* [PATCH 5.15.y 0/6] Few missing CVE fixes
@ 2025-04-14 18:50 Harshit Mogalapalli
2025-04-14 18:50 ` [PATCH 5.15.y 1/6] net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup Harshit Mogalapalli
` (5 more replies)
0 siblings, 6 replies; 13+ messages in thread
From: Harshit Mogalapalli @ 2025-04-14 18:50 UTC
To: stable; +Cc: vegard.nossum, Harshit Mogalapalli
Hi stable maintainers,

I have tried backporting some fixes to stable kernel 5.15.y which also
have CVE numbers and are fixing commits in 5.15.y.

I am not a subsystem expert and have only done overall testing that we
do for stable release candidate testing and not any patch specific testing.

Note: All these patches are present in 6.1.y.

Patch 1 -- minor conflicts resolved due to a few missing commits.
Patch 2, 3, 4 -- clean cherry-picks from 6.1.y commits and will
                 therefore have additional SOBs from backporter/stable maintainers
Patch 5 -- Minor conflict resolved as 5.15.y doesn't have folios.
Patch 6 -- Resolve conflicts due to missing unrcu_pointer() helper and
           other commit

Please let me know if there are any comments.

Thanks,
Harshit

Michal Schmidt (1):
  bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq

Paolo Abeni (1):
  ipv6: release nexthop on device removal

Rémi Denis-Courmont (1):
  phonet/pep: fix racy skb_queue_empty() use

Souradeep Chakrabarti (1):
  net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup

Trond Myklebust (1):
  filemap: Fix bounds checking in filemap_read()

Wang Liang (1):
  net: fix crash when config small gso_max_size/gso_ipv4_max_size

 drivers/infiniband/hw/bnxt_re/qplib_fp.c      |  3 +-
 drivers/net/ethernet/microsoft/mana/mana.h    |  2 +
 drivers/net/ethernet/microsoft/mana/mana_en.c | 21 ++++++----
 mm/filemap.c                                  |  2 +-
 net/core/rtnetlink.c                          |  2 +-
 net/ipv6/route.c                              |  6 +--
 net/phonet/pep.c                              | 41 +++++++++++++++----
 7 files changed, 54 insertions(+), 23 deletions(-)
--
2.47.1
* [PATCH 5.15.y 1/6] net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup
From: Harshit Mogalapalli @ 2025-04-14 18:50 UTC
To: stable
Cc: vegard.nossum, Souradeep Chakrabarti, Haiyang Zhang,
Shradha Gupta, David S. Miller, Harshit Mogalapalli
From: Souradeep Chakrabarti <schakrabarti@linux.microsoft.com>
[ Upstream commit b6ecc662037694488bfff7c9fd21c405df8411f2 ]
Currently napi_disable() gets called during rxq and txq cleanup,
even before napi is enabled and hrtimer is initialized. It causes
a kernel panic.
? page_fault_oops+0x136/0x2b0
? page_counter_cancel+0x2e/0x80
? do_user_addr_fault+0x2f2/0x640
? refill_obj_stock+0xc4/0x110
? exc_page_fault+0x71/0x160
? asm_exc_page_fault+0x27/0x30
? __mmdrop+0x10/0x180
? __mmdrop+0xec/0x180
? hrtimer_active+0xd/0x50
hrtimer_try_to_cancel+0x2c/0xf0
hrtimer_cancel+0x15/0x30
napi_disable+0x65/0x90
mana_destroy_rxq+0x4c/0x2f0
mana_create_rxq.isra.0+0x56c/0x6d0
? mana_uncfg_vport+0x50/0x50
mana_alloc_queues+0x21b/0x320
? skb_dequeue+0x5f/0x80
Cc: stable@vger.kernel.org
Fixes: e1b5683ff62e ("net: mana: Move NAPI from EQ to CQ")
Signed-off-by: Souradeep Chakrabarti <schakrabarti@linux.microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: Shradha Gupta <shradhagupta@linux.microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit b6ecc662037694488bfff7c9fd21c405df8411f2)
[Harshit: conflicts resolved due to missing commit: ed5356b53f07 ("net:
mana: Add XDP support") and commit: d356abb95b98 ("net: mana: Add
counter for XDP_TX") in 5.15.y]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
drivers/net/ethernet/microsoft/mana/mana.h | 2 ++
drivers/net/ethernet/microsoft/mana/mana_en.c | 21 ++++++++++++-------
2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/mana.h b/drivers/net/ethernet/microsoft/mana/mana.h
index 35e937a7079c..6aac4824090c 100644
--- a/drivers/net/ethernet/microsoft/mana/mana.h
+++ b/drivers/net/ethernet/microsoft/mana/mana.h
@@ -76,6 +76,8 @@ struct mana_txq {
atomic_t pending_sends;
+ bool napi_initialized;
+
struct mana_stats stats;
};
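Review bot: the new napi_initialized field in struct mana_txq carries no comment saying what it tracks or who owns it. The rest of the patch sets it after napi_enable() in mana_create_txq() and tests and clears it in mana_destroy_txq(), so a one-line comment stating that invariant next to the field would document what the teardown path now depends on.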
diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index b0963fda4d9f..3c754b31c30d 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -1154,10 +1154,12 @@ static void mana_destroy_txq(struct mana_port_context *apc)
for (i = 0; i < apc->num_queues; i++) {
napi = &apc->tx_qp[i].tx_cq.napi;
- napi_synchronize(napi);
- napi_disable(napi);
- netif_napi_del(napi);
-
+ if (apc->tx_qp[i].txq.napi_initialized) {
+ napi_synchronize(napi);
+ napi_disable(napi);
+ netif_napi_del(napi);
+ apc->tx_qp[i].txq.napi_initialized = false;
+ }
mana_destroy_wq_obj(apc, GDMA_SQ, apc->tx_qp[i].tx_object);
mana_deinit_cq(apc, &apc->tx_qp[i].tx_cq);
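Review bot: the napi_initialized guard in mana_destroy_txq() covers only the three NAPI calls; mana_destroy_wq_obj() and mana_deinit_cq() directly below still run for every queue index. Since this path is now expected to handle queues whose creation stopped early, please confirm those two calls tolerate a queue that never got a tx_object or CQ. Minor: the blank line that separated the NAPI teardown from mana_destroy_wq_obj() was dropped with the closing brace.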
@@ -1213,6 +1215,7 @@ static int mana_create_txq(struct mana_port_context *apc,
txq->ndev = net;
txq->net_txq = netdev_get_tx_queue(net, i);
txq->vp_offset = apc->tx_vp_offset;
+ txq->napi_initialized = false;
skb_queue_head_init(&txq->pending_skbs);
memset(&spec, 0, sizeof(spec));
@@ -1277,6 +1280,7 @@ static int mana_create_txq(struct mana_port_context *apc,
netif_tx_napi_add(net, &cq->napi, mana_poll, NAPI_POLL_WEIGHT);
napi_enable(&cq->napi);
+ txq->napi_initialized = true;
mana_gd_ring_cq(cq->gdma_cq, SET_ARM_BIT);
}
@@ -1288,7 +1292,7 @@ static int mana_create_txq(struct mana_port_context *apc,
}
static void mana_destroy_rxq(struct mana_port_context *apc,
- struct mana_rxq *rxq, bool validate_state)
+ struct mana_rxq *rxq, bool napi_initialized)
{
struct gdma_context *gc = apc->ac->gdma_dev->gdma_context;
@@ -1302,12 +1306,13 @@ static void mana_destroy_rxq(struct mana_port_context *apc,
napi = &rxq->rx_cq.napi;
- if (validate_state)
+ if (napi_initialized) {
napi_synchronize(napi);
- napi_disable(napi);
- netif_napi_del(napi);
+ napi_disable(napi);
+ netif_napi_del(napi);
+ }
mana_destroy_wq_obj(apc, GDMA_RQ, rxq->rxobj);
mana_deinit_cq(apc, &rxq->rx_cq);
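Review bot: the bool argument of mana_destroy_rxq() changes meaning here without any call site being touched in this patch. As validate_state it gated only napi_synchronize(); as napi_initialized it also gates napi_disable() and netif_napi_del(), so every existing caller that passes false now skips the whole NAPI teardown. Please confirm each caller's argument reflects whether NAPI was actually added and enabled for that rxq. The txq side stores this in txq->napi_initialized; keeping the rxq state in the queue as well would remove the dependence on each caller passing the right value.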
--
2.47.1
* [PATCH 5.15.y 2/6] bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
From: Harshit Mogalapalli @ 2025-04-14 18:50 UTC
To: stable
Cc: vegard.nossum, Michal Schmidt, Selvin Xavier, Leon Romanovsky,
Xiangyu Chen, Greg Kroah-Hartman, Harshit Mogalapalli
From: Michal Schmidt <mschmidt@redhat.com>
commit 78cfd17142ef70599d6409cbd709d94b3da58659 upstream.
Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.
In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.
roundup_pow_of_two is documented as undefined for 0.
Fix it in the one caller that had this combination.
The undefined behavior was detected by UBSAN:
UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
shift exponent 64 is too large for 64-bit type 'long unsigned int'
CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4
Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
ubsan_epilogue+0x5/0x30
__ubsan_handle_shift_out_of_bounds.cold+0x61/0xec
__roundup_pow_of_two+0x25/0x35 [bnxt_re]
bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]
bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? __kmalloc+0x1b6/0x4f0
? create_qp.part.0+0x128/0x1c0 [ib_core]
? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]
create_qp.part.0+0x128/0x1c0 [ib_core]
ib_create_qp_kernel+0x50/0xd0 [ib_core]
create_mad_qp+0x8e/0xe0 [ib_core]
? __pfx_qp_event_handler+0x10/0x10 [ib_core]
ib_mad_init_device+0x2be/0x680 [ib_core]
add_client_context+0x10d/0x1a0 [ib_core]
enable_device_and_get+0xe0/0x1d0 [ib_core]
ib_register_device+0x53c/0x630 [ib_core]
? srso_alias_return_thunk+0x5/0xfbef5
bnxt_re_probe+0xbd8/0xe50 [bnxt_re]
? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
auxiliary_bus_probe+0x49/0x80
? driver_sysfs_add+0x57/0xc0
really_probe+0xde/0x340
? pm_runtime_barrier+0x54/0x90
? __pfx___driver_attach+0x10/0x10
__driver_probe_device+0x78/0x110
driver_probe_device+0x1f/0xa0
__driver_attach+0xba/0x1c0
bus_for_each_dev+0x8f/0xe0
bus_add_driver+0x146/0x220
driver_register+0x72/0xd0
__auxiliary_driver_register+0x6e/0xd0
? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]
? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
do_one_initcall+0x5b/0x310
do_init_module+0x90/0x250
init_module_from_file+0x86/0xc0
idempotent_init_module+0x121/0x2b0
__x64_sys_finit_module+0x5e/0xb0
do_syscall_64+0x82/0x160
? srso_alias_return_thunk+0x5/0xfbef5
? syscall_exit_to_user_mode_prepare+0x149/0x170
? srso_alias_return_thunk+0x5/0xfbef5
? syscall_exit_to_user_mode+0x75/0x230
? srso_alias_return_thunk+0x5/0xfbef5
? do_syscall_64+0x8e/0x160
? srso_alias_return_thunk+0x5/0xfbef5
? __count_memcg_events+0x69/0x100
? srso_alias_return_thunk+0x5/0xfbef5
? count_memcg_events.constprop.0+0x1a/0x30
? srso_alias_return_thunk+0x5/0xfbef5
? handle_mm_fault+0x1f0/0x300
? srso_alias_return_thunk+0x5/0xfbef5
? do_user_addr_fault+0x34e/0x640
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
---[ end trace ]---
Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com
Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Harshit: backport to 5.15.y, this is a clean cherrypick from 6.1.y
commit ]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
index 3725f05ad297..be895398df09 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
@@ -1013,7 +1013,8 @@ int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp)
hwq_attr.stride = sizeof(struct sq_sge);
hwq_attr.depth = bnxt_qplib_get_depth(sq);
hwq_attr.aux_stride = psn_sz;
- hwq_attr.aux_depth = bnxt_qplib_set_sq_size(sq, qp->wqe_mode);
+ hwq_attr.aux_depth = psn_sz ? bnxt_qplib_set_sq_size(sq, qp->wqe_mode)
+ : 0;
hwq_attr.type = HWQ_TYPE_QUEUE;
rc = bnxt_qplib_alloc_init_hwq(&sq->hwq, &hwq_attr);
if (rc)
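Review bot: the zero-stride case is handled only at this call site in bnxt_qplib_create_qp(), so bnxt_qplib_alloc_init_hwq() will still reach roundup_pow_of_two(hwq_attr->aux_stride) with 0 if any other caller sets aux_depth without aux_stride. The commit message says this was the one caller with that combination; a check in the callee that rejects aux_depth != 0 with aux_stride == 0 would keep that true for future callers. Minor: the wrapped ": 0;" continuation is hard to read, keeping the conditional on one line or aligning it under psn_sz would help.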
--
2.47.1
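
The undefined shift described in the commit message above, as an added example that is not code from the patch or the kernel tree: a portable C model of the `1UL << fls_long(n - 1)` computation behind roundup_pow_of_two(), showing why an input of 0 produces the shift exponent 64 that UBSAN reported, next to the caller-side rule the patch applies. `model_fls64`, `checked_roundup_pow_of_two`, `struct model_hwq_attr`, `aux_bytes_or_error` and the byte-size calculation are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 1-based index of the highest set bit, 0 if x == 0 (same contract as fls64()). */
static unsigned int model_fls64(uint64_t x)
{
    unsigned int bit = 0;

    while (x) {
        bit++;
        x >>= 1;
    }
    return bit;
}

/* Exponent that "1UL << fls_long(n - 1)" would shift by on a 64-bit build. */
static unsigned int roundup_shift_exponent(uint64_t n)
{
    return model_fls64(n - 1); /* n == 0 wraps to UINT64_MAX, giving 64 */
}

/* Checked variant (hypothetical helper): reports failure instead of shifting
 * a 64-bit value by 64 or more, which C leaves undefined. */
static bool checked_roundup_pow_of_two(uint64_t n, uint64_t *out)
{
    unsigned int exp = roundup_shift_exponent(n);

    if (n == 0 || exp >= 64)
        return false;
    *out = UINT64_C(1) << exp;
    return true;
}

/* Same check with a plain return value; 0 means "not representable". */
static uint64_t roundup_or_zero(uint64_t n)
{
    uint64_t out = 0;

    return checked_roundup_pow_of_two(n, &out) ? out : 0;
}

/* Simplified stand-in for the two hwq_attr fields the commit message names. */
struct model_hwq_attr {
    uint32_t aux_stride;
    uint32_t aux_depth;
};

/* Caller side. Unpatched: aux_depth always follows the send queue size.
 * Patched: without a PSN entry size there is no auxiliary queue at all. */
static struct model_hwq_attr build_attr(uint32_t psn_sz, uint32_t sq_size,
                                        bool patched)
{
    struct model_hwq_attr attr;

    attr.aux_stride = psn_sz;
    attr.aux_depth = patched ? (psn_sz ? sq_size : 0) : sq_size;
    return attr;
}

/* Callee-side model: the stride is rounded only when aux_depth != 0.
 * Returns the auxiliary size in bytes (illustrative calculation), or -1
 * where the real code would execute the out-of-range shift. */
static long long aux_bytes_or_error(uint32_t psn_sz, uint32_t sq_size,
                                    bool patched)
{
    struct model_hwq_attr attr = build_attr(psn_sz, sq_size, patched);
    uint64_t stride;

    if (!attr.aux_depth)
        return 0;
    if (!checked_roundup_pow_of_two(attr.aux_stride, &stride))
        return -1;
    return (long long)(stride * attr.aux_depth);
}

int main(void)
{
    /* Constructed inputs: PSN entry sizes 0 and 12, send queue of 64 slots. */
    const uint32_t psn_sizes[] = { 0, 12 };
    unsigned int i;
    int patched;

    printf("shift exponent for n=0: %u\n", roundup_shift_exponent(0));
    for (i = 0; i < 2; i++) {
        for (patched = 0; patched <= 1; patched++) {
            printf("psn_sz=%u patched=%d -> %lld\n",
                   (unsigned int)psn_sizes[i], patched,
                   aux_bytes_or_error(psn_sizes[i], 64, patched != 0));
        }
    }
    return 0;
}
```

A result of -1 marks the combination (aux_depth != 0, aux_stride == 0) that the unpatched caller produced; with the patched rule the same input yields an empty auxiliary queue.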
* [PATCH 5.15.y 3/6] phonet/pep: fix racy skb_queue_empty() use
From: Harshit Mogalapalli @ 2025-04-14 18:50 UTC
To: stable
Cc: vegard.nossum, Rémi Denis-Courmont, Paolo Abeni, Sasha Levin,
Harshit Mogalapalli
From: Rémi Denis-Courmont <courmisch@gmail.com>
[ Upstream commit 7d2a894d7f487dcb894df023e9d3014cf5b93fe5 ]
The receive queues are protected by their respective spin-lock, not
the socket lock. This could lead to skb_peek() unexpectedly
returning NULL or a pointer to an already dequeued socket buffer.
Fixes: 9641458d3ec4 ("Phonet: Pipe End Point for Phonet Pipes protocol")
Signed-off-by: Rémi Denis-Courmont <courmisch@gmail.com>
Link: https://lore.kernel.org/r/20240218081214.4806-2-remi@remlab.net
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[Harshit: backport to 5.15.y, clean cherrypick from 6.1.y commit]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
net/phonet/pep.c | 41 ++++++++++++++++++++++++++++++++---------
1 file changed, 32 insertions(+), 9 deletions(-)
diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index 65d463ad8770..3ea23e7caab6 100644
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -916,6 +916,37 @@ static int pep_sock_enable(struct sock *sk, struct sockaddr *addr, int len)
return 0;
}
+static unsigned int pep_first_packet_length(struct sock *sk)
+{
+ struct pep_sock *pn = pep_sk(sk);
+ struct sk_buff_head *q;
+ struct sk_buff *skb;
+ unsigned int len = 0;
+ bool found = false;
+
+ if (sock_flag(sk, SOCK_URGINLINE)) {
+ q = &pn->ctrlreq_queue;
+ spin_lock_bh(&q->lock);
+ skb = skb_peek(q);
+ if (skb) {
+ len = skb->len;
+ found = true;
+ }
+ spin_unlock_bh(&q->lock);
+ }
+
+ if (likely(!found)) {
+ q = &sk->sk_receive_queue;
+ spin_lock_bh(&q->lock);
+ skb = skb_peek(q);
+ if (skb)
+ len = skb->len;
+ spin_unlock_bh(&q->lock);
+ }
+
+ return len;
+}
+
static int pep_ioctl(struct sock *sk, int cmd, unsigned long arg)
{
struct pep_sock *pn = pep_sk(sk);
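Review bot: pep_first_packet_length() repeats the same lock, skb_peek(), read skb->len, unlock sequence once for pn->ctrlreq_queue and once for sk->sk_receive_queue. A small helper that takes the sk_buff_head and reports whether a packet was found would remove the duplication and the separate found flag. A short comment above the function saying that each queue is protected by its own q->lock and not by the socket lock, as the commit message explains, would also help keep a later cleanup from reintroducing lock_sock() here.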
@@ -929,15 +960,7 @@ static int pep_ioctl(struct sock *sk, int cmd, unsigned long arg)
break;
}
- lock_sock(sk);
- if (sock_flag(sk, SOCK_URGINLINE) &&
- !skb_queue_empty(&pn->ctrlreq_queue))
- answ = skb_peek(&pn->ctrlreq_queue)->len;
- else if (!skb_queue_empty(&sk->sk_receive_queue))
- answ = skb_peek(&sk->sk_receive_queue)->len;
- else
- answ = 0;
- release_sock(sk);
+ answ = pep_first_packet_length(sk);
ret = put_user(answ, (int __user *)arg);
break;
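Review bot: in pep_ioctl() the result is written out with put_user(answ, (int __user *)arg), while the new pep_first_packet_length() returns unsigned int. Either make the helper return int to match what is copied to user space, or state why the unsigned-to-int conversion cannot matter for skb->len here. It is also worth checking that pn in pep_ioctl() is still used after the removed lines, since they were its only users visible in this hunk.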
--
2.47.1
* [PATCH 5.15.y 4/6] net: fix crash when config small gso_max_size/gso_ipv4_max_size
From: Harshit Mogalapalli @ 2025-04-14 18:50 UTC
To: stable
Cc: vegard.nossum, Wang Liang, Eric Dumazet, Jakub Kicinski, Bin Lan,
Sasha Levin, Harshit Mogalapalli
From: Wang Liang <wangliang74@huawei.com>
[ Upstream commit 9ab5cf19fb0e4680f95e506d6c544259bf1111c4 ]
Configuring a small gso_max_size/gso_ipv4_max_size will lead to an underflow
in sk_dst_gso_max_size(), which may trigger a BUG_ON crash,
because sk->sk_gso_max_size would be much bigger than device limits.
Call Trace:
tcp_write_xmit
tso_segs = tcp_init_tso_segs(skb, mss_now);
tcp_set_skb_tso_segs
tcp_skb_pcount_set
// skb->len = 524288, mss_now = 8
// u16 tso_segs = 524288/8 = 65535 -> 0
tso_segs = DIV_ROUND_UP(skb->len, mss_now)
BUG_ON(!tso_segs)
Add check for the minimum value of gso_max_size and gso_ipv4_max_size.
Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation")
Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device")
Signed-off-by: Wang Liang <wangliang74@huawei.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20241023035213.517386-1-wangliang74@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Resolve minor conflicts to fix CVE-2024-50258 ]
Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[Harshit: Clean cherrypick from 6.1.y commit]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
net/core/rtnetlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 46a97c915e93..e8e67429e437 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1899,7 +1899,7 @@ static const struct nla_policy ifla_policy[IFLA_MAX+1] = {
[IFLA_NUM_TX_QUEUES] = { .type = NLA_U32 },
[IFLA_NUM_RX_QUEUES] = { .type = NLA_U32 },
[IFLA_GSO_MAX_SEGS] = { .type = NLA_U32 },
- [IFLA_GSO_MAX_SIZE] = { .type = NLA_U32 },
+ [IFLA_GSO_MAX_SIZE] = NLA_POLICY_MIN(NLA_U32, MAX_TCP_HEADER + 1),
[IFLA_PHYS_PORT_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN },
[IFLA_CARRIER_CHANGES] = { .type = NLA_U32 }, /* ignored */
[IFLA_PHYS_SWITCH_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN },
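Review bot: only IFLA_GSO_MAX_SIZE gets the NLA_POLICY_MIN(NLA_U32, MAX_TCP_HEADER + 1) bound in ifla_policy here, while the subject, the commit text and the second Fixes: tag (9eefedd58ae1, "net: add gso_ipv4_max_size and gro_ipv4_max_size per device") also cover gso_ipv4_max_size. If this tree has no IFLA_GSO_IPV4_MAX_SIZE attribute, it would help for the backport note to say explicitly that the IPv4 half of the fix is not applicable, so a reader does not go looking for the missing policy line.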
--
2.47.1
* [PATCH 5.15.y 5/6] filemap: Fix bounds checking in filemap_read()
From: Harshit Mogalapalli @ 2025-04-14 18:50 UTC
To: stable
Cc: vegard.nossum, Trond Myklebust, Mike Snitzer, Linus Torvalds,
Harshit Mogalapalli
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit ace149e0830c380ddfce7e466fe860ca502fe4ee ]
If the caller supplies an iocb->ki_pos value that is close to the
filesystem upper limit, and an iterator with a count that causes us to
overflow that limit, then filemap_read() enters an infinite loop.
This behaviour was discovered when testing xfstests generic/525 with the
"localio" optimisation for loopback NFS mounts.
Reported-by: Mike Snitzer <snitzer@kernel.org>
Fixes: c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
Tested-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit ace149e0830c380ddfce7e466fe860ca502fe4ee)
[Harshit: Minor conflict resolved due to missing commit: 25d6a23e8d28
("filemap: Convert filemap_get_read_batch() to use a folio_batch") in
5.15.y]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
mm/filemap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/filemap.c b/mm/filemap.c
index c71e86c12418..cc86c5a127b9 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2617,7 +2617,7 @@ ssize_t filemap_read(struct kiocb *iocb, struct iov_iter *iter,
if (unlikely(!iov_iter_count(iter)))
return 0;
- iov_iter_truncate(iter, inode->i_sb->s_maxbytes);
+ iov_iter_truncate(iter, inode->i_sb->s_maxbytes - iocb->ki_pos);
pagevec_init(&pvec);
do {
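Review bot: the new bound inode->i_sb->s_maxbytes - iocb->ki_pos in filemap_read() is only meaningful when ki_pos is below s_maxbytes. If ki_pos can be equal to or larger than s_maxbytes at this point, the difference is zero or negative, and a negative value converted to the unsigned count that iov_iter_truncate() takes becomes a very large limit, which defeats the truncation. The visible context shows only the iov_iter_count() check, so please confirm that 5.15.y bails out on ki_pos >= s_maxbytes before this line, and consider a brief comment noting that dependency.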
--
2.47.1
* [PATCH 5.15.y 6/6] ipv6: release nexthop on device removal
From: Harshit Mogalapalli @ 2025-04-14 18:50 UTC
To: stable
Cc: vegard.nossum, Paolo Abeni, Eric Dumazet, David Ahern,
Jakub Kicinski, Harshit Mogalapalli
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit eb02688c5c45c3e7af7e71f036a7144f5639cbfe ]
The CI is hitting some aperiodic hangup at device removal time in the
pmtu.sh self-test:
unregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6
ref_tracker: veth_A-R1@ffff888013df15d8 has 1/5 users at
dst_init+0x84/0x4a0
dst_alloc+0x97/0x150
ip6_dst_alloc+0x23/0x90
ip6_rt_pcpu_alloc+0x1e6/0x520
ip6_pol_route+0x56f/0x840
fib6_rule_lookup+0x334/0x630
ip6_route_output_flags+0x259/0x480
ip6_dst_lookup_tail.constprop.0+0x5c2/0x940
ip6_dst_lookup_flow+0x88/0x190
udp_tunnel6_dst_lookup+0x2a7/0x4c0
vxlan_xmit_one+0xbde/0x4a50 [vxlan]
vxlan_xmit+0x9ad/0xf20 [vxlan]
dev_hard_start_xmit+0x10e/0x360
__dev_queue_xmit+0xf95/0x18c0
arp_solicit+0x4a2/0xe00
neigh_probe+0xaa/0xf0
While the first suspect is the dst_cache, explicitly tracking the dst
owning the last device reference via probes proved such dst is held by
the nexthop in the originating fib6_info.
Similar to commit f5b51fe804ec ("ipv6: route: purge exception on
removal"), we need to explicitly release the originating fib info when
disconnecting a to-be-removed device from a live ipv6 dst: move the
fib6_info cleanup into ip6_dst_ifdown().
Tested running:
./pmtu.sh cleanup_ipv6_exception
in a tight loop for more than 400 iterations with no splat; running an
unpatched kernel I observed a splat every ~10 iterations.
Fixes: f88d8ea67fbd ("ipv6: Plumb support for nexthop object in a fib6_info")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/604c45c188c609b732286b47ac2a451a40f6cf6d.1730828007.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit eb02688c5c45c3e7af7e71f036a7144f5639cbfe)
[Harshit: Resolved conflict due to missing commit: e5f80fcf869a ("ipv6:
give an IPv6 dev to blackhole_netdev") and commit: b4cb4a1391dc ("net:
use unrcu_pointer() helper") in linux-5.15.y]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
net/ipv6/route.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index f8b2fdaef67f..f30a5b7d93f4 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -377,6 +377,7 @@ static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
struct inet6_dev *idev = rt->rt6i_idev;
struct net_device *loopback_dev =
dev_net(dev)->loopback_dev;
+ struct fib6_info *from;
if (idev && idev->dev != loopback_dev) {
struct inet6_dev *loopback_idev = in6_dev_get(loopback_dev);
@@ -385,6 +386,8 @@ static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
in6_dev_put(idev);
}
}
+ from = xchg((__force struct fib6_info **)&rt->from, NULL);
+ fib6_info_release(from);
}
static bool __rt6_check_expired(const struct rt6_info *rt)
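Review bot: in ip6_dst_ifdown() the xchg()/fib6_info_release() pair sits after the closing brace of the "if (idev && idev->dev != loopback_dev)" block, so it runs on every call, including when idev is NULL or already points at the loopback device. That matches the unconditional release removed from rt6_remove_exception(), but a blank line before "from = xchg(...)" and a one-line comment saying the originating fib6_info is dropped regardless of the idev swap would make the intent clear. The open-coded (__force struct fib6_info **) cast stands in for the unrcu_pointer() helper that the backport note says is missing in 5.15.y; a short comment to that effect would help anyone comparing this with newer trees.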
@@ -1443,7 +1446,6 @@ static DEFINE_SPINLOCK(rt6_exception_lock);
static void rt6_remove_exception(struct rt6_exception_bucket *bucket,
struct rt6_exception *rt6_ex)
{
- struct fib6_info *from;
struct net *net;
if (!bucket || !rt6_ex)
@@ -1455,8 +1457,6 @@ static void rt6_remove_exception(struct rt6_exception_bucket *bucket,
/* purge completely the exception to allow releasing the held resources:
* some [sk] cache may keep the dst around for unlimited time
*/
- from = xchg((__force struct fib6_info **)&rt6_ex->rt6i->from, NULL);
- fib6_info_release(from);
dst_dev_put(&rt6_ex->rt6i->dst);
hlist_del_rcu(&rt6_ex->hlist);
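Review bot: with the explicit xchg()/fib6_info_release() removed from rt6_remove_exception(), the retained comment "purge completely the exception to allow releasing the held resources" now depends on dst_dev_put() reaching ip6_dst_ifdown() to drop rt->from. That link is not visible in this function, so extending the comment to say the fib6_info is released through dst_dev_put() would keep the reasoning from being lost.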
--
2.47.1
* Re: [PATCH 5.15.y 2/6] bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
From: Sasha Levin @ 2025-04-15 21:43 UTC
To: stable; +Cc: Harshit Mogalapalli, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected.
No action required from the submitter.
The upstream commit SHA1 provided is correct: 78cfd17142ef70599d6409cbd709d94b3da58659
WARNING: Author mismatch between patch and upstream commit:
Backport author: Harshit Mogalapalli<harshit.m.mogalapalli@oracle.com>
Commit author: Michal Schmidt<mschmidt@redhat.com>
Status in newer kernel trees:
6.14.y | Present (exact SHA1)
6.13.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: a658f011d89d)
6.1.y | Present (different SHA1: 84d2f2915218)
Note: The patch differs from the upstream commit:
---
1: 78cfd17142ef7 ! 1: 2baf62a035300 bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
@@ Metadata
## Commit message ##
bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
+ commit 78cfd17142ef70599d6409cbd709d94b3da58659 upstream.
+
Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.
In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.
@@ Commit message
Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com
Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
+ Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ [Harshit: backport to 5.15.y, this is a clean cherrypick from 6.1.y
+ commit ]
+ Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
## drivers/infiniband/hw/bnxt_re/qplib_fp.c ##
@@ drivers/infiniband/hw/bnxt_re/qplib_fp.c: int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp)
@@ drivers/infiniband/hw/bnxt_re/qplib_fp.c: int bnxt_qplib_create_qp(struct bnxt_q
- hwq_attr.aux_depth = bnxt_qplib_set_sq_size(sq, qp->wqe_mode);
+ hwq_attr.aux_depth = psn_sz ? bnxt_qplib_set_sq_size(sq, qp->wqe_mode)
+ : 0;
- /* Update msn tbl size */
- if (BNXT_RE_HW_RETX(qp->dev_cap_flags) && psn_sz) {
- hwq_attr.aux_depth = roundup_pow_of_two(bnxt_qplib_set_sq_size(sq, qp->wqe_mode));
+ hwq_attr.type = HWQ_TYPE_QUEUE;
+ rc = bnxt_qplib_alloc_init_hwq(&sq->hwq, &hwq_attr);
+ if (rc)
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |
* Re: [PATCH 5.15.y 4/6] net: fix crash when config small gso_max_size/gso_ipv4_max_size
From: Sasha Levin @ 2025-04-15 21:43 UTC
To: stable; +Cc: Harshit Mogalapalli, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected.
No action required from the submitter.
The upstream commit SHA1 provided is correct: 9ab5cf19fb0e4680f95e506d6c544259bf1111c4
WARNING: Author mismatch between patch and upstream commit:
Backport author: Harshit Mogalapalli<harshit.m.mogalapalli@oracle.com>
Commit author: Wang Liang<wangliang74@huawei.com>
Status in newer kernel trees:
6.14.y | Present (exact SHA1)
6.13.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: ac5977001eee)
6.1.y | Present (different SHA1: e9365368b483)
Note: The patch differs from the upstream commit:
---
1: 9ab5cf19fb0e4 ! 1: 92a2aab3e8a99 net: fix crash when config small gso_max_size/gso_ipv4_max_size
@@ Metadata
## Commit message ##
net: fix crash when config small gso_max_size/gso_ipv4_max_size
+ [ Upstream commit 9ab5cf19fb0e4680f95e506d6c544259bf1111c4 ]
+
Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow
in sk_dst_gso_max_size(), which may trigger a BUG_ON crash,
because sk->sk_gso_max_size would be much bigger than device limits.
@@ Commit message
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20241023035213.517386-1-wangliang74@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+ [ Resolve minor conflicts to fix CVE-2024-50258 ]
+ Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+ Signed-off-by: Sasha Levin <sashal@kernel.org>
+ [Harshit: Clean cherrypick from 6.1.y commit]
+ Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
## net/core/rtnetlink.c ##
@@ net/core/rtnetlink.c: static const struct nla_policy ifla_policy[IFLA_MAX+1] = {
@@ net/core/rtnetlink.c: static const struct nla_policy ifla_policy[IFLA_MAX+1] = {
[IFLA_PHYS_PORT_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN },
[IFLA_CARRIER_CHANGES] = { .type = NLA_U32 }, /* ignored */
[IFLA_PHYS_SWITCH_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN },
-@@ net/core/rtnetlink.c: static const struct nla_policy ifla_policy[IFLA_MAX+1] = {
- [IFLA_TSO_MAX_SIZE] = { .type = NLA_REJECT },
- [IFLA_TSO_MAX_SEGS] = { .type = NLA_REJECT },
- [IFLA_ALLMULTI] = { .type = NLA_REJECT },
-- [IFLA_GSO_IPV4_MAX_SIZE] = { .type = NLA_U32 },
-+ [IFLA_GSO_IPV4_MAX_SIZE] = NLA_POLICY_MIN(NLA_U32, MAX_TCP_HEADER + 1),
- [IFLA_GRO_IPV4_MAX_SIZE] = { .type = NLA_U32 },
- };
-
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |
* Re: [PATCH 5.15.y 1/6] net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup
From: Sasha Levin @ 2025-04-15 21:43 UTC
To: stable; +Cc: Harshit Mogalapalli, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected.
No action required from the submitter.
The upstream commit SHA1 provided is correct: b6ecc662037694488bfff7c9fd21c405df8411f2
WARNING: Author mismatch between patch and upstream commit:
Backport author: Harshit Mogalapalli<harshit.m.mogalapalli@oracle.com>
Commit author: Souradeep Chakrabarti<schakrabarti@linux.microsoft.com>
Status in newer kernel trees:
6.14.y | Present (exact SHA1)
6.13.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 9e0bff4900b5)
6.1.y | Present (different SHA1: 9178eb8ebcd8)
Note: The patch differs from the upstream commit:
---
1: b6ecc66203769 ! 1: 63ebacf9b41b2 net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup
@@ Metadata
## Commit message ##
net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup
+ [ Upstream commit b6ecc662037694488bfff7c9fd21c405df8411f2 ]
+
Currently napi_disable() gets called during rxq and txq cleanup,
even before napi is enabled and hrtimer is initialized. It causes
kernel panic.
@@ Commit message
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: Shradha Gupta <shradhagupta@linux.microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
+ (cherry picked from commit b6ecc662037694488bfff7c9fd21c405df8411f2)
+ [Harshit: conflicts resolved due to missing commit: ed5356b53f07 ("net:
+ mana: Add XDP support") and commit: d356abb95b98 ("net: mana: Add
+ counter for XDP_TX") in 5.15.y]
+ Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+ ## drivers/net/ethernet/microsoft/mana/mana.h ##
+@@ drivers/net/ethernet/microsoft/mana/mana.h: struct mana_txq {
+
+ atomic_t pending_sends;
+
++ bool napi_initialized;
++
+ struct mana_stats stats;
+ };
+
## drivers/net/ethernet/microsoft/mana/mana_en.c ##
@@ drivers/net/ethernet/microsoft/mana/mana_en.c: static void mana_destroy_txq(struct mana_port_context *apc)
@@ drivers/net/ethernet/microsoft/mana/mana_en.c: static int mana_create_txq(struct
memset(&spec, 0, sizeof(spec));
@@ drivers/net/ethernet/microsoft/mana/mana_en.c: static int mana_create_txq(struct mana_port_context *apc,
- netif_napi_add_tx(net, &cq->napi, mana_poll);
+ netif_tx_napi_add(net, &cq->napi, mana_poll, NAPI_POLL_WEIGHT);
napi_enable(&cq->napi);
+ txq->napi_initialized = true;
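Review bot: The context in mana_create_txq differs from upstream in a way the backport note does not cover: 5.15.y has netif_tx_napi_add(net, &cq->napi, mana_poll, NAPI_POLL_WEIGHT) where upstream has netif_napi_add_tx(net, &cq->napi, mana_poll), while the [Harshit: ...] note attributes the conflicts only to the two XDP commits. Please list this API difference there too, so the next person comparing against upstream does not have to rediscover it.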
@@ drivers/net/ethernet/microsoft/mana/mana_en.c: static void mana_destroy_rxq(stru
napi_synchronize(napi);
- napi_disable(napi);
+- netif_napi_del(napi);
+ napi_disable(napi);
+ netif_napi_del(napi);
+ }
- xdp_rxq_info_unreg(&rxq->xdp_rxq);
-
-- netif_napi_del(napi);
--
mana_destroy_wq_obj(apc, GDMA_RQ, rxq->rxobj);
mana_deinit_cq(apc, &rxq->rx_cq);
-
- ## include/net/mana/mana.h ##
-@@ include/net/mana/mana.h: struct mana_txq {
-
- atomic_t pending_sends;
-
-+ bool napi_initialized;
-+
- struct mana_stats_tx stats;
- };
-
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.15.y | Success | Success |
* Re: [PATCH 5.15.y 5/6] filemap: Fix bounds checking in filemap_read()
2025-04-14 18:50 ` [PATCH 5.15.y 5/6] filemap: Fix bounds checking in filemap_read() Harshit Mogalapalli
@ 2025-04-15 21:43 ` Sasha Levin
0 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2025-04-15 21:43 UTC (permalink / raw)
To: stable; +Cc: Harshit Mogalapalli, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected.
No action required from the submitter.
The upstream commit SHA1 provided is correct: ace149e0830c380ddfce7e466fe860ca502fe4ee
WARNING: Author mismatch between patch and upstream commit:
Backport author: Harshit Mogalapalli<harshit.m.mogalapalli@oracle.com>
Commit author: Trond Myklebust<trond.myklebust@hammerspace.com>
Status in newer kernel trees:
6.14.y | Present (exact SHA1)
6.13.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: a2746ab3bbc9)
6.1.y | Present (different SHA1: 26530b757c81)
Note: The patch differs from the upstream commit:
---
1: ace149e0830c3 ! 1: dea76eb0a8d6e filemap: Fix bounds checking in filemap_read()
@@ Metadata
## Commit message ##
filemap: Fix bounds checking in filemap_read()
+ [ Upstream commit ace149e0830c380ddfce7e466fe860ca502fe4ee ]
+
If the caller supplies an iocb->ki_pos value that is close to the
filesystem upper limit, and an iterator with a count that causes us to
overflow that limit, then filemap_read() enters an infinite loop.
@@ Commit message
Tested-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+ (cherry picked from commit ace149e0830c380ddfce7e466fe860ca502fe4ee)
+ [Harshit: Minor conflict resolved due to missing commit: 25d6a23e8d28
+ ("filemap: Convert filemap_get_read_batch() to use a folio_batch") in
+ 5.15.y]
+ Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
## mm/filemap.c ##
@@ mm/filemap.c: ssize_t filemap_read(struct kiocb *iocb, struct iov_iter *iter,
@@ mm/filemap.c: ssize_t filemap_read(struct kiocb *iocb, struct iov_iter *iter,
- iov_iter_truncate(iter, inode->i_sb->s_maxbytes);
+ iov_iter_truncate(iter, inode->i_sb->s_maxbytes - iocb->ki_pos);
- folio_batch_init(&fbatch);
+ pagevec_init(&pvec);
do {
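Review bot: The new bound passed to iov_iter_truncate() in filemap_read(), inode->i_sb->s_maxbytes - iocb->ki_pos, is only a valid length when ki_pos is below s_maxbytes, and that precondition is not visible in this hunk's context. Please confirm that 5.15.y's filemap_read() rejects iocb->ki_pos >= s_maxbytes before this call. The pagevec_init(&pvec) context line in place of folio_batch_init(&fbatch) is the only difference from upstream shown here and does not affect the bound.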
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |
* Re: [PATCH 5.15.y 3/6] phonet/pep: fix racy skb_queue_empty() use
2025-04-14 18:50 ` [PATCH 5.15.y 3/6] phonet/pep: fix racy skb_queue_empty() use Harshit Mogalapalli
@ 2025-04-15 21:43 ` Sasha Levin
0 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2025-04-15 21:43 UTC (permalink / raw)
To: stable; +Cc: Harshit Mogalapalli, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected.
No action required from the submitter.
The upstream commit SHA1 provided is correct: 7d2a894d7f487dcb894df023e9d3014cf5b93fe5
WARNING: Author mismatch between patch and upstream commit:
Backport author: Harshit Mogalapalli<harshit.m.mogalapalli@oracle.com>
Commit author: Rémi Denis-Courmont<courmisch@gmail.com>
Status in newer kernel trees:
6.14.y | Present (exact SHA1)
6.13.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 0a9f558c72c4)
6.1.y | Present (different SHA1: 9d5523e065b5)
Note: The patch differs from the upstream commit:
---
1: 7d2a894d7f487 ! 1: cf507fe643590 phonet/pep: fix racy skb_queue_empty() use
@@ Metadata
## Commit message ##
phonet/pep: fix racy skb_queue_empty() use
+ [ Upstream commit 7d2a894d7f487dcb894df023e9d3014cf5b93fe5 ]
+
The receive queues are protected by their respective spin-lock, not
the socket lock. This could lead to skb_peek() unexpectedly
returning NULL or a pointer to an already dequeued socket buffer.
@@ Commit message
Signed-off-by: Rémi Denis-Courmont <courmisch@gmail.com>
Link: https://lore.kernel.org/r/20240218081214.4806-2-remi@remlab.net
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+ Signed-off-by: Sasha Levin <sashal@kernel.org>
+ [Harshit: backport to 5.15.y, clean cherrypick from 6.1.y commit]
+ Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
## net/phonet/pep.c ##
@@ net/phonet/pep.c: static int pep_sock_enable(struct sock *sk, struct sockaddr *addr, int len)
@@ net/phonet/pep.c: static int pep_sock_enable(struct sock *sk, struct sockaddr *a
+ return len;
+}
+
- static int pep_ioctl(struct sock *sk, int cmd, int *karg)
+ static int pep_ioctl(struct sock *sk, int cmd, unsigned long arg)
{
struct pep_sock *pn = pep_sk(sk);
-@@ net/phonet/pep.c: static int pep_ioctl(struct sock *sk, int cmd, int *karg)
+@@ net/phonet/pep.c: static int pep_ioctl(struct sock *sk, int cmd, unsigned long arg)
break;
}
- lock_sock(sk);
- if (sock_flag(sk, SOCK_URGINLINE) &&
- !skb_queue_empty(&pn->ctrlreq_queue))
-- *karg = skb_peek(&pn->ctrlreq_queue)->len;
+- answ = skb_peek(&pn->ctrlreq_queue)->len;
- else if (!skb_queue_empty(&sk->sk_receive_queue))
-- *karg = skb_peek(&sk->sk_receive_queue)->len;
+- answ = skb_peek(&sk->sk_receive_queue)->len;
- else
-- *karg = 0;
+- answ = 0;
- release_sock(sk);
-+ *karg = pep_first_packet_length(sk);
- ret = 0;
++ answ = pep_first_packet_length(sk);
+ ret = put_user(answ, (int __user *)arg);
break;
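Review bot: With lock_sock()/release_sock() removed around the queue checks in pep_ioctl(), the skb_peek() results are protected only by whatever pep_first_packet_length() does internally, and this range-diff shows only the helper's return len; tail. Please confirm the helper reads ->len while holding each queue's own spin-lock, which is what the commit message says protects the receive queues. The answ and put_user(answ, (int __user *)arg) form in place of *karg follows from the unsigned long arg signature in this tree and looks mechanical.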
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |
* Re: [PATCH 5.15.y 6/6] ipv6: release nexthop on device removal
2025-04-14 18:50 ` [PATCH 5.15.y 6/6] ipv6: release nexthop on device removal Harshit Mogalapalli
@ 2025-04-15 21:44 ` Sasha Levin
0 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2025-04-15 21:44 UTC (permalink / raw)
To: stable; +Cc: Harshit Mogalapalli, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected.
No action required from the submitter.
The upstream commit SHA1 provided is correct: eb02688c5c45c3e7af7e71f036a7144f5639cbfe
WARNING: Author mismatch between patch and upstream commit:
Backport author: Harshit Mogalapalli<harshit.m.mogalapalli@oracle.com>
Commit author: Paolo Abeni<pabeni@redhat.com>
Status in newer kernel trees:
6.14.y | Present (exact SHA1)
6.13.y | Present (exact SHA1)
6.12.y | Present (different SHA1: 0e4c6faaef8a)
6.6.y | Present (different SHA1: 43e25adc8026)
6.1.y | Present (different SHA1: b2f26a27ea3f)
Note: The patch differs from the upstream commit:
---
1: eb02688c5c45c ! 1: 47cc8122c9644 ipv6: release nexthop on device removal
@@ Metadata
## Commit message ##
ipv6: release nexthop on device removal
+ [ Upstream commit eb02688c5c45c3e7af7e71f036a7144f5639cbfe ]
+
The CI is hitting some aperiodic hangup at device removal time in the
pmtu.sh self-test:
@@ Commit message
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/604c45c188c609b732286b47ac2a451a40f6cf6d.1730828007.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+ (cherry picked from commit eb02688c5c45c3e7af7e71f036a7144f5639cbfe)
+ [Harshit: Resolved conflict due to missing commit: e5f80fcf869a ("ipv6:
+ give an IPv6 dev to blackhole_netdev") and commit: b4cb4a1391dc ("net:
+ use unrcu_pointer() helper") in linux-5.15.y]
+ Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
## net/ipv6/route.c ##
-@@ net/ipv6/route.c: static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
- {
- struct rt6_info *rt = dst_rt6_info(dst);
+@@ net/ipv6/route.c: static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
struct inet6_dev *idev = rt->rt6i_idev;
+ struct net_device *loopback_dev =
+ dev_net(dev)->loopback_dev;
+ struct fib6_info *from;
- if (idev && idev->dev != blackhole_netdev) {
- struct inet6_dev *blackhole_idev = in6_dev_get(blackhole_netdev);
-@@ net/ipv6/route.c: static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
+ if (idev && idev->dev != loopback_dev) {
+ struct inet6_dev *loopback_idev = in6_dev_get(loopback_dev);
+@@ net/ipv6/route.c: static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
in6_dev_put(idev);
}
}
-+ from = unrcu_pointer(xchg(&rt->from, NULL));
++ from = xchg((__force struct fib6_info **)&rt->from, NULL);
+ fib6_info_release(from);
}
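Review bot: In ip6_dst_ifdown() the added from = xchg((__force struct fib6_info **)&rt->from, NULL); followed by fib6_info_release(from); sits after the idev block and runs unconditionally, so from is NULL whenever rt->from was already cleared. The next hunk removes the same unconditional pair from rt6_remove_exception(), so the pattern is not new, but it does rely on fib6_info_release() accepting NULL; a line in the backport note confirming that for 5.15.y would help, next to the existing mention of the missing unrcu_pointer() helper.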
@@ net/ipv6/route.c: static void rt6_remove_exception(struct rt6_exception_bucket *
/* purge completely the exception to allow releasing the held resources:
* some [sk] cache may keep the dst around for unlimited time
*/
-- from = unrcu_pointer(xchg(&rt6_ex->rt6i->from, NULL));
+- from = xchg((__force struct fib6_info **)&rt6_ex->rt6i->from, NULL);
- fib6_info_release(from);
dst_dev_put(&rt6_ex->rt6i->dst);
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |