From f96e41ca56b6b4a7d32a954f3f5464b6fcad126f Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Fri, 22 Aug 2025 12:21:36 -0400 Subject: [PATCH 1/6] net: atm: fix use after free in lec_send() jira VULN-56261 cve CVE-2025-22004 commit-author Dan Carpenter commit f3009d0d6ab78053117f8857b921a8237f4d17b3 The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Dan Carpenter Reviewed-by: Simon Horman Link: https://patch.msgid.link/c751531d-4af4-42fe-affe-6104b34b791d@stanley.mountain Signed-off-by: Paolo Abeni (cherry picked from commit f3009d0d6ab78053117f8857b921a8237f4d17b3) Signed-off-by: Brett Mastbergen
---
net/atm/lec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/atm/lec.c b/net/atm/lec.c
index 21b0caf3aad05..f36eb5fc734ce 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -180,6 +180,7 @@ static void
lec_send(struct atm_vcc *vcc, struct sk_buff *skb)
{
struct net_device *dev = skb->dev;
+ unsigned int len = skb->len;
ATM_SKB(skb)->vcc = vcc;
ATM_SKB(skb)->atm_options = vcc->atm_options;
@@ -191,7 +192,7 @@ lec_send(struct atm_vcc *vcc, struct sk_buff *skb)
}
dev->stats.tx_packets++;
- dev->stats.tx_bytes += skb->len;
+ dev->stats.tx_bytes += len;
}
static void lec_tx_timeout(struct net_device *dev)
From a57a12688f496ec8bb9ded42df8fa44f82644ee6 Mon Sep 17 00:00:00 2001
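Review bot: The added `unsigned int len = skb->len;` carries no hint of why it exists, and the second hunk's `dev->stats.tx_bytes += len;` reads like a gratuitous rename of `skb->len`, so a later cleanup could fold it back and reintroduce the use-after-free. A short comment on the declaration would anchor it: `unsigned int len = skb->len;	/* ->send() consumes skb; read before the call */`. `dev` is captured from `skb->dev` on the line above for the same reason, so the stats update after the send is otherwise safe. The `->send()` call itself sits between the two hunks, outside this view.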
From: Brett Mastbergen Date: Fri, 22 Aug 2025 12:21:37 -0400 Subject: [PATCH 2/6] HID: core: zero-initialize the report buffer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit jira VULN-40845 cve CVE-2024-50302 commit-author Jiri Kosina commit 177f25d1292c7e16e1199b39c85480f7f8815552 Since the report buffer is used by all kinds of drivers in various ways, let's zero-initialize it during allocation to make sure that it can't be ever used to leak kernel memory via specially-crafted report. Fixes: 27ce405039bf ("HID: fix data access in implement()") Reported-by: Benoît Sevens Acked-by: Benjamin Tissoires Signed-off-by: Jiri Kosina (cherry picked from commit 177f25d1292c7e16e1199b39c85480f7f8815552) Signed-off-by: Brett Mastbergen
---
drivers/hid/hid-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 8ee1af48dff30..5d49eaa8ece30 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1353,7 +1353,7 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags)
u32 len = hid_report_len(report) + 7;
- return kmalloc(len, flags);
+ return kzalloc(len, flags);
}
EXPORT_SYMBOL_GPL(hid_alloc_report_buf);
From 49f9d93124b0836a56eee93114f12bacf65242d6 Mon Sep 17 00:00:00 2001
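Review bot: `kzalloc()` zeroes the buffer only at allocation time; a driver that keeps the buffer returned by hid_alloc_report_buf() and reuses it for several reports can still expose the tail of a longer earlier report when a later one fills fewer bytes — that is inferred, since the callers are outside the hunk, but it marks the limit of what this change guarantees. Recording the intent next to the call would keep it from being undone by a later "kmalloc is faster" cleanup: `/* zeroed: report bytes can reach userspace or the device, so no uninitialised slack may leak */`. The `+ 7` slack in `len` is part of what now gets zeroed; whatever explains it sits above the hunk.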
From: Brett Mastbergen Date: Fri, 22 Aug 2025 12:43:30 -0400 Subject: [PATCH 3/6] fuse: fix pipe buffer lifetime for direct_io jira VULN-7917 cve CVE-2022-1011 commit-author Miklos Szeredi commit 0c4bcfdecb1ac0967619ee7ff44871d93c08c909 upstream-diff Used 4.19 LT commit 99db28212be68030c1db3a525f6bbdce39b039e9 because page info is in fuse_req in this kernel as opposed to fuse_args in upstream In FOPEN_DIRECT_IO mode, fuse_file_write_iter() calls fuse_direct_write_iter(), which normally calls fuse_direct_io(), which then imports the write buffer with fuse_get_user_pages(), which uses iov_iter_get_pages() to grab references to userspace pages instead of actually copying memory. On the filesystem device side, these pages can then either be read to userspace (via fuse_dev_read()), or splice()d over into a pipe using fuse_dev_splice_read() as pipe buffers with &nosteal_pipe_buf_ops. This is wrong because after fuse_dev_do_read() unlocks the FUSE request, the userspace filesystem can mark the request as completed, causing write() to return. At that point, the userspace filesystem should no longer have access to the pipe buffer. Fix by copying pages coming from the user address space to new pipe buffers. Reported-by: Jann Horn Fixes: c3021629a0d8 ("fuse: support splice() reading from fuse device") Cc: Signed-off-by: Miklos Szeredi (cherry picked from commit 0c4bcfdecb1ac0967619ee7ff44871d93c08c909) Signed-off-by: Brett Mastbergen
---
fs/fuse/dev.c | 12 +++++++++++-
fs/fuse/file.c | 1 +
fs/fuse/fuse_i.h | 2 ++
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index f37a2da3e455a..64660e509026a 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -932,7 +932,17 @@ static int fuse_copy_page(struct fuse_copy_state *cs, struct page **pagep,
while (count) {
if (cs->write && cs->pipebufs && page) {
- return fuse_ref_page(cs, page, offset, count);
+ /*
+ * Can't control lifetime of pipe buffers, so always
+ * copy user pages.
+ */
+ if (cs->req->user_pages) {
+ err = fuse_copy_fill(cs);
+ if (err)
+ return err;
+ } else {
+ return fuse_ref_page(cs, page, offset, count);
+ }
} else if (!cs->len) {
if (cs->move_pages && page &&
offset == 0 && count == PAGE_SIZE) {
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index c2d2d549ae72f..47d0e6fe2a9f3 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1386,6 +1386,7 @@ static int fuse_get_user_pages(struct fuse_req *req, struct iov_iter *ii,
nbytes += frag_size;
}
+ req->user_pages = true;
if (write)
req->in.argpages = 1;
else
diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index a376c38aeb402..a011f39d1fe2e 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -267,6 +267,8 @@ struct fuse_req {
/** refcount */
atomic_t count;
+ bool user_pages;
+
/** Unique ID for the interrupt request */
u64 intr_unique;
From 663bd768a0aa88e5ffea437a63ce0707e1716356 Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Fri, 22 Aug 2025 13:27:36 -0400 Subject: [PATCH 4/6] ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit jira VULN-46737 cve CVE-2024-53197 commit-author Benoît Sevens commit b909df18ce2a998afef81d58bbd1a05dc0788c40 upstream-diff This kernel doesn't have snd_usb_mbox3_boot_quirk(), so that change hunk from the upstream commit isn't necessary. A bogus device can provide a bNumConfigurations value that exceeds the initial value used in usb_get_configuration for allocating dev->config. This can lead to out-of-bounds accesses later, e.g. in usb_destroy_configuration.
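Review bot: `cs->req->user_pages` dereferences `cs->req` with no check; in the splice-read path it is presumably assigned by the caller before the copy starts, but that is outside the hunk and a NULL `cs->req` here would be a straight oops, so it is worth confirming against fuse_dev_do_read(). The new comment states the decision but not the hazard it averts; I would replace the two-line `Can't control lifetime of pipe buffers` text with `/* Pages that fuse_get_user_pages() borrowed from user space may be released as soon as the request completes, and a pipe buffer can outlive that, so copy them instead of referencing them. */`. fuse_copy_page()'s declarations (including `err`) and the tail of the `while` loop are outside the hunk.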
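Review bot: In the fuse_i.h hunk `bool user_pages;` is the only member without the `/** ... */` description that every neighbouring field of struct fuse_req carries (`/** refcount */`, `/** Unique ID for the interrupt request */`); add `/** Pages were borrowed from user space by fuse_get_user_pages() rather than copied */` above it. The file.c hunk sets the flag unconditionally at the end of fuse_get_user_pages() and nothing in this patch clears it, so it presumably relies on the request being zeroed at allocation — the comment could say so once that is confirmed. The rest of struct fuse_req is outside the hunk.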
Signed-off-by: Benoît Sevens Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@kernel.org Link: https://patch.msgid.link/20241120124144.3814457-1-bsevens@google.com Signed-off-by: Takashi Iwai (cherry picked from commit b909df18ce2a998afef81d58bbd1a05dc0788c40) Signed-off-by: Brett Mastbergen
---
sound/usb/quirks.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index 770daabb02620..76bb607a87637 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -577,6 +577,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip,
static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf)
{
struct usb_host_config *config = dev->actconfig;
+ struct usb_device_descriptor new_device_descriptor;
int err;
if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD ||
@@ -588,10 +589,14 @@ static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interfac
if (err < 0)
dev_dbg(&dev->dev, "error sending boot message: %d\n", err);
err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
- &dev->descriptor, sizeof(dev->descriptor));
- config = dev->actconfig;
+ &new_device_descriptor, sizeof(new_device_descriptor));
if (err < 0)
dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
+ if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
+ dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
+ new_device_descriptor.bNumConfigurations);
+ else
+ memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
err = usb_reset_configuration(dev);
if (err < 0)
dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err);
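Review bot: When `usb_get_descriptor()` fails, the `@@ -588` hunk only logs and then still compares and may `memcpy()` `new_device_descriptor` — a stack variable that was never initialised — over `dev->descriptor`, so a failed read now installs uninitialised stack bytes as the device descriptor where the old code at worst left a partially overwritten one. Making the validation the `else` branch of the error check is a one-line change: `else if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)` in place of the added `if`, with the trailing `else memcpy(...)` unchanged. Only `err < 0` is tested, and usb_get_descriptor() returns the byte count on success, so a short read also passes; comparing `err` against `sizeof(new_device_descriptor)` instead would close that too. The same pattern is in the mbox2 hunk (`@@ -960`) of this patch and survives into both hunks of the next patch, where the kmalloc()'d buffer is equally uninitialised; both boot-quirk functions continue outside their hunks.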
@@ -925,6 +930,7 @@ static void mbox2_setup_48_24_magic(struct usb_device *dev)
static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
{
struct usb_host_config *config = dev->actconfig;
+ struct usb_device_descriptor new_device_descriptor;
int err;
u8 bootresponse[0x12];
int fwsize;
@@ -960,10 +966,14 @@ static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
dev_dbg(&dev->dev, "device initialised!\n");
err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
- &dev->descriptor, sizeof(dev->descriptor));
- config = dev->actconfig;
+ &new_device_descriptor, sizeof(new_device_descriptor));
if (err < 0)
dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
+ if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
+ dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
+ new_device_descriptor.bNumConfigurations);
+ else
+ memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
err = usb_reset_configuration(dev);
if (err < 0)
From 774c83474a25c6cc42074f74de44e97debfbf1e0 Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Fri, 22 Aug 2025 14:56:10 -0400 Subject: [PATCH 5/6] ALSA: usb-audio: Fix a DMA to stack memory bug jira VULN-46737 cve-bf CVE-2024-53197 commit-author Dan Carpenter commit f7d306b47a24367302bd4fe846854e07752ffcd9 upstream-diff Use 5.10 LT commit e7c1fcdda47b0633c4b2b5d0db73d442ac35c071 This kernel doesn't have snd_usb_mbox3_boot_quirk(), so that change hunk from the upstream commit isn't necessary. Also this kernel doesn't have the __free annotation, so this version calls kfree the good old fashioned way The usb_get_descriptor() function does DMA so we're not allowed to use a stack buffer for that. Doing DMA to the stack is not portable all architectures. Move the "new_device_descriptor" from being stored on the stack and allocate it with kmalloc() instead. Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices") Cc: stable@kernel.org
Signed-off-by: Dan Carpenter Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mountain Signed-off-by: Takashi Iwai (cherry picked from commit f7d306b47a24367302bd4fe846854e07752ffcd9) Signed-off-by: Brett Mastbergen
---
sound/usb/quirks.c | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index 76bb607a87637..340d6b03ffde1 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -577,7 +577,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip,
static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf)
{
struct usb_host_config *config = dev->actconfig;
- struct usb_device_descriptor new_device_descriptor;
+ struct usb_device_descriptor *new_device_descriptor = NULL;
int err;
if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD ||
@@ -588,15 +588,20 @@ static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interfac
0x10, 0x43, 0x0001, 0x000a, NULL, 0);
if (err < 0)
dev_dbg(&dev->dev, "error sending boot message: %d\n", err);
+
+ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);
+ if (!new_device_descriptor)
+ return -ENOMEM;
err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
- &new_device_descriptor, sizeof(new_device_descriptor));
+ new_device_descriptor, sizeof(*new_device_descriptor));
if (err < 0)
dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
- if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
+ if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)
dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
- new_device_descriptor.bNumConfigurations);
+ new_device_descriptor->bNumConfigurations);
else
- memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
+ memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));
+ kfree(new_device_descriptor);
err = usb_reset_configuration(dev);
if (err < 0)
dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err);
@@ -930,7 +935,7 @@ static void mbox2_setup_48_24_magic(struct usb_device *dev)
static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
{
struct usb_host_config *config = dev->actconfig;
- struct usb_device_descriptor new_device_descriptor;
+ struct usb_device_descriptor *new_device_descriptor = NULL;
int err;
u8 bootresponse[0x12];
int fwsize;
@@ -965,15 +970,21 @@ static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
dev_dbg(&dev->dev, "device initialised!\n");
+ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);
+ if (!new_device_descriptor)
+ return -ENOMEM;
+
err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
- &new_device_descriptor, sizeof(new_device_descriptor));
+ new_device_descriptor, sizeof(*new_device_descriptor));
if (err < 0)
dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
- if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
+ if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)
dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
- new_device_descriptor.bNumConfigurations);
+ new_device_descriptor->bNumConfigurations);
else
- memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
+ memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));
+
+ kfree(new_device_descriptor);
err = usb_reset_configuration(dev);
if (err < 0)
From 1f9605447e3ae3bf56a34b02768b875ceaf14514 Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Mon, 25 Aug 2025 11:28:34 -0400 Subject: [PATCH 6/6] github actions: Switch to centos 7 container For some reason creating a centos-7 chroot with rinse has stopped working. Switch to a centos-7 container, which actually brings this build check more in line with all of the other branches. Note: We are checking out the code manually because centos-7 is too old to work properly with actions/checkout@v4
---
.github/workflows/build-check_x86_64.yml | 52 ++++++++++--------------
1 file changed, 21 insertions(+), 31 deletions(-)
diff --git a/.github/workflows/build-check_x86_64.yml b/.github/workflows/build-check_x86_64.yml
index 22420825aeb8d..2c3a478d3f083 100644
--- a/.github/workflows/build-check_x86_64.yml
+++ b/.github/workflows/build-check_x86_64.yml
@@ -9,46 +9,36 @@ jobs: kernel-build-job: runs-on: labels: kernel-build + container: + image: centos:7 + options: --cpus 8 steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - ref: "${{ github.event.pull_request.head.sha }}" - fetch-depth: 0 - path: kernel-src-tree - - - name: Install rinse - run: | - sudo apt-get install rinse - - - name: Build centos7 chroot - run: | - sudo rinse --distribution centos-7 \ - --mirror http://dl.rockylinux.org/vault/centos/7/os/x86_64/Packages \ - --arch amd64 \ - --directory centos-7-chroot - - - name: Point yum to vault (in chroot) + - name: Point yum to vault run: | - sudo sed -e '/mirrorlist=.*/d' \ + sed -e '/mirrorlist=.*/d' \ -e 's/#baseurl=/baseurl=/' \ -e "s/\$releasever/7.9.2009/g" \ -e "s/mirror.centos.org/dl.rockylinux.org\/vault/g" \ - -i centos-7-chroot/etc/yum.repos.d/CentOS-Base.repo + -i /etc/yum.repos.d/CentOS-Base.repo - name: Install tools and Libraries (in chroot) run: | - sudo chroot centos-7-chroot yum groupinstall 'Development Tools' -y - sudo chroot centos-7-chroot yum install bc dwarves git glibc-devel hostname kernel-devel mpfr openssl openssl-devel elfutils-libelf-devel -y + yum groupinstall 'Development Tools' -y + yum install bc dwarves git glibc-devel hostname kernel-devel mpfr openssl openssl-devel elfutils-libelf-devel -y - - name: Build the Kernel (in chroot) + - name: Checkout code run: | - sudo mv kernel-src-tree centos-7-chroot - sudo chroot centos-7-chroot sh -c "cd kernel-src-tree && cp configs/kernel-3.10.0-x86_64.config .config" - sudo chroot centos-7-chroot sh -c "cd kernel-src-tree && make olddefconfig" - sudo chroot centos-7-chroot sh -c "cd kernel-src-tree && make -j$(nproc)" + git clone --branch ${{ github.head_ref }} "https://oauth2:$GITHUB_TOKEN@github.com/ctrliq/kernel-src-tree" + + - name: Build the Kernel + working-directory: kernel-src-tree + run: | + cp configs/kernel-3.10.0-x86_64.config .config + make olddefconfig + make -j$(nproc) + - name: Check kabi + 
working-directory: kernel-src-tree run: | - sudo chroot centos-7-chroot sh -c "git clone --branch c7 --single-branch https://git.centos.org/rpms/kernel.git kernel-dist-git" - sudo chroot centos-7-chroot sh -c "cd kernel-dist-git && git reset --hard imports/c7/kernel-3.10.0-1160.119.1.el7" - sudo chroot centos-7-chroot sh -c "./kernel-dist-git/SOURCES/check-kabi -k ./kernel-dist-git/SOURCES/Module.kabi_x86_64 -s ./kernel-src-tree/Module.symvers" + git clone --branch imports/c7/kernel-3.10.0-1160.119.1.el7 --depth 1 https://git.centos.org/rpms/kernel.git kernel-dist-git + ./kernel-dist-git/SOURCES/check-kabi -k ./kernel-dist-git/SOURCES/Module.kabi_x86_64 -s Module.symvers
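Review bot: `${{ github.head_ref }}` is expanded by the workflow engine directly into the shell text of the `Checkout code` step's `run:` script, so a pull-request branch name is interpreted as shell syntax; the standard hardening is to pass it through the environment and quote it — give the step an `env:` entry `HEAD_REF: ${{ github.head_ref }}` and run `git clone --branch "$HEAD_REF" "https://oauth2:$GITHUB_TOKEN@github.com/ctrliq/kernel-src-tree"`. The same command reads `$GITHUB_TOKEN`, which nothing in this hunk sets (presumably a job- or workflow-level `env:` above the hunk), and embedding it in the clone URL leaves it in the clone's remote configuration for the rest of the job, which `git -c http.extraheader=...` or a post-clone `git remote set-url` would avoid. The replaced step checked out the pinned `pull_request.head.sha`; cloning `--branch` instead builds whatever the branch points at when the job starts, a behaviour change worth a sentence in the commit message. The step name `Install tools and Libraries (in chroot)` is stale now that nothing runs in a chroot.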