From: Greg Kroah-Hartman
Date: Mon, 15 Jun 2026 04:11:01 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5e6af7a21271a226435f4e1fc3fb46b1500f5b28;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches
added patches:
bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
---
diff --git a/queue-5.10/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch b/queue-5.10/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
new file mode 100644
index 0000000000..e4091cd5a3
--- /dev/null
+++ b/queue-5.10/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
@@ -0,0 +1,128 @@
+From dd214733544427587a95f66dbf3adff072568990 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito
+Date: Thu, 21 May 2026 10:45:17 -0400
+Subject: Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
+
+From: Michael Bommarito
+
+commit dd214733544427587a95f66dbf3adff072568990 upstream.
+
+net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR
+signaling packets up to the channel MTU and dispatches each command
+without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer
+within radio range can send a fixed-channel CID 0x0001 packet that is
+larger than MTUsig and contains many L2CAP_ECHO_REQ commands before
+pairing. In a real-radio stock-kernel run, one 681-byte signaling
+packet containing 168 zero-length ECHO_REQ commands made the target
+transmit 168 ECHO_RSP frames over about 220 ms.
+
+Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can
+force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling
+packet containing packed ECHO_REQ commands.
+
+Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and
+reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP
+carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched.
+
+The Bluetooth Core spec wording for MTUExceeded says the reject
+identifier shall match the first request command in the packet, and
+that packets containing only responses shall be silently discarded.
+Linux intentionally deviates from that prescription: silently
+discarding desynchronizes the peer because the remote stack never
+learns its responses were dropped, and locating the first request
+command requires walking command headers past MTUsig, i.e. processing
+bytes from a packet we have already decided is too large to process.
+We therefore always emit one reject and use the identifier from the
+first command header, a single fixed-offset byte read.
+
+The unrestricted BR/EDR signaling parser and ECHO_REQ response path both
+trace to the initial git import; no later introducing commit is
+available for a Fixes tag.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Luiz Augusto von Dentz
+Link: https://lore.kernel.org/r/20260518002800.1361430-1-michael.bommarito@gmail.com
+Link: https://lore.kernel.org/r/20260520135034.1060859-1-michael.bommarito@gmail.com
+Link: https://lore.kernel.org/r/20260521000555.3712030-1-michael.bommarito@gmail.com
+Assisted-by: Claude:claude-opus-4-7
+Assisted-by: Codex:gpt-5-5-xhigh
+Signed-off-by: Michael Bommarito
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/bluetooth/l2cap.h | 1
+ net/bluetooth/l2cap_core.c | 46 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 47 insertions(+)
+
+--- a/include/net/bluetooth/l2cap.h
++++ b/include/net/bluetooth/l2cap.h
+@@ -33,6 +33,7 @@
+ /* L2CAP defaults */
+ #define L2CAP_DEFAULT_MTU 672
+ #define L2CAP_DEFAULT_MIN_MTU 48
++#define L2CAP_SIG_MTU 48 /* BR/EDR signaling MTU */
+ #define L2CAP_DEFAULT_FLUSH_TO 0xFFFF
+ #define L2CAP_EFS_DEFAULT_FLUSH_TO 0xFFFFFFFF
+ #define L2CAP_DEFAULT_TX_WINDOW 63
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -6618,6 +6618,15 @@ static inline void l2cap_sig_send_rej(st
+ l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
+ }
+
++static inline void l2cap_sig_send_mtu_rej(struct l2cap_conn *conn, u8 ident)
++{
++ struct l2cap_cmd_rej_mtu rej;
++
++ rej.reason = cpu_to_le16(L2CAP_REJ_MTU_EXCEEDED);
++ rej.max_mtu = cpu_to_le16(L2CAP_SIG_MTU);
++ l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
++}
++
+ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
+ struct sk_buff *skb)
+ {
+@@ -6630,6 +6639,43 @@ static inline void l2cap_sig_channel(str
+ if (hcon->type != ACL_LINK)
+ goto drop;
+
++ /*
++ * Bluetooth Core v5.4, Vol 3, Part A, Section 4: the BR/EDR
++ * signaling channel has a fixed signaling MTU (MTUsig) whose
++ * minimum and default is 48 octets. Section 4.1 says that on
++ * an MTUExceeded command reject the identifier "shall match
++ * the first request command in the L2CAP packet" and that
++ * packets containing only response commands "shall be
++ * silently discarded".
++ *
++ * Linux intentionally deviates from that prescription:
++ *
++ * 1. Silently discarding desynchronizes the peer. The
++ * remote stack never learns its responses were dropped,
++ * so any state machine waiting on a paired response
++ * stalls until its own timer fires.
++ *
++ * 2. Locating "the first request command" requires walking
++ * command headers past MTUsig, i.e. processing bytes
++ * from a packet we have already decided is too large to
++ * process.
++ *
++ * Reject every over-MTUsig signaling packet with one
++ * L2CAP_REJ_MTU_EXCEEDED command reject. The reject's
++ * reason field is what tells the peer that the whole packet
++ * was discarded; the identifier value is informational, so
++ * we use the identifier from the first command header, a
++ * single fixed-offset byte read.
++ */
++ if (skb->len > L2CAP_SIG_MTU) {
++ u8 ident = skb->data[1];
++
++ BT_DBG("signaling packet exceeds MTU: %u > %u",
++ skb->len, L2CAP_SIG_MTU);
++ l2cap_sig_send_mtu_rej(conn, ident);
++ goto drop;
++ }
++
+ while (skb->len >= L2CAP_CMD_HDR_SIZE) {
+ u16 len;
+
diff --git a/queue-5.10/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch b/queue-5.10/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
new file mode 100644
index 0000000000..81e6db5bf1
--- /dev/null
+++ b/queue-5.10/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
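Review bot: The new `if (skb->len > L2CAP_SIG_MTU)` gate in l2cap_sig_channel() is enforced only on receive, and nothing in the hunk bounds Linux's own outgoing signaling PDUs by the same 48 octets; a CONF_REQ carrying MTU, RFC, FCS, EFS and EWS options together is, by my count of the option sizes, within a few bytes of that limit, and I cannot tell from here whether l2cap_build_conf_req() or the CONF_RSP builder (both outside this hunk) can cross it, in which case a peer running this patch would answer with MTU_EXCEEDED and configuration would never complete. Worth confirming the maximum those builders can emit and either bounding them by L2CAP_SIG_MTU or recording why they cannot reach it, e.g. `#define L2CAP_SIG_MTU 48 /* BR/EDR MTUsig: spec minimum; enforced on RX, TX builders must stay within it */`. The `skb->data[1]` read before the command loop is only safe because `skb->len > L2CAP_SIG_MTU` already implies a full command header is present; a one-line comment to that effect, `/* len > 48 >= L2CAP_CMD_HDR_SIZE, so the ident byte is in bounds */`, would keep a later reorder of the checks from breaking it. The enclosing l2cap_sig_channel() continues past the end of the hunk.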
@@ -0,0 +1,89 @@
+From d21ad938398bca695a511307de38a65889e3b354 Mon Sep 17 00:00:00 2001
+From: Joonas Lahtinen
+Date: Wed, 10 Jun 2026 09:03:14 +0300
+Subject: drm/i915/gem: Fix phys BO pread/pwrite with offset
+
+From: Joonas Lahtinen
+
+commit d21ad938398bca695a511307de38a65889e3b354 upstream.
+
+sg_page() returns struct page pointer not (void *) so the scaling
+of pread/pwrite is wrong for phys BO and wrong parts of BO would be
+accessed if non-zero offset is used.
+
+Last impacted platform with overlay or cursor planes using phys
+mapping was Gen3/945G/Lakeport.
+
+Reported-by: Matthew Wilcox (Oracle)
+Fixes: c6790dc22312 ("drm/i915: Wean off drm_pci_alloc/drm_pci_free")
+Cc: # v4.5+
+Cc: Tvrtko Ursulin
+Cc: Simona Vetter
+Cc: Jani Nikula
+Cc: Rodrigo Vivi
+Signed-off-by: Joonas Lahtinen
+Reviewed-by: Tvrtko Ursulin
+Link: https://patch.msgid.link/20260610060314.26111-1-joonas.lahtinen@linux.intel.com
+(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)
+Signed-off-by: Tvrtko Ursulin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/i915/gem/i915_gem_phys.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gem/i915_gem_phys.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_phys.c
+@@ -17,6 +17,17 @@
+ #include "i915_gem_region.h"
+ #include "i915_scatterlist.h"
+
++/* Abuse scatterlist to store pointer instead of struct page. */
++static inline void __set_phys_vaddr(struct scatterlist *sg, void *vaddr)
++{
++ sg_assign_page(sg, (struct page *)vaddr);
++}
++
++static inline void *__get_phys_vaddr(struct scatterlist *sg)
++{
++ return (void *)sg_page(sg);
++}
++
+ static int i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj)
+ {
+ struct address_space *mapping = obj->base.filp->f_mapping;
+@@ -52,7 +63,7 @@ static int i915_gem_object_get_pages_phy
+ sg->offset = 0;
+ sg->length = obj->base.size;
+
+- sg_assign_page(sg, (struct page *)vaddr);
++ __set_phys_vaddr(sg, vaddr);
+ sg_dma_address(sg) = dma;
+ sg_dma_len(sg) = obj->base.size;
+
+@@ -94,7 +105,7 @@ i915_gem_object_put_pages_phys(struct dr
+ struct sg_table *pages)
+ {
+ dma_addr_t dma = sg_dma_address(pages->sgl);
+- void *vaddr = sg_page(pages->sgl);
++ void *vaddr = __get_phys_vaddr(pages->sgl);
+
+ __i915_gem_object_release_shmem(obj, pages, false);
+
+@@ -138,7 +149,7 @@ static int
+ phys_pwrite(struct drm_i915_gem_object *obj,
+ const struct drm_i915_gem_pwrite *args)
+ {
+- void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
++ void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
+ char __user *user_data = u64_to_user_ptr(args->data_ptr);
+ int err;
+
+@@ -169,7 +180,7 @@ static int
+ phys_pread(struct drm_i915_gem_object *obj,
+ const struct drm_i915_gem_pread *args)
+ {
+- void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
++ void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
+ char __user *user_data = u64_to_user_ptr(args->data_ptr);
+ int err;
+
diff --git a/queue-5.10/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch b/queue-5.10/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
new file mode 100644
index 0000000000..0696cc9c42
--- /dev/null
+++ b/queue-5.10/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
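Review bot: The commit message undersells what the removed `sg_page(obj->mm.pages->sgl) + args->offset` lines in phys_pwrite() and phys_pread() did: that addition was struct page pointer arithmetic, so a non-zero user-supplied offset was scaled by sizeof(struct page) before the implicit conversion to void *, and the subsequent user copy ran up to that many times past the end of the coherent buffer rather than on a "wrong part" of it. If the pread/pwrite ioctls only validate offset+size against obj->base.size (that check is outside this hunk, so I am inferring it), the old code was an out-of-bounds kernel read/write reachable from userspace on the phys-backed platforms, which the stable note should say plainly. The helper comment should also record the constraint the cast relies on: `/* Abuse scatterlist to store pointer instead of struct page. sg_assign_page() rejects pointers with the SG_CHAIN/SG_END bits set, so vaddr must have its low two bits clear; dma_alloc_coherent() returns page-aligned memory. */` (the dma_alloc_coherent() call is outside the hunk, so confirm the alignment claim against it).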
@@ -0,0 +1,43 @@
+From c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a Mon Sep 17 00:00:00 2001
+From: Tristan Madani
+Date: Wed, 27 May 2026 13:57:50 +0000
+Subject: netfilter: nft_tunnel: fix use-after-free on object destroy
+
+From: Tristan Madani
+
+commit c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a upstream.
+
+nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
+kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
+that took a reference via dst_hold() in nft_tunnel_obj_eval() and
+are still queued (e.g. in a netem qdisc) are left with a dangling
+pointer. When these packets are eventually dequeued, dst_release()
+operates on freed memory.
+
+Replace metadata_dst_free() with dst_release() so the metadata_dst
+is freed only after all references are dropped. The dst subsystem
+already handles metadata_dst cleanup in dst_destroy() when
+DST_METADATA is set.
+
+Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani
+Reviewed-by: Fernando Fernandez Mancera
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -669,7 +669,7 @@ static void nft_tunnel_obj_destroy(const
+ {
+ struct nft_tunnel_obj *priv = nft_obj_data(obj);
+
+- metadata_dst_free(priv->md);
++ dst_release(&priv->md->dst);
+ }
+
+ static struct nft_object_type nft_tunnel_obj_type;
diff --git a/queue-5.10/series b/queue-5.10/series
index bc48984b39..184d82afee 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
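Review bot: The new `dst_release(&priv->md->dst)` in nft_tunnel_obj_destroy() changes the ownership model but carries no comment, so the next reader sees a destroy callback that apparently never frees its metadata_dst; I would add `/* Packets in flight hold their own reference (dst_hold() in nft_tunnel_obj_eval()); drop ours and let dst_destroy() free the metadata_dst once the last one is gone. */` above the call. Because the free is now deferred through the dst refcount rather than done synchronously, this backport depends on 5.10's dst_destroy() handling DST_METADATA the way the commit message describes for upstream; I believe it does, but it should be checked rather than assumed when applying to this tree. Any metadata_dst_free() left on the error paths of nft_tunnel_obj_init() (outside this hunk) can stay as is, since no packet can have taken a reference before the object is committed.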
@@ -175,3 +175,6 @@ rds-mark-snapshot-pages-dirty-in-rds_info_getsockopt.patch
 netfilter-x_tables-avoid-leaking-percpu-counter-poin.patch
 netfilter-nft_exthdr-fix-register-tracking-for-f_pre.patch
 net-mvpp2-sync-rx-data-at-the-hardware-packet-offset.patch
+netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
+bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
+drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch