From: Greg Kroah-Hartman Date: Tue, 16 Dec 2025 10:34:00 +0000 (+0100) Subject: 6.18-stable patches X-Git-Tag: v6.12.63~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=12dd2a617e593e9191b12daec03a8556dc08f951;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch alsa-hda-cs35l41-fix-null-pointer-dereference-in-cs35l41_hda_read_acpi.patch alsa-hda-realtek-add-match-for-asus-xbox-ally-projects.patch alsa-hda-tas2781-fix-speaker-id-retrieval-for-multiple-probes.patch alsa-wavefront-clear-substream-pointers-on-close.patch alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch usb-phy-initialize-struct-usb_phy-list_head.patch usb-typec-ucsi-fix-probe-failure-in-gaokun_ucsi_probe.patch usb-typec-ucsi-fix-use-after-free-caused-by-uec-work.patch
---
diff --git a/queue-6.18/alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch b/queue-6.18/alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
new file mode 100644
index 0000000000..df6faa8ab1
--- /dev/null
+++ b/queue-6.18/alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
@@ -0,0 +1,50 @@ +From 324f3e03e8a85931ce0880654e3c3eb38b0f0bba Mon Sep 17 00:00:00 2001 +From: Junrui Luo +Date: Fri, 28 Nov 2025 12:06:31 +0800 +Subject: ALSA: dice: fix buffer overflow in detect_stream_formats() + +From: Junrui Luo + +commit 324f3e03e8a85931ce0880654e3c3eb38b0f0bba upstream. + +The function detect_stream_formats() reads the stream_count value directly +from a FireWire device without validating it. This can lead to +out-of-bounds writes when a malicious device provides a stream_count value +greater than MAX_STREAMS. + +Fix by applying the same validation to both TX and RX stream counts in +detect_stream_formats(). + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 58579c056c1c ("ALSA: dice: use extended protocol to detect available stream formats") +Cc: stable@vger.kernel.org +Reviewed-by: Takashi Sakamoto +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB7881B043FC68B4C0DA40B73DAFDCA@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/firewire/dice/dice-extension.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/firewire/dice/dice-extension.c ++++ b/sound/firewire/dice/dice-extension.c +@@ -116,7 +116,7 @@ static int detect_stream_formats(struct + break; + + base_offset += EXT_APP_STREAM_ENTRIES; +- stream_count = be32_to_cpu(reg[0]); ++ stream_count = min_t(unsigned int, be32_to_cpu(reg[0]), MAX_STREAMS); + err = read_stream_entries(dice, section_addr, base_offset, + stream_count, mode, + dice->tx_pcm_chs, +@@ -125,7 +125,7 @@ static int detect_stream_formats(struct + break; + + base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE; +- stream_count = be32_to_cpu(reg[1]); ++ stream_count = min_t(unsigned int, be32_to_cpu(reg[1]), MAX_STREAMS); + err = read_stream_entries(dice, section_addr, base_offset, + stream_count, + mode, dice->rx_pcm_chs, 
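Review bot: The clamp in detect_stream_formats() is silent, and the clamped TX value is the one used in `base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE`, so when a device reports more than MAX_STREAMS TX entries the RX entries are read from an offset that no longer matches the layout the device described. The out-of-bounds write is closed either way, but the driver then goes on parsing misaligned data from a device that has already reported an invalid count. Consider rejecting an oversized count instead of truncating it, or at least logging it. A comment above each assignment, such as `/* reg[] comes from the device: never pass a count above MAX_STREAMS to read_stream_entries() */`, would record why the bound exists. The function starts and ends outside the hunk.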
diff --git a/queue-6.18/alsa-hda-cs35l41-fix-null-pointer-dereference-in-cs35l41_hda_read_acpi.patch b/queue-6.18/alsa-hda-cs35l41-fix-null-pointer-dereference-in-cs35l41_hda_read_acpi.patch new file mode 100644 index 0000000000..53a4c4c2c3 --- /dev/null +++ b/queue-6.18/alsa-hda-cs35l41-fix-null-pointer-dereference-in-cs35l41_hda_read_acpi.patch @@ -0,0 +1,37 @@ +From c34b04cc6178f33c08331568c7fd25c5b9a39f66 Mon Sep 17 00:00:00 2001 +From: Denis Arefev +Date: Tue, 2 Dec 2025 13:13:36 +0300 +Subject: ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi() + +From: Denis Arefev + +commit c34b04cc6178f33c08331568c7fd25c5b9a39f66 upstream. + +The acpi_get_first_physical_node() function can return NULL, in which +case the get_device() function also returns NULL, but this value is +then dereferenced without checking,so add a check to prevent a crash. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 7b2f3eb492da ("ALSA: hda: cs35l41: Add support for CS35L41 in HDA systems") +Cc: stable@vger.kernel.org +Signed-off-by: Denis Arefev +Reviewed-by: Richard Fitzgerald +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20251202101338.11437-1-arefev@swemel.ru +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/codecs/side-codecs/cs35l41_hda.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/hda/codecs/side-codecs/cs35l41_hda.c ++++ b/sound/hda/codecs/side-codecs/cs35l41_hda.c +@@ -1901,6 +1901,8 @@ static int cs35l41_hda_read_acpi(struct + + cs35l41->dacpi = adev; + physdev = get_device(acpi_get_first_physical_node(adev)); ++ if (!physdev) ++ return -ENODEV; + + sub = acpi_get_subsystem_id(ACPI_HANDLE(physdev)); + if (IS_ERR(sub)) diff --git a/queue-6.18/alsa-hda-realtek-add-match-for-asus-xbox-ally-projects.patch b/queue-6.18/alsa-hda-realtek-add-match-for-asus-xbox-ally-projects.patch new file mode 100644 index 0000000000..9f5ce02e21 --- /dev/null 
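Review bot: The new `return -ENODEV` in cs35l41_hda_read_acpi() comes after `cs35l41->dacpi = adev` has been stored and leaves through a plain return, with no log line and no comment saying why the pointer can be NULL. Whether the reference behind `adev` is released by the caller on this path is not visible here, because the function starts and ends outside the hunk, so that should be confirmed. I would add `/* acpi_get_first_physical_node() may return NULL, and get_device(NULL) returns NULL */` above the check so the guard is not removed later as redundant.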
+++ b/queue-6.18/alsa-hda-realtek-add-match-for-asus-xbox-ally-projects.patch @@ -0,0 +1,33 @@ +From 18a4895370a79a3efb4a53ccd1efffef6c5b634e Mon Sep 17 00:00:00 2001 +From: Antheas Kapenekakis +Date: Sun, 26 Oct 2025 20:16:35 +0100 +Subject: ALSA: hda/realtek: Add match for ASUS Xbox Ally projects + +From: Antheas Kapenekakis + +commit 18a4895370a79a3efb4a53ccd1efffef6c5b634e upstream. + +Bind the realtek codec to TAS2781 I2C audio amps on ASUS Xbox Ally +projects. While these projects work without a quirk, adding it increases +the output volume significantly. + +Cc: stable@vger.kernel.org # 6.17 +Signed-off-by: Antheas Kapenekakis +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20251026191635.2447593-2-lkml@antheas.dev +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/codecs/realtek/alc269.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -6736,6 +6736,8 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x1043, 0x12f0, "ASUS X541UV", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1313, "Asus K42JZ", ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1314, "ASUS GA605K", ALC285_FIXUP_ASUS_GA605K_HEADSET_MIC), ++ SND_PCI_QUIRK(0x1043, 0x1384, "ASUS RC73XA", ALC287_FIXUP_TXNW2781_I2C), ++ SND_PCI_QUIRK(0x1043, 0x1394, "ASUS RC73YA", ALC287_FIXUP_TXNW2781_I2C), + SND_PCI_QUIRK(0x1043, 0x13b0, "ASUS Z550SA", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_ASUS_ZENBOOK), + SND_PCI_QUIRK(0x1043, 0x1433, "ASUS GX650PY/PZ/PV/PU/PYV/PZV/PIV/PVV", ALC285_FIXUP_ASUS_I2C_HEADSET_MIC), diff --git a/queue-6.18/alsa-hda-tas2781-fix-speaker-id-retrieval-for-multiple-probes.patch b/queue-6.18/alsa-hda-tas2781-fix-speaker-id-retrieval-for-multiple-probes.patch new file mode 100644 index 0000000000..3e9b6be55d --- /dev/null 
+++ b/queue-6.18/alsa-hda-tas2781-fix-speaker-id-retrieval-for-multiple-probes.patch 
@@ -0,0 +1,131 @@ +From 945865a0ddf3e3950aea32e23e10d815ee9b21bc Mon Sep 17 00:00:00 2001 +From: Antheas Kapenekakis +Date: Sun, 26 Oct 2025 20:16:34 +0100 +Subject: ALSA: hda/tas2781: fix speaker id retrieval for multiple probes + +From: Antheas Kapenekakis + +commit 945865a0ddf3e3950aea32e23e10d815ee9b21bc upstream. + +Currently, on ASUS projects, the TAS2781 codec attaches the speaker GPIO +to the first tasdevice_priv instance using devm. This causes +tas2781_read_acpi to fail on subsequent probes since the GPIO is already +managed by the first device. This causes a failure on Xbox Ally X, +because it has two amplifiers, and prevents us from quirking both the +Xbox Ally and Xbox Ally X in the realtek codec driver. + +It is unnecessary to attach the GPIO to a device as it is static. +Therefore, instead of attaching it and then reading it when loading the +firmware, read its value directly in tas2781_read_acpi and store it in +the private data structure. Then, make reading the value non-fatal so +that ASUS projects that miss a speaker pin can still work, perhaps using +fallback firmware. 
+ +Fixes: 4e7035a75da9 ("ALSA: hda/tas2781: Add speaker id check for ASUS projects") +Cc: stable@vger.kernel.org # 6.17 +Signed-off-by: Antheas Kapenekakis +Reviewed-by: Baojun Xu +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20251026191635.2447593-1-lkml@antheas.dev +Signed-off-by: Greg Kroah-Hartman +--- + include/sound/tas2781.h | 2 - + sound/hda/codecs/side-codecs/tas2781_hda_i2c.c | 44 ++++++++++++++----------- + 2 files changed, 26 insertions(+), 20 deletions(-) + +--- a/include/sound/tas2781.h ++++ b/include/sound/tas2781.h +@@ -197,7 +197,6 @@ struct tasdevice_priv { + struct acoustic_data acou_data; + #endif + struct tasdevice_fw *fmw; +- struct gpio_desc *speaker_id; + struct gpio_desc *reset; + struct mutex codec_lock; + struct regmap *regmap; +@@ -215,6 +214,7 @@ struct tasdevice_priv { + unsigned int magic_num; + unsigned int chip_id; + unsigned int sysclk; ++ int speaker_id; + + int irq; + int cur_prog; +--- a/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c ++++ b/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c +@@ -87,6 +87,7 @@ static const struct acpi_gpio_mapping ta + + static int tas2781_read_acpi(struct tasdevice_priv *p, const char *hid) + { ++ struct gpio_desc *speaker_id; + struct acpi_device *adev; + struct device *physdev; + LIST_HEAD(resources); +@@ -119,19 +120,31 @@ static int tas2781_read_acpi(struct tasd + /* Speaker id was needed for ASUS projects. 
*/ + ret = kstrtou32(sub, 16, &subid); + if (!ret && upper_16_bits(subid) == PCI_VENDOR_ID_ASUSTEK) { +- ret = devm_acpi_dev_add_driver_gpios(p->dev, +- tas2781_speaker_id_gpios); +- if (ret < 0) ++ ret = acpi_dev_add_driver_gpios(adev, tas2781_speaker_id_gpios); ++ if (ret < 0) { + dev_err(p->dev, "Failed to add driver gpio %d.\n", + ret); +- p->speaker_id = devm_gpiod_get(p->dev, "speakerid", GPIOD_IN); +- if (IS_ERR(p->speaker_id)) { +- dev_err(p->dev, "Failed to get Speaker id.\n"); +- ret = PTR_ERR(p->speaker_id); +- goto err; ++ p->speaker_id = -1; ++ goto end_2563; ++ } ++ ++ speaker_id = fwnode_gpiod_get_index(acpi_fwnode_handle(adev), ++ "speakerid", 0, GPIOD_IN, NULL); ++ if (!IS_ERR(speaker_id)) { ++ p->speaker_id = gpiod_get_value_cansleep(speaker_id); ++ dev_dbg(p->dev, "Got speaker id gpio from ACPI: %d.\n", ++ p->speaker_id); ++ gpiod_put(speaker_id); ++ } else { ++ p->speaker_id = -1; ++ ret = PTR_ERR(speaker_id); ++ dev_err(p->dev, "Get speaker id gpio failed %d.\n", ++ ret); + } ++ ++ acpi_dev_remove_driver_gpios(adev); + } else { +- p->speaker_id = NULL; ++ p->speaker_id = -1; + } + + end_2563: +@@ -432,23 +445,16 @@ static void tasdevice_dspfw_init(void *c + struct tas2781_hda *tas_hda = dev_get_drvdata(tas_priv->dev); + struct tas2781_hda_i2c_priv *hda_priv = tas_hda->hda_priv; + struct hda_codec *codec = tas_priv->codec; +- int ret, spk_id; ++ int ret; + + tasdevice_dsp_remove(tas_priv); + tas_priv->fw_state = TASDEVICE_DSP_FW_PENDING; +- if (tas_priv->speaker_id != NULL) { +- // Speaker id need to be checked for ASUS only. +- spk_id = gpiod_get_value(tas_priv->speaker_id); +- if (spk_id < 0) { +- // Speaker id is not valid, use default. 
+- dev_dbg(tas_priv->dev, "Wrong spk_id = %d\n", spk_id); +- spk_id = 0; +- } ++ if (tas_priv->speaker_id >= 0) { + snprintf(tas_priv->coef_binaryname, + sizeof(tas_priv->coef_binaryname), + "TAS2XXX%04X%d.bin", + lower_16_bits(codec->core.subsystem_id), +- spk_id); ++ tas_priv->speaker_id); + } else { + snprintf(tas_priv->coef_binaryname, + sizeof(tas_priv->coef_binaryname), diff --git a/queue-6.18/alsa-wavefront-clear-substream-pointers-on-close.patch b/queue-6.18/alsa-wavefront-clear-substream-pointers-on-close.patch new file mode 100644 index 0000000000..b4133be740 --- /dev/null +++ b/queue-6.18/alsa-wavefront-clear-substream-pointers-on-close.patch 
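Review bot: `gpiod_get_value_cansleep()` can return a negative error code, and tas2781_read_acpi() stores that result in `p->speaker_id` unchanged and prints it through the "Got speaker id gpio from ACPI" debug message as if it were a valid id. The `>= 0` test in tasdevice_dspfw_init() then selects the firmware name without a speaker id, whereas the removed code fell back to id 0 for a negative read, so that change of fallback should be deliberate. Documenting the convention at the field would help: `int speaker_id; /* speaker id read from GPIO; negative if unavailable */`. Both failure paths also reach `end_2563:` with `ret` negative; the code after that label is outside the hunk, so confirm it does not return `ret` if the read is meant to be non-fatal.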
@@ -0,0 +1,43 @@ +From e11c5c13ce0ab2325d38fe63500be1dd88b81e38 Mon Sep 17 00:00:00 2001 +From: Junrui Luo +Date: Thu, 6 Nov 2025 10:24:57 +0800 +Subject: ALSA: wavefront: Clear substream pointers on close + +From: Junrui Luo + +commit e11c5c13ce0ab2325d38fe63500be1dd88b81e38 upstream. + +Clear substream pointers in close functions to avoid leaving dangling +pointers, helping to improve code safety and +prevents potential issues. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB7881DF762CAB45EE42F6D812AFC2A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/isa/wavefront/wavefront_midi.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/isa/wavefront/wavefront_midi.c ++++ b/sound/isa/wavefront/wavefront_midi.c +@@ -278,6 +278,7 @@ static int snd_wavefront_midi_input_clos + return -EIO; + + guard(spinlock_irqsave)(&midi->open); ++ midi->substream_input[mpu] = NULL; + midi->mode[mpu] &= ~MPU401_MODE_INPUT; + + return 0; +@@ -300,6 +301,7 @@ static int snd_wavefront_midi_output_clo + return -EIO; + + guard(spinlock_irqsave)(&midi->open); ++ midi->substream_output[mpu] = NULL; + midi->mode[mpu] &= ~MPU401_MODE_OUTPUT; + return 0; + } diff --git a/queue-6.18/alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch b/queue-6.18/alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch new file mode 100644 index 0000000000..0afceb324e --- /dev/null +++ b/queue-6.18/alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch 
@@ -0,0 +1,39 @@ +From 0c4a13ba88594fd4a27292853e736c6b4349823d Mon Sep 17 00:00:00 2001 +From: Junrui Luo +Date: Thu, 6 Nov 2025 10:49:46 +0800 +Subject: ALSA: wavefront: Fix integer overflow in sample size validation + +From: Junrui Luo + +commit 0c4a13ba88594fd4a27292853e736c6b4349823d upstream. + +The wavefront_send_sample() function has an integer overflow issue +when validating sample size. The header->size field is u32 but gets +cast to int for comparison with dev->freemem + +Fix by using unsigned comparison to avoid integer overflow. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB7881B47789D1B060CE8BF4C3AFC2A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/isa/wavefront/wavefront_synth.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/isa/wavefront/wavefront_synth.c ++++ b/sound/isa/wavefront/wavefront_synth.c +@@ -950,9 +950,9 @@ wavefront_send_sample (snd_wavefront_t * + if (header->size) { + dev->freemem = wavefront_freemem (dev); + +- if (dev->freemem < (int)header->size) { ++ if (dev->freemem < 0 || dev->freemem < header->size) { + dev_err(dev->card->dev, +- "insufficient memory to load %d byte sample.\n", ++ "insufficient memory to load %u byte sample.\n", + header->size); + return -ENOMEM; + } diff --git a/queue-6.18/media-ov02c10-fix-default-vertical-flip.patch b/queue-6.18/media-ov02c10-fix-default-vertical-flip.patch deleted file mode 100644 index 7b7661418b..0000000000 --- a/queue-6.18/media-ov02c10-fix-default-vertical-flip.patch +++ /dev/null 
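Review bot: The second half of the new test, `dev->freemem < header->size`, compares what appears to be a signed int with a u32 and is only correct because the `dev->freemem < 0` check runs first and the usual arithmetic conversions then make freemem unsigned. Writing the conversion out, `if (dev->freemem < 0 || (u32)dev->freemem < header->size) {`, keeps the intent readable and avoids sign-compare warnings. A negative freemem is also reported as "insufficient memory" with -ENOMEM, which hides what looks like a failure of wavefront_freemem() itself; a separate message for that case would aid diagnosis. wavefront_send_sample() continues outside the hunk.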
@@ -1,42 +0,0 @@ -From 14cc4474799a595caeccdb8fdf2ca4b867cef972 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Aug 2025 02:13:19 +0200 -Subject: media: ov02c10: Fix default vertical flip - -From: Sebastian Reichel - -[ Upstream commit d5ebe3f7d13d4cee3ff7e718de23564915aaf163 ] - -The driver right now defaults to setting the vertical flip bit. This -conflicts with proper handling of the rotation property defined in -ACPI or device tree, so drop the VFLIP bit. It should be handled via -V4L2_CID_VFLIP instead. - -Reported-by: Frederic Stuyk -Closes: https://lore.kernel.org/all/b6df9ae7-ea9f-4e5a-8065-5b130f534f37@runbox.com/ -Fixes: 44f89010dae0 ("media: i2c: Add Omnivision OV02C10 sensor driver") -Signed-off-by: Sebastian Reichel -Reviewed-by: Bryan O'Donoghue -Signed-off-by: Sakari Ailus -Signed-off-by: Hans Verkuil -Signed-off-by: Sasha Levin ---- - drivers/media/i2c/ov02c10.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/media/i2c/ov02c10.c b/drivers/media/i2c/ov02c10.c -index 8c4d85dc7922e..8e22ff446b0c4 100644 ---- a/drivers/media/i2c/ov02c10.c -+++ b/drivers/media/i2c/ov02c10.c -@@ -174,7 +174,7 @@ static const struct reg_sequence sensor_1928x1092_30fps_setting[] = { - {0x3816, 0x01}, - {0x3817, 0x01}, - -- {0x3820, 0xb0}, -+ {0x3820, 0xa0}, - {0x3821, 0x00}, - {0x3822, 0x80}, - {0x3823, 0x08}, --- -2.51.0 - diff --git a/queue-6.18/series b/queue-6.18/series index ef9192f501..f18dce0b09 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -143,7 +143,6 @@ task_work-fix-nmi-race-condition.patch drm-rcar-du-dsi-fix-missing-parameter-in-rxsetr_.en-.patch x86-dumpstack-prevent-kasan-false-positive-warnings-.patch accel-ivpu-remove-skip-of-dma-unmap-for-imported-buf.patch -media-ov02c10-fix-default-vertical-flip.patch tools-nolibc-stdio-let-perror-work-when-nolibc_ignor.patch tools-nolibc-dirent-avoid-errno-in-readdir_r.patch clk-qcom-gcc-qcs615-update-the-sdcc-clock-to-use-sha.patch 
@@ -602,3 +601,14 @@ perf-x86-intel-fix-null-event-dereference-crash-in-h.patch efi-cper-add-a-new-helper-function-to-print-bitmasks.patch efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch +usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch +usb-typec-ucsi-fix-probe-failure-in-gaokun_ucsi_probe.patch +usb-phy-initialize-struct-usb_phy-list_head.patch +usb-typec-ucsi-fix-use-after-free-caused-by-uec-work.patch +usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch +alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch +alsa-hda-realtek-add-match-for-asus-xbox-ally-projects.patch +alsa-hda-tas2781-fix-speaker-id-retrieval-for-multiple-probes.patch +alsa-hda-cs35l41-fix-null-pointer-dereference-in-cs35l41_hda_read_acpi.patch +alsa-wavefront-clear-substream-pointers-on-close.patch +alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch diff --git a/queue-6.18/usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch b/queue-6.18/usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch new file mode 100644 index 0000000000..16f980971f --- /dev/null +++ b/queue-6.18/usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch 
@@ -0,0 +1,39 @@ +From 5ed9cc71432a8adf3c42223c935f714aac29901b Mon Sep 17 00:00:00 2001 +From: Sven Peter +Date: Wed, 15 Oct 2025 15:40:42 +0000 +Subject: usb: dwc3: dwc3_power_off_all_roothub_ports: Use ioremap_np when required + +From: Sven Peter + +commit 5ed9cc71432a8adf3c42223c935f714aac29901b upstream. + +On Apple Silicon machines we can't use ioremap() / Device-nGnRE to map most +regions but must use ioremap_np() / Device-nGnRnE whenever +IORESOURCE_MEM_NONPOSTED is set. Make sure this is also done inside +dwc3_power_off_all_roothub_ports to prevent SErrors. + +Fixes: 2d2a3349521d ("usb: dwc3: Add workaround for host mode VBUS glitch when boot") +Cc: stable@kernel.org +Acked-by: Thinh Nguyen +Reviewed-by: Neal Gompa +Signed-off-by: Sven Peter +Link: https://patch.msgid.link/20251015-b4-aplpe-dwc3-v2-2-cbd65a2d511a@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/host.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/host.c ++++ b/drivers/usb/dwc3/host.c +@@ -37,7 +37,10 @@ static void dwc3_power_off_all_roothub_p + + /* xhci regs are not mapped yet, do it temporarily here */ + if (dwc->xhci_resources[0].start) { +- xhci_regs = ioremap(dwc->xhci_resources[0].start, DWC3_XHCI_REGS_END); ++ if (dwc->xhci_resources[0].flags & IORESOURCE_MEM_NONPOSTED) ++ xhci_regs = ioremap_np(dwc->xhci_resources[0].start, DWC3_XHCI_REGS_END); ++ else ++ xhci_regs = ioremap(dwc->xhci_resources[0].start, DWC3_XHCI_REGS_END); + if (!xhci_regs) { + dev_err(dwc->dev, "Failed to ioremap xhci_regs\n"); + return; diff --git a/queue-6.18/usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch b/queue-6.18/usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch new file mode 100644 index 0000000000..fe2094fe2e --- /dev/null +++ b/queue-6.18/usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch 
@@ -0,0 +1,48 @@ +From 2585973c7f9ee31d21e5848c996fab2521fd383d Mon Sep 17 00:00:00 2001 +From: Haotien Hsu +Date: Thu, 27 Nov 2025 11:35:40 +0800 +Subject: usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt + +From: Haotien Hsu + +commit 2585973c7f9ee31d21e5848c996fab2521fd383d upstream. + +The driver previously skipped handling ClearFeature(ENDPOINT_HALT) +when the endpoint was already not halted. This prevented the +controller from resetting the data sequence number and reinitializing +the endpoint state. + +According to USB 3.2 specification Rev. 1.1, section 9.4.5, +ClearFeature(ENDPOINT_HALT) must always reset the data sequence and +set the stream state machine to Disabled, regardless of whether the +endpoint was halted. + +Remove the early return so that ClearFeature(ENDPOINT_HALT) always +resets the endpoint sequence state as required by the specification. + +Fixes: 49db427232fe ("usb: gadget: Add UDC driver for tegra XUSB device mode controller") +Cc: stable +Signed-off-by: Haotien Hsu +Signed-off-by: Wayne Chang +Link: https://patch.msgid.link/20251127033540.2287517-1-waynec@nvidia.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/tegra-xudc.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/usb/gadget/udc/tegra-xudc.c ++++ b/drivers/usb/gadget/udc/tegra-xudc.c +@@ -1558,12 +1558,6 @@ static int __tegra_xudc_ep_set_halt(stru + return -ENOTSUPP; + } + +- if (!!(xudc_readl(xudc, EP_HALT) & BIT(ep->index)) == halt) { +- dev_dbg(xudc->dev, "EP %u already %s\n", ep->index, +- halt ? "halted" : "not halted"); +- return 0; +- } +- + if (halt) { + ep_halt(xudc, ep->index); + } else { diff --git a/queue-6.18/usb-phy-initialize-struct-usb_phy-list_head.patch b/queue-6.18/usb-phy-initialize-struct-usb_phy-list_head.patch new file mode 100644 index 0000000000..647e3ad85e --- /dev/null +++ b/queue-6.18/usb-phy-initialize-struct-usb_phy-list_head.patch 
@@ -0,0 +1,59 @@ +From c69ff68b097b0f53333114f1b2c3dc128f389596 Mon Sep 17 00:00:00 2001 +From: Diogo Ivo +Date: Fri, 21 Nov 2025 18:16:36 +0000 +Subject: usb: phy: Initialize struct usb_phy list_head + +From: Diogo Ivo + +commit c69ff68b097b0f53333114f1b2c3dc128f389596 upstream. + +As part of the registration of a new 'struct usb_phy' with the USB PHY core +via either usb_add_phy(struct usb_phy *x, ...) or usb_add_phy_dev(struct +usb_phy *x) these functions call list_add_tail(&x->head, phy_list) in +order for the new instance x to be stored in phy_list, a static list +kept internally by the core. + +After 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy") +when executing either of the registration functions above it is possible +that usb_add_extcon() fails, leading to either function returning before +the call to list_add_tail(), leaving x->head uninitialized. + +Then, when a driver tries to undo the failed registration by calling +usb_remove_phy(struct usb_phy *x) there will be an unconditional call to +list_del(&x->head) acting on an uninitialized variable, and thus a +possible NULL pointer dereference. + +Fix this by initializing x->head before usb_add_extcon() has a +chance to fail. Note that this was not needed before 7d21114dc6a2 since +list_add_phy() was executed unconditionally and it guaranteed that x->head +was initialized. 
+ +Fixes: 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy") +Cc: stable +Signed-off-by: Diogo Ivo +Link: https://patch.msgid.link/20251121-diogo-smaug_typec-v2-1-5c37c1169d57@tecnico.ulisboa.pt +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/phy/phy.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/phy/phy.c ++++ b/drivers/usb/phy/phy.c +@@ -646,6 +646,8 @@ int usb_add_phy(struct usb_phy *x, enum + return -EINVAL; + } + ++ INIT_LIST_HEAD(&x->head); ++ + usb_charger_init(x); + ret = usb_add_extcon(x); + if (ret) +@@ -696,6 +698,8 @@ int usb_add_phy_dev(struct usb_phy *x) + return -EINVAL; + } + ++ INIT_LIST_HEAD(&x->head); ++ + usb_charger_init(x); + ret = usb_add_extcon(x); + if (ret) diff --git a/queue-6.18/usb-typec-ucsi-fix-probe-failure-in-gaokun_ucsi_probe.patch b/queue-6.18/usb-typec-ucsi-fix-probe-failure-in-gaokun_ucsi_probe.patch new file mode 100644 index 0000000000..5a980d07e5 --- /dev/null +++ b/queue-6.18/usb-typec-ucsi-fix-probe-failure-in-gaokun_ucsi_probe.patch 
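Review bot: The two added `INIT_LIST_HEAD(&x->head);` calls in usb_add_phy() and usb_add_phy_dev() carry no comment, and without the commit message it is not obvious why a node that is later handed to list_add_tail() needs initialising first. I would add above each one `/* usb_remove_phy() calls list_del() even if registration failed before list_add_tail() */`. Both functions start and end outside the hunk.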
@@ -0,0 +1,41 @@ +From 6b120ef99fbcba9e413783561f8cc160719db589 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Tue, 25 Nov 2025 18:36:26 +0800 +Subject: usb: typec: ucsi: fix probe failure in gaokun_ucsi_probe() + +From: Duoming Zhou + +commit 6b120ef99fbcba9e413783561f8cc160719db589 upstream. + +The gaokun_ucsi_probe() uses ucsi_create() to allocate a UCSI instance. +The ucsi_create() validates whether ops->poll_cci is defined, and if not, +it directly returns -EINVAL. However, the gaokun_ucsi_ops structure does +not define the poll_cci, causing ucsi_create() always fail with -EINVAL. +This issue can be observed in the kernel log with the following error: + +ucsi_huawei_gaokun.ucsi huawei_gaokun_ec.ucsi.0: probe with driver +ucsi_huawei_gaokun.ucsi failed with error -22 + +Fix the issue by adding the missing poll_cci callback to gaokun_ucsi_ops. + +Fixes: 00327d7f2c8c ("usb: typec: ucsi: add Huawei Matebook E Go ucsi driver") +Cc: stable +Signed-off-by: Duoming Zhou +Reviewed-by: Heikki Krogerus +Reviewed-by: Pengyu Luo +Link: https://patch.msgid.link/4d077d6439d728be68646bb8c8678436a3a0885e.1764065838.git.duoming@zju.edu.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c ++++ b/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c +@@ -196,6 +196,7 @@ static void gaokun_ucsi_connector_status + const struct ucsi_operations gaokun_ucsi_ops = { + .read_version = gaokun_ucsi_read_version, + .read_cci = gaokun_ucsi_read_cci, ++ .poll_cci = gaokun_ucsi_read_cci, + .read_message_in = gaokun_ucsi_read_message_in, + .sync_control = ucsi_sync_control_common, + .async_control = gaokun_ucsi_async_control, diff --git a/queue-6.18/usb-typec-ucsi-fix-use-after-free-caused-by-uec-work.patch b/queue-6.18/usb-typec-ucsi-fix-use-after-free-caused-by-uec-work.patch new file mode 100644 index 0000000000..d1ba607119 --- /dev/null 
+++ b/queue-6.18/usb-typec-ucsi-fix-use-after-free-caused-by-uec-work.patch 
@@ -0,0 +1,134 @@ +From 2b7a0f47aaf2439d517ba0a6b29c66a535302154 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Tue, 25 Nov 2025 18:36:27 +0800 +Subject: usb: typec: ucsi: fix use-after-free caused by uec->work + +From: Duoming Zhou + +commit 2b7a0f47aaf2439d517ba0a6b29c66a535302154 upstream. + +The delayed work uec->work is scheduled in gaokun_ucsi_probe() +but never properly canceled in gaokun_ucsi_remove(). This creates +use-after-free scenarios where the ucsi and gaokun_ucsi structure +are freed after ucsi_destroy() completes execution, while the +gaokun_ucsi_register_worker() might be either currently executing +or still pending in the work queue. The already-freed gaokun_ucsi +or ucsi structure may then be accessed. + +Furthermore, the race window is 3 seconds, which is sufficiently +long to make this bug easily reproducible. The following is the +trace captured by KASAN: + +================================================================== +BUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630 +Write of size 8 at addr ffff00000ec28cc8 by task swapper/0/0 +... 
+Call trace: + show_stack+0x18/0x24 (C) + dump_stack_lvl+0x78/0x90 + print_report+0x114/0x580 + kasan_report+0xa4/0xf0 + __asan_report_store8_noabort+0x20/0x2c + __run_timers+0x5ec/0x630 + run_timer_softirq+0xe8/0x1cc + handle_softirqs+0x294/0x720 + __do_softirq+0x14/0x20 + ____do_softirq+0x10/0x1c + call_on_irq_stack+0x30/0x48 + do_softirq_own_stack+0x1c/0x28 + __irq_exit_rcu+0x27c/0x364 + irq_exit_rcu+0x10/0x1c + el1_interrupt+0x40/0x60 + el1h_64_irq_handler+0x18/0x24 + el1h_64_irq+0x6c/0x70 + arch_local_irq_enable+0x4/0x8 (P) + do_idle+0x334/0x458 + cpu_startup_entry+0x60/0x70 + rest_init+0x158/0x174 + start_kernel+0x2f8/0x394 + __primary_switched+0x8c/0x94 + +Allocated by task 72 on cpu 0 at 27.510341s: + kasan_save_stack+0x2c/0x54 + kasan_save_track+0x24/0x5c + kasan_save_alloc_info+0x40/0x54 + __kasan_kmalloc+0xa0/0xb8 + __kmalloc_node_track_caller_noprof+0x1c0/0x588 + devm_kmalloc+0x7c/0x1c8 + gaokun_ucsi_probe+0xa0/0x840 auxiliary_bus_probe+0x94/0xf8 + really_probe+0x17c/0x5b8 + __driver_probe_device+0x158/0x2c4 + driver_probe_device+0x10c/0x264 + __device_attach_driver+0x168/0x2d0 + bus_for_each_drv+0x100/0x188 + __device_attach+0x174/0x368 + device_initial_probe+0x14/0x20 + bus_probe_device+0x120/0x150 + device_add+0xb3c/0x10fc + __auxiliary_device_add+0x88/0x130 +... + +Freed by task 73 on cpu 1 at 28.910627s: + kasan_save_stack+0x2c/0x54 + kasan_save_track+0x24/0x5c + __kasan_save_free_info+0x4c/0x74 + __kasan_slab_free+0x60/0x8c + kfree+0xd4/0x410 + devres_release_all+0x140/0x1f0 + device_unbind_cleanup+0x20/0x190 + device_release_driver_internal+0x344/0x460 + device_release_driver+0x18/0x24 + bus_remove_device+0x198/0x274 + device_del+0x310/0xa84 +... 
+ +The buggy address belongs to the object at ffff00000ec28c00 + which belongs to the cache kmalloc-512 of size 512 +The buggy address is located 200 bytes inside of + freed 512-byte region +The buggy address belongs to the physical page: +page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28 +head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff) +page_type: f5(slab) +raw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000 +raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 +head: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000 +head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 +head: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff +head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Add disable_delayed_work_sync() in gaokun_ucsi_remove() to ensure +that uec->work is properly canceled and prevented from executing +after the ucsi and gaokun_ucsi structure have been deallocated. 
+ +Fixes: 00327d7f2c8c ("usb: typec: ucsi: add Huawei Matebook E Go ucsi driver") +Cc: stable +Signed-off-by: Duoming Zhou +Reviewed-by: Heikki Krogerus +Link: https://patch.msgid.link/cc31e12ef9ffbf86676585b02233165fd33f0d8e.1764065838.git.duoming@zju.edu.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c ++++ b/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c +@@ -503,6 +503,7 @@ static void gaokun_ucsi_remove(struct au + { + struct gaokun_ucsi *uec = auxiliary_get_drvdata(adev); + ++ disable_delayed_work_sync(&uec->work); + gaokun_ec_unregister_notify(uec->ec, &uec->nb); + ucsi_unregister(uec->ucsi); + ucsi_destroy(uec->ucsi);
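Review bot: With the delayed work now cancelled in gaokun_ucsi_remove(), a remove that arrives inside the 3-second window described in the commit message reaches the unconditional `ucsi_unregister(uec->ucsi)` for an instance whose gaokun_ucsi_register_worker() may never have run. Whether ucsi_unregister() tolerates a UCSI that was never registered is not visible in this hunk and should be confirmed. The ordering also deserves a comment, e.g. `/* stop the deferred register worker before unregistering and destroying ucsi */`, since moving the call below ucsi_destroy() would reintroduce the use-after-free.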