From 295fcbcec7983f68142fd1416dde5d4a53a349db Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 16 Dec 2025 11:33:34 +0100
Subject: [PATCH] 6.12-stable patches
added patches:
alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch
usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch
usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch
usb-phy-initialize-struct-usb_phy-list_head.patch
---
...er-overflow-in-detect_stream_formats.patch | 50 ++++++++++++++++
...r-overflow-in-sample-size-validation.patch | 39 ++++++++++++
queue-6.12/series | 5 ++
...b_ports-use-ioremap_np-when-required.patch | 39 ++++++++++++
...itialize-data-toggle-when-clear-halt.patch | 48 +++++++++++++++
...-initialize-struct-usb_phy-list_head.patch | 59 +++++++++++++++++++
6 files changed, 240 insertions(+)
create mode 100644 queue-6.12/alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
create mode 100644 queue-6.12/alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch
create mode 100644 queue-6.12/usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch
create mode 100644 queue-6.12/usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch
create mode 100644 queue-6.12/usb-phy-initialize-struct-usb_phy-list_head.patch
diff --git a/queue-6.12/alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch b/queue-6.12/alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
new file mode 100644
index 0000000000..df6faa8ab1
--- /dev/null
+++ b/queue-6.12/alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
@@ -0,0 +1,50 @@
+From 324f3e03e8a85931ce0880654e3c3eb38b0f0bba Mon Sep 17 00:00:00 2001
+From: Junrui Luo
+Date: Fri, 28 Nov 2025 12:06:31 +0800
+Subject: ALSA: dice: fix buffer overflow in detect_stream_formats()
+
+From: Junrui Luo
+
+commit 324f3e03e8a85931ce0880654e3c3eb38b0f0bba upstream.
+
+The function detect_stream_formats() reads the stream_count value directly
+from a FireWire device without validating it. This can lead to
+out-of-bounds writes when a malicious device provides a stream_count value
+greater than MAX_STREAMS.
+
+Fix by applying the same validation to both TX and RX stream counts in
+detect_stream_formats().
+
+Reported-by: Yuhao Jiang
+Reported-by: Junrui Luo
+Fixes: 58579c056c1c ("ALSA: dice: use extended protocol to detect available stream formats")
+Cc: stable@vger.kernel.org
+Reviewed-by: Takashi Sakamoto
+Signed-off-by: Junrui Luo
+Link: https://patch.msgid.link/SYBPR01MB7881B043FC68B4C0DA40B73DAFDCA@SYBPR01MB7881.ausprd01.prod.outlook.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/firewire/dice/dice-extension.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/firewire/dice/dice-extension.c
++++ b/sound/firewire/dice/dice-extension.c
+@@ -116,7 +116,7 @@ static int detect_stream_formats(struct
+ break;
+
+ base_offset += EXT_APP_STREAM_ENTRIES;
+- stream_count = be32_to_cpu(reg[0]);
++ stream_count = min_t(unsigned int, be32_to_cpu(reg[0]), MAX_STREAMS);
+ err = read_stream_entries(dice, section_addr, base_offset,
+ stream_count, mode,
+ dice->tx_pcm_chs,
+@@ -125,7 +125,7 @@ static int detect_stream_formats(struct
+ break;
+
+ base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE;
+- stream_count = be32_to_cpu(reg[1]);
++ stream_count = min_t(unsigned int, be32_to_cpu(reg[1]), MAX_STREAMS);
+ err = read_stream_entries(dice, section_addr, base_offset,
+ stream_count,
+ mode, dice->rx_pcm_chs,
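Review bot: After the TX count is clamped with `min_t(unsigned int, be32_to_cpu(reg[0]), MAX_STREAMS)`, the context line `base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE;` advances by the clamped value, not by the count the device reported. If the RX entries follow all reported TX entries (the register layout is not visible here), a device advertising more than MAX_STREAMS TX streams would have its RX formats read from TX entry data: the out-of-bounds write is closed, but the parsed result is silently wrong. Rejecting such a device looks safer than truncating, e.g. `if (be32_to_cpu(reg[0]) > MAX_STREAMS) { err = -EIO; break; }` with the same test for `reg[1]`; at minimum a comment should state that truncation is deliberate. detect_stream_formats() begins and ends outside the hunk, so the error path needs checking against the rest of the function.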
diff --git a/queue-6.12/alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch b/queue-6.12/alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch
new file mode 100644
index 0000000000..0afceb324e
--- /dev/null
+++ b/queue-6.12/alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch
@@ -0,0 +1,39 @@
+From 0c4a13ba88594fd4a27292853e736c6b4349823d Mon Sep 17 00:00:00 2001
+From: Junrui Luo
+Date: Thu, 6 Nov 2025 10:49:46 +0800
+Subject: ALSA: wavefront: Fix integer overflow in sample size validation
+
+From: Junrui Luo
+
+commit 0c4a13ba88594fd4a27292853e736c6b4349823d upstream.
+
+The wavefront_send_sample() function has an integer overflow issue
+when validating sample size. The header->size field is u32 but gets
+cast to int for comparison with dev->freemem
+
+Fix by using unsigned comparison to avoid integer overflow.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Junrui Luo
+Link: https://patch.msgid.link/SYBPR01MB7881B47789D1B060CE8BF4C3AFC2A@SYBPR01MB7881.ausprd01.prod.outlook.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/isa/wavefront/wavefront_synth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/isa/wavefront/wavefront_synth.c
++++ b/sound/isa/wavefront/wavefront_synth.c
+@@ -950,9 +950,9 @@ wavefront_send_sample (snd_wavefront_t *
+ if (header->size) {
+ dev->freemem = wavefront_freemem (dev);
+
+- if (dev->freemem < (int)header->size) {
++ if (dev->freemem < 0 || dev->freemem < header->size) {
+ dev_err(dev->card->dev,
+- "insufficient memory to load %d byte sample.\n",
++ "insufficient memory to load %u byte sample.\n",
+ header->size);
+ return -ENOMEM;
+ }
diff --git a/queue-6.12/series b/queue-6.12/series
index ed0902f777..66d6d1a788 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
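Review bot: The new test `dev->freemem < 0 || dev->freemem < header->size` is only safe because of evaluation order: the commit message says header->size is u32, and freemem appears to be a signed int (the old code cast to `int`), so the second comparison converts freemem to unsigned and depends on the `< 0` guard having run first. Making the conversion explicit, `if (dev->freemem < 0 || (u32)dev->freemem < header->size) {`, documents that and survives a later sign-compare cleanup or reordering. A negative freemem is also logged as "insufficient memory to load %u byte sample" and returned as -ENOMEM, which hides what is presumably a failed wavefront_freemem() query; a distinct message for that case would help triage. wavefront_send_sample() continues outside the hunk.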
@@ -347,3 +347,8 @@ loongarch-add-machine_kexec_mask_interrupts-implementation.patch
 net-lan743x-allocate-rings-outside-zone_dma.patch
 net-dst-introduce-dst-dev_rcu.patch
 tcp_metrics-use-dst_dev_net_rcu.patch
+usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch
+usb-phy-initialize-struct-usb_phy-list_head.patch
+usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch
+alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
+alsa-wavefront-fix-integer-overflow-in-sample-size-validation.patch
diff --git a/queue-6.12/usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch b/queue-6.12/usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch
new file mode 100644
index 0000000000..72beda2dad
--- /dev/null
+++ b/queue-6.12/usb-dwc3-dwc3_power_off_all_roothub_ports-use-ioremap_np-when-required.patch
@@ -0,0 +1,39 @@
+From 5ed9cc71432a8adf3c42223c935f714aac29901b Mon Sep 17 00:00:00 2001
+From: Sven Peter
+Date: Wed, 15 Oct 2025 15:40:42 +0000
+Subject: usb: dwc3: dwc3_power_off_all_roothub_ports: Use ioremap_np when required
+
+From: Sven Peter
+
+commit 5ed9cc71432a8adf3c42223c935f714aac29901b upstream.
+
+On Apple Silicon machines we can't use ioremap() / Device-nGnRE to map most
+regions but must use ioremap_np() / Device-nGnRnE whenever
+IORESOURCE_MEM_NONPOSTED is set. Make sure this is also done inside
+dwc3_power_off_all_roothub_ports to prevent SErrors.
+
+Fixes: 2d2a3349521d ("usb: dwc3: Add workaround for host mode VBUS glitch when boot")
+Cc: stable@kernel.org
+Acked-by: Thinh Nguyen
+Reviewed-by: Neal Gompa
+Signed-off-by: Sven Peter
+Link: https://patch.msgid.link/20251015-b4-aplpe-dwc3-v2-2-cbd65a2d511a@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/host.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/host.c
++++ b/drivers/usb/dwc3/host.c
+@@ -37,7 +37,10 @@ static void dwc3_power_off_all_roothub_p
+
+ /* xhci regs is not mapped yet, do it temperary here */
+ if (dwc->xhci_resources[0].start) {
+- xhci_regs = ioremap(dwc->xhci_resources[0].start, DWC3_XHCI_REGS_END);
++ if (dwc->xhci_resources[0].flags & IORESOURCE_MEM_NONPOSTED)
++ xhci_regs = ioremap_np(dwc->xhci_resources[0].start, DWC3_XHCI_REGS_END);
++ else
++ xhci_regs = ioremap(dwc->xhci_resources[0].start, DWC3_XHCI_REGS_END);
+ if (!xhci_regs) {
+ dev_err(dwc->dev, "Failed to ioremap xhci_regs\n");
+ return;
diff --git a/queue-6.12/usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch b/queue-6.12/usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch
new file mode 100644
index 0000000000..2b6e8cafdf
--- /dev/null
+++ b/queue-6.12/usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch
@@ -0,0 +1,48 @@
+From 2585973c7f9ee31d21e5848c996fab2521fd383d Mon Sep 17 00:00:00 2001
+From: Haotien Hsu
+Date: Thu, 27 Nov 2025 11:35:40 +0800
+Subject: usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt
+
+From: Haotien Hsu
+
+commit 2585973c7f9ee31d21e5848c996fab2521fd383d upstream.
+
+The driver previously skipped handling ClearFeature(ENDPOINT_HALT)
+when the endpoint was already not halted. This prevented the
+controller from resetting the data sequence number and reinitializing
+the endpoint state.
+
+According to USB 3.2 specification Rev. 1.1, section 9.4.5,
+ClearFeature(ENDPOINT_HALT) must always reset the data sequence and
+set the stream state machine to Disabled, regardless of whether the
+endpoint was halted.
+
+Remove the early return so that ClearFeature(ENDPOINT_HALT) always
+resets the endpoint sequence state as required by the specification.
+
+Fixes: 49db427232fe ("usb: gadget: Add UDC driver for tegra XUSB device mode controller")
+Cc: stable
+Signed-off-by: Haotien Hsu
+Signed-off-by: Wayne Chang
+Link: https://patch.msgid.link/20251127033540.2287517-1-waynec@nvidia.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/udc/tegra-xudc.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/usb/gadget/udc/tegra-xudc.c
++++ b/drivers/usb/gadget/udc/tegra-xudc.c
+@@ -1554,12 +1554,6 @@ static int __tegra_xudc_ep_set_halt(stru
+ return -ENOTSUPP;
+ }
+
+- if (!!(xudc_readl(xudc, EP_HALT) & BIT(ep->index)) == halt) {
+- dev_dbg(xudc->dev, "EP %u already %s\n", ep->index,
+- halt ? "halted" : "not halted");
+- return 0;
+- }
+-
+ if (halt) {
+ ep_halt(xudc, ep->index);
+ } else {
diff --git a/queue-6.12/usb-phy-initialize-struct-usb_phy-list_head.patch b/queue-6.12/usb-phy-initialize-struct-usb_phy-list_head.patch
new file mode 100644
index 0000000000..096b793d63
--- /dev/null
+++ b/queue-6.12/usb-phy-initialize-struct-usb_phy-list_head.patch
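Review bot: Dropping the whole early return in __tegra_xudc_ep_set_halt() also changes the `halt` path, which the commit message does not discuss: a set-halt request on an endpoint that is already halted now reaches `ep_halt(xudc, ep->index)` again instead of returning 0. That may well be harmless, but ep_halt() is not visible here, so it should be confirmed that it tolerates a repeat call. If only the clear path needs to run unconditionally, a narrower guard such as `if (halt && (xudc_readl(xudc, EP_HALT) & BIT(ep->index))) return 0;` would keep the old behaviour for set-halt. Either way, a short comment ahead of `if (halt) {` citing the spec requirement would stop the shortcut from being reintroduced; the function body continues outside the hunk.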
@@ -0,0 +1,59 @@
+From c69ff68b097b0f53333114f1b2c3dc128f389596 Mon Sep 17 00:00:00 2001
+From: Diogo Ivo
+Date: Fri, 21 Nov 2025 18:16:36 +0000
+Subject: usb: phy: Initialize struct usb_phy list_head
+
+From: Diogo Ivo
+
+commit c69ff68b097b0f53333114f1b2c3dc128f389596 upstream.
+
+As part of the registration of a new 'struct usb_phy' with the USB PHY core
+via either usb_add_phy(struct usb_phy *x, ...) or usb_add_phy_dev(struct
+usb_phy *x) these functions call list_add_tail(&x->head, phy_list) in
+order for the new instance x to be stored in phy_list, a static list
+kept internally by the core.
+
+After 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy")
+when executing either of the registration functions above it is possible
+that usb_add_extcon() fails, leading to either function returning before
+the call to list_add_tail(), leaving x->head uninitialized.
+
+Then, when a driver tries to undo the failed registration by calling
+usb_remove_phy(struct usb_phy *x) there will be an unconditional call to
+list_del(&x->head) acting on an uninitialized variable, and thus a
+possible NULL pointer dereference.
+
+Fix this by initializing x->head before usb_add_extcon() has a
+chance to fail. Note that this was not needed before 7d21114dc6a2 since
+list_add_phy() was executed unconditionally and it guaranteed that x->head
+was initialized.
+
+Fixes: 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy")
+Cc: stable
+Signed-off-by: Diogo Ivo
+Link: https://patch.msgid.link/20251121-diogo-smaug_typec-v2-1-5c37c1169d57@tecnico.ulisboa.pt
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/phy/phy.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/phy/phy.c
++++ b/drivers/usb/phy/phy.c
+@@ -672,6 +672,8 @@ int usb_add_phy(struct usb_phy *x, enum
+ return -EINVAL;
+ }
+
++ INIT_LIST_HEAD(&x->head);
++
+ usb_charger_init(x);
+ ret = usb_add_extcon(x);
+ if (ret)
+@@ -722,6 +724,8 @@ int usb_add_phy_dev(struct usb_phy *x)
+ return -EINVAL;
+ }
+
++ INIT_LIST_HEAD(&x->head);
++
+ usb_charger_init(x);
+ ret = usb_add_extcon(x);
+ if (ret)
-- 2.47.3
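Review bot: The two added `INIT_LIST_HEAD(&x->head);` calls in usb_add_phy() and usb_add_phy_dev() carry no comment. Because, per the commit message, list_add_tail() runs later in the same functions, the call looks redundant and is an easy target for a future cleanup, which would bring back the list_del() on an uninitialized head. I would put a one-line comment above each call, for example `/* usb_remove_phy() calls list_del(&x->head) even if we fail before list_add_tail() */`. The same note applies to both hunks; the function bodies, including the usb_add_extcon() failure path, lie outside the visible lines.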