--- /dev/null
+From 324f3e03e8a85931ce0880654e3c3eb38b0f0bba Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Fri, 28 Nov 2025 12:06:31 +0800
+Subject: ALSA: dice: fix buffer overflow in detect_stream_formats()
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit 324f3e03e8a85931ce0880654e3c3eb38b0f0bba upstream.
+
+The function detect_stream_formats() reads the stream_count value directly
+from a FireWire device without validating it. This can lead to
+out-of-bounds writes when a malicious device provides a stream_count value
+greater than MAX_STREAMS.
+
+Fix by applying the same validation to both TX and RX stream counts in
+detect_stream_formats().
+
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Reported-by: Junrui Luo <moonafterrain@outlook.com>
+Fixes: 58579c056c1c ("ALSA: dice: use extended protocol to detect available stream formats")
+Cc: stable@vger.kernel.org
+Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/SYBPR01MB7881B043FC68B4C0DA40B73DAFDCA@SYBPR01MB7881.ausprd01.prod.outlook.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/firewire/dice/dice-extension.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/firewire/dice/dice-extension.c
++++ b/sound/firewire/dice/dice-extension.c
+@@ -116,7 +116,7 @@ static int detect_stream_formats(struct
+ break;
+
+ base_offset += EXT_APP_STREAM_ENTRIES;
+- stream_count = be32_to_cpu(reg[0]);
++ stream_count = min_t(unsigned int, be32_to_cpu(reg[0]), MAX_STREAMS);
+ err = read_stream_entries(dice, section_addr, base_offset,
+ stream_count, mode,
+ dice->tx_pcm_chs,
+@@ -125,7 +125,7 @@ static int detect_stream_formats(struct
+ break;
+
+ base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE;
+- stream_count = be32_to_cpu(reg[1]);
++ stream_count = min_t(unsigned int, be32_to_cpu(reg[1]), MAX_STREAMS);
+ err = read_stream_entries(dice, section_addr, base_offset,
+ stream_count,
+ mode, dice->rx_pcm_chs,
ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch
loongarch-add-machine_kexec_mask_interrupts-implementation.patch
net-lan743x-allocate-rings-outside-zone_dma.patch
+usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch
+usb-phy-initialize-struct-usb_phy-list_head.patch
+alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
--- /dev/null
+From 2585973c7f9ee31d21e5848c996fab2521fd383d Mon Sep 17 00:00:00 2001
+From: Haotien Hsu <haotienh@nvidia.com>
+Date: Thu, 27 Nov 2025 11:35:40 +0800
+Subject: usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt
+
+From: Haotien Hsu <haotienh@nvidia.com>
+
+commit 2585973c7f9ee31d21e5848c996fab2521fd383d upstream.
+
+The driver previously skipped handling ClearFeature(ENDPOINT_HALT)
+when the endpoint was already not halted. This prevented the
+controller from resetting the data sequence number and reinitializing
+the endpoint state.
+
+According to USB 3.2 specification Rev. 1.1, section 9.4.5,
+ClearFeature(ENDPOINT_HALT) must always reset the data sequence and
+set the stream state machine to Disabled, regardless of whether the
+endpoint was halted.
+
+Remove the early return so that ClearFeature(ENDPOINT_HALT) always
+resets the endpoint sequence state as required by the specification.
+
+Fixes: 49db427232fe ("usb: gadget: Add UDC driver for tegra XUSB device mode controller")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Haotien Hsu <haotienh@nvidia.com>
+Signed-off-by: Wayne Chang <waynec@nvidia.com>
+Link: https://patch.msgid.link/20251127033540.2287517-1-waynec@nvidia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/tegra-xudc.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/usb/gadget/udc/tegra-xudc.c
++++ b/drivers/usb/gadget/udc/tegra-xudc.c
+@@ -1548,12 +1548,6 @@ static int __tegra_xudc_ep_set_halt(stru
+ return -ENOTSUPP;
+ }
+
+- if (!!(xudc_readl(xudc, EP_HALT) & BIT(ep->index)) == halt) {
+- dev_dbg(xudc->dev, "EP %u already %s\n", ep->index,
+- halt ? "halted" : "not halted");
+- return 0;
+- }
+-
+ if (halt) {
+ ep_halt(xudc, ep->index);
+ } else {
--- /dev/null
+From c69ff68b097b0f53333114f1b2c3dc128f389596 Mon Sep 17 00:00:00 2001
+From: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
+Date: Fri, 21 Nov 2025 18:16:36 +0000
+Subject: usb: phy: Initialize struct usb_phy list_head
+
+From: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
+
+commit c69ff68b097b0f53333114f1b2c3dc128f389596 upstream.
+
+As part of the registration of a new 'struct usb_phy' with the USB PHY core
+via either usb_add_phy(struct usb_phy *x, ...) or usb_add_phy_dev(struct
+usb_phy *x) these functions call list_add_tail(&x->head, phy_list) in
+order for the new instance x to be stored in phy_list, a static list
+kept internally by the core.
+
+After 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy")
+when executing either of the registration functions above it is possible
+that usb_add_extcon() fails, leading to either function returning before
+the call to list_add_tail(), leaving x->head uninitialized.
+
+Then, when a driver tries to undo the failed registration by calling
+usb_remove_phy(struct usb_phy *x) there will be an unconditional call to
+list_del(&x->head) acting on an uninitialized variable, and thus a
+possible NULL pointer dereference.
+
+Fix this by initializing x->head before usb_add_extcon() has a
+chance to fail. Note that this was not needed before 7d21114dc6a2 since
+list_add_phy() was executed unconditionally and it guaranteed that x->head
+was initialized.
+
+Fixes: 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
+Link: https://patch.msgid.link/20251121-diogo-smaug_typec-v2-1-5c37c1169d57@tecnico.ulisboa.pt
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/phy/phy.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/phy/phy.c
++++ b/drivers/usb/phy/phy.c
+@@ -672,6 +672,8 @@ int usb_add_phy(struct usb_phy *x, enum
+ return -EINVAL;
+ }
+
++ INIT_LIST_HEAD(&x->head);
++
+ usb_charger_init(x);
+ ret = usb_add_extcon(x);
+ if (ret)
+@@ -722,6 +724,8 @@ int usb_add_phy_dev(struct usb_phy *x)
+ return -EINVAL;
+ }
+
++ INIT_LIST_HEAD(&x->head);
++
+ usb_charger_init(x);
+ ret = usb_add_extcon(x);
+ if (ret)
projects / thirdparty / kernel / stable-queue.git / commitdiff
