From: Greg Kroah-Hartman Date: Fri, 15 Aug 2025 15:35:24 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.12.43~93 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=abd13fab00b921f43d794896091c3016f3e1751c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch io_uring-don-t-use-int-for-abi.patch net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch
---
diff --git a/queue-5.10/alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch b/queue-5.10/alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch
new file mode 100644
index 0000000000..4b6a9971e8
--- /dev/null
+++ b/queue-5.10/alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch
@@ -0,0 +1,91 @@
+From ecfd41166b72b67d3bdeb88d224ff445f6163869 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 14 Aug 2025 10:12:43 +0200
+Subject: ALSA: usb-audio: Validate UAC3 cluster segment descriptors
+
+From: Takashi Iwai
+
+commit ecfd41166b72b67d3bdeb88d224ff445f6163869 upstream.
+
+UAC3 class segment descriptors need to be verified whether their sizes
+match with the declared lengths and whether they fit with the
+allocated buffer sizes, too. Otherwise malicious firmware may lead to
+the unexpected OOB accesses.
+
+Fixes: 11785ef53228 ("ALSA: usb-audio: Initial Power Domain support")
+Reported-and-tested-by: Youngjun Lee
+Cc:
+Link: https://patch.msgid.link/20250814081245.8902-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/stream.c | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -342,20 +342,28 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
+
+ len = le16_to_cpu(cluster->wLength);
+ c = 0;
+- p += sizeof(struct uac3_cluster_header_descriptor);
++ p += sizeof(*cluster);
++ len -= sizeof(*cluster);
+
+- while (((p - (void *)cluster) < len) && (c < channels)) {
++ while (len > 0 && (c < channels)) {
+ struct uac3_cluster_segment_descriptor *cs_desc = p;
+ u16 cs_len;
+ u8 cs_type;
+
++ if (len < sizeof(*p))
++ break;
+ cs_len = le16_to_cpu(cs_desc->wLength);
++ if (len < cs_len)
++ break;
+ cs_type = cs_desc->bSegmentType;
+
+ if (cs_type == UAC3_CHANNEL_INFORMATION) {
+ struct uac3_cluster_information_segment_descriptor *is = p;
+ unsigned char map;
+
++ if (cs_len < sizeof(*is))
++ break;
++
+ /*
+ * TODO: this conversion is not complete, update it
+ * after adding UAC3 values to asound.h
+@@ -457,6 +465,7 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
+ chmap->map[c++] = map;
+ }
+ p += cs_len;
++ len -= cs_len;
+ }
+
+ if (channels < c)
+@@ -877,7 +886,7 @@ snd_usb_get_audioformat_uac3(struct snd_
+ u64 badd_formats = 0;
+ unsigned int num_channels;
+ struct audioformat *fp;
+- u16 cluster_id, wLength;
++ u16 cluster_id, wLength, cluster_wLength;
+ int clock = 0;
+ int err;
+
+@@ -1004,6 +1013,16 @@ snd_usb_get_audioformat_uac3(struct snd_
+ iface_no, altno);
+ kfree(cluster);
+ return ERR_PTR(-EIO);
++ }
++
++ cluster_wLength = le16_to_cpu(cluster->wLength);
++ if (cluster_wLength < sizeof(*cluster) ||
++ cluster_wLength > wLength) {
++ dev_err(&dev->dev,
++ "%u:%d : invalid Cluster Descriptor size\n",
++ iface_no, altno);
++ kfree(cluster);
++ return ERR_PTR(-EIO);
+ }
+
+ num_channels = cluster->bNrChannels;
diff --git a/queue-5.10/alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch b/queue-5.10/alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch
new file mode 100644
index 0000000000..cf5680e1ba
--- /dev/null
+++ b/queue-5.10/alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch
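Review bot: In the convert_chmap_v3() loop the added guard `if (len < sizeof(*p))` does not test the segment header size: `p` is assigned to two different struct pointer types without a cast, so it is presumably a `void *`, and `sizeof(*p)` is then 1 under the GNU extension. A trailing fragment shorter than the segment header therefore still reaches the `cs_desc->wLength` and `cs_desc->bSegmentType` reads; the guard should be `if (len < sizeof(*cs_desc))`. Separately, a segment that declares `wLength` as 0 with a type other than UAC3_CHANNEL_INFORMATION passes both checks and leaves `p` and `len` unchanged at `p += cs_len; len -= cs_len;`, so the loop may not advance; adding `if (cs_len < sizeof(*cs_desc)) break;` right after the read would cover that. The code between the first two hunks is not shown and the function body extends beyond them, so the second point is inferred from the visible loop tail.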
@@ -0,0 +1,51 @@
+From d832ccbc301fbd9e5a1d691bdcf461cdb514595f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 14 Aug 2025 10:12:42 +0200
+Subject: ALSA: usb-audio: Validate UAC3 power domain descriptors, too
+
+From: Takashi Iwai
+
+commit d832ccbc301fbd9e5a1d691bdcf461cdb514595f upstream.
+
+UAC3 power domain descriptors need to be verified with its variable
+bLength for avoiding the unexpected OOB accesses by malicious
+firmware, too.
+
+Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
+Reported-and-tested-by: Youngjun Lee
+Cc:
+Link: https://patch.msgid.link/20250814081245.8902-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/validate.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/sound/usb/validate.c
++++ b/sound/usb/validate.c
+@@ -221,6 +221,17 @@ static bool validate_uac3_feature_unit(c
+ return d->bLength >= sizeof(*d) + 4 + 2;
+ }
+
++static bool validate_uac3_power_domain_unit(const void *p,
++ const struct usb_desc_validator *v)
++{
++ const struct uac3_power_domain_descriptor *d = p;
++
++ if (d->bLength < sizeof(*d))
++ return false;
++ /* baEntities[] + wPDomainDescrStr */
++ return d->bLength >= sizeof(*d) + d->bNrEntities + 2;
++}
++
+ static bool validate_midi_out_jack(const void *p,
+ const struct usb_desc_validator *v)
+ {
+@@ -285,6 +296,7 @@ static const struct usb_desc_validator a
+ struct uac3_clock_multiplier_descriptor),
+ /* UAC_VERSION_3, UAC3_SAMPLE_RATE_CONVERTER: not implemented yet */
+ /* UAC_VERSION_3, UAC3_CONNECTORS: not implemented yet */
++ FUNC(UAC_VERSION_3, UAC3_POWER_DOMAIN, validate_uac3_power_domain_unit),
+ { } /* terminator */
+ };
+
diff --git a/queue-5.10/io_uring-don-t-use-int-for-abi.patch b/queue-5.10/io_uring-don-t-use-int-for-abi.patch
new file mode 100644
index 0000000000..32e36f3c2b
--- /dev/null
+++ b/queue-5.10/io_uring-don-t-use-int-for-abi.patch
@@ -0,0 +1,35 @@
+From cf73d9970ea4f8cace5d8f02d2565a2723003112 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov
+Date: Wed, 2 Jul 2025 21:31:54 +0100
+Subject: io_uring: don't use int for ABI
+
+From: Pavel Begunkov
+
+commit cf73d9970ea4f8cace5d8f02d2565a2723003112 upstream.
+
+__kernel_rwf_t is defined as int, the actual size of which is
+implementation defined. It won't go well if some compiler / archs
+ever defines it as i64, so replace it with __u32, hoping that
+there is no one using i16 for it.
+
+Cc: stable@vger.kernel.org
+Fixes: 2b188cc1bb857 ("Add io_uring IO interface")
+Signed-off-by: Pavel Begunkov
+Link: https://lore.kernel.org/r/47c666c4ee1df2018863af3a2028af18feef11ed.1751412511.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/uapi/linux/io_uring.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/uapi/linux/io_uring.h
++++ b/include/uapi/linux/io_uring.h
+@@ -29,7 +29,7 @@ struct io_uring_sqe {
+ };
+ __u32 len; /* buffer size or number of iovecs */
+ union {
+- __kernel_rwf_t rw_flags;
++ __u32 rw_flags;
+ __u32 fsync_flags;
+ __u16 poll_events; /* compatibility */
+ __u32 poll32_events; /* word-reversed for BE */
diff --git a/queue-5.10/net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch b/queue-5.10/net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch
new file mode 100644
index 0000000000..f0c3f8cc4d
--- /dev/null
+++ b/queue-5.10/net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch
@@ -0,0 +1,41 @@
+From 3fa840230f534385b34a4f39c8dd313fbe723f05 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 25 Jul 2025 19:12:09 +0200
+Subject: net: dpaa: fix device leak when querying time stamp info
+
+From: Johan Hovold
+
+commit 3fa840230f534385b34a4f39c8dd313fbe723f05 upstream.
+
+Make sure to drop the reference to the ptp device taken by
+of_find_device_by_node() when querying the time stamping capabilities.
+
+Note that holding a reference to the ptp device does not prevent its
+driver data from going away.
+
+Fixes: 17ae0b0ee9db ("dpaa_eth: add the get_ts_info interface for ethtool")
+Cc: stable@vger.kernel.org # 4.19
+Cc: Yangbo Lu
+Signed-off-by: Johan Hovold
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20250725171213.880-2-johan@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
+@@ -499,8 +499,10 @@ static int dpaa_get_ts_info(struct net_d
+ of_node_put(ptp_node);
+ }
+
+- if (ptp_dev)
++ if (ptp_dev) {
+ ptp = platform_get_drvdata(ptp_dev);
++ put_device(&ptp_dev->dev);
++ }
+
+ if (ptp)
+ info->phc_index = ptp->phc_index;
diff --git a/queue-5.10/net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch b/queue-5.10/net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch
new file mode 100644
index 0000000000..02553a09fd
--- /dev/null
+++ b/queue-5.10/net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch
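Review bot: In dpaa_get_ts_info() the driver-data pointer is still dereferenced at `info->phc_index = ptp->phc_index;` after the added `put_device(&ptp_dev->dev);`, and nothing visible in the hunk keeps `ptp` alive across that read. The commit message itself says the device reference never protected the driver data, so the patch does not make this worse, but the remaining lifetime assumption is not recorded in the code. A short comment above the `put_device()` call, for example `/* the reference only pinned the struct device; ptp may still go away on unbind */`, would stop a later reader from treating the lookup as safe. The same applies to the identical change in gfar_get_ts_info() in the gianfar patch; both function bodies extend beyond their hunks.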
@@ -0,0 +1,41 @@
+From da717540acd34e5056e3fa35791d50f6b3303f55 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 25 Jul 2025 19:12:11 +0200
+Subject: net: gianfar: fix device leak when querying time stamp info
+
+From: Johan Hovold
+
+commit da717540acd34e5056e3fa35791d50f6b3303f55 upstream.
+
+Make sure to drop the reference to the ptp device taken by
+of_find_device_by_node() when querying the time stamping capabilities.
+
+Note that holding a reference to the ptp device does not prevent its
+driver data from going away.
+
+Fixes: 7349a74ea75c ("net: ethernet: gianfar_ethtool: get phc index through drvdata")
+Cc: stable@vger.kernel.org # 4.18
+Cc: Yangbo Lu
+Signed-off-by: Johan Hovold
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20250725171213.880-4-johan@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/freescale/gianfar_ethtool.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/gianfar_ethtool.c
++++ b/drivers/net/ethernet/freescale/gianfar_ethtool.c
+@@ -1457,8 +1457,10 @@ static int gfar_get_ts_info(struct net_d
+ if (ptp_node) {
+ ptp_dev = of_find_device_by_node(ptp_node);
+ of_node_put(ptp_node);
+- if (ptp_dev)
++ if (ptp_dev) {
+ ptp = platform_get_drvdata(ptp_dev);
++ put_device(&ptp_dev->dev);
++ }
+ }
+
+ if (ptp)
diff --git a/queue-5.10/netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch b/queue-5.10/netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch
new file mode 100644
index 0000000000..e9cfcd0f68
--- /dev/null
+++ b/queue-5.10/netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch
@@ -0,0 +1,80 @@
+From 759dfc7d04bab1b0b86113f1164dc1fec192b859 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin
+Date: Mon, 28 Jul 2025 11:06:47 +0300
+Subject: netlink: avoid infinite retry looping in netlink_unicast()
+
+From: Fedor Pchelkin
+
+commit 759dfc7d04bab1b0b86113f1164dc1fec192b859 upstream.
+
+netlink_attachskb() checks for the socket's read memory allocation
+constraints. Firstly, it has:
+
+ rmem < READ_ONCE(sk->sk_rcvbuf)
+
+to check if the just increased rmem value fits into the socket's receive
+buffer. If not, it proceeds and tries to wait for the memory under:
+
+ rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)
+
+The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is
+equal to sk->sk_rcvbuf. Thus the function neither successfully accepts
+these conditions, nor manages to reschedule the task - and is called in
+retry loop for indefinite time which is caught as:
+
+ rcu: INFO: rcu_sched self-detected stall on CPU
+ rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212
+ (t=26000 jiffies g=230833 q=259957)
+ NMI backtrace for cpu 0
+ CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014
+ Call Trace:
+
+ dump_stack lib/dump_stack.c:120
+ nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105
+ nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62
+ rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335
+ rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590
+ update_process_times kernel/time/timer.c:1953
+ tick_sched_handle kernel/time/tick-sched.c:227
+ tick_sched_timer kernel/time/tick-sched.c:1399
+ __hrtimer_run_queues kernel/time/hrtimer.c:1652
+ hrtimer_interrupt kernel/time/hrtimer.c:1717
+ __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113
+ asm_call_irq_on_stack arch/x86/entry/entry_64.S:808
+
+
+ netlink_attachskb net/netlink/af_netlink.c:1234
+ netlink_unicast net/netlink/af_netlink.c:1349
+ kauditd_send_queue kernel/audit.c:776
+ kauditd_thread kernel/audit.c:897
+ kthread kernel/kthread.c:328
+ ret_from_fork arch/x86/entry/entry_64.S:304
+
+Restore the original behavior of the check which commit in Fixes
+accidentally missed when restructuring the code.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: ae8f160e7eb2 ("netlink: Fix wraparounds of sk->sk_rmem_alloc.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fedor Pchelkin
+Reviewed-by: Kuniyuki Iwashima
+Link: https://patch.msgid.link/20250728080727.255138-1-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netlink/af_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1213,7 +1213,7 @@ int netlink_attachskb(struct sock *sk, s
+ nlk = nlk_sk(sk);
+ rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
+
+- if ((rmem == skb->truesize || rmem < READ_ONCE(sk->sk_rcvbuf)) &&
++ if ((rmem == skb->truesize || rmem <= READ_ONCE(sk->sk_rcvbuf)) &&
+ !test_bit(NETLINK_S_CONGESTED, &nlk->state)) {
+ netlink_skb_set_owner_r(skb, sk);
+ return 0;
diff --git a/queue-5.10/series b/queue-5.10/series
index ebec65d2de..b10409fafa 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -190,3 +190,9 @@ usb-serial-option-add-foxconn-t99w709.patch
 mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch
 mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch
 usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch
+io_uring-don-t-use-int-for-abi.patch
+alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch
+alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch
+netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch
+net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch
+net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch
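Review bot: The accept condition in netlink_attachskb() now admits `rmem == sk_rcvbuf`, but nothing at the comparison records that it has to stay complementary to the wait condition quoted in the commit message (`rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)`), which is the invariant the Fixes commit lost and which produced the stall in kauditd. A one-line comment above the `if`, such as `/* accept up to and including sk_rcvbuf; the wait path sleeps only when strictly over */`, would document the boundary for the next restructuring. The wait path is outside the hunk, so its form here is taken from the commit message rather than from the code.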