kernel: bump 6.6 to 6.6.102

Changelog: https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.102

Added backport to fix ipv6 breakage with the 6.12.42 release:
generic/backport-6.6/621-proc-fix-missing-pde_set_flags.patch[1]

All patches auto-refreshed.

1. https://lore.kernel.org/all/[email protected]

Link: https://github.com/openwrt/openwrt/pull/19876
Signed-off-by: Hauke Mehrtens <[email protected]>

target/linux/generic/backport-6.6/621-proc-fix-missing-pde_set_flags.patch

@@ -0,0 +1,121 @@
+From: wangzijie <[email protected]>
+To: <[email protected]>, <[email protected]>,
+	<[email protected]>, <[email protected]>,
+	<[email protected]>, <[email protected]>,
+	<[email protected]>, <[email protected]>,
+	<[email protected]>
+Cc: <[email protected]>, <[email protected]>,
+	<[email protected]>, <[email protected]>,
+	wangzijie <[email protected]>
+Subject: [PATCH v3] proc: fix missing pde_set_flags() for net proc files
+Date: Thu, 21 Aug 2025 18:58:06 +0800	[thread overview]
+Message-ID: <[email protected]> (raw)
+
+To avoid potential UAF issues during module removal races, we use pde_set_flags()
+to save proc_ops flags in PDE itself before proc_register(), and then use
+pde_has_proc_*() helpers instead of directly dereferencing pde->proc_ops->*.
+
+However, the pde_set_flags() call was missing when creating net related proc files.
+This omission caused incorrect behavior which FMODE_LSEEK was being cleared
+inappropriately in proc_reg_open() for net proc files. Lars reported it in this link[1].
+
+Fix this by ensuring pde_set_flags() is called when register proc entry, and add
+NULL check for proc_ops in pde_set_flags().
+
+[1]: https://lore.kernel.org/all/[email protected]/
+
+Fixes: ff7ec8dc1b64 ("proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al")
+Cc: [email protected]
+Reported-by: Lars Wendler <[email protected]>
+Signed-off-by: wangzijie <[email protected]>
+---
+v3:
+- followed by Christian's suggestion to stash pde->proc_ops in a local const variable
+v2:
+- followed by Jiri's suggestion to refractor code and reformat commit message
+---
+ fs/proc/generic.c | 38 +++++++++++++++++++++-----------------
+ 1 file changed, 21 insertions(+), 17 deletions(-)
+
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@ -362,6 +362,25 @@ static const struct inode_operations pro
+ 	.setattr	= proc_notify_change,
+ };
+ 
++static void pde_set_flags(struct proc_dir_entry *pde)
++{
++	const struct proc_ops *proc_ops = pde->proc_ops;
++
++	if (!proc_ops)
++		return;
++
++	if (proc_ops->proc_flags & PROC_ENTRY_PERMANENT)
++		pde->flags |= PROC_ENTRY_PERMANENT;
++	if (proc_ops->proc_read_iter)
++		pde->flags |= PROC_ENTRY_proc_read_iter;
++#ifdef CONFIG_COMPAT
++	if (proc_ops->proc_compat_ioctl)
++		pde->flags |= PROC_ENTRY_proc_compat_ioctl;
++#endif
++	if (proc_ops->proc_lseek)
++		pde->flags |= PROC_ENTRY_proc_lseek;
++}
++
+ /* returns the registered entry, or frees dp and returns NULL on failure */
+ struct proc_dir_entry *proc_register(struct proc_dir_entry *dir,
+ 		struct proc_dir_entry *dp)
+@@ -369,6 +388,8 @@ struct proc_dir_entry *proc_register(str
+ 	if (proc_alloc_inum(&dp->low_ino))
+ 		goto out_free_entry;
+ 
++	pde_set_flags(dp);
++
+ 	write_lock(&proc_subdir_lock);
+ 	dp->parent = dir;
+ 	if (pde_subdir_insert(dir, dp) == false) {
+@@ -557,20 +578,6 @@ struct proc_dir_entry *proc_create_reg(c
+ 	return p;
+ }
+ 
+-static void pde_set_flags(struct proc_dir_entry *pde)
+-{
+-	if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT)
+-		pde->flags |= PROC_ENTRY_PERMANENT;
+-	if (pde->proc_ops->proc_read_iter)
+-		pde->flags |= PROC_ENTRY_proc_read_iter;
+-#ifdef CONFIG_COMPAT
+-	if (pde->proc_ops->proc_compat_ioctl)
+-		pde->flags |= PROC_ENTRY_proc_compat_ioctl;
+-#endif
+-	if (pde->proc_ops->proc_lseek)
+-		pde->flags |= PROC_ENTRY_proc_lseek;
+-}
+-
+ struct proc_dir_entry *proc_create_data(const char *name, umode_t mode,
+ 		struct proc_dir_entry *parent,
+ 		const struct proc_ops *proc_ops, void *data)
+@@ -581,7 +588,6 @@ struct proc_dir_entry *proc_create_data(
+ 	if (!p)
+ 		return NULL;
+ 	p->proc_ops = proc_ops;
+-	pde_set_flags(p);
+ 	return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_data);
+@@ -632,7 +638,6 @@ struct proc_dir_entry *proc_create_seq_p
+ 	p->proc_ops = &proc_seq_ops;
+ 	p->seq_ops = ops;
+ 	p->state_size = state_size;
+-	pde_set_flags(p);
+ 	return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_seq_private);
+@@ -663,7 +668,6 @@ struct proc_dir_entry *proc_create_singl
+ 		return NULL;
+ 	p->proc_ops = &proc_single_ops;
+ 	p->single_show = show;
+-	pde_set_flags(p);
+ 	return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_single_data);

target/linux/generic/backport-6.6/624-v6.15-ppp-use-IFF_NO_QUEUE-in-virtual-interfaces.patch

@@ -47,7 +47,7 @@ Signed-off-by: Jakub Kicinski <[email protected]>
  		if (error) {
 --- a/drivers/net/ppp/pptp.c
 +++ b/drivers/net/ppp/pptp.c
-@@ -465,6 +465,7 @@ static int pptp_connect(struct socket *s
+@@ -469,6 +469,7 @@ static int pptp_connect(struct socket *s
  	po->chan.mtu -= PPTP_HEADER_OVERHEAD;
  
  	po->chan.hdrlen = 2 + sizeof(struct pptp_gre_header);

target/linux/generic/backport-6.6/770-v6.7-net-introduce-napi_is_scheduled-helper.patch

@@ -42,7 +42,7 @@ Signed-off-by: Paolo Abeni <[email protected]>
   *	@adap: the adapter
 --- a/drivers/net/wireless/realtek/rtw89/core.c
 +++ b/drivers/net/wireless/realtek/rtw89/core.c
-@@ -1744,7 +1744,7 @@ static void rtw89_core_rx_to_mac80211(st
+@@ -1749,7 +1749,7 @@ static void rtw89_core_rx_to_mac80211(st
  	struct napi_struct *napi = &rtwdev->napi;
  
  	/* In low power mode, napi isn't scheduled. Receive it to netif. */

target/linux/generic/hack-6.6/721-net-add-packet-mangeling.patch

@@ -60,7 +60,7 @@ Signed-off-by: Felix Fietkau <[email protected]>
   */
 --- a/include/linux/skbuff.h
 +++ b/include/linux/skbuff.h
-@@ -3098,6 +3098,10 @@ static inline int pskb_trim(struct sk_bu
+@@ -3121,6 +3121,10 @@ static inline int pskb_trim(struct sk_bu
  	return (len < skb->len) ? __pskb_trim(skb, len) : 0;
  }
  
@@ -71,7 +71,7 @@ Signed-off-by: Felix Fietkau <[email protected]>
  /**
   *	pskb_trim_unique - remove end from a paged unique (not cloned) buffer
   *	@skb: buffer to alter
-@@ -3263,16 +3267,6 @@ static inline struct sk_buff *dev_alloc_
+@@ -3286,16 +3290,6 @@ static inline struct sk_buff *dev_alloc_
  }
  
  

target/linux/generic/hack-6.6/904-debloat_dma_buf.patch

@@ -73,7 +73,7 @@ Signed-off-by: Felix Fietkau <[email protected]>
 +MODULE_LICENSE("GPL");
 --- a/kernel/sched/core.c
 +++ b/kernel/sched/core.c
-@@ -4486,6 +4486,7 @@ int wake_up_state(struct task_struct *p,
+@@ -4485,6 +4485,7 @@ int wake_up_state(struct task_struct *p,
  {
  	return try_to_wake_up(p, state, 0);
  }

target/linux/generic/kernel-6.6

@@ -1,2 +1,2 @@
-LINUX_VERSION-6.6 = .101
-LINUX_KERNEL_HASH-6.6.101 = 8c4ff2869736538b9b0d88ea8dbf0332b79c6ecc40a32066768a754df1fae1c0
+LINUX_VERSION-6.6 = .102
+LINUX_KERNEL_HASH-6.6.102 = 80d2feb7334c30bacbe1e7dafa9ea415efb2c0ea4f4740ecbd1467cf5d94de5c

target/linux/generic/pending-6.6/650-net-pppoe-implement-GRO-support.patch

@@ -230,7 +230,7 @@ Signed-off-by: Felix Fietkau <[email protected]>
  {
 --- a/net/ipv6/ip6_offload.c
 +++ b/net/ipv6/ip6_offload.c
-@@ -319,6 +319,7 @@ out:
+@@ -321,6 +321,7 @@ out:
  
  	return pp;
  }
@@ -238,7 +238,7 @@ Signed-off-by: Felix Fietkau <[email protected]>
  
  static struct sk_buff *sit_ip6ip6_gro_receive(struct list_head *head,
  					      struct sk_buff *skb)
-@@ -401,6 +402,7 @@ INDIRECT_CALLABLE_SCOPE int ipv6_gro_com
+@@ -403,6 +404,7 @@ INDIRECT_CALLABLE_SCOPE int ipv6_gro_com
  out:
  	return err;
  }

target/linux/generic/pending-6.6/655-increase_skb_pad.patch

@@ -9,7 +9,7 @@ Signed-off-by: Felix Fietkau <[email protected]>
 
 --- a/include/linux/skbuff.h
 +++ b/include/linux/skbuff.h
-@@ -3065,7 +3065,7 @@ static inline int pskb_network_may_pull(
+@@ -3088,7 +3088,7 @@ static inline int pskb_network_may_pull(
   * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
   */
  #ifndef NET_SKB_PAD

target/linux/generic/pending-6.6/670-ipv6-allow-rejecting-with-source-address-failed-policy.patch

@@ -185,7 +185,7 @@ Signed-off-by: Jonas Gorski <[email protected]>
  		cfg->fc_flags |= RTF_REJECT;
  
  	if (rtm->rtm_type == RTN_LOCAL)
-@@ -6341,6 +6372,8 @@ static int ip6_route_dev_notify(struct n
+@@ -6349,6 +6380,8 @@ static int ip6_route_dev_notify(struct n
  #ifdef CONFIG_IPV6_MULTIPLE_TABLES
  		net->ipv6.ip6_prohibit_entry->dst.dev = dev;
  		net->ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(dev);
@@ -194,7 +194,7 @@ Signed-off-by: Jonas Gorski <[email protected]>
  		net->ipv6.ip6_blk_hole_entry->dst.dev = dev;
  		net->ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(dev);
  #endif
-@@ -6352,6 +6385,7 @@ static int ip6_route_dev_notify(struct n
+@@ -6360,6 +6393,7 @@ static int ip6_route_dev_notify(struct n
  		in6_dev_put_clear(&net->ipv6.ip6_null_entry->rt6i_idev);
  #ifdef CONFIG_IPV6_MULTIPLE_TABLES
  		in6_dev_put_clear(&net->ipv6.ip6_prohibit_entry->rt6i_idev);
@@ -202,7 +202,7 @@ Signed-off-by: Jonas Gorski <[email protected]>
  		in6_dev_put_clear(&net->ipv6.ip6_blk_hole_entry->rt6i_idev);
  #endif
  	}
-@@ -6552,6 +6586,8 @@ static int __net_init ip6_route_net_init
+@@ -6560,6 +6594,8 @@ static int __net_init ip6_route_net_init
  
  #ifdef CONFIG_IPV6_MULTIPLE_TABLES
  	net->ipv6.fib6_has_custom_rules = false;
@@ -211,7 +211,7 @@ Signed-off-by: Jonas Gorski <[email protected]>
  	net->ipv6.ip6_prohibit_entry = kmemdup(&ip6_prohibit_entry_template,
  					       sizeof(*net->ipv6.ip6_prohibit_entry),
  					       GFP_KERNEL);
-@@ -6562,11 +6598,21 @@ static int __net_init ip6_route_net_init
+@@ -6570,11 +6606,21 @@ static int __net_init ip6_route_net_init
  			 ip6_template_metrics, true);
  	INIT_LIST_HEAD(&net->ipv6.ip6_prohibit_entry->dst.rt_uncached);
  
@@ -234,7 +234,7 @@ Signed-off-by: Jonas Gorski <[email protected]>
  	net->ipv6.ip6_blk_hole_entry->dst.ops = &net->ipv6.ip6_dst_ops;
  	dst_init_metrics(&net->ipv6.ip6_blk_hole_entry->dst,
  			 ip6_template_metrics, true);
-@@ -6593,6 +6639,8 @@ out:
+@@ -6601,6 +6647,8 @@ out:
  	return ret;
  
  #ifdef CONFIG_IPV6_MULTIPLE_TABLES
@@ -243,7 +243,7 @@ Signed-off-by: Jonas Gorski <[email protected]>
  out_ip6_prohibit_entry:
  	kfree(net->ipv6.ip6_prohibit_entry);
  out_ip6_null_entry:
-@@ -6612,6 +6660,7 @@ static void __net_exit ip6_route_net_exi
+@@ -6620,6 +6668,7 @@ static void __net_exit ip6_route_net_exi
  	kfree(net->ipv6.ip6_null_entry);
  #ifdef CONFIG_IPV6_MULTIPLE_TABLES
  	kfree(net->ipv6.ip6_prohibit_entry);
@@ -251,7 +251,7 @@ Signed-off-by: Jonas Gorski <[email protected]>
  	kfree(net->ipv6.ip6_blk_hole_entry);
  #endif
  	dst_entries_destroy(&net->ipv6.ip6_dst_ops);
-@@ -6695,6 +6744,9 @@ void __init ip6_route_init_special_entri
+@@ -6703,6 +6752,9 @@ void __init ip6_route_init_special_entri
  	init_net.ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
  	init_net.ipv6.ip6_blk_hole_entry->dst.dev = init_net.loopback_dev;
  	init_net.ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);

target/linux/generic/pending-6.6/701-netfilter-nf_tables-ignore-EOPNOTSUPP-on-flowtable-d.patch

@@ -18,7 +18,7 @@ Signed-off-by: Felix Fietkau <[email protected]>
 
 --- a/net/netfilter/nf_tables_api.c
 +++ b/net/netfilter/nf_tables_api.c
-@@ -8469,7 +8469,7 @@ static int nft_register_flowtable_net_ho
+@@ -8449,7 +8449,7 @@ static int nft_register_flowtable_net_ho
  		err = flowtable->data.type->setup(&flowtable->data,
  						  hook->ops.dev,
  						  FLOW_BLOCK_BIND);