From: Greg Kroah-Hartman Date: Wed, 8 Apr 2026 12:16:52 +0000 (+0200) Subject: 5.15-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7e722558e4f92dc4e01b205f09498aa85a4c6653;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: usb-gadget-f_rndis-protect-rndis-options-with-mutex.patch usb-gadget-f_subset-fix-unbalanced-refcnt-in-geth_free.patch usb-gadget-f_uac1_legacy-validate-control-request-size.patch
---
diff --git a/queue-5.15/series b/queue-5.15/series
index 12fde6b5a6..04b55a3d3b 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -497,3 +497,6 @@ media-uvcvideo-mark-invalid-entities-with-id-uvc_inv.patch
 net-mctp-don-t-access-ifa_index-when-missing.patch
 smb-client-fix-refcount-leak-for-cifs_sb_tlink.patch
 staging-rtl8723bs-fix-out-of-bounds-read-in-rtw_get_.patch
+usb-gadget-f_subset-fix-unbalanced-refcnt-in-geth_free.patch
+usb-gadget-f_rndis-protect-rndis-options-with-mutex.patch
+usb-gadget-f_uac1_legacy-validate-control-request-size.patch
diff --git a/queue-5.15/usb-gadget-f_rndis-protect-rndis-options-with-mutex.patch b/queue-5.15/usb-gadget-f_rndis-protect-rndis-options-with-mutex.patch
new file mode 100644
index 0000000000..4223b16dcd
--- /dev/null
+++ b/queue-5.15/usb-gadget-f_rndis-protect-rndis-options-with-mutex.patch
@@ -0,0 +1,46 @@
+From 8d8c68b1fc06ece60cf43e1306ff0f4ac121547e Mon Sep 17 00:00:00 2001
+From: Kuen-Han Tsai
+Date: Fri, 20 Mar 2026 16:54:45 +0800
+Subject: usb: gadget: f_rndis: Protect RNDIS options with mutex
+
+From: Kuen-Han Tsai
+
+commit 8d8c68b1fc06ece60cf43e1306ff0f4ac121547e upstream.
+
+The class/subclass/protocol options are suspectible to race conditions
+as they can be accessed concurrently through configfs.
+
+Use existing mutex to protect these options. This issue was identified
+during code inspection.
+
+Fixes: 73517cf49bd4 ("usb: gadget: add RNDIS configfs options for class/subclass/protocol")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kuen-Han Tsai
+Link: https://patch.msgid.link/20260320-usb-net-lifecycle-v1-2-4886b578161b@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_rndis.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/gadget/function/f_rndis.c
++++ b/drivers/usb/gadget/function/f_rndis.c
+@@ -11,6 +11,7 @@
+
+ /* #define VERBOSE_DEBUG */
+
++#include
+ #include
+ #include
+ #include
+@@ -690,9 +691,11 @@ rndis_bind(struct usb_configuration *c,
+ f->os_desc_table[0].os_desc = &rndis_opts->rndis_os_desc;
+ }
+
++ mutex_lock(&rndis_opts->lock);
+ rndis_iad_descriptor.bFunctionClass = rndis_opts->class;
+ rndis_iad_descriptor.bFunctionSubClass = rndis_opts->subclass;
+ rndis_iad_descriptor.bFunctionProtocol = rndis_opts->protocol;
++ mutex_unlock(&rndis_opts->lock);
+
+ /*
+ * in drivers/usb/gadget/configfs.c:configfs_composite_bind()
diff --git a/queue-5.15/usb-gadget-f_subset-fix-unbalanced-refcnt-in-geth_free.patch b/queue-5.15/usb-gadget-f_subset-fix-unbalanced-refcnt-in-geth_free.patch
new file mode 100644
index 0000000000..e9e2326899
--- /dev/null
+++ b/queue-5.15/usb-gadget-f_subset-fix-unbalanced-refcnt-in-geth_free.patch
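Review bot: The new `mutex_lock(&rndis_opts->lock)` in rndis_bind() (f_rndis.c) carries no comment saying what it pairs with, so a later reader cannot tell from the function why three plain field reads need a lock. I would add `/* rndis_opts->lock serialises these reads against configfs writes to class/subclass/protocol */` above the lock, since the commit message names configfs as the concurrent accessor. The writers are not visible in this hunk, so it is worth confirming that they take the same `rndis_opts->lock`; otherwise the reader-side lock alone does not close the race. rndis_bind() begins and ends outside the hunk.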
@@ -0,0 +1,49 @@
+From caa27923aacd8a5869207842f2ab1657c6c0c7bc Mon Sep 17 00:00:00 2001
+From: Kuen-Han Tsai
+Date: Fri, 20 Mar 2026 16:54:44 +0800
+Subject: usb: gadget: f_subset: Fix unbalanced refcnt in geth_free
+
+From: Kuen-Han Tsai
+
+commit caa27923aacd8a5869207842f2ab1657c6c0c7bc upstream.
+
+geth_alloc() increments the reference count, but geth_free() fails to
+decrement it. This prevents the configuration of attributes via configfs
+after unlinking the function.
+
+Decrement the reference count in geth_free() to ensure proper cleanup.
+
+Fixes: 02832e56f88a ("usb: gadget: f_subset: add configfs support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kuen-Han Tsai
+Link: https://patch.msgid.link/20260320-usb-net-lifecycle-v1-1-4886b578161b@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_subset.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/gadget/function/f_subset.c
++++ b/drivers/usb/gadget/function/f_subset.c
+@@ -6,6 +6,7 @@
+ * Copyright (C) 2008 Nokia Corporation
+ */
+
++#include
+ #include
+ #include
+ #include
+@@ -451,8 +452,14 @@ static struct usb_function_instance *get
+ static void geth_free(struct usb_function *f)
+ {
+ struct f_gether *eth;
++ struct f_gether_opts *opts;
++
++ opts = container_of(f->fi, struct f_gether_opts, func_inst);
+
+ eth = func_to_geth(f);
++ mutex_lock(&opts->lock);
++ opts->refcnt--;
++ mutex_unlock(&opts->lock);
+ kfree(eth);
+ }
+
diff --git a/queue-5.15/usb-gadget-f_uac1_legacy-validate-control-request-size.patch b/queue-5.15/usb-gadget-f_uac1_legacy-validate-control-request-size.patch
new file mode 100644
index 0000000000..a87e0d14b0
--- /dev/null
+++ b/queue-5.15/usb-gadget-f_uac1_legacy-validate-control-request-size.patch
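Review bot: The added `opts->refcnt--` in geth_free() (f_subset.c) is not documented as the counterpart of the increment in geth_alloc(), which is the whole reason for the change and is easy to lose in a later cleanup. I would put `/* drop the reference taken in geth_alloc() so the configfs attributes can be changed again */` above the `mutex_lock(&opts->lock)` line. The decrement is also unchecked; the type of `refcnt` is not visible here, but if it is a plain signed counter, a `WARN_ON(opts->refcnt <= 0);` before it would surface an unmatched free instead of letting the count go negative silently.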
@@ -0,0 +1,92 @@
+From 6e0e34d85cd46ceb37d16054e97a373a32770f6c Mon Sep 17 00:00:00 2001
+From: Taegu Ha
+Date: Thu, 2 Apr 2026 04:13:11 +0900
+Subject: usb: gadget: f_uac1_legacy: validate control request size
+
+From: Taegu Ha
+
+commit 6e0e34d85cd46ceb37d16054e97a373a32770f6c upstream.
+
+f_audio_complete() copies req->length bytes into a 4-byte stack
+variable:
+
+ u32 data = 0;
+ memcpy(&data, req->buf, req->length);
+
+req->length is derived from the host-controlled USB request path,
+which can lead to a stack out-of-bounds write.
+
+Validate req->actual against the expected payload size for the
+supported control selectors and decode only the expected amount
+of data.
+
+This avoids copying a host-influenced length into a fixed-size
+stack object.
+
+Signed-off-by: Taegu Ha
+Cc: stable
+Link: https://patch.msgid.link/20260401191311.3604898-1-hataegu0826@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_uac1_legacy.c | 47 ++++++++++++++++++++++------
+ 1 file changed, 37 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_uac1_legacy.c
++++ b/drivers/usb/gadget/function/f_uac1_legacy.c
+@@ -360,19 +360,46 @@ static int f_audio_out_ep_complete(struc
+ static void f_audio_complete(struct usb_ep *ep, struct usb_request *req)
+ {
+ struct f_audio *audio = req->context;
+- int status = req->status;
+- u32 data = 0;
+ struct usb_ep *out_ep = audio->out_ep;
+
+- switch (status) {
+-
+- case 0: /* normal completion?
*/
+- if (ep == out_ep)
++ switch (req->status) {
++ case 0:
++ if (ep == out_ep) {
+ f_audio_out_ep_complete(ep, req);
+- else if (audio->set_con) {
+- memcpy(&data, req->buf, req->length);
+- audio->set_con->set(audio->set_con, audio->set_cmd,
+- le16_to_cpu(data));
++ } else if (audio->set_con) {
++ struct usb_audio_control *con = audio->set_con;
++ u8 type = con->type;
++ u32 data;
++ bool valid_request = false;
++
++ switch (type) {
++ case UAC_FU_MUTE: {
++ u8 value;
++
++ if (req->actual == sizeof(value)) {
++ memcpy(&value, req->buf, sizeof(value));
++ data = value;
++ valid_request = true;
++ }
++ break;
++ }
++ case UAC_FU_VOLUME: {
++ __le16 value;
++
++ if (req->actual == sizeof(value)) {
++ memcpy(&value, req->buf, sizeof(value));
++ data = le16_to_cpu(value);
++ valid_request = true;
++ }
++ break;
++ }
++ }
++
++ if (valid_request)
++ con->set(con, audio->set_cmd, data);
++ else
++ usb_ep_set_halt(ep);
++
+ audio->set_con = NULL;
+ }
+ break;
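Review bot: The inner `switch (type)` in f_audio_complete() rejects any selector other than UAC_FU_MUTE and UAC_FU_VOLUME only implicitly, by leaving `valid_request` false, and `u32 data;` stays uninitialised on that path. That is correct as written, but a later case that sets `valid_request` without assigning `data` would hand stack contents to `con->set()`; I would keep the old `u32 data = 0;` and add `default: break; /* unsupported selector: stall below */`. The reject branch is also silent and drops the return value of `usb_ep_set_halt(ep)`, so a host sending a wrongly sized payload leaves no trace; a debug-level message there would help when diagnosing or spotting a misbehaving host. f_audio_complete() continues past the end of the hunk.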