From: Sasha Levin
Date: Fri, 29 May 2026 11:59:49 +0000 (-0400)
Subject: drop 4 patches based on RC review feedback
X-Git-Tag: v5.10.258~15
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=779e55348f18eb1242815b16a8064fee411b5f2d;p=thirdparty%2Fkernel%2Fstable-queue.git

drop 4 patches based on RC review feedback

Dropped patches:

- "firmware: arm_ffa: bound partition_info_get_regs copies"
  Queues: 6.12
  Reason: -Werror,-Wincompatible-pointer-types build break on
  stable-rc/linux-6.12.y (arm64 allmodconfig, clang-21);
  struct ffa_partition_info.uuid is still u32[4] in 6.12, the uuid_t
  conversion prerequisite b7c9f32614f17 was not backported.
  Report: https://lore.kernel.org/stable/178001274428.7152.372661732178917650@330cfa3079ca/

- "firmware: arm_ffa: fix big-endian support in __ffa_partition_info_get_regs" [dependency]
  Queues: 6.12
  Reason: Stable-dep-of 3974ea193840; introduces the failing
  uuid_copy(&buf->uuid, ...) line, so it must be dropped together with
  the patch above.

- "net: shaper: reject handle IDs exceeding internal bit-width"
  Queues: 7.0, 6.18
  Reason: ynl tooling build break - adds 'scope: kernel' to
  net_shaper.yaml but genetlink.yaml schema (additionalProperties: False)
  has no 'scope' support; prerequisite fbf5df34a4dbcd ("tools: ynl: add
  scope qualifier for definitions") is not queued.
  Report: https://lore.kernel.org/stable/d66f5c95-ebc0-4c53-9852-f73c790363f7@leemhuis.info/

- "af_unix: Reject SIOCATMARK on non-stream sockets"
  Queues: 6.1, 5.15, 5.10
  Reason: defective backport of upstream d119775f2bad - the sk_type
  check was placed in unix_stream_read_generic() instead of
  unix_ioctl()'s SIOCATMARK case, regressing blocking SOCK_SEQPACKET
  recvmsg while not fixing the intended ioctl behavior (5.10 has no
  SIOCATMARK/OOB support at all). Mirrors the revert already queued
  for 6.6.
  Report: https://lore.kernel.org/stable/20260527094544.2344825-1-guanwentao@uniontech.com/

Signed-off-by: Sasha Levin
---
diff --git a/queue-5.10/af_unix-reject-siocatmark-on-non-stream-sockets.patch b/queue-5.10/af_unix-reject-siocatmark-on-non-stream-sockets.patch deleted file mode 100644 index b0bc8e6105..0000000000 --- a/queue-5.10/af_unix-reject-siocatmark-on-non-stream-sockets.patch +++ /dev/null @@ -1,48 +0,0 @@ -From d119775f2bad827edc28071c061fdd4a91f889a5 Mon Sep 17 00:00:00 2001 -From: Jiexun Wang -Date: Wed, 6 May 2026 22:08:23 +0800 -Subject: af_unix: Reject SIOCATMARK on non-stream sockets - -From: Jiexun Wang - -commit d119775f2bad827edc28071c061fdd4a91f889a5 upstream. - -SIOCATMARK reports whether the receive queue is at the urgent mark for -MSG_OOB. - -In AF_UNIX, MSG_OOB is supported only for SOCK_STREAM sockets. -SOCK_DGRAM and SOCK_SEQPACKET reject MSG_OOB in sendmsg() and recvmsg(), -so they should not support SIOCATMARK either. - -Return -EOPNOTSUPP for non-stream sockets before checking the receive -queue. - -Fixes: 314001f0bf92 ("af_unix: Add OOB support") -Cc: stable@kernel.org -Reported-by: Yuan Tan -Reported-by: Yifan Wu -Reported-by: Juefei Pu -Reported-by: Xin Liu -Suggested-by: Kuniyuki Iwashima -Signed-off-by: Jiexun Wang -Signed-off-by: Ren Wei -Reviewed-by: Kuniyuki Iwashima -Link: https://patch.msgid.link/20260506140825.2987635-1-n05ec@lzu.edu.cn -Signed-off-by: Jakub Kicinski -Signed-off-by: Greg Kroah-Hartman ---- - net/unix/af_unix.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -2380,6 +2380,9 @@ again: - goto out; - } - -+ if (sk->sk_type != SOCK_STREAM) -+ return -EOPNOTSUPP; -+ - mutex_lock(&u->iolock); - goto redo; - unlock: diff --git a/queue-5.10/series b/queue-5.10/series index 36ddcd64dd..8940fc2fd2 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -240,7 +240,6 @@ sound-ua101-fix-division-by-zero-at-probe.patch ip6_gre-use-cached-t-net-in-ip6erspan_changelink.patch net-rds-handle-zerocopy-send-cleanup-before-the-message-is-queued.patch parisc-fix-irq-leak-in-lasi-driver.patch -af_unix-reject-siocatmark-on-non-stream-sockets.patch hv_sock-fix-arm64-support.patch ibmveth-disable-gso-for-packets-with-small-mss.patch udf-reject-descriptors-with-oversized-crc-length.patch diff --git a/queue-5.15/af_unix-reject-siocatmark-on-non-stream-sockets.patch b/queue-5.15/af_unix-reject-siocatmark-on-non-stream-sockets.patch deleted file mode 100644 index 9da776d477..0000000000 --- a/queue-5.15/af_unix-reject-siocatmark-on-non-stream-sockets.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From d119775f2bad827edc28071c061fdd4a91f889a5 Mon Sep 17 00:00:00 2001 -From: Jiexun Wang -Date: Wed, 6 May 2026 22:08:23 +0800 -Subject: af_unix: Reject SIOCATMARK on non-stream sockets - -From: Jiexun Wang - -commit d119775f2bad827edc28071c061fdd4a91f889a5 upstream. - -SIOCATMARK reports whether the receive queue is at the urgent mark for -MSG_OOB. - -In AF_UNIX, MSG_OOB is supported only for SOCK_STREAM sockets. -SOCK_DGRAM and SOCK_SEQPACKET reject MSG_OOB in sendmsg() and recvmsg(), -so they should not support SIOCATMARK either. - -Return -EOPNOTSUPP for non-stream sockets before checking the receive -queue. - -Fixes: 314001f0bf92 ("af_unix: Add OOB support") -Cc: stable@kernel.org -Reported-by: Yuan Tan -Reported-by: Yifan Wu -Reported-by: Juefei Pu -Reported-by: Xin Liu -Suggested-by: Kuniyuki Iwashima -Signed-off-by: Jiexun Wang -Signed-off-by: Ren Wei -Reviewed-by: Kuniyuki Iwashima -Link: https://patch.msgid.link/20260506140825.2987635-1-n05ec@lzu.edu.cn -Signed-off-by: Jakub Kicinski -Signed-off-by: Greg Kroah-Hartman ---- - net/unix/af_unix.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -2706,6 +2706,9 @@ again: - goto out; - } - -+ if (sk->sk_type != SOCK_STREAM) -+ return -EOPNOTSUPP; -+ - mutex_lock(&u->iolock); - goto redo; - unlock: diff --git a/queue-5.15/series b/queue-5.15/series index 24ac03cd62..69b66a7123 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -318,7 +318,6 @@ parisc-fix-irq-leak-in-lasi-driver.patch hwmon-ltc2992-clamp-threshold-writes-to-hardware-range.patch hwmon-ltc2992-fix-u32-overflow-in-power-read-path.patch hwmon-corsair-psu-close-hid-device-on-probe-errors.patch -af_unix-reject-siocatmark-on-non-stream-sockets.patch extcon-ptn5150-handle-pending-irq-events-during-system-resume.patch hv_sock-fix-arm64-support.patch ibmveth-disable-gso-for-packets-with-small-mss.patch 
diff --git a/queue-6.1/af_unix-reject-siocatmark-on-non-stream-sockets.patch b/queue-6.1/af_unix-reject-siocatmark-on-non-stream-sockets.patch deleted file mode 100644 index 30318fc2d3..0000000000 --- a/queue-6.1/af_unix-reject-siocatmark-on-non-stream-sockets.patch +++ /dev/null @@ -1,48 +0,0 @@ -From d119775f2bad827edc28071c061fdd4a91f889a5 Mon Sep 17 00:00:00 2001 -From: Jiexun Wang -Date: Wed, 6 May 2026 22:08:23 +0800 -Subject: af_unix: Reject SIOCATMARK on non-stream sockets - -From: Jiexun Wang - -commit d119775f2bad827edc28071c061fdd4a91f889a5 upstream. - -SIOCATMARK reports whether the receive queue is at the urgent mark for -MSG_OOB. - -In AF_UNIX, MSG_OOB is supported only for SOCK_STREAM sockets. -SOCK_DGRAM and SOCK_SEQPACKET reject MSG_OOB in sendmsg() and recvmsg(), -so they should not support SIOCATMARK either. - -Return -EOPNOTSUPP for non-stream sockets before checking the receive -queue. - -Fixes: 314001f0bf92 ("af_unix: Add OOB support") -Cc: stable@kernel.org -Reported-by: Yuan Tan -Reported-by: Yifan Wu -Reported-by: Juefei Pu -Reported-by: Xin Liu -Suggested-by: Kuniyuki Iwashima -Signed-off-by: Jiexun Wang -Signed-off-by: Ren Wei -Reviewed-by: Kuniyuki Iwashima -Link: https://patch.msgid.link/20260506140825.2987635-1-n05ec@lzu.edu.cn -Signed-off-by: Jakub Kicinski -Signed-off-by: Greg Kroah-Hartman ---- - net/unix/af_unix.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -2848,6 +2848,9 @@ again: - goto out; - } - -+ if (sk->sk_type != SOCK_STREAM) -+ return -EOPNOTSUPP; -+ - mutex_lock(&u->iolock); - goto redo; - unlock: diff --git a/queue-6.1/series b/queue-6.1/series index f92e109a74..6edbb6c691 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
@@ -328,7 +328,6 @@ parisc-fix-irq-leak-in-lasi-driver.patch hwmon-ltc2992-clamp-threshold-writes-to-hardware-range.patch hwmon-ltc2992-fix-u32-overflow-in-power-read-path.patch hwmon-corsair-psu-close-hid-device-on-probe-errors.patch -af_unix-reject-siocatmark-on-non-stream-sockets.patch cifs-abort-open_cached_dir-if-we-don-t-request-leases.patch cifs-change_conf-needs-to-be-called-for-session-setup.patch extcon-ptn5150-handle-pending-irq-events-during-system-resume.patch diff --git a/queue-6.12/firmware-arm_ffa-bound-partition_info_get_regs-copie.patch b/queue-6.12/firmware-arm_ffa-bound-partition_info_get_regs-copie.patch deleted file mode 100644 index a54448b948..0000000000 --- a/queue-6.12/firmware-arm_ffa-bound-partition_info_get_regs-copie.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From ce710f6b9da6cf26d441fbbed4bdb5ac87b1b341 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 28 Apr 2026 19:33:30 +0100 -Subject: firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies - -From: Sudeep Holla - -[ Upstream commit 3974ea1938406f9bfa7c1f48d4e43533f447bb08 ] - -The register-based PARTITION_INFO_GET path trusted the firmware-provided -indices when copying partition descriptors into the caller buffer. -Reject inconsistent counts or index progressions so the copy loop cannot -write past the allocated array. - -Fixes: ba85c644ac8d ("firmware: arm_ffa: Add support for FFA_PARTITION_INFO_GET_REGS") -Link: https://patch.msgid.link/20260428-ffa_fixes-v2-6-8595ae450034@kernel.org -(fixed cur_idx when exactly one descriptor in the first fragment) -Signed-off-by: Sudeep Holla -Signed-off-by: Sasha Levin ---- - drivers/firmware/arm_ffa/driver.c | 29 +++++++++++++++++++++++------ - 1 file changed, 23 insertions(+), 6 deletions(-) - -diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c -index f033bd8ee816d..521007bfa35a4 100644 ---- a/drivers/firmware/arm_ffa/driver.c -+++ b/drivers/firmware/arm_ffa/driver.c -@@ -307,6 +307,12 @@ __ffa_partition_info_get(u32 uuid0, u32 uuid1, u32 uuid2, u32 uuid3, - #define PART_INFO_ID_MASK GENMASK(15, 0) - #define PART_INFO_EXEC_CXT_MASK GENMASK(31, 16) - #define PART_INFO_PROPS_MASK GENMASK(63, 32) -+#define FFA_PART_INFO_GET_REGS_FIRST_REG 3 -+#define FFA_PART_INFO_GET_REGS_REGS_PER_DESC 3 -+#define FFA_PART_INFO_GET_REGS_MAX_DESC \ -+ (((sizeof(ffa_value_t) / sizeof_field(ffa_value_t, a0)) - \ -+ FFA_PART_INFO_GET_REGS_FIRST_REG) / \ -+ FFA_PART_INFO_GET_REGS_REGS_PER_DESC) - #define PART_INFO_ID(x) ((u16)(FIELD_GET(PART_INFO_ID_MASK, (x)))) - #define PART_INFO_EXEC_CXT(x) ((u16)(FIELD_GET(PART_INFO_EXEC_CXT_MASK, (x)))) - #define PART_INFO_PROPERTIES(x) ((u32)(FIELD_GET(PART_INFO_PROPS_MASK, (x)))) -@@ -314,15 +320,13 @@ static int - __ffa_partition_info_get_regs(u32 
uuid0, u32 uuid1, u32 uuid2, u32 uuid3, - struct ffa_partition_info *buffer, int num_parts) - { -- u16 buf_sz, start_idx, cur_idx, count = 0, prev_idx = 0, tag = 0; -+ u16 buf_sz, start_idx = 0, cur_idx, count = 0, tag = 0; - struct ffa_partition_info *buf = buffer; - ffa_value_t partition_info; - - do { - __le64 *regs; -- int idx; -- -- start_idx = prev_idx ? prev_idx + 1 : 0; -+ int idx, nr_desc, buf_idx; - - invoke_ffa_fn((ffa_value_t){ - .a0 = FFA_PARTITION_INFO_GET_REGS, -@@ -338,15 +342,28 @@ __ffa_partition_info_get_regs(u32 uuid0, u32 uuid1, u32 uuid2, u32 uuid3, - count = PARTITION_COUNT(partition_info.a2); - if (!buffer || !num_parts) /* count only */ - return count; -+ if (count > num_parts) -+ return -EINVAL; - - cur_idx = CURRENT_INDEX(partition_info.a2); -+ if (cur_idx < start_idx || cur_idx >= count) -+ return -EINVAL; -+ -+ nr_desc = cur_idx - start_idx + 1; -+ if (nr_desc > FFA_PART_INFO_GET_REGS_MAX_DESC) -+ return -EINVAL; -+ -+ buf_idx = buf - buffer; -+ if (buf_idx + nr_desc > num_parts) -+ return -EINVAL; -+ - tag = UUID_INFO_TAG(partition_info.a2); - buf_sz = PARTITION_INFO_SZ(partition_info.a2); - if (buf_sz > sizeof(*buffer)) - buf_sz = sizeof(*buffer); - - regs = (void *)&partition_info.a3; -- for (idx = 0; idx < cur_idx - start_idx + 1; idx++, buf++) { -+ for (idx = 0; idx < nr_desc; idx++, buf++) { - union { - uuid_t uuid; - u64 regs[2]; -@@ -364,7 +381,7 @@ __ffa_partition_info_get_regs(u32 uuid0, u32 uuid1, u32 uuid2, u32 uuid3, - uuid_copy(&buf->uuid, &uuid_regs.uuid); - regs += 3; - } -- prev_idx = cur_idx; -+ start_idx = cur_idx + 1; - - } while (cur_idx < (count - 1)); - --- -2.53.0 - diff --git a/queue-6.12/firmware-arm_ffa-fix-big-endian-support-in-__ffa_par.patch b/queue-6.12/firmware-arm_ffa-fix-big-endian-support-in-__ffa_par.patch deleted file mode 100644 index 789d3266c2..0000000000 --- a/queue-6.12/firmware-arm_ffa-fix-big-endian-support-in-__ffa_par.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From b2e6055b1976439f447ebf68c1f41cfd2aa89145 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Feb 2025 15:38:46 +0000 -Subject: firmware: arm_ffa: Fix big-endian support in - __ffa_partition_info_regs_get() - -From: Sudeep Holla - -[ Upstream commit 7bc0f589c81d62bc95f9ed142847219fc5d8ef6c ] - -Currently the FF-A driver doesn't support big-endian correctly. It is -hard to regularly test the setup due to lack of test infrastructure and -tools. - -In order to support full stack, we need to take small steps in getting -the support for big-endian kernel added slowly. This change fixes the -support in __ffa_partition_info_regs_get() so that the response from the -firmware are converted correctly as required. With this change, we can -enumerate all the FF-A devices correctly in the big-endian kernel if the -FFA_PARTITION_INFO_REGS_GET is supported. - -Tested-by: Viresh Kumar -Message-Id: <20250217-ffa_updates-v3-5-bd1d9de615e7@arm.com> -Signed-off-by: Sudeep Holla -Stable-dep-of: 3974ea193840 ("firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies") -Signed-off-by: Sasha Levin ---- - drivers/firmware/arm_ffa/driver.c | 31 +++++++++++++++++++++++++++++-- - 1 file changed, 29 insertions(+), 2 deletions(-) - -diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c -index a6c5f89476c06..f033bd8ee816d 100644 ---- a/drivers/firmware/arm_ffa/driver.c -+++ b/drivers/firmware/arm_ffa/driver.c -@@ -304,14 +304,24 @@ __ffa_partition_info_get(u32 uuid0, u32 uuid1, u32 uuid2, u32 uuid3, - #define CURRENT_INDEX(x) ((u16)(FIELD_GET(CURRENT_INDEX_MASK, (x)))) - #define UUID_INFO_TAG(x) ((u16)(FIELD_GET(UUID_INFO_TAG_MASK, (x)))) - #define PARTITION_INFO_SZ(x) ((u16)(FIELD_GET(PARTITION_INFO_SZ_MASK, (x)))) -+#define PART_INFO_ID_MASK GENMASK(15, 0) -+#define PART_INFO_EXEC_CXT_MASK GENMASK(31, 16) -+#define PART_INFO_PROPS_MASK GENMASK(63, 32) -+#define PART_INFO_ID(x) ((u16)(FIELD_GET(PART_INFO_ID_MASK, (x)))) -+#define 
PART_INFO_EXEC_CXT(x) ((u16)(FIELD_GET(PART_INFO_EXEC_CXT_MASK, (x)))) -+#define PART_INFO_PROPERTIES(x) ((u32)(FIELD_GET(PART_INFO_PROPS_MASK, (x)))) - static int - __ffa_partition_info_get_regs(u32 uuid0, u32 uuid1, u32 uuid2, u32 uuid3, - struct ffa_partition_info *buffer, int num_parts) - { - u16 buf_sz, start_idx, cur_idx, count = 0, prev_idx = 0, tag = 0; -+ struct ffa_partition_info *buf = buffer; - ffa_value_t partition_info; - - do { -+ __le64 *regs; -+ int idx; -+ - start_idx = prev_idx ? prev_idx + 1 : 0; - - invoke_ffa_fn((ffa_value_t){ -@@ -335,8 +345,25 @@ __ffa_partition_info_get_regs(u32 uuid0, u32 uuid1, u32 uuid2, u32 uuid3, - if (buf_sz > sizeof(*buffer)) - buf_sz = sizeof(*buffer); - -- memcpy(buffer + prev_idx * buf_sz, &partition_info.a3, -- (cur_idx - start_idx + 1) * buf_sz); -+ regs = (void *)&partition_info.a3; -+ for (idx = 0; idx < cur_idx - start_idx + 1; idx++, buf++) { -+ union { -+ uuid_t uuid; -+ u64 regs[2]; -+ } uuid_regs = { -+ .regs = { -+ le64_to_cpu(*(regs + 1)), -+ le64_to_cpu(*(regs + 2)), -+ } -+ }; -+ u64 val = *(u64 *)regs; -+ -+ buf->id = PART_INFO_ID(val); -+ buf->exec_ctxt = PART_INFO_EXEC_CXT(val); -+ buf->properties = PART_INFO_PROPERTIES(val); -+ uuid_copy(&buf->uuid, &uuid_regs.uuid); -+ regs += 3; -+ } - prev_idx = cur_idx; - - } while (cur_idx < (count - 1)); --- -2.53.0 - diff --git a/queue-6.12/series b/queue-6.12/series index c790958ad9..709e7011d9 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
@@ -155,8 +155,6 @@ riscv-mm-fixup-no5lvl-failure-when-vaddr-is-invalid.patch kunit-config-enable-kunit_debugfs-by-default.patch kunit-config-kunit_debugfs-should-depend-on-debug_fs.patch pinctrl-qcom-fix-wakeirq-map-by-removing-disconnecte.patch -firmware-arm_ffa-fix-big-endian-support-in-__ffa_par.patch -firmware-arm_ffa-bound-partition_info_get_regs-copie.patch firmware-arm_ffa-align-rxtx-buffer-size-before-mappi.patch firmware-arm_ffa-fix-sched-recv-callback-partition-l.patch arm-integrator-fix-early-initialization.patch diff --git a/queue-6.18/net-shaper-reject-handle-ids-exceeding-internal-bit-.patch b/queue-6.18/net-shaper-reject-handle-ids-exceeding-internal-bit-.patch deleted file mode 100644 index 067d8cdd76..0000000000 --- a/queue-6.18/net-shaper-reject-handle-ids-exceeding-internal-bit-.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From 13ff86e23d003ac51ba826c1d8744f56699c6529 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 10 May 2026 12:29:02 -0700 -Subject: net: shaper: reject handle IDs exceeding internal bit-width - -From: Jakub Kicinski - -[ Upstream commit 8d5806c600fddb907ebe378f9c366d4b52ac3a39 ] - -net_shaper_parse_handle() reads the user-supplied handle ID via -nla_get_u32(), accepting the full u32 range. However, the xarray key -is built by net_shaper_handle_to_index() using -FIELD_PREP(NET_SHAPER_ID_MASK, handle->id), where NET_SHAPER_ID_MASK -is GENMASK(25, 0) - only 26 bits wide. FIELD_PREP silently masks off -the upper bits at runtime. A user-supplied NODE id like 0x04000123 -becomes id 0x123. - -Additionally, a user-supplied id equal to NET_SHAPER_ID_UNSPEC -(0x03FFFFFF, which is NET_SHAPER_ID_MASK itself) would collide with -the sentinel used internally by the group operation to signal -"allocate a new NODE id". - -Reject user-supplied IDs >= NET_SHAPER_ID_MASK (i.e., >= 0x03FFFFFF) -in the policy. - -Fixes: 4b623f9f0f59 ("net-shapers: implement NL get operation") -Signed-off-by: Jakub Kicinski -Link: https://patch.msgid.link/20260510192904.3987113-9-kuba@kernel.org -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - Documentation/netlink/specs/net_shaper.yaml | 7 +++++++ - net/shaper/shaper.c | 4 +++- - net/shaper/shaper_nl_gen.c | 7 ++++++- - net/shaper/shaper_nl_gen.h | 2 ++ - 4 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/Documentation/netlink/specs/net_shaper.yaml b/Documentation/netlink/specs/net_shaper.yaml -index 3f2ad772b64b1..de01f922040a5 100644 ---- a/Documentation/netlink/specs/net_shaper.yaml -+++ b/Documentation/netlink/specs/net_shaper.yaml -@@ -33,6 +33,11 @@ doc: | - @cap-get operation. 
- - definitions: -+ - -+ type: const -+ name: max-handle-id -+ value: 0x3fffffe -+ scope: kernel - - - type: enum - name: scope -@@ -140,6 +145,8 @@ attribute-sets: - - - name: id - type: u32 -+ checks: -+ max: max-handle-id - doc: | - Numeric identifier of a shaper. The id semantic depends on - the scope. For @queue scope it's the queue id and for @node -diff --git a/net/shaper/shaper.c b/net/shaper/shaper.c -index 5338842122a2a..b2d85963243fa 100644 ---- a/net/shaper/shaper.c -+++ b/net/shaper/shaper.c -@@ -21,6 +21,8 @@ - - #define NET_SHAPER_ID_UNSPEC NET_SHAPER_ID_MASK - -+static_assert(NET_SHAPER_ID_UNSPEC == NET_SHAPER_MAX_HANDLE_ID + 1); -+ - struct net_shaper_hierarchy { - struct xarray shapers; - }; -@@ -360,7 +362,7 @@ static int net_shaper_pre_insert(struct net_shaper_binding *binding, - handle->id == NET_SHAPER_ID_UNSPEC) { - u32 min, max; - -- handle->id = NET_SHAPER_ID_MASK - 1; -+ handle->id = NET_SHAPER_MAX_HANDLE_ID; - max = net_shaper_handle_to_index(handle); - handle->id = 0; - min = net_shaper_handle_to_index(handle); -diff --git a/net/shaper/shaper_nl_gen.c b/net/shaper/shaper_nl_gen.c -index c52abf13ff0c9..16ab88f5eb7b4 100644 ---- a/net/shaper/shaper_nl_gen.c -+++ b/net/shaper/shaper_nl_gen.c -@@ -10,10 +10,15 @@ - - #include - -+/* Integer value ranges */ -+static const struct netlink_range_validation net_shaper_a_handle_id_range = { -+ .max = NET_SHAPER_MAX_HANDLE_ID, -+}; -+ - /* Common nested types */ - const struct nla_policy net_shaper_handle_nl_policy[NET_SHAPER_A_HANDLE_ID + 1] = { - [NET_SHAPER_A_HANDLE_SCOPE] = NLA_POLICY_MAX(NLA_U32, 3), -- [NET_SHAPER_A_HANDLE_ID] = { .type = NLA_U32, }, -+ [NET_SHAPER_A_HANDLE_ID] = NLA_POLICY_FULL_RANGE(NLA_U32, &net_shaper_a_handle_id_range), - }; - - const struct nla_policy net_shaper_leaf_info_nl_policy[NET_SHAPER_A_WEIGHT + 1] = { -diff --git a/net/shaper/shaper_nl_gen.h b/net/shaper/shaper_nl_gen.h -index 1e20eebdedd71..3e5e7342ffbbc 100644 ---- a/net/shaper/shaper_nl_gen.h -+++ 
b/net/shaper/shaper_nl_gen.h -@@ -11,6 +11,8 @@ - - #include - -+#define NET_SHAPER_MAX_HANDLE_ID 67108862 -+ - /* Common nested types */ - extern const struct nla_policy net_shaper_handle_nl_policy[NET_SHAPER_A_HANDLE_ID + 1]; - extern const struct nla_policy net_shaper_leaf_info_nl_policy[NET_SHAPER_A_WEIGHT + 1]; --- -2.53.0 - diff --git a/queue-6.18/series b/queue-6.18/series index 85c11bda82..fcc22b528a 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -259,7 +259,6 @@ net-shaper-fix-trivial-ordering-issue-in-net_shaper_.patch net-shaper-reject-duplicate-leaves-in-group-request.patch net-shaper-set-ret-to-enomem-when-genlmsg_new-fails-.patch net-shaper-fix-undersized-reply-skb-allocation-in-gr.patch -net-shaper-reject-handle-ids-exceeding-internal-bit-.patch net-shaper-enforce-singleton-netdev-scope-with-id-0.patch net-shaper-reject-queue-scope-handle-with-missing-id.patch block-don-t-overwrite-bip_vcnt-in-bio_integrity_copy.patch diff --git a/queue-7.0/net-shaper-reject-handle-ids-exceeding-internal-bit-.patch b/queue-7.0/net-shaper-reject-handle-ids-exceeding-internal-bit-.patch deleted file mode 100644 index 38e9bf2cf7..0000000000 --- a/queue-7.0/net-shaper-reject-handle-ids-exceeding-internal-bit-.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From b633a86e382ed381c1efad0c8723f68ffe990a2a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 10 May 2026 12:29:02 -0700 -Subject: net: shaper: reject handle IDs exceeding internal bit-width - -From: Jakub Kicinski - -[ Upstream commit 8d5806c600fddb907ebe378f9c366d4b52ac3a39 ] - -net_shaper_parse_handle() reads the user-supplied handle ID via -nla_get_u32(), accepting the full u32 range. However, the xarray key -is built by net_shaper_handle_to_index() using -FIELD_PREP(NET_SHAPER_ID_MASK, handle->id), where NET_SHAPER_ID_MASK -is GENMASK(25, 0) - only 26 bits wide. FIELD_PREP silently masks off -the upper bits at runtime. A user-supplied NODE id like 0x04000123 -becomes id 0x123. - -Additionally, a user-supplied id equal to NET_SHAPER_ID_UNSPEC -(0x03FFFFFF, which is NET_SHAPER_ID_MASK itself) would collide with -the sentinel used internally by the group operation to signal -"allocate a new NODE id". - -Reject user-supplied IDs >= NET_SHAPER_ID_MASK (i.e., >= 0x03FFFFFF) -in the policy. - -Fixes: 4b623f9f0f59 ("net-shapers: implement NL get operation") -Signed-off-by: Jakub Kicinski -Link: https://patch.msgid.link/20260510192904.3987113-9-kuba@kernel.org -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - Documentation/netlink/specs/net_shaper.yaml | 7 +++++++ - net/shaper/shaper.c | 4 +++- - net/shaper/shaper_nl_gen.c | 7 ++++++- - net/shaper/shaper_nl_gen.h | 2 ++ - 4 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/Documentation/netlink/specs/net_shaper.yaml b/Documentation/netlink/specs/net_shaper.yaml -index 3f2ad772b64b1..de01f922040a5 100644 ---- a/Documentation/netlink/specs/net_shaper.yaml -+++ b/Documentation/netlink/specs/net_shaper.yaml -@@ -33,6 +33,11 @@ doc: | - @cap-get operation. 
- - definitions: -+ - -+ type: const -+ name: max-handle-id -+ value: 0x3fffffe -+ scope: kernel - - - type: enum - name: scope -@@ -140,6 +145,8 @@ attribute-sets: - - - name: id - type: u32 -+ checks: -+ max: max-handle-id - doc: | - Numeric identifier of a shaper. The id semantic depends on - the scope. For @queue scope it's the queue id and for @node -diff --git a/net/shaper/shaper.c b/net/shaper/shaper.c -index 08fde2d9e8aa8..eb049847fed65 100644 ---- a/net/shaper/shaper.c -+++ b/net/shaper/shaper.c -@@ -21,6 +21,8 @@ - - #define NET_SHAPER_ID_UNSPEC NET_SHAPER_ID_MASK - -+static_assert(NET_SHAPER_ID_UNSPEC == NET_SHAPER_MAX_HANDLE_ID + 1); -+ - struct net_shaper_hierarchy { - struct xarray shapers; - }; -@@ -360,7 +362,7 @@ static int net_shaper_pre_insert(struct net_shaper_binding *binding, - handle->id == NET_SHAPER_ID_UNSPEC) { - u32 min, max; - -- handle->id = NET_SHAPER_ID_MASK - 1; -+ handle->id = NET_SHAPER_MAX_HANDLE_ID; - max = net_shaper_handle_to_index(handle); - handle->id = 0; - min = net_shaper_handle_to_index(handle); -diff --git a/net/shaper/shaper_nl_gen.c b/net/shaper/shaper_nl_gen.c -index 9b29be3ef19a8..76eff85ec66df 100644 ---- a/net/shaper/shaper_nl_gen.c -+++ b/net/shaper/shaper_nl_gen.c -@@ -11,10 +11,15 @@ - - #include - -+/* Integer value ranges */ -+static const struct netlink_range_validation net_shaper_a_handle_id_range = { -+ .max = NET_SHAPER_MAX_HANDLE_ID, -+}; -+ - /* Common nested types */ - const struct nla_policy net_shaper_handle_nl_policy[NET_SHAPER_A_HANDLE_ID + 1] = { - [NET_SHAPER_A_HANDLE_SCOPE] = NLA_POLICY_MAX(NLA_U32, 3), -- [NET_SHAPER_A_HANDLE_ID] = { .type = NLA_U32, }, -+ [NET_SHAPER_A_HANDLE_ID] = NLA_POLICY_FULL_RANGE(NLA_U32, &net_shaper_a_handle_id_range), - }; - - const struct nla_policy net_shaper_leaf_info_nl_policy[NET_SHAPER_A_WEIGHT + 1] = { -diff --git a/net/shaper/shaper_nl_gen.h b/net/shaper/shaper_nl_gen.h -index 42c46c52c7751..2406652a9014a 100644 ---- a/net/shaper/shaper_nl_gen.h -+++ 
b/net/shaper/shaper_nl_gen.h -@@ -12,6 +12,8 @@ - - #include - -+#define NET_SHAPER_MAX_HANDLE_ID 67108862 -+ - /* Common nested types */ - extern const struct nla_policy net_shaper_handle_nl_policy[NET_SHAPER_A_HANDLE_ID + 1]; - extern const struct nla_policy net_shaper_leaf_info_nl_policy[NET_SHAPER_A_WEIGHT + 1]; --- -2.53.0 - diff --git a/queue-7.0/series b/queue-7.0/series index c53462ee91..8debe2a55e 100644 --- a/queue-7.0/series +++ b/queue-7.0/series @@ -281,7 +281,6 @@ net-shaper-fix-trivial-ordering-issue-in-net_shaper_.patch net-shaper-reject-duplicate-leaves-in-group-request.patch net-shaper-set-ret-to-enomem-when-genlmsg_new-fails-.patch net-shaper-fix-undersized-reply-skb-allocation-in-gr.patch -net-shaper-reject-handle-ids-exceeding-internal-bit-.patch net-shaper-enforce-singleton-netdev-scope-with-id-0.patch net-shaper-reject-queue-scope-handle-with-missing-id.patch block-don-t-overwrite-bip_vcnt-in-bio_integrity_copy.patch
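Review bot: Removing af_unix-reject-siocatmark-on-non-stream-sockets.patch from queue-6.1 and queue-5.15 leaves SIOCATMARK on non-stream AF_UNIX sockets unfixed in those trees, and this commit queues no replacement. The deleted copies all place `if (sk->sk_type != SOCK_STREAM) return -EOPNOTSUPP;` between `goto out;` and `mutex_lock(&u->iolock); goto redo;` after the `again:` label, which is the receive wait path rather than an ioctl case, so the drop itself is justified. Since the commit message states that only 5.10 lacks SIOCATMARK/OOB support, a corrected backport of d119775f2bad with the check in unix_ioctl()'s SIOCATMARK case should be requested for 6.1 and 5.15, and that follow-up is worth recording in the commit message or the report thread so the fix is not lost with the revert.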
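Review bot: With both arm_ffa entries removed from queue-6.12/series, 6.12 goes back to the copy shown as removed in the dependency patch, `memcpy(buffer + prev_idx * buf_sz, &partition_info.a3, (cur_idx - start_idx + 1) * buf_sz);`, with none of the `count > num_parts`, `cur_idx < start_idx || cur_idx >= count` or `buf_idx + nr_desc > num_parts` checks, so the firmware-provided indices are trusted again. Please request a 6.12 respin of 3974ea193840, either by also queuing the uuid_t prerequisite b7c9f32614f17 or by adapting the `uuid_copy(&buf->uuid, ...)` line to the u32[4] field. The series hunk also keeps firmware-arm_ffa-align-rxtx-buffer-size-before-mappi.patch and firmware-arm_ffa-fix-sched-recv-callback-partition-l.patch directly after the removed lines; both touch the same driver, so confirm they still apply and build once the two patches ahead of them are gone.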
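Review bot: In queue-7.0/series and queue-6.18/series, net-shaper-enforce-singleton-netdev-scope-with-id-0.patch and net-shaper-reject-queue-scope-handle-with-missing-id.patch stay queued immediately after the removed entry, and nothing here shows they were re-checked without it. The dropped patch changes the `NET_SHAPER_A_HANDLE_ID` policy entry in shaper_nl_gen.c, adds `NET_SHAPER_MAX_HANDLE_ID` to shaper_nl_gen.h and adds a `checks:` block to the `id` attribute in net_shaper.yaml, so a later patch whose context or code relies on any of those will fail to apply or build; please confirm both queues still apply cleanly. Per the dropped patch's own description, user-supplied handle IDs wider than 26 bits are silently masked by FIELD_PREP and 0x03FFFFFF collides with NET_SHAPER_ID_UNSPEC until this returns, so it should be requeued together with fbf5df34a4dbcd ("tools: ynl: add scope qualifier for definitions") rather than left out.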