--- /dev/null
+From 5c65b96b549ea2dcfde497436bf9e048deb87758 Mon Sep 17 00:00:00 2001
+From: Yuqi Xu <xuyq21@lenovo.com>
+Date: Fri, 29 May 2026 16:54:23 +0800
+Subject: Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
+
+From: Yuqi Xu <xuyq21@lenovo.com>
+
+commit 5c65b96b549ea2dcfde497436bf9e048deb87758 upstream.
+
+Existing advertising instances can already hold the maximum extended
+advertising payload. When hci_adv_bcast_annoucement() prepends the
+Broadcast Announcement service data to that payload, the combined data
+may no longer fit in the temporary buffer used to rebuild the
+advertising data.
+
+Reject that case before copying the existing payload and report the
+failure through the device log. This keeps the existing advertising
+data intact and avoids overrunning the temporary buffer.
+
+Fixes: 5725bc608252 ("Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Assisted-by: Codex:GPT-5.4
+Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sync.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -1706,6 +1706,11 @@ static int hci_adv_bcast_annoucement(str
+ /* Generate Broadcast ID */
+ get_random_bytes(bid, sizeof(bid));
+ len = eir_append_service_data(ad, 0, 0x1852, bid, sizeof(bid));
++ if (adv->adv_data_len > sizeof(ad) - len) {
++ bt_dev_err(hdev, "No room for Broadcast Announcement");
++ return -EINVAL;
++ }
++
+ memcpy(ad + len, adv->adv_data, adv->adv_data_len);
+ hci_set_adv_instance_data(hdev, adv->instance, len + adv->adv_data_len,
+ ad, 0, NULL);
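Review bot: The added guard `if (adv->adv_data_len > sizeof(ad) - len)` is only correct if `ad` is a real array and `len` never exceeds its size, and neither is visible in this hunk because the declarations sit above it. The subtraction is unsigned, so a `len` larger than the buffer would wrap and let every payload through. A short comment above the check, such as `/* len is the fixed-size Broadcast Announcement entry and is always smaller than sizeof(ad) */`, would keep a later refactor (for example turning `ad` into a pointer) from silently disabling it. The `bt_dev_err` text would also be easier to act on if it included both lengths.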
--- /dev/null
+From dd214733544427587a95f66dbf3adff072568990 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Thu, 21 May 2026 10:45:17 -0400
+Subject: Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit dd214733544427587a95f66dbf3adff072568990 upstream.
+
+net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR
+signaling packets up to the channel MTU and dispatches each command
+without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer
+within radio range can send a fixed-channel CID 0x0001 packet that is
+larger than MTUsig and contains many L2CAP_ECHO_REQ commands before
+pairing. In a real-radio stock-kernel run, one 681-byte signaling
+packet containing 168 zero-length ECHO_REQ commands made the target
+transmit 168 ECHO_RSP frames over about 220 ms.
+
+Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can
+force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling
+packet containing packed ECHO_REQ commands.
+
+Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and
+reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP
+carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched.
+
+The Bluetooth Core spec wording for MTUExceeded says the reject
+identifier shall match the first request command in the packet, and
+that packets containing only responses shall be silently discarded.
+Linux intentionally deviates from that prescription: silently
+discarding desynchronizes the peer because the remote stack never
+learns its responses were dropped, and locating the first request
+command requires walking command headers past MTUsig, i.e. processing
+bytes from a packet we have already decided is too large to process.
+We therefore always emit one reject and use the identifier from the
+first command header, a single fixed-offset byte read.
+
+The unrestricted BR/EDR signaling parser and ECHO_REQ response path both
+trace to the initial git import; no later introducing commit is
+available for a Fixes tag.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
+Link: https://lore.kernel.org/r/20260518002800.1361430-1-michael.bommarito@gmail.com
+Link: https://lore.kernel.org/r/20260520135034.1060859-1-michael.bommarito@gmail.com
+Link: https://lore.kernel.org/r/20260521000555.3712030-1-michael.bommarito@gmail.com
+Assisted-by: Claude:claude-opus-4-7
+Assisted-by: Codex:gpt-5-5-xhigh
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/bluetooth/l2cap.h | 1
+ net/bluetooth/l2cap_core.c | 46 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 47 insertions(+)
+
+--- a/include/net/bluetooth/l2cap.h
++++ b/include/net/bluetooth/l2cap.h
+@@ -33,6 +33,7 @@
+ /* L2CAP defaults */
+ #define L2CAP_DEFAULT_MTU 672
+ #define L2CAP_DEFAULT_MIN_MTU 48
++#define L2CAP_SIG_MTU 48 /* BR/EDR signaling MTU */
+ #define L2CAP_DEFAULT_FLUSH_TO 0xFFFF
+ #define L2CAP_EFS_DEFAULT_FLUSH_TO 0xFFFFFFFF
+ #define L2CAP_DEFAULT_TX_WINDOW 63
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -6640,6 +6640,15 @@ static inline void l2cap_sig_send_rej(st
+ l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
+ }
+
++static inline void l2cap_sig_send_mtu_rej(struct l2cap_conn *conn, u8 ident)
++{
++ struct l2cap_cmd_rej_mtu rej;
++
++ rej.reason = cpu_to_le16(L2CAP_REJ_MTU_EXCEEDED);
++ rej.max_mtu = cpu_to_le16(L2CAP_SIG_MTU);
++ l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
++}
++
+ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
+ struct sk_buff *skb)
+ {
+@@ -6652,6 +6661,43 @@ static inline void l2cap_sig_channel(str
+ if (hcon->type != ACL_LINK)
+ goto drop;
+
++ /*
++ * Bluetooth Core v5.4, Vol 3, Part A, Section 4: the BR/EDR
++ * signaling channel has a fixed signaling MTU (MTUsig) whose
++ * minimum and default is 48 octets. Section 4.1 says that on
++ * an MTUExceeded command reject the identifier "shall match
++ * the first request command in the L2CAP packet" and that
++ * packets containing only response commands "shall be
++ * silently discarded".
++ *
++ * Linux intentionally deviates from that prescription:
++ *
++ * 1. Silently discarding desynchronizes the peer. The
++ * remote stack never learns its responses were dropped,
++ * so any state machine waiting on a paired response
++ * stalls until its own timer fires.
++ *
++ * 2. Locating "the first request command" requires walking
++ * command headers past MTUsig, i.e. processing bytes
++ * from a packet we have already decided is too large to
++ * process.
++ *
++ * Reject every over-MTUsig signaling packet with one
++ * L2CAP_REJ_MTU_EXCEEDED command reject. The reject's
++ * reason field is what tells the peer that the whole packet
++ * was discarded; the identifier value is informational, so
++ * we use the identifier from the first command header, a
++ * single fixed-offset byte read.
++ */
++ if (skb->len > L2CAP_SIG_MTU) {
++ u8 ident = skb->data[1];
++
++ BT_DBG("signaling packet exceeds MTU: %u > %u",
++ skb->len, L2CAP_SIG_MTU);
++ l2cap_sig_send_mtu_rej(conn, ident);
++ goto drop;
++ }
++
+ while (skb->len >= L2CAP_CMD_HDR_SIZE) {
+ u16 len;
+
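Review bot: The over-MTUsig branch reports the event only through `BT_DBG`, so on a production kernel this path leaves no trace unless dynamic debug is enabled, even though the commit message describes it as reachable by an unpaired peer. A rate-limited warning, for example `bt_dev_warn_ratelimited(hcon->hdev, "oversized signaling packet: %u > %u", skb->len, L2CAP_SIG_MTU);`, would give operators something to detect on without letting the peer flood the log. Separately, `skb->data[1]` is a bare offset; writing it as `((struct l2cap_cmd_hdr *)skb->data)->ident` would tie the read to the header layout that the loop below parses. The body of l2cap_sig_channel starts and ends outside this hunk.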
--- /dev/null
+From d21ad938398bca695a511307de38a65889e3b354 Mon Sep 17 00:00:00 2001
+From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Date: Wed, 10 Jun 2026 09:03:14 +0300
+Subject: drm/i915/gem: Fix phys BO pread/pwrite with offset
+
+From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+
+commit d21ad938398bca695a511307de38a65889e3b354 upstream.
+
+sg_page() returns struct page pointer not (void *) so the scaling
+of pread/pwrite is wrong for phys BO and wrong parts of BO would be
+accessed if non-zero offset is used.
+
+Last impacted platform with overlay or cursor planes using phys
+mapping was Gen3/945G/Lakeport.
+
+Reported-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Fixes: c6790dc22312 ("drm/i915: Wean off drm_pci_alloc/drm_pci_free")
+Cc: <stable@vger.kernel.org> # v4.5+
+Cc: Tvrtko Ursulin <tursulin@ursulin.net>
+Cc: Simona Vetter <simona@ffwll.ch>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
+Link: https://patch.msgid.link/20260610060314.26111-1-joonas.lahtinen@linux.intel.com
+(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_phys.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gem/i915_gem_phys.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_phys.c
+@@ -17,6 +17,17 @@
+ #include "i915_gem_tiling.h"
+ #include "i915_scatterlist.h"
+
++/* Abuse scatterlist to store pointer instead of struct page. */
++static inline void __set_phys_vaddr(struct scatterlist *sg, void *vaddr)
++{
++ sg_assign_page(sg, (struct page *)vaddr);
++}
++
++static inline void *__get_phys_vaddr(struct scatterlist *sg)
++{
++ return (void *)sg_page(sg);
++}
++
+ static int i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj)
+ {
+ struct address_space *mapping = obj->base.filp->f_mapping;
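Review bot: The comment above `__set_phys_vaddr()` says the scatterlist is abused but not what a reader must avoid as a result, and `__get_phys_vaddr()` has no comment at all. The value in the page slot of these tables is the `vaddr` pointer, not a `struct page`, and doing arithmetic on the raw `sg_page()` result is exactly the mistake this commit fixes. I would extend the comment to cover both helpers, for example `/* phys BOs keep the buffer's vaddr in the sg page slot; always go through these helpers and never use sg_page() on such a table directly. */`.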
+@@ -53,7 +64,7 @@ static int i915_gem_object_get_pages_phy
+ sg->offset = 0;
+ sg->length = obj->base.size;
+
+- sg_assign_page(sg, (struct page *)vaddr);
++ __set_phys_vaddr(sg, vaddr);
+ sg_dma_address(sg) = dma;
+ sg_dma_len(sg) = obj->base.size;
+
+@@ -97,7 +108,7 @@ i915_gem_object_put_pages_phys(struct dr
+ struct sg_table *pages)
+ {
+ dma_addr_t dma = sg_dma_address(pages->sgl);
+- void *vaddr = sg_page(pages->sgl);
++ void *vaddr = __get_phys_vaddr(pages->sgl);
+
+ __i915_gem_object_release_shmem(obj, pages, false);
+
+@@ -140,7 +151,7 @@ i915_gem_object_put_pages_phys(struct dr
+ int i915_gem_object_pwrite_phys(struct drm_i915_gem_object *obj,
+ const struct drm_i915_gem_pwrite *args)
+ {
+- void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
++ void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
+ char __user *user_data = u64_to_user_ptr(args->data_ptr);
+ struct drm_i915_private *i915 = to_i915(obj->base.dev);
+ int err;
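Review bot: `args->offset` is added to the buffer pointer in the initialiser with no range check visible in this hunk, and the same holds for i915_gem_object_pread_phys in the next hunk. The offset and size are presumably validated by the ioctl caller, but both function bodies continue outside the hunks, so that cannot be confirmed from here. Now that the arithmetic is byte-scaled and the offset lands where userspace asked, a one-line comment such as `/* caller has validated offset and size against obj->base.size */` (once confirmed) would document the contract these two functions rely on.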
+@@ -171,7 +182,7 @@ int i915_gem_object_pwrite_phys(struct d
+ int i915_gem_object_pread_phys(struct drm_i915_gem_object *obj,
+ const struct drm_i915_gem_pread *args)
+ {
+- void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
++ void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
+ char __user *user_data = u64_to_user_ptr(args->data_ptr);
+ int err;
+
--- /dev/null
+From b837e38c255dd9f8b53511d52e87f1fda32b3dfe Mon Sep 17 00:00:00 2001
+From: Inochi Amaoto <inochiama@gmail.com>
+Date: Thu, 21 May 2026 15:21:20 +0800
+Subject: mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation
+
+From: Inochi Amaoto <inochiama@gmail.com>
+
+commit b837e38c255dd9f8b53511d52e87f1fda32b3dfe upstream.
+
+The previous clock uses roundup_pow_of_two() to calculate the core
+clock frequency. It does not meet the actual hardware meaning.
+The actual frequency is calculated by "ref_clk / ((div >> 1) << 1)".
+
+Fix the clock divider calculation.
+
+Fixes: 92e099104729 ("mmc: Add driver for LiteX's LiteSDCard interface")
+Signed-off-by: Inochi Amaoto <inochiama@gmail.com>
+Reviewed-by: Gabriel Somlo <gsomlo@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulfh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/litex_mmc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/host/litex_mmc.c
++++ b/drivers/mmc/host/litex_mmc.c
+@@ -16,6 +16,7 @@
+ #include <linux/interrupt.h>
+ #include <linux/iopoll.h>
+ #include <linux/litex.h>
++#include <linux/math.h>
+ #include <linux/mod_devicetable.h>
+ #include <linux/module.h>
+ #include <linux/platform_device.h>
+@@ -436,11 +437,10 @@ static void litex_mmc_setclk(struct lite
+ struct device *dev = mmc_dev(host->mmc);
+ u32 div;
+
+- div = freq ? host->ref_clk / freq : 256U;
+- div = roundup_pow_of_two(div);
++ div = freq ? DIV_ROUND_UP(host->ref_clk, freq) : 256U;
+ div = clamp(div, 2U, 256U);
+ dev_dbg(dev, "sd_clk_freq=%d: set to %d via div=%d\n",
+- freq, host->ref_clk / div, div);
++ freq, host->ref_clk / ((div + 1) & ~1U), div);
+ litex_write16(host->sdphy + LITEX_PHY_CLOCKERDIV, div);
+ host->sd_clk = freq;
+ }
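Review bot: The divider formula in the new `dev_dbg` does not match the one in the commit message: the message gives the hardware rate as `ref_clk / ((div >> 1) << 1)`, which rounds an odd divider down, while the log computes `ref_clk / ((div + 1) & ~1U)`, which rounds it up. `DIV_ROUND_UP` can now produce odd values, so the two disagree for every odd `div`. If the commit message is the accurate one, the card would then be clocked above the requested `freq` while the log reports a lower rate. I would confirm which rounding the PHY implements and, if it rounds down, make the programmed value even before the clamp, e.g. `div = (div + 1) & ~1U;`, so the logged and written dividers agree. litex_mmc_setclk starts outside the hunk.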
--- /dev/null
+From c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a Mon Sep 17 00:00:00 2001
+From: Tristan Madani <tristan@talencesecurity.com>
+Date: Wed, 27 May 2026 13:57:50 +0000
+Subject: netfilter: nft_tunnel: fix use-after-free on object destroy
+
+From: Tristan Madani <tristan@talencesecurity.com>
+
+commit c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a upstream.
+
+nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
+kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
+that took a reference via dst_hold() in nft_tunnel_obj_eval() and
+are still queued (e.g. in a netem qdisc) are left with a dangling
+pointer. When these packets are eventually dequeued, dst_release()
+operates on freed memory.
+
+Replace metadata_dst_free() with dst_release() so the metadata_dst
+is freed only after all references are dropped. The dst subsystem
+already handles metadata_dst cleanup in dst_destroy() when
+DST_METADATA is set.
+
+Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
+Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -699,7 +699,7 @@ static void nft_tunnel_obj_destroy(const
+ {
+ struct nft_tunnel_obj *priv = nft_obj_data(obj);
+
+- metadata_dst_free(priv->md);
++ dst_release(&priv->md->dst);
+ }
+
+ static struct nft_object_type nft_tunnel_obj_type;
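Review bot: The one-line change in nft_tunnel_obj_destroy carries a lifetime rule that the code does not state: per the commit message, `priv->md` can still be referenced by queued packets, so the object may only drop its own reference. A why-comment above the call, such as `/* Queued packets may still hold a reference taken in nft_tunnel_obj_eval(); drop ours and let the dst core free md. */`, would keep a later cleanup from reintroducing the direct `metadata_dst_free()`.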
net-mvpp2-build-skb-from-xdp-adjusted-data-on-xdp_pa.patch
netfilter-ctnetlink-ensure-safe-access-to-master-con.patch
drm-vc4-fix-krealloc-memory-leak.patch
+netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
+bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch
+bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
+mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch
+drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch