--- /dev/null
+From aa2e1e4563d3ab689ffa86ca1412ecbf9fd3b308 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Tue, 2 Sep 2025 17:03:58 +0800
+Subject: dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit aa2e1e4563d3ab689ffa86ca1412ecbf9fd3b308 upstream.
+
+The reference taken by of_find_device_by_node()
+must be released when not needed anymore.
+Add missing put_device() call to fix device reference leaks.
+
+Fixes: 134d9c52fca2 ("dmaengine: dw: dmamux: Introduce RZN1 DMA router support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/r/20250902090358.2423285-1-linmq006@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/dw/rzn1-dmamux.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/dma/dw/rzn1-dmamux.c
++++ b/drivers/dma/dw/rzn1-dmamux.c
+@@ -48,12 +48,16 @@ static void *rzn1_dmamux_route_allocate(
+ u32 mask;
+ int ret;
+
+- if (dma_spec->args_count != RNZ1_DMAMUX_NCELLS)
+- return ERR_PTR(-EINVAL);
++ if (dma_spec->args_count != RNZ1_DMAMUX_NCELLS) {
++ ret = -EINVAL;
++ goto put_device;
++ }
+
+ map = kzalloc(sizeof(*map), GFP_KERNEL);
+- if (!map)
+- return ERR_PTR(-ENOMEM);
++ if (!map) {
++ ret = -ENOMEM;
++ goto put_device;
++ }
+
+ chan = dma_spec->args[0];
+ map->req_idx = dma_spec->args[4];
+@@ -94,12 +98,15 @@ static void *rzn1_dmamux_route_allocate(
+ if (ret)
+ goto clear_bitmap;
+
++ put_device(&pdev->dev);
+ return map;
+
+ clear_bitmap:
+ clear_bit(map->req_idx, dmamux->used_chans);
+ free_map:
+ kfree(map);
++put_device:
++ put_device(&pdev->dev);
+
+ return ERR_PTR(ret);
+ }
--- /dev/null
+From 5068b5254812433e841a40886e695633148d362d Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+Date: Wed, 12 Feb 2025 18:03:54 +0100
+Subject: dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees
+
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+
+commit 5068b5254812433e841a40886e695633148d362d upstream.
+
+When we don't have a clock specified in the device tree, we have no way to
+ensure the BAM is on. This is often the case for remotely-controlled or
+remotely-powered BAM instances. In this case, we need to read num-channels
+from the DT to have all the necessary information to complete probing.
+
+However, at the moment invalid device trees without clock and without
+num-channels still continue probing, because the error handling is missing
+return statements. The driver will then later try to read the number of
+channels from the registers. This is unsafe, because it relies on boot
+firmware and lucky timing to succeed. Unfortunately, the lack of proper
+error handling here has been abused for several Qualcomm SoCs upstream,
+causing early boot crashes in several situations [1, 2].
+
+Avoid these early crashes by erroring out when any of the required DT
+properties are missing. Note that this will break some of the existing DTs
+upstream (mainly BAM instances related to the crypto engine). However,
+clearly these DTs have never been tested properly, since the error in the
+kernel log was just ignored. It's safer to disable the crypto engine for
+these broken DTBs.
+
+[1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/
+[2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/
+
+Cc: stable@vger.kernel.org
+Fixes: 48d163b1aa6e ("dmaengine: qcom: bam_dma: get num-channels and num-ees from dt")
+Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250212-bam-dma-fixes-v1-8-f560889e65d8@linaro.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/qcom/bam_dma.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma/qcom/bam_dma.c
++++ b/drivers/dma/qcom/bam_dma.c
+@@ -1283,13 +1283,17 @@ static int bam_dma_probe(struct platform
+ if (!bdev->bamclk) {
+ ret = of_property_read_u32(pdev->dev.of_node, "num-channels",
+ &bdev->num_channels);
+- if (ret)
++ if (ret) {
+ dev_err(bdev->dev, "num-channels unspecified in dt\n");
++ return ret;
++ }
+
+ ret = of_property_read_u32(pdev->dev.of_node, "qcom,num-ees",
+ &bdev->num_ees);
+- if (ret)
++ if (ret) {
+ dev_err(bdev->dev, "num-ees unspecified in dt\n");
++ return ret;
++ }
+ }
+
+ ret = clk_prepare_enable(bdev->bamclk);
--- /dev/null
+From 6cb8c1f957f674ca20b7d7c96b1f1bb11b83b679 Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+Date: Thu, 21 Aug 2025 10:01:47 +0200
+Subject: phy: qcom: qmp-pcie: Fix PHY initialization when powered down by firmware
+
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+
+commit 6cb8c1f957f674ca20b7d7c96b1f1bb11b83b679 upstream.
+
+Commit 0cc22f5a861c ("phy: qcom: qmp-pcie: Add PHY register retention
+support") added support for using the "no_csr" reset to skip configuration
+of the PHY if the init sequence was already applied by the boot firmware.
+The expectation is that the PHY is only turned on/off by using the "no_csr"
+reset, instead of powering it down and re-programming it after a full
+reset.
+
+The boot firmware on X1E does not fully conform to this expectation: If the
+PCIe3 link fails to come up (e.g. because no PCIe card is inserted), the
+firmware powers down the PHY using the QPHY_PCS_POWER_DOWN_CONTROL
+register. The QPHY_START_CTRL register is kept as-is, so the driver assumes
+the PHY is already initialized and skips the configuration/power up
+sequence. The PHY won't come up again without clearing the
+QPHY_PCS_POWER_DOWN_CONTROL, so eventually initialization fails:
+
+ qcom-qmp-pcie-phy 1be0000.phy: phy initialization timed-out
+ phy phy-1be0000.phy.0: phy poweron failed --> -110
+ qcom-pcie 1bd0000.pcie: cannot initialize host
+ qcom-pcie 1bd0000.pcie: probe with driver qcom-pcie failed with error -110
+
+This can be reliably reproduced on the X1E CRD, QCP and Devkit when no card
+is inserted for PCIe3.
+
+Fix this by checking the QPHY_PCS_POWER_DOWN_CONTROL register in addition
+to QPHY_START_CTRL. If the PHY is powered down with the register, it
+doesn't conform to the expectations for using the "no_csr" reset, so we
+fully re-initialize with the normal reset sequence.
+
+Also check the register more carefully to ensure all of the bits we expect
+are actually set. A simple !!(readl()) is not enough, because the PHY might
+be only partially set up with some of the expected bits set.
+
+Cc: stable@vger.kernel.org
+Fixes: 0cc22f5a861c ("phy: qcom: qmp-pcie: Add PHY register retention support")
+Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250821-phy-qcom-qmp-pcie-nocsr-fix-v3-1-4898db0cc07c@linaro.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
+@@ -3064,6 +3064,14 @@ struct qmp_pcie {
+ struct clk_fixed_rate aux_clk_fixed;
+ };
+
++static bool qphy_checkbits(const void __iomem *base, u32 offset, u32 val)
++{
++ u32 reg;
++
++ reg = readl(base + offset);
++ return (reg & val) == val;
++}
++
+ static inline void qphy_setbits(void __iomem *base, u32 offset, u32 val)
+ {
+ u32 reg;
+@@ -4332,16 +4340,21 @@ static int qmp_pcie_init(struct phy *phy
+ struct qmp_pcie *qmp = phy_get_drvdata(phy);
+ const struct qmp_phy_cfg *cfg = qmp->cfg;
+ void __iomem *pcs = qmp->pcs;
+- bool phy_initialized = !!(readl(pcs + cfg->regs[QPHY_START_CTRL]));
+ int ret;
+
+- qmp->skip_init = qmp->nocsr_reset && phy_initialized;
+ /*
+- * We need to check the existence of init sequences in two cases:
+- * 1. The PHY doesn't support no_csr reset.
+- * 2. The PHY supports no_csr reset but isn't initialized by bootloader.
+- * As we can't skip init in these two cases.
++ * We can skip PHY initialization if all of the following conditions
++ * are met:
++ * 1. The PHY supports the nocsr_reset that preserves the PHY config.
++ * 2. The PHY was started (and not powered down again) by the
++ * bootloader, with all of the expected bits set correctly.
++ * In this case, we can continue without having the init sequence
++ * defined in the driver.
+ */
++ qmp->skip_init = qmp->nocsr_reset &&
++ qphy_checkbits(pcs, cfg->regs[QPHY_START_CTRL], SERDES_START | PCS_START) &&
++ qphy_checkbits(pcs, cfg->regs[QPHY_PCS_POWER_DOWN_CONTROL], cfg->pwrdn_ctrl);
++
+ if (!qmp->skip_init && !cfg->tbls.serdes_num) {
+ dev_err(qmp->dev, "Init sequence not available\n");
+ return -ENODATA;
--- /dev/null
+From bca065733afd1e3a89a02f05ffe14e966cd5f78e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 24 Jul 2025 15:12:04 +0200
+Subject: phy: tegra: xusb: fix device and OF node leak at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit bca065733afd1e3a89a02f05ffe14e966cd5f78e upstream.
+
+Make sure to drop the references taken to the PMC OF node and device by
+of_parse_phandle() and of_find_device_by_node() during probe.
+
+Note the holding a reference to the PMC device does not prevent the
+PMC regmap from going away (e.g. if the PMC driver is unbound) so there
+is no need to keep the reference.
+
+Fixes: 2d1021487273 ("phy: tegra: xusb: Add wake/sleepwalk for Tegra210")
+Cc: stable@vger.kernel.org # 5.14
+Cc: JC Kuo <jckuo@nvidia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20250724131206.2211-2-johan@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/tegra/xusb-tegra210.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/phy/tegra/xusb-tegra210.c
++++ b/drivers/phy/tegra/xusb-tegra210.c
+@@ -3164,18 +3164,22 @@ tegra210_xusb_padctl_probe(struct device
+ }
+
+ pdev = of_find_device_by_node(np);
++ of_node_put(np);
+ if (!pdev) {
+ dev_warn(dev, "PMC device is not available\n");
+ goto out;
+ }
+
+- if (!platform_get_drvdata(pdev))
++ if (!platform_get_drvdata(pdev)) {
++ put_device(&pdev->dev);
+ return ERR_PTR(-EPROBE_DEFER);
++ }
+
+ padctl->regmap = dev_get_regmap(&pdev->dev, "usb_sleepwalk");
+ if (!padctl->regmap)
+ dev_info(dev, "failed to find PMC regmap\n");
+
++ put_device(&pdev->dev);
+ out:
+ return &padctl->base;
+ }
--- /dev/null
+From 64961557efa1b98f375c0579779e7eeda1a02c42 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 24 Jul 2025 15:12:05 +0200
+Subject: phy: ti: omap-usb2: fix device leak at unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 64961557efa1b98f375c0579779e7eeda1a02c42 upstream.
+
+Make sure to drop the reference to the control device taken by
+of_find_device_by_node() during probe when the driver is unbound.
+
+Fixes: 478b6c7436c2 ("usb: phy: omap-usb2: Don't use omap_get_control_dev()")
+Cc: stable@vger.kernel.org # 3.13
+Cc: Roger Quadros <rogerq@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20250724131206.2211-3-johan@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/ti/phy-omap-usb2.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/phy/ti/phy-omap-usb2.c
++++ b/drivers/phy/ti/phy-omap-usb2.c
+@@ -363,6 +363,13 @@ static void omap_usb2_init_errata(struct
+ phy->flags |= OMAP_USB2_DISABLE_CHRG_DET;
+ }
+
++static void omap_usb2_put_device(void *_dev)
++{
++ struct device *dev = _dev;
++
++ put_device(dev);
++}
++
+ static int omap_usb2_probe(struct platform_device *pdev)
+ {
+ struct omap_usb *phy;
+@@ -373,6 +380,7 @@ static int omap_usb2_probe(struct platfo
+ struct device_node *control_node;
+ struct platform_device *control_pdev;
+ const struct usb_phy_data *phy_data;
++ int ret;
+
+ phy_data = device_get_match_data(&pdev->dev);
+ if (!phy_data)
+@@ -423,6 +431,11 @@ static int omap_usb2_probe(struct platfo
+ return -EINVAL;
+ }
+ phy->control_dev = &control_pdev->dev;
++
++ ret = devm_add_action_or_reset(&pdev->dev, omap_usb2_put_device,
++ phy->control_dev);
++ if (ret)
++ return ret;
+ } else {
+ if (of_property_read_u32_index(node,
+ "syscon-phy-power", 1,
--- /dev/null
+From e19bcea99749ce8e8f1d359f68ae03210694ad56 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 24 Jul 2025 15:12:06 +0200
+Subject: phy: ti-pipe3: fix device leak at unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit e19bcea99749ce8e8f1d359f68ae03210694ad56 upstream.
+
+Make sure to drop the reference to the control device taken by
+of_find_device_by_node() during probe when the driver is unbound.
+
+Fixes: 918ee0d21ba4 ("usb: phy: omap-usb3: Don't use omap_get_control_dev()")
+Cc: stable@vger.kernel.org # 3.13
+Cc: Roger Quadros <rogerq@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20250724131206.2211-4-johan@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/ti/phy-ti-pipe3.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/phy/ti/phy-ti-pipe3.c
++++ b/drivers/phy/ti/phy-ti-pipe3.c
+@@ -667,12 +667,20 @@ static int ti_pipe3_get_clk(struct ti_pi
+ return 0;
+ }
+
++static void ti_pipe3_put_device(void *_dev)
++{
++ struct device *dev = _dev;
++
++ put_device(dev);
++}
++
+ static int ti_pipe3_get_sysctrl(struct ti_pipe3 *phy)
+ {
+ struct device *dev = phy->dev;
+ struct device_node *node = dev->of_node;
+ struct device_node *control_node;
+ struct platform_device *control_pdev;
++ int ret;
+
+ phy->phy_power_syscon = syscon_regmap_lookup_by_phandle(node,
+ "syscon-phy-power");
+@@ -704,6 +712,11 @@ static int ti_pipe3_get_sysctrl(struct t
+ }
+
+ phy->control_dev = &control_pdev->dev;
++
++ ret = devm_add_action_or_reset(dev, ti_pipe3_put_device,
++ phy->control_dev);
++ if (ret)
++ return ret;
+ }
+
+ if (phy->mode == PIPE3_MODE_PCIE) {
dmaengine-ti-edma-fix-memory-allocation-size-for-que.patch
regulator-sy7636a-fix-lifecycle-of-power-good-gpio.patch
erofs-fix-runtime-warning-on-truncate_folio_batch_ex.patch
+xhci-dbc-decouple-endpoint-allocation-from-initialization.patch
+xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch
+xhci-fix-memory-leak-regression-when-freeing-xhci-vdev-devices-depth-first.patch
+usb-gadget-dummy-hcd-fix-locking-bug-in-rt-enabled-kernels.patch
+usb-typec-tcpm-properly-deliver-cable-vdms-to-altmode-drivers.patch
+usb-gadget-midi2-fix-missing-ump-group-attributes-initialization.patch
+usb-gadget-midi2-fix-midi2-in-ep-max-packet-size.patch
+dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch
+dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch
+phy-qcom-qmp-pcie-fix-phy-initialization-when-powered-down-by-firmware.patch
+phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch
+phy-ti-omap-usb2-fix-device-leak-at-unbind.patch
+phy-ti-pipe3-fix-device-leak-at-unbind.patch
--- /dev/null
+From 8d63c83d8eb922f6c316320f50c82fa88d099bea Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 25 Aug 2025 12:00:22 -0400
+Subject: USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 8d63c83d8eb922f6c316320f50c82fa88d099bea upstream.
+
+Yunseong Kim and the syzbot fuzzer both reported a problem in
+RT-enabled kernels caused by the way dummy-hcd mixes interrupt
+management and spin-locking. The pattern was:
+
+ local_irq_save(flags);
+ spin_lock(&dum->lock);
+ ...
+ spin_unlock(&dum->lock);
+ ... // calls usb_gadget_giveback_request()
+ local_irq_restore(flags);
+
+The code was written this way because usb_gadget_giveback_request()
+needs to be called with interrupts disabled and the private lock not
+held.
+
+While this pattern works fine in non-RT kernels, it's not good when RT
+is enabled. RT kernels handle spinlocks much like mutexes; in particular,
+spin_lock() may sleep. But sleeping is not allowed while local
+interrupts are disabled.
+
+To fix the problem, rewrite the code to conform to the pattern used
+elsewhere in dummy-hcd and other UDC drivers:
+
+ spin_lock_irqsave(&dum->lock, flags);
+ ...
+ spin_unlock(&dum->lock);
+ usb_gadget_giveback_request(...);
+ spin_lock(&dum->lock);
+ ...
+ spin_unlock_irqrestore(&dum->lock, flags);
+
+This approach satisfies the RT requirements.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable <stable@kernel.org>
+Fixes: b4dbda1a22d2 ("USB: dummy-hcd: disable interrupts during req->complete")
+Reported-by: Yunseong Kim <ysk@kzalloc.com>
+Closes: <https://lore.kernel.org/linux-usb/5b337389-73b9-4ee4-a83e-7e82bf5af87a@kzalloc.com/>
+Reported-by: syzbot+8baacc4139f12fa77909@syzkaller.appspotmail.com
+Closes: <https://lore.kernel.org/linux-usb/68ac2411.050a0220.37038e.0087.GAE@google.com/>
+Tested-by: syzbot+8baacc4139f12fa77909@syzkaller.appspotmail.com
+CC: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+CC: stable@vger.kernel.org
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Link: https://lore.kernel.org/r/bb192ae2-4eee-48ee-981f-3efdbbd0d8f0@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/dummy_hcd.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -765,8 +765,7 @@ static int dummy_dequeue(struct usb_ep *
+ if (!dum->driver)
+ return -ESHUTDOWN;
+
+- local_irq_save(flags);
+- spin_lock(&dum->lock);
++ spin_lock_irqsave(&dum->lock, flags);
+ list_for_each_entry(iter, &ep->queue, queue) {
+ if (&iter->req != _req)
+ continue;
+@@ -776,15 +775,16 @@ static int dummy_dequeue(struct usb_ep *
+ retval = 0;
+ break;
+ }
+- spin_unlock(&dum->lock);
+
+ if (retval == 0) {
+ dev_dbg(udc_dev(dum),
+ "dequeued req %p from %s, len %d buf %p\n",
+ req, _ep->name, _req->length, _req->buf);
++ spin_unlock(&dum->lock);
+ usb_gadget_giveback_request(_ep, _req);
++ spin_lock(&dum->lock);
+ }
+- local_irq_restore(flags);
++ spin_unlock_irqrestore(&dum->lock, flags);
+ return retval;
+ }
+
--- /dev/null
+From 116e79c679a1530cf833d0ff3007061d7a716bd9 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 5 Sep 2025 15:32:34 +0200
+Subject: usb: gadget: midi2: Fix MIDI2 IN EP max packet size
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 116e79c679a1530cf833d0ff3007061d7a716bd9 upstream.
+
+The EP-IN of MIDI2 (altset 1) wasn't initialized in
+f_midi2_create_usb_configs() as it's an INT EP unlike others BULK
+EPs. But this leaves rather the max packet size unchanged no matter
+which speed is used, resulting in the very slow access.
+And the wMaxPacketSize values set there look legit for INT EPs, so
+let's initialize the MIDI2 EP-IN there for achieving the equivalent
+speed as well.
+
+Fixes: 8b645922b223 ("usb: gadget: Add support for USB MIDI 2.0 function driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/r/20250905133240.20966-1-tiwai@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_midi2.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_midi2.c
++++ b/drivers/usb/gadget/function/f_midi2.c
+@@ -1737,9 +1737,12 @@ static int f_midi2_create_usb_configs(st
+ case USB_SPEED_HIGH:
+ midi2_midi1_ep_out_desc.wMaxPacketSize = cpu_to_le16(512);
+ midi2_midi1_ep_in_desc.wMaxPacketSize = cpu_to_le16(512);
+- for (i = 0; i < midi2->num_eps; i++)
++ for (i = 0; i < midi2->num_eps; i++) {
+ midi2_midi2_ep_out_desc[i].wMaxPacketSize =
+ cpu_to_le16(512);
++ midi2_midi2_ep_in_desc[i].wMaxPacketSize =
++ cpu_to_le16(512);
++ }
+ fallthrough;
+ case USB_SPEED_FULL:
+ midi1_in_eps = midi2_midi1_ep_in_descs;
+@@ -1748,9 +1751,12 @@ static int f_midi2_create_usb_configs(st
+ case USB_SPEED_SUPER:
+ midi2_midi1_ep_out_desc.wMaxPacketSize = cpu_to_le16(1024);
+ midi2_midi1_ep_in_desc.wMaxPacketSize = cpu_to_le16(1024);
+- for (i = 0; i < midi2->num_eps; i++)
++ for (i = 0; i < midi2->num_eps; i++) {
+ midi2_midi2_ep_out_desc[i].wMaxPacketSize =
+ cpu_to_le16(1024);
++ midi2_midi2_ep_in_desc[i].wMaxPacketSize =
++ cpu_to_le16(1024);
++ }
+ midi1_in_eps = midi2_midi1_ep_in_ss_descs;
+ midi1_out_eps = midi2_midi1_ep_out_ss_descs;
+ break;
--- /dev/null
+From 21d8525d2e061cde034277d518411b02eac764e2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 4 Sep 2025 17:39:24 +0200
+Subject: usb: gadget: midi2: Fix missing UMP group attributes initialization
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 21d8525d2e061cde034277d518411b02eac764e2 upstream.
+
+The gadget card driver forgot to call snd_ump_update_group_attrs()
+after adding FBs, and this leaves the UMP group attributes
+uninitialized. As a result, -ENODEV error is returned at opening a
+legacy rawmidi device as an inactive group.
+
+This patch adds the missing call to address the behavior above.
+
+Fixes: 8b645922b223 ("usb: gadget: Add support for USB MIDI 2.0 function driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/r/20250904153932.13589-1-tiwai@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_midi2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/function/f_midi2.c
++++ b/drivers/usb/gadget/function/f_midi2.c
+@@ -1599,6 +1599,7 @@ static int f_midi2_create_card(struct f_
+ strscpy(fb->info.name, ump_fb_name(b),
+ sizeof(fb->info.name));
+ }
++ snd_ump_update_group_attrs(ump);
+ }
+
+ for (i = 0; i < midi2->num_eps; i++) {
--- /dev/null
+From f34bfcc77b18375a87091c289c2eb53c249787b4 Mon Sep 17 00:00:00 2001
+From: RD Babiera <rdbabiera@google.com>
+Date: Thu, 21 Aug 2025 20:37:57 +0000
+Subject: usb: typec: tcpm: properly deliver cable vdms to altmode drivers
+
+From: RD Babiera <rdbabiera@google.com>
+
+commit f34bfcc77b18375a87091c289c2eb53c249787b4 upstream.
+
+tcpm_handle_vdm_request delivers messages to the partner altmode or the
+cable altmode depending on the SVDM response type, which is incorrect.
+The partner or cable should be chosen based on the received message type
+instead.
+
+Also add this filter to ADEV_NOTIFY_USB_AND_QUEUE_VDM, which is used when
+the Enter Mode command is responded to by a NAK on SOP or SOP' and when
+the Exit Mode command is responded to by an ACK on SOP.
+
+Fixes: 7e7877c55eb1 ("usb: typec: tcpm: add alt mode enter/exit/vdm support for sop'")
+Cc: stable@vger.kernel.org
+Signed-off-by: RD Babiera <rdbabiera@google.com>
+Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250821203759.1720841-2-rdbabiera@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/tcpm.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -2426,17 +2426,21 @@ static void tcpm_handle_vdm_request(stru
+ case ADEV_NONE:
+ break;
+ case ADEV_NOTIFY_USB_AND_QUEUE_VDM:
+- WARN_ON(typec_altmode_notify(adev, TYPEC_STATE_USB, NULL));
+- typec_altmode_vdm(adev, p[0], &p[1], cnt);
++ if (rx_sop_type == TCPC_TX_SOP_PRIME) {
++ typec_cable_altmode_vdm(adev, TYPEC_PLUG_SOP_P, p[0], &p[1], cnt);
++ } else {
++ WARN_ON(typec_altmode_notify(adev, TYPEC_STATE_USB, NULL));
++ typec_altmode_vdm(adev, p[0], &p[1], cnt);
++ }
+ break;
+ case ADEV_QUEUE_VDM:
+- if (response_tx_sop_type == TCPC_TX_SOP_PRIME)
++ if (rx_sop_type == TCPC_TX_SOP_PRIME)
+ typec_cable_altmode_vdm(adev, TYPEC_PLUG_SOP_P, p[0], &p[1], cnt);
+ else
+ typec_altmode_vdm(adev, p[0], &p[1], cnt);
+ break;
+ case ADEV_QUEUE_VDM_SEND_EXIT_MODE_ON_FAIL:
+- if (response_tx_sop_type == TCPC_TX_SOP_PRIME) {
++ if (rx_sop_type == TCPC_TX_SOP_PRIME) {
+ if (typec_cable_altmode_vdm(adev, TYPEC_PLUG_SOP_P,
+ p[0], &p[1], cnt)) {
+ int svdm_version = typec_get_cable_svdm_version(
--- /dev/null
+From 220a0ffde02f962c13bc752b01aa570b8c65a37b Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Tue, 2 Sep 2025 13:53:04 +0300
+Subject: xhci: dbc: decouple endpoint allocation from initialization
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 220a0ffde02f962c13bc752b01aa570b8c65a37b upstream.
+
+Decouple allocation of endpoint ring buffer from initialization
+of the buffer, and initialization of endpoint context parts from
+from the rest of the contexts.
+
+It allows driver to clear up and reinitialize endpoint rings
+after disconnect without reallocating everything.
+
+This is a prerequisite for the next patch that prevents the transfer
+ring from filling up with cancelled (no-op) TRBs if a debug cable is
+reconnected several times without transferring anything.
+
+Cc: stable@vger.kernel.org
+Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver")
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20250902105306.877476-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-dbgcap.c | 71 ++++++++++++++++++++++++++---------------
+ 1 file changed, 46 insertions(+), 25 deletions(-)
+
+--- a/drivers/usb/host/xhci-dbgcap.c
++++ b/drivers/usb/host/xhci-dbgcap.c
+@@ -101,13 +101,34 @@ static u32 xhci_dbc_populate_strings(str
+ return string_length;
+ }
+
++static void xhci_dbc_init_ep_contexts(struct xhci_dbc *dbc)
++{
++ struct xhci_ep_ctx *ep_ctx;
++ unsigned int max_burst;
++ dma_addr_t deq;
++
++ max_burst = DBC_CTRL_MAXBURST(readl(&dbc->regs->control));
++
++ /* Populate bulk out endpoint context: */
++ ep_ctx = dbc_bulkout_ctx(dbc);
++ deq = dbc_bulkout_enq(dbc);
++ ep_ctx->ep_info = 0;
++ ep_ctx->ep_info2 = dbc_epctx_info2(BULK_OUT_EP, 1024, max_burst);
++ ep_ctx->deq = cpu_to_le64(deq | dbc->ring_out->cycle_state);
++
++ /* Populate bulk in endpoint context: */
++ ep_ctx = dbc_bulkin_ctx(dbc);
++ deq = dbc_bulkin_enq(dbc);
++ ep_ctx->ep_info = 0;
++ ep_ctx->ep_info2 = dbc_epctx_info2(BULK_IN_EP, 1024, max_burst);
++ ep_ctx->deq = cpu_to_le64(deq | dbc->ring_in->cycle_state);
++}
++
+ static void xhci_dbc_init_contexts(struct xhci_dbc *dbc, u32 string_length)
+ {
+ struct dbc_info_context *info;
+- struct xhci_ep_ctx *ep_ctx;
+ u32 dev_info;
+- dma_addr_t deq, dma;
+- unsigned int max_burst;
++ dma_addr_t dma;
+
+ if (!dbc)
+ return;
+@@ -121,20 +142,8 @@ static void xhci_dbc_init_contexts(struc
+ info->serial = cpu_to_le64(dma + DBC_MAX_STRING_LENGTH * 3);
+ info->length = cpu_to_le32(string_length);
+
+- /* Populate bulk out endpoint context: */
+- ep_ctx = dbc_bulkout_ctx(dbc);
+- max_burst = DBC_CTRL_MAXBURST(readl(&dbc->regs->control));
+- deq = dbc_bulkout_enq(dbc);
+- ep_ctx->ep_info = 0;
+- ep_ctx->ep_info2 = dbc_epctx_info2(BULK_OUT_EP, 1024, max_burst);
+- ep_ctx->deq = cpu_to_le64(deq | dbc->ring_out->cycle_state);
+-
+- /* Populate bulk in endpoint context: */
+- ep_ctx = dbc_bulkin_ctx(dbc);
+- deq = dbc_bulkin_enq(dbc);
+- ep_ctx->ep_info = 0;
+- ep_ctx->ep_info2 = dbc_epctx_info2(BULK_IN_EP, 1024, max_burst);
+- ep_ctx->deq = cpu_to_le64(deq | dbc->ring_in->cycle_state);
++ /* Populate bulk in and out endpoint contexts: */
++ xhci_dbc_init_ep_contexts(dbc);
+
+ /* Set DbC context and info registers: */
+ lo_hi_writeq(dbc->ctx->dma, &dbc->regs->dccp);
+@@ -436,6 +445,23 @@ dbc_alloc_ctx(struct device *dev, gfp_t
+ return ctx;
+ }
+
++static void xhci_dbc_ring_init(struct xhci_ring *ring)
++{
++ struct xhci_segment *seg = ring->first_seg;
++
++ /* clear all trbs on ring in case of old ring */
++ memset(seg->trbs, 0, TRB_SEGMENT_SIZE);
++
++ /* Only event ring does not use link TRB */
++ if (ring->type != TYPE_EVENT) {
++ union xhci_trb *trb = &seg->trbs[TRBS_PER_SEGMENT - 1];
++
++ trb->link.segment_ptr = cpu_to_le64(ring->first_seg->dma);
++ trb->link.control = cpu_to_le32(LINK_TOGGLE | TRB_TYPE(TRB_LINK));
++ }
++ xhci_initialize_ring_info(ring);
++}
++
+ static struct xhci_ring *
+ xhci_dbc_ring_alloc(struct device *dev, enum xhci_ring_type type, gfp_t flags)
+ {
+@@ -464,15 +490,10 @@ xhci_dbc_ring_alloc(struct device *dev,
+
+ seg->dma = dma;
+
+- /* Only event ring does not use link TRB */
+- if (type != TYPE_EVENT) {
+- union xhci_trb *trb = &seg->trbs[TRBS_PER_SEGMENT - 1];
+-
+- trb->link.segment_ptr = cpu_to_le64(dma);
+- trb->link.control = cpu_to_le32(LINK_TOGGLE | TRB_TYPE(TRB_LINK));
+- }
+ INIT_LIST_HEAD(&ring->td_list);
+- xhci_initialize_ring_info(ring);
++
++ xhci_dbc_ring_init(ring);
++
+ return ring;
+ dma_fail:
+ kfree(seg);
--- /dev/null
+From a5c98e8b1398534ae1feb6e95e2d3ee5215538ed Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Tue, 2 Sep 2025 13:53:05 +0300
+Subject: xhci: dbc: Fix full DbC transfer ring after several reconnects
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit a5c98e8b1398534ae1feb6e95e2d3ee5215538ed upstream.
+
+Pending requests will be flushed on disconnect, and the corresponding
+TRBs will be turned into No-op TRBs, which are ignored by the xHC
+controller once it starts processing the ring.
+
+If the USB debug cable repeatedly disconnects before ring is started
+then the ring will eventually be filled with No-op TRBs.
+No new transfers can be queued when the ring is full, and driver will
+print the following error message:
+
+ "xhci_hcd 0000:00:14.0: failed to queue trbs"
+
+This is a normal case for 'in' transfers where TRBs are always enqueued
+in advance, ready to take on incoming data. If no data arrives, and
+device is disconnected, then ring dequeue will remain at beginning of
+the ring while enqueue points to first free TRB after last cancelled
+No-op TRB.
+s
+Solve this by reinitializing the rings when the debug cable disconnects
+and DbC is leaving the configured state.
+Clear the whole ring buffer and set enqueue and dequeue to the beginning
+of ring, and set cycle bit to its initial state.
+
+Cc: stable@vger.kernel.org
+Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver")
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20250902105306.877476-3-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-dbgcap.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci-dbgcap.c
++++ b/drivers/usb/host/xhci-dbgcap.c
+@@ -462,6 +462,25 @@ static void xhci_dbc_ring_init(struct xh
+ xhci_initialize_ring_info(ring);
+ }
+
++static int xhci_dbc_reinit_ep_rings(struct xhci_dbc *dbc)
++{
++ struct xhci_ring *in_ring = dbc->eps[BULK_IN].ring;
++ struct xhci_ring *out_ring = dbc->eps[BULK_OUT].ring;
++
++ if (!in_ring || !out_ring || !dbc->ctx) {
++ dev_warn(dbc->dev, "Can't re-init unallocated endpoints\n");
++ return -ENODEV;
++ }
++
++ xhci_dbc_ring_init(in_ring);
++ xhci_dbc_ring_init(out_ring);
++
++ /* set ep context enqueue, dequeue, and cycle to initial values */
++ xhci_dbc_init_ep_contexts(dbc);
++
++ return 0;
++}
++
+ static struct xhci_ring *
+ xhci_dbc_ring_alloc(struct device *dev, enum xhci_ring_type type, gfp_t flags)
+ {
+@@ -885,7 +904,7 @@ static enum evtreturn xhci_dbc_do_handle
+ dev_info(dbc->dev, "DbC cable unplugged\n");
+ dbc->state = DS_ENABLED;
+ xhci_dbc_flush_requests(dbc);
+-
++ xhci_dbc_reinit_ep_rings(dbc);
+ return EVT_DISC;
+ }
+
+@@ -895,7 +914,7 @@ static enum evtreturn xhci_dbc_do_handle
+ writel(portsc, &dbc->regs->portsc);
+ dbc->state = DS_ENABLED;
+ xhci_dbc_flush_requests(dbc);
+-
++ xhci_dbc_reinit_ep_rings(dbc);
+ return EVT_DISC;
+ }
+
--- /dev/null
+From edcbe06453ddfde21f6aa763f7cab655f26133cc Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Tue, 2 Sep 2025 13:53:06 +0300
+Subject: xhci: fix memory leak regression when freeing xhci vdev devices depth first
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit edcbe06453ddfde21f6aa763f7cab655f26133cc upstream.
+
+Suspend-resume cycle test revealed a memory leak in 6.17-rc3
+
+Turns out the slot_id race fix changes accidentally ends up calling
+xhci_free_virt_device() with an incorrect vdev parameter.
+The vdev variable was reused for temporary purposes right before calling
+xhci_free_virt_device().
+
+Fix this by passing the correct vdev parameter.
+
+The slot_id race fix that caused this regression was targeted for stable,
+so this needs to be applied there as well.
+
+Fixes: 2eb03376151b ("usb: xhci: Fix slot_id resource race conflict")
+Reported-by: David Wang <00107082@163.com>
+Closes: https://lore.kernel.org/linux-usb/20250829181354.4450-1-00107082@163.com
+Suggested-by: Michal Pecio <michal.pecio@gmail.com>
+Suggested-by: David Wang <00107082@163.com>
+Cc: stable@vger.kernel.org
+Tested-by: David Wang <00107082@163.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20250902105306.877476-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-mem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -962,7 +962,7 @@ static void xhci_free_virt_devices_depth
+ out:
+ /* we are now at a leaf device */
+ xhci_debugfs_remove_slot(xhci, slot_id);
+- xhci_free_virt_device(xhci, vdev, slot_id);
++ xhci_free_virt_device(xhci, xhci->devs[slot_id], slot_id);
+ }
+
+ int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id,
projects / thirdparty / kernel / stable-queue.git / commitdiff
