From: Greg Kroah-Hartman Date: Fri, 1 May 2026 12:29:06 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.12.86~48 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9dc6bf7cbee0b4ee06f20064951e13696a319a17;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: net-rds-fix-mr-cleanup-on-copy-error.patch net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch tpm-avoid-wunused-but-set-variable.patch --- diff --git a/queue-5.10/net-rds-fix-mr-cleanup-on-copy-error.patch b/queue-5.10/net-rds-fix-mr-cleanup-on-copy-error.patch new file mode 100644 index 0000000000..e582b58ea9 --- /dev/null +++ b/queue-5.10/net-rds-fix-mr-cleanup-on-copy-error.patch 
@@ -0,0 +1,47 @@ +From 8141a2dc70080eda1aedc0389ed2db2b292af5bd Mon Sep 17 00:00:00 2001 +From: Ao Zhou +Date: Wed, 22 Apr 2026 22:52:07 +0800 +Subject: net: rds: fix MR cleanup on copy error + +From: Ao Zhou + +commit 8141a2dc70080eda1aedc0389ed2db2b292af5bd upstream. + +__rds_rdma_map() hands sg/pages ownership to the transport after +get_mr() succeeds. If copying the generated cookie back to user space +fails after that point, the error path must not free those resources +again before dropping the MR reference. + +Remove the duplicate unpin/free from the put_user() failure branch so +that MR teardown is handled only through the existing final cleanup +path. + +Fixes: 0d4597c8c5ab ("net/rds: Track user mapped pages through special API") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Signed-off-by: Ao Zhou +Signed-off-by: Ren Wei +Reviewed-by: Allison Henderson +Link: https://patch.msgid.link/79c8ef73ec8e5844d71038983940cc2943099baf.1776764247.git.draw51280@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/rdma.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/net/rds/rdma.c ++++ b/net/rds/rdma.c +@@ -326,10 +326,6 @@ static int __rds_rdma_map(struct rds_soc + + if (args->cookie_addr && + put_user(cookie, (u64 __user *)(unsigned long)args->cookie_addr)) { +- if (!need_odp) { +- unpin_user_pages(pages, nr_pages); +- kfree(sg); +- } + ret = -EFAULT; + goto out; + } diff --git a/queue-5.10/net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch b/queue-5.10/net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch new file mode 100644 index 0000000000..0de36050fd --- /dev/null +++ b/queue-5.10/net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch 
@@ -0,0 +1,49 @@ +From 5a8db80f721deee8e916c2cfdee78decda02ce4f Mon Sep 17 00:00:00 2001 +From: Ruijie Li +Date: Wed, 22 Apr 2026 23:40:18 +0800 +Subject: net/smc: avoid early lgr access in smc_clc_wait_msg + +From: Ruijie Li + +commit 5a8db80f721deee8e916c2cfdee78decda02ce4f upstream. + +A CLC decline can be received while the handshake is still in an early +stage, before the connection has been associated with a link group. + +The decline handling in smc_clc_wait_msg() updates link-group level sync +state for first-contact declines, but that state only exists after link +group setup has completed. Guard the link-group update accordingly and +keep the per-socket peer diagnosis handling unchanged. + +This preserves the existing sync_err handling for established link-group +contexts and avoids touching link-group state before it is available. + +Fixes: 0cfdd8f92cac ("smc: connection and link group creation") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Signed-off-by: Ruijie Li +Signed-off-by: Ren Wei +Reviewed-by: Dust Li +Link: https://patch.msgid.link/08c68a5c817acf198cce63d22517e232e8d60718.1776850759.git.ruijieli51@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/smc_clc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -440,8 +440,8 @@ int smc_clc_wait_msg(struct smc_sock *sm + dclc = (struct smc_clc_msg_decline *)clcm; + reason_code = SMC_CLC_DECL_PEERDECL; + smc->peer_diagnosis = ntohl(dclc->peer_diagnosis); +- if (((struct smc_clc_msg_decline *)buf)->hdr.typev2 & +- SMC_FIRST_CONTACT_MASK) { ++ if ((dclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK) && ++ smc->conn.lgr) { + smc->conn.lgr->sync_err = 1; + smc_lgr_terminate_sched(smc->conn.lgr); + } 
diff --git a/queue-5.10/rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch b/queue-5.10/rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch new file mode 100644 index 0000000000..325765b812 --- /dev/null +++ b/queue-5.10/rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch 
@@ -0,0 +1,51 @@ +From 7244491dab347f648e661da96dc0febadd9daec3 Mon Sep 17 00:00:00 2001 +From: hkbinbin +Date: Wed, 1 Apr 2026 12:19:07 +0000 +Subject: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv + +From: hkbinbin + +commit 7244491dab347f648e661da96dc0febadd9daec3 upstream. + +rxe_rcv() currently checks only that the incoming packet is at least +header_size(pkt) bytes long before payload_size() is used. + +However, payload_size() subtracts both the attacker-controlled BTH pad +field and RXE_ICRC_SIZE from pkt->paylen: + + payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt) + - RXE_ICRC_SIZE + +This means a short packet can still make payload_size() underflow even +if it includes enough bytes for the fixed headers. Simply requiring +header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a +packet with a forged non-zero BTH pad can still leave payload_size() +negative and pass an underflowed value to later receive-path users. + +Fix this by validating pkt->paylen against the full minimum length +required by payload_size(): header_size(pkt) + bth_pad(pkt) + +RXE_ICRC_SIZE. + +Cc: stable@vger.kernel.org +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://patch.msgid.link/r/20260401121907.1468366-1-hkbinbinbin@gmail.com +Signed-off-by: hkbinbin +Reviewed-by: Zhu Yanjun +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rxe/rxe_recv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -364,7 +364,8 @@ void rxe_rcv(struct sk_buff *skb) + pkt->qp = NULL; + pkt->mask |= rxe_opcode[pkt->opcode].mask; + +- if (unlikely(skb->len < header_size(pkt))) ++ if (unlikely(pkt->paylen < header_size(pkt) + bth_pad(pkt) + ++ RXE_ICRC_SIZE)) + goto drop; + + err = hdr_check(pkt); diff --git a/queue-5.10/series b/queue-5.10/series index 8cd2c115d9..5f3982bfd0 100644 --- a/queue-5.10/series 
+++ b/queue-5.10/series @@ -168,3 +168,7 @@ alsa-caiaq-fix-control_put-result-and-cache-rollback.patch alsa-caiaq-handle-probe-errors-properly.patch alsa-6fire-fix-input-volume-change-detection.patch iio-adc-ad7768-1-fix-one-shot-mode-data-acquisition.patch +net-rds-fix-mr-cleanup-on-copy-error.patch +net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch +rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch +tpm-avoid-wunused-but-set-variable.patch diff --git a/queue-5.10/tpm-avoid-wunused-but-set-variable.patch b/queue-5.10/tpm-avoid-wunused-but-set-variable.patch new file mode 100644 index 0000000000..253987a829 --- /dev/null +++ b/queue-5.10/tpm-avoid-wunused-but-set-variable.patch 
@@ -0,0 +1,52 @@ +From 6f1d4d2ecfcd1b577dc87350ea965fe81f272e83 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 22 Mar 2024 14:22:48 +0100 +Subject: tpm: avoid -Wunused-but-set-variable + +From: Arnd Bergmann + +commit 6f1d4d2ecfcd1b577dc87350ea965fe81f272e83 upstream. + +Outside of the EFI tpm code, the TPM_MEMREMAP()/TPM_MEMUNMAP functions are +defined as trivial macros, leading to the mapping_size variable ending +up unused: + +In file included from drivers/char/tpm/tpm-sysfs.c:16: +In file included from drivers/char/tpm/tpm.h:28: +include/linux/tpm_eventlog.h:167:6: error: variable 'mapping_size' set but not used [-Werror,-Wunused-but-set-variable] + 167 | int mapping_size; + +Turn the stubs into inline functions to avoid this warning. + +Cc: stable@vger.kernel.org # v5.3+ +Fixes: c46f3405692d ("tpm: Reserve the TPM final events table") +Signed-off-by: Arnd Bergmann +Reviewed-by: Thorsten Blum +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/tpm_eventlog.h | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/include/linux/tpm_eventlog.h ++++ b/include/linux/tpm_eventlog.h +@@ -131,11 +131,16 @@ struct tcg_algorithm_info { + }; + + #ifndef TPM_MEMREMAP +-#define TPM_MEMREMAP(start, size) NULL ++static inline void *TPM_MEMREMAP(unsigned long start, size_t size) ++{ ++ return NULL; ++} + #endif + + #ifndef TPM_MEMUNMAP +-#define TPM_MEMUNMAP(start, size) do{} while(0) ++static inline void TPM_MEMUNMAP(void *mapping, size_t size) ++{ ++} + #endif + + /**
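Review bot: in the net/rds/rdma.c hunk, the put_user() failure branch is left with only "ret = -EFAULT; goto out;" and nothing at that spot records why sg and pages must not be released there. The commit message explains that ownership passes to the transport once get_mr() succeeds, but the cleanup path it relies on is outside the visible context. A one-line comment in the branch saying that sg/pages belong to the MR from this point and are released when the MR reference is dropped would keep a later change from reintroducing the duplicate unpin_user_pages()/kfree(sg).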
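Review bot: in the net/smc/smc_clc.c hunk, the rewritten condition also changes which pointer the header is read through, from "((struct smc_clc_msg_decline *)buf)->hdr.typev2" to "dclc->hdr.typev2", and the commit message only describes the added "smc->conn.lgr" guard. dclc is assigned from clcm two lines earlier, so this is only equivalent if clcm and buf refer to the same buffer, which the hunk does not show. Either state that in the commit message or keep the original expression and add only the lgr check. It would also help to note in a comment that a first-contact decline arriving before link group setup is intentionally handled with peer_diagnosis only.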
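Review bot: in the drivers/infiniband/sw/rxe/rxe_recv.c hunk, the length check changes its left-hand side from skb->len to pkt->paylen in addition to adding bth_pad(pkt) and RXE_ICRC_SIZE on the right, and nothing visible shows that the two lengths are equal at this point in rxe_rcv(). The commit message justifies the larger minimum but not the switch of the compared field, so please confirm that pkt->paylen is already set and at least as strict as skb->len here. A short comment above the check naming the three terms that payload_size() subtracts would keep this bound in step with that helper if either changes.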
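Review bot: in the include/linux/tpm_eventlog.h hunk, the new stubs fix the argument types ("unsigned long start" for TPM_MEMREMAP, "void *mapping" for TPM_MEMUNMAP) where the old macros accepted anything, and the callers and the non-stub definitions are not in the visible context. Please confirm that these types match what the real definitions take so that a call site compiles identically in both configurations. The "#ifndef TPM_MEMREMAP" and "#ifndef TPM_MEMUNMAP" guards now wrap functions rather than macros, so any override has to be defined before this header is included; a brief comment on the guards saying so would make that requirement explicit.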