From: Greg Kroah-Hartman Date: Mon, 9 Mar 2026 10:15:04 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v6.19.7~26 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5406fa0211f4133f84041838701530660fc1b006;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: can-ems_usb-ems_usb_read_bulk_callback-check-the-proper-length-of-a-message.patch can-ucan-fix-infinite-loop-from-zero-length-messages.patch can-usb-etas_es58x-correctly-anchor-the-urb-in-the-read-bulk-callback.patch can-usb-f81604-correctly-anchor-the-urb-in-the-read-bulk-callback.patch can-usb-f81604-handle-bulk-write-errors-properly.patch can-usb-f81604-handle-short-interrupt-urb-messages-properly.patch eventpoll-fix-integer-overflow-in-ep_loop_check_proc.patch hid-add-hid_claimed_input-guards-in-raw_event-callbacks-missing-them.patch media-dvb-core-fix-wrong-reinitialization-of-ringbuffer-on-reopen.patch net-usb-kalmia-validate-usb-endpoints.patch net-usb-kaweth-validate-usb-endpoints.patch net-usb-pegasus-validate-usb-endpoints.patch nfc-pn533-properly-drop-the-usb-interface-reference-on-disconnect.patch x86-efi-defer-freeing-of-boot-services-memory.patch --- diff --git a/queue-6.6/can-ems_usb-ems_usb_read_bulk_callback-check-the-proper-length-of-a-message.patch b/queue-6.6/can-ems_usb-ems_usb_read_bulk_callback-check-the-proper-length-of-a-message.patch new file mode 100644 index 0000000000..f698ba6658 --- /dev/null +++ b/queue-6.6/can-ems_usb-ems_usb_read_bulk_callback-check-the-proper-length-of-a-message.patch @@ -0,0 +1,55 @@ +From 38a01c9700b0dcafe97dfa9dc7531bf4a245deff Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 17:51:17 +0100 +Subject: can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message + +From: Greg Kroah-Hartman + +commit 38a01c9700b0dcafe97dfa9dc7531bf4a245deff upstream. + +When looking at the data in a USB urb, the actual_length is the size of +the buffer passed to the driver, not the transfer_buffer_length which is +set by the driver as the max size of the buffer. + +When parsing the messages in ems_usb_read_bulk_callback() properly check +the size both at the beginning of parsing the message to make sure it is +big enough for the expected structure, and at the end of the message to +make sure we don't overflow past the end of the buffer for the next +message. + +Cc: Vincent Mailhol +Cc: Marc Kleine-Budde +Cc: stable@kernel.org +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026022316-answering-strainer-a5db@gregkh +Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/ems_usb.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/ems_usb.c ++++ b/drivers/net/can/usb/ems_usb.c +@@ -445,6 +445,11 @@ static void ems_usb_read_bulk_callback(s + start = CPC_HEADER_SIZE; + + while (msg_count) { ++ if (start + CPC_MSG_HEADER_LEN > urb->actual_length) { ++ netdev_err(netdev, "format error\n"); ++ break; ++ } ++ + msg = (struct ems_cpc_msg *)&ibuf[start]; + + switch (msg->type) { +@@ -474,7 +479,7 @@ static void ems_usb_read_bulk_callback(s + start += CPC_MSG_HEADER_LEN + msg->length; + msg_count--; + +- if (start > urb->transfer_buffer_length) { ++ if (start > urb->actual_length) { + netdev_err(netdev, "format error\n"); + break; + } diff --git a/queue-6.6/can-ucan-fix-infinite-loop-from-zero-length-messages.patch b/queue-6.6/can-ucan-fix-infinite-loop-from-zero-length-messages.patch new file mode 100644 index 0000000000..8cb76e719b --- /dev/null +++ b/queue-6.6/can-ucan-fix-infinite-loop-from-zero-length-messages.patch @@ -0,0 +1,43 @@ +From 1e446fd0582ad8be9f6dafb115fc2e7245f9bea7 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 17:30:20 +0100 +Subject: can: ucan: Fix infinite loop from zero-length messages + +From: Greg Kroah-Hartman + +commit 1e446fd0582ad8be9f6dafb115fc2e7245f9bea7 upstream. + +If a broken ucan device gets a message with the message length field set +to 0, then the driver will loop for forever in +ucan_read_bulk_callback(), hanging the system. If the length is 0, just +skip the message and go on to the next one. + +This has been fixed in the kvaser_usb driver in the past in commit +0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in +command parsers"), so there must be some broken devices out there like +this somewhere. + +Cc: Marc Kleine-Budde +Cc: Vincent Mailhol +Cc: stable@kernel.org +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026022319-huff-absurd-6a18@gregkh +Fixes: 9f2d3eae88d2 ("can: ucan: add driver for Theobroma Systems UCAN devices") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/ucan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/usb/ucan.c ++++ b/drivers/net/can/usb/ucan.c +@@ -749,7 +749,7 @@ static void ucan_read_bulk_callback(stru + len = le16_to_cpu(m->len); + + /* check sanity (length of content) */ +- if (urb->actual_length - pos < len) { ++ if ((len == 0) || (urb->actual_length - pos < len)) { + netdev_warn(up->netdev, + "invalid message (short; no data; l:%d)\n", + urb->actual_length); diff --git a/queue-6.6/can-usb-etas_es58x-correctly-anchor-the-urb-in-the-read-bulk-callback.patch b/queue-6.6/can-usb-etas_es58x-correctly-anchor-the-urb-in-the-read-bulk-callback.patch new file mode 100644 index 0000000000..de390fb1cf --- /dev/null +++ b/queue-6.6/can-usb-etas_es58x-correctly-anchor-the-urb-in-the-read-bulk-callback.patch @@ -0,0 +1,52 @@ +From 5eaad4f768266f1f17e01232ffe2ef009f8129b7 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 17:39:20 +0100 +Subject: can: usb: etas_es58x: correctly anchor the urb in the read bulk callback + +From: Greg Kroah-Hartman + +commit 5eaad4f768266f1f17e01232ffe2ef009f8129b7 upstream. + +When submitting an urb, that is using the anchor pattern, it needs to be +anchored before submitting it otherwise it could be leaked if +usb_kill_anchored_urbs() is called. This logic is correctly done +elsewhere in the driver, except in the read bulk callback so do that +here also. + +Cc: Vincent Mailhol +Cc: Marc Kleine-Budde +Cc: stable@kernel.org +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: Vincent Mailhol +Tested-by: Vincent Mailhol +Link: https://patch.msgid.link/2026022320-poser-stiffly-9d84@gregkh +Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/etas_es58x/es58x_core.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/etas_es58x/es58x_core.c ++++ b/drivers/net/can/usb/etas_es58x/es58x_core.c +@@ -1461,12 +1461,18 @@ static void es58x_read_bulk_callback(str + } + + resubmit_urb: ++ usb_anchor_urb(urb, &es58x_dev->rx_urbs); + ret = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!ret) ++ return; ++ ++ usb_unanchor_urb(urb); ++ + if (ret == -ENODEV) { + for (i = 0; i < es58x_dev->num_can_ch; i++) + if (es58x_dev->netdev[i]) + netif_device_detach(es58x_dev->netdev[i]); +- } else if (ret) ++ } else + dev_err_ratelimited(dev, + "Failed resubmitting read bulk urb: %pe\n", + ERR_PTR(ret)); diff --git a/queue-6.6/can-usb-f81604-correctly-anchor-the-urb-in-the-read-bulk-callback.patch b/queue-6.6/can-usb-f81604-correctly-anchor-the-urb-in-the-read-bulk-callback.patch new file mode 100644 index 0000000000..73dc8319af --- /dev/null +++ b/queue-6.6/can-usb-f81604-correctly-anchor-the-urb-in-the-read-bulk-callback.patch @@ -0,0 +1,73 @@ +From 952caa5da10bed22be09612433964f6877ba0dde Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 13:10:32 +0100 +Subject: can: usb: f81604: correctly anchor the urb in the read bulk callback + +From: Greg Kroah-Hartman + +commit 952caa5da10bed22be09612433964f6877ba0dde upstream. + +When submitting an urb, that is using the anchor pattern, it needs to be +anchored before submitting it otherwise it could be leaked if +usb_kill_anchored_urbs() is called. This logic is correctly done +elsewhere in the driver, except in the read bulk callback so do that +here also. + +Cc: Ji-Ze Hong (Peter Hong) +Cc: Marc Kleine-Budde +Cc: Vincent Mailhol +Cc: stable@kernel.org +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026022334-starlight-scaling-2cea@gregkh +Fixes: 88da17436973 ("can: usb: f81604: add Fintek F81604 support") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/f81604.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/usb/f81604.c ++++ b/drivers/net/can/usb/f81604.c +@@ -413,6 +413,7 @@ static void f81604_read_bulk_callback(st + { + struct f81604_can_frame *frame = urb->transfer_buffer; + struct net_device *netdev = urb->context; ++ struct f81604_port_priv *priv = netdev_priv(netdev); + int ret; + + if (!netif_device_present(netdev)) +@@ -445,10 +446,15 @@ static void f81604_read_bulk_callback(st + f81604_process_rx_packet(netdev, frame); + + resubmit_urb: ++ usb_anchor_urb(urb, &priv->urbs_anchor); + ret = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!ret) ++ return; ++ usb_unanchor_urb(urb); ++ + if (ret == -ENODEV) + netif_device_detach(netdev); +- else if (ret) ++ else + netdev_err(netdev, + "%s: failed to resubmit read bulk urb: %pe\n", + __func__, ERR_PTR(ret)); +@@ -646,10 +652,15 @@ static void f81604_read_int_callback(str + f81604_handle_tx(priv, data); + + resubmit_urb: ++ usb_anchor_urb(urb, &priv->urbs_anchor); + ret = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!ret) ++ return; ++ usb_unanchor_urb(urb); ++ + if (ret == -ENODEV) + netif_device_detach(netdev); +- else if (ret) ++ else + netdev_err(netdev, "%s: failed to resubmit int urb: %pe\n", + __func__, ERR_PTR(ret)); + } diff --git a/queue-6.6/can-usb-f81604-handle-bulk-write-errors-properly.patch b/queue-6.6/can-usb-f81604-handle-bulk-write-errors-properly.patch new file mode 100644 index 0000000000..c8a5885928 --- /dev/null +++ b/queue-6.6/can-usb-f81604-handle-bulk-write-errors-properly.patch @@ -0,0 +1,61 @@ +From 51f94780720fa90c424f67e3e9784cb8ef8190e5 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 13:10:31 +0100 +Subject: can: usb: f81604: handle bulk write errors properly + +From: Greg Kroah-Hartman + +commit 51f94780720fa90c424f67e3e9784cb8ef8190e5 upstream. + +If a write urb fails then more needs to be done other than just logging +the message, otherwise the transmission could be stalled. Properly +increment the error counters and wake up the queues so that data will +continue to flow. + +Cc: Ji-Ze Hong (Peter Hong) +Cc: Marc Kleine-Budde +Cc: Vincent Mailhol +Cc: stable@kernel.org +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026022334-slackness-dynamic-9195@gregkh +Fixes: 88da17436973 ("can: usb: f81604: add Fintek F81604 support") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/f81604.c | 24 +++++++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +--- a/drivers/net/can/usb/f81604.c ++++ b/drivers/net/can/usb/f81604.c +@@ -891,9 +891,27 @@ static void f81604_write_bulk_callback(s + if (!netif_device_present(netdev)) + return; + +- if (urb->status) +- netdev_info(netdev, "%s: Tx URB error: %pe\n", __func__, +- ERR_PTR(urb->status)); ++ if (!urb->status) ++ return; ++ ++ switch (urb->status) { ++ case -ENOENT: ++ case -ECONNRESET: ++ case -ESHUTDOWN: ++ return; ++ default: ++ break; ++ } ++ ++ if (net_ratelimit()) ++ netdev_err(netdev, "%s: Tx URB error: %pe\n", __func__, ++ ERR_PTR(urb->status)); ++ ++ can_free_echo_skb(netdev, 0, NULL); ++ netdev->stats.tx_dropped++; ++ netdev->stats.tx_errors++; ++ ++ netif_wake_queue(netdev); + } + + static void f81604_clear_reg_work(struct work_struct *work) diff --git a/queue-6.6/can-usb-f81604-handle-short-interrupt-urb-messages-properly.patch b/queue-6.6/can-usb-f81604-handle-short-interrupt-urb-messages-properly.patch new file mode 100644 index 0000000000..ac435ab6ee --- /dev/null +++ b/queue-6.6/can-usb-f81604-handle-short-interrupt-urb-messages-properly.patch @@ -0,0 +1,41 @@ +From 7299b1b39a255f6092ce4ec0b65f66e9d6a357af Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 13:10:30 +0100 +Subject: can: usb: f81604: handle short interrupt urb messages properly + +From: Greg Kroah-Hartman + +commit 7299b1b39a255f6092ce4ec0b65f66e9d6a357af upstream. + +If an interrupt urb is received that is not the correct length, properly +detect it and don't attempt to treat the data as valid. + +Cc: Ji-Ze Hong (Peter Hong) +Cc: Marc Kleine-Budde +Cc: Vincent Mailhol +Cc: stable@kernel.org +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026022331-opal-evaluator-a928@gregkh +Fixes: 88da17436973 ("can: usb: f81604: add Fintek F81604 support") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/f81604.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/can/usb/f81604.c ++++ b/drivers/net/can/usb/f81604.c +@@ -626,6 +626,12 @@ static void f81604_read_int_callback(str + netdev_info(netdev, "%s: Int URB aborted: %pe\n", __func__, + ERR_PTR(urb->status)); + ++ if (urb->actual_length < sizeof(*data)) { ++ netdev_warn(netdev, "%s: short int URB: %u < %zu\n", ++ __func__, urb->actual_length, sizeof(*data)); ++ goto resubmit_urb; ++ } ++ + switch (urb->status) { + case 0: /* success */ + break; diff --git a/queue-6.6/eventpoll-fix-integer-overflow-in-ep_loop_check_proc.patch b/queue-6.6/eventpoll-fix-integer-overflow-in-ep_loop_check_proc.patch new file mode 100644 index 0000000000..7a25fe4220 --- /dev/null +++ b/queue-6.6/eventpoll-fix-integer-overflow-in-ep_loop_check_proc.patch @@ -0,0 +1,49 @@ +From fdcfce93073d990ed4b71752e31ad1c1d6e9d58b Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Mon, 23 Feb 2026 20:59:33 +0100 +Subject: eventpoll: Fix integer overflow in ep_loop_check_proc() + +From: Jann Horn + +commit fdcfce93073d990ed4b71752e31ad1c1d6e9d58b upstream. + +If a recursive call to ep_loop_check_proc() hits the `result = INT_MAX`, +an integer overflow will occur in the calling ep_loop_check_proc() at +`result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1)`, +breaking the recursion depth check. + +Fix it by using a different placeholder value that can't lead to an +overflow. + +Reported-by: Guenter Roeck +Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion") +Cc: stable@vger.kernel.org +Signed-off-by: Jann Horn +Link: https://patch.msgid.link/20260223-epoll-int-overflow-v1-1-452f35132224@google.com +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/eventpoll.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -1907,7 +1907,8 @@ static int ep_poll(struct eventpoll *ep, + * @ep: the &struct eventpoll to be currently checked. + * @depth: Current depth of the path being checked. + * +- * Return: depth of the subtree, or INT_MAX if we found a loop or went too deep. ++ * Return: depth of the subtree, or a value bigger than EP_MAX_NESTS if we found ++ * a loop or went too deep. + */ + static int ep_loop_check_proc(struct eventpoll *ep, int depth) + { +@@ -1926,7 +1927,7 @@ static int ep_loop_check_proc(struct eve + struct eventpoll *ep_tovisit; + ep_tovisit = epi->ffd.file->private_data; + if (ep_tovisit == inserting_into || depth > EP_MAX_NESTS) +- result = INT_MAX; ++ result = EP_MAX_NESTS+1; + else + result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1); + if (result > EP_MAX_NESTS) diff --git a/queue-6.6/hid-add-hid_claimed_input-guards-in-raw_event-callbacks-missing-them.patch b/queue-6.6/hid-add-hid_claimed_input-guards-in-raw_event-callbacks-missing-them.patch new file mode 100644 index 0000000000..500b682069 --- /dev/null +++ b/queue-6.6/hid-add-hid_claimed_input-guards-in-raw_event-callbacks-missing-them.patch @@ -0,0 +1,65 @@ +From ecfa6f34492c493a9a1dc2900f3edeb01c79946b Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 19 Feb 2026 15:33:54 +0100 +Subject: HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them + +From: Greg Kroah-Hartman + +commit ecfa6f34492c493a9a1dc2900f3edeb01c79946b upstream. + +In commit 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at +raw event handle"), we handle the fact that raw event callbacks +can happen even for a HID device that has not been "claimed" causing a +crash if a broken device were attempted to be connected to the system. + +Fix up the remaining in-tree HID drivers that forgot to add this same +check to resolve the same issue. + +Cc: Jiri Kosina +Cc: Benjamin Tissoires +Cc: Bastien Nocera +Cc: linux-input@vger.kernel.org +Cc: stable +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-cmedia.c | 2 +- + drivers/hid/hid-creative-sb0540.c | 2 +- + drivers/hid/hid-zydacron.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/hid/hid-cmedia.c ++++ b/drivers/hid/hid-cmedia.c +@@ -99,7 +99,7 @@ static int cmhid_raw_event(struct hid_de + { + struct cmhid *cm = hid_get_drvdata(hid); + +- if (len != CM6533_JD_RAWEV_LEN) ++ if (len != CM6533_JD_RAWEV_LEN || !(hid->claimed & HID_CLAIMED_INPUT)) + goto out; + if (memcmp(data+CM6533_JD_SFX_OFFSET, ji_sfx, sizeof(ji_sfx))) + goto out; +--- a/drivers/hid/hid-creative-sb0540.c ++++ b/drivers/hid/hid-creative-sb0540.c +@@ -153,7 +153,7 @@ static int creative_sb0540_raw_event(str + u64 code, main_code; + int key; + +- if (len != 6) ++ if (len != 6 || !(hid->claimed & HID_CLAIMED_INPUT)) + return 0; + + /* From daemons/hw_hiddev.c sb0540_rec() in lirc */ +--- a/drivers/hid/hid-zydacron.c ++++ b/drivers/hid/hid-zydacron.c +@@ -114,7 +114,7 @@ static int zc_raw_event(struct hid_devic + unsigned key; + unsigned short index; + +- if (report->id == data[0]) { ++ if (report->id == data[0] && (hdev->claimed & HID_CLAIMED_INPUT)) { + + /* break keys */ + for (index = 0; index < 4; index++) { diff --git a/queue-6.6/media-dvb-core-fix-wrong-reinitialization-of-ringbuffer-on-reopen.patch b/queue-6.6/media-dvb-core-fix-wrong-reinitialization-of-ringbuffer-on-reopen.patch new file mode 100644 index 0000000000..7f288a9130 --- /dev/null +++ b/queue-6.6/media-dvb-core-fix-wrong-reinitialization-of-ringbuffer-on-reopen.patch @@ -0,0 +1,52 @@ +From bfbc0b5b32a8f28ce284add619bf226716a59bc0 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Tue, 24 Feb 2026 11:51:16 -0700 +Subject: media: dvb-core: fix wrong reinitialization of ringbuffer on reopen + +From: Jens Axboe + +commit bfbc0b5b32a8f28ce284add619bf226716a59bc0 upstream. + +dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the +DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which +reinitializes the waitqueue list head to empty. + +Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the +same DVR device share it), this orphans any existing waitqueue entries +from io_uring poll or epoll, leaving them with stale prev/next pointers +while the list head is reset to {self, self}. + +The waitqueue and spinlock in dvr_buffer are already properly +initialized once in dvb_dmxdev_init(). The open path only needs to +reset the buffer data pointer, size, and read/write positions. + +Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct +assignment of data/size and a call to dvb_ringbuffer_reset(), which +properly resets pread, pwrite, and error with correct memory ordering +without touching the waitqueue or spinlock. + +Cc: stable@vger.kernel.org +Fixes: 34731df288a5f ("V4L/DVB (3501): Dmxdev: use dvb_ringbuffer") +Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com +Tested-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/698a26d3.050a0220.3b3015.007d.GAE@google.com/ +Signed-off-by: Jens Axboe +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-core/dmxdev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/media/dvb-core/dmxdev.c ++++ b/drivers/media/dvb-core/dmxdev.c +@@ -168,7 +168,9 @@ static int dvb_dvr_open(struct inode *in + mutex_unlock(&dmxdev->mutex); + return -ENOMEM; + } +- dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE); ++ dmxdev->dvr_buffer.data = mem; ++ dmxdev->dvr_buffer.size = DVR_BUFFER_SIZE; ++ dvb_ringbuffer_reset(&dmxdev->dvr_buffer); + if (dmxdev->may_do_mmap) + dvb_vb2_init(&dmxdev->dvr_vb2_ctx, "dvr", + file->f_flags & O_NONBLOCK); diff --git a/queue-6.6/net-usb-kalmia-validate-usb-endpoints.patch b/queue-6.6/net-usb-kalmia-validate-usb-endpoints.patch new file mode 100644 index 0000000000..a03a2e406f --- /dev/null +++ b/queue-6.6/net-usb-kalmia-validate-usb-endpoints.patch @@ -0,0 +1,46 @@ +From c58b6c29a4c9b8125e8ad3bca0637e00b71e2693 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 13:59:26 +0100 +Subject: net: usb: kalmia: validate USB endpoints + +From: Greg Kroah-Hartman + +commit c58b6c29a4c9b8125e8ad3bca0637e00b71e2693 upstream. + +The kalmia driver should validate that the device it is probing has the +proper number and types of USB endpoints it is expecting before it binds +to it. If a malicious device were to not have the same urbs the driver +will crash later on when it blindly accesses these endpoints. + +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: Simon Horman +Fixes: d40261236e8e ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730") +Link: https://patch.msgid.link/2026022326-shack-headstone-ef6f@gregkh +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/kalmia.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/net/usb/kalmia.c ++++ b/drivers/net/usb/kalmia.c +@@ -132,11 +132,18 @@ kalmia_bind(struct usbnet *dev, struct u + { + int status; + u8 ethernet_addr[ETH_ALEN]; ++ static const u8 ep_addr[] = { ++ 1 | USB_DIR_IN, ++ 2 | USB_DIR_OUT, ++ 0}; + + /* Don't bind to AT command interface */ + if (intf->cur_altsetting->desc.bInterfaceClass != USB_CLASS_VENDOR_SPEC) + return -EINVAL; + ++ if (!usb_check_bulk_endpoints(intf, ep_addr)) ++ return -ENODEV; ++ + dev->in = usb_rcvbulkpipe(dev->udev, 0x81 & USB_ENDPOINT_NUMBER_MASK); + dev->out = usb_sndbulkpipe(dev->udev, 0x02 & USB_ENDPOINT_NUMBER_MASK); + dev->status = NULL; diff --git a/queue-6.6/net-usb-kaweth-validate-usb-endpoints.patch b/queue-6.6/net-usb-kaweth-validate-usb-endpoints.patch new file mode 100644 index 0000000000..559ca250ef --- /dev/null +++ b/queue-6.6/net-usb-kaweth-validate-usb-endpoints.patch @@ -0,0 +1,54 @@ +From 4b063c002ca759d1b299988ee23f564c9609c875 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 14:00:06 +0100 +Subject: net: usb: kaweth: validate USB endpoints + +From: Greg Kroah-Hartman + +commit 4b063c002ca759d1b299988ee23f564c9609c875 upstream. + +The kaweth driver should validate that the device it is probing has the +proper number and types of USB endpoints it is expecting before it binds +to it. If a malicious device were to not have the same urbs the driver +will crash later on when it blindly accesses these endpoints. + +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: Simon Horman +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://patch.msgid.link/2026022305-substance-virtual-c728@gregkh +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/kaweth.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/net/usb/kaweth.c ++++ b/drivers/net/usb/kaweth.c +@@ -883,6 +883,13 @@ static int kaweth_probe( + const eth_addr_t bcast_addr = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }; + int result = 0; + int rv = -EIO; ++ static const u8 bulk_ep_addr[] = { ++ 1 | USB_DIR_IN, ++ 2 | USB_DIR_OUT, ++ 0}; ++ static const u8 int_ep_addr[] = { ++ 3 | USB_DIR_IN, ++ 0}; + + dev_dbg(dev, + "Kawasaki Device Probe (Device number:%d): 0x%4.4x:0x%4.4x:0x%4.4x\n", +@@ -896,6 +903,12 @@ static int kaweth_probe( + (int)udev->descriptor.bLength, + (int)udev->descriptor.bDescriptorType); + ++ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) || ++ !usb_check_int_endpoints(intf, int_ep_addr)) { ++ dev_err(dev, "couldn't find required endpoints\n"); ++ return -ENODEV; ++ } ++ + netdev = alloc_etherdev(sizeof(*kaweth)); + if (!netdev) + return -ENOMEM; diff --git a/queue-6.6/net-usb-pegasus-validate-usb-endpoints.patch b/queue-6.6/net-usb-pegasus-validate-usb-endpoints.patch new file mode 100644 index 0000000000..9cbcc490c4 --- /dev/null +++ b/queue-6.6/net-usb-pegasus-validate-usb-endpoints.patch @@ -0,0 +1,62 @@ +From 11de1d3ae5565ed22ef1f89d73d8f2d00322c699 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 13:58:48 +0100 +Subject: net: usb: pegasus: validate USB endpoints + +From: Greg Kroah-Hartman + +commit 11de1d3ae5565ed22ef1f89d73d8f2d00322c699 upstream. + +The pegasus driver should validate that the device it is probing has the +proper number and types of USB endpoints it is expecting before it binds +to it. If a malicious device were to not have the same urbs the driver +will crash later on when it blindly accesses these endpoints. + +Cc: Petko Manolov +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026022347-legibly-attest-cc5c@gregkh +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/pegasus.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/pegasus.c ++++ b/drivers/net/usb/pegasus.c +@@ -815,8 +815,19 @@ static void unlink_all_urbs(pegasus_t *p + + static int alloc_urbs(pegasus_t *pegasus) + { ++ static const u8 bulk_ep_addr[] = { ++ 1 | USB_DIR_IN, ++ 2 | USB_DIR_OUT, ++ 0}; ++ static const u8 int_ep_addr[] = { ++ 3 | USB_DIR_IN, ++ 0}; + int res = -ENOMEM; + ++ if (!usb_check_bulk_endpoints(pegasus->intf, bulk_ep_addr) || ++ !usb_check_int_endpoints(pegasus->intf, int_ep_addr)) ++ return -ENODEV; ++ + pegasus->rx_urb = usb_alloc_urb(0, GFP_KERNEL); + if (!pegasus->rx_urb) { + return res; +@@ -1171,6 +1182,7 @@ static int pegasus_probe(struct usb_inte + + pegasus = netdev_priv(net); + pegasus->dev_index = dev_index; ++ pegasus->intf = intf; + + res = alloc_urbs(pegasus); + if (res < 0) { +@@ -1182,7 +1194,6 @@ static int pegasus_probe(struct usb_inte + + INIT_DELAYED_WORK(&pegasus->carrier_check, check_carrier); + +- pegasus->intf = intf; + pegasus->usb = dev; + pegasus->net = net; + diff --git a/queue-6.6/nfc-pn533-properly-drop-the-usb-interface-reference-on-disconnect.patch b/queue-6.6/nfc-pn533-properly-drop-the-usb-interface-reference-on-disconnect.patch new file mode 100644 index 0000000000..0a9b783732 --- /dev/null +++ b/queue-6.6/nfc-pn533-properly-drop-the-usb-interface-reference-on-disconnect.patch @@ -0,0 +1,35 @@ +From 12133a483dfa832241fbbf09321109a0ea8a520e Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 12:28:30 +0100 +Subject: nfc: pn533: properly drop the usb interface reference on disconnect + +From: Greg Kroah-Hartman + +commit 12133a483dfa832241fbbf09321109a0ea8a520e upstream. + +When the device is disconnected from the driver, there is a "dangling" +reference count on the usb interface that was grabbed in the probe +callback. Fix this up by properly dropping the reference after we are +done with it. + +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: Simon Horman +Fixes: c46ee38620a2 ("NFC: pn533: add NXP pn533 nfc device driver") +Link: https://patch.msgid.link/2026022329-flashing-ought-7573@gregkh +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/pn533/usb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/nfc/pn533/usb.c ++++ b/drivers/nfc/pn533/usb.c +@@ -629,6 +629,7 @@ static void pn533_usb_disconnect(struct + usb_free_urb(phy->out_urb); + usb_free_urb(phy->ack_urb); + kfree(phy->ack_buffer); ++ usb_put_dev(phy->udev); + + nfc_info(&interface->dev, "NXP PN533 NFC device disconnected\n"); + } diff --git a/queue-6.6/series b/queue-6.6/series index 93d55bd393..d7e6446492 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -87,3 +87,17 @@ alsa-hda-conexant-fix-headphone-jack-handling-on-ace.patch net-arcnet-com20020-pci-fix-support-for-2.5mbit-card.patch drm-amd-drop-special-case-for-yellow-carp-without-di.patch drm-amdgpu-keep-vga-memory-on-macbooks-with-switchab.patch +eventpoll-fix-integer-overflow-in-ep_loop_check_proc.patch +media-dvb-core-fix-wrong-reinitialization-of-ringbuffer-on-reopen.patch +nfc-pn533-properly-drop-the-usb-interface-reference-on-disconnect.patch +net-usb-kaweth-validate-usb-endpoints.patch +net-usb-kalmia-validate-usb-endpoints.patch +net-usb-pegasus-validate-usb-endpoints.patch +can-ems_usb-ems_usb_read_bulk_callback-check-the-proper-length-of-a-message.patch +can-usb-f81604-correctly-anchor-the-urb-in-the-read-bulk-callback.patch +can-ucan-fix-infinite-loop-from-zero-length-messages.patch +can-usb-etas_es58x-correctly-anchor-the-urb-in-the-read-bulk-callback.patch +can-usb-f81604-handle-short-interrupt-urb-messages-properly.patch +can-usb-f81604-handle-bulk-write-errors-properly.patch +hid-add-hid_claimed_input-guards-in-raw_event-callbacks-missing-them.patch +x86-efi-defer-freeing-of-boot-services-memory.patch diff --git a/queue-6.6/x86-efi-defer-freeing-of-boot-services-memory.patch b/queue-6.6/x86-efi-defer-freeing-of-boot-services-memory.patch new file mode 100644 index 0000000000..d123142671 --- /dev/null +++ b/queue-6.6/x86-efi-defer-freeing-of-boot-services-memory.patch @@ -0,0 +1,186 @@ +From a4b0bf6a40f3c107c67a24fbc614510ef5719980 Mon Sep 17 00:00:00 2001 +From: "Mike Rapoport (Microsoft)" +Date: Wed, 25 Feb 2026 08:55:55 +0200 +Subject: x86/efi: defer freeing of boot services memory + +From: Mike Rapoport (Microsoft) + +commit a4b0bf6a40f3c107c67a24fbc614510ef5719980 upstream. + +efi_free_boot_services() frees memory occupied by EFI_BOOT_SERVICES_CODE +and EFI_BOOT_SERVICES_DATA using memblock_free_late(). + +There are two issue with that: memblock_free_late() should be used for +memory allocated with memblock_alloc() while the memory reserved with +memblock_reserve() should be freed with free_reserved_area(). + +More acutely, with CONFIG_DEFERRED_STRUCT_PAGE_INIT=y +efi_free_boot_services() is called before deferred initialization of the +memory map is complete. + +Benjamin Herrenschmidt reports that this causes a leak of ~140MB of +RAM on EC2 t3a.nano instances which only have 512MB or RAM. + +If the freed memory resides in the areas that memory map for them is +still uninitialized, they won't be actually freed because +memblock_free_late() calls memblock_free_pages() and the latter skips +uninitialized pages. + +Using free_reserved_area() at this point is also problematic because +__free_page() accesses the buddy of the freed page and that again might +end up in uninitialized part of the memory map. + +Delaying the entire efi_free_boot_services() could be problematic +because in addition to freeing boot services memory it updates +efi.memmap without any synchronization and that's undesirable late in +boot when there is concurrency. + +More robust approach is to only defer freeing of the EFI boot services +memory. + +Split efi_free_boot_services() in two. First efi_unmap_boot_services() +collects ranges that should be freed into an array then +efi_free_boot_services() later frees them after deferred init is complete. + +Link: https://lore.kernel.org/all/ec2aaef14783869b3be6e3c253b2dcbf67dbc12a.camel@kernel.crashing.org +Fixes: 916f676f8dc0 ("x86, efi: Retain boot service code until after switching to virtual mode") +Cc: +Signed-off-by: Mike Rapoport (Microsoft) +Reviewed-by: Benjamin Herrenschmidt +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/efi.h | 2 - + arch/x86/platform/efi/efi.c | 2 - + arch/x86/platform/efi/quirks.c | 55 ++++++++++++++++++++++++++++++++++-- + drivers/firmware/efi/mokvar-table.c | 2 - + 4 files changed, 55 insertions(+), 6 deletions(-) + +--- a/arch/x86/include/asm/efi.h ++++ b/arch/x86/include/asm/efi.h +@@ -138,7 +138,7 @@ extern void __init efi_apply_memmap_quir + extern int __init efi_reuse_config(u64 tables, int nr_tables); + extern void efi_delete_dummy_variable(void); + extern void efi_crash_gracefully_on_page_fault(unsigned long phys_addr); +-extern void efi_free_boot_services(void); ++extern void efi_unmap_boot_services(void); + + void arch_efi_call_virt_setup(void); + void arch_efi_call_virt_teardown(void); +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -860,7 +860,7 @@ static void __init __efi_enter_virtual_m + } + + efi_check_for_embedded_firmwares(); +- efi_free_boot_services(); ++ efi_unmap_boot_services(); + + if (!efi_is_mixed()) + efi_native_runtime_setup(); +--- a/arch/x86/platform/efi/quirks.c ++++ b/arch/x86/platform/efi/quirks.c +@@ -341,7 +341,7 @@ void __init efi_reserve_boot_services(vo + + /* + * Because the following memblock_reserve() is paired +- * with memblock_free_late() for this region in ++ * with free_reserved_area() for this region in + * efi_free_boot_services(), we must be extremely + * careful not to reserve, and subsequently free, + * critical regions of memory (like the kernel image) or +@@ -404,17 +404,33 @@ static void __init efi_unmap_pages(efi_m + pr_err("Failed to unmap VA mapping for 0x%llx\n", va); + } + +-void __init efi_free_boot_services(void) ++struct efi_freeable_range { ++ u64 start; ++ u64 end; ++}; ++ ++static struct efi_freeable_range *ranges_to_free; ++ ++void __init efi_unmap_boot_services(void) + { + struct efi_memory_map_data data = { 0 }; + efi_memory_desc_t *md; + int num_entries = 0; ++ int idx = 0; ++ size_t sz; + void *new, *new_md; + + /* Keep all regions for /sys/kernel/debug/efi */ + if (efi_enabled(EFI_DBG)) + return; + ++ sz = sizeof(*ranges_to_free) * efi.memmap.nr_map + 1; ++ ranges_to_free = kzalloc(sz, GFP_KERNEL); ++ if (!ranges_to_free) { ++ pr_err("Failed to allocate storage for freeable EFI regions\n"); ++ return; ++ } ++ + for_each_efi_memory_desc(md) { + unsigned long long start = md->phys_addr; + unsigned long long size = md->num_pages << EFI_PAGE_SHIFT; +@@ -471,7 +487,15 @@ void __init efi_free_boot_services(void) + start = SZ_1M; + } + +- memblock_free_late(start, size); ++ /* ++ * With CONFIG_DEFERRED_STRUCT_PAGE_INIT parts of the memory ++ * map are still not initialized and we can't reliably free ++ * memory here. ++ * Queue the ranges to free at a later point. ++ */ ++ ranges_to_free[idx].start = start; ++ ranges_to_free[idx].end = start + size; ++ idx++; + } + + if (!num_entries) +@@ -512,6 +536,31 @@ void __init efi_free_boot_services(void) + } + } + ++static int __init efi_free_boot_services(void) ++{ ++ struct efi_freeable_range *range = ranges_to_free; ++ unsigned long freed = 0; ++ ++ if (!ranges_to_free) ++ return 0; ++ ++ while (range->start) { ++ void *start = phys_to_virt(range->start); ++ void *end = phys_to_virt(range->end); ++ ++ free_reserved_area(start, end, -1, NULL); ++ freed += (end - start); ++ range++; ++ } ++ kfree(ranges_to_free); ++ ++ if (freed) ++ pr_info("Freeing EFI boot services memory: %ldK\n", freed / SZ_1K); ++ ++ return 0; ++} ++arch_initcall(efi_free_boot_services); ++ + /* + * A number of config table entries get remapped to virtual addresses + * after entering EFI virtual mode. However, the kexec kernel requires +--- a/drivers/firmware/efi/mokvar-table.c ++++ b/drivers/firmware/efi/mokvar-table.c +@@ -85,7 +85,7 @@ static struct kobject *mokvar_kobj; + * as an alternative to ordinary EFI variables, due to platform-dependent + * limitations. The memory occupied by this table is marked as reserved. + * +- * This routine must be called before efi_free_boot_services() in order ++ * This routine must be called before efi_unmap_boot_services() in order + * to guarantee that it can mark the table as reserved. + * + * Implicit inputs: