From: Sasha Levin Date: Thu, 28 May 2026 19:42:21 +0000 (-0400) Subject: Drop ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch X-Git-Tag: v5.10.258~16 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=4ba0d5dc6810f4e00c9407bb9f1365add2380412;p=thirdparty%2Fkernel%2Fstable-queue.git Drop ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch b/queue-5.10/ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch deleted file mode 100644 index f198e92d51..0000000000 --- a/queue-5.10/ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch +++ /dev/null @@ -1,57 +0,0 @@ -From a13cdc97327de0502ef6b15e31823c952746bc3a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 19 May 2026 23:03:28 -0400 -Subject: ipv6: route: Unregister netdevice notifier on BPF init failure - -From: Yuho Choi - -[ Upstream commit 1341db322417266fb5845df81d28305b83a37324 ] - -ip6_route_init() registers ip6_route_dev_notifier before registering the -IPv6 route BPF iterator target. If bpf_iter_register() fails after the -notifier has been registered, the error path currently jumps to -out_register_late_subsys and unwinds the RTNL handlers and pernet route -state without removing the notifier from the netdevice notifier chain. - -This leaves ip6_route_dev_notify() callable after the IPv6 route state it -uses has been torn down. Add a separate unwind label for the BPF iterator -failure path and unregister the netdevice notifier before continuing with -the existing cleanup. - -Fixes: 138d0be35b14 ("net: bpf: Add netlink and ipv6_route bpf_iter targets") -Signed-off-by: Yuho Choi -Reviewed-by: Ido Schimmel -Link: https://patch.msgid.link/20260520030329.1061183-1-dbgh9129@gmail.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv6/route.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 27736b5847378..f2b80dedd8e0f 100644 ---- a/net/ipv6/route.c -+++ b/net/ipv6/route.c -@@ -6579,7 +6579,7 @@ int __init ip6_route_init(void) - #if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS) - ret = bpf_iter_register(); - if (ret) -- goto out_register_late_subsys; -+ goto out_register_notifier; - #endif - #endif - -@@ -6593,6 +6593,10 @@ int __init ip6_route_init(void) - out: - return ret; - -+#if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS) -+out_register_notifier: -+ unregister_netdevice_notifier(&ip6_route_dev_notifier); -+#endif - out_register_late_subsys: - rtnl_unregister_all(PF_INET6); - unregister_pernet_subsys(&ip6_route_net_late_ops); --- -2.53.0 - diff --git a/queue-5.10/net-usb-lan78xx-fix-double-free-issue-with-interrupt.patch b/queue-5.10/net-usb-lan78xx-fix-double-free-issue-with-interrupt.patch new file mode 100644 index 0000000000..74aebefd8b --- /dev/null +++ b/queue-5.10/net-usb-lan78xx-fix-double-free-issue-with-interrupt.patch @@ -0,0 +1,104 @@ +From 5a55df6cf35681117dbe64dbd277ff8fe8090af4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 16:00:21 +0800 +Subject: net: usb: lan78xx: Fix double free issue with interrupt buffer + allocation + +From: Oleksij Rempel + +[ Upstream commit 03819abbeb11117dcbba40bfe322b88c0c88a6b6 ] + +In lan78xx_probe(), the buffer `buf` was being freed twice: once +implicitly through `usb_free_urb(dev->urb_intr)` with the +`URB_FREE_BUFFER` flag and again explicitly by `kfree(buf)`. This caused +a double free issue. + +To resolve this, reordered `kmalloc()` and `usb_alloc_urb()` calls to +simplify the initialization sequence and removed the redundant +`kfree(buf)`. Now, `buf` is allocated after `usb_alloc_urb()`, ensuring +it is correctly managed by `usb_fill_int_urb()` and freed by +`usb_free_urb()` as intended. + +Fixes: a6df95cae40b ("lan78xx: Fix memory allocation bug") +Cc: John Efstathiades +Signed-off-by: Oleksij Rempel +Link: https://patch.msgid.link/20241116130558.1352230-1-o.rempel@pengutronix.de +Signed-off-by: Jakub Kicinski +[ Adjust context. Make the function usb_alloc_urb() call before +kmalloc(). ] +Signed-off-by: Wenshan Lan +Signed-off-by: Sasha Levin +--- + drivers/net/usb/lan78xx.c | 29 ++++++++++++++--------------- + 1 file changed, 14 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index f0643d9d8ff94..af0622e942584 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -4057,29 +4057,30 @@ static int lan78xx_probe(struct usb_interface *intf, + + period = ep_intr->desc.bInterval; + maxp = usb_maxpacket(dev->udev, dev->pipe_intr, 0); +- buf = kmalloc(maxp, GFP_KERNEL); +- if (!buf) { ++ ++ dev->urb_intr = usb_alloc_urb(0, GFP_KERNEL); ++ if (!dev->urb_intr) { + ret = -ENOMEM; + goto out3; + } + +- dev->urb_intr = usb_alloc_urb(0, GFP_KERNEL); +- if (!dev->urb_intr) { ++ buf = kmalloc(maxp, GFP_KERNEL); ++ if (!buf) { + ret = -ENOMEM; +- goto out4; +- } else { +- usb_fill_int_urb(dev->urb_intr, dev->udev, +- dev->pipe_intr, buf, maxp, +- intr_complete, dev, period); +- dev->urb_intr->transfer_flags |= URB_FREE_BUFFER; ++ goto free_urbs; + } + ++ usb_fill_int_urb(dev->urb_intr, dev->udev, ++ dev->pipe_intr, buf, maxp, ++ intr_complete, dev, period); ++ dev->urb_intr->transfer_flags |= URB_FREE_BUFFER; ++ + dev->maxpacket = usb_maxpacket(dev->udev, dev->pipe_out, 1); + + /* Reject broken descriptors. */ + if (dev->maxpacket == 0) { + ret = -ENODEV; +- goto out5; ++ goto free_urbs; + } + + /* driver requires remote-wakeup capability during autosuspend. */ +@@ -4087,7 +4088,7 @@ static int lan78xx_probe(struct usb_interface *intf, + + ret = lan78xx_phy_init(dev); + if (ret < 0) +- goto out5; ++ goto free_urbs; + + ret = register_netdev(netdev); + if (ret != 0) { +@@ -4109,10 +4110,8 @@ static int lan78xx_probe(struct usb_interface *intf, + + out6: + phy_disconnect(netdev->phydev); +-out5: ++free_urbs: + usb_free_urb(dev->urb_intr); +-out4: +- kfree(buf); + out3: + lan78xx_unbind(dev, intf); + out2: +-- +2.53.0 + diff --git a/queue-5.10/series b/queue-5.10/series index fdc6e13463..36ddcd64dd 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -593,4 +593,4 @@ net-ag71xx-check-error-for-platform_get_irq.patch string-add-mem_is_zero-helper-to-check-if-memory-are.patch gpiolib-cdev-use-mem_is_zero-instead-of-memchr_inv-s.patch gpio-cdev-check-if-uapi-v2-config-attributes-are-cor.patch -ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch +net-usb-lan78xx-fix-double-free-issue-with-interrupt.patch diff --git a/queue-5.15/ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch b/queue-5.15/ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch deleted file mode 100644 index 8bff5e54e9..0000000000 --- a/queue-5.15/ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch +++ /dev/null @@ -1,57 +0,0 @@ -From f68c7c1bd867898911025a2e73427a100cf49c53 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 19 May 2026 23:03:28 -0400 -Subject: ipv6: route: Unregister netdevice notifier on BPF init failure - -From: Yuho Choi - -[ Upstream commit 1341db322417266fb5845df81d28305b83a37324 ] - -ip6_route_init() registers ip6_route_dev_notifier before registering the -IPv6 route BPF iterator target. If bpf_iter_register() fails after the -notifier has been registered, the error path currently jumps to -out_register_late_subsys and unwinds the RTNL handlers and pernet route -state without removing the notifier from the netdevice notifier chain. - -This leaves ip6_route_dev_notify() callable after the IPv6 route state it -uses has been torn down. Add a separate unwind label for the BPF iterator -failure path and unregister the netdevice notifier before continuing with -the existing cleanup. - -Fixes: 138d0be35b14 ("net: bpf: Add netlink and ipv6_route bpf_iter targets") -Signed-off-by: Yuho Choi -Reviewed-by: Ido Schimmel -Link: https://patch.msgid.link/20260520030329.1061183-1-dbgh9129@gmail.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv6/route.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 52e8e77df69a1..ad21cdf8045a0 100644 ---- a/net/ipv6/route.c -+++ b/net/ipv6/route.c -@@ -6744,7 +6744,7 @@ int __init ip6_route_init(void) - #if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS) - ret = bpf_iter_register(); - if (ret) -- goto out_register_late_subsys; -+ goto out_register_notifier; - #endif - #endif - -@@ -6758,6 +6758,10 @@ int __init ip6_route_init(void) - out: - return ret; - -+#if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS) -+out_register_notifier: -+ unregister_netdevice_notifier(&ip6_route_dev_notifier); -+#endif - out_register_late_subsys: - rtnl_unregister_all(PF_INET6); - unregister_pernet_subsys(&ip6_route_net_late_ops); --- -2.53.0 - diff --git a/queue-5.15/series b/queue-5.15/series index cf68bd7b31..24ac03cd62 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -779,5 +779,4 @@ net-ag71xx-check-error-for-platform_get_irq.patch string-add-mem_is_zero-helper-to-check-if-memory-are.patch gpiolib-cdev-use-mem_is_zero-instead-of-memchr_inv-s.patch gpio-cdev-check-if-uapi-v2-config-attributes-are-cor.patch -ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch net-mana-validate-rx_req_idx-to-prevent-out-of-bound.patch diff --git a/queue-6.1/ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch b/queue-6.1/ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch deleted file mode 100644 index c1722ebff8..0000000000 --- a/queue-6.1/ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 98f1089e6738a38bd28887e8d41079089b694e79 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 19 May 2026 23:03:28 -0400 -Subject: ipv6: route: Unregister netdevice notifier on BPF init failure - -From: Yuho Choi - -[ Upstream commit 1341db322417266fb5845df81d28305b83a37324 ] - -ip6_route_init() registers ip6_route_dev_notifier before registering the -IPv6 route BPF iterator target. If bpf_iter_register() fails after the -notifier has been registered, the error path currently jumps to -out_register_late_subsys and unwinds the RTNL handlers and pernet route -state without removing the notifier from the netdevice notifier chain. - -This leaves ip6_route_dev_notify() callable after the IPv6 route state it -uses has been torn down. Add a separate unwind label for the BPF iterator -failure path and unregister the netdevice notifier before continuing with -the existing cleanup. - -Fixes: 138d0be35b14 ("net: bpf: Add netlink and ipv6_route bpf_iter targets") -Signed-off-by: Yuho Choi -Reviewed-by: Ido Schimmel -Link: https://patch.msgid.link/20260520030329.1061183-1-dbgh9129@gmail.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv6/route.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 987ef0954e2ea..2ab8aacf5513d 100644 ---- a/net/ipv6/route.c -+++ b/net/ipv6/route.c -@@ -6802,7 +6802,7 @@ int __init ip6_route_init(void) - #if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS) - ret = bpf_iter_register(); - if (ret) -- goto out_register_late_subsys; -+ goto out_register_notifier; - #endif - #endif - -@@ -6817,6 +6817,10 @@ int __init ip6_route_init(void) - out: - return ret; - -+#if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS) -+out_register_notifier: -+ unregister_netdevice_notifier(&ip6_route_dev_notifier); -+#endif - out_register_late_subsys: - rtnl_unregister_all(PF_INET6); - unregister_pernet_subsys(&ip6_route_net_late_ops); --- -2.53.0 - diff --git a/queue-6.1/series b/queue-6.1/series index 13bfb2e288..f92e109a74 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -966,5 +966,4 @@ net-ag71xx-check-error-for-platform_get_irq.patch string-add-mem_is_zero-helper-to-check-if-memory-are.patch gpiolib-cdev-use-mem_is_zero-instead-of-memchr_inv-s.patch gpio-cdev-check-if-uapi-v2-config-attributes-are-cor.patch -ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch net-mana-validate-rx_req_idx-to-prevent-out-of-bound.patch diff --git a/queue-6.12/ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch b/queue-6.12/ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch deleted file mode 100644 index 08391b6c73..0000000000 --- a/queue-6.12/ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 5dd9d37dbf8db894f0ce91372705fb4c8b93ba96 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 19 May 2026 23:03:28 -0400 -Subject: ipv6: route: Unregister netdevice notifier on BPF init failure - -From: Yuho Choi - -[ Upstream commit 1341db322417266fb5845df81d28305b83a37324 ] - -ip6_route_init() registers ip6_route_dev_notifier before registering the -IPv6 route BPF iterator target. If bpf_iter_register() fails after the -notifier has been registered, the error path currently jumps to -out_register_late_subsys and unwinds the RTNL handlers and pernet route -state without removing the notifier from the netdevice notifier chain. - -This leaves ip6_route_dev_notify() callable after the IPv6 route state it -uses has been torn down. Add a separate unwind label for the BPF iterator -failure path and unregister the netdevice notifier before continuing with -the existing cleanup. - -Fixes: 138d0be35b14 ("net: bpf: Add netlink and ipv6_route bpf_iter targets") -Signed-off-by: Yuho Choi -Reviewed-by: Ido Schimmel -Link: https://patch.msgid.link/20260520030329.1061183-1-dbgh9129@gmail.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv6/route.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 31c9e3b73f2da..0c2303d7e6f89 100644 ---- a/net/ipv6/route.c -+++ b/net/ipv6/route.c -@@ -6826,7 +6826,7 @@ int __init ip6_route_init(void) - #if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS) - ret = bpf_iter_register(); - if (ret) -- goto out_register_late_subsys; -+ goto out_register_notifier; - #endif - #endif - -@@ -6840,6 +6840,10 @@ int __init ip6_route_init(void) - out: - return ret; - -+#if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS) -+out_register_notifier: -+ unregister_netdevice_notifier(&ip6_route_dev_notifier); -+#endif - out_register_late_subsys: - rtnl_unregister_all(PF_INET6); - unregister_pernet_subsys(&ip6_route_net_late_ops); --- -2.53.0 - diff --git a/queue-6.12/landlock-fix-tcp-handling-of-short-af_unspec-address.patch b/queue-6.12/landlock-fix-tcp-handling-of-short-af_unspec-address.patch new file mode 100644 index 0000000000..eaeedba2f4 --- /dev/null +++ b/queue-6.12/landlock-fix-tcp-handling-of-short-af_unspec-address.patch @@ -0,0 +1,176 @@ +From acfce351147019a9db1a7544ee172780b8efc3ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 May 2026 12:14:26 +0000 +Subject: landlock: Fix TCP handling of short AF_UNSPEC addresses +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthieu Buffet + +[ Upstream commit e4d82cbce2258f454634307fdabf33aa46b61ab0 ] + +current_check_access_socket() treats AF_UNSPEC addresses as +AF_INET ones, and only later adds special case handling to +allow connect(AF_UNSPEC), and on IPv4 sockets +bind(AF_UNSPEC+INADDR_ANY). +This would be fine except AF_UNSPEC addresses can be as +short as a bare AF_UNSPEC sa_family_t field, and nothing +more. The AF_INET code path incorrectly enforces a length of +sizeof(struct sockaddr_in) instead. + +Move AF_UNSPEC edge case handling up inside the switch-case, +before the address is (potentially incorrectly) treated as +AF_INET. + +Fixes: fff69fb03dde ("landlock: Support network rules with TCP bind and connect") +Signed-off-by: Matthieu Buffet +Link: https://lore.kernel.org/r/20251027190726.626244-4-matthieu@buffet.re +Signed-off-by: Mickaël Salaün +[ There was a conflict due to missing commit 9f74411a40ce ("landlock: + Log TCP bind and connect denials") ] +Signed-off-by: Maximilian Heyne +Signed-off-by: Sasha Levin +--- + security/landlock/net.c | 118 +++++++++++++++++++++++----------------- + 1 file changed, 67 insertions(+), 51 deletions(-) + +diff --git a/security/landlock/net.c b/security/landlock/net.c +index 104b6c01fe503..53d479893475f 100644 +--- a/security/landlock/net.c ++++ b/security/landlock/net.c +@@ -72,6 +72,61 @@ static int current_check_access_socket(struct socket *const sock, + + switch (address->sa_family) { + case AF_UNSPEC: ++ if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) { ++ /* ++ * Connecting to an address with AF_UNSPEC dissolves ++ * the TCP association, which have the same effect as ++ * closing the connection while retaining the socket ++ * object (i.e., the file descriptor). As for dropping ++ * privileges, closing connections is always allowed. ++ * ++ * For a TCP access control system, this request is ++ * legitimate. Let the network stack handle potential ++ * inconsistencies and return -EINVAL if needed. ++ */ ++ return 0; ++ } else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) { ++ /* ++ * Binding to an AF_UNSPEC address is treated ++ * differently by IPv4 and IPv6 sockets. The socket's ++ * family may change under our feet due to ++ * setsockopt(IPV6_ADDRFORM), but that's ok: we either ++ * reject entirely or require ++ * %LANDLOCK_ACCESS_NET_BIND_TCP for the given port, so ++ * it cannot be used to bypass the policy. ++ * ++ * IPv4 sockets map AF_UNSPEC to AF_INET for ++ * retrocompatibility for bind accesses, only if the ++ * address is INADDR_ANY (cf. __inet_bind). IPv6 ++ * sockets always reject it. ++ * ++ * Checking the address is required to not wrongfully ++ * return -EACCES instead of -EAFNOSUPPORT or -EINVAL. ++ * We could return 0 and let the network stack handle ++ * these checks, but it is safer to return a proper ++ * error and test consistency thanks to kselftest. ++ */ ++ if (sock->sk->__sk_common.skc_family == AF_INET) { ++ const struct sockaddr_in *const sockaddr = ++ (struct sockaddr_in *)address; ++ ++ if (addrlen < sizeof(struct sockaddr_in)) ++ return -EINVAL; ++ ++ if (sockaddr->sin_addr.s_addr != ++ htonl(INADDR_ANY)) ++ return -EAFNOSUPPORT; ++ } else { ++ if (addrlen < SIN6_LEN_RFC2133) ++ return -EINVAL; ++ else ++ return -EAFNOSUPPORT; ++ } ++ } else { ++ WARN_ON_ONCE(1); ++ } ++ /* Only for bind(AF_UNSPEC+INADDR_ANY) on IPv4 socket. */ ++ fallthrough; + case AF_INET: + if (addrlen < sizeof(struct sockaddr_in)) + return -EINVAL; +@@ -90,57 +145,18 @@ static int current_check_access_socket(struct socket *const sock, + return 0; + } + +- /* Specific AF_UNSPEC handling. */ +- if (address->sa_family == AF_UNSPEC) { +- /* +- * Connecting to an address with AF_UNSPEC dissolves the TCP +- * association, which have the same effect as closing the +- * connection while retaining the socket object (i.e., the file +- * descriptor). As for dropping privileges, closing +- * connections is always allowed. +- * +- * For a TCP access control system, this request is legitimate. +- * Let the network stack handle potential inconsistencies and +- * return -EINVAL if needed. +- */ +- if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) +- return 0; +- +- /* +- * For compatibility reason, accept AF_UNSPEC for bind +- * accesses (mapped to AF_INET) only if the address is +- * INADDR_ANY (cf. __inet_bind). Checking the address is +- * required to not wrongfully return -EACCES instead of +- * -EAFNOSUPPORT. +- * +- * We could return 0 and let the network stack handle these +- * checks, but it is safer to return a proper error and test +- * consistency thanks to kselftest. +- */ +- if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) { +- /* addrlen has already been checked for AF_UNSPEC. */ +- const struct sockaddr_in *const sockaddr = +- (struct sockaddr_in *)address; +- +- if (sock->sk->__sk_common.skc_family != AF_INET) +- return -EINVAL; +- +- if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY)) +- return -EAFNOSUPPORT; +- } +- } else { +- /* +- * Checks sa_family consistency to not wrongfully return +- * -EACCES instead of -EINVAL. Valid sa_family changes are +- * only (from AF_INET or AF_INET6) to AF_UNSPEC. +- * +- * We could return 0 and let the network stack handle this +- * check, but it is safer to return a proper error and test +- * consistency thanks to kselftest. +- */ +- if (address->sa_family != sock->sk->__sk_common.skc_family) +- return -EINVAL; +- } ++ /* ++ * Checks sa_family consistency to not wrongfully return ++ * -EACCES instead of -EINVAL. Valid sa_family changes are ++ * only (from AF_INET or AF_INET6) to AF_UNSPEC. ++ * ++ * We could return 0 and let the network stack handle this ++ * check, but it is safer to return a proper error and test ++ * consistency thanks to kselftest. ++ */ ++ if (address->sa_family != sock->sk->__sk_common.skc_family && ++ address->sa_family != AF_UNSPEC) ++ return -EINVAL; + + id.key.data = (__force uintptr_t)port; + BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data)); +-- +2.53.0 + diff --git a/queue-6.12/series b/queue-6.12/series index ba826063ee..c790958ad9 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -264,9 +264,9 @@ gpiolib-cdev-use-mem_is_zero-instead-of-memchr_inv-s.patch gpio-cdev-check-if-uapi-v2-config-attributes-are-cor.patch asoc-cs35l56-fix-flushing-of-irq-work-in-cs35l56_sdw.patch drm-xe-oa-fix-exec_queue-leak-on-width-check-in-stre.patch -ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch octeontx2-af-npc-fix-allmulticast-skip-logic-for-lbk.patch net-mana-validate-rx_req_idx-to-prevent-out-of-bound.patch pds_core-ensure-null-termination-for-firmware-versio.patch net-gro-don-t-merge-zcopy-skbs.patch loongarch-kprobes-fix-handling-of-fatal-unrecoverabl.patch +landlock-fix-tcp-handling-of-short-af_unspec-address.patch diff --git a/queue-6.6/ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch b/queue-6.6/ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch deleted file mode 100644 index ec1b8a5d27..0000000000 --- a/queue-6.6/ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch +++ /dev/null @@ -1,57 +0,0 @@ -From a1e38ab8eff054c3b59a90aec95bed1365cef369 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 19 May 2026 23:03:28 -0400 -Subject: ipv6: route: Unregister netdevice notifier on BPF init failure - -From: Yuho Choi - -[ Upstream commit 1341db322417266fb5845df81d28305b83a37324 ] - -ip6_route_init() registers ip6_route_dev_notifier before registering the -IPv6 route BPF iterator target. If bpf_iter_register() fails after the -notifier has been registered, the error path currently jumps to -out_register_late_subsys and unwinds the RTNL handlers and pernet route -state without removing the notifier from the netdevice notifier chain. - -This leaves ip6_route_dev_notify() callable after the IPv6 route state it -uses has been torn down. Add a separate unwind label for the BPF iterator -failure path and unregister the netdevice notifier before continuing with -the existing cleanup. - -Fixes: 138d0be35b14 ("net: bpf: Add netlink and ipv6_route bpf_iter targets") -Signed-off-by: Yuho Choi -Reviewed-by: Ido Schimmel -Link: https://patch.msgid.link/20260520030329.1061183-1-dbgh9129@gmail.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv6/route.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index c5b71baf95e7b..e10810b36484a 100644 ---- a/net/ipv6/route.c -+++ b/net/ipv6/route.c -@@ -6818,7 +6818,7 @@ int __init ip6_route_init(void) - #if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS) - ret = bpf_iter_register(); - if (ret) -- goto out_register_late_subsys; -+ goto out_register_notifier; - #endif - #endif - -@@ -6833,6 +6833,10 @@ int __init ip6_route_init(void) - out: - return ret; - -+#if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS) -+out_register_notifier: -+ unregister_netdevice_notifier(&ip6_route_dev_notifier); -+#endif - out_register_late_subsys: - rtnl_unregister_all(PF_INET6); - unregister_pernet_subsys(&ip6_route_net_late_ops); --- -2.53.0 - diff --git a/queue-6.6/series b/queue-6.6/series index 583e0653d8..f040a0ab30 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -179,7 +179,6 @@ string-add-mem_is_zero-helper-to-check-if-memory-are.patch gpiolib-cdev-use-mem_is_zero-instead-of-memchr_inv-s.patch gpio-cdev-check-if-uapi-v2-config-attributes-are-cor.patch asoc-cs35l56-fix-flushing-of-irq-work-in-cs35l56_sdw.patch -ipv6-route-unregister-netdevice-notifier-on-bpf-init.patch net-mana-validate-rx_req_idx-to-prevent-out-of-bound.patch pds_core-add-an-error-code-check-in-pdsc_dl_info_get.patch pds_core-ensure-null-termination-for-firmware-versio.patch