From: Greg Kroah-Hartman Date: Wed, 8 Apr 2026 13:22:57 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v6.1.168~14 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=d242c960dc939abdc085b83a7961c2624b999217;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: wifi-virt_wifi-remove-set_netdev_dev-to-avoid-use-after-free.patch --- diff --git a/queue-5.15/media-uvcvideo-mark-invalid-entities-with-id-uvc_inv.patch b/queue-5.15/media-uvcvideo-mark-invalid-entities-with-id-uvc_inv.patch deleted file mode 100644 index dd63e9cf0f..0000000000 --- a/queue-5.15/media-uvcvideo-mark-invalid-entities-with-id-uvc_inv.patch +++ /dev/null @@ -1,317 +0,0 @@ -From c00bc51ae203f02a86b8e4fae6901f4f9bec6ea9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 1 Apr 2026 16:10:48 +0800 -Subject: media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID - -From: Thadeu Lima de Souza Cascardo - -[ Upstream commit 0e2ee70291e64a30fe36960c85294726d34a103e ] - -Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero -unique ID. - -``` -Each Unit and Terminal within the video function is assigned a unique -identification number, the Unit ID (UID) or Terminal ID (TID), contained in -the bUnitID or bTerminalID field of the descriptor. The value 0x00 is -reserved for undefined ID, -``` - -If we add a new entity with id 0 or a duplicated ID, it will be marked -as UVC_INVALID_ENTITY_ID. - -In a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Require -entities to have a non-zero unique ID"), we ignored all the invalid units, -this broke a lot of non-compatible cameras. Hopefully we are more lucky -this time. - -This also prevents some syzkaller reproducers from triggering warnings due -to a chain of entities referring to themselves. In one particular case, an -Output Unit is connected to an Input Unit, both with the same ID of 1. But -when looking up for the source ID of the Output Unit, that same entity is -found instead of the input entity, which leads to such warnings. - -In another case, a backward chain was considered finished as the source ID -was 0. Later on, that entity was found, but its pads were not valid. - -Here is a sample stack trace for one of those cases. - -[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd -[ 20.830206] usb 1-1: Using ep0 maxpacket: 8 -[ 20.833501] usb 1-1: config 0 descriptor?? -[ 21.038518] usb 1-1: string descriptor 0 read error: -71 -[ 21.038893] usb 1-1: Found UVC 0.00 device (2833:0201) -[ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized! -[ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized! -[ 21.042218] ------------[ cut here ]------------ -[ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0 -[ 21.043195] Modules linked in: -[ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444 -[ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 -[ 21.044639] Workqueue: usb_hub_wq hub_event -[ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0 -[ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00 -[ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246 -[ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1 -[ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290 -[ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000 -[ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003 -[ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000 -[ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 -[ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0 -[ 21.051136] PKRU: 55555554 -[ 21.051331] Call Trace: -[ 21.051480] -[ 21.051611] ? __warn+0xc4/0x210 -[ 21.051861] ? media_create_pad_link+0x2c4/0x2e0 -[ 21.052252] ? report_bug+0x11b/0x1a0 -[ 21.052540] ? trace_hardirqs_on+0x31/0x40 -[ 21.052901] ? handle_bug+0x3d/0x70 -[ 21.053197] ? exc_invalid_op+0x1a/0x50 -[ 21.053511] ? asm_exc_invalid_op+0x1a/0x20 -[ 21.053924] ? media_create_pad_link+0x91/0x2e0 -[ 21.054364] ? media_create_pad_link+0x2c4/0x2e0 -[ 21.054834] ? media_create_pad_link+0x91/0x2e0 -[ 21.055131] ? _raw_spin_unlock+0x1e/0x40 -[ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210 -[ 21.055837] uvc_mc_register_entities+0x358/0x400 -[ 21.056144] uvc_register_chains+0x1fd/0x290 -[ 21.056413] uvc_probe+0x380e/0x3dc0 -[ 21.056676] ? __lock_acquire+0x5aa/0x26e0 -[ 21.056946] ? find_held_lock+0x33/0xa0 -[ 21.057196] ? kernfs_activate+0x70/0x80 -[ 21.057533] ? usb_match_dynamic_id+0x1b/0x70 -[ 21.057811] ? find_held_lock+0x33/0xa0 -[ 21.058047] ? usb_match_dynamic_id+0x55/0x70 -[ 21.058330] ? lock_release+0x124/0x260 -[ 21.058657] ? usb_match_one_id_intf+0xa2/0x100 -[ 21.058997] usb_probe_interface+0x1ba/0x330 -[ 21.059399] really_probe+0x1ba/0x4c0 -[ 21.059662] __driver_probe_device+0xb2/0x180 -[ 21.059944] driver_probe_device+0x5a/0x100 -[ 21.060170] __device_attach_driver+0xe9/0x160 -[ 21.060427] ? __pfx___device_attach_driver+0x10/0x10 -[ 21.060872] bus_for_each_drv+0xa9/0x100 -[ 21.061312] __device_attach+0xed/0x190 -[ 21.061812] device_initial_probe+0xe/0x20 -[ 21.062229] bus_probe_device+0x4d/0xd0 -[ 21.062590] device_add+0x308/0x590 -[ 21.062912] usb_set_configuration+0x7b6/0xaf0 -[ 21.063403] usb_generic_driver_probe+0x36/0x80 -[ 21.063714] usb_probe_device+0x7b/0x130 -[ 21.063936] really_probe+0x1ba/0x4c0 -[ 21.064111] __driver_probe_device+0xb2/0x180 -[ 21.064577] driver_probe_device+0x5a/0x100 -[ 21.065019] __device_attach_driver+0xe9/0x160 -[ 21.065403] ? __pfx___device_attach_driver+0x10/0x10 -[ 21.065820] bus_for_each_drv+0xa9/0x100 -[ 21.066094] __device_attach+0xed/0x190 -[ 21.066535] device_initial_probe+0xe/0x20 -[ 21.066992] bus_probe_device+0x4d/0xd0 -[ 21.067250] device_add+0x308/0x590 -[ 21.067501] usb_new_device+0x347/0x610 -[ 21.067817] hub_event+0x156b/0x1e30 -[ 21.068060] ? process_scheduled_works+0x48b/0xaf0 -[ 21.068337] process_scheduled_works+0x5a3/0xaf0 -[ 21.068668] worker_thread+0x3cf/0x560 -[ 21.068932] ? kthread+0x109/0x1b0 -[ 21.069133] kthread+0x197/0x1b0 -[ 21.069343] ? __pfx_worker_thread+0x10/0x10 -[ 21.069598] ? __pfx_kthread+0x10/0x10 -[ 21.069908] ret_from_fork+0x32/0x40 -[ 21.070169] ? __pfx_kthread+0x10/0x10 -[ 21.070424] ret_from_fork_asm+0x1a/0x30 -[ 21.070737] - -Reported-by: syzbot+0584f746fde3d52b4675@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=0584f746fde3d52b4675 -Reported-by: syzbot+dd320d114deb3f5bb79b@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=dd320d114deb3f5bb79b -Reported-by: Youngjun Lee -Fixes: a3fbc2e6bb05 ("media: mc-entity.c: use WARN_ON, validate link pads") -Cc: stable@vger.kernel.org -Signed-off-by: Thadeu Lima de Souza Cascardo -Co-developed-by: Ricardo Ribalda -Signed-off-by: Ricardo Ribalda -Reviewed-by: Laurent Pinchart -Reviewed-by: Hans de Goede -Signed-off-by: Hans de Goede -Signed-off-by: Laurent Pinchart -Signed-off-by: Hans Verkuil -Signed-off-by: Johnny Hao -Signed-off-by: Sasha Levin ---- - drivers/media/usb/uvc/uvc_driver.c | 73 +++++++++++++++++++----------- - drivers/media/usb/uvc/uvcvideo.h | 2 + - 2 files changed, 48 insertions(+), 27 deletions(-) - -diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c -index 858fc5b26a5e5..c39c1f237d10e 100644 ---- a/drivers/media/usb/uvc/uvc_driver.c -+++ b/drivers/media/usb/uvc/uvc_driver.c -@@ -413,6 +413,9 @@ struct uvc_entity *uvc_entity_by_id(struct uvc_device *dev, int id) - { - struct uvc_entity *entity; - -+ if (id == UVC_INVALID_ENTITY_ID) -+ return NULL; -+ - list_for_each_entry(entity, &dev->entities, list) { - if (entity->id == id) - return entity; -@@ -1029,14 +1032,27 @@ static const u8 uvc_media_transport_input_guid[16] = - UVC_GUID_UVC_MEDIA_TRANSPORT_INPUT; - static const u8 uvc_processing_guid[16] = UVC_GUID_UVC_PROCESSING; - --static struct uvc_entity *uvc_alloc_entity(u16 type, u16 id, -- unsigned int num_pads, unsigned int extra_size) -+static struct uvc_entity *uvc_alloc_new_entity(struct uvc_device *dev, u16 type, -+ u16 id, unsigned int num_pads, -+ unsigned int extra_size) - { - struct uvc_entity *entity; - unsigned int num_inputs; - unsigned int size; - unsigned int i; - -+ /* Per UVC 1.1+ spec 3.7.2, the ID should be non-zero. */ -+ if (id == 0) { -+ dev_err(&dev->intf->dev, "Found Unit with invalid ID 0\n"); -+ id = UVC_INVALID_ENTITY_ID; -+ } -+ -+ /* Per UVC 1.1+ spec 3.7.2, the ID is unique. */ -+ if (uvc_entity_by_id(dev, id)) { -+ dev_err(&dev->intf->dev, "Found multiple Units with ID %u\n", id); -+ id = UVC_INVALID_ENTITY_ID; -+ } -+ - extra_size = roundup(extra_size, sizeof(*entity->pads)); - if (num_pads) - num_inputs = type & UVC_TERM_OUTPUT ? num_pads : num_pads - 1; -@@ -1046,7 +1062,7 @@ static struct uvc_entity *uvc_alloc_entity(u16 type, u16 id, - + num_inputs; - entity = kzalloc(size, GFP_KERNEL); - if (entity == NULL) -- return NULL; -+ return ERR_PTR(-ENOMEM); - - entity->id = id; - entity->type = type; -@@ -1136,10 +1152,10 @@ static int uvc_parse_vendor_control(struct uvc_device *dev, - break; - } - -- unit = uvc_alloc_entity(UVC_VC_EXTENSION_UNIT, buffer[3], -- p + 1, 2*n); -- if (unit == NULL) -- return -ENOMEM; -+ unit = uvc_alloc_new_entity(dev, UVC_VC_EXTENSION_UNIT, -+ buffer[3], p + 1, 2 * n); -+ if (IS_ERR(unit)) -+ return PTR_ERR(unit); - - memcpy(unit->guid, &buffer[4], 16); - unit->extension.bNumControls = buffer[20]; -@@ -1249,10 +1265,10 @@ static int uvc_parse_standard_control(struct uvc_device *dev, - return -EINVAL; - } - -- term = uvc_alloc_entity(type | UVC_TERM_INPUT, buffer[3], -- 1, n + p); -- if (term == NULL) -- return -ENOMEM; -+ term = uvc_alloc_new_entity(dev, type | UVC_TERM_INPUT, -+ buffer[3], 1, n + p); -+ if (IS_ERR(term)) -+ return PTR_ERR(term); - - if (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA) { - term->camera.bControlSize = n; -@@ -1308,10 +1324,10 @@ static int uvc_parse_standard_control(struct uvc_device *dev, - return 0; - } - -- term = uvc_alloc_entity(type | UVC_TERM_OUTPUT, buffer[3], -- 1, 0); -- if (term == NULL) -- return -ENOMEM; -+ term = uvc_alloc_new_entity(dev, type | UVC_TERM_OUTPUT, -+ buffer[3], 1, 0); -+ if (IS_ERR(term)) -+ return PTR_ERR(term); - - memcpy(term->baSourceID, &buffer[7], 1); - -@@ -1332,9 +1348,10 @@ static int uvc_parse_standard_control(struct uvc_device *dev, - return -EINVAL; - } - -- unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, 0); -- if (unit == NULL) -- return -ENOMEM; -+ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], -+ p + 1, 0); -+ if (IS_ERR(unit)) -+ return PTR_ERR(unit); - - memcpy(unit->baSourceID, &buffer[5], p); - -@@ -1356,9 +1373,9 @@ static int uvc_parse_standard_control(struct uvc_device *dev, - return -EINVAL; - } - -- unit = uvc_alloc_entity(buffer[2], buffer[3], 2, n); -- if (unit == NULL) -- return -ENOMEM; -+ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], 2, n); -+ if (IS_ERR(unit)) -+ return PTR_ERR(unit); - - memcpy(unit->baSourceID, &buffer[4], 1); - unit->processing.wMaxMultiplier = -@@ -1387,9 +1404,10 @@ static int uvc_parse_standard_control(struct uvc_device *dev, - return -EINVAL; - } - -- unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, n); -- if (unit == NULL) -- return -ENOMEM; -+ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], -+ p + 1, n); -+ if (IS_ERR(unit)) -+ return PTR_ERR(unit); - - memcpy(unit->guid, &buffer[4], 16); - unit->extension.bNumControls = buffer[20]; -@@ -1528,9 +1546,10 @@ static int uvc_gpio_parse(struct uvc_device *dev) - return dev_err_probe(&dev->intf->dev, irq, - "No IRQ for privacy GPIO\n"); - -- unit = uvc_alloc_entity(UVC_EXT_GPIO_UNIT, UVC_EXT_GPIO_UNIT_ID, 0, 1); -- if (!unit) -- return -ENOMEM; -+ unit = uvc_alloc_new_entity(dev, UVC_EXT_GPIO_UNIT, -+ UVC_EXT_GPIO_UNIT_ID, 0, 1); -+ if (IS_ERR(unit)) -+ return PTR_ERR(unit); - - unit->gpio.gpio_privacy = gpio_privacy; - unit->gpio.irq = irq; -diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h -index 95af1591f1059..be4b746d902c6 100644 ---- a/drivers/media/usb/uvc/uvcvideo.h -+++ b/drivers/media/usb/uvc/uvcvideo.h -@@ -41,6 +41,8 @@ - #define UVC_EXT_GPIO_UNIT 0x7ffe - #define UVC_EXT_GPIO_UNIT_ID 0x100 - -+#define UVC_INVALID_ENTITY_ID 0xffff -+ - /* ------------------------------------------------------------------------ - * GUIDs - */ --- -2.53.0 - diff --git a/queue-5.15/series b/queue-5.15/series index 458773c4fa..d890673622 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -493,7 +493,6 @@ can-gs_usb-gs_usb_receive_bulk_callback-fix-urb-memo.patch can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch fbcon-set-fb_display-i-mode-to-null-when-the-mode-is.patch -media-uvcvideo-mark-invalid-entities-with-id-uvc_inv.patch net-mctp-don-t-access-ifa_index-when-missing.patch smb-client-fix-refcount-leak-for-cifs_sb_tlink.patch staging-rtl8723bs-fix-out-of-bounds-read-in-rtw_get_.patch @@ -501,3 +500,4 @@ usb-gadget-f_subset-fix-unbalanced-refcnt-in-geth_free.patch usb-gadget-f_rndis-protect-rndis-options-with-mutex.patch usb-gadget-f_uac1_legacy-validate-control-request-size.patch io_uring-tctx-work-around-xa_store-allocation-error-issue.patch +wifi-virt_wifi-remove-set_netdev_dev-to-avoid-use-after-free.patch diff --git a/queue-5.15/wifi-virt_wifi-remove-set_netdev_dev-to-avoid-use-after-free.patch b/queue-5.15/wifi-virt_wifi-remove-set_netdev_dev-to-avoid-use-after-free.patch new file mode 100644 index 0000000000..ae83fc33cb --- /dev/null +++ b/queue-5.15/wifi-virt_wifi-remove-set_netdev_dev-to-avoid-use-after-free.patch @@ -0,0 +1,101 @@ +From 789b06f9f39cdc7e895bdab2c034e39c41c8f8d6 Mon Sep 17 00:00:00 2001 +From: Alexander Popov +Date: Wed, 25 Mar 2026 01:46:02 +0300 +Subject: wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free + +From: Alexander Popov + +commit 789b06f9f39cdc7e895bdab2c034e39c41c8f8d6 upstream. + +Currently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for +the virt_wifi net devices. However, unregistering a virt_wifi device in +netdev_run_todo() can happen together with the device referenced by +SET_NETDEV_DEV(). + +It can result in use-after-free during the ethtool operations performed +on a virt_wifi device that is currently being unregistered. Such a net +device can have the `dev.parent` field pointing to the freed memory, +but ethnl_ops_begin() calls `pm_runtime_get_sync(dev->dev.parent)`. + +Let's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this: + + ================================================================== + BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0 + Read of size 2 at addr ffff88810cfc46f8 by task pm/606 + + Call Trace: + + dump_stack_lvl+0x4d/0x70 + print_report+0x170/0x4f3 + ? __pfx__raw_spin_lock_irqsave+0x10/0x10 + kasan_report+0xda/0x110 + ? __pm_runtime_resume+0xe2/0xf0 + ? __pm_runtime_resume+0xe2/0xf0 + __pm_runtime_resume+0xe2/0xf0 + ethnl_ops_begin+0x49/0x270 + ethnl_set_features+0x23c/0xab0 + ? __pfx_ethnl_set_features+0x10/0x10 + ? kvm_sched_clock_read+0x11/0x20 + ? local_clock_noinstr+0xf/0xf0 + ? local_clock+0x10/0x30 + ? kasan_save_track+0x25/0x60 + ? __kasan_kmalloc+0x7f/0x90 + ? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0 + genl_family_rcv_msg_doit+0x1e7/0x2c0 + ? __pfx_genl_family_rcv_msg_doit+0x10/0x10 + ? __pfx_cred_has_capability.isra.0+0x10/0x10 + ? stack_trace_save+0x8e/0xc0 + genl_rcv_msg+0x411/0x660 + ? __pfx_genl_rcv_msg+0x10/0x10 + ? __pfx_ethnl_set_features+0x10/0x10 + netlink_rcv_skb+0x121/0x380 + ? __pfx_genl_rcv_msg+0x10/0x10 + ? __pfx_netlink_rcv_skb+0x10/0x10 + ? __pfx_down_read+0x10/0x10 + genl_rcv+0x23/0x30 + netlink_unicast+0x60f/0x830 + ? __pfx_netlink_unicast+0x10/0x10 + ? __pfx___alloc_skb+0x10/0x10 + netlink_sendmsg+0x6ea/0xbc0 + ? __pfx_netlink_sendmsg+0x10/0x10 + ? __futex_queue+0x10b/0x1f0 + ____sys_sendmsg+0x7a2/0x950 + ? copy_msghdr_from_user+0x26b/0x430 + ? __pfx_____sys_sendmsg+0x10/0x10 + ? __pfx_copy_msghdr_from_user+0x10/0x10 + ___sys_sendmsg+0xf8/0x180 + ? __pfx____sys_sendmsg+0x10/0x10 + ? __pfx_futex_wait+0x10/0x10 + ? fdget+0x2e4/0x4a0 + __sys_sendmsg+0x11f/0x1c0 + ? __pfx___sys_sendmsg+0x10/0x10 + do_syscall_64+0xe2/0x570 + ? exc_page_fault+0x66/0xb0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +This fix may be combined with another one in the ethtool subsystem: +https://lore.kernel.org/all/20260322075917.254874-1-alex.popov@linux.com/T/#u + +Fixes: d43c65b05b848e0b ("ethtool: runtime-resume netdev parent in ethnl_ops_begin") +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Popov +Acked-by: Greg Kroah-Hartman +Reviewed-by: Breno Leitao +Link: https://patch.msgid.link/20260324224607.374327-1-alex.popov@linux.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/virt_wifi.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/wireless/virt_wifi.c ++++ b/drivers/net/wireless/virt_wifi.c +@@ -553,7 +553,6 @@ static int virt_wifi_newlink(struct net + eth_hw_addr_inherit(dev, priv->lowerdev); + netif_stacked_transfer_operstate(priv->lowerdev, dev); + +- SET_NETDEV_DEV(dev, &priv->lowerdev->dev); + dev->ieee80211_ptr = kzalloc(sizeof(*dev->ieee80211_ptr), GFP_KERNEL); + + if (!dev->ieee80211_ptr) {