6.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 16 Dec 2025 10:33:34 +0000 (11:33 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 16 Dec 2025 10:33:34 +0000 (11:33 +0100)
added patches:
alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch
usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch
usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch
usb-phy-initialize-struct-usb_phy-list_head.patch

queue-6.12/alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch [new file with mode: 0644]
queue-6.12/alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch [new file with mode: 0644]
queue-6.12/series
queue-6.12/usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch [new file with mode: 0644]
queue-6.12/usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch [new file with mode: 0644]
queue-6.12/usb-phy-initialize-struct-usb_phy-list_head.patch [new file with mode: 0644]

diff --git a/queue-6.12/alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch b/queue-6.12/alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
new file mode 100644 (file)
index 0000000..df6faa8
--- /dev/null
@@ -0,0 +1,50 @@
+From 324f3e03e8a85931ce0880654e3c3eb38b0f0bba Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Fri, 28 Nov 2025 12:06:31 +0800
+Subject: ALSA: dice: fix buffer overflow in detect_stream_formats()
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit 324f3e03e8a85931ce0880654e3c3eb38b0f0bba upstream.
+
+The function detect_stream_formats() reads the stream_count value directly
+from a FireWire device without validating it. This can lead to
+out-of-bounds writes when a malicious device provides a stream_count value
+greater than MAX_STREAMS.
+
+Fix by applying the same validation to both TX and RX stream counts in
+detect_stream_formats().
+
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Reported-by: Junrui Luo <moonafterrain@outlook.com>
+Fixes: 58579c056c1c ("ALSA: dice: use extended protocol to detect available stream formats")
+Cc: stable@vger.kernel.org
+Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/SYBPR01MB7881B043FC68B4C0DA40B73DAFDCA@SYBPR01MB7881.ausprd01.prod.outlook.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/firewire/dice/dice-extension.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/firewire/dice/dice-extension.c
++++ b/sound/firewire/dice/dice-extension.c
+@@ -116,7 +116,7 @@ static int detect_stream_formats(struct
+                       break;
+               base_offset += EXT_APP_STREAM_ENTRIES;
+-              stream_count = be32_to_cpu(reg[0]);
++              stream_count = min_t(unsigned int, be32_to_cpu(reg[0]), MAX_STREAMS);
+               err = read_stream_entries(dice, section_addr, base_offset,
+                                         stream_count, mode,
+                                         dice->tx_pcm_chs,
+@@ -125,7 +125,7 @@ static int detect_stream_formats(struct
+                       break;
+               base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE;
+-              stream_count = be32_to_cpu(reg[1]);
++              stream_count = min_t(unsigned int, be32_to_cpu(reg[1]), MAX_STREAMS);
+               err = read_stream_entries(dice, section_addr, base_offset,
+                                         stream_count,
+                                         mode, dice->rx_pcm_chs,
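Review bot: Clamping the TX count with `min_t(unsigned int, be32_to_cpu(reg[0]), MAX_STREAMS)` keeps the later writes in bounds, but the following `base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE;` now advances by the clamped value. For a device that reports more than MAX_STREAMS TX streams, the RX entries would then presumably be read from inside the TX table, which is memory-safe but silently yields wrong stream formats. Rejecting an out-of-range count would be more explicit, for example `if (stream_count > MAX_STREAMS) { err = -EPROTO; break; }` after each `be32_to_cpu()` read, or at least a `dev_warn()` when the clamp takes effect. detect_stream_formats() starts and ends outside both inner hunks, so how `err` propagates after the `break` has to be checked there.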
diff --git a/queue-6.12/alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch b/queue-6.12/alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch
new file mode 100644 (file)
index 0000000..0afceb3
--- /dev/null
@@ -0,0 +1,39 @@
+From 0c4a13ba88594fd4a27292853e736c6b4349823d Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Thu, 6 Nov 2025 10:49:46 +0800
+Subject: ALSA: wavefront: Fix integer overflow in sample size validation
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit 0c4a13ba88594fd4a27292853e736c6b4349823d upstream.
+
+The wavefront_send_sample() function has an integer overflow issue
+when validating sample size. The header->size field is u32 but gets
+cast to int for comparison with dev->freemem
+
+Fix by using unsigned comparison to avoid integer overflow.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/SYBPR01MB7881B47789D1B060CE8BF4C3AFC2A@SYBPR01MB7881.ausprd01.prod.outlook.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/isa/wavefront/wavefront_synth.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/isa/wavefront/wavefront_synth.c
++++ b/sound/isa/wavefront/wavefront_synth.c
+@@ -950,9 +950,9 @@ wavefront_send_sample (snd_wavefront_t *
+       if (header->size) {
+               dev->freemem = wavefront_freemem (dev);
+-              if (dev->freemem < (int)header->size) {
++              if (dev->freemem < 0 || dev->freemem < header->size) {
+                       dev_err(dev->card->dev,
+-                              "insufficient memory to load %d byte sample.\n",
++                              "insufficient memory to load %u byte sample.\n",
+                               header->size);
+                       return -ENOMEM;
+               }
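Review bot: The new test `dev->freemem < header->size` compares a signed value with a u32 and is only correct because `dev->freemem < 0` is evaluated first, yet nothing on the line records that dependency. A short comment such as `/* negative freemem is rejected first, so the unsigned comparison cannot wrap */`, or an explicit `(u32)dev->freemem < header->size`, would keep a later reorder from reintroducing the bug. A negative result from wavefront_freemem() (presumably an error return; its definition is not in the hunk) is also reported as "insufficient memory", which may hide a device read failure from whoever reads the log. wavefront_send_sample() continues outside the hunk.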
index ed0902f777000171506e8db501ed7843c7d6ad2d..66d6d1a78837a4080f6a6011cbcf2a254ad0f54e 100644 (file)
@@ -347,3 +347,8 @@ loongarch-add-machine_kexec_mask_interrupts-implementation.patch
 net-lan743x-allocate-rings-outside-zone_dma.patch
 net-dst-introduce-dst-dev_rcu.patch
 tcp_metrics-use-dst_dev_net_rcu.patch
+usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch
+usb-phy-initialize-struct-usb_phy-list_head.patch
+usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch
+alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
+alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch
diff --git a/queue-6.12/usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch b/queue-6.12/usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch
new file mode 100644 (file)
index 0000000..72beda2
--- /dev/null
@@ -0,0 +1,39 @@
+From 5ed9cc71432a8adf3c42223c935f714aac29901b Mon Sep 17 00:00:00 2001
+From: Sven Peter <sven@kernel.org>
+Date: Wed, 15 Oct 2025 15:40:42 +0000
+Subject: usb: dwc3: dwc3_power_off_all_roothub_ports: Use ioremap_np when required
+
+From: Sven Peter <sven@kernel.org>
+
+commit 5ed9cc71432a8adf3c42223c935f714aac29901b upstream.
+
+On Apple Silicon machines we can't use ioremap() / Device-nGnRE to map most
+regions but must use ioremap_np() / Device-nGnRnE whenever
+IORESOURCE_MEM_NONPOSTED is set. Make sure this is also done inside
+dwc3_power_off_all_roothub_ports to prevent SErrors.
+
+Fixes: 2d2a3349521d ("usb: dwc3: Add workaround for host mode VBUS glitch when boot")
+Cc: stable@kernel.org
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Reviewed-by: Neal Gompa <neal@gompa.dev>
+Signed-off-by: Sven Peter <sven@kernel.org>
+Link: https://patch.msgid.link/20251015-b4-aplpe-dwc3-v2-2-cbd65a2d511a@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/host.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/host.c
++++ b/drivers/usb/dwc3/host.c
+@@ -37,7 +37,10 @@ static void dwc3_power_off_all_roothub_p
+       /* xhci regs is not mapped yet, do it temperary here */
+       if (dwc->xhci_resources[0].start) {
+-              xhci_regs = ioremap(dwc->xhci_resources[0].start, DWC3_XHCI_REGS_END);
++              if (dwc->xhci_resources[0].flags & IORESOURCE_MEM_NONPOSTED)
++                      xhci_regs = ioremap_np(dwc->xhci_resources[0].start, DWC3_XHCI_REGS_END);
++              else
++                      xhci_regs = ioremap(dwc->xhci_resources[0].start, DWC3_XHCI_REGS_END);
+               if (!xhci_regs) {
+                       dev_err(dwc->dev, "Failed to ioremap xhci_regs\n");
+                       return;
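Review bot: The added `IORESOURCE_MEM_NONPOSTED` branch carries no comment, and the existing comment above it only says the xhci registers are not mapped yet. The reason for choosing `ioremap_np()` lives only in the commit message; a line such as `/* non-posted resources must be mapped with ioremap_np(), otherwise the access raises an SError */` would keep it next to the code. The two calls also repeat identical start and size arguments, so a future change to one can easily miss the other. dwc3_power_off_all_roothub_ports() continues outside the hunk, so the matching unmap is not visible here.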
diff --git a/queue-6.12/usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch b/queue-6.12/usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch
new file mode 100644 (file)
index 0000000..2b6e8ca
--- /dev/null
@@ -0,0 +1,48 @@
+From 2585973c7f9ee31d21e5848c996fab2521fd383d Mon Sep 17 00:00:00 2001
+From: Haotien Hsu <haotienh@nvidia.com>
+Date: Thu, 27 Nov 2025 11:35:40 +0800
+Subject: usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt
+
+From: Haotien Hsu <haotienh@nvidia.com>
+
+commit 2585973c7f9ee31d21e5848c996fab2521fd383d upstream.
+
+The driver previously skipped handling ClearFeature(ENDPOINT_HALT)
+when the endpoint was already not halted. This prevented the
+controller from resetting the data sequence number and reinitializing
+the endpoint state.
+
+According to USB 3.2 specification Rev. 1.1, section 9.4.5,
+ClearFeature(ENDPOINT_HALT) must always reset the data sequence and
+set the stream state machine to Disabled, regardless of whether the
+endpoint was halted.
+
+Remove the early return so that ClearFeature(ENDPOINT_HALT) always
+resets the endpoint sequence state as required by the specification.
+
+Fixes: 49db427232fe ("usb: gadget: Add UDC driver for tegra XUSB device mode controller")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Haotien Hsu <haotienh@nvidia.com>
+Signed-off-by: Wayne Chang <waynec@nvidia.com>
+Link: https://patch.msgid.link/20251127033540.2287517-1-waynec@nvidia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/tegra-xudc.c |    6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/usb/gadget/udc/tegra-xudc.c
++++ b/drivers/usb/gadget/udc/tegra-xudc.c
+@@ -1554,12 +1554,6 @@ static int __tegra_xudc_ep_set_halt(stru
+               return -ENOTSUPP;
+       }
+-      if (!!(xudc_readl(xudc, EP_HALT) & BIT(ep->index)) == halt) {
+-              dev_dbg(xudc->dev, "EP %u already %s\n", ep->index,
+-                      halt ? "halted" : "not halted");
+-              return 0;
+-      }
+-
+       if (halt) {
+               ep_halt(xudc, ep->index);
+       } else {
diff --git a/queue-6.12/usb-phy-initialize-struct-usb_phy-list_head.patch b/queue-6.12/usb-phy-initialize-struct-usb_phy-list_head.patch
new file mode 100644 (file)
index 0000000..096b793
--- /dev/null
@@ -0,0 +1,59 @@
+From c69ff68b097b0f53333114f1b2c3dc128f389596 Mon Sep 17 00:00:00 2001
+From: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
+Date: Fri, 21 Nov 2025 18:16:36 +0000
+Subject: usb: phy: Initialize struct usb_phy list_head
+
+From: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
+
+commit c69ff68b097b0f53333114f1b2c3dc128f389596 upstream.
+
+As part of the registration of a new 'struct usb_phy' with the USB PHY core
+via either usb_add_phy(struct usb_phy *x, ...) or usb_add_phy_dev(struct
+usb_phy *x) these functions call list_add_tail(&x->head, phy_list) in
+order for the new instance x to be stored in phy_list, a static list
+kept internally by the core.
+
+After 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy")
+when executing either of the registration functions above it is possible
+that usb_add_extcon() fails, leading to either function returning before
+the call to list_add_tail(), leaving x->head uninitialized.
+
+Then, when a driver tries to undo the failed registration by calling
+usb_remove_phy(struct usb_phy *x) there will be an unconditional call to
+list_del(&x->head) acting on an uninitialized variable, and thus a
+possible NULL pointer dereference.
+
+Fix this by initializing x->head before usb_add_extcon() has a
+chance to fail. Note that this was not needed before 7d21114dc6a2 since
+list_add_phy() was executed unconditionally and it guaranteed that x->head
+was initialized.
+
+Fixes: 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
+Link: https://patch.msgid.link/20251121-diogo-smaug_typec-v2-1-5c37c1169d57@tecnico.ulisboa.pt
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/phy/phy.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/phy/phy.c
++++ b/drivers/usb/phy/phy.c
+@@ -672,6 +672,8 @@ int usb_add_phy(struct usb_phy *x, enum
+               return -EINVAL;
+       }
++      INIT_LIST_HEAD(&x->head);
++
+       usb_charger_init(x);
+       ret = usb_add_extcon(x);
+       if (ret)
+@@ -722,6 +724,8 @@ int usb_add_phy_dev(struct usb_phy *x)
+               return -EINVAL;
+       }
++      INIT_LIST_HEAD(&x->head);
++
+       usb_charger_init(x);
+       ret = usb_add_extcon(x);
+       if (ret)
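Review bot: `INIT_LIST_HEAD(&x->head);` looks redundant next to the later list_add_tail() unless the reader knows the commit message, and it is added without a comment in both usb_add_phy() and usb_add_phy_dev(). A one-line comment at both sites, such as `/* usb_remove_phy() calls list_del(&x->head) even if registration fails below */`, would document the invariant so the initialisation is not removed as dead code. Both functions continue outside their hunks, so any other early-return path after this point cannot be checked from here.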