5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Jun 2026 04:11:01 +0000 (06:11 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Jun 2026 04:11:01 +0000 (06:11 +0200)
added patches:
bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch

queue-5.10/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch [new file with mode: 0644]
queue-5.10/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch [new file with mode: 0644]
queue-5.10/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch b/queue-5.10/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
new file mode 100644 (file)
index 0000000..e4091cd
--- /dev/null
@@ -0,0 +1,128 @@
+From dd214733544427587a95f66dbf3adff072568990 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Thu, 21 May 2026 10:45:17 -0400
+Subject: Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit dd214733544427587a95f66dbf3adff072568990 upstream.
+
+net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR
+signaling packets up to the channel MTU and dispatches each command
+without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer
+within radio range can send a fixed-channel CID 0x0001 packet that is
+larger than MTUsig and contains many L2CAP_ECHO_REQ commands before
+pairing. In a real-radio stock-kernel run, one 681-byte signaling
+packet containing 168 zero-length ECHO_REQ commands made the target
+transmit 168 ECHO_RSP frames over about 220 ms.
+
+Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can
+force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling
+packet containing packed ECHO_REQ commands.
+
+Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and
+reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP
+carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched.
+
+The Bluetooth Core spec wording for MTUExceeded says the reject
+identifier shall match the first request command in the packet, and
+that packets containing only responses shall be silently discarded.
+Linux intentionally deviates from that prescription: silently
+discarding desynchronizes the peer because the remote stack never
+learns its responses were dropped, and locating the first request
+command requires walking command headers past MTUsig, i.e. processing
+bytes from a packet we have already decided is too large to process.
+We therefore always emit one reject and use the identifier from the
+first command header, a single fixed-offset byte read.
+
+The unrestricted BR/EDR signaling parser and ECHO_REQ response path both
+trace to the initial git import; no later introducing commit is
+available for a Fixes tag.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
+Link: https://lore.kernel.org/r/20260518002800.1361430-1-michael.bommarito@gmail.com
+Link: https://lore.kernel.org/r/20260520135034.1060859-1-michael.bommarito@gmail.com
+Link: https://lore.kernel.org/r/20260521000555.3712030-1-michael.bommarito@gmail.com
+Assisted-by: Claude:claude-opus-4-7
+Assisted-by: Codex:gpt-5-5-xhigh
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/bluetooth/l2cap.h |    1 
+ net/bluetooth/l2cap_core.c    |   46 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 47 insertions(+)
+
+--- a/include/net/bluetooth/l2cap.h
++++ b/include/net/bluetooth/l2cap.h
+@@ -33,6 +33,7 @@
+ /* L2CAP defaults */
+ #define L2CAP_DEFAULT_MTU             672
+ #define L2CAP_DEFAULT_MIN_MTU         48
++#define L2CAP_SIG_MTU                 48      /* BR/EDR signaling MTU */
+ #define L2CAP_DEFAULT_FLUSH_TO                0xFFFF
+ #define L2CAP_EFS_DEFAULT_FLUSH_TO    0xFFFFFFFF
+ #define L2CAP_DEFAULT_TX_WINDOW               63
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -6618,6 +6618,15 @@ static inline void l2cap_sig_send_rej(st
+       l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
+ }
++static inline void l2cap_sig_send_mtu_rej(struct l2cap_conn *conn, u8 ident)
++{
++      struct l2cap_cmd_rej_mtu rej;
++
++      rej.reason = cpu_to_le16(L2CAP_REJ_MTU_EXCEEDED);
++      rej.max_mtu = cpu_to_le16(L2CAP_SIG_MTU);
++      l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
++}
++
+ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
+                                    struct sk_buff *skb)
+ {
+@@ -6630,6 +6639,43 @@ static inline void l2cap_sig_channel(str
+       if (hcon->type != ACL_LINK)
+               goto drop;
++      /*
++       * Bluetooth Core v5.4, Vol 3, Part A, Section 4: the BR/EDR
++       * signaling channel has a fixed signaling MTU (MTUsig) whose
++       * minimum and default is 48 octets.  Section 4.1 says that on
++       * an MTUExceeded command reject the identifier "shall match
++       * the first request command in the L2CAP packet" and that
++       * packets containing only response commands "shall be
++       * silently discarded".
++       *
++       * Linux intentionally deviates from that prescription:
++       *
++       *   1. Silently discarding desynchronizes the peer.  The
++       *      remote stack never learns its responses were dropped,
++       *      so any state machine waiting on a paired response
++       *      stalls until its own timer fires.
++       *
++       *   2. Locating "the first request command" requires walking
++       *      command headers past MTUsig, i.e. processing bytes
++       *      from a packet we have already decided is too large to
++       *      process.
++       *
++       * Reject every over-MTUsig signaling packet with one
++       * L2CAP_REJ_MTU_EXCEEDED command reject.  The reject's
++       * reason field is what tells the peer that the whole packet
++       * was discarded; the identifier value is informational, so
++       * we use the identifier from the first command header, a
++       * single fixed-offset byte read.
++       */
++      if (skb->len > L2CAP_SIG_MTU) {
++              u8 ident = skb->data[1];
++
++              BT_DBG("signaling packet exceeds MTU: %u > %u",
++                     skb->len, L2CAP_SIG_MTU);
++              l2cap_sig_send_mtu_rej(conn, ident);
++              goto drop;
++      }
++
+       while (skb->len >= L2CAP_CMD_HDR_SIZE) {
+               u16 len;
diff --git a/queue-5.10/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch b/queue-5.10/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
new file mode 100644 (file)
index 0000000..81e6db5
--- /dev/null
@@ -0,0 +1,89 @@
+From d21ad938398bca695a511307de38a65889e3b354 Mon Sep 17 00:00:00 2001
+From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Date: Wed, 10 Jun 2026 09:03:14 +0300
+Subject: drm/i915/gem: Fix phys BO pread/pwrite with offset
+
+From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+
+commit d21ad938398bca695a511307de38a65889e3b354 upstream.
+
+sg_page() returns struct page pointer not (void *) so the scaling
+of pread/pwrite is wrong for phys BO and wrong parts of BO would be
+accessed if non-zero offset is used.
+
+Last impacted platform with overlay or cursor planes using phys
+mapping was Gen3/945G/Lakeport.
+
+Reported-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Fixes: c6790dc22312 ("drm/i915: Wean off drm_pci_alloc/drm_pci_free")
+Cc: <stable@vger.kernel.org> # v4.5+
+Cc: Tvrtko Ursulin <tursulin@ursulin.net>
+Cc: Simona Vetter <simona@ffwll.ch>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
+Link: https://patch.msgid.link/20260610060314.26111-1-joonas.lahtinen@linux.intel.com
+(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_phys.c |   19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gem/i915_gem_phys.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_phys.c
+@@ -17,6 +17,17 @@
+ #include "i915_gem_region.h"
+ #include "i915_scatterlist.h"
++/* Abuse scatterlist to store pointer instead of struct page. */
++static inline void __set_phys_vaddr(struct scatterlist *sg, void *vaddr)
++{
++      sg_assign_page(sg, (struct page *)vaddr);
++}
++
++static inline void *__get_phys_vaddr(struct scatterlist *sg)
++{
++      return (void *)sg_page(sg);
++}
++
+ static int i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj)
+ {
+       struct address_space *mapping = obj->base.filp->f_mapping;
+@@ -52,7 +63,7 @@ static int i915_gem_object_get_pages_phy
+       sg->offset = 0;
+       sg->length = obj->base.size;
+-      sg_assign_page(sg, (struct page *)vaddr);
++      __set_phys_vaddr(sg, vaddr);
+       sg_dma_address(sg) = dma;
+       sg_dma_len(sg) = obj->base.size;
+@@ -94,7 +105,7 @@ i915_gem_object_put_pages_phys(struct dr
+                              struct sg_table *pages)
+ {
+       dma_addr_t dma = sg_dma_address(pages->sgl);
+-      void *vaddr = sg_page(pages->sgl);
++      void *vaddr = __get_phys_vaddr(pages->sgl);
+       __i915_gem_object_release_shmem(obj, pages, false);
+@@ -138,7 +149,7 @@ static int
+ phys_pwrite(struct drm_i915_gem_object *obj,
+           const struct drm_i915_gem_pwrite *args)
+ {
+-      void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
++      void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
+       char __user *user_data = u64_to_user_ptr(args->data_ptr);
+       int err;
+@@ -169,7 +180,7 @@ static int
+ phys_pread(struct drm_i915_gem_object *obj,
+          const struct drm_i915_gem_pread *args)
+ {
+-      void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
++      void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
+       char __user *user_data = u64_to_user_ptr(args->data_ptr);
+       int err;
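Review bot: The comment on the new helpers at the top of the hunk, `Abuse scatterlist to store pointer instead of struct page.`, omits the precondition the trick depends on: `sg_assign_page()`/`sg_page()` keep flag bits in the low bits of `page_link`, so the stored vaddr must have those bits clear, which the allocation in `i915_gem_object_get_pages_phys()` (outside this hunk) presumably guarantees by being page-aligned; suggest `/* Abuse the scatterlist to carry the coherent vaddr instead of a struct page: vaddr must keep the low page_link flag bits clear and must only be read back via __get_phys_vaddr(). */`. Since the pre-fix arithmetic scaled the user-supplied `args->offset` by `sizeof(struct page)`, the old behaviour looks like an out-of-bounds kernel read/write through pread/pwrite rather than merely "wrong parts of BO", which is worth spelling out for the stable backport. The `offset + size <= obj->base.size` check that keeps the fixed code in bounds is not in this hunk and presumably lives in the ioctl entry points; confirm it precedes both phys_pread() and phys_pwrite(). phys_pread's body continues past the end of the hunk.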
diff --git a/queue-5.10/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch b/queue-5.10/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
new file mode 100644 (file)
index 0000000..0696cc9
--- /dev/null
@@ -0,0 +1,43 @@
+From c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a Mon Sep 17 00:00:00 2001
+From: Tristan Madani <tristan@talencesecurity.com>
+Date: Wed, 27 May 2026 13:57:50 +0000
+Subject: netfilter: nft_tunnel: fix use-after-free on object destroy
+
+From: Tristan Madani <tristan@talencesecurity.com>
+
+commit c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a upstream.
+
+nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
+kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
+that took a reference via dst_hold() in nft_tunnel_obj_eval() and
+are still queued (e.g. in a netem qdisc) are left with a dangling
+pointer. When these packets are eventually dequeued, dst_release()
+operates on freed memory.
+
+Replace metadata_dst_free() with dst_release() so the metadata_dst
+is freed only after all references are dropped. The dst subsystem
+already handles metadata_dst cleanup in dst_destroy() when
+DST_METADATA is set.
+
+Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
+Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_tunnel.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -669,7 +669,7 @@ static void nft_tunnel_obj_destroy(const
+ {
+       struct nft_tunnel_obj *priv = nft_obj_data(obj);
+-      metadata_dst_free(priv->md);
++      dst_release(&priv->md->dst);
+ }
+ static struct nft_object_type nft_tunnel_obj_type;
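Review bot: The replacement line `dst_release(&priv->md->dst);` carries no comment explaining why the refcounted release is required, and the next reader may well "simplify" it back to `metadata_dst_free()` since that is what pairs visually with the allocation; suggest `/* Queued packets may still hold references (dst_hold() in nft_tunnel_obj_eval()); let dst_release() free the md_dst once the last one is dropped. */`. Going through dst_release() makes the teardown asynchronous, so nothing in nft_tunnel_obj_destroy() or its caller may assume `priv->md` is freed on return; nothing visible here does, but the obj_init error path (outside this hunk) should be checked to free directly only while no packet can have taken a reference. The function's signature sits in the hunk header and its full body is shown.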
index bc48984b39b4c61fb5d1cbc68b3e01ce52d67c02..184d82afeedc8752b256f166095d8bd782159072 100644 (file)
@@ -175,3 +175,6 @@ rds-mark-snapshot-pages-dirty-in-rds_info_getsockopt.patch
 netfilter-x_tables-avoid-leaking-percpu-counter-poin.patch
 netfilter-nft_exthdr-fix-register-tracking-for-f_pre.patch
 net-mvpp2-sync-rx-data-at-the-hardware-packet-offset.patch
+netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
+bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
+drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch