From: Greg Kroah-Hartman Date: Mon, 9 Mar 2026 10:14:29 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v6.19.7~29 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=855d48f9b872c8de803d94c8b0aed13d98f37eda;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: can-ems_usb-ems_usb_read_bulk_callback-check-the-proper-length-of-a-message.patch can-ucan-fix-infinite-loop-from-zero-length-messages.patch hid-add-hid_claimed_input-guards-in-raw_event-callbacks-missing-them.patch media-dvb-core-fix-wrong-reinitialization-of-ringbuffer-on-reopen.patch net-usb-kalmia-validate-usb-endpoints.patch net-usb-kaweth-validate-usb-endpoints.patch net-usb-pegasus-validate-usb-endpoints.patch nfc-pn533-properly-drop-the-usb-interface-reference-on-disconnect.patch x86-efi-defer-freeing-of-boot-services-memory.patch --- diff --git a/queue-5.10/can-ems_usb-ems_usb_read_bulk_callback-check-the-proper-length-of-a-message.patch b/queue-5.10/can-ems_usb-ems_usb_read_bulk_callback-check-the-proper-length-of-a-message.patch new file mode 100644 index 0000000000..2b9b8efdf7 --- /dev/null +++ b/queue-5.10/can-ems_usb-ems_usb_read_bulk_callback-check-the-proper-length-of-a-message.patch 
@@ -0,0 +1,55 @@ +From 38a01c9700b0dcafe97dfa9dc7531bf4a245deff Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 17:51:17 +0100 +Subject: can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message + +From: Greg Kroah-Hartman + +commit 38a01c9700b0dcafe97dfa9dc7531bf4a245deff upstream. + +When looking at the data in a USB urb, the actual_length is the size of +the buffer passed to the driver, not the transfer_buffer_length which is +set by the driver as the max size of the buffer. + +When parsing the messages in ems_usb_read_bulk_callback() properly check +the size both at the beginning of parsing the message to make sure it is +big enough for the expected structure, and at the end of the message to +make sure we don't overflow past the end of the buffer for the next +message. + +Cc: Vincent Mailhol +Cc: Marc Kleine-Budde +Cc: stable@kernel.org +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026022316-answering-strainer-a5db@gregkh +Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/ems_usb.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/ems_usb.c ++++ b/drivers/net/can/usb/ems_usb.c +@@ -438,6 +438,11 @@ static void ems_usb_read_bulk_callback(s + start = CPC_HEADER_SIZE; + + while (msg_count) { ++ if (start + CPC_MSG_HEADER_LEN > urb->actual_length) { ++ netdev_err(netdev, "format error\n"); ++ break; ++ } ++ + msg = (struct ems_cpc_msg *)&ibuf[start]; + + switch (msg->type) { +@@ -467,7 +472,7 @@ static void ems_usb_read_bulk_callback(s + start += CPC_MSG_HEADER_LEN + msg->length; + msg_count--; + +- if (start > urb->transfer_buffer_length) { ++ if (start > urb->actual_length) { + netdev_err(netdev, "format error\n"); + break; + } 
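Review bot: In ems_usb_read_bulk_callback() the new guard at the top of the `while (msg_count)` loop only proves that the message header fits inside `urb->actual_length`. The device-supplied `msg->length` is not compared with the remaining bytes until after `switch (msg->type)` has already handled the current message. Consider validating the whole message right after `msg` is assigned, e.g. `if (start + CPC_MSG_HEADER_LEN + msg->length > urb->actual_length) { netdev_err(netdev, "format error\n"); break; }`. The switch body is outside the hunk, so whether its handlers read beyond the header has to be confirmed there.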
diff --git a/queue-5.10/can-ucan-fix-infinite-loop-from-zero-length-messages.patch b/queue-5.10/can-ucan-fix-infinite-loop-from-zero-length-messages.patch new file mode 100644 index 0000000000..4ad3207abf --- /dev/null +++ b/queue-5.10/can-ucan-fix-infinite-loop-from-zero-length-messages.patch @@ -0,0 +1,43 @@ +From 1e446fd0582ad8be9f6dafb115fc2e7245f9bea7 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 17:30:20 +0100 +Subject: can: ucan: Fix infinite loop from zero-length messages + +From: Greg Kroah-Hartman + +commit 1e446fd0582ad8be9f6dafb115fc2e7245f9bea7 upstream. + +If a broken ucan device gets a message with the message length field set +to 0, then the driver will loop for forever in +ucan_read_bulk_callback(), hanging the system. If the length is 0, just +skip the message and go on to the next one. + +This has been fixed in the kvaser_usb driver in the past in commit +0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in +command parsers"), so there must be some broken devices out there like +this somewhere. + +Cc: Marc Kleine-Budde +Cc: Vincent Mailhol +Cc: stable@kernel.org +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026022319-huff-absurd-6a18@gregkh +Fixes: 9f2d3eae88d2 ("can: ucan: add driver for Theobroma Systems UCAN devices") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/ucan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/usb/ucan.c ++++ b/drivers/net/can/usb/ucan.c +@@ -745,7 +745,7 @@ static void ucan_read_bulk_callback(stru + len = le16_to_cpu(m->len); + + /* check sanity (length of content) */ +- if (urb->actual_length - pos < len) { ++ if ((len == 0) || (urb->actual_length - pos < len)) { + netdev_warn(up->netdev, + "invalid message (short; no data; l:%d)\n", + urb->actual_length); 
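Review bot: The zero-length case in ucan_read_bulk_callback() now shares the existing "invalid message (short; no data; l:%d)" warning, which prints only `urb->actual_length`, so the log cannot tell a zero `len` from a truncated transfer. Adding `len` and `pos` to that message would make a misbehaving device much easier to identify from logs. A comment on the new test, e.g. `/* len == 0 would never advance pos, so treat it as malformed */`, would record why it is there. The commit text says the message is skipped, but the code after the warning is outside the hunk; if that branch abandons the rest of the URB, the comment should say so.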
diff --git a/queue-5.10/hid-add-hid_claimed_input-guards-in-raw_event-callbacks-missing-them.patch b/queue-5.10/hid-add-hid_claimed_input-guards-in-raw_event-callbacks-missing-them.patch new file mode 100644 index 0000000000..b49ea18391 --- /dev/null +++ b/queue-5.10/hid-add-hid_claimed_input-guards-in-raw_event-callbacks-missing-them.patch 
@@ -0,0 +1,65 @@ +From ecfa6f34492c493a9a1dc2900f3edeb01c79946b Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 19 Feb 2026 15:33:54 +0100 +Subject: HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them + +From: Greg Kroah-Hartman + +commit ecfa6f34492c493a9a1dc2900f3edeb01c79946b upstream. + +In commit 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at +raw event handle"), we handle the fact that raw event callbacks +can happen even for a HID device that has not been "claimed" causing a +crash if a broken device were attempted to be connected to the system. + +Fix up the remaining in-tree HID drivers that forgot to add this same +check to resolve the same issue. + +Cc: Jiri Kosina +Cc: Benjamin Tissoires +Cc: Bastien Nocera +Cc: linux-input@vger.kernel.org +Cc: stable +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-cmedia.c | 2 +- + drivers/hid/hid-creative-sb0540.c | 2 +- + drivers/hid/hid-zydacron.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/hid/hid-cmedia.c ++++ b/drivers/hid/hid-cmedia.c +@@ -57,7 +57,7 @@ static int cmhid_raw_event(struct hid_de + { + struct cmhid *cm = hid_get_drvdata(hid); + +- if (len != CM6533_JD_RAWEV_LEN) ++ if (len != CM6533_JD_RAWEV_LEN || !(hid->claimed & HID_CLAIMED_INPUT)) + goto out; + if (memcmp(data+CM6533_JD_SFX_OFFSET, ji_sfx, sizeof(ji_sfx))) + goto out; +--- a/drivers/hid/hid-creative-sb0540.c ++++ b/drivers/hid/hid-creative-sb0540.c +@@ -153,7 +153,7 @@ static int creative_sb0540_raw_event(str + u64 code, main_code; + int key; + +- if (len != 6) ++ if (len != 6 || !(hid->claimed & HID_CLAIMED_INPUT)) + return 0; + + /* From daemons/hw_hiddev.c sb0540_rec() in lirc */ +--- a/drivers/hid/hid-zydacron.c ++++ b/drivers/hid/hid-zydacron.c +@@ -114,7 +114,7 @@ static int zc_raw_event(struct hid_devic + unsigned key; + unsigned short index; + +- if 
(report->id == data[0]) { ++ if (report->id == data[0] && (hdev->claimed & HID_CLAIMED_INPUT)) { + + /* break keys */ + for (index = 0; index < 4; index++) { diff --git a/queue-5.10/media-dvb-core-fix-wrong-reinitialization-of-ringbuffer-on-reopen.patch b/queue-5.10/media-dvb-core-fix-wrong-reinitialization-of-ringbuffer-on-reopen.patch new file mode 100644 index 0000000000..8048afadc0 --- /dev/null +++ b/queue-5.10/media-dvb-core-fix-wrong-reinitialization-of-ringbuffer-on-reopen.patch 
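Review bot: The three new `HID_CLAIMED_INPUT` tests in cmhid_raw_event(), creative_sb0540_raw_event() and zc_raw_event() are folded into existing length or report-id conditions with no comment, so the reason for the guard is invisible where it matters. A one-line comment above each test, such as `/* raw events can arrive for a device hid-input never claimed; bail out before the input device is used */`, would keep it from being dropped in a later cleanup. In zc_raw_event() `data[0]` is still read with no size check visible in the hunk. The function starts outside the hunk, so confirm the caller guarantees at least one byte.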
@@ -0,0 +1,52 @@ +From bfbc0b5b32a8f28ce284add619bf226716a59bc0 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Tue, 24 Feb 2026 11:51:16 -0700 +Subject: media: dvb-core: fix wrong reinitialization of ringbuffer on reopen + +From: Jens Axboe + +commit bfbc0b5b32a8f28ce284add619bf226716a59bc0 upstream. + +dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the +DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which +reinitializes the waitqueue list head to empty. + +Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the +same DVR device share it), this orphans any existing waitqueue entries +from io_uring poll or epoll, leaving them with stale prev/next pointers +while the list head is reset to {self, self}. + +The waitqueue and spinlock in dvr_buffer are already properly +initialized once in dvb_dmxdev_init(). The open path only needs to +reset the buffer data pointer, size, and read/write positions. + +Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct +assignment of data/size and a call to dvb_ringbuffer_reset(), which +properly resets pread, pwrite, and error with correct memory ordering +without touching the waitqueue or spinlock. 
+ +Cc: stable@vger.kernel.org +Fixes: 34731df288a5f ("V4L/DVB (3501): Dmxdev: use dvb_ringbuffer") +Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com +Tested-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/698a26d3.050a0220.3b3015.007d.GAE@google.com/ +Signed-off-by: Jens Axboe +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-core/dmxdev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/media/dvb-core/dmxdev.c ++++ b/drivers/media/dvb-core/dmxdev.c +@@ -178,7 +178,9 @@ static int dvb_dvr_open(struct inode *in + mutex_unlock(&dmxdev->mutex); + return -ENOMEM; + } +- dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE); ++ dmxdev->dvr_buffer.data = mem; ++ dmxdev->dvr_buffer.size = DVR_BUFFER_SIZE; ++ dvb_ringbuffer_reset(&dmxdev->dvr_buffer); + if (dmxdev->may_do_mmap) + dvb_vb2_init(&dmxdev->dvr_vb2_ctx, "dvr", + file->f_flags & O_NONBLOCK); diff --git a/queue-5.10/net-arcnet-com20020-pci-fix-support-for-2.5mbit-card.patch b/queue-5.10/net-arcnet-com20020-pci-fix-support-for-2.5mbit-card.patch index 1cb8a785d1..1191fe27ca 100644 --- a/queue-5.10/net-arcnet-com20020-pci-fix-support-for-2.5mbit-card.patch +++ b/queue-5.10/net-arcnet-com20020-pci-fix-support-for-2.5mbit-card.patch @@ -32,14 +32,12 @@ Link: https://patch.msgid.link/20260213045510.32368-1-enelsonmoore@gmail.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin --- - drivers/net/arcnet/com20020-pci.c | 16 +++++++++++++++- + drivers/net/arcnet/com20020-pci.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) -diff --git a/drivers/net/arcnet/com20020-pci.c b/drivers/net/arcnet/com20020-pci.c -index 00a80f0adece4..7cea482f2d5f9 100644 --- a/drivers/net/arcnet/com20020-pci.c 
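Review bot: In dvb_dvr_open() (drivers/media/dvb-core/dmxdev.c) the open-coded `data`/`size` assignments followed by `dvb_ringbuffer_reset()` read like a missed use of `dvb_ringbuffer_init()` unless the reader knows the commit message. Add a comment at that spot, e.g. `/* do not call dvb_ringbuffer_init() here: it re-initialises the shared waitqueue and orphans existing pollers */`. The `mutex_unlock(&dmxdev->mutex)` on the error path suggests the assignments run under that mutex, but the function starts and ends outside the hunk, so that is inferred rather than shown.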
+++ b/drivers/net/arcnet/com20020-pci.c -@@ -114,6 +114,8 @@ static const struct attribute_group com20020_state_group = { +@@ -114,6 +114,8 @@ static const struct attribute_group com2 .attrs = com20020_state_attrs, }; @@ -48,7 +46,7 @@ index 00a80f0adece4..7cea482f2d5f9 100644 static void com20020pci_remove(struct pci_dev *pdev); static int com20020pci_probe(struct pci_dev *pdev, -@@ -139,7 +141,7 @@ static int com20020pci_probe(struct pci_dev *pdev, +@@ -139,7 +141,7 @@ static int com20020pci_probe(struct pci_ ci = (struct com20020_pci_card_info *)id->driver_data; if (!ci) @@ -57,7 +55,7 @@ index 00a80f0adece4..7cea482f2d5f9 100644 priv->ci = ci; mm = &ci->misc_map; -@@ -346,6 +348,18 @@ static struct com20020_pci_card_info card_info_5mbit = { +@@ -346,6 +348,18 @@ static struct com20020_pci_card_info car .flags = ARC_IS_5MBIT, }; @@ -76,6 +74,3 @@ index 00a80f0adece4..7cea482f2d5f9 100644 static struct com20020_pci_card_info card_info_sohard = { .name = "SOHARD SH ARC-PCI", .devcount = 1, --- -2.51.0 - diff --git a/queue-5.10/net-usb-kalmia-validate-usb-endpoints.patch b/queue-5.10/net-usb-kalmia-validate-usb-endpoints.patch new file mode 100644 index 0000000000..a03a2e406f --- /dev/null +++ b/queue-5.10/net-usb-kalmia-validate-usb-endpoints.patch 
@@ -0,0 +1,46 @@ +From c58b6c29a4c9b8125e8ad3bca0637e00b71e2693 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 13:59:26 +0100 +Subject: net: usb: kalmia: validate USB endpoints + +From: Greg Kroah-Hartman + +commit c58b6c29a4c9b8125e8ad3bca0637e00b71e2693 upstream. + +The kalmia driver should validate that the device it is probing has the +proper number and types of USB endpoints it is expecting before it binds +to it. If a malicious device were to not have the same urbs the driver +will crash later on when it blindly accesses these endpoints. + +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: Simon Horman +Fixes: d40261236e8e ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730") +Link: https://patch.msgid.link/2026022326-shack-headstone-ef6f@gregkh +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/kalmia.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/net/usb/kalmia.c ++++ b/drivers/net/usb/kalmia.c +@@ -132,11 +132,18 @@ kalmia_bind(struct usbnet *dev, struct u + { + int status; + u8 ethernet_addr[ETH_ALEN]; ++ static const u8 ep_addr[] = { ++ 1 | USB_DIR_IN, ++ 2 | USB_DIR_OUT, ++ 0}; + + /* Don't bind to AT command interface */ + if (intf->cur_altsetting->desc.bInterfaceClass != USB_CLASS_VENDOR_SPEC) + return -EINVAL; + ++ if (!usb_check_bulk_endpoints(intf, ep_addr)) ++ return -ENODEV; ++ + dev->in = usb_rcvbulkpipe(dev->udev, 0x81 & USB_ENDPOINT_NUMBER_MASK); + dev->out = usb_sndbulkpipe(dev->udev, 0x02 & USB_ENDPOINT_NUMBER_MASK); + dev->status = NULL; diff --git a/queue-5.10/net-usb-kaweth-validate-usb-endpoints.patch b/queue-5.10/net-usb-kaweth-validate-usb-endpoints.patch new file mode 100644 index 0000000000..559ca250ef --- /dev/null +++ b/queue-5.10/net-usb-kaweth-validate-usb-endpoints.patch 
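Review bot: The endpoint addresses in kalmia_bind() are now written twice: in `ep_addr[]` as `1 | USB_DIR_IN` and `2 | USB_DIR_OUT`, and again as the literals `0x81` and `0x02` in the `usb_rcvbulkpipe()`/`usb_sndbulkpipe()` calls. The validated set and the used set can therefore drift apart. Named constants shared by both, e.g. `#define KALMIA_EP_IN (1 | USB_DIR_IN)`, would tie the check to the use. The same bare-number tables appear in the kaweth_probe() and pegasus alloc_urbs() hunks, and only kaweth emits a `dev_err()` when it rejects a device. A consistent message in all three would help when triaging a device that fails to bind.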
@@ -0,0 +1,54 @@ +From 4b063c002ca759d1b299988ee23f564c9609c875 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 14:00:06 +0100 +Subject: net: usb: kaweth: validate USB endpoints + +From: Greg Kroah-Hartman + +commit 4b063c002ca759d1b299988ee23f564c9609c875 upstream. + +The kaweth driver should validate that the device it is probing has the +proper number and types of USB endpoints it is expecting before it binds +to it. If a malicious device were to not have the same urbs the driver +will crash later on when it blindly accesses these endpoints. + +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: Simon Horman +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://patch.msgid.link/2026022305-substance-virtual-c728@gregkh +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/kaweth.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/net/usb/kaweth.c ++++ b/drivers/net/usb/kaweth.c +@@ -883,6 +883,13 @@ static int kaweth_probe( + const eth_addr_t bcast_addr = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }; + int result = 0; + int rv = -EIO; ++ static const u8 bulk_ep_addr[] = { ++ 1 | USB_DIR_IN, ++ 2 | USB_DIR_OUT, ++ 0}; ++ static const u8 int_ep_addr[] = { ++ 3 | USB_DIR_IN, ++ 0}; + + dev_dbg(dev, + "Kawasaki Device Probe (Device number:%d): 0x%4.4x:0x%4.4x:0x%4.4x\n", +@@ -896,6 +903,12 @@ static int kaweth_probe( + (int)udev->descriptor.bLength, + (int)udev->descriptor.bDescriptorType); + ++ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) || ++ !usb_check_int_endpoints(intf, int_ep_addr)) { ++ dev_err(dev, "couldn't find required endpoints\n"); ++ return -ENODEV; ++ } ++ + netdev = alloc_etherdev(sizeof(*kaweth)); + if (!netdev) + return -ENOMEM; diff --git a/queue-5.10/net-usb-pegasus-validate-usb-endpoints.patch b/queue-5.10/net-usb-pegasus-validate-usb-endpoints.patch new file mode 100644 index 0000000000..6e8b760445 --- /dev/null 
+++ b/queue-5.10/net-usb-pegasus-validate-usb-endpoints.patch @@ -0,0 +1,62 @@ +From 11de1d3ae5565ed22ef1f89d73d8f2d00322c699 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 13:58:48 +0100 +Subject: net: usb: pegasus: validate USB endpoints + +From: Greg Kroah-Hartman + +commit 11de1d3ae5565ed22ef1f89d73d8f2d00322c699 upstream. + +The pegasus driver should validate that the device it is probing has the +proper number and types of USB endpoints it is expecting before it binds +to it. If a malicious device were to not have the same urbs the driver +will crash later on when it blindly accesses these endpoints. + +Cc: Petko Manolov +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026022347-legibly-attest-cc5c@gregkh +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/pegasus.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/pegasus.c ++++ b/drivers/net/usb/pegasus.c +@@ -841,8 +841,19 @@ static void unlink_all_urbs(pegasus_t *p + + static int alloc_urbs(pegasus_t *pegasus) + { ++ static const u8 bulk_ep_addr[] = { ++ 1 | USB_DIR_IN, ++ 2 | USB_DIR_OUT, ++ 0}; ++ static const u8 int_ep_addr[] = { ++ 3 | USB_DIR_IN, ++ 0}; + int res = -ENOMEM; + ++ if (!usb_check_bulk_endpoints(pegasus->intf, bulk_ep_addr) || ++ !usb_check_int_endpoints(pegasus->intf, int_ep_addr)) ++ return -ENODEV; ++ + pegasus->rx_urb = usb_alloc_urb(0, GFP_KERNEL); + if (!pegasus->rx_urb) { + return res; +@@ -1197,6 +1208,7 @@ static int pegasus_probe(struct usb_inte + + pegasus = netdev_priv(net); + pegasus->dev_index = dev_index; ++ pegasus->intf = intf; + + res = alloc_urbs(pegasus); + if (res < 0) { +@@ -1208,7 +1220,6 @@ static int pegasus_probe(struct usb_inte + + INIT_DELAYED_WORK(&pegasus->carrier_check, check_carrier); + +- pegasus->intf = intf; + pegasus->usb = dev; + pegasus->net = net; + 
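Review bot: Moving `pegasus->intf = intf;` above `alloc_urbs(pegasus)` in pegasus_probe() is now load-bearing, because alloc_urbs() dereferences `pegasus->intf` for the endpoint check, yet nothing at the assignment says so. Add a comment such as `/* must be set before alloc_urbs(), which validates endpoints via pegasus->intf */`. Endpoint validation also sits oddly inside a function named alloc_urbs(). The `res < 0` handling in pegasus_probe() is outside the hunk, so check that its error message still makes sense when the cause is `-ENODEV` rather than an allocation failure.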
diff --git a/queue-5.10/nfc-pn533-properly-drop-the-usb-interface-reference-on-disconnect.patch b/queue-5.10/nfc-pn533-properly-drop-the-usb-interface-reference-on-disconnect.patch new file mode 100644 index 0000000000..3259d35546 --- /dev/null +++ b/queue-5.10/nfc-pn533-properly-drop-the-usb-interface-reference-on-disconnect.patch @@ -0,0 +1,35 @@ +From 12133a483dfa832241fbbf09321109a0ea8a520e Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 12:28:30 +0100 +Subject: nfc: pn533: properly drop the usb interface reference on disconnect + +From: Greg Kroah-Hartman + +commit 12133a483dfa832241fbbf09321109a0ea8a520e upstream. + +When the device is disconnected from the driver, there is a "dangling" +reference count on the usb interface that was grabbed in the probe +callback. Fix this up by properly dropping the reference after we are +done with it. + +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: Simon Horman +Fixes: c46ee38620a2 ("NFC: pn533: add NXP pn533 nfc device driver") +Link: https://patch.msgid.link/2026022329-flashing-ought-7573@gregkh +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/pn533/usb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/nfc/pn533/usb.c ++++ b/drivers/nfc/pn533/usb.c +@@ -633,6 +633,7 @@ static void pn533_usb_disconnect(struct + usb_free_urb(phy->out_urb); + usb_free_urb(phy->ack_urb); + kfree(phy->ack_buffer); ++ usb_put_dev(phy->udev); + + nfc_info(&interface->dev, "NXP PN533 NFC device disconnected\n"); + } diff --git a/queue-5.10/series b/queue-5.10/series index 57cbc20ca4..615353c3fa 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
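Review bot: The added `usb_put_dev(phy->udev);` in pn533_usb_disconnect() drops a device reference, while the commit message speaks of a reference on the usb interface. A comment naming its counterpart, e.g. `/* pairs with the reference taken on phy->udev in the probe callback */`, would make the pairing checkable. The probe callback is outside the hunk, so it is worth confirming that its error paths release the same reference; otherwise a failed probe would still leak it.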
@@ -29,3 +29,12 @@ alsa-hda-conexant-add-quirk-for-hp-zbook-studio-g4.patch hwmon-max16065-use-read-write_once-to-avoid-compiler.patch alsa-hda-conexant-fix-headphone-jack-handling-on-ace.patch net-arcnet-com20020-pci-fix-support-for-2.5mbit-card.patch +media-dvb-core-fix-wrong-reinitialization-of-ringbuffer-on-reopen.patch +nfc-pn533-properly-drop-the-usb-interface-reference-on-disconnect.patch +net-usb-kaweth-validate-usb-endpoints.patch +net-usb-kalmia-validate-usb-endpoints.patch +net-usb-pegasus-validate-usb-endpoints.patch +can-ems_usb-ems_usb_read_bulk_callback-check-the-proper-length-of-a-message.patch +can-ucan-fix-infinite-loop-from-zero-length-messages.patch +hid-add-hid_claimed_input-guards-in-raw_event-callbacks-missing-them.patch +x86-efi-defer-freeing-of-boot-services-memory.patch diff --git a/queue-5.10/x86-efi-defer-freeing-of-boot-services-memory.patch b/queue-5.10/x86-efi-defer-freeing-of-boot-services-memory.patch new file mode 100644 index 0000000000..14af6537a7 --- /dev/null +++ b/queue-5.10/x86-efi-defer-freeing-of-boot-services-memory.patch 
@@ -0,0 +1,186 @@ +From a4b0bf6a40f3c107c67a24fbc614510ef5719980 Mon Sep 17 00:00:00 2001 +From: "Mike Rapoport (Microsoft)" +Date: Wed, 25 Feb 2026 08:55:55 +0200 +Subject: x86/efi: defer freeing of boot services memory + +From: Mike Rapoport (Microsoft) + +commit a4b0bf6a40f3c107c67a24fbc614510ef5719980 upstream. + +efi_free_boot_services() frees memory occupied by EFI_BOOT_SERVICES_CODE +and EFI_BOOT_SERVICES_DATA using memblock_free_late(). + +There are two issue with that: memblock_free_late() should be used for +memory allocated with memblock_alloc() while the memory reserved with +memblock_reserve() should be freed with free_reserved_area(). + +More acutely, with CONFIG_DEFERRED_STRUCT_PAGE_INIT=y +efi_free_boot_services() is called before deferred initialization of the +memory map is complete. + +Benjamin Herrenschmidt reports that this causes a leak of ~140MB of +RAM on EC2 t3a.nano instances which only have 512MB or RAM. + +If the freed memory resides in the areas that memory map for them is +still uninitialized, they won't be actually freed because +memblock_free_late() calls memblock_free_pages() and the latter skips +uninitialized pages. + +Using free_reserved_area() at this point is also problematic because +__free_page() accesses the buddy of the freed page and that again might +end up in uninitialized part of the memory map. + +Delaying the entire efi_free_boot_services() could be problematic +because in addition to freeing boot services memory it updates +efi.memmap without any synchronization and that's undesirable late in +boot when there is concurrency. + +More robust approach is to only defer freeing of the EFI boot services +memory. + +Split efi_free_boot_services() in two. First efi_unmap_boot_services() +collects ranges that should be freed into an array then +efi_free_boot_services() later frees them after deferred init is complete. 
+ +Link: https://lore.kernel.org/all/ec2aaef14783869b3be6e3c253b2dcbf67dbc12a.camel@kernel.crashing.org +Fixes: 916f676f8dc0 ("x86, efi: Retain boot service code until after switching to virtual mode") +Cc: +Signed-off-by: Mike Rapoport (Microsoft) +Reviewed-by: Benjamin Herrenschmidt +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/efi.h | 2 - + arch/x86/platform/efi/efi.c | 2 - + arch/x86/platform/efi/quirks.c | 55 ++++++++++++++++++++++++++++++++++-- + drivers/firmware/efi/mokvar-table.c | 2 - + 4 files changed, 55 insertions(+), 6 deletions(-) + +--- a/arch/x86/include/asm/efi.h ++++ b/arch/x86/include/asm/efi.h +@@ -151,7 +151,7 @@ extern int __init efi_reuse_config(u64 t + extern void efi_delete_dummy_variable(void); + extern void efi_switch_mm(struct mm_struct *mm); + extern void efi_recover_from_page_fault(unsigned long phys_addr); +-extern void efi_free_boot_services(void); ++extern void efi_unmap_boot_services(void); + + /* kexec external ABI */ + struct efi_setup_data { +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -831,7 +831,7 @@ static void __init __efi_enter_virtual_m + } + + efi_check_for_embedded_firmwares(); +- efi_free_boot_services(); ++ efi_unmap_boot_services(); + + if (!efi_is_mixed()) + efi_native_runtime_setup(); +--- a/arch/x86/platform/efi/quirks.c ++++ b/arch/x86/platform/efi/quirks.c +@@ -333,7 +333,7 @@ void __init efi_reserve_boot_services(vo + + /* + * Because the following memblock_reserve() is paired +- * with memblock_free_late() for this region in ++ * with free_reserved_area() for this region in + * efi_free_boot_services(), we must be extremely + * careful not to reserve, and subsequently free, + * critical regions of memory (like the kernel image) or +@@ -396,17 +396,33 @@ static void __init efi_unmap_pages(efi_m + pr_err("Failed to unmap VA mapping for 0x%llx\n", va); + } + +-void __init efi_free_boot_services(void) ++struct efi_freeable_range { ++ u64 
start; ++ u64 end; ++}; ++ ++static struct efi_freeable_range *ranges_to_free; ++ ++void __init efi_unmap_boot_services(void) + { + struct efi_memory_map_data data = { 0 }; + efi_memory_desc_t *md; + int num_entries = 0; ++ int idx = 0; ++ size_t sz; + void *new, *new_md; + + /* Keep all regions for /sys/kernel/debug/efi */ + if (efi_enabled(EFI_DBG)) + return; + ++ sz = sizeof(*ranges_to_free) * efi.memmap.nr_map + 1; ++ ranges_to_free = kzalloc(sz, GFP_KERNEL); ++ if (!ranges_to_free) { ++ pr_err("Failed to allocate storage for freeable EFI regions\n"); ++ return; ++ } ++ + for_each_efi_memory_desc(md) { + unsigned long long start = md->phys_addr; + unsigned long long size = md->num_pages << EFI_PAGE_SHIFT; +@@ -451,7 +467,15 @@ void __init efi_free_boot_services(void) + size -= rm_size; + } + +- memblock_free_late(start, size); ++ /* ++ * With CONFIG_DEFERRED_STRUCT_PAGE_INIT parts of the memory ++ * map are still not initialized and we can't reliably free ++ * memory here. ++ * Queue the ranges to free at a later point. ++ */ ++ ranges_to_free[idx].start = start; ++ ranges_to_free[idx].end = start + size; ++ idx++; + } + + if (!num_entries) +@@ -492,6 +516,31 @@ void __init efi_free_boot_services(void) + } + } + ++static int __init efi_free_boot_services(void) ++{ ++ struct efi_freeable_range *range = ranges_to_free; ++ unsigned long freed = 0; ++ ++ if (!ranges_to_free) ++ return 0; ++ ++ while (range->start) { ++ void *start = phys_to_virt(range->start); ++ void *end = phys_to_virt(range->end); ++ ++ free_reserved_area(start, end, -1, NULL); ++ freed += (end - start); ++ range++; ++ } ++ kfree(ranges_to_free); ++ ++ if (freed) ++ pr_info("Freeing EFI boot services memory: %ldK\n", freed / SZ_1K); ++ ++ return 0; ++} ++arch_initcall(efi_free_boot_services); ++ + /* + * A number of config table entries get remapped to virtual addresses + * after entering EFI virtual mode. 
However, the kexec kernel requires +--- a/drivers/firmware/efi/mokvar-table.c ++++ b/drivers/firmware/efi/mokvar-table.c +@@ -85,7 +85,7 @@ static struct kobject *mokvar_kobj; + * as an alternative to ordinary EFI variables, due to platform-dependent + * limitations. The memory occupied by this table is marked as reserved. + * +- * This routine must be called before efi_free_boot_services() in order ++ * This routine must be called before efi_unmap_boot_services() in order + * to guarantee that it can mark the table as reserved. + * + * Implicit inputs:
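Review bot: In efi_unmap_boot_services() the line `sz = sizeof(*ranges_to_free) * efi.memmap.nr_map + 1;` adds one byte rather than one array element because of operator precedence, yet efi_free_boot_services() walks the array until it finds an entry whose `start` is 0. If every descriptor were queued, reading the terminator would run past the allocation. Use `ranges_to_free = kcalloc(efi.memmap.nr_map + 1, sizeof(*ranges_to_free), GFP_KERNEL);`, which also checks the multiplication for overflow. Using `range->start` as the sentinel also assumes no queued range begins at physical address 0, so keeping the count from `idx` would be sturdier. `freed` is `unsigned long`, so `%luK` is the matching format.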