5.10-stable patches

added patches:
	virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch
	xhci-disable-stream-for-xhc-controller-with-xhci_broken_streams.patch

diff --git a/queue-5.10/series b/queue-5.10/series
index 55efa18863bd69daf7f7c9e05d949e8b0acbef45..f1a0b560b47ba94b3add7ee310eafe7cdfb29d0a 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -50,3 +50,5 @@ usb-musb-fix-gadget-state-on-disconnect.patch
 usb-dwc3-qcom-don-t-leave-bcr-asserted.patch
 asoc-fsl_sai-force-a-software-reset-when-starting-in-consumer-mode.patch
 mm-vmalloc-leave-lazy-mmu-mode-on-pte-mapping-error.patch
+virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch
+xhci-disable-stream-for-xhc-controller-with-xhci_broken_streams.patch

diff --git a/queue-5.10/virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch b/queue-5.10/virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch
new file mode 100644 (file)
index 0000000..9c859fc
--- /dev/null
+++ b/queue-5.10/virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch
@@ -0,0 +1,112 @@
+From 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 Mon Sep 17 00:00:00 2001
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+Date: Mon, 30 Jun 2025 21:42:10 +0700
+Subject: virtio-net: ensure the received length does not exceed allocated size
+
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+
+commit 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 upstream.
+
+In xdp_linearize_page, when reading the following buffers from the ring,
+we forget to check the received length with the true allocate size. This
+can lead to an out-of-bound read. This commit adds that missing check.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 4941d472bf95 ("virtio-net: do not reset during XDP set")
+Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Link: https://patch.msgid.link/20250630144212.48471-2-minhquangbui99@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+[ adapted virtqueue_get_buf() to virtqueue_get_buf_ctx() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c |   38 ++++++++++++++++++++++++++++++++++----
+ 1 file changed, 34 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -394,6 +394,26 @@ static unsigned int mergeable_ctx_to_tru
+       return (unsigned long)mrg_ctx & ((1 << MRG_CTX_HEADER_SHIFT) - 1);
+ }
+ 
++static int check_mergeable_len(struct net_device *dev, void *mrg_ctx,
++                             unsigned int len)
++{
++      unsigned int headroom, tailroom, room, truesize;
++
++      truesize = mergeable_ctx_to_truesize(mrg_ctx);
++      headroom = mergeable_ctx_to_headroom(mrg_ctx);
++      tailroom = headroom ? sizeof(struct skb_shared_info) : 0;
++      room = SKB_DATA_ALIGN(headroom + tailroom);
++
++      if (len > truesize - room) {
++              pr_debug("%s: rx error: len %u exceeds truesize %lu\n",
++                       dev->name, len, (unsigned long)(truesize - room));
++              dev->stats.rx_length_errors++;
++              return -1;
++      }
++
++      return 0;
++}
++
+ /* Called from bottom half context */
+ static struct sk_buff *page_to_skb(struct virtnet_info *vi,
+                                  struct receive_queue *rq,
+@@ -639,7 +659,8 @@ static unsigned int virtnet_get_headroom
+  * across multiple buffers (num_buf > 1), and we make sure buffers
+  * have enough headroom.
+  */
+-static struct page *xdp_linearize_page(struct receive_queue *rq,
++static struct page *xdp_linearize_page(struct net_device *dev,
++                                     struct receive_queue *rq,
+                                      u16 *num_buf,
+                                      struct page *p,
+                                      int offset,
+@@ -659,18 +680,27 @@ static struct page *xdp_linearize_page(s
+       memcpy(page_address(page) + page_off, page_address(p) + offset, *len);
+       page_off += *len;
+ 
++      /* Only mergeable mode can go inside this while loop. In small mode,
++       * *num_buf == 1, so it cannot go inside.
++       */
+       while (--*num_buf) {
+               unsigned int buflen;
+               void *buf;
++              void *ctx;
+               int off;
+ 
+-              buf = virtqueue_get_buf(rq->vq, &buflen);
++              buf = virtqueue_get_buf_ctx(rq->vq, &buflen, &ctx);
+               if (unlikely(!buf))
+                       goto err_buf;
+ 
+               p = virt_to_head_page(buf);
+               off = buf - page_address(p);
+ 
++              if (check_mergeable_len(dev, ctx, buflen)) {
++                      put_page(p);
++                      goto err_buf;
++              }
++
+               /* guard against a misconfigured or uncooperative backend that
+                * is sending packet larger than the MTU.
+                */
+@@ -745,7 +775,7 @@ static struct sk_buff *receive_small(str
+                       headroom = vi->hdr_len + header_offset;
+                       buflen = SKB_DATA_ALIGN(GOOD_PACKET_LEN + headroom) +
+                                SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+-                      xdp_page = xdp_linearize_page(rq, &num_buf, page,
++                      xdp_page = xdp_linearize_page(dev, rq, &num_buf, page,
+                                                     offset, header_offset,
+                                                     &tlen);
+                       if (!xdp_page)
+@@ -916,7 +946,7 @@ static struct sk_buff *receive_mergeable
+               if (unlikely(num_buf > 1 ||
+                            headroom < virtnet_get_headroom(vi))) {
+                       /* linearize data for XDP */
+-                      xdp_page = xdp_linearize_page(rq, &num_buf,
++                      xdp_page = xdp_linearize_page(dev, rq, &num_buf,
+                                                     page, offset,
+                                                     VIRTIO_XDP_HEADROOM,
+                                                     &len);

diff --git a/queue-5.10/xhci-disable-stream-for-xhc-controller-with-xhci_broken_streams.patch b/queue-5.10/xhci-disable-stream-for-xhc-controller-with-xhci_broken_streams.patch
new file mode 100644 (file)
index 0000000..8715481
--- /dev/null
+++ b/queue-5.10/xhci-disable-stream-for-xhc-controller-with-xhci_broken_streams.patch
@@ -0,0 +1,35 @@
+From cd65ee81240e8bc3c3119b46db7f60c80864b90b Mon Sep 17 00:00:00 2001
+From: Hongyu Xie <xiehongyu1@kylinos.cn>
+Date: Fri, 27 Jun 2025 17:41:20 +0300
+Subject: xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS
+
+From: Hongyu Xie <xiehongyu1@kylinos.cn>
+
+commit cd65ee81240e8bc3c3119b46db7f60c80864b90b upstream.
+
+Disable stream for platform xHC controller with broken stream.
+
+Fixes: 14aec589327a6 ("storage: accept some UAS devices if streams are unavailable")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Hongyu Xie <xiehongyu1@kylinos.cn>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20250627144127.3889714-3-mathias.nyman@linux.intel.com
+[ removed xhci_get_usb3_hcd() call ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-plat.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -361,7 +361,8 @@ static int xhci_plat_probe(struct platfo
+       if (ret)
+               goto disable_usb_phy;
+ 
+-      if (HCC_MAX_PSA(xhci->hcc_params) >= 4)
++      if (HCC_MAX_PSA(xhci->hcc_params) >= 4 &&
++          !(xhci->quirks & XHCI_BROKEN_STREAMS))
+               xhci->shared_hcd->can_do_streams = 1;
+ 
+       ret = usb_add_hcd(xhci->shared_hcd, irq, IRQF_SHARED);