From: Greg Kroah-Hartman Date: Mon, 15 Jun 2026 15:00:03 +0000 (+0200) Subject: 5.10-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=272d50b9899c344d3336506ee01a9f2aa0e34929;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: fuse-reject-fuse_notify-pagecache-ops-on-directories.patch i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch i2c-tegra-fix-noirq-suspend-resume.patch input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch net-mv643xx-fix-of-node-refcount.patch net-rds-clear-i_sends-on-setup-unwind.patch --- diff --git a/queue-5.10/fuse-reject-fuse_notify-pagecache-ops-on-directories.patch b/queue-5.10/fuse-reject-fuse_notify-pagecache-ops-on-directories.patch new file mode 100644 index 0000000000..2ba644d70d --- /dev/null +++ b/queue-5.10/fuse-reject-fuse_notify-pagecache-ops-on-directories.patch 
@@ -0,0 +1,56 @@
+From 9c954499d43aefac01c5dfb57a82b13d2dcf4b94 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Tue, 19 May 2026 16:29:38 +0200
+Subject: fuse: reject fuse_notify() pagecache ops on directories
+
+From: Jann Horn
+
+commit 9c954499d43aefac01c5dfb57a82b13d2dcf4b94 upstream.
+
+The operations FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE allow the
+FUSE daemon to actively write/read pagecache contents.
+
+For directories with FOPEN_CACHE_DIR, the pagecache is used as
+kernel-internal cache storage, and userspace is not supposed to have
+direct access to this cache - in particular, fuse_parse_cache() will hit
+WARN_ON() if the cache contains bogus data.
+
+Reject FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE on anything other than
+regular files with -EINVAL.
+
+Fixes: 5d7bc7e8680c ("fuse: allow using readdir cache")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn
+Link: https://patch.msgid.link/20260519-fuse-dir-pagecache-v2-1-5428fa48e175@google.com
+Acked-by: Miklos Szeredi
+Signed-off-by: Christian Brauner (Amutable)
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/dev.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1603,6 +1603,10 @@ static int fuse_notify_store(struct fuse
+ inode = fuse_ilookup(fc, nodeid, NULL);
+ if (!inode)
+ goto out_up_killsb;
++ if (!S_ISREG(inode->i_mode)) {
++ err = -EINVAL;
++ goto out_iput;
++ }
+
+ mapping = inode->i_mapping;
+ index = outarg.offset >> PAGE_SHIFT;
+@@ -1774,7 +1778,10 @@ static int fuse_notify_retrieve(struct f
+
+ inode = fuse_ilookup(fc, nodeid, &fm);
+ if (inode) {
+- err = fuse_retrieve(fm, inode, &outarg);
++ if (!S_ISREG(inode->i_mode))
++ err = -EINVAL;
++ else
++ err = fuse_retrieve(fm, inode, &outarg);
+ iput(inode);
+ }
+ up_read(&fc->killsb);
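Review bot: The new S_ISREG() rejection in fuse_notify_store(), and its mirror in fuse_notify_retrieve(), carries no comment, so a later reader of dev.c cannot tell why a directory inode is refused when the daemon is otherwise trusted to fill the pagecache; the reason lives only in the commit message. Suggest a comment above the store check such as `/* Directory pagecache is the kernel's readdir cache (FOPEN_CACHE_DIR); the daemon may only STORE/RETRIEVE pages of regular files. */`, with a one-line pointer to it at the retrieve check. The two hunks express the same guard differently (`goto out_iput` versus an if/else around fuse_retrieve()), which is justified by the different cleanup shapes but is worth a glance for a 5.10 backport to confirm the out_iput label exists in that tree. Both enclosing functions begin and end outside the hunk.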
diff --git a/queue-5.10/i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch b/queue-5.10/i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch
new file mode 100644
index 0000000000..c20dc0bf3c
--- /dev/null
+++ b/queue-5.10/i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch
@@ -0,0 +1,55 @@
+From 729ac5a4b966aac42e08a94dea966f4429008548 Mon Sep 17 00:00:00 2001
+From: Vladimir Zapolskiy
+Date: Sat, 16 May 2026 02:41:18 +0300
+Subject: i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
+
+From: Vladimir Zapolskiy
+
+commit 729ac5a4b966aac42e08a94dea966f4429008548 upstream.
+
+On all modern platforms Qualcomm CCI controller provides two I2C masters,
+and on particular boards only one I2C master may be initialized, and in
+such cases the device unbinding or driver removal causes a NULL pointer
+dereference, because cci_halt() is called for all two I2C masters, but
+a completion is initialized only for the single enabled master:
+
+ % rmmod i2c-qcom-cci
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+
+ Call trace:
+ __wait_for_common+0x194/0x1a8 (P)
+ wait_for_completion_timeout+0x20/0x2c
+ cci_remove+0xc4/0x138 [i2c_qcom_cci]
+ platform_remove+0x20/0x30
+ device_remove+0x4c/0x80
+ device_release_driver_internal+0x1c8/0x224
+ driver_detach+0x50/0x98
+ bus_remove_driver+0x6c/0xbc
+ driver_unregister+0x30/0x60
+ platform_driver_unregister+0x14/0x20
+ qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci]
+ ....
+
+Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver")
+Signed-off-by: Vladimir Zapolskiy
+Cc: # v5.8+
+Reviewed-by: Konrad Dybcio
+Signed-off-by: Andi Shyti
+Link: https://lore.kernel.org/r/20260515234121.1607425-2-vladimir.zapolskiy@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-qcom-cci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-qcom-cci.c
++++ b/drivers/i2c/busses/i2c-qcom-cci.c
+@@ -683,8 +683,8 @@ static int cci_remove(struct platform_de
+ if (cci->master[i].cci) {
+ i2c_del_adapter(&cci->master[i].adap);
+ of_node_put(cci->master[i].adap.dev.of_node);
++ cci_halt(cci, i);
+ }
+- cci_halt(cci, i);
+ }
+
+ disable_irq(cci->irq);
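Review bot: The moved cci_halt() call relies on `cci->master[i].cci` being non-NULL exactly when that master's completion was initialised, but nothing at the call site records that invariant, so a future cleanup could hoist the call back out of the if and reintroduce the crash. A one-line comment above it, `/* cci_halt() waits on the master's completion, which is only initialised for enabled masters */`, would pin the reason down. The probe error unwind is not visible from this hunk; if it also walks every master calling cci_halt() unconditionally it presumably needs the same guard. cci_remove() continues outside the hunk.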
diff --git a/queue-5.10/i2c-tegra-fix-noirq-suspend-resume.patch b/queue-5.10/i2c-tegra-fix-noirq-suspend-resume.patch
new file mode 100644
index 0000000000..86730c4106
--- /dev/null
+++ b/queue-5.10/i2c-tegra-fix-noirq-suspend-resume.patch
@@ -0,0 +1,121 @@ +From 656646b3847ac6a21b074a813223feef2aadd6e2 Mon Sep 17 00:00:00 2001 +From: Akhil R +Date: Mon, 18 May 2026 17:10:13 +0530 +Subject: i2c: tegra: Fix NOIRQ suspend/resume + +From: Akhil R + +commit 656646b3847ac6a21b074a813223feef2aadd6e2 upstream. + +The Tegra I2C driver relies on runtime PM to wake up the controller before +each transfer. However, runtime PM is disabled between the system suspend +and NOIRQ suspend. If an I2C device initiates a transfer during this +window, the I2C controller fails to wake up and the transfer fails. To +handle this, the controller must be kept available for this period to +allow transfers. + +Rework the I2C controller's system PM callbacks such that the controller +is resumed from runtime suspend during system suspend and it stays +RPM_ACTIVE throughout the suspend-resume cycle until it is runtime +suspended back in the system resume. The clocks are disabled in NOIRQ +suspend and enabled back in NOIRQ resume by calling the controller's +runtime PM functions directly. + +Fixes: 8ebf15e9c869 ("i2c: tegra: Move suspend handling to NOIRQ phase") +Assisted-by: Cursor:claude-4.6-opus +Signed-off-by: Akhil R +Cc: # v5.4+ +Reviewed-by: Jon Hunter +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20260518114013.62065-5-akhilrajeev@nvidia.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-tegra.c | 53 +++++++++++++++++++++++------------------ + 1 file changed, 30 insertions(+), 23 deletions(-) + +--- a/drivers/i2c/busses/i2c-tegra.c ++++ b/drivers/i2c/busses/i2c-tegra.c +@@ -1873,28 +1873,37 @@ static int __maybe_unused tegra_i2c_runt + + static int __maybe_unused tegra_i2c_suspend(struct device *dev) + { ++ /* ++ * Bring the controller up and hold a usage count so it stays ++ * available until the noirq phase. 
++ */ ++ return pm_runtime_resume_and_get(dev); ++} ++ ++static int __maybe_unused tegra_i2c_suspend_noirq(struct device *dev) ++{ + struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev); +- int err; + + i2c_mark_adapter_suspended(&i2c_dev->adapter); + +- if (!pm_runtime_status_suspended(dev)) { +- err = tegra_i2c_runtime_suspend(dev); +- if (err) +- return err; +- } +- +- return 0; ++ /* ++ * Runtime PM is already disabled at this point, so invoke the ++ * runtime_suspend callback directly to put the controller down. ++ */ ++ return tegra_i2c_runtime_suspend(dev); + } + +-static int __maybe_unused tegra_i2c_resume(struct device *dev) ++static int __maybe_unused tegra_i2c_resume_noirq(struct device *dev) + { + struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev); + int err; + + /* +- * We need to ensure that clocks are enabled so that registers can be +- * restored in tegra_i2c_init(). ++ * Runtime PM is still disabled at this point, so invoke the ++ * runtime_resume callback directly to bring the controller back up ++ * before re-initializing the hardware. The adapter is then marked ++ * resumed so that consumers can issue transfers from their own ++ * resume_noirq() handlers and onwards. + */ + err = tegra_i2c_runtime_resume(dev); + if (err) +@@ -1904,24 +1913,22 @@ static int __maybe_unused tegra_i2c_resu + if (err) + return err; + +- /* +- * In case we are runtime suspended, disable clocks again so that we +- * don't unbalance the clock reference counts during the next runtime +- * resume transition. 
+- */ +- if (pm_runtime_status_suspended(dev)) { +- err = tegra_i2c_runtime_suspend(dev); +- if (err) +- return err; +- } +- + i2c_mark_adapter_resumed(&i2c_dev->adapter); + + return 0; + } + ++static int __maybe_unused tegra_i2c_resume(struct device *dev) ++{ ++ pm_runtime_put(dev); ++ ++ return 0; ++} ++ + static const struct dev_pm_ops tegra_i2c_pm = { +- SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume) ++ SET_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume) ++ SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend_noirq, ++ tegra_i2c_resume_noirq) + SET_RUNTIME_PM_OPS(tegra_i2c_runtime_suspend, tegra_i2c_runtime_resume, + NULL) + }; diff --git a/queue-5.10/input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch b/queue-5.10/input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch new file mode 100644 index 0000000000..6aab9083d2 --- /dev/null +++ b/queue-5.10/input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch 
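Review bot: In tegra_i2c_suspend_noirq() the adapter is marked suspended before tegra_i2c_runtime_suspend() is called, so if that call fails the PM core will not invoke tegra_i2c_resume_noirq() for this device and the adapter stays marked suspended, rejecting every later transfer until reboot; if tegra_i2c_runtime_suspend() can fail (its body is outside the hunk), either call it first and mark the adapter only on success, or undo the mark on error: `err = tegra_i2c_runtime_suspend(dev); if (err) i2c_mark_adapter_resumed(&i2c_dev->adapter); return err;`. tegra_i2c_resume_noirq() has the mirror-image gap, inherited from the old code: an error from tegra_i2c_init() returns with the adapter still marked suspended. For the 5.10 backport it is also worth confirming that pm_runtime_resume_and_get() exists in that tree's pm_runtime.h, since the helper is newer than the Fixes commit. tegra_i2c_resume_noirq() starts inside the hunk but its middle is cut by the second @@ header.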
@@ -0,0 +1,52 @@
+From ad0979fe053e9f2db82da82188256ef6eb41095a Mon Sep 17 00:00:00 2001
+From: Zeyu WANG
+Date: Wed, 3 Jun 2026 01:09:09 +0800
+Subject: Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)
+
+From: Zeyu WANG
+
+commit ad0979fe053e9f2db82da82188256ef6eb41095a upstream.
+
+The Lenovo Yoga Air 14 (83QK) laptop keyboard becomes unresponsive
+after the standard atkbd init sequence. Controlled testing on the
+actual hardware shows the F5 (ATKBD_CMD_RESET_DIS / deactivate)
+command specifically corrupts the EC state, causing zero IRQ1
+interrupts after init.
+
+Skipping only the deactivate command (while keeping F4 ENABLE)
+resolves the issue completely: both keystroke input and CapsLock
+LED toggle work correctly. The reverse test - skipping only F4
+while keeping F5 - makes the problem worse (zero keystroke
+interrupts), confirming F5 is the sole culprit.
+
+Add a DMI quirk entry for LENOVO/83QK using the existing
+atkbd_deactivate_fixup callback, consistent with the existing
+entries for LG Electronics and HONOR FMB-P that address the
+same EC F5 deactivate issue.
+
+Signed-off-by: Zeyu WANG
+Link: https://patch.msgid.link/20260602170909.14725-1-zeyu.thomas.wang@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/keyboard/atkbd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/input/keyboard/atkbd.c
++++ b/drivers/input/keyboard/atkbd.c
+@@ -1939,6 +1939,14 @@ static const struct dmi_system_id atkbd_
+ },
+ .callback = atkbd_deactivate_fixup,
+ },
++ {
++ /* Lenovo Yoga Air 14 (83QK) */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83QK"),
++ },
++ .callback = atkbd_deactivate_fixup,
++ },
+ { }
+ };
+
diff --git a/queue-5.10/input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch b/queue-5.10/input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch
new file mode 100644
index 0000000000..7d7e4d671d
--- /dev/null
+++ b/queue-5.10/input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch
@@ -0,0 +1,45 @@
+From fb402386af4cdce108ff991a796386de55439735 Mon Sep 17 00:00:00 2001
+From: Cryolitia PukNgae
+Date: Fri, 5 Jun 2026 15:27:21 +0800
+Subject: Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard
+
+From: Cryolitia PukNgae
+
+commit fb402386af4cdce108ff991a796386de55439735 upstream.
+
+After commit 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd -
+do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID"), HONOR
+BCC-N, aka HONOR MagicBook 14 2026's internal keyboard stops
+working. Adding the atkbd_deactivate_fixup quirk fixes it.
+
+DMI: HONOR BCC-N/BCC-N-PCB, BIOS 1.04 04/07/2026
+
+Fixes: 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID")
+Reported-by: Hongfei Ren
+Link: https://github.com/colorcube/Linux-on-Honor-Magicbook-14-Pro/issues/1#issuecomment-4562679891
+Tested-by: Hongfei Ren
+Cc: stable@kernel.org
+Signed-off-by: Cryolitia PukNgae
+Link: https://patch.msgid.link/20260605-honor-v1-1-78e05e491193@linux.dev
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/keyboard/atkbd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/keyboard/atkbd.c
++++ b/drivers/input/keyboard/atkbd.c
+@@ -1947,6 +1947,13 @@ static const struct dmi_system_id atkbd_
+ },
+ .callback = atkbd_deactivate_fixup,
+ },
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "HONOR"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "BCC-N"),
++ },
++ .callback = atkbd_deactivate_fixup,
++ },
+ { }
+ };
+
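Review bot: The new HONOR table entry has no identifying comment, unlike the Lenovo entry added immediately above it in the same table (which carries `/* Lenovo Yoga Air 14 (83QK) */`); product codes such as "BCC-N" are opaque, so add `/* HONOR MagicBook 14 2026 (BCC-N) */` on the line after the opening brace to keep the quirk table self-explanatory. DMI_MATCH() is a substring match, so the entry will also catch any future product name containing "BCC-N"; that is consistent with the neighbouring entries, but DMI_EXACT_MATCH() is available if the quirk should stay confined to this model.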
diff --git a/queue-5.10/ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch b/queue-5.10/ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch
new file mode 100644
index 0000000000..e8e9fe461f
--- /dev/null
+++ b/queue-5.10/ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch
@@ -0,0 +1,68 @@
+From 2e5c6f4fd4001562781e99bbfc7f1f0127187542 Mon Sep 17 00:00:00 2001
+From: Yilin Zhu
+Date: Thu, 30 Apr 2026 13:21:34 +0800
+Subject: ipc/shm: serialize orphan cleanup with shm_nattch updates
+
+From: Yilin Zhu
+
+commit 2e5c6f4fd4001562781e99bbfc7f1f0127187542 upstream.
+
+shm_destroy_orphaned() walks the shm idr under shm_ids(ns).rwsem, but that
+does not serialize all fields tested by shm_may_destroy(). In particular,
+shm_nattch is updated while holding shm_perm.lock, and attach paths can do
+that without holding the rwsem.
+
+Do not decide that an orphaned segment is unused before taking the object
+lock. Move the shm_may_destroy() check under shm_perm.lock, matching the
+other destroy paths, and unlock the segment when it no longer qualifies
+for removal.
+
+Link: https://lore.kernel.org/9d97cc1031de2d0bace0edf3a668818aa2f4eca6.1777410234.git.zylzyl2333@gmail.com
+Fixes: 4c677e2eefdb ("shm: optimize locking and ipc_namespace getting")
+Reported-by: Yuan Tan
+Reported-by: Yifan Wu
+Reported-by: Juefei Pu
+Reported-by: Xin Liu
+Signed-off-by: Yilin Zhu
+Signed-off-by: Ren Wei
+Cc: Christian Brauner
+Cc: Jeongjun Park
+Cc: Kees Cook
+Cc: Liam Howlett
+Cc: Lorenzo Stoakes
+Cc: Serge Hallyn
+Cc: Vasiliy Kulikov
+Cc: Davidlohr Bueso
+Cc: Oleg Nesterov
+Cc: Serge Hallyn
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ ipc/shm.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -402,15 +402,17 @@ static int shm_try_destroy_orphaned(int
+ * We want to destroy segments without users and with already
+ * exit'ed originating process.
+ *
+- * As shp->* are changed under rwsem, it's safe to skip shp locking.
++ * shm_nattch can be changed under shm_perm.lock without holding the
++ * rwsem, so take the object lock before checking shm_may_destroy().
+ */
+ if (!list_empty(&shp->shm_clist))
+ return 0;
+
+- if (shm_may_destroy(shp)) {
+- shm_lock_by_ptr(shp);
++ shm_lock_by_ptr(shp);
++ if (shm_may_destroy(shp))
+ shm_destroy(ns, shp);
+- }
++ else
++ shm_unlock(shp);
+ return 0;
+ }
+
diff --git a/queue-5.10/misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch b/queue-5.10/misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch
new file mode 100644
index 0000000000..93f4ffdf2e
--- /dev/null
+++ b/queue-5.10/misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch
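Review bot: The `list_empty(&shp->shm_clist)` test in shm_try_destroy_orphaned() is still evaluated before shm_lock_by_ptr(), so the unlocked-read concern this patch fixes for shm_nattch applies to shm_clist as well if its list manipulation also happens under shm_perm.lock rather than the rwsem; the attach and exit paths are outside this hunk, so I cannot confirm which lock protects it in the 5.10 tree, but if it is the object lock the check should move below shm_lock_by_ptr() too, with `shm_unlock(shp);` before the early `return 0;`. The rewritten comment is accurate, though it would help to add that shm_destroy() drops shm_perm.lock itself, which is why the else branch is the only explicit unlock. The head of shm_try_destroy_orphaned() is outside the hunk.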
@@ -0,0 +1,207 @@ +From e85eb5feca8e254905ffa6c57a3c99c89a674a0f Mon Sep 17 00:00:00 2001 +From: Anandu Krishnan E +Date: Sat, 30 May 2026 21:45:25 +0100 +Subject: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Anandu Krishnan E + +commit e85eb5feca8e254905ffa6c57a3c99c89a674a0f upstream. + +There is a race between fastrpc_device_release() and the workqueue +that processes DSP responses. When the user closes the file descriptor, +fastrpc_device_release() frees the fastrpc_user structure. Concurrently, +an in-flight DSP invocation can complete and fastrpc_rpmsg_callback() +schedules context cleanup via schedule_work(&ctx->put_work). If the +workqueue runs fastrpc_context_free() in parallel with or after +fastrpc_device_release() has freed the user structure, it dereferences +the freed fastrpc_user. Depending on the state of the context at the +time of the race, any one of the following accesses can be hit: + + 1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...) + to strip the SID bits from the stored IOVA before passing the + physical address to dma_free_coherent(). + + 2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to + reconstruct the source permission bitmask needed for the + qcom_scm_assign_mem() call that returns memory from the DSP VM + back to HLOS. + + 3. fastrpc_free_map() acquires map->fl->lock to safely remove the + map node from the fl->maps list. + +The resulting use-after-free manifests as: + + pc : fastrpc_buf_free+0x38/0x80 [fastrpc] + lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc] + fastrpc_context_free+0xa8/0x1b0 [fastrpc] + fastrpc_context_put_wq+0x78/0xa0 [fastrpc] + process_one_work+0x180/0x450 + worker_thread+0x26c/0x388 + +Add kref-based reference counting to fastrpc_user. Have each invoke +context take a reference on the user at allocation time and release it +when the context is freed. 
Release the initial reference in +fastrpc_device_release() at file close. Move the teardown of the user +structure — freeing pending contexts, maps, mmaps, and the channel +context reference — into the kref release callback fastrpc_user_free(), +so that it runs only when the last reference is dropped, regardless of +whether that happens at device close or after the final in-flight +context completes. + +Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter") +Cc: stable@kernel.org +Signed-off-by: Anandu Krishnan E +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260530204528.116920-2-srini@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 75 +++++++++++++++++++++++++++++++++---------------- + 1 file changed, 52 insertions(+), 23 deletions(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -232,6 +232,8 @@ struct fastrpc_user { + spinlock_t lock; + /* lock for allocations */ + struct mutex mutex; ++ /* Reference count */ ++ struct kref refcount; + }; + + static void fastrpc_free_map(struct kref *ref) +@@ -352,15 +354,57 @@ static void fastrpc_channel_ctx_put(stru + kref_put(&cctx->refcount, fastrpc_channel_ctx_free); + } + ++static void fastrpc_context_put(struct fastrpc_invoke_ctx *ctx); ++ ++static void fastrpc_user_free(struct kref *ref) ++{ ++ struct fastrpc_user *fl = container_of(ref, struct fastrpc_user, refcount); ++ struct fastrpc_invoke_ctx *ctx, *n; ++ struct fastrpc_map *map, *m; ++ struct fastrpc_buf *buf, *b; ++ ++ if (fl->init_mem) ++ fastrpc_buf_free(fl->init_mem); ++ ++ list_for_each_entry_safe(ctx, n, &fl->pending, node) { ++ list_del(&ctx->node); ++ fastrpc_context_put(ctx); ++ } ++ ++ list_for_each_entry_safe(map, m, &fl->maps, node) ++ fastrpc_map_put(map); ++ ++ list_for_each_entry_safe(buf, b, &fl->mmaps, node) { ++ list_del(&buf->node); ++ fastrpc_buf_free(buf); ++ } ++ ++ fastrpc_channel_ctx_put(fl->cctx); ++ mutex_destroy(&fl->mutex); ++ kfree(fl); ++} ++ 
++static void fastrpc_user_get(struct fastrpc_user *fl) ++{ ++ kref_get(&fl->refcount); ++} ++ ++static void fastrpc_user_put(struct fastrpc_user *fl) ++{ ++ kref_put(&fl->refcount, fastrpc_user_free); ++} ++ + static void fastrpc_context_free(struct kref *ref) + { + struct fastrpc_invoke_ctx *ctx; + struct fastrpc_channel_ctx *cctx; ++ struct fastrpc_user *fl; + unsigned long flags; + int i; + + ctx = container_of(ref, struct fastrpc_invoke_ctx, refcount); + cctx = ctx->cctx; ++ fl = ctx->fl; + + for (i = 0; i < ctx->nscalars; i++) + fastrpc_map_put(ctx->maps[i]); +@@ -376,6 +420,8 @@ static void fastrpc_context_free(struct + kfree(ctx->olaps); + kfree(ctx); + ++ /* Release the reference taken in fastrpc_context_alloc() */ ++ fastrpc_user_put(fl); + fastrpc_channel_ctx_put(cctx); + } + +@@ -485,6 +531,8 @@ static struct fastrpc_invoke_ctx *fastrp + + /* Released in fastrpc_context_put() */ + fastrpc_channel_ctx_get(cctx); ++ /* Take a reference to user, released in fastrpc_context_free() */ ++ fastrpc_user_get(user); + + ctx->sc = sc; + ctx->retval = -1; +@@ -515,6 +563,7 @@ err_idr: + spin_lock(&user->lock); + list_del(&ctx->node); + spin_unlock(&user->lock); ++ fastrpc_user_put(user); + fastrpc_channel_ctx_put(cctx); + kfree(ctx->maps); + kfree(ctx->olaps); +@@ -1179,9 +1228,6 @@ static int fastrpc_device_release(struct + { + struct fastrpc_user *fl = (struct fastrpc_user *)file->private_data; + struct fastrpc_channel_ctx *cctx = fl->cctx; +- struct fastrpc_invoke_ctx *ctx, *n; +- struct fastrpc_map *map, *m; +- struct fastrpc_buf *buf, *b; + unsigned long flags; + + fastrpc_release_current_dsp_process(fl); +@@ -1190,28 +1236,10 @@ static int fastrpc_device_release(struct + list_del(&fl->user); + spin_unlock_irqrestore(&cctx->lock, flags); + +- if (fl->init_mem) +- fastrpc_buf_free(fl->init_mem); +- +- list_for_each_entry_safe(ctx, n, &fl->pending, node) { +- list_del(&ctx->node); +- fastrpc_context_put(ctx); +- } +- +- list_for_each_entry_safe(map, m, 
&fl->maps, node) +- fastrpc_map_put(map); +- +- list_for_each_entry_safe(buf, b, &fl->mmaps, node) { +- list_del(&buf->node); +- fastrpc_buf_free(buf); +- } +- + fastrpc_session_free(cctx, fl->sctx); +- fastrpc_channel_ctx_put(cctx); +- +- mutex_destroy(&fl->mutex); +- kfree(fl); + file->private_data = NULL; ++ /* Release the reference taken in fastrpc_device_open */ ++ fastrpc_user_put(fl); + + return 0; + } +@@ -1251,6 +1279,7 @@ static int fastrpc_device_open(struct in + spin_lock_irqsave(&cctx->lock, flags); + list_add_tail(&fl->user, &cctx->users); + spin_unlock_irqrestore(&cctx->lock, flags); ++ kref_init(&fl->refcount); + + return 0; + } diff --git a/queue-5.10/net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch b/queue-5.10/net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch new file mode 100644 index 0000000000..6b1dd2b5c9 --- /dev/null +++ b/queue-5.10/net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch 
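Review bot: The pending-list teardown moved into fastrpc_user_free() looks either unreachable or unsafe: every context now holds a reference on fl from fastrpc_context_alloc() until fastrpc_context_free(), so fl's refcount cannot reach zero while any context is still on fl->pending, and if — as the pre-patch release loop suggests — a context can stay parked there holding its own allocation reference (the wait/bail path in fastrpc_internal_invoke() is outside this hunk), that context pins fl, fl pins it back, and fl, its channel-context reference and the parked contexts are never freed. Conversely, should the loop ever run inside the release callback, fastrpc_context_put() → fastrpc_context_free() → fastrpc_user_put(fl) would decrement a kref that is already at zero. Either parked contexts must drop their fl reference when they are parked (so the loop in fastrpc_user_free() can go), or the walk should stay in fastrpc_device_release() where it ran before. Separately, `kref_init(&fl->refcount)` in fastrpc_device_open() comes after fl is published on `cctx->users`; move it before the list_add_tail() so no other path can observe an uninitialised count. fastrpc_device_open() and fastrpc_device_release() both extend beyond the hunk.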
@@ -0,0 +1,57 @@
+From a764b0e8317a863006e05732e1aefe821b9d8c2d Mon Sep 17 00:00:00 2001
+From: ZhaoJinming
+Date: Mon, 1 Jun 2026 16:56:49 +0800
+Subject: net: bonding: fix NULL pointer dereference in bond_do_ioctl()
+
+From: ZhaoJinming
+
+commit a764b0e8317a863006e05732e1aefe821b9d8c2d upstream.
+
+In bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which
+can return NULL if the requested interface name does not exist. However,
+the subsequent slave_dbg() call is placed before the NULL check:
+
+ slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
+ slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); //here
+ if (!slave_dev)
+ return -ENODEV;
+
+The slave_dbg() macro expands to netdev_dbg(bond_dev, "(slave %s): " fmt,
+(slave_dev)->name, ...) which unconditionally dereferences slave_dev->name
+before the NULL check is performed. This results in a NULL pointer
+dereference kernel oops when a user calls bonding ioctl (e.g.
+SIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave
+interface name.
+
+This is reachable from userspace via the bonding ioctl interface with
+CAP_NET_ADMIN capability, making it a potential local denial-of-service
+vector.
+
+Fix by moving the slave_dbg() call after the NULL check.
+
+Fixes: e2a7420df2e0 ("bonding/main: convert to using slave printk macros")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: ZhaoJinming
+Link: https://patch.msgid.link/20260601085649.4029067-1-zhaojinming@uniontech.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/bonding/bond_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4018,11 +4018,11 @@ static int bond_do_ioctl(struct net_devi
+
+ slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
+
+- slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
+-
+ if (!slave_dev)
+ return -ENODEV;
+
++ slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
++
+ switch (cmd) {
+ case BOND_ENSLAVE_OLD:
+ case SIOCBONDENSLAVE:
diff --git a/queue-5.10/net-mv643xx-fix-of-node-refcount.patch b/queue-5.10/net-mv643xx-fix-of-node-refcount.patch
new file mode 100644
index 0000000000..dd14e4845d
--- /dev/null
+++ b/queue-5.10/net-mv643xx-fix-of-node-refcount.patch
@@ -0,0 +1,38 @@
+From 4aacf509e537a711fa71bca9f234e5eb6968850e Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski
+Date: Tue, 2 Jun 2026 09:34:14 +0200
+Subject: net: mv643xx: fix OF node refcount
+
+From: Bartosz Golaszewski
+
+commit 4aacf509e537a711fa71bca9f234e5eb6968850e upstream.
+
+Platform devices created with platform_device_alloc() call
+platform_device_release() when the last reference to the device's
+kobject is dropped. This function calls of_node_put() unconditionally.
+This works fine for devices created with platform_device_register_full()
+but users of the split approach (platform_device_alloc() +
+platform_device_add()) must bump the reference of the of_node they
+assign manually. Add the missing call to of_node_get().
+
+Cc: stable@vger.kernel.org
+Fixes: 76723bca2802 ("net: mv643xx_eth: add DT parsing support")
+Signed-off-by: Bartosz Golaszewski
+Link: https://patch.msgid.link/20260602073414.22500-1-bartosz.golaszewski@oss.qualcomm.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/mv643xx_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
+@@ -2754,7 +2754,7 @@ static int mv643xx_eth_shared_of_add_por
+ if (!ppdev)
+ return -ENOMEM;
+ ppdev->dev.coherent_dma_mask = DMA_BIT_MASK(32);
+- ppdev->dev.of_node = pnp;
++ ppdev->dev.of_node = of_node_get(pnp);
+
+ ret = platform_device_add_resources(ppdev, &res, 1);
+ if (ret)
diff --git a/queue-5.10/net-rds-clear-i_sends-on-setup-unwind.patch b/queue-5.10/net-rds-clear-i_sends-on-setup-unwind.patch
new file mode 100644
index 0000000000..b3c7919ee7
--- /dev/null
+++ b/queue-5.10/net-rds-clear-i_sends-on-setup-unwind.patch
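Review bot: The added of_node_get() is only balanced if every failure path after it releases ppdev through platform_device_put(), so that platform_device_release() performs the matching of_node_put(); the `if (ret)` branch after platform_device_add_resources() and any later error paths are outside the hunk, so confirm none of them returns or frees the device without a put, otherwise the change turns a refcount underflow into a leaked node reference on those paths. A short comment at the assignment, e.g. `/* balanced by of_node_put() in platform_device_release() */`, would record why the explicit get is needed for the alloc/add split. mv643xx_eth_shared_of_add_port() continues beyond the hunk.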
@@ -0,0 +1,47 @@
+From 20cf0fb715c41111469577e85e35d15f099473e0 Mon Sep 17 00:00:00 2001
+From: Yuqi Xu
+Date: Fri, 29 May 2026 21:01:44 +0800
+Subject: net: rds: clear i_sends on setup unwind
+
+From: Yuqi Xu
+
+commit 20cf0fb715c41111469577e85e35d15f099473e0 upstream.
+
+The RDS IB connection teardown path is written so it can run during
+partial startup and on repeated shutdown attempts. It uses NULL
+pointers to distinguish resources that are still owned from resources
+that have already been released.
+
+When rds_ib_setup_qp() fails after allocating i_sends but before
+allocating i_recvs, the sends_out path frees i_sends without clearing
+the pointer. A later shutdown pass can still treat that stale pointer
+as a live send ring allocation.
+
+Clear i_sends after vfree() in the error unwind path so the existing
+shutdown logic continues to use the correct ownership state.
+
+Fixes: 3b12f73a5c29 ("rds: ib: add error handle")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan
+Reported-by: Zhengchuan Liang
+Reported-by: Xin Liu
+Signed-off-by: Yuqi Xu
+Signed-off-by: Ren Wei
+Reviewed-by: Allison Henderson
+Link: https://patch.msgid.link/5a0f7624bb9845a7b67d26166a150b59e7f394ce.1779632468.git.xuyq21@lenovo.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rds/ib_cm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rds/ib_cm.c
++++ b/net/rds/ib_cm.c
+@@ -690,6 +690,7 @@ static int rds_ib_setup_qp(struct rds_co
+
+ sends_out:
+ vfree(ic->i_sends);
++ ic->i_sends = NULL;
+
+ ack_dma_out:
+ rds_dma_hdr_free(rds_ibdev->dev, ic->i_ack, ic->i_ack_dma,
diff --git a/queue-5.10/series b/queue-5.10/series
index 2332a56d50..4512310012 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
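Review bot: Only i_sends is reset here, while the commit message says the shutdown path uses NULL-ness to decide ownership for every resource this unwind releases; the unwind labels that free i_recvs and the ack/header DMA buffers (the rds_dma_hdr_free() call at ack_dma_out is visible, the rest is outside the hunk) presumably have the same stale-pointer exposure when a later allocation fails, so they are worth checking rather than fixing this one case in isolation. A one-line comment above the new assignment, `/* shutdown treats a non-NULL i_sends as still owned */`, would explain why the clear is needed after vfree(). rds_ib_setup_qp() starts before the hunk and continues after it.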
@@ -190,3 +190,13 @@ arm-socfpga-fix-of-node-refcount-leak-in-smp-setup.patch
 vsock-vmci-fix-sk_ack_backlog-leak-on-failed-handshake.patch
 ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch
 pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch
+fuse-reject-fuse_notify-pagecache-ops-on-directories.patch
+i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch
+i2c-tegra-fix-noirq-suspend-resume.patch
+input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch
+input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch
+ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch
+misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch
+net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch
+net-mv643xx-fix-of-node-refcount.patch
+net-rds-clear-i_sends-on-setup-unwind.patch