--- /dev/null
+From 324f3e03e8a85931ce0880654e3c3eb38b0f0bba Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Fri, 28 Nov 2025 12:06:31 +0800
+Subject: ALSA: dice: fix buffer overflow in detect_stream_formats()
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit 324f3e03e8a85931ce0880654e3c3eb38b0f0bba upstream.
+
+The function detect_stream_formats() reads the stream_count value directly
+from a FireWire device without validating it. This can lead to
+out-of-bounds writes when a malicious device provides a stream_count value
+greater than MAX_STREAMS.
+
+Fix by applying the same validation to both TX and RX stream counts in
+detect_stream_formats().
+
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Reported-by: Junrui Luo <moonafterrain@outlook.com>
+Fixes: 58579c056c1c ("ALSA: dice: use extended protocol to detect available stream formats")
+Cc: stable@vger.kernel.org
+Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/SYBPR01MB7881B043FC68B4C0DA40B73DAFDCA@SYBPR01MB7881.ausprd01.prod.outlook.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/firewire/dice/dice-extension.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/firewire/dice/dice-extension.c
++++ b/sound/firewire/dice/dice-extension.c
+@@ -116,7 +116,7 @@ static int detect_stream_formats(struct
+ break;
+
+ base_offset += EXT_APP_STREAM_ENTRIES;
+- stream_count = be32_to_cpu(reg[0]);
++ stream_count = min_t(unsigned int, be32_to_cpu(reg[0]), MAX_STREAMS);
+ err = read_stream_entries(dice, section_addr, base_offset,
+ stream_count, mode,
+ dice->tx_pcm_chs,
+@@ -125,7 +125,7 @@ static int detect_stream_formats(struct
+ break;
+
+ base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE;
+- stream_count = be32_to_cpu(reg[1]);
++ stream_count = min_t(unsigned int, be32_to_cpu(reg[1]), MAX_STREAMS);
+ err = read_stream_entries(dice, section_addr, base_offset,
+ stream_count,
+ mode, dice->rx_pcm_chs,
--- /dev/null
+From c34b04cc6178f33c08331568c7fd25c5b9a39f66 Mon Sep 17 00:00:00 2001
+From: Denis Arefev <arefev@swemel.ru>
+Date: Tue, 2 Dec 2025 13:13:36 +0300
+Subject: ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()
+
+From: Denis Arefev <arefev@swemel.ru>
+
+commit c34b04cc6178f33c08331568c7fd25c5b9a39f66 upstream.
+
+The acpi_get_first_physical_node() function can return NULL, in which
+case the get_device() function also returns NULL, but this value is
+then dereferenced without checking,so add a check to prevent a crash.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 7b2f3eb492da ("ALSA: hda: cs35l41: Add support for CS35L41 in HDA systems")
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Arefev <arefev@swemel.ru>
+Reviewed-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20251202101338.11437-1-arefev@swemel.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/codecs/side-codecs/cs35l41_hda.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/hda/codecs/side-codecs/cs35l41_hda.c
++++ b/sound/hda/codecs/side-codecs/cs35l41_hda.c
+@@ -1901,6 +1901,8 @@ static int cs35l41_hda_read_acpi(struct
+
+ cs35l41->dacpi = adev;
+ physdev = get_device(acpi_get_first_physical_node(adev));
++ if (!physdev)
++ return -ENODEV;
+
+ sub = acpi_get_subsystem_id(ACPI_HANDLE(physdev));
+ if (IS_ERR(sub))
--- /dev/null
+From 18a4895370a79a3efb4a53ccd1efffef6c5b634e Mon Sep 17 00:00:00 2001
+From: Antheas Kapenekakis <lkml@antheas.dev>
+Date: Sun, 26 Oct 2025 20:16:35 +0100
+Subject: ALSA: hda/realtek: Add match for ASUS Xbox Ally projects
+
+From: Antheas Kapenekakis <lkml@antheas.dev>
+
+commit 18a4895370a79a3efb4a53ccd1efffef6c5b634e upstream.
+
+Bind the realtek codec to TAS2781 I2C audio amps on ASUS Xbox Ally
+projects. While these projects work without a quirk, adding it increases
+the output volume significantly.
+
+Cc: stable@vger.kernel.org # 6.17
+Signed-off-by: Antheas Kapenekakis <lkml@antheas.dev>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20251026191635.2447593-2-lkml@antheas.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -6736,6 +6736,8 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x1043, 0x12f0, "ASUS X541UV", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x1313, "Asus K42JZ", ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x1314, "ASUS GA605K", ALC285_FIXUP_ASUS_GA605K_HEADSET_MIC),
++ SND_PCI_QUIRK(0x1043, 0x1384, "ASUS RC73XA", ALC287_FIXUP_TXNW2781_I2C),
++ SND_PCI_QUIRK(0x1043, 0x1394, "ASUS RC73YA", ALC287_FIXUP_TXNW2781_I2C),
+ SND_PCI_QUIRK(0x1043, 0x13b0, "ASUS Z550SA", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_ASUS_ZENBOOK),
+ SND_PCI_QUIRK(0x1043, 0x1433, "ASUS GX650PY/PZ/PV/PU/PYV/PZV/PIV/PVV", ALC285_FIXUP_ASUS_I2C_HEADSET_MIC),
--- /dev/null
+From 945865a0ddf3e3950aea32e23e10d815ee9b21bc Mon Sep 17 00:00:00 2001
+From: Antheas Kapenekakis <lkml@antheas.dev>
+Date: Sun, 26 Oct 2025 20:16:34 +0100
+Subject: ALSA: hda/tas2781: fix speaker id retrieval for multiple probes
+
+From: Antheas Kapenekakis <lkml@antheas.dev>
+
+commit 945865a0ddf3e3950aea32e23e10d815ee9b21bc upstream.
+
+Currently, on ASUS projects, the TAS2781 codec attaches the speaker GPIO
+to the first tasdevice_priv instance using devm. This causes
+tas2781_read_acpi to fail on subsequent probes since the GPIO is already
+managed by the first device. This causes a failure on Xbox Ally X,
+because it has two amplifiers, and prevents us from quirking both the
+Xbox Ally and Xbox Ally X in the realtek codec driver.
+
+It is unnecessary to attach the GPIO to a device as it is static.
+Therefore, instead of attaching it and then reading it when loading the
+firmware, read its value directly in tas2781_read_acpi and store it in
+the private data structure. Then, make reading the value non-fatal so
+that ASUS projects that miss a speaker pin can still work, perhaps using
+fallback firmware.
+
+Fixes: 4e7035a75da9 ("ALSA: hda/tas2781: Add speaker id check for ASUS projects")
+Cc: stable@vger.kernel.org # 6.17
+Signed-off-by: Antheas Kapenekakis <lkml@antheas.dev>
+Reviewed-by: Baojun Xu <baojun.xu@ti.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20251026191635.2447593-1-lkml@antheas.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/sound/tas2781.h | 2 -
+ sound/hda/codecs/side-codecs/tas2781_hda_i2c.c | 44 ++++++++++++++-----------
+ 2 files changed, 26 insertions(+), 20 deletions(-)
+
+--- a/include/sound/tas2781.h
++++ b/include/sound/tas2781.h
+@@ -197,7 +197,6 @@ struct tasdevice_priv {
+ struct acoustic_data acou_data;
+ #endif
+ struct tasdevice_fw *fmw;
+- struct gpio_desc *speaker_id;
+ struct gpio_desc *reset;
+ struct mutex codec_lock;
+ struct regmap *regmap;
+@@ -215,6 +214,7 @@ struct tasdevice_priv {
+ unsigned int magic_num;
+ unsigned int chip_id;
+ unsigned int sysclk;
++ int speaker_id;
+
+ int irq;
+ int cur_prog;
+--- a/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c
++++ b/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c
+@@ -87,6 +87,7 @@ static const struct acpi_gpio_mapping ta
+
+ static int tas2781_read_acpi(struct tasdevice_priv *p, const char *hid)
+ {
++ struct gpio_desc *speaker_id;
+ struct acpi_device *adev;
+ struct device *physdev;
+ LIST_HEAD(resources);
+@@ -119,19 +120,31 @@ static int tas2781_read_acpi(struct tasd
+ /* Speaker id was needed for ASUS projects. */
+ ret = kstrtou32(sub, 16, &subid);
+ if (!ret && upper_16_bits(subid) == PCI_VENDOR_ID_ASUSTEK) {
+- ret = devm_acpi_dev_add_driver_gpios(p->dev,
+- tas2781_speaker_id_gpios);
+- if (ret < 0)
++ ret = acpi_dev_add_driver_gpios(adev, tas2781_speaker_id_gpios);
++ if (ret < 0) {
+ dev_err(p->dev, "Failed to add driver gpio %d.\n",
+ ret);
+- p->speaker_id = devm_gpiod_get(p->dev, "speakerid", GPIOD_IN);
+- if (IS_ERR(p->speaker_id)) {
+- dev_err(p->dev, "Failed to get Speaker id.\n");
+- ret = PTR_ERR(p->speaker_id);
+- goto err;
++ p->speaker_id = -1;
++ goto end_2563;
++ }
++
++ speaker_id = fwnode_gpiod_get_index(acpi_fwnode_handle(adev),
++ "speakerid", 0, GPIOD_IN, NULL);
++ if (!IS_ERR(speaker_id)) {
++ p->speaker_id = gpiod_get_value_cansleep(speaker_id);
++ dev_dbg(p->dev, "Got speaker id gpio from ACPI: %d.\n",
++ p->speaker_id);
++ gpiod_put(speaker_id);
++ } else {
++ p->speaker_id = -1;
++ ret = PTR_ERR(speaker_id);
++ dev_err(p->dev, "Get speaker id gpio failed %d.\n",
++ ret);
+ }
++
++ acpi_dev_remove_driver_gpios(adev);
+ } else {
+- p->speaker_id = NULL;
++ p->speaker_id = -1;
+ }
+
+ end_2563:
+@@ -432,23 +445,16 @@ static void tasdevice_dspfw_init(void *c
+ struct tas2781_hda *tas_hda = dev_get_drvdata(tas_priv->dev);
+ struct tas2781_hda_i2c_priv *hda_priv = tas_hda->hda_priv;
+ struct hda_codec *codec = tas_priv->codec;
+- int ret, spk_id;
++ int ret;
+
+ tasdevice_dsp_remove(tas_priv);
+ tas_priv->fw_state = TASDEVICE_DSP_FW_PENDING;
+- if (tas_priv->speaker_id != NULL) {
+- // Speaker id need to be checked for ASUS only.
+- spk_id = gpiod_get_value(tas_priv->speaker_id);
+- if (spk_id < 0) {
+- // Speaker id is not valid, use default.
+- dev_dbg(tas_priv->dev, "Wrong spk_id = %d\n", spk_id);
+- spk_id = 0;
+- }
++ if (tas_priv->speaker_id >= 0) {
+ snprintf(tas_priv->coef_binaryname,
+ sizeof(tas_priv->coef_binaryname),
+ "TAS2XXX%04X%d.bin",
+ lower_16_bits(codec->core.subsystem_id),
+- spk_id);
++ tas_priv->speaker_id);
+ } else {
+ snprintf(tas_priv->coef_binaryname,
+ sizeof(tas_priv->coef_binaryname),
--- /dev/null
+From e11c5c13ce0ab2325d38fe63500be1dd88b81e38 Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Thu, 6 Nov 2025 10:24:57 +0800
+Subject: ALSA: wavefront: Clear substream pointers on close
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit e11c5c13ce0ab2325d38fe63500be1dd88b81e38 upstream.
+
+Clear substream pointers in close functions to avoid leaving dangling
+pointers, helping to improve code safety and
+prevents potential issues.
+
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Reported-by: Junrui Luo <moonafterrain@outlook.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/SYBPR01MB7881DF762CAB45EE42F6D812AFC2A@SYBPR01MB7881.ausprd01.prod.outlook.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/isa/wavefront/wavefront_midi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/isa/wavefront/wavefront_midi.c
++++ b/sound/isa/wavefront/wavefront_midi.c
+@@ -278,6 +278,7 @@ static int snd_wavefront_midi_input_clos
+ return -EIO;
+
+ guard(spinlock_irqsave)(&midi->open);
++ midi->substream_input[mpu] = NULL;
+ midi->mode[mpu] &= ~MPU401_MODE_INPUT;
+
+ return 0;
+@@ -300,6 +301,7 @@ static int snd_wavefront_midi_output_clo
+ return -EIO;
+
+ guard(spinlock_irqsave)(&midi->open);
++ midi->substream_output[mpu] = NULL;
+ midi->mode[mpu] &= ~MPU401_MODE_OUTPUT;
+ return 0;
+ }
--- /dev/null
+From 0c4a13ba88594fd4a27292853e736c6b4349823d Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Thu, 6 Nov 2025 10:49:46 +0800
+Subject: ALSA: wavefront: Fix integer overflow in sample size validation
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit 0c4a13ba88594fd4a27292853e736c6b4349823d upstream.
+
+The wavefront_send_sample() function has an integer overflow issue
+when validating sample size. The header->size field is u32 but gets
+cast to int for comparison with dev->freemem
+
+Fix by using unsigned comparison to avoid integer overflow.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/SYBPR01MB7881B47789D1B060CE8BF4C3AFC2A@SYBPR01MB7881.ausprd01.prod.outlook.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/isa/wavefront/wavefront_synth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/isa/wavefront/wavefront_synth.c
++++ b/sound/isa/wavefront/wavefront_synth.c
+@@ -950,9 +950,9 @@ wavefront_send_sample (snd_wavefront_t *
+ if (header->size) {
+ dev->freemem = wavefront_freemem (dev);
+
+- if (dev->freemem < (int)header->size) {
++ if (dev->freemem < 0 || dev->freemem < header->size) {
+ dev_err(dev->card->dev,
+- "insufficient memory to load %d byte sample.\n",
++ "insufficient memory to load %u byte sample.\n",
+ header->size);
+ return -ENOMEM;
+ }
+++ /dev/null
-From 14cc4474799a595caeccdb8fdf2ca4b867cef972 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 20 Aug 2025 02:13:19 +0200
-Subject: media: ov02c10: Fix default vertical flip
-
-From: Sebastian Reichel <sre@kernel.org>
-
-[ Upstream commit d5ebe3f7d13d4cee3ff7e718de23564915aaf163 ]
-
-The driver right now defaults to setting the vertical flip bit. This
-conflicts with proper handling of the rotation property defined in
-ACPI or device tree, so drop the VFLIP bit. It should be handled via
-V4L2_CID_VFLIP instead.
-
-Reported-by: Frederic Stuyk <fstuyk@runbox.com>
-Closes: https://lore.kernel.org/all/b6df9ae7-ea9f-4e5a-8065-5b130f534f37@runbox.com/
-Fixes: 44f89010dae0 ("media: i2c: Add Omnivision OV02C10 sensor driver")
-Signed-off-by: Sebastian Reichel <sre@kernel.org>
-Reviewed-by: Bryan O'Donoghue <bod@kernel.org>
-Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
-Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/media/i2c/ov02c10.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/media/i2c/ov02c10.c b/drivers/media/i2c/ov02c10.c
-index 8c4d85dc7922e..8e22ff446b0c4 100644
---- a/drivers/media/i2c/ov02c10.c
-+++ b/drivers/media/i2c/ov02c10.c
-@@ -174,7 +174,7 @@ static const struct reg_sequence sensor_1928x1092_30fps_setting[] = {
- {0x3816, 0x01},
- {0x3817, 0x01},
-
-- {0x3820, 0xb0},
-+ {0x3820, 0xa0},
- {0x3821, 0x00},
- {0x3822, 0x80},
- {0x3823, 0x08},
---
-2.51.0
-
drm-rcar-du-dsi-fix-missing-parameter-in-rxsetr_.en-.patch
x86-dumpstack-prevent-kasan-false-positive-warnings-.patch
accel-ivpu-remove-skip-of-dma-unmap-for-imported-buf.patch
-media-ov02c10-fix-default-vertical-flip.patch
tools-nolibc-stdio-let-perror-work-when-nolibc_ignor.patch
tools-nolibc-dirent-avoid-errno-in-readdir_r.patch
clk-qcom-gcc-qcs615-update-the-sdcc-clock-to-use-sha.patch
efi-cper-add-a-new-helper-function-to-print-bitmasks.patch
efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch
efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch
+usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch
+usb-typec-ucsi-fix-probe-failure-in-gaokun_ucsi_probe.patch
+usb-phy-initialize-struct-usb_phy-list_head.patch
+usb-typec-ucsi-fix-use-after-free-caused-by-uec-work.patch
+usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch
+alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
+alsa-hda-realtek-add-match-for-asus-xbox-ally-projects.patch
+alsa-hda-tas2781-fix-speaker-id-retrieval-for-multiple-probes.patch
+alsa-hda-cs35l41-fix-null-pointer-dereference-in-cs35l41_hda_read_acpi.patch
+alsa-wavefront-clear-substream-pointers-on-close.patch
+alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch
--- /dev/null
+From 5ed9cc71432a8adf3c42223c935f714aac29901b Mon Sep 17 00:00:00 2001
+From: Sven Peter <sven@kernel.org>
+Date: Wed, 15 Oct 2025 15:40:42 +0000
+Subject: usb: dwc3: dwc3_power_off_all_roothub_ports: Use ioremap_np when required
+
+From: Sven Peter <sven@kernel.org>
+
+commit 5ed9cc71432a8adf3c42223c935f714aac29901b upstream.
+
+On Apple Silicon machines we can't use ioremap() / Device-nGnRE to map most
+regions but must use ioremap_np() / Device-nGnRnE whenever
+IORESOURCE_MEM_NONPOSTED is set. Make sure this is also done inside
+dwc3_power_off_all_roothub_ports to prevent SErrors.
+
+Fixes: 2d2a3349521d ("usb: dwc3: Add workaround for host mode VBUS glitch when boot")
+Cc: stable@kernel.org
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Reviewed-by: Neal Gompa <neal@gompa.dev>
+Signed-off-by: Sven Peter <sven@kernel.org>
+Link: https://patch.msgid.link/20251015-b4-aplpe-dwc3-v2-2-cbd65a2d511a@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/host.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/host.c
++++ b/drivers/usb/dwc3/host.c
+@@ -37,7 +37,10 @@ static void dwc3_power_off_all_roothub_p
+
+ /* xhci regs are not mapped yet, do it temporarily here */
+ if (dwc->xhci_resources[0].start) {
+- xhci_regs = ioremap(dwc->xhci_resources[0].start, DWC3_XHCI_REGS_END);
++ if (dwc->xhci_resources[0].flags & IORESOURCE_MEM_NONPOSTED)
++ xhci_regs = ioremap_np(dwc->xhci_resources[0].start, DWC3_XHCI_REGS_END);
++ else
++ xhci_regs = ioremap(dwc->xhci_resources[0].start, DWC3_XHCI_REGS_END);
+ if (!xhci_regs) {
+ dev_err(dwc->dev, "Failed to ioremap xhci_regs\n");
+ return;
--- /dev/null
+From 2585973c7f9ee31d21e5848c996fab2521fd383d Mon Sep 17 00:00:00 2001
+From: Haotien Hsu <haotienh@nvidia.com>
+Date: Thu, 27 Nov 2025 11:35:40 +0800
+Subject: usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt
+
+From: Haotien Hsu <haotienh@nvidia.com>
+
+commit 2585973c7f9ee31d21e5848c996fab2521fd383d upstream.
+
+The driver previously skipped handling ClearFeature(ENDPOINT_HALT)
+when the endpoint was already not halted. This prevented the
+controller from resetting the data sequence number and reinitializing
+the endpoint state.
+
+According to USB 3.2 specification Rev. 1.1, section 9.4.5,
+ClearFeature(ENDPOINT_HALT) must always reset the data sequence and
+set the stream state machine to Disabled, regardless of whether the
+endpoint was halted.
+
+Remove the early return so that ClearFeature(ENDPOINT_HALT) always
+resets the endpoint sequence state as required by the specification.
+
+Fixes: 49db427232fe ("usb: gadget: Add UDC driver for tegra XUSB device mode controller")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Haotien Hsu <haotienh@nvidia.com>
+Signed-off-by: Wayne Chang <waynec@nvidia.com>
+Link: https://patch.msgid.link/20251127033540.2287517-1-waynec@nvidia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/tegra-xudc.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/usb/gadget/udc/tegra-xudc.c
++++ b/drivers/usb/gadget/udc/tegra-xudc.c
+@@ -1558,12 +1558,6 @@ static int __tegra_xudc_ep_set_halt(stru
+ return -ENOTSUPP;
+ }
+
+- if (!!(xudc_readl(xudc, EP_HALT) & BIT(ep->index)) == halt) {
+- dev_dbg(xudc->dev, "EP %u already %s\n", ep->index,
+- halt ? "halted" : "not halted");
+- return 0;
+- }
+-
+ if (halt) {
+ ep_halt(xudc, ep->index);
+ } else {
--- /dev/null
+From c69ff68b097b0f53333114f1b2c3dc128f389596 Mon Sep 17 00:00:00 2001
+From: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
+Date: Fri, 21 Nov 2025 18:16:36 +0000
+Subject: usb: phy: Initialize struct usb_phy list_head
+
+From: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
+
+commit c69ff68b097b0f53333114f1b2c3dc128f389596 upstream.
+
+As part of the registration of a new 'struct usb_phy' with the USB PHY core
+via either usb_add_phy(struct usb_phy *x, ...) or usb_add_phy_dev(struct
+usb_phy *x) these functions call list_add_tail(&x->head, phy_list) in
+order for the new instance x to be stored in phy_list, a static list
+kept internally by the core.
+
+After 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy")
+when executing either of the registration functions above it is possible
+that usb_add_extcon() fails, leading to either function returning before
+the call to list_add_tail(), leaving x->head uninitialized.
+
+Then, when a driver tries to undo the failed registration by calling
+usb_remove_phy(struct usb_phy *x) there will be an unconditional call to
+list_del(&x->head) acting on an uninitialized variable, and thus a
+possible NULL pointer dereference.
+
+Fix this by initializing x->head before usb_add_extcon() has a
+chance to fail. Note that this was not needed before 7d21114dc6a2 since
+list_add_phy() was executed unconditionally and it guaranteed that x->head
+was initialized.
+
+Fixes: 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
+Link: https://patch.msgid.link/20251121-diogo-smaug_typec-v2-1-5c37c1169d57@tecnico.ulisboa.pt
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/phy/phy.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/phy/phy.c
++++ b/drivers/usb/phy/phy.c
+@@ -646,6 +646,8 @@ int usb_add_phy(struct usb_phy *x, enum
+ return -EINVAL;
+ }
+
++ INIT_LIST_HEAD(&x->head);
++
+ usb_charger_init(x);
+ ret = usb_add_extcon(x);
+ if (ret)
+@@ -696,6 +698,8 @@ int usb_add_phy_dev(struct usb_phy *x)
+ return -EINVAL;
+ }
+
++ INIT_LIST_HEAD(&x->head);
++
+ usb_charger_init(x);
+ ret = usb_add_extcon(x);
+ if (ret)
--- /dev/null
+From 6b120ef99fbcba9e413783561f8cc160719db589 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou <duoming@zju.edu.cn>
+Date: Tue, 25 Nov 2025 18:36:26 +0800
+Subject: usb: typec: ucsi: fix probe failure in gaokun_ucsi_probe()
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+commit 6b120ef99fbcba9e413783561f8cc160719db589 upstream.
+
+The gaokun_ucsi_probe() uses ucsi_create() to allocate a UCSI instance.
+The ucsi_create() validates whether ops->poll_cci is defined, and if not,
+it directly returns -EINVAL. However, the gaokun_ucsi_ops structure does
+not define the poll_cci, causing ucsi_create() always fail with -EINVAL.
+This issue can be observed in the kernel log with the following error:
+
+ucsi_huawei_gaokun.ucsi huawei_gaokun_ec.ucsi.0: probe with driver
+ucsi_huawei_gaokun.ucsi failed with error -22
+
+Fix the issue by adding the missing poll_cci callback to gaokun_ucsi_ops.
+
+Fixes: 00327d7f2c8c ("usb: typec: ucsi: add Huawei Matebook E Go ucsi driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Pengyu Luo <mitltlatltl@gmail.com>
+Link: https://patch.msgid.link/4d077d6439d728be68646bb8c8678436a3a0885e.1764065838.git.duoming@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c
++++ b/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c
+@@ -196,6 +196,7 @@ static void gaokun_ucsi_connector_status
+ const struct ucsi_operations gaokun_ucsi_ops = {
+ .read_version = gaokun_ucsi_read_version,
+ .read_cci = gaokun_ucsi_read_cci,
++ .poll_cci = gaokun_ucsi_read_cci,
+ .read_message_in = gaokun_ucsi_read_message_in,
+ .sync_control = ucsi_sync_control_common,
+ .async_control = gaokun_ucsi_async_control,
--- /dev/null
+From 2b7a0f47aaf2439d517ba0a6b29c66a535302154 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou <duoming@zju.edu.cn>
+Date: Tue, 25 Nov 2025 18:36:27 +0800
+Subject: usb: typec: ucsi: fix use-after-free caused by uec->work
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+commit 2b7a0f47aaf2439d517ba0a6b29c66a535302154 upstream.
+
+The delayed work uec->work is scheduled in gaokun_ucsi_probe()
+but never properly canceled in gaokun_ucsi_remove(). This creates
+use-after-free scenarios where the ucsi and gaokun_ucsi structure
+are freed after ucsi_destroy() completes execution, while the
+gaokun_ucsi_register_worker() might be either currently executing
+or still pending in the work queue. The already-freed gaokun_ucsi
+or ucsi structure may then be accessed.
+
+Furthermore, the race window is 3 seconds, which is sufficiently
+long to make this bug easily reproducible. The following is the
+trace captured by KASAN:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630
+Write of size 8 at addr ffff00000ec28cc8 by task swapper/0/0
+...
+Call trace:
+ show_stack+0x18/0x24 (C)
+ dump_stack_lvl+0x78/0x90
+ print_report+0x114/0x580
+ kasan_report+0xa4/0xf0
+ __asan_report_store8_noabort+0x20/0x2c
+ __run_timers+0x5ec/0x630
+ run_timer_softirq+0xe8/0x1cc
+ handle_softirqs+0x294/0x720
+ __do_softirq+0x14/0x20
+ ____do_softirq+0x10/0x1c
+ call_on_irq_stack+0x30/0x48
+ do_softirq_own_stack+0x1c/0x28
+ __irq_exit_rcu+0x27c/0x364
+ irq_exit_rcu+0x10/0x1c
+ el1_interrupt+0x40/0x60
+ el1h_64_irq_handler+0x18/0x24
+ el1h_64_irq+0x6c/0x70
+ arch_local_irq_enable+0x4/0x8 (P)
+ do_idle+0x334/0x458
+ cpu_startup_entry+0x60/0x70
+ rest_init+0x158/0x174
+ start_kernel+0x2f8/0x394
+ __primary_switched+0x8c/0x94
+
+Allocated by task 72 on cpu 0 at 27.510341s:
+ kasan_save_stack+0x2c/0x54
+ kasan_save_track+0x24/0x5c
+ kasan_save_alloc_info+0x40/0x54
+ __kasan_kmalloc+0xa0/0xb8
+ __kmalloc_node_track_caller_noprof+0x1c0/0x588
+ devm_kmalloc+0x7c/0x1c8
+ gaokun_ucsi_probe+0xa0/0x840 auxiliary_bus_probe+0x94/0xf8
+ really_probe+0x17c/0x5b8
+ __driver_probe_device+0x158/0x2c4
+ driver_probe_device+0x10c/0x264
+ __device_attach_driver+0x168/0x2d0
+ bus_for_each_drv+0x100/0x188
+ __device_attach+0x174/0x368
+ device_initial_probe+0x14/0x20
+ bus_probe_device+0x120/0x150
+ device_add+0xb3c/0x10fc
+ __auxiliary_device_add+0x88/0x130
+...
+
+Freed by task 73 on cpu 1 at 28.910627s:
+ kasan_save_stack+0x2c/0x54
+ kasan_save_track+0x24/0x5c
+ __kasan_save_free_info+0x4c/0x74
+ __kasan_slab_free+0x60/0x8c
+ kfree+0xd4/0x410
+ devres_release_all+0x140/0x1f0
+ device_unbind_cleanup+0x20/0x190
+ device_release_driver_internal+0x344/0x460
+ device_release_driver+0x18/0x24
+ bus_remove_device+0x198/0x274
+ device_del+0x310/0xa84
+...
+
+The buggy address belongs to the object at ffff00000ec28c00
+ which belongs to the cache kmalloc-512 of size 512
+The buggy address is located 200 bytes inside of
+ freed 512-byte region
+The buggy address belongs to the physical page:
+page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28
+head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
+page_type: f5(slab)
+raw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000
+raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
+head: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000
+head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
+head: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff
+head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Add disable_delayed_work_sync() in gaokun_ucsi_remove() to ensure
+that uec->work is properly canceled and prevented from executing
+after the ucsi and gaokun_ucsi structure have been deallocated.
+
+Fixes: 00327d7f2c8c ("usb: typec: ucsi: add Huawei Matebook E Go ucsi driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://patch.msgid.link/cc31e12ef9ffbf86676585b02233165fd33f0d8e.1764065838.git.duoming@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c
++++ b/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c
+@@ -503,6 +503,7 @@ static void gaokun_ucsi_remove(struct au
+ {
+ struct gaokun_ucsi *uec = auxiliary_get_drvdata(adev);
+
++ disable_delayed_work_sync(&uec->work);
+ gaokun_ec_unregister_notify(uec->ec, &uec->nb);
+ ucsi_unregister(uec->ucsi);
+ ucsi_destroy(uec->ucsi);
projects / thirdparty / kernel / stable-queue.git / commitdiff
