From: Greg Kroah-Hartman Date: Mon, 9 Mar 2026 10:37:20 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v6.19.7~23 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=06d8aab54ac0da649da5e9ae8ce551a6aa0ffd6e;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch selftests-mptcp-more-stable-simult_flows-tests.patch squashfs-check-metadata-block-offset-is-within-range.patch wifi-radiotap-reject-radiotap-with-unknown-bits.patch --- diff --git a/queue-5.10/alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch b/queue-5.10/alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch new file mode 100644 index 0000000000..5e2e168e1b --- /dev/null +++ b/queue-5.10/alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch @@ -0,0 +1,43 @@ +From 54f9d645a5453d0bfece0c465d34aaf072ea99fa Mon Sep 17 00:00:00 2001 +From: Jun Seo +Date: Thu, 26 Feb 2026 10:08:20 +0900 +Subject: ALSA: usb-audio: Use correct version for UAC3 header validation + +From: Jun Seo + +commit 54f9d645a5453d0bfece0c465d34aaf072ea99fa upstream. + +The entry of the validators table for UAC3 AC header descriptor is +defined with the wrong protocol version UAC_VERSION_2, while it should +have been UAC_VERSION_3. This results in the validator never matching +for actual UAC3 devices (protocol == UAC_VERSION_3), causing their +header descriptors to bypass validation entirely. A malicious USB +device presenting a truncated UAC3 header could exploit this to cause +out-of-bounds reads when the driver later accesses unvalidated +descriptor fields. + +The bug was introduced in the same commit as the recently fixed UAC3 +feature unit sub-type typo, and appears to be from the same copy-paste +error when the UAC3 section was created from the UAC2 section. + +Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units") +Cc: +Signed-off-by: Jun Seo +Link: https://patch.msgid.link/20260226010820.36529-1-jun.seo.93@proton.me +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/validate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/usb/validate.c ++++ b/sound/usb/validate.c +@@ -281,7 +281,7 @@ static const struct usb_desc_validator a + /* UAC_VERSION_2, UAC2_SAMPLE_RATE_CONVERTER: not implemented yet */ + + /* UAC3 */ +- FIXED(UAC_VERSION_2, UAC_HEADER, struct uac3_ac_header_descriptor), ++ FIXED(UAC_VERSION_3, UAC_HEADER, struct uac3_ac_header_descriptor), + FIXED(UAC_VERSION_3, UAC_INPUT_TERMINAL, + struct uac3_input_terminal_descriptor), + FIXED(UAC_VERSION_3, UAC_OUTPUT_TERMINAL, diff --git a/queue-5.10/drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch b/queue-5.10/drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch new file mode 100644 index 0000000000..07bb3aebec --- /dev/null +++ b/queue-5.10/drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch @@ -0,0 +1,161 @@ +From ab140365fb62c0bdab22b2f516aff563b2559e3b Mon Sep 17 00:00:00 2001 +From: Lars Ellenberg +Date: Thu, 19 Feb 2026 15:20:12 +0100 +Subject: drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lars Ellenberg + +commit ab140365fb62c0bdab22b2f516aff563b2559e3b upstream. + +Even though we check that we "should" be able to do lc_get_cumulative() +while holding the device->al_lock spinlock, it may still fail, +if some other code path decided to do lc_try_lock() with bad timing. + +If that happened, we logged "LOGIC BUG for enr=...", +but still did not return an error. + +The rest of the code now assumed that this request has references +for the relevant activity log extents. + +The implcations are that during an active resync, mutual exclusivity of +resync versus application IO is not guaranteed. And a potential crash +at this point may not realizs that these extents could have been target +of in-flight IO and would need to be resynced just in case. + +Also, once the request completes, it will give up activity log references it +does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put(). + +Fix: + +Do not crash the kernel for a condition that is harmless during normal +operation: also catch "e->refcnt == 0", not only "e == NULL" +when being noisy about "al_complete_io() called on inactive extent %u\n". + +And do not try to be smart and "guess" whether something will work, then +be surprised when it does not. +Deal with the fact that it may or may not work. If it does not, remember a +possible "partially in activity log" state (only possible for requests that +cross extent boundaries), and return an error code from +drbd_al_begin_io_nonblock(). + +A latter call for the same request will then resume from where we left off. + +Cc: stable@vger.kernel.org +Signed-off-by: Lars Ellenberg +Signed-off-by: Christoph Böhmwalder +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/drbd/drbd_actlog.c | 53 ++++++++++++++++--------------------- + drivers/block/drbd/drbd_interval.h | 5 ++- + 2 files changed, 27 insertions(+), 31 deletions(-) + +--- a/drivers/block/drbd/drbd_actlog.c ++++ b/drivers/block/drbd/drbd_actlog.c +@@ -483,38 +483,20 @@ void drbd_al_begin_io(struct drbd_device + + int drbd_al_begin_io_nonblock(struct drbd_device *device, struct drbd_interval *i) + { +- struct lru_cache *al = device->act_log; + /* for bios crossing activity log extent boundaries, + * we may need to activate two extents in one go */ + unsigned first = i->sector >> (AL_EXTENT_SHIFT-9); + unsigned last = i->size == 0 ? first : (i->sector + (i->size >> 9) - 1) >> (AL_EXTENT_SHIFT-9); +- unsigned nr_al_extents; +- unsigned available_update_slots; + unsigned enr; + +- D_ASSERT(device, first <= last); +- +- nr_al_extents = 1 + last - first; /* worst case: all touched extends are cold. */ +- available_update_slots = min(al->nr_elements - al->used, +- al->max_pending_changes - al->pending_changes); +- +- /* We want all necessary updates for a given request within the same transaction +- * We could first check how many updates are *actually* needed, +- * and use that instead of the worst-case nr_al_extents */ +- if (available_update_slots < nr_al_extents) { +- /* Too many activity log extents are currently "hot". +- * +- * If we have accumulated pending changes already, +- * we made progress. +- * +- * If we cannot get even a single pending change through, +- * stop the fast path until we made some progress, +- * or requests to "cold" extents could be starved. */ +- if (!al->pending_changes) +- __set_bit(__LC_STARVING, &device->act_log->flags); +- return -ENOBUFS; ++ if (i->partially_in_al_next_enr) { ++ D_ASSERT(device, first < i->partially_in_al_next_enr); ++ D_ASSERT(device, last >= i->partially_in_al_next_enr); ++ first = i->partially_in_al_next_enr; + } + ++ D_ASSERT(device, first <= last); ++ + /* Is resync active in this area? */ + for (enr = first; enr <= last; enr++) { + struct lc_element *tmp; +@@ -529,14 +511,21 @@ int drbd_al_begin_io_nonblock(struct drb + } + } + +- /* Checkout the refcounts. +- * Given that we checked for available elements and update slots above, +- * this has to be successful. */ ++ /* Try to checkout the refcounts. */ + for (enr = first; enr <= last; enr++) { + struct lc_element *al_ext; + al_ext = lc_get_cumulative(device->act_log, enr); +- if (!al_ext) +- drbd_info(device, "LOGIC BUG for enr=%u\n", enr); ++ ++ if (!al_ext) { ++ /* Did not work. We may have exhausted the possible ++ * changes per transaction. Or raced with someone ++ * "locking" it against changes. ++ * Remember where to continue from. ++ */ ++ if (enr > first) ++ i->partially_in_al_next_enr = enr; ++ return -ENOBUFS; ++ } + } + return 0; + } +@@ -556,7 +545,11 @@ void drbd_al_complete_io(struct drbd_dev + + for (enr = first; enr <= last; enr++) { + extent = lc_find(device->act_log, enr); +- if (!extent) { ++ /* Yes, this masks a bug elsewhere. However, during normal ++ * operation this is harmless, so no need to crash the kernel ++ * by the BUG_ON(refcount == 0) in lc_put(). ++ */ ++ if (!extent || extent->refcnt == 0) { + drbd_err(device, "al_complete_io() called on inactive extent %u\n", enr); + continue; + } +--- a/drivers/block/drbd/drbd_interval.h ++++ b/drivers/block/drbd/drbd_interval.h +@@ -8,12 +8,15 @@ + struct drbd_interval { + struct rb_node rb; + sector_t sector; /* start sector of the interval */ +- unsigned int size; /* size in bytes */ + sector_t end; /* highest interval end in subtree */ ++ unsigned int size; /* size in bytes */ + unsigned int local:1 /* local or remote request? */; + unsigned int waiting:1; /* someone is waiting for completion */ + unsigned int completed:1; /* this has been completed already; + * ignore for conflict detection */ ++ ++ /* to resume a partially successful drbd_al_begin_io_nonblock(); */ ++ unsigned int partially_in_al_next_enr; + }; + + static inline void drbd_clear_interval(struct drbd_interval *i) diff --git a/queue-5.10/ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch b/queue-5.10/ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch new file mode 100644 index 0000000000..bb948dc1ae --- /dev/null +++ b/queue-5.10/ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch @@ -0,0 +1,49 @@ +From 117942ca43e2e3c3d121faae530989931b7f67e1 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Mon, 16 Feb 2026 11:02:48 -0400 +Subject: IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() + +From: Jason Gunthorpe + +commit 117942ca43e2e3c3d121faae530989931b7f67e1 upstream. + +Fix a user triggerable leak on the system call failure path. + +Cc: stable@vger.kernel.org +Fixes: ec34a922d243 ("[PATCH] IB/mthca: Add SRQ implementation") +Signed-off-by: Jason Gunthorpe +Link: https://patch.msgid.link/2-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mthca/mthca_provider.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/mthca/mthca_provider.c ++++ b/drivers/infiniband/hw/mthca/mthca_provider.c +@@ -436,6 +436,8 @@ static int mthca_create_srq(struct ib_sr + + if (context && ib_copy_to_udata(udata, &srq->srqn, sizeof(__u32))) { + mthca_free_srq(to_mdev(ibsrq->device), srq); ++ mthca_unmap_user_db(to_mdev(ibsrq->device), &context->uar, ++ context->db_tab, ucmd.db_index); + return -EFAULT; + } + +@@ -444,6 +446,7 @@ static int mthca_create_srq(struct ib_sr + + static int mthca_destroy_srq(struct ib_srq *srq, struct ib_udata *udata) + { ++ mthca_free_srq(to_mdev(srq->device), to_msrq(srq)); + if (udata) { + struct mthca_ucontext *context = + rdma_udata_to_drv_context( +@@ -454,8 +457,6 @@ static int mthca_destroy_srq(struct ib_s + mthca_unmap_user_db(to_mdev(srq->device), &context->uar, + context->db_tab, to_msrq(srq)->db_index); + } +- +- mthca_free_srq(to_mdev(srq->device), to_msrq(srq)); + return 0; + } + diff --git a/queue-5.10/net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch b/queue-5.10/net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch new file mode 100644 index 0000000000..68a99b8a63 --- /dev/null +++ b/queue-5.10/net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch @@ -0,0 +1,115 @@ +From e35626f610f3d2b7953ccddf6a77453da22b3a9e Mon Sep 17 00:00:00 2001 +From: Davide Caratti +Date: Tue, 24 Feb 2026 21:28:32 +0100 +Subject: net/sched: ets: fix divide by zero in the offload path + +From: Davide Caratti + +commit e35626f610f3d2b7953ccddf6a77453da22b3a9e upstream. + +Offloading ETS requires computing each class' WRR weight: this is done by +averaging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsigned +int, the same integer size as the individual DRR quanta, can overflow and +even cause division by zero, like it happened in the following splat: + + Oops: divide error: 0000 [#1] SMP PTI + CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G E 6.19.0-virtme #45 PREEMPT(full) + Tainted: [E]=UNSIGNED_MODULE + Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 + RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets] + Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44 + RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246 + RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660 + RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe + R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe + R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000 + FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0 + Call Trace: + + ets_qdisc_change+0x870/0xf40 [sch_ets] + qdisc_create+0x12b/0x540 + tc_modify_qdisc+0x6d7/0xbd0 + rtnetlink_rcv_msg+0x168/0x6b0 + netlink_rcv_skb+0x5c/0x110 + netlink_unicast+0x1d6/0x2b0 + netlink_sendmsg+0x22e/0x470 + ____sys_sendmsg+0x38a/0x3c0 + ___sys_sendmsg+0x99/0xe0 + __sys_sendmsg+0x8a/0xf0 + do_syscall_64+0x111/0xf80 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + RIP: 0033:0x7f440b81c77e + Code: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa + RSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e + RDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003 + RBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8 + R13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980 + + Modules linked in: sch_ets(E) netdevsim(E) + ---[ end trace 0000000000000000 ]--- + RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets] + Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44 + RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246 + RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660 + RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe + R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe + R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000 + FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0 + Kernel panic - not syncing: Fatal exception + Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) + ---[ end Kernel panic - not syncing: Fatal exception ]--- + +Fix this using 64-bit integers for 'q_sum' and 'q_psum'. + +Cc: stable@vger.kernel.org +Fixes: d35eb52bd2ac ("net: sch_ets: Make the ETS qdisc offloadable") +Signed-off-by: Davide Caratti +Reviewed-by: Jamal Hadi Salim +Reviewed-by: Petr Machata +Link: https://patch.msgid.link/28504887df314588c7255e9911769c36f751edee.1771964872.git.dcaratti@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_ets.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -115,12 +115,12 @@ static void ets_offload_change(struct Qd + struct ets_sched *q = qdisc_priv(sch); + struct tc_ets_qopt_offload qopt; + unsigned int w_psum_prev = 0; +- unsigned int q_psum = 0; +- unsigned int q_sum = 0; + unsigned int quantum; + unsigned int w_psum; + unsigned int weight; + unsigned int i; ++ u64 q_psum = 0; ++ u64 q_sum = 0; + + if (!tc_can_offload(dev) || !dev->netdev_ops->ndo_setup_tc) + return; +@@ -138,8 +138,12 @@ static void ets_offload_change(struct Qd + + for (i = 0; i < q->nbands; i++) { + quantum = q->classes[i].quantum; +- q_psum += quantum; +- w_psum = quantum ? q_psum * 100 / q_sum : 0; ++ if (quantum) { ++ q_psum += quantum; ++ w_psum = div64_u64(q_psum * 100, q_sum); ++ } else { ++ w_psum = 0; ++ } + weight = w_psum - w_psum_prev; + w_psum_prev = w_psum; + diff --git a/queue-5.10/selftests-mptcp-more-stable-simult_flows-tests.patch b/queue-5.10/selftests-mptcp-more-stable-simult_flows-tests.patch new file mode 100644 index 0000000000..de38a73f3d --- /dev/null +++ b/queue-5.10/selftests-mptcp-more-stable-simult_flows-tests.patch @@ -0,0 +1,60 @@ +From 8c09412e584d9bcc0e71d758ec1008d1c8d1a326 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 3 Mar 2026 11:56:02 +0100 +Subject: selftests: mptcp: more stable simult_flows tests + +From: Paolo Abeni + +commit 8c09412e584d9bcc0e71d758ec1008d1c8d1a326 upstream. + +By default, the netem qdisc can keep up to 1000 packets under its belly +to deal with the configured rate and delay. The simult flows test-case +simulates very low speed links, to avoid problems due to slow CPUs and +the TCP stack tend to transmit at a slightly higher rate than the +(virtual) link constraints. + +All the above causes a relatively large amount of packets being enqueued +in the netem qdiscs - the longer the transfer, the longer the queue - +producing increasingly high TCP RTT samples and consequently increasingly +larger receive buffer size due to DRS. + +When the receive buffer size becomes considerably larger than the needed +size, the tests results can flake, i.e. because minimal inaccuracy in the +pacing rate can lead to a single subflow usage towards the end of the +connection for a considerable amount of data. + +Address the issue explicitly setting netem limits suitable for the +configured link speeds and unflake all the affected tests. + +Fixes: 1a418cb8e888 ("mptcp: simult flow self-tests") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-1-4b5462b6f016@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/simult_flows.sh | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/simult_flows.sh ++++ b/tools/testing/selftests/net/mptcp/simult_flows.sh +@@ -235,10 +235,13 @@ run_test() + for dev in ns2eth1 ns2eth2; do + tc -n $ns2 qdisc del dev $dev root >/dev/null 2>&1 + done +- tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1 +- tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2 +- tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1 +- tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2 ++ ++ # keep the queued pkts number low, or the RTT estimator will see ++ # increasing latency over time. ++ tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1 limit 50 ++ tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2 limit 50 ++ tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1 limit 50 ++ tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2 limit 50 + + # time is measure in ms + local time=$((size * 8 * 1000 / (( $rate1 + $rate2) * 1024 *1024) )) diff --git a/queue-5.10/series b/queue-5.10/series index 615353c3fa..278db6709f 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -38,3 +38,10 @@ can-ems_usb-ems_usb_read_bulk_callback-check-the-proper-length-of-a-message.patc can-ucan-fix-infinite-loop-from-zero-length-messages.patch hid-add-hid_claimed_input-guards-in-raw_event-callbacks-missing-them.patch x86-efi-defer-freeing-of-boot-services-memory.patch +alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch +wifi-radiotap-reject-radiotap-with-unknown-bits.patch +ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch +net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch +squashfs-check-metadata-block-offset-is-within-range.patch +drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch +selftests-mptcp-more-stable-simult_flows-tests.patch diff --git a/queue-5.10/squashfs-check-metadata-block-offset-is-within-range.patch b/queue-5.10/squashfs-check-metadata-block-offset-is-within-range.patch new file mode 100644 index 0000000000..a2baa70eca --- /dev/null +++ b/queue-5.10/squashfs-check-metadata-block-offset-is-within-range.patch @@ -0,0 +1,46 @@ +From fdb24a820a5832ec4532273282cbd4f22c291a0d Mon Sep 17 00:00:00 2001 +From: Phillip Lougher +Date: Tue, 17 Feb 2026 05:09:55 +0000 +Subject: Squashfs: check metadata block offset is within range + +From: Phillip Lougher + +commit fdb24a820a5832ec4532273282cbd4f22c291a0d upstream. + +Syzkaller reports a "general protection fault in squashfs_copy_data" + +This is ultimately caused by a corrupted index look-up table, which +produces a negative metadata block offset. + +This is subsequently passed to squashfs_copy_data (via +squashfs_read_metadata) where the negative offset causes an out of bounds +access. + +The fix is to check that the offset is within range in +squashfs_read_metadata. This will trap this and other cases. + +Link: https://lkml.kernel.org/r/20260217050955.138351-1-phillip@squashfs.org.uk +Fixes: f400e12656ab ("Squashfs: cache operations") +Reported-by: syzbot+a9747fe1c35a5b115d3f@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/699234e2.a70a0220.2c38d7.00e2.GAE@google.com/ +Signed-off-by: Phillip Lougher +Cc: Christian Brauner +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/squashfs/cache.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/squashfs/cache.c ++++ b/fs/squashfs/cache.c +@@ -340,6 +340,9 @@ int squashfs_read_metadata(struct super_ + if (unlikely(length < 0)) + return -EIO; + ++ if (unlikely(*offset < 0 || *offset >= SQUASHFS_METADATA_SIZE)) ++ return -EIO; ++ + while (length) { + entry = squashfs_cache_get(sb, msblk->block_cache, *block, 0); + if (entry->error) { diff --git a/queue-5.10/wifi-radiotap-reject-radiotap-with-unknown-bits.patch b/queue-5.10/wifi-radiotap-reject-radiotap-with-unknown-bits.patch new file mode 100644 index 0000000000..029a69ba41 --- /dev/null +++ b/queue-5.10/wifi-radiotap-reject-radiotap-with-unknown-bits.patch @@ -0,0 +1,51 @@ +From c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 17 Feb 2026 13:05:26 +0100 +Subject: wifi: radiotap: reject radiotap with unknown bits + +From: Johannes Berg + +commit c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 upstream. + +The radiotap parser is currently only used with the radiotap +namespace (not with vendor namespaces), but if the undefined +field 18 is used, the alignment/size is unknown as well. In +this case, iterator->_next_ns_data isn't initialized (it's +only set for skipping vendor namespaces), and syzbot points +out that we later compare against this uninitialized value. + +Fix this by moving the rejection of unknown radiotap fields +down to after the in-namespace lookup, so it will really use +iterator->_next_ns_data only for vendor namespaces, even in +case undefined fields are present. + +Cc: stable@vger.kernel.org +Fixes: 33e5a2f776e3 ("wireless: update radiotap parser") +Reported-by: syzbot+b09c1af8764c0097bb19@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/r/69944a91.a70a0220.2c38d7.00fc.GAE@google.com +Link: https://patch.msgid.link/20260217120526.162647-2-johannes@sipsolutions.net +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/radiotap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/wireless/radiotap.c ++++ b/net/wireless/radiotap.c +@@ -240,14 +240,14 @@ int ieee80211_radiotap_iterator_next( + default: + if (!iterator->current_namespace || + iterator->_arg_index >= iterator->current_namespace->n_bits) { +- if (iterator->current_namespace == &radiotap_ns) +- return -ENOENT; + align = 0; + } else { + align = iterator->current_namespace->align_size[iterator->_arg_index].align; + size = iterator->current_namespace->align_size[iterator->_arg_index].size; + } + if (!align) { ++ if (iterator->current_namespace == &radiotap_ns) ++ return -ENOENT; + /* skip all subsequent data */ + iterator->_arg = iterator->_next_ns_data; + /* give up on this namespace */