From: Greg Kroah-Hartman Date: Tue, 12 May 2026 12:38:19 +0000 (+0200) Subject: 6.18-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=595bec9f35fe03d7685efb8cfcd850d96e2d6498;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: alsa-core-serialize-deferred-fasync-state-checks.patch alsa-firewire-tascam-do-not-drop-unread-control-events.patch alsa-hda-cs35l56-propagate-asp-tx-source-control-errors.patch alsa-hda-realtek-fix-speaker-silence-after-s3-resume-on-xiaomi-mi-laptop-pro-15.patch alsa-pcm-oss-fix-data-race-at-accessing-runtime.oss.trigger.patch alsa-seq-fix-ump-group-16-filtering.patch alsa-usb-audio-avoid-potential-endless-loop-in-convert_chmap_v3.patch alsa-usb-audio-fix-uac3-cluster-descriptor-size-check.patch alsa-usb-audio-midi2-restart-output-urbs-on-resume.patch exit-prevent-preemption-of-oopsing-task_dead-task.patch powerpc-kdump-fix-kasan-sanitization-flag-for-core_-bits-.o.patch usb-omap_udc-dma-don-t-enable-burst-4-mode.patch usb-serial-option-add-telit-cinterion-le910cx-compositions.patch usb-typec-tcpm-fix-debug-accessory-mode-detection-for-sink-ports.patch usb-typec-tcpm-reset-internal-port-states-on-soft-reset-ams.patch usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch usb-usblp-fix-heap-leak-in-ieee-1284-device-id-via-short-response.patch usb-usblp-fix-uninitialized-heap-leak-via-lpgetstatus-ioctl.patch wifi-ath5k-do-not-access-array-oob.patch wifi-b43-enforce-bounds-check-on-firmware-key-index-in-b43_rx.patch wifi-b43legacy-enforce-bounds-check-on-firmware-key-index-in-rx-path.patch wifi-brcmfmac-fix-potential-use-after-free-issue-when-stopping-watchdog-task.patch wifi-mac80211-drop-stray-static-from-fast-rx-rx_result.patch wifi-mac80211-remove-station-if-connection-prep-fails.patch wifi-mac80211-use-safe-list-iteration-in-radar-detect-work.patch wifi-mt76-mt7921-fix-a-potential-clc-buffer-length-underflow.patch wifi-mt76-mt7921-fix-roc-abort-flow-interruption-in-mt7921_roc_work.patch 
wifi-mt76-mt7925-fix-ampdu-state-handling-in-mt7925_tx_check_aggr.patch wifi-mt76-mt7925-fix-incorrect-length-field-in-txpower-command.patch wifi-rsi-fix-kthread-lifetime-race-between-self-exit-and-external-stop.patch x86-efi-restore-irq-state-in-efi-page-fault-handler.patch --- diff --git a/queue-6.18/alsa-core-serialize-deferred-fasync-state-checks.patch b/queue-6.18/alsa-core-serialize-deferred-fasync-state-checks.patch new file mode 100644 index 0000000000..08b0d53bc3 --- /dev/null +++ b/queue-6.18/alsa-core-serialize-deferred-fasync-state-checks.patch 
@@ -0,0 +1,63 @@ +From 5337213381df578058e2e41da93cbd0e4639935f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?= +Date: Wed, 6 May 2026 00:34:47 -0300 +Subject: ALSA: core: Serialize deferred fasync state checks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cássio Gabriel + +commit 5337213381df578058e2e41da93cbd0e4639935f upstream. + +snd_fasync_helper() updates fasync->on under snd_fasync_lock, and +snd_fasync_work_fn() now also evaluates fasync->on under the same +lock. snd_kill_fasync() still tests the flag before taking the lock, +leaving an unsynchronized read against FASYNC enable/disable updates. + +Move the enabled-state check into the locked section. + +Also clear fasync->on under snd_fasync_lock in snd_fasync_free() +before unlinking the pending entry. Together with the locked sender-side +check, this publishes teardown before flushing the deferred work and +prevents a racing sender from requeueing the entry after free has +started. 
+ +Fixes: ef34a0ae7a26 ("ALSA: core: Add async signal helpers") +Fixes: 8146cd333d23 ("ALSA: core: Fix potential data race at fasync handling") +Cc: stable@vger.kernel.org +Signed-off-by: Cássio Gabriel +Link: https://patch.msgid.link/20260506-alsa-core-fasync-on-lock-v1-1-ea48c77d6ca4@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/misc.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/sound/core/misc.c ++++ b/sound/core/misc.c +@@ -148,9 +148,11 @@ EXPORT_SYMBOL_GPL(snd_fasync_helper); + + void snd_kill_fasync(struct snd_fasync *fasync, int signal, int poll) + { +- if (!fasync || !fasync->on) ++ if (!fasync) + return; + guard(spinlock_irqsave)(&snd_fasync_lock); ++ if (!fasync->on) ++ return; + fasync->signal = signal; + fasync->poll = poll; + list_move(&fasync->list, &snd_fasync_list); +@@ -163,8 +165,10 @@ void snd_fasync_free(struct snd_fasync * + if (!fasync) + return; + +- scoped_guard(spinlock_irq, &snd_fasync_lock) ++ scoped_guard(spinlock_irq, &snd_fasync_lock) { ++ fasync->on = 0; + list_del_init(&fasync->list); ++ } + + flush_work(&snd_fasync_work); + kfree(fasync); diff --git a/queue-6.18/alsa-firewire-tascam-do-not-drop-unread-control-events.patch b/queue-6.18/alsa-firewire-tascam-do-not-drop-unread-control-events.patch new file mode 100644 index 0000000000..b2bd0f8717 --- /dev/null +++ b/queue-6.18/alsa-firewire-tascam-do-not-drop-unread-control-events.patch 
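Review bot: The teardown in snd_fasync_free() now rests on statement order inside the scoped_guard — `fasync->on = 0` has to be published under snd_fasync_lock before `list_del_init()`, so that a sender which takes the lock next fails the new `if (!fasync->on)` test in snd_kill_fasync() instead of `list_move()`-ing the entry back onto snd_fasync_list after the flush — but nothing in the code says so. Suggest a comment above the assignment: `/* Clear ->on under the lock before unlinking: snd_kill_fasync() tests it under the same lock, so no sender can re-queue this entry once teardown has started */`. This also relies on snd_fasync_work_fn() reading ->on under snd_fasync_lock, as the description states; that function and the remainder of snd_kill_fasync() after the `list_move()` are outside the hunk.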
@@ -0,0 +1,50 @@ +From 0749daa8eb5ab90334aaad3b0671efd7150d43b1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?= +Date: Sun, 3 May 2026 21:55:52 -0300 +Subject: ALSA: firewire-tascam: Do not drop unread control events +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cássio Gabriel + +commit 0749daa8eb5ab90334aaad3b0671efd7150d43b1 upstream. + +tscm_hwdep_read_queue() copies as many queued control events as fit in +the userspace buffer. When the buffer is smaller than the current +contiguous queue segment, length is rounded down to the number of bytes +that can be copied. + +However, after copying that shortened length, the code advances pull_pos +to the original tail_pos, marking the whole contiguous segment as +consumed. Any events between the copied portion and tail_pos are lost. + +Limit tail_pos to the position after the entries actually copied before +updating pull_pos. When the whole segment fits, this is equivalent to the +old tail_pos update; when the buffer is smaller, the remaining events +stay queued for the next read. 
+ +Fixes: a8c0d13267a4 ("ALSA: firewire-tascam: notify events of change of state for userspace applications") +Cc: stable@vger.kernel.org +Suggested-by: Takashi Sakamoto +Signed-off-by: Cássio Gabriel +Reviewed-by: Takashi Sakamoto +Co-developed-by: Takashi Sakamoto +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20260503-alsa-firewire-tascam-read-queue-v2-1-126c6efd7642@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + sound/firewire/tascam/tascam-hwdep.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/firewire/tascam/tascam-hwdep.c ++++ b/sound/firewire/tascam/tascam-hwdep.c +@@ -73,6 +73,7 @@ static long tscm_hwdep_read_queue(struct + length = rounddown(remained, sizeof(*entries)); + if (length == 0) + break; ++ tail_pos = head_pos + length / sizeof(*entries); + + spin_unlock_irq(&tscm->lock); + if (copy_to_user(pos, &entries[head_pos], length)) diff --git a/queue-6.18/alsa-hda-cs35l56-propagate-asp-tx-source-control-errors.patch b/queue-6.18/alsa-hda-cs35l56-propagate-asp-tx-source-control-errors.patch new file mode 100644 index 0000000000..07e282b234 --- /dev/null +++ b/queue-6.18/alsa-hda-cs35l56-propagate-asp-tx-source-control-errors.patch 
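Review bot: The new `tail_pos = head_pos + length / sizeof(*entries);` quietly redefines what tail_pos means for the rest of the loop — from "end of the contiguous queue segment" to "end of what this iteration actually copies" — and the later pull_pos update that consumes it is outside the hunk, so a reader of this line alone cannot tell why it is here. A one-line comment would carry the intent: `/* consume only the entries actually copied; the rest stay queued for the next read */`. The division is exact because `length` was rounded down to a multiple of sizeof(*entries) on the line above. tscm_hwdep_read_queue() starts and ends outside the hunk.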
@@ -0,0 +1,78 @@ +From 0faacc0841d66f3cf51989c10a83f3a82d52ff2c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?= +Date: Thu, 23 Apr 2026 10:11:31 -0300 +Subject: ALSA: hda: cs35l56: Propagate ASP TX source control errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cássio Gabriel + +commit 0faacc0841d66f3cf51989c10a83f3a82d52ff2c upstream. + +cs35l56_hda_mixer_get() ignores regmap_read() and +cs35l56_hda_mixer_put() ignores regmap_update_bits_check(). + +This makes the ASP TX source controls report success when a regmap +access fails. The write path returns no change instead of an error, +and the read path continues after a failed read instead of aborting +the control callback. + +Propagate the regmap errors, matching the posture and volume controls +in this driver. + +Fixes: 73cfbfa9caea ("ALSA: hda/cs35l56: Add driver for Cirrus Logic CS35L56 amplifier") +Cc: stable@vger.kernel.org +Signed-off-by: Cássio Gabriel +Reviewed-by: Richard Fitzgerald +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20260423-alsa-cs35l56-asp-tx-source-errors-v1-1-17ea7c62ec31@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/codecs/side-codecs/cs35l56_hda.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/sound/hda/codecs/side-codecs/cs35l56_hda.c ++++ b/sound/hda/codecs/side-codecs/cs35l56_hda.c +@@ -180,11 +180,15 @@ static int cs35l56_hda_mixer_get(struct + { + struct cs35l56_hda *cs35l56 = snd_kcontrol_chip(kcontrol); + unsigned int reg_val; +- int i; ++ int i, ret; + + cs35l56_hda_wait_dsp_ready(cs35l56); + +- regmap_read(cs35l56->base.regmap, kcontrol->private_value, ®_val); ++ ret = regmap_read(cs35l56->base.regmap, kcontrol->private_value, ++ ®_val); ++ if (ret) ++ return ret; ++ + reg_val &= CS35L56_ASP_TXn_SRC_MASK; + + for (i = 0; i < CS35L56_NUM_INPUT_SRC; ++i) { +@@ -203,15 +207,20 @@ static int cs35l56_hda_mixer_put(struct + struct 
cs35l56_hda *cs35l56 = snd_kcontrol_chip(kcontrol); + unsigned int item = ucontrol->value.enumerated.item[0]; + bool changed; ++ int ret; + + if (item >= CS35L56_NUM_INPUT_SRC) + return -EINVAL; + + cs35l56_hda_wait_dsp_ready(cs35l56); + +- regmap_update_bits_check(cs35l56->base.regmap, kcontrol->private_value, +- CS35L56_INPUT_MASK, cs35l56_tx_input_values[item], +- &changed); ++ ret = regmap_update_bits_check(cs35l56->base.regmap, ++ kcontrol->private_value, ++ CS35L56_INPUT_MASK, ++ cs35l56_tx_input_values[item], ++ &changed); ++ if (ret) ++ return ret; + + return changed; + } diff --git a/queue-6.18/alsa-hda-realtek-fix-speaker-silence-after-s3-resume-on-xiaomi-mi-laptop-pro-15.patch b/queue-6.18/alsa-hda-realtek-fix-speaker-silence-after-s3-resume-on-xiaomi-mi-laptop-pro-15.patch new file mode 100644 index 0000000000..06ffef39af --- /dev/null +++ b/queue-6.18/alsa-hda-realtek-fix-speaker-silence-after-s3-resume-on-xiaomi-mi-laptop-pro-15.patch 
@@ -0,0 +1,89 @@ +From 92a8b5e2eff6920bf815cd6a80b088ec3fdf01a3 Mon Sep 17 00:00:00 2001 +From: Yuriy Padlyak +Date: Thu, 30 Apr 2026 01:09:03 +0300 +Subject: ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi Laptop Pro 15 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yuriy Padlyak + +commit 92a8b5e2eff6920bf815cd6a80b088ec3fdf01a3 upstream. + +The Xiaomi Mi Laptop Pro 15 (TM1905, subsystem 1d72:1905) ships with the +Realtek ALC256 codec on Intel Comet Lake PCH-LP. After S3 resume the +codec sets coefficient register 0x10 to 0x0220 instead of 0x0020 — bit 9 +is erroneously set, which silences the internal speaker. Bluetooth and +HDMI audio are unaffected because they use different paths. + +This is the same mechanism fixed for Clevo NJ51CU by commit edca7cc4b0ac +("ALSA: hda/realtek: Fix quirk for Clevo NJ51CU"), but the existing +ALC256_FIXUP_MIC_NO_PRESENCE_AND_RESUME also reconfigures pin 0x19 as a +front mic, which is wrong for this Xiaomi where pin 0x19 default is +0x411111f0 (disabled). Add a minimal fixup that only clears the stuck +coef bit, and add the Xiaomi SSID to the quirk table. + +Verified by reading coef 0x10 with hda-verb after resume (returns +0x0220), writing 0x0020, and confirming the internal speaker resumes +output. With this fixup applied the bit is cleared on every codec init, +including post-resume. 
+ +Signed-off-by: Yuriy Padlyak +Cc: +Tested-by: Yuriy Padlyak +Link: https://patch.msgid.link/20260429220903.14918-1-yuriypadlyak@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/codecs/realtek/alc269.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -3338,6 +3338,19 @@ static void alc256_fixup_mic_no_presence + } + } + ++static void alc256_fixup_xiaomi_pro15_resume(struct hda_codec *codec, ++ const struct hda_fixup *fix, ++ int action) ++{ ++ /* ++ * On the Xiaomi Mi Laptop Pro 15 (TM1905, SSID 1d72:1905) the ALC256 ++ * codec sets coefficient 0x10 bit 9 to 1 after S3 resume, silencing ++ * the internal speaker. Bluetooth and HDMI audio are unaffected. ++ * Clear the bit so the speaker keeps working across suspend cycles. ++ */ ++ alc_update_coef_idx(codec, 0x10, 1<<9, 0); ++} ++ + static void alc256_decrease_headphone_amp_val(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +@@ -3925,6 +3938,7 @@ enum { + ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE, + ALC233_FIXUP_NO_AUDIO_JACK, + ALC256_FIXUP_MIC_NO_PRESENCE_AND_RESUME, ++ ALC256_FIXUP_XIAOMI_PRO15_RESUME, + ALC285_FIXUP_LEGION_Y9000X_SPEAKERS, + ALC285_FIXUP_LEGION_Y9000X_AUTOMUTE, + ALC287_FIXUP_LEGION_16ACHG6, +@@ -6099,6 +6113,10 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC + }, ++ [ALC256_FIXUP_XIAOMI_PRO15_RESUME] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc256_fixup_xiaomi_pro15_resume, ++ }, + [ALC287_FIXUP_LEGION_16ACHG6] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc287_fixup_legion_16achg6_speakers, +@@ -7538,6 +7556,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x1d72, 0x1602, "RedmiBook", ALC255_FIXUP_XIAOMI_HEADSET_MIC), + SND_PCI_QUIRK(0x1d72, 0x1701, "XiaomiNotebook Pro", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", 
ALC256_FIXUP_ASUS_HEADSET_MIC), ++ SND_PCI_QUIRK(0x1d72, 0x1905, "Xiaomi Mi Laptop Pro 15", ALC256_FIXUP_XIAOMI_PRO15_RESUME), + SND_PCI_QUIRK(0x1d72, 0x1945, "Redmi G", ALC256_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1d72, 0x1947, "RedmiBook Air", ALC255_FIXUP_XIAOMI_HEADSET_MIC), + SND_PCI_QUIRK(0x1e39, 0xca14, "MEDION NM14LNL", ALC233_FIXUP_MEDION_MTL_SPK), diff --git a/queue-6.18/alsa-pcm-oss-fix-data-race-at-accessing-runtime.oss.trigger.patch b/queue-6.18/alsa-pcm-oss-fix-data-race-at-accessing-runtime.oss.trigger.patch new file mode 100644 index 0000000000..bb82f1d2ab --- /dev/null +++ b/queue-6.18/alsa-pcm-oss-fix-data-race-at-accessing-runtime.oss.trigger.patch 
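Review bot: alc256_fixup_xiaomi_pro15_resume() ignores its `action` argument, so the coef write also runs for the pre-probe, probe, build and free callbacks, not only at init; the description says the bit is meant to be cleared on every codec init, so if that is the only time it matters, `if (action != HDA_FIXUP_ACT_INIT) return;` at the top would make the intent explicit, and if the unconditional write is deliberate a comment saying so would help. Separately, `1<<9` is the spacing checkpatch complains about; `1 << 9` (or `BIT(9)`) reads as kernel style. The enclosing fixup table and quirk table are shown only around the inserted entries.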
@@ -0,0 +1,84 @@ +From 901ac0ff15edf9503162e2cf6579bd11a30f1ed4 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 24 Apr 2026 13:21:55 +0200 +Subject: ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger + +From: Takashi Iwai + +commit 901ac0ff15edf9503162e2cf6579bd11a30f1ed4 upstream. + +Currently the runtime.oss.trigger field may be accessed concurrently +without protection, which may lead to the data race. And, in this +case, it may lead to more severe problem because it's a bit field; as +writing the data, it may overwrite other bit fields as well, which +confuses the operation completely, as spotted by fuzzing. + +Fix it by covering runtime.oss.trigger bit fled also with the existing +params_lock mutex in both snd_pcm_oss_get_trigger() and +snd_pcm_oss_poll(). + +Reported-and-tested-by: Jaeyoung Chung +Closes: https://lore.kernel.org/20260423145330.210035-1-jjy600901@snu.ac.kr +Cc: +Link: https://patch.msgid.link/20260424112205.123703-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/oss/pcm_oss.c | 29 +++++++++++++++++++++++------ + 1 file changed, 23 insertions(+), 6 deletions(-) + +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -2146,10 +2146,16 @@ static int snd_pcm_oss_get_trigger(struc + + psubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_PLAYBACK]; + csubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE]; +- if (psubstream && psubstream->runtime && psubstream->runtime->oss.trigger) +- result |= PCM_ENABLE_OUTPUT; +- if (csubstream && csubstream->runtime && csubstream->runtime->oss.trigger) +- result |= PCM_ENABLE_INPUT; ++ if (psubstream && psubstream->runtime) { ++ guard(mutex)(&psubstream->runtime->oss.params_lock); ++ if (psubstream->runtime->oss.trigger) ++ result |= PCM_ENABLE_OUTPUT; ++ } ++ if (csubstream && csubstream->runtime) { ++ guard(mutex)(&csubstream->runtime->oss.params_lock); ++ if (csubstream->runtime->oss.trigger) ++ result |= 
PCM_ENABLE_INPUT; ++ } + return result; + } + +@@ -2823,6 +2829,17 @@ static int snd_pcm_oss_capture_ready(str + runtime->oss.period_frames; + } + ++static bool need_input_retrigger(struct snd_pcm_runtime *runtime) ++{ ++ bool ret; ++ ++ guard(mutex)(&runtime->oss.params_lock); ++ ret = runtime->oss.trigger; ++ if (ret) ++ runtime->oss.trigger = 0; ++ return ret; ++} ++ + static __poll_t snd_pcm_oss_poll(struct file *file, poll_table * wait) + { + struct snd_pcm_oss_file *pcm_oss_file; +@@ -2855,11 +2872,11 @@ static __poll_t snd_pcm_oss_poll(struct + snd_pcm_oss_capture_ready(csubstream)) + mask |= EPOLLIN | EPOLLRDNORM; + } +- if (ostate != SNDRV_PCM_STATE_RUNNING && runtime->oss.trigger) { ++ if (ostate != SNDRV_PCM_STATE_RUNNING && ++ need_input_retrigger(runtime)) { + struct snd_pcm_oss_file ofile; + memset(&ofile, 0, sizeof(ofile)); + ofile.streams[SNDRV_PCM_STREAM_CAPTURE] = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE]; +- runtime->oss.trigger = 0; + snd_pcm_oss_set_trigger(&ofile, PCM_ENABLE_INPUT); + } + } diff --git a/queue-6.18/alsa-seq-fix-ump-group-16-filtering.patch b/queue-6.18/alsa-seq-fix-ump-group-16-filtering.patch new file mode 100644 index 0000000000..72f160da4b --- /dev/null +++ b/queue-6.18/alsa-seq-fix-ump-group-16-filtering.patch 
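Review bot: need_input_retrigger() is a test-and-clear whose whole reason for existing — oss.trigger is a bit field sharing a word with its neighbours, so the read and the clear must both happen under params_lock — is stated only in the commit message, not at the function. Suggest a header comment: `/* Atomically test and clear oss.trigger under params_lock: it is a bit field, so an unlocked write could clobber the adjacent fields */`. The subsequent snd_pcm_oss_set_trigger() call still runs after the lock is dropped, exactly as the removed inline clear did, so that window is unchanged by this patch. snd_pcm_oss_poll() starts and ends outside the hunk.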
@@ -0,0 +1,78 @@ +From 92429ca999db99febced82f23362a71b2ba4c1d8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?= +Date: Wed, 6 May 2026 00:15:48 -0300 +Subject: ALSA: seq: Fix UMP group 16 filtering +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cássio Gabriel + +commit 92429ca999db99febced82f23362a71b2ba4c1d8 upstream. + +The sequencer UAPI defines group_filter as an unsigned int bitmap. +Bit 0 filters groupless messages and bits 1-16 filter UMP groups 1-16. + +The internal snd_seq_client storage is only unsigned short, so bit 16 +is truncated when userspace sets the filter. The same truncation affects +the automatic UMP client filter used to avoid delivery to inactive +groups, so events for group 16 cannot be filtered. + +Store the internal bitmap as unsigned int and keep both userspace-provided +and automatically generated values limited to the defined UAPI bits. + +Fixes: d2b706077792 ("ALSA: seq: Add UMP group filter") +Cc: stable@vger.kernel.org +Signed-off-by: Cássio Gabriel +Link: https://patch.msgid.link/20260506-alsa-seq-ump-group16-filter-v1-1-b75160bf6993@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/seq/seq_clientmgr.c | 2 +- + sound/core/seq/seq_clientmgr.h | 5 ++++- + sound/core/seq/seq_ump_client.c | 2 +- + 3 files changed, 6 insertions(+), 3 deletions(-) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -1252,7 +1252,7 @@ static int snd_seq_ioctl_set_client_info + if (client->user_pversion >= SNDRV_PROTOCOL_VERSION(1, 0, 3)) + client->midi_version = client_info->midi_version; + memcpy(client->event_filter, client_info->event_filter, 32); +- client->group_filter = client_info->group_filter; ++ client->group_filter = client_info->group_filter & SND_SEQ_GROUP_FILTER_MASK; + + /* notify the change */ + snd_seq_system_client_ev_client_change(client->number); +--- a/sound/core/seq/seq_clientmgr.h ++++ 
b/sound/core/seq/seq_clientmgr.h +@@ -14,6 +14,9 @@ + + /* client manager */ + ++#define SND_SEQ_GROUP_FILTER_MASK GENMASK(SNDRV_UMP_MAX_GROUPS, 0) ++#define SND_SEQ_GROUP_FILTER_GROUPS GENMASK(SNDRV_UMP_MAX_GROUPS, 1) ++ + struct snd_seq_user_client { + struct file *file; /* file struct of client */ + /* ... */ +@@ -40,7 +43,7 @@ struct snd_seq_client { + int number; /* client number */ + unsigned int filter; /* filter flags */ + DECLARE_BITMAP(event_filter, 256); +- unsigned short group_filter; ++ unsigned int group_filter; + snd_use_lock_t use_lock; + int event_lost; + /* ports */ +--- a/sound/core/seq/seq_ump_client.c ++++ b/sound/core/seq/seq_ump_client.c +@@ -369,7 +369,7 @@ static void setup_client_group_filter(st + cptr = snd_seq_kernel_client_get(client->seq_client); + if (!cptr) + return; +- filter = ~(1U << 0); /* always allow groupless messages */ ++ filter = SND_SEQ_GROUP_FILTER_GROUPS; /* always allow groupless messages */ + for (p = 0; p < SNDRV_UMP_MAX_GROUPS; p++) { + if (client->ump->groups[p].active) + filter &= ~(1U << (p + 1)); diff --git a/queue-6.18/alsa-usb-audio-avoid-potential-endless-loop-in-convert_chmap_v3.patch b/queue-6.18/alsa-usb-audio-avoid-potential-endless-loop-in-convert_chmap_v3.patch new file mode 100644 index 0000000000..a564e90e65 --- /dev/null +++ b/queue-6.18/alsa-usb-audio-avoid-potential-endless-loop-in-convert_chmap_v3.patch 
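Review bot: The local `filter` in setup_client_group_filter() is assigned `SND_SEQ_GROUP_FILTER_GROUPS`, but its declaration is outside the hunk — if it is still the `unsigned short` width this commit widens in struct snd_seq_client, bit 16 is truncated again before it reaches cptr->group_filter and the group-16 fix is incomplete; worth confirming. The two new macros in seq_clientmgr.h use GENMASK() and SNDRV_UMP_MAX_GROUPS, and the header's include list is not in the hunk, so check that linux/bits.h and the UAPI header defining SNDRV_UMP_MAX_GROUPS are pulled in by the header itself rather than by include order in the .c files. A short comment on the macros would also help: `/* bit 0: groupless messages; bits 1..SNDRV_UMP_MAX_GROUPS: UMP groups 1..16 */`.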
@@ -0,0 +1,35 @@
+From 6e7247d8f5fefeceb0bb9cc80a5388a636b219cd Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 27 Apr 2026 17:22:15 +0200
+Subject: ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
+
+From: Takashi Iwai
+
+commit 6e7247d8f5fefeceb0bb9cc80a5388a636b219cd upstream.
+
+The convert_chmap_v3() has a loop with its increment size of
+cs_desc->wLength, but we forgot to validate cs_desc->wLength itself,
+which may lead to potential endless loop by a malformed descriptor.
+
+Add a proper size check to abort the loop for plugging the hole.
+
+Fixes: ecfd41166b72 ("ALSA: usb-audio: Validate UAC3 cluster segment descriptors")
+Cc:
+Link: https://patch.msgid.link/20260427152224.15276-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/stream.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -352,6 +352,8 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
+ if (len < sizeof(*cs_desc))
+ break;
+ cs_len = le16_to_cpu(cs_desc->wLength);
++ if (cs_len < sizeof(*cs_desc))
++ break;
+ if (len < cs_len)
+ break;
+ cs_type = cs_desc->bSegmentType;
diff --git a/queue-6.18/alsa-usb-audio-fix-uac3-cluster-descriptor-size-check.patch b/queue-6.18/alsa-usb-audio-fix-uac3-cluster-descriptor-size-check.patch
new file mode 100644
index 0000000000..547baf4fc7
--- /dev/null
+++ b/queue-6.18/alsa-usb-audio-fix-uac3-cluster-descriptor-size-check.patch
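Review bot: The new guard `if (cs_len < sizeof(*cs_desc)) break;` is what guarantees the loop advances by at least one header per iteration, yet it reads like a duplicate of the `len < sizeof(*cs_desc)` check two lines above, so it is at risk of being "simplified" away; a comment would protect it: `/* wLength is device-supplied: a value below the header size would leave the loop stuck on this descriptor */`. The loop's increment by cs_len is outside the hunk, so that part is taken from the commit message. convert_chmap_v3() starts and ends outside the hunk.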
@@ -0,0 +1,46 @@
+From 26265dd69da32d88a88d21987853cec899d9e21f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?=
+Date: Fri, 24 Apr 2026 18:50:10 -0300
+Subject: ALSA: usb-audio: Fix UAC3 cluster descriptor size check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel
+
+commit 26265dd69da32d88a88d21987853cec899d9e21f upstream.
+
+The UAC3 cluster descriptor length check in
+snd_usb_get_audioformat_uac3()was added to
+make sure that the buffer is large enough for
+a struct uac3_cluster_header_descriptor before the
+returned data is cast and used.
+
+However, the check uses sizeof(cluster), where cluster
+is a pointer, not the size of the descriptor header.
+This makes the validation depend on the architecture
+pointer size and does not match the intended object size.
+
+Check against sizeof(*cluster) instead.
+
+Fixes: fb4e2a6e8f28 ("ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Cássio Gabriel
+Link: https://patch.msgid.link/20260424-alsa-usb-uac3-cluster-size-v1-1-99a5808898a3@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -999,7 +999,7 @@ snd_usb_get_audioformat_uac3(struct snd_
+ * and request Cluster Descriptor
+ */
+ wLength = le16_to_cpu(hc_header.wLength);
+- if (wLength < sizeof(cluster))
++ if (wLength < sizeof(*cluster))
+ return NULL;
+ cluster = kzalloc(wLength, GFP_KERNEL);
+ if (!cluster)
diff --git a/queue-6.18/alsa-usb-audio-midi2-restart-output-urbs-on-resume.patch b/queue-6.18/alsa-usb-audio-midi2-restart-output-urbs-on-resume.patch
new file mode 100644
index 0000000000..0ecad4ab2d
--- /dev/null
+++ b/queue-6.18/alsa-usb-audio-midi2-restart-output-urbs-on-resume.patch
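Review bot: `sizeof(*cluster)` now bounds only the fixed header, so any field read past the header struct later in snd_usb_get_audioformat_uac3() (the function continues outside the hunk) still needs its own check against wLength before use; confirm the code that follows does that rather than assuming the header check covers it. A comment at the check would make the boundary explicit: `/* wLength is device-supplied; the header is the minimum we can safely cast the buffer to */`.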
@@ -0,0 +1,63 @@ +From f3c57c9c2a49a21d784b7c04a2c883bffc070659 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?= +Date: Mon, 4 May 2026 11:08:45 -0300 +Subject: ALSA: usb-audio: midi2: Restart output URBs on resume +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cássio Gabriel + +commit f3c57c9c2a49a21d784b7c04a2c883bffc070659 upstream. + +USB MIDI 2.0 suspend saves the endpoint running state, clears it and +kills all endpoint URBs. Resume restores the running state, but only +restarts input endpoints. + +For a running output endpoint, this leaves the endpoint marked running +with an empty URB queue. Output transfer progress depends on either the +rawmidi trigger path starting the queue or an output completion refilling +it. After suspend there is no completion left, and output data that +remains queued in the raw UMP or legacy rawmidi buffer can stay stalled +until userspace happens to trigger the stream again. + +Restore the saved state with atomic accessors, keep input endpoints +restarted as before, and restart output endpoints that were running before +suspend. Clear the saved suspend state after restoring it. 
+ +Fixes: ff49d1df79ae ("ALSA: usb-audio: USB MIDI 2.0 UMP support") +Cc: stable@vger.kernel.org +Signed-off-by: Cássio Gabriel +Link: https://patch.msgid.link/20260504-usb-midi2-output-resume-v1-1-c089cc8ad3c6@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/midi2.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/sound/usb/midi2.c ++++ b/sound/usb/midi2.c +@@ -227,7 +227,7 @@ static void kill_midi_urbs(struct snd_us + if (!ep) + return; + if (suspending) +- ep->suspended = ep->running; ++ atomic_set(&ep->suspended, atomic_read(&ep->running)); + atomic_set(&ep->running, 0); + for (i = 0; i < ep->num_urbs; i++) { + if (!ep->urbs[i].urb) +@@ -1190,10 +1190,11 @@ void snd_usb_midi_v2_suspend_all(struct + + static void resume_midi2_endpoint(struct snd_usb_midi2_endpoint *ep) + { +- ep->running = ep->suspended; +- if (ep->direction == STR_IN) ++ atomic_set(&ep->running, atomic_read(&ep->suspended)); ++ atomic_set(&ep->suspended, 0); ++ ++ if (ep->direction == STR_IN || atomic_read(&ep->running)) + submit_io_urbs(ep); +- /* FIXME: does it all? */ + } + + void snd_usb_midi_v2_resume_all(struct snd_usb_audio *chip) diff --git a/queue-6.18/exit-prevent-preemption-of-oopsing-task_dead-task.patch b/queue-6.18/exit-prevent-preemption-of-oopsing-task_dead-task.patch new file mode 100644 index 0000000000..259f5b3f4c --- /dev/null +++ b/queue-6.18/exit-prevent-preemption-of-oopsing-task_dead-task.patch 
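Review bot: The resume condition `ep->direction == STR_IN || atomic_read(&ep->running)` encodes two different policies — input endpoints are always re-armed regardless of their pre-suspend state, output endpoints only if they were running — and nothing at the call site says why; the removed `/* FIXME: does it all? */` was the only hint this path was incomplete. Suggest replacing it with `/* input URBs are always re-armed; output URBs only if the endpoint was running at suspend, otherwise nothing would refill its queue */`. The save in kill_midi_urbs() copies running into suspended as two separate atomic operations, which is fine provided nothing else touches ep->running while suspending; its callers are outside the hunk. resume_midi2_endpoint() is shown in full, kill_midi_urbs() is not.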
@@ -0,0 +1,50 @@
+From c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Mon, 11 May 2026 08:55:11 -0700
+Subject: exit: prevent preemption of oopsing TASK_DEAD task
+
+From: Jann Horn
+
+commit c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891 upstream.
+
+When an already-exiting task oopses, make_task_dead() currently calls
+do_task_dead() with preemption enabled. That is forbidden:
+do_task_dead() calls __schedule(), which has a comment saying "WARNING:
+must be called with preemption disabled!".
+
+If an oopsing task is preempted in do_task_dead(), between becoming
+TASK_DEAD and entering the scheduler explicitly, bad things happen:
+finish_task_switch() assumes that once the scheduler has switched away
+from a TASK_DEAD task, the task can never run again and its stack is no
+longer needed; but that assumption apparently doesn't hold if the dead
+task was preempted (the SM_PREEMPT case).
+
+This means that the scheduler ends up repeatedly dropping references on
+the dead task's stack, which can lead to use-after-free or double-free
+of the entire task stack; in other words, two tasks can end up running
+on the same stack, resulting in various kinds of memory corruption.
+
+(This does not just affect "recursively oopsing" tasks; it is enough to
+oops once during task exit, for example in a file_operations::release
+handler)
+
+Fixes: 7f80a2fd7db9 ("exit: Stop poorly open coding do_task_dead in make_task_dead")
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn
+Acked-by: Peter Zijlstra
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/exit.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1069,6 +1069,7 @@ void __noreturn make_task_dead(int signr
+ futex_exit_recursive(tsk);
+ tsk->exit_state = EXIT_DEAD;
+ refcount_inc(&tsk->rcu_users);
++ preempt_disable();
+ do_task_dead();
+ }
+ 
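Review bot: The new `preempt_disable()` has no matching `preempt_enable()` and never will, because do_task_dead() does not return; without a comment it looks like a leaked preempt count to the next reader and to static tooling. Suggest `/* do_task_dead() must be entered with preemption disabled and never returns, so this is intentionally unbalanced */` above the call. make_task_dead() starts outside the hunk, so whether some path reaches here with preemption already disabled (harmless, the count nests) is not visible.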
diff --git a/queue-6.18/powerpc-kdump-fix-kasan-sanitization-flag-for-core_-bits-.o.patch b/queue-6.18/powerpc-kdump-fix-kasan-sanitization-flag-for-core_-bits-.o.patch
new file mode 100644
index 0000000000..e8b671068c
--- /dev/null
+++ b/queue-6.18/powerpc-kdump-fix-kasan-sanitization-flag-for-core_-bits-.o.patch
@@ -0,0 +1,52 @@
+From b3a97f9484080c6e71db9e803e3cc1bb372a9bc7 Mon Sep 17 00:00:00 2001
+From: Sourabh Jain
+Date: Tue, 7 Apr 2026 18:13:44 +0530
+Subject: powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sourabh Jain
+
+commit b3a97f9484080c6e71db9e803e3cc1bb372a9bc7 upstream.
+
+KASAN instrumentation is intended to be disabled for the kexec core
+code, but the existing Makefile entry misses the object suffix. As a
+result, the flag is not applied correctly to core_$(BITS).o.
+
+So when KASAN is enabled, kexec_copy_flush and copy_segments in
+kexec/core_64.c are instrumented, which can result in accesses to
+shadow memory via normal address translation paths. Since these run
+with the MMU disabled, such accesses may trigger page faults
+(bad_page_fault) that cannot be handled in the kdump path, ultimately
+causing a hang and preventing the kdump kernel from booting. The same
+is true for kexec as well, since the same functions are used there.
+
+Update the entry to include the “.o” suffix so that KASAN
+instrumentation is properly disabled for this object file.
+
+Fixes: 2ab2d5794f14 ("powerpc/kasan: Disable address sanitization in kexec paths")
+Reported-by: Venkat Rao Bagalkote
+Closes: https://lore.kernel.org/all/1dee8891-8bcc-46b4-93f3-fc3a774abd5b@linux.ibm.com/
+Cc: stable@vger.kernel.org
+Reviewed-by: Ritesh Harjani (IBM)
+Tested-by: Venkat Rao Bagalkote
+Acked-by: Mahesh Salgaonkar
+Reviewed-by: Aboorva Devarajan
+Tested-by: Aboorva Devarajan
+Signed-off-by: Sourabh Jain
+Signed-off-by: Madhavan Srinivasan
+Link: https://patch.msgid.link/20260407124349.1698552-1-sourabhjain@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kexec/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kexec/Makefile
++++ b/arch/powerpc/kexec/Makefile
+@@ -16,4 +16,4 @@ GCOV_PROFILE_core_$(BITS).o := n
+ KCOV_INSTRUMENT_core_$(BITS).o := n
+ UBSAN_SANITIZE_core_$(BITS).o := n
+ KASAN_SANITIZE_core.o := n
+-KASAN_SANITIZE_core_$(BITS) := n
++KASAN_SANITIZE_core_$(BITS).o := n
diff --git a/queue-6.18/series b/queue-6.18/series
index 3b5264d7bb..8ee8642038 100644
--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -22,3 +22,34 @@ net-af_key-zero-aligned-sockaddr-tail-in-pf_key-expo.patch kvm-svm-check-validity-of-vmcb-controls-when-returning-from-smm.patch net-stmmac-disable-eee-rx-clock-stop-when-vlan-is-enabled.patch net-sched-sch_red-replace-direct-dequeue-call-with-peek-and-qdisc_dequeue_peeked.patch +exit-prevent-preemption-of-oopsing-task_dead-task.patch +wifi-mt76-mt7925-fix-ampdu-state-handling-in-mt7925_tx_check_aggr.patch +wifi-mt76-mt7925-fix-incorrect-length-field-in-txpower-command.patch +wifi-mt76-mt7921-fix-a-potential-clc-buffer-length-underflow.patch +wifi-mt76-mt7921-fix-roc-abort-flow-interruption-in-mt7921_roc_work.patch +wifi-b43legacy-enforce-bounds-check-on-firmware-key-index-in-rx-path.patch +wifi-mac80211-drop-stray-static-from-fast-rx-rx_result.patch +wifi-rsi-fix-kthread-lifetime-race-between-self-exit-and-external-stop.patch +wifi-mac80211-use-safe-list-iteration-in-radar-detect-work.patch +wifi-ath5k-do-not-access-array-oob.patch +wifi-mac80211-remove-station-if-connection-prep-fails.patch +wifi-b43-enforce-bounds-check-on-firmware-key-index-in-b43_rx.patch +wifi-brcmfmac-fix-potential-use-after-free-issue-when-stopping-watchdog-task.patch +usb-usblp-fix-heap-leak-in-ieee-1284-device-id-via-short-response.patch +usb-usblp-fix-uninitialized-heap-leak-via-lpgetstatus-ioctl.patch +alsa-usb-audio-midi2-restart-output-urbs-on-resume.patch +alsa-usb-audio-avoid-potential-endless-loop-in-convert_chmap_v3.patch +alsa-usb-audio-fix-uac3-cluster-descriptor-size-check.patch +usb-typec-tcpm-reset-internal-port-states-on-soft-reset-ams.patch +usb-omap_udc-dma-don-t-enable-burst-4-mode.patch +usb-serial-option-add-telit-cinterion-le910cx-compositions.patch +usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch +usb-typec-tcpm-fix-debug-accessory-mode-detection-for-sink-ports.patch +alsa-hda-cs35l56-propagate-asp-tx-source-control-errors.patch +alsa-pcm-oss-fix-data-race-at-accessing-runtime.oss.trigger.patch 
+alsa-hda-realtek-fix-speaker-silence-after-s3-resume-on-xiaomi-mi-laptop-pro-15.patch +alsa-firewire-tascam-do-not-drop-unread-control-events.patch +alsa-core-serialize-deferred-fasync-state-checks.patch +alsa-seq-fix-ump-group-16-filtering.patch +powerpc-kdump-fix-kasan-sanitization-flag-for-core_-bits-.o.patch +x86-efi-restore-irq-state-in-efi-page-fault-handler.patch diff --git a/queue-6.18/usb-omap_udc-dma-don-t-enable-burst-4-mode.patch b/queue-6.18/usb-omap_udc-dma-don-t-enable-burst-4-mode.patch new file mode 100644 index 0000000000..a95a489cf7 --- /dev/null +++ b/queue-6.18/usb-omap_udc-dma-don-t-enable-burst-4-mode.patch 
@@ -0,0 +1,60 @@ +From 3f91484f6c13c434bd573ca6b6779c26adb0ddab Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Mon, 13 Apr 2026 21:49:12 +0300 +Subject: USB: omap_udc: DMA: Don't enable burst 4 mode + +From: Aaro Koskinen + +commit 3f91484f6c13c434bd573ca6b6779c26adb0ddab upstream. + +Commit 65111084c63d7 ("USB: more omap_udc updates (dma and omap1710)") +added setting for DMA burst 4 mode. But I think this should be undone for +two reasons: + +- It breaks DMA on 15xx boards - transfers just silently stall. + +- On newer OMAP1 boards, like Nokia 770 (omap1710), there is no measurable +performance impact when testing TCP throughput with g_ether with large +15000 byte MTU size. + +It's also worth noting that when the original change was made, the +OMAP_DMA_DATA_BURST_4 handling in arch/arm/plat-omap/dma.c was broken, and +actually resulted in the same as the OMAP_DMA_DATA_BURST_DIS i.e. burst +disabled. This was fixed not until a couple kernel releases later in an +unrelated commit 1a8bfa1eb998a ("[ARM] 3142/1: OMAP 2/5: Update files +common to omap1 and omap2"). + +So based on this it seems there was never really a very good reason to +enable this burst mode in omap_udc, so remove it now to allow 15xx DMA +to work again (it provides 2x throughput compared to PIO mode). 
+ +Fixes: 65111084c63d ("[PATCH] USB: more omap_udc updates (dma and omap1710)") +Cc: stable +Signed-off-by: Aaro Koskinen +Link: https://patch.msgid.link/ad06qHLclWHeSGnV@darkstar.musicnaut.iki.fi +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/omap_udc.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/usb/gadget/udc/omap_udc.c ++++ b/drivers/usb/gadget/udc/omap_udc.c +@@ -733,8 +733,6 @@ static void dma_channel_claim(struct oma + if (status == 0) { + omap_writew(reg, UDC_TXDMA_CFG); + /* EMIFF or SDRC */ +- omap_set_dma_src_burst_mode(ep->lch, +- OMAP_DMA_DATA_BURST_4); + omap_set_dma_src_data_pack(ep->lch, 1); + /* TIPB */ + omap_set_dma_dest_params(ep->lch, +@@ -756,8 +754,6 @@ static void dma_channel_claim(struct oma + UDC_DATA_DMA, + 0, 0); + /* EMIFF or SDRC */ +- omap_set_dma_dest_burst_mode(ep->lch, +- OMAP_DMA_DATA_BURST_4); + omap_set_dma_dest_data_pack(ep->lch, 1); + } + } diff --git a/queue-6.18/usb-serial-option-add-telit-cinterion-le910cx-compositions.patch b/queue-6.18/usb-serial-option-add-telit-cinterion-le910cx-compositions.patch new file mode 100644 index 0000000000..4c59ad60c3 --- /dev/null +++ b/queue-6.18/usb-serial-option-add-telit-cinterion-le910cx-compositions.patch 
@@ -0,0 +1,135 @@ +From 100201d349edd226ca3470c894c92dccc67ee7a8 Mon Sep 17 00:00:00 2001 +From: Fabio Porcedda +Date: Mon, 27 Apr 2026 11:17:46 +0200 +Subject: USB: serial: option: add Telit Cinterion LE910Cx compositions + +From: Fabio Porcedda + +commit 100201d349edd226ca3470c894c92dccc67ee7a8 upstream. + +Add the following Telit Cinterion LE910Cx compositions: + +0x1251: RNDIS + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP) +T: Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=108 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=1251 Rev=03.18 +S: Manufacturer=Android +S: Product=LE910C1-EU +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=02 Prot=ff Driver=rndis_host +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8a(I) Atr=03(Int.) 
MxPS= 10 Ivl=32ms + +0x1253: ECM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP) +T: Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=121 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=1253 Rev=03.18 +S: Manufacturer=Android +S: Product=LE910C1-EU +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether +E: Ad=82(I) Atr=03(Int.) MxPS= 16 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms + +0x1254: tty (AT) + tty (AT) +T: Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=122 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=1254 Rev=03.18 +S: Manufacturer=Android +S: Product=LE910C1-EU +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=03(Int.) 
MxPS= 10 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms + +0x1255: tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP) +T: Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=123 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=1255 Rev=03.18 +S: Manufacturer=Android +S: Product=LE910C1-EU +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=88(I) Atr=03(Int.) 
MxPS= 10 Ivl=32ms + +Cc: stable@vger.kernel.org +Signed-off-by: Fabio Porcedda +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1513,7 +1513,11 @@ static const struct usb_device_id option + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1231, 0xff), /* Telit LE910Cx (RNDIS) */ + .driver_info = NCTRL(2) | RSVD(3) }, + { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x1250, 0xff, 0x00, 0x00) }, /* Telit LE910Cx (rmnet) */ ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1251, 0xff) }, /* Telit LE910Cx (RNDIS) */ + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1252, 0xff) }, /* Telit LE910Cx (MBIM) */ ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1253, 0xff) }, /* Telit LE910Cx (ECM) */ ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1254, 0xff) }, /* Telit LE910Cx */ ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1255, 0xff) }, /* Telit LE910Cx */ + { USB_DEVICE(TELIT_VENDOR_ID, 0x1260), + .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) }, + { USB_DEVICE(TELIT_VENDOR_ID, 0x1261), diff --git a/queue-6.18/usb-typec-tcpm-fix-debug-accessory-mode-detection-for-sink-ports.patch b/queue-6.18/usb-typec-tcpm-fix-debug-accessory-mode-detection-for-sink-ports.patch new file mode 100644 index 0000000000..e811cee505 --- /dev/null +++ b/queue-6.18/usb-typec-tcpm-fix-debug-accessory-mode-detection-for-sink-ports.patch 
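Review bot: The 0x1254 and 0x1255 entries are the only ones in this run whose trailing comment says nothing about the composition, although the commit message spells it out; `/* Telit LE910Cx (2x tty) */` and `/* Telit LE910Cx (4x tty) */` would match the style of the 0x1251/0x1252/0x1253 neighbours. For 0x1251 and 0x1253 no RSVD() mask is needed, since the match is on interface class 0xff and the lsusb dumps show the RNDIS/ECM interfaces as class 02/0a, which option therefore never claims; a short note on the RNDIS line would save the next reader from comparing it with the 0x1231 entry that does carry `NCTRL(2) | RSVD(3)`. The option_ids table begins and ends outside the hunk.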
@@ -0,0 +1,125 @@ +From f6ec9bb4acc7182b25a793ad094a764e1cb819a7 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Fri, 24 Apr 2026 15:40:09 +0800 +Subject: usb: typec: tcpm: fix debug accessory mode detection for sink ports + +From: Xu Yang + +commit f6ec9bb4acc7182b25a793ad094a764e1cb819a7 upstream. + +The port in debug accessory mode can be either a source or sink. The +previous tcpm_port_is_debug() function only checked for source port. + +Commit 8db73e6a42b6 ("usb: typec: tcpm: allow sink (ufp) to toggle into +accessory mode debug") changed the detection logic to support both roles, +but left some logic in _tcpm_cc_change() unchanged, This causes the state +machine to transition to an incorrect state when operating as a sink in +debug accessory mode. Log as below: + +[ 978.637541] CC1: 0 -> 5, CC2: 0 -> 5 [state TOGGLING, polarity 0, connected] +[ 978.637567] state change TOGGLING -> SRC_ATTACH_WAIT [rev1 NONE_AMS] +[ 978.637596] pending state change SRC_ATTACH_WAIT -> DEBUG_ACC_ATTACHED @ 180 ms [rev1 NONE_AMS] +[ 978.647098] CC1: 5 -> 0, CC2: 5 -> 5 [state SRC_ATTACH_WAIT, polarity 0, connected] +[ 978.647115] state change SRC_ATTACH_WAIT -> SRC_ATTACH_WAIT [rev1 NONE_AMS] + +It should go to SNK_ATTACH_WAIT instead of SRC_ATTACH_WAIT state. + +To fix this, add tcpm_port_is_debug_source() and tcpm_port_is_debug_sink() +helper to explicitly identify the power mode in debug accessory mode. +Update the state transition logic in _tcpm_cc_change() to ensure the state +machine transitions comply with Type-C specification. Also update the logic +in run_state_machine() to keep consistency. 
+ +Fixes: 8db73e6a42b6 ("usb: typec: tcpm: allow sink (ufp) to toggle into accessory mode debug") +Cc: stable +Signed-off-by: Xu Yang +Acked-by: Heikki Krogerus +Reviewed-by: Amit Sunil Dhamne +Link: https://patch.msgid.link/20260424074009.2979266-1-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tcpm/tcpm.c | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +--- a/drivers/usb/typec/tcpm/tcpm.c ++++ b/drivers/usb/typec/tcpm/tcpm.c +@@ -634,9 +634,14 @@ static const char * const pd_rev[] = { + (tcpm_cc_is_source((port)->cc2) && \ + !tcpm_cc_is_source((port)->cc1))) + ++#define tcpm_port_is_debug_source(port) \ ++ (tcpm_cc_is_source((port)->cc1) && tcpm_cc_is_source((port)->cc2)) ++ ++#define tcpm_port_is_debug_sink(port) \ ++ (tcpm_cc_is_sink((port)->cc1) && tcpm_cc_is_sink((port)->cc2)) ++ + #define tcpm_port_is_debug(port) \ +- ((tcpm_cc_is_source((port)->cc1) && tcpm_cc_is_source((port)->cc2)) || \ +- (tcpm_cc_is_sink((port)->cc1) && tcpm_cc_is_sink((port)->cc2))) ++ (tcpm_port_is_debug_source(port) || tcpm_port_is_debug_sink(port)) + + #define tcpm_port_is_audio(port) \ + (tcpm_cc_is_audio((port)->cc1) && tcpm_cc_is_audio((port)->cc2)) +@@ -4799,7 +4804,7 @@ static void run_state_machine(struct tcp + tcpm_set_state(port, SNK_UNATTACHED, PD_T_DRP_SNK); + break; + case SRC_ATTACH_WAIT: +- if (tcpm_port_is_debug(port)) ++ if (tcpm_port_is_debug_source(port)) + tcpm_set_state(port, DEBUG_ACC_ATTACHED, + port->timings.cc_debounce_time); + else if (tcpm_port_is_audio(port)) +@@ -5057,7 +5062,7 @@ static void run_state_machine(struct tcp + tcpm_set_state(port, SRC_UNATTACHED, PD_T_DRP_SRC); + break; + case SNK_ATTACH_WAIT: +- if (tcpm_port_is_debug(port)) ++ if (tcpm_port_is_debug_sink(port)) + tcpm_set_state(port, DEBUG_ACC_ATTACHED, + PD_T_CC_DEBOUNCE); + else if (tcpm_port_is_audio(port)) +@@ -5077,7 +5082,7 @@ static void run_state_machine(struct tcp + if 
(tcpm_port_is_disconnected(port)) + tcpm_set_state(port, SNK_UNATTACHED, + PD_T_PD_DEBOUNCE); +- else if (tcpm_port_is_debug(port)) ++ else if (tcpm_port_is_debug_sink(port)) + tcpm_set_state(port, DEBUG_ACC_ATTACHED, + PD_T_CC_DEBOUNCE); + else if (tcpm_port_is_audio(port)) +@@ -5950,10 +5955,10 @@ static void _tcpm_cc_change(struct tcpm_ + + switch (port->state) { + case TOGGLING: +- if (tcpm_port_is_debug(port) || tcpm_port_is_audio(port) || ++ if (tcpm_port_is_debug_source(port) || tcpm_port_is_audio(port) || + tcpm_port_is_source(port)) + tcpm_set_state(port, SRC_ATTACH_WAIT, 0); +- else if (tcpm_port_is_sink(port)) ++ else if (tcpm_port_is_debug_sink(port) || tcpm_port_is_sink(port)) + tcpm_set_state(port, SNK_ATTACH_WAIT, 0); + break; + case CHECK_CONTAMINANT: +@@ -5961,9 +5966,11 @@ static void _tcpm_cc_change(struct tcpm_ + break; + case SRC_UNATTACHED: + case ACC_UNATTACHED: +- if (tcpm_port_is_debug(port) || tcpm_port_is_audio(port) || ++ if (tcpm_port_is_debug_source(port) || tcpm_port_is_audio(port) || + tcpm_port_is_source(port)) + tcpm_set_state(port, SRC_ATTACH_WAIT, 0); ++ else if (tcpm_port_is_debug_sink(port)) ++ tcpm_set_state(port, SNK_ATTACH_WAIT, 0); + break; + case SRC_ATTACH_WAIT: + if (tcpm_port_is_disconnected(port) || +@@ -5985,7 +5992,7 @@ static void _tcpm_cc_change(struct tcpm_ + } + break; + case SNK_UNATTACHED: +- if (tcpm_port_is_debug(port) || tcpm_port_is_audio(port) || ++ if (tcpm_port_is_debug_sink(port) || tcpm_port_is_audio(port) || + tcpm_port_is_sink(port)) + tcpm_set_state(port, SNK_ATTACH_WAIT, 0); + break; diff --git a/queue-6.18/usb-typec-tcpm-reset-internal-port-states-on-soft-reset-ams.patch b/queue-6.18/usb-typec-tcpm-reset-internal-port-states-on-soft-reset-ams.patch new file mode 100644 index 0000000000..6d1f38157d --- /dev/null +++ b/queue-6.18/usb-typec-tcpm-reset-internal-port-states-on-soft-reset-ams.patch 
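Review bot: The SNK_UNATTACHED case now only reacts to tcpm_port_is_debug_sink(), while SRC_UNATTACHED/ACC_UNATTACHED gained the cross-role `else if (tcpm_port_is_debug_sink(port)) tcpm_set_state(port, SNK_ATTACH_WAIT, 0);` branch; there is no mirror `else if (tcpm_port_is_debug_source(port)) tcpm_set_state(port, SRC_ATTACH_WAIT, 0);` for a DRP that sees Rd on both CC lines while sitting in SNK_UNATTACHED, so that attach is only picked up on the next toggle, if at all. If the asymmetry is deliberate (ACC_UNATTACHED sharing the case label looks like the real target of the new branch), a one-line comment in the SRC_UNATTACHED case saying so would prevent someone "fixing" it later; otherwise the branch should be mirrored. Both _tcpm_cc_change() and run_state_machine() begin and end outside the hunk.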
@@ -0,0 +1,85 @@ +From 2909f0d4994fb4306bf116df5ccee797791fce2c Mon Sep 17 00:00:00 2001 +From: Amit Sunil Dhamne +Date: Tue, 14 Apr 2026 00:58:32 +0000 +Subject: usb: typec: tcpm: reset internal port states on soft reset AMS + +From: Amit Sunil Dhamne + +commit 2909f0d4994fb4306bf116df5ccee797791fce2c upstream. + +Reset internal port states (such as vdm_sm_running and +explicit_contract) on soft reset AMS as the port needs to negotiate a +new contract. The consequence of leaving the states in as-is cond are as +follows: + * port is in SRC power role and an explicit contract is negotiated + with the port partner (in sink role) + * port partner sends a Soft Reset AMS while VDM State Machine is + running + * port accepts the Soft Reset request and the port advertises src caps + * port partner sends a Request message but since the explicit_contract + and vdm_sm_running are true from previous negotiation, the port ends + up sending Soft Reset instead of Accept msg. + +Stub Log: +[ 203.653942] AMS DISCOVER_IDENTITY start +[ 203.653947] PD TX, header: 0x176f +[ 203.655901] PD TX complete, status: 0 +[ 203.657470] PD RX, header: 0x124f [1] +[ 203.657477] Rx VDM cmd 0xff008081 type 2 cmd 1 len 1 +[ 203.657482] AMS DISCOVER_IDENTITY finished +[ 203.657484] cc:=4 +[ 204.155698] PD RX, header: 0x144f [1] +[ 204.155718] Rx VDM cmd 0xeeee8001 type 0 cmd 1 len 1 +[ 204.155741] PD TX, header: 0x196f +[ 204.157622] PD TX complete, status: 0 +[ 204.160060] PD RX, header: 0x4d [1] +[ 204.160066] state change SRC_READY -> SOFT_RESET [rev2 SOFT_RESET_AMS] +[ 204.160076] PD TX, header: 0x163 +[ 204.162486] PD TX complete, status: 0 +[ 204.162832] AMS SOFT_RESET_AMS finished +[ 204.162840] cc:=4 +[ 204.162891] AMS POWER_NEGOTIATION start +[ 204.162896] state change SOFT_RESET -> AMS_START [rev2 POWER_NEGOTIATION] +[ 204.162908] state change AMS_START -> SRC_SEND_CAPABILITIES [rev2 POWER_NEGOTIATION] +[ 204.162913] PD TX, header: 0x1361 +[ 204.165529] PD TX complete, status: 0 +[ 
204.165571] pending state change SRC_SEND_CAPABILITIES -> SRC_SEND_CAPABILITIES_TIMEOUT @ 60 ms [rev2 POWER_NEGOTIATION] +[ 204.166996] PD RX, header: 0x1242 [1] +[ 204.167009] state change SRC_SEND_CAPABILITIES -> SRC_SOFT_RESET_WAIT_SNK_TX [rev2 POWER_NEGOTIATION] +[ 204.167019] AMS POWER_NEGOTIATION finished +[ 204.167020] cc:=4 +[ 204.167083] AMS SOFT_RESET_AMS start +[ 204.167086] state change SRC_SOFT_RESET_WAIT_SNK_TX -> SOFT_RESET_SEND [rev2 SOFT_RESET_AMS] +[ 204.167092] PD TX, header: 0x16d +[ 204.168824] PD TX complete, status: 0 +[ 204.168854] pending state change SOFT_RESET_SEND -> HARD_RESET_SEND @ 60 ms [rev2 SOFT_RESET_AMS] +[ 204.171876] PD RX, header: 0x43 [1] +[ 204.171879] AMS SOFT_RESET_AMS finished + +This causes COMMON.PROC.PD.11.2 check failure for +TEST.PD.VDM.SRC.2_Rev2Src test on the PD compliance tester. + +Signed-off-by: Amit Sunil Dhamne +Fixes: 8d3a0578ad1a ("usb: typec: tcpm: Respond Wait if VDM state machine is running") +Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)") +Cc: stable +Reviewed-by: Badhri Jagan Sridharan +Acked-by: Heikki Krogerus +Link: https://patch.msgid.link/20260414-fix-soft-reset-v1-1-01d7cb9764e2@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tcpm/tcpm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/typec/tcpm/tcpm.c ++++ b/drivers/usb/typec/tcpm/tcpm.c +@@ -5728,6 +5728,8 @@ static void run_state_machine(struct tcp + + case VCONN_SWAP_ACCEPT: + tcpm_pd_send_control(port, PD_CTRL_ACCEPT, TCPC_TX_SOP); ++ port->vdm_sm_running = false; ++ port->explicit_contract = false; + tcpm_ams_finish(port); + tcpm_set_state(port, VCONN_SWAP_START, 0); + break; diff --git a/queue-6.18/usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch b/queue-6.18/usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch new file mode 100644 index 0000000000..438d63c388 --- /dev/null 
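Review bot: The two added lines land inside `case VCONN_SWAP_ACCEPT:` (the context shows `tcpm_set_state(port, VCONN_SWAP_START, 0);` right after them), not in the Soft Reset handling the commit message describes, which looks like the backport matched the wrong `tcpm_pd_send_control(port, PD_CTRL_ACCEPT, TCPC_TX_SOP);` line when applied to 6.18. As placed, every accepted VCONN swap would clear explicit_contract and vdm_sm_running while the SOFT_RESET path that the compliance failure is about stays unfixed. Please compare with the upstream commit's hunk and re-target the two assignments to the `case SOFT_RESET:` block, after its `tcpm_ams_finish(port);` call, unless the 6.18 tree genuinely differs here. run_state_machine() begins and ends outside the hunk.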
+++ b/queue-6.18/usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch
@@ -0,0 +1,48 @@
+From 0b9fcab1b8608d429e5f239afb197de928d4de7d Mon Sep 17 00:00:00 2001
+From: Felix Gu
+Date: Tue, 7 Apr 2026 21:21:22 +0800
+Subject: usb: ulpi: fix memory leak on ulpi_register() error paths
+
+From: Felix Gu
+
+commit 0b9fcab1b8608d429e5f239afb197de928d4de7d upstream.
+
+Commit 01af542392b5 ("usb: ulpi: fix double free in
+ulpi_register_interface() error path") removed kfree(ulpi) from
+ulpi_register_interface() to fix a double-free when device_register()
+fails.
+
+But when ulpi_of_register() or ulpi_read_id() fail before
+device_register() is called, the ulpi allocation is leaked.
+
+Add kfree(ulpi) on both error paths to properly clean up the allocation.
+
+Fixes: 01af542392b5 ("usb: ulpi: fix double free in ulpi_register_interface() error path")
+Cc: stable
+Signed-off-by: Felix Gu
+Reviewed-by: Heikki Krogerus
+Link: https://patch.msgid.link/20260407-ulpi-v1-1-f3fafe53f7b2@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/common/ulpi.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/common/ulpi.c
++++ b/drivers/usb/common/ulpi.c
+@@ -286,12 +286,15 @@ static int ulpi_register(struct device *
+ ACPI_COMPANION_SET(&ulpi->dev, ACPI_COMPANION(dev));
+
+ ret = ulpi_of_register(ulpi);
+- if (ret)
++ if (ret) {
++ kfree(ulpi);
+ return ret;
++ }
+
+ ret = ulpi_read_id(ulpi);
+ if (ret) {
+ of_node_put(ulpi->dev.of_node);
++ kfree(ulpi);
+ return ret;
+ }
+
diff --git a/queue-6.18/usb-usblp-fix-heap-leak-in-ieee-1284-device-id-via-short-response.patch b/queue-6.18/usb-usblp-fix-heap-leak-in-ieee-1284-device-id-via-short-response.patch
new file mode 100644
index 0000000000..6598b6e7e4
--- /dev/null
+++ b/queue-6.18/usb-usblp-fix-heap-leak-in-ieee-1284-device-id-via-short-response.patch
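Review bot: kfree(ulpi) on these two early-failure paths closes the leak of the struct itself, but if ulpi_register() has already called dev_set_name(&ulpi->dev, ...) above the hunk (it does in the upstream tree as far as I recall, so worth confirming), the kobject name string it allocated is still leaked on both paths, because the device is never registered and put_device() is not usable before device_register(). The simplest fix is to move the `dev_set_name()` call down so it runs only after ulpi_of_register() and ulpi_read_id() have succeeded; if the name is needed earlier for logging, a comment next to the kfree() noting the remaining small leak would at least document it. ulpi_register() begins and ends outside the hunk.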
@@ -0,0 +1,49 @@
+From 7a400c6fe3617e31e690e3f7ca37bb335e0498f3 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Mon, 20 Apr 2026 18:11:03 +0200
+Subject: usb: usblp: fix heap leak in IEEE 1284 device ID via short response
+
+From: Greg Kroah-Hartman
+
+commit 7a400c6fe3617e31e690e3f7ca37bb335e0498f3 upstream.
+
+usblp_ctrl_msg() collapses the usb_control_msg() return value to
+0/-errno, discarding the actual number of bytes transferred. A broken
+printer can complete the GET_DEVICE_ID control transfer short and the
+driver has no way to know.
+
+usblp_cache_device_id_string() reads the 2-byte big-endian length prefix
+from the response and trusts it (clamped only to the buffer bounds).
+The buffer is kmalloc(1024) at probe time. A device that sends exactly
+two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves
+device_id_string[2..1022] holding stale kmalloc heap.
+
+That stale data is then exposed:
+ - via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated
+ at the first NUL in the stale heap), and
+ - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full
+ claimed length regardless of NULs, up to 1021 bytes of uninitialized
+ heap, with the leak size chosen by the device.
+
+Fix this up by just zapping the buffer with zeros before each request
+sent to the device.
+
+Cc: Pete Zaitcev
+Assisted-by: gkh_clanker_t1000
+Cc: stable
+Link: https://patch.msgid.link/2026042002-unicorn-greedily-3c63@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/class/usblp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/class/usblp.c
++++ b/drivers/usb/class/usblp.c
+@@ -1377,6 +1377,7 @@ static int usblp_cache_device_id_string(
+ {
+ int err, length;
+
++ memset(usblp->device_id_string, 0, USBLP_DEVICE_ID_SIZE);
+ err = usblp_get_id(usblp, 0, usblp->device_id_string, USBLP_DEVICE_ID_SIZE - 1);
+ if (err < 0) {
+ dev_dbg(&usblp->intf->dev,
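Review bot: The memset removes the heap exposure, but the device-supplied length prefix is still trusted up to the buffer bound, so a printer that answers with two bytes claiming 1023 still makes IOCNR_GET_DEVICE_ID copy up to 1021 (now zero) bytes to userspace; that is harmless, but the reason for the unconditional zeroing is not visible at the call site and deserves a comment such as `/* Zero first: a short GET_DEVICE_ID reply must not expose stale heap via sysfs or IOCNR_GET_DEVICE_ID */`. The root cause named in the commit message, usblp_ctrl_msg() discarding the transfer count, is left in place; returning the actual count and clamping `length` to it would let the short reply be rejected rather than masked. usblp_cache_device_id_string() continues beyond the hunk.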
diff --git a/queue-6.18/usb-usblp-fix-uninitialized-heap-leak-via-lpgetstatus-ioctl.patch b/queue-6.18/usb-usblp-fix-uninitialized-heap-leak-via-lpgetstatus-ioctl.patch new file mode 100644 index 0000000000..876aa86828 --- /dev/null +++ b/queue-6.18/usb-usblp-fix-uninitialized-heap-leak-via-lpgetstatus-ioctl.patch 
@@ -0,0 +1,50 @@
+From b38e53cbfb9d84732e5984fbd73e128d592415c5 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Mon, 20 Apr 2026 18:11:04 +0200
+Subject: usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
+
+From: Greg Kroah-Hartman
+
+commit b38e53cbfb9d84732e5984fbd73e128d592415c5 upstream.
+
+Just like in a previous problem in this driver, usblp_ctrl_msg() will
+collapse the usb_control_msg() return value to 0/-errno, discarding the
+actual number of bytes transferred.
+
+Ideally that short command should be detected and error out, but many
+printers are known to send "incorrect" responses back so we can't just
+do that.
+
+statusbuf is kmalloc(8) at probe time and never filled before the first
+LPGETSTATUS ioctl.
+
+usblp_read_status() requests 1 byte. If a malicious printer responds
+with zero bytes, *statusbuf is one byte of stale kmalloc heap,
+sign-extended into the local int status, which the LPGETSTATUS path then
+copy_to_user()s directly to the ioctl caller.
+
+Fix this all by just zapping out the memory buffer when allocated at
+probe time. If a later call does a short read, the data will be
+identical to what the device sent it the last time, so there is no
+"leak" of information happening.
+
+Cc: Pete Zaitcev
+Assisted-by: gkh_clanker_t1000
+Cc: stable
+Link: https://patch.msgid.link/2026042011-shredder-savage-48c6@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/class/usblp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/class/usblp.c
++++ b/drivers/usb/class/usblp.c
+@@ -1178,7 +1178,7 @@ static int usblp_probe(struct usb_interf
+ }
+
+ /* Allocate buffer for printer status */
+- usblp->statusbuf = kmalloc(STATUS_BUF_SIZE, GFP_KERNEL);
++ usblp->statusbuf = kzalloc(STATUS_BUF_SIZE, GFP_KERNEL);
+ if (!usblp->statusbuf) {
+ retval = -ENOMEM;
+ goto abort;
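Review bot: The comment above the allocation still reads `/* Allocate buffer for printer status */`, which says nothing about why the buffer must be zeroed, so the next person touching this line has no reason not to switch it back to kmalloc(); `/* Zeroed: a short GET_PORT_STATUS reply must not leak stale heap via LPGETSTATUS */` would carry the rationale. Note that after a short reply userspace now sees the previous status byte as if it were fresh, which the commit message accepts deliberately; that assumption is worth stating in usblp_read_status() too, which lies outside this hunk. usblp_probe() begins and ends outside the hunk.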
diff --git a/queue-6.18/wifi-ath5k-do-not-access-array-oob.patch b/queue-6.18/wifi-ath5k-do-not-access-array-oob.patch new file mode 100644 index 0000000000..de2493d328 --- /dev/null +++ b/queue-6.18/wifi-ath5k-do-not-access-array-oob.patch 
@@ -0,0 +1,63 @@ +From d748603f12baff112caa3ab7d39f50100f010dbd Mon Sep 17 00:00:00 2001 +From: "Jiri Slaby (SUSE)" +Date: Tue, 9 Dec 2025 11:04:59 +0100 +Subject: wifi: ath5k: do not access array OOB + +From: Jiri Slaby (SUSE) + +commit d748603f12baff112caa3ab7d39f50100f010dbd upstream. + +Vincent reports: +> The ath5k driver seems to do an array-index-out-of-bounds access as +> shown by the UBSAN kernel message: +> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20 +> index 4 is out of range for type 'ieee80211_tx_rate [4]' +> ... +> Call Trace: +> +> dump_stack_lvl+0x5d/0x80 +> ubsan_epilogue+0x5/0x2b +> __ubsan_handle_out_of_bounds.cold+0x46/0x4b +> ath5k_tasklet_tx+0x4e0/0x560 [ath5k] +> tasklet_action_common+0xb5/0x1c0 + +It is real. 'ts->ts_final_idx' can be 3 on 5212, so: + info->status.rates[ts->ts_final_idx + 1].idx = -1; +with the array defined as: + struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES]; +while the size is: + #define IEEE80211_TX_MAX_RATES 4 +is indeed bogus. + +Set this 'idx = -1' sentinel only if the array index is less than the +array size. As mac80211 will not look at rates beyond the size +(IEEE80211_TX_MAX_RATES). + +Note: The effect of the OOB write is negligible. It just overwrites the +next member of info->status, i.e. ack_signal. 
+ +Signed-off-by: Jiri Slaby (SUSE) +Reported-by: Vincent Danjean +Link: https://lore.kernel.org/all/aQYUkIaT87ccDCin@eldamar.lan +Closes: https://bugs.debian.org/1119093 +Fixes: 6d7b97b23e11 ("ath5k: fix tx status reporting issues") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251209100459.2253198-1-jirislaby@kernel.org +Signed-off-by: Jeff Johnson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath5k/base.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath5k/base.c ++++ b/drivers/net/wireless/ath/ath5k/base.c +@@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw + } + + info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; +- info->status.rates[ts->ts_final_idx + 1].idx = -1; ++ if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) ++ info->status.rates[ts->ts_final_idx + 1].idx = -1; + + if (unlikely(ts->ts_status)) { + ah->stats.ack_fail++; diff --git a/queue-6.18/wifi-b43-enforce-bounds-check-on-firmware-key-index-in-b43_rx.patch b/queue-6.18/wifi-b43-enforce-bounds-check-on-firmware-key-index-in-b43_rx.patch new file mode 100644 index 0000000000..f66feb2bb5 --- /dev/null +++ b/queue-6.18/wifi-b43-enforce-bounds-check-on-firmware-key-index-in-b43_rx.patch 
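Review bot: The write one line above the new check, `info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry;`, stays unguarded, so the fix relies on the hardware-reported ts_final_idx never reaching IEEE80211_TX_MAX_RATES itself; the commit message says 3 is the maximum on 5212, but nothing in the hunk enforces it. Using the array's own size keeps the bound local and self-documenting: `if (ts->ts_final_idx + 1 < ARRAY_SIZE(info->status.rates))`, and a one-line comment that mac80211 stops at the first idx == -1 or at the array end would explain why the sentinel may be skipped at all. ath5k_tx_frame_completed() begins and ends outside the hunk.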
@@ -0,0 +1,43 @@
+From 1f4f78bf8549e6ac4f04fba4176854f3a6e0c332 Mon Sep 17 00:00:00 2001
+From: Tristan Madani
+Date: Fri, 17 Apr 2026 11:11:44 +0000
+Subject: wifi: b43: enforce bounds check on firmware key index in b43_rx()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tristan Madani
+
+commit 1f4f78bf8549e6ac4f04fba4176854f3a6e0c332 upstream.
+
+The firmware-controlled key index in b43_rx() can exceed the dev->key[]
+array size (58 entries). The existing B43_WARN_ON is non-enforcing in
+production builds, allowing an out-of-bounds read.
+
+Make the B43_WARN_ON check enforcing by dropping the frame when the
+firmware returns an invalid key index.
+
+Suggested-by: Jonas Gorski
+Acked-by: Michael Büsch
+Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani
+Link: https://patch.msgid.link/20260417111145.2694196-1-tristmd@gmail.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/broadcom/b43/xmit.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/b43/xmit.c
++++ b/drivers/net/wireless/broadcom/b43/xmit.c
+@@ -702,7 +702,8 @@ void b43_rx(struct b43_wldev *dev, struc
+ * key index, but the ucode passed it slightly different.
+ */
+ keyidx = b43_kidx_to_raw(dev, keyidx);
+- B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
++ if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)))
++ goto drop;
+
+ if (dev->key[keyidx].algorithm != B43_SEC_ALGO_NONE) {
+ wlhdr_len = ieee80211_hdrlen(fctl);
diff --git a/queue-6.18/wifi-b43legacy-enforce-bounds-check-on-firmware-key-index-in-rx-path.patch b/queue-6.18/wifi-b43legacy-enforce-bounds-check-on-firmware-key-index-in-rx-path.patch
new file mode 100644
index 0000000000..2acd847501
--- /dev/null
+++ b/queue-6.18/wifi-b43legacy-enforce-bounds-check-on-firmware-key-index-in-rx-path.patch
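Review bot: The new guard is only effective if B43_WARN_ON() evaluates to its condition in non-debug builds; its definition is not in the hunk, so please confirm that b43.h's CONFIG_B43_DEBUG-off variant returns the tested value rather than expanding to an empty statement, since a silent `if (0)` here would leave the OOB read exactly as before. The comment above the check still only says the ucode passes the index "slightly different"; it should state that the value is firmware-controlled and untrusted, e.g. `/* keyidx comes from the RX header filled by firmware: bound-check it before indexing dev->key[] */`. The companion b43legacy fix bounds against dev->max_nr_keys rather than the array size; if b43 also tracks max_nr_keys, checking that too would keep the two drivers consistent. b43_rx() and the `drop:` label it jumps to lie outside the hunk.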
@@ -0,0 +1,38 @@
+From a035766f970bde2d4298346a31a80685be5c0205 Mon Sep 17 00:00:00 2001
+From: Tristan Madani
+Date: Fri, 17 Apr 2026 11:11:45 +0000
+Subject: wifi: b43legacy: enforce bounds check on firmware key index in RX path
+
+From: Tristan Madani
+
+commit a035766f970bde2d4298346a31a80685be5c0205 upstream.
+
+Same fix as b43: the firmware-controlled key index in b43legacy_rx()
+can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is
+non-enforcing in production builds, allowing an out-of-bounds read of
+dev->key[].
+
+Make the check enforcing by dropping the frame for invalid indices.
+
+Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani
+Link: https://patch.msgid.link/20260417111145.2694196-2-tristmd@gmail.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/broadcom/b43legacy/xmit.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/b43legacy/xmit.c
++++ b/drivers/net/wireless/broadcom/b43legacy/xmit.c
+@@ -476,7 +476,8 @@ void b43legacy_rx(struct b43legacy_wldev
+ * key index, but the ucode passed it slightly different.
+ */
+ keyidx = b43legacy_kidx_to_raw(dev, keyidx);
+- B43legacy_WARN_ON(keyidx >= dev->max_nr_keys);
++ if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys))
++ goto drop;
+
+ if (dev->key[keyidx].algorithm != B43legacy_SEC_ALGO_NONE) {
+ /* Remove PROTECTED flag to mark it as decrypted. */
diff --git a/queue-6.18/wifi-brcmfmac-fix-potential-use-after-free-issue-when-stopping-watchdog-task.patch b/queue-6.18/wifi-brcmfmac-fix-potential-use-after-free-issue-when-stopping-watchdog-task.patch
new file mode 100644
index 0000000000..da21b3f00d
--- /dev/null
+++ b/queue-6.18/wifi-brcmfmac-fix-potential-use-after-free-issue-when-stopping-watchdog-task.patch
@@ -0,0 +1,50 @@ +From c623b63580880cc742255eaed3d79804c1b91143 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Thu, 16 Apr 2026 11:33:39 +0200 +Subject: wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task + +From: Marek Szyprowski + +commit c623b63580880cc742255eaed3d79804c1b91143 upstream. + +Watchdog task might end between send_sig() and kthread_stop() calls, what +results in the use-after-free issue. Fix this by increasing watchdog task +reference count before calling send_sig() and dropping it by switching to +kthread_stop_put(). + +Cc: stable@vger.kernel.org +Fixes: 373c83a801f1 ("brcmfmac: stop watchdog before detach and free everything") +Fixes: a9ffda88be74 ("brcm80211: fmac: abstract bus_stop interface function pointer") +Signed-off-by: Marek Szyprowski +Acked-by: Arend van Spriel +Link: https://patch.msgid.link/20260416093339.2066829-1-m.szyprowski@samsung.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -2476,8 +2476,9 @@ static void brcmf_sdio_bus_stop(struct d + brcmf_dbg(TRACE, "Enter\n"); + + if (bus->watchdog_tsk) { ++ get_task_struct(bus->watchdog_tsk); + send_sig(SIGTERM, bus->watchdog_tsk, 1); +- kthread_stop(bus->watchdog_tsk); ++ kthread_stop_put(bus->watchdog_tsk); + bus->watchdog_tsk = NULL; + } + +@@ -4567,8 +4568,9 @@ void brcmf_sdio_remove(struct brcmf_sdio + if (bus) { + /* Stop watchdog task */ + if (bus->watchdog_tsk) { ++ get_task_struct(bus->watchdog_tsk); + send_sig(SIGTERM, bus->watchdog_tsk, 1); +- kthread_stop(bus->watchdog_tsk); ++ kthread_stop_put(bus->watchdog_tsk); + bus->watchdog_tsk = NULL; + } + 
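Review bot: The four-line stop sequence (`get_task_struct` / `send_sig` / `kthread_stop_put` / clear `watchdog_tsk`) is now duplicated verbatim in `brcmf_sdio_bus_stop()` and `brcmf_sdio_remove()`, and the two `Fixes:` tags show the same bug had to be corrected in both places; a small helper keeps the callers from drifting apart again. Both sites also test and clear `bus->watchdog_tsk` with no serialization visible in the hunk, so if bus_stop and remove can overlap the second caller could act on a task already being stopped — I cannot confirm the locking from here, and the helper is the natural place to document whatever guarantee exists. Both functions start outside the hunk.
```c
/* Stop the watchdog kthread; the extra reference keeps the task_struct
 * alive between send_sig() and kthread_stop_put() even if the thread
 * exits on its own in between. Caller must serialize against other
 * users of bus->watchdog_tsk. */
static void brcmf_sdio_watchdog_stop(struct brcmf_sdio *bus)
{
	if (!bus->watchdog_tsk)
		return;

	get_task_struct(bus->watchdog_tsk);
	send_sig(SIGTERM, bus->watchdog_tsk, 1);
	kthread_stop_put(bus->watchdog_tsk);
	bus->watchdog_tsk = NULL;
}

/* … in brcmf_sdio_bus_stop() and brcmf_sdio_remove(), replacing the inline block: … */
	brcmf_sdio_watchdog_stop(bus);
```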
diff --git a/queue-6.18/wifi-mac80211-drop-stray-static-from-fast-rx-rx_result.patch b/queue-6.18/wifi-mac80211-drop-stray-static-from-fast-rx-rx_result.patch new file mode 100644 index 0000000000..e21e93bf71 --- /dev/null +++ b/queue-6.18/wifi-mac80211-drop-stray-static-from-fast-rx-rx_result.patch @@ -0,0 +1,41 @@ +From 7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba Mon Sep 17 00:00:00 2001 +From: Catherine +Date: Fri, 24 Apr 2026 21:14:36 +0800 +Subject: wifi: mac80211: drop stray 'static' from fast-RX rx_result + +From: Catherine + +commit 7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba upstream. + +ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but +its per-invocation rx_result is declared static. Concurrent callers then +share one instance and can overwrite each other's result between +ieee80211_rx_mesh_data() and the switch on res. + +That can make a packet that was queued or consumed by +ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make +a packet that should continue return as queued. + +Make res an automatic variable so each invocation keeps its own result. + +Fixes: 3468e1e0c639 ("wifi: mac80211: add mesh fast-rx support") +Cc: stable@vger.kernel.org +Signed-off-by: Catherine +Link: https://patch.msgid.link/20260424131435.83212-2-enderaoelyther@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -4824,7 +4824,7 @@ static bool ieee80211_invoke_fast_rx(str + struct sk_buff *skb = rx->skb; + struct ieee80211_hdr *hdr = (void *)skb->data; + struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); +- static ieee80211_rx_result res; ++ ieee80211_rx_result res; + int orig_len = skb->len; + int hdrlen = ieee80211_hdrlen(hdr->frame_control); + int snap_offs = hdrlen; 
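Review bot: Making `res` automatic also removes the implicit zero-initialization the `static` provided, so any path in `ieee80211_invoke_fast_rx()` that reaches the `switch` on `res` without first assigning it from `ieee80211_rx_mesh_data()` would now read an uninitialized value; the hunk does not show those paths, so please either confirm every route assigns it or initialize at declaration, e.g. `ieee80211_rx_result res = RX_CONTINUE;` (assuming that is the "keep going" value the old zero mapped to). A short comment next to the declaration, such as `/* per-call: this runs concurrently on several CPUs */`, would stop a later refactor from reintroducing the shared variable. The function body continues outside the hunk.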
diff --git a/queue-6.18/wifi-mac80211-remove-station-if-connection-prep-fails.patch b/queue-6.18/wifi-mac80211-remove-station-if-connection-prep-fails.patch new file mode 100644 index 0000000000..39678439aa --- /dev/null +++ b/queue-6.18/wifi-mac80211-remove-station-if-connection-prep-fails.patch 
@@ -0,0 +1,62 @@ +From 283fc9e44ff5b5ac967439b4951b80bd4299f4e4 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 5 May 2026 15:15:34 +0200 +Subject: wifi: mac80211: remove station if connection prep fails + +From: Johannes Berg + +commit 283fc9e44ff5b5ac967439b4951b80bd4299f4e4 upstream. + +If connection preparation fails for MLO connections, then the +interface is completely reset to non-MLD. In this case, we must +not keep the station since it's related to the link of the vif +being removed. Delete an existing station. Any "new_sta" is +already being removed, so that doesn't need changes. + +This fixes a use-after-free/double-free in debugfs if that's +enabled, because a vif going from MLD (and to MLD, but that's +not relevant here) recreates its entire debugfs. + +Cc: stable@vger.kernel.org +Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link") +Reviewed-by: Miriam Rachel Korenblit +Link: https://patch.msgid.link/20260505151533.c4e52deb06ad.Iafe56cec7de8512626169496b134bce3a6c17010@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mlme.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -8926,7 +8926,7 @@ static int ieee80211_prep_connection(str + struct ieee80211_bss *bss = (void *)cbss->priv; + struct sta_info *new_sta = NULL; + struct ieee80211_link_data *link; +- bool have_sta = false; ++ struct sta_info *have_sta = NULL; + bool mlo; + int err; + u16 new_links; +@@ -8945,11 +8945,8 @@ static int ieee80211_prep_connection(str + mlo = false; + } + +- if (assoc) { +- rcu_read_lock(); ++ if (assoc) + have_sta = sta_info_get(sdata, ap_mld_addr); +- rcu_read_unlock(); +- } + + if (mlo && !have_sta && + WARN_ON(sdata->vif.valid_links || sdata->vif.active_links)) +@@ -9108,6 +9105,8 @@ static int ieee80211_prep_connection(str + out_release_chan: + ieee80211_link_release_channel(link); + out_err: ++ if 
(mlo && have_sta) ++ WARN_ON(__sta_info_destroy(have_sta)); + ieee80211_vif_set_links(sdata, 0, 0); + return err; + } diff --git a/queue-6.18/wifi-mac80211-use-safe-list-iteration-in-radar-detect-work.patch b/queue-6.18/wifi-mac80211-use-safe-list-iteration-in-radar-detect-work.patch new file mode 100644 index 0000000000..287bd99bd1 --- /dev/null +++ b/queue-6.18/wifi-mac80211-use-safe-list-iteration-in-radar-detect-work.patch @@ -0,0 +1,39 @@ +From ac8eb3e18f41e2cc8492cc1d358bcb786c850270 Mon Sep 17 00:00:00 2001 +From: Benjamin Berg +Date: Tue, 5 May 2026 15:15:40 +0200 +Subject: wifi: mac80211: use safe list iteration in radar detect work + +From: Benjamin Berg + +commit ac8eb3e18f41e2cc8492cc1d358bcb786c850270 upstream. + +The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to +be freed and removed from the list. Guard against this to avoid a +slab-use-after-free error. + +Cc: stable@vger.kernel.org +Fixes: bca8bc0399ac ("wifi: mac80211: handle ieee80211_radar_detected() for MLO") +Signed-off-by: Benjamin Berg +Link: https://patch.msgid.link/20260505151539.236d63a1b736.I35dbb9e96a2d4a480be208770fdd99ba3b817b79@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/util.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -3565,11 +3565,11 @@ void ieee80211_dfs_radar_detected_work(s + struct ieee80211_local *local = + container_of(work, struct ieee80211_local, radar_detected_work); + struct cfg80211_chan_def chandef; +- struct ieee80211_chanctx *ctx; ++ struct ieee80211_chanctx *ctx, *tmp; + + lockdep_assert_wiphy(local->hw.wiphy); + +- list_for_each_entry(ctx, &local->chanctx_list, list) { ++ list_for_each_entry_safe(ctx, tmp, &local->chanctx_list, list) { + if (ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER) + continue; + 
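Review bot: Dropping the `rcu_read_lock()` around `sta_info_get()` and then holding `have_sta` until the `out_err` label is only safe if all of `ieee80211_prep_connection()` runs under the wiphy mutex, which is what keeps the station from being freed underneath it; the hunk shows no `lockdep_assert_wiphy()` in this function, so it is worth confirming one is present (or adding it) now that the pointer outlives the lookup by the full body of the function. The destroy is correctly limited to `mlo && have_sta`, matching the description, but a one-line comment at `out_err` saying why the station must go (the vif is reset to non-MLD and the station belongs to the removed link) would save the next reader the trip to the commit message. The function body between the two hunks is outside this view.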
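Review bot: `list_for_each_entry_safe()` only protects against the current `ctx` being unlinked by `ieee80211_dfs_cac_cancel()`; if that call can tear down more than one chanctx in a single invocation (in particular the one already cached in `tmp`), the next iteration still dereferences freed memory. I cannot see the cancel path from here, so either a comment at the loop stating that the callee removes at most `ctx` itself, or restarting the walk from the list head after a cancel, would make the guarantee explicit. The loop body continues past the end of the hunk.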
diff --git a/queue-6.18/wifi-mt76-mt7921-fix-a-potential-clc-buffer-length-underflow.patch b/queue-6.18/wifi-mt76-mt7921-fix-a-potential-clc-buffer-length-underflow.patch new file mode 100644 index 0000000000..70de2f4355 --- /dev/null +++ b/queue-6.18/wifi-mt76-mt7921-fix-a-potential-clc-buffer-length-underflow.patch @@ -0,0 +1,39 @@ +From 5373f8b19e568b5c217832b9bbef165bd2b2df14 Mon Sep 17 00:00:00 2001 +From: Leon Yen +Date: Thu, 9 Oct 2025 10:01:58 +0800 +Subject: wifi: mt76: mt7921: fix a potential clc buffer length underflow + +From: Leon Yen + +commit 5373f8b19e568b5c217832b9bbef165bd2b2df14 upstream. + +The buf_len is used to limit the iterations for retrieving the country +power setting and may underflow under certain conditions due to changes +in the power table in CLC. + +This underflow leads to an almost infinite loop or an invalid power +setting resulting in driver initialization failure. + +Cc: stable@vger.kernel.org +Fixes: fa6ad88e023d ("wifi: mt76: mt7921: fix country count limitation for CLC") +Signed-off-by: Leon Yen +Signed-off-by: Ming Yen Hsieh +Link: https://patch.msgid.link/20251009020158.1923429-1-mingyen.hsieh@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +@@ -1353,6 +1353,9 @@ int __mt7921_mcu_set_clc(struct mt792x_d + u16 len = le16_to_cpu(rule->len); + u16 offset = len + sizeof(*rule); + ++ if (buf_len < offset) ++ break; ++ + pos += offset; + buf_len -= offset; + if (rule->alpha2[0] != alpha2[0] || diff --git a/queue-6.18/wifi-mt76-mt7921-fix-roc-abort-flow-interruption-in-mt7921_roc_work.patch b/queue-6.18/wifi-mt76-mt7921-fix-roc-abort-flow-interruption-in-mt7921_roc_work.patch new file mode 100644 index 0000000000..0fd9c06b00 --- /dev/null 
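Review bot: The new guard compares a `u16 offset` that is computed as `len + sizeof(*rule)` and truncated back to 16 bits, so a `rule->len` near `0xffff` (it is read straight from the CLC blob) wraps `offset` to a small value, passes `buf_len < offset`, and leaves `pos` pointing into the middle of that rule instead of breaking out; computing in a wider type, e.g. `size_t offset = (size_t)len + sizeof(*rule);`, closes that gap provided `buf_len` is a compatible type (its declaration is outside the hunk). The check also runs after `rule->len` has already been read, so the loop condition must guarantee at least `sizeof(*rule)` bytes remain before each header is dereferenced; if it does not, a preceding `if (buf_len < sizeof(*rule)) break;` is still needed. `__mt7921_mcu_set_clc()` and the loop header are outside the hunk.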
+++ b/queue-6.18/wifi-mt76-mt7921-fix-roc-abort-flow-interruption-in-mt7921_roc_work.patch 
@@ -0,0 +1,54 @@ +From fdfa39f9f4fbae532b162da913a67b2410caf38f Mon Sep 17 00:00:00 2001 +From: Quan Zhou +Date: Fri, 23 Jan 2026 10:16:25 +0800 +Subject: wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work + +From: Quan Zhou + +commit fdfa39f9f4fbae532b162da913a67b2410caf38f upstream. + +The mt7921_set_roc API may be executed concurrently with mt7921_roc_work, +specifically between the following code paths: + +- The check and clear of MT76_STATE_ROC in mt7921_roc_work: + if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state)) + return; + +- The execution of ieee80211_iterate_active_interfaces. + +This race condition can interrupt the ROC abort flow, resulting in +the ROC process failing to abort as expected. + +To address this defect, the modification of MT76_STATE_ROC is now +protected by mt792x_mutex_acquire(phy->dev). This ensures that +changes to the ROC state are properly synchronized, preventing +race conditions and ensuring the ROC abort flow is not interrupted. 
+ +Fixes: 034ae28b56f1 ("wifi: mt76: mt7921: introduce remain_on_channel support") +Cc: stable@vger.kernel.org +Signed-off-by: Quan Zhou +Reviewed-by: Sean Wang +Link: https://patch.msgid.link/2568ece8b557e5dda79391414c834ef3233049b6.1769133724.git.quan.zhou@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7921/main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c +@@ -387,10 +387,11 @@ void mt7921_roc_work(struct work_struct + phy = (struct mt792x_phy *)container_of(work, struct mt792x_phy, + roc_work); + +- if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state)) +- return; +- + mt792x_mutex_acquire(phy->dev); ++ if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state)) { ++ mt792x_mutex_release(phy->dev); ++ return; ++ } + ieee80211_iterate_active_interfaces(phy->mt76->hw, + IEEE80211_IFACE_ITER_RESUME_ALL, + mt7921_roc_iter, phy); diff --git a/queue-6.18/wifi-mt76-mt7925-fix-ampdu-state-handling-in-mt7925_tx_check_aggr.patch b/queue-6.18/wifi-mt76-mt7925-fix-ampdu-state-handling-in-mt7925_tx_check_aggr.patch new file mode 100644 index 0000000000..8d2299e4a3 --- /dev/null +++ b/queue-6.18/wifi-mt76-mt7925-fix-ampdu-state-handling-in-mt7925_tx_check_aggr.patch 
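Review bot: The early-return path now calls `mt792x_mutex_acquire()` before the `test_and_clear_bit()`, and if that helper does more than `mutex_lock()` — its distinct name suggests so, but the hunk does not show it — every spurious `roc_work` run now pays that cost (e.g. a power-management wake) only to find there is no ROC to abort. An unlocked pre-check, `if (!test_bit(MT76_STATE_ROC, &phy->mt76->state)) return;`, keeps the cheap fast path while the authoritative `test_and_clear_bit()` stays under the lock exactly as the patch intends. `mt7921_roc_work()` continues outside the hunk.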
@@ -0,0 +1,46 @@ +From bb8e38fcdbf7290d7f0cd572d2d8fdb2b641b492 Mon Sep 17 00:00:00 2001 +From: Quan Zhou +Date: Thu, 27 Nov 2025 15:49:11 +0800 +Subject: wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr + +From: Quan Zhou + +commit bb8e38fcdbf7290d7f0cd572d2d8fdb2b641b492 upstream. + +Previously, the AMPDU state bit for a given TID was set before attempting +to start a BA session, which could result in the AMPDU state being marked +active even if ieee80211_start_tx_ba_session() failed. This patch changes +the logic to only set the AMPDU state bit after successfully starting a BA +session, ensuring proper synchronization between AMPDU state and BA session +status. + +This fixes potential issues with aggregation state tracking and improves +compatibility with mac80211 BA session management. + +Fixes: 44eb173bdd4f ("wifi: mt76: mt7925: add link handling in mt7925_txwi_free") +Cc: stable@vger.kernel.org + +Signed-off-by: Quan Zhou +Reviewed-by: Sean Wang +Link: https://patch.msgid.link/d5960fbced0beaf33c30203f7f8fb91d0899c87b.1764228973.git.quan.zhou@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c +@@ -881,8 +881,10 @@ static void mt7925_tx_check_aggr(struct + else + mlink = &msta->deflink; + +- if (!test_and_set_bit(tid, &mlink->wcid.ampdu_state)) +- ieee80211_start_tx_ba_session(sta, tid, 0); ++ if (!test_and_set_bit(tid, &mlink->wcid.ampdu_state)) { ++ if (ieee80211_start_tx_ba_session(sta, tid, 0)) ++ clear_bit(tid, &mlink->wcid.ampdu_state); ++ } + } + + static bool diff --git a/queue-6.18/wifi-mt76-mt7925-fix-incorrect-length-field-in-txpower-command.patch b/queue-6.18/wifi-mt76-mt7925-fix-incorrect-length-field-in-txpower-command.patch new file mode 100644 index 0000000000..426970fe59 
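Review bot: Clearing the `ampdu_state` bit on any non-zero return from `ieee80211_start_tx_ba_session()` means the very next frame on that TID retries, so while mac80211 is still negotiating the session, or has refused it for a peer that cannot do BA, this becomes one start request per transmitted frame where the old test-and-set limited it to a single call. Consider treating an in-progress/busy result differently from a permanent failure, or leaving the bit set and relying on the BA-session callbacks to clear it, and add a comment at the `clear_bit()` stating the intended retry policy. I cannot see from this hunk where else `ampdu_state` is cleared; `mt7925_tx_check_aggr()` starts outside it.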
--- /dev/null +++ b/queue-6.18/wifi-mt76-mt7925-fix-incorrect-length-field-in-txpower-command.patch @@ -0,0 +1,33 @@ +From ccb186326bb6b7f20d77982f855568e7087ad0d7 Mon Sep 17 00:00:00 2001 +From: Ming Yen Hsieh +Date: Mon, 8 Sep 2025 15:25:26 +0800 +Subject: wifi: mt76: mt7925: fix incorrect length field in txpower command + +From: Ming Yen Hsieh + +commit ccb186326bb6b7f20d77982f855568e7087ad0d7 upstream. + +Set `tx_power_tlv->len` to `msg_len` instead of `sizeof(*tx_power_tlv)` +to ensure the correct message length is sent to firmware. + +Cc: stable@vger.kernel.org +Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") +Signed-off-by: Ming Yen Hsieh +Link: https://patch.msgid.link/20250908072526.1833938-1-mingyen.hsieh@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +@@ -3673,7 +3673,7 @@ mt7925_mcu_rate_txpower_band(struct mt76 + memcpy(tx_power_tlv->alpha2, dev->alpha2, sizeof(dev->alpha2)); + tx_power_tlv->n_chan = num_ch; + tx_power_tlv->tag = cpu_to_le16(0x1); +- tx_power_tlv->len = cpu_to_le16(sizeof(*tx_power_tlv)); ++ tx_power_tlv->len = cpu_to_le16(msg_len); + + switch (band) { + case NL80211_BAND_2GHZ: diff --git a/queue-6.18/wifi-rsi-fix-kthread-lifetime-race-between-self-exit-and-external-stop.patch b/queue-6.18/wifi-rsi-fix-kthread-lifetime-race-between-self-exit-and-external-stop.patch new file mode 100644 index 0000000000..64412eb364 --- /dev/null +++ b/queue-6.18/wifi-rsi-fix-kthread-lifetime-race-between-self-exit-and-external-stop.patch 
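Review bot: `msg_len` is computed outside this hunk, so the one-line fix leaves no record at the assignment of what the firmware expects in `len`; a comment such as `/* len covers the whole TLV: header plus the per-channel entries */` (adjusted to what msg_len actually includes) would stop a future cleanup from "simplifying" it back to `sizeof(*tx_power_tlv)`. If `msg_len` is wider than 16 bits, `cpu_to_le16(msg_len)` silently truncates any value above 65535; a `WARN_ON_ONCE(msg_len > U16_MAX)` or an explicit cast would make that bound visible to the reader. `mt7925_mcu_rate_txpower_band()` starts outside the hunk.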
@@ -0,0 +1,50 @@ +From db57a1aa54ff68669781976e4edb045e09e2b65b Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Thu, 23 Apr 2026 02:38:46 +0900 +Subject: wifi: rsi: fix kthread lifetime race between self-exit and external-stop + +From: Jeongjun Park + +commit db57a1aa54ff68669781976e4edb045e09e2b65b upstream. + +RSI driver use both self-exit(kthread_complete_and_exit) and external-stop +(kthread_stop) when killing a kthread. Generally, kthread_stop() is called +first, and in this case, no particular issues occur. + +However, in rare instances where kthread_complete_and_exit() is called +first and then kthread_stop() is called, a UAF occurs because the kthread +object, which has already exited and been freed, is accessed again. + +Therefore, to prevent this with minimal modification, you must remove +kthread_stop() and change the code to wait until the self-exit operation +is completed. + +Cc: +Reported-by: syzbot+5de83f57cd8531f55596@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/69e5d03b.a00a0220.1bd0ca.0064.GAE@google.com/ +Fixes: 4c62764d0fc2 ("rsi: improve kernel thread handling to fix kernel panic") +Signed-off-by: Jeongjun Park +Link: https://patch.msgid.link/20260422173846.37640-1-aha310510@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rsi/rsi_common.h | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/rsi/rsi_common.h ++++ b/drivers/net/wireless/rsi/rsi_common.h +@@ -70,12 +70,11 @@ static inline int rsi_create_kthread(str + return 0; + } + +-static inline int rsi_kill_thread(struct rsi_thread *handle) ++static inline void rsi_kill_thread(struct rsi_thread *handle) + { + atomic_inc(&handle->thread_done); + rsi_set_event(&handle->event); +- +- return kthread_stop(handle->task); ++ wait_for_completion(&handle->completion); + } + + void rsi_mac80211_detach(struct rsi_hw *hw); 
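Review bot: After `wait_for_completion()` returns, `handle->task` still points at a task that has exited via `kthread_complete_and_exit()` and may already be freed, yet the pointer is left in place; adding `handle->task = NULL;` after the wait (and documenting that the helper must not be called twice) turns any later misuse into a clean NULL dereference instead of the same class of use-after-free this patch is fixing. The wait is also uninterruptible and unbounded, as `kthread_stop()` was, but it now depends entirely on every thread function observing `thread_done` and calling `kthread_complete_and_exit()`; a thread that simply returns never signals the completion and teardown hangs, so that contract belongs in a comment on `rsi_kill_thread()`. The return type also changed from `int` to `void`; callers that consumed the result are outside this view.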
diff --git a/queue-6.18/x86-efi-restore-irq-state-in-efi-page-fault-handler.patch b/queue-6.18/x86-efi-restore-irq-state-in-efi-page-fault-handler.patch new file mode 100644 index 0000000000..434cfb05a3 --- /dev/null +++ b/queue-6.18/x86-efi-restore-irq-state-in-efi-page-fault-handler.patch 
@@ -0,0 +1,100 @@ +From 2c340aab5485ebe9e33c01437dd4815ef33c8df5 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Fri, 1 May 2026 09:16:38 +0200 +Subject: x86/efi: Restore IRQ state in EFI page fault handler + +From: Ard Biesheuvel + +commit 2c340aab5485ebe9e33c01437dd4815ef33c8df5 upstream. + +The kernel's softirq API does not permit re-enabling softirqs while IRQs +are disabled. The reason for this is that local_bh_enable() will not +only re-enable delivery of softirqs over the back of IRQs, it will also +handle any pending softirqs immediately, regardless of whether IRQs are +enabled at that point. + +For this reason, commit + + d02198550423 ("x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs") + +disables softirqs only when IRQs are enabled, as it is not permitted +otherwise, but also unnecessary, given that asynchronous softirq +delivery never happens to begin with while IRQs are disabled. + +However, this does mean that entering a kernel mode FPU section with +IRQs enabled and leaving it with IRQs disabled leads to problems, as +identified by Sashiko [0]: the EFI page fault handler is called from +page_fault_oops() with IRQs disabled, and thus ends the kernel mode FPU +section with IRQs disabled as well, regardless of whether IRQs were +enabled when it was started. This may result in schedule() being called +with a non-zero preempt_count, causing a BUG(). + +So take care to re-enable IRQs when handling any EFI page faults if they +were taken with IRQs enabled. 
+ +[0] https://sashiko.dev/#/patchset/20260430074107.27051-1-ivan.hu%40canonical.com + +Cc: Eric Biggers +Cc: Ivan Hu +Cc: x86@kernel.org +Cc: +Fixes: d02198550423 ("x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs") +Reviewed-by: Eric Biggers +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/efi.h | 3 ++- + arch/x86/mm/fault.c | 2 +- + arch/x86/platform/efi/quirks.c | 11 ++++++++++- + 3 files changed, 13 insertions(+), 3 deletions(-) + +--- a/arch/x86/include/asm/efi.h ++++ b/arch/x86/include/asm/efi.h +@@ -137,7 +137,8 @@ extern void __init efi_dump_pagetable(vo + extern void __init efi_apply_memmap_quirks(void); + extern int __init efi_reuse_config(u64 tables, int nr_tables); + extern void efi_delete_dummy_variable(void); +-extern void efi_crash_gracefully_on_page_fault(unsigned long phys_addr); ++extern void efi_crash_gracefully_on_page_fault(unsigned long phys_addr, ++ const struct pt_regs *regs); + extern void efi_unmap_boot_services(void); + + void arch_efi_call_virt_setup(void); +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -686,7 +686,7 @@ page_fault_oops(struct pt_regs *regs, un + * avoid hanging the system. + */ + if (IS_ENABLED(CONFIG_EFI)) +- efi_crash_gracefully_on_page_fault(address); ++ efi_crash_gracefully_on_page_fault(address, regs); + + /* Only not-present faults should be handled by KFENCE. */ + if (!(error_code & X86_PF_PROT) && +--- a/arch/x86/platform/efi/quirks.c ++++ b/arch/x86/platform/efi/quirks.c +@@ -761,7 +761,8 @@ int efi_capsule_setup_info(struct capsul + * @return: Returns, if the page fault is not handled. This function + * will never return if the page fault is handled successfully. 
+ */ +-void efi_crash_gracefully_on_page_fault(unsigned long phys_addr) ++void efi_crash_gracefully_on_page_fault(unsigned long phys_addr, ++ const struct pt_regs *regs) + { + if (!IS_ENABLED(CONFIG_X86_64)) + return; +@@ -811,6 +812,14 @@ void efi_crash_gracefully_on_page_fault( + } + + /* ++ * The API does not permit entering a kernel mode FPU section with ++ * interrupts enabled and leaving it with interrupts disabled. So ++ * re-enable interrupts now if they were enabled when the page fault ++ * occurred. ++ */ ++ local_irq_restore(regs->flags); ++ ++ /* + * Before calling EFI Runtime Service, the kernel has switched the + * calling process to efi_mm. Hence, switch back to task_mm. + */
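Review bot: `local_irq_restore(regs->flags)` feeds a saved EFLAGS word from `pt_regs` into an API specified for values produced by `local_irq_save()`; on x86 I believe both are the raw flags register and only IF is examined, so it works, but `if (regs->flags & X86_EFLAGS_IF) local_irq_enable();` states the intent directly and does not lean on that coincidence. The new comment explains the FPU-section rule well; it could also note that this point is reached only after the function's earlier bail-outs for non-EFI faults (the body between the two hunks is not shown), so interrupts are never re-enabled for an unrelated oops. `efi_crash_gracefully_on_page_fault()` continues past the end of the hunk.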