From: Greg Kroah-Hartman
Date: Wed, 8 Oct 2025 05:55:26 +0000 (+0200)
Subject: 6.6-stable patches
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9daad4d5cd2d975df50e6e4f66293051e147dd70;p=thirdparty%2Fkernel%2Fstable-queue.git
6.6-stable patches
added patches:
alsa-usb-audio-fix-race-condition-to-uaf-in-snd_usbmidi_free.patch
alsa-usb-audio-kill-timer-properly-at-removal.patch
hid-fix-i2c-read-buffer-overflow-in-raw_event-for-mcp2221.patch
---
diff --git a/queue-6.6/alsa-usb-audio-fix-race-condition-to-uaf-in-snd_usbmidi_free.patch b/queue-6.6/alsa-usb-audio-fix-race-condition-to-uaf-in-snd_usbmidi_free.patch
new file mode 100644
index 0000000000..1d99407d0a
--- /dev/null
+++ b/queue-6.6/alsa-usb-audio-fix-race-condition-to-uaf-in-snd_usbmidi_free.patch
@@ -0,0 +1,54 @@
+From 9f2c0ac1423d5f267e7f1d1940780fc764b0fee3 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park
+Date: Sun, 28 Sep 2025 02:39:24 +0900
+Subject: ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
+
+From: Jeongjun Park
+
+commit 9f2c0ac1423d5f267e7f1d1940780fc764b0fee3 upstream.
+
+The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
+removal") patched a UAF issue caused by the error timer.
+
+However, because the error timer kill added in this patch occurs after the
+endpoint delete, a race condition to UAF still occurs, albeit rarely.
+
+Additionally, since kill-cleanup for urb is also missing, freed memory can
+be accessed in interrupt context related to urb, which can cause UAF.
+
+Therefore, to prevent this, error timer and urb must be killed before
+freeing the heap memory.
+
+Cc:
+Reported-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
+Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
+Signed-off-by: Jeongjun Park
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/midi.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -1522,15 +1522,14 @@ static void snd_usbmidi_free(struct snd_
+ {
+ int i;
+ 
++ if (!umidi->disconnected)
++ snd_usbmidi_disconnect(&umidi->list);
++ 
+ for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
+ struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
+- if (ep->out)
+- snd_usbmidi_out_endpoint_delete(ep->out);
+- if (ep->in)
+- snd_usbmidi_in_endpoint_delete(ep->in);
++ kfree(ep->out);
+ }
+ mutex_destroy(&umidi->mutex);
+- timer_shutdown_sync(&umidi->error_timer);
+ kfree(umidi);
+ }
+ 
diff --git a/queue-6.6/alsa-usb-audio-kill-timer-properly-at-removal.patch b/queue-6.6/alsa-usb-audio-kill-timer-properly-at-removal.patch
new file mode 100644
index 0000000000..fe6168f47a
--- /dev/null
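Review bot: The loop body now reduces to `kfree(ep->out)` with no handling of `ep->in` and no URB or timer teardown, so snd_usbmidi_free depends entirely on the `snd_usbmidi_disconnect()` call added above it having already killed the URBs and error timer and released the in-endpoint; none of that is visible in this hunk, and nothing documents the dependency, so a reader will suspect a leak of `ep->in`. I would annotate the free: `/* snd_usbmidi_disconnect() already killed the URBs/timer and released ep->in; only the out-endpoint struct remains */`. The call is guarded by `!umidi->disconnected`; if that flag can be set on any path that does not run the full disconnect teardown, the kill this fix relies on would be skipped, which is worth confirming where the flag is written (outside the hunk). Note also that this hunk removes the `timer_shutdown_sync(&umidi->error_timer)` line that the preceding queued patch adds, so the order in `series` (kill-timer before this patch) must be kept for it to apply.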
+++ b/queue-6.6/alsa-usb-audio-kill-timer-properly-at-removal.patch
@@ -0,0 +1,51 @@
+From 0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 19 May 2025 23:20:30 +0200
+Subject: ALSA: usb-audio: Kill timer properly at removal
+
+From: Takashi Iwai
+
+commit 0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1 upstream.
+
+The USB-audio MIDI code initializes the timer, but in a rare case, the
+driver might be freed without the disconnect call. This leaves the
+timer in an active state while the assigned object is released via
+snd_usbmidi_free(), which ends up with a kernel warning when the debug
+configuration is enabled, as spotted by fuzzer.
+
+For avoiding the problem, put timer_shutdown_sync() at
+snd_usbmidi_free(), so that the timer can be killed properly.
+While we're at it, replace the existing timer_delete_sync() at the
+disconnect callback with timer_shutdown_sync(), too.
+
+Reported-by: syzbot+d8f72178ab6783a7daea@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/681c70d7.050a0220.a19a9.00c6.GAE@google.com
+Cc:
+Link: https://patch.msgid.link/20250519212031.14436-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+[ del_timer vs timer_delete differences ]
+Signed-off-by: Jeongjun Park
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/midi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -1530,6 +1530,7 @@ static void snd_usbmidi_free(struct snd_
+ snd_usbmidi_in_endpoint_delete(ep->in);
+ }
+ mutex_destroy(&umidi->mutex);
++ timer_shutdown_sync(&umidi->error_timer);
+ kfree(umidi);
+ }
+ 
+@@ -1553,7 +1554,7 @@ void snd_usbmidi_disconnect(struct list_
+ spin_unlock_irq(&umidi->disc_lock);
+ up_write(&umidi->disc_rwsem);
+ 
+- del_timer_sync(&umidi->error_timer);
++ timer_shutdown_sync(&umidi->error_timer);
+ 
+ for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
+ struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
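Review bot: The `del_timer_sync()` → `timer_shutdown_sync()` swap in the snd_usbmidi_disconnect hunk changes semantics beyond a rename and deserves a comment: after shutdown the error timer can never be re-armed, so any later re-arm attempt (for instance from a URB completion that lands before the URB kills further down the function) is silently ignored instead of resurrecting the timer. I would record that intent at the call: `/* shutdown, not delete: nothing that runs after this may re-arm the error timer */`. The backport trailer `[ del_timer vs timer_delete differences ]` explains the 6.6 API naming but not this behavioural difference. snd_usbmidi_disconnect continues past the end of the hunk, and the snd_usbmidi_free hunk above is reworked by the next queued patch in this commit, so the free-side ordering needs no separate change here.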
diff --git a/queue-6.6/hid-fix-i2c-read-buffer-overflow-in-raw_event-for-mcp2221.patch b/queue-6.6/hid-fix-i2c-read-buffer-overflow-in-raw_event-for-mcp2221.patch
new file mode 100644
index 0000000000..bbf1acfd24
--- /dev/null
+++ b/queue-6.6/hid-fix-i2c-read-buffer-overflow-in-raw_event-for-mcp2221.patch
@@ -0,0 +1,42 @@
+From b56cc41a3ae7323aa3c6165f93c32e020538b6d2 Mon Sep 17 00:00:00 2001
+From: Arnaud Lecomte
+Date: Sat, 26 Jul 2025 23:09:31 +0100
+Subject: hid: fix I2C read buffer overflow in raw_event() for mcp2221
+
+From: Arnaud Lecomte
+
+commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 upstream.
+
+As reported by syzbot, mcp2221_raw_event lacked
+validation of incoming I2C read data sizes, risking buffer
+overflows in mcp->rxbuf during multi-part transfers.
+As highlighted in the DS20005565B spec, p44, we have:
+"The number of read-back data bytes to follow in this packet:
+from 0 to a maximum of 60 bytes of read-back bytes."
+This patch enforces we don't exceed this limit.
+
+Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346
+Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
+Signed-off-by: Arnaud Lecomte
+Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Romain Sioen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-mcp2221.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/hid/hid-mcp2221.c
++++ b/drivers/hid/hid-mcp2221.c
+@@ -814,6 +814,10 @@ static int mcp2221_raw_event(struct hid_
+ }
+ if (data[2] == MCP2221_I2C_READ_COMPL ||
+ data[2] == MCP2221_I2C_READ_PARTIAL) {
++ if (!mcp->rxbuf || mcp->rxbuf_idx < 0 || data[3] > 60) {
++ mcp->status = -EINVAL;
++ break;
++ }
+ buf = mcp->rxbuf;
+ memcpy(&buf[mcp->rxbuf_idx], &data[4], data[3]);
+ mcp->rxbuf_idx = mcp->rxbuf_idx + data[3];
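Review bot: The new guard bounds one packet (`data[3] > 60`) but not the cumulative position: the `memcpy(&buf[mcp->rxbuf_idx], &data[4], data[3])` that follows still trusts that `rxbuf_idx + data[3]` fits the buffer `mcp->rxbuf` points at, and over a multi-part read a device that keeps answering with full 60-byte chunks can advance `rxbuf_idx` past the caller's buffer unless the requester bounds the total elsewhere (not visible in this hunk, since mcp2221_raw_event starts and ends outside it). I would extend the check to the requested length, along the lines of `if (!mcp->rxbuf || mcp->rxbuf_idx < 0 || data[3] > 60 || mcp->rxbuf_idx + data[3] > <requested read length, if the driver records it>)`, or confirm in the requester that the total cannot be exceeded and say so in a comment above the guard. The literal `60` is a spec constant (DS20005565B p44 per the commit message) and would read better as a named constant with that reference, e.g. `/* DS20005565B p44: at most 60 read-back bytes per packet */`.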
diff --git a/queue-6.6/series b/queue-6.6/series
index 93c605ff5d..98c06d9496 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -13,3 +13,6 @@ btrfs-ref-verify-handle-damaged-extent-root-tree.patch
 can-hi311x-fix-null-pointer-dereference-when-resumin.patch
 can-rcar_canfd-fix-controller-mode-setting.patch
 platform-x86-amd-pmc-add-stellaris-slim-gen6-amd-to-.patch
+alsa-usb-audio-kill-timer-properly-at-removal.patch
+alsa-usb-audio-fix-race-condition-to-uaf-in-snd_usbmidi_free.patch
+hid-fix-i2c-read-buffer-overflow-in-raw_event-for-mcp2221.patch