From: Greg Kroah-Hartman Date: Tue, 22 Jul 2025 10:11:15 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.1.147~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ec3948e65f9cf9e41f41c1ed47fa493497beb9f5;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch xhci-disable-stream-for-xhc-controller-with-xhci_broken_streams.patch --- diff --git a/queue-5.10/series b/queue-5.10/series index 55efa18863..f1a0b560b4 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -50,3 +50,5 @@ usb-musb-fix-gadget-state-on-disconnect.patch usb-dwc3-qcom-don-t-leave-bcr-asserted.patch asoc-fsl_sai-force-a-software-reset-when-starting-in-consumer-mode.patch mm-vmalloc-leave-lazy-mmu-mode-on-pte-mapping-error.patch +virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch +xhci-disable-stream-for-xhc-controller-with-xhci_broken_streams.patch diff --git a/queue-5.10/virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch b/queue-5.10/virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch new file mode 100644 index 0000000000..9c859fc6df --- /dev/null +++ b/queue-5.10/virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch @@ -0,0 +1,112 @@ +From 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 Mon Sep 17 00:00:00 2001 +From: Bui Quang Minh +Date: Mon, 30 Jun 2025 21:42:10 +0700 +Subject: virtio-net: ensure the received length does not exceed allocated size + +From: Bui Quang Minh + +commit 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 upstream. + +In xdp_linearize_page, when reading the following buffers from the ring, +we forget to check the received length with the true allocate size. This +can lead to an out-of-bound read. This commit adds that missing check. + +Cc: +Fixes: 4941d472bf95 ("virtio-net: do not reset during XDP set") +Signed-off-by: Bui Quang Minh +Acked-by: Jason Wang +Link: https://patch.msgid.link/20250630144212.48471-2-minhquangbui99@gmail.com +Signed-off-by: Paolo Abeni +[ adapted virtqueue_get_buf() to virtqueue_get_buf_ctx() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 38 ++++++++++++++++++++++++++++++++++---- + 1 file changed, 34 insertions(+), 4 deletions(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -394,6 +394,26 @@ static unsigned int mergeable_ctx_to_tru + return (unsigned long)mrg_ctx & ((1 << MRG_CTX_HEADER_SHIFT) - 1); + } + ++static int check_mergeable_len(struct net_device *dev, void *mrg_ctx, ++ unsigned int len) ++{ ++ unsigned int headroom, tailroom, room, truesize; ++ ++ truesize = mergeable_ctx_to_truesize(mrg_ctx); ++ headroom = mergeable_ctx_to_headroom(mrg_ctx); ++ tailroom = headroom ? sizeof(struct skb_shared_info) : 0; ++ room = SKB_DATA_ALIGN(headroom + tailroom); ++ ++ if (len > truesize - room) { ++ pr_debug("%s: rx error: len %u exceeds truesize %lu\n", ++ dev->name, len, (unsigned long)(truesize - room)); ++ dev->stats.rx_length_errors++; ++ return -1; ++ } ++ ++ return 0; ++} ++ + /* Called from bottom half context */ + static struct sk_buff *page_to_skb(struct virtnet_info *vi, + struct receive_queue *rq, +@@ -639,7 +659,8 @@ static unsigned int virtnet_get_headroom + * across multiple buffers (num_buf > 1), and we make sure buffers + * have enough headroom. + */ +-static struct page *xdp_linearize_page(struct receive_queue *rq, ++static struct page *xdp_linearize_page(struct net_device *dev, ++ struct receive_queue *rq, + u16 *num_buf, + struct page *p, + int offset, +@@ -659,18 +680,27 @@ static struct page *xdp_linearize_page(s + memcpy(page_address(page) + page_off, page_address(p) + offset, *len); + page_off += *len; + ++ /* Only mergeable mode can go inside this while loop. In small mode, ++ * *num_buf == 1, so it cannot go inside. ++ */ + while (--*num_buf) { + unsigned int buflen; + void *buf; ++ void *ctx; + int off; + +- buf = virtqueue_get_buf(rq->vq, &buflen); ++ buf = virtqueue_get_buf_ctx(rq->vq, &buflen, &ctx); + if (unlikely(!buf)) + goto err_buf; + + p = virt_to_head_page(buf); + off = buf - page_address(p); + ++ if (check_mergeable_len(dev, ctx, buflen)) { ++ put_page(p); ++ goto err_buf; ++ } ++ + /* guard against a misconfigured or uncooperative backend that + * is sending packet larger than the MTU. + */ +@@ -745,7 +775,7 @@ static struct sk_buff *receive_small(str + headroom = vi->hdr_len + header_offset; + buflen = SKB_DATA_ALIGN(GOOD_PACKET_LEN + headroom) + + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); +- xdp_page = xdp_linearize_page(rq, &num_buf, page, ++ xdp_page = xdp_linearize_page(dev, rq, &num_buf, page, + offset, header_offset, + &tlen); + if (!xdp_page) +@@ -916,7 +946,7 @@ static struct sk_buff *receive_mergeable + if (unlikely(num_buf > 1 || + headroom < virtnet_get_headroom(vi))) { + /* linearize data for XDP */ +- xdp_page = xdp_linearize_page(rq, &num_buf, ++ xdp_page = xdp_linearize_page(dev, rq, &num_buf, + page, offset, + VIRTIO_XDP_HEADROOM, + &len); diff --git a/queue-5.10/xhci-disable-stream-for-xhc-controller-with-xhci_broken_streams.patch b/queue-5.10/xhci-disable-stream-for-xhc-controller-with-xhci_broken_streams.patch new file mode 100644 index 0000000000..8715481f0a --- /dev/null +++ b/queue-5.10/xhci-disable-stream-for-xhc-controller-with-xhci_broken_streams.patch @@ -0,0 +1,35 @@ +From cd65ee81240e8bc3c3119b46db7f60c80864b90b Mon Sep 17 00:00:00 2001 +From: Hongyu Xie +Date: Fri, 27 Jun 2025 17:41:20 +0300 +Subject: xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS + +From: Hongyu Xie + +commit cd65ee81240e8bc3c3119b46db7f60c80864b90b upstream. + +Disable stream for platform xHC controller with broken stream. + +Fixes: 14aec589327a6 ("storage: accept some UAS devices if streams are unavailable") +Cc: stable +Signed-off-by: Hongyu Xie +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250627144127.3889714-3-mathias.nyman@linux.intel.com +[ removed xhci_get_usb3_hcd() call ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-plat.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -361,7 +361,8 @@ static int xhci_plat_probe(struct platfo + if (ret) + goto disable_usb_phy; + +- if (HCC_MAX_PSA(xhci->hcc_params) >= 4) ++ if (HCC_MAX_PSA(xhci->hcc_params) >= 4 && ++ !(xhci->quirks & XHCI_BROKEN_STREAMS)) + xhci->shared_hcd->can_do_streams = 1; + + ret = usb_add_hcd(xhci->shared_hcd, irq, IRQF_SHARED);