From: Greg Kroah-Hartman Date: Mon, 20 Apr 2026 10:15:25 +0000 (+0200) Subject: 6.1-stable patches X-Git-Url: http://git.ipfire.org/index.cgi?a=commitdiff_plain;h=516a18f8d40f3bd03673dedf006c25e4b2a5e62a;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-fireworks-bound-device-supplied-status-before-string-array-lookup.patch can-raw-fix-ro-uniq-use-after-free-in-raw_rcv.patch drm-vc4-platform_get_irq_byname-returns-an-int.patch fbdev-tdfxfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch hid-alps-fix-null-pointer-dereference-in-alps_raw_event.patch hid-core-clamp-report_size-in-s32ton-to-avoid-undefined-shift.patch i2c-s3c24xx-check-the-size-of-the-smbus-message-before-using-it.patch ksmbd-require-3-sub-authorities-before-reading-sub_auth.patch ksmbd-validate-eanamelength-in-smb2_get_ea.patch net-usb-cdc-phonet-fix-skb-frags-overflow-in-rx_complete.patch nfc-digital-bounds-check-nfc-a-cascade-depth-in-sdd-response-handler.patch nfc-llcp-add-missing-return-after-llcp_closed-checks.patch staging-rtl8723bs-initialize-le_tmp64-in-rtw_bip_verify.patch usb-cdc-acm-add-quirks-for-yoga-book-9-14iah10-ingenic-touchscreen.patch usb-gadget-f_ncm-validate-minimum-block_len-in-ncm_unwrap_ntb.patch usb-gadget-f_phonet-fix-skb-frags-overflow-in-pn_rx_complete.patch usb-gadget-renesas_usb3-validate-endpoint-index-in-standard-request-handlers.patch usb-port-add-delay-after-usb_hub_set_port_power.patch usb-storage-expand-range-of-matched-versions-for-vl817-quirks-entry.patch usbip-validate-number_of_packets-in-usbip_pack_ret_submit.patch --- diff --git a/queue-6.1/alsa-fireworks-bound-device-supplied-status-before-string-array-lookup.patch b/queue-6.1/alsa-fireworks-bound-device-supplied-status-before-string-array-lookup.patch new file mode 100644 index 0000000000..75ea0789d7 --- /dev/null +++ b/queue-6.1/alsa-fireworks-bound-device-supplied-status-before-string-array-lookup.patch 
@@ -0,0 +1,52 @@ +From 07704bbf36f57e4379e4cadf96410dab14621e3b Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 9 Apr 2026 16:05:54 +0200 +Subject: ALSA: fireworks: bound device-supplied status before string array lookup + +From: Greg Kroah-Hartman + +commit 07704bbf36f57e4379e4cadf96410dab14621e3b upstream. + +The status field in an EFW response is a 32-bit value supplied by the +firewire device. efr_status_names[] has 17 entries so a status value +outside that range goes off into the weeds when looking at the %s value. + +Even worse, the status could return EFR_STATUS_INCOMPLETE which is +0x80000000, and is obviously not in that array of potential strings. + +Fix this up by properly bounding the index against the array size and +printing "unknown" if it's not recognized. + +Cc: Clemens Ladisch +Cc: Takashi Sakamoto +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Fixes: bde8a8f23bbe ("ALSA: fireworks: Add transaction and some commands") +Cc: stable +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: Takashi Sakamoto +Link: https://patch.msgid.link/2026040953-astute-camera-1aa1@gregkh +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/firewire/fireworks/fireworks_command.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/sound/firewire/fireworks/fireworks_command.c ++++ b/sound/firewire/fireworks/fireworks_command.c +@@ -151,10 +151,13 @@ efw_transaction(struct snd_efw *efw, uns + (be32_to_cpu(header->category) != category) || + (be32_to_cpu(header->command) != command) || + (be32_to_cpu(header->status) != EFR_STATUS_OK)) { ++ u32 st = be32_to_cpu(header->status); ++ + dev_err(&efw->unit->device, "EFW command failed [%u/%u]: %s\n", + be32_to_cpu(header->category), + be32_to_cpu(header->command), +- efr_status_names[be32_to_cpu(header->status)]); ++ st < ARRAY_SIZE(efr_status_names) ? ++ efr_status_names[st] : "unknown"); + err = -EIO; + goto end; + } 
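Review bot: The new ternary in the dev_err() call drops the numeric status once it falls outside efr_status_names, so a device returning e.g. EFR_STATUS_INCOMPLETE (0x80000000, per the changelog) is logged only as "unknown"; printing `st` alongside the name keeps that diagnostic, e.g. `"EFW command failed [%u/%u]: %s (0x%08x)\n"` with `st` appended to the argument list. Note that `st` is also assigned on the mismatched-category/command paths of the visible condition, where the status may well be EFR_STATUS_OK and the string then names a non-failure, so a short comment on the `u32 st` line saying the status text is meaningful only when the status is what failed would help. efw_transaction() continues outside the hunk.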
diff --git a/queue-6.1/can-raw-fix-ro-uniq-use-after-free-in-raw_rcv.patch b/queue-6.1/can-raw-fix-ro-uniq-use-after-free-in-raw_rcv.patch new file mode 100644 index 0000000000..8dcee299a8 --- /dev/null +++ b/queue-6.1/can-raw-fix-ro-uniq-use-after-free-in-raw_rcv.patch 
@@ -0,0 +1,68 @@ +From a535a9217ca3f2fccedaafb2fddb4c48f27d36dc Mon Sep 17 00:00:00 2001 +From: Samuel Page +Date: Wed, 8 Apr 2026 15:30:13 +0100 +Subject: can: raw: fix ro->uniq use-after-free in raw_rcv() + +From: Samuel Page + +commit a535a9217ca3f2fccedaafb2fddb4c48f27d36dc upstream. + +raw_release() unregisters raw CAN receive filters via can_rx_unregister(), +but receiver deletion is deferred with call_rcu(). This leaves a window +where raw_rcv() may still be running in an RCU read-side critical section +after raw_release() frees ro->uniq, leading to a use-after-free of the +percpu uniq storage. + +Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific +socket destructor. can_rx_unregister() takes an extra reference to the +socket and only drops it from the RCU callback, so freeing uniq from +sk_destruct ensures the percpu area is not released until the relevant +callbacks have drained. + +Fixes: 514ac99c64b2 ("can: fix multiple delivery of a single CAN frame for overlapping CAN filters") +Cc: stable@vger.kernel.org # v4.1+ +Assisted-by: Bynario AI +Signed-off-by: Samuel Page +Link: https://patch.msgid.link/26ec626d-cae7-4418-9782-7198864d070c@bynar.io +Acked-by: Oliver Hartkopp +[mkl: applied manually] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/raw.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/net/can/raw.c ++++ b/net/can/raw.c +@@ -336,6 +336,14 @@ static int raw_notifier(struct notifier_ + return NOTIFY_DONE; + } + ++static void raw_sock_destruct(struct sock *sk) ++{ ++ struct raw_sock *ro = raw_sk(sk); ++ ++ free_percpu(ro->uniq); ++ can_sock_destruct(sk); ++} ++ + static int raw_init(struct sock *sk) + { + struct raw_sock *ro = raw_sk(sk); +@@ -362,6 +370,8 @@ static int raw_init(struct sock *sk) + if (unlikely(!ro->uniq)) + return -ENOMEM; + ++ sk->sk_destruct = raw_sock_destruct; ++ + /* set notifier */ + spin_lock(&raw_notifier_lock); + 
list_add_tail(&ro->notifier, &raw_notifier_list); +@@ -409,7 +419,6 @@ static int raw_release(struct socket *so + ro->bound = 0; + ro->dev = NULL; + ro->count = 0; +- free_percpu(ro->uniq); + + sock_orphan(sk); + sock->sk = NULL; diff --git a/queue-6.1/drm-vc4-platform_get_irq_byname-returns-an-int.patch b/queue-6.1/drm-vc4-platform_get_irq_byname-returns-an-int.patch new file mode 100644 index 0000000000..f6427a2fbf --- /dev/null +++ b/queue-6.1/drm-vc4-platform_get_irq_byname-returns-an-int.patch 
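Review bot: raw_sock_destruct() carries no comment explaining why ro->uniq is released from the socket destructor rather than from raw_release(), and the reasoning (receiver removal deferred by call_rcu(), raw_rcv() still able to read uniq) lives only in the changelog; suggest `/* uniq is freed here rather than in raw_release(): can_rx_unregister() defers receiver removal via call_rcu() and raw_rcv() may still read it */` above the free_percpu() call. The assignment `sk->sk_destruct = raw_sock_destruct;` is made only after the percpu allocation succeeds, so the -ENOMEM path keeps whatever destructor was installed before raw_init(); that looks intentional since uniq is NULL there, but is worth confirming. raw_init() and raw_release() both extend beyond the hunk.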
@@ -0,0 +1,64 @@ +From e597a809a2b97e927060ba182f58eb3e6101bc70 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 16:53:39 +0100 +Subject: drm/vc4: platform_get_irq_byname() returns an int +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Greg Kroah-Hartman + +commit e597a809a2b97e927060ba182f58eb3e6101bc70 upstream. + +platform_get_irq_byname() will return a negative value if an error +happens, so it should be checked and not just passed directly into +devm_request_threaded_irq() hoping all will be ok. + +Cc: Maxime Ripard +Cc: Dave Stevenson +Cc: Maíra Canal +Cc: Raspberry Pi Kernel Maintenance +Cc: Maarten Lankhorst +Cc: Thomas Zimmermann +Cc: David Airlie +Cc: Simona Vetter +Cc: stable +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026022339-cornflake-t-shirt-2471@gregkh +Signed-off-by: Maíra Canal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -2614,17 +2614,23 @@ static int vc4_hdmi_hotplug_init(struct + int ret; + + if (vc4_hdmi->variant->external_irq_controller) { +- unsigned int hpd_con = platform_get_irq_byname(pdev, "hpd-connected"); +- unsigned int hpd_rm = platform_get_irq_byname(pdev, "hpd-removed"); ++ int hpd = platform_get_irq_byname(pdev, "hpd-connected"); + +- ret = devm_request_threaded_irq(&pdev->dev, hpd_con, ++ if (hpd < 0) ++ return hpd; ++ ++ ret = devm_request_threaded_irq(&pdev->dev, hpd, + NULL, + vc4_hdmi_hpd_irq_thread, IRQF_ONESHOT, + "vc4 hdmi hpd connected", vc4_hdmi); + if (ret) + return ret; + +- ret = devm_request_threaded_irq(&pdev->dev, hpd_rm, ++ hpd = platform_get_irq_byname(pdev, "hpd-removed"); ++ if (hpd < 0) ++ return hpd; ++ ++ ret = devm_request_threaded_irq(&pdev->dev, hpd, + NULL, + vc4_hdmi_hpd_irq_thread, 
IRQF_ONESHOT, + "vc4 hdmi hpd disconnected", vc4_hdmi); diff --git a/queue-6.1/fbdev-tdfxfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch b/queue-6.1/fbdev-tdfxfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch new file mode 100644 index 0000000000..d36e3dce3f --- /dev/null +++ b/queue-6.1/fbdev-tdfxfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch @@ -0,0 +1,36 @@ +From 8f98b81fe011e1879e6a7b1247e69e06a5e17af2 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 9 Apr 2026 15:23:14 +0200 +Subject: fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO + +From: Greg Kroah-Hartman + +commit 8f98b81fe011e1879e6a7b1247e69e06a5e17af2 upstream. + +Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide +by zero error"), we also need to prevent that same crash from happening +in the udlfb driver as it uses pixclock directly when dividing, which +will crash. + +Cc: Helge Deller +Assisted-by: gregkh_clanker_t1000 +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/tdfxfb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/video/fbdev/tdfxfb.c ++++ b/drivers/video/fbdev/tdfxfb.c +@@ -496,6 +496,9 @@ static int tdfxfb_check_var(struct fb_va + } + } + ++ if (!var->pixclock) ++ return -EINVAL; ++ + if (PICOS2KHZ(var->pixclock) > par->max_pixclock) { + DPRINTK("pixclock too high (%ldKHz)\n", + PICOS2KHZ(var->pixclock)); diff --git a/queue-6.1/hid-alps-fix-null-pointer-dereference-in-alps_raw_event.patch b/queue-6.1/hid-alps-fix-null-pointer-dereference-in-alps_raw_event.patch new file mode 100644 index 0000000000..1b8f5a4ed0 --- /dev/null +++ b/queue-6.1/hid-alps-fix-null-pointer-dereference-in-alps_raw_event.patch 
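Review bot: One `int hpd` now stands in for both the hpd-connected and hpd-removed IRQs, so the second `if (hpd < 0) return hpd;` reads identically to the first and a reader cannot tell from the variable which lookup failed; keeping the two names the old code had (`int hpd_con`, `int hpd_rm`) with the same `< 0` checks would preserve the fix while keeping the two error paths distinguishable. Behaviourally the change is right: a negative return from platform_get_irq_byname() is propagated unchanged, so a deferral code reaches the caller intact. vc4_hdmi_hotplug_init() starts before and ends after the hunk.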
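Review bot: The changelog in this patch says the crash is prevented "in the udlfb driver", but the diff touches drivers/video/fbdev/tdfxfb.c and tdfxfb_check_var(); as a stable-queue copy of the upstream commit the text cannot be reworded here, but readers should map it to tdfxfb. The check itself sits before the first use of var->pixclock visible in the hunk, where PICOS2KHZ() divides by it, and a one-line comment such as `/* PICOS2KHZ() divides by pixclock; reject 0 */` would make the -EINVAL self-explanatory. tdfxfb_check_var() continues outside the hunk.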
@@ -0,0 +1,44 @@ +From 1badfc4319224820d5d890f8eab6aa52e4e83339 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 6 Apr 2026 16:03:25 +0200 +Subject: HID: alps: fix NULL pointer dereference in alps_raw_event() + +From: Greg Kroah-Hartman + +commit 1badfc4319224820d5d890f8eab6aa52e4e83339 upstream. + +Commit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event +callbacks missing them") attempted to fix up the HID drivers that had +missed the previous fix that was done in 2ff5baa9b527 ("HID: appleir: +Fix potential NULL dereference at raw event handle"), but the alps +driver was missed. + +Fix this up by properly checking in the hid-alps driver that it had been +claimed correctly before attempting to process the raw event. + +Fixes: 73196ebe134d ("HID: alps: add support for Alps T4 Touchpad device") +Cc: stable +Cc: Jiri Kosina +Cc: Benjamin Tissoires +Cc: Masaki Ota +Cc: linux-input@vger.kernel.org +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-alps.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/hid/hid-alps.c ++++ b/drivers/hid/hid-alps.c +@@ -437,6 +437,9 @@ static int alps_raw_event(struct hid_dev + int ret = 0; + struct alps_dev *hdata = hid_get_drvdata(hdev); + ++ if (!(hdev->claimed & HID_CLAIMED_INPUT) || !hdata->input) ++ return 0; ++ + switch (hdev->product) { + case HID_PRODUCT_ID_T4_BTNLESS: + ret = t4_raw_event(hdata, data, size); diff --git a/queue-6.1/hid-core-clamp-report_size-in-s32ton-to-avoid-undefined-shift.patch b/queue-6.1/hid-core-clamp-report_size-in-s32ton-to-avoid-undefined-shift.patch new file mode 100644 index 0000000000..a6be77faf3 --- /dev/null +++ b/queue-6.1/hid-core-clamp-report_size-in-s32ton-to-avoid-undefined-shift.patch 
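Review bot: The new guard in alps_raw_event() has no comment saying why a report can arrive with HID_CLAIMED_INPUT clear or hdata->input NULL, and the cause is only in the changelog; suggest `/* ignore reports until the input device is claimed and registered */` above the check. Returning 0 silently consumes the report, which the changelog says matches the guards commit ecfa6f34492c added to other drivers. The check dereferences `hdata` unconditionally, so it presumes hid_get_drvdata() cannot return NULL at this point; if the probe path can leave drvdata unset while raw events are delivered, `hdata` would need its own test. alps_raw_event() continues beyond the hunk.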
@@ -0,0 +1,48 @@ +From 69c02ffde6ed4d535fa4e693a9e572729cad3d0d Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 6 Apr 2026 16:04:10 +0200 +Subject: HID: core: clamp report_size in s32ton() to avoid undefined shift + +From: Greg Kroah-Hartman + +commit 69c02ffde6ed4d535fa4e693a9e572729cad3d0d upstream. + +s32ton() shifts by n-1 where n is the field's report_size, a value that +comes directly from a HID device. The HID parser bounds report_size +only to <= 256, so a broken HID device can supply a report descriptor +with a wide field that triggers shift exponents up to 256 on a 32-bit +type when an output report is built via hid_output_field() or +hid_set_field(). + +Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in +hid_report_raw_event") added the same n > 32 clamp to the function +snto32(), but s32ton() was never given the same fix as I guess syzbot +hadn't figured out how to fuzz a device the same way. + +Fix this up by just clamping the max value of n, just like snto32() +does. + +Cc: stable +Cc: Jiri Kosina +Cc: Benjamin Tissoires +Cc: linux-input@vger.kernel.org +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1358,6 +1358,9 @@ static u32 s32ton(__s32 value, unsigned + if (!value || !n) + return 0; + ++ if (n > 32) ++ n = 32; ++ + a = value >> (n - 1); + + if (a && a != -1) diff --git a/queue-6.1/i2c-s3c24xx-check-the-size-of-the-smbus-message-before-using-it.patch b/queue-6.1/i2c-s3c24xx-check-the-size-of-the-smbus-message-before-using-it.patch new file mode 100644 index 0000000000..865f85cf7f --- /dev/null +++ b/queue-6.1/i2c-s3c24xx-check-the-size-of-the-smbus-message-before-using-it.patch 
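Review bot: The `if (n > 32) n = 32;` clamp in s32ton() has no comment, and the reason (report_size is device-supplied and only bounded to 256 by the parser, per the changelog) would otherwise be lost; suggest `/* report_size is device-controlled and may exceed 32: avoid an undefined shift, as snto32() does */` above it. With n clamped to 32 the following `value >> (n - 1)` is a shift by 31 on an __s32, which is in range. The body of s32ton() continues outside the hunk.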
@@ -0,0 +1,46 @@ +From c0128c7157d639a931353ea344fb44aad6d6e17a Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 23 Feb 2026 18:05:15 +0100 +Subject: i2c: s3c24xx: check the size of the SMBUS message before using it + +From: Greg Kroah-Hartman + +commit c0128c7157d639a931353ea344fb44aad6d6e17a upstream. + +The first byte of an i2c SMBUS message is the size, and it should be +verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX +before processing it. + +This is the same logic that was added in commit a6e04f05ce0b ("i2c: +tegra: check msg length in SMBUS block read") to the i2c tegra driver. + +Cc: Krzysztof Kozlowski +Cc: Alim Akhtar +Cc: Andi Shyti +Cc: stable +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/2026022314-rely-scrubbed-4839@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-s3c2410.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-s3c2410.c ++++ b/drivers/i2c/busses/i2c-s3c2410.c +@@ -508,8 +508,13 @@ static int i2c_s3c_irq_nextbyte(struct s + i2c->msg->buf[i2c->msg_ptr++] = byte; + + /* Add actual length to read for smbus block read */ +- if (i2c->msg->flags & I2C_M_RECV_LEN && i2c->msg->len == 1) ++ if (i2c->msg->flags & I2C_M_RECV_LEN && i2c->msg->len == 1) { ++ if (byte == 0 || byte > I2C_SMBUS_BLOCK_MAX) { ++ s3c24xx_i2c_stop(i2c, -EPROTO); ++ break; ++ } + i2c->msg->len += byte; ++ } + prepare_read: + if (is_msglast(i2c)) { + /* last byte of buffer */ diff --git a/queue-6.1/ksmbd-require-3-sub-authorities-before-reading-sub_auth.patch b/queue-6.1/ksmbd-require-3-sub-authorities-before-reading-sub_auth.patch new file mode 100644 index 0000000000..969127e064 --- /dev/null +++ b/queue-6.1/ksmbd-require-3-sub-authorities-before-reading-sub_auth.patch 
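Review bot: The new range check rejects `byte == 0` while the changelog says the size should be in 0..I2C_SMBUS_BLOCK_MAX; the code is the stricter choice (an SMBus block read carries at least one data byte) and the one to keep, but the discrepancy invites a `/* a block read returns 1..I2C_SMBUS_BLOCK_MAX bytes */` comment so nobody "fixes" it back to allow zero. The `break` after s3c24xx_i2c_stop() leaves an enclosing switch or loop that lies outside the hunk, so whether it also skips the `prepare_read:` path as intended should be confirmed there. The pre-existing condition `i2c->msg->flags & I2C_M_RECV_LEN && i2c->msg->len == 1` relies on `&` binding tighter than `&&`, which is correct but usually parenthesised in kernel code. i2c_s3c_irq_nextbyte() extends beyond the hunk.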
@@ -0,0 +1,51 @@ +From 53370cf9090777774e07fd9a8ebce67c6cc333ab Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 6 Apr 2026 15:46:47 +0200 +Subject: ksmbd: require 3 sub-authorities before reading sub_auth[2] + +From: Greg Kroah-Hartman + +commit 53370cf9090777774e07fd9a8ebce67c6cc333ab upstream. + +parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on +match reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is +the prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares +only min(num_subauth, 2) sub-authorities so a client SID with +num_subauth = 2 and sub_auth = {88, 3} will match. + +If num_subauth = 2 and the ACE is placed at the very end of the security +descriptor, sub_auth[2] will be 4 bytes past end_of_acl. The +out-of-band bytes will then be masked to the low 9 bits and applied as +the file's POSIX mode, probably not something that is good to have +happen. + +Fix this up by forcing the SID to actually carry a third sub-authority +before reading it at all. + +Cc: Namjae Jeon +Cc: Steve French +Cc: Sergey Senozhatsky +Cc: Tom Talpey +Cc: linux-cifs@vger.kernel.org +Cc: +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smbacl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/smb/server/smbacl.c ++++ b/fs/smb/server/smbacl.c +@@ -451,7 +451,8 @@ static void parse_dacl(struct user_names + ppace[i]->access_req = + smb_map_generic_desired_access(ppace[i]->access_req); + +- if (!(compare_sids(&ppace[i]->sid, &sid_unix_NFS_mode))) { ++ if (ppace[i]->sid.num_subauth >= 3 && ++ !(compare_sids(&ppace[i]->sid, &sid_unix_NFS_mode))) { + fattr->cf_mode = + le32_to_cpu(ppace[i]->sid.sub_auth[2]); + break; 
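Review bot: The new `num_subauth >= 3` condition protects the `sub_auth[2]` read but nothing at the site says why 3, and the fact that compare_sids() compares only the shorter sub-authority count against the two-sub-authority sid_unix_NFS_mode prefix is only in the changelog; suggest `/* sid_unix_NFS_mode is a 2-subauth prefix and compare_sids() checks only the shorter count; the mode lives in sub_auth[2] */` above the if. The check reads `sid.num_subauth` itself, so it presumes the ACE's SID header has already been bounded against end_of_acl earlier in parse_dacl(); that code is outside the hunk and worth confirming. parse_dacl() continues beyond the hunk.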
diff --git a/queue-6.1/ksmbd-validate-eanamelength-in-smb2_get_ea.patch b/queue-6.1/ksmbd-validate-eanamelength-in-smb2_get_ea.patch new file mode 100644 index 0000000000..ab590eb827 --- /dev/null +++ b/queue-6.1/ksmbd-validate-eanamelength-in-smb2_get_ea.patch @@ -0,0 +1,49 @@ +From 66751841212c2cc196577453c37f7774ff363f02 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 6 Apr 2026 15:46:46 +0200 +Subject: ksmbd: validate EaNameLength in smb2_get_ea() + +From: Greg Kroah-Hartman + +commit 66751841212c2cc196577453c37f7774ff363f02 upstream. + +smb2_get_ea() reads ea_req->EaNameLength from the client request and +passes it directly to strncmp() as the comparison length without +verifying that the length of the name really is the size of the input +buffer received. + +Fix this up by properly checking the size of the name based on the value +received and the overall size of the request, to prevent a later +strncmp() call to use the length as a "trusted" size of the buffer. +Without this check, uninitialized heap values might be slowly leaked to +the client. + +Cc: Namjae Jeon +Cc: Steve French +Cc: Sergey Senozhatsky +Cc: Tom Talpey +Cc: linux-cifs@vger.kernel.org +Cc: +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -4390,6 +4390,11 @@ static int smb2_get_ea(struct ksmbd_work + + ea_req = (struct smb2_ea_info_req *)((char *)req + + le16_to_cpu(req->InputBufferOffset)); ++ ++ if (le32_to_cpu(req->InputBufferLength) < ++ offsetof(struct smb2_ea_info_req, name) + ++ ea_req->EaNameLength) ++ return -EINVAL; + } else { + /* need to send all EAs, if no specific EA is requested*/ + if (le32_to_cpu(req->Flags) & SL_RETURN_SINGLE_ENTRY) 
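Review bot: The new check bounds `EaNameLength` against InputBufferLength, but `ea_req->EaNameLength` is read before the check and `ea_req` is computed from the client-supplied InputBufferOffset two lines above, so the code presumes the smb2_ea_info_req header at that offset has already been validated to lie within the received request; if smb2_get_ea() (which starts outside the hunk) does not do that earlier, a check that InputBufferOffset plus `offsetof(struct smb2_ea_info_req, name)` fits in the request should precede this read. A comment such as `/* the name must fit in the input buffer the client declared */` would also document why offsetof(..., name) is the baseline. This is inferred from the hunk alone; the earlier validation may well exist in the lines not shown.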
diff --git a/queue-6.1/net-usb-cdc-phonet-fix-skb-frags-overflow-in-rx_complete.patch b/queue-6.1/net-usb-cdc-phonet-fix-skb-frags-overflow-in-rx_complete.patch new file mode 100644 index 0000000000..1174630614 --- /dev/null +++ b/queue-6.1/net-usb-cdc-phonet-fix-skb-frags-overflow-in-rx_complete.patch 
@@ -0,0 +1,54 @@ +From 600dc40554dc5ad1e6f3af51f700228033f43ea7 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Sat, 11 Apr 2026 13:01:35 +0200 +Subject: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() + +From: Greg Kroah-Hartman + +commit 600dc40554dc5ad1e6f3af51f700228033f43ea7 upstream. + +A malicious USB device claiming to be a CDC Phonet modem can overflow +the skb_shared_info->frags[] array by sending an unbounded sequence of +full-page bulk transfers. + +Drop the skb and increment the length error when the frag limit is +reached. This matches the same fix that commit f0813bcd2d9d ("net: +wwan: t7xx: fix potential skb->frags overflow in RX path") did for the +t7xx driver. + +Cc: Andrew Lunn +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: stable +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026041134-dreamboat-buddhism-d1ec@gregkh +Fixes: 87cf65601e17 ("USB host CDC Phonet network interface driver") +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc-phonet.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/cdc-phonet.c ++++ b/drivers/net/usb/cdc-phonet.c +@@ -157,11 +157,16 @@ static void rx_complete(struct urb *req) + PAGE_SIZE); + page = NULL; + } +- } else { ++ } else if (skb_shinfo(skb)->nr_frags < MAX_SKB_FRAGS) { + skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, + page, 0, req->actual_length, + PAGE_SIZE); + page = NULL; ++ } else { ++ dev_kfree_skb_any(skb); ++ pnd->rx_skb = NULL; ++ skb = NULL; ++ dev->stats.rx_length_errors++; + } + if (req->actual_length < PAGE_SIZE) + pnd->rx_skb = NULL; /* Last fragment */ diff --git a/queue-6.1/nfc-digital-bounds-check-nfc-a-cascade-depth-in-sdd-response-handler.patch b/queue-6.1/nfc-digital-bounds-check-nfc-a-cascade-depth-in-sdd-response-handler.patch new file mode 100644 index 0000000000..a7b6f45afd --- /dev/null 
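Review bot: In the new else branch `page` is left non-NULL after the skb is dropped, unlike the two sibling branches that set `page = NULL` once the page is handed to the skb, so the code relies on the common tail of rx_complete() (outside the hunk) releasing a page the function still owns; a comment such as `/* page is still ours; released by the common path below */` would make that explicit, and the tail should be checked to confirm it. Dropping the skb mid-packet presumably also means the remaining full-page URBs of that frame are treated as the start of a new rx_skb until a short transfer arrives, which is the pre-existing behaviour for any dropped frame but deserves a sentence in a comment. `skb = NULL` together with `pnd->rx_skb = NULL` presumes the rest of the function tests `skb` before use; that code is outside the hunk.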
+++ b/queue-6.1/nfc-digital-bounds-check-nfc-a-cascade-depth-in-sdd-response-handler.patch 
@@ -0,0 +1,58 @@ +From 46ce8be2ced389bccd84bcc04a12cf2f4d0c22d1 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 9 Apr 2026 17:18:14 +0200 +Subject: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler + +From: Greg Kroah-Hartman + +commit 46ce8be2ced389bccd84bcc04a12cf2f4d0c22d1 upstream. + +The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 +or 4 bytes to target->nfcid1 on each round, but the number of cascade +rounds is controlled entirely by the peer device. The peer sets the +cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the +cascade-incomplete bit in the SEL_RES (deciding whether another round +follows). + +ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is +sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver +actually enforces this. This means a malicious peer can keep the +cascade running, writing past the heap-allocated nfc_target with each +round. + +Fix this by rejecting the response when the accumulated UID would exceed +the buffer. + +Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays") +fixed similar missing checks against the same field on the NCI path. 
+ +Cc: Simon Horman +Cc: Kees Cook +Cc: Thierry Escande +Cc: Samuel Ortiz +Fixes: 2c66daecc409 ("NFC Digital: Add NFC-A technology support") +Cc: stable +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026040913-figure-seducing-bd3f@gregkh +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/digital_technology.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/nfc/digital_technology.c ++++ b/net/nfc/digital_technology.c +@@ -424,6 +424,12 @@ static void digital_in_recv_sdd_res(stru + size = 4; + } + ++ if (target->nfcid1_len + size > NFC_NFCID1_MAXSIZE) { ++ PROTOCOL_ERR("4.7.2.1"); ++ rc = -EPROTO; ++ goto exit; ++ } ++ + memcpy(target->nfcid1 + target->nfcid1_len, sdd_res->nfcid1 + offset, + size); + target->nfcid1_len += size; diff --git a/queue-6.1/nfc-llcp-add-missing-return-after-llcp_closed-checks.patch b/queue-6.1/nfc-llcp-add-missing-return-after-llcp_closed-checks.patch new file mode 100644 index 0000000000..0ec225316b --- /dev/null +++ b/queue-6.1/nfc-llcp-add-missing-return-after-llcp_closed-checks.patch 
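Review bot: The new bound check in digital_in_recv_sdd_res() carries no comment tying NFC_NFCID1_MAXSIZE to the three-cascade-level limit of ISO 14443-3 that the changelog cites, and the bare `PROTOCOL_ERR("4.7.2.1")` section reference does not explain it either; suggest `/* ISO 14443-3 allows at most three cascade levels; nfcid1[] holds NFC_NFCID1_MAXSIZE bytes */` above the if. The sum `target->nfcid1_len + size` cannot wrap since size is 3 or 4 per the visible context and the changelog, and the check runs before the memcpy() and the length increment. digital_in_recv_sdd_res() begins and ends outside the hunk.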
@@ -0,0 +1,48 @@ +From 2b5dd4632966c39da6ba74dbc8689b309065e82c Mon Sep 17 00:00:00 2001 +From: Junxi Qian +Date: Wed, 8 Apr 2026 16:10:06 +0800 +Subject: nfc: llcp: add missing return after LLCP_CLOSED checks + +From: Junxi Qian + +commit 2b5dd4632966c39da6ba74dbc8689b309065e82c upstream. + +In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket +state is LLCP_CLOSED, the code correctly calls release_sock() and +nfc_llcp_sock_put() but fails to return. Execution falls through to +the remainder of the function, which calls release_sock() and +nfc_llcp_sock_put() again. This results in a double release_sock() +and a refcount underflow via double nfc_llcp_sock_put(), leading to +a use-after-free. + +Add the missing return statements after the LLCP_CLOSED branches +in both functions to prevent the fall-through. + +Fixes: d646960f7986 ("NFC: Initial LLCP support") +Signed-off-by: Junxi Qian +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260408081006.3723-1-qjx1298677004@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/llcp_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -1089,6 +1089,7 @@ static void nfc_llcp_recv_hdlc(struct nf + if (sk->sk_state == LLCP_CLOSED) { + release_sock(sk); + nfc_llcp_sock_put(llcp_sock); ++ return; + } + + /* Pass the payload upstream */ +@@ -1180,6 +1181,7 @@ static void nfc_llcp_recv_disc(struct nf + if (sk->sk_state == LLCP_CLOSED) { + release_sock(sk); + nfc_llcp_sock_put(llcp_sock); ++ return; + } + + if (sk->sk_state == LLCP_CONNECTED) { diff --git a/queue-6.1/series b/queue-6.1/series index c4be014680..b0ad5fc900 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
@@ -56,3 +56,23 @@ revert-drm-fix-use-after-free-on-framebuffers-and-pr.patch netfilter-conntrack-add-missing-netlink-policy-valid.patch alsa-usb-audio-improve-focusrite-sample-rate-filteri.patch drm-i915-psr-do-not-use-pipe_src-as-borders-for-su-a.patch +nfc-llcp-add-missing-return-after-llcp_closed-checks.patch +can-raw-fix-ro-uniq-use-after-free-in-raw_rcv.patch +i2c-s3c24xx-check-the-size-of-the-smbus-message-before-using-it.patch +staging-rtl8723bs-initialize-le_tmp64-in-rtw_bip_verify.patch +hid-alps-fix-null-pointer-dereference-in-alps_raw_event.patch +hid-core-clamp-report_size-in-s32ton-to-avoid-undefined-shift.patch +net-usb-cdc-phonet-fix-skb-frags-overflow-in-rx_complete.patch +nfc-digital-bounds-check-nfc-a-cascade-depth-in-sdd-response-handler.patch +drm-vc4-platform_get_irq_byname-returns-an-int.patch +alsa-fireworks-bound-device-supplied-status-before-string-array-lookup.patch +fbdev-tdfxfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch +usb-gadget-f_ncm-validate-minimum-block_len-in-ncm_unwrap_ntb.patch +usb-gadget-f_phonet-fix-skb-frags-overflow-in-pn_rx_complete.patch +usb-gadget-renesas_usb3-validate-endpoint-index-in-standard-request-handlers.patch +ksmbd-validate-eanamelength-in-smb2_get_ea.patch +ksmbd-require-3-sub-authorities-before-reading-sub_auth.patch +usbip-validate-number_of_packets-in-usbip_pack_ret_submit.patch +usb-storage-expand-range-of-matched-versions-for-vl817-quirks-entry.patch +usb-cdc-acm-add-quirks-for-yoga-book-9-14iah10-ingenic-touchscreen.patch +usb-port-add-delay-after-usb_hub_set_port_power.patch diff --git a/queue-6.1/staging-rtl8723bs-initialize-le_tmp64-in-rtw_bip_verify.patch b/queue-6.1/staging-rtl8723bs-initialize-le_tmp64-in-rtw_bip_verify.patch new file mode 100644 index 0000000000..ae1eaa951e --- /dev/null +++ b/queue-6.1/staging-rtl8723bs-initialize-le_tmp64-in-rtw_bip_verify.patch 
@@ -0,0 +1,44 @@ +From 8c964b82a4e97ec7f25e17b803ee196009b38a57 Mon Sep 17 00:00:00 2001 +From: Lin YuChen +Date: Sat, 21 Mar 2026 01:25:02 +0800 +Subject: staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() + +From: Lin YuChen + +commit 8c964b82a4e97ec7f25e17b803ee196009b38a57 upstream. + +Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using +uninitialized data. + +Smatch warns that only 6 bytes are copied to this 8-byte (u64) +variable, leaving the last two bytes uninitialized: + +drivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify() +warn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes) + +Initializing the variable at the start of the function fixes this +warning and ensures predictable behavior. + +Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") +Cc: stable +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/linux-staging/abvwIQh0CHTp4wNJ@stanley.mountain/ +Signed-off-by: Lin YuChen +Reviewed-by: Dan Carpenter +Link: https://patch.msgid.link/20260320172502.167332-1-starpt.official@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8723bs/core/rtw_security.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8723bs/core/rtw_security.c ++++ b/drivers/staging/rtl8723bs/core/rtw_security.c +@@ -1364,7 +1364,7 @@ u32 rtw_BIP_verify(struct adapter *padap + u8 mic[16]; + struct mlme_ext_priv *pmlmeext = &padapter->mlmeextpriv; + __le16 le_tmp; +- __le64 le_tmp64; ++ __le64 le_tmp64 = 0; + + ori_len = pattrib->pkt_len-WLAN_HDR_A3_LEN+BIP_AAD_SIZE; + BIP_AAD = rtw_zmalloc(ori_len); diff --git a/queue-6.1/usb-cdc-acm-add-quirks-for-yoga-book-9-14iah10-ingenic-touchscreen.patch b/queue-6.1/usb-cdc-acm-add-quirks-for-yoga-book-9-14iah10-ingenic-touchscreen.patch new file mode 100644 index 0000000000..2532273959 --- /dev/null +++ b/queue-6.1/usb-cdc-acm-add-quirks-for-yoga-book-9-14iah10-ingenic-touchscreen.patch 
@@ -0,0 +1,158 @@ +From f58752ebcb35e156c85cd1a82d6579c7af3b9023 Mon Sep 17 00:00:00 2001 +From: Dave Carey +Date: Thu, 2 Apr 2026 14:29:50 -0400 +Subject: USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen + +From: Dave Carey + +commit f58752ebcb35e156c85cd1a82d6579c7af3b9023 upstream. + +The Lenovo Yoga Book 9 14IAH10 (83KJ) has a composite USB device +(17EF:6161) that controls both touchscreens via a CDC ACM interface. +Interface 0 is a standard CDC ACM control interface, but interface 1 +(the data interface) incorrectly declares vendor-specific class (0xFF) +instead of USB_CLASS_CDC_DATA. cdc-acm rejects the device at probe with +-EINVAL, leaving interface 0 unbound and EP 0x82 never polled. + +With no consumer polling EP 0x82, the firmware's watchdog fires every +~20 seconds and resets the USB bus, producing a continuous disconnect/ +reconnect loop that prevents the touchscreens from ever initialising. + +Add two new quirk flags: + +VENDOR_CLASS_DATA_IFACE: Bypasses the bInterfaceClass check in +acm_probe() that would otherwise reject the vendor-class data +interface with -EINVAL. + +ALWAYS_POLL_CTRL: Submits the notification URB at probe() rather than +waiting for a TTY open. This keeps EP 0x82 polled at all times, +permanently suppressing the firmware watchdog. The URB is resubmitted +after port_shutdown() and on system resume. SET_CONTROL_LINE_STATE +(DTR|RTS) is sent at probe and after port_shutdown() to complete +firmware handshake. + +Note: the firmware performs exactly 4 USB connect/disconnect cycles +(~19 s each) on every cold boot before stabilising. This is a fixed +firmware property; touch is available ~75-80 s after power-on. 
+ +Signed-off-by: Dave Carey +Cc: stable +Tested-by: Dave Carey +Acked-by: Oliver Neukum +Link: https://patch.msgid.link/20260402182950.389016-1-carvsdriver@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-acm.c | 53 ++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 46 insertions(+), 7 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -113,6 +113,8 @@ static int acm_ctrl_msg(struct acm *acm, + int retval; + + retval = usb_autopm_get_interface(acm->control); ++#define VENDOR_CLASS_DATA_IFACE BIT(9) /* data interface uses vendor-specific class */ ++#define ALWAYS_POLL_CTRL BIT(10) /* keep ctrl URB active even without an open TTY */ + if (retval) + return retval; + +@@ -699,12 +701,14 @@ static int acm_port_activate(struct tty_ + set_bit(TTY_NO_WRITE_SPLIT, &tty->flags); + acm->control->needs_remote_wakeup = 1; + +- acm->ctrlurb->dev = acm->dev; +- retval = usb_submit_urb(acm->ctrlurb, GFP_KERNEL); +- if (retval) { +- dev_err(&acm->control->dev, +- "%s - usb_submit_urb(ctrl irq) failed\n", __func__); +- goto error_submit_urb; ++ if (!(acm->quirks & ALWAYS_POLL_CTRL)) { ++ acm->ctrlurb->dev = acm->dev; ++ retval = usb_submit_urb(acm->ctrlurb, GFP_KERNEL); ++ if (retval) { ++ dev_err(&acm->control->dev, ++ "%s - usb_submit_urb(ctrl irq) failed\n", __func__); ++ goto error_submit_urb; ++ } + } + + acm_tty_set_termios(tty, NULL); +@@ -777,6 +781,14 @@ static void acm_port_shutdown(struct tty + + acm_unpoison_urbs(acm); + ++ if (acm->quirks & ALWAYS_POLL_CTRL) { ++ acm->ctrlurb->dev = acm->dev; ++ if (usb_submit_urb(acm->ctrlurb, GFP_KERNEL)) ++ dev_dbg(&acm->control->dev, ++ "ctrl polling restart failed after port close\n"); ++ /* port_shutdown() cleared DTR/RTS; restore them */ ++ acm_set_control(acm, USB_CDC_CTRL_DTR | USB_CDC_CTRL_RTS); ++ } + } + + static void acm_tty_cleanup(struct tty_struct *tty) +@@ -1304,6 +1316,9 @@ skip_normal_probe: + dev_dbg(&intf->dev, + "Your device has switched 
interfaces.\n"); + swap(control_interface, data_interface); ++ } else if (quirks & VENDOR_CLASS_DATA_IFACE) { ++ dev_dbg(&intf->dev, ++ "Vendor-specific data interface class, continuing.\n"); + } else { + return -EINVAL; + } +@@ -1498,6 +1513,9 @@ skip_countries: + acm->line.bDataBits = 8; + acm_set_line(acm, &acm->line); + ++ if (quirks & ALWAYS_POLL_CTRL) ++ acm_set_control(acm, USB_CDC_CTRL_DTR | USB_CDC_CTRL_RTS); ++ + if (!acm->combined_interfaces) { + rv = usb_driver_claim_interface(&acm_driver, data_interface, acm); + if (rv) +@@ -1519,6 +1537,13 @@ skip_countries: + + dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor); + ++ if (acm->quirks & ALWAYS_POLL_CTRL) { ++ acm->ctrlurb->dev = acm->dev; ++ if (usb_submit_urb(acm->ctrlurb, GFP_KERNEL)) ++ dev_warn(&intf->dev, ++ "failed to start persistent ctrl polling\n"); ++ } ++ + return 0; + + err_release_data_interface: +@@ -1645,7 +1670,7 @@ static int acm_resume(struct usb_interfa + + acm_unpoison_urbs(acm); + +- if (tty_port_initialized(&acm->port)) { ++ if (tty_port_initialized(&acm->port) || (acm->quirks & ALWAYS_POLL_CTRL)) { + rv = usb_submit_urb(acm->ctrlurb, GFP_ATOMIC); + + for (;;) { +@@ -1992,6 +2017,20 @@ static const struct usb_device_id acm_id + /* CH343 supports CAP_BRK, but doesn't advertise it */ + { USB_DEVICE(0x1a86, 0x55d3), .driver_info = MISSING_CAP_BRK, }, + ++ /* ++ * Lenovo Yoga Book 9 14IAH10 (83KJ) — INGENIC 17EF:6161 touchscreen ++ * composite device. The CDC ACM control interface (0) uses a standard ++ * Union descriptor, but the data interface (1) is declared as vendor- ++ * specific class (0xff) with no CDC data descriptors, so cdc-acm would ++ * normally reject it. The firmware also requires continuous polling of ++ * the notification endpoint (EP 0x82) to suppress a 20-second watchdog ++ * reset; ALWAYS_POLL_CTRL keeps the ctrlurb active even when no TTY is ++ * open. Match only the control interface by class to avoid probing the ++ * vendor-specific data interface. 
++ */ ++ { USB_DEVICE_INTERFACE_CLASS(0x17ef, 0x6161, USB_CLASS_COMM), ++ .driver_info = VENDOR_CLASS_DATA_IFACE | ALWAYS_POLL_CTRL }, ++ + /* control interfaces without any protocol set */ + { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM, + USB_CDC_PROTO_NONE) }, diff --git a/queue-6.1/usb-gadget-f_ncm-validate-minimum-block_len-in-ncm_unwrap_ntb.patch b/queue-6.1/usb-gadget-f_ncm-validate-minimum-block_len-in-ncm_unwrap_ntb.patch new file mode 100644 index 0000000000..c259d60a3f --- /dev/null +++ b/queue-6.1/usb-gadget-f_ncm-validate-minimum-block_len-in-ncm_unwrap_ntb.patch 
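Review bot: The two quirk definitions `#define VENDOR_CLASS_DATA_IFACE BIT(9)` and `#define ALWAYS_POLL_CTRL BIT(10)` land inside the body of acm_ctrl_msg(), between `retval = usb_autopm_get_interface(acm->control);` and its `if (retval)` check (the @@ -113 hunk), which reads as a misapplied backport hunk rather than an intended location. The preprocessor does not mind, so the build is unaffected, but the flags belong with the other quirk BIT() values the driver already has (the `MISSING_CAP_BRK` id-table entry shows such flags exist), not splitting a call from its error check. It is also worth confirming that BIT(9) and BIT(10) do not collide with an existing quirk bit in this tree's cdc-acm.h, which is outside the hunk. The remaining hunks (port_activate, port_shutdown, probe, resume, id table) are consistent with each other as far as the visible lines show.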
@@ -0,0 +1,51 @@ +From 8f993d30b95dc9557a8a96ceca11abed674c8acb Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 7 Apr 2026 11:02:54 +0200 +Subject: usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() + +From: Greg Kroah-Hartman + +commit 8f993d30b95dc9557a8a96ceca11abed674c8acb upstream. + +The block_len read from the host-supplied NTB header is checked against +ntb_max but has no lower bound. When block_len is smaller than +opts->ndp_size, the bounds check of: + ndp_index > (block_len - opts->ndp_size) +will underflow producing a huge unsigned value that ndp_index can never +exceed, defeating the check entirely. + +The same underflow occurs in the datagram index checks against block_len +- opts->dpe_size. With those checks neutered, a malicious USB host can +choose ndp_index and datagram offsets that point past the actual +transfer, and the skb_put_data() copies adjacent kernel memory into the +network skb. + +Fix this by rejecting block lengths that cannot hold at least the NTB +header plus one NDP. This will make block_len - opts->ndp_size and +block_len - opts->dpe_size both well-defined. + +Commit 8d2b1a1ec9f5 ("CDC-NCM: avoid overflow in sanity checking") fixed +a related class of issues on the host side of NCM. 
+ +Fixes: 2b74b0a04d3e ("USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()") +Cc: stable +Assisted-by: gregkh_clanker_t1000 +Link: https://patch.msgid.link/2026040753-baffle-handheld-624d@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_ncm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -1211,8 +1211,8 @@ parse_ntb: + + block_len = get_ncm(&tmp, opts->block_length); + /* (d)wBlockLength */ +- if (block_len > ntb_max) { +- INFO(port->func.config->cdev, "OUT size exceeded\n"); ++ if ((block_len < opts->nth_size + opts->ndp_size) || (block_len > ntb_max)) { ++ INFO(port->func.config->cdev, "Bad block length: %#X\n", block_len); + goto err; + } + diff --git a/queue-6.1/usb-gadget-f_phonet-fix-skb-frags-overflow-in-pn_rx_complete.patch b/queue-6.1/usb-gadget-f_phonet-fix-skb-frags-overflow-in-pn_rx_complete.patch new file mode 100644 index 0000000000..533371efea --- /dev/null +++ b/queue-6.1/usb-gadget-f_phonet-fix-skb-frags-overflow-in-pn_rx_complete.patch 
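Review bot: The lower bound `block_len < opts->nth_size + opts->ndp_size` makes `block_len - opts->ndp_size` well-defined, but the description also relies on it for `block_len - opts->dpe_size`, which only follows if `opts->dpe_size <= opts->ndp_size`; that holds for the NCM16/NCM32 parameter sets as far as I know, yet nothing in the hunk states it. A one-line comment above the check, `/* nth_size + ndp_size also covers dpe_size, which never exceeds ndp_size */`, would spare the next maintainer re-deriving it. The `%#X` conversion also assumes block_len is an unsigned int; its declaration is outside the hunk, so that should be confirmed.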
@@ -0,0 +1,51 @@ +From c088d5dd2fffb4de1fb8e7f57751c8b82942180a Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 7 Apr 2026 10:55:05 +0200 +Subject: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() + +From: Greg Kroah-Hartman + +commit c088d5dd2fffb4de1fb8e7f57751c8b82942180a upstream. + +A broken/bored/mean USB host can overflow the skb_shared_info->frags[] +array on a Linux gadget exposing a Phonet function by sending an +unbounded sequence of full-page OUT transfers. + +pn_rx_complete() finalizes the skb only when req->actual < req->length, +where req->length is set to PAGE_SIZE by the gadget. If the host always +sends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be +reset and each completion will add another fragment via +skb_add_rx_frag(). Once nr_frags exceeds MAX_SKB_FRAGS (default 17), +subsequent frag stores overwrite memory adjacent to the shinfo on the +heap. + +Drop the skb and account a length error when the frag limit is reached, +matching the fix applied in t7xx by commit f0813bcd2d9d ("net: wwan: +t7xx: fix potential skb->frags overflow in RX path"). + +Cc: stable +Assisted-by: gregkh_clanker_t1000 +Link: https://patch.msgid.link/2026040705-fruit-unloved-0701@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_phonet.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/usb/gadget/function/f_phonet.c ++++ b/drivers/usb/gadget/function/f_phonet.c +@@ -333,6 +333,15 @@ static void pn_rx_complete(struct usb_ep + if (unlikely(!skb)) + break; + ++ if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) { ++ /* Frame count from host exceeds frags[] capacity */ ++ dev_kfree_skb_any(skb); ++ if (fp->rx.skb == skb) ++ fp->rx.skb = NULL; ++ dev->stats.rx_length_errors++; ++ break; ++ } ++ + if (skb->len == 0) { /* First fragment */ + skb->protocol = htons(ETH_P_PHONET); + skb_reset_mac_header(skb); 
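Review bot: The comment `/* Frame count from host exceeds frags[] capacity */` names the wrong quantity: what overflowed is the per-skb fragment count nr_frags, driven by consecutive full-length OUT transfers for a single Phonet frame, not a count of frames. Suggest `/* too many full-length transfers for one frame; frags[] is full, drop it */`. The `break` before skb_add_rx_frag() presumably leaves the page to the post-switch release path, which is outside the hunk, so that path should be checked to confirm the page is released rather than leaked; pn_rx_complete() starts and ends outside this hunk.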
diff --git a/queue-6.1/usb-gadget-renesas_usb3-validate-endpoint-index-in-standard-request-handlers.patch b/queue-6.1/usb-gadget-renesas_usb3-validate-endpoint-index-in-standard-request-handlers.patch new file mode 100644 index 0000000000..501930dbfa --- /dev/null +++ b/queue-6.1/usb-gadget-renesas_usb3-validate-endpoint-index-in-standard-request-handlers.patch 
@@ -0,0 +1,50 @@ +From f880aac8a57ebd92abfa685d45424b2998ac1059 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 6 Apr 2026 17:09:48 +0200 +Subject: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers + +From: Greg Kroah-Hartman + +commit f880aac8a57ebd92abfa685d45424b2998ac1059 upstream. + +The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint +number from the host-supplied wIndex without any sort of validation. +Fix this up by validating the number of endpoints actually match up with +the number the device has before attempting to dereference a pointer +based on this math. + +This is just like what was done in commit ee0d382feb44 ("usb: gadget: +aspeed_udc: validate endpoint index for ast udc") for the aspeed driver. + +Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller") +Cc: stable +Assisted-by: gregkh_clanker_t1000 +Link: https://patch.msgid.link/2026040647-sincerity-untidy-b104@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/renesas_usb3.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/udc/renesas_usb3.c ++++ b/drivers/usb/gadget/udc/renesas_usb3.c +@@ -1628,6 +1628,10 @@ static bool usb3_std_req_get_status(stru + break; + case USB_RECIP_ENDPOINT: + num = le16_to_cpu(ctrl->wIndex) & USB_ENDPOINT_NUMBER_MASK; ++ if (num >= usb3->num_usb3_eps) { ++ stall = true; ++ break; ++ } + usb3_ep = usb3_get_ep(usb3, num); + if (usb3_ep->halt) + status |= 1 << USB_ENDPOINT_HALT; +@@ -1740,7 +1744,8 @@ static bool usb3_std_req_feature_endpoin + struct renesas_usb3_ep *usb3_ep; + struct renesas_usb3_request *usb3_req; + +- if (le16_to_cpu(ctrl->wValue) != USB_ENDPOINT_HALT) ++ if ((le16_to_cpu(ctrl->wValue) != USB_ENDPOINT_HALT) || ++ (num >= usb3->num_usb3_eps)) + return true; /* stall */ + + usb3_ep = usb3_get_ep(usb3, num); 
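Review bot: In the second hunk (usb3_std_req_feature_endpoint) the new `num >= usb3->num_usb3_eps` test relies on `num` already being masked with USB_ENDPOINT_NUMBER_MASK, as the first hunk does explicitly for get_status, but the derivation of `num` from wIndex lies outside the hunk; if the direction bit were still set, IN endpoints would be stalled instead of looked up. Worth confirming against the function's start, and a comment at the check, `/* num is the masked endpoint number; bound it to the allocated eps */`, would tie the two hunks together. Kernel style would also drop the redundant parentheses around the two operands of `||`.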
diff --git a/queue-6.1/usb-port-add-delay-after-usb_hub_set_port_power.patch b/queue-6.1/usb-port-add-delay-after-usb_hub_set_port_power.patch new file mode 100644 index 0000000000..1a00ff4591 --- /dev/null +++ b/queue-6.1/usb-port-add-delay-after-usb_hub_set_port_power.patch 
@@ -0,0 +1,63 @@ +From b84cc80610a8ce036deb987f056ce3196ead7f1e Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Mon, 16 Mar 2026 17:50:42 +0800 +Subject: usb: port: add delay after usb_hub_set_port_power() + +From: Xu Yang + +commit b84cc80610a8ce036deb987f056ce3196ead7f1e upstream. + +When a port is disabled, an attached device will be disconnected. This +causes a port-status-change event, which will race with hub autosuspend +(if the disabled port was the only connected port on its hub), causing +an immediate resume and a second autosuspend. Both of these can be +avoided by adding a short delay after the call to +usb_hub_set_port_power(). + +Below log shows what is happening: + +$ echo 1 > usb1-port1/disable +[ 37.958239] usb 1-1: USB disconnect, device number 2 +[ 37.964101] usb 1-1: unregistering device +[ 37.970070] hub 1-0:1.0: hub_suspend +[ 37.971305] hub 1-0:1.0: state 7 ports 1 chg 0000 evt 0002 +[ 37.974412] usb usb1: bus auto-suspend, wakeup 1 +[ 37.988175] usb usb1: suspend raced with wakeup event <--- +[ 37.993947] usb usb1: usb auto-resume +[ 37.998401] hub 1-0:1.0: hub_resume +[ 38.105688] usb usb1-port1: status 0000, change 0000, 12 Mb/s +[ 38.112399] hub 1-0:1.0: state 7 ports 1 chg 0000 evt 0000 +[ 38.118645] hub 1-0:1.0: hub_suspend +[ 38.122963] usb usb1: bus auto-suspend, wakeup 1 +[ 38.200368] usb usb1: usb wakeup-resume +[ 38.204982] usb usb1: usb auto-resume +[ 38.209376] hub 1-0:1.0: hub_resume +[ 38.213676] usb usb1-port1: status 0101 change 0001 +[ 38.321552] hub 1-0:1.0: state 7 ports 1 chg 0002 evt 0000 +[ 38.327978] usb usb1-port1: status 0101, change 0000, 12 Mb/s +[ 38.457429] usb 1-1: new high-speed USB device number 3 using ci_hdrc + +Then, port change bit will be fixed to the final state and +usb_clear_port_feature() can correctly clear it after this period. This +will also avoid usb runtime suspend routine to run because +usb_autopm_put_interface() not run yet. 
+ +Fixes: f061f43d7418 ("usb: hub: port: add sysfs entry to switch port power") +Cc: stable@kernel.org +Signed-off-by: Xu Yang +Link: https://patch.msgid.link/20260316095042.1559882-1-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/port.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/core/port.c ++++ b/drivers/usb/core/port.c +@@ -111,6 +111,7 @@ static ssize_t disable_store(struct devi + usb_disconnect(&port_dev->child); + + rc = usb_hub_set_port_power(hdev, hub, port1, !disabled); ++ msleep(2 * hub_power_on_good_delay(hub)); + + if (disabled) { + usb_clear_port_feature(hdev, port1, USB_PORT_FEAT_C_CONNECTION); diff --git a/queue-6.1/usb-storage-expand-range-of-matched-versions-for-vl817-quirks-entry.patch b/queue-6.1/usb-storage-expand-range-of-matched-versions-for-vl817-quirks-entry.patch new file mode 100644 index 0000000000..b43a274cba --- /dev/null +++ b/queue-6.1/usb-storage-expand-range-of-matched-versions-for-vl817-quirks-entry.patch 
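Review bot: `msleep(2 * hub_power_on_good_delay(hub))` runs unconditionally, including when `usb_hub_set_port_power()` left an error in `rc` and on the enable path, while the description justifies the delay only for the disable/disconnect race. Gating it, `if (!rc) msleep(2 * hub_power_on_good_delay(hub));`, or limiting it to the `disabled` case, would avoid an unneeded sleep in a sysfs store handler that presumably holds the hub device lock at this point; disable_store() begins outside the hunk so I cannot see which locks are held or how `rc` is consumed afterwards.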
@@ -0,0 +1,42 @@ +From 609865ab3d5d803556f628e221ecd3d06aed9f30 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20Br=C3=A1t?= +Date: Thu, 2 Apr 2026 19:24:33 +0200 +Subject: usb: storage: Expand range of matched versions for VL817 quirks entry +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Brát + +commit 609865ab3d5d803556f628e221ecd3d06aed9f30 upstream. + +Expands range of matched bcdDevice values for the VL817 quirk entry. +This is based on experience with Axagon EE35-GTR rev1 3.5" HDD +enclosure, which reports its bcdDevice as 0x0843, but presumably other +vendors using this IC in their products may set it to any other value. + +Signed-off-by: Daniel Brát +Cc: stable +Link: https://patch.msgid.link/20260402172433.5227-1-danek.brat@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/unusual_devs.h | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -2350,10 +2350,11 @@ UNUSUAL_DEV( 0x2027, 0xa001, 0x0000, 0x + US_FL_SCM_MULT_TARG ), + + /* +- * Reported by DocMAX +- * and Thomas Weißschuh ++ * Reported by DocMAX , ++ * Thomas Weißschuh ++ * and Daniel Brát + */ +-UNUSUAL_DEV( 0x2109, 0x0715, 0x9999, 0x9999, ++UNUSUAL_DEV( 0x2109, 0x0715, 0x0000, 0x9999, + "VIA Labs, Inc.", + "VL817 SATA Bridge", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, diff --git a/queue-6.1/usbip-validate-number_of_packets-in-usbip_pack_ret_submit.patch b/queue-6.1/usbip-validate-number_of_packets-in-usbip_pack_ret_submit.patch new file mode 100644 index 0000000000..d0b96e625e --- /dev/null +++ b/queue-6.1/usbip-validate-number_of_packets-in-usbip_pack_ret_submit.patch 
@@ -0,0 +1,86 @@ +From 2ab833a16a825373aad2ba7d54b572b277e95b71 Mon Sep 17 00:00:00 2001 +From: Nathan Rebello +Date: Thu, 2 Apr 2026 04:52:59 -0400 +Subject: usbip: validate number_of_packets in usbip_pack_ret_submit() + +From: Nathan Rebello + +commit 2ab833a16a825373aad2ba7d54b572b277e95b71 upstream. + +When a USB/IP client receives a RET_SUBMIT response, +usbip_pack_ret_submit() unconditionally overwrites +urb->number_of_packets from the network PDU. This value is +subsequently used as the loop bound in usbip_recv_iso() and +usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible +array whose size was fixed at URB allocation time based on the +*original* number_of_packets from the CMD_SUBMIT. + +A malicious USB/IP server can set number_of_packets in the response +to a value larger than what was originally submitted, causing a heap +out-of-bounds write when usbip_recv_iso() writes to +urb->iso_frame_desc[i] beyond the allocated region. + +KASAN confirmed this with kernel 7.0.0-rc5: + + BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640 + Write of size 4 at addr ffff888106351d40 by task vhci_rx/69 + + The buggy address is located 0 bytes to the right of + allocated 320-byte region [ffff888106351c00, ffff888106351d40) + +The server side (stub_rx.c) and gadget side (vudc_rx.c) already +validate number_of_packets in the CMD_SUBMIT path since commits +c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle +malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden +CMD_SUBMIT path to handle malicious input"). The server side validates +against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. +On the client side we have the original URB, so we can use the tighter +bound: the response must not exceed the original number_of_packets. + +This mirrors the existing validation of actual_length against +transfer_buffer_length in usbip_recv_xbuff(), which checks the +response value against the original allocation size. 
+ +Kelvin Mbogo's series ("usb: usbip: fix integer overflow in +usbip_recv_iso()", v2) hardens the receive-side functions themselves; +this patch complements that work by catching the bad value at its +source -- in usbip_pack_ret_submit() before the overwrite -- and +using the tighter per-URB allocation bound rather than the global +USBIP_MAX_ISO_PACKETS limit. + +Fix this by checking rpdu->number_of_packets against +urb->number_of_packets in usbip_pack_ret_submit() before the +overwrite. On violation, clamp to zero so that usbip_recv_iso() and +usbip_pad_iso() safely return early. + +Fixes: 1325f85fa49f ("staging: usbip: bugfix add number of packets for isochronous frames") +Cc: stable +Acked-by: Shuah Khan +Signed-off-by: Nathan Rebello +Link: https://patch.msgid.link/20260402085259.234-1-nathan.c.rebello@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/usbip/usbip_common.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/usb/usbip/usbip_common.c ++++ b/drivers/usb/usbip/usbip_common.c +@@ -469,6 +469,18 @@ static void usbip_pack_ret_submit(struct + urb->status = rpdu->status; + urb->actual_length = rpdu->actual_length; + urb->start_frame = rpdu->start_frame; ++ /* ++ * The number_of_packets field determines the length of ++ * iso_frame_desc[], which is a flexible array allocated ++ * at URB creation time. A response must never claim more ++ * packets than originally submitted; doing so would cause ++ * an out-of-bounds write in usbip_recv_iso() and ++ * usbip_pad_iso(). Clamp to zero on violation so both ++ * functions safely return early. ++ */ ++ if (rpdu->number_of_packets < 0 || ++ rpdu->number_of_packets > urb->number_of_packets) ++ rpdu->number_of_packets = 0; + urb->number_of_packets = rpdu->number_of_packets; + urb->error_count = rpdu->error_count; + }
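Review bot: An out-of-range number_of_packets is silently clamped to zero, so a server that violates the protocol (the threat the description names) leaves no trace in the logs; the URB just completes with no ISO descriptors. A line at the clamp using the file's existing logging helper, something like `pr_err("number_of_packets %d exceeds submitted %d, dropping\n", rpdu->number_of_packets, urb->number_of_packets);`, would make the condition visible to operators and tests. The comment could also state that for a non-isochronous URB urb->number_of_packets is expected to be 0, so any non-zero response value is clamped there as well, which appears to be the intended outcome. usbip_pack_ret_submit() starts outside the hunk.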