From: Greg Kroah-Hartman Date: Mon, 13 Apr 2026 12:26:14 +0000 (+0200) Subject: 5.15-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a7e4e89738c5d04aafa48e5d87ca34e5a1670c3c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: arm64-dts-hisilicon-hi3798cv200-add-missing-dma-ranges.patch arm64-dts-hisilicon-poplar-correct-pcie-reset-gpio-polarity.patch batman-adv-reject-oversized-global-tt-response-buffers.patch drm-i915-gt-fix-refcount-underflow-in-intel_engine_park_heartbeat.patch mmc-vub300-fix-null-deref-on-disconnect.patch net-altera-tse-fix-skb-leak-on-dma-mapping-error-in-tse_start_xmit.patch net-qualcomm-qca_uart-report-the-consumed-byte-on-rx-skb-allocation-failure.patch net-stmmac-fix-integer-underflow-in-chain-mode.patch net-tls-fix-use-after-free-in-ebusy-error-path-of-tls_do_encryption.patch netfilter-nft_ct-fix-use-after-free-in-timeout-object-destroy.patch nfc-pn533-allocate-rx-skb-before-consuming-bytes.patch tipc-fix-bc_ackers-underflow-on-duplicate-grp_ack_msg.patch wifi-brcmsmac-fix-dma_free_coherent-size.patch --- diff --git a/queue-5.15/arm64-dts-hisilicon-hi3798cv200-add-missing-dma-ranges.patch b/queue-5.15/arm64-dts-hisilicon-hi3798cv200-add-missing-dma-ranges.patch new file mode 100644 index 0000000000..0f778922cb --- /dev/null +++ b/queue-5.15/arm64-dts-hisilicon-hi3798cv200-add-missing-dma-ranges.patch @@ -0,0 +1,35 @@ +From 1af997cad473d505248df6d9577183bb91f69670 Mon Sep 17 00:00:00 2001 +From: Shawn Guo +Date: Fri, 27 Feb 2026 15:22:10 +0800 +Subject: arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges + +From: Shawn Guo + +commit 1af997cad473d505248df6d9577183bb91f69670 upstream. + +Reboot starts failing on Poplar since commit 8424ecdde7df ("arm64: mm: +Set ZONE_DMA size based on devicetree's dma-ranges"), which effectively +changes zone_dma_bits from 30 to 32 for arm64 platforms that do not +properly define dma-ranges in device tree. It's unclear how Poplar reboot +gets broken by this change exactly, but a dma-ranges limiting zone_dma to +the first 1 GB fixes the regression. + +Fixes: 2f20182ed670 ("arm64: dts: hisilicon: add dts files for hi3798cv200-poplar board") +Cc: stable@vger.kernel.org +Signed-off-by: Shawn Guo +Signed-off-by: Wei Xu +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/hisilicon/hi3798cv200.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/boot/dts/hisilicon/hi3798cv200.dtsi ++++ b/arch/arm64/boot/dts/hisilicon/hi3798cv200.dtsi +@@ -81,6 +81,7 @@ + #address-cells = <1>; + #size-cells = <1>; + ranges = <0x0 0x0 0xf0000000 0x10000000>; ++ dma-ranges = <0x0 0x0 0x0 0x40000000>; + + crg: clock-reset-controller@8a22000 { + compatible = "hisilicon,hi3798cv200-crg", "syscon", "simple-mfd"; diff --git a/queue-5.15/arm64-dts-hisilicon-poplar-correct-pcie-reset-gpio-polarity.patch b/queue-5.15/arm64-dts-hisilicon-poplar-correct-pcie-reset-gpio-polarity.patch new file mode 100644 index 0000000000..f3653d71a3 --- /dev/null +++ b/queue-5.15/arm64-dts-hisilicon-poplar-correct-pcie-reset-gpio-polarity.patch @@ -0,0 +1,36 @@ +From c1f2b0f2b5e37b2c27540a175aea2755a3799433 Mon Sep 17 00:00:00 2001 +From: Shawn Guo +Date: Fri, 27 Feb 2026 15:19:58 +0800 +Subject: arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity + +From: Shawn Guo + +commit c1f2b0f2b5e37b2c27540a175aea2755a3799433 upstream. + +The PCIe reset GPIO on Poplar is actually active low. The active high +worked before because kernel driver didn't respect the setting from DT. +This is changed since commit 1d26a55fbeb9 ("PCI: histb: Switch to using +gpiod API"), and thus PCIe on Poplar got brken since then. + +Fix the problem by correcting the polarity. + +Fixes: 32fa01761bd9 ("arm64: dts: hi3798cv200: enable PCIe support for poplar board") +Cc: stable@vger.kernel.org +Signed-off-by: Shawn Guo +Signed-off-by: Wei Xu +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/hisilicon/hi3798cv200-poplar.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/hisilicon/hi3798cv200-poplar.dts ++++ b/arch/arm64/boot/dts/hisilicon/hi3798cv200-poplar.dts +@@ -179,7 +179,7 @@ + }; + + &pcie { +- reset-gpios = <&gpio4 4 GPIO_ACTIVE_HIGH>; ++ reset-gpios = <&gpio4 4 GPIO_ACTIVE_LOW>; + vpcie-supply = <®_pcie>; + status = "okay"; + }; diff --git a/queue-5.15/batman-adv-reject-oversized-global-tt-response-buffers.patch b/queue-5.15/batman-adv-reject-oversized-global-tt-response-buffers.patch new file mode 100644 index 0000000000..5054b5251d --- /dev/null +++ b/queue-5.15/batman-adv-reject-oversized-global-tt-response-buffers.patch @@ -0,0 +1,64 @@ +From 3a359bf5c61d52e7f09754108309d637532164a6 Mon Sep 17 00:00:00 2001 +From: Ruide Cao +Date: Thu, 2 Apr 2026 23:12:31 +0800 +Subject: batman-adv: reject oversized global TT response buffers + +From: Ruide Cao + +commit 3a359bf5c61d52e7f09754108309d637532164a6 upstream. + +batadv_tt_prepare_tvlv_global_data() builds the allocation length for a +global TT response in 16-bit temporaries. When a remote originator +advertises a large enough global TT, the TT payload length plus the VLAN +header offset can exceed 65535 and wrap before kmalloc(). + +The full-table response path still uses the original TT payload length when +it fills tt_change, so the wrapped allocation is too small and +batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object +before the later packet-size check runs. + +Fix this by rejecting TT responses whose TVLV value length cannot fit in +the 16-bit TVLV payload length field. + +Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific") +Cc: stable@vger.kernel.org +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Ruide Cao +Signed-off-by: Ren Wei +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/translation-table.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -844,8 +844,8 @@ batadv_tt_prepare_tvlv_global_data(struc + { + u16 num_vlan = 0; + u16 num_entries = 0; +- u16 change_offset; +- u16 tvlv_len; ++ u16 tvlv_len = 0; ++ unsigned int change_offset; + struct batadv_tvlv_tt_vlan_data *tt_vlan; + struct batadv_orig_node_vlan *vlan; + u8 *tt_change_ptr; +@@ -863,6 +863,11 @@ batadv_tt_prepare_tvlv_global_data(struc + if (*tt_len < 0) + *tt_len = batadv_tt_len(num_entries); + ++ if (change_offset > U16_MAX || *tt_len > U16_MAX - change_offset) { ++ *tt_len = 0; ++ goto out; ++ } ++ + tvlv_len = *tt_len; + tvlv_len += change_offset; + diff --git a/queue-5.15/drm-i915-gt-fix-refcount-underflow-in-intel_engine_park_heartbeat.patch b/queue-5.15/drm-i915-gt-fix-refcount-underflow-in-intel_engine_park_heartbeat.patch new file mode 100644 index 0000000000..3b083be7d9 --- /dev/null +++ b/queue-5.15/drm-i915-gt-fix-refcount-underflow-in-intel_engine_park_heartbeat.patch @@ -0,0 +1,119 @@ +From 4c71fd099513bfa8acab529b626e1f0097b76061 Mon Sep 17 00:00:00 2001 +From: Sebastian Brzezinka +Date: Wed, 1 Apr 2026 12:10:07 +0200 +Subject: drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat + +From: Sebastian Brzezinka + +commit 4c71fd099513bfa8acab529b626e1f0097b76061 upstream. + +A use-after-free / refcount underflow is possible when the heartbeat +worker and intel_engine_park_heartbeat() race to release the same +engine->heartbeat.systole request. + +The heartbeat worker reads engine->heartbeat.systole and calls +i915_request_put() on it when the request is complete, but clears +the pointer in a separate, non-atomic step. Concurrently, a request +retirement on another CPU can drop the engine wakeref to zero, triggering +__engine_park() -> intel_engine_park_heartbeat(). If the heartbeat +timer is pending at that point, cancel_delayed_work() returns true and +intel_engine_park_heartbeat() reads the stale non-NULL systole pointer +and calls i915_request_put() on it again, causing a refcount underflow: + +``` +<4> [487.221889] Workqueue: i915-unordered engine_retire [i915] +<4> [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0 +... +<4> [487.222707] Call Trace: +<4> [487.222711] +<4> [487.222716] intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915] +<4> [487.223115] intel_engine_park_heartbeat+0x25/0x40 [i915] +<4> [487.223566] __engine_park+0xb9/0x650 [i915] +<4> [487.223973] ____intel_wakeref_put_last+0x2e/0xb0 [i915] +<4> [487.224408] __intel_wakeref_put_last+0x72/0x90 [i915] +<4> [487.224797] intel_context_exit_engine+0x7c/0x80 [i915] +<4> [487.225238] intel_context_exit+0xf1/0x1b0 [i915] +<4> [487.225695] i915_request_retire.part.0+0x1b9/0x530 [i915] +<4> [487.226178] i915_request_retire+0x1c/0x40 [i915] +<4> [487.226625] engine_retire+0x122/0x180 [i915] +<4> [487.227037] process_one_work+0x239/0x760 +<4> [487.227060] worker_thread+0x200/0x3f0 +<4> [487.227068] ? __pfx_worker_thread+0x10/0x10 +<4> [487.227075] kthread+0x10d/0x150 +<4> [487.227083] ? __pfx_kthread+0x10/0x10 +<4> [487.227092] ret_from_fork+0x3d4/0x480 +<4> [487.227099] ? __pfx_kthread+0x10/0x10 +<4> [487.227107] ret_from_fork_asm+0x1a/0x30 +<4> [487.227141] +``` + +Fix this by replacing the non-atomic pointer read + separate clear with +xchg() in both racing paths. xchg() is a single indivisible hardware +instruction that atomically reads the old pointer and writes NULL. This +guarantees only one of the two concurrent callers obtains the non-NULL +pointer and performs the put, the other gets NULL and skips it. + +Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/15880 +Fixes: 058179e72e09 ("drm/i915/gt: Replace hangcheck by heartbeats") +Cc: # v5.5+ +Signed-off-by: Sebastian Brzezinka +Reviewed-by: Krzysztof Karas +Reviewed-by: Andi Shyti +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/d4c1c14255688dd07cc8044973c4f032a8d1559e.1775038106.git.sebastian.brzezinka@intel.com +(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gt/intel_engine_heartbeat.c | 26 +++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/i915/gt/intel_engine_heartbeat.c ++++ b/drivers/gpu/drm/i915/gt/intel_engine_heartbeat.c +@@ -116,10 +116,12 @@ static void heartbeat(struct work_struct + /* Just in case everything has gone horribly wrong, give it a kick */ + intel_engine_flush_submission(engine); + +- rq = engine->heartbeat.systole; +- if (rq && i915_request_completed(rq)) { +- i915_request_put(rq); +- engine->heartbeat.systole = NULL; ++ rq = xchg(&engine->heartbeat.systole, NULL); ++ if (rq) { ++ if (i915_request_completed(rq)) ++ i915_request_put(rq); ++ else ++ engine->heartbeat.systole = rq; + } + + if (!intel_engine_pm_get_if_awake(engine)) +@@ -200,8 +202,11 @@ static void heartbeat(struct work_struct + unlock: + mutex_unlock(&ce->timeline->mutex); + out: +- if (!engine->i915->params.enable_hangcheck || !next_heartbeat(engine)) +- i915_request_put(fetch_and_zero(&engine->heartbeat.systole)); ++ if (!engine->i915->params.enable_hangcheck || !next_heartbeat(engine)) { ++ rq = xchg(&engine->heartbeat.systole, NULL); ++ if (rq) ++ i915_request_put(rq); ++ } + intel_engine_pm_put(engine); + } + +@@ -215,8 +220,13 @@ void intel_engine_unpark_heartbeat(struc + + void intel_engine_park_heartbeat(struct intel_engine_cs *engine) + { +- if (cancel_delayed_work(&engine->heartbeat.work)) +- i915_request_put(fetch_and_zero(&engine->heartbeat.systole)); ++ if (cancel_delayed_work(&engine->heartbeat.work)) { ++ struct i915_request *rq; ++ ++ rq = xchg(&engine->heartbeat.systole, NULL); ++ if (rq) ++ i915_request_put(rq); ++ } + } + + void intel_gt_unpark_heartbeats(struct intel_gt *gt) diff --git a/queue-5.15/mmc-vub300-fix-null-deref-on-disconnect.patch b/queue-5.15/mmc-vub300-fix-null-deref-on-disconnect.patch new file mode 100644 index 0000000000..d935f97626 --- /dev/null +++ b/queue-5.15/mmc-vub300-fix-null-deref-on-disconnect.patch @@ -0,0 +1,34 @@ +From dff34ef879c5e73298443956a8b391311ba78d57 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 27 Mar 2026 11:52:05 +0100 +Subject: mmc: vub300: fix NULL-deref on disconnect + +From: Johan Hovold + +commit dff34ef879c5e73298443956a8b391311ba78d57 upstream. + +Make sure to deregister the controller before dropping the reference to +the driver data on disconnect to avoid NULL-pointer dereferences or +use-after-free. + +Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver") +Cc: stable@vger.kernel.org # 3.0+ +Signed-off-by: Johan Hovold +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/vub300.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/vub300.c ++++ b/drivers/mmc/host/vub300.c +@@ -2371,8 +2371,8 @@ static void vub300_disconnect(struct usb + usb_set_intfdata(interface, NULL); + /* prevent more I/O from starting */ + vub300->interface = NULL; +- kref_put(&vub300->kref, vub300_delete); + mmc_remove_host(mmc); ++ kref_put(&vub300->kref, vub300_delete); + pr_info("USB vub300 remote SDIO host controller[%d]" + " now disconnected", ifnum); + return; diff --git a/queue-5.15/net-altera-tse-fix-skb-leak-on-dma-mapping-error-in-tse_start_xmit.patch b/queue-5.15/net-altera-tse-fix-skb-leak-on-dma-mapping-error-in-tse_start_xmit.patch new file mode 100644 index 0000000000..a565247286 --- /dev/null +++ b/queue-5.15/net-altera-tse-fix-skb-leak-on-dma-mapping-error-in-tse_start_xmit.patch @@ -0,0 +1,36 @@ +From 6dede3967619b5944003227a5d09fdc21ed57d10 Mon Sep 17 00:00:00 2001 +From: David Carlier +Date: Wed, 1 Apr 2026 22:12:18 +0100 +Subject: net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit() + +From: David Carlier + +commit 6dede3967619b5944003227a5d09fdc21ed57d10 upstream. + +When dma_map_single() fails in tse_start_xmit(), the function returns +NETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the +stack the packet was consumed, the skb is never freed, leaking memory +on every DMA mapping failure. + +Add dev_kfree_skb_any() before returning to properly free the skb. + +Fixes: bbd2190ce96d ("Altera TSE: Add main and header file for Altera Ethernet Driver") +Cc: stable@vger.kernel.org +Signed-off-by: David Carlier +Link: https://patch.msgid.link/20260401211218.279185-1-devnexen@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/altera/altera_tse_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/altera/altera_tse_main.c ++++ b/drivers/net/ethernet/altera/altera_tse_main.c +@@ -591,6 +591,7 @@ static netdev_tx_t tse_start_xmit(struct + DMA_TO_DEVICE); + if (dma_mapping_error(priv->device, dma_addr)) { + netdev_err(priv->dev, "%s: DMA mapping error\n", __func__); ++ dev_kfree_skb_any(skb); + ret = NETDEV_TX_OK; + goto out; + } diff --git a/queue-5.15/net-qualcomm-qca_uart-report-the-consumed-byte-on-rx-skb-allocation-failure.patch b/queue-5.15/net-qualcomm-qca_uart-report-the-consumed-byte-on-rx-skb-allocation-failure.patch new file mode 100644 index 0000000000..ec5f7840c6 --- /dev/null +++ b/queue-5.15/net-qualcomm-qca_uart-report-the-consumed-byte-on-rx-skb-allocation-failure.patch @@ -0,0 +1,46 @@ +From b76254c55dc8f23edc089027dd3f8792554c69fb Mon Sep 17 00:00:00 2001 +From: Pengpeng Hou +Date: Thu, 2 Apr 2026 15:12:07 +0800 +Subject: net: qualcomm: qca_uart: report the consumed byte on RX skb allocation failure + +From: Pengpeng Hou + +commit b76254c55dc8f23edc089027dd3f8792554c69fb upstream. + +qca_tty_receive() consumes each input byte before checking whether a +completed frame needs a fresh receive skb. When the current byte completes +a frame, the driver delivers that frame and then allocates a new skb for +the next one. + +If that allocation fails, the current code returns i even though data[i] +has already been consumed and may already have completed the delivered +frame. Since serdev interprets the return value as the number of accepted +bytes, this under-reports progress by one byte and can replay the final +byte of the completed frame into a fresh parser state on the next call. + +Return i + 1 in that failure path so the accepted-byte count matches the +actual receive-state progress. + +Fixes: dfc768fbe618 ("net: qualcomm: add QCA7000 UART driver") +Cc: stable@vger.kernel.org +Signed-off-by: Pengpeng Hou +Reviewed-by: Stefan Wahren +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260402071207.4036-1-pengpeng@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qualcomm/qca_uart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qualcomm/qca_uart.c ++++ b/drivers/net/ethernet/qualcomm/qca_uart.c +@@ -115,7 +115,7 @@ qca_tty_receive(struct serdev_device *se + if (!qca->rx_skb) { + netdev_dbg(netdev, "recv: out of RX resources\n"); + n_stats->rx_errors++; +- return i; ++ return i + 1; + } + } + } diff --git a/queue-5.15/net-stmmac-fix-integer-underflow-in-chain-mode.patch b/queue-5.15/net-stmmac-fix-integer-underflow-in-chain-mode.patch new file mode 100644 index 0000000000..cb8c730244 --- /dev/null +++ b/queue-5.15/net-stmmac-fix-integer-underflow-in-chain-mode.patch @@ -0,0 +1,80 @@ +From 51f4e090b9f87b40c21b6daadb5c06e6c0a07b67 Mon Sep 17 00:00:00 2001 +From: Tyllis Xu +Date: Tue, 31 Mar 2026 23:47:07 -0500 +Subject: net: stmmac: fix integer underflow in chain mode + +From: Tyllis Xu + +commit 51f4e090b9f87b40c21b6daadb5c06e6c0a07b67 upstream. + +The jumbo_frm() chain-mode implementation unconditionally computes + + len = nopaged_len - bmax; + +where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is +BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() +decides to invoke jumbo_frm() based on skb->len (total length including +page fragments): + + is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc); + +When a packet has a small linear portion (nopaged_len <= bmax) but a +large total length due to page fragments (skb->len > bmax), the +subtraction wraps as an unsigned integer, producing a huge len value +(~0xFFFFxxxx). This causes the while (len != 0) loop to execute +hundreds of thousands of iterations, passing skb->data + bmax * i +pointers far beyond the skb buffer to dma_map_single(). On IOMMU-less +SoCs (the typical deployment for stmmac), this maps arbitrary kernel +memory to the DMA engine, constituting a kernel memory disclosure and +potential memory corruption from hardware. + +Fix this by introducing a buf_len local variable clamped to +min(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then +always safe: it is zero when the linear portion fits within a single +descriptor, causing the while (len != 0) loop to be skipped naturally, +and the fragment loop in stmmac_xmit() handles page fragments afterward. + +Fixes: 286a83721720 ("stmmac: add CHAINED descriptor mode support (V4)") +Cc: stable@vger.kernel.org +Signed-off-by: Tyllis Xu +Link: https://patch.msgid.link/20260401044708.1386919-1-LivelyCarpet87@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/chain_mode.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/chain_mode.c ++++ b/drivers/net/ethernet/stmicro/stmmac/chain_mode.c +@@ -20,7 +20,7 @@ static int jumbo_frm(void *p, struct sk_ + unsigned int nopaged_len = skb_headlen(skb); + struct stmmac_priv *priv = tx_q->priv_data; + unsigned int entry = tx_q->cur_tx; +- unsigned int bmax, des2; ++ unsigned int bmax, buf_len, des2; + unsigned int i = 1, len; + struct dma_desc *desc; + +@@ -31,17 +31,18 @@ static int jumbo_frm(void *p, struct sk_ + else + bmax = BUF_SIZE_2KiB; + +- len = nopaged_len - bmax; ++ buf_len = min_t(unsigned int, nopaged_len, bmax); ++ len = nopaged_len - buf_len; + + des2 = dma_map_single(priv->device, skb->data, +- bmax, DMA_TO_DEVICE); ++ buf_len, DMA_TO_DEVICE); + desc->des2 = cpu_to_le32(des2); + if (dma_mapping_error(priv->device, des2)) + return -1; + tx_q->tx_skbuff_dma[entry].buf = des2; +- tx_q->tx_skbuff_dma[entry].len = bmax; ++ tx_q->tx_skbuff_dma[entry].len = buf_len; + /* do not close the descriptor and do not set own bit */ +- stmmac_prepare_tx_desc(priv, desc, 1, bmax, csum, STMMAC_CHAIN_MODE, ++ stmmac_prepare_tx_desc(priv, desc, 1, buf_len, csum, STMMAC_CHAIN_MODE, + 0, false, skb->len); + + while (len != 0) { diff --git a/queue-5.15/net-tls-fix-use-after-free-in-ebusy-error-path-of-tls_do_encryption.patch b/queue-5.15/net-tls-fix-use-after-free-in-ebusy-error-path-of-tls_do_encryption.patch new file mode 100644 index 0000000000..d490122901 --- /dev/null +++ b/queue-5.15/net-tls-fix-use-after-free-in-ebusy-error-path-of-tls_do_encryption.patch @@ -0,0 +1,64 @@ +From a9b8b18364fffce4c451e6f6fd218fa4ab646705 Mon Sep 17 00:00:00 2001 +From: Muhammad Alifa Ramdhan +Date: Fri, 3 Apr 2026 09:36:17 +0800 +Subject: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption + +From: Muhammad Alifa Ramdhan + +commit a9b8b18364fffce4c451e6f6fd218fa4ab646705 upstream. + +The -EBUSY handling in tls_do_encryption(), introduced by commit +859054147318 ("net: tls: handle backlogging of crypto requests"), has +a use-after-free due to double cleanup of encrypt_pending and the +scatterlist entry. + +When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to +the cryptd backlog and the async callback tls_encrypt_done() will be +invoked upon completion. That callback unconditionally restores the +scatterlist entry (sge->offset, sge->length) and decrements +ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an +error, the synchronous error path in tls_do_encryption() performs the +same cleanup again, double-decrementing encrypt_pending and +double-restoring the scatterlist. + +The double-decrement corrupts the encrypt_pending sentinel (initialized +to 1), making tls_encrypt_async_wait() permanently skip the wait for +pending async callbacks. A subsequent sendmsg can then free the +tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still +pending, resulting in a use-after-free when the callback fires on the +freed record. + +Fix this by skipping the synchronous cleanup when the -EBUSY async +wait returns an error, since the callback has already handled +encrypt_pending and sge restoration. + +Fixes: 859054147318 ("net: tls: handle backlogging of crypto requests") +Cc: stable@vger.kernel.org +Signed-off-by: Muhammad Alifa Ramdhan +Reviewed-by: Sabrina Dubroca +Link: https://patch.msgid.link/20260403013617.2838875-1-ramdhan@starlabs.sg +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_sw.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -568,6 +568,16 @@ static int tls_do_encryption(struct sock + if (rc == -EBUSY) { + rc = tls_encrypt_async_wait(ctx); + rc = rc ?: -EINPROGRESS; ++ /* ++ * The async callback tls_encrypt_done() has already ++ * decremented encrypt_pending and restored the sge on ++ * both success and error. Skip the synchronous cleanup ++ * below on error, just remove the record and return. ++ */ ++ if (rc != -EINPROGRESS) { ++ list_del(&rec->list); ++ return rc; ++ } + } + if (!rc || rc != -EINPROGRESS) { + atomic_dec(&ctx->encrypt_pending); diff --git a/queue-5.15/netfilter-nft_ct-fix-use-after-free-in-timeout-object-destroy.patch b/queue-5.15/netfilter-nft_ct-fix-use-after-free-in-timeout-object-destroy.patch new file mode 100644 index 0000000000..6727d505b8 --- /dev/null +++ b/queue-5.15/netfilter-nft_ct-fix-use-after-free-in-timeout-object-destroy.patch @@ -0,0 +1,73 @@ +From f8dca15a1b190787bbd03285304b569631160eda Mon Sep 17 00:00:00 2001 +From: Tuan Do +Date: Fri, 3 Apr 2026 00:33:17 -0700 +Subject: netfilter: nft_ct: fix use-after-free in timeout object destroy + +From: Tuan Do + +commit f8dca15a1b190787bbd03285304b569631160eda upstream. + +nft_ct_timeout_obj_destroy() frees the timeout object with kfree() +immediately after nf_ct_untimeout(), without waiting for an RCU grace +period. Concurrent packet processing on other CPUs may still hold +RCU-protected references to the timeout object obtained via +rcu_dereference() in nf_ct_timeout_data(). + +Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer +freeing until after an RCU grace period, matching the approach already +used in nfnetlink_cttimeout.c. + +KASAN report: + BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0 + Read of size 4 at addr ffff8881035fe19c by task exploit/80 + + Call Trace: + nf_conntrack_tcp_packet+0x1381/0x29d0 + nf_conntrack_in+0x612/0x8b0 + nf_hook_slow+0x70/0x100 + __ip_local_out+0x1b2/0x210 + tcp_sendmsg_locked+0x722/0x1580 + __sys_sendto+0x2d8/0x320 + + Allocated by task 75: + nft_ct_timeout_obj_init+0xf6/0x290 + nft_obj_init+0x107/0x1b0 + nf_tables_newobj+0x680/0x9c0 + nfnetlink_rcv_batch+0xc29/0xe00 + + Freed by task 26: + nft_obj_destroy+0x3f/0xa0 + nf_tables_trans_destroy_work+0x51c/0x5c0 + process_one_work+0x2c4/0x5a0 + +Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support") +Cc: stable@vger.kernel.org +Signed-off-by: Tuan Do +Signed-off-by: Florian Westphal +Signed-off-by: Greg Kroah-Hartman +--- + include/net/netfilter/nf_conntrack_timeout.h | 1 + + net/netfilter/nft_ct.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/include/net/netfilter/nf_conntrack_timeout.h ++++ b/include/net/netfilter/nf_conntrack_timeout.h +@@ -14,6 +14,7 @@ + struct nf_ct_timeout { + __u16 l3num; + const struct nf_conntrack_l4proto *l4proto; ++ struct rcu_head rcu; + char data[]; + }; + +--- a/net/netfilter/nft_ct.c ++++ b/net/netfilter/nft_ct.c +@@ -935,7 +935,7 @@ static void nft_ct_timeout_obj_destroy(c + nf_queue_nf_hook_drop(ctx->net); + nf_ct_untimeout(ctx->net, timeout); + nf_ct_netns_put(ctx->net, ctx->family); +- kfree(priv->timeout); ++ kfree_rcu(priv->timeout, rcu); + } + + static int nft_ct_timeout_obj_dump(struct sk_buff *skb, diff --git a/queue-5.15/nfc-pn533-allocate-rx-skb-before-consuming-bytes.patch b/queue-5.15/nfc-pn533-allocate-rx-skb-before-consuming-bytes.patch new file mode 100644 index 0000000000..2a27e08bc6 --- /dev/null +++ b/queue-5.15/nfc-pn533-allocate-rx-skb-before-consuming-bytes.patch @@ -0,0 +1,59 @@ +From c71ba669b570c7b3f86ec875be222ea11dacb352 Mon Sep 17 00:00:00 2001 +From: Pengpeng Hou +Date: Sun, 5 Apr 2026 08:40:00 +0800 +Subject: nfc: pn533: allocate rx skb before consuming bytes + +From: Pengpeng Hou + +commit c71ba669b570c7b3f86ec875be222ea11dacb352 upstream. + +pn532_receive_buf() reports the number of accepted bytes to the serdev +core. The current code consumes bytes into recv_skb and may already hand +a complete frame to pn533_recv_frame() before allocating a fresh receive +buffer. + +If that alloc_skb() fails, the callback returns 0 even though it has +already consumed bytes, and it leaves recv_skb as NULL for the next +receive callback. That breaks the receive_buf() accounting contract and +can also lead to a NULL dereference on the next skb_put_u8(). + +Allocate the receive skb lazily before consuming the next byte instead. +If allocation fails, return the number of bytes already accepted. + +Fixes: c656aa4c27b1 ("nfc: pn533: add UART phy driver") +Cc: stable@vger.kernel.org +Signed-off-by: Pengpeng Hou +Link: https://patch.msgid.link/20260405094003.3-pn533-v2-pengpeng@iscas.ac.cn +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/pn533/uart.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/nfc/pn533/uart.c ++++ b/drivers/nfc/pn533/uart.c +@@ -211,6 +211,13 @@ static int pn532_receive_buf(struct serd + + del_timer(&dev->cmd_timeout); + for (i = 0; i < count; i++) { ++ if (!dev->recv_skb) { ++ dev->recv_skb = alloc_skb(PN532_UART_SKB_BUFF_LEN, ++ GFP_KERNEL); ++ if (!dev->recv_skb) ++ return i; ++ } ++ + if (unlikely(!skb_tailroom(dev->recv_skb))) + skb_trim(dev->recv_skb, 0); + +@@ -219,9 +226,7 @@ static int pn532_receive_buf(struct serd + continue; + + pn533_recv_frame(dev->priv, dev->recv_skb, 0); +- dev->recv_skb = alloc_skb(PN532_UART_SKB_BUFF_LEN, GFP_KERNEL); +- if (!dev->recv_skb) +- return 0; ++ dev->recv_skb = NULL; + } + + return i; diff --git a/queue-5.15/series b/queue-5.15/series index eb39617ccc..0a01ff2a29 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -523,3 +523,16 @@ apparmor-fix-unprivileged-local-user-can-do-privileged-policy-management.patch apparmor-fix-differential-encoding-verification.patch apparmor-fix-race-on-rawdata-dereference.patch apparmor-fix-race-between-freeing-data-and-fs-accessing-it.patch +netfilter-nft_ct-fix-use-after-free-in-timeout-object-destroy.patch +tipc-fix-bc_ackers-underflow-on-duplicate-grp_ack_msg.patch +wifi-brcmsmac-fix-dma_free_coherent-size.patch +arm64-dts-hisilicon-poplar-correct-pcie-reset-gpio-polarity.patch +arm64-dts-hisilicon-hi3798cv200-add-missing-dma-ranges.patch +nfc-pn533-allocate-rx-skb-before-consuming-bytes.patch +batman-adv-reject-oversized-global-tt-response-buffers.patch +net-tls-fix-use-after-free-in-ebusy-error-path-of-tls_do_encryption.patch +net-altera-tse-fix-skb-leak-on-dma-mapping-error-in-tse_start_xmit.patch +drm-i915-gt-fix-refcount-underflow-in-intel_engine_park_heartbeat.patch +mmc-vub300-fix-null-deref-on-disconnect.patch +net-qualcomm-qca_uart-report-the-consumed-byte-on-rx-skb-allocation-failure.patch +net-stmmac-fix-integer-underflow-in-chain-mode.patch diff --git a/queue-5.15/tipc-fix-bc_ackers-underflow-on-duplicate-grp_ack_msg.patch b/queue-5.15/tipc-fix-bc_ackers-underflow-on-duplicate-grp_ack_msg.patch new file mode 100644 index 0000000000..9f3b2f93f1 --- /dev/null +++ b/queue-5.15/tipc-fix-bc_ackers-underflow-on-duplicate-grp_ack_msg.patch @@ -0,0 +1,57 @@ +From 48a5fe38772b6f039522469ee6131a67838221a8 Mon Sep 17 00:00:00 2001 +From: Oleh Konko +Date: Thu, 2 Apr 2026 09:48:57 +0000 +Subject: tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG + +From: Oleh Konko + +commit 48a5fe38772b6f039522469ee6131a67838221a8 upstream. + +The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements +bc_ackers on every inbound group ACK, even when the same member has +already acknowledged the current broadcast round. + +Because bc_ackers is a u16, a duplicate ACK received after the last +legitimate ACK wraps the counter to 65535. Once wrapped, +tipc_group_bc_cong() keeps reporting congestion and later group +broadcasts on the affected socket stay blocked until the group is +recreated. + +Fix this by ignoring duplicate or stale ACKs before touching bc_acked or +bc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and +prevents the underflow path. + +Fixes: 2f487712b893 ("tipc: guarantee that group broadcast doesn't bypass group unicast") +Cc: stable@vger.kernel.org +Signed-off-by: Oleh Konko +Reviewed-by: Tung Nguyen +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/41a4833f368641218e444fdcff822039.security@1seal.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/group.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/tipc/group.c ++++ b/net/tipc/group.c +@@ -746,6 +746,7 @@ void tipc_group_proto_rcv(struct tipc_gr + u32 port = msg_origport(hdr); + struct tipc_member *m, *pm; + u16 remitted, in_flight; ++ u16 acked; + + if (!grp) + return; +@@ -798,7 +799,10 @@ void tipc_group_proto_rcv(struct tipc_gr + case GRP_ACK_MSG: + if (!m) + return; +- m->bc_acked = msg_grp_bc_acked(hdr); ++ acked = msg_grp_bc_acked(hdr); ++ if (less_eq(acked, m->bc_acked)) ++ return; ++ m->bc_acked = acked; + if (--grp->bc_ackers) + return; + list_del_init(&m->small_win); diff --git a/queue-5.15/wifi-brcmsmac-fix-dma_free_coherent-size.patch b/queue-5.15/wifi-brcmsmac-fix-dma_free_coherent-size.patch new file mode 100644 index 0000000000..81c40d2e03 --- /dev/null +++ b/queue-5.15/wifi-brcmsmac-fix-dma_free_coherent-size.patch @@ -0,0 +1,36 @@ +From 12cd7632757a54ce586e36040210b1a738a0fc53 Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Wed, 18 Feb 2026 14:07:37 +0100 +Subject: wifi: brcmsmac: Fix dma_free_coherent() size + +From: Thomas Fourier + +commit 12cd7632757a54ce586e36040210b1a738a0fc53 upstream. + +dma_alloc_consistent() may change the size to align it. The new size is +saved in alloced. + +Change the free size to match the allocation size. + +Fixes: 5b435de0d786 ("net: wireless: add brcm80211 drivers") +Cc: +Signed-off-by: Thomas Fourier +Acked-by: Arend van Spriel +Link: https://patch.msgid.link/20260218130741.46566-3-fourier.thomas@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c +@@ -483,7 +483,7 @@ static void *dma_ringalloc(struct dma_in + if (((desc_strtaddr + size - 1) & boundary) != (desc_strtaddr + & boundary)) { + *alignbits = dma_align_sizetobits(size); +- dma_free_coherent(di->dmadev, size, va, *descpa); ++ dma_free_coherent(di->dmadev, *alloced, va, *descpa); + va = dma_alloc_consistent(di, size, *alignbits, + alloced, descpa); + }