From: Greg Kroah-Hartman Date: Mon, 15 Jun 2026 15:59:12 +0000 (+0200) Subject: 5.10-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a844f4e214ed03dbe2db915570dae1ac460dab41;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: mmc-core-fix-host-controller-programming-for-fixed-driver-type.patch mmc-sdhci-add-signal-voltage-switch-in-sdhci_resume_host.patch sctp-diag-reject-stale-associations-in-dump_one-path.patch sctp-stream-fully-roll-back-denied-add-stream-state.patch thunderbolt-bound-root-directory-content-to-block-size.patch thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch thunderbolt-reject-zero-length-property-entries-in-validator.patch --- diff --git a/queue-5.10/mmc-core-fix-host-controller-programming-for-fixed-driver-type.patch b/queue-5.10/mmc-core-fix-host-controller-programming-for-fixed-driver-type.patch new file mode 100644 index 0000000000..80d22e9119 --- /dev/null +++ b/queue-5.10/mmc-core-fix-host-controller-programming-for-fixed-driver-type.patch 
@@ -0,0 +1,46 @@ +From 5a52c5701a67d5176eb1afbf1bdaf7d6dfeec597 Mon Sep 17 00:00:00 2001 +From: Kamal Dasu +Date: Thu, 23 Apr 2026 15:18:55 -0400 +Subject: mmc: core: Fix host controller programming for fixed driver type + +From: Kamal Dasu + +commit 5a52c5701a67d5176eb1afbf1bdaf7d6dfeec597 upstream. + +When using the fixed-emmc-driver-type device tree property, the MMC core +correctly selects the driver strength for the card but fails to program +the host controller accordingly. This causes a mismatch where the card +uses the specified driver type while the host controller defaults to +Type B (since ios->drv_type remains zero). + +Split the driver type programming logic to handle both fixed and dynamic +driver type selection paths. For fixed driver types, program the host +controller with the selected drive_strength value. For dynamic selection, +use the existing drv_type as before. + +This ensures both the eMMC device and host controller use matching driver +strengths, preventing potential signal integrity issues. + +Fixes: 6186d06c519e ("mmc: parse new binding for eMMC fixed driver type") +Signed-off-by: Kamal Dasu +Reviewed-by: Shawn Lin +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/mmc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -1336,7 +1336,9 @@ static void mmc_select_driver_type(struc + + card->drive_strength = drive_strength; + +- if (drv_type) ++ if (fixed_drv_type >= 0 && drive_strength) ++ mmc_set_driver_type(card->host, drive_strength); ++ else if (drv_type) + mmc_set_driver_type(card->host, drv_type); + } + diff --git a/queue-5.10/mmc-sdhci-add-signal-voltage-switch-in-sdhci_resume_host.patch b/queue-5.10/mmc-sdhci-add-signal-voltage-switch-in-sdhci_resume_host.patch new file mode 100644 index 0000000000..3655d1e67d --- /dev/null 
+++ b/queue-5.10/mmc-sdhci-add-signal-voltage-switch-in-sdhci_resume_host.patch @@ -0,0 +1,47 @@ +From f595e8e77a51eee35e331f69321766593a845ef2 Mon Sep 17 00:00:00 2001 +From: Jisheng Zhang +Date: Sun, 24 May 2026 10:34:55 +0800 +Subject: mmc: sdhci: add signal voltage switch in sdhci_resume_host + +From: Jisheng Zhang + +commit f595e8e77a51eee35e331f69321766593a845ef2 upstream. + +I met one suspend/resume issue with sdr104 capable sdio wifi card (with +"keep-power-in-suspend" set in DT property): +After resuming from suspend to ram, the sdio wifi card stops working. +Further debug shows that although ios shows the sdio card is at sdr104 +mode, the voltage is still at 3V3. This is due to missing the calling +of ->start_signal_voltage_switch() in sdhci_resume_host(). + +Fix this issue by adding ->start_signal_voltage_switch() in +sdhci_resume_host(). This also matches what we do for +sdhci_runtime_resume_host(). + +Then the question is: why this issue hasn't reported and fixed for so +long time. IMHO, several reasons: Some host controllers just kick off +the runtime resume for system resume, so they benefit from the well +supported runtime pm code; Some platforms just use the old sdio wifi +card which doesn't need signal voltage switch at all, the default +voltage is 3v3 after resuming. + +Fixes: 6308d2905bd3 ("mmc: sdhci: add quirk for keeping card power during suspend") +Signed-off-by: Jisheng Zhang +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -3756,6 +3756,7 @@ int sdhci_resume_host(struct sdhci_host + host->pwr = 0; + host->clock = 0; + host->reinit_uhs = true; ++ mmc->ops->start_signal_voltage_switch(mmc, &mmc->ios); + mmc->ops->set_ios(mmc, &mmc->ios); + } else { + sdhci_init(host, (host->mmc->pm_flags & MMC_PM_KEEP_POWER)); 
diff --git a/queue-5.10/sctp-diag-reject-stale-associations-in-dump_one-path.patch b/queue-5.10/sctp-diag-reject-stale-associations-in-dump_one-path.patch new file mode 100644 index 0000000000..8b05822df7 --- /dev/null +++ b/queue-5.10/sctp-diag-reject-stale-associations-in-dump_one-path.patch 
@@ -0,0 +1,78 @@ +From 5eba3e48d78edd7551b992cb7ba687019b3a78da Mon Sep 17 00:00:00 2001 +From: Zhao Zhang +Date: Sat, 30 May 2026 23:57:14 +0800 +Subject: sctp: diag: reject stale associations in dump_one path + +From: Zhao Zhang + +commit 5eba3e48d78edd7551b992cb7ba687019b3a78da upstream. + +The SCTP exact sock_diag lookup can hold a transport reference, block on +lock_sock(sk), and then resume after sctp_association_free() has marked +the association dead and freed its bind address list. + +When that happens, inet_assoc_attr_size() and +inet_diag_msg_sctpasoc_fill() can still dereference association state +that is no longer valid for reporting. In particular, +inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a +real sctp_sockaddr_entry and trigger an out-of-bounds read from +unrelated association memory. + +Reject the association after taking the socket lock if it has been +reaped or detached from the endpoint, and report the lookup as stale. +This keeps the exact dump-one path from formatting torn association +state. 
+ +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Zhengchuan Liang +Reported-by: Xin Liu +Signed-off-by: Zhao Zhang +Signed-off-by: Ren Wei +Acked-by: Xin Long +Link: https://patch.msgid.link/fac6043fa20a2ff68e12958c431836f692c51268.1780113823.git.zzhan461@ucr.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/diag.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -266,15 +266,15 @@ static int sctp_sock_dump_one(struct sct + + lock_sock(sk); + +- rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL); +- if (!rep) { +- release_sock(sk); +- return -ENOMEM; ++ if (ep != assoc->ep || assoc->base.dead) { ++ err = -ESTALE; ++ goto out_unlock; + } + +- if (ep != assoc->ep) { +- err = -EAGAIN; +- goto out; ++ rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL); ++ if (!rep) { ++ err = -ENOMEM; ++ goto out_unlock; + } + + err = inet_sctp_diag_fill(sk, assoc, rep, req, sk_user_ns(NETLINK_CB(skb).sk), +@@ -289,8 +289,9 @@ static int sctp_sock_dump_one(struct sct + return nlmsg_unicast(sock_net(skb->sk)->diag_nlsk, rep, NETLINK_CB(skb).portid); + + out: +- release_sock(sk); + kfree_skb(rep); ++out_unlock: ++ release_sock(sk); + return err; + } + diff --git a/queue-5.10/sctp-stream-fully-roll-back-denied-add-stream-state.patch b/queue-5.10/sctp-stream-fully-roll-back-denied-add-stream-state.patch new file mode 100644 index 0000000000..3da2d88952 --- /dev/null +++ b/queue-5.10/sctp-stream-fully-roll-back-denied-add-stream-state.patch 
@@ -0,0 +1,61 @@ +From a5f8a90ac9f77c678a9781c0a464b635e0d63e49 Mon Sep 17 00:00:00 2001 +From: Wyatt Feng +Date: Fri, 5 Jun 2026 13:53:42 +0800 +Subject: sctp: stream: fully roll back denied add-stream state + +From: Wyatt Feng + +commit a5f8a90ac9f77c678a9781c0a464b635e0d63e49 upstream. + +When ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and +then lowers outcnt. That leaves removed stream metadata behind, so a +later re-add can reuse a stale ext and hit a null-pointer dereference in +the scheduler get path. + +Fix the rollback by tearing down the removed stream state the same way +other stream resizes do. Unschedule the current scheduler state, drop +the removed stream ext state with sctp_stream_outq_migrate(), and then +reschedule the remaining streams. + +This keeps scheduler-private RR/FC/PRIO lists consistent while fully +rolling back denied outgoing stream additions. + +Fixes: 637784ade221 ("sctp: introduce priority based stream scheduler") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Zhengchuan Liang +Reported-by: Xin Liu +Signed-off-by: Wyatt Feng +Signed-off-by: Ren Wei +Acked-by: Xin Long +Link: https://patch.msgid.link/d78954ecd94954653ee299400e98d74a03a6f7d3.1780603399.git.bronzed_45_vested@icloud.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/stream.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/sctp/stream.c ++++ b/net/sctp/stream.c +@@ -1038,6 +1038,7 @@ struct sctp_chunk *sctp_process_strreset + stsn, rtsn, GFP_ATOMIC); + } else if (req->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS) { + struct sctp_strreset_addstrm *addstrm; ++ const struct sctp_sched_ops *sched; + __u16 number; + + addstrm = (struct sctp_strreset_addstrm *)req; +@@ -1048,7 +1049,10 @@ struct sctp_chunk *sctp_process_strreset + for (i = number; i < stream->outcnt; i++) + SCTP_SO(stream, i)->state = SCTP_STREAM_OPEN; + } else { +- 
sctp_stream_shrink_out(stream, number); ++ sched = sctp_sched_ops_from_stream(stream); ++ sched->unsched_all(stream); ++ sctp_stream_outq_migrate(stream, NULL, number); ++ sched->sched_all(stream); + stream->outcnt = number; + } + diff --git a/queue-5.10/series b/queue-5.10/series index 4512310012..702120dc90 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -200,3 +200,11 @@ misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch net-mv643xx-fix-of-node-refcount.patch net-rds-clear-i_sends-on-setup-unwind.patch +mmc-core-fix-host-controller-programming-for-fixed-driver-type.patch +mmc-sdhci-add-signal-voltage-switch-in-sdhci_resume_host.patch +sctp-diag-reject-stale-associations-in-dump_one-path.patch +sctp-stream-fully-roll-back-denied-add-stream-state.patch +thunderbolt-reject-zero-length-property-entries-in-validator.patch +thunderbolt-bound-root-directory-content-to-block-size.patch +thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch +thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch diff --git a/queue-5.10/thunderbolt-bound-root-directory-content-to-block-size.patch b/queue-5.10/thunderbolt-bound-root-directory-content-to-block-size.patch new file mode 100644 index 0000000000..88323bec0f --- /dev/null +++ b/queue-5.10/thunderbolt-bound-root-directory-content-to-block-size.patch 
@@ -0,0 +1,40 @@ +From 65423079c7420e3dbf9a7aa345c243a3f5752e5d Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Mon, 25 May 2026 05:28:26 -0400 +Subject: thunderbolt: Bound root directory content to block size + +From: Michael Bommarito + +commit 65423079c7420e3dbf9a7aa345c243a3f5752e5d upstream. + +__tb_property_parse_dir() does not check that content_offset + +content_len fits within block_len for the root directory case. +When rootdir->length equals or exceeds block_len - 2, the entry +loop reads past the allocated property block. + +Add a bounds check after computing content_offset and content_len +to reject directories whose content extends past the block. + +Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-7 +Signed-off-by: Michael Bommarito +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/property.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/thunderbolt/property.c ++++ b/drivers/thunderbolt/property.c +@@ -181,6 +181,10 @@ static struct tb_property_dir *__tb_prop + if (is_root) { + content_offset = dir_offset + 2; + content_len = dir_len; ++ if (content_offset + content_len > block_len) { ++ tb_property_free_dir(dir); ++ return NULL; ++ } + } else { + if (dir_len < 4) { + tb_property_free_dir(dir); diff --git a/queue-5.10/thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch b/queue-5.10/thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch new file mode 100644 index 0000000000..2b3134a176 --- /dev/null +++ b/queue-5.10/thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch 
@@ -0,0 +1,39 @@ +From 322e93448d908434ae5545660fcbe8f5a7a8e141 Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Mon, 25 May 2026 05:28:27 -0400 +Subject: thunderbolt: Clamp XDomain response data copy to allocation size + +From: Michael Bommarito + +commit 322e93448d908434ae5545660fcbe8f5a7a8e141 upstream. + +tb_xdp_properties_request() derives the per-packet copy length from +the response header without checking that it fits in the previously +allocated data buffer. A malicious peer can set its length field +larger than the declared data_length, causing memcpy to write past +the kcalloc allocation. + +Clamp the per-packet copy length so that the cumulative offset +never exceeds data_len. + +Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-7 +Signed-off-by: Michael Bommarito +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/xdomain.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/thunderbolt/xdomain.c ++++ b/drivers/thunderbolt/xdomain.c +@@ -355,6 +355,8 @@ static int tb_xdp_properties_request(str + } + } + ++ if (req.offset + len > data_len) ++ len = data_len - req.offset; + memcpy(data + req.offset, res->data, len * 4); + req.offset += len; + } while (!data_len || req.offset < data_len); diff --git a/queue-5.10/thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch b/queue-5.10/thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch new file mode 100644 index 0000000000..5b0fe187a0 --- /dev/null +++ b/queue-5.10/thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch 
@@ -0,0 +1,40 @@ +From 4db2bd2ed4785dbadaeeab9f4e346b21ac5fb8eb Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Mon, 25 May 2026 05:28:29 -0400 +Subject: thunderbolt: Limit XDomain response copy to actual frame size + +From: Michael Bommarito + +commit 4db2bd2ed4785dbadaeeab9f4e346b21ac5fb8eb upstream. + +tb_xdomain_copy() copies req->response_size bytes from the received +packet buffer regardless of the actual frame size. When a short +response arrives, this reads past the valid frame data in the DMA +pool buffer into stale contents from previous transactions. + +Use the minimum of frame size and expected response size for the +copy length. + +Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-7 +Signed-off-by: Michael Bommarito +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/xdomain.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/thunderbolt/xdomain.c ++++ b/drivers/thunderbolt/xdomain.c +@@ -81,7 +81,9 @@ static bool tb_xdomain_match(const struc + static bool tb_xdomain_copy(struct tb_cfg_request *req, + const struct ctl_pkg *pkg) + { +- memcpy(req->response, pkg->buffer, req->response_size); ++ size_t len = min_t(size_t, pkg->frame.size, req->response_size); ++ ++ memcpy(req->response, pkg->buffer, len); + req->result.err = 0; + return true; + } diff --git a/queue-5.10/thunderbolt-reject-zero-length-property-entries-in-validator.patch b/queue-5.10/thunderbolt-reject-zero-length-property-entries-in-validator.patch new file mode 100644 index 0000000000..4259805be4 --- /dev/null +++ b/queue-5.10/thunderbolt-reject-zero-length-property-entries-in-validator.patch 
@@ -0,0 +1,42 @@ +From cff8eb65d1eafe7793e54b4d0cf6bf831644630b Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Mon, 25 May 2026 05:28:25 -0400 +Subject: thunderbolt: Reject zero-length property entries in validator + +From: Michael Bommarito + +commit cff8eb65d1eafe7793e54b4d0cf6bf831644630b upstream. + +tb_property_entry_valid() accepts entries with length == 0 for +DIRECTORY, DATA, and TEXT types. A zero-length TEXT entry passes +validation but causes an underflow in the null-termination logic: + + property->value.text[property->length * 4 - 1] = '\0'; + +When property->length is 0 this writes to offset -1 relative to +the allocation. + +Reject zero-length entries early in the validator since they have no +valid representation in the XDomain property protocol. + +Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-7 +Signed-off-by: Michael Bommarito +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/property.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/thunderbolt/property.c ++++ b/drivers/thunderbolt/property.c +@@ -59,6 +59,8 @@ static bool tb_property_entry_valid(cons + case TB_PROPERTY_TYPE_DIRECTORY: + case TB_PROPERTY_TYPE_DATA: + case TB_PROPERTY_TYPE_TEXT: ++ if (!entry->length) ++ return false; + if (entry->length > block_len) + return false; + if (check_add_overflow(entry->value, entry->length, &end) ||
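Review bot: In mmc_select_driver_type() (drivers/mmc/core/mmc.c), the new condition `fixed_drv_type >= 0 && drive_strength` falls through to `else if (drv_type)` whenever a fixed type is configured but drive_strength is 0. That is only harmless if drv_type is guaranteed to be zero on the fixed path, which the commit message implies but the code does not state. Either nest the two cases so the fixed path can never reach the drv_type call, or add a comment that a drive_strength of 0 means the default Type B and needs no host programming.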
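Review bot: In sdhci_resume_host() (drivers/mmc/host/sdhci.c), the return value of the added `mmc->ops->start_signal_voltage_switch(mmc, &mmc->ios)` call is discarded, so a failed switch is followed by `set_ios()` with the card still at the wrong signalling voltage, which is the state the commit message describes as the bug. Consider at least logging a non-zero return so a failed resume is diagnosable. The callback is also invoked without checking that the pointer is set; if every sdhci host is guaranteed to populate it, a short comment saying so would help.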
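Review bot: In sctp_sock_dump_one() (net/sctp/diag.c), the existing `ep != assoc->ep` case now returns -ESTALE where it previously returned -EAGAIN, which is a user-visible errno change for sock_diag callers landing in a stable tree. The commit message only motivates the new `assoc->base.dead` check, so it should state that the errno change for the endpoint-mismatch case is intentional, or keep -EAGAIN for that case and use -ESTALE only for the dead association. Moving the check ahead of `nlmsg_new(inet_assoc_attr_size(sk, assoc), ...)` and adding the `out_unlock` label is the right ordering, since the size calculation itself reads association state.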
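Review bot: In the denied ADD_OUT_STREAMS branch of sctp_process_strreset_resp() (net/sctp/stream.c), `sched->sched_all(stream)` runs while `stream->outcnt` still holds the pre-rollback count, and the assignment `stream->outcnt = number` only follows afterwards. If any scheduler's sched_all walks streams by outcnt it will visit entries whose ext was just dropped by `sctp_stream_outq_migrate(stream, NULL, number)`. Please either lower outcnt before rescheduling or add a comment explaining why this order is required. Since the commit message says other resize paths use the same unsched/migrate/sched sequence, a shared helper would keep the call sites from drifting apart again.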
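Review bot: In the is_root branch of __tb_property_parse_dir() (drivers/thunderbolt/property.c), the new bound `content_offset + content_len > block_len` uses a plain addition on lengths taken from the peer-supplied block, while tb_property_entry_valid() in the same file uses `check_add_overflow()` for the equivalent test. If the sum can wrap on any build, an oversized length passes the check. Using `check_add_overflow()` here as well, or rewriting it as a subtraction against block_len after confirming content_offset <= block_len, removes that dependency on the operand widths.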
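Review bot: In tb_xdp_properties_request() (drivers/thunderbolt/xdomain.c), a response whose length field exceeds the declared data_length is silently truncated by `len = data_len - req.offset` and then treated as a successful transfer. The commit message attributes this input to a malicious peer, so the property block being assembled is already untrustworthy at that point. Failing the request with an error, or at least emitting a debug message when the clamp triggers, would be safer than parsing a truncated block and would leave a trace for anyone investigating a misbehaving peer.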
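Review bot: In tb_xdomain_copy() (drivers/thunderbolt/xdomain.c), when `pkg->frame.size` is smaller than `req->response_size` only the first len bytes of `req->response` are written, yet `req->result.err = 0` and `return true` still report a complete response. The caller then reads the tail of the response buffer with whatever it held before, and has no way to learn that the frame was short. Consider zeroing the remaining `req->response_size - len` bytes, or recording the short frame in the result, so later parsing does not act on uninitialised or leftover fields.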
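Review bot: In tb_property_entry_valid() (drivers/thunderbolt/property.c), the new `if (!entry->length) return false;` closes the path described in the commit message, but the write it protects, `property->value.text[property->length * 4 - 1] = '\0';`, still relies entirely on the validator having run first. A length check or WARN_ON at that write site would keep the underflow from returning if a future caller builds a TEXT property without going through the validator. The commit message should also note that DIRECTORY and DATA entries of length 0 are now rejected too, since only the TEXT case is shown to be harmful.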