From: Greg Kroah-Hartman Date: Tue, 16 Dec 2025 10:33:46 +0000 (+0100) Subject: 6.17-stable patches X-Git-Tag: v6.12.63~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=35a5424b858d84b69bbaa693779f4526d7271c91;p=thirdparty%2Fkernel%2Fstable-queue.git 6.17-stable patches added patches: alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch alsa-hda-cs35l41-fix-null-pointer-dereference-in-cs35l41_hda_read_acpi.patch alsa-hda-realtek-add-match-for-asus-xbox-ally-projects.patch alsa-hda-tas2781-fix-speaker-id-retrieval-for-multiple-probes.patch alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch usb-phy-initialize-struct-usb_phy-list_head.patch usb-typec-ucsi-fix-probe-failure-in-gaokun_ucsi_probe.patch usb-typec-ucsi-fix-use-after-free-caused-by-uec-work.patch
---
diff --git a/queue-6.17/alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch b/queue-6.17/alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
new file mode 100644
index 0000000000..df6faa8ab1
--- /dev/null
+++ b/queue-6.17/alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
@@ -0,0 +1,50 @@
+From 324f3e03e8a85931ce0880654e3c3eb38b0f0bba Mon Sep 17 00:00:00 2001
+From: Junrui Luo
+Date: Fri, 28 Nov 2025 12:06:31 +0800
+Subject: ALSA: dice: fix buffer overflow in detect_stream_formats()
+
+From: Junrui Luo
+
+commit 324f3e03e8a85931ce0880654e3c3eb38b0f0bba upstream.
+
+The function detect_stream_formats() reads the stream_count value directly
+from a FireWire device without validating it. This can lead to
+out-of-bounds writes when a malicious device provides a stream_count value
+greater than MAX_STREAMS.
+
+Fix by applying the same validation to both TX and RX stream counts in
+detect_stream_formats().
+
+Reported-by: Yuhao Jiang
+Reported-by: Junrui Luo
+Fixes: 58579c056c1c ("ALSA: dice: use extended protocol to detect available stream formats")
+Cc: stable@vger.kernel.org
+Reviewed-by: Takashi Sakamoto
+Signed-off-by: Junrui Luo
+Link: https://patch.msgid.link/SYBPR01MB7881B043FC68B4C0DA40B73DAFDCA@SYBPR01MB7881.ausprd01.prod.outlook.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/firewire/dice/dice-extension.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/firewire/dice/dice-extension.c
++++ b/sound/firewire/dice/dice-extension.c
+@@ -116,7 +116,7 @@ static int detect_stream_formats(struct
+ break;
+
+ base_offset += EXT_APP_STREAM_ENTRIES;
+- stream_count = be32_to_cpu(reg[0]);
++ stream_count = min_t(unsigned int, be32_to_cpu(reg[0]), MAX_STREAMS);
+ err = read_stream_entries(dice, section_addr, base_offset,
+ stream_count, mode,
+ dice->tx_pcm_chs,
+@@ -125,7 +125,7 @@ static int detect_stream_formats(struct
+ break;
+
+ base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE;
+- stream_count = be32_to_cpu(reg[1]);
++ stream_count = min_t(unsigned int, be32_to_cpu(reg[1]), MAX_STREAMS);
+ err = read_stream_entries(dice, section_addr, base_offset,
+ stream_count,
+ mode, dice->rx_pcm_chs,
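Review bot: Clamping with min_t() silently accepts a device that reports more than MAX_STREAMS, and the clamped TX count is then reused on the visible line `base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE;`, so the RX entries are read from an offset that no longer matches the layout the device actually advertised. Since the commit message treats an oversized count as a malformed device, rejecting it with an error return would be the more defensible choice, provided that matches the error convention the rest of this file uses (not visible here). If clamping is the deliberate convention, a one-line comment above each min_t(), `/* cap the device-supplied count; anything above MAX_STREAMS is a malformed device */`, would make that intent explicit. detect_stream_formats() starts and ends outside the hunk.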
diff --git a/queue-6.17/alsa-hda-cs35l41-fix-null-pointer-dereference-in-cs35l41_hda_read_acpi.patch b/queue-6.17/alsa-hda-cs35l41-fix-null-pointer-dereference-in-cs35l41_hda_read_acpi.patch
new file mode 100644
index 0000000000..635437b145
--- /dev/null
+++ b/queue-6.17/alsa-hda-cs35l41-fix-null-pointer-dereference-in-cs35l41_hda_read_acpi.patch
@@ -0,0 +1,37 @@
+From c34b04cc6178f33c08331568c7fd25c5b9a39f66 Mon Sep 17 00:00:00 2001
+From: Denis Arefev
+Date: Tue, 2 Dec 2025 13:13:36 +0300
+Subject: ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()
+
+From: Denis Arefev
+
+commit c34b04cc6178f33c08331568c7fd25c5b9a39f66 upstream.
+
+The acpi_get_first_physical_node() function can return NULL, in which
+case the get_device() function also returns NULL, but this value is
+then dereferenced without checking,so add a check to prevent a crash.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 7b2f3eb492da ("ALSA: hda: cs35l41: Add support for CS35L41 in HDA systems")
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Arefev
+Reviewed-by: Richard Fitzgerald
+Signed-off-by: Takashi Iwai
+Link: https://patch.msgid.link/20251202101338.11437-1-arefev@swemel.ru
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/hda/codecs/side-codecs/cs35l41_hda.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/hda/codecs/side-codecs/cs35l41_hda.c
++++ b/sound/hda/codecs/side-codecs/cs35l41_hda.c
+@@ -1917,6 +1917,8 @@ static int cs35l41_hda_read_acpi(struct
+
+ cs35l41->dacpi = adev;
+ physdev = get_device(acpi_get_first_physical_node(adev));
++ if (!physdev)
++ return -ENODEV;
+
+ sub = acpi_get_subsystem_id(ACPI_HANDLE(physdev));
+ if (IS_ERR(sub))
diff --git a/queue-6.17/alsa-hda-realtek-add-match-for-asus-xbox-ally-projects.patch b/queue-6.17/alsa-hda-realtek-add-match-for-asus-xbox-ally-projects.patch
new file mode 100644
index 0000000000..833c7413aa
--- /dev/null
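Review bot: The new bare `return -ENODEV;` leaves the function right after `cs35l41->dacpi = adev;` has been stored, so whatever reference the function took on adev before this point (the lookup is outside the hunk) is not released the way its later error path presumably does; if adev came from a get-style ACPI lookup, this should drop it (`acpi_dev_put(adev)`) or jump to the existing error label rather than return directly. A `dev_err()` naming the missing physical node would also help, since the caller otherwise only sees -ENODEV. cs35l41_hda_read_acpi() starts and ends outside the hunk, so both points need confirming against the surrounding code.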
+++ b/queue-6.17/alsa-hda-realtek-add-match-for-asus-xbox-ally-projects.patch
@@ -0,0 +1,33 @@
+From 18a4895370a79a3efb4a53ccd1efffef6c5b634e Mon Sep 17 00:00:00 2001
+From: Antheas Kapenekakis
+Date: Sun, 26 Oct 2025 20:16:35 +0100
+Subject: ALSA: hda/realtek: Add match for ASUS Xbox Ally projects
+
+From: Antheas Kapenekakis
+
+commit 18a4895370a79a3efb4a53ccd1efffef6c5b634e upstream.
+
+Bind the realtek codec to TAS2781 I2C audio amps on ASUS Xbox Ally
+projects. While these projects work without a quirk, adding it increases
+the output volume significantly.
+
+Cc: stable@vger.kernel.org # 6.17
+Signed-off-by: Antheas Kapenekakis
+Signed-off-by: Takashi Iwai
+Link: https://patch.msgid.link/20251026191635.2447593-2-lkml@antheas.dev
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/hda/codecs/realtek/alc269.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -6725,6 +6725,8 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x1043, 0x12f0, "ASUS X541UV", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x1313, "Asus K42JZ", ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x1314, "ASUS GA605K", ALC285_FIXUP_ASUS_GA605K_HEADSET_MIC),
++ SND_PCI_QUIRK(0x1043, 0x1384, "ASUS RC73XA", ALC287_FIXUP_TXNW2781_I2C),
++ SND_PCI_QUIRK(0x1043, 0x1394, "ASUS RC73YA", ALC287_FIXUP_TXNW2781_I2C),
+ SND_PCI_QUIRK(0x1043, 0x13b0, "ASUS Z550SA", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_ASUS_ZENBOOK),
+ SND_PCI_QUIRK(0x1043, 0x1433, "ASUS GX650PY/PZ/PV/PU/PYV/PZV/PIV/PVV", ALC285_FIXUP_ASUS_I2C_HEADSET_MIC),
diff --git a/queue-6.17/alsa-hda-tas2781-fix-speaker-id-retrieval-for-multiple-probes.patch b/queue-6.17/alsa-hda-tas2781-fix-speaker-id-retrieval-for-multiple-probes.patch
new file mode 100644
index 0000000000..092c40ee43
--- /dev/null
+++ b/queue-6.17/alsa-hda-tas2781-fix-speaker-id-retrieval-for-multiple-probes.patch 
@@ -0,0 +1,131 @@
+From 945865a0ddf3e3950aea32e23e10d815ee9b21bc Mon Sep 17 00:00:00 2001
+From: Antheas Kapenekakis
+Date: Sun, 26 Oct 2025 20:16:34 +0100
+Subject: ALSA: hda/tas2781: fix speaker id retrieval for multiple probes
+
+From: Antheas Kapenekakis
+
+commit 945865a0ddf3e3950aea32e23e10d815ee9b21bc upstream.
+
+Currently, on ASUS projects, the TAS2781 codec attaches the speaker GPIO
+to the first tasdevice_priv instance using devm. This causes
+tas2781_read_acpi to fail on subsequent probes since the GPIO is already
+managed by the first device. This causes a failure on Xbox Ally X,
+because it has two amplifiers, and prevents us from quirking both the
+Xbox Ally and Xbox Ally X in the realtek codec driver.
+
+It is unnecessary to attach the GPIO to a device as it is static.
+Therefore, instead of attaching it and then reading it when loading the
+firmware, read its value directly in tas2781_read_acpi and store it in
+the private data structure. Then, make reading the value non-fatal so
+that ASUS projects that miss a speaker pin can still work, perhaps using
+fallback firmware.
+
+Fixes: 4e7035a75da9 ("ALSA: hda/tas2781: Add speaker id check for ASUS projects")
+Cc: stable@vger.kernel.org # 6.17
+Signed-off-by: Antheas Kapenekakis
+Reviewed-by: Baojun Xu
+Signed-off-by: Takashi Iwai
+Link: https://patch.msgid.link/20251026191635.2447593-1-lkml@antheas.dev
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/sound/tas2781.h | 2 -
+ sound/hda/codecs/side-codecs/tas2781_hda_i2c.c | 44 ++++++++++++++-----------
+ 2 files changed, 26 insertions(+), 20 deletions(-)
+
+--- a/include/sound/tas2781.h
++++ b/include/sound/tas2781.h
+@@ -183,7 +183,6 @@ struct tasdevice_priv {
+ struct acoustic_data acou_data;
+ #endif
+ struct tasdevice_fw *fmw;
+- struct gpio_desc *speaker_id;
+ struct gpio_desc *reset;
+ struct mutex codec_lock;
+ struct regmap *regmap;
+@@ -200,6 +199,7 @@ struct tasdevice_priv {
+ unsigned int magic_num;
+ unsigned int chip_id;
+ unsigned int sysclk;
++ int speaker_id;
+
+ int irq;
+ int cur_prog;
+--- a/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c
++++ b/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c
+@@ -85,6 +85,7 @@ static const struct acpi_gpio_mapping ta
+
+ static int tas2781_read_acpi(struct tasdevice_priv *p, const char *hid)
+ {
++ struct gpio_desc *speaker_id;
+ struct acpi_device *adev;
+ struct device *physdev;
+ LIST_HEAD(resources);
+@@ -117,19 +118,31 @@ static int tas2781_read_acpi(struct tasd
+ /* Speaker id was needed for ASUS projects.
 */
+ ret = kstrtou32(sub, 16, &subid);
+ if (!ret && upper_16_bits(subid) == PCI_VENDOR_ID_ASUSTEK) {
+- ret = devm_acpi_dev_add_driver_gpios(p->dev,
+- tas2781_speaker_id_gpios);
+- if (ret < 0)
++ ret = acpi_dev_add_driver_gpios(adev, tas2781_speaker_id_gpios);
++ if (ret < 0) {
+ dev_err(p->dev, "Failed to add driver gpio %d.\n",
+ ret);
+- p->speaker_id = devm_gpiod_get(p->dev, "speakerid", GPIOD_IN);
+- if (IS_ERR(p->speaker_id)) {
+- dev_err(p->dev, "Failed to get Speaker id.\n");
+- ret = PTR_ERR(p->speaker_id);
+- goto err;
++ p->speaker_id = -1;
++ goto end_2563;
++ }
++
++ speaker_id = fwnode_gpiod_get_index(acpi_fwnode_handle(adev),
++ "speakerid", 0, GPIOD_IN, NULL);
++ if (!IS_ERR(speaker_id)) {
++ p->speaker_id = gpiod_get_value_cansleep(speaker_id);
++ dev_dbg(p->dev, "Got speaker id gpio from ACPI: %d.\n",
++ p->speaker_id);
++ gpiod_put(speaker_id);
++ } else {
++ p->speaker_id = -1;
++ ret = PTR_ERR(speaker_id);
++ dev_err(p->dev, "Get speaker id gpio failed %d.\n",
++ ret);
+ }
++
++ acpi_dev_remove_driver_gpios(adev);
+ } else {
+- p->speaker_id = NULL;
++ p->speaker_id = -1;
+ }
+
+ end_2563:
+@@ -430,23 +443,16 @@ static void tasdevice_dspfw_init(void *c
+ struct tas2781_hda *tas_hda = dev_get_drvdata(tas_priv->dev);
+ struct tas2781_hda_i2c_priv *hda_priv = tas_hda->hda_priv;
+ struct hda_codec *codec = tas_priv->codec;
+- int ret, spk_id;
++ int ret;
+
+ tasdevice_dsp_remove(tas_priv);
+ tas_priv->fw_state = TASDEVICE_DSP_FW_PENDING;
+- if (tas_priv->speaker_id != NULL) {
+- // Speaker id need to be checked for ASUS only.
+- spk_id = gpiod_get_value(tas_priv->speaker_id);
+- if (spk_id < 0) {
+- // Speaker id is not valid, use default.
+- dev_dbg(tas_priv->dev, "Wrong spk_id = %d\n", spk_id);
+- spk_id = 0;
+- }
++ if (tas_priv->speaker_id >= 0) {
+ snprintf(tas_priv->coef_binaryname,
+ sizeof(tas_priv->coef_binaryname),
+ "TAS2XXX%04X%d.bin",
+ lower_16_bits(codec->core.subsystem_id),
+- spk_id);
++ tas_priv->speaker_id);
+ } else {
+ snprintf(tas_priv->coef_binaryname,
+ sizeof(tas_priv->coef_binaryname),
diff --git a/queue-6.17/alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch b/queue-6.17/alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch
new file mode 100644
index 0000000000..0afceb324e
--- /dev/null
+++ b/queue-6.17/alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch
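Review bot: In the new `else` branch after fwnode_gpiod_get_index() fails, `ret = PTR_ERR(speaker_id);` is stored and execution then continues through `acpi_dev_remove_driver_gpios(adev)` to `end_2563:`; the commit message says a missing speaker id is meant to be non-fatal, so whether that negative `ret` escapes depends on what follows `end_2563:` outside the hunk and should be confirmed — if it is never returned, the assignment is dead and can be dropped, and the same applies to the `goto end_2563;` taken when acpi_dev_add_driver_gpios() fails. Given that the commit explicitly expects ASUS boards without a speaker pin, logging that case with dev_err() will print an error on every boot of those machines; `dev_info()` or `dev_dbg()` fits a condition the driver now tolerates. A short comment above the `fwnode_gpiod_get_index()` call, `/* read the static speaker-id pin once; not bound to this device so later probes can read it too */`, would record why the devm path was dropped. tas2781_read_acpi() begins and ends outside the hunk.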
@@ -0,0 +1,39 @@
+From 0c4a13ba88594fd4a27292853e736c6b4349823d Mon Sep 17 00:00:00 2001
+From: Junrui Luo
+Date: Thu, 6 Nov 2025 10:49:46 +0800
+Subject: ALSA: wavefront: Fix integer overflow in sample size validation
+
+From: Junrui Luo
+
+commit 0c4a13ba88594fd4a27292853e736c6b4349823d upstream.
+
+The wavefront_send_sample() function has an integer overflow issue
+when validating sample size. The header->size field is u32 but gets
+cast to int for comparison with dev->freemem
+
+Fix by using unsigned comparison to avoid integer overflow.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Junrui Luo
+Link: https://patch.msgid.link/SYBPR01MB7881B47789D1B060CE8BF4C3AFC2A@SYBPR01MB7881.ausprd01.prod.outlook.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/isa/wavefront/wavefront_synth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/isa/wavefront/wavefront_synth.c
++++ b/sound/isa/wavefront/wavefront_synth.c
+@@ -950,9 +950,9 @@ wavefront_send_sample (snd_wavefront_t *
+ if (header->size) {
+ dev->freemem = wavefront_freemem (dev);
+
+- if (dev->freemem < (int)header->size) {
++ if (dev->freemem < 0 || dev->freemem < header->size) {
+ dev_err(dev->card->dev,
+- "insufficient memory to load %d byte sample.\n",
++ "insufficient memory to load %u byte sample.\n",
+ header->size);
+ return -ENOMEM;
+ }
diff --git a/queue-6.17/series b/queue-6.17/series
index d91bd182c4..8e1cc38db1 100644
--- a/queue-6.17/series
+++ b/queue-6.17/series
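Review bot: The new condition depends on evaluation order: `dev->freemem < 0` has to be tested first because the second comparison promotes the int `dev->freemem` to the unsigned type of `header->size`, which is exactly what made the old `(int)` cast wrong for sizes above INT_MAX. Nothing on the line says so, and a later cleanup could merge or reorder the two tests; a comment above it, `/* freemem < 0 is an error; the unsigned compare below would otherwise wrap it */`, would pin the ordering. wavefront_send_sample() starts and ends outside the hunk.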
@@ -495,3 +495,13 @@ irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch
 cpu-make-atomic-hotplug-callbacks-run-with-interrupt.patch
 ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch
 perf-x86-intel-fix-null-event-dereference-crash-in-h.patch
+usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch
+usb-typec-ucsi-fix-probe-failure-in-gaokun_ucsi_probe.patch
+usb-phy-initialize-struct-usb_phy-list_head.patch
+usb-typec-ucsi-fix-use-after-free-caused-by-uec-work.patch
+usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch
+alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
+alsa-hda-realtek-add-match-for-asus-xbox-ally-projects.patch
+alsa-hda-tas2781-fix-speaker-id-retrieval-for-multiple-probes.patch
+alsa-hda-cs35l41-fix-null-pointer-dereference-in-cs35l41_hda_read_acpi.patch
+alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch
diff --git a/queue-6.17/usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch b/queue-6.17/usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch
new file mode 100644
index 0000000000..16f980971f
--- /dev/null
+++ b/queue-6.17/usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch
@@ -0,0 +1,39 @@
+From 5ed9cc71432a8adf3c42223c935f714aac29901b Mon Sep 17 00:00:00 2001
+From: Sven Peter
+Date: Wed, 15 Oct 2025 15:40:42 +0000
+Subject: usb: dwc3: dwc3_power_off_all_roothub_ports: Use ioremap_np when required
+
+From: Sven Peter
+
+commit 5ed9cc71432a8adf3c42223c935f714aac29901b upstream.
+
+On Apple Silicon machines we can't use ioremap() / Device-nGnRE to map most
+regions but must use ioremap_np() / Device-nGnRnE whenever
+IORESOURCE_MEM_NONPOSTED is set. Make sure this is also done inside
+dwc3_power_off_all_roothub_ports to prevent SErrors.
+
+Fixes: 2d2a3349521d ("usb: dwc3: Add workaround for host mode VBUS glitch when boot")
+Cc: stable@kernel.org
+Acked-by: Thinh Nguyen
+Reviewed-by: Neal Gompa
+Signed-off-by: Sven Peter
+Link: https://patch.msgid.link/20251015-b4-aplpe-dwc3-v2-2-cbd65a2d511a@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/host.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/host.c
++++ b/drivers/usb/dwc3/host.c
+@@ -37,7 +37,10 @@ static void dwc3_power_off_all_roothub_p
+
+ /* xhci regs are not mapped yet, do it temporarily here */
+ if (dwc->xhci_resources[0].start) {
+- xhci_regs = ioremap(dwc->xhci_resources[0].start, DWC3_XHCI_REGS_END);
++ if (dwc->xhci_resources[0].flags & IORESOURCE_MEM_NONPOSTED)
++ xhci_regs = ioremap_np(dwc->xhci_resources[0].start, DWC3_XHCI_REGS_END);
++ else
++ xhci_regs = ioremap(dwc->xhci_resources[0].start, DWC3_XHCI_REGS_END);
+ if (!xhci_regs) {
+ dev_err(dwc->dev, "Failed to ioremap xhci_regs\n");
+ return;
diff --git a/queue-6.17/usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch b/queue-6.17/usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch
new file mode 100644
index 0000000000..957d4be28a
--- /dev/null
+++ b/queue-6.17/usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch
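Review bot: On architectures that provide no non-posted mapping, ioremap_np() returns NULL, so a resource carrying IORESOURCE_MEM_NONPOSTED there now fails in the existing `if (!xhci_regs)` check with the generic "Failed to ioremap xhci_regs" message instead of taking the old ioremap() path; if that is intended, a comment above the new `if` saying that non-posted resources must not fall back to a posted mapping would make it deliberate rather than accidental. The two mapping calls also repeat the same start/size arguments, so a local such as `resource_size_t start = dwc->xhci_resources[0].start;` would shorten both lines and make the only difference between them visible. dwc3_power_off_all_roothub_ports() starts and ends outside the hunk.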
@@ -0,0 +1,48 @@
+From 2585973c7f9ee31d21e5848c996fab2521fd383d Mon Sep 17 00:00:00 2001
+From: Haotien Hsu
+Date: Thu, 27 Nov 2025 11:35:40 +0800
+Subject: usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt
+
+From: Haotien Hsu
+
+commit 2585973c7f9ee31d21e5848c996fab2521fd383d upstream.
+
+The driver previously skipped handling ClearFeature(ENDPOINT_HALT)
+when the endpoint was already not halted. This prevented the
+controller from resetting the data sequence number and reinitializing
+the endpoint state.
+
+According to USB 3.2 specification Rev. 1.1, section 9.4.5,
+ClearFeature(ENDPOINT_HALT) must always reset the data sequence and
+set the stream state machine to Disabled, regardless of whether the
+endpoint was halted.
+
+Remove the early return so that ClearFeature(ENDPOINT_HALT) always
+resets the endpoint sequence state as required by the specification.
+
+Fixes: 49db427232fe ("usb: gadget: Add UDC driver for tegra XUSB device mode controller")
+Cc: stable
+Signed-off-by: Haotien Hsu
+Signed-off-by: Wayne Chang
+Link: https://patch.msgid.link/20251127033540.2287517-1-waynec@nvidia.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/udc/tegra-xudc.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/usb/gadget/udc/tegra-xudc.c
++++ b/drivers/usb/gadget/udc/tegra-xudc.c
+@@ -1559,12 +1559,6 @@ static int __tegra_xudc_ep_set_halt(stru
+ return -ENOTSUPP;
+ }
+
+- if (!!(xudc_readl(xudc, EP_HALT) & BIT(ep->index)) == halt) {
+- dev_dbg(xudc->dev, "EP %u already %s\n", ep->index,
+- halt ? "halted" : "not halted");
+- return 0;
+- }
+-
+ if (halt) {
+ ep_halt(xudc, ep->index);
+ } else {
diff --git a/queue-6.17/usb-phy-initialize-struct-usb_phy-list_head.patch b/queue-6.17/usb-phy-initialize-struct-usb_phy-list_head.patch
new file mode 100644
index 0000000000..647e3ad85e
--- /dev/null
+++ b/queue-6.17/usb-phy-initialize-struct-usb_phy-list_head.patch
@@ -0,0 +1,59 @@
+From c69ff68b097b0f53333114f1b2c3dc128f389596 Mon Sep 17 00:00:00 2001
+From: Diogo Ivo
+Date: Fri, 21 Nov 2025 18:16:36 +0000
+Subject: usb: phy: Initialize struct usb_phy list_head
+
+From: Diogo Ivo
+
+commit c69ff68b097b0f53333114f1b2c3dc128f389596 upstream.
+
+As part of the registration of a new 'struct usb_phy' with the USB PHY core
+via either usb_add_phy(struct usb_phy *x, ...) or usb_add_phy_dev(struct
+usb_phy *x) these functions call list_add_tail(&x->head, phy_list) in
+order for the new instance x to be stored in phy_list, a static list
+kept internally by the core.
+
+After 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy")
+when executing either of the registration functions above it is possible
+that usb_add_extcon() fails, leading to either function returning before
+the call to list_add_tail(), leaving x->head uninitialized.
+
+Then, when a driver tries to undo the failed registration by calling
+usb_remove_phy(struct usb_phy *x) there will be an unconditional call to
+list_del(&x->head) acting on an uninitialized variable, and thus a
+possible NULL pointer dereference.
+
+Fix this by initializing x->head before usb_add_extcon() has a
+chance to fail. Note that this was not needed before 7d21114dc6a2 since
+list_add_phy() was executed unconditionally and it guaranteed that x->head
+was initialized.
+
+Fixes: 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy")
+Cc: stable
+Signed-off-by: Diogo Ivo
+Link: https://patch.msgid.link/20251121-diogo-smaug_typec-v2-1-5c37c1169d57@tecnico.ulisboa.pt
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/phy/phy.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/phy/phy.c
++++ b/drivers/usb/phy/phy.c
+@@ -646,6 +646,8 @@ int usb_add_phy(struct usb_phy *x, enum
+ return -EINVAL;
+ }
+
++ INIT_LIST_HEAD(&x->head);
++
+ usb_charger_init(x);
+ ret = usb_add_extcon(x);
+ if (ret)
+@@ -696,6 +698,8 @@ int usb_add_phy_dev(struct usb_phy *x)
+ return -EINVAL;
+ }
+
++ INIT_LIST_HEAD(&x->head);
++
+ usb_charger_init(x);
+ ret = usb_add_extcon(x);
+ if (ret)
diff --git a/queue-6.17/usb-typec-ucsi-fix-probe-failure-in-gaokun_ucsi_probe.patch b/queue-6.17/usb-typec-ucsi-fix-probe-failure-in-gaokun_ucsi_probe.patch
new file mode 100644
index 0000000000..9e4d365d9e
--- /dev/null
+++ b/queue-6.17/usb-typec-ucsi-fix-probe-failure-in-gaokun_ucsi_probe.patch
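Review bot: The position of the new `INIT_LIST_HEAD(&x->head);` is the whole fix, yet nothing in the code says why it must come before usb_add_extcon(); a later tidy-up could move it next to the list_add_tail() further down and silently reintroduce the bug the commit message describes. A comment above each new line, `/* usb_remove_phy() does an unconditional list_del(&x->head); it must be valid even if usb_add_extcon() fails below */`, would pin the ordering. The same applies to both hunks, usb_add_phy() and usb_add_phy_dev(); both functions begin and end outside the hunk.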
@@ -0,0 +1,46 @@
+From 6b120ef99fbcba9e413783561f8cc160719db589 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou
+Date: Tue, 25 Nov 2025 18:36:26 +0800
+Subject: usb: typec: ucsi: fix probe failure in gaokun_ucsi_probe()
+
+From: Duoming Zhou
+
+commit 6b120ef99fbcba9e413783561f8cc160719db589 upstream.
+
+The gaokun_ucsi_probe() uses ucsi_create() to allocate a UCSI instance.
+The ucsi_create() validates whether ops->poll_cci is defined, and if not,
+it directly returns -EINVAL. However, the gaokun_ucsi_ops structure does
+not define the poll_cci, causing ucsi_create() always fail with -EINVAL.
+This issue can be observed in the kernel log with the following error:
+
+ucsi_huawei_gaokun.ucsi huawei_gaokun_ec.ucsi.0: probe with driver
+ucsi_huawei_gaokun.ucsi failed with error -22
+
+Fix the issue by adding the missing poll_cci callback to gaokun_ucsi_ops.
+
+Fixes: 00327d7f2c8c ("usb: typec: ucsi: add Huawei Matebook E Go ucsi driver")
+Cc: stable
+Signed-off-by: Duoming Zhou
+Reviewed-by: Heikki Krogerus
+Reviewed-by: Pengyu Luo
+Link: https://patch.msgid.link/4d077d6439d728be68646bb8c8678436a3a0885e.1764065838.git.duoming@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c b/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c
+index 7b5222081bbb..8401ab414bd9 100644
+--- a/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c
++++ b/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c
+@@ -196,6 +196,7 @@ static void gaokun_ucsi_connector_status(struct ucsi_connector *con)
+ const struct ucsi_operations gaokun_ucsi_ops = {
+ .read_version = gaokun_ucsi_read_version,
+ .read_cci = gaokun_ucsi_read_cci,
++ .poll_cci = gaokun_ucsi_read_cci,
+ .read_message_in = gaokun_ucsi_read_message_in,
+ .sync_control = ucsi_sync_control_common,
+ .async_control = gaokun_ucsi_async_control,
+--
+2.52.0
+
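Review bot: Pointing `.poll_cci` at gaokun_ucsi_read_cci is presumably correct if that read already completes synchronously against the EC, but at the definition it reads like a duplicate of the line above rather than a deliberate choice, and the commit message only explains that ucsi_create() requires the callback. A trailing comment, `.poll_cci = gaokun_ucsi_read_cci, /* no separate polling path; the plain CCI read serves both */`, would record the intent for the next reader. The ops table continues outside the hunk.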
diff --git a/queue-6.17/usb-typec-ucsi-fix-use-after-free-caused-by-uec-work.patch b/queue-6.17/usb-typec-ucsi-fix-use-after-free-caused-by-uec-work.patch
new file mode 100644
index 0000000000..d1ba607119
--- /dev/null
+++ b/queue-6.17/usb-typec-ucsi-fix-use-after-free-caused-by-uec-work.patch
@@ -0,0 +1,134 @@
+From 2b7a0f47aaf2439d517ba0a6b29c66a535302154 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou
+Date: Tue, 25 Nov 2025 18:36:27 +0800
+Subject: usb: typec: ucsi: fix use-after-free caused by uec->work
+
+From: Duoming Zhou
+
+commit 2b7a0f47aaf2439d517ba0a6b29c66a535302154 upstream.
+
+The delayed work uec->work is scheduled in gaokun_ucsi_probe()
+but never properly canceled in gaokun_ucsi_remove(). This creates
+use-after-free scenarios where the ucsi and gaokun_ucsi structure
+are freed after ucsi_destroy() completes execution, while the
+gaokun_ucsi_register_worker() might be either currently executing
+or still pending in the work queue. The already-freed gaokun_ucsi
+or ucsi structure may then be accessed.
+
+Furthermore, the race window is 3 seconds, which is sufficiently
+long to make this bug easily reproducible. The following is the
+trace captured by KASAN:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630
+Write of size 8 at addr ffff00000ec28cc8 by task swapper/0/0
+...
+Call trace: + show_stack+0x18/0x24 (C) + dump_stack_lvl+0x78/0x90 + print_report+0x114/0x580 + kasan_report+0xa4/0xf0 + __asan_report_store8_noabort+0x20/0x2c + __run_timers+0x5ec/0x630 + run_timer_softirq+0xe8/0x1cc + handle_softirqs+0x294/0x720 + __do_softirq+0x14/0x20 + ____do_softirq+0x10/0x1c + call_on_irq_stack+0x30/0x48 + do_softirq_own_stack+0x1c/0x28 + __irq_exit_rcu+0x27c/0x364 + irq_exit_rcu+0x10/0x1c + el1_interrupt+0x40/0x60 + el1h_64_irq_handler+0x18/0x24 + el1h_64_irq+0x6c/0x70 + arch_local_irq_enable+0x4/0x8 (P) + do_idle+0x334/0x458 + cpu_startup_entry+0x60/0x70 + rest_init+0x158/0x174 + start_kernel+0x2f8/0x394 + __primary_switched+0x8c/0x94 + +Allocated by task 72 on cpu 0 at 27.510341s: + kasan_save_stack+0x2c/0x54 + kasan_save_track+0x24/0x5c + kasan_save_alloc_info+0x40/0x54 + __kasan_kmalloc+0xa0/0xb8 + __kmalloc_node_track_caller_noprof+0x1c0/0x588 + devm_kmalloc+0x7c/0x1c8 + gaokun_ucsi_probe+0xa0/0x840 auxiliary_bus_probe+0x94/0xf8 + really_probe+0x17c/0x5b8 + __driver_probe_device+0x158/0x2c4 + driver_probe_device+0x10c/0x264 + __device_attach_driver+0x168/0x2d0 + bus_for_each_drv+0x100/0x188 + __device_attach+0x174/0x368 + device_initial_probe+0x14/0x20 + bus_probe_device+0x120/0x150 + device_add+0xb3c/0x10fc + __auxiliary_device_add+0x88/0x130 +... + +Freed by task 73 on cpu 1 at 28.910627s: + kasan_save_stack+0x2c/0x54 + kasan_save_track+0x24/0x5c + __kasan_save_free_info+0x4c/0x74 + __kasan_slab_free+0x60/0x8c + kfree+0xd4/0x410 + devres_release_all+0x140/0x1f0 + device_unbind_cleanup+0x20/0x190 + device_release_driver_internal+0x344/0x460 + device_release_driver+0x18/0x24 + bus_remove_device+0x198/0x274 + device_del+0x310/0xa84 +... 
+
+The buggy address belongs to the object at ffff00000ec28c00
+ which belongs to the cache kmalloc-512 of size 512
+The buggy address is located 200 bytes inside of
+ freed 512-byte region
+The buggy address belongs to the physical page:
+page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28
+head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
+page_type: f5(slab)
+raw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000
+raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
+head: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000
+head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
+head: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff
+head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Add disable_delayed_work_sync() in gaokun_ucsi_remove() to ensure
+that uec->work is properly canceled and prevented from executing
+after the ucsi and gaokun_ucsi structure have been deallocated.
+
+Fixes: 00327d7f2c8c ("usb: typec: ucsi: add Huawei Matebook E Go ucsi driver")
+Cc: stable
+Signed-off-by: Duoming Zhou
+Reviewed-by: Heikki Krogerus
+Link: https://patch.msgid.link/cc31e12ef9ffbf86676585b02233165fd33f0d8e.1764065838.git.duoming@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c
++++ b/drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c
+@@ -503,6 +503,7 @@ static void gaokun_ucsi_remove(struct au
+ {
+ struct gaokun_ucsi *uec = auxiliary_get_drvdata(adev);
+
++ disable_delayed_work_sync(&uec->work);
+ gaokun_ec_unregister_notify(uec->ec, &uec->nb);
+ ucsi_unregister(uec->ucsi);
+ ucsi_destroy(uec->ucsi);
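Review bot: Adding `disable_delayed_work_sync(&uec->work);` to remove covers the normal unbind, but the commit message says the work is scheduled in gaokun_ucsi_probe(); if probe can fail after that point, its error path (outside the hunk) would free the devm-allocated uec with the same work still pending, so that path needs the same call — worth confirming. Placing the call before gaokun_ec_unregister_notify() is right if the notifier is what re-arms the work, and disable (rather than cancel) is what keeps a late notification from re-queuing it; a one-line comment, `/* stop uec->work before tearing down the ucsi it touches; disable so the notifier cannot re-arm it */`, would record that reasoning for the next reader. gaokun_ucsi_remove() ends outside the hunk.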