From: Greg Kroah-Hartman Date: Tue, 12 May 2026 12:49:45 +0000 (+0200) Subject: 5.10-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=44cf845440f9f89fdbce7089f08727fd323b2a75;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch spi-zynqmp-gqspi-fix-controller-deregistration.patch xfrm-provide-message-size-for-xfrm_msg_mapping.patch
---
diff --git a/queue-5.10/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch b/queue-5.10/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch
new file mode 100644
index 0000000000..6dd228bc4e
--- /dev/null
+++ b/queue-5.10/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch
@@ -0,0 +1,33 @@
+From 0a120d96166301d7a95be75b52f843837dbd1219 Mon Sep 17 00:00:00 2001
+From: Siwei Zhang
+Date: Wed, 15 Apr 2026 16:49:59 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
+
+From: Siwei Zhang
+
+commit 0a120d96166301d7a95be75b52f843837dbd1219 upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 80808e431e1e ("Bluetooth: Add l2cap_chan_ops abstraction")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1455,6 +1455,9 @@ static struct l2cap_chan *l2cap_sock_new
+ {
+ struct sock *sk, *parent = chan->data;
+
++ if (!parent)
++ return NULL;
++
+ lock_sock(parent);
+
+ /* Check for backlog size */
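Review bot: The new `if (!parent)` test in l2cap_sock_new_connection_cb() reads `chan->data` before `lock_sock(parent)`, and nothing visible in the hunk pins the socket between the two. The guard therefore covers a pointer that is already NULL, but not one that is cleared, or whose socket is released, just after the test. The `if (!sk)` guard in the l2cap_sock_state_change_cb() patch has the same shape ahead of `sk->sk_state = state;`. Whether the callers hold a lock that excludes that window cannot be seen here, since both function bodies continue outside their hunks. If they do, a comment such as `/* chan->data is NULL once the socket is gone; caller holds <lock to be named> */` would record the assumption; if not, the check needs to be paired with a reference on the socket taken under the lock that clears `chan->data`.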
diff --git a/queue-5.10/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch b/queue-5.10/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch
new file mode 100644
index 0000000000..d7c98d128b
--- /dev/null
+++ b/queue-5.10/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch
@@ -0,0 +1,33 @@
+From 2ff1a41a912de8517b4482e946dd951b7d80edbf Mon Sep 17 00:00:00 2001
+From: Siwei Zhang
+Date: Wed, 15 Apr 2026 16:51:36 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
+
+From: Siwei Zhang
+
+commit 2ff1a41a912de8517b4482e946dd951b7d80edbf upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 89bc500e41fc ("Bluetooth: Add state tracking to struct l2cap_chan")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1599,6 +1599,9 @@ static void l2cap_sock_state_change_cb(s
+ {
+ struct sock *sk = chan->data;
+
++ if (!sk)
++ return;
++
+ sk->sk_state = state;
+
+ if (err)
diff --git a/queue-5.10/ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch b/queue-5.10/ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch
new file mode 100644
index 0000000000..22d7660771
--- /dev/null
+++ b/queue-5.10/ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch
@@ -0,0 +1,50 @@
+From bc0fcb9823cd0894934cf968b525c575833d7078 Mon Sep 17 00:00:00 2001
+From: Yilin Zhu
+Date: Sun, 12 Apr 2026 13:07:54 +0800
+Subject: ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
+
+From: Yilin Zhu
+
+commit bc0fcb9823cd0894934cf968b525c575833d7078 upstream.
+
+xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not
+already have a dst attached. ip6_route_input_lookup() returns a
+referenced dst entry even when the lookup resolves to an error route.
+
+If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching
+the dst to the skb and without releasing the reference returned by the
+lookup. Repeated packets hitting this path therefore leak dst entries.
+
+Release the dst before jumping to the drop path.
+
+Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
+Cc: stable@kernel.org
+Reported-by: Yifan Wu
+Reported-by: Juefei Pu
+Co-developed-by: Yuan Tan
+Signed-off-by: Yuan Tan
+Suggested-by: Xin Liu
+Tested-by: Ruide Cao
+Signed-off-by: Yilin Zhu
+Signed-off-by: Ren Wei
+Reviewed-by: Simon Horman
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/xfrm6_protocol.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/xfrm6_protocol.c
++++ b/net/ipv6/xfrm6_protocol.c
+@@ -88,8 +88,10 @@ int xfrm6_rcv_encap(struct sk_buff *skb,
+
+ dst = ip6_route_input_lookup(dev_net(skb->dev), skb->dev, &fl6,
+ skb, flags);
+- if (dst->error)
++ if (dst->error) {
++ dst_release(dst);
+ goto drop;
++ }
+ skb_dst_set(skb, dst);
+ }
+
diff --git a/queue-5.10/series b/queue-5.10/series
index 4362d72dd8..d64d91a98c 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
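Review bot: The added `dst_release(dst);` in the `dst->error` branch of xfrm6_rcv_encap() carries no comment saying why an error route still needs a release; the reason is given only in the commit message. A line such as `/* the lookup returns a referenced dst even for an error route */` above the call would keep a later edit to this branch from reintroducing the leak. The function continues outside the hunk, so the `drop` label and any other exit between the lookup and `skb_dst_set()` cannot be checked from here.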
@@ -233,3 +233,8 @@ usb-omap_udc-dma-don-t-enable-burst-4-mode.patch
 usb-serial-option-add-telit-cinterion-le910cx-compositions.patch
 usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch
 alsa-firewire-tascam-do-not-drop-unread-control-events.patch
+xfrm-provide-message-size-for-xfrm_msg_mapping.patch
+ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch
+spi-zynqmp-gqspi-fix-controller-deregistration.patch
diff --git a/queue-5.10/spi-zynqmp-gqspi-fix-controller-deregistration.patch b/queue-5.10/spi-zynqmp-gqspi-fix-controller-deregistration.patch
new file mode 100644
index 0000000000..2d94c591e2
--- /dev/null
+++ b/queue-5.10/spi-zynqmp-gqspi-fix-controller-deregistration.patch
@@ -0,0 +1,44 @@
+From 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 10 Apr 2026 10:17:55 +0200
+Subject: spi: zynqmp-gqspi: fix controller deregistration
+
+From: Johan Hovold
+
+commit 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks during driver unbind.
+
+Fixes: dfe11a11d523 ("spi: Add support for Zynq Ultrascale+ MPSoC GQSPI controller")
+Cc: stable@vger.kernel.org # 4.2: 64640f6c972e
+Cc: stable@vger.kernel.org # 4.2
+Cc: Ranjit Waghmode
+Signed-off-by: Johan Hovold
+Link: https://patch.msgid.link/20260410081757.503099-26-johan@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-zynqmp-gqspi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-zynqmp-gqspi.c
++++ b/drivers/spi/spi-zynqmp-gqspi.c
+@@ -1175,7 +1175,7 @@ static int zynqmp_qspi_probe(struct plat
+ SPI_TX_DUAL | SPI_TX_QUAD;
+ ctlr->dev.of_node = np;
+
+- ret = devm_spi_register_controller(&pdev->dev, ctlr);
++ ret = spi_register_controller(ctlr);
+ if (ret) {
+ dev_err(&pdev->dev, "spi_register_controller failed\n");
+ goto clk_dis_all;
+@@ -1209,6 +1209,8 @@ static int zynqmp_qspi_remove(struct pla
+ {
+ struct zynqmp_qspi *xqspi = platform_get_drvdata(pdev);
+
++ spi_unregister_controller(xqspi->ctlr);
++
+ zynqmp_gqspi_write(xqspi, GQSPI_EN_OFST, 0x0);
+ clk_disable_unprepare(xqspi->refclk);
+ clk_disable_unprepare(xqspi->pclk);
diff --git a/queue-5.10/xfrm-provide-message-size-for-xfrm_msg_mapping.patch b/queue-5.10/xfrm-provide-message-size-for-xfrm_msg_mapping.patch
new file mode 100644
index 0000000000..02908e242b
--- /dev/null
+++ b/queue-5.10/xfrm-provide-message-size-for-xfrm_msg_mapping.patch
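Review bot: The added `spi_unregister_controller(xqspi->ctlr);` in zynqmp_qspi_remove() relies on `xqspi->ctlr` having been assigned in probe, which neither hunk shows. The patch's own `Cc: stable` trailer names 64640f6c972e as a prerequisite and the series hunk on this page does not add it, so it is worth confirming that commit is already in the 5.10 tree before this is applied. With the devm registration gone, any failure path in zynqmp_qspi_probe() that runs after `spi_register_controller()` succeeds would also have to unregister; only the registration-failure branch is visible and the rest of probe is outside the hunk. A short comment above the new call, for example `/* unregister first so no transfer can start once the clocks are off */`, would record the ordering the fix depends on.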
@@ -0,0 +1,40 @@
+From 28465227c80fe417b4013c432be1f3737cb9f9a3 Mon Sep 17 00:00:00 2001
+From: Ruijie Li
+Date: Wed, 29 Apr 2026 00:41:43 +0800
+Subject: xfrm: provide message size for XFRM_MSG_MAPPING
+
+From: Ruijie Li
+
+commit 28465227c80fe417b4013c432be1f3737cb9f9a3 upstream.
+
+The compat 64=>32 translation path handles XFRM_MSG_MAPPING, but
+xfrm_msg_min[] does not provide the native payload size for this
+message type.
+
+Add the missing XFRM_MSG_MAPPING entry so compat translation can size
+and translate mapping notifications correctly.
+
+Fixes: 5461fc0c8d9f ("xfrm/compat: Add 64=>32-bit messages translator")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan
+Reported-by: Yifan Wu
+Reported-by: Juefei Pu
+Reported-by: Xin Liu
+Signed-off-by: Ruijie Li
+Signed-off-by: Ren Wei
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/xfrm/xfrm_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -2727,6 +2727,7 @@ const int xfrm_msg_min[XFRM_NR_MSGTYPES]
+ [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = sizeof(u32),
+ [XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
+ [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
++ [XFRM_MSG_MAPPING - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_mapping),
+ [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
+ [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
+ };