kernel: bump 6.6 to 6.6.102

Changelog: https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.102 Added backport to fix ipv6 breakage with the 6.12.42 release: generic/backport-6.6/621-proc-fix-missing-pde_set_flags.patch[1] All patches auto-refreshed. 1. https://lore.kernel.org/all/20250821105806.1453833-1-wangzijie1@honor.com Link: https://github.com/openwrt/openwrt/pull/19876 (cherry picked from commit 34e1092e88f6df4de3115ea471e632ef21407d38) Link: https://github.com/openwrt/openwrt/pull/19877 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
author: Hauke Mehrtens 2025-08-24 17:21:54 +0000
committer: Hauke Mehrtens 2025-08-28 19:17:44 +0000
commit: a65ca44cb7a3e6fbb43b230c7c5a0684d88bae8b (patch)
tree: 498009e51f555a7e5ad39d9855274f469c237c16
parent: 406489fd83d9015f1827122d912253744c0efe5a (diff)
download: openwrt-a65ca44cb7a3e6fbb43b230c7c5a0684d88bae8b.tar.gz
12 files changed, 143 insertions, 22 deletions
diff --git a/include/kernel-6.6 b/include/kernel-6.6
index 71181a3fc5..048ae0b42a 100644
--- a/include/kernel-6.6
+++ b/include/kernel-6.6
@@ -1,2 +1,2 @@
-LINUX_VERSION-6.6 = .101
-LINUX_KERNEL_HASH-6.6.101 = 8c4ff2869736538b9b0d88ea8dbf0332b79c6ecc40a32066768a754df1fae1c0
+LINUX_VERSION-6.6 = .102
+LINUX_KERNEL_HASH-6.6.102 = 80d2feb7334c30bacbe1e7dafa9ea415efb2c0ea4f4740ecbd1467cf5d94de5c
diff --git a/target/linux/ath79/patches-6.6/900-unaligned_access_hacks.patch b/target/linux/ath79/patches-6.6/900-unaligned_access_hacks.patch
index 9168d5e973..02b64bb7f8 100644
--- a/target/linux/ath79/patches-6.6/900-unaligned_access_hacks.patch
+++ b/target/linux/ath79/patches-6.6/900-unaligned_access_hacks.patch
@@ -579,7 +579,7 @@ SVN-Revision: 35130
  			goto next_ht;
 --- a/net/ipv6/ip6_offload.c
 +++ b/net/ipv6/ip6_offload.c
-@@ -273,7 +273,7 @@ INDIRECT_CALLABLE_SCOPE struct sk_buff *
+@@ -275,7 +275,7 @@ INDIRECT_CALLABLE_SCOPE struct sk_buff *
  			continue;
  
  		iph2 = (struct ipv6hdr *)(p->data + off);
diff --git a/target/linux/bcm27xx/patches-6.6/950-0243-staging-fbtft-Add-support-for-display-variants.patch b/target/linux/bcm27xx/patches-6.6/950-0243-staging-fbtft-Add-support-for-display-variants.patch
index f49c9a2b56..fad8eb5a11 100644
--- a/target/linux/bcm27xx/patches-6.6/950-0243-staging-fbtft-Add-support-for-display-variants.patch
+++ b/target/linux/bcm27xx/patches-6.6/950-0243-staging-fbtft-Add-support-for-display-variants.patch
@@ -95,7 +95,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.com>
  
  #include <video/mipi_display.h>
  
-@@ -1183,6 +1185,7 @@ static struct fbtft_platform_data *fbtft
+@@ -1184,6 +1186,7 @@ static struct fbtft_platform_data *fbtft
   * @display: Display properties
   * @sdev: SPI device
   * @pdev: Platform device
@@ -103,7 +103,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.com>
   *
   * Allocates, initializes and registers a framebuffer
   *
-@@ -1192,12 +1195,15 @@ static struct fbtft_platform_data *fbtft
+@@ -1193,12 +1196,15 @@ static struct fbtft_platform_data *fbtft
   */
  int fbtft_probe_common(struct fbtft_display *display,
  		       struct spi_device *sdev,
@@ -120,7 +120,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.com>
  	int ret;
  
  	if (sdev)
-@@ -1213,6 +1219,14 @@ int fbtft_probe_common(struct fbtft_disp
+@@ -1214,6 +1220,14 @@ int fbtft_probe_common(struct fbtft_disp
  		pdata = fbtft_properties_read(dev);
  		if (IS_ERR(pdata))
  			return PTR_ERR(pdata);
diff --git a/target/linux/bcm27xx/patches-6.6/950-0472-pps-Compatibility-hack-should-be-X86-specific.patch b/target/linux/bcm27xx/patches-6.6/950-0472-pps-Compatibility-hack-should-be-X86-specific.patch
index 4cc2e594ba..04a2da5b41 100644
--- a/target/linux/bcm27xx/patches-6.6/950-0472-pps-Compatibility-hack-should-be-X86-specific.patch
+++ b/target/linux/bcm27xx/patches-6.6/950-0472-pps-Compatibility-hack-should-be-X86-specific.patch
@@ -22,7 +22,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.com>
 
 --- a/drivers/pps/pps.c
 +++ b/drivers/pps/pps.c
-@@ -249,12 +249,13 @@ static long pps_cdev_ioctl(struct file *
+@@ -254,12 +254,13 @@ static long pps_cdev_ioctl(struct file *
  static long pps_cdev_compat_ioctl(struct file *file,
  		unsigned int cmd, unsigned long arg)
  {
@@ -38,7 +38,7 @@ Signed-off-by: Phil Elwell <phil@raspberrypi.com>
  		struct pps_fdata_compat compat;
  		struct pps_fdata fdata;
  		int err;
-@@ -289,6 +290,7 @@ static long pps_cdev_compat_ioctl(struct
+@@ -296,6 +297,7 @@ static long pps_cdev_compat_ioctl(struct
  		return copy_to_user(uarg, &compat,
  				sizeof(struct pps_fdata_compat)) ? -EFAULT : 0;
  	}
diff --git a/target/linux/generic/backport-6.6/621-proc-fix-missing-pde_set_flags.patch b/target/linux/generic/backport-6.6/621-proc-fix-missing-pde_set_flags.patch
new file mode 100644
index 0000000000..ba026b9c3a
--- /dev/null
+++ b/target/linux/generic/backport-6.6/621-proc-fix-missing-pde_set_flags.patch
@@ -0,0 +1,121 @@
+From: wangzijie <wangzijie1@honor.com>
+To: <akpm@linux-foundation.org>, <brauner@kernel.org>,
+	<viro@zeniv.linux.org.uk>, <adobriyan@gmail.com>,
+	<rick.p.edgecombe@intel.com>, <ast@kernel.org>,
+	<k.shutemov@gmail.com>, <jirislaby@kernel.org>,
+	<linux-fsdevel@vger.kernel.org>
+Cc: <polynomial-c@gmx.de>, <gregkh@linuxfoundation.org>,
+	<stable@vger.kernel.org>, <regressions@lists.linux.dev>,
+	wangzijie <wangzijie1@honor.com>
+Subject: [PATCH v3] proc: fix missing pde_set_flags() for net proc files
+Date: Thu, 21 Aug 2025 18:58:06 +0800	[thread overview]
+Message-ID: <20250821105806.1453833-1-wangzijie1@honor.com> (raw)
+
+To avoid potential UAF issues during module removal races, we use pde_set_flags()
+to save proc_ops flags in PDE itself before proc_register(), and then use
+pde_has_proc_*() helpers instead of directly dereferencing pde->proc_ops->*.
+
+However, the pde_set_flags() call was missing when creating net related proc files.
+This omission caused incorrect behavior which FMODE_LSEEK was being cleared
+inappropriately in proc_reg_open() for net proc files. Lars reported it in this link[1].
+
+Fix this by ensuring pde_set_flags() is called when register proc entry, and add
+NULL check for proc_ops in pde_set_flags().
+
+[1]: https://lore.kernel.org/all/20250815195616.64497967@chagall.paradoxon.rec/
+
+Fixes: ff7ec8dc1b64 ("proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al")
+Cc: stable@vger.kernel.org
+Reported-by: Lars Wendler <polynomial-c@gmx.de>
+Signed-off-by: wangzijie <wangzijie1@honor.com>
+---
+v3:
+- followed by Christian's suggestion to stash pde->proc_ops in a local const variable
+v2:
+- followed by Jiri's suggestion to refractor code and reformat commit message
+---
+ fs/proc/generic.c | 38 +++++++++++++++++++++-----------------
+ 1 file changed, 21 insertions(+), 17 deletions(-)
+
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@ -362,6 +362,25 @@ static const struct inode_operations pro
+ 	.setattr	= proc_notify_change,
+ };
+ 
++static void pde_set_flags(struct proc_dir_entry *pde)
++{
++	const struct proc_ops *proc_ops = pde->proc_ops;
++
++	if (!proc_ops)
++		return;
++
++	if (proc_ops->proc_flags & PROC_ENTRY_PERMANENT)
++		pde->flags |= PROC_ENTRY_PERMANENT;
++	if (proc_ops->proc_read_iter)
++		pde->flags |= PROC_ENTRY_proc_read_iter;
++#ifdef CONFIG_COMPAT
++	if (proc_ops->proc_compat_ioctl)
++		pde->flags |= PROC_ENTRY_proc_compat_ioctl;
++#endif
++	if (proc_ops->proc_lseek)
++		pde->flags |= PROC_ENTRY_proc_lseek;
++}
++
+ /* returns the registered entry, or frees dp and returns NULL on failure */
+ struct proc_dir_entry *proc_register(struct proc_dir_entry *dir,
+ 		struct proc_dir_entry *dp)
+@@ -369,6 +388,8 @@ struct proc_dir_entry *proc_register(str
+ 	if (proc_alloc_inum(&dp->low_ino))
+ 		goto out_free_entry;
+ 
++	pde_set_flags(dp);
++
+ 	write_lock(&proc_subdir_lock);
+ 	dp->parent = dir;
+ 	if (pde_subdir_insert(dir, dp) == false) {
+@@ -557,20 +578,6 @@ struct proc_dir_entry *proc_create_reg(c
+ 	return p;
+ }
+ 
+-static void pde_set_flags(struct proc_dir_entry *pde)
+-{
+-	if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT)
+-		pde->flags |= PROC_ENTRY_PERMANENT;
+-	if (pde->proc_ops->proc_read_iter)
+-		pde->flags |= PROC_ENTRY_proc_read_iter;
+-#ifdef CONFIG_COMPAT
+-	if (pde->proc_ops->proc_compat_ioctl)
+-		pde->flags |= PROC_ENTRY_proc_compat_ioctl;
+-#endif
+-	if (pde->proc_ops->proc_lseek)
+-		pde->flags |= PROC_ENTRY_proc_lseek;
+-}
+-
+ struct proc_dir_entry *proc_create_data(const char *name, umode_t mode,
+ 		struct proc_dir_entry *parent,
+ 		const struct proc_ops *proc_ops, void *data)
+@@ -581,7 +588,6 @@ struct proc_dir_entry *proc_create_data(
+ 	if (!p)
+ 		return NULL;
+ 	p->proc_ops = proc_ops;
+-	pde_set_flags(p);
+ 	return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_data);
+@@ -632,7 +638,6 @@ struct proc_dir_entry *proc_create_seq_p
+ 	p->proc_ops = &proc_seq_ops;
+ 	p->seq_ops = ops;
+ 	p->state_size = state_size;
+-	pde_set_flags(p);
+ 	return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_seq_private);
+@@ -663,7 +668,6 @@ struct proc_dir_entry *proc_create_singl
+ 		return NULL;
+ 	p->proc_ops = &proc_single_ops;
+ 	p->single_show = show;
+-	pde_set_flags(p);
+ 	return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_single_data);
diff --git a/target/linux/generic/backport-6.6/770-v6.7-net-introduce-napi_is_scheduled-helper.patch b/target/linux/generic/backport-6.6/770-v6.7-net-introduce-napi_is_scheduled-helper.patch
index 319bc3e47b..4aa93c20d1 100644
--- a/target/linux/generic/backport-6.6/770-v6.7-net-introduce-napi_is_scheduled-helper.patch
+++ b/target/linux/generic/backport-6.6/770-v6.7-net-introduce-napi_is_scheduled-helper.patch
@@ -42,7 +42,7 @@ Signed-off-by: Paolo Abeni <pabeni@redhat.com>
   *	@adap: the adapter
 --- a/drivers/net/wireless/realtek/rtw89/core.c
 +++ b/drivers/net/wireless/realtek/rtw89/core.c
-@@ -1744,7 +1744,7 @@ static void rtw89_core_rx_to_mac80211(st
+@@ -1749,7 +1749,7 @@ static void rtw89_core_rx_to_mac80211(st
  	struct napi_struct *napi = &rtwdev->napi;
  
  	/* In low power mode, napi isn't scheduled. Receive it to netif. */
diff --git a/target/linux/generic/hack-6.6/721-net-add-packet-mangeling.patch b/target/linux/generic/hack-6.6/721-net-add-packet-mangeling.patch
index 8b784836a0..30a0b86b00 100644
--- a/target/linux/generic/hack-6.6/721-net-add-packet-mangeling.patch
+++ b/target/linux/generic/hack-6.6/721-net-add-packet-mangeling.patch
@@ -60,7 +60,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
   */
 --- a/include/linux/skbuff.h
 +++ b/include/linux/skbuff.h
-@@ -3098,6 +3098,10 @@ static inline int pskb_trim(struct sk_bu
+@@ -3121,6 +3121,10 @@ static inline int pskb_trim(struct sk_bu
  	return (len < skb->len) ? __pskb_trim(skb, len) : 0;
  }
  
@@ -71,7 +71,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  /**
   *	pskb_trim_unique - remove end from a paged unique (not cloned) buffer
   *	@skb: buffer to alter
-@@ -3263,16 +3267,6 @@ static inline struct sk_buff *dev_alloc_
+@@ -3286,16 +3290,6 @@ static inline struct sk_buff *dev_alloc_
  }
  
  
diff --git a/target/linux/generic/hack-6.6/904-debloat_dma_buf.patch b/target/linux/generic/hack-6.6/904-debloat_dma_buf.patch
index 4d2ea46212..3ca98788ab 100644
--- a/target/linux/generic/hack-6.6/904-debloat_dma_buf.patch
+++ b/target/linux/generic/hack-6.6/904-debloat_dma_buf.patch
@@ -73,7 +73,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 +MODULE_LICENSE("GPL");
 --- a/kernel/sched/core.c
 +++ b/kernel/sched/core.c
-@@ -4486,6 +4486,7 @@ int wake_up_state(struct task_struct *p,
+@@ -4485,6 +4485,7 @@ int wake_up_state(struct task_struct *p,
  {
  	return try_to_wake_up(p, state, 0);
  }
diff --git a/target/linux/generic/pending-6.6/655-increase_skb_pad.patch b/target/linux/generic/pending-6.6/655-increase_skb_pad.patch
index 4f3bb06051..8fbc915881 100644
--- a/target/linux/generic/pending-6.6/655-increase_skb_pad.patch
+++ b/target/linux/generic/pending-6.6/655-increase_skb_pad.patch
@@ -9,7 +9,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 
 --- a/include/linux/skbuff.h
 +++ b/include/linux/skbuff.h
-@@ -3065,7 +3065,7 @@ static inline int pskb_network_may_pull(
+@@ -3088,7 +3088,7 @@ static inline int pskb_network_may_pull(
   * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
   */
  #ifndef NET_SKB_PAD
diff --git a/target/linux/generic/pending-6.6/670-ipv6-allow-rejecting-with-source-address-failed-policy.patch b/target/linux/generic/pending-6.6/670-ipv6-allow-rejecting-with-source-address-failed-policy.patch
index 0ad36b3430..ef7ca8cf74 100644
--- a/target/linux/generic/pending-6.6/670-ipv6-allow-rejecting-with-source-address-failed-policy.patch
+++ b/target/linux/generic/pending-6.6/670-ipv6-allow-rejecting-with-source-address-failed-policy.patch
@@ -185,7 +185,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
  		cfg->fc_flags |= RTF_REJECT;
  
  	if (rtm->rtm_type == RTN_LOCAL)
-@@ -6341,6 +6372,8 @@ static int ip6_route_dev_notify(struct n
+@@ -6349,6 +6380,8 @@ static int ip6_route_dev_notify(struct n
  #ifdef CONFIG_IPV6_MULTIPLE_TABLES
  		net->ipv6.ip6_prohibit_entry->dst.dev = dev;
  		net->ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(dev);
@@ -194,7 +194,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
  		net->ipv6.ip6_blk_hole_entry->dst.dev = dev;
  		net->ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(dev);
  #endif
-@@ -6352,6 +6385,7 @@ static int ip6_route_dev_notify(struct n
+@@ -6360,6 +6393,7 @@ static int ip6_route_dev_notify(struct n
  		in6_dev_put_clear(&net->ipv6.ip6_null_entry->rt6i_idev);
  #ifdef CONFIG_IPV6_MULTIPLE_TABLES
  		in6_dev_put_clear(&net->ipv6.ip6_prohibit_entry->rt6i_idev);
@@ -202,7 +202,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
  		in6_dev_put_clear(&net->ipv6.ip6_blk_hole_entry->rt6i_idev);
  #endif
  	}
-@@ -6552,6 +6586,8 @@ static int __net_init ip6_route_net_init
+@@ -6560,6 +6594,8 @@ static int __net_init ip6_route_net_init
  
  #ifdef CONFIG_IPV6_MULTIPLE_TABLES
  	net->ipv6.fib6_has_custom_rules = false;
@@ -211,7 +211,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
  	net->ipv6.ip6_prohibit_entry = kmemdup(&ip6_prohibit_entry_template,
  					       sizeof(*net->ipv6.ip6_prohibit_entry),
  					       GFP_KERNEL);
-@@ -6562,11 +6598,21 @@ static int __net_init ip6_route_net_init
+@@ -6570,11 +6606,21 @@ static int __net_init ip6_route_net_init
  			 ip6_template_metrics, true);
  	INIT_LIST_HEAD(&net->ipv6.ip6_prohibit_entry->dst.rt_uncached);
  
@@ -234,7 +234,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
  	net->ipv6.ip6_blk_hole_entry->dst.ops = &net->ipv6.ip6_dst_ops;
  	dst_init_metrics(&net->ipv6.ip6_blk_hole_entry->dst,
  			 ip6_template_metrics, true);
-@@ -6593,6 +6639,8 @@ out:
+@@ -6601,6 +6647,8 @@ out:
  	return ret;
  
  #ifdef CONFIG_IPV6_MULTIPLE_TABLES
@@ -243,7 +243,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
  out_ip6_prohibit_entry:
  	kfree(net->ipv6.ip6_prohibit_entry);
  out_ip6_null_entry:
-@@ -6612,6 +6660,7 @@ static void __net_exit ip6_route_net_exi
+@@ -6620,6 +6668,7 @@ static void __net_exit ip6_route_net_exi
  	kfree(net->ipv6.ip6_null_entry);
  #ifdef CONFIG_IPV6_MULTIPLE_TABLES
  	kfree(net->ipv6.ip6_prohibit_entry);
@@ -251,7 +251,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
  	kfree(net->ipv6.ip6_blk_hole_entry);
  #endif
  	dst_entries_destroy(&net->ipv6.ip6_dst_ops);
-@@ -6695,6 +6744,9 @@ void __init ip6_route_init_special_entri
+@@ -6703,6 +6752,9 @@ void __init ip6_route_init_special_entri
  	init_net.ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
  	init_net.ipv6.ip6_blk_hole_entry->dst.dev = init_net.loopback_dev;
  	init_net.ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
diff --git a/target/linux/generic/pending-6.6/701-netfilter-nf_tables-ignore-EOPNOTSUPP-on-flowtable-d.patch b/target/linux/generic/pending-6.6/701-netfilter-nf_tables-ignore-EOPNOTSUPP-on-flowtable-d.patch
index 1ae6f89399..7a5413700a 100644
--- a/target/linux/generic/pending-6.6/701-netfilter-nf_tables-ignore-EOPNOTSUPP-on-flowtable-d.patch
+++ b/target/linux/generic/pending-6.6/701-netfilter-nf_tables-ignore-EOPNOTSUPP-on-flowtable-d.patch
@@ -18,7 +18,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
 
 --- a/net/netfilter/nf_tables_api.c
 +++ b/net/netfilter/nf_tables_api.c
-@@ -8469,7 +8469,7 @@ static int nft_register_flowtable_net_ho
+@@ -8449,7 +8449,7 @@ static int nft_register_flowtable_net_ho
  		err = flowtable->data.type->setup(&flowtable->data,
  						  hook->ops.dev,
  						  FLOW_BLOCK_BIND);
diff --git a/target/linux/ipq40xx/patches-6.6/701-net-dsa-add-out-of-band-tagging-protocol.patch b/target/linux/ipq40xx/patches-6.6/701-net-dsa-add-out-of-band-tagging-protocol.patch
index d49b18242a..15b8e6dadc 100644
--- a/target/linux/ipq40xx/patches-6.6/701-net-dsa-add-out-of-band-tagging-protocol.patch
+++ b/target/linux/ipq40xx/patches-6.6/701-net-dsa-add-out-of-band-tagging-protocol.patch
@@ -93,7 +93,7 @@ Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
 +#endif
 --- a/include/linux/skbuff.h
 +++ b/include/linux/skbuff.h
-@@ -4683,6 +4683,9 @@ enum skb_ext_id {
+@@ -4706,6 +4706,9 @@ enum skb_ext_id {
  #if IS_ENABLED(CONFIG_MCTP_FLOWS)
  	SKB_EXT_MCTP,
  #endif
author	Hauke Mehrtens	2025-08-24 17:21:54 +0000
committer	Hauke Mehrtens	2025-08-28 19:17:44 +0000
commit	a65ca44cb7a3e6fbb43b230c7c5a0684d88bae8b (patch)
tree	498009e51f555a7e5ad39d9855274f469c237c16
parent	406489fd83d9015f1827122d912253744c0efe5a (diff)
download	openwrt-a65ca44cb7a3e6fbb43b230c7c5a0684d88bae8b.tar.gz