From: Greg Kroah-Hartman Date: Tue, 17 Mar 2026 12:10:48 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v6.18.19~48 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2642ed58457234260ddf957cc5eb2a6d6e9743c2;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch net-ncsi-fix-skb-leak-in-error-paths.patch nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch parisc-fix-initial-page-table-creation-for-boot.patch parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch --- diff --git a/queue-5.10/batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch b/queue-5.10/batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch new file mode 100644 index 0000000000..2e236a8622 --- /dev/null +++ b/queue-5.10/batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch @@ -0,0 +1,106 @@ +From cfc83a3c71517b59c1047db57da31e26a9dc2f33 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Mon, 16 Feb 2026 11:20:29 +0100 +Subject: batman-adv: Avoid double-rtnl_lock ELP metric worker +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sven Eckelmann + +commit cfc83a3c71517b59c1047db57da31e26a9dc2f33 upstream. + +batadv_v_elp_get_throughput() might be called when the RTNL lock is already +held. This could be problematic when the work queue item is cancelled via +cancel_delayed_work_sync() in batadv_v_elp_iface_disable(). In this case, +an rtnl_lock() would cause a deadlock. + +To avoid this, rtnl_trylock() was used in this function to skip the +retrieval of the ethtool information in case the RTNL lock was already +held. + +But for cfg80211 interfaces, batadv_get_real_netdev() was called - which +also uses rtnl_lock(). The approach for __ethtool_get_link_ksettings() must +also be used instead and the lockless version __batadv_get_real_netdev() +has to be called. + +Cc: stable@vger.kernel.org +Fixes: 8c8ecc98f5c6 ("batman-adv: Drop unmanaged ELP metric worker") +Reported-by: Christian Schmidbauer +Signed-off-by: Sven Eckelmann +Tested-by: Sören Skaarup +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_v_elp.c | 10 +++++++++- + net/batman-adv/hard-interface.c | 8 ++++---- + net/batman-adv/hard-interface.h | 1 + + 3 files changed, 14 insertions(+), 5 deletions(-) + +--- a/net/batman-adv/bat_v_elp.c ++++ b/net/batman-adv/bat_v_elp.c +@@ -113,7 +113,15 @@ static bool batadv_v_elp_get_throughput( + /* unsupported WiFi driver version */ + goto default_throughput; + +- real_netdev = batadv_get_real_netdev(hard_iface->net_dev); ++ /* only use rtnl_trylock because the elp worker will be cancelled while ++ * the rntl_lock is held. the cancel_delayed_work_sync() would otherwise ++ * wait forever when the elp work_item was started and it is then also ++ * trying to rtnl_lock ++ */ ++ if (!rtnl_trylock()) ++ return false; ++ real_netdev = __batadv_get_real_netdev(hard_iface->net_dev); ++ rtnl_unlock(); + if (!real_netdev) + goto default_throughput; + +--- a/net/batman-adv/hard-interface.c ++++ b/net/batman-adv/hard-interface.c +@@ -204,7 +204,7 @@ static bool batadv_is_valid_iface(const + } + + /** +- * batadv_get_real_netdevice() - check if the given netdev struct is a virtual ++ * __batadv_get_real_netdev() - check if the given netdev struct is a virtual + * interface on top of another 'real' interface + * @netdev: the device to check + * +@@ -214,7 +214,7 @@ static bool batadv_is_valid_iface(const + * Return: the 'real' net device or the original net device and NULL in case + * of an error. + */ +-static struct net_device *batadv_get_real_netdevice(struct net_device *netdev) ++struct net_device *__batadv_get_real_netdev(struct net_device *netdev) + { + struct batadv_hard_iface *hard_iface = NULL; + struct net_device *real_netdev = NULL; +@@ -268,7 +268,7 @@ struct net_device *batadv_get_real_netde + struct net_device *real_netdev; + + rtnl_lock(); +- real_netdev = batadv_get_real_netdevice(net_device); ++ real_netdev = __batadv_get_real_netdev(net_device); + rtnl_unlock(); + + return real_netdev; +@@ -335,7 +335,7 @@ static u32 batadv_wifi_flags_evaluate(st + if (batadv_is_cfg80211_netdev(net_device)) + wifi_flags |= BATADV_HARDIF_WIFI_CFG80211_DIRECT; + +- real_netdev = batadv_get_real_netdevice(net_device); ++ real_netdev = __batadv_get_real_netdev(net_device); + if (!real_netdev) + return wifi_flags; + +--- a/net/batman-adv/hard-interface.h ++++ b/net/batman-adv/hard-interface.h +@@ -91,6 +91,7 @@ enum batadv_hard_if_cleanup { + + extern struct notifier_block batadv_hard_if_notifier; + ++struct net_device *__batadv_get_real_netdev(struct net_device *net_device); + struct net_device *batadv_get_real_netdev(struct net_device *net_device); + bool batadv_is_cfg80211_hardif(struct batadv_hard_iface *hard_iface); + bool batadv_is_wifi_hardif(struct batadv_hard_iface *hard_iface); diff --git a/queue-5.10/media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch b/queue-5.10/media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch new file mode 100644 index 0000000000..bcef47e83d --- /dev/null +++ b/queue-5.10/media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch @@ -0,0 +1,41 @@ +From 24d87712727a5017ad142d63940589a36cd25647 Mon Sep 17 00:00:00 2001 +From: Ariel Silver +Date: Sat, 21 Feb 2026 15:26:00 +0100 +Subject: media: dvb-net: fix OOB access in ULE extension header tables + +From: Ariel Silver + +commit 24d87712727a5017ad142d63940589a36cd25647 upstream. + +The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables +in handle_one_ule_extension() are declared with 255 elements (valid +indices 0-254), but the index htype is derived from network-controlled +data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When +htype equals 255, an out-of-bounds read occurs on the function pointer +table, and the OOB value may be called as a function pointer. + +Add a bounds check on htype against the array size before either table +is accessed. Out-of-range values now cause the SNDU to be discarded. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Ariel Silver +Signed-off-by: Ariel Silver +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-core/dvb_net.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/dvb-core/dvb_net.c ++++ b/drivers/media/dvb-core/dvb_net.c +@@ -228,6 +228,9 @@ static int handle_one_ule_extension( str + unsigned char hlen = (p->ule_sndu_type & 0x0700) >> 8; + unsigned char htype = p->ule_sndu_type & 0x00FF; + ++ if (htype >= ARRAY_SIZE(ule_mandatory_ext_handlers)) ++ return -1; ++ + /* Discriminate mandatory and optional extension headers. */ + if (hlen == 0) { + /* Mandatory extension header */ diff --git a/queue-5.10/net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch b/queue-5.10/net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch new file mode 100644 index 0000000000..8c5b3505a8 --- /dev/null +++ b/queue-5.10/net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch @@ -0,0 +1,53 @@ +From 2503d08f8a2de618e5c3a8183b250ff4a2e2d52c Mon Sep 17 00:00:00 2001 +From: Fan Wu +Date: Mon, 9 Mar 2026 13:24:09 +0000 +Subject: net: ethernet: arc: emac: quiesce interrupts before requesting IRQ + +From: Fan Wu + +commit 2503d08f8a2de618e5c3a8183b250ff4a2e2d52c upstream. + +Normal RX/TX interrupts are enabled later, in arc_emac_open(), so probe +should not see interrupt delivery in the usual case. However, hardware may +still present stale or latched interrupt status left by firmware or the +bootloader. + +If probe later unwinds after devm_request_irq() has installed the handler, +such a stale interrupt can still reach arc_emac_intr() during teardown and +race with release of the associated net_device. + +Avoid that window by putting the device into a known quiescent state before +requesting the IRQ: disable all EMAC interrupt sources and clear any +pending EMAC interrupt status bits. This keeps the change hardware-focused +and minimal, while preventing spurious IRQ delivery from leftover state. + +Fixes: e4f2379db6c6 ("ethernet/arc/arc_emac - Add new driver") +Cc: stable@vger.kernel.org +Signed-off-by: Fan Wu +Link: https://patch.msgid.link/20260309132409.584966-1-fanwu01@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/arc/emac_main.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/net/ethernet/arc/emac_main.c ++++ b/drivers/net/ethernet/arc/emac_main.c +@@ -935,6 +935,17 @@ int arc_emac_probe(struct net_device *nd + /* Set poll rate so that it polls every 1 ms */ + arc_reg_set(priv, R_POLLRATE, clock_frequency / 1000000); + ++ /* ++ * Put the device into a known quiescent state before requesting ++ * the IRQ. Clear only EMAC interrupt status bits here; leave the ++ * MDIO completion bit alone and avoid writing TXPL_MASK, which is ++ * used to force TX polling rather than acknowledge interrupts. ++ */ ++ arc_reg_set(priv, R_ENABLE, 0); ++ arc_reg_set(priv, R_STATUS, RXINT_MASK | TXINT_MASK | ERR_MASK | ++ TXCH_MASK | MSER_MASK | RXCR_MASK | ++ RXFR_MASK | RXFL_MASK); ++ + ndev->irq = irq; + dev_info(dev, "IRQ is %d\n", ndev->irq); + diff --git a/queue-5.10/net-ncsi-fix-skb-leak-in-error-paths.patch b/queue-5.10/net-ncsi-fix-skb-leak-in-error-paths.patch new file mode 100644 index 0000000000..4f3816b7ba --- /dev/null +++ b/queue-5.10/net-ncsi-fix-skb-leak-in-error-paths.patch @@ -0,0 +1,85 @@ +From 5c3398a54266541610c8d0a7082e654e9ff3e259 Mon Sep 17 00:00:00 2001 +From: Jian Zhang +Date: Thu, 5 Mar 2026 14:06:55 +0800 +Subject: net: ncsi: fix skb leak in error paths + +From: Jian Zhang + +commit 5c3398a54266541610c8d0a7082e654e9ff3e259 upstream. + +Early return paths in NCSI RX and AEN handlers fail to release +the received skb, resulting in a memory leak. + +Specifically, ncsi_aen_handler() returns on invalid AEN packets +without consuming the skb. Similarly, ncsi_rcv_rsp() exits early +when failing to resolve the NCSI device, response handler, or +request, leaving the skb unfreed. + +CC: stable@vger.kernel.org +Fixes: 7a82ecf4cfb8 ("net/ncsi: NCSI AEN packet handler") +Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler") +Signed-off-by: Jian Zhang +Link: https://patch.msgid.link/20260305060656.3357250-1-zhangjian.3032@bytedance.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ncsi/ncsi-aen.c | 3 ++- + net/ncsi/ncsi-rsp.c | 16 ++++++++++++---- + 2 files changed, 14 insertions(+), 5 deletions(-) + +--- a/net/ncsi/ncsi-aen.c ++++ b/net/ncsi/ncsi-aen.c +@@ -224,7 +224,8 @@ int ncsi_aen_handler(struct ncsi_dev_pri + if (!nah) { + netdev_warn(ndp->ndev.dev, "Invalid AEN (0x%x) received\n", + h->type); +- return -ENOENT; ++ ret = -ENOENT; ++ goto out; + } + + ret = ncsi_validate_aen_pkt(h, nah->payload); +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -1146,8 +1146,10 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st + /* Find the NCSI device */ + nd = ncsi_find_dev(orig_dev); + ndp = nd ? TO_NCSI_DEV_PRIV(nd) : NULL; +- if (!ndp) +- return -ENODEV; ++ if (!ndp) { ++ ret = -ENODEV; ++ goto err_free_skb; ++ } + + /* Check if it is AEN packet */ + hdr = (struct ncsi_pkt_hdr *)skb_network_header(skb); +@@ -1169,7 +1171,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st + if (!nrh) { + netdev_err(nd->dev, "Received unrecognized packet (0x%x)\n", + hdr->type); +- return -ENOENT; ++ ret = -ENOENT; ++ goto err_free_skb; + } + + /* Associate with the request */ +@@ -1177,7 +1180,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st + nr = &ndp->requests[hdr->id]; + if (!nr->used) { + spin_unlock_irqrestore(&ndp->lock, flags); +- return -ENODEV; ++ ret = -ENODEV; ++ goto err_free_skb; + } + + nr->rsp = skb; +@@ -1231,4 +1235,8 @@ out_netlink: + out: + ncsi_free_request(nr); + return ret; ++ ++err_free_skb: ++ kfree_skb(skb); ++ return ret; + } diff --git a/queue-5.10/nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch b/queue-5.10/nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch new file mode 100644 index 0000000000..95e982dc46 --- /dev/null +++ b/queue-5.10/nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch @@ -0,0 +1,45 @@ +From 8f3c6f08ababad2e3bdd239728cf66a9949446b4 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Tue, 24 Feb 2026 13:17:50 +1000 +Subject: nouveau/dpcd: return EBUSY for aux xfer if the device is asleep + +From: Dave Airlie + +commit 8f3c6f08ababad2e3bdd239728cf66a9949446b4 upstream. + +If we have runtime suspended, and userspace wants to use /dev/drm_dp_* +then just tell it the device is busy instead of crashing in the GSP +code. + +WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] +CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy) +Hardware name: LENOVO 20QTS0PQ00/20QTS0PQ00, BIOS N2OET65W (1.52 ) 08/05/2024 +RIP: 0010:r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] + +This is a simple fix to get backported. We should probably engineer a +proper power domain solution to wake up devices and keep them awake +while fw updates are happening. + +Cc: stable@vger.kernel.org +Fixes: 8894f4919bc4 ("drm/nouveau: register a drm_dp_aux channel for each dp connector") +Reviewed-by: Lyude Paul +Signed-off-by: Dave Airlie +Link: https://patch.msgid.link/20260224031750.791621-1-airlied@gmail.com +Signed-off-by: Danilo Krummrich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -1176,6 +1176,9 @@ nouveau_connector_aux_xfer(struct drm_dp + u8 size = msg->size; + int ret; + ++ if (pm_runtime_suspended(nv_connector->base.dev->dev)) ++ return -EBUSY; ++ + nv_encoder = find_encoder(&nv_connector->base, DCB_OUTPUT_DP); + if (!nv_encoder || !(aux = nv_encoder->aux)) + return -ENODEV; diff --git a/queue-5.10/parisc-fix-initial-page-table-creation-for-boot.patch b/queue-5.10/parisc-fix-initial-page-table-creation-for-boot.patch new file mode 100644 index 0000000000..bbe66643d8 --- /dev/null +++ b/queue-5.10/parisc-fix-initial-page-table-creation-for-boot.patch @@ -0,0 +1,46 @@ +From 8475d8fe21ec9c7eb2faca555fbc5b68cf0d2597 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Wed, 4 Mar 2026 22:24:18 +0100 +Subject: parisc: Fix initial page table creation for boot + +From: Helge Deller + +commit 8475d8fe21ec9c7eb2faca555fbc5b68cf0d2597 upstream. + +The KERNEL_INITIAL_ORDER value defines the initial size (usually 32 or +64 MB) of the page table during bootup. Up until now the whole area was +initialized with PTE entries, but there was no check if we filled too +many entries. Change the code to fill up with so many entries that the +"_end" symbol can be reached by the kernel, but not more entries than +actually fit into the initial PTE tables. + +Signed-off-by: Helge Deller +Cc: # v6.0+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/head.S | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/parisc/kernel/head.S ++++ b/arch/parisc/kernel/head.S +@@ -55,6 +55,7 @@ ENTRY(parisc_kernel_start) + + .import __bss_start,data + .import __bss_stop,data ++ .import __end,data + + load32 PA(__bss_start),%r3 + load32 PA(__bss_stop),%r4 +@@ -148,7 +149,11 @@ $cpu_ok: + * everything ... it will get remapped correctly later */ + ldo 0+_PAGE_KERNEL_RWX(%r0),%r3 /* Hardwired 0 phys addr start */ + load32 (1<<(KERNEL_INITIAL_ORDER-PAGE_SHIFT)),%r11 /* PFN count */ +- load32 PA(pg0),%r1 ++ load32 PA(_end),%r1 ++ SHRREG %r1,PAGE_SHIFT,%r1 /* %r1 is PFN count for _end symbol */ ++ cmpb,<<,n %r11,%r1,1f ++ copy %r1,%r11 /* %r1 PFN count smaller than %r11 */ ++1: load32 PA(pg0),%r1 + + $pgt_fill_loop: + STREGM %r3,ASM_PTE_ENTRY_SIZE(%r1) diff --git a/queue-5.10/parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch b/queue-5.10/parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch new file mode 100644 index 0000000000..abfe828086 --- /dev/null +++ b/queue-5.10/parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch @@ -0,0 +1,30 @@ +From 8e732934fb81282be41602550e7e07baf265e972 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Tue, 3 Mar 2026 23:36:10 +0100 +Subject: parisc: Increase initial mapping to 64 MB with KALLSYMS + +From: Helge Deller + +commit 8e732934fb81282be41602550e7e07baf265e972 upstream. + +The 32MB initial kernel mapping can become too small when CONFIG_KALLSYMS +is used. Increase the mapping to 64 MB in this case. + +Signed-off-by: Helge Deller +Cc: # v6.0+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/pgtable.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/include/asm/pgtable.h ++++ b/arch/parisc/include/asm/pgtable.h +@@ -109,7 +109,7 @@ extern void __update_cache(pte_t pte); + printk("%s:%d: bad pgd %08lx.\n", __FILE__, __LINE__, (unsigned long)pgd_val(e)) + + /* This is the size of the initially mapped kernel memory */ +-#if defined(CONFIG_64BIT) ++#if defined(CONFIG_64BIT) || defined(CONFIG_KALLSYMS) + #define KERNEL_INITIAL_ORDER 26 /* 1<<26 = 64MB */ + #else + #define KERNEL_INITIAL_ORDER 25 /* 1<<25 = 32MB */ diff --git a/queue-5.10/series b/queue-5.10/series index 5409efa687..eb60c76913 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -112,3 +112,10 @@ time-jiffies-mark-jiffies_64_to_clock_t-notrace.patch irqchip-gic-v3-its-limit-number-of-per-device-msis-to-the-range-the-its-supports.patch staging-rtl8723bs-fix-potential-out-of-bounds-read-in-rtw_restruct_wmm_ie.patch staging-rtl8723bs-properly-validate-the-data-in-rtw_get_ie_ex.patch +media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch +batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch +parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch +nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch +parisc-fix-initial-page-table-creation-for-boot.patch +net-ncsi-fix-skb-leak-in-error-paths.patch +net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch