2c3f..37971f1cef 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -66,3 +66,20 @@ iio-buffer-hw-consumer-fix-use-after-free-in-error-path.patch
 usb-serial-omninet-fix-memory-corruption-with-small-endpoint.patch
 usb-dwc2-fix-use-after-free-in-debug-code.patch
 input-elan_i2c-validate-firmware-size-before-use.patch
+wireguard-send-append-trailer-after-expanding-head.patch
+bpf-sockmap-fix-tail-fragment-offset-in-bpf_msg_push_data.patch
+macsec-fix-replay-protection-at-xpn-lower-pn-wrap.patch
+ipv6-exthdrs-refresh-nh-pointer-after-ipv6_hop_jumbo.patch
+asoc-qcom-q6asm-dai-fix-error-handling-in-prepare-and-set_params.patch
+ip6-vti-use-ip6_tnl.net-in-vti6_siocdevprivate.patch
+ipv6-validate-extension-header-length-before-copying-to-cmsg.patch
+ip6-vti-use-ip6_tnl.net-in-vti6_changelink.patch
+hid-wacom-fix-oob-write-in-wacom_hid_set_device_mode.patch
+iommu-debugobjects-avoid-gcc-16.1-section-mismatch-warnings.patch
+nfc-hci-fix-out-of-bounds-read-in-hcp-header-parsing.patch
+xfrm-route-migrate-notifications-to-caller-s-netns.patch
+xfrm-ah-use-skb_to_full_sk-in-async-output-callbacks.patch
+netfilter-conntrack-tcp-do-not-force-close-on-invalid-seq-rst-without-direction-check.patch
+asoc-qcom-q6asm-dai-close-stream-only-when-running.patch
+asoc-qcom-q6asm-dai-do-not-set-stream-state-in-event-and-trigger-callbacks.patch
+xfrm-esp-restore-combined-single-frag-length-gate.patch
diff --git a/queue-5.10/wireguard-send-append-trailer-after-expanding-head.patch b/queue-5.10/wireguard-send-append-trailer-after-expanding-head.patch
new file mode 100644
index 0000000000..703c1fb9fa
--- /dev/null
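Review bot: The four new `pskb_may_pull()` failure paths in nfc_hci_recv_from_llc() and nci_hci_data_received_cb() drop the frame with `kfree_skb()` and no diagnostic, so a peer emitting malformed HCP frames is indistinguishable from one that sends nothing. At minimum the entry-point checks should say what they defend against, e.g. `/* A 0-byte HCP frame can arrive from the peer via SHDLC; check before reading packet->header. */`, with the second pair of checks noting they guard the 2-byte message header of the reassembled skb. A rate-limited debug message on these paths would additionally make such frames observable during incident triage. Both functions start and end outside the hunk.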
+++ b/queue-5.10/wireguard-send-append-trailer-after-expanding-head.patch 
@@ -0,0 +1,61 @@
+From f75e3eb08fe31d30a9af6ed80cdd22e6772837e2 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld"
+Date: Fri, 29 May 2026 19:31:34 +0200
+Subject: wireguard: send: append trailer after expanding head
+
+From: Jason A. Donenfeld
+
+commit f75e3eb08fe31d30a9af6ed80cdd22e6772837e2 upstream.
+
+With how this is currently written, we add the trailer, zero it out, and
+then add the header space on. If that header space requires a
+reallocation + copy, the zeros in the trailer aren't copied, because the
+skb len hasn't actually been yet expanded to cover that. Instead add the
+padding at the end of the process rather than at the beginning.
+
+Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jason A. Donenfeld
+Link: https://patch.msgid.link/20260529173134.3080773-2-Jason@zx2c4.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireguard/send.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/wireguard/send.c
++++ b/drivers/net/wireguard/send.c
+@@ -177,16 +177,6 @@ static bool encrypt_packet(struct sk_buf
+ trailer_len = padding_len + noise_encrypted_len(0);
+ plaintext_len = skb->len + padding_len;
+
+- /* Expand data section to have room for padding and auth tag. */
+- num_frags = skb_cow_data(skb, trailer_len, &trailer);
+- if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
+- return false;
+-
+- /* Set the padding to zeros, and make sure it and the auth tag are part
+- * of the skb.
+- */
+- memset(skb_tail_pointer(trailer), 0, padding_len);
+-
+ /* Expand head section to have room for our header and the network
+ * stack's headers.
+ */
+@@ -198,6 +188,16 @@ static bool encrypt_packet(struct sk_buf
+ skb_checksum_help(skb)))
+ return false;
+
++ /* Expand data section to have room for padding and auth tag. */
++ num_frags = skb_cow_data(skb, trailer_len, &trailer);
++ if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
++ return false;
++
++ /* Set the padding to zeros, and make sure it and the auth tag are part
++ * of the skb.
++ */
++ memset(skb_tail_pointer(trailer), 0, padding_len);
++
+ /* Only after checksumming can we safely add on the padding at the end
+ * and the header.
+ */
diff --git a/queue-5.10/xfrm-ah-use-skb_to_full_sk-in-async-output-callbacks.patch b/queue-5.10/xfrm-ah-use-skb_to_full_sk-in-async-output-callbacks.patch
new file mode 100644
index 0000000000..6cde52ef04
--- /dev/null
+++ b/queue-5.10/xfrm-ah-use-skb_to_full_sk-in-async-output-callbacks.patch
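Review bot: The relocated `skb_cow_data()` / `memset()` block now depends on running after the head expansion, but its comment is moved verbatim and still reads as if the two steps were independent, which is how the original order came about. The comment on the moved block should state the constraint, e.g. `/* Expand data section to have room for padding and auth tag. Must follow the head expansion: per the fix, a head reallocation does not carry the trailer zeros because skb->len does not yet cover them. */`. The next comment, `Only after checksumming can we safely add on the padding at the end and the header`, now sits after the padding has already been zeroed, so its wording may warrant a touch-up in the same change. encrypt_packet() starts and ends outside the hunk.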
@@ -0,0 +1,86 @@
+From 79d8be262377f7112cfa3088dfc4142d5a2533f3 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito
+Date: Fri, 15 May 2026 11:45:31 -0400
+Subject: xfrm: ah: use skb_to_full_sk in async output callbacks
+
+From: Michael Bommarito
+
+commit 79d8be262377f7112cfa3088dfc4142d5a2533f3 upstream.
+
+When AH output is offloaded to an asynchronous crypto provider
+(hardware accelerators such as AMD CCP, or a forced-async software
+shim used for testing), the digest completion fires
+ah_output_done() / ah6_output_done() on a workqueue. The egress
+skb at that point may have been originated by a TCP listener
+sending a SYN-ACK, which sets skb->sk to a request_sock via
+skb_set_owner_edemux(); it may also have been originated by an
+inet_timewait_sock retransmit. Neither is a full struct sock, and
+passing the raw skb->sk to xfrm_output_resume() then forwards a
+non-full socket through the rest of the xfrm output chain.
+
+xfrm_output_resume() and its downstream consumers expect a full
+sk where they dereference at all. The natural egress path
+through ah_output_done() does not crash today because the
+consumers that read past sock_common are either gated by
+sk_fullsock() or short-circuit on flags that are clear on a fresh
+request_sock; an exhaustive walk of the 50 most plausible
+consumers under sch_fq, dev_queue_xmit, netfilter, tc-egress and
+cgroup-egress BPF found no current unguarded deref. The bug is
+still a real type confusion that future consumer changes could
+turn into a memory-corruption primitive.
+
+This is the same bug class fixed for ESP in commit 1620c88887b1
+("xfrm: Fix the usage of skb->sk"). Apply the analogous fix to
+AH: convert skb->sk to a full socket pointer (or NULL) via
+skb_to_full_sk() before handing it to xfrm_output_resume().
+
+The same async AH callbacks were touched recently for an
+independent ESN-related ICV layout bug in commit ec54093e6a8f
+("xfrm: ah: account for ESN high bits in async callbacks"); the
+sk type-confusion addressed here is orthogonal. This patch is
+part of an ongoing audit of the AH callback paths; an ah_output
+ihl-validation hardening series is also currently under review on
+netdev.
+
+Reproduced under UML + KASAN + lockdep with a forced-async
+hmac(sha1) shim that registers at priority 9999 and wraps the
+sync in-tree hmac-sha1-lib. With the shim loaded, ah_output_done
+runs on every SYN-ACK egress through a transport-mode AH SA and
+skb->sk arrives as a request_sock (TCP_NEW_SYN_RECV); after this
+patch, xfrm_output_resume() receives the listener (the result of
+sk_to_full_sk()) and consumer derefs land on full-sock fields as
+intended.
+
+Fixes: 9ab1265d5231 ("xfrm: Use actual socket sk instead of skb socket for xfrm_output_resume")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ah4.c | 2 +-
+ net/ipv6/ah6.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ah4.c
++++ b/net/ipv4/ah4.c
+@@ -141,7 +141,7 @@ static void ah_output_done(struct crypto
+ }
+
+ kfree(AH_SKB_CB(skb)->tmp);
+- xfrm_output_resume(skb->sk, skb, err);
++ xfrm_output_resume(skb_to_full_sk(skb), skb, err);
+ }
+
+ static int ah_output(struct xfrm_state *x, struct sk_buff *skb)
+--- a/net/ipv6/ah6.c
++++ b/net/ipv6/ah6.c
+@@ -338,7 +338,7 @@ static void ah6_output_done(struct crypt
+ ah6_restore_hdrs(top_iph, iph_ext, extlen);
+
+ kfree(AH_SKB_CB(skb)->tmp);
+- xfrm_output_resume(skb->sk, skb, err);
++ xfrm_output_resume(skb_to_full_sk(skb), skb, err);
+ }
+
+ static int ah6_output(struct xfrm_state *x, struct sk_buff *skb)
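Review bot: The switch to `skb_to_full_sk(skb)` in ah_output_done() and ah6_output_done() is a one-token change whose reason (skb->sk may be a request_sock or timewait sock rather than a full socket on this async completion path) is recorded only in the commit message. A brief comment above each call, `/* skb->sk may be a request/timewait sock here; pass a full sock or NULL */`, would keep a later reader from "simplifying" it back to skb->sk, and the same note applies to the ah6.c hunk. Whether the header that declares skb_to_full_sk() is already included by ah4.c and ah6.c cannot be checked from the hunk. Both callbacks start outside the hunk.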
diff --git a/queue-5.10/xfrm-esp-restore-combined-single-frag-length-gate.patch b/queue-5.10/xfrm-esp-restore-combined-single-frag-length-gate.patch
new file mode 100644
index 0000000000..3bd414df3f
--- /dev/null
+++ b/queue-5.10/xfrm-esp-restore-combined-single-frag-length-gate.patch
@@ -0,0 +1,60 @@
+From dfa0d7b0ff1eb6b2c416b8fdb9b4f2cefba57a40 Mon Sep 17 00:00:00 2001
+From: Jingguo Tan
+Date: Mon, 18 May 2026 17:06:48 +0800
+Subject: xfrm: esp: restore combined single-frag length gate
+
+From: Jingguo Tan
+
+commit dfa0d7b0ff1eb6b2c416b8fdb9b4f2cefba57a40 upstream.
+
+The ESP out-of-place fast path appends the trailer in esp_output_head()
+before esp_output_tail() allocates the destination page frag. The
+head-side gate currently checks skb->data_len and tailen separately, but
+the tail code allocates a single destination frag from the combined
+post-trailer skb->data_len.
+
+Reject the page-frag fast path when the combined aligned length exceeds a
+page. Otherwise skb_page_frag_refill() may fall back to a single page while
+the destination sg still spans the combined skb->data_len.
+
+Restore this combined-length page gate for both IPv4 and IPv6.
+
+Fixes: 5bd8baab087d ("esp: limit skb_page_frag_refill use to a single page")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lin Ma
+Signed-off-by: Chenyuan Mi
+Signed-off-by: Jingguo Tan
+Reviewed-by: Sabrina Dubroca
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/esp4.c | 4 ++--
+ net/ipv6/esp6.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -459,8 +459,8 @@ int esp_output_head(struct xfrm_state *x
+ return err;
+ }
+
+- if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
+- ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
++ if (ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) >
++ PAGE_SIZE)
+ goto cow;
+
+ if (!skb_cloned(skb)) {
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -493,8 +493,8 @@ int esp6_output_head(struct xfrm_state *
+ return err;
+ }
+
+- if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
+- ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
++ if (ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) >
++ PAGE_SIZE)
+ goto cow;
+
+ if (!skb_cloned(skb)) {
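Review bot: The combined gate `ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) > PAGE_SIZE` in esp_output_head() and esp6_output_head() carries no comment tying it to the single-page refill in the tail path, which is the invariant the commit restores and exactly what a future "tidy-up" splitting the two terms again would break. Suggested comment above the `if` in esp4.c: `/* esp_output_tail() fills one page frag for the whole post-trailer data_len, so gate on data_len + tailen together, not separately. */`, with the esp6.c copy naming its own tail helper. Both functions start and end outside the hunk.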
diff --git a/queue-5.10/xfrm-route-migrate-notifications-to-caller-s-netns.patch b/queue-5.10/xfrm-route-migrate-notifications-to-caller-s-netns.patch
new file mode 100644
index 0000000000..6e74b98eea
--- /dev/null
+++ b/queue-5.10/xfrm-route-migrate-notifications-to-caller-s-netns.patch
@@ -0,0 +1,161 @@
+From 7e2a4f7ca0952820731ef7bdadfc9a9e9d3571b4 Mon Sep 17 00:00:00 2001
+From: Maoyi Xie
+Date: Mon, 4 May 2026 22:27:36 +0800
+Subject: xfrm: route MIGRATE notifications to caller's netns
+
+From: Maoyi Xie
+
+commit 7e2a4f7ca0952820731ef7bdadfc9a9e9d3571b4 upstream.
+
+xfrm_send_migrate() in net/xfrm/xfrm_user.c and pfkey_send_migrate()
+in net/key/af_key.c both hardcode &init_net for the multicast that
+announces a successful XFRM_MSG_MIGRATE / SADB_X_MIGRATE.
+
+XFRM_MSG_MIGRATE arrives on a per-netns NETLINK_XFRM socket, and the
+rest of the xfrm/af_key netlink path was made netns-aware in 2008.
+The other 14 multicast paths in xfrm_user.c route their event using
+xs_net(x), xp_net(xp) or sock_net(skb->sk); only the migrate path
+was missed.
+
+Two consequences of the init_net hardcoding:
+
+ 1. The notification (selector, old/new endpoint addresses, and the
+ km_address) is delivered to listeners on init_net's
+ XFRMNLGRP_MIGRATE / pfkey BROADCAST_ALL groups rather than on
+ the issuing netns. An IKE daemon running in init_net therefore
+ receives migration notifications originating from any other
+ netns on the host.
+
+ 2. An IKE daemon running inside a non-init netns and subscribed
+ to its own XFRMNLGRP_MIGRATE / pfkey groups never receives the
+ notification of its own migration. IKEv2 MOBIKE / address-update
+ handling inside a netns is silently broken.
+
+Thread struct net through km_migrate() and the xfrm_mgr.migrate
+function pointer, drop the &init_net override in xfrm_send_migrate()
+and pfkey_send_migrate(), and pass the caller's net (already in
+scope in xfrm_migrate() via sock_net(skb->sk)) all the way down.
+struct xfrm_mgr is in-tree only and not exported as a stable API,
+so the function-pointer signature change is internal.
+
+pfkey_broadcast() is already netns-aware via net_generic(net,
+pfkey_net_id) since the pernet conversion. The five other
+pfkey_broadcast() callers in af_key.c already pass xs_net(x),
+sock_net(sk) or a per-netns net, so this only removes the
+&init_net outlier.
+
+Fixes: 5c79de6e79cd ("[XFRM]: User interface for handling XFRM_MSG_MIGRATE")
+Cc: stable@vger.kernel.org # v5.15+
+Signed-off-by: Maoyi Xie
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/xfrm.h | 3 ++-
+ net/key/af_key.c | 6 +++---
+ net/xfrm/xfrm_policy.c | 2 +-
+ net/xfrm/xfrm_state.c | 4 ++--
+ net/xfrm/xfrm_user.c | 5 ++---
+ 5 files changed, 10 insertions(+), 10 deletions(-)
+
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -593,6 +593,7 @@ struct xfrm_mgr {
+ const struct xfrm_migrate *m,
+ int num_bundles,
+ const struct xfrm_kmaddress *k,
++ struct net *net,
+ const struct xfrm_encap_tmpl *encap);
+ bool (*is_alive)(const struct km_event *c);
+ };
+@@ -1697,7 +1698,7 @@ int xfrm_sk_policy_insert(struct sock *s
+ #ifdef CONFIG_XFRM_MIGRATE
+ int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
+ const struct xfrm_migrate *m, int num_bundles,
+- const struct xfrm_kmaddress *k,
++ const struct xfrm_kmaddress *k, struct net *net,
+ const struct xfrm_encap_tmpl *encap);
+ struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net,
+ u32 if_id);
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -3552,7 +3552,7 @@ static int set_ipsecrequest(struct sk_bu
+ #ifdef CONFIG_NET_KEY_MIGRATE
+ static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
+ const struct xfrm_migrate *m, int num_bundles,
+- const struct xfrm_kmaddress *k,
++ const struct xfrm_kmaddress *k, struct net *net,
+ const struct xfrm_encap_tmpl *encap)
+ {
+ int i;
+@@ -3657,7 +3657,7 @@ static int pfkey_send_migrate(const stru
+ }
+
+ /* broadcast migrate message to sockets */
+- pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, &init_net);
++ pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, net);
+
+ return 0;
+
+@@ -3668,7 +3668,7 @@ err:
+ #else
+ static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
+ const struct xfrm_migrate *m, int num_bundles,
+- const struct xfrm_kmaddress *k,
++ const struct xfrm_kmaddress *k, struct net *net,
+ const struct xfrm_encap_tmpl *encap)
+ {
+ return -ENOPROTOOPT;
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -4532,7 +4532,7 @@ int xfrm_migrate(const struct xfrm_selec
+ }
+
+ /* Stage 5 - announce */
+- km_migrate(sel, dir, type, m, num_migrate, k, encap);
++ km_migrate(sel, dir, type, m, num_migrate, k, net, encap);
+
+ xfrm_pol_put(pol);
+
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -2270,7 +2270,7 @@ EXPORT_SYMBOL(km_policy_expired);
+ #ifdef CONFIG_XFRM_MIGRATE
+ int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
+ const struct xfrm_migrate *m, int num_migrate,
+- const struct xfrm_kmaddress *k,
++ const struct xfrm_kmaddress *k, struct net *net,
+ const struct xfrm_encap_tmpl *encap)
+ {
+ int err = -EINVAL;
+@@ -2281,7 +2281,7 @@ int km_migrate(const struct xfrm_selecto
+ list_for_each_entry_rcu(km, &xfrm_km_list, list) {
+ if (km->migrate) {
+ ret = km->migrate(sel, dir, type, m, num_migrate, k,
+- encap);
++ net, encap);
+ if (!ret)
+ err = ret;
+ }
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -2675,10 +2675,9 @@ out_cancel:
+
+ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
+ const struct xfrm_migrate *m, int num_migrate,
+- const struct xfrm_kmaddress *k,
++ const struct xfrm_kmaddress *k, struct net *net,
+ const struct xfrm_encap_tmpl *encap)
+ {
+- struct net *net = &init_net;
+ struct sk_buff *skb;
+ int err;
+
+@@ -2696,7 +2695,7 @@ static int xfrm_send_migrate(const struc
+ #else
+ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
+ const struct xfrm_migrate *m, int num_migrate,
+- const struct xfrm_kmaddress *k,
++ const struct xfrm_kmaddress *k, struct net *net,
+ const struct xfrm_encap_tmpl *encap)
+ {
+ return -ENOPROTOOPT;
-- 2.47.3
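Review bot: The new `struct net *net` parameter of km_migrate() and of the xfrm_mgr.migrate callback is undocumented at its declaration in include/net/xfrm.h, so which netns it must carry (the requester's, taken in xfrm_migrate() from sock_net(skb->sk) according to the commit message) is stated nowhere in the code that the two backends and any future xfrm_mgr implementer will read. A one-line comment at the km_migrate() prototype, `/* @net: netns of the requester; the MIGRATE notification is multicast there, never to init_net */`, would pin that contract. Inserting the argument between `k` and `encap` rather than at the front also reads as an afterthought, though reordering now would churn every signature in the hunk for no functional gain. The `#else` stubs in af_key.c and xfrm_user.c leave `net` unused, which is harmless but worth a glance if either stub later grows a body.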