From: Greg Kroah-Hartman Date: Mon, 16 Mar 2026 15:17:03 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v6.18.19~78 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2b94e4904c8edb4b2daac20cb0220afa96e1d50b;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: alsa-pcm-fix-use-after-free-on-linked-stream-runtime-in-snd_pcm_drain.patch alsa-usb-audio-check-endpoint-numbers-at-parsing-scarlett2-mixer-interfaces.patch cgroup-fix-race-between-task-migration-and-iteration.patch net-usb-lan78xx-fix-silent-drop-of-packets-with-checksum-errors.patch net-usb-lan78xx-fix-tx-byte-statistics-for-small-packets.patch net-usb-lan78xx-skip-ltm-configuration-for-lan7850.patch
---
diff --git a/queue-6.6/alsa-pcm-fix-use-after-free-on-linked-stream-runtime-in-snd_pcm_drain.patch b/queue-6.6/alsa-pcm-fix-use-after-free-on-linked-stream-runtime-in-snd_pcm_drain.patch
new file mode 100644
index 0000000000..666e5d6098
--- /dev/null
+++ b/queue-6.6/alsa-pcm-fix-use-after-free-on-linked-stream-runtime-in-snd_pcm_drain.patch
@@ -0,0 +1,81 @@
+From 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6 Mon Sep 17 00:00:00 2001
+From: Mehul Rao
+Date: Thu, 5 Mar 2026 14:35:07 -0500
+Subject: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mehul Rao
+
+commit 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6 upstream.
+
+In the drain loop, the local variable 'runtime' is reassigned to a
+linked stream's runtime (runtime = s->runtime at line 2157). After
+releasing the stream lock at line 2169, the code accesses
+runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size
+(lines 2170-2178) — all referencing the linked stream's runtime without
+any lock or refcount protecting its lifetime.
+
+A concurrent close() on the linked stream's fd triggers
+snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private()
+→ snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime).
+No synchronization prevents kfree(runtime) from completing while the
+drain path dereferences the stale pointer.
+
+Fix by caching the needed runtime fields (no_period_wakeup, rate,
+buffer_size) into local variables while still holding the stream lock,
+and using the cached values after the lock is released.
+
+Fixes: f2b3614cefb6 ("ALSA: PCM - Don't check DMA time-out too shortly")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mehul Rao
+Link: https://patch.msgid.link/20260305193508.311096-1-mehulrao@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/pcm_native.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -2148,6 +2148,10 @@ static int snd_pcm_drain(struct snd_pcm_
+ for (;;) {
+ long tout;
+ struct snd_pcm_runtime *to_check;
++ unsigned int drain_rate;
++ snd_pcm_uframes_t drain_bufsz;
++ bool drain_no_period_wakeup;
++
+ if (signal_pending(current)) {
+ result = -ERESTARTSYS;
+ break;
+@@ -2167,16 +2171,25 @@ static int snd_pcm_drain(struct snd_pcm_
+ snd_pcm_group_unref(group, substream);
+ if (!to_check)
+ break; /* all drained */
++ /*
++ * Cache the runtime fields needed after unlock.
++ * A concurrent close() on the linked stream may free
++ * its runtime via snd_pcm_detach_substream() once we
++ * release the stream lock below.
++ */
++ drain_no_period_wakeup = to_check->no_period_wakeup;
++ drain_rate = to_check->rate;
++ drain_bufsz = to_check->buffer_size;
+ init_waitqueue_entry(&wait, current);
+ set_current_state(TASK_INTERRUPTIBLE);
+ add_wait_queue(&to_check->sleep, &wait);
+ snd_pcm_stream_unlock_irq(substream);
+- if (runtime->no_period_wakeup)
++ if (drain_no_period_wakeup)
+ tout = MAX_SCHEDULE_TIMEOUT;
+ else {
+ tout = 100;
+- if (runtime->rate) {
+- long t = runtime->buffer_size * 1100 / runtime->rate;
++ if (drain_rate) {
++ long t = drain_bufsz * 1100 / drain_rate;
+ tout = max(t, tout);
+ }
+ tout = msecs_to_jiffies(tout);
diff --git a/queue-6.6/alsa-usb-audio-check-endpoint-numbers-at-parsing-scarlett2-mixer-interfaces.patch b/queue-6.6/alsa-usb-audio-check-endpoint-numbers-at-parsing-scarlett2-mixer-interfaces.patch
new file mode 100644
index 0000000000..217d35546e
--- /dev/null
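Review bot: The cached `drain_no_period_wakeup`/`drain_rate`/`drain_bufsz` copies cover the three field reads after `snd_pcm_stream_unlock_irq()`, but the wait entry registered just above it by `add_wait_queue(&to_check->sleep, &wait)` still points into the linked stream's runtime across the same unlock window, and the new comment does not say what keeps that object alive while the drainer sleeps. The matching wakeup and `remove_wait_queue()` are outside this hunk (`snd_pcm_drain` continues past `msecs_to_jiffies(tout)`), so whether the close() race described in the message can also reach them cannot be judged here; if it is guarded elsewhere, one more line in the new comment stating what guarantees `to_check->sleep` is still valid when the entry is removed would spare the next reader the same question, and if nothing does, the fix is incomplete. A one-line comment at the three new declarations noting that they are only assigned after the `!to_check` break would also help, since they sit uninitialized at the top of the loop body.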
+++ b/queue-6.6/alsa-usb-audio-check-endpoint-numbers-at-parsing-scarlett2-mixer-interfaces.patch
@@ -0,0 +1,40 @@
+From df1d8abf36ca3681c21a6809eaa9a1e01ef897a6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 9 Mar 2026 11:46:27 +0100
+Subject: ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces
+
+From: Takashi Iwai
+
+commit df1d8abf36ca3681c21a6809eaa9a1e01ef897a6 upstream.
+
+The Scarlett2 mixer quirk in USB-audio driver may hit a NULL
+dereference when a malformed USB descriptor is passed, since it
+assumes the presence of an endpoint in the parsed interface in
+scarlett2_find_fc_interface(), as reported by fuzzer.
+
+For avoiding the NULL dereference, just add the sanity check of
+bNumEndpoints and skip the invalid interface.
+
+Reported-by: syzbot+8f29539ef9a1c8334f42@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/69acbbe1.050a0220.310d8.0001.GAE@google.com
+Reported-by: syzbot+ae893a8901067fde2741@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/69acf72a.050a0220.310d8.0004.GAE@google.com
+Cc:
+Link: https://patch.msgid.link/20260309104632.141895-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/mixer_scarlett2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/mixer_scarlett2.c
++++ b/sound/usb/mixer_scarlett2.c
+@@ -3898,6 +3898,8 @@ static int scarlett2_find_fc_interface(s
+
+ if (desc->bInterfaceClass != 255)
+ continue;
++ if (desc->bNumEndpoints < 1)
++ continue;
+
+ epd = get_endpoint(intf->altsetting, 0);
+ private->bInterfaceNumber = desc->bInterfaceNumber;
diff --git a/queue-6.6/cgroup-fix-race-between-task-migration-and-iteration.patch b/queue-6.6/cgroup-fix-race-between-task-migration-and-iteration.patch
new file mode 100644
index 0000000000..21c5378772
--- /dev/null
+++ b/queue-6.6/cgroup-fix-race-between-task-migration-and-iteration.patch
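Review bot: The new `desc->bNumEndpoints < 1` guard has no comment tying it to the dereference it prevents, the `get_endpoint(intf->altsetting, 0)` call two lines further down, so the final code reads as two unrelated `continue`s. Suggest `/* get_endpoint(..., 0) below needs at least one endpoint; malformed descriptors may declare none */` directly above the check. The guard also presumes that `desc` describes the same altsetting that is handed to `get_endpoint()`, which is established outside the hunk; `scarlett2_find_fc_interface` continues past it.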
@@ -0,0 +1,84 @@
+From 5ee01f1a7343d6a3547b6802ca2d4cdce0edacb1 Mon Sep 17 00:00:00 2001
+From: Qingye Zhao
+Date: Wed, 11 Feb 2026 09:24:04 +0000
+Subject: cgroup: fix race between task migration and iteration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Qingye Zhao
+
+commit 5ee01f1a7343d6a3547b6802ca2d4cdce0edacb1 upstream.
+
+When a task is migrated out of a css_set, cgroup_migrate_add_task()
+first moves it from cset->tasks to cset->mg_tasks via:
+
+ list_move_tail(&task->cg_list, &cset->mg_tasks);
+
+If a css_task_iter currently has it->task_pos pointing to this task,
+css_set_move_task() calls css_task_iter_skip() to keep the iterator
+valid. However, since the task has already been moved to ->mg_tasks,
+the iterator is advanced relative to the mg_tasks list instead of the
+original tasks list. As a result, remaining tasks on cset->tasks, as
+well as tasks queued on cset->mg_tasks, can be skipped by iteration.
+
+Fix this by calling css_set_skip_task_iters() before unlinking
+task->cg_list from cset->tasks. This advances all active iterators to
+the next task on cset->tasks, so iteration continues correctly even
+when a task is concurrently being migrated.
+
+This race is hard to hit in practice without instrumentation, but it
+can be reproduced by artificially slowing down cgroup_procs_show().
+For example, on an Android device a temporary
+/sys/kernel/cgroup/cgroup_test knob can be added to inject a delay
+into cgroup_procs_show(), and then:
+
+ 1) Spawn three long-running tasks (PIDs 101, 102, 103).
+ 2) Create a test cgroup and move the tasks into it.
+ 3) Enable a large delay via /sys/kernel/cgroup/cgroup_test.
+ 4) In one shell, read cgroup.procs from the test cgroup.
+ 5) Within the delay window, in another shell migrate PID 102 by
+ writing it to a different cgroup.procs file.
+
+Under this setup, cgroup.procs can intermittently show only PID 101
+while skipping PID 103. Once the migration completes, reading the
+file again shows all tasks as expected.
+
+Note that this change does not allow removing the existing
+css_set_skip_task_iters() call in css_set_move_task(). The new call
+in cgroup_migrate_add_task() only handles iterators that are racing
+with migration while the task is still on cset->tasks. Iterators may
+also start after the task has been moved to cset->mg_tasks. If we
+dropped css_set_skip_task_iters() from css_set_move_task(), such
+iterators could keep task_pos pointing to a migrating task, causing
+css_task_iter_advance() to malfunction on the destination css_set,
+up to and including crashes or infinite loops.
+
+The race window between migration and iteration is very small, and
+css_task_iter is not on a hot path. In the worst case, when an
+iterator is positioned on the first thread of the migrating process,
+cgroup_migrate_add_task() may have to skip multiple tasks via
+css_set_skip_task_iters(). However, this only happens when migration
+and iteration actually race, so the performance impact is negligible
+compared to the correctness fix provided here.
+
+Fixes: b636fd38dc40 ("cgroup: Implement css_task_iter_skip()")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: Qingye Zhao
+Reviewed-by: Michal Koutný
+Signed-off-by: Tejun Heo
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/cgroup/cgroup.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -2457,6 +2457,7 @@ static void cgroup_migrate_add_task(stru
+
+ mgctx->tset.nr_tasks++;
+
++ css_set_skip_task_iters(cset, task);
+ list_move_tail(&task->cg_list, &cset->mg_tasks);
+ if (list_empty(&cset->mg_node))
+ list_add_tail(&cset->mg_node,
diff --git a/queue-6.6/net-usb-lan78xx-fix-silent-drop-of-packets-with-checksum-errors.patch b/queue-6.6/net-usb-lan78xx-fix-silent-drop-of-packets-with-checksum-errors.patch
new file mode 100644
index 0000000000..644b57b5fa
--- /dev/null
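Review bot: The new `css_set_skip_task_iters(cset, task)` call carries no in-code comment, although its position before `list_move_tail(&task->cg_list, &cset->mg_tasks)` is the whole fix: the message explains that the skip must run while the task is still on `cset->tasks`, and a later reordering would silently reintroduce the race with no compiler or test complaint. Suggest `/* Advance iterators past @task while it is still on cset->tasks; once it sits on ->mg_tasks the skip in css_set_move_task() walks the wrong list. */` directly above the call. The message also insists that the call in `css_set_move_task()` must stay; naming that dependency in the same comment would keep the two from being "deduplicated" later. `cgroup_migrate_add_task` continues outside the hunk.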
+++ b/queue-6.6/net-usb-lan78xx-fix-silent-drop-of-packets-with-checksum-errors.patch 
@@ -0,0 +1,65 @@
+From e4f774a0cc955ce762aec91c66915a6e15087ab7 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel
+Date: Thu, 5 Mar 2026 15:34:26 +0100
+Subject: net: usb: lan78xx: fix silent drop of packets with checksum errors
+
+From: Oleksij Rempel
+
+commit e4f774a0cc955ce762aec91c66915a6e15087ab7 upstream.
+
+Do not drop packets with checksum errors at the USB driver level;
+pass them to the network stack.
+
+Previously, the driver dropped all packets where the 'Receive Error
+Detected' (RED) bit was set, regardless of the specific error type. This
+caused packets with only IP or TCP/UDP checksum errors to be dropped
+before reaching the kernel, preventing the network stack from accounting
+for them or performing software fallback.
+
+Add a mask for hard hardware errors to safely drop genuinely corrupt
+frames, while allowing checksum-errored frames to pass with their
+ip_summed field explicitly set to CHECKSUM_NONE.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel
+Link: https://patch.msgid.link/20260305143429.530909-2-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/lan78xx.c | 4 +++-
+ drivers/net/usb/lan78xx.h | 3 +++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -3537,6 +3537,7 @@ static void lan78xx_rx_csum_offload(stru
+ */
+ if (!(dev->net->features & NETIF_F_RXCSUM) ||
+ unlikely(rx_cmd_a & RX_CMD_A_ICSM_) ||
++ unlikely(rx_cmd_a & RX_CMD_A_CSE_MASK_) ||
+ ((rx_cmd_a & RX_CMD_A_FVTG_) &&
+ !(dev->net->features & NETIF_F_HW_VLAN_CTAG_RX))) {
+ skb->ip_summed = CHECKSUM_NONE;
+@@ -3609,7 +3610,8 @@ static int lan78xx_rx(struct lan78xx_net
+ return 0;
+ }
+
+- if (unlikely(rx_cmd_a & RX_CMD_A_RED_)) {
++ if (unlikely(rx_cmd_a & RX_CMD_A_RED_) &&
++ (rx_cmd_a & RX_CMD_A_RX_HARD_ERRS_MASK_)) {
+ netif_dbg(dev, rx_err, dev->net,
+ "Error rx_cmd_a=0x%08x", rx_cmd_a);
+ } else {
+--- a/drivers/net/usb/lan78xx.h
++++ b/drivers/net/usb/lan78xx.h
+@@ -74,6 +74,9 @@
+ #define RX_CMD_A_ICSM_ (0x00004000)
+ #define RX_CMD_A_LEN_MASK_ (0x00003FFF)
+
++#define RX_CMD_A_RX_HARD_ERRS_MASK_ \
++ (RX_CMD_A_RX_ERRS_MASK_ & ~RX_CMD_A_CSE_MASK_)
++
+ /* Rx Command B */
+ #define RX_CMD_B_CSUM_SHIFT_ (16)
+ #define RX_CMD_B_CSUM_MASK_ (0xFFFF0000)
diff --git a/queue-6.6/net-usb-lan78xx-fix-tx-byte-statistics-for-small-packets.patch b/queue-6.6/net-usb-lan78xx-fix-tx-byte-statistics-for-small-packets.patch
new file mode 100644
index 0000000000..127ba0d80f
--- /dev/null
+++ b/queue-6.6/net-usb-lan78xx-fix-tx-byte-statistics-for-small-packets.patch
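Review bot: `RX_CMD_A_RX_HARD_ERRS_MASK_` is defined in terms of `RX_CMD_A_RX_ERRS_MASK_` and `RX_CMD_A_CSE_MASK_`, neither of which is added or shown by this backport; the lan78xx.h hunk context carries only `RX_CMD_A_ICSM_` and `RX_CMD_A_LEN_MASK_`, so the 6.6 header should be confirmed to define both before the patch is queued (the change builds upstream, so they presumably exist there). In `lan78xx_rx` the new condition lets a frame with RED set but no hard error fall through to the `else` branch, and nothing at that point says that the frame will be marked `CHECKSUM_NONE` by the `RX_CMD_A_CSE_MASK_` test added to `lan78xx_rx_csum_offload()`, which I assume runs later on that path; a comment on the `else` such as `/* RED with only checksum errors: deliver, rx_csum_offload() marks it CHECKSUM_NONE */` would make the intent local. Both `lan78xx_rx_csum_offload` and `lan78xx_rx` extend beyond the hunk.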
@@ -0,0 +1,43 @@
+From 50988747c30df47b73b787f234f746027cb7ec6c Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel
+Date: Thu, 5 Mar 2026 15:34:27 +0100
+Subject: net: usb: lan78xx: fix TX byte statistics for small packets
+
+From: Oleksij Rempel
+
+commit 50988747c30df47b73b787f234f746027cb7ec6c upstream.
+
+Account for hardware auto-padding in TX byte counters to reflect actual
+wire traffic.
+
+The LAN7850 hardware automatically pads undersized frames to the minimum
+Ethernet frame length (ETH_ZLEN, 60 bytes). However, the driver tracks
+the network statistics based on the unpadded socket buffer length. This
+results in the tx_bytes counter under-reporting the actual physical
+bytes placed on the Ethernet wire for small packets (like short ARP or
+ICMP requests).
+
+Use max_t() to ensure the transmission statistics accurately account for
+the hardware-generated padding.
+
+Fixes: d383216a7efe ("lan78xx: Introduce Tx URB processing improvements")
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel
+Link: https://patch.msgid.link/20260305143429.530909-3-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/lan78xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -3886,7 +3886,7 @@ static struct skb_data *lan78xx_tx_buf_f
+ }
+
+ tx_data += len;
+- entry->length += len;
++ entry->length += max_t(unsigned int, len, ETH_ZLEN);
+ entry->num_of_packet += skb_shinfo(skb)->gso_segs ?: 1;
+
+ dev_kfree_skb_any(skb);
diff --git a/queue-6.6/net-usb-lan78xx-skip-ltm-configuration-for-lan7850.patch b/queue-6.6/net-usb-lan78xx-skip-ltm-configuration-for-lan7850.patch
new file mode 100644
index 0000000000..858cc3615f
--- /dev/null
+++ b/queue-6.6/net-usb-lan78xx-skip-ltm-configuration-for-lan7850.patch
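Review bot: `max_t(unsigned int, len, ETH_ZLEN)` now applies to every chip the driver handles, while the message justifies the padding only for the LAN7850; if the LAN7800/LAN7801 pad the same way (likely, but not shown here) the code should say so, and if they do not, the counter is now wrong on those parts instead. Suggest `/* hardware pads runts to ETH_ZLEN; count what goes on the wire */` on the changed line. The line above still advances `tx_data` by the unpadded `len`, which is consistent with padding done in hardware but reads as a mismatch without that comment. `lan78xx_tx_buf_fill` continues outside the hunk.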
@@ -0,0 +1,46 @@
+From d9cc0e440f0664f6f3e2c26e39ab9dd5f3badba7 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel
+Date: Thu, 5 Mar 2026 15:34:28 +0100
+Subject: net: usb: lan78xx: skip LTM configuration for LAN7850
+
+From: Oleksij Rempel
+
+commit d9cc0e440f0664f6f3e2c26e39ab9dd5f3badba7 upstream.
+
+Do not configure Latency Tolerance Messaging (LTM) on USB 2.0 hardware.
+
+The LAN7850 is a High-Speed (USB 2.0) only device and does not support
+SuperSpeed features like LTM. Currently, the driver unconditionally
+attempts to configure LTM registers during initialization. On the
+LAN7850, these registers do not exist, resulting in writes to invalid
+or undocumented memory space.
+
+This issue was identified during a port to the regmap API with strict
+register validation enabled. While no functional issues or crashes have
+been observed from these invalid writes, bypassing LTM initialization
+on the LAN7850 ensures the driver strictly adheres to the hardware's
+valid register map.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel
+Link: https://patch.msgid.link/20260305143429.530909-4-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/lan78xx.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -2672,6 +2672,10 @@ static void lan78xx_init_ltm(struct lan7
+ u32 buf;
+ u32 regs[6] = { 0 };
+
++ /* LAN7850 is USB 2.0 and does not support LTM */
++ if (dev->chipid == ID_REV_CHIP_ID_7850_)
++ return;
++
+ ret = lan78xx_read_reg(dev, USB_CFG1, &buf);
+ if (buf & USB_CFG1_LTM_ENABLE_) {
+ u8 temp[2];
diff --git a/queue-6.6/series b/queue-6.6/series
index 6641d2b54c..f265894ce4 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
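Review bot: The early return is right for the LAN7850, but the path it leaves for the other parts assigns `ret = lan78xx_read_reg(dev, USB_CFG1, &buf)` and then tests `buf & USB_CFG1_LTM_ENABLE_` without looking at `ret`; `buf` is declared with no initializer (`u32 buf;`), so a failed read decides LTM setup on an indeterminate value. That is pre-existing and outside this fix, but since the function is being touched, a follow-up `if (ret < 0) return;` between the read and the test would close it, assuming `lan78xx_read_reg()` follows the negative-errno convention (not visible here). Whether `dev->chipid` is already populated when `lan78xx_init_ltm()` runs is also not shown in the hunk; `lan78xx_init_ltm` continues beyond it.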
@@ -258,3 +258,9 @@ octeontx2-af-devlink-health-use-retained-error-fmsg-.patch
 octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch
 usb-gadget-f_mass_storage-fix-potential-integer-over.patch
 revert-arm64-dts-qcom-sdm845-oneplus-mark-l14a-regul.patch
+cgroup-fix-race-between-task-migration-and-iteration.patch
+alsa-pcm-fix-use-after-free-on-linked-stream-runtime-in-snd_pcm_drain.patch
+alsa-usb-audio-check-endpoint-numbers-at-parsing-scarlett2-mixer-interfaces.patch
+net-usb-lan78xx-fix-silent-drop-of-packets-with-checksum-errors.patch
+net-usb-lan78xx-fix-tx-byte-statistics-for-small-packets.patch
+net-usb-lan78xx-skip-ltm-configuration-for-lan7850.patch