July 2025 - Linux-stable-mirror

[PATCH net-next v2 1/2] net: ipv4: fix incorrect MTU in broadcast routes

by Oscar Maes

Currently, __mkroute_output overrules the MTU value configured for broadcast routes. This buggy behaviour can be reproduced with: ip link set dev eth1 mtu 9000 ip route del broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2 ip route add broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2 mtu 1500 The maximum packet size should be 1500, but it is actually 8000: ping -b 192.168.0.255 -s 8000 Fix __mkroute_output to allow MTU values to be configured for for broadcast routes (to support a mixed-MTU local-area-network). Signed-off-by: Oscar Maes <oscmaes92(a)gmail.com> --- net/ipv4/route.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 64ba377cd..f639a2ae8 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -2588,7 +2588,6 @@ static struct rtable *__mkroute_output(const struct fib_result *res, do_cache = true; if (type == RTN_BROADCAST) { flags |= RTCF_BROADCAST | RTCF_LOCAL; - fi = NULL; } else if (type == RTN_MULTICAST) { flags |= RTCF_MULTICAST | RTCF_LOCAL; if (!ip_check_mc_rcu(in_dev, fl4->daddr, fl4->saddr, -- 2.39.5

1 month, 1 week

3
3
0 0

[PATCH AUTOSEL 5.4] rxrpc: Fix oops due to non-existence of prealloc backlog struct

by Sasha Levin

From: David Howells <dhowells(a)redhat.com> [ Upstream commit 880a88f318cf1d2a0f4c0a7ff7b07e2062b434a4 ] If an AF_RXRPC service socket is opened and bound, but calls are preallocated, then rxrpc_alloc_incoming_call() will oops because the rxrpc_backlog struct doesn't get allocated until the first preallocation is made. Fix this by returning NULL from rxrpc_alloc_incoming_call() if there is no backlog struct. This will cause the incoming call to be aborted. Reported-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Suggested-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Signed-off-by: David Howells <dhowells(a)redhat.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Willy Tarreau <w(a)1wt.eu> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org Link: https://patch.msgid.link/20250708211506.2699012-3-dhowells@redhat.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: **YES** This commit should be backported to stable kernel trees for the following reasons: 1. **Fixes a Critical Kernel Oops**: The commit addresses a NULL pointer dereference that causes a kernel crash when `rx->backlog` is NULL. At line 257 of the original code, `smp_load_acquire(&b->call_backlog_head)` would dereference a NULL pointer if no preallocation was done. 2. **Minimal and Safe Fix**: The fix is a simple defensive check: ```c + if (!b) + return NULL; ``` This is placed immediately after obtaining the backlog pointer and before any usage. The fix has zero risk of regression - if `b` is NULL, the code would have crashed anyway. 3. **Clear Reproducible Scenario**: The bug occurs in a specific but realistic scenario - when an AF_RXRPC service socket is opened and bound but no calls are preallocated (meaning `rxrpc_service_prealloc()` was never called to allocate the backlog structure). 4. **Follows Stable Kernel Rules**: This fix meets all criteria for stable backporting: - Fixes a real bug that users can hit - Small and contained change (2 lines) - Obviously correct with no side effects - Already tested and merged upstream 5. **Similar to Previously Backported Fixes**: Looking at Similar Commit #2 which was marked YES, it also fixed an oops in the rxrpc preallocation/backlog system with minimal changes. The commit prevents a kernel crash with a trivial NULL check, making it an ideal candidate for stable backporting. net/rxrpc/call_accept.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index 55fb3744552de..99f05057e4c90 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -281,6 +281,9 @@ static struct rxrpc_call *rxrpc_alloc_incoming_call(struct rxrpc_sock *rx, unsigned short call_tail, conn_tail, peer_tail; unsigned short call_count, conn_count; + if (!b) + return NULL; + /* #calls >= #conns >= #peers must hold true. */ call_head = smp_load_acquire(&b->call_backlog_head); call_tail = b->call_backlog_tail; -- 2.39.5

1 month, 1 week

1
0
0 0

[PATCH AUTOSEL 5.10] rxrpc: Fix oops due to non-existence of prealloc backlog struct

by Sasha Levin

From: David Howells <dhowells(a)redhat.com> [ Upstream commit 880a88f318cf1d2a0f4c0a7ff7b07e2062b434a4 ] If an AF_RXRPC service socket is opened and bound, but calls are preallocated, then rxrpc_alloc_incoming_call() will oops because the rxrpc_backlog struct doesn't get allocated until the first preallocation is made. Fix this by returning NULL from rxrpc_alloc_incoming_call() if there is no backlog struct. This will cause the incoming call to be aborted. Reported-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Suggested-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Signed-off-by: David Howells <dhowells(a)redhat.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Willy Tarreau <w(a)1wt.eu> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org Link: https://patch.msgid.link/20250708211506.2699012-3-dhowells@redhat.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: **YES** This commit should be backported to stable kernel trees for the following reasons: 1. **Fixes a Critical Kernel Oops**: The commit addresses a NULL pointer dereference that causes a kernel crash when `rx->backlog` is NULL. At line 257 of the original code, `smp_load_acquire(&b->call_backlog_head)` would dereference a NULL pointer if no preallocation was done. 2. **Minimal and Safe Fix**: The fix is a simple defensive check: ```c + if (!b) + return NULL; ``` This is placed immediately after obtaining the backlog pointer and before any usage. The fix has zero risk of regression - if `b` is NULL, the code would have crashed anyway. 3. **Clear Reproducible Scenario**: The bug occurs in a specific but realistic scenario - when an AF_RXRPC service socket is opened and bound but no calls are preallocated (meaning `rxrpc_service_prealloc()` was never called to allocate the backlog structure). 4. **Follows Stable Kernel Rules**: This fix meets all criteria for stable backporting: - Fixes a real bug that users can hit - Small and contained change (2 lines) - Obviously correct with no side effects - Already tested and merged upstream 5. **Similar to Previously Backported Fixes**: Looking at Similar Commit #2 which was marked YES, it also fixed an oops in the rxrpc preallocation/backlog system with minimal changes. The commit prevents a kernel crash with a trivial NULL check, making it an ideal candidate for stable backporting. net/rxrpc/call_accept.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index 2a14d69b171f3..b96af42a1b041 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -271,6 +271,9 @@ static struct rxrpc_call *rxrpc_alloc_incoming_call(struct rxrpc_sock *rx, unsigned short call_tail, conn_tail, peer_tail; unsigned short call_count, conn_count; + if (!b) + return NULL; + /* #calls >= #conns >= #peers must hold true. */ call_head = smp_load_acquire(&b->call_backlog_head); call_tail = b->call_backlog_tail; -- 2.39.5

1 month, 1 week

1
0
0 0

[PATCH AUTOSEL 5.15 1/3] rxrpc: Fix oops due to non-existence of prealloc backlog struct

by Sasha Levin

From: David Howells <dhowells(a)redhat.com> [ Upstream commit 880a88f318cf1d2a0f4c0a7ff7b07e2062b434a4 ] If an AF_RXRPC service socket is opened and bound, but calls are preallocated, then rxrpc_alloc_incoming_call() will oops because the rxrpc_backlog struct doesn't get allocated until the first preallocation is made. Fix this by returning NULL from rxrpc_alloc_incoming_call() if there is no backlog struct. This will cause the incoming call to be aborted. Reported-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Suggested-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Signed-off-by: David Howells <dhowells(a)redhat.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Willy Tarreau <w(a)1wt.eu> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org Link: https://patch.msgid.link/20250708211506.2699012-3-dhowells@redhat.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: **YES** This commit should be backported to stable kernel trees for the following reasons: 1. **Fixes a Critical Kernel Oops**: The commit addresses a NULL pointer dereference that causes a kernel crash when `rx->backlog` is NULL. At line 257 of the original code, `smp_load_acquire(&b->call_backlog_head)` would dereference a NULL pointer if no preallocation was done. 2. **Minimal and Safe Fix**: The fix is a simple defensive check: ```c + if (!b) + return NULL; ``` This is placed immediately after obtaining the backlog pointer and before any usage. The fix has zero risk of regression - if `b` is NULL, the code would have crashed anyway. 3. **Clear Reproducible Scenario**: The bug occurs in a specific but realistic scenario - when an AF_RXRPC service socket is opened and bound but no calls are preallocated (meaning `rxrpc_service_prealloc()` was never called to allocate the backlog structure). 4. **Follows Stable Kernel Rules**: This fix meets all criteria for stable backporting: - Fixes a real bug that users can hit - Small and contained change (2 lines) - Obviously correct with no side effects - Already tested and merged upstream 5. **Similar to Previously Backported Fixes**: Looking at Similar Commit #2 which was marked YES, it also fixed an oops in the rxrpc preallocation/backlog system with minimal changes. The commit prevents a kernel crash with a trivial NULL check, making it an ideal candidate for stable backporting. net/rxrpc/call_accept.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index 99e10eea37321..658b592e58e05 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -270,6 +270,9 @@ static struct rxrpc_call *rxrpc_alloc_incoming_call(struct rxrpc_sock *rx, unsigned short call_tail, conn_tail, peer_tail; unsigned short call_count, conn_count; + if (!b) + return NULL; + /* #calls >= #conns >= #peers must hold true. */ call_head = smp_load_acquire(&b->call_backlog_head); call_tail = b->call_backlog_tail; -- 2.39.5

1 month, 1 week

1
2
0 0

[PATCH AUTOSEL 6.1 1/4] net/sched: sch_qfq: Fix null-deref in agg_dequeue

by Sasha Levin

From: Xiang Mei <xmei5(a)asu.edu> [ Upstream commit dd831ac8221e691e9e918585b1003c7071df0379 ] To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c) when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return value before using it, similar to the existing approach in sch_hfsc.c. To avoid code duplication, the following changes are made: 1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static inline function. 2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to include/net/pkt_sched.h so that sch_qfq can reuse it. 3. Applied qdisc_peek_len in agg_dequeue to avoid crashing. Signed-off-by: Xiang Mei <xmei5(a)asu.edu> Reviewed-by: Cong Wang <xiyou.wangcong(a)gmail.com> Link: https://patch.msgid.link/20250705212143.3982664-1-xmei5@asu.edu Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: Based on my analysis of the commit and related code, here is my assessment: **YES** - This commit should be backported to stable kernel trees. Here's my extensive explanation: ## Reason for Backporting 1. **Real Bug Fix**: This commit fixes a NULL pointer dereference bug in `agg_dequeue()` function in `net/sched/sch_qfq.c`. The bug occurs when `cl->qdisc->ops->peek(cl->qdisc)` returns NULL, but the code at line 992 (before the fix) directly uses this potentially NULL value in `qdisc_pkt_len()` without checking: ```c else if (cl->deficit < qdisc_pkt_len(cl->qdisc->ops->peek(cl->qdisc))) ``` 2. **Crash Prevention**: This is not a theoretical issue - it causes an actual kernel crash (NULL pointer dereference) that can affect system stability. This meets the stable kernel criteria of fixing "a real bug that bothers people" including "an oops, a hang, data corruption." 3. **Similar Patterns in Other Schedulers**: The commit shows that this pattern of NULL checking after peek operations is already implemented in other packet schedulers: - `sch_hfsc.c` already has the `qdisc_peek_len()` function with NULL checking - `sch_drr.c` checks for NULL after peek operations (lines 385-387) - The similar commit #1 shows DRR had a similar issue fixed 4. **Minimal and Contained Fix**: The fix is: - Small in size (well under 100 lines) - Obviously correct - it adds proper NULL checking - Moves existing code to be reusable - Makes the code more consistent across schedulers 5. **Precedent from Similar Commits**: Looking at the historical commits: - Similar commit #2 (sch_codel NULL check) was backported (Status: YES) - Similar commit #3 (multiple schedulers NULL handling) was backported (Status: YES) - Both dealt with NULL pointer handling in packet scheduler dequeue paths 6. **Code Consolidation**: The fix properly consolidates the NULL checking logic: - Converts `qdisc_warn_nonwc` from a regular function to static inline (reducing overhead) - Moves `qdisc_peek_len` from sch_hfsc.c to the common header so it can be reused - Uses the same pattern across multiple schedulers for consistency 7. **Tested Pattern**: The `qdisc_peek_len()` function being moved has been in use in sch_hfsc.c, proving it's a tested and working solution. 8. **Security Consideration**: While not explicitly a security vulnerability, NULL pointer dereferences can potentially be exploited for denial of service attacks, making this fix important for system stability. The commit follows all the stable kernel rules: it fixes a real bug (NULL pointer dereference), is obviously correct (adds NULL check), is small and contained, and improves consistency across the codebase. The pattern of backporting similar NULL check fixes in packet schedulers (as seen in similar commits #2 and #3) supports backporting this fix as well. include/net/pkt_sched.h | 25 ++++++++++++++++++++++++- net/sched/sch_api.c | 10 ---------- net/sched/sch_hfsc.c | 16 ---------------- net/sched/sch_qfq.c | 2 +- 4 files changed, 25 insertions(+), 28 deletions(-) diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h index f99a513b40a92..76f9fb651faff 100644 --- a/include/net/pkt_sched.h +++ b/include/net/pkt_sched.h @@ -113,7 +113,6 @@ struct qdisc_rate_table *qdisc_get_rtab(struct tc_ratespec *r, struct netlink_ext_ack *extack); void qdisc_put_rtab(struct qdisc_rate_table *tab); void qdisc_put_stab(struct qdisc_size_table *tab); -void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc); bool sch_direct_xmit(struct sk_buff *skb, struct Qdisc *q, struct net_device *dev, struct netdev_queue *txq, spinlock_t *root_lock, bool validate); @@ -247,4 +246,28 @@ static inline bool tc_qdisc_stats_dump(struct Qdisc *sch, return true; } +static inline void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc) +{ + if (!(qdisc->flags & TCQ_F_WARN_NONWC)) { + pr_warn("%s: %s qdisc %X: is non-work-conserving?\n", + txt, qdisc->ops->id, qdisc->handle >> 16); + qdisc->flags |= TCQ_F_WARN_NONWC; + } +} + +static inline unsigned int qdisc_peek_len(struct Qdisc *sch) +{ + struct sk_buff *skb; + unsigned int len; + + skb = sch->ops->peek(sch); + if (unlikely(skb == NULL)) { + qdisc_warn_nonwc("qdisc_peek_len", sch); + return 0; + } + len = qdisc_pkt_len(skb); + + return len; +} + #endif diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c index 7c5df62421bbd..6a2d258b01daa 100644 --- a/net/sched/sch_api.c +++ b/net/sched/sch_api.c @@ -593,16 +593,6 @@ void __qdisc_calculate_pkt_len(struct sk_buff *skb, qdisc_skb_cb(skb)->pkt_len = pkt_len; } -void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc) -{ - if (!(qdisc->flags & TCQ_F_WARN_NONWC)) { - pr_warn("%s: %s qdisc %X: is non-work-conserving?\n", - txt, qdisc->ops->id, qdisc->handle >> 16); - qdisc->flags |= TCQ_F_WARN_NONWC; - } -} -EXPORT_SYMBOL(qdisc_warn_nonwc); - static enum hrtimer_restart qdisc_watchdog(struct hrtimer *timer) { struct qdisc_watchdog *wd = container_of(timer, struct qdisc_watchdog, diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c index 61b91de8065f0..302413e0aceff 100644 --- a/net/sched/sch_hfsc.c +++ b/net/sched/sch_hfsc.c @@ -836,22 +836,6 @@ update_vf(struct hfsc_class *cl, unsigned int len, u64 cur_time) } } -static unsigned int -qdisc_peek_len(struct Qdisc *sch) -{ - struct sk_buff *skb; - unsigned int len; - - skb = sch->ops->peek(sch); - if (unlikely(skb == NULL)) { - qdisc_warn_nonwc("qdisc_peek_len", sch); - return 0; - } - len = qdisc_pkt_len(skb); - - return len; -} - static void hfsc_adjust_levels(struct hfsc_class *cl) { diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c index 6462468bf77c7..cde6c7026ab1d 100644 --- a/net/sched/sch_qfq.c +++ b/net/sched/sch_qfq.c @@ -991,7 +991,7 @@ static struct sk_buff *agg_dequeue(struct qfq_aggregate *agg, if (cl->qdisc->q.qlen == 0) /* no more packets, remove from list */ list_del_init(&cl->alist); - else if (cl->deficit < qdisc_pkt_len(cl->qdisc->ops->peek(cl->qdisc))) { + else if (cl->deficit < qdisc_peek_len(cl->qdisc)) { cl->deficit += agg->lmax; list_move_tail(&cl->alist, &agg->active); } -- 2.39.5

1 month, 1 week

1
3
0 0

[PATCH AUTOSEL 6.6 1/6] net/sched: sch_qfq: Fix null-deref in agg_dequeue

by Sasha Levin

From: Xiang Mei <xmei5(a)asu.edu> [ Upstream commit dd831ac8221e691e9e918585b1003c7071df0379 ] To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c) when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return value before using it, similar to the existing approach in sch_hfsc.c. To avoid code duplication, the following changes are made: 1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static inline function. 2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to include/net/pkt_sched.h so that sch_qfq can reuse it. 3. Applied qdisc_peek_len in agg_dequeue to avoid crashing. Signed-off-by: Xiang Mei <xmei5(a)asu.edu> Reviewed-by: Cong Wang <xiyou.wangcong(a)gmail.com> Link: https://patch.msgid.link/20250705212143.3982664-1-xmei5@asu.edu Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: Based on my analysis of the commit and related code, here is my assessment: **YES** - This commit should be backported to stable kernel trees. Here's my extensive explanation: ## Reason for Backporting 1. **Real Bug Fix**: This commit fixes a NULL pointer dereference bug in `agg_dequeue()` function in `net/sched/sch_qfq.c`. The bug occurs when `cl->qdisc->ops->peek(cl->qdisc)` returns NULL, but the code at line 992 (before the fix) directly uses this potentially NULL value in `qdisc_pkt_len()` without checking: ```c else if (cl->deficit < qdisc_pkt_len(cl->qdisc->ops->peek(cl->qdisc))) ``` 2. **Crash Prevention**: This is not a theoretical issue - it causes an actual kernel crash (NULL pointer dereference) that can affect system stability. This meets the stable kernel criteria of fixing "a real bug that bothers people" including "an oops, a hang, data corruption." 3. **Similar Patterns in Other Schedulers**: The commit shows that this pattern of NULL checking after peek operations is already implemented in other packet schedulers: - `sch_hfsc.c` already has the `qdisc_peek_len()` function with NULL checking - `sch_drr.c` checks for NULL after peek operations (lines 385-387) - The similar commit #1 shows DRR had a similar issue fixed 4. **Minimal and Contained Fix**: The fix is: - Small in size (well under 100 lines) - Obviously correct - it adds proper NULL checking - Moves existing code to be reusable - Makes the code more consistent across schedulers 5. **Precedent from Similar Commits**: Looking at the historical commits: - Similar commit #2 (sch_codel NULL check) was backported (Status: YES) - Similar commit #3 (multiple schedulers NULL handling) was backported (Status: YES) - Both dealt with NULL pointer handling in packet scheduler dequeue paths 6. **Code Consolidation**: The fix properly consolidates the NULL checking logic: - Converts `qdisc_warn_nonwc` from a regular function to static inline (reducing overhead) - Moves `qdisc_peek_len` from sch_hfsc.c to the common header so it can be reused - Uses the same pattern across multiple schedulers for consistency 7. **Tested Pattern**: The `qdisc_peek_len()` function being moved has been in use in sch_hfsc.c, proving it's a tested and working solution. 8. **Security Consideration**: While not explicitly a security vulnerability, NULL pointer dereferences can potentially be exploited for denial of service attacks, making this fix important for system stability. The commit follows all the stable kernel rules: it fixes a real bug (NULL pointer dereference), is obviously correct (adds NULL check), is small and contained, and improves consistency across the codebase. The pattern of backporting similar NULL check fixes in packet schedulers (as seen in similar commits #2 and #3) supports backporting this fix as well. include/net/pkt_sched.h | 25 ++++++++++++++++++++++++- net/sched/sch_api.c | 10 ---------- net/sched/sch_hfsc.c | 16 ---------------- net/sched/sch_qfq.c | 2 +- 4 files changed, 25 insertions(+), 28 deletions(-) diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h index 15960564e0c36..4d72d24b1f33e 100644 --- a/include/net/pkt_sched.h +++ b/include/net/pkt_sched.h @@ -112,7 +112,6 @@ struct qdisc_rate_table *qdisc_get_rtab(struct tc_ratespec *r, struct netlink_ext_ack *extack); void qdisc_put_rtab(struct qdisc_rate_table *tab); void qdisc_put_stab(struct qdisc_size_table *tab); -void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc); bool sch_direct_xmit(struct sk_buff *skb, struct Qdisc *q, struct net_device *dev, struct netdev_queue *txq, spinlock_t *root_lock, bool validate); @@ -306,4 +305,28 @@ static inline bool tc_qdisc_stats_dump(struct Qdisc *sch, return true; } +static inline void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc) +{ + if (!(qdisc->flags & TCQ_F_WARN_NONWC)) { + pr_warn("%s: %s qdisc %X: is non-work-conserving?\n", + txt, qdisc->ops->id, qdisc->handle >> 16); + qdisc->flags |= TCQ_F_WARN_NONWC; + } +} + +static inline unsigned int qdisc_peek_len(struct Qdisc *sch) +{ + struct sk_buff *skb; + unsigned int len; + + skb = sch->ops->peek(sch); + if (unlikely(skb == NULL)) { + qdisc_warn_nonwc("qdisc_peek_len", sch); + return 0; + } + len = qdisc_pkt_len(skb); + + return len; +} + #endif diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c index 282423106f15d..ae63b3199b1d1 100644 --- a/net/sched/sch_api.c +++ b/net/sched/sch_api.c @@ -594,16 +594,6 @@ void __qdisc_calculate_pkt_len(struct sk_buff *skb, qdisc_skb_cb(skb)->pkt_len = pkt_len; } -void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc) -{ - if (!(qdisc->flags & TCQ_F_WARN_NONWC)) { - pr_warn("%s: %s qdisc %X: is non-work-conserving?\n", - txt, qdisc->ops->id, qdisc->handle >> 16); - qdisc->flags |= TCQ_F_WARN_NONWC; - } -} -EXPORT_SYMBOL(qdisc_warn_nonwc); - static enum hrtimer_restart qdisc_watchdog(struct hrtimer *timer) { struct qdisc_watchdog *wd = container_of(timer, struct qdisc_watchdog, diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c index afcb83d469ff6..751b1e2c35b3f 100644 --- a/net/sched/sch_hfsc.c +++ b/net/sched/sch_hfsc.c @@ -835,22 +835,6 @@ update_vf(struct hfsc_class *cl, unsigned int len, u64 cur_time) } } -static unsigned int -qdisc_peek_len(struct Qdisc *sch) -{ - struct sk_buff *skb; - unsigned int len; - - skb = sch->ops->peek(sch); - if (unlikely(skb == NULL)) { - qdisc_warn_nonwc("qdisc_peek_len", sch); - return 0; - } - len = qdisc_pkt_len(skb); - - return len; -} - static void hfsc_adjust_levels(struct hfsc_class *cl) { diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c index 5e557b960bde3..e0cefa21ce21c 100644 --- a/net/sched/sch_qfq.c +++ b/net/sched/sch_qfq.c @@ -992,7 +992,7 @@ static struct sk_buff *agg_dequeue(struct qfq_aggregate *agg, if (cl->qdisc->q.qlen == 0) /* no more packets, remove from list */ list_del_init(&cl->alist); - else if (cl->deficit < qdisc_pkt_len(cl->qdisc->ops->peek(cl->qdisc))) { + else if (cl->deficit < qdisc_peek_len(cl->qdisc)) { cl->deficit += agg->lmax; list_move_tail(&cl->alist, &agg->active); } -- 2.39.5

1 month, 1 week

1
5
0 0

[PATCH AUTOSEL 6.12 01/12] wifi: mac80211: always initialize sdata::key_list

by Sasha Levin

From: Miri Korenblit <miriam.rachel.korenblit(a)intel.com> [ Upstream commit d7a54d02db41f72f0581a3c77c75b0993ed3f6e2 ] This is currently not initialized for a virtual monitor, leading to a NULL pointer dereference when - for example - iterating over all the keys of all the vifs. Reviewed-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Miri Korenblit <miriam.rachel.korenblit(a)intel.com> Link: https://patch.msgid.link/20250709233400.8dcefe578497.I4c90a00ae3256520e0631… Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: Based on my analysis of the commit and the code changes, here is my assessment: **YES** This commit should be backported to stable kernel trees for the following reasons: 1. **Critical NULL Pointer Dereference Fix**: The commit fixes a NULL pointer dereference that occurs when iterating over the key_list of virtual monitor interfaces. This is a crash-inducing bug that affects system stability. 2. **Clear Bug with Simple Fix**: The issue is straightforward - the `key_list` was not initialized for virtual monitor interfaces created via `ieee80211_add_virtual_monitor()`. The fix is minimal and contained - it simply moves the `INIT_LIST_HEAD(&sdata->key_list)` initialization from `ieee80211_if_add()` into `ieee80211_sdata_init()`, ensuring all sdata structures have their key_list properly initialized. 3. **Real-World Impact**: The bug can be triggered when any code iterates over all interfaces and their keys. Looking at the code, functions like `ieee80211_iter_keys()` and `ieee80211_iter_keys_rcu()` iterate through all interfaces when called without a specific vif parameter: ```c list_for_each_entry(sdata, &local->interfaces, list) list_for_each_entry_safe(key, tmp, &sdata->key_list, list) ``` This would cause a NULL pointer dereference when it encounters a virtual monitor interface. 4. **Minimal Risk**: The change is extremely low risk - it only adds initialization of a list head that should have been initialized all along. There are no architectural changes or feature additions. 5. **Follows Stable Rules**: This perfectly fits the stable kernel criteria: - Fixes a real bug (NULL pointer dereference/crash) - Small and contained change (2 lines moved) - Obviously correct fix - No new features or behaviors introduced The commit is similar in nature to commit #5 in the reference list which was marked as suitable for backporting - both fix NULL pointer dereferences in the wifi/mac80211 subsystem with minimal, targeted changes. net/mac80211/iface.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c index 209d6ffa8e426..adfdc14bd91ac 100644 --- a/net/mac80211/iface.c +++ b/net/mac80211/iface.c @@ -1121,6 +1121,8 @@ static void ieee80211_sdata_init(struct ieee80211_local *local, { sdata->local = local; + INIT_LIST_HEAD(&sdata->key_list); + /* * Initialize the default link, so we can use link_id 0 for non-MLD, * and that continues to work for non-MLD-aware drivers that use just @@ -2162,8 +2164,6 @@ int ieee80211_if_add(struct ieee80211_local *local, const char *name, ieee80211_init_frag_cache(&sdata->frags); - INIT_LIST_HEAD(&sdata->key_list); - wiphy_delayed_work_init(&sdata->dec_tailroom_needed_wk, ieee80211_delayed_tailroom_dec); -- 2.39.5

1 month, 1 week

1
11
0 0

[PATCH AUTOSEL 6.15 01/15] wifi: mac80211: always initialize sdata::key_list

by Sasha Levin

From: Miri Korenblit <miriam.rachel.korenblit(a)intel.com> [ Upstream commit d7a54d02db41f72f0581a3c77c75b0993ed3f6e2 ] This is currently not initialized for a virtual monitor, leading to a NULL pointer dereference when - for example - iterating over all the keys of all the vifs. Reviewed-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Miri Korenblit <miriam.rachel.korenblit(a)intel.com> Link: https://patch.msgid.link/20250709233400.8dcefe578497.I4c90a00ae3256520e0631… Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: Based on my analysis of the commit and the code changes, here is my assessment: **YES** This commit should be backported to stable kernel trees for the following reasons: 1. **Critical NULL Pointer Dereference Fix**: The commit fixes a NULL pointer dereference that occurs when iterating over the key_list of virtual monitor interfaces. This is a crash-inducing bug that affects system stability. 2. **Clear Bug with Simple Fix**: The issue is straightforward - the `key_list` was not initialized for virtual monitor interfaces created via `ieee80211_add_virtual_monitor()`. The fix is minimal and contained - it simply moves the `INIT_LIST_HEAD(&sdata->key_list)` initialization from `ieee80211_if_add()` into `ieee80211_sdata_init()`, ensuring all sdata structures have their key_list properly initialized. 3. **Real-World Impact**: The bug can be triggered when any code iterates over all interfaces and their keys. Looking at the code, functions like `ieee80211_iter_keys()` and `ieee80211_iter_keys_rcu()` iterate through all interfaces when called without a specific vif parameter: ```c list_for_each_entry(sdata, &local->interfaces, list) list_for_each_entry_safe(key, tmp, &sdata->key_list, list) ``` This would cause a NULL pointer dereference when it encounters a virtual monitor interface. 4. **Minimal Risk**: The change is extremely low risk - it only adds initialization of a list head that should have been initialized all along. There are no architectural changes or feature additions. 5. **Follows Stable Rules**: This perfectly fits the stable kernel criteria: - Fixes a real bug (NULL pointer dereference/crash) - Small and contained change (2 lines moved) - Obviously correct fix - No new features or behaviors introduced The commit is similar in nature to commit #5 in the reference list which was marked as suitable for backporting - both fix NULL pointer dereferences in the wifi/mac80211 subsystem with minimal, targeted changes. net/mac80211/iface.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c index 7d93e5aa595b2..0485a78eda366 100644 --- a/net/mac80211/iface.c +++ b/net/mac80211/iface.c @@ -1117,6 +1117,8 @@ static void ieee80211_sdata_init(struct ieee80211_local *local, { sdata->local = local; + INIT_LIST_HEAD(&sdata->key_list); + /* * Initialize the default link, so we can use link_id 0 for non-MLD, * and that continues to work for non-MLD-aware drivers that use just @@ -2177,8 +2179,6 @@ int ieee80211_if_add(struct ieee80211_local *local, const char *name, ieee80211_init_frag_cache(&sdata->frags); - INIT_LIST_HEAD(&sdata->key_list); - wiphy_delayed_work_init(&sdata->dec_tailroom_needed_wk, ieee80211_delayed_tailroom_dec); -- 2.39.5

1 month, 1 week

1
14
0 0

[PATCH] HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()

by Qasim Ijaz

A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x25 by first checking if byte offset 607 is 0x15 however it lacks bounds checks to verify if the descriptor is big enough before conducting this check. Fix this vulnerability by ensuring the descriptor size is greater than or equal to 608 before accessing it. Below is the KASAN splat after the out of bounds access happens: [ 13.671954] ================================================================== [ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110 [ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10 [ 13.673297] [ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3 [ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04 [ 13.673297] Call Trace: [ 13.673297] <TASK> [ 13.673297] dump_stack_lvl+0x5f/0x80 [ 13.673297] print_report+0xd1/0x660 [ 13.673297] kasan_report+0xe5/0x120 [ 13.673297] __asan_report_load1_noabort+0x18/0x20 [ 13.673297] mt_report_fixup+0x103/0x110 [ 13.673297] hid_open_report+0x1ef/0x810 [ 13.673297] mt_probe+0x422/0x960 [ 13.673297] hid_device_probe+0x2e2/0x6f0 [ 13.673297] really_probe+0x1c6/0x6b0 [ 13.673297] __driver_probe_device+0x24f/0x310 [ 13.673297] driver_probe_device+0x4e/0x220 [ 13.673297] __device_attach_driver+0x169/0x320 [ 13.673297] bus_for_each_drv+0x11d/0x1b0 [ 13.673297] __device_attach+0x1b8/0x3e0 [ 13.673297] device_initial_probe+0x12/0x20 [ 13.673297] bus_probe_device+0x13d/0x180 [ 13.673297] device_add+0xe3a/0x1670 [ 13.673297] hid_add_device+0x31d/0xa40 [...] Fixes: c8000deb6836 ("HID: multitouch: Add support for GT7868Q") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- drivers/hid/hid-multitouch.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c index 7ac8e16e6158..af4abe3ba410 100644 --- a/drivers/hid/hid-multitouch.c +++ b/drivers/hid/hid-multitouch.c @@ -1461,18 +1461,25 @@ static const __u8 *mt_report_fixup(struct hid_device *hdev, __u8 *rdesc, if (hdev->vendor == I2C_VENDOR_ID_GOODIX && (hdev->product == I2C_DEVICE_ID_GOODIX_01E8 || hdev->product == I2C_DEVICE_ID_GOODIX_01E9)) { - if (rdesc[607] == 0x15) { - rdesc[607] = 0x25; - dev_info( - &hdev->dev, - "GT7868Q report descriptor fixup is applied.\n"); + if (*size >= 608) { + if (rdesc[607] == 0x15) { + rdesc[607] = 0x25; + dev_info( + &hdev->dev, + "GT7868Q report descriptor fixup is applied.\n"); + } else { + dev_info( + &hdev->dev, + "The byte is not expected for fixing the report descriptor. \ + It's possible that the touchpad firmware is not suitable for applying the fix. \ + got: %x\n", + rdesc[607]); + } } else { dev_info( &hdev->dev, - "The byte is not expected for fixing the report descriptor. \ -It's possible that the touchpad firmware is not suitable for applying the fix. \ -got: %x\n", - rdesc[607]); + "GT7868Q fixup: report descriptor only %u bytes, skipping\n", + *size); } } -- 2.39.5

1 month, 1 week

1
0
0 0

[PATCH] ARM: Fix allowing linker DCE with binutils < 2.36

by Nathan Chancellor

Commit e7607f7d6d81 ("ARM: 9443/1: Require linker to support KEEP within OVERLAY for DCE") accidentally broke the binutils version restriction that was added in commit 0d437918fb64 ("ARM: 9414/1: Fix build issue with LD_DEAD_CODE_DATA_ELIMINATION"), reintroducing the segmentation fault addressed by that workaround. Restore the binutils version dependency by using CONFIG_LD_CAN_USE_KEEP_IN_OVERLAY as an additional condition to ensure that CONFIG_HAVE_LD_DEAD_CODE_DATA_ELIMINATION is only enabled with binutils >= 2.36 and ld.lld >= 21.0.0. Cc: stable(a)vger.kernel.org Fixes: e7607f7d6d81 ("ARM: 9443/1: Require linker to support KEEP within OVERLAY for DCE") Reported-by: Rob Landley <rob(a)landley.net> Closes: https://lore.kernel.org/6739da7d-e555-407a-b5cb-e5681da71056@landley.net/ Tested-by: Rob Landley <rob(a)landley.net> Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- arch/arm/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig index 3072731fe09c..962451e54fdd 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig @@ -121,7 +121,7 @@ config ARM select HAVE_KERNEL_XZ select HAVE_KPROBES if !XIP_KERNEL && !CPU_ENDIAN_BE32 && !CPU_V7M select HAVE_KRETPROBES if HAVE_KPROBES - select HAVE_LD_DEAD_CODE_DATA_ELIMINATION if (LD_VERSION >= 23600 || LD_CAN_USE_KEEP_IN_OVERLAY) + select HAVE_LD_DEAD_CODE_DATA_ELIMINATION if (LD_VERSION >= 23600 || LD_IS_LLD) && LD_CAN_USE_KEEP_IN_OVERLAY select HAVE_MOD_ARCH_SPECIFIC select HAVE_NMI select HAVE_OPTPROBES if !THUMB2_KERNEL --- base-commit: d7b8f8e20813f0179d8ef519541a3527e7661d3a change-id: 20250707-arm-fix-dce-older-binutils-87a5a4b829d9 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

1 month, 1 week

1
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror July 2025