From: Greg Kroah-Hartman Date: Fri, 3 Oct 2025 13:21:58 +0000 (+0200) Subject: 6.17-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=85ba4f7521f2c0b567dd548bab703ac5ca24fae0;p=thirdparty%2Fkernel%2Fstable-queue.git 6.17-stable patches added patches: alsa-usb-audio-fix-race-condition-to-uaf-in-snd_usbmidi_free.patch asoc-qcom-audioreach-fix-potential-null-pointer-dereference.patch gcc-plugins-remove-todo_verify_il-for-gcc-16.patch media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch media-i2c-tc358743-fix-use-after-free-bugs-caused-by-orphan-timer-in-probe.patch media-iris-fix-memory-leak-by-freeing-untracked-persist-buffer.patch media-rc-fix-races-with-imon_disconnect.patch media-stm32-csi-fix-dereference-before-null-check.patch media-tuner-xc5000-fix-use-after-free-in-xc5000_release.patch media-uvcvideo-mark-invalid-entities-with-id-uvc_invalid_entity_id.patch mm-swap-check-for-stable-address-space-before-operating-on-the-vma.patch scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch wifi-ath11k-fix-null-dereference-in-ath11k_qmi_m3_load.patch wifi-rtw89-fix-use-after-free-in-rtw89_core_tx_kick_off_and_wait.patch
---
diff --git a/queue-6.17/alsa-usb-audio-fix-race-condition-to-uaf-in-snd_usbmidi_free.patch b/queue-6.17/alsa-usb-audio-fix-race-condition-to-uaf-in-snd_usbmidi_free.patch
new file mode 100644
index 0000000000..1d99407d0a
--- /dev/null
+++ b/queue-6.17/alsa-usb-audio-fix-race-condition-to-uaf-in-snd_usbmidi_free.patch
@@ -0,0 +1,54 @@
+From 9f2c0ac1423d5f267e7f1d1940780fc764b0fee3 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park
+Date: Sun, 28 Sep 2025 02:39:24 +0900
+Subject: ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
+
+From: Jeongjun Park
+
+commit 9f2c0ac1423d5f267e7f1d1940780fc764b0fee3 upstream.
+
+The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
+removal") patched a UAF issue caused by the error timer.
+
+However, because the error timer kill added in this patch occurs after the
+endpoint delete, a race condition to UAF still occurs, albeit rarely.
+
+Additionally, since kill-cleanup for urb is also missing, freed memory can
+be accessed in interrupt context related to urb, which can cause UAF.
+
+Therefore, to prevent this, error timer and urb must be killed before
+freeing the heap memory.
+
+Cc:
+Reported-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
+Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
+Signed-off-by: Jeongjun Park
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/midi.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -1522,15 +1522,14 @@ static void snd_usbmidi_free(struct snd_
+ {
+ int i;
+
++ if (!umidi->disconnected)
++ snd_usbmidi_disconnect(&umidi->list);
++
+ for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
+ struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
+- if (ep->out)
+- snd_usbmidi_out_endpoint_delete(ep->out);
+- if (ep->in)
+- snd_usbmidi_in_endpoint_delete(ep->in);
++ kfree(ep->out);
+ }
+ mutex_destroy(&umidi->mutex);
+- timer_shutdown_sync(&umidi->error_timer);
+ kfree(umidi);
+ }
+
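Review bot: The new snd_usbmidi_free() body now depends entirely on snd_usbmidi_disconnect() having stopped error_timer and torn down every URB before the `kfree(ep->out)` loop runs, but with the explicit endpoint deletes and the `timer_shutdown_sync()` call removed nothing in the function states that ordering requirement. I would put a comment above the new `if (!umidi->disconnected)` guard, e.g. `/* snd_usbmidi_disconnect() must have stopped error_timer and torn down all URBs before ep->out is freed below */`, so a later change that defers the timer kill or frees ep->out elsewhere does not silently reintroduce the race this patch closes. Whether ep->in is released inside snd_usbmidi_disconnect() is not visible in this hunk, so that reliance belongs in the same comment. snd_usbmidi_free() starts before the hunk.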
diff --git a/queue-6.17/asoc-qcom-audioreach-fix-potential-null-pointer-dereference.patch b/queue-6.17/asoc-qcom-audioreach-fix-potential-null-pointer-dereference.patch
new file mode 100644
index 0000000000..64091365e2
--- /dev/null
+++ b/queue-6.17/asoc-qcom-audioreach-fix-potential-null-pointer-dereference.patch
@@ -0,0 +1,37 @@
+From 8318e04ab2526b155773313b66a1542476ce1106 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla
+Date: Mon, 25 Aug 2025 11:12:45 +0100
+Subject: ASoC: qcom: audioreach: fix potential null pointer dereference
+
+From: Srinivas Kandagatla
+
+commit 8318e04ab2526b155773313b66a1542476ce1106 upstream.
+
+It is possible that the topology parsing function
+audioreach_widget_load_module_common() could return NULL or an error
+pointer. Add missing NULL check so that we do not dereference it.
+
+Reported-by: Dan Carpenter
+Cc: Stable@vger.kernel.org
+Fixes: 36ad9bf1d93d ("ASoC: qdsp6: audioreach: add topology support")
+Signed-off-by: Srinivas Kandagatla
+Link: https://patch.msgid.link/20250825101247.152619-2-srinivas.kandagatla@oss.qualcomm.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/qcom/qdsp6/topology.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/qcom/qdsp6/topology.c
++++ b/sound/soc/qcom/qdsp6/topology.c
+@@ -587,8 +587,8 @@ static int audioreach_widget_load_module
+ return PTR_ERR(cont);
+
+ mod = audioreach_parse_common_tokens(apm, cont, &tplg_w->priv, w);
+- if (IS_ERR(mod))
+- return PTR_ERR(mod);
++ if (IS_ERR_OR_NULL(mod))
++ return mod ? PTR_ERR(mod) : -ENODEV;
+
+ dobj = &w->dobj;
+ dobj->private = mod;
diff --git a/queue-6.17/gcc-plugins-remove-todo_verify_il-for-gcc-16.patch b/queue-6.17/gcc-plugins-remove-todo_verify_il-for-gcc-16.patch
new file mode 100644
index 0000000000..ade1b6731a
--- /dev/null
+++ b/queue-6.17/gcc-plugins-remove-todo_verify_il-for-gcc-16.patch
@@ -0,0 +1,41 @@
+From a40282dd3c484e6c882e93f4680e0a3ef3814453 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Sat, 20 Sep 2025 16:45:23 -0700
+Subject: gcc-plugins: Remove TODO_verify_il for GCC >= 16
+
+From: Kees Cook
+
+commit a40282dd3c484e6c882e93f4680e0a3ef3814453 upstream.
+
+GCC now runs TODO_verify_il automatically[1], so it is no longer exposed to
+plugins. Only use the flag on GCC < 16.
+
+Link: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=9739ae9384dd7cd3bb1c7683d6b80b7a9116eaf8 [1]
+Suggested-by: Christopher Fore
+Link: https://lore.kernel.org/r/20250920234519.work.915-kees@kernel.org
+Signed-off-by: Kees Cook
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/gcc-plugins/gcc-common.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/scripts/gcc-plugins/gcc-common.h
++++ b/scripts/gcc-plugins/gcc-common.h
+@@ -173,10 +173,17 @@ static inline opt_pass *get_pass_for_id(
+ return g->get_passes()->get_pass_for_id(id);
+ }
+
++#if BUILDING_GCC_VERSION < 16000
+ #define TODO_verify_ssa TODO_verify_il
+ #define TODO_verify_flow TODO_verify_il
+ #define TODO_verify_stmts TODO_verify_il
+ #define TODO_verify_rtl_sharing TODO_verify_il
++#else
++#define TODO_verify_ssa 0
++#define TODO_verify_flow 0
++#define TODO_verify_stmts 0
++#define TODO_verify_rtl_sharing 0
++#endif
+
+ #define INSN_DELETED_P(insn) (insn)->deleted()
+
diff --git a/queue-6.17/media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch b/queue-6.17/media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch
new file mode 100644
index 0000000000..6b9b49d456
--- /dev/null
+++ b/queue-6.17/media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch
@@ -0,0 +1,119 @@ +From 01e03fb7db419d39e18d6090d4873c1bff103914 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Wed, 17 Sep 2025 17:59:26 +0800 +Subject: media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove + +From: Duoming Zhou + +commit 01e03fb7db419d39e18d6090d4873c1bff103914 upstream. + +The original code uses cancel_delayed_work() in flexcop_pci_remove(), which +does not guarantee that the delayed work item irq_check_work has fully +completed if it was already running. This leads to use-after-free scenarios +where flexcop_pci_remove() may free the flexcop_device while irq_check_work +is still active and attempts to dereference the device. + +A typical race condition is illustrated below: + +CPU 0 (remove) | CPU 1 (delayed work callback) +flexcop_pci_remove() | flexcop_pci_irq_check_work() + cancel_delayed_work() | + flexcop_device_kfree(fc_pci->fc_dev) | + | fc = fc_pci->fc_dev; // UAF + +This is confirmed by a KASAN report: + +================================================================== +BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 +Write of size 8 at addr ffff8880093aa8c8 by task bash/135 +... +Call Trace: + + dump_stack_lvl+0x55/0x70 + print_report+0xcf/0x610 + ? __run_timer_base.part.0+0x7d7/0x8c0 + kasan_report+0xb8/0xf0 + ? __run_timer_base.part.0+0x7d7/0x8c0 + __run_timer_base.part.0+0x7d7/0x8c0 + ? __pfx___run_timer_base.part.0+0x10/0x10 + ? __pfx_read_tsc+0x10/0x10 + ? ktime_get+0x60/0x140 + ? lapic_next_event+0x11/0x20 + ? clockevents_program_event+0x1d4/0x2a0 + run_timer_softirq+0xd1/0x190 + handle_softirqs+0x16a/0x550 + irq_exit_rcu+0xaf/0xe0 + sysvec_apic_timer_interrupt+0x70/0x80 + +... 
+ +Allocated by task 1: + kasan_save_stack+0x24/0x50 + kasan_save_track+0x14/0x30 + __kasan_kmalloc+0x7f/0x90 + __kmalloc_noprof+0x1be/0x460 + flexcop_device_kmalloc+0x54/0xe0 + flexcop_pci_probe+0x1f/0x9d0 + local_pci_probe+0xdc/0x190 + pci_device_probe+0x2fe/0x470 + really_probe+0x1ca/0x5c0 + __driver_probe_device+0x248/0x310 + driver_probe_device+0x44/0x120 + __driver_attach+0xd2/0x310 + bus_for_each_dev+0xed/0x170 + bus_add_driver+0x208/0x500 + driver_register+0x132/0x460 + do_one_initcall+0x89/0x300 + kernel_init_freeable+0x40d/0x720 + kernel_init+0x1a/0x150 + ret_from_fork+0x10c/0x1a0 + ret_from_fork_asm+0x1a/0x30 + +Freed by task 135: + kasan_save_stack+0x24/0x50 + kasan_save_track+0x14/0x30 + kasan_save_free_info+0x3a/0x60 + __kasan_slab_free+0x3f/0x50 + kfree+0x137/0x370 + flexcop_device_kfree+0x32/0x50 + pci_device_remove+0xa6/0x1d0 + device_release_driver_internal+0xf8/0x210 + pci_stop_bus_device+0x105/0x150 + pci_stop_and_remove_bus_device_locked+0x15/0x30 + remove_store+0xcc/0xe0 + kernfs_fop_write_iter+0x2c3/0x440 + vfs_write+0x871/0xd70 + ksys_write+0xee/0x1c0 + do_syscall_64+0xac/0x280 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +... + +Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure +that the delayed work item is properly canceled and any executing delayed +work has finished before the device memory is deallocated. + +This bug was initially identified through static analysis. To reproduce +and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced +artificial delays within the flexcop_pci_irq_check_work() function to +increase the likelihood of triggering the bug. 
+
+Fixes: 382c5546d618 ("V4L/DVB (10694): [PATCH] software IRQ watchdog for Flexcop B2C2 DVB PCI cards")
+Cc: stable@vger.kernel.org
+Signed-off-by: Duoming Zhou
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/pci/b2c2/flexcop-pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/pci/b2c2/flexcop-pci.c
++++ b/drivers/media/pci/b2c2/flexcop-pci.c
+@@ -411,7 +411,7 @@ static void flexcop_pci_remove(struct pc
+ struct flexcop_pci *fc_pci = pci_get_drvdata(pdev);
+
+ if (irq_chk_intv > 0)
+- cancel_delayed_work(&fc_pci->irq_check_work);
++ cancel_delayed_work_sync(&fc_pci->irq_check_work);
+
+ flexcop_pci_dma_exit(fc_pci);
+ flexcop_device_exit(fc_pci->fc_dev);
diff --git a/queue-6.17/media-i2c-tc358743-fix-use-after-free-bugs-caused-by-orphan-timer-in-probe.patch b/queue-6.17/media-i2c-tc358743-fix-use-after-free-bugs-caused-by-orphan-timer-in-probe.patch
new file mode 100644
index 0000000000..6c46273092
--- /dev/null
+++ b/queue-6.17/media-i2c-tc358743-fix-use-after-free-bugs-caused-by-orphan-timer-in-probe.patch
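Review bot: The synchronous cancel is still gated on `if (irq_chk_intv > 0)`, so the watchdog work is only flushed when that variable still holds the value it had when the work was first queued at probe time; if irq_chk_intv is a runtime-writable module parameter (its definition is outside this hunk), setting it to 0 after probe would skip the cancel and leave exactly the use-after-free this patch fixes. `cancel_delayed_work_sync()` is a no-op on work that was never queued, so calling it unconditionally, `cancel_delayed_work_sync(&fc_pci->irq_check_work);` without the guard, is safe and removes the dependency on the parameter not changing between probe and remove. flexcop_pci_remove() continues past the end of the hunk.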
@@ -0,0 +1,144 @@ +From 79d10f4f21a92e459b2276a77be62c59c1502c9d Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Wed, 17 Sep 2025 17:57:42 +0800 +Subject: media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe + +From: Duoming Zhou + +commit 79d10f4f21a92e459b2276a77be62c59c1502c9d upstream. + +The state->timer is a cyclic timer that schedules work_i2c_poll and +delayed_work_enable_hotplug, while rearming itself. Using timer_delete() +fails to guarantee the timer isn't still running when destroyed, similarly +cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has +terminated if already executing. During probe failure after timer +initialization, these may continue running as orphans and reference the +already-freed tc358743_state object through tc358743_irq_poll_timer. + +The following is the trace captured by KASAN. + +BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 +Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0 +... +Call Trace: + + dump_stack_lvl+0x55/0x70 + print_report+0xcf/0x610 + ? __pfx_sched_balance_find_src_group+0x10/0x10 + ? __run_timer_base.part.0+0x7d7/0x8c0 + kasan_report+0xb8/0xf0 + ? __run_timer_base.part.0+0x7d7/0x8c0 + __run_timer_base.part.0+0x7d7/0x8c0 + ? rcu_sched_clock_irq+0xb06/0x27d0 + ? __pfx___run_timer_base.part.0+0x10/0x10 + ? try_to_wake_up+0xb15/0x1960 + ? tmigr_update_events+0x280/0x740 + ? _raw_spin_lock_irq+0x80/0xe0 + ? __pfx__raw_spin_lock_irq+0x10/0x10 + tmigr_handle_remote_up+0x603/0x7e0 + ? __pfx_tmigr_handle_remote_up+0x10/0x10 + ? sched_balance_trigger+0x98/0x9f0 + ? sched_tick+0x221/0x5a0 + ? _raw_spin_lock_irq+0x80/0xe0 + ? __pfx__raw_spin_lock_irq+0x10/0x10 + ? tick_nohz_handler+0x339/0x440 + ? __pfx_tmigr_handle_remote_up+0x10/0x10 + __walk_groups.isra.0+0x42/0x150 + tmigr_handle_remote+0x1f4/0x2e0 + ? __pfx_tmigr_handle_remote+0x10/0x10 + ? ktime_get+0x60/0x140 + ? lapic_next_event+0x11/0x20 + ? clockevents_program_event+0x1d4/0x2a0 + ? 
hrtimer_interrupt+0x322/0x780 + handle_softirqs+0x16a/0x550 + irq_exit_rcu+0xaf/0xe0 + sysvec_apic_timer_interrupt+0x70/0x80 + +... + +Allocated by task 141: + kasan_save_stack+0x24/0x50 + kasan_save_track+0x14/0x30 + __kasan_kmalloc+0x7f/0x90 + __kmalloc_node_track_caller_noprof+0x198/0x430 + devm_kmalloc+0x7b/0x1e0 + tc358743_probe+0xb7/0x610 i2c_device_probe+0x51d/0x880 + really_probe+0x1ca/0x5c0 + __driver_probe_device+0x248/0x310 + driver_probe_device+0x44/0x120 + __device_attach_driver+0x174/0x220 + bus_for_each_drv+0x100/0x190 + __device_attach+0x206/0x370 + bus_probe_device+0x123/0x170 + device_add+0xd25/0x1470 + i2c_new_client_device+0x7a0/0xcd0 + do_one_initcall+0x89/0x300 + do_init_module+0x29d/0x7f0 + load_module+0x4f48/0x69e0 + init_module_from_file+0xe4/0x150 + idempotent_init_module+0x320/0x670 + __x64_sys_finit_module+0xbd/0x120 + do_syscall_64+0xac/0x280 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Freed by task 141: + kasan_save_stack+0x24/0x50 + kasan_save_track+0x14/0x30 + kasan_save_free_info+0x3a/0x60 + __kasan_slab_free+0x3f/0x50 + kfree+0x137/0x370 + release_nodes+0xa4/0x100 + devres_release_group+0x1b2/0x380 + i2c_device_probe+0x694/0x880 + really_probe+0x1ca/0x5c0 + __driver_probe_device+0x248/0x310 + driver_probe_device+0x44/0x120 + __device_attach_driver+0x174/0x220 + bus_for_each_drv+0x100/0x190 + __device_attach+0x206/0x370 + bus_probe_device+0x123/0x170 + device_add+0xd25/0x1470 + i2c_new_client_device+0x7a0/0xcd0 + do_one_initcall+0x89/0x300 + do_init_module+0x29d/0x7f0 + load_module+0x4f48/0x69e0 + init_module_from_file+0xe4/0x150 + idempotent_init_module+0x320/0x670 + __x64_sys_finit_module+0xbd/0x120 + do_syscall_64+0xac/0x280 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +... + +Replace timer_delete() with timer_delete_sync() and cancel_delayed_work() +with cancel_delayed_work_sync() to ensure proper termination of timer and +work items before resource cleanup. + +This bug was initially identified through static analysis. 
For reproduction
+and testing, I created a functional emulation of the tc358743 device via a
+kernel module and introduced faults through the debugfs interface.
+
+Fixes: 869f38ae07f7 ("media: i2c: tc358743: Fix crash in the probe error path when using polling")
+Fixes: d32d98642de6 ("[media] Driver for Toshiba TC358743 HDMI to CSI-2 bridge")
+Cc: stable@vger.kernel.org
+Signed-off-by: Duoming Zhou
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/i2c/tc358743.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -2245,10 +2245,10 @@ static int tc358743_probe(struct i2c_cli
+ err_work_queues:
+ cec_unregister_adapter(state->cec_adap);
+ if (!state->i2c_client->irq) {
+- timer_delete(&state->timer);
++ timer_delete_sync(&state->timer);
+ flush_work(&state->work_i2c_poll);
+ }
+- cancel_delayed_work(&state->delayed_work_enable_hotplug);
++ cancel_delayed_work_sync(&state->delayed_work_enable_hotplug);
+ mutex_destroy(&state->confctl_mutex);
+ err_hdl:
+ media_entity_cleanup(&sd->entity);
diff --git a/queue-6.17/media-iris-fix-memory-leak-by-freeing-untracked-persist-buffer.patch b/queue-6.17/media-iris-fix-memory-leak-by-freeing-untracked-persist-buffer.patch
new file mode 100644
index 0000000000..52f36e6e8b
--- /dev/null
+++ b/queue-6.17/media-iris-fix-memory-leak-by-freeing-untracked-persist-buffer.patch
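Review bot: `timer_delete_sync(&state->timer)` waits for a running callback but does not stop that callback from re-arming the timer, and the commit message itself says state->timer rearms itself from its handler; if the handler is mid-flight when this error path runs, the timer can be pending again after the call returns and later fire on the freed state. `timer_shutdown_sync()` is the variant that forbids re-arming and is the call the sound/usb/midi.c change elsewhere in this series relies on, so `timer_shutdown_sync(&state->timer);` would close that window unless the handler already checks a stop flag, which is not visible in this hunk. If the driver's remove path uses the same sequence, it would presumably want the same treatment. tc358743_probe() starts before the hunk and continues past it.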
@@ -0,0 +1,51 @@
+From 02a24f13b3a1d9da9f3de56aa5fdb7cc1fe167a2 Mon Sep 17 00:00:00 2001
+From: Dikshita Agarwal
+Date: Mon, 25 Aug 2025 12:30:27 +0530
+Subject: media: iris: Fix memory leak by freeing untracked persist buffer
+
+From: Dikshita Agarwal
+
+commit 02a24f13b3a1d9da9f3de56aa5fdb7cc1fe167a2 upstream.
+
+One internal buffer which is allocated only once per session was not
+being freed during session close because it was not being tracked as
+part of internal buffer list which resulted in a memory leak.
+
+Add the necessary logic to explicitly free the untracked internal buffer
+during session close to ensure all allocated memory is released
+properly.
+
+Fixes: 73702f45db81 ("media: iris: allocate, initialize and queue internal buffers")
+Cc: stable@vger.kernel.org
+Reviewed-by: Vikash Garodia
+Tested-by: Vikash Garodia # X1E80100
+Tested-by: Neil Armstrong # on SM8550-HDK
+Tested-by: Neil Armstrong # on SM8650-HDK
+Signed-off-by: Dikshita Agarwal
+Tested-by: Bryan O'Donoghue # x1e80100-crd
+Signed-off-by: Bryan O'Donoghue
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/qcom/iris/iris_buffer.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/media/platform/qcom/iris/iris_buffer.c
++++ b/drivers/media/platform/qcom/iris/iris_buffer.c
+@@ -413,6 +413,16 @@ static int iris_destroy_internal_buffers
+ }
+ }
+
++ if (force) {
++ buffers = &inst->buffers[BUF_PERSIST];
++
++ list_for_each_entry_safe(buf, next, &buffers->list, list) {
++ ret = iris_destroy_internal_buffer(inst, buf);
++ if (ret)
++ return ret;
++ }
++ }
++
+ return 0;
+ }
+
diff --git a/queue-6.17/media-rc-fix-races-with-imon_disconnect.patch b/queue-6.17/media-rc-fix-races-with-imon_disconnect.patch
new file mode 100644
index 0000000000..32b095cdc3
--- /dev/null
+++ b/queue-6.17/media-rc-fix-races-with-imon_disconnect.patch
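Review bot: The new `if (force)` block releases BUF_PERSIST separately from the loop above it without saying why that buffer type needs its own pass, and the reason given in the commit message (allocated once per session, not on the tracked internal-buffer list) is not visible at the call site. A one-line comment above the block, e.g. `/* BUF_PERSIST is allocated once per session and not tracked with the other internal buffers, so it is only released on forced (session-close) teardown */`, would keep that invariant next to the code. As in the preceding loop, an error from iris_destroy_internal_buffer() returns early and leaves the remaining persist buffers allocated; whether the caller retries on that path is not visible here. iris_destroy_internal_buffers() starts before the hunk.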
@@ -0,0 +1,160 @@ +From fa0f61cc1d828178aa921475a9b786e7fbb65ccb Mon Sep 17 00:00:00 2001 +From: Larshin Sergey +Date: Tue, 29 Jul 2025 13:13:32 +0300 +Subject: media: rc: fix races with imon_disconnect() + +From: Larshin Sergey + +commit fa0f61cc1d828178aa921475a9b786e7fbb65ccb upstream. + +Syzbot reports a KASAN issue as below: +BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] +BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 +Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 + +CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 +Call Trace: + +__dump_stack lib/dump_stack.c:88 [inline] +dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 +print_address_description mm/kasan/report.c:317 [inline] +print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 +kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 +__create_pipe include/linux/usb.h:1945 [inline] +send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 +vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 +vfs_write+0x2d7/0xdd0 fs/read_write.c:576 +ksys_write+0x127/0x250 fs/read_write.c:631 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The iMON driver improperly releases the usb_device reference in +imon_disconnect without coordinating with active users of the +device. + +Specifically, the fields usbdev_intf0 and usbdev_intf1 are not +protected by the users counter (ictx->users). During probe, +imon_init_intf0 or imon_init_intf1 increments the usb_device +reference count depending on the interface. However, during +disconnect, usb_put_dev is called unconditionally, regardless of +actual usage. + +As a result, if vfd_write or other operations are still in +progress after disconnect, this can lead to a use-after-free of +the usb_device pointer. 
+ +Thread 1 vfd_write Thread 2 imon_disconnect + ... + if + usb_put_dev(ictx->usbdev_intf0) + else + usb_put_dev(ictx->usbdev_intf1) +... +while + send_packet + if + pipe = usb_sndintpipe( + ictx->usbdev_intf0) UAF + else + pipe = usb_sndctrlpipe( + ictx->usbdev_intf0, 0) UAF + +Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by +checking ictx->disconnected in all writer paths. Add early return +with -ENODEV in send_packet(), vfd_write(), lcd_write() and +display_open() if the device is no longer present. + +Set and read ictx->disconnected under ictx->lock to ensure memory +synchronization. Acquire the lock in imon_disconnect() before setting +the flag to synchronize with any ongoing operations. + +Ensure writers exit early and safely after disconnect before the USB +core proceeds with cleanup. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Reported-by: syzbot+f1a69784f6efe748c3bf@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=f1a69784f6efe748c3bf +Fixes: 21677cfc562a ("V4L/DVB: ir-core: add imon driver") +Cc: stable@vger.kernel.org + +Signed-off-by: Larshin Sergey +Signed-off-by: Sean Young +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/imon.c | 27 ++++++++++++++++++++------- + 1 file changed, 20 insertions(+), 7 deletions(-) + +--- a/drivers/media/rc/imon.c ++++ b/drivers/media/rc/imon.c +@@ -536,7 +536,9 @@ static int display_open(struct inode *in + + mutex_lock(&ictx->lock); + +- if (!ictx->display_supported) { ++ if (ictx->disconnected) { ++ retval = -ENODEV; ++ } else if (!ictx->display_supported) { + pr_err("display not supported by device\n"); + retval = -ENODEV; + } else if (ictx->display_isopen) { +@@ -598,6 +600,9 @@ static int send_packet(struct imon_conte + int retval = 0; + struct usb_ctrlrequest *control_req = NULL; + ++ if (ictx->disconnected) ++ return -ENODEV; ++ + /* Check if we need to use control or interrupt urb */ + if 
(!ictx->tx_control) {
+ pipe = usb_sndintpipe(ictx->usbdev_intf0,
+@@ -949,12 +954,14 @@ static ssize_t vfd_write(struct file *fi
+ static const unsigned char vfd_packet6[] = {
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF };
+
+- if (ictx->disconnected)
+- return -ENODEV;
+-
+ if (mutex_lock_interruptible(&ictx->lock))
+ return -ERESTARTSYS;
+
++ if (ictx->disconnected) {
++ retval = -ENODEV;
++ goto exit;
++ }
++
+ if (!ictx->dev_present_intf0) {
+ pr_err_ratelimited("no iMON device present\n");
+ retval = -ENODEV;
+@@ -1029,11 +1036,13 @@ static ssize_t lcd_write(struct file *fi
+ int retval = 0;
+ struct imon_context *ictx = file->private_data;
+
+- if (ictx->disconnected)
+- return -ENODEV;
+-
+ mutex_lock(&ictx->lock);
+
++ if (ictx->disconnected) {
++ retval = -ENODEV;
++ goto exit;
++ }
++
+ if (!ictx->display_supported) {
+ pr_err_ratelimited("no iMON display present\n");
+ retval = -ENODEV;
+@@ -2499,7 +2508,11 @@ static void imon_disconnect(struct usb_i
+ int ifnum;
+
+ ictx = usb_get_intfdata(interface);
++
++ mutex_lock(&ictx->lock);
+ ictx->disconnected = true;
++ mutex_unlock(&ictx->lock);
++
+ dev = ictx->dev;
+ ifnum = interface->cur_altsetting->desc.bInterfaceNumber;
+
diff --git a/queue-6.17/media-stm32-csi-fix-dereference-before-null-check.patch b/queue-6.17/media-stm32-csi-fix-dereference-before-null-check.patch
new file mode 100644
index 0000000000..e11ddae38b
--- /dev/null
+++ b/queue-6.17/media-stm32-csi-fix-dereference-before-null-check.patch
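Review bot: The `if (ictx->disconnected) return -ENODEV;` added at the top of send_packet() is only race-free against the `ictx->disconnected = true` store (now done under ictx->lock in imon_disconnect()) when the caller holds ictx->lock for the whole send, as vfd_write() and lcd_write() now do by checking under the lock and jumping to `exit`; send_packet() itself neither takes the lock nor documents that requirement. A `lockdep_assert_held(&ictx->lock);` immediately before the new check would make that contract checkable and flag any unlocked caller elsewhere in the file, none of which are visible in these hunks. In display_open() the new `ictx->disconnected` branch returns -ENODEV silently where the neighbouring branch logs; that asymmetry looks deliberate for a device that has gone away but deserves a brief comment. send_packet() and imon_disconnect() both continue past the hunk.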
@@ -0,0 +1,46 @@
+From 80eaf32672871bd2623ce6ba13ffc1f018756580 Mon Sep 17 00:00:00 2001
+From: Chandra Mohan Sundar
+Date: Mon, 18 Aug 2025 15:01:57 +0530
+Subject: media: stm32-csi: Fix dereference before NULL check
+
+From: Chandra Mohan Sundar
+
+commit 80eaf32672871bd2623ce6ba13ffc1f018756580 upstream.
+
+In 'stm32_csi_start', 'csidev->s_subdev' is dereferenced directly while
+assigning a value to the 'src_pad'. However the same value is being
+checked against NULL at a later point of time indicating that there
+are chances that the value can be NULL.
+
+Move the dereference after the NULL check.
+
+Fixes: e7bad98c205d1 ("media: v4l: Convert the users of v4l2_get_link_freq to call it on a pad")
+Cc: stable@vger.kernel.org
+Signed-off-by: Chandra Mohan Sundar
+Signed-off-by: Sakari Ailus
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/st/stm32/stm32-csi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/platform/st/stm32/stm32-csi.c
++++ b/drivers/media/platform/st/stm32/stm32-csi.c
+@@ -443,8 +443,7 @@ static void stm32_csi_phy_reg_write(stru
+ static int stm32_csi_start(struct stm32_csi_dev *csidev,
+ struct v4l2_subdev_state *state)
+ {
+- struct media_pad *src_pad =
+- &csidev->s_subdev->entity.pads[csidev->s_subdev_pad_nb];
++ struct media_pad *src_pad;
+ const struct stm32_csi_mbps_phy_reg *phy_regs = NULL;
+ struct v4l2_mbus_framefmt *sink_fmt;
+ const struct stm32_csi_fmts *fmt;
+@@ -466,6 +465,7 @@ static int stm32_csi_start(struct stm32_
+ if (!csidev->s_subdev)
+ return -EIO;
+
++ src_pad = &csidev->s_subdev->entity.pads[csidev->s_subdev_pad_nb];
+ link_freq = v4l2_get_link_freq(src_pad,
+ fmt->bpp, 2 * csidev->num_lanes);
+ if (link_freq < 0)
diff --git a/queue-6.17/media-tuner-xc5000-fix-use-after-free-in-xc5000_release.patch b/queue-6.17/media-tuner-xc5000-fix-use-after-free-in-xc5000_release.patch
new file mode 100644
index 0000000000..521b872da1
--- /dev/null
+++ b/queue-6.17/media-tuner-xc5000-fix-use-after-free-in-xc5000_release.patch 
@@ -0,0 +1,55 @@
+From 40b7a19f321e65789612ebaca966472055dab48c Mon Sep 17 00:00:00 2001
+From: Duoming Zhou
+Date: Wed, 17 Sep 2025 17:56:08 +0800
+Subject: media: tuner: xc5000: Fix use-after-free in xc5000_release
+
+From: Duoming Zhou
+
+commit 40b7a19f321e65789612ebaca966472055dab48c upstream.
+
+The original code uses cancel_delayed_work() in xc5000_release(), which
+does not guarantee that the delayed work item timer_sleep has fully
+completed if it was already running. This leads to use-after-free scenarios
+where xc5000_release() may free the xc5000_priv while timer_sleep is still
+active and attempts to dereference the xc5000_priv.
+
+A typical race condition is illustrated below:
+
+CPU 0 (release thread) | CPU 1 (delayed work callback)
+xc5000_release() | xc5000_do_timer_sleep()
+ cancel_delayed_work() |
+ hybrid_tuner_release_state(priv) |
+ kfree(priv) |
+ | priv = container_of() // UAF
+
+Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
+that the timer_sleep is properly canceled before the xc5000_priv memory
+is deallocated.
+
+A deadlock concern was considered: xc5000_release() is called in a process
+context and is not holding any locks that the timer_sleep work item might
+also need. Therefore, the use of the _sync() variant is safe here.
+
+This bug was initially identified through static analysis.
+
+Fixes: f7a27ff1fb77 ("[media] xc5000: delay tuner sleep to 5 seconds")
+Cc: stable@vger.kernel.org
+Signed-off-by: Duoming Zhou
+Signed-off-by: Hans Verkuil
+[hverkuil: fix typo in Subject: tunner -> tuner]
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/tuners/xc5000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/tuners/xc5000.c
++++ b/drivers/media/tuners/xc5000.c
+@@ -1304,7 +1304,7 @@ static void xc5000_release(struct dvb_fr
+ mutex_lock(&xc5000_list_mutex);
+
+ if (priv) {
+- cancel_delayed_work(&priv->timer_sleep);
++ cancel_delayed_work_sync(&priv->timer_sleep);
+ hybrid_tuner_release_state(priv);
+ }
+
diff --git a/queue-6.17/media-uvcvideo-mark-invalid-entities-with-id-uvc_invalid_entity_id.patch b/queue-6.17/media-uvcvideo-mark-invalid-entities-with-id-uvc_invalid_entity_id.patch
new file mode 100644
index 0000000000..63774b1b7f
--- /dev/null
+++ b/queue-6.17/media-uvcvideo-mark-invalid-entities-with-id-uvc_invalid_entity_id.patch
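Review bot: The new `cancel_delayed_work_sync(&priv->timer_sleep)` runs with xc5000_list_mutex held (the `mutex_lock(&xc5000_list_mutex)` two lines above it), so the commit message's statement that the release path holds no lock the work item might need is only true as long as xc5000_do_timer_sleep() never takes xc5000_list_mutex; that work function is outside this hunk. Because a later change to the work function would turn this into a deadlock rather than a build error, the invariant is worth pinning at the call site: `/* xc5000_list_mutex is held here: xc5000_do_timer_sleep() must never take it */`. xc5000_release() starts before the hunk and continues past it.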
@@ -0,0 +1,309 @@
+From 0e2ee70291e64a30fe36960c85294726d34a103e Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo
+Date: Wed, 20 Aug 2025 16:08:16 +0000
+Subject: media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID
+
+From: Thadeu Lima de Souza Cascardo
+
+commit 0e2ee70291e64a30fe36960c85294726d34a103e upstream.
+
+Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero
+unique ID.
+
+```
+Each Unit and Terminal within the video function is assigned a unique
+identification number, the Unit ID (UID) or Terminal ID (TID), contained in
+the bUnitID or bTerminalID field of the descriptor. The value 0x00 is
+reserved for undefined ID,
+```
+
+If we add a new entity with id 0 or a duplicated ID, it will be marked
+as UVC_INVALID_ENTITY_ID.
+
+In a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Require
+entities to have a non-zero unique ID"), we ignored all the invalid units,
+this broke a lot of non-compatible cameras. Hopefully we are more lucky
+this time.
+
+This also prevents some syzkaller reproducers from triggering warnings due
+to a chain of entities referring to themselves. In one particular case, an
+Output Unit is connected to an Input Unit, both with the same ID of 1. But
+when looking up for the source ID of the Output Unit, that same entity is
+found instead of the input entity, which leads to such warnings.
+
+In another case, a backward chain was considered finished as the source ID
+was 0. Later on, that entity was found, but its pads were not valid.
+
+Here is a sample stack trace for one of those cases.
+
+[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd
+[ 20.830206] usb 1-1: Using ep0 maxpacket: 8
+[ 20.833501] usb 1-1: config 0 descriptor??
+[ 21.038518] usb 1-1: string descriptor 0 read error: -71
+[ 21.038893] usb 1-1: Found UVC 0.00 device (2833:0201)
+[ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized!
+[ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized!
+[ 21.042218] ------------[ cut here ]------------
+[ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0
+[ 21.043195] Modules linked in:
+[ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444
+[ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+[ 21.044639] Workqueue: usb_hub_wq hub_event
+[ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0
+[ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00
+[ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246
+[ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1
+[ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290
+[ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000
+[ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003
+[ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000
+[ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
+[ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0
+[ 21.051136] PKRU: 55555554
+[ 21.051331] Call Trace:
+[ 21.051480]
+[ 21.051611] ? __warn+0xc4/0x210
+[ 21.051861] ? media_create_pad_link+0x2c4/0x2e0
+[ 21.052252] ? report_bug+0x11b/0x1a0
+[ 21.052540] ? trace_hardirqs_on+0x31/0x40
+[ 21.052901] ? handle_bug+0x3d/0x70
+[ 21.053197] ? exc_invalid_op+0x1a/0x50
+[ 21.053511] ? asm_exc_invalid_op+0x1a/0x20
+[ 21.053924] ? media_create_pad_link+0x91/0x2e0
+[ 21.054364] ? media_create_pad_link+0x2c4/0x2e0
+[ 21.054834] ? media_create_pad_link+0x91/0x2e0
+[ 21.055131] ? _raw_spin_unlock+0x1e/0x40
+[ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210
+[ 21.055837] uvc_mc_register_entities+0x358/0x400
+[ 21.056144] uvc_register_chains+0x1fd/0x290
+[ 21.056413] uvc_probe+0x380e/0x3dc0
+[ 21.056676] ? __lock_acquire+0x5aa/0x26e0
+[ 21.056946] ? find_held_lock+0x33/0xa0
+[ 21.057196] ? kernfs_activate+0x70/0x80
+[ 21.057533] ? usb_match_dynamic_id+0x1b/0x70
+[ 21.057811] ? find_held_lock+0x33/0xa0
+[ 21.058047] ? usb_match_dynamic_id+0x55/0x70
+[ 21.058330] ? lock_release+0x124/0x260
+[ 21.058657] ? usb_match_one_id_intf+0xa2/0x100
+[ 21.058997] usb_probe_interface+0x1ba/0x330
+[ 21.059399] really_probe+0x1ba/0x4c0
+[ 21.059662] __driver_probe_device+0xb2/0x180
+[ 21.059944] driver_probe_device+0x5a/0x100
+[ 21.060170] __device_attach_driver+0xe9/0x160
+[ 21.060427] ? __pfx___device_attach_driver+0x10/0x10
+[ 21.060872] bus_for_each_drv+0xa9/0x100
+[ 21.061312] __device_attach+0xed/0x190
+[ 21.061812] device_initial_probe+0xe/0x20
+[ 21.062229] bus_probe_device+0x4d/0xd0
+[ 21.062590] device_add+0x308/0x590
+[ 21.062912] usb_set_configuration+0x7b6/0xaf0
+[ 21.063403] usb_generic_driver_probe+0x36/0x80
+[ 21.063714] usb_probe_device+0x7b/0x130
+[ 21.063936] really_probe+0x1ba/0x4c0
+[ 21.064111] __driver_probe_device+0xb2/0x180
+[ 21.064577] driver_probe_device+0x5a/0x100
+[ 21.065019] __device_attach_driver+0xe9/0x160
+[ 21.065403] ? __pfx___device_attach_driver+0x10/0x10
+[ 21.065820] bus_for_each_drv+0xa9/0x100
+[ 21.066094] __device_attach+0xed/0x190
+[ 21.066535] device_initial_probe+0xe/0x20
+[ 21.066992] bus_probe_device+0x4d/0xd0
+[ 21.067250] device_add+0x308/0x590
+[ 21.067501] usb_new_device+0x347/0x610
+[ 21.067817] hub_event+0x156b/0x1e30
+[ 21.068060] ? process_scheduled_works+0x48b/0xaf0
+[ 21.068337] process_scheduled_works+0x5a3/0xaf0
+[ 21.068668] worker_thread+0x3cf/0x560
+[ 21.068932] ? kthread+0x109/0x1b0
+[ 21.069133] kthread+0x197/0x1b0
+[ 21.069343] ? __pfx_worker_thread+0x10/0x10
+[ 21.069598] ? __pfx_kthread+0x10/0x10
+[ 21.069908] ret_from_fork+0x32/0x40
+[ 21.070169] ? __pfx_kthread+0x10/0x10
+[ 21.070424] ret_from_fork_asm+0x1a/0x30
+[ 21.070737]
+
+Reported-by: syzbot+0584f746fde3d52b4675@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0584f746fde3d52b4675
+Reported-by: syzbot+dd320d114deb3f5bb79b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=dd320d114deb3f5bb79b
+Reported-by: Youngjun Lee
+Fixes: a3fbc2e6bb05 ("media: mc-entity.c: use WARN_ON, validate link pads")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Co-developed-by: Ricardo Ribalda
+Signed-off-by: Ricardo Ribalda
+Reviewed-by: Laurent Pinchart
+Reviewed-by: Hans de Goede
+Signed-off-by: Hans de Goede
+Signed-off-by: Laurent Pinchart
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/uvc/uvc_driver.c | 73 +++++++++++++++++++++++--------------
+ drivers/media/usb/uvc/uvcvideo.h | 2 +
+ 2 files changed, 48 insertions(+), 27 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -137,6 +137,9 @@ struct uvc_entity *uvc_entity_by_id(stru
+ {
+ struct uvc_entity *entity;
+
++ if (id == UVC_INVALID_ENTITY_ID)
++ return NULL;
++
+ list_for_each_entry(entity, &dev->entities, list) {
+ if (entity->id == id)
+ return entity;
+@@ -795,14 +798,27 @@ static const u8 uvc_media_transport_inpu
+ UVC_GUID_UVC_MEDIA_TRANSPORT_INPUT;
+ static const u8 uvc_processing_guid[16] = UVC_GUID_UVC_PROCESSING;
+
+-static struct uvc_entity *uvc_alloc_entity(u16 type, u16 id,
+- unsigned int num_pads, unsigned int extra_size)
++static struct uvc_entity *uvc_alloc_new_entity(struct uvc_device *dev, u16 type,
++ u16 id, unsigned int num_pads,
++ unsigned int extra_size)
+ {
+ struct uvc_entity *entity;
+ unsigned int num_inputs;
+ unsigned int size;
+ unsigned int i;
+
++ /* Per UVC 1.1+ spec 3.7.2, the ID should be non-zero. */
++ if (id == 0) {
++ dev_err(&dev->intf->dev, "Found Unit with invalid ID 0\n");
++ id = UVC_INVALID_ENTITY_ID;
++ }
++
++ /* Per UVC 1.1+ spec 3.7.2, the ID is unique. */
++ if (uvc_entity_by_id(dev, id)) {
++ dev_err(&dev->intf->dev, "Found multiple Units with ID %u\n", id);
++ id = UVC_INVALID_ENTITY_ID;
++ }
++
+ extra_size = roundup(extra_size, sizeof(*entity->pads));
+ if (num_pads)
+ num_inputs = type & UVC_TERM_OUTPUT ? num_pads : num_pads - 1;
+@@ -812,7 +828,7 @@ static struct uvc_entity *uvc_alloc_enti
+ + num_inputs;
+ entity = kzalloc(size, GFP_KERNEL);
+ if (entity == NULL)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+
+ entity->id = id;
+ entity->type = type;
+@@ -924,10 +940,10 @@ static int uvc_parse_vendor_control(stru
+ break;
+ }
+
+- unit = uvc_alloc_entity(UVC_VC_EXTENSION_UNIT, buffer[3],
+- p + 1, 2*n);
+- if (unit == NULL)
+- return -ENOMEM;
++ unit = uvc_alloc_new_entity(dev, UVC_VC_EXTENSION_UNIT,
++ buffer[3], p + 1, 2 * n);
++ if (IS_ERR(unit))
++ return PTR_ERR(unit);
+
+ memcpy(unit->guid, &buffer[4], 16);
+ unit->extension.bNumControls = buffer[20];
+@@ -1036,10 +1052,10 @@ static int uvc_parse_standard_control(st
+ return -EINVAL;
+ }
+
+- term = uvc_alloc_entity(type | UVC_TERM_INPUT, buffer[3],
+- 1, n + p);
+- if (term == NULL)
+- return -ENOMEM;
++ term = uvc_alloc_new_entity(dev, type | UVC_TERM_INPUT,
++ buffer[3], 1, n + p);
++ if (IS_ERR(term))
++ return PTR_ERR(term);
+
+ if (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA) {
+ term->camera.bControlSize = n;
+@@ -1095,10 +1111,10 @@ static int uvc_parse_standard_control(st
+ return 0;
+ }
+
+- term = uvc_alloc_entity(type | UVC_TERM_OUTPUT, buffer[3],
+- 1, 0);
+- if (term == NULL)
+- return -ENOMEM;
++ term = uvc_alloc_new_entity(dev, type | UVC_TERM_OUTPUT,
++ buffer[3], 1, 0);
++ if (IS_ERR(term))
++ return PTR_ERR(term);
+
+ memcpy(term->baSourceID, &buffer[7], 1);
+
+@@ -1117,9 +1133,10 @@ static int uvc_parse_standard_control(st
+ return -EINVAL;
+ }
+
+- unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, 0);
+- if (unit == NULL)
+- return -ENOMEM;
++ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3],
++ p + 1, 0);
++ if (IS_ERR(unit))
++ return PTR_ERR(unit);
+
+ memcpy(unit->baSourceID, &buffer[5], p);
+
+@@ -1139,9 +1156,9 @@ static int uvc_parse_standard_control(st
+ return -EINVAL;
+ }
+
+- unit = uvc_alloc_entity(buffer[2], buffer[3], 2, n);
+- if (unit == NULL)
+- return -ENOMEM;
++ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], 2, n);
++ if (IS_ERR(unit))
++ return PTR_ERR(unit);
+
+ memcpy(unit->baSourceID, &buffer[4], 1);
+ unit->processing.wMaxMultiplier =
+@@ -1168,9 +1185,10 @@ static int uvc_parse_standard_control(st
+ return -EINVAL;
+ }
+
+- unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, n);
+- if (unit == NULL)
+- return -ENOMEM;
++ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3],
++ p + 1, n);
++ if (IS_ERR(unit))
++ return PTR_ERR(unit);
+
+ memcpy(unit->guid, &buffer[4], 16);
+ unit->extension.bNumControls = buffer[20];
+@@ -1315,9 +1333,10 @@ static int uvc_gpio_parse(struct uvc_dev
+ return dev_err_probe(&dev->intf->dev, irq,
+ "No IRQ for privacy GPIO\n");
+
+- unit = uvc_alloc_entity(UVC_EXT_GPIO_UNIT, UVC_EXT_GPIO_UNIT_ID, 0, 1);
+- if (!unit)
+- return -ENOMEM;
++ unit = uvc_alloc_new_entity(dev, UVC_EXT_GPIO_UNIT,
++ UVC_EXT_GPIO_UNIT_ID, 0, 1);
++ if (IS_ERR(unit))
++ return PTR_ERR(unit);
+
+ unit->gpio.gpio_privacy = gpio_privacy;
+ unit->gpio.irq = irq;
+--- a/drivers/media/usb/uvc/uvcvideo.h
++++ b/drivers/media/usb/uvc/uvcvideo.h
+@@ -41,6 +41,8 @@
+ #define UVC_EXT_GPIO_UNIT 0x7ffe
+ #define UVC_EXT_GPIO_UNIT_ID 0x100
+
++#define UVC_INVALID_ENTITY_ID 0xffff
++
+ /* ------------------------------------------------------------------------
+ * Driver specific constants.
+ */
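Review bot: uvc_alloc_new_entity() now has two contracts that are not written down at its definition: it returns ERR_PTR(-ENOMEM) and never NULL, and it may hand back an entity whose id has been rewritten to UVC_INVALID_ENTITY_ID, which uvc_entity_by_id() then refuses to find, so every caller that later walks baSourceID has to tolerate an unreachable entity. I would put a kernel-doc block above the function saying exactly that (ID validated against dev->entities, zero or duplicate replaced by the sentinel, allocation failure returns an ERR_PTR, never NULL). The define in uvcvideo.h is bare; since every descriptor-supplied ID in the hunk is a single byte (buffer[3]) and the only synthetic one is UVC_EXT_GPIO_UNIT_ID (0x100), I would annotate it: `/* Never matches a real ID: descriptor IDs are one byte and the GPIO unit uses 0x100. */`. The two dev_err() lines fire once per malformed unit from an untrusted descriptor, which is the right level but worth a sentence in the kernel-doc so nobody downgrades it to a rate-limited warning without knowing why the entity is still allocated.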
diff --git a/queue-6.17/mm-swap-check-for-stable-address-space-before-operating-on-the-vma.patch b/queue-6.17/mm-swap-check-for-stable-address-space-before-operating-on-the-vma.patch
new file mode 100644
index 0000000000..4388ff3a05
--- /dev/null
+++ b/queue-6.17/mm-swap-check-for-stable-address-space-before-operating-on-the-vma.patch
@@ -0,0 +1,101 @@
+From 1367da7eb875d01102d2ed18654b24d261ff5393 Mon Sep 17 00:00:00 2001
+From: Charan Teja Kalla
+Date: Wed, 24 Sep 2025 23:41:38 +0530
+Subject: mm: swap: check for stable address space before operating on the VMA
+
+From: Charan Teja Kalla
+
+commit 1367da7eb875d01102d2ed18654b24d261ff5393 upstream.
+
+It is possible to hit a zero entry while traversing the vmas in unuse_mm()
+called from swapoff path and accessing it causes the OOPS:
+
+Unable to handle kernel NULL pointer dereference at virtual address
+0000000000000446--> Loading the memory from offset 0x40 on the
+XA_ZERO_ENTRY as address.
+Mem abort info:
+ ESR = 0x0000000096000005
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x05: level 1 translation fault
+
+The issue is manifested from the below race between the fork() on a
+process and swapoff:
+fork(dup_mmap()) swapoff(unuse_mm)
+--------------- -----------------
+1) Identical mtree is built using
+ __mt_dup().
+
+2) copy_pte_range()-->
+ copy_nonpresent_pte():
+ The dst mm is added into the
+ mmlist to be visible to the
+ swapoff operation.
+
+3) Fatal signal is sent to the parent
+process(which is the current during the
+fork) thus skip the duplication of the
+vmas and mark the vma range with
+XA_ZERO_ENTRY as a marker for this process
+that helps during exit_mmap().
+
+ 4) swapoff is tried on the
+ 'mm' added to the 'mmlist' as
+ part of the 2.
+
+ 5) unuse_mm(), that iterates
+ through the vma's of this 'mm'
+ will hit the non-NULL zero entry
+ and operating on this zero entry
+ as a vma is resulting into the
+ oops.
+
+The proper fix would be around not exposing this partially-valid tree to
+others when droping the mmap lock, which is being solved with [1]. A
+simpler solution would be checking for MMF_UNSTABLE, as it is set if
+mm_struct is not fully initialized in dup_mmap().
+
+Thanks to Liam/Lorenzo/David for all the suggestions in fixing this
+issue.
+
+Link: https://lkml.kernel.org/r/20250924181138.1762750-1-charan.kalla@oss.qualcomm.com
+Link: https://lore.kernel.org/all/20250815191031.3769540-1-Liam.Howlett@oracle.com/ [1]
+Fixes: d24062914837 ("fork: use __mt_dup() to duplicate maple tree in dup_mmap()")
+Signed-off-by: Charan Teja Kalla
+Suggested-by: David Hildenbrand
+Cc: Baoquan He
+Cc: Barry Song
+Cc: Chris Li
+Cc: Kairui Song
+Cc: Kemeng Shi
+Cc: Liam Howlett
+Cc: Lorenzo Stoakes
+Cc: Nhat Pham
+Cc: Peng Zhang
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/swapfile.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -2243,6 +2243,8 @@ static int unuse_mm(struct mm_struct *mm
+ VMA_ITERATOR(vmi, mm, 0);
+
+ mmap_read_lock(mm);
++ if (check_stable_address_space(mm))
++ goto unlock;
+ for_each_vma(vmi, vma) {
+ if (vma->anon_vma && !is_vm_hugetlb_page(vma)) {
+ ret = unuse_vma(vma, type);
+@@ -2252,6 +2254,7 @@ static int unuse_mm(struct mm_struct *mm
+
+ cond_resched();
+ }
++unlock:
+ mmap_read_unlock(mm);
+ return ret;
+ }
diff --git a/queue-6.17/scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch b/queue-6.17/scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch
new file mode 100644
index 0000000000..acc6a746bd
--- /dev/null
+++ b/queue-6.17/scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch
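Review bot: The new `goto unlock` returns whatever ret holds at that point, and ret's declaration sits above the hunk; the early exit is only correct if it is initialised to 0 there, so that an mm being torn down counts as "nothing to do" rather than an indeterminate status for swapoff — worth confirming it reads `int ret = 0;`. The check also needs a why-comment, because check_stable_address_space() reads as an OOM-reaper concern on its own: `/* MMF_UNSTABLE: dup_mmap() bailed out part-way, the VMA tree may hold XA_ZERO_ENTRY markers that are not VMAs. */`. unuse_mm()'s signature and locals are outside the hunk.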
@@ -0,0 +1,47 @@
+From 27e06650a5eafe832a90fd2604f0c5e920857fae Mon Sep 17 00:00:00 2001
+From: Wang Haoran
+Date: Sat, 20 Sep 2025 15:44:41 +0800
+Subject: scsi: target: target_core_configfs: Add length check to avoid buffer overflow
+
+From: Wang Haoran
+
+commit 27e06650a5eafe832a90fd2604f0c5e920857fae upstream.
+
+A buffer overflow arises from the usage of snprintf to write into the
+buffer "buf" in target_lu_gp_members_show function located in
+/drivers/target/target_core_configfs.c. This buffer is allocated with
+size LU_GROUP_NAME_BUF (256 bytes).
+
+snprintf(...) formats multiple strings into buf with the HBA name
+(hba->hba_group.cg_item), a slash character, a devicename (dev->
+dev_group.cg_item) and a newline character, the total formatted string
+length may exceed the buffer size of 256 bytes.
+
+Since snprintf() returns the total number of bytes that would have been
+written (the length of %s/%sn ), this value may exceed the buffer length
+(256 bytes) passed to memcpy(), this will ultimately cause function
+memcpy reporting a buffer overflow error.
+
+An additional check of the return value of snprintf() can avoid this
+buffer overflow.
+
+Reported-by: Wang Haoran
+Reported-by: ziiiro
+Signed-off-by: Wang Haoran
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/target/target_core_configfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_configfs.c
++++ b/drivers/target/target_core_configfs.c
+@@ -2774,7 +2774,7 @@ static ssize_t target_lu_gp_members_show
+ config_item_name(&dev->dev_group.cg_item));
+ cur_len++; /* Extra byte for NULL terminator */
+
+- if ((cur_len + len) > PAGE_SIZE) {
++ if ((cur_len + len) > PAGE_SIZE || cur_len > LU_GROUP_NAME_BUF) {
+ pr_warn("Ran out of lu_gp_show_attr"
+ "_members buffer\n");
+ break;
diff --git a/queue-6.17/series b/queue-6.17/series
index c47cccf3e3..0415d37612 100644
--- a/queue-6.17/series
+++ b/queue-6.17/series
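Review bot: The new `cur_len > LU_GROUP_NAME_BUF` test aborts the listing with a message saying the output page ran out, but in this case the page is fine and snprintf() has truncated one HBA/device name into buf, so the log cannot tell the two failures apart. I would give it its own branch ahead of the PAGE_SIZE check, `if (cur_len > LU_GROUP_NAME_BUF) { pr_warn("lu_gp member name too long, list truncated\n"); break; }`, or at least annotate the condition with `/* cur_len > LU_GROUP_NAME_BUF: snprintf() truncated, buf holds fewer bytes than the copy below would read */`. The bound itself is right: with the NUL byte counted, cur_len == LU_GROUP_NAME_BUF is exactly a full buffer, and anything larger means the formatted text did not fit. The snprintf() call and the memcpy() the description refers to are both outside the hunk.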
@@ -1 +1,15 @@
 blk-mq-fix-blk_mq_tags-double-free-while-nr_requests-grown.patch
+gcc-plugins-remove-todo_verify_il-for-gcc-16.patch
+scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch
+alsa-usb-audio-fix-race-condition-to-uaf-in-snd_usbmidi_free.patch
+wifi-rtw89-fix-use-after-free-in-rtw89_core_tx_kick_off_and_wait.patch
+media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch
+media-i2c-tc358743-fix-use-after-free-bugs-caused-by-orphan-timer-in-probe.patch
+media-tuner-xc5000-fix-use-after-free-in-xc5000_release.patch
+media-rc-fix-races-with-imon_disconnect.patch
+media-uvcvideo-mark-invalid-entities-with-id-uvc_invalid_entity_id.patch
+mm-swap-check-for-stable-address-space-before-operating-on-the-vma.patch
+wifi-ath11k-fix-null-dereference-in-ath11k_qmi_m3_load.patch
+media-iris-fix-memory-leak-by-freeing-untracked-persist-buffer.patch
+media-stm32-csi-fix-dereference-before-null-check.patch
+asoc-qcom-audioreach-fix-potential-null-pointer-dereference.patch
diff --git a/queue-6.17/wifi-ath11k-fix-null-dereference-in-ath11k_qmi_m3_load.patch b/queue-6.17/wifi-ath11k-fix-null-dereference-in-ath11k_qmi_m3_load.patch
new file mode 100644
index 0000000000..aed7df34d1
--- /dev/null
+++ b/queue-6.17/wifi-ath11k-fix-null-dereference-in-ath11k_qmi_m3_load.patch
@@ -0,0 +1,40 @@
+From 3fd2ef2ae2b5c955584a3bee8e83ae7d7a98f782 Mon Sep 17 00:00:00 2001
+From: Matvey Kovalev
+Date: Wed, 17 Sep 2025 22:20:01 +0300
+Subject: wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()
+
+From: Matvey Kovalev
+
+commit 3fd2ef2ae2b5c955584a3bee8e83ae7d7a98f782 upstream.
+
+If ab->fw.m3_data points to data, then fw pointer remains null.
+Further, if m3_mem is not allocated, then fw is dereferenced to be
+passed to ath11k_err function.
+
+Replace fw->size by m3_len.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 7db88b962f06 ("wifi: ath11k: add firmware-2.bin support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Matvey Kovalev
+Reviewed-by: Baochen Qiang
+Reviewed-by: Vasanthakumar Thiagarajan
+Link: https://patch.msgid.link/20250917192020.1340-1-matvey.kovalev@ispras.ru
+Signed-off-by: Jeff Johnson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/ath11k/qmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath11k/qmi.c
++++ b/drivers/net/wireless/ath/ath11k/qmi.c
+@@ -2557,7 +2557,7 @@ static int ath11k_qmi_m3_load(struct ath
+ GFP_KERNEL);
+ if (!m3_mem->vaddr) {
+ ath11k_err(ab, "failed to allocate memory for M3 with size %zu\n",
+- fw->size);
++ m3_len);
+ ret = -ENOMEM;
+ goto out;
+ }
diff --git a/queue-6.17/wifi-rtw89-fix-use-after-free-in-rtw89_core_tx_kick_off_and_wait.patch b/queue-6.17/wifi-rtw89-fix-use-after-free-in-rtw89_core_tx_kick_off_and_wait.patch
new file mode 100644
index 0000000000..0ebf07ed0e
--- /dev/null
+++ b/queue-6.17/wifi-rtw89-fix-use-after-free-in-rtw89_core_tx_kick_off_and_wait.patch
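Review bot: The `%zu` conversion now formats m3_len, whose declaration is above the hunk; the specifier is only correct if m3_len is a size_t like the fw->size it replaces, so that should be confirmed rather than assumed. A short comment on the new argument would record why the firmware handle is deliberately not used in this message: `/* fw is NULL on the ab->fw.m3_data path; m3_len is valid for both sources */`. The start of ath11k_qmi_m3_load(), where fw and m3_len are set, is outside the hunk.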
@@ -0,0 +1,322 @@
+From 3e31a6bc07312b448fad3b45de578471f86f0e77 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin
+Date: Sat, 20 Sep 2025 00:08:47 +0300
+Subject: wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()
+
+From: Fedor Pchelkin
+
+commit 3e31a6bc07312b448fad3b45de578471f86f0e77 upstream.
+
+There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to
+access already freed skb_data:
+
+ BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110
+
+ CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025
+ Workqueue: events_unbound cfg80211_wiphy_work [cfg80211]
+
+ Use-after-free write at 0x0000000020309d9d (in kfence-#251):
+ rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110
+ rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338
+ rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979
+ rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165
+ rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141
+ rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012
+ rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059
+ rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758
+ process_one_work kernel/workqueue.c:3241
+ worker_thread kernel/workqueue.c:3400
+ kthread kernel/kthread.c:463
+ ret_from_fork arch/x86/kernel/process.c:154
+ ret_from_fork_asm arch/x86/entry/entry_64.S:258
+
+ kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache
+
+ allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago):
+ __alloc_skb net/core/skbuff.c:659
+ __netdev_alloc_skb net/core/skbuff.c:734
+ ieee80211_nullfunc_get net/mac80211/tx.c:5844
+ rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431
+ rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338
+ rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979
+ rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165
+ rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194
+ rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012
+ rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059
+ rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758
+ process_one_work kernel/workqueue.c:3241
+ worker_thread kernel/workqueue.c:3400
+ kthread kernel/kthread.c:463
+ ret_from_fork arch/x86/kernel/process.c:154
+ ret_from_fork_asm arch/x86/entry/entry_64.S:258
+
+ freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago):
+ ieee80211_tx_status_skb net/mac80211/status.c:1117
+ rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564
+ rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651
+ rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676
+ rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238
+ __napi_poll net/core/dev.c:7495
+ net_rx_action net/core/dev.c:7557 net/core/dev.c:7684
+ handle_softirqs kernel/softirq.c:580
+ do_softirq.part.0 kernel/softirq.c:480
+ __local_bh_enable_ip kernel/softirq.c:407
+ rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927
+ irq_thread_fn kernel/irq/manage.c:1133
+ irq_thread kernel/irq/manage.c:1257
+ kthread kernel/kthread.c:463
+ ret_from_fork arch/x86/kernel/process.c:154
+ ret_from_fork_asm arch/x86/entry/entry_64.S:258
+
+It is a consequence of a race between the waiting and the signaling side
+of the completion:
+
+ Waiting thread Completing thread
+
+rtw89_core_tx_kick_off_and_wait()
+ rcu_assign_pointer(skb_data->wait, wait)
+ /* start waiting */
+ wait_for_completion_timeout()
+ rtw89_pci_tx_status()
+ rtw89_core_tx_wait_complete()
+ rcu_read_lock()
+ /* signals completion and
+ * proceeds further
+ */
+ complete(&wait->completion)
+ rcu_read_unlock()
+ ...
+ /* frees skb_data */
+ ieee80211_tx_status_ni()
+ /* returns (exit status doesn't matter) */
+ wait_for_completion_timeout()
+ ...
+ /* accesses the already freed skb_data */
+ rcu_assign_pointer(skb_data->wait, NULL)
+
+The completing side might proceed and free the underlying skb even before
+the waiting side is fully awoken and run to execution. Actually the race
+happens regardless of wait_for_completion_timeout() exit status, e.g.
+the waiting side may hit a timeout and the concurrent completing side is
+still able to free the skb.
+
+Skbs which are sent by rtw89_core_tx_kick_off_and_wait() are owned by the
+driver. They don't come from core ieee80211 stack so no need to pass them
+to ieee80211_tx_status_ni() on completing side.
+
+Introduce a work function which will act as a garbage collector for
+rtw89_tx_wait_info objects and the associated skbs. Thus no potentially
+heavy locks are required on the completing side.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs")
+Cc: stable@vger.kernel.org
+Suggested-by: Zong-Zhe Yang
+Signed-off-by: Fedor Pchelkin
+Acked-by: Ping-Ke Shih
+Signed-off-by: Ping-Ke Shih
+Link: https://patch.msgid.link/20250919210852.823912-2-pchelkin@ispras.ru
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/realtek/rtw89/core.c | 30 ++++++++++++++++++++-----
+ drivers/net/wireless/realtek/rtw89/core.h | 35 ++++++++++++++++++++++++++++--
+ drivers/net/wireless/realtek/rtw89/pci.c | 3 +-
+ drivers/net/wireless/realtek/rtw89/ser.c | 2 +
+ 4 files changed, 61 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtw89/core.c
++++ b/drivers/net/wireless/realtek/rtw89/core.c
+@@ -1073,6 +1073,14 @@ rtw89_core_tx_update_desc_info(struct rt
+ }
+ }
+
++static void rtw89_tx_wait_work(struct wiphy *wiphy, struct wiphy_work *work)
++{
++ struct rtw89_dev *rtwdev = container_of(work, struct rtw89_dev,
++ tx_wait_work.work);
++
++ rtw89_tx_wait_list_clear(rtwdev);
++}
++
+ void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel)
+ {
+ u8 ch_dma;
+@@ -1090,6 +1098,8 @@ int rtw89_core_tx_kick_off_and_wait(stru
+ unsigned long time_left;
+ int ret = 0;
+
++ lockdep_assert_wiphy(rtwdev->hw->wiphy);
++
+ wait = kzalloc(sizeof(*wait), GFP_KERNEL);
+ if (!wait) {
+ rtw89_core_tx_kick_off(rtwdev, qsel);
+@@ -1097,18 +1107,23 @@ int rtw89_core_tx_kick_off_and_wait(stru
+ }
+
+ init_completion(&wait->completion);
++ wait->skb = skb;
+ rcu_assign_pointer(skb_data->wait, wait);
+
+ rtw89_core_tx_kick_off(rtwdev, qsel);
+ time_left = wait_for_completion_timeout(&wait->completion,
+ msecs_to_jiffies(timeout));
+- if (time_left == 0)
+- ret = -ETIMEDOUT;
+- else if (!wait->tx_done)
+- ret = -EAGAIN;
+
+- rcu_assign_pointer(skb_data->wait, NULL);
+- kfree_rcu(wait, rcu_head);
++ if (time_left == 0) {
++ ret = -ETIMEDOUT;
++ list_add_tail(&wait->list, &rtwdev->tx_waits);
++ wiphy_delayed_work_queue(rtwdev->hw->wiphy, &rtwdev->tx_wait_work,
++ RTW89_TX_WAIT_WORK_TIMEOUT);
++ } else {
++ if (!wait->tx_done)
++ ret = -EAGAIN;
++ rtw89_tx_wait_release(wait);
++ }
+
+ return ret;
+ }
+@@ -4978,6 +4993,7 @@ void rtw89_core_stop(struct rtw89_dev *r
+ wiphy_work_cancel(wiphy, &btc->dhcp_notify_work);
+ wiphy_work_cancel(wiphy, &btc->icmp_notify_work);
+ cancel_delayed_work_sync(&rtwdev->txq_reinvoke_work);
++ wiphy_delayed_work_cancel(wiphy, &rtwdev->tx_wait_work);
+ wiphy_delayed_work_cancel(wiphy, &rtwdev->track_work);
+ wiphy_delayed_work_cancel(wiphy, &rtwdev->track_ps_work);
+ wiphy_delayed_work_cancel(wiphy, &rtwdev->chanctx_work);
+@@ -5203,6 +5219,7 @@ int rtw89_core_init(struct rtw89_dev *rt
+ INIT_LIST_HEAD(&rtwdev->scan_info.pkt_list[band]);
+ }
+ INIT_LIST_HEAD(&rtwdev->scan_info.chan_list);
++ INIT_LIST_HEAD(&rtwdev->tx_waits);
+ INIT_WORK(&rtwdev->ba_work, rtw89_core_ba_work);
+ INIT_WORK(&rtwdev->txq_work, rtw89_core_txq_work);
+ INIT_DELAYED_WORK(&rtwdev->txq_reinvoke_work, rtw89_core_txq_reinvoke_work);
+@@ -5214,6 +5231,7 @@ int rtw89_core_init(struct rtw89_dev *rt
+ wiphy_delayed_work_init(&rtwdev->coex_rfk_chk_work, rtw89_coex_rfk_chk_work);
+ wiphy_delayed_work_init(&rtwdev->cfo_track_work, rtw89_phy_cfo_track_work);
+ wiphy_delayed_work_init(&rtwdev->mcc_prepare_done_work, rtw89_mcc_prepare_done_work);
++ wiphy_delayed_work_init(&rtwdev->tx_wait_work, rtw89_tx_wait_work);
+ INIT_DELAYED_WORK(&rtwdev->forbid_ba_work, rtw89_forbid_ba_work);
+ wiphy_delayed_work_init(&rtwdev->antdiv_work, rtw89_phy_antdiv_work);
+ rtwdev->txq_wq = alloc_workqueue("rtw89_tx_wq", WQ_UNBOUND | WQ_HIGHPRI, 0);
+--- a/drivers/net/wireless/realtek/rtw89/core.h
++++ b/drivers/net/wireless/realtek/rtw89/core.h
+@@ -3506,9 +3506,12 @@ struct rtw89_phy_rate_pattern {
+ bool enable;
+ };
+
++#define RTW89_TX_WAIT_WORK_TIMEOUT msecs_to_jiffies(500)
+ struct rtw89_tx_wait_info {
+ struct rcu_head rcu_head;
++ struct list_head list;
+ struct completion completion;
++ struct sk_buff *skb;
+ bool tx_done;
+ };
+
+@@ -5925,6 +5928,9 @@ struct rtw89_dev {
+ /* used to protect rpwm */
+ spinlock_t rpwm_lock;
+
++ struct list_head tx_waits;
++ struct wiphy_delayed_work tx_wait_work;
++
+ struct rtw89_cam_info cam_info;
+
+ struct sk_buff_head c2h_queue;
+@@ -6181,6 +6187,26 @@ rtw89_assoc_link_rcu_dereference(struct
+ list_first_entry_or_null(&p->dlink_pool, typeof(*p->links_inst), dlink_schd); \
+ })
+
++static inline void rtw89_tx_wait_release(struct rtw89_tx_wait_info *wait)
++{
++ dev_kfree_skb_any(wait->skb);
++ kfree_rcu(wait, rcu_head);
++}
++
++static inline void rtw89_tx_wait_list_clear(struct rtw89_dev *rtwdev)
++{
++ struct rtw89_tx_wait_info *wait, *tmp;
++
++ lockdep_assert_wiphy(rtwdev->hw->wiphy);
++
++ list_for_each_entry_safe(wait, tmp, &rtwdev->tx_waits, list) {
++ if (!completion_done(&wait->completion))
++ continue;
++ list_del(&wait->list);
++ rtw89_tx_wait_release(wait);
++ }
++}
++
+ static inline int rtw89_hci_tx_write(struct rtw89_dev *rtwdev,
+ struct rtw89_core_tx_request *tx_req)
+ {
+@@ -6190,6 +6216,7 @@ static inline int rtw89_hci_tx_write(str
+ static inline void rtw89_hci_reset(struct rtw89_dev *rtwdev)
+ {
+ rtwdev->hci.ops->reset(rtwdev);
++ rtw89_tx_wait_list_clear(rtwdev);
+ }
+
+ static inline int rtw89_hci_start(struct rtw89_dev *rtwdev)
+@@ -7258,11 +7285,12 @@ static inline struct sk_buff *rtw89_allo
+ return dev_alloc_skb(length);
+ }
+
+-static inline void rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev,
++static inline bool rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev,
+ struct rtw89_tx_skb_data *skb_data,
+ bool tx_done)
+ {
+ struct rtw89_tx_wait_info *wait;
++ bool ret = false;
+
+ rcu_read_lock();
+
+@@ -7270,11 +7298,14 @@ static inline void rtw89_core_tx_wait_co
+ if (!wait)
+ goto out;
+
++ ret = true;
+ wait->tx_done = tx_done;
+- complete(&wait->completion);
++ /* Don't access skb anymore after completion */
++ complete_all(&wait->completion);
+
+ out:
+ rcu_read_unlock();
++ return ret;
+ }
+
+ static inline bool rtw89_is_mlo_1_1(struct rtw89_dev *rtwdev)
+--- a/drivers/net/wireless/realtek/rtw89/pci.c
++++ b/drivers/net/wireless/realtek/rtw89/pci.c
+@@ -464,7 +464,8 @@ static void rtw89_pci_tx_status(struct r
+ struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb);
+ struct ieee80211_tx_info *info;
+
+- rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status == RTW89_TX_DONE);
++ if (rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status == RTW89_TX_DONE))
++ return;
+
+ info = IEEE80211_SKB_CB(skb);
+ ieee80211_tx_info_clear_status(info);
+--- a/drivers/net/wireless/realtek/rtw89/ser.c
++++ b/drivers/net/wireless/realtek/rtw89/ser.c
+@@ -502,7 +502,9 @@ static void ser_reset_trx_st_hdl(struct
+ }
+
+ drv_stop_rx(ser);
++ wiphy_lock(wiphy);
+ drv_trx_reset(ser);
++ wiphy_unlock(wiphy);
+
+ /* wait m3 */
+ hal_send_m2_event(ser);
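Review bot: rtw89_tx_wait_list_clear() only releases entries whose completion is already done and rtw89_tx_wait_work() never re-arms itself, so a wait that timed out and is still incomplete when the 500 ms work fires stays on tx_waits with its skb until some later timeout queues the work again or rtw89_hci_reset() runs; on an otherwise idle interface that hold is unbounded, and rtw89_core_stop() cancels the work without draining the list. In rtw89_tx_wait_work() after the clear I would add `if (!list_empty(&rtwdev->tx_waits)) wiphy_delayed_work_queue(wiphy, &rtwdev->tx_wait_work, RTW89_TX_WAIT_WORK_TIMEOUT);`, or else document that the reset path is what eventually frees these. The new rtw89_dev fields would also benefit from the style used on rpwm_lock just above them: `/* tx_waits and tx_wait_work: wiphy lock, see lockdep_assert_wiphy() in rtw89_tx_wait_list_clear() */`. The kzalloc() failure branch in rtw89_core_tx_kick_off_and_wait() still sends the skb with no wait attached, so rtw89_pci_tx_status() will hand that driver-owned skb to the ieee80211_tx_status path the description says such skbs should not take; the tail of that branch is outside the hunk, so this is inferred from the visible kick-off call alone.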