From: Greg Kroah-Hartman Date: Tue, 16 Dec 2025 10:33:13 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.12.63~22 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27b511e343f9986b4b8efed95dc5b5b8853d5e4a;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch usb-phy-initialize-struct-usb_phy-list_head.patch
---
diff --git a/queue-6.1/alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch b/queue-6.1/alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
new file mode 100644
index 0000000000..df6faa8ab1
--- /dev/null
+++ b/queue-6.1/alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
@@ -0,0 +1,50 @@
+From 324f3e03e8a85931ce0880654e3c3eb38b0f0bba Mon Sep 17 00:00:00 2001
+From: Junrui Luo
+Date: Fri, 28 Nov 2025 12:06:31 +0800
+Subject: ALSA: dice: fix buffer overflow in detect_stream_formats()
+
+From: Junrui Luo
+
+commit 324f3e03e8a85931ce0880654e3c3eb38b0f0bba upstream.
+
+The function detect_stream_formats() reads the stream_count value directly
+from a FireWire device without validating it. This can lead to
+out-of-bounds writes when a malicious device provides a stream_count value
+greater than MAX_STREAMS.
+
+Fix by applying the same validation to both TX and RX stream counts in
+detect_stream_formats().
+
+Reported-by: Yuhao Jiang
+Reported-by: Junrui Luo
+Fixes: 58579c056c1c ("ALSA: dice: use extended protocol to detect available stream formats")
+Cc: stable@vger.kernel.org
+Reviewed-by: Takashi Sakamoto
+Signed-off-by: Junrui Luo
+Link: https://patch.msgid.link/SYBPR01MB7881B043FC68B4C0DA40B73DAFDCA@SYBPR01MB7881.ausprd01.prod.outlook.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/firewire/dice/dice-extension.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/firewire/dice/dice-extension.c
++++ b/sound/firewire/dice/dice-extension.c
+@@ -116,7 +116,7 @@ static int detect_stream_formats(struct
+ break;
+
+ base_offset += EXT_APP_STREAM_ENTRIES;
+- stream_count = be32_to_cpu(reg[0]);
++ stream_count = min_t(unsigned int, be32_to_cpu(reg[0]), MAX_STREAMS);
+ err = read_stream_entries(dice, section_addr, base_offset,
+ stream_count, mode,
+ dice->tx_pcm_chs,
+@@ -125,7 +125,7 @@ static int detect_stream_formats(struct
+ break;
+
+ base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE;
+- stream_count = be32_to_cpu(reg[1]);
++ stream_count = min_t(unsigned int, be32_to_cpu(reg[1]), MAX_STREAMS);
+ err = read_stream_entries(dice, section_addr, base_offset,
+ stream_count,
+ mode, dice->rx_pcm_chs,
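Review bot: Clamping `reg[0]` silently also changes where the RX entries are read from: the second inner hunk's `base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE;` now advances by the clamped TX count, so a device reporting more than MAX_STREAMS TX streams would presumably have its RX entries parsed from inside the TX area. That is memory-safe, but the resulting formats would be wrong and nothing records that the device sent an out-of-range count. Consider rejecting such a device instead, for example `if (be32_to_cpu(reg[0]) > MAX_STREAMS) { err = -EINVAL; break; }` (the error code is a suggestion), or at least add a comment such as `/* device-supplied count; clamp so the per-stream arrays cannot be overrun */` on both clamps. detect_stream_formats() starts and ends outside both hunks, so how `err` is handled afterwards is not visible here.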
diff --git a/queue-6.1/series b/queue-6.1/series
index 6016b611a6..1e2896b7bf 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -218,3 +218,6 @@ irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch
 ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch
 loongarch-add-machine_kexec_mask_interrupts-implementation.patch
 net-lan743x-allocate-rings-outside-zone_dma.patch
+usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch
+usb-phy-initialize-struct-usb_phy-list_head.patch
+alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
diff --git a/queue-6.1/usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch b/queue-6.1/usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch
new file mode 100644
index 0000000000..be1bd8a768
--- /dev/null
+++ b/queue-6.1/usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch
@@ -0,0 +1,48 @@
+From 2585973c7f9ee31d21e5848c996fab2521fd383d Mon Sep 17 00:00:00 2001
+From: Haotien Hsu
+Date: Thu, 27 Nov 2025 11:35:40 +0800
+Subject: usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt
+
+From: Haotien Hsu
+
+commit 2585973c7f9ee31d21e5848c996fab2521fd383d upstream.
+
+The driver previously skipped handling ClearFeature(ENDPOINT_HALT)
+when the endpoint was already not halted. This prevented the
+controller from resetting the data sequence number and reinitializing
+the endpoint state.
+
+According to USB 3.2 specification Rev. 1.1, section 9.4.5,
+ClearFeature(ENDPOINT_HALT) must always reset the data sequence and
+set the stream state machine to Disabled, regardless of whether the
+endpoint was halted.
+
+Remove the early return so that ClearFeature(ENDPOINT_HALT) always
+resets the endpoint sequence state as required by the specification.
+
+Fixes: 49db427232fe ("usb: gadget: Add UDC driver for tegra XUSB device mode controller")
+Cc: stable
+Signed-off-by: Haotien Hsu
+Signed-off-by: Wayne Chang
+Link: https://patch.msgid.link/20251127033540.2287517-1-waynec@nvidia.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/udc/tegra-xudc.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/usb/gadget/udc/tegra-xudc.c
++++ b/drivers/usb/gadget/udc/tegra-xudc.c
+@@ -1548,12 +1548,6 @@ static int __tegra_xudc_ep_set_halt(stru
+ return -ENOTSUPP;
+ }
+
+- if (!!(xudc_readl(xudc, EP_HALT) & BIT(ep->index)) == halt) {
+- dev_dbg(xudc->dev, "EP %u already %s\n", ep->index,
+- halt ? "halted" : "not halted");
+- return 0;
+- }
+-
+ if (halt) {
+ ep_halt(xudc, ep->index);
+ } else {
diff --git a/queue-6.1/usb-phy-initialize-struct-usb_phy-list_head.patch b/queue-6.1/usb-phy-initialize-struct-usb_phy-list_head.patch
new file mode 100644
index 0000000000..096b793d63
--- /dev/null
+++ b/queue-6.1/usb-phy-initialize-struct-usb_phy-list_head.patch
@@ -0,0 +1,59 @@
+From c69ff68b097b0f53333114f1b2c3dc128f389596 Mon Sep 17 00:00:00 2001
+From: Diogo Ivo
+Date: Fri, 21 Nov 2025 18:16:36 +0000
+Subject: usb: phy: Initialize struct usb_phy list_head
+
+From: Diogo Ivo
+
+commit c69ff68b097b0f53333114f1b2c3dc128f389596 upstream.
+
+As part of the registration of a new 'struct usb_phy' with the USB PHY core
+via either usb_add_phy(struct usb_phy *x, ...) or usb_add_phy_dev(struct
+usb_phy *x) these functions call list_add_tail(&x->head, phy_list) in
+order for the new instance x to be stored in phy_list, a static list
+kept internally by the core.
+
+After 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy")
+when executing either of the registration functions above it is possible
+that usb_add_extcon() fails, leading to either function returning before
+the call to list_add_tail(), leaving x->head uninitialized.
+
+Then, when a driver tries to undo the failed registration by calling
+usb_remove_phy(struct usb_phy *x) there will be an unconditional call to
+list_del(&x->head) acting on an uninitialized variable, and thus a
+possible NULL pointer dereference.
+
+Fix this by initializing x->head before usb_add_extcon() has a
+chance to fail. Note that this was not needed before 7d21114dc6a2 since
+list_add_phy() was executed unconditionally and it guaranteed that x->head
+was initialized.
+
+Fixes: 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy")
+Cc: stable
+Signed-off-by: Diogo Ivo
+Link: https://patch.msgid.link/20251121-diogo-smaug_typec-v2-1-5c37c1169d57@tecnico.ulisboa.pt
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/phy/phy.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/phy/phy.c
++++ b/drivers/usb/phy/phy.c
+@@ -672,6 +672,8 @@ int usb_add_phy(struct usb_phy *x, enum
+ return -EINVAL;
+ }
+
++ INIT_LIST_HEAD(&x->head);
++
+ usb_charger_init(x);
+ ret = usb_add_extcon(x);
+ if (ret)
+@@ -722,6 +724,8 @@ int usb_add_phy_dev(struct usb_phy *x)
+ return -EINVAL;
+ }
+
++ INIT_LIST_HEAD(&x->head);
++
+ usb_charger_init(x);
+ ret = usb_add_extcon(x);
+ if (ret)
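Review bot: The added `INIT_LIST_HEAD(&x->head);` in usb_add_phy() carries no comment explaining why a list head is initialised ahead of a later list_add_tail(), so a future cleanup could drop it as redundant and reintroduce the crash. Going by the commit message, it exists so that usb_remove_phy() can run list_del() safely when usb_add_extcon() fails before the entry is ever linked. A one-line comment would record that: `/* usb_remove_phy() does list_del(&x->head) even if we fail before list_add_tail() */`. The same applies to the identical line in the usb_add_phy_dev() hunk. Both functions continue outside the hunks, so the failure path itself is not visible here.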