--- /dev/null
+From 5337213381df578058e2e41da93cbd0e4639935f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?= <cassiogabrielcontato@gmail.com>
+Date: Wed, 6 May 2026 00:34:47 -0300
+Subject: ALSA: core: Serialize deferred fasync state checks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+commit 5337213381df578058e2e41da93cbd0e4639935f upstream.
+
+snd_fasync_helper() updates fasync->on under snd_fasync_lock, and
+snd_fasync_work_fn() now also evaluates fasync->on under the same
+lock. snd_kill_fasync() still tests the flag before taking the lock,
+leaving an unsynchronized read against FASYNC enable/disable updates.
+
+Move the enabled-state check into the locked section.
+
+Also clear fasync->on under snd_fasync_lock in snd_fasync_free()
+before unlinking the pending entry. Together with the locked sender-side
+check, this publishes teardown before flushing the deferred work and
+prevents a racing sender from requeueing the entry after free has
+started.
+
+Fixes: ef34a0ae7a26 ("ALSA: core: Add async signal helpers")
+Fixes: 8146cd333d23 ("ALSA: core: Fix potential data race at fasync handling")
+Cc: stable@vger.kernel.org
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Link: https://patch.msgid.link/20260506-alsa-core-fasync-on-lock-v1-1-ea48c77d6ca4@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/misc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/sound/core/misc.c
++++ b/sound/core/misc.c
+@@ -148,9 +148,11 @@ EXPORT_SYMBOL_GPL(snd_fasync_helper);
+
+ void snd_kill_fasync(struct snd_fasync *fasync, int signal, int poll)
+ {
+- if (!fasync || !fasync->on)
++ if (!fasync)
+ return;
+ guard(spinlock_irqsave)(&snd_fasync_lock);
++ if (!fasync->on)
++ return;
+ fasync->signal = signal;
+ fasync->poll = poll;
+ list_move(&fasync->list, &snd_fasync_list);
+@@ -163,8 +165,10 @@ void snd_fasync_free(struct snd_fasync *
+ if (!fasync)
+ return;
+
+- scoped_guard(spinlock_irq, &snd_fasync_lock)
++ scoped_guard(spinlock_irq, &snd_fasync_lock) {
++ fasync->on = 0;
+ list_del_init(&fasync->list);
++ }
+
+ flush_work(&snd_fasync_work);
+ kfree(fasync);
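Review bot: The new `fasync->on = 0;` inside the scoped_guard carries no comment, and the ordering it relies on (clear the flag under snd_fasync_lock before list_del_init, so a sender that takes the lock afterwards sees the entry disabled instead of re-linking it onto snd_fasync_list) is only explained in the commit message. I would add above it `/* Disable under the lock before unlinking so snd_kill_fasync() cannot requeue this entry once teardown has started */`. The matching locked check in snd_kill_fasync() is in the previous hunk; snd_fasync_free()'s closing brace is outside this one.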
--- /dev/null
+From 0749daa8eb5ab90334aaad3b0671efd7150d43b1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?= <cassiogabrielcontato@gmail.com>
+Date: Sun, 3 May 2026 21:55:52 -0300
+Subject: ALSA: firewire-tascam: Do not drop unread control events
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+commit 0749daa8eb5ab90334aaad3b0671efd7150d43b1 upstream.
+
+tscm_hwdep_read_queue() copies as many queued control events as fit in
+the userspace buffer. When the buffer is smaller than the current
+contiguous queue segment, length is rounded down to the number of bytes
+that can be copied.
+
+However, after copying that shortened length, the code advances pull_pos
+to the original tail_pos, marking the whole contiguous segment as
+consumed. Any events between the copied portion and tail_pos are lost.
+
+Limit tail_pos to the position after the entries actually copied before
+updating pull_pos. When the whole segment fits, this is equivalent to the
+old tail_pos update; when the buffer is smaller, the remaining events
+stay queued for the next read.
+
+Fixes: a8c0d13267a4 ("ALSA: firewire-tascam: notify events of change of state for userspace applications")
+Cc: stable@vger.kernel.org
+Suggested-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Co-developed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20260503-alsa-firewire-tascam-read-queue-v2-1-126c6efd7642@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/firewire/tascam/tascam-hwdep.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/firewire/tascam/tascam-hwdep.c
++++ b/sound/firewire/tascam/tascam-hwdep.c
+@@ -73,6 +73,7 @@ static long tscm_hwdep_read_queue(struct
+ length = rounddown(remained, sizeof(*entries));
+ if (length == 0)
+ break;
++ tail_pos = head_pos + length / sizeof(*entries);
+
+ spin_unlock_irq(&tscm->lock);
+ if (copy_to_user(pos, &entries[head_pos], length))
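Review bot: The added `tail_pos = head_pos + length / sizeof(*entries);` changes what tail_pos means — from "end of the contiguous segment" to "end of the portion that fits in the user buffer" — and nothing at the assignment says so, while the pull_pos update that depends on it sits outside the hunk. I would add above it `/* Consume only the entries that fit in the user buffer; the rest stay queued for the next read. */`. Since the lock is dropped on the next line before copy_to_user(), the recomputed tail_pos is the value that must be used for pull_pos afterwards, which appears to be the intent. tscm_hwdep_read_queue() continues on both sides of this hunk.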
--- /dev/null
+From 0faacc0841d66f3cf51989c10a83f3a82d52ff2c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?= <cassiogabrielcontato@gmail.com>
+Date: Thu, 23 Apr 2026 10:11:31 -0300
+Subject: ALSA: hda: cs35l56: Propagate ASP TX source control errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+commit 0faacc0841d66f3cf51989c10a83f3a82d52ff2c upstream.
+
+cs35l56_hda_mixer_get() ignores regmap_read() and
+cs35l56_hda_mixer_put() ignores regmap_update_bits_check().
+
+This makes the ASP TX source controls report success when a regmap
+access fails. The write path returns no change instead of an error,
+and the read path continues after a failed read instead of aborting
+the control callback.
+
+Propagate the regmap errors, matching the posture and volume controls
+in this driver.
+
+Fixes: 73cfbfa9caea ("ALSA: hda/cs35l56: Add driver for Cirrus Logic CS35L56 amplifier")
+Cc: stable@vger.kernel.org
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Reviewed-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20260423-alsa-cs35l56-asp-tx-source-errors-v1-1-17ea7c62ec31@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/codecs/side-codecs/cs35l56_hda.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/sound/hda/codecs/side-codecs/cs35l56_hda.c
++++ b/sound/hda/codecs/side-codecs/cs35l56_hda.c
+@@ -180,11 +180,15 @@ static int cs35l56_hda_mixer_get(struct
+ {
+ struct cs35l56_hda *cs35l56 = snd_kcontrol_chip(kcontrol);
+ unsigned int reg_val;
+- int i;
++ int i, ret;
+
+ cs35l56_hda_wait_dsp_ready(cs35l56);
+
+- regmap_read(cs35l56->base.regmap, kcontrol->private_value, ®_val);
++ ret = regmap_read(cs35l56->base.regmap, kcontrol->private_value,
++ ®_val);
++ if (ret)
++ return ret;
++
+ reg_val &= CS35L56_ASP_TXn_SRC_MASK;
+
+ for (i = 0; i < CS35L56_NUM_INPUT_SRC; ++i) {
+@@ -203,15 +207,20 @@ static int cs35l56_hda_mixer_put(struct
+ struct cs35l56_hda *cs35l56 = snd_kcontrol_chip(kcontrol);
+ unsigned int item = ucontrol->value.enumerated.item[0];
+ bool changed;
++ int ret;
+
+ if (item >= CS35L56_NUM_INPUT_SRC)
+ return -EINVAL;
+
+ cs35l56_hda_wait_dsp_ready(cs35l56);
+
+- regmap_update_bits_check(cs35l56->base.regmap, kcontrol->private_value,
+- CS35L56_INPUT_MASK, cs35l56_tx_input_values[item],
+- &changed);
++ ret = regmap_update_bits_check(cs35l56->base.regmap,
++ kcontrol->private_value,
++ CS35L56_INPUT_MASK,
++ cs35l56_tx_input_values[item],
++ &changed);
++ if (ret)
++ return ret;
+
+ return changed;
+ }
--- /dev/null
+From 92a8b5e2eff6920bf815cd6a80b088ec3fdf01a3 Mon Sep 17 00:00:00 2001
+From: Yuriy Padlyak <yuriypadlyak@gmail.com>
+Date: Thu, 30 Apr 2026 01:09:03 +0300
+Subject: ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi Laptop Pro 15
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yuriy Padlyak <yuriypadlyak@gmail.com>
+
+commit 92a8b5e2eff6920bf815cd6a80b088ec3fdf01a3 upstream.
+
+The Xiaomi Mi Laptop Pro 15 (TM1905, subsystem 1d72:1905) ships with the
+Realtek ALC256 codec on Intel Comet Lake PCH-LP. After S3 resume the
+codec sets coefficient register 0x10 to 0x0220 instead of 0x0020 — bit 9
+is erroneously set, which silences the internal speaker. Bluetooth and
+HDMI audio are unaffected because they use different paths.
+
+This is the same mechanism fixed for Clevo NJ51CU by commit edca7cc4b0ac
+("ALSA: hda/realtek: Fix quirk for Clevo NJ51CU"), but the existing
+ALC256_FIXUP_MIC_NO_PRESENCE_AND_RESUME also reconfigures pin 0x19 as a
+front mic, which is wrong for this Xiaomi where pin 0x19 default is
+0x411111f0 (disabled). Add a minimal fixup that only clears the stuck
+coef bit, and add the Xiaomi SSID to the quirk table.
+
+Verified by reading coef 0x10 with hda-verb after resume (returns
+0x0220), writing 0x0020, and confirming the internal speaker resumes
+output. With this fixup applied the bit is cleared on every codec init,
+including post-resume.
+
+Signed-off-by: Yuriy Padlyak <yuriypadlyak@gmail.com>
+Cc: <stable@vger.kernel.org>
+Tested-by: Yuriy Padlyak <yuriypadlyak@gmail.com>
+Link: https://patch.msgid.link/20260429220903.14918-1-yuriypadlyak@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -3397,6 +3397,19 @@ static void alc256_fixup_mic_no_presence
+ }
+ }
+
++static void alc256_fixup_xiaomi_pro15_resume(struct hda_codec *codec,
++ const struct hda_fixup *fix,
++ int action)
++{
++ /*
++ * On the Xiaomi Mi Laptop Pro 15 (TM1905, SSID 1d72:1905) the ALC256
++ * codec sets coefficient 0x10 bit 9 to 1 after S3 resume, silencing
++ * the internal speaker. Bluetooth and HDMI audio are unaffected.
++ * Clear the bit so the speaker keeps working across suspend cycles.
++ */
++ alc_update_coef_idx(codec, 0x10, 1<<9, 0);
++}
++
+ static void alc256_decrease_headphone_amp_val(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
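Review bot: alc256_fixup_xiaomi_pro15_resume() ignores its `action` argument, so `alc_update_coef_idx(codec, 0x10, 1<<9, 0)` runs at every fixup stage (pre-probe, probe, init, build and free), not only on codec init/resume as the commit message describes. Gating it with `if (action == HDA_FIXUP_ACT_INIT)` limits the coef write to the stage that is re-run on resume; if the bit also needs clearing before probing, add HDA_FIXUP_ACT_PRE_PROBE explicitly rather than relying on the unconditional call. If running at every stage is deliberate, the block comment should say so, since the free path in particular is not an obvious place to touch a coef register.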
+@@ -4054,6 +4067,7 @@ enum {
+ ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE,
+ ALC233_FIXUP_NO_AUDIO_JACK,
+ ALC256_FIXUP_MIC_NO_PRESENCE_AND_RESUME,
++ ALC256_FIXUP_XIAOMI_PRO15_RESUME,
+ ALC285_FIXUP_LEGION_Y9000X_SPEAKERS,
+ ALC285_FIXUP_LEGION_Y9000X_AUTOMUTE,
+ ALC287_FIXUP_LEGION_16ACHG6,
+@@ -6241,6 +6255,10 @@ static const struct hda_fixup alc269_fix
+ .chained = true,
+ .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC
+ },
++ [ALC256_FIXUP_XIAOMI_PRO15_RESUME] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc256_fixup_xiaomi_pro15_resume,
++ },
+ [ALC287_FIXUP_LEGION_16ACHG6] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc287_fixup_legion_16achg6_speakers,
+@@ -7751,6 +7769,7 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x1d72, 0x1602, "RedmiBook", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1d72, 0x1701, "XiaomiNotebook Pro", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC),
++ SND_PCI_QUIRK(0x1d72, 0x1905, "Xiaomi Mi Laptop Pro 15", ALC256_FIXUP_XIAOMI_PRO15_RESUME),
+ SND_PCI_QUIRK(0x1d72, 0x1945, "Redmi G", ALC256_FIXUP_ASUS_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1d72, 0x1947, "RedmiBook Air", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1e39, 0xca14, "MEDION NM14LNL", ALC233_FIXUP_MEDION_MTL_SPK),
--- /dev/null
+From 901ac0ff15edf9503162e2cf6579bd11a30f1ed4 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 24 Apr 2026 13:21:55 +0200
+Subject: ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 901ac0ff15edf9503162e2cf6579bd11a30f1ed4 upstream.
+
+Currently the runtime.oss.trigger field may be accessed concurrently
+without protection, which may lead to the data race. And, in this
+case, it may lead to more severe problem because it's a bit field; as
+writing the data, it may overwrite other bit fields as well, which
+confuses the operation completely, as spotted by fuzzing.
+
+Fix it by covering runtime.oss.trigger bit fled also with the existing
+params_lock mutex in both snd_pcm_oss_get_trigger() and
+snd_pcm_oss_poll().
+
+Reported-and-tested-by: Jaeyoung Chung <jjy600901@snu.ac.kr>
+Closes: https://lore.kernel.org/20260423145330.210035-1-jjy600901@snu.ac.kr
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20260424112205.123703-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/oss/pcm_oss.c | 29 +++++++++++++++++++++++------
+ 1 file changed, 23 insertions(+), 6 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -2149,10 +2149,16 @@ static int snd_pcm_oss_get_trigger(struc
+
+ psubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_PLAYBACK];
+ csubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE];
+- if (psubstream && psubstream->runtime && psubstream->runtime->oss.trigger)
+- result |= PCM_ENABLE_OUTPUT;
+- if (csubstream && csubstream->runtime && csubstream->runtime->oss.trigger)
+- result |= PCM_ENABLE_INPUT;
++ if (psubstream && psubstream->runtime) {
++ guard(mutex)(&psubstream->runtime->oss.params_lock);
++ if (psubstream->runtime->oss.trigger)
++ result |= PCM_ENABLE_OUTPUT;
++ }
++ if (csubstream && csubstream->runtime) {
++ guard(mutex)(&csubstream->runtime->oss.params_lock);
++ if (csubstream->runtime->oss.trigger)
++ result |= PCM_ENABLE_INPUT;
++ }
+ return result;
+ }
+
+@@ -2826,6 +2832,17 @@ static int snd_pcm_oss_capture_ready(str
+ runtime->oss.period_frames;
+ }
+
++static bool need_input_retrigger(struct snd_pcm_runtime *runtime)
++{
++ bool ret;
++
++ guard(mutex)(&runtime->oss.params_lock);
++ ret = runtime->oss.trigger;
++ if (ret)
++ runtime->oss.trigger = 0;
++ return ret;
++}
++
+ static __poll_t snd_pcm_oss_poll(struct file *file, poll_table * wait)
+ {
+ struct snd_pcm_oss_file *pcm_oss_file;
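Review bot: need_input_retrigger() has a side effect its name hides — it clears runtime->oss.trigger — and has no comment, so a later caller could mistake it for a read-only query. I would add above it `/* Test-and-clear runtime->oss.trigger under params_lock; returns the previous value. The caller re-arms capture via snd_pcm_oss_set_trigger() outside the lock. */`. The test and the clear are now atomic with respect to snd_pcm_oss_get_trigger(), which is the point of the change. snd_pcm_oss_poll() starts in this hunk and continues outside it.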
+@@ -2858,11 +2875,11 @@ static __poll_t snd_pcm_oss_poll(struct
+ snd_pcm_oss_capture_ready(csubstream))
+ mask |= EPOLLIN | EPOLLRDNORM;
+ }
+- if (ostate != SNDRV_PCM_STATE_RUNNING && runtime->oss.trigger) {
++ if (ostate != SNDRV_PCM_STATE_RUNNING &&
++ need_input_retrigger(runtime)) {
+ struct snd_pcm_oss_file ofile;
+ memset(&ofile, 0, sizeof(ofile));
+ ofile.streams[SNDRV_PCM_STREAM_CAPTURE] = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE];
+- runtime->oss.trigger = 0;
+ snd_pcm_oss_set_trigger(&ofile, PCM_ENABLE_INPUT);
+ }
+ }
--- /dev/null
+From 92429ca999db99febced82f23362a71b2ba4c1d8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?= <cassiogabrielcontato@gmail.com>
+Date: Wed, 6 May 2026 00:15:48 -0300
+Subject: ALSA: seq: Fix UMP group 16 filtering
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+commit 92429ca999db99febced82f23362a71b2ba4c1d8 upstream.
+
+The sequencer UAPI defines group_filter as an unsigned int bitmap.
+Bit 0 filters groupless messages and bits 1-16 filter UMP groups 1-16.
+
+The internal snd_seq_client storage is only unsigned short, so bit 16
+is truncated when userspace sets the filter. The same truncation affects
+the automatic UMP client filter used to avoid delivery to inactive
+groups, so events for group 16 cannot be filtered.
+
+Store the internal bitmap as unsigned int and keep both userspace-provided
+and automatically generated values limited to the defined UAPI bits.
+
+Fixes: d2b706077792 ("ALSA: seq: Add UMP group filter")
+Cc: stable@vger.kernel.org
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Link: https://patch.msgid.link/20260506-alsa-seq-ump-group16-filter-v1-1-b75160bf6993@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/seq/seq_clientmgr.c | 2 +-
+ sound/core/seq/seq_clientmgr.h | 5 ++++-
+ sound/core/seq/seq_ump_client.c | 2 +-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1253,7 +1253,7 @@ static int snd_seq_ioctl_set_client_info
+ if (client->user_pversion >= SNDRV_PROTOCOL_VERSION(1, 0, 3))
+ client->midi_version = client_info->midi_version;
+ memcpy(client->event_filter, client_info->event_filter, 32);
+- client->group_filter = client_info->group_filter;
++ client->group_filter = client_info->group_filter & SND_SEQ_GROUP_FILTER_MASK;
+
+ /* notify the change */
+ snd_seq_system_client_ev_client_change(client->number);
+--- a/sound/core/seq/seq_clientmgr.h
++++ b/sound/core/seq/seq_clientmgr.h
+@@ -14,6 +14,9 @@
+
+ /* client manager */
+
++#define SND_SEQ_GROUP_FILTER_MASK GENMASK(SNDRV_UMP_MAX_GROUPS, 0)
++#define SND_SEQ_GROUP_FILTER_GROUPS GENMASK(SNDRV_UMP_MAX_GROUPS, 1)
++
+ struct snd_seq_user_client {
+ struct file *file; /* file struct of client */
+ /* ... */
+@@ -40,7 +43,7 @@ struct snd_seq_client {
+ int number; /* client number */
+ unsigned int filter; /* filter flags */
+ DECLARE_BITMAP(event_filter, 256);
+- unsigned short group_filter;
++ unsigned int group_filter;
+ snd_use_lock_t use_lock;
+ int event_lost;
+ /* ports */
+--- a/sound/core/seq/seq_ump_client.c
++++ b/sound/core/seq/seq_ump_client.c
+@@ -369,7 +369,7 @@ static void setup_client_group_filter(st
+ cptr = snd_seq_kernel_client_get(client->seq_client);
+ if (!cptr)
+ return;
+- filter = ~(1U << 0); /* always allow groupless messages */
++ filter = SND_SEQ_GROUP_FILTER_GROUPS; /* always allow groupless messages */
+ for (p = 0; p < SNDRV_UMP_MAX_GROUPS; p++) {
+ if (client->ump->groups[p].active)
+ filter &= ~(1U << (p + 1));
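Review bot: The comment on `filter = SND_SEQ_GROUP_FILTER_GROUPS;` still reads "always allow groupless messages", which described the old `~(1U << 0)`; with the macro the line now means "block every group, leave bit 0 (groupless) clear", so the comment should say that, e.g. `/* block all groups; bit 0 (groupless) stays allowed */`. Two things to verify outside the hunk: `filter` in setup_client_group_filter() must be at least unsigned int, otherwise bit 16 is still truncated before it reaches the client's group_filter — the same truncation class this commit fixes in struct snd_seq_client; and seq_clientmgr.h now uses GENMASK(), so it needs linux/bits.h directly or via an existing include, which the header hunk does not show.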
--- /dev/null
+From 6e7247d8f5fefeceb0bb9cc80a5388a636b219cd Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 27 Apr 2026 17:22:15 +0200
+Subject: ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6e7247d8f5fefeceb0bb9cc80a5388a636b219cd upstream.
+
+The convert_chmap_v3() has a loop with its increment size of
+cs_desc->wLength, but we forgot to validate cs_desc->wLength itself,
+which may lead to potential endless loop by a malformed descriptor.
+
+Add a proper size check to abort the loop for plugging the hole.
+
+Fixes: ecfd41166b72 ("ALSA: usb-audio: Validate UAC3 cluster segment descriptors")
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20260427152224.15276-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/stream.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -352,6 +352,8 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
+ if (len < sizeof(*cs_desc))
+ break;
+ cs_len = le16_to_cpu(cs_desc->wLength);
++ if (cs_len < sizeof(*cs_desc))
++ break;
+ if (len < cs_len)
+ break;
+ cs_type = cs_desc->bSegmentType;
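Review bot: The new `if (cs_len < sizeof(*cs_desc)) break;` has no comment, and its purpose — a wLength shorter than the segment header would never advance the loop cursor past the header — is only stated in the commit message. I would annotate it `/* wLength must cover at least the segment header, or the loop cannot make progress */`. The loop increment and the rest of convert_chmap_v3() are outside the hunk, so I could not confirm that every path steps by cs_len; if any path uses a different step, the same lower bound applies there.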
--- /dev/null
+From 26265dd69da32d88a88d21987853cec899d9e21f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?= <cassiogabrielcontato@gmail.com>
+Date: Fri, 24 Apr 2026 18:50:10 -0300
+Subject: ALSA: usb-audio: Fix UAC3 cluster descriptor size check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+commit 26265dd69da32d88a88d21987853cec899d9e21f upstream.
+
+The UAC3 cluster descriptor length check in
+snd_usb_get_audioformat_uac3()was added to
+make sure that the buffer is large enough for
+a struct uac3_cluster_header_descriptor before the
+returned data is cast and used.
+
+However, the check uses sizeof(cluster), where cluster
+is a pointer, not the size of the descriptor header.
+This makes the validation depend on the architecture
+pointer size and does not match the intended object size.
+
+Check against sizeof(*cluster) instead.
+
+Fixes: fb4e2a6e8f28 ("ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Link: https://patch.msgid.link/20260424-alsa-usb-uac3-cluster-size-v1-1-99a5808898a3@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -997,7 +997,7 @@ snd_usb_get_audioformat_uac3(struct snd_
+ * and request Cluster Descriptor
+ */
+ wLength = le16_to_cpu(hc_header.wLength);
+- if (wLength < sizeof(cluster))
++ if (wLength < sizeof(*cluster))
+ return NULL;
+ cluster = kzalloc(wLength, GFP_KERNEL);
+ if (!cluster)
--- /dev/null
+From f3c57c9c2a49a21d784b7c04a2c883bffc070659 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?= <cassiogabrielcontato@gmail.com>
+Date: Mon, 4 May 2026 11:08:45 -0300
+Subject: ALSA: usb-audio: midi2: Restart output URBs on resume
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+commit f3c57c9c2a49a21d784b7c04a2c883bffc070659 upstream.
+
+USB MIDI 2.0 suspend saves the endpoint running state, clears it and
+kills all endpoint URBs. Resume restores the running state, but only
+restarts input endpoints.
+
+For a running output endpoint, this leaves the endpoint marked running
+with an empty URB queue. Output transfer progress depends on either the
+rawmidi trigger path starting the queue or an output completion refilling
+it. After suspend there is no completion left, and output data that
+remains queued in the raw UMP or legacy rawmidi buffer can stay stalled
+until userspace happens to trigger the stream again.
+
+Restore the saved state with atomic accessors, keep input endpoints
+restarted as before, and restart output endpoints that were running before
+suspend. Clear the saved suspend state after restoring it.
+
+Fixes: ff49d1df79ae ("ALSA: usb-audio: USB MIDI 2.0 UMP support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Link: https://patch.msgid.link/20260504-usb-midi2-output-resume-v1-1-c089cc8ad3c6@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/midi2.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/sound/usb/midi2.c
++++ b/sound/usb/midi2.c
+@@ -227,7 +227,7 @@ static void kill_midi_urbs(struct snd_us
+ if (!ep)
+ return;
+ if (suspending)
+- ep->suspended = ep->running;
++ atomic_set(&ep->suspended, atomic_read(&ep->running));
+ atomic_set(&ep->running, 0);
+ for (i = 0; i < ep->num_urbs; i++) {
+ if (!ep->urbs[i].urb)
+@@ -1190,10 +1190,11 @@ void snd_usb_midi_v2_suspend_all(struct
+
+ static void resume_midi2_endpoint(struct snd_usb_midi2_endpoint *ep)
+ {
+- ep->running = ep->suspended;
+- if (ep->direction == STR_IN)
++ atomic_set(&ep->running, atomic_read(&ep->suspended));
++ atomic_set(&ep->suspended, 0);
++
++ if (ep->direction == STR_IN || atomic_read(&ep->running))
+ submit_io_urbs(ep);
+- /* FIXME: does it all? */
+ }
+
+ void snd_usb_midi_v2_resume_all(struct snd_usb_audio *chip)
--- /dev/null
+From c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Mon, 11 May 2026 08:55:11 -0700
+Subject: exit: prevent preemption of oopsing TASK_DEAD task
+
+From: Jann Horn <jannh@google.com>
+
+commit c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891 upstream.
+
+When an already-exiting task oopses, make_task_dead() currently calls
+do_task_dead() with preemption enabled. That is forbidden:
+do_task_dead() calls __schedule(), which has a comment saying "WARNING:
+must be called with preemption disabled!".
+
+If an oopsing task is preempted in do_task_dead(), between becoming
+TASK_DEAD and entering the scheduler explicitly, bad things happen:
+finish_task_switch() assumes that once the scheduler has switched away
+from a TASK_DEAD task, the task can never run again and its stack is no
+longer needed; but that assumption apparently doesn't hold if the dead
+task was preempted (the SM_PREEMPT case).
+
+This means that the scheduler ends up repeatedly dropping references on
+the dead task's stack, which can lead to use-after-free or double-free
+of the entire task stack; in other words, two tasks can end up running
+on the same stack, resulting in various kinds of memory corruption.
+
+(This does not just affect "recursively oopsing" tasks; it is enough to
+oops once during task exit, for example in a file_operations::release
+handler)
+
+Fixes: 7f80a2fd7db9 ("exit: Stop poorly open coding do_task_dead in make_task_dead")
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/exit.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1074,6 +1074,7 @@ void __noreturn make_task_dead(int signr
+ futex_exit_recursive(tsk);
+ tsk->exit_state = EXIT_DEAD;
+ refcount_inc(&tsk->rcu_users);
++ preempt_disable();
+ do_task_dead();
+ }
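Review bot: The added `preempt_disable();` carries no comment saying it is required for correctness rather than a latency tweak, so a future cleanup could drop it without seeing the use-after-free it prevents. I would annotate it `/* do_task_dead() enters __schedule(), which must be called with preemption disabled */`. make_task_dead() begins outside this hunk.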
+
flow_dissector-do-not-dissect-pppoe-pfc-frames.patch
smb-client-smbdirect-fix-mr-registration-for-coalesc.patch
net-sched-sch_red-replace-direct-dequeue-call-with-peek-and-qdisc_dequeue_peeked.patch
+exit-prevent-preemption-of-oopsing-task_dead-task.patch
+wifi-mt76-mt7925-fix-ampdu-state-handling-in-mt7925_tx_check_aggr.patch
+wifi-mt76-mt7925-fix-incorrect-length-field-in-txpower-command.patch
+wifi-mt76-mt7921-fix-a-potential-clc-buffer-length-underflow.patch
+wifi-mt76-mt7921-fix-roc-abort-flow-interruption-in-mt7921_roc_work.patch
+wifi-b43legacy-enforce-bounds-check-on-firmware-key-index-in-rx-path.patch
+wifi-mac80211-drop-stray-static-from-fast-rx-rx_result.patch
+wifi-rsi-fix-kthread-lifetime-race-between-self-exit-and-external-stop.patch
+wifi-mac80211-use-safe-list-iteration-in-radar-detect-work.patch
+wifi-ath5k-do-not-access-array-oob.patch
+wifi-mac80211-remove-station-if-connection-prep-fails.patch
+wifi-b43-enforce-bounds-check-on-firmware-key-index-in-b43_rx.patch
+wifi-brcmfmac-fix-potential-use-after-free-issue-when-stopping-watchdog-task.patch
+usb-usblp-fix-heap-leak-in-ieee-1284-device-id-via-short-response.patch
+usb-usblp-fix-uninitialized-heap-leak-via-lpgetstatus-ioctl.patch
+alsa-usb-audio-midi2-restart-output-urbs-on-resume.patch
+alsa-usb-audio-avoid-potential-endless-loop-in-convert_chmap_v3.patch
+alsa-usb-audio-fix-uac3-cluster-descriptor-size-check.patch
+usb-dwc3-move-guid-programming-after-phy-initialization.patch
+usb-typec-tcpm-reset-internal-port-states-on-soft-reset-ams.patch
+usb-omap_udc-dma-don-t-enable-burst-4-mode.patch
+usb-serial-option-add-telit-cinterion-le910cx-compositions.patch
+usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch
+usb-typec-tcpm-fix-debug-accessory-mode-detection-for-sink-ports.patch
+alsa-hda-cs35l56-propagate-asp-tx-source-control-errors.patch
+alsa-pcm-oss-fix-data-race-at-accessing-runtime.oss.trigger.patch
+alsa-hda-realtek-fix-speaker-silence-after-s3-resume-on-xiaomi-mi-laptop-pro-15.patch
+alsa-firewire-tascam-do-not-drop-unread-control-events.patch
+alsa-core-serialize-deferred-fasync-state-checks.patch
+alsa-seq-fix-ump-group-16-filtering.patch
--- /dev/null
+From aad35f9c926ec220b0742af1ada45666ae667956 Mon Sep 17 00:00:00 2001
+From: Selvarasu Ganesan <selvarasu.g@samsung.com>
+Date: Fri, 17 Apr 2026 12:03:11 +0530
+Subject: usb: dwc3: Move GUID programming after PHY initialization
+
+From: Selvarasu Ganesan <selvarasu.g@samsung.com>
+
+commit aad35f9c926ec220b0742af1ada45666ae667956 upstream.
+
+The Linux Version Code is currently written to the GUID register before
+PHY initialization. Certain PHY implementations (such as Synopsys eUSB
+PHY performing link_sw_reset) clear the GUID register to its default
+value during initialization, causing the kernel version information to
+be lost.
+
+Move the GUID register programming to occur after PHY initialization
+completes to ensure the Linux version information persists.
+
+Fixes: fa0ea13e9f1c ("usb: dwc3: core: write LINUX_VERSION_CODE to our GUID register")
+Cc: stable <stable@kernel.org>
+Reported-by: Pritam Manohar Sutar <pritam.sutar@samsung.com>
+Signed-off-by: Selvarasu Ganesan <selvarasu.g@samsung.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://patch.msgid.link/20260417063314.2359-1-selvarasu.g@samsung.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1341,12 +1341,6 @@ int dwc3_core_init(struct dwc3 *dwc)
+
+ hw_mode = DWC3_GHWPARAMS0_MODE(dwc->hwparams.hwparams0);
+
+- /*
+- * Write Linux Version Code to our GUID register so it's easy to figure
+- * out which kernel version a bug was found.
+- */
+- dwc3_writel(dwc, DWC3_GUID, LINUX_VERSION_CODE);
+-
+ ret = dwc3_phy_setup(dwc);
+ if (ret)
+ return ret;
+@@ -1378,6 +1372,12 @@ int dwc3_core_init(struct dwc3 *dwc)
+ if (ret)
+ goto err_exit_phy;
+
++ /*
++ * Write Linux Version Code to our GUID register so it's easy to figure
++ * out which kernel version a bug was found.
++ */
++ dwc3_writel(dwc, DWC3_GUID, LINUX_VERSION_CODE);
++
+ dwc3_core_setup_global_control(dwc);
+ dwc3_core_num_eps(dwc);
+
--- /dev/null
+From 3f91484f6c13c434bd573ca6b6779c26adb0ddab Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Mon, 13 Apr 2026 21:49:12 +0300
+Subject: USB: omap_udc: DMA: Don't enable burst 4 mode
+
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+
+commit 3f91484f6c13c434bd573ca6b6779c26adb0ddab upstream.
+
+Commit 65111084c63d7 ("USB: more omap_udc updates (dma and omap1710)")
+added setting for DMA burst 4 mode. But I think this should be undone for
+two reasons:
+
+- It breaks DMA on 15xx boards - transfers just silently stall.
+
+- On newer OMAP1 boards, like Nokia 770 (omap1710), there is no measurable
+performance impact when testing TCP throughput with g_ether with large
+15000 byte MTU size.
+
+It's also worth noting that when the original change was made, the
+OMAP_DMA_DATA_BURST_4 handling in arch/arm/plat-omap/dma.c was broken, and
+actually resulted in the same as the OMAP_DMA_DATA_BURST_DIS i.e. burst
+disabled. This was fixed not until a couple kernel releases later in an
+unrelated commit 1a8bfa1eb998a ("[ARM] 3142/1: OMAP 2/5: Update files
+common to omap1 and omap2").
+
+So based on this it seems there was never really a very good reason to
+enable this burst mode in omap_udc, so remove it now to allow 15xx DMA
+to work again (it provides 2x throughput compared to PIO mode).
+
+Fixes: 65111084c63d ("[PATCH] USB: more omap_udc updates (dma and omap1710)")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Link: https://patch.msgid.link/ad06qHLclWHeSGnV@darkstar.musicnaut.iki.fi
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/omap_udc.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -733,8 +733,6 @@ static void dma_channel_claim(struct oma
+ if (status == 0) {
+ omap_writew(reg, UDC_TXDMA_CFG);
+ /* EMIFF or SDRC */
+- omap_set_dma_src_burst_mode(ep->lch,
+- OMAP_DMA_DATA_BURST_4);
+ omap_set_dma_src_data_pack(ep->lch, 1);
+ /* TIPB */
+ omap_set_dma_dest_params(ep->lch,
+@@ -756,8 +754,6 @@ static void dma_channel_claim(struct oma
+ UDC_DATA_DMA,
+ 0, 0);
+ /* EMIFF or SDRC */
+- omap_set_dma_dest_burst_mode(ep->lch,
+- OMAP_DMA_DATA_BURST_4);
+ omap_set_dma_dest_data_pack(ep->lch, 1);
+ }
+ }
--- /dev/null
+From 100201d349edd226ca3470c894c92dccc67ee7a8 Mon Sep 17 00:00:00 2001
+From: Fabio Porcedda <fabio.porcedda@gmail.com>
+Date: Mon, 27 Apr 2026 11:17:46 +0200
+Subject: USB: serial: option: add Telit Cinterion LE910Cx compositions
+
+From: Fabio Porcedda <fabio.porcedda@gmail.com>
+
+commit 100201d349edd226ca3470c894c92dccc67ee7a8 upstream.
+
+Add the following Telit Cinterion LE910Cx compositions:
+
+0x1251: RNDIS + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP)
+T: Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=108 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1bc7 ProdID=1251 Rev=03.18
+S: Manufacturer=Android
+S: Product=LE910C1-EU
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=02 Prot=ff Driver=rndis_host
+E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+
+0x1253: ECM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP)
+T: Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=121 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1bc7 ProdID=1253 Rev=03.18
+S: Manufacturer=Android
+S: Product=LE910C1-EU
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
+E: Ad=82(I) Atr=03(Int.) MxPS= 16 Ivl=32ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+
+0x1254: tty (AT) + tty (AT)
+T: Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=122 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1bc7 ProdID=1254 Rev=03.18
+S: Manufacturer=Android
+S: Product=LE910C1-EU
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+
+0x1255: tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP)
+T: Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=123 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1bc7 ProdID=1255 Rev=03.18
+S: Manufacturer=Android
+S: Product=LE910C1-EU
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1513,7 +1513,11 @@ static const struct usb_device_id option
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1231, 0xff), /* Telit LE910Cx (RNDIS) */
+ .driver_info = NCTRL(2) | RSVD(3) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x1250, 0xff, 0x00, 0x00) }, /* Telit LE910Cx (rmnet) */
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1251, 0xff) }, /* Telit LE910Cx (RNDIS) */
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1252, 0xff) }, /* Telit LE910Cx (MBIM) */
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1253, 0xff) }, /* Telit LE910Cx (ECM) */
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1254, 0xff) }, /* Telit LE910Cx */
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1255, 0xff) }, /* Telit LE910Cx */
+ { USB_DEVICE(TELIT_VENDOR_ID, 0x1260),
+ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
+ { USB_DEVICE(TELIT_VENDOR_ID, 0x1261),
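Review bot: The 0x1254 and 0x1255 entries carry only `/* Telit LE910Cx */` while the neighbouring entries name the composition the id belongs to; the description gives them as `tty (AT) + tty (AT)` and `tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP)`, so `/* Telit LE910Cx (2x tty) */` and `/* Telit LE910Cx (4x tty) */` would let a reader match the lsusb dumps to the table without the commit log. The RNDIS and ECM compositions presumably leave interfaces 0/1 (Cls=02/0a in the dumps) to rndis_host/cdc_ether only because the match is restricted to interface class 0xff, which is consistent with the existing 0x1231/0x1252 entries. The option_ids table starts and ends outside the hunk.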
--- /dev/null
+From f6ec9bb4acc7182b25a793ad094a764e1cb819a7 Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Fri, 24 Apr 2026 15:40:09 +0800
+Subject: usb: typec: tcpm: fix debug accessory mode detection for sink ports
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit f6ec9bb4acc7182b25a793ad094a764e1cb819a7 upstream.
+
+The port in debug accessory mode can be either a source or sink. The
+previous tcpm_port_is_debug() function only checked for source port.
+
+Commit 8db73e6a42b6 ("usb: typec: tcpm: allow sink (ufp) to toggle into
+accessory mode debug") changed the detection logic to support both roles,
+but left some logic in _tcpm_cc_change() unchanged. This causes the state
+machine to transition to an incorrect state when operating as a sink in
+debug accessory mode. Log as below:
+
+[ 978.637541] CC1: 0 -> 5, CC2: 0 -> 5 [state TOGGLING, polarity 0, connected]
+[ 978.637567] state change TOGGLING -> SRC_ATTACH_WAIT [rev1 NONE_AMS]
+[ 978.637596] pending state change SRC_ATTACH_WAIT -> DEBUG_ACC_ATTACHED @ 180 ms [rev1 NONE_AMS]
+[ 978.647098] CC1: 5 -> 0, CC2: 5 -> 5 [state SRC_ATTACH_WAIT, polarity 0, connected]
+[ 978.647115] state change SRC_ATTACH_WAIT -> SRC_ATTACH_WAIT [rev1 NONE_AMS]
+
+It should go to SNK_ATTACH_WAIT instead of SRC_ATTACH_WAIT state.
+
+To fix this, add tcpm_port_is_debug_source() and tcpm_port_is_debug_sink()
+helper to explicitly identify the power mode in debug accessory mode.
+Update the state transition logic in _tcpm_cc_change() to ensure the state
+machine transitions comply with Type-C specification. Also update the logic
+in run_state_machine() to keep consistency.
+
+Fixes: 8db73e6a42b6 ("usb: typec: tcpm: allow sink (ufp) to toggle into accessory mode debug")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Amit Sunil Dhamne <amitsd@google.com>
+Link: https://patch.msgid.link/20260424074009.2979266-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/tcpm.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -634,9 +634,14 @@ static const char * const pd_rev[] = {
+ (tcpm_cc_is_source((port)->cc2) && \
+ !tcpm_cc_is_source((port)->cc1)))
+
++#define tcpm_port_is_debug_source(port) \
++ (tcpm_cc_is_source((port)->cc1) && tcpm_cc_is_source((port)->cc2))
++
++#define tcpm_port_is_debug_sink(port) \
++ (tcpm_cc_is_sink((port)->cc1) && tcpm_cc_is_sink((port)->cc2))
++
+ #define tcpm_port_is_debug(port) \
+- ((tcpm_cc_is_source((port)->cc1) && tcpm_cc_is_source((port)->cc2)) || \
+- (tcpm_cc_is_sink((port)->cc1) && tcpm_cc_is_sink((port)->cc2)))
++ (tcpm_port_is_debug_source(port) || tcpm_port_is_debug_sink(port))
+
+ #define tcpm_port_is_audio(port) \
+ (tcpm_cc_is_audio((port)->cc1) && tcpm_cc_is_audio((port)->cc2))
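Review bot: The two new macros are undocumented although the distinction between them now decides which ATTACH_WAIT state the port enters; a comment above them such as `/* Debug accessory: both CC pins read the same; _source when this port is the power source, _sink when it is the sink */` would make the later call sites self-explanatory. tcpm_port_is_debug() is kept, presumably for callers that still need the role-agnostic check; stating in the comment which call sites are meant to stay role-agnostic would keep the next reader from converting them as well.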
+@@ -4812,7 +4817,7 @@ static void run_state_machine(struct tcp
+ tcpm_set_state(port, SNK_UNATTACHED, PD_T_DRP_SNK);
+ break;
+ case SRC_ATTACH_WAIT:
+- if (tcpm_port_is_debug(port))
++ if (tcpm_port_is_debug_source(port))
+ tcpm_set_state(port, DEBUG_ACC_ATTACHED,
+ port->timings.cc_debounce_time);
+ else if (tcpm_port_is_audio(port))
+@@ -5070,7 +5075,7 @@ static void run_state_machine(struct tcp
+ tcpm_set_state(port, SRC_UNATTACHED, PD_T_DRP_SRC);
+ break;
+ case SNK_ATTACH_WAIT:
+- if (tcpm_port_is_debug(port))
++ if (tcpm_port_is_debug_sink(port))
+ tcpm_set_state(port, DEBUG_ACC_ATTACHED,
+ PD_T_CC_DEBOUNCE);
+ else if (tcpm_port_is_audio(port))
+@@ -5090,7 +5095,7 @@ static void run_state_machine(struct tcp
+ if (tcpm_port_is_disconnected(port))
+ tcpm_set_state(port, SNK_UNATTACHED,
+ PD_T_PD_DEBOUNCE);
+- else if (tcpm_port_is_debug(port))
++ else if (tcpm_port_is_debug_sink(port))
+ tcpm_set_state(port, DEBUG_ACC_ATTACHED,
+ PD_T_CC_DEBOUNCE);
+ else if (tcpm_port_is_audio(port))
+@@ -5963,10 +5968,10 @@ static void _tcpm_cc_change(struct tcpm_
+
+ switch (port->state) {
+ case TOGGLING:
+- if (tcpm_port_is_debug(port) || tcpm_port_is_audio(port) ||
++ if (tcpm_port_is_debug_source(port) || tcpm_port_is_audio(port) ||
+ tcpm_port_is_source(port))
+ tcpm_set_state(port, SRC_ATTACH_WAIT, 0);
+- else if (tcpm_port_is_sink(port))
++ else if (tcpm_port_is_debug_sink(port) || tcpm_port_is_sink(port))
+ tcpm_set_state(port, SNK_ATTACH_WAIT, 0);
+ break;
+ case CHECK_CONTAMINANT:
+@@ -5974,9 +5979,11 @@ static void _tcpm_cc_change(struct tcpm_
+ break;
+ case SRC_UNATTACHED:
+ case ACC_UNATTACHED:
+- if (tcpm_port_is_debug(port) || tcpm_port_is_audio(port) ||
++ if (tcpm_port_is_debug_source(port) || tcpm_port_is_audio(port) ||
+ tcpm_port_is_source(port))
+ tcpm_set_state(port, SRC_ATTACH_WAIT, 0);
++ else if (tcpm_port_is_debug_sink(port))
++ tcpm_set_state(port, SNK_ATTACH_WAIT, 0);
+ break;
+ case SRC_ATTACH_WAIT:
+ if (tcpm_port_is_disconnected(port) ||
+@@ -5998,7 +6005,7 @@ static void _tcpm_cc_change(struct tcpm_
+ }
+ break;
+ case SNK_UNATTACHED:
+- if (tcpm_port_is_debug(port) || tcpm_port_is_audio(port) ||
++ if (tcpm_port_is_debug_sink(port) || tcpm_port_is_audio(port) ||
+ tcpm_port_is_sink(port))
+ tcpm_set_state(port, SNK_ATTACH_WAIT, 0);
+ break;
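Review bot: The SRC_UNATTACHED/ACC_UNATTACHED case gains an explicit `else if (tcpm_port_is_debug_sink(port))` path to SNK_ATTACH_WAIT, but the SNK_UNATTACHED case in the last hunk has no mirror path sending a source-side debug accessory to SRC_ATTACH_WAIT, so that combination now falls through where it previously reached SNK_ATTACH_WAIT via tcpm_port_is_debug(). If this is intentional, presumably because a port that is already a sink cannot observe a source-side debug accessory, a one-line comment on the SNK_UNATTACHED case would stop the next reader from "restoring" the symmetry; if not, the mirror branch is two lines. _tcpm_cc_change() starts and ends outside the hunks.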
--- /dev/null
+From 2909f0d4994fb4306bf116df5ccee797791fce2c Mon Sep 17 00:00:00 2001
+From: Amit Sunil Dhamne <amitsd@google.com>
+Date: Tue, 14 Apr 2026 00:58:32 +0000
+Subject: usb: typec: tcpm: reset internal port states on soft reset AMS
+
+From: Amit Sunil Dhamne <amitsd@google.com>
+
+commit 2909f0d4994fb4306bf116df5ccee797791fce2c upstream.
+
+Reset internal port states (such as vdm_sm_running and
+explicit_contract) on soft reset AMS as the port needs to negotiate a
+new contract. The consequences of leaving the states as-is are as
+follows:
+ * port is in SRC power role and an explicit contract is negotiated
+ with the port partner (in sink role)
+ * port partner sends a Soft Reset AMS while VDM State Machine is
+ running
+ * port accepts the Soft Reset request and the port advertises src caps
+ * port partner sends a Request message but since the explicit_contract
+ and vdm_sm_running are true from previous negotiation, the port ends
+ up sending Soft Reset instead of Accept msg.
+
+Stub Log:
+[ 203.653942] AMS DISCOVER_IDENTITY start
+[ 203.653947] PD TX, header: 0x176f
+[ 203.655901] PD TX complete, status: 0
+[ 203.657470] PD RX, header: 0x124f [1]
+[ 203.657477] Rx VDM cmd 0xff008081 type 2 cmd 1 len 1
+[ 203.657482] AMS DISCOVER_IDENTITY finished
+[ 203.657484] cc:=4
+[ 204.155698] PD RX, header: 0x144f [1]
+[ 204.155718] Rx VDM cmd 0xeeee8001 type 0 cmd 1 len 1
+[ 204.155741] PD TX, header: 0x196f
+[ 204.157622] PD TX complete, status: 0
+[ 204.160060] PD RX, header: 0x4d [1]
+[ 204.160066] state change SRC_READY -> SOFT_RESET [rev2 SOFT_RESET_AMS]
+[ 204.160076] PD TX, header: 0x163
+[ 204.162486] PD TX complete, status: 0
+[ 204.162832] AMS SOFT_RESET_AMS finished
+[ 204.162840] cc:=4
+[ 204.162891] AMS POWER_NEGOTIATION start
+[ 204.162896] state change SOFT_RESET -> AMS_START [rev2 POWER_NEGOTIATION]
+[ 204.162908] state change AMS_START -> SRC_SEND_CAPABILITIES [rev2 POWER_NEGOTIATION]
+[ 204.162913] PD TX, header: 0x1361
+[ 204.165529] PD TX complete, status: 0
+[ 204.165571] pending state change SRC_SEND_CAPABILITIES -> SRC_SEND_CAPABILITIES_TIMEOUT @ 60 ms [rev2 POWER_NEGOTIATION]
+[ 204.166996] PD RX, header: 0x1242 [1]
+[ 204.167009] state change SRC_SEND_CAPABILITIES -> SRC_SOFT_RESET_WAIT_SNK_TX [rev2 POWER_NEGOTIATION]
+[ 204.167019] AMS POWER_NEGOTIATION finished
+[ 204.167020] cc:=4
+[ 204.167083] AMS SOFT_RESET_AMS start
+[ 204.167086] state change SRC_SOFT_RESET_WAIT_SNK_TX -> SOFT_RESET_SEND [rev2 SOFT_RESET_AMS]
+[ 204.167092] PD TX, header: 0x16d
+[ 204.168824] PD TX complete, status: 0
+[ 204.168854] pending state change SOFT_RESET_SEND -> HARD_RESET_SEND @ 60 ms [rev2 SOFT_RESET_AMS]
+[ 204.171876] PD RX, header: 0x43 [1]
+[ 204.171879] AMS SOFT_RESET_AMS finished
+
+This causes COMMON.PROC.PD.11.2 check failure for
+TEST.PD.VDM.SRC.2_Rev2Src test on the PD compliance tester.
+
+Signed-off-by: Amit Sunil Dhamne <amitsd@google.com>
+Fixes: 8d3a0578ad1a ("usb: typec: tcpm: Respond Wait if VDM state machine is running")
+Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)")
+Cc: stable <stable@kernel.org>
+Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://patch.msgid.link/20260414-fix-soft-reset-v1-1-01d7cb9764e2@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/tcpm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -5741,6 +5741,8 @@ static void run_state_machine(struct tcp
+
+ case VCONN_SWAP_ACCEPT:
+ tcpm_pd_send_control(port, PD_CTRL_ACCEPT, TCPC_TX_SOP);
++ port->vdm_sm_running = false;
++ port->explicit_contract = false;
+ tcpm_ams_finish(port);
+ tcpm_set_state(port, VCONN_SWAP_START, 0);
+ break;
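Review bot: The two new assignments land in the `case VCONN_SWAP_ACCEPT:` arm, not in the soft-reset handling that the subject and the log in the description (`SRC_READY -> SOFT_RESET`) refer to; the context lines `tcpm_pd_send_control(port, PD_CTRL_ACCEPT, TCPC_TX_SOP);` followed by `tcpm_ams_finish(port);` plausibly exist in both arms, so this looks like the hunk was applied with fuzz to the wrong case during the backport. As landed, a VCONN swap would clear explicit_contract and vdm_sm_running, which is not what the description intends and could itself change VCONN-swap behaviour, while the soft-reset AMS bug remains. Please verify against the upstream commit that the two lines belong in the `case SOFT_RESET:` arm. run_state_machine() starts and ends outside the hunk.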
--- /dev/null
+From 0b9fcab1b8608d429e5f239afb197de928d4de7d Mon Sep 17 00:00:00 2001
+From: Felix Gu <ustc.gu@gmail.com>
+Date: Tue, 7 Apr 2026 21:21:22 +0800
+Subject: usb: ulpi: fix memory leak on ulpi_register() error paths
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+commit 0b9fcab1b8608d429e5f239afb197de928d4de7d upstream.
+
+Commit 01af542392b5 ("usb: ulpi: fix double free in
+ulpi_register_interface() error path") removed kfree(ulpi) from
+ulpi_register_interface() to fix a double-free when device_register()
+fails.
+
+But when ulpi_of_register() or ulpi_read_id() fail before
+device_register() is called, the ulpi allocation is leaked.
+
+Add kfree(ulpi) on both error paths to properly clean up the allocation.
+
+Fixes: 01af542392b5 ("usb: ulpi: fix double free in ulpi_register_interface() error path")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://patch.msgid.link/20260407-ulpi-v1-1-f3fafe53f7b2@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/common/ulpi.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/common/ulpi.c
++++ b/drivers/usb/common/ulpi.c
+@@ -286,12 +286,15 @@ static int ulpi_register(struct device *
+ ACPI_COMPANION_SET(&ulpi->dev, ACPI_COMPANION(dev));
+
+ ret = ulpi_of_register(ulpi);
+- if (ret)
++ if (ret) {
++ kfree(ulpi);
+ return ret;
++ }
+
+ ret = ulpi_read_id(ulpi);
+ if (ret) {
+ of_node_put(ulpi->dev.of_node);
++ kfree(ulpi);
+ return ret;
+ }
+
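Review bot: The two error paths now each carry their own kfree(ulpi) while the second also does of_node_put(), so any further cleanup added to one path has to be mirrored by hand; a goto-unwind keeps the release order in a single place. If a device name is set on &ulpi->dev before these paths (earlier in the function, outside the hunk), the buffer it allocated is also not released by a bare kfree() of the struct, which is worth checking in the same pass. ulpi_register() starts and ends outside the hunk.
```c
	ret = ulpi_of_register(ulpi);
	if (ret)
		goto err_free;

	ret = ulpi_read_id(ulpi);
	if (ret)
		goto err_put_node;
	/* … unchanged: device_register() and the remainder of ulpi_register() … */

err_put_node:
	of_node_put(ulpi->dev.of_node);
err_free:
	kfree(ulpi);
	return ret;
```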
--- /dev/null
+From 7a400c6fe3617e31e690e3f7ca37bb335e0498f3 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 20 Apr 2026 18:11:03 +0200
+Subject: usb: usblp: fix heap leak in IEEE 1284 device ID via short response
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 7a400c6fe3617e31e690e3f7ca37bb335e0498f3 upstream.
+
+usblp_ctrl_msg() collapses the usb_control_msg() return value to
+0/-errno, discarding the actual number of bytes transferred. A broken
+printer can complete the GET_DEVICE_ID control transfer short and the
+driver has no way to know.
+
+usblp_cache_device_id_string() reads the 2-byte big-endian length prefix
+from the response and trusts it (clamped only to the buffer bounds).
+The buffer is kmalloc(1024) at probe time. A device that sends exactly
+two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves
+device_id_string[2..1022] holding stale kmalloc heap.
+
+That stale data is then exposed:
+ - via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated
+ at the first NUL in the stale heap), and
+ - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full
+ claimed length regardless of NULs, up to 1021 bytes of uninitialized
+ heap, with the leak size chosen by the device.
+
+Fix this up by just zapping the buffer with zeros before each request
+sent to the device.
+
+Cc: Pete Zaitcev <zaitcev@redhat.com>
+Assisted-by: gkh_clanker_t1000
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/2026042002-unicorn-greedily-3c63@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usblp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/class/usblp.c
++++ b/drivers/usb/class/usblp.c
+@@ -1377,6 +1377,7 @@ static int usblp_cache_device_id_string(
+ {
+ int err, length;
+
++ memset(usblp->device_id_string, 0, USBLP_DEVICE_ID_SIZE);
+ err = usblp_get_id(usblp, 0, usblp->device_id_string, USBLP_DEVICE_ID_SIZE - 1);
+ if (err < 0) {
+ dev_dbg(&usblp->intf->dev,
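Review bot: The memset has no comment explaining why a buffer that is about to be overwritten is cleared, and the reason (a short GET_DEVICE_ID reply would otherwise leave stale heap behind the 2-byte length prefix, exposed through sysfs and the ioctl) lives only in the commit log; `/* Clear first: the request below may complete short and the length prefix is device-controlled, so unwritten bytes must not be stale heap. */` keeps it with the code. Since only USBLP_DEVICE_ID_SIZE - 1 bytes are requested, the last byte is never written and the memset also guarantees a NUL terminator for the sysfs %s path, which is worth naming in the same comment. usblp_cache_device_id_string() continues outside the hunk.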
--- /dev/null
+From b38e53cbfb9d84732e5984fbd73e128d592415c5 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 20 Apr 2026 18:11:04 +0200
+Subject: usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit b38e53cbfb9d84732e5984fbd73e128d592415c5 upstream.
+
+Just like in a previous problem in this driver, usblp_ctrl_msg() will
+collapse the usb_control_msg() return value to 0/-errno, discarding the
+actual number of bytes transferred.
+
+Ideally that short command should be detected and error out, but many
+printers are known to send "incorrect" responses back so we can't just
+do that.
+
+statusbuf is kmalloc(8) at probe time and never filled before the first
+LPGETSTATUS ioctl.
+
+usblp_read_status() requests 1 byte. If a malicious printer responds
+with zero bytes, *statusbuf is one byte of stale kmalloc heap,
+sign-extended into the local int status, which the LPGETSTATUS path then
+copy_to_user()s directly to the ioctl caller.
+
+Fix this all by just zapping out the memory buffer when allocated at
+probe time. If a later call does a short read, the data will be
+identical to what the device sent it the last time, so there is no
+"leak" of information happening.
+
+Cc: Pete Zaitcev <zaitcev@redhat.com>
+Assisted-by: gkh_clanker_t1000
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/2026042011-shredder-savage-48c6@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usblp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/class/usblp.c
++++ b/drivers/usb/class/usblp.c
+@@ -1178,7 +1178,7 @@ static int usblp_probe(struct usb_interf
+ }
+
+ /* Allocate buffer for printer status */
+- usblp->statusbuf = kmalloc(STATUS_BUF_SIZE, GFP_KERNEL);
++ usblp->statusbuf = kzalloc(STATUS_BUF_SIZE, GFP_KERNEL);
+ if (!usblp->statusbuf) {
+ retval = -ENOMEM;
+ goto abort;
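Review bot: The existing `/* Allocate buffer for printer status */` comment does not record why the allocation became zeroed, and the reasoning in the description (a zero-length status reply would otherwise hand one byte of stale heap to LPGETSTATUS, and a later short read only repeats the byte previously returned) is exactly what a future "kzalloc not needed" cleanup is likely to undo; extending it to `/* Allocate (zeroed) buffer for printer status: a short status reply must never return stale heap via LPGETSTATUS */` keeps the intent with the code. usblp_probe() starts and ends outside the hunk.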
--- /dev/null
+From d748603f12baff112caa3ab7d39f50100f010dbd Mon Sep 17 00:00:00 2001
+From: "Jiri Slaby (SUSE)" <jirislaby@kernel.org>
+Date: Tue, 9 Dec 2025 11:04:59 +0100
+Subject: wifi: ath5k: do not access array OOB
+
+From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+
+commit d748603f12baff112caa3ab7d39f50100f010dbd upstream.
+
+Vincent reports:
+> The ath5k driver seems to do an array-index-out-of-bounds access as
+> shown by the UBSAN kernel message:
+> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20
+> index 4 is out of range for type 'ieee80211_tx_rate [4]'
+> ...
+> Call Trace:
+> <TASK>
+> dump_stack_lvl+0x5d/0x80
+> ubsan_epilogue+0x5/0x2b
+> __ubsan_handle_out_of_bounds.cold+0x46/0x4b
+> ath5k_tasklet_tx+0x4e0/0x560 [ath5k]
+> tasklet_action_common+0xb5/0x1c0
+
+It is real. 'ts->ts_final_idx' can be 3 on 5212, so:
+ info->status.rates[ts->ts_final_idx + 1].idx = -1;
+with the array defined as:
+ struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
+while the size is:
+ #define IEEE80211_TX_MAX_RATES 4
+is indeed bogus.
+
+Set this 'idx = -1' sentinel only if the array index is less than the
+array size. As mac80211 will not look at rates beyond the size
+(IEEE80211_TX_MAX_RATES).
+
+Note: The effect of the OOB write is negligible. It just overwrites the
+next member of info->status, i.e. ack_signal.
+
+Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+Reported-by: Vincent Danjean <vdanjean@debian.org>
+Link: https://lore.kernel.org/all/aQYUkIaT87ccDCin@eldamar.lan
+Closes: https://bugs.debian.org/1119093
+Fixes: 6d7b97b23e11 ("ath5k: fix tx status reporting issues")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251209100459.2253198-1-jirislaby@kernel.org
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath5k/base.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath5k/base.c
++++ b/drivers/net/wireless/ath/ath5k/base.c
+@@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw
+ }
+
+ info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry;
+- info->status.rates[ts->ts_final_idx + 1].idx = -1;
++ if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES)
++ info->status.rates[ts->ts_final_idx + 1].idx = -1;
+
+ if (unlikely(ts->ts_status)) {
+ ah->stats.ack_fail++;
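Review bot: The guard covers only the sentinel write; the `.count` store on the line above still indexes rates[] with ts->ts_final_idx unchecked, so it relies on the hardware-derived index never exceeding IEEE80211_TX_MAX_RATES - 1 (the description says it reaches 3 on 5212). If that bound is guaranteed where ts_final_idx is filled in, a comment here saying so would help; otherwise the same comparison should guard both stores. A short comment on the new condition, `/* mac80211 stops at IEEE80211_TX_MAX_RATES; only terminate the list when there is room */`, would also save the next reader a trip to the commit log. ath5k_tx_frame_completed() starts and ends outside the hunk.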
--- /dev/null
+From 1f4f78bf8549e6ac4f04fba4176854f3a6e0c332 Mon Sep 17 00:00:00 2001
+From: Tristan Madani <tristan@talencesecurity.com>
+Date: Fri, 17 Apr 2026 11:11:44 +0000
+Subject: wifi: b43: enforce bounds check on firmware key index in b43_rx()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tristan Madani <tristan@talencesecurity.com>
+
+commit 1f4f78bf8549e6ac4f04fba4176854f3a6e0c332 upstream.
+
+The firmware-controlled key index in b43_rx() can exceed the dev->key[]
+array size (58 entries). The existing B43_WARN_ON is non-enforcing in
+production builds, allowing an out-of-bounds read.
+
+Make the B43_WARN_ON check enforcing by dropping the frame when the
+firmware returns an invalid key index.
+
+Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
+Acked-by: Michael Büsch <m@bues.ch>
+Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
+Link: https://patch.msgid.link/20260417111145.2694196-1-tristmd@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/b43/xmit.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/b43/xmit.c
++++ b/drivers/net/wireless/broadcom/b43/xmit.c
+@@ -702,7 +702,8 @@ void b43_rx(struct b43_wldev *dev, struc
+ * key index, but the ucode passed it slightly different.
+ */
+ keyidx = b43_kidx_to_raw(dev, keyidx);
+- B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
++ if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)))
++ goto drop;
+
+ if (dev->key[keyidx].algorithm != B43_SEC_ALGO_NONE) {
+ wlhdr_len = ieee80211_hdrlen(fctl);
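Review bot: The new drop path still goes through B43_WARN_ON, so every frame whose firmware-supplied key index is out of range emits a full warning with backtrace; since the index is device-controlled, that is a log-flood vector and, with panic_on_warn set, a crash vector. Dropping with `if (unlikely(keyidx >= ARRAY_SIZE(dev->key))) goto drop;` plus a once-only or rate-limited warning would keep the diagnostic without making it repeatable from the device. The change also relies on B43_WARN_ON evaluating to its condition in non-debug builds, which the commit implies but which is worth a glance at the macro. The same applies to the b43legacy hunk (B43legacy_WARN_ON against dev->max_nr_keys). b43_rx() and its `drop` label are outside the hunk.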
--- /dev/null
+From a035766f970bde2d4298346a31a80685be5c0205 Mon Sep 17 00:00:00 2001
+From: Tristan Madani <tristan@talencesecurity.com>
+Date: Fri, 17 Apr 2026 11:11:45 +0000
+Subject: wifi: b43legacy: enforce bounds check on firmware key index in RX path
+
+From: Tristan Madani <tristan@talencesecurity.com>
+
+commit a035766f970bde2d4298346a31a80685be5c0205 upstream.
+
+Same fix as b43: the firmware-controlled key index in b43legacy_rx()
+can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is
+non-enforcing in production builds, allowing an out-of-bounds read of
+dev->key[].
+
+Make the check enforcing by dropping the frame for invalid indices.
+
+Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
+Link: https://patch.msgid.link/20260417111145.2694196-2-tristmd@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/b43legacy/xmit.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/b43legacy/xmit.c
++++ b/drivers/net/wireless/broadcom/b43legacy/xmit.c
+@@ -476,7 +476,8 @@ void b43legacy_rx(struct b43legacy_wldev
+ * key index, but the ucode passed it slightly different.
+ */
+ keyidx = b43legacy_kidx_to_raw(dev, keyidx);
+- B43legacy_WARN_ON(keyidx >= dev->max_nr_keys);
++ if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys))
++ goto drop;
+
+ if (dev->key[keyidx].algorithm != B43legacy_SEC_ALGO_NONE) {
+ /* Remove PROTECTED flag to mark it as decrypted. */
--- /dev/null
+From c623b63580880cc742255eaed3d79804c1b91143 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Thu, 16 Apr 2026 11:33:39 +0200
+Subject: wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit c623b63580880cc742255eaed3d79804c1b91143 upstream.
+
+The watchdog task might end between the send_sig() and kthread_stop() calls,
+which results in a use-after-free. Fix this by increasing the watchdog task
+reference count before calling send_sig() and dropping it by switching to
+kthread_stop_put().
+
+Cc: stable@vger.kernel.org
+Fixes: 373c83a801f1 ("brcmfmac: stop watchdog before detach and free everything")
+Fixes: a9ffda88be74 ("brcm80211: fmac: abstract bus_stop interface function pointer")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Link: https://patch.msgid.link/20260416093339.2066829-1-m.szyprowski@samsung.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -2476,8 +2476,9 @@ static void brcmf_sdio_bus_stop(struct d
+ brcmf_dbg(TRACE, "Enter\n");
+
+ if (bus->watchdog_tsk) {
++ get_task_struct(bus->watchdog_tsk);
+ send_sig(SIGTERM, bus->watchdog_tsk, 1);
+- kthread_stop(bus->watchdog_tsk);
++ kthread_stop_put(bus->watchdog_tsk);
+ bus->watchdog_tsk = NULL;
+ }
+
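Review bot: The same four-line get_task_struct()/send_sig()/kthread_stop_put()/NULL sequence is now duplicated in brcmf_sdio_bus_stop() and brcmf_sdio_remove(), so the reference-holding subtlety this commit fixes has to be remembered at two sites; a small helper keeps it in one place and can carry the comment explaining why the reference is taken before send_sig(). Both enclosing functions start and end outside the hunks.
```c
/* Stop the watchdog thread. Hold a task reference across send_sig() so the
 * thread exiting on its own cannot free the task_struct before
 * kthread_stop_put() reaps it and drops the reference. */
static void brcmf_sdio_stop_watchdog(struct brcmf_sdio *bus)
{
	if (!bus->watchdog_tsk)
		return;
	get_task_struct(bus->watchdog_tsk);
	send_sig(SIGTERM, bus->watchdog_tsk, 1);
	kthread_stop_put(bus->watchdog_tsk);
	bus->watchdog_tsk = NULL;
}
/* … callers: replace both inline blocks with brcmf_sdio_stop_watchdog(bus); … */
```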
+@@ -4567,8 +4568,9 @@ void brcmf_sdio_remove(struct brcmf_sdio
+ if (bus) {
+ /* Stop watchdog task */
+ if (bus->watchdog_tsk) {
++ get_task_struct(bus->watchdog_tsk);
+ send_sig(SIGTERM, bus->watchdog_tsk, 1);
+- kthread_stop(bus->watchdog_tsk);
++ kthread_stop_put(bus->watchdog_tsk);
+ bus->watchdog_tsk = NULL;
+ }
+
--- /dev/null
+From 7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba Mon Sep 17 00:00:00 2001
+From: Catherine <enderaoelyther@gmail.com>
+Date: Fri, 24 Apr 2026 21:14:36 +0800
+Subject: wifi: mac80211: drop stray 'static' from fast-RX rx_result
+
+From: Catherine <enderaoelyther@gmail.com>
+
+commit 7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba upstream.
+
+ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but
+its per-invocation rx_result is declared static. Concurrent callers then
+share one instance and can overwrite each other's result between
+ieee80211_rx_mesh_data() and the switch on res.
+
+That can make a packet that was queued or consumed by
+ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make
+a packet that should continue return as queued.
+
+Make res an automatic variable so each invocation keeps its own result.
+
+Fixes: 3468e1e0c639 ("wifi: mac80211: add mesh fast-rx support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Catherine <enderaoelyther@gmail.com>
+Link: https://patch.msgid.link/20260424131435.83212-2-enderaoelyther@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -4928,7 +4928,7 @@ static bool ieee80211_invoke_fast_rx(str
+ struct sk_buff *skb = rx->skb;
+ struct ieee80211_hdr *hdr = (void *)skb->data;
+ struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
+- static ieee80211_rx_result res;
++ ieee80211_rx_result res;
+ int orig_len = skb->len;
+ int hdrlen = ieee80211_hdrlen(hdr->frame_control);
+ int snap_offs = hdrlen;
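Review bot: `res` is now an automatic variable with no initializer, so if the assignment from ieee80211_rx_mesh_data() (outside the hunk) is conditional, the later switch on res reads an indeterminate value; `ieee80211_rx_result res = RX_CONTINUE;` would make the default explicit at no cost. A static local in a per-packet path that is documented as safe for concurrent RX is the kind of pattern worth a one-off scan across the remaining RX fast paths. ieee80211_invoke_fast_rx() starts and ends outside the hunk.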
--- /dev/null
+From 283fc9e44ff5b5ac967439b4951b80bd4299f4e4 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 5 May 2026 15:15:34 +0200
+Subject: wifi: mac80211: remove station if connection prep fails
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 283fc9e44ff5b5ac967439b4951b80bd4299f4e4 upstream.
+
+If connection preparation fails for MLO connections, then the
+interface is completely reset to non-MLD. In this case, we must
+not keep the station since it's related to the link of the vif
+being removed. Delete an existing station. Any "new_sta" is
+already being removed, so that doesn't need changes.
+
+This fixes a use-after-free/double-free in debugfs if that's
+enabled, because a vif going from MLD (and to MLD, but that's
+not relevant here) recreates its entire debugfs.
+
+Cc: stable@vger.kernel.org
+Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link")
+Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20260505151533.c4e52deb06ad.Iafe56cec7de8512626169496b134bce3a6c17010@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mlme.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -9053,7 +9053,7 @@ static int ieee80211_prep_connection(str
+ struct ieee80211_bss *bss = (void *)cbss->priv;
+ struct sta_info *new_sta = NULL;
+ struct ieee80211_link_data *link;
+- bool have_sta = false;
++ struct sta_info *have_sta = NULL;
+ bool mlo;
+ int err;
+ u16 new_links;
+@@ -9072,11 +9072,8 @@ static int ieee80211_prep_connection(str
+ mlo = false;
+ }
+
+- if (assoc) {
+- rcu_read_lock();
++ if (assoc)
+ have_sta = sta_info_get(sdata, ap_mld_addr);
+- rcu_read_unlock();
+- }
+
+ if (mlo && !have_sta &&
+ WARN_ON(sdata->vif.valid_links || sdata->vif.active_links))
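Review bot: Dropping the rcu_read_lock()/rcu_read_unlock() pair around `have_sta = sta_info_get(sdata, ap_mld_addr);` means the returned pointer is held unprotected for the rest of ieee80211_prep_connection and later handed to __sta_info_destroy(); that is only sound if station removal is serialized against this function by the wiphy lock, which I assume the caller holds but cannot see here. If the function does not already assert it, `lockdep_assert_wiphy(sdata->local->hw.wiphy);` near the top would document and enforce that requirement. The function body continues outside the hunk.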
+@@ -9239,6 +9236,8 @@ static int ieee80211_prep_connection(str
+ out_release_chan:
+ ieee80211_link_release_channel(link);
+ out_err:
++ if (mlo && have_sta)
++ WARN_ON(__sta_info_destroy(have_sta));
+ ieee80211_vif_set_links(sdata, 0, 0);
+ return err;
+ }
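Review bot: The new `if (mlo && have_sta) WARN_ON(__sta_info_destroy(have_sta));` carries no explanation of why only the MLO case destroys the station; the commit message gives the reason but the code does not, so a why-comment would help the next reader: `/* the vif is reset to non-MLD below, so a station tied to its link must not survive */`. Note that have_sta is only looked up under `if (assoc)`, so a non-assoc MLO failure destroys nothing here, which appears intended given that new_sta is handled separately per the commit message. ieee80211_prep_connection begins outside this hunk.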
--- /dev/null
+From ac8eb3e18f41e2cc8492cc1d358bcb786c850270 Mon Sep 17 00:00:00 2001
+From: Benjamin Berg <benjamin.berg@intel.com>
+Date: Tue, 5 May 2026 15:15:40 +0200
+Subject: wifi: mac80211: use safe list iteration in radar detect work
+
+From: Benjamin Berg <benjamin.berg@intel.com>
+
+commit ac8eb3e18f41e2cc8492cc1d358bcb786c850270 upstream.
+
+The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to
+be freed and removed from the list. Guard against this to avoid a
+slab-use-after-free error.
+
+Cc: stable@vger.kernel.org
+Fixes: bca8bc0399ac ("wifi: mac80211: handle ieee80211_radar_detected() for MLO")
+Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
+Link: https://patch.msgid.link/20260505151539.236d63a1b736.I35dbb9e96a2d4a480be208770fdd99ba3b817b79@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -3623,11 +3623,11 @@ void ieee80211_dfs_radar_detected_work(s
+ struct ieee80211_local *local =
+ container_of(work, struct ieee80211_local, radar_detected_work);
+ struct cfg80211_chan_def chandef;
+- struct ieee80211_chanctx *ctx;
++ struct ieee80211_chanctx *ctx, *tmp;
+
+ lockdep_assert_wiphy(local->hw.wiphy);
+
+- list_for_each_entry(ctx, &local->chanctx_list, list) {
++ list_for_each_entry_safe(ctx, tmp, &local->chanctx_list, list) {
+ if (ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER)
+ continue;
+
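Review bot: `list_for_each_entry_safe(ctx, tmp, &local->chanctx_list, list)` only protects against the current `ctx` being unlinked; if the ieee80211_dfs_cac_cancel() call that the commit message says can free the iterated chanctx can also tear down other chanctxs in the same pass (for example when several links sit on the radar channel), `tmp` may itself be freed before the next iteration and the use-after-free remains. If that is possible, restart the walk after a cancel, or collect the affected chandefs first and cancel outside the loop, rather than relying on the safe iterator. The loop body and the cancel call are outside this hunk.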
--- /dev/null
+From 5373f8b19e568b5c217832b9bbef165bd2b2df14 Mon Sep 17 00:00:00 2001
+From: Leon Yen <leon.yen@mediatek.com>
+Date: Thu, 9 Oct 2025 10:01:58 +0800
+Subject: wifi: mt76: mt7921: fix a potential clc buffer length underflow
+
+From: Leon Yen <leon.yen@mediatek.com>
+
+commit 5373f8b19e568b5c217832b9bbef165bd2b2df14 upstream.
+
+The buf_len is used to limit the iterations for retrieving the country
+power setting and may underflow under certain conditions due to changes
+in the power table in CLC.
+
+This underflow leads to an almost infinite loop or an invalid power
+setting resulting in driver initialization failure.
+
+Cc: stable@vger.kernel.org
+Fixes: fa6ad88e023d ("wifi: mt76: mt7921: fix country count limitation for CLC")
+Signed-off-by: Leon Yen <leon.yen@mediatek.com>
+Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Link: https://patch.msgid.link/20251009020158.1923429-1-mingyen.hsieh@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+@@ -1353,6 +1353,9 @@ int __mt7921_mcu_set_clc(struct mt792x_d
+ u16 len = le16_to_cpu(rule->len);
+ u16 offset = len + sizeof(*rule);
+
++ if (buf_len < offset)
++ break;
++
+ pos += offset;
+ buf_len -= offset;
+ if (rule->alpha2[0] != alpha2[0] ||
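Review bot: The new guard `if (buf_len < offset) break;` does not cover `u16 offset = len + sizeof(*rule);` wrapping: with `len` near U16_MAX the sum is truncated to a small `offset`, passes the check, and `pos` advances by far less than the rule claims, so the walk continues on misaligned data. Computing the width in a type that cannot wrap, `u32 offset = len + sizeof(*rule);`, or checking `if (buf_len < sizeof(*rule) || len > buf_len - sizeof(*rule)) break;` closes that hole. Whether `buf_len >= sizeof(*rule)` is verified before `rule->len` is read is outside this hunk and worth confirming, since the CLC table comes from the firmware blob rather than from the driver.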
--- /dev/null
+From fdfa39f9f4fbae532b162da913a67b2410caf38f Mon Sep 17 00:00:00 2001
+From: Quan Zhou <quan.zhou@mediatek.com>
+Date: Fri, 23 Jan 2026 10:16:25 +0800
+Subject: wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work
+
+From: Quan Zhou <quan.zhou@mediatek.com>
+
+commit fdfa39f9f4fbae532b162da913a67b2410caf38f upstream.
+
+The mt7921_set_roc API may be executed concurrently with mt7921_roc_work,
+specifically between the following code paths:
+
+- The check and clear of MT76_STATE_ROC in mt7921_roc_work:
+ if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state))
+ return;
+
+- The execution of ieee80211_iterate_active_interfaces.
+
+This race condition can interrupt the ROC abort flow, resulting in
+the ROC process failing to abort as expected.
+
+To address this defect, the modification of MT76_STATE_ROC is now
+protected by mt792x_mutex_acquire(phy->dev). This ensures that
+changes to the ROC state are properly synchronized, preventing
+race conditions and ensuring the ROC abort flow is not interrupted.
+
+Fixes: 034ae28b56f1 ("wifi: mt76: mt7921: introduce remain_on_channel support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Quan Zhou <quan.zhou@mediatek.com>
+Reviewed-by: Sean Wang <sean.wang@mediatek.com>
+Link: https://patch.msgid.link/2568ece8b557e5dda79391414c834ef3233049b6.1769133724.git.quan.zhou@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+@@ -387,10 +387,11 @@ void mt7921_roc_work(struct work_struct
+ phy = (struct mt792x_phy *)container_of(work, struct mt792x_phy,
+ roc_work);
+
+- if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state))
+- return;
+-
+ mt792x_mutex_acquire(phy->dev);
++ if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state)) {
++ mt792x_mutex_release(phy->dev);
++ return;
++ }
+ ieee80211_iterate_active_interfaces(phy->mt76->hw,
+ IEEE80211_IFACE_ITER_RESUME_ALL,
+ mt7921_roc_iter, phy);
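Review bot: The early return now carries its own `mt792x_mutex_release(phy->dev);` right after the acquire, so the function has two release sites (the other presumably at the end of the function, outside this hunk); a `goto out;` to a single release label would keep a future early exit from missing the unlock. Taking the mutex before `test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state)` is the right ordering for the race the commit message describes. mt7921_roc_work continues beyond this hunk.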
--- /dev/null
+From bb8e38fcdbf7290d7f0cd572d2d8fdb2b641b492 Mon Sep 17 00:00:00 2001
+From: Quan Zhou <quan.zhou@mediatek.com>
+Date: Thu, 27 Nov 2025 15:49:11 +0800
+Subject: wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr
+
+From: Quan Zhou <quan.zhou@mediatek.com>
+
+commit bb8e38fcdbf7290d7f0cd572d2d8fdb2b641b492 upstream.
+
+Previously, the AMPDU state bit for a given TID was set before attempting
+to start a BA session, which could result in the AMPDU state being marked
+active even if ieee80211_start_tx_ba_session() failed. This patch changes
+the logic to only set the AMPDU state bit after successfully starting a BA
+session, ensuring proper synchronization between AMPDU state and BA session
+status.
+
+This fixes potential issues with aggregation state tracking and improves
+compatibility with mac80211 BA session management.
+
+Fixes: 44eb173bdd4f ("wifi: mt76: mt7925: add link handling in mt7925_txwi_free")
+Cc: stable@vger.kernel.org
+
+Signed-off-by: Quan Zhou <quan.zhou@mediatek.com>
+Reviewed-by: Sean Wang <sean.wang@mediatek.com>
+Link: https://patch.msgid.link/d5960fbced0beaf33c30203f7f8fb91d0899c87b.1764228973.git.quan.zhou@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
+@@ -882,8 +882,10 @@ static void mt7925_tx_check_aggr(struct
+ else
+ mlink = &msta->deflink;
+
+- if (!test_and_set_bit(tid, &mlink->wcid.ampdu_state))
+- ieee80211_start_tx_ba_session(sta, tid, 0);
++ if (!test_and_set_bit(tid, &mlink->wcid.ampdu_state)) {
++ if (ieee80211_start_tx_ba_session(sta, tid, 0))
++ clear_bit(tid, &mlink->wcid.ampdu_state);
++ }
+ }
+
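Review bot: Clearing the bit on any non-zero return from `ieee80211_start_tx_ba_session(sta, tid, 0)` means a peer for which a session can never start (mac80211 rejects stations that cannot aggregate with an error, as far as I recall) will now trigger a new start attempt on every frame for that TID, where previously the set bit suppressed retries; if that is not intended, consider clearing only for transient errors such as -EBUSY, or otherwise rate-limiting the retry. A short comment on the intended retry policy, e.g. `/* leave ampdu_state clear so a later frame retries the BA setup */`, would make the choice explicit. mt7925_tx_check_aggr begins outside this hunk.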
+ static bool
--- /dev/null
+From ccb186326bb6b7f20d77982f855568e7087ad0d7 Mon Sep 17 00:00:00 2001
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Date: Mon, 8 Sep 2025 15:25:26 +0800
+Subject: wifi: mt76: mt7925: fix incorrect length field in txpower command
+
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+
+commit ccb186326bb6b7f20d77982f855568e7087ad0d7 upstream.
+
+Set `tx_power_tlv->len` to `msg_len` instead of `sizeof(*tx_power_tlv)`
+to ensure the correct message length is sent to firmware.
+
+Cc: stable@vger.kernel.org
+Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
+Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Link: https://patch.msgid.link/20250908072526.1833938-1-mingyen.hsieh@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+@@ -3727,7 +3727,7 @@ mt7925_mcu_rate_txpower_band(struct mt76
+ memcpy(tx_power_tlv->alpha2, dev->alpha2, sizeof(dev->alpha2));
+ tx_power_tlv->n_chan = num_ch;
+ tx_power_tlv->tag = cpu_to_le16(0x1);
+- tx_power_tlv->len = cpu_to_le16(sizeof(*tx_power_tlv));
++ tx_power_tlv->len = cpu_to_le16(msg_len);
+
+ switch (band) {
+ case NL80211_BAND_2GHZ:
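Review bot: `tx_power_tlv->len = cpu_to_le16(msg_len);` is only correct if `msg_len` measures exactly what the firmware expects the TLV length to cover, and that computation is outside this hunk; a one-line comment such as `/* len covers the whole TLV including the per-channel power entries */` would keep the next maintainer from reverting to sizeof(*tx_power_tlv). If `msg_len` also includes any header that precedes the TLV, the value would overshoot, so it is worth checking against the firmware interface. mt7925_mcu_rate_txpower_band begins outside this hunk.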
--- /dev/null
+From db57a1aa54ff68669781976e4edb045e09e2b65b Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Thu, 23 Apr 2026 02:38:46 +0900
+Subject: wifi: rsi: fix kthread lifetime race between self-exit and external-stop
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit db57a1aa54ff68669781976e4edb045e09e2b65b upstream.
+
+The RSI driver uses both self-exit (kthread_complete_and_exit()) and external
+stop (kthread_stop()) when killing a kthread. Generally, kthread_stop() is
+called first, and in that case no particular issue occurs.
+
+However, in rare instances where kthread_complete_and_exit() is called
+first and then kthread_stop() is called, a UAF occurs because the kthread
+object, which has already exited and been freed, is accessed again.
+
+Therefore, to prevent this with minimal modification, you must remove
+kthread_stop() and change the code to wait until the self-exit operation
+is completed.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: syzbot+5de83f57cd8531f55596@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69e5d03b.a00a0220.1bd0ca.0064.GAE@google.com/
+Fixes: 4c62764d0fc2 ("rsi: improve kernel thread handling to fix kernel panic")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Link: https://patch.msgid.link/20260422173846.37640-1-aha310510@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/rsi/rsi_common.h | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/rsi/rsi_common.h
++++ b/drivers/net/wireless/rsi/rsi_common.h
+@@ -70,12 +70,11 @@ static inline int rsi_create_kthread(str
+ return 0;
+ }
+
+-static inline int rsi_kill_thread(struct rsi_thread *handle)
++static inline void rsi_kill_thread(struct rsi_thread *handle)
+ {
+ atomic_inc(&handle->thread_done);
+ rsi_set_event(&handle->event);
+-
+- return kthread_stop(handle->task);
++ wait_for_completion(&handle->completion);
+ }
+
+ void rsi_mac80211_detach(struct rsi_hw *hw);