From: Greg Kroah-Hartman Date: Mon, 20 Apr 2026 10:15:15 +0000 (+0200) Subject: 5.15-stable patches X-Git-Url: http://git.ipfire.org/index.cgi?a=commitdiff_plain;h=379ab2bcaf4e1886d33cf6e7749be4df2d5a4ae0;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: alsa-fireworks-bound-device-supplied-status-before-string-array-lookup.patch can-raw-fix-ro-uniq-use-after-free-in-raw_rcv.patch fbdev-tdfxfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch hid-alps-fix-null-pointer-dereference-in-alps_raw_event.patch hid-core-clamp-report_size-in-s32ton-to-avoid-undefined-shift.patch i2c-s3c24xx-check-the-size-of-the-smbus-message-before-using-it.patch net-usb-cdc-phonet-fix-skb-frags-overflow-in-rx_complete.patch nfc-digital-bounds-check-nfc-a-cascade-depth-in-sdd-response-handler.patch nfc-llcp-add-missing-return-after-llcp_closed-checks.patch staging-rtl8723bs-initialize-le_tmp64-in-rtw_bip_verify.patch usb-gadget-f_ncm-validate-minimum-block_len-in-ncm_unwrap_ntb.patch usb-gadget-f_phonet-fix-skb-frags-overflow-in-pn_rx_complete.patch usb-gadget-renesas_usb3-validate-endpoint-index-in-standard-request-handlers.patch usb-storage-expand-range-of-matched-versions-for-vl817-quirks-entry.patch usbip-validate-number_of_packets-in-usbip_pack_ret_submit.patch --- diff --git a/queue-5.15/alsa-fireworks-bound-device-supplied-status-before-string-array-lookup.patch b/queue-5.15/alsa-fireworks-bound-device-supplied-status-before-string-array-lookup.patch new file mode 100644 index 0000000000..75ea0789d7 --- /dev/null +++ b/queue-5.15/alsa-fireworks-bound-device-supplied-status-before-string-array-lookup.patch 
@@ -0,0 +1,52 @@ +From 07704bbf36f57e4379e4cadf96410dab14621e3b Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 9 Apr 2026 16:05:54 +0200 +Subject: ALSA: fireworks: bound device-supplied status before string array lookup + +From: Greg Kroah-Hartman + +commit 07704bbf36f57e4379e4cadf96410dab14621e3b upstream. + +The status field in an EFW response is a 32-bit value supplied by the +firewire device. efr_status_names[] has 17 entries so a status value +outside that range goes off into the weeds when looking at the %s value. + +Even worse, the status could return EFR_STATUS_INCOMPLETE which is +0x80000000, and is obviously not in that array of potential strings. + +Fix this up by properly bounding the index against the array size and +printing "unknown" if it's not recognized. + +Cc: Clemens Ladisch +Cc: Takashi Sakamoto +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Fixes: bde8a8f23bbe ("ALSA: fireworks: Add transaction and some commands") +Cc: stable +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: Takashi Sakamoto +Link: https://patch.msgid.link/2026040953-astute-camera-1aa1@gregkh +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/firewire/fireworks/fireworks_command.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/sound/firewire/fireworks/fireworks_command.c ++++ b/sound/firewire/fireworks/fireworks_command.c +@@ -151,10 +151,13 @@ efw_transaction(struct snd_efw *efw, uns + (be32_to_cpu(header->category) != category) || + (be32_to_cpu(header->command) != command) || + (be32_to_cpu(header->status) != EFR_STATUS_OK)) { ++ u32 st = be32_to_cpu(header->status); ++ + dev_err(&efw->unit->device, "EFW command failed [%u/%u]: %s\n", + be32_to_cpu(header->category), + be32_to_cpu(header->command), +- efr_status_names[be32_to_cpu(header->status)]); ++ st < ARRAY_SIZE(efr_status_names) ? ++ efr_status_names[st] : "unknown"); + err = -EIO; + goto end; + } 
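Review bot: The `"unknown"` fallback in the dev_err() call discards the status value that triggered it, so an out-of-range status (the EFR_STATUS_INCOMPLETE case the commit message cites) leaves no way to tell which code the device actually returned. Printing `st` alongside the name keeps the diagnostic useful, e.g. `"EFW command failed [%u/%u]: %s (status %#x)\n"` with `st` appended to the argument list. The `st < ARRAY_SIZE(efr_status_names)` comparison itself is sound since `st` is an unsigned u32. efw_transaction() starts and ends outside this hunk.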
diff --git a/queue-5.15/can-raw-fix-ro-uniq-use-after-free-in-raw_rcv.patch b/queue-5.15/can-raw-fix-ro-uniq-use-after-free-in-raw_rcv.patch new file mode 100644 index 0000000000..06c1a12c24 --- /dev/null +++ b/queue-5.15/can-raw-fix-ro-uniq-use-after-free-in-raw_rcv.patch 
@@ -0,0 +1,68 @@ +From a535a9217ca3f2fccedaafb2fddb4c48f27d36dc Mon Sep 17 00:00:00 2001 +From: Samuel Page +Date: Wed, 8 Apr 2026 15:30:13 +0100 +Subject: can: raw: fix ro->uniq use-after-free in raw_rcv() + +From: Samuel Page + +commit a535a9217ca3f2fccedaafb2fddb4c48f27d36dc upstream. + +raw_release() unregisters raw CAN receive filters via can_rx_unregister(), +but receiver deletion is deferred with call_rcu(). This leaves a window +where raw_rcv() may still be running in an RCU read-side critical section +after raw_release() frees ro->uniq, leading to a use-after-free of the +percpu uniq storage. + +Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific +socket destructor. can_rx_unregister() takes an extra reference to the +socket and only drops it from the RCU callback, so freeing uniq from +sk_destruct ensures the percpu area is not released until the relevant +callbacks have drained. + +Fixes: 514ac99c64b2 ("can: fix multiple delivery of a single CAN frame for overlapping CAN filters") +Cc: stable@vger.kernel.org # v4.1+ +Assisted-by: Bynario AI +Signed-off-by: Samuel Page +Link: https://patch.msgid.link/26ec626d-cae7-4418-9782-7198864d070c@bynar.io +Acked-by: Oliver Hartkopp +[mkl: applied manually] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/raw.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/net/can/raw.c ++++ b/net/can/raw.c +@@ -333,6 +333,14 @@ static int raw_notifier(struct notifier_ + return NOTIFY_DONE; + } + ++static void raw_sock_destruct(struct sock *sk) ++{ ++ struct raw_sock *ro = raw_sk(sk); ++ ++ free_percpu(ro->uniq); ++ can_sock_destruct(sk); ++} ++ + static int raw_init(struct sock *sk) + { + struct raw_sock *ro = raw_sk(sk); +@@ -358,6 +366,8 @@ static int raw_init(struct sock *sk) + if (unlikely(!ro->uniq)) + return -ENOMEM; + ++ sk->sk_destruct = raw_sock_destruct; ++ + /* set notifier */ + spin_lock(&raw_notifier_lock); + 
list_add_tail(&ro->notifier, &raw_notifier_list); +@@ -405,7 +415,6 @@ static int raw_release(struct socket *so + ro->bound = 0; + ro->dev = NULL; + ro->count = 0; +- free_percpu(ro->uniq); + + sock_orphan(sk); + sock->sk = NULL; diff --git a/queue-5.15/fbdev-tdfxfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch b/queue-5.15/fbdev-tdfxfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch new file mode 100644 index 0000000000..d3ee5c466d --- /dev/null +++ b/queue-5.15/fbdev-tdfxfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch @@ -0,0 +1,36 @@ +From 8f98b81fe011e1879e6a7b1247e69e06a5e17af2 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 9 Apr 2026 15:23:14 +0200 +Subject: fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO + +From: Greg Kroah-Hartman + +commit 8f98b81fe011e1879e6a7b1247e69e06a5e17af2 upstream. + +Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide +by zero error"), we also need to prevent that same crash from happening +in the udlfb driver as it uses pixclock directly when dividing, which +will crash. + +Cc: Helge Deller +Assisted-by: gregkh_clanker_t1000 +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/tdfxfb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/video/fbdev/tdfxfb.c ++++ b/drivers/video/fbdev/tdfxfb.c +@@ -495,6 +495,9 @@ static int tdfxfb_check_var(struct fb_va + } + } + ++ if (!var->pixclock) ++ return -EINVAL; ++ + if (PICOS2KHZ(var->pixclock) > par->max_pixclock) { + DPRINTK("pixclock too high (%ldKHz)\n", + PICOS2KHZ(var->pixclock)); diff --git a/queue-5.15/hid-alps-fix-null-pointer-dereference-in-alps_raw_event.patch b/queue-5.15/hid-alps-fix-null-pointer-dereference-in-alps_raw_event.patch new file mode 100644 index 0000000000..1b8f5a4ed0 --- /dev/null +++ b/queue-5.15/hid-alps-fix-null-pointer-dereference-in-alps_raw_event.patch 
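Review bot: The move of `free_percpu(ro->uniq)` from raw_release() into raw_sock_destruct() is explained only in the commit message, so a later cleanup could easily move the free back and reintroduce the use-after-free. A short comment above raw_sock_destruct(), e.g. `/* ro->uniq must outlive raw_release(): raw_rcv() may still run under RCU until the can_rx_unregister() callback drops the socket reference */`, would pin the ordering in the code. The `sk->sk_destruct = raw_sock_destruct;` assignment is placed after the uniq allocation check, so the destructor is only installed once uniq is valid. raw_init() and raw_release() both extend beyond this hunk.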
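Review bot: The commit description says the divide-by-zero is being prevented "in the udlfb driver", but the hunk patches drivers/video/fbdev/tdfxfb.c (tdfxfb_check_var()); the text should name tdfxfb so the backport stays traceable to the right driver. The added `if (!var->pixclock) return -EINVAL;` correctly precedes the PICOS2KHZ(var->pixclock) division on the following line. tdfxfb_check_var() starts and ends outside this hunk.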
@@ -0,0 +1,44 @@ +From 1badfc4319224820d5d890f8eab6aa52e4e83339 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 6 Apr 2026 16:03:25 +0200 +Subject: HID: alps: fix NULL pointer dereference in alps_raw_event() + +From: Greg Kroah-Hartman + +commit 1badfc4319224820d5d890f8eab6aa52e4e83339 upstream. + +Commit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event +callbacks missing them") attempted to fix up the HID drivers that had +missed the previous fix that was done in 2ff5baa9b527 ("HID: appleir: +Fix potential NULL dereference at raw event handle"), but the alps +driver was missed. + +Fix this up by properly checking in the hid-alps driver that it had been +claimed correctly before attempting to process the raw event. + +Fixes: 73196ebe134d ("HID: alps: add support for Alps T4 Touchpad device") +Cc: stable +Cc: Jiri Kosina +Cc: Benjamin Tissoires +Cc: Masaki Ota +Cc: linux-input@vger.kernel.org +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-alps.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/hid/hid-alps.c ++++ b/drivers/hid/hid-alps.c +@@ -437,6 +437,9 @@ static int alps_raw_event(struct hid_dev + int ret = 0; + struct alps_dev *hdata = hid_get_drvdata(hdev); + ++ if (!(hdev->claimed & HID_CLAIMED_INPUT) || !hdata->input) ++ return 0; ++ + switch (hdev->product) { + case HID_PRODUCT_ID_T4_BTNLESS: + ret = t4_raw_event(hdata, data, size); diff --git a/queue-5.15/hid-core-clamp-report_size-in-s32ton-to-avoid-undefined-shift.patch b/queue-5.15/hid-core-clamp-report_size-in-s32ton-to-avoid-undefined-shift.patch new file mode 100644 index 0000000000..0acaa797bd --- /dev/null +++ b/queue-5.15/hid-core-clamp-report_size-in-s32ton-to-avoid-undefined-shift.patch 
@@ -0,0 +1,48 @@ +From 69c02ffde6ed4d535fa4e693a9e572729cad3d0d Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 6 Apr 2026 16:04:10 +0200 +Subject: HID: core: clamp report_size in s32ton() to avoid undefined shift + +From: Greg Kroah-Hartman + +commit 69c02ffde6ed4d535fa4e693a9e572729cad3d0d upstream. + +s32ton() shifts by n-1 where n is the field's report_size, a value that +comes directly from a HID device. The HID parser bounds report_size +only to <= 256, so a broken HID device can supply a report descriptor +with a wide field that triggers shift exponents up to 256 on a 32-bit +type when an output report is built via hid_output_field() or +hid_set_field(). + +Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in +hid_report_raw_event") added the same n > 32 clamp to the function +snto32(), but s32ton() was never given the same fix as I guess syzbot +hadn't figured out how to fuzz a device the same way. + +Fix this up by just clamping the max value of n, just like snto32() +does. + +Cc: stable +Cc: Jiri Kosina +Cc: Benjamin Tissoires +Cc: linux-input@vger.kernel.org +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1354,6 +1354,9 @@ static u32 s32ton(__s32 value, unsigned + if (!value || !n) + return 0; + ++ if (n > 32) ++ n = 32; ++ + a = value >> (n - 1); + if (a && a != -1) + return value < 0 ? 1 << (n - 1) : (1 << (n - 1)) - 1; diff --git a/queue-5.15/i2c-s3c24xx-check-the-size-of-the-smbus-message-before-using-it.patch b/queue-5.15/i2c-s3c24xx-check-the-size-of-the-smbus-message-before-using-it.patch new file mode 100644 index 0000000000..865f85cf7f --- /dev/null +++ b/queue-5.15/i2c-s3c24xx-check-the-size-of-the-smbus-message-before-using-it.patch 
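Review bot: With `n` now clamped to 32, the expression `1 << (n - 1)` on the line after the clamp becomes `1 << 31` on a plain int, which shifts into the sign bit and is undefined under C11 (the kernel's -fno-strict-overflow makes it work in practice, but UBSAN shift instrumentation may still report it); writing it as `1U << (n - 1)` matches the u32 return type and keeps the computation well-defined at the new upper bound. The remainder of s32ton() is outside this hunk — if it still masks with `(1 << n) - 1`, that is a shift by the full width at n == 32 and needs the same treatment, e.g. special-casing n == 32. The clamp itself mirrors snto32() as the message says.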
@@ -0,0 +1,46 @@ +From c0128c7157d639a931353ea344fb44aad6d6e17a Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 18:05:15 +0100 +Subject: i2c: s3c24xx: check the size of the SMBUS message before using it + +From: Greg Kroah-Hartman + +commit c0128c7157d639a931353ea344fb44aad6d6e17a upstream. + +The first byte of an i2c SMBUS message is the size, and it should be +verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX +before processing it. + +This is the same logic that was added in commit a6e04f05ce0b ("i2c: +tegra: check msg length in SMBUS block read") to the i2c tegra driver. + +Cc: Krzysztof Kozlowski +Cc: Alim Akhtar +Cc: Andi Shyti +Cc: stable +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/2026022314-rely-scrubbed-4839@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-s3c2410.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-s3c2410.c ++++ b/drivers/i2c/busses/i2c-s3c2410.c +@@ -508,8 +508,13 @@ static int i2c_s3c_irq_nextbyte(struct s + i2c->msg->buf[i2c->msg_ptr++] = byte; + + /* Add actual length to read for smbus block read */ +- if (i2c->msg->flags & I2C_M_RECV_LEN && i2c->msg->len == 1) ++ if (i2c->msg->flags & I2C_M_RECV_LEN && i2c->msg->len == 1) { ++ if (byte == 0 || byte > I2C_SMBUS_BLOCK_MAX) { ++ s3c24xx_i2c_stop(i2c, -EPROTO); ++ break; ++ } + i2c->msg->len += byte; ++ } + prepare_read: + if (is_msglast(i2c)) { + /* last byte of buffer */ diff --git a/queue-5.15/net-usb-cdc-phonet-fix-skb-frags-overflow-in-rx_complete.patch b/queue-5.15/net-usb-cdc-phonet-fix-skb-frags-overflow-in-rx_complete.patch new file mode 100644 index 0000000000..1174630614 --- /dev/null +++ b/queue-5.15/net-usb-cdc-phonet-fix-skb-frags-overflow-in-rx_complete.patch 
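Review bot: The new check rejects `byte == 0`, while the commit description gives the valid range as 0..I2C_SMBUS_BLOCK_MAX; the two should agree, and a comment on the `if` stating why a zero block count is a protocol error, e.g. `/* SMBus block reads carry 1..I2C_SMBUS_BLOCK_MAX data bytes */`, would make the intent explicit. The `break` after s3c24xx_i2c_stop() leaves the switch with `msg_ptr` already advanced past the length byte, which is presumably what the stop path expects — worth confirming, since i2c_s3c_irq_nextbyte() continues outside this hunk.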
@@ -0,0 +1,54 @@ +From 600dc40554dc5ad1e6f3af51f700228033f43ea7 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Sat, 11 Apr 2026 13:01:35 +0200 +Subject: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() + +From: Greg Kroah-Hartman + +commit 600dc40554dc5ad1e6f3af51f700228033f43ea7 upstream. + +A malicious USB device claiming to be a CDC Phonet modem can overflow +the skb_shared_info->frags[] array by sending an unbounded sequence of +full-page bulk transfers. + +Drop the skb and increment the length error when the frag limit is +reached. This matches the same fix that commit f0813bcd2d9d ("net: +wwan: t7xx: fix potential skb->frags overflow in RX path") did for the +t7xx driver. + +Cc: Andrew Lunn +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: stable +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026041134-dreamboat-buddhism-d1ec@gregkh +Fixes: 87cf65601e17 ("USB host CDC Phonet network interface driver") +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc-phonet.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/cdc-phonet.c ++++ b/drivers/net/usb/cdc-phonet.c +@@ -157,11 +157,16 @@ static void rx_complete(struct urb *req) + PAGE_SIZE); + page = NULL; + } +- } else { ++ } else if (skb_shinfo(skb)->nr_frags < MAX_SKB_FRAGS) { + skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, + page, 0, req->actual_length, + PAGE_SIZE); + page = NULL; ++ } else { ++ dev_kfree_skb_any(skb); ++ pnd->rx_skb = NULL; ++ skb = NULL; ++ dev->stats.rx_length_errors++; + } + if (req->actual_length < PAGE_SIZE) + pnd->rx_skb = NULL; /* Last fragment */ diff --git a/queue-5.15/nfc-digital-bounds-check-nfc-a-cascade-depth-in-sdd-response-handler.patch b/queue-5.15/nfc-digital-bounds-check-nfc-a-cascade-depth-in-sdd-response-handler.patch new file mode 100644 index 0000000000..a7b6f45afd --- /dev/null 
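Review bot: The new `else` branch frees the skb but does not consume `page`, so it relies on a page release after the switch that is outside this hunk; a one-line comment such as `/* page is released by the common exit path below */` would make that dependency visible. Clearing `skb` before the `if (req->actual_length < PAGE_SIZE)` check looks correct as far as the hunk shows, presuming every later use of `skb` in rx_complete() is guarded by a NULL test. rx_complete() starts and ends outside this hunk.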
+++ b/queue-5.15/nfc-digital-bounds-check-nfc-a-cascade-depth-in-sdd-response-handler.patch 
@@ -0,0 +1,58 @@ +From 46ce8be2ced389bccd84bcc04a12cf2f4d0c22d1 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 9 Apr 2026 17:18:14 +0200 +Subject: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler + +From: Greg Kroah-Hartman + +commit 46ce8be2ced389bccd84bcc04a12cf2f4d0c22d1 upstream. + +The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 +or 4 bytes to target->nfcid1 on each round, but the number of cascade +rounds is controlled entirely by the peer device. The peer sets the +cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the +cascade-incomplete bit in the SEL_RES (deciding whether another round +follows). + +ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is +sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver +actually enforces this. This means a malicious peer can keep the +cascade running, writing past the heap-allocated nfc_target with each +round. + +Fix this by rejecting the response when the accumulated UID would exceed +the buffer. + +Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays") +fixed similar missing checks against the same field on the NCI path. 
+ +Cc: Simon Horman +Cc: Kees Cook +Cc: Thierry Escande +Cc: Samuel Ortiz +Fixes: 2c66daecc409 ("NFC Digital: Add NFC-A technology support") +Cc: stable +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026040913-figure-seducing-bd3f@gregkh +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/digital_technology.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/nfc/digital_technology.c ++++ b/net/nfc/digital_technology.c +@@ -424,6 +424,12 @@ static void digital_in_recv_sdd_res(stru + size = 4; + } + ++ if (target->nfcid1_len + size > NFC_NFCID1_MAXSIZE) { ++ PROTOCOL_ERR("4.7.2.1"); ++ rc = -EPROTO; ++ goto exit; ++ } ++ + memcpy(target->nfcid1 + target->nfcid1_len, sdd_res->nfcid1 + offset, + size); + target->nfcid1_len += size; diff --git a/queue-5.15/nfc-llcp-add-missing-return-after-llcp_closed-checks.patch b/queue-5.15/nfc-llcp-add-missing-return-after-llcp_closed-checks.patch new file mode 100644 index 0000000000..7e4ba9fcbc --- /dev/null +++ b/queue-5.15/nfc-llcp-add-missing-return-after-llcp_closed-checks.patch 
@@ -0,0 +1,48 @@ +From 2b5dd4632966c39da6ba74dbc8689b309065e82c Mon Sep 17 00:00:00 2001 +From: Junxi Qian +Date: Wed, 8 Apr 2026 16:10:06 +0800 +Subject: nfc: llcp: add missing return after LLCP_CLOSED checks + +From: Junxi Qian + +commit 2b5dd4632966c39da6ba74dbc8689b309065e82c upstream. + +In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket +state is LLCP_CLOSED, the code correctly calls release_sock() and +nfc_llcp_sock_put() but fails to return. Execution falls through to +the remainder of the function, which calls release_sock() and +nfc_llcp_sock_put() again. This results in a double release_sock() +and a refcount underflow via double nfc_llcp_sock_put(), leading to +a use-after-free. + +Add the missing return statements after the LLCP_CLOSED branches +in both functions to prevent the fall-through. + +Fixes: d646960f7986 ("NFC: Initial LLCP support") +Signed-off-by: Junxi Qian +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260408081006.3723-1-qjx1298677004@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/llcp_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -1098,6 +1098,7 @@ static void nfc_llcp_recv_hdlc(struct nf + if (sk->sk_state == LLCP_CLOSED) { + release_sock(sk); + nfc_llcp_sock_put(llcp_sock); ++ return; + } + + /* Pass the payload upstream */ +@@ -1189,6 +1190,7 @@ static void nfc_llcp_recv_disc(struct nf + if (sk->sk_state == LLCP_CLOSED) { + release_sock(sk); + nfc_llcp_sock_put(llcp_sock); ++ return; + } + + if (sk->sk_state == LLCP_CONNECTED) { diff --git a/queue-5.15/series b/queue-5.15/series index d358554484..9b67f8febb 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
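Review bot: Both added `return;` statements leave `release_sock(sk); nfc_llcp_sock_put(llcp_sock); return;` duplicated against the normal exit of each function, which is the pattern that let the original fall-through go unnoticed; in nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc() a `goto out;` to the existing tail release would keep a single release point. The fix as written is correct and minimal for a stable backport. Both functions start and end outside this hunk.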
@@ -52,3 +52,18 @@ alsa-usb-audio-improve-focusrite-sample-rate-filteri.patch alsa-usb-audio-update-for-native-dsd-support-quirks.patch alsa-usb-audio-remove-validate_rates-quirk-for-focus.patch batman-adv-hold-claim-backbone-gateways-by-reference.patch +nfc-llcp-add-missing-return-after-llcp_closed-checks.patch +can-raw-fix-ro-uniq-use-after-free-in-raw_rcv.patch +i2c-s3c24xx-check-the-size-of-the-smbus-message-before-using-it.patch +staging-rtl8723bs-initialize-le_tmp64-in-rtw_bip_verify.patch +hid-alps-fix-null-pointer-dereference-in-alps_raw_event.patch +hid-core-clamp-report_size-in-s32ton-to-avoid-undefined-shift.patch +net-usb-cdc-phonet-fix-skb-frags-overflow-in-rx_complete.patch +nfc-digital-bounds-check-nfc-a-cascade-depth-in-sdd-response-handler.patch +alsa-fireworks-bound-device-supplied-status-before-string-array-lookup.patch +fbdev-tdfxfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch +usb-gadget-f_ncm-validate-minimum-block_len-in-ncm_unwrap_ntb.patch +usb-gadget-f_phonet-fix-skb-frags-overflow-in-pn_rx_complete.patch +usb-gadget-renesas_usb3-validate-endpoint-index-in-standard-request-handlers.patch +usbip-validate-number_of_packets-in-usbip_pack_ret_submit.patch +usb-storage-expand-range-of-matched-versions-for-vl817-quirks-entry.patch diff --git a/queue-5.15/staging-rtl8723bs-initialize-le_tmp64-in-rtw_bip_verify.patch b/queue-5.15/staging-rtl8723bs-initialize-le_tmp64-in-rtw_bip_verify.patch new file mode 100644 index 0000000000..ae1eaa951e --- /dev/null +++ b/queue-5.15/staging-rtl8723bs-initialize-le_tmp64-in-rtw_bip_verify.patch 
@@ -0,0 +1,44 @@ +From 8c964b82a4e97ec7f25e17b803ee196009b38a57 Mon Sep 17 00:00:00 2001 +From: Lin YuChen +Date: Sat, 21 Mar 2026 01:25:02 +0800 +Subject: staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() + +From: Lin YuChen + +commit 8c964b82a4e97ec7f25e17b803ee196009b38a57 upstream. + +Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using +uninitialized data. + +Smatch warns that only 6 bytes are copied to this 8-byte (u64) +variable, leaving the last two bytes uninitialized: + +drivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify() +warn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes) + +Initializing the variable at the start of the function fixes this +warning and ensures predictable behavior. + +Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") +Cc: stable +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/linux-staging/abvwIQh0CHTp4wNJ@stanley.mountain/ +Signed-off-by: Lin YuChen +Reviewed-by: Dan Carpenter +Link: https://patch.msgid.link/20260320172502.167332-1-starpt.official@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8723bs/core/rtw_security.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8723bs/core/rtw_security.c ++++ b/drivers/staging/rtl8723bs/core/rtw_security.c +@@ -1364,7 +1364,7 @@ u32 rtw_BIP_verify(struct adapter *padap + u8 mic[16]; + struct mlme_ext_priv *pmlmeext = &padapter->mlmeextpriv; + __le16 le_tmp; +- __le64 le_tmp64; ++ __le64 le_tmp64 = 0; + + ori_len = pattrib->pkt_len-WLAN_HDR_A3_LEN+BIP_AAD_SIZE; + BIP_AAD = rtw_zmalloc(ori_len); diff --git a/queue-5.15/usb-gadget-f_ncm-validate-minimum-block_len-in-ncm_unwrap_ntb.patch b/queue-5.15/usb-gadget-f_ncm-validate-minimum-block_len-in-ncm_unwrap_ntb.patch new file mode 100644 index 0000000000..473817e91a --- /dev/null +++ b/queue-5.15/usb-gadget-f_ncm-validate-minimum-block_len-in-ncm_unwrap_ntb.patch 
@@ -0,0 +1,51 @@ +From 8f993d30b95dc9557a8a96ceca11abed674c8acb Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 7 Apr 2026 11:02:54 +0200 +Subject: usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() + +From: Greg Kroah-Hartman + +commit 8f993d30b95dc9557a8a96ceca11abed674c8acb upstream. + +The block_len read from the host-supplied NTB header is checked against +ntb_max but has no lower bound. When block_len is smaller than +opts->ndp_size, the bounds check of: + ndp_index > (block_len - opts->ndp_size) +will underflow producing a huge unsigned value that ndp_index can never +exceed, defeating the check entirely. + +The same underflow occurs in the datagram index checks against block_len +- opts->dpe_size. With those checks neutered, a malicious USB host can +choose ndp_index and datagram offsets that point past the actual +transfer, and the skb_put_data() copies adjacent kernel memory into the +network skb. + +Fix this by rejecting block lengths that cannot hold at least the NTB +header plus one NDP. This will make block_len - opts->ndp_size and +block_len - opts->dpe_size both well-defined. + +Commit 8d2b1a1ec9f5 ("CDC-NCM: avoid overflow in sanity checking") fixed +a related class of issues on the host side of NCM. 
+ +Fixes: 2b74b0a04d3e ("USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()") +Cc: stable +Assisted-by: gregkh_clanker_t1000 +Link: https://patch.msgid.link/2026040753-baffle-handheld-624d@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_ncm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -1215,8 +1215,8 @@ parse_ntb: + + block_len = get_ncm(&tmp, opts->block_length); + /* (d)wBlockLength */ +- if (block_len > ntb_max) { +- INFO(port->func.config->cdev, "OUT size exceeded\n"); ++ if ((block_len < opts->nth_size + opts->ndp_size) || (block_len > ntb_max)) { ++ INFO(port->func.config->cdev, "Bad block length: %#X\n", block_len); + goto err; + } + diff --git a/queue-5.15/usb-gadget-f_phonet-fix-skb-frags-overflow-in-pn_rx_complete.patch b/queue-5.15/usb-gadget-f_phonet-fix-skb-frags-overflow-in-pn_rx_complete.patch new file mode 100644 index 0000000000..f221bf0476 --- /dev/null +++ b/queue-5.15/usb-gadget-f_phonet-fix-skb-frags-overflow-in-pn_rx_complete.patch 
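Review bot: The new lower bound `opts->nth_size + opts->ndp_size` is justified only in the commit message, and the message also relies on it making `block_len - opts->dpe_size` safe, which holds only if `opts->dpe_size <= opts->ndp_size`; a comment on the `if`, e.g. `/* must hold the NTH plus one NDP; also keeps block_len - ndp_size and block_len - dpe_size from underflowing */`, keeps that reasoning next to the check. The INFO() format uses `%#X` for `block_len`, which is fine if it is an unsigned int — the hunk does not show its declaration. The surrounding parse_ntb code is outside this hunk.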
@@ -0,0 +1,51 @@ +From c088d5dd2fffb4de1fb8e7f57751c8b82942180a Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 7 Apr 2026 10:55:05 +0200 +Subject: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() + +From: Greg Kroah-Hartman + +commit c088d5dd2fffb4de1fb8e7f57751c8b82942180a upstream. + +A broken/bored/mean USB host can overflow the skb_shared_info->frags[] +array on a Linux gadget exposing a Phonet function by sending an +unbounded sequence of full-page OUT transfers. + +pn_rx_complete() finalizes the skb only when req->actual < req->length, +where req->length is set to PAGE_SIZE by the gadget. If the host always +sends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be +reset and each completion will add another fragment via +skb_add_rx_frag(). Once nr_frags exceeds MAX_SKB_FRAGS (default 17), +subsequent frag stores overwrite memory adjacent to the shinfo on the +heap. + +Drop the skb and account a length error when the frag limit is reached, +matching the fix applied in t7xx by commit f0813bcd2d9d ("net: wwan: +t7xx: fix potential skb->frags overflow in RX path"). + +Cc: stable +Assisted-by: gregkh_clanker_t1000 +Link: https://patch.msgid.link/2026040705-fruit-unloved-0701@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_phonet.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/usb/gadget/function/f_phonet.c ++++ b/drivers/usb/gadget/function/f_phonet.c +@@ -330,6 +330,15 @@ static void pn_rx_complete(struct usb_ep + if (unlikely(!skb)) + break; + ++ if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) { ++ /* Frame count from host exceeds frags[] capacity */ ++ dev_kfree_skb_any(skb); ++ if (fp->rx.skb == skb) ++ fp->rx.skb = NULL; ++ dev->stats.rx_length_errors++; ++ break; ++ } ++ + if (skb->len == 0) { /* First fragment */ + skb->protocol = htons(ETH_P_PHONET); + skb_reset_mac_header(skb); 
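Review bot: The new branch compares and clears `fp->rx.skb` outside whatever lock guards that field elsewhere in pn_rx_complete() (not visible in this hunk); if rx.skb is lock-protected there, the `if (fp->rx.skb == skb) fp->rx.skb = NULL;` store should take the same lock or move into the locked region. The conditional itself appears necessary because a last-fragment path may already have cleared rx.skb before this point. As with the cdc-phonet fix in this series, `page` is not consumed here and relies on a release after the switch, which the hunk does not show; a short comment saying so would help. pn_rx_complete() starts and ends outside this hunk.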
diff --git a/queue-5.15/usb-gadget-renesas_usb3-validate-endpoint-index-in-standard-request-handlers.patch b/queue-5.15/usb-gadget-renesas_usb3-validate-endpoint-index-in-standard-request-handlers.patch new file mode 100644 index 0000000000..1c8d4fc137 --- /dev/null +++ b/queue-5.15/usb-gadget-renesas_usb3-validate-endpoint-index-in-standard-request-handlers.patch 
@@ -0,0 +1,50 @@ +From f880aac8a57ebd92abfa685d45424b2998ac1059 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 6 Apr 2026 17:09:48 +0200 +Subject: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers + +From: Greg Kroah-Hartman + +commit f880aac8a57ebd92abfa685d45424b2998ac1059 upstream. + +The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint +number from the host-supplied wIndex without any sort of validation. +Fix this up by validating the number of endpoints actually match up with +the number the device has before attempting to dereference a pointer +based on this math. + +This is just like what was done in commit ee0d382feb44 ("usb: gadget: +aspeed_udc: validate endpoint index for ast udc") for the aspeed driver. + +Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller") +Cc: stable +Assisted-by: gregkh_clanker_t1000 +Link: https://patch.msgid.link/2026040647-sincerity-untidy-b104@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/renesas_usb3.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/udc/renesas_usb3.c ++++ b/drivers/usb/gadget/udc/renesas_usb3.c +@@ -1611,6 +1611,10 @@ static bool usb3_std_req_get_status(stru + break; + case USB_RECIP_ENDPOINT: + num = le16_to_cpu(ctrl->wIndex) & USB_ENDPOINT_NUMBER_MASK; ++ if (num >= usb3->num_usb3_eps) { ++ stall = true; ++ break; ++ } + usb3_ep = usb3_get_ep(usb3, num); + if (usb3_ep->halt) + status |= 1 << USB_ENDPOINT_HALT; +@@ -1723,7 +1727,8 @@ static bool usb3_std_req_feature_endpoin + struct renesas_usb3_ep *usb3_ep; + struct renesas_usb3_request *usb3_req; + +- if (le16_to_cpu(ctrl->wValue) != USB_ENDPOINT_HALT) ++ if ((le16_to_cpu(ctrl->wValue) != USB_ENDPOINT_HALT) || ++ (num >= usb3->num_usb3_eps)) + return true; /* stall */ + + usb3_ep = usb3_get_ep(usb3, num); 
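Review bot: Neither added bound check says why `num` is untrusted, so a reader of usb3_std_req_get_status() or usb3_std_req_feature_endpoint() sees a bare compare; a comment such as `/* wIndex is host-supplied: bound it before indexing the endpoint array */` on the first check would document the intent. In the second hunk `num` is computed outside the hunk — presumably from wIndex with USB_ENDPOINT_NUMBER_MASK as in the first — and if it is a signed int derived from that masked value it cannot be negative, but that is worth confirming since `num >= usb3->num_usb3_eps` alone does not reject negatives. Both functions start and end outside this hunk.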
diff --git a/queue-5.15/usb-storage-expand-range-of-matched-versions-for-vl817-quirks-entry.patch b/queue-5.15/usb-storage-expand-range-of-matched-versions-for-vl817-quirks-entry.patch new file mode 100644 index 0000000000..2f2185493d --- /dev/null +++ b/queue-5.15/usb-storage-expand-range-of-matched-versions-for-vl817-quirks-entry.patch @@ -0,0 +1,42 @@ +From 609865ab3d5d803556f628e221ecd3d06aed9f30 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20Br=C3=A1t?= +Date: Thu, 2 Apr 2026 19:24:33 +0200 +Subject: usb: storage: Expand range of matched versions for VL817 quirks entry +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Brát + +commit 609865ab3d5d803556f628e221ecd3d06aed9f30 upstream. + +Expands range of matched bcdDevice values for the VL817 quirk entry. +This is based on experience with Axagon EE35-GTR rev1 3.5" HDD +enclosure, which reports its bcdDevice as 0x0843, but presumably other +vendors using this IC in their products may set it to any other value. + +Signed-off-by: Daniel Brát +Cc: stable +Link: https://patch.msgid.link/20260402172433.5227-1-danek.brat@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/unusual_devs.h | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -2339,10 +2339,11 @@ UNUSUAL_DEV( 0x2027, 0xa001, 0x0000, 0x + US_FL_SCM_MULT_TARG ), + + /* +- * Reported by DocMAX +- * and Thomas Weißschuh ++ * Reported by DocMAX , ++ * Thomas Weißschuh ++ * and Daniel Brát + */ +-UNUSUAL_DEV( 0x2109, 0x0715, 0x9999, 0x9999, ++UNUSUAL_DEV( 0x2109, 0x0715, 0x0000, 0x9999, + "VIA Labs, Inc.", + "VL817 SATA Bridge", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, diff --git a/queue-5.15/usbip-validate-number_of_packets-in-usbip_pack_ret_submit.patch b/queue-5.15/usbip-validate-number_of_packets-in-usbip_pack_ret_submit.patch new file mode 100644 index 0000000000..db0e5ed791 
--- /dev/null +++ b/queue-5.15/usbip-validate-number_of_packets-in-usbip_pack_ret_submit.patch 
@@ -0,0 +1,86 @@ +From 2ab833a16a825373aad2ba7d54b572b277e95b71 Mon Sep 17 00:00:00 2001 +From: Nathan Rebello +Date: Thu, 2 Apr 2026 04:52:59 -0400 +Subject: usbip: validate number_of_packets in usbip_pack_ret_submit() + +From: Nathan Rebello + +commit 2ab833a16a825373aad2ba7d54b572b277e95b71 upstream. + +When a USB/IP client receives a RET_SUBMIT response, +usbip_pack_ret_submit() unconditionally overwrites +urb->number_of_packets from the network PDU. This value is +subsequently used as the loop bound in usbip_recv_iso() and +usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible +array whose size was fixed at URB allocation time based on the +*original* number_of_packets from the CMD_SUBMIT. + +A malicious USB/IP server can set number_of_packets in the response +to a value larger than what was originally submitted, causing a heap +out-of-bounds write when usbip_recv_iso() writes to +urb->iso_frame_desc[i] beyond the allocated region. + +KASAN confirmed this with kernel 7.0.0-rc5: + + BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640 + Write of size 4 at addr ffff888106351d40 by task vhci_rx/69 + + The buggy address is located 0 bytes to the right of + allocated 320-byte region [ffff888106351c00, ffff888106351d40) + +The server side (stub_rx.c) and gadget side (vudc_rx.c) already +validate number_of_packets in the CMD_SUBMIT path since commits +c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle +malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden +CMD_SUBMIT path to handle malicious input"). The server side validates +against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. +On the client side we have the original URB, so we can use the tighter +bound: the response must not exceed the original number_of_packets. + +This mirrors the existing validation of actual_length against +transfer_buffer_length in usbip_recv_xbuff(), which checks the +response value against the original allocation size. 
+ +Kelvin Mbogo's series ("usb: usbip: fix integer overflow in +usbip_recv_iso()", v2) hardens the receive-side functions themselves; +this patch complements that work by catching the bad value at its +source -- in usbip_pack_ret_submit() before the overwrite -- and +using the tighter per-URB allocation bound rather than the global +USBIP_MAX_ISO_PACKETS limit. + +Fix this by checking rpdu->number_of_packets against +urb->number_of_packets in usbip_pack_ret_submit() before the +overwrite. On violation, clamp to zero so that usbip_recv_iso() and +usbip_pad_iso() safely return early. + +Fixes: 1325f85fa49f ("staging: usbip: bugfix add number of packets for isochronous frames") +Cc: stable +Acked-by: Shuah Khan +Signed-off-by: Nathan Rebello +Link: https://patch.msgid.link/20260402085259.234-1-nathan.c.rebello@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/usbip/usbip_common.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/usb/usbip/usbip_common.c ++++ b/drivers/usb/usbip/usbip_common.c +@@ -384,6 +384,18 @@ static void usbip_pack_ret_submit(struct + urb->status = rpdu->status; + urb->actual_length = rpdu->actual_length; + urb->start_frame = rpdu->start_frame; ++ /* ++ * The number_of_packets field determines the length of ++ * iso_frame_desc[], which is a flexible array allocated ++ * at URB creation time. A response must never claim more ++ * packets than originally submitted; doing so would cause ++ * an out-of-bounds write in usbip_recv_iso() and ++ * usbip_pad_iso(). Clamp to zero on violation so both ++ * functions safely return early. ++ */ ++ if (rpdu->number_of_packets < 0 || ++ rpdu->number_of_packets > urb->number_of_packets) ++ rpdu->number_of_packets = 0; + urb->number_of_packets = rpdu->number_of_packets; + urb->error_count = rpdu->error_count; + }
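Review bot: The clamp at the end of the hunk is silent: a RET_SUBMIT whose number_of_packets is negative or exceeds the submitted count is exactly the malformed peer input the description describes, and dropping it to zero without a log line leaves nothing for an operator to notice. A rate-limited message before the assignment, e.g. `pr_warn_ratelimited("usbip: RET_SUBMIT number_of_packets %d out of range (max %d)\n", rpdu->number_of_packets, urb->number_of_packets);`, makes the condition observable. Clamping to zero rather than failing the response is sound only if usbip_recv_iso() and usbip_pad_iso() both return early on zero, as the added comment asserts — neither is in the hunk, so that is worth a cross-check. usbip_pack_ret_submit() starts outside this hunk.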