From: Greg Kroah-Hartman Date: Mon, 13 Apr 2026 12:26:11 +0000 (+0200) Subject: 5.10-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=504245372b69f9ed8ce6f9563386ae849fd72789;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm64-dts-hisilicon-hi3798cv200-add-missing-dma-ranges.patch arm64-dts-hisilicon-poplar-correct-pcie-reset-gpio-polarity.patch batman-adv-reject-oversized-global-tt-response-buffers.patch mmc-vub300-fix-null-deref-on-disconnect.patch net-altera-tse-fix-skb-leak-on-dma-mapping-error-in-tse_start_xmit.patch net-qualcomm-qca_uart-report-the-consumed-byte-on-rx-skb-allocation-failure.patch net-stmmac-fix-integer-underflow-in-chain-mode.patch netfilter-nft_ct-fix-use-after-free-in-timeout-object-destroy.patch nfc-pn533-allocate-rx-skb-before-consuming-bytes.patch tipc-fix-bc_ackers-underflow-on-duplicate-grp_ack_msg.patch wifi-brcmsmac-fix-dma_free_coherent-size.patch --- diff --git a/queue-5.10/arm64-dts-hisilicon-hi3798cv200-add-missing-dma-ranges.patch b/queue-5.10/arm64-dts-hisilicon-hi3798cv200-add-missing-dma-ranges.patch new file mode 100644 index 0000000000..0f778922cb --- /dev/null +++ b/queue-5.10/arm64-dts-hisilicon-hi3798cv200-add-missing-dma-ranges.patch @@ -0,0 +1,35 @@ +From 1af997cad473d505248df6d9577183bb91f69670 Mon Sep 17 00:00:00 2001 +From: Shawn Guo +Date: Fri, 27 Feb 2026 15:22:10 +0800 +Subject: arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges + +From: Shawn Guo + +commit 1af997cad473d505248df6d9577183bb91f69670 upstream. + +Reboot starts failing on Poplar since commit 8424ecdde7df ("arm64: mm: +Set ZONE_DMA size based on devicetree's dma-ranges"), which effectively +changes zone_dma_bits from 30 to 32 for arm64 platforms that do not +properly define dma-ranges in device tree. It's unclear how Poplar reboot +gets broken by this change exactly, but a dma-ranges limiting zone_dma to +the first 1 GB fixes the regression. + +Fixes: 2f20182ed670 ("arm64: dts: hisilicon: add dts files for hi3798cv200-poplar board") +Cc: stable@vger.kernel.org +Signed-off-by: Shawn Guo +Signed-off-by: Wei Xu +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/hisilicon/hi3798cv200.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/boot/dts/hisilicon/hi3798cv200.dtsi ++++ b/arch/arm64/boot/dts/hisilicon/hi3798cv200.dtsi +@@ -81,6 +81,7 @@ + #address-cells = <1>; + #size-cells = <1>; + ranges = <0x0 0x0 0xf0000000 0x10000000>; ++ dma-ranges = <0x0 0x0 0x0 0x40000000>; + + crg: clock-reset-controller@8a22000 { + compatible = "hisilicon,hi3798cv200-crg", "syscon", "simple-mfd"; diff --git a/queue-5.10/arm64-dts-hisilicon-poplar-correct-pcie-reset-gpio-polarity.patch b/queue-5.10/arm64-dts-hisilicon-poplar-correct-pcie-reset-gpio-polarity.patch new file mode 100644 index 0000000000..f3653d71a3 --- /dev/null +++ b/queue-5.10/arm64-dts-hisilicon-poplar-correct-pcie-reset-gpio-polarity.patch @@ -0,0 +1,36 @@ +From c1f2b0f2b5e37b2c27540a175aea2755a3799433 Mon Sep 17 00:00:00 2001 +From: Shawn Guo +Date: Fri, 27 Feb 2026 15:19:58 +0800 +Subject: arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity + +From: Shawn Guo + +commit c1f2b0f2b5e37b2c27540a175aea2755a3799433 upstream. + +The PCIe reset GPIO on Poplar is actually active low. The active high +worked before because kernel driver didn't respect the setting from DT. +This is changed since commit 1d26a55fbeb9 ("PCI: histb: Switch to using +gpiod API"), and thus PCIe on Poplar got brken since then. + +Fix the problem by correcting the polarity. + +Fixes: 32fa01761bd9 ("arm64: dts: hi3798cv200: enable PCIe support for poplar board") +Cc: stable@vger.kernel.org +Signed-off-by: Shawn Guo +Signed-off-by: Wei Xu +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/hisilicon/hi3798cv200-poplar.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/hisilicon/hi3798cv200-poplar.dts ++++ b/arch/arm64/boot/dts/hisilicon/hi3798cv200-poplar.dts +@@ -179,7 +179,7 @@ + }; + + &pcie { +- reset-gpios = <&gpio4 4 GPIO_ACTIVE_HIGH>; ++ reset-gpios = <&gpio4 4 GPIO_ACTIVE_LOW>; + vpcie-supply = <®_pcie>; + status = "okay"; + }; diff --git a/queue-5.10/batman-adv-reject-oversized-global-tt-response-buffers.patch b/queue-5.10/batman-adv-reject-oversized-global-tt-response-buffers.patch new file mode 100644 index 0000000000..e9067cd800 --- /dev/null +++ b/queue-5.10/batman-adv-reject-oversized-global-tt-response-buffers.patch @@ -0,0 +1,64 @@ +From 3a359bf5c61d52e7f09754108309d637532164a6 Mon Sep 17 00:00:00 2001 +From: Ruide Cao +Date: Thu, 2 Apr 2026 23:12:31 +0800 +Subject: batman-adv: reject oversized global TT response buffers + +From: Ruide Cao + +commit 3a359bf5c61d52e7f09754108309d637532164a6 upstream. + +batadv_tt_prepare_tvlv_global_data() builds the allocation length for a +global TT response in 16-bit temporaries. When a remote originator +advertises a large enough global TT, the TT payload length plus the VLAN +header offset can exceed 65535 and wrap before kmalloc(). + +The full-table response path still uses the original TT payload length when +it fills tt_change, so the wrapped allocation is too small and +batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object +before the later packet-size check runs. + +Fix this by rejecting TT responses whose TVLV value length cannot fit in +the 16-bit TVLV payload length field. + +Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific") +Cc: stable@vger.kernel.org +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Ruide Cao +Signed-off-by: Ren Wei +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/translation-table.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -849,8 +849,8 @@ batadv_tt_prepare_tvlv_global_data(struc + { + u16 num_vlan = 0; + u16 num_entries = 0; +- u16 change_offset; +- u16 tvlv_len; ++ u16 tvlv_len = 0; ++ unsigned int change_offset; + struct batadv_tvlv_tt_vlan_data *tt_vlan; + struct batadv_orig_node_vlan *vlan; + u8 *tt_change_ptr; +@@ -868,6 +868,11 @@ batadv_tt_prepare_tvlv_global_data(struc + if (*tt_len < 0) + *tt_len = batadv_tt_len(num_entries); + ++ if (change_offset > U16_MAX || *tt_len > U16_MAX - change_offset) { ++ *tt_len = 0; ++ goto out; ++ } ++ + tvlv_len = *tt_len; + tvlv_len += change_offset; + diff --git a/queue-5.10/mmc-vub300-fix-null-deref-on-disconnect.patch b/queue-5.10/mmc-vub300-fix-null-deref-on-disconnect.patch new file mode 100644 index 0000000000..d935f97626 --- /dev/null +++ b/queue-5.10/mmc-vub300-fix-null-deref-on-disconnect.patch @@ -0,0 +1,34 @@ +From dff34ef879c5e73298443956a8b391311ba78d57 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 27 Mar 2026 11:52:05 +0100 +Subject: mmc: vub300: fix NULL-deref on disconnect + +From: Johan Hovold + +commit dff34ef879c5e73298443956a8b391311ba78d57 upstream. + +Make sure to deregister the controller before dropping the reference to +the driver data on disconnect to avoid NULL-pointer dereferences or +use-after-free. + +Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver") +Cc: stable@vger.kernel.org # 3.0+ +Signed-off-by: Johan Hovold +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/vub300.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/vub300.c ++++ b/drivers/mmc/host/vub300.c +@@ -2371,8 +2371,8 @@ static void vub300_disconnect(struct usb + usb_set_intfdata(interface, NULL); + /* prevent more I/O from starting */ + vub300->interface = NULL; +- kref_put(&vub300->kref, vub300_delete); + mmc_remove_host(mmc); ++ kref_put(&vub300->kref, vub300_delete); + pr_info("USB vub300 remote SDIO host controller[%d]" + " now disconnected", ifnum); + return; diff --git a/queue-5.10/net-altera-tse-fix-skb-leak-on-dma-mapping-error-in-tse_start_xmit.patch b/queue-5.10/net-altera-tse-fix-skb-leak-on-dma-mapping-error-in-tse_start_xmit.patch new file mode 100644 index 0000000000..a565247286 --- /dev/null +++ b/queue-5.10/net-altera-tse-fix-skb-leak-on-dma-mapping-error-in-tse_start_xmit.patch @@ -0,0 +1,36 @@ +From 6dede3967619b5944003227a5d09fdc21ed57d10 Mon Sep 17 00:00:00 2001 +From: David Carlier +Date: Wed, 1 Apr 2026 22:12:18 +0100 +Subject: net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit() + +From: David Carlier + +commit 6dede3967619b5944003227a5d09fdc21ed57d10 upstream. + +When dma_map_single() fails in tse_start_xmit(), the function returns +NETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the +stack the packet was consumed, the skb is never freed, leaking memory +on every DMA mapping failure. + +Add dev_kfree_skb_any() before returning to properly free the skb. + +Fixes: bbd2190ce96d ("Altera TSE: Add main and header file for Altera Ethernet Driver") +Cc: stable@vger.kernel.org +Signed-off-by: David Carlier +Link: https://patch.msgid.link/20260401211218.279185-1-devnexen@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/altera/altera_tse_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/altera/altera_tse_main.c ++++ b/drivers/net/ethernet/altera/altera_tse_main.c +@@ -591,6 +591,7 @@ static netdev_tx_t tse_start_xmit(struct + DMA_TO_DEVICE); + if (dma_mapping_error(priv->device, dma_addr)) { + netdev_err(priv->dev, "%s: DMA mapping error\n", __func__); ++ dev_kfree_skb_any(skb); + ret = NETDEV_TX_OK; + goto out; + } diff --git a/queue-5.10/net-qualcomm-qca_uart-report-the-consumed-byte-on-rx-skb-allocation-failure.patch b/queue-5.10/net-qualcomm-qca_uart-report-the-consumed-byte-on-rx-skb-allocation-failure.patch new file mode 100644 index 0000000000..ec5f7840c6 --- /dev/null +++ b/queue-5.10/net-qualcomm-qca_uart-report-the-consumed-byte-on-rx-skb-allocation-failure.patch @@ -0,0 +1,46 @@ +From b76254c55dc8f23edc089027dd3f8792554c69fb Mon Sep 17 00:00:00 2001 +From: Pengpeng Hou +Date: Thu, 2 Apr 2026 15:12:07 +0800 +Subject: net: qualcomm: qca_uart: report the consumed byte on RX skb allocation failure + +From: Pengpeng Hou + +commit b76254c55dc8f23edc089027dd3f8792554c69fb upstream. + +qca_tty_receive() consumes each input byte before checking whether a +completed frame needs a fresh receive skb. When the current byte completes +a frame, the driver delivers that frame and then allocates a new skb for +the next one. + +If that allocation fails, the current code returns i even though data[i] +has already been consumed and may already have completed the delivered +frame. Since serdev interprets the return value as the number of accepted +bytes, this under-reports progress by one byte and can replay the final +byte of the completed frame into a fresh parser state on the next call. + +Return i + 1 in that failure path so the accepted-byte count matches the +actual receive-state progress. + +Fixes: dfc768fbe618 ("net: qualcomm: add QCA7000 UART driver") +Cc: stable@vger.kernel.org +Signed-off-by: Pengpeng Hou +Reviewed-by: Stefan Wahren +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260402071207.4036-1-pengpeng@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qualcomm/qca_uart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qualcomm/qca_uart.c ++++ b/drivers/net/ethernet/qualcomm/qca_uart.c +@@ -115,7 +115,7 @@ qca_tty_receive(struct serdev_device *se + if (!qca->rx_skb) { + netdev_dbg(netdev, "recv: out of RX resources\n"); + n_stats->rx_errors++; +- return i; ++ return i + 1; + } + } + } diff --git a/queue-5.10/net-stmmac-fix-integer-underflow-in-chain-mode.patch b/queue-5.10/net-stmmac-fix-integer-underflow-in-chain-mode.patch new file mode 100644 index 0000000000..cb8c730244 --- /dev/null +++ b/queue-5.10/net-stmmac-fix-integer-underflow-in-chain-mode.patch @@ -0,0 +1,80 @@ +From 51f4e090b9f87b40c21b6daadb5c06e6c0a07b67 Mon Sep 17 00:00:00 2001 +From: Tyllis Xu +Date: Tue, 31 Mar 2026 23:47:07 -0500 +Subject: net: stmmac: fix integer underflow in chain mode + +From: Tyllis Xu + +commit 51f4e090b9f87b40c21b6daadb5c06e6c0a07b67 upstream. + +The jumbo_frm() chain-mode implementation unconditionally computes + + len = nopaged_len - bmax; + +where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is +BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() +decides to invoke jumbo_frm() based on skb->len (total length including +page fragments): + + is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc); + +When a packet has a small linear portion (nopaged_len <= bmax) but a +large total length due to page fragments (skb->len > bmax), the +subtraction wraps as an unsigned integer, producing a huge len value +(~0xFFFFxxxx). This causes the while (len != 0) loop to execute +hundreds of thousands of iterations, passing skb->data + bmax * i +pointers far beyond the skb buffer to dma_map_single(). On IOMMU-less +SoCs (the typical deployment for stmmac), this maps arbitrary kernel +memory to the DMA engine, constituting a kernel memory disclosure and +potential memory corruption from hardware. + +Fix this by introducing a buf_len local variable clamped to +min(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then +always safe: it is zero when the linear portion fits within a single +descriptor, causing the while (len != 0) loop to be skipped naturally, +and the fragment loop in stmmac_xmit() handles page fragments afterward. + +Fixes: 286a83721720 ("stmmac: add CHAINED descriptor mode support (V4)") +Cc: stable@vger.kernel.org +Signed-off-by: Tyllis Xu +Link: https://patch.msgid.link/20260401044708.1386919-1-LivelyCarpet87@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/chain_mode.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/chain_mode.c ++++ b/drivers/net/ethernet/stmicro/stmmac/chain_mode.c +@@ -20,7 +20,7 @@ static int jumbo_frm(void *p, struct sk_ + unsigned int nopaged_len = skb_headlen(skb); + struct stmmac_priv *priv = tx_q->priv_data; + unsigned int entry = tx_q->cur_tx; +- unsigned int bmax, des2; ++ unsigned int bmax, buf_len, des2; + unsigned int i = 1, len; + struct dma_desc *desc; + +@@ -31,17 +31,18 @@ static int jumbo_frm(void *p, struct sk_ + else + bmax = BUF_SIZE_2KiB; + +- len = nopaged_len - bmax; ++ buf_len = min_t(unsigned int, nopaged_len, bmax); ++ len = nopaged_len - buf_len; + + des2 = dma_map_single(priv->device, skb->data, +- bmax, DMA_TO_DEVICE); ++ buf_len, DMA_TO_DEVICE); + desc->des2 = cpu_to_le32(des2); + if (dma_mapping_error(priv->device, des2)) + return -1; + tx_q->tx_skbuff_dma[entry].buf = des2; +- tx_q->tx_skbuff_dma[entry].len = bmax; ++ tx_q->tx_skbuff_dma[entry].len = buf_len; + /* do not close the descriptor and do not set own bit */ +- stmmac_prepare_tx_desc(priv, desc, 1, bmax, csum, STMMAC_CHAIN_MODE, ++ stmmac_prepare_tx_desc(priv, desc, 1, buf_len, csum, STMMAC_CHAIN_MODE, + 0, false, skb->len); + + while (len != 0) { diff --git a/queue-5.10/netfilter-nft_ct-fix-use-after-free-in-timeout-object-destroy.patch b/queue-5.10/netfilter-nft_ct-fix-use-after-free-in-timeout-object-destroy.patch new file mode 100644 index 0000000000..6727d505b8 --- /dev/null +++ b/queue-5.10/netfilter-nft_ct-fix-use-after-free-in-timeout-object-destroy.patch @@ -0,0 +1,73 @@ +From f8dca15a1b190787bbd03285304b569631160eda Mon Sep 17 00:00:00 2001 +From: Tuan Do +Date: Fri, 3 Apr 2026 00:33:17 -0700 +Subject: netfilter: nft_ct: fix use-after-free in timeout object destroy + +From: Tuan Do + +commit f8dca15a1b190787bbd03285304b569631160eda upstream. + +nft_ct_timeout_obj_destroy() frees the timeout object with kfree() +immediately after nf_ct_untimeout(), without waiting for an RCU grace +period. Concurrent packet processing on other CPUs may still hold +RCU-protected references to the timeout object obtained via +rcu_dereference() in nf_ct_timeout_data(). + +Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer +freeing until after an RCU grace period, matching the approach already +used in nfnetlink_cttimeout.c. + +KASAN report: + BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0 + Read of size 4 at addr ffff8881035fe19c by task exploit/80 + + Call Trace: + nf_conntrack_tcp_packet+0x1381/0x29d0 + nf_conntrack_in+0x612/0x8b0 + nf_hook_slow+0x70/0x100 + __ip_local_out+0x1b2/0x210 + tcp_sendmsg_locked+0x722/0x1580 + __sys_sendto+0x2d8/0x320 + + Allocated by task 75: + nft_ct_timeout_obj_init+0xf6/0x290 + nft_obj_init+0x107/0x1b0 + nf_tables_newobj+0x680/0x9c0 + nfnetlink_rcv_batch+0xc29/0xe00 + + Freed by task 26: + nft_obj_destroy+0x3f/0xa0 + nf_tables_trans_destroy_work+0x51c/0x5c0 + process_one_work+0x2c4/0x5a0 + +Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support") +Cc: stable@vger.kernel.org +Signed-off-by: Tuan Do +Signed-off-by: Florian Westphal +Signed-off-by: Greg Kroah-Hartman +--- + include/net/netfilter/nf_conntrack_timeout.h | 1 + + net/netfilter/nft_ct.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/include/net/netfilter/nf_conntrack_timeout.h ++++ b/include/net/netfilter/nf_conntrack_timeout.h +@@ -14,6 +14,7 @@ + struct nf_ct_timeout { + __u16 l3num; + const struct nf_conntrack_l4proto *l4proto; ++ struct rcu_head rcu; + char data[]; + }; + +--- a/net/netfilter/nft_ct.c ++++ b/net/netfilter/nft_ct.c +@@ -935,7 +935,7 @@ static void nft_ct_timeout_obj_destroy(c + nf_queue_nf_hook_drop(ctx->net); + nf_ct_untimeout(ctx->net, timeout); + nf_ct_netns_put(ctx->net, ctx->family); +- kfree(priv->timeout); ++ kfree_rcu(priv->timeout, rcu); + } + + static int nft_ct_timeout_obj_dump(struct sk_buff *skb, diff --git a/queue-5.10/nfc-pn533-allocate-rx-skb-before-consuming-bytes.patch b/queue-5.10/nfc-pn533-allocate-rx-skb-before-consuming-bytes.patch new file mode 100644 index 0000000000..2a27e08bc6 --- /dev/null +++ b/queue-5.10/nfc-pn533-allocate-rx-skb-before-consuming-bytes.patch @@ -0,0 +1,59 @@ +From c71ba669b570c7b3f86ec875be222ea11dacb352 Mon Sep 17 00:00:00 2001 +From: Pengpeng Hou +Date: Sun, 5 Apr 2026 08:40:00 +0800 +Subject: nfc: pn533: allocate rx skb before consuming bytes + +From: Pengpeng Hou + +commit c71ba669b570c7b3f86ec875be222ea11dacb352 upstream. + +pn532_receive_buf() reports the number of accepted bytes to the serdev +core. The current code consumes bytes into recv_skb and may already hand +a complete frame to pn533_recv_frame() before allocating a fresh receive +buffer. + +If that alloc_skb() fails, the callback returns 0 even though it has +already consumed bytes, and it leaves recv_skb as NULL for the next +receive callback. That breaks the receive_buf() accounting contract and +can also lead to a NULL dereference on the next skb_put_u8(). + +Allocate the receive skb lazily before consuming the next byte instead. +If allocation fails, return the number of bytes already accepted. + +Fixes: c656aa4c27b1 ("nfc: pn533: add UART phy driver") +Cc: stable@vger.kernel.org +Signed-off-by: Pengpeng Hou +Link: https://patch.msgid.link/20260405094003.3-pn533-v2-pengpeng@iscas.ac.cn +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/pn533/uart.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/nfc/pn533/uart.c ++++ b/drivers/nfc/pn533/uart.c +@@ -211,6 +211,13 @@ static int pn532_receive_buf(struct serd + + del_timer(&dev->cmd_timeout); + for (i = 0; i < count; i++) { ++ if (!dev->recv_skb) { ++ dev->recv_skb = alloc_skb(PN532_UART_SKB_BUFF_LEN, ++ GFP_KERNEL); ++ if (!dev->recv_skb) ++ return i; ++ } ++ + if (unlikely(!skb_tailroom(dev->recv_skb))) + skb_trim(dev->recv_skb, 0); + +@@ -219,9 +226,7 @@ static int pn532_receive_buf(struct serd + continue; + + pn533_recv_frame(dev->priv, dev->recv_skb, 0); +- dev->recv_skb = alloc_skb(PN532_UART_SKB_BUFF_LEN, GFP_KERNEL); +- if (!dev->recv_skb) +- return 0; ++ dev->recv_skb = NULL; + } + + return i; diff --git a/queue-5.10/series b/queue-5.10/series index 949b379d31..7df6fcd43e 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -442,3 +442,14 @@ apparmor-fix-unprivileged-local-user-can-do-privileged-policy-management.patch apparmor-fix-differential-encoding-verification.patch apparmor-fix-race-on-rawdata-dereference.patch apparmor-fix-race-between-freeing-data-and-fs-accessing-it.patch +netfilter-nft_ct-fix-use-after-free-in-timeout-object-destroy.patch +tipc-fix-bc_ackers-underflow-on-duplicate-grp_ack_msg.patch +wifi-brcmsmac-fix-dma_free_coherent-size.patch +arm64-dts-hisilicon-poplar-correct-pcie-reset-gpio-polarity.patch +arm64-dts-hisilicon-hi3798cv200-add-missing-dma-ranges.patch +nfc-pn533-allocate-rx-skb-before-consuming-bytes.patch +batman-adv-reject-oversized-global-tt-response-buffers.patch +net-altera-tse-fix-skb-leak-on-dma-mapping-error-in-tse_start_xmit.patch +mmc-vub300-fix-null-deref-on-disconnect.patch +net-qualcomm-qca_uart-report-the-consumed-byte-on-rx-skb-allocation-failure.patch +net-stmmac-fix-integer-underflow-in-chain-mode.patch diff --git a/queue-5.10/tipc-fix-bc_ackers-underflow-on-duplicate-grp_ack_msg.patch b/queue-5.10/tipc-fix-bc_ackers-underflow-on-duplicate-grp_ack_msg.patch new file mode 100644 index 0000000000..edf397c211 --- /dev/null +++ b/queue-5.10/tipc-fix-bc_ackers-underflow-on-duplicate-grp_ack_msg.patch @@ -0,0 +1,57 @@ +From 48a5fe38772b6f039522469ee6131a67838221a8 Mon Sep 17 00:00:00 2001 +From: Oleh Konko +Date: Thu, 2 Apr 2026 09:48:57 +0000 +Subject: tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG + +From: Oleh Konko + +commit 48a5fe38772b6f039522469ee6131a67838221a8 upstream. + +The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements +bc_ackers on every inbound group ACK, even when the same member has +already acknowledged the current broadcast round. + +Because bc_ackers is a u16, a duplicate ACK received after the last +legitimate ACK wraps the counter to 65535. Once wrapped, +tipc_group_bc_cong() keeps reporting congestion and later group +broadcasts on the affected socket stay blocked until the group is +recreated. + +Fix this by ignoring duplicate or stale ACKs before touching bc_acked or +bc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and +prevents the underflow path. + +Fixes: 2f487712b893 ("tipc: guarantee that group broadcast doesn't bypass group unicast") +Cc: stable@vger.kernel.org +Signed-off-by: Oleh Konko +Reviewed-by: Tung Nguyen +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/41a4833f368641218e444fdcff822039.security@1seal.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/group.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/tipc/group.c ++++ b/net/tipc/group.c +@@ -745,6 +745,7 @@ void tipc_group_proto_rcv(struct tipc_gr + u32 port = msg_origport(hdr); + struct tipc_member *m, *pm; + u16 remitted, in_flight; ++ u16 acked; + + if (!grp) + return; +@@ -797,7 +798,10 @@ void tipc_group_proto_rcv(struct tipc_gr + case GRP_ACK_MSG: + if (!m) + return; +- m->bc_acked = msg_grp_bc_acked(hdr); ++ acked = msg_grp_bc_acked(hdr); ++ if (less_eq(acked, m->bc_acked)) ++ return; ++ m->bc_acked = acked; + if (--grp->bc_ackers) + return; + list_del_init(&m->small_win); diff --git a/queue-5.10/wifi-brcmsmac-fix-dma_free_coherent-size.patch b/queue-5.10/wifi-brcmsmac-fix-dma_free_coherent-size.patch new file mode 100644 index 0000000000..81c40d2e03 --- /dev/null +++ b/queue-5.10/wifi-brcmsmac-fix-dma_free_coherent-size.patch @@ -0,0 +1,36 @@ +From 12cd7632757a54ce586e36040210b1a738a0fc53 Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Wed, 18 Feb 2026 14:07:37 +0100 +Subject: wifi: brcmsmac: Fix dma_free_coherent() size + +From: Thomas Fourier + +commit 12cd7632757a54ce586e36040210b1a738a0fc53 upstream. + +dma_alloc_consistent() may change the size to align it. The new size is +saved in alloced. + +Change the free size to match the allocation size. + +Fixes: 5b435de0d786 ("net: wireless: add brcm80211 drivers") +Cc: +Signed-off-by: Thomas Fourier +Acked-by: Arend van Spriel +Link: https://patch.msgid.link/20260218130741.46566-3-fourier.thomas@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c +@@ -483,7 +483,7 @@ static void *dma_ringalloc(struct dma_in + if (((desc_strtaddr + size - 1) & boundary) != (desc_strtaddr + & boundary)) { + *alignbits = dma_align_sizetobits(size); +- dma_free_coherent(di->dmadev, size, va, *descpa); ++ dma_free_coherent(di->dmadev, *alloced, va, *descpa); + va = dma_alloc_consistent(di, size, *alignbits, + alloced, descpa); + }