From: Greg Kroah-Hartman Date: Thu, 20 Nov 2025 16:18:49 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.6.117~31 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6624e89ec1b1c03ea2aaa4a0091117bf207b875b;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-usb-audio-fix-potential-overflow-of-pcm-transfer-buffer.patch fs-proc-fix-uaf-in-proc_readdir_de.patch ipv4-route-prevent-rt_bind_exception-from-rebinding-stale-fnhe.patch mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch spi-try-to-get-acpi-gpio-irq-earlier.patch wifi-mac80211-reject-address-change-while-connecting.patch
---
diff --git a/queue-6.1/alsa-usb-audio-fix-potential-overflow-of-pcm-transfer-buffer.patch b/queue-6.1/alsa-usb-audio-fix-potential-overflow-of-pcm-transfer-buffer.patch
new file mode 100644
index 0000000000..30c0fccc4e
--- /dev/null
+++ b/queue-6.1/alsa-usb-audio-fix-potential-overflow-of-pcm-transfer-buffer.patch
@@ -0,0 +1,53 @@
+From 05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Sun, 9 Nov 2025 10:12:07 +0100
+Subject: ALSA: usb-audio: Fix potential overflow of PCM transfer buffer
+
+From: Takashi Iwai
+
+commit 05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf upstream.
+
+The PCM stream data in USB-audio driver is transferred over USB URB
+packet buffers, and each packet size is determined dynamically. The
+packet sizes are limited by some factors such as wMaxPacketSize USB
+descriptor. OTOH, in the current code, the actually used packet sizes
+are determined only by the rate and the PPS, which may be bigger than
+the size limit above. This results in a buffer overflow, as reported
+by syzbot.
+
+Basically when the limit is smaller than the calculated packet size,
+it implies that something is wrong, most likely a weird USB
+descriptor. So the best option would be just to return an error at
+the parameter setup time before doing any further operations.
+
+This patch introduces such a sanity check, and returns -EINVAL when
+the packet size is greater than maxpacksize. The comparison with
+ep->packsize[1] alone should suffice since it's always equal or
+greater than ep->packsize[0].
+
+Reported-by: syzbot+bfd77469c8966de076f7@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=bfd77469c8966de076f7
+Link: https://lore.kernel.org/690b6b46.050a0220.3d0d33.0054.GAE@google.com
+Cc: Lizhi Xu
+Cc:
+Link: https://patch.msgid.link/20251109091211.12739-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/endpoint.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -1379,6 +1379,11 @@ int snd_usb_endpoint_set_params(struct s
+ ep->sample_rem = ep->cur_rate % ep->pps;
+ ep->packsize[0] = ep->cur_rate / ep->pps;
+ ep->packsize[1] = (ep->cur_rate + (ep->pps - 1)) / ep->pps;
++ if (ep->packsize[1] > ep->maxpacksize) {
++ usb_audio_dbg(chip, "Too small maxpacksize %u for rate %u / pps %u\n",
++ ep->maxpacksize, ep->cur_rate, ep->pps);
++ return -EINVAL;
++ }
+
+ /* calculate the frequency in 16.16 format */
+ ep->freqm = ep->freqn;
diff --git a/queue-6.1/fs-proc-fix-uaf-in-proc_readdir_de.patch b/queue-6.1/fs-proc-fix-uaf-in-proc_readdir_de.patch
new file mode 100644
index 0000000000..c999a695dc
--- /dev/null
+++ b/queue-6.1/fs-proc-fix-uaf-in-proc_readdir_de.patch
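Review bot: The new guard compares `ep->packsize[1]`, which the two lines above derive as a per-packet frame count (`cur_rate / pps`), against `ep->maxpacksize`, which the commit text ties to the endpoint's wMaxPacketSize descriptor field; if that field is kept in bytes, the comparison is unit-mismatched and only rejects values more than a frame's worth of bytes too large, and the tighter check is against the frame-based limit derived from maxpacksize (if the driver computes one before this point) or against `packsize[1]` multiplied by the per-frame byte count. Returning -EINVAL at parameter setup is the right place to reject a descriptor-driven value, and `usb_audio_dbg` rather than a warning is the right level for a condition a hostile or broken device can trigger at will. It is also worth confirming that the later per-URB sizing path does not derive a packet size from `freqm` that can exceed the limit, since this check cannot see that. snd_usb_endpoint_set_params() starts and ends outside the hunk.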
@@ -0,0 +1,105 @@
+From 895b4c0c79b092d732544011c3cecaf7322c36a1 Mon Sep 17 00:00:00 2001
+From: Wei Yang
+Date: Sat, 25 Oct 2025 10:42:33 +0800
+Subject: fs/proc: fix uaf in proc_readdir_de()
+
+From: Wei Yang
+
+commit 895b4c0c79b092d732544011c3cecaf7322c36a1 upstream.
+
+Pde is erased from subdir rbtree through rb_erase(), but not set the node
+to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE()
+set the erased node to EMPTY, then pde_subdir_next() will return NULL to
+avoid uaf access.
+
+We found an uaf issue while using stress-ng testing, need to run testcase
+getdent and tun in the same time. The steps of the issue is as follows:
+
+1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current
+ pde is tun3;
+
+2) in the [time windows] unregister netdevice tun3 and tun2, and erase
+ them from rbtree. erase tun3 first, and then erase tun2. the
+ pde(tun2) will be released to slab;
+
+3) continue to getdent process, then pde_subdir_next() will return
+ pde(tun2) which is released, it will case uaf access.
+
+CPU 0 | CPU 1
+-------------------------------------------------------------------------
+traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2
+sys_getdents64() |
+ iterate_dir() |
+ proc_readdir() |
+ proc_readdir_de() | snmp6_unregister_dev()
+ pde_get(de); | proc_remove()
+ read_unlock(&proc_subdir_lock); | remove_proc_subtree()
+ | write_lock(&proc_subdir_lock);
+ [time window] | rb_erase(&root->subdir_node, &parent->subdir);
+ | write_unlock(&proc_subdir_lock);
+ read_lock(&proc_subdir_lock); |
+ next = pde_subdir_next(de); |
+ pde_put(de); |
+ de = next; //UAF |
+
+rbtree of dev_snmp6
+ |
+ pde(tun3)
+ / \
+ NULL pde(tun2)
+
+Link: https://lkml.kernel.org/r/20251025024233.158363-1-albin_yang@163.com
+Signed-off-by: Wei Yang
+Cc: Al Viro
+Cc: Christian Brauner
+Cc: wangzijie
+Cc: Alexey Dobriyan
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/proc/generic.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@ -695,6 +695,12 @@ void pde_put(struct proc_dir_entry *pde)
+ }
+ }
+
++static void pde_erase(struct proc_dir_entry *pde, struct proc_dir_entry *parent)
++{
++ rb_erase(&pde->subdir_node, &parent->subdir);
++ RB_CLEAR_NODE(&pde->subdir_node);
++}
++
+ /*
+ * Remove a /proc entry and free it if it's not currently in use.
+ */
+@@ -717,7 +723,7 @@ void remove_proc_entry(const char *name,
+ WARN(1, "removing permanent /proc entry '%s'", de->name);
+ de = NULL;
+ } else {
+- rb_erase(&de->subdir_node, &parent->subdir);
++ pde_erase(de, parent);
+ if (S_ISDIR(de->mode))
+ parent->nlink--;
+ }
+@@ -761,7 +767,7 @@ int remove_proc_subtree(const char *name
+ root->parent->name, root->name);
+ return -EINVAL;
+ }
+- rb_erase(&root->subdir_node, &parent->subdir);
++ pde_erase(root, parent);
+
+ de = root;
+ while (1) {
+@@ -773,7 +779,7 @@ int remove_proc_subtree(const char *name
+ next->parent->name, next->name);
+ return -EINVAL;
+ }
+- rb_erase(&next->subdir_node, &de->subdir);
++ pde_erase(next, de);
+ de = next;
+ continue;
+ }
diff --git a/queue-6.1/ipv4-route-prevent-rt_bind_exception-from-rebinding-stale-fnhe.patch b/queue-6.1/ipv4-route-prevent-rt_bind_exception-from-rebinding-stale-fnhe.patch
new file mode 100644
index 0000000000..a8c11da3ca
--- /dev/null
+++ b/queue-6.1/ipv4-route-prevent-rt_bind_exception-from-rebinding-stale-fnhe.patch
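Review bot: pde_erase() has no comment, yet its correctness rests on a reader outside this hunk — the fix only works if pde_subdir_next() treats an RB_EMPTY_NODE as end-of-walk, and nothing in the hunk shows that. I would put the invariant above the helper: `/* Unlink pde and mark its node empty so pde_subdir_next() stops at a removed entry instead of stepping into a sibling that may already be freed (proc_readdir_de() drops proc_subdir_lock around each entry). Caller holds proc_subdir_lock for writing. */`. The write-lock requirement comes from the commit's race diagram rather than from these lines, so confirm it before stating it. Note the visible side effect for readers: a getdents() racing with removal now terminates the listing at the removed entry rather than continuing to later siblings, which is safe but deserves a mention in that comment. All three rb_erase call sites in the hunk are converted; any other erase of subdir_node elsewhere in the file (none visible here) would need the same treatment.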
@@ -0,0 +1,83 @@
+From ac1499fcd40fe06479e9b933347b837ccabc2a40 Mon Sep 17 00:00:00 2001
+From: Chuang Wang
+Date: Tue, 11 Nov 2025 14:43:24 +0800
+Subject: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
+
+From: Chuang Wang
+
+commit ac1499fcd40fe06479e9b933347b837ccabc2a40 upstream.
+
+The sit driver's packet transmission path calls: sit_tunnel_xmit() ->
+update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called
+to delete entries exceeding FNHE_RECLAIM_DEPTH+random.
+
+The race window is between fnhe_remove_oldest() selecting fnheX for
+deletion and the subsequent kfree_rcu(). During this time, the
+concurrent path's __mkroute_output() -> find_exception() can fetch the
+soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a
+new dst using a dst_hold(). When the original fnheX is freed via RCU,
+the dst reference remains permanently leaked.
+
+CPU 0 CPU 1
+__mkroute_output()
+ find_exception() [fnheX]
+ update_or_create_fnhe()
+ fnhe_remove_oldest() [fnheX]
+ rt_bind_exception() [bind dst]
+ RCU callback [fnheX freed, dst leak]
+
+This issue manifests as a device reference count leak and a warning in
+dmesg when unregistering the net device:
+
+ unregister_netdevice: waiting for sitX to become free. Usage count = N
+
+Ido Schimmel provided the simple test validation method [1].
+
+The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes().
+Since rt_bind_exception() checks this field, setting it to zero prevents
+the stale fnhe from being reused and bound to a new dst just before it
+is freed.
+
+[1]
+ip netns add ns1
+ip -n ns1 link set dev lo up
+ip -n ns1 address add 192.0.2.1/32 dev lo
+ip -n ns1 link add name dummy1 up type dummy
+ip -n ns1 route add 192.0.2.2/32 dev dummy1
+ip -n ns1 link add name gretap1 up arp off type gretap \
+ local 192.0.2.1 remote 192.0.2.2
+ip -n ns1 route add 198.51.0.0/16 dev gretap1
+taskset -c 0 ip netns exec ns1 mausezahn gretap1 \
+ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
+taskset -c 2 ip netns exec ns1 mausezahn gretap1 \
+ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
+sleep 10
+ip netns pids ns1 | xargs kill
+ip netns del ns1
+
+Cc: stable@vger.kernel.org
+Fixes: 67d6d681e15b ("ipv4: make exception cache less predictible")
+Signed-off-by: Chuang Wang
+Reviewed-by: Ido Schimmel
+Reviewed-by: Eric Dumazet
+Link: https://patch.msgid.link/20251111064328.24440-1-nashuiliang@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/route.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -617,6 +617,11 @@ static void fnhe_remove_oldest(struct fn
+ oldest_p = fnhe_p;
+ }
+ }
++
++ /* Clear oldest->fnhe_daddr to prevent this fnhe from being
++ * rebound with new dsts in rt_bind_exception().
++ */
++ oldest->fnhe_daddr = 0;
+ fnhe_flush_routes(oldest);
+ *oldest_p = oldest->fnhe_next;
+ kfree_rcu(oldest, rcu);
diff --git a/queue-6.1/mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch b/queue-6.1/mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch
new file mode 100644
index 0000000000..f08df8c772
--- /dev/null
+++ b/queue-6.1/mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch
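Review bot: `oldest->fnhe_daddr = 0;` is a plain store to a field that, by the commit's own race diagram, find_exception() on another CPU reads under RCU without the lock, so it should be `WRITE_ONCE(oldest->fnhe_daddr, 0);` (paired with a READ_ONCE on the lockless reader if it lacks one) so the compiler cannot tear the store or sink it past fnhe_flush_routes(), and so KCSAN does not flag the race. The fix closes the window only because rt_bind_exception() re-checks fnhe_daddr under the same spinlock fnhe_remove_oldest() is presumably called under, which the new comment implies but does not say; I would extend it with `* rt_bind_exception() re-checks daddr under the lock, so a lookup that raced with this removal cannot bind a new dst to it.` A reader that passed the daddr check before this store still depends on that lock ordering, which is inferred here rather than visible. fnhe_remove_oldest() starts outside the hunk.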
@@ -0,0 +1,34 @@
+From a28352cf2d2f8380e7aca8cb61682396dca7a991 Mon Sep 17 00:00:00 2001
+From: Shawn Lin
+Date: Mon, 20 Oct 2025 09:49:41 +0800
+Subject: mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4
+
+From: Shawn Lin
+
+commit a28352cf2d2f8380e7aca8cb61682396dca7a991 upstream.
+
+strbin signal delay under 0x8 configuration is not stable after massive
+test. The recommandation of it should be 0x4.
+
+Signed-off-by: Shawn Lin
+Tested-by: Alexey Charkov
+Tested-by: Hugh Cole-Baker
+Fixes: 08f3dff799d4 ("mmc: sdhci-of-dwcmshc: add rockchip platform support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci-of-dwcmshc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-of-dwcmshc.c
++++ b/drivers/mmc/host/sdhci-of-dwcmshc.c
+@@ -52,7 +52,7 @@
+ #define DLL_TXCLK_TAPNUM_DEFAULT 0x10
+ #define DLL_TXCLK_TAPNUM_90_DEGREES 0xA
+ #define DLL_TXCLK_TAPNUM_FROM_SW BIT(24)
+-#define DLL_STRBIN_TAPNUM_DEFAULT 0x8
++#define DLL_STRBIN_TAPNUM_DEFAULT 0x4
+ #define DLL_STRBIN_TAPNUM_FROM_SW BIT(24)
+ #define DLL_STRBIN_DELAY_NUM_SEL BIT(26)
+ #define DLL_STRBIN_DELAY_NUM_OFFSET 16
diff --git a/queue-6.1/series b/queue-6.1/series
index 0683237a7c..e96db7080f 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -402,3 +402,9 @@ ksmbd-close-accepted-socket-when-per-ip-limit-rejects-connection.patch
 strparser-fix-signed-unsigned-mismatch-bug.patch
 dma-mapping-benchmark-restore-padding-to-ensure-uabi-remained-consistent.patch
 loongarch-let-pte-pmd-_modify-record-the-status-of-_page_dirty.patch
+ipv4-route-prevent-rt_bind_exception-from-rebinding-stale-fnhe.patch
+wifi-mac80211-reject-address-change-while-connecting.patch
+fs-proc-fix-uaf-in-proc_readdir_de.patch
+mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch
+alsa-usb-audio-fix-potential-overflow-of-pcm-transfer-buffer.patch
+spi-try-to-get-acpi-gpio-irq-earlier.patch
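Review bot: The new value `0x4` is a hardware-tuning constant whose only justification lives in the commit message, so the define itself should say why it changed; a trailing comment such as `#define DLL_STRBIN_TAPNUM_DEFAULT 0x4 /* 0x8 proved unstable under extended testing; vendor recommends 0x4 */` keeps the reason with the code. Because this is the default for every user of the driver rather than a per-board override (inferred from the Fixes: reference, not visible here), the comment should also make clear it is a vendor recommendation, so boards that measured a different tap do not read it as a calibrated value.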
diff --git a/queue-6.1/spi-try-to-get-acpi-gpio-irq-earlier.patch b/queue-6.1/spi-try-to-get-acpi-gpio-irq-earlier.patch
new file mode 100644
index 0000000000..0c7abd0441
--- /dev/null
+++ b/queue-6.1/spi-try-to-get-acpi-gpio-irq-earlier.patch
@@ -0,0 +1,55 @@
+From 3cd2018e15b3d66d2187d92867e265f45ad79e6f Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Sun, 2 Nov 2025 20:09:21 +0100
+Subject: spi: Try to get ACPI GPIO IRQ earlier
+
+From: Hans de Goede
+
+commit 3cd2018e15b3d66d2187d92867e265f45ad79e6f upstream.
+
+Since commit d24cfee7f63d ("spi: Fix acpi deferred irq probe"), the
+acpi_dev_gpio_irq_get() call gets delayed till spi_probe() is called
+on the SPI device.
+
+If there is no driver for the SPI device then the move to spi_probe()
+results in acpi_dev_gpio_irq_get() never getting called. This may
+cause problems by leaving the GPIO pin floating because this call is
+responsible for setting up the GPIO pin direction and/or bias according
+to the values from the ACPI tables.
+
+Re-add the removed acpi_dev_gpio_irq_get() in acpi_register_spi_device()
+to ensure the GPIO pin is always correctly setup, while keeping the
+acpi_dev_gpio_irq_get() call added to spi_probe() to deal with
+-EPROBE_DEFER returns caused by the GPIO controller not having a driver
+yet.
+
+Link: https://bbs.archlinux.org/viewtopic.php?id=302348
+Fixes: d24cfee7f63d ("spi: Fix acpi deferred irq probe")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede
+Link: https://patch.msgid.link/20251102190921.30068-1-hansg@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -2707,6 +2707,16 @@ static acpi_status acpi_register_spi_dev
+ acpi_set_modalias(adev, acpi_device_hid(adev), spi->modalias,
+ sizeof(spi->modalias));
+
++ /*
++ * This gets re-tried in spi_probe() for -EPROBE_DEFER handling in case
++ * the GPIO controller does not have a driver yet. This needs to be done
++ * here too, because this call sets the GPIO direction and/or bias.
++ * Setting these needs to be done even if there is no driver, in which
++ * case spi_probe() will never get called.
++ */
++ if (spi->irq < 0)
++ spi->irq = acpi_dev_gpio_irq_get(adev, 0);
++
+ acpi_device_set_enumerated(adev);
+
+ adev->power.flags.ignore_parent = true;
diff --git a/queue-6.1/wifi-mac80211-reject-address-change-while-connecting.patch b/queue-6.1/wifi-mac80211-reject-address-change-while-connecting.patch
new file mode 100644
index 0000000000..5bb1508a0f
--- /dev/null
+++ b/queue-6.1/wifi-mac80211-reject-address-change-while-connecting.patch
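Review bot: Any error from acpi_dev_gpio_irq_get(), not only -EPROBE_DEFER, is stored into `spi->irq` and left there, so from registration until spi_probe() runs the field carries a negative errno rather than the "no IRQ" sentinel; the new comment explains why the call is made here but not that this is intentional, so I would append `* Errors, including -EPROBE_DEFER, are deliberately left in spi->irq for spi_probe() to retry and resolve.` (whether spi_probe() also maps other errors to "no IRQ" is outside the hunk — verify before stating it). It is also worth confirming that a second acpi_dev_gpio_irq_get() from spi_probe() after a successful call here is harmless; per the commit message only spi_probe()'s own `spi->irq < 0` guard prevents requesting the GPIO twice, and that guard is not visible here. acpi_register_spi_device() starts and ends outside the hunk.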
@@ -0,0 +1,60 @@
+From a9da90e618cd0669a22bcc06a96209db5dd96e9b Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Wed, 5 Nov 2025 15:41:19 +0100
+Subject: wifi: mac80211: reject address change while connecting
+
+From: Johannes Berg
+
+commit a9da90e618cd0669a22bcc06a96209db5dd96e9b upstream.
+
+While connecting, the MAC address can already no longer be
+changed. The change is already rejected if netif_carrier_ok(),
+but of course that's not true yet while connecting. Check for
+auth_data or assoc_data, so the MAC address cannot be changed.
+
+Also more comprehensively check that there are no stations on
+the interface being changed - if any peer station is added it
+will know about our address already, so we cannot change it.
+
+Cc: stable@vger.kernel.org
+Fixes: 3c06e91b40db ("wifi: mac80211: Support POWERED_ADDR_CHANGE feature")
+Link: https://patch.msgid.link/20251105154119.f9f6c1df81bb.I9bb3760ede650fb96588be0d09a5a7bdec21b217@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/iface.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -216,6 +216,10 @@ static int ieee80211_can_powered_addr_ch
+
+ mutex_lock(&local->mtx);
+
++ /* if any stations are set known (so they know this vif too), reject */
++ if (sta_info_get_by_idx(sdata, 0))
++ return -EBUSY;
++
+ /* First check no ROC work is happening on this iface */
+ list_for_each_entry(roc, &local->roc_list, list) {
+ if (roc->sdata != sdata)
+@@ -235,12 +239,16 @@ static int ieee80211_can_powered_addr_ch
+ ret = -EBUSY;
+ }
+
++ /*
++ * More interface types could be added here but changing the
++ * address while powered makes the most sense in client modes.
++ */
+ switch (sdata->vif.type) {
+ case NL80211_IFTYPE_STATION:
+ case NL80211_IFTYPE_P2P_CLIENT:
+- /* More interface types could be added here but changing the
+- * address while powered makes the most sense in client modes.
+- */
++ /* refuse while connecting */
++ if (sdata->u.mgd.auth_data || sdata->u.mgd.assoc_data)
++ return -EBUSY;
+ break;
+ default:
+ ret = -EOPNOTSUPP;
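Review bot: Both new `return -EBUSY;` statements exit with `local->mtx` still held: the first inner hunk shows `mutex_lock(&local->mtx);` two context lines above the station check, the second one's `if (sdata->u.mgd.auth_data || sdata->u.mgd.assoc_data) return -EBUSY;` sits inside a switch that is only reached after that lock, and the function's existing failure path in the same hunk (`ret = -EBUSY;`) sets `ret` rather than returning, presumably so a single unlock near the end (outside the hunk) runs. Upstream this function appears to be covered by a different lock with nothing to release on early return, so this is a hazard introduced by the backport: in 6.1 a MAC-address change attempted with a peer station present or an auth/assoc in flight would leave the mutex locked and wedge the next mac80211 operation that takes it. Release the lock on both paths in the style the function already uses — the switch case can simply do `ret = -EBUSY;` before `break;`, and the station check needs an explicit unlock (or a jump to the function's unlock label, if it has one). Separately, sta_info_get_by_idx() walks the station list, so confirm that the locking this 6.1 caller holds (only `local->mtx` is visible here) satisfies that helper's RCU/lockdep expectations.
```c
	mutex_lock(&local->mtx);

	/* if any stations are set known (so they know this vif too), reject */
	if (sta_info_get_by_idx(sdata, 0)) {
		mutex_unlock(&local->mtx);
		return -EBUSY;
	}

	/* … unchanged: ROC and scan checks, interface-type comment … */

	switch (sdata->vif.type) {
	case NL80211_IFTYPE_STATION:
	case NL80211_IFTYPE_P2P_CLIENT:
		/* refuse while connecting; ret is returned after the unlock below */
		if (sdata->u.mgd.auth_data || sdata->u.mgd.assoc_data)
			ret = -EBUSY;
		break;
	default:
		ret = -EOPNOTSUPP;
```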