5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 15 Aug 2025 15:35:24 +0000 (17:35 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 15 Aug 2025 15:35:24 +0000 (17:35 +0200)
added patches:
alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch
alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch
io_uring-don-t-use-int-for-abi.patch
net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch
net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch
netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch

queue-5.10/alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch [new file with mode: 0644]
queue-5.10/alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch [new file with mode: 0644]
queue-5.10/io_uring-don-t-use-int-for-abi.patch [new file with mode: 0644]
queue-5.10/net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch [new file with mode: 0644]
queue-5.10/net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch [new file with mode: 0644]
queue-5.10/netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch b/queue-5.10/alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch
new file mode 100644 (file)
index 0000000..4b6a997
--- /dev/null
@@ -0,0 +1,91 @@
+From ecfd41166b72b67d3bdeb88d224ff445f6163869 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 14 Aug 2025 10:12:43 +0200
+Subject: ALSA: usb-audio: Validate UAC3 cluster segment descriptors
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit ecfd41166b72b67d3bdeb88d224ff445f6163869 upstream.
+
+UAC3 class segment descriptors need to be verified whether their sizes
+match with the declared lengths and whether they fit with the
+allocated buffer sizes, too.  Otherwise malicious firmware may lead to
+the unexpected OOB accesses.
+
+Fixes: 11785ef53228 ("ALSA: usb-audio: Initial Power Domain support")
+Reported-and-tested-by: Youngjun Lee <yjjuny.lee@samsung.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20250814081245.8902-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/stream.c |   25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -342,20 +342,28 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
+       len = le16_to_cpu(cluster->wLength);
+       c = 0;
+-      p += sizeof(struct uac3_cluster_header_descriptor);
++      p += sizeof(*cluster);
++      len -= sizeof(*cluster);
+-      while (((p - (void *)cluster) < len) && (c < channels)) {
++      while (len > 0 && (c < channels)) {
+               struct uac3_cluster_segment_descriptor *cs_desc = p;
+               u16 cs_len;
+               u8 cs_type;
++              if (len < sizeof(*p))
++                      break;
+               cs_len = le16_to_cpu(cs_desc->wLength);
++              if (len < cs_len)
++                      break;
+               cs_type = cs_desc->bSegmentType;
+               if (cs_type == UAC3_CHANNEL_INFORMATION) {
+                       struct uac3_cluster_information_segment_descriptor *is = p;
+                       unsigned char map;
++                      if (cs_len < sizeof(*is))
++                              break;
++
+                       /*
+                        * TODO: this conversion is not complete, update it
+                        * after adding UAC3 values to asound.h
+@@ -457,6 +465,7 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
+                       chmap->map[c++] = map;
+               }
+               p += cs_len;
++              len -= cs_len;
+       }
+       if (channels < c)
+@@ -877,7 +886,7 @@ snd_usb_get_audioformat_uac3(struct snd_
+       u64 badd_formats = 0;
+       unsigned int num_channels;
+       struct audioformat *fp;
+-      u16 cluster_id, wLength;
++      u16 cluster_id, wLength, cluster_wLength;
+       int clock = 0;
+       int err;
+@@ -1004,6 +1013,16 @@ snd_usb_get_audioformat_uac3(struct snd_
+                       iface_no, altno);
+               kfree(cluster);
+               return ERR_PTR(-EIO);
++      }
++
++      cluster_wLength = le16_to_cpu(cluster->wLength);
++      if (cluster_wLength < sizeof(*cluster) ||
++          cluster_wLength > wLength) {
++              dev_err(&dev->dev,
++                      "%u:%d : invalid Cluster Descriptor size\n",
++                      iface_no, altno);
++              kfree(cluster);
++              return ERR_PTR(-EIO);
+       }
+       num_channels = cluster->bNrChannels;
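Review bot: The added guard `if (len < sizeof(*p))` in convert_chmap_v3() does not check what it appears to check. `p` is assigned to the descriptor pointers without a cast, so it is presumably a `void *`; `sizeof(*p)` is then 1 under the GNU extension, which makes the test redundant after `len > 0` and still lets `cs_desc->wLength` be read when fewer bytes remain than a segment header. It should be `if (len < sizeof(*cs_desc))`. The next check, `if (len < cs_len)`, has no lower bound, so a segment of a type other than UAC3_CHANNEL_INFORMATION that declares a wLength of 0 leaves `p` and `len` unchanged and the loop does not advance; `if (cs_len < sizeof(*cs_desc) || len < cs_len)` would cover that. The declarations of `p` and `len` are outside the hunk, so both points should be confirmed against the full function.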
diff --git a/queue-5.10/alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch b/queue-5.10/alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch
new file mode 100644 (file)
index 0000000..cf5680e
--- /dev/null
@@ -0,0 +1,51 @@
+From d832ccbc301fbd9e5a1d691bdcf461cdb514595f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 14 Aug 2025 10:12:42 +0200
+Subject: ALSA: usb-audio: Validate UAC3 power domain descriptors, too
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d832ccbc301fbd9e5a1d691bdcf461cdb514595f upstream.
+
+UAC3 power domain descriptors need to be verified with its variable
+bLength for avoiding the unexpected OOB accesses by malicious
+firmware, too.
+
+Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
+Reported-and-tested-by: Youngjun Lee <yjjuny.lee@samsung.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20250814081245.8902-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/validate.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/sound/usb/validate.c
++++ b/sound/usb/validate.c
+@@ -221,6 +221,17 @@ static bool validate_uac3_feature_unit(c
+       return d->bLength >= sizeof(*d) + 4 + 2;
+ }
++static bool validate_uac3_power_domain_unit(const void *p,
++                                          const struct usb_desc_validator *v)
++{
++      const struct uac3_power_domain_descriptor *d = p;
++
++      if (d->bLength < sizeof(*d))
++              return false;
++      /* baEntities[] + wPDomainDescrStr */
++      return d->bLength >= sizeof(*d) + d->bNrEntities + 2;
++}
++
+ static bool validate_midi_out_jack(const void *p,
+                                  const struct usb_desc_validator *v)
+ {
+@@ -285,6 +296,7 @@ static const struct usb_desc_validator a
+             struct uac3_clock_multiplier_descriptor),
+       /* UAC_VERSION_3, UAC3_SAMPLE_RATE_CONVERTER: not implemented yet */
+       /* UAC_VERSION_3, UAC3_CONNECTORS: not implemented yet */
++      FUNC(UAC_VERSION_3, UAC3_POWER_DOMAIN, validate_uac3_power_domain_unit),
+       { } /* terminator */
+ };
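Review bot: In validate_uac3_power_domain_unit() the order of the two comparisons is load-bearing, but nothing in the function says so: `d->bNrEntities` may only be read once `d->bLength < sizeof(*d)` has been ruled out. A short comment above the first check, e.g. `/* the fixed header must fit before bNrEntities is read */`, would keep a later cleanup from folding both tests into the single `>=` expression. The validator bounds the descriptor only against its own bLength. Whether bLength is bounded by the remaining descriptor buffer, and whether every reader of baEntities[] goes through this validator first, depends on callers outside this hunk.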
diff --git a/queue-5.10/io_uring-don-t-use-int-for-abi.patch b/queue-5.10/io_uring-don-t-use-int-for-abi.patch
new file mode 100644 (file)
index 0000000..32e36f3
--- /dev/null
@@ -0,0 +1,35 @@
+From cf73d9970ea4f8cace5d8f02d2565a2723003112 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Wed, 2 Jul 2025 21:31:54 +0100
+Subject: io_uring: don't use int for ABI
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit cf73d9970ea4f8cace5d8f02d2565a2723003112 upstream.
+
+__kernel_rwf_t is defined as int, the actual size of which is
+implementation defined. It won't go well if some compiler / archs
+ever defines it as i64, so replace it with __u32, hoping that
+there is no one using i16 for it.
+
+Cc: stable@vger.kernel.org
+Fixes: 2b188cc1bb857 ("Add io_uring IO interface")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/47c666c4ee1df2018863af3a2028af18feef11ed.1751412511.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/io_uring.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/uapi/linux/io_uring.h
++++ b/include/uapi/linux/io_uring.h
+@@ -29,7 +29,7 @@ struct io_uring_sqe {
+       };
+       __u32   len;            /* buffer size or number of iovecs */
+       union {
+-              __kernel_rwf_t  rw_flags;
++              __u32           rw_flags;
+               __u32           fsync_flags;
+               __u16           poll_events;    /* compatibility */
+               __u32           poll32_events;  /* word-reversed for BE */
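Review bot: With the type changed to `__u32`, the `rw_flags` member no longer names the flag set it carries, and unlike its neighbours in the union it has no trailing comment. I would add one, e.g. `__u32 rw_flags; /* RWF_* flags; fixed-width for ABI, was __kernel_rwf_t */`. As far as I know `__kernel_rwf_t` is a sparse `__bitwise` type, so kernel-side readers of this field may now need an explicit cast to keep sparse checking clean; those readers are outside this hunk.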
diff --git a/queue-5.10/net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch b/queue-5.10/net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch
new file mode 100644 (file)
index 0000000..f0c3f8c
--- /dev/null
@@ -0,0 +1,41 @@
+From 3fa840230f534385b34a4f39c8dd313fbe723f05 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 25 Jul 2025 19:12:09 +0200
+Subject: net: dpaa: fix device leak when querying time stamp info
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3fa840230f534385b34a4f39c8dd313fbe723f05 upstream.
+
+Make sure to drop the reference to the ptp device taken by
+of_find_device_by_node() when querying the time stamping capabilities.
+
+Note that holding a reference to the ptp device does not prevent its
+driver data from going away.
+
+Fixes: 17ae0b0ee9db ("dpaa_eth: add the get_ts_info interface for ethtool")
+Cc: stable@vger.kernel.org     # 4.19
+Cc: Yangbo Lu <yangbo.lu@nxp.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250725171213.880-2-johan@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
+@@ -499,8 +499,10 @@ static int dpaa_get_ts_info(struct net_d
+               of_node_put(ptp_node);
+       }
+-      if (ptp_dev)
++      if (ptp_dev) {
+               ptp = platform_get_drvdata(ptp_dev);
++              put_device(&ptp_dev->dev);
++      }
+       if (ptp)
+               info->phc_index = ptp->phc_index;
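Review bot: `ptp->phc_index` is still read after the added `put_device(&ptp_dev->dev)`, and nothing visible in this hunk keeps `ptp` valid if the ptp driver is unbound in between. As the commit message itself notes, the device reference never pinned the driver data, so this gap predates the change. The leak fix is correct on its own, but I would record the remaining lifetime assumption where the pointer is fetched, e.g. `/* drvdata is not pinned by the device reference; may race with ptp driver unbind */`. The same applies to the gfar_get_ts_info() hunk in net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch. Both functions continue outside their hunks.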
diff --git a/queue-5.10/net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch b/queue-5.10/net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch
new file mode 100644 (file)
index 0000000..02553a0
--- /dev/null
@@ -0,0 +1,41 @@
+From da717540acd34e5056e3fa35791d50f6b3303f55 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 25 Jul 2025 19:12:11 +0200
+Subject: net: gianfar: fix device leak when querying time stamp info
+
+From: Johan Hovold <johan@kernel.org>
+
+commit da717540acd34e5056e3fa35791d50f6b3303f55 upstream.
+
+Make sure to drop the reference to the ptp device taken by
+of_find_device_by_node() when querying the time stamping capabilities.
+
+Note that holding a reference to the ptp device does not prevent its
+driver data from going away.
+
+Fixes: 7349a74ea75c ("net: ethernet: gianfar_ethtool: get phc index through drvdata")
+Cc: stable@vger.kernel.org     # 4.18
+Cc: Yangbo Lu <yangbo.lu@nxp.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250725171213.880-4-johan@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/gianfar_ethtool.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/gianfar_ethtool.c
++++ b/drivers/net/ethernet/freescale/gianfar_ethtool.c
+@@ -1457,8 +1457,10 @@ static int gfar_get_ts_info(struct net_d
+       if (ptp_node) {
+               ptp_dev = of_find_device_by_node(ptp_node);
+               of_node_put(ptp_node);
+-              if (ptp_dev)
++              if (ptp_dev) {
+                       ptp = platform_get_drvdata(ptp_dev);
++                      put_device(&ptp_dev->dev);
++              }
+       }
+       if (ptp)
diff --git a/queue-5.10/netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch b/queue-5.10/netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch
new file mode 100644 (file)
index 0000000..e9cfcd0
--- /dev/null
@@ -0,0 +1,80 @@
+From 759dfc7d04bab1b0b86113f1164dc1fec192b859 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Mon, 28 Jul 2025 11:06:47 +0300
+Subject: netlink: avoid infinite retry looping in netlink_unicast()
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit 759dfc7d04bab1b0b86113f1164dc1fec192b859 upstream.
+
+netlink_attachskb() checks for the socket's read memory allocation
+constraints. Firstly, it has:
+
+  rmem < READ_ONCE(sk->sk_rcvbuf)
+
+to check if the just increased rmem value fits into the socket's receive
+buffer. If not, it proceeds and tries to wait for the memory under:
+
+  rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)
+
+The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is
+equal to sk->sk_rcvbuf. Thus the function neither successfully accepts
+these conditions, nor manages to reschedule the task - and is called in
+retry loop for indefinite time which is caught as:
+
+  rcu: INFO: rcu_sched self-detected stall on CPU
+  rcu:     0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212
+  (t=26000 jiffies g=230833 q=259957)
+  NMI backtrace for cpu 0
+  CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014
+  Call Trace:
+  <IRQ>
+  dump_stack lib/dump_stack.c:120
+  nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105
+  nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62
+  rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335
+  rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590
+  update_process_times kernel/time/timer.c:1953
+  tick_sched_handle kernel/time/tick-sched.c:227
+  tick_sched_timer kernel/time/tick-sched.c:1399
+  __hrtimer_run_queues kernel/time/hrtimer.c:1652
+  hrtimer_interrupt kernel/time/hrtimer.c:1717
+  __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113
+  asm_call_irq_on_stack arch/x86/entry/entry_64.S:808
+  </IRQ>
+
+  netlink_attachskb net/netlink/af_netlink.c:1234
+  netlink_unicast net/netlink/af_netlink.c:1349
+  kauditd_send_queue kernel/audit.c:776
+  kauditd_thread kernel/audit.c:897
+  kthread kernel/kthread.c:328
+  ret_from_fork arch/x86/entry/entry_64.S:304
+
+Restore the original behavior of the check which commit in Fixes
+accidentally missed when restructuring the code.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: ae8f160e7eb2 ("netlink: Fix wraparounds of sk->sk_rmem_alloc.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250728080727.255138-1-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1213,7 +1213,7 @@ int netlink_attachskb(struct sock *sk, s
+       nlk = nlk_sk(sk);
+       rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
+-      if ((rmem == skb->truesize || rmem < READ_ONCE(sk->sk_rcvbuf)) &&
++      if ((rmem == skb->truesize || rmem <= READ_ONCE(sk->sk_rcvbuf)) &&
+           !test_bit(NETLINK_S_CONGESTED, &nlk->state)) {
+               netlink_skb_set_owner_r(skb, sk);
+               return 0;
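Review bot: The accept condition in netlink_attachskb() has to agree on the boundary with the wait condition further down the function, quoted in the commit message as `rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)`. Nothing in the code says so, which is how the equal case was lost in the earlier restructuring. I would add a comment above the `if`, e.g. `/* accept up to and including sk_rcvbuf: the wait path below only sleeps when strictly over */`. The rest of the function, including the wait path, is outside this hunk.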
index ebec65d2de688b06fc6616fa5f65600e0f10f7dc..b10409fafaeb711fde42276aceb28c49dfd3d44e 100644 (file)
@@ -190,3 +190,9 @@ usb-serial-option-add-foxconn-t99w709.patch
 mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch
 mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch
 usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch
+io_uring-don-t-use-int-for-abi.patch
+alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch
+alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch
+netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch
+net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch
+net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch