6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 20 Nov 2025 16:18:49 +0000 (17:18 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 20 Nov 2025 16:18:49 +0000 (17:18 +0100)
added patches:
alsa-usb-audio-fix-potential-overflow-of-pcm-transfer-buffer.patch
fs-proc-fix-uaf-in-proc_readdir_de.patch
ipv4-route-prevent-rt_bind_exception-from-rebinding-stale-fnhe.patch
mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch
spi-try-to-get-acpi-gpio-irq-earlier.patch
wifi-mac80211-reject-address-change-while-connecting.patch

queue-6.1/alsa-usb-audio-fix-potential-overflow-of-pcm-transfer-buffer.patch [new file with mode: 0644]
queue-6.1/fs-proc-fix-uaf-in-proc_readdir_de.patch [new file with mode: 0644]
queue-6.1/ipv4-route-prevent-rt_bind_exception-from-rebinding-stale-fnhe.patch [new file with mode: 0644]
queue-6.1/mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/spi-try-to-get-acpi-gpio-irq-earlier.patch [new file with mode: 0644]
queue-6.1/wifi-mac80211-reject-address-change-while-connecting.patch [new file with mode: 0644]

diff --git a/queue-6.1/alsa-usb-audio-fix-potential-overflow-of-pcm-transfer-buffer.patch b/queue-6.1/alsa-usb-audio-fix-potential-overflow-of-pcm-transfer-buffer.patch
new file mode 100644 (file)
index 0000000..30c0fcc
--- /dev/null
@@ -0,0 +1,53 @@
+From 05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 9 Nov 2025 10:12:07 +0100
+Subject: ALSA: usb-audio: Fix potential overflow of PCM transfer buffer
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf upstream.
+
+The PCM stream data in USB-audio driver is transferred over USB URB
+packet buffers, and each packet size is determined dynamically.  The
+packet sizes are limited by some factors such as wMaxPacketSize USB
+descriptor.  OTOH, in the current code, the actually used packet sizes
+are determined only by the rate and the PPS, which may be bigger than
+the size limit above.  This results in a buffer overflow, as reported
+by syzbot.
+
+Basically when the limit is smaller than the calculated packet size,
+it implies that something is wrong, most likely a weird USB
+descriptor.  So the best option would be just to return an error at
+the parameter setup time before doing any further operations.
+
+This patch introduces such a sanity check, and returns -EINVAL when
+the packet size is greater than maxpacksize.  The comparison with
+ep->packsize[1] alone should suffice since it's always equal or
+greater than ep->packsize[0].
+
+Reported-by: syzbot+bfd77469c8966de076f7@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=bfd77469c8966de076f7
+Link: https://lore.kernel.org/690b6b46.050a0220.3d0d33.0054.GAE@google.com
+Cc: Lizhi Xu <lizhi.xu@windriver.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20251109091211.12739-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/endpoint.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -1379,6 +1379,11 @@ int snd_usb_endpoint_set_params(struct s
+       ep->sample_rem = ep->cur_rate % ep->pps;
+       ep->packsize[0] = ep->cur_rate / ep->pps;
+       ep->packsize[1] = (ep->cur_rate + (ep->pps - 1)) / ep->pps;
++      if (ep->packsize[1] > ep->maxpacksize) {
++              usb_audio_dbg(chip, "Too small maxpacksize %u for rate %u / pps %u\n",
++                            ep->maxpacksize, ep->cur_rate, ep->pps);
++              return -EINVAL;
++      }
+       /* calculate the frequency in 16.16 format */
+       ep->freqm = ep->freqn;
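Review bot: The reason the new check compares only `ep->packsize[1]` against `ep->maxpacksize` is given in the commit message but not in the code, so a reader of endpoint.c is left wondering whether packsize[0] needs the same guard. Suggest a comment above the `if`: `/* packsize[1] >= packsize[0], so bounding the larger one covers both; exceeding maxpacksize means a bogus descriptor */`. Note also that usb_audio_dbg() is off by default, so a device rejected here surfaces to the user only as a failed parameter setup with no log hint; usb_audio_err() or usb_audio_info() would make the rejection visible, though keeping dbg is consistent if the driver's other descriptor rejections are equally quiet. snd_usb_endpoint_set_params() starts and ends outside the hunk.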
diff --git a/queue-6.1/fs-proc-fix-uaf-in-proc_readdir_de.patch b/queue-6.1/fs-proc-fix-uaf-in-proc_readdir_de.patch
new file mode 100644 (file)
index 0000000..c999a69
--- /dev/null
@@ -0,0 +1,105 @@
+From 895b4c0c79b092d732544011c3cecaf7322c36a1 Mon Sep 17 00:00:00 2001
+From: Wei Yang <albinwyang@tencent.com>
+Date: Sat, 25 Oct 2025 10:42:33 +0800
+Subject: fs/proc: fix uaf in proc_readdir_de()
+
+From: Wei Yang <albinwyang@tencent.com>
+
+commit 895b4c0c79b092d732544011c3cecaf7322c36a1 upstream.
+
+Pde is erased from subdir rbtree through rb_erase(), but not set the node
+to EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE()
+set the erased node to EMPTY, then pde_subdir_next() will return NULL to
+avoid uaf access.
+
+We found an uaf issue while using stress-ng testing, need to run testcase
+getdent and tun in the same time.  The steps of the issue is as follows:
+
+1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current
+   pde is tun3;
+
+2) in the [time windows] unregister netdevice tun3 and tun2, and erase
+   them from rbtree.  erase tun3 first, and then erase tun2.  the
+   pde(tun2) will be released to slab;
+
+3) continue to getdent process, then pde_subdir_next() will return
+   pde(tun2) which is released, it will case uaf access.
+
+CPU 0                                      |    CPU 1
+-------------------------------------------------------------------------
+traverse dir /proc/pid/net/dev_snmp6/      |   unregister_netdevice(tun->dev)   //tun3 tun2
+sys_getdents64()                           |
+  iterate_dir()                            |
+    proc_readdir()                         |
+      proc_readdir_de()                    |     snmp6_unregister_dev()
+        pde_get(de);                       |       proc_remove()
+        read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()
+                                           |           write_lock(&proc_subdir_lock);
+        [time window]                      |           rb_erase(&root->subdir_node, &parent->subdir);
+                                           |           write_unlock(&proc_subdir_lock);
+        read_lock(&proc_subdir_lock);      |
+        next = pde_subdir_next(de);        |
+        pde_put(de);                       |
+        de = next;    //UAF                |
+
+rbtree of dev_snmp6
+                        |
+                    pde(tun3)
+                     /    \
+                  NULL  pde(tun2)
+
+Link: https://lkml.kernel.org/r/20251025024233.158363-1-albin_yang@163.com
+Signed-off-by: Wei Yang <albinwyang@tencent.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: wangzijie <wangzijie1@honor.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/generic.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@ -695,6 +695,12 @@ void pde_put(struct proc_dir_entry *pde)
+       }
+ }
++static void pde_erase(struct proc_dir_entry *pde, struct proc_dir_entry *parent)
++{
++      rb_erase(&pde->subdir_node, &parent->subdir);
++      RB_CLEAR_NODE(&pde->subdir_node);
++}
++
+ /*
+  * Remove a /proc entry and free it if it's not currently in use.
+  */
+@@ -717,7 +723,7 @@ void remove_proc_entry(const char *name,
+                       WARN(1, "removing permanent /proc entry '%s'", de->name);
+                       de = NULL;
+               } else {
+-                      rb_erase(&de->subdir_node, &parent->subdir);
++                      pde_erase(de, parent);
+                       if (S_ISDIR(de->mode))
+                               parent->nlink--;
+               }
+@@ -761,7 +767,7 @@ int remove_proc_subtree(const char *name
+                       root->parent->name, root->name);
+               return -EINVAL;
+       }
+-      rb_erase(&root->subdir_node, &parent->subdir);
++      pde_erase(root, parent);
+       de = root;
+       while (1) {
+@@ -773,7 +779,7 @@ int remove_proc_subtree(const char *name
+                                       next->parent->name, next->name);
+                               return -EINVAL;
+                       }
+-                      rb_erase(&next->subdir_node, &de->subdir);
++                      pde_erase(next, de);
+                       de = next;
+                       continue;
+               }
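Review bot: pde_erase() depends on an implicit contract — rb_next() returns NULL for a node that RB_EMPTY_NODE() reports as cleared — and that is the whole reason RB_CLEAR_NODE() makes pde_subdir_next() safe for a reader that took a pde_get() reference and dropped proc_subdir_lock in the meantime, yet the helper carries no comment saying so. Suggest documenting it on the helper: `/* Mark the node empty too: a readdir holding a reference on pde may call pde_subdir_next(pde) after we unlink it, and rb_next() then returns NULL instead of following links to a sibling that may already be freed. */`. The same comment should state the consequence, that such a directory listing ends early at the removed entry rather than continuing past it. The three converted call sites are the only rb_erase() calls on this tree visible here; any other unlink path outside the hunks, if one exists, would need pde_erase() as well, and remove_proc_entry()/remove_proc_subtree() start and end outside the hunks.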
diff --git a/queue-6.1/ipv4-route-prevent-rt_bind_exception-from-rebinding-stale-fnhe.patch b/queue-6.1/ipv4-route-prevent-rt_bind_exception-from-rebinding-stale-fnhe.patch
new file mode 100644 (file)
index 0000000..a8c11da
--- /dev/null
@@ -0,0 +1,83 @@
+From ac1499fcd40fe06479e9b933347b837ccabc2a40 Mon Sep 17 00:00:00 2001
+From: Chuang Wang <nashuiliang@gmail.com>
+Date: Tue, 11 Nov 2025 14:43:24 +0800
+Subject: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
+
+From: Chuang Wang <nashuiliang@gmail.com>
+
+commit ac1499fcd40fe06479e9b933347b837ccabc2a40 upstream.
+
+The sit driver's packet transmission path calls: sit_tunnel_xmit() ->
+update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called
+to delete entries exceeding FNHE_RECLAIM_DEPTH+random.
+
+The race window is between fnhe_remove_oldest() selecting fnheX for
+deletion and the subsequent kfree_rcu(). During this time, the
+concurrent path's __mkroute_output() -> find_exception() can fetch the
+soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a
+new dst using a dst_hold(). When the original fnheX is freed via RCU,
+the dst reference remains permanently leaked.
+
+CPU 0                             CPU 1
+__mkroute_output()
+  find_exception() [fnheX]
+                                  update_or_create_fnhe()
+                                    fnhe_remove_oldest() [fnheX]
+  rt_bind_exception() [bind dst]
+                                  RCU callback [fnheX freed, dst leak]
+
+This issue manifests as a device reference count leak and a warning in
+dmesg when unregistering the net device:
+
+  unregister_netdevice: waiting for sitX to become free. Usage count = N
+
+Ido Schimmel provided the simple test validation method [1].
+
+The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes().
+Since rt_bind_exception() checks this field, setting it to zero prevents
+the stale fnhe from being reused and bound to a new dst just before it
+is freed.
+
+[1]
+ip netns add ns1
+ip -n ns1 link set dev lo up
+ip -n ns1 address add 192.0.2.1/32 dev lo
+ip -n ns1 link add name dummy1 up type dummy
+ip -n ns1 route add 192.0.2.2/32 dev dummy1
+ip -n ns1 link add name gretap1 up arp off type gretap \
+    local 192.0.2.1 remote 192.0.2.2
+ip -n ns1 route add 198.51.0.0/16 dev gretap1
+taskset -c 0 ip netns exec ns1 mausezahn gretap1 \
+    -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
+taskset -c 2 ip netns exec ns1 mausezahn gretap1 \
+    -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
+sleep 10
+ip netns pids ns1 | xargs kill
+ip netns del ns1
+
+Cc: stable@vger.kernel.org
+Fixes: 67d6d681e15b ("ipv4: make exception cache less predictible")
+Signed-off-by: Chuang Wang <nashuiliang@gmail.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20251111064328.24440-1-nashuiliang@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -617,6 +617,11 @@ static void fnhe_remove_oldest(struct fn
+                       oldest_p = fnhe_p;
+               }
+       }
++
++      /* Clear oldest->fnhe_daddr to prevent this fnhe from being
++       * rebound with new dsts in rt_bind_exception().
++       */
++      oldest->fnhe_daddr = 0;
+       fnhe_flush_routes(oldest);
+       *oldest_p = oldest->fnhe_next;
+       kfree_rcu(oldest, rcu);
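Review bot: The fix turns `fnhe_daddr == 0` into a protocol between fnhe_remove_oldest() and rt_bind_exception(), but the value's meaning is documented only at this store; anyone else touching fnhe_daddr or adding another unlink path for exceptions will not see it. Suggest a comment at the fnhe_daddr field in struct fib_nh_exception, along the lines of `/* 0 marks an entry unlinked and pending RCU free; rt_bind_exception() must not bind it */`, and extending the comment here with the reason a plain store is enough, which I take to be that both functions run under the same exception-table lock (not visible in the hunk, worth confirming). It is also worth stating that find_exception() can still hand out this entry until the grace period ends, so the daddr check in rt_bind_exception() is the sole guard. fnhe_remove_oldest() starts outside the hunk.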
diff --git a/queue-6.1/mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch b/queue-6.1/mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch
new file mode 100644 (file)
index 0000000..f08df8c
--- /dev/null
@@ -0,0 +1,34 @@
+From a28352cf2d2f8380e7aca8cb61682396dca7a991 Mon Sep 17 00:00:00 2001
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Mon, 20 Oct 2025 09:49:41 +0800
+Subject: mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+commit a28352cf2d2f8380e7aca8cb61682396dca7a991 upstream.
+
+strbin signal delay under 0x8 configuration is not stable after massive
+test. The recommandation of it should be 0x4.
+
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Tested-by: Alexey Charkov <alchark@gmail.com>
+Tested-by: Hugh Cole-Baker <sigmaris@gmail.com>
+Fixes: 08f3dff799d4 ("mmc: sdhci-of-dwcmshc: add rockchip platform support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-of-dwcmshc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-of-dwcmshc.c
++++ b/drivers/mmc/host/sdhci-of-dwcmshc.c
+@@ -52,7 +52,7 @@
+ #define DLL_TXCLK_TAPNUM_DEFAULT      0x10
+ #define DLL_TXCLK_TAPNUM_90_DEGREES   0xA
+ #define DLL_TXCLK_TAPNUM_FROM_SW      BIT(24)
+-#define DLL_STRBIN_TAPNUM_DEFAULT     0x8
++#define DLL_STRBIN_TAPNUM_DEFAULT     0x4
+ #define DLL_STRBIN_TAPNUM_FROM_SW     BIT(24)
+ #define DLL_STRBIN_DELAY_NUM_SEL      BIT(26)
+ #define DLL_STRBIN_DELAY_NUM_OFFSET   16
index 0683237a7c2966ba8e628c715794150936c5d5bf..e96db7080f4dbd93f702cbe1e4fa7be5763d0bd9 100644 (file)
@@ -402,3 +402,9 @@ ksmbd-close-accepted-socket-when-per-ip-limit-rejects-connection.patch
 strparser-fix-signed-unsigned-mismatch-bug.patch
 dma-mapping-benchmark-restore-padding-to-ensure-uabi-remained-consistent.patch
 loongarch-let-pte-pmd-_modify-record-the-status-of-_page_dirty.patch
+ipv4-route-prevent-rt_bind_exception-from-rebinding-stale-fnhe.patch
+wifi-mac80211-reject-address-change-while-connecting.patch
+fs-proc-fix-uaf-in-proc_readdir_de.patch
+mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch
+alsa-usb-audio-fix-potential-overflow-of-pcm-transfer-buffer.patch
+spi-try-to-get-acpi-gpio-irq-earlier.patch
diff --git a/queue-6.1/spi-try-to-get-acpi-gpio-irq-earlier.patch b/queue-6.1/spi-try-to-get-acpi-gpio-irq-earlier.patch
new file mode 100644 (file)
index 0000000..0c7abd0
--- /dev/null
@@ -0,0 +1,55 @@
+From 3cd2018e15b3d66d2187d92867e265f45ad79e6f Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hansg@kernel.org>
+Date: Sun, 2 Nov 2025 20:09:21 +0100
+Subject: spi: Try to get ACPI GPIO IRQ earlier
+
+From: Hans de Goede <hansg@kernel.org>
+
+commit 3cd2018e15b3d66d2187d92867e265f45ad79e6f upstream.
+
+Since commit d24cfee7f63d ("spi: Fix acpi deferred irq probe"), the
+acpi_dev_gpio_irq_get() call gets delayed till spi_probe() is called
+on the SPI device.
+
+If there is no driver for the SPI device then the move to spi_probe()
+results in acpi_dev_gpio_irq_get() never getting called. This may
+cause problems by leaving the GPIO pin floating because this call is
+responsible for setting up the GPIO pin direction and/or bias according
+to the values from the ACPI tables.
+
+Re-add the removed acpi_dev_gpio_irq_get() in acpi_register_spi_device()
+to ensure the GPIO pin is always correctly setup, while keeping the
+acpi_dev_gpio_irq_get() call added to spi_probe() to deal with
+-EPROBE_DEFER returns caused by the GPIO controller not having a driver
+yet.
+
+Link: https://bbs.archlinux.org/viewtopic.php?id=302348
+Fixes: d24cfee7f63d ("spi: Fix acpi deferred irq probe")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hansg@kernel.org>
+Link: https://patch.msgid.link/20251102190921.30068-1-hansg@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -2707,6 +2707,16 @@ static acpi_status acpi_register_spi_dev
+       acpi_set_modalias(adev, acpi_device_hid(adev), spi->modalias,
+                         sizeof(spi->modalias));
++      /*
++       * This gets re-tried in spi_probe() for -EPROBE_DEFER handling in case
++       * the GPIO controller does not have a driver yet. This needs to be done
++       * here too, because this call sets the GPIO direction and/or bias.
++       * Setting these needs to be done even if there is no driver, in which
++       * case spi_probe() will never get called.
++       */
++      if (spi->irq < 0)
++              spi->irq = acpi_dev_gpio_irq_get(adev, 0);
++
+       acpi_device_set_enumerated(adev);
+       adev->power.flags.ignore_parent = true;
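Review bot: The new call at `spi->irq = acpi_dev_gpio_irq_get(adev, 0);` stores whatever negative errno the lookup returns, not only -EPROBE_DEFER, and the rest of acpi_register_spi_device() (outside the hunk) then proceeds with that value in spi->irq. The comment above it explains the deferral case but not this one; if spi_probe() is relied on to re-query and normalize a stale error, say so: ` * Any other negative value is left in spi->irq for spi_probe() to re-evaluate.`. Otherwise a hard failure from the lookup should probably be distinguished from deferral here. acpi_register_spi_device() starts and ends outside the hunk.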
diff --git a/queue-6.1/wifi-mac80211-reject-address-change-while-connecting.patch b/queue-6.1/wifi-mac80211-reject-address-change-while-connecting.patch
new file mode 100644 (file)
index 0000000..5bb1508
--- /dev/null
@@ -0,0 +1,60 @@
+From a9da90e618cd0669a22bcc06a96209db5dd96e9b Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 5 Nov 2025 15:41:19 +0100
+Subject: wifi: mac80211: reject address change while connecting
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit a9da90e618cd0669a22bcc06a96209db5dd96e9b upstream.
+
+While connecting, the MAC address can already no longer be
+changed. The change is already rejected if netif_carrier_ok(),
+but of course that's not true yet while connecting. Check for
+auth_data or assoc_data, so the MAC address cannot be changed.
+
+Also more comprehensively check that there are no stations on
+the interface being changed - if any peer station is added it
+will know about our address already, so we cannot change it.
+
+Cc: stable@vger.kernel.org
+Fixes: 3c06e91b40db ("wifi: mac80211: Support POWERED_ADDR_CHANGE feature")
+Link: https://patch.msgid.link/20251105154119.f9f6c1df81bb.I9bb3760ede650fb96588be0d09a5a7bdec21b217@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/iface.c |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -216,6 +216,10 @@ static int ieee80211_can_powered_addr_ch
+       mutex_lock(&local->mtx);
++      /* if any stations are set known (so they know this vif too), reject */
++      if (sta_info_get_by_idx(sdata, 0))
++              return -EBUSY;
++
+       /* First check no ROC work is happening on this iface */
+       list_for_each_entry(roc, &local->roc_list, list) {
+               if (roc->sdata != sdata)
+@@ -235,12 +239,16 @@ static int ieee80211_can_powered_addr_ch
+                       ret = -EBUSY;
+       }
++      /*
++       * More interface types could be added here but changing the
++       * address while powered makes the most sense in client modes.
++       */
+       switch (sdata->vif.type) {
+       case NL80211_IFTYPE_STATION:
+       case NL80211_IFTYPE_P2P_CLIENT:
+-              /* More interface types could be added here but changing the
+-               * address while powered makes the most sense in client modes.
+-               */
++              /* refuse while connecting */
++              if (sdata->u.mgd.auth_data || sdata->u.mgd.assoc_data)
++                      return -EBUSY;
+               break;
+       default:
+               ret = -EOPNOTSUPP;
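Review bot: The two new `return -EBUSY;` statements, the one right after `mutex_lock(&local->mtx);` and the one inside the STATION/P2P_CLIENT case, leave local->mtx held, since both sit between the lock acquisition visible at the top of the first hunk and the common unlock path that the function's existing `ret = -EBUSY;` assignments fall through to. Upstream this function apparently holds no mutex at that point, which is likely why direct returns were fine there, but in this 6.1 backport they turn a rejected address change into a leaked mutex and a deadlock for the next taker of local->mtx. Both sites should set ret and continue to the existing unlock label instead, as below; the label itself is outside the hunk, so its name needs checking. A second thing to verify on the backport: sta_info_get_by_idx() walks the station list with RCU list helpers, and it is not obvious that local->mtx satisfies its lockdep condition here without an rcu_read_lock() pair. ieee80211_can_powered_addr_change() starts and ends outside the hunks.
```c
	mutex_lock(&local->mtx);

	/* if any stations are set known (so they know this vif too), reject */
	if (sta_info_get_by_idx(sdata, 0)) {
		ret = -EBUSY;
		goto unlock;	/* the function's existing unlock-and-return label (outside this hunk); verify its name */
	}

	/* … unchanged: ROC and scan checks, switch header, STATION case label … */
	case NL80211_IFTYPE_P2P_CLIENT:
		/* refuse while connecting */
		if (sdata->u.mgd.auth_data || sdata->u.mgd.assoc_data)
			ret = -EBUSY;
		break;
```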