From: Greg Kroah-Hartman
Date: Fri, 24 Apr 2026 12:36:32 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=ab886ebea4ef60c7a7c2fef9b5ad4bf0c225506f;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches
added patches:
alsa-usb-audio-fix-race-condition-to-uaf-in-snd_usbmidi_free.patch
tty-n_gsm-fix-flow-control-handling-in-tx-path.patch
---
diff --git a/queue-5.15/alsa-usb-audio-fix-race-condition-to-uaf-in-snd_usbmidi_free.patch b/queue-5.15/alsa-usb-audio-fix-race-condition-to-uaf-in-snd_usbmidi_free.patch
new file mode 100644
index 0000000000..1d99407d0a
--- /dev/null
+++ b/queue-5.15/alsa-usb-audio-fix-race-condition-to-uaf-in-snd_usbmidi_free.patch
@@ -0,0 +1,54 @@
+From 9f2c0ac1423d5f267e7f1d1940780fc764b0fee3 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park
+Date: Sun, 28 Sep 2025 02:39:24 +0900
+Subject: ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
+
+From: Jeongjun Park
+
+commit 9f2c0ac1423d5f267e7f1d1940780fc764b0fee3 upstream.
+
+The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
+removal") patched a UAF issue caused by the error timer.
+
+However, because the error timer kill added in this patch occurs after the
+endpoint delete, a race condition to UAF still occurs, albeit rarely.
+
+Additionally, since kill-cleanup for urb is also missing, freed memory can
+be accessed in interrupt context related to urb, which can cause UAF.
+
+Therefore, to prevent this, error timer and urb must be killed before
+freeing the heap memory.
+
+Cc:
+Reported-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
+Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
+Signed-off-by: Jeongjun Park
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/midi.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -1522,15 +1522,14 @@ static void snd_usbmidi_free(struct snd_
+ {
+ int i;
+
++ if (!umidi->disconnected)
++ snd_usbmidi_disconnect(&umidi->list);
++
+ for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
+ struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
+- if (ep->out)
+- snd_usbmidi_out_endpoint_delete(ep->out);
+- if (ep->in)
+- snd_usbmidi_in_endpoint_delete(ep->in);
++ kfree(ep->out);
+ }
+ mutex_destroy(&umidi->mutex);
+- timer_shutdown_sync(&umidi->error_timer);
+ kfree(umidi);
+ }
+
diff --git a/queue-5.15/series b/queue-5.15/series
index 75b471b9c8..885b2adbba 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
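Review bot: The rewritten loop in snd_usbmidi_free() now releases only `ep->out` with a bare `kfree()`, so everything else the removed `snd_usbmidi_out_endpoint_delete()` and `snd_usbmidi_in_endpoint_delete()` calls did (presumably URB and buffer teardown and freeing `ep->in`) must already have happened inside `snd_usbmidi_disconnect()`, whose body is outside this hunk. For a 5.15 backport that dependency should be checked against the tree's own disconnect path, together with the error-timer shutdown that this hunk drops from the free path. If the 5.15 disconnect differs from upstream, the result is either a leak or the same use-after-free the patch is meant to close. A short comment above the new call would record the ordering requirement, e.g. `/* quiesce URBs and error_timer before any endpoint memory is freed */`.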
@@ -179,3 +179,5 @@ crypto-ccp-don-t-attempt-to-copy-csr-to-userspace-if-psp-command-failed.patch
 crypto-ccp-don-t-attempt-to-copy-pdh-cert-to-userspace-if-psp-command-failed.patch
 crypto-ccp-don-t-attempt-to-copy-id-to-userspace-if-psp-command-failed.patch
 rxrpc-fix-missing-validation-of-ticket-length-in-non-xdr-key-preparsing.patch
+tty-n_gsm-fix-flow-control-handling-in-tx-path.patch
+alsa-usb-audio-fix-race-condition-to-uaf-in-snd_usbmidi_free.patch
diff --git a/queue-5.15/tty-n_gsm-fix-flow-control-handling-in-tx-path.patch b/queue-5.15/tty-n_gsm-fix-flow-control-handling-in-tx-path.patch
new file mode 100644
index 0000000000..61ac6ac0dd
--- /dev/null
+++ b/queue-5.15/tty-n_gsm-fix-flow-control-handling-in-tx-path.patch
@@ -0,0 +1,35 @@
+From 59ff0680ecbfec742b1e0381e7cc46b41eb06647 Mon Sep 17 00:00:00 2001
+From: Daniel Starke
+Date: Thu, 7 Jul 2022 13:32:22 +0200
+Subject: tty: n_gsm: fix flow control handling in tx path
+
+From: Daniel Starke
+
+commit 59ff0680ecbfec742b1e0381e7cc46b41eb06647 upstream.
+
+The current implementation constipates all transmission paths during flow
+control except for flow control frames. However, these may not be located
+at the beginning of the transmission queue of the control channel.
+Ensure that flow control frames in the transmission queue for the control
+channel are always handled even if constipated by skipping through other
+messages.
+
+Fixes: 0af021678d5d ("tty: n_gsm: fix deadlock and link starvation in outgoing data path")
+Signed-off-by: Daniel Starke
+Link: https://lore.kernel.org/r/20220707113223.3685-3-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/n_gsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -897,7 +897,7 @@ static int gsm_data_kick(struct gsm_mux
+ /* Serialize control messages and control channel messages first */
+ list_for_each_entry_safe(msg, nmsg, &gsm->tx_ctrl_list, list) {
+ if (gsm->constipated && !gsm_is_flow_ctrl_msg(msg))
+- return -EAGAIN;
++ continue;
+ ret = gsm_send_packet(gsm, msg);
+ switch (ret) {
+ case -ENOSPC:
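Review bot: Replacing `return -EAGAIN;` with `continue;` means a constipated mux no longer leaves gsm_data_kick() from inside the control-list loop, so whatever follows the loop now runs while flow control is asserted. The rest of the function is outside this hunk; the 5.15 tree should be confirmed to re-check `gsm->constipated` after the loop (presumably something like `if (gsm->constipated) return -EAGAIN;`) before any data-channel frames are sent, otherwise the backport would transmit data the peer asked to hold back. The patch also carries `Fixes: 0af021678d5d`, so it only makes sense if that commit is already present in queue-5.15.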