staging-iio-ad9832-correct-phase-range-check.patch
usb-storage-add-max-sectors-quirk-for-nokia-208.patch
usb-serial-cp210x-add-phoenix-contact-ups-device.patch
+usb-gadget-u_serial-disable-ep-before-setting-port-to-null-to-fix-the-crash-caused-by-port-being-null.patch
+usb-usblp-return-error-when-setting-unsupported-protocol.patch
+usb-core-disable-lpm-only-for-non-suspended-ports.patch
+usb-fix-reference-leak-in-usb_new_device.patch
+usb-gadget-f_fs-remove-warn_on-in-functionfs_bind.patch
--- /dev/null
+From 59bfeaf5454b7e764288d84802577f4a99bf0819 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kaihengf@nvidia.com>
+Date: Fri, 6 Dec 2024 15:48:17 +0800
+Subject: USB: core: Disable LPM only for non-suspended ports
+
+From: Kai-Heng Feng <kaihengf@nvidia.com>
+
+commit 59bfeaf5454b7e764288d84802577f4a99bf0819 upstream.
+
+There's USB error when tegra board is shutting down:
+[ 180.919315] usb 2-3: Failed to set U1 timeout to 0x0,error code -113
+[ 180.919995] usb 2-3: Failed to set U1 timeout to 0xa,error code -113
+[ 180.920512] usb 2-3: Failed to set U2 timeout to 0x4,error code -113
+[ 186.157172] tegra-xusb 3610000.usb: xHCI host controller not responding, assume dead
+[ 186.157858] tegra-xusb 3610000.usb: HC died; cleaning up
+[ 186.317280] tegra-xusb 3610000.usb: Timeout while waiting for evaluate context command
+
+The issue is caused by disabling LPM on already suspended ports.
+
+For USB2 LPM, the LPM is already disabled during port suspend. For USB3
+LPM, port won't transit to U1/U2 when it's already suspended in U3,
+hence disabling LPM is only needed for ports that are not suspended.
+
+Cc: Wayne Chang <waynec@nvidia.com>
+Cc: stable <stable@kernel.org>
+Fixes: d920a2ed8620 ("usb: Disable USB3 LPM at shutdown")
+Signed-off-by: Kai-Heng Feng <kaihengf@nvidia.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Tested-by: Jon Hunter <jonathanh@nvidia.com>
+Link: https://lore.kernel.org/r/20241206074817.89189-1-kaihengf@nvidia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/port.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/core/port.c
++++ b/drivers/usb/core/port.c
+@@ -294,10 +294,11 @@ static int usb_port_runtime_suspend(stru
+ static void usb_port_shutdown(struct device *dev)
+ {
+ struct usb_port *port_dev = to_usb_port(dev);
++ struct usb_device *udev = port_dev->child;
+
+- if (port_dev->child) {
+- usb_disable_usb2_hardware_lpm(port_dev->child);
+- usb_unlocked_disable_lpm(port_dev->child);
++ if (udev && !udev->port_is_suspended) {
++ usb_disable_usb2_hardware_lpm(udev);
++ usb_unlocked_disable_lpm(udev);
+ }
+ }
+
--- /dev/null
+From 0df11fa8cee5a9cf8753d4e2672bb3667138c652 Mon Sep 17 00:00:00 2001
+From: Ma Ke <make_ruc2021@163.com>
+Date: Wed, 18 Dec 2024 15:13:46 +0800
+Subject: usb: fix reference leak in usb_new_device()
+
+From: Ma Ke <make_ruc2021@163.com>
+
+commit 0df11fa8cee5a9cf8753d4e2672bb3667138c652 upstream.
+
+When device_add(&udev->dev) succeeds and a later call fails,
+usb_new_device() does not properly call device_del(). As comment of
+device_add() says, 'if device_add() succeeds, you should call
+device_del() when you want to get rid of it. If device_add() has not
+succeeded, use only put_device() to drop the reference count'.
+
+Found by code review.
+
+Cc: stable <stable@kernel.org>
+Fixes: 9f8b17e643fe ("USB: make usbdevices export their device nodes instead of using a separate class")
+Signed-off-by: Ma Ke <make_ruc2021@163.com>
+Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20241218071346.2973980-1-make_ruc2021@163.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/hub.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2592,13 +2592,13 @@ int usb_new_device(struct usb_device *ud
+ err = sysfs_create_link(&udev->dev.kobj,
+ &port_dev->dev.kobj, "port");
+ if (err)
+- goto fail;
++ goto out_del_dev;
+
+ err = sysfs_create_link(&port_dev->dev.kobj,
+ &udev->dev.kobj, "device");
+ if (err) {
+ sysfs_remove_link(&udev->dev.kobj, "port");
+- goto fail;
++ goto out_del_dev;
+ }
+
+ if (!test_and_set_bit(port1, hub->child_usage_bits))
+@@ -2610,6 +2610,8 @@ int usb_new_device(struct usb_device *ud
+ pm_runtime_put_sync_autosuspend(&udev->dev);
+ return err;
+
++out_del_dev:
++ device_del(&udev->dev);
+ fail:
+ usb_set_device_state(udev, USB_STATE_NOTATTACHED);
+ pm_runtime_disable(&udev->dev);
--- /dev/null
+From dfc51e48bca475bbee984e90f33fdc537ce09699 Mon Sep 17 00:00:00 2001
+From: Akash M <akash.m5@samsung.com>
+Date: Thu, 19 Dec 2024 18:22:19 +0530
+Subject: usb: gadget: f_fs: Remove WARN_ON in functionfs_bind
+
+From: Akash M <akash.m5@samsung.com>
+
+commit dfc51e48bca475bbee984e90f33fdc537ce09699 upstream.
+
+This commit addresses an issue related to below kernel panic where
+panic_on_warn is enabled. It is caused by the unnecessary use of WARN_ON
+in functionsfs_bind, which easily leads to the following scenarios.
+
+1.adb_write in adbd 2. UDC write via configfs
+ ================= =====================
+
+->usb_ffs_open_thread() ->UDC write
+ ->open_functionfs() ->configfs_write_iter()
+ ->adb_open() ->gadget_dev_desc_UDC_store()
+ ->adb_write() ->usb_gadget_register_driver_owner
+ ->driver_register()
+->StartMonitor() ->bus_add_driver()
+ ->adb_read() ->gadget_bind_driver()
+<times-out without BIND event> ->configfs_composite_bind()
+ ->usb_add_function()
+->open_functionfs() ->ffs_func_bind()
+ ->adb_open() ->functionfs_bind()
+ <ffs->state !=FFS_ACTIVE>
+
+The adb_open, adb_read, and adb_write operations are invoked from the
+daemon, but trying to bind the function is a process that is invoked by
+UDC write through configfs, which opens up the possibility of a race
+condition between the two paths. In this race scenario, the kernel panic
+occurs due to the WARN_ON from functionfs_bind when panic_on_warn is
+enabled. This commit fixes the kernel panic by removing the unnecessary
+WARN_ON.
+
+Kernel panic - not syncing: kernel: panic_on_warn set ...
+[ 14.542395] Call trace:
+[ 14.542464] ffs_func_bind+0x1c8/0x14a8
+[ 14.542468] usb_add_function+0xcc/0x1f0
+[ 14.542473] configfs_composite_bind+0x468/0x588
+[ 14.542478] gadget_bind_driver+0x108/0x27c
+[ 14.542483] really_probe+0x190/0x374
+[ 14.542488] __driver_probe_device+0xa0/0x12c
+[ 14.542492] driver_probe_device+0x3c/0x220
+[ 14.542498] __driver_attach+0x11c/0x1fc
+[ 14.542502] bus_for_each_dev+0x104/0x160
+[ 14.542506] driver_attach+0x24/0x34
+[ 14.542510] bus_add_driver+0x154/0x270
+[ 14.542514] driver_register+0x68/0x104
+[ 14.542518] usb_gadget_register_driver_owner+0x48/0xf4
+[ 14.542523] gadget_dev_desc_UDC_store+0xf8/0x144
+[ 14.542526] configfs_write_iter+0xf0/0x138
+
+Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Akash M <akash.m5@samsung.com>
+Link: https://lore.kernel.org/r/20241219125221.1679-1-akash.m5@samsung.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1875,7 +1875,7 @@ static int functionfs_bind(struct ffs_da
+
+ ENTER();
+
+- if (WARN_ON(ffs->state != FFS_ACTIVE
++ if ((ffs->state != FFS_ACTIVE
+ || test_and_set_bit(FFS_FL_BOUND, &ffs->flags)))
+ return -EBADFD;
+
--- /dev/null
+From 13014969cbf07f18d62ceea40bd8ca8ec9d36cec Mon Sep 17 00:00:00 2001
+From: Lianqin Hu <hulianqin@vivo.com>
+Date: Tue, 17 Dec 2024 07:58:44 +0000
+Subject: usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null
+
+From: Lianqin Hu <hulianqin@vivo.com>
+
+commit 13014969cbf07f18d62ceea40bd8ca8ec9d36cec upstream.
+
+Considering that in some extreme cases, when performing the
+unbinding operation, gserial_disconnect has cleared gser->ioport,
+which triggers gadget reconfiguration, and then calls gs_read_complete,
+resulting in access to a null pointer. Therefore, ep is disabled before
+gserial_disconnect sets port to null to prevent this from happening.
+
+Call trace:
+ gs_read_complete+0x58/0x240
+ usb_gadget_giveback_request+0x40/0x160
+ dwc3_remove_requests+0x170/0x484
+ dwc3_ep0_out_start+0xb0/0x1d4
+ __dwc3_gadget_start+0x25c/0x720
+ kretprobe_trampoline.cfi_jt+0x0/0x8
+ kretprobe_trampoline.cfi_jt+0x0/0x8
+ udc_bind_to_driver+0x1d8/0x300
+ usb_gadget_probe_driver+0xa8/0x1dc
+ gadget_dev_desc_UDC_store+0x13c/0x188
+ configfs_write_iter+0x160/0x1f4
+ vfs_write+0x2d0/0x40c
+ ksys_write+0x7c/0xf0
+ __arm64_sys_write+0x20/0x30
+ invoke_syscall+0x60/0x150
+ el0_svc_common+0x8c/0xf8
+ do_el0_svc+0x28/0xa0
+ el0_svc+0x24/0x84
+
+Fixes: c1dca562be8a ("usb gadget: split out serial core")
+Cc: stable <stable@kernel.org>
+Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Lianqin Hu <hulianqin@vivo.com>
+Link: https://lore.kernel.org/r/TYUPR06MB621733B5AC690DBDF80A0DCCD2042@TYUPR06MB6217.apcprd06.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/u_serial.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_serial.c
++++ b/drivers/usb/gadget/function/u_serial.c
+@@ -1369,6 +1369,10 @@ void gserial_disconnect(struct gserial *
+ /* REVISIT as above: how best to track this? */
+ port->port_line_coding = gser->port_line_coding;
+
++ /* disable endpoints, aborting down any active I/O */
++ usb_ep_disable(gser->out);
++ usb_ep_disable(gser->in);
++
+ port->port_usb = NULL;
+ gser->ioport = NULL;
+ if (port->port.count > 0 || port->openclose) {
+@@ -1378,10 +1382,6 @@ void gserial_disconnect(struct gserial *
+ }
+ spin_unlock_irqrestore(&port->port_lock, flags);
+
+- /* disable endpoints, aborting down any active I/O */
+- usb_ep_disable(gser->out);
+- usb_ep_disable(gser->in);
+-
+ /* finally, free any unused/unusable I/O buffers */
+ spin_lock_irqsave(&port->port_lock, flags);
+ if (port->port.count == 0 && !port->openclose)
--- /dev/null
+From 7a3d76a0b60b3f6fc3375e4de2174bab43f64545 Mon Sep 17 00:00:00 2001
+From: Jun Yan <jerrysteve1101@gmail.com>
+Date: Thu, 12 Dec 2024 22:38:52 +0800
+Subject: USB: usblp: return error when setting unsupported protocol
+
+From: Jun Yan <jerrysteve1101@gmail.com>
+
+commit 7a3d76a0b60b3f6fc3375e4de2174bab43f64545 upstream.
+
+Fix the regression introduced by commit d8c6edfa3f4e ("USB:
+usblp: don't call usb_set_interface if there's a single alt"),
+which causes that unsupported protocols can also be set via
+ioctl when the num_altsetting of the device is 1.
+
+Move the check for protocol support to the earlier stage.
+
+Fixes: d8c6edfa3f4e ("USB: usblp: don't call usb_set_interface if there's a single alt")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Jun Yan <jerrysteve1101@gmail.com>
+Link: https://lore.kernel.org/r/20241212143852.671889-1-jerrysteve1101@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usblp.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/class/usblp.c
++++ b/drivers/usb/class/usblp.c
+@@ -1337,11 +1337,12 @@ static int usblp_set_protocol(struct usb
+ if (protocol < USBLP_FIRST_PROTOCOL || protocol > USBLP_LAST_PROTOCOL)
+ return -EINVAL;
+
++ alts = usblp->protocol[protocol].alt_setting;
++ if (alts < 0)
++ return -EINVAL;
++
+ /* Don't unnecessarily set the interface if there's a single alt. */
+ if (usblp->intf->num_altsetting > 1) {
+- alts = usblp->protocol[protocol].alt_setting;
+- if (alts < 0)
+- return -EINVAL;
+ r = usb_set_interface(usblp->dev, usblp->ifnum, alts);
+ if (r < 0) {
+ printk(KERN_ERR "usblp: can't set desired altsetting %d on interface %d\n",
projects / thirdparty / kernel / stable-queue.git / commitdiff
