--- /dev/null
+From 194f9f94a5169547d682e9bbcc5ae6d18a564735 Mon Sep 17 00:00:00 2001
+From: Rengarajan S <rengarajan.s@microchip.com>
+Date: Thu, 5 Dec 2024 19:06:25 +0530
+Subject: misc: microchip: pci1xxxx: Resolve kernel panic during GPIO IRQ handling
+
+From: Rengarajan S <rengarajan.s@microchip.com>
+
+commit 194f9f94a5169547d682e9bbcc5ae6d18a564735 upstream.
+
+Resolve kernel panic caused by improper handling of IRQs while
+accessing GPIO values. This is done by replacing generic_handle_irq with
+handle_nested_irq.
+
+Fixes: 1f4d8ae231f4 ("misc: microchip: pci1xxxx: Add gpio irq handler and irq helper functions irq_ack, irq_mask, irq_unmask and irq_set_type of irq_chip.")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Rengarajan S <rengarajan.s@microchip.com>
+Link: https://lore.kernel.org/r/20241205133626.1483499-2-rengarajan.s@microchip.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c
++++ b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c
+@@ -277,7 +277,7 @@ static irqreturn_t pci1xxxx_gpio_irq_han
+ writel(BIT(bit), priv->reg_base + INTR_STATUS_OFFSET(gpiobank));
+ spin_unlock_irqrestore(&priv->lock, flags);
+ irq = irq_find_mapping(gc->irq.domain, (bit + (gpiobank * 32)));
+- generic_handle_irq(irq);
++ handle_nested_irq(irq);
+ }
+ }
+ spin_lock_irqsave(&priv->lock, flags);
--- /dev/null
+From c7a5378a0f707686de3ddb489f1653c523bb7dcc Mon Sep 17 00:00:00 2001
+From: Rengarajan S <rengarajan.s@microchip.com>
+Date: Thu, 5 Dec 2024 19:06:26 +0530
+Subject: misc: microchip: pci1xxxx: Resolve return code mismatch during GPIO set config
+
+From: Rengarajan S <rengarajan.s@microchip.com>
+
+commit c7a5378a0f707686de3ddb489f1653c523bb7dcc upstream.
+
+Driver returns -EOPNOTSUPPORTED on unsupported parameters case in set
+config. Upper level driver checks for -ENOTSUPP. Because of the return
+code mismatch, the ioctls from userspace fail. Resolve the issue by
+passing -ENOTSUPP during unsupported case.
+
+Fixes: 7d3e4d807df2 ("misc: microchip: pci1xxxx: load gpio driver for the gpio controller auxiliary device enumerated by the auxiliary bus driver.")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Rengarajan S <rengarajan.s@microchip.com>
+Link: https://lore.kernel.org/r/20241205133626.1483499-3-rengarajan.s@microchip.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c
++++ b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c
+@@ -148,7 +148,7 @@ static int pci1xxxx_gpio_set_config(stru
+ pci1xxx_assign_bit(priv->reg_base, OPENDRAIN_OFFSET(offset), (offset % 32), true);
+ break;
+ default:
+- ret = -EOPNOTSUPP;
++ ret = -ENOTSUPP;
+ break;
+ }
+ spin_unlock_irqrestore(&priv->lock, flags);
usb-storage-add-max-sectors-quirk-for-nokia-208.patch
usb-serial-cp210x-add-phoenix-contact-ups-device.patch
usb-dwc3-gadget-fix-writing-nyet-threshold.patch
+topology-keep-the-cpumask-unchanged-when-printing-cpumap.patch
+misc-microchip-pci1xxxx-resolve-kernel-panic-during-gpio-irq-handling.patch
+misc-microchip-pci1xxxx-resolve-return-code-mismatch-during-gpio-set-config.patch
+tty-serial-8250-fix-another-runtime-pm-usage-counter-underflow.patch
+usb-gadget-u_serial-disable-ep-before-setting-port-to-null-to-fix-the-crash-caused-by-port-being-null.patch
+x86-fpu-ensure-shadow-stack-is-active-before-getting-registers.patch
+usb-dwc3-am62-disable-autosuspend-during-remove.patch
+usb-usblp-return-error-when-setting-unsupported-protocol.patch
+usb-core-disable-lpm-only-for-non-suspended-ports.patch
+usb-fix-reference-leak-in-usb_new_device.patch
+usb-gadget-midi2-reverse-select-at-the-right-place.patch
+usb-chipidea-ci_hdrc_imx-decrement-device-s-refcount-in-.remove-and-in-the-error-path-of-.probe.patch
+usb-gadget-f_uac2-fix-incorrect-setting-of-bnumendpoints.patch
+usb-typec-tcpm-tcpci_maxim-fix-error-code-in-max_contaminant_read_resistance_kohm.patch
+usb-gadget-f_fs-remove-warn_on-in-functionfs_bind.patch
+usb-gadget-configfs-ignore-trailing-lf-for-user-strings-to-cdev.patch
--- /dev/null
+From cbd399f78e23ad4492c174fc5e6b3676dba74a52 Mon Sep 17 00:00:00 2001
+From: Li Huafei <lihuafei1@huawei.com>
+Date: Thu, 14 Nov 2024 19:01:41 +0800
+Subject: topology: Keep the cpumask unchanged when printing cpumap
+
+From: Li Huafei <lihuafei1@huawei.com>
+
+commit cbd399f78e23ad4492c174fc5e6b3676dba74a52 upstream.
+
+During fuzz testing, the following warning was discovered:
+
+ different return values (15 and 11) from vsnprintf("%*pbl
+ ", ...)
+
+ test:keyward is WARNING in kvasprintf
+ WARNING: CPU: 55 PID: 1168477 at lib/kasprintf.c:30 kvasprintf+0x121/0x130
+ Call Trace:
+ kvasprintf+0x121/0x130
+ kasprintf+0xa6/0xe0
+ bitmap_print_to_buf+0x89/0x100
+ core_siblings_list_read+0x7e/0xb0
+ kernfs_file_read_iter+0x15b/0x270
+ new_sync_read+0x153/0x260
+ vfs_read+0x215/0x290
+ ksys_read+0xb9/0x160
+ do_syscall_64+0x56/0x100
+ entry_SYSCALL_64_after_hwframe+0x78/0xe2
+
+The call trace shows that kvasprintf() reported this warning during the
+printing of core_siblings_list. kvasprintf() has several steps:
+
+ (1) First, calculate the length of the resulting formatted string.
+
+ (2) Allocate a buffer based on the returned length.
+
+ (3) Then, perform the actual string formatting.
+
+ (4) Check whether the lengths of the formatted strings returned in
+ steps (1) and (2) are consistent.
+
+If the core_cpumask is modified between steps (1) and (3), the lengths
+obtained in these two steps may not match. Indeed our test includes cpu
+hotplugging, which should modify core_cpumask while printing.
+
+To fix this issue, cache the cpumask into a temporary variable before
+calling cpumap_print_{list, cpumask}_to_buf(), to keep it unchanged
+during the printing process.
+
+Fixes: bb9ec13d156e ("topology: use bin_attribute to break the size limitation of cpumap ABI")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Li Huafei <lihuafei1@huawei.com>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Link: https://lore.kernel.org/r/20241114110141.94725-1-lihuafei1@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/topology.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+--- a/drivers/base/topology.c
++++ b/drivers/base/topology.c
+@@ -27,9 +27,17 @@ static ssize_t name##_read(struct file *
+ loff_t off, size_t count) \
+ { \
+ struct device *dev = kobj_to_dev(kobj); \
++ cpumask_var_t mask; \
++ ssize_t n; \
+ \
+- return cpumap_print_bitmask_to_buf(buf, topology_##mask(dev->id), \
+- off, count); \
++ if (!alloc_cpumask_var(&mask, GFP_KERNEL)) \
++ return -ENOMEM; \
++ \
++ cpumask_copy(mask, topology_##mask(dev->id)); \
++ n = cpumap_print_bitmask_to_buf(buf, mask, off, count); \
++ free_cpumask_var(mask); \
++ \
++ return n; \
+ } \
+ \
+ static ssize_t name##_list_read(struct file *file, struct kobject *kobj, \
+@@ -37,9 +45,17 @@ static ssize_t name##_list_read(struct f
+ loff_t off, size_t count) \
+ { \
+ struct device *dev = kobj_to_dev(kobj); \
++ cpumask_var_t mask; \
++ ssize_t n; \
++ \
++ if (!alloc_cpumask_var(&mask, GFP_KERNEL)) \
++ return -ENOMEM; \
++ \
++ cpumask_copy(mask, topology_##mask(dev->id)); \
++ n = cpumap_print_list_to_buf(buf, mask, off, count); \
++ free_cpumask_var(mask); \
+ \
+- return cpumap_print_list_to_buf(buf, topology_##mask(dev->id), \
+- off, count); \
++ return n; \
+ }
+
+ define_id_show_func(physical_package_id, "%d");
--- /dev/null
+From ed2761958ad77e54791802b07095786150eab844 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= <ilpo.jarvinen@linux.intel.com>
+Date: Tue, 10 Dec 2024 19:01:20 +0200
+Subject: tty: serial: 8250: Fix another runtime PM usage counter underflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+commit ed2761958ad77e54791802b07095786150eab844 upstream.
+
+The commit f9b11229b79c ("serial: 8250: Fix PM usage_count for console
+handover") fixed one runtime PM usage counter balance problem that
+occurs because .dev is not set during univ8250 setup preventing call to
+pm_runtime_get_sync(). Later, univ8250_console_exit() will trigger the
+runtime PM usage counter underflow as .dev is already set at that time.
+
+Call pm_runtime_get_sync() to balance the RPM usage counter also in
+serial8250_register_8250_port() before trying to add the port.
+
+Reported-by: Borislav Petkov (AMD) <bp@alien8.de>
+Fixes: bedb404e91bb ("serial: 8250_port: Don't use power management for kernel console")
+Cc: stable <stable@kernel.org>
+Tested-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20241210170120.2231-1-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_core.c
++++ b/drivers/tty/serial/8250/8250_core.c
+@@ -1131,6 +1131,9 @@ int serial8250_register_8250_port(const
+ uart->dl_write = up->dl_write;
+
+ if (uart->port.type != PORT_8250_CIR) {
++ if (uart_console_registered(&uart->port))
++ pm_runtime_get_sync(uart->port.dev);
++
+ if (serial8250_isa_config != NULL)
+ serial8250_isa_config(0, &uart->port,
+ &uart->capabilities);
--- /dev/null
+From 74adad500346fb07d69af2c79acbff4adb061134 Mon Sep 17 00:00:00 2001
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Date: Mon, 16 Dec 2024 10:55:39 +0900
+Subject: usb: chipidea: ci_hdrc_imx: decrement device's refcount in .remove() and in the error path of .probe()
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+commit 74adad500346fb07d69af2c79acbff4adb061134 upstream.
+
+Current implementation of ci_hdrc_imx_driver does not decrement the
+refcount of the device obtained in usbmisc_get_init_data(). Add a
+put_device() call in .remove() and in .probe() before returning an
+error.
+
+This bug was found by an experimental static analysis tool that I am
+developing.
+
+Cc: stable <stable@kernel.org>
+Fixes: f40017e0f332 ("chipidea: usbmisc_imx: Add USB support for VF610 SoCs")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Link: https://lore.kernel.org/r/20241216015539.352579-1-joe@pf.is.s.u-tokyo.ac.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/chipidea/ci_hdrc_imx.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/chipidea/ci_hdrc_imx.c
++++ b/drivers/usb/chipidea/ci_hdrc_imx.c
+@@ -362,25 +362,29 @@ static int ci_hdrc_imx_probe(struct plat
+ data->pinctrl = devm_pinctrl_get(dev);
+ if (PTR_ERR(data->pinctrl) == -ENODEV)
+ data->pinctrl = NULL;
+- else if (IS_ERR(data->pinctrl))
+- return dev_err_probe(dev, PTR_ERR(data->pinctrl),
++ else if (IS_ERR(data->pinctrl)) {
++ ret = dev_err_probe(dev, PTR_ERR(data->pinctrl),
+ "pinctrl get failed\n");
++ goto err_put;
++ }
+
+ data->hsic_pad_regulator =
+ devm_regulator_get_optional(dev, "hsic");
+ if (PTR_ERR(data->hsic_pad_regulator) == -ENODEV) {
+ /* no pad regulator is needed */
+ data->hsic_pad_regulator = NULL;
+- } else if (IS_ERR(data->hsic_pad_regulator))
+- return dev_err_probe(dev, PTR_ERR(data->hsic_pad_regulator),
++ } else if (IS_ERR(data->hsic_pad_regulator)) {
++ ret = dev_err_probe(dev, PTR_ERR(data->hsic_pad_regulator),
+ "Get HSIC pad regulator error\n");
++ goto err_put;
++ }
+
+ if (data->hsic_pad_regulator) {
+ ret = regulator_enable(data->hsic_pad_regulator);
+ if (ret) {
+ dev_err(dev,
+ "Failed to enable HSIC pad regulator\n");
+- return ret;
++ goto err_put;
+ }
+ }
+ }
+@@ -394,13 +398,14 @@ static int ci_hdrc_imx_probe(struct plat
+ dev_err(dev,
+ "pinctrl_hsic_idle lookup failed, err=%ld\n",
+ PTR_ERR(pinctrl_hsic_idle));
+- return PTR_ERR(pinctrl_hsic_idle);
++ ret = PTR_ERR(pinctrl_hsic_idle);
++ goto err_put;
+ }
+
+ ret = pinctrl_select_state(data->pinctrl, pinctrl_hsic_idle);
+ if (ret) {
+ dev_err(dev, "hsic_idle select failed, err=%d\n", ret);
+- return ret;
++ goto err_put;
+ }
+
+ data->pinctrl_hsic_active = pinctrl_lookup_state(data->pinctrl,
+@@ -409,7 +414,8 @@ static int ci_hdrc_imx_probe(struct plat
+ dev_err(dev,
+ "pinctrl_hsic_active lookup failed, err=%ld\n",
+ PTR_ERR(data->pinctrl_hsic_active));
+- return PTR_ERR(data->pinctrl_hsic_active);
++ ret = PTR_ERR(data->pinctrl_hsic_active);
++ goto err_put;
+ }
+ }
+
+@@ -513,6 +519,8 @@ disable_hsic_regulator:
+ if (pdata.flags & CI_HDRC_PMQOS)
+ cpu_latency_qos_remove_request(&data->pm_qos_req);
+ data->ci_pdev = NULL;
++err_put:
++ put_device(data->usbmisc_data->dev);
+ return ret;
+ }
+
+@@ -536,6 +544,7 @@ static void ci_hdrc_imx_remove(struct pl
+ if (data->hsic_pad_regulator)
+ regulator_disable(data->hsic_pad_regulator);
+ }
++ put_device(data->usbmisc_data->dev);
+ }
+
+ static void ci_hdrc_imx_shutdown(struct platform_device *pdev)
--- /dev/null
+From 59bfeaf5454b7e764288d84802577f4a99bf0819 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kaihengf@nvidia.com>
+Date: Fri, 6 Dec 2024 15:48:17 +0800
+Subject: USB: core: Disable LPM only for non-suspended ports
+
+From: Kai-Heng Feng <kaihengf@nvidia.com>
+
+commit 59bfeaf5454b7e764288d84802577f4a99bf0819 upstream.
+
+There's USB error when tegra board is shutting down:
+[ 180.919315] usb 2-3: Failed to set U1 timeout to 0x0,error code -113
+[ 180.919995] usb 2-3: Failed to set U1 timeout to 0xa,error code -113
+[ 180.920512] usb 2-3: Failed to set U2 timeout to 0x4,error code -113
+[ 186.157172] tegra-xusb 3610000.usb: xHCI host controller not responding, assume dead
+[ 186.157858] tegra-xusb 3610000.usb: HC died; cleaning up
+[ 186.317280] tegra-xusb 3610000.usb: Timeout while waiting for evaluate context command
+
+The issue is caused by disabling LPM on already suspended ports.
+
+For USB2 LPM, the LPM is already disabled during port suspend. For USB3
+LPM, port won't transit to U1/U2 when it's already suspended in U3,
+hence disabling LPM is only needed for ports that are not suspended.
+
+Cc: Wayne Chang <waynec@nvidia.com>
+Cc: stable <stable@kernel.org>
+Fixes: d920a2ed8620 ("usb: Disable USB3 LPM at shutdown")
+Signed-off-by: Kai-Heng Feng <kaihengf@nvidia.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Tested-by: Jon Hunter <jonathanh@nvidia.com>
+Link: https://lore.kernel.org/r/20241206074817.89189-1-kaihengf@nvidia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/port.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/core/port.c
++++ b/drivers/usb/core/port.c
+@@ -451,10 +451,11 @@ static int usb_port_runtime_suspend(stru
+ static void usb_port_shutdown(struct device *dev)
+ {
+ struct usb_port *port_dev = to_usb_port(dev);
++ struct usb_device *udev = port_dev->child;
+
+- if (port_dev->child) {
+- usb_disable_usb2_hardware_lpm(port_dev->child);
+- usb_unlocked_disable_lpm(port_dev->child);
++ if (udev && !udev->port_is_suspended) {
++ usb_disable_usb2_hardware_lpm(udev);
++ usb_unlocked_disable_lpm(udev);
+ }
+ }
+
--- /dev/null
+From 625e70ccb7bbbb2cc912e23c63390946170c085c Mon Sep 17 00:00:00 2001
+From: Prashanth K <quic_prashk@quicinc.com>
+Date: Mon, 9 Dec 2024 16:27:28 +0530
+Subject: usb: dwc3-am62: Disable autosuspend during remove
+
+From: Prashanth K <quic_prashk@quicinc.com>
+
+commit 625e70ccb7bbbb2cc912e23c63390946170c085c upstream.
+
+Runtime PM documentation (Section 5) mentions, during remove()
+callbacks, drivers should undo the runtime PM changes done in
+probe(). Usually this means calling pm_runtime_disable(),
+pm_runtime_dont_use_autosuspend() etc. Hence add missing
+function to disable autosuspend on dwc3-am62 driver unbind.
+
+Fixes: e8784c0aec03 ("drivers: usb: dwc3: Add AM62 USB wrapper driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Prashanth K <quic_prashk@quicinc.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/20241209105728.3216872-1-quic_prashk@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/dwc3-am62.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/dwc3/dwc3-am62.c
++++ b/drivers/usb/dwc3/dwc3-am62.c
+@@ -284,6 +284,7 @@ static void dwc3_ti_remove(struct platfo
+
+ pm_runtime_put_sync(dev);
+ pm_runtime_disable(dev);
++ pm_runtime_dont_use_autosuspend(dev);
+ pm_runtime_set_suspended(dev);
+ }
+
--- /dev/null
+From 0df11fa8cee5a9cf8753d4e2672bb3667138c652 Mon Sep 17 00:00:00 2001
+From: Ma Ke <make_ruc2021@163.com>
+Date: Wed, 18 Dec 2024 15:13:46 +0800
+Subject: usb: fix reference leak in usb_new_device()
+
+From: Ma Ke <make_ruc2021@163.com>
+
+commit 0df11fa8cee5a9cf8753d4e2672bb3667138c652 upstream.
+
+When device_add(&udev->dev) succeeds and a later call fails,
+usb_new_device() does not properly call device_del(). As comment of
+device_add() says, 'if device_add() succeeds, you should call
+device_del() when you want to get rid of it. If device_add() has not
+succeeded, use only put_device() to drop the reference count'.
+
+Found by code review.
+
+Cc: stable <stable@kernel.org>
+Fixes: 9f8b17e643fe ("USB: make usbdevices export their device nodes instead of using a separate class")
+Signed-off-by: Ma Ke <make_ruc2021@163.com>
+Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20241218071346.2973980-1-make_ruc2021@163.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/hub.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2633,13 +2633,13 @@ int usb_new_device(struct usb_device *ud
+ err = sysfs_create_link(&udev->dev.kobj,
+ &port_dev->dev.kobj, "port");
+ if (err)
+- goto fail;
++ goto out_del_dev;
+
+ err = sysfs_create_link(&port_dev->dev.kobj,
+ &udev->dev.kobj, "device");
+ if (err) {
+ sysfs_remove_link(&udev->dev.kobj, "port");
+- goto fail;
++ goto out_del_dev;
+ }
+
+ if (!test_and_set_bit(port1, hub->child_usage_bits))
+@@ -2651,6 +2651,8 @@ int usb_new_device(struct usb_device *ud
+ pm_runtime_put_sync_autosuspend(&udev->dev);
+ return err;
+
++out_del_dev:
++ device_del(&udev->dev);
+ fail:
+ usb_set_device_state(udev, USB_STATE_NOTATTACHED);
+ pm_runtime_disable(&udev->dev);
--- /dev/null
+From 9466545720e231fc02acd69b5f4e9138e09a26f6 Mon Sep 17 00:00:00 2001
+From: Ingo Rohloff <ingo.rohloff@lauterbach.com>
+Date: Thu, 12 Dec 2024 16:41:14 +0100
+Subject: usb: gadget: configfs: Ignore trailing LF for user strings to cdev
+
+From: Ingo Rohloff <ingo.rohloff@lauterbach.com>
+
+commit 9466545720e231fc02acd69b5f4e9138e09a26f6 upstream.
+
+Since commit c033563220e0f7a8
+("usb: gadget: configfs: Attach arbitrary strings to cdev")
+a user can provide extra string descriptors to a USB gadget via configfs.
+
+For "manufacturer", "product", "serialnumber", setting the string via
+configfs ignores a trailing LF.
+
+For the arbitrary strings the LF was not ignored.
+
+This patch ignores a trailing LF to make this consistent with the existing
+behavior for "manufacturer", ... string descriptors.
+
+Fixes: c033563220e0 ("usb: gadget: configfs: Attach arbitrary strings to cdev")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ingo Rohloff <ingo.rohloff@lauterbach.com>
+Link: https://lore.kernel.org/r/20241212154114.29295-1-ingo.rohloff@lauterbach.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/configfs.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -824,11 +824,15 @@ static ssize_t gadget_string_s_store(str
+ {
+ struct gadget_string *string = to_gadget_string(item);
+ int size = min(sizeof(string->string), len + 1);
++ ssize_t cpy_len;
+
+ if (len > USB_MAX_STRING_LEN)
+ return -EINVAL;
+
+- return strscpy(string->string, page, size);
++ cpy_len = strscpy(string->string, page, size);
++ if (cpy_len > 0 && string->string[cpy_len - 1] == '\n')
++ string->string[cpy_len - 1] = 0;
++ return len;
+ }
+ CONFIGFS_ATTR(gadget_string_, s);
+
--- /dev/null
+From dfc51e48bca475bbee984e90f33fdc537ce09699 Mon Sep 17 00:00:00 2001
+From: Akash M <akash.m5@samsung.com>
+Date: Thu, 19 Dec 2024 18:22:19 +0530
+Subject: usb: gadget: f_fs: Remove WARN_ON in functionfs_bind
+
+From: Akash M <akash.m5@samsung.com>
+
+commit dfc51e48bca475bbee984e90f33fdc537ce09699 upstream.
+
+This commit addresses an issue related to below kernel panic where
+panic_on_warn is enabled. It is caused by the unnecessary use of WARN_ON
+in functionsfs_bind, which easily leads to the following scenarios.
+
+1.adb_write in adbd 2. UDC write via configfs
+ ================= =====================
+
+->usb_ffs_open_thread() ->UDC write
+ ->open_functionfs() ->configfs_write_iter()
+ ->adb_open() ->gadget_dev_desc_UDC_store()
+ ->adb_write() ->usb_gadget_register_driver_owner
+ ->driver_register()
+->StartMonitor() ->bus_add_driver()
+ ->adb_read() ->gadget_bind_driver()
+<times-out without BIND event> ->configfs_composite_bind()
+ ->usb_add_function()
+->open_functionfs() ->ffs_func_bind()
+ ->adb_open() ->functionfs_bind()
+ <ffs->state !=FFS_ACTIVE>
+
+The adb_open, adb_read, and adb_write operations are invoked from the
+daemon, but trying to bind the function is a process that is invoked by
+UDC write through configfs, which opens up the possibility of a race
+condition between the two paths. In this race scenario, the kernel panic
+occurs due to the WARN_ON from functionfs_bind when panic_on_warn is
+enabled. This commit fixes the kernel panic by removing the unnecessary
+WARN_ON.
+
+Kernel panic - not syncing: kernel: panic_on_warn set ...
+[ 14.542395] Call trace:
+[ 14.542464] ffs_func_bind+0x1c8/0x14a8
+[ 14.542468] usb_add_function+0xcc/0x1f0
+[ 14.542473] configfs_composite_bind+0x468/0x588
+[ 14.542478] gadget_bind_driver+0x108/0x27c
+[ 14.542483] really_probe+0x190/0x374
+[ 14.542488] __driver_probe_device+0xa0/0x12c
+[ 14.542492] driver_probe_device+0x3c/0x220
+[ 14.542498] __driver_attach+0x11c/0x1fc
+[ 14.542502] bus_for_each_dev+0x104/0x160
+[ 14.542506] driver_attach+0x24/0x34
+[ 14.542510] bus_add_driver+0x154/0x270
+[ 14.542514] driver_register+0x68/0x104
+[ 14.542518] usb_gadget_register_driver_owner+0x48/0xf4
+[ 14.542523] gadget_dev_desc_UDC_store+0xf8/0x144
+[ 14.542526] configfs_write_iter+0xf0/0x138
+
+Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Akash M <akash.m5@samsung.com>
+Link: https://lore.kernel.org/r/20241219125221.1679-1-akash.m5@samsung.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1810,7 +1810,7 @@ static int functionfs_bind(struct ffs_da
+ struct usb_gadget_strings **lang;
+ int first_id;
+
+- if (WARN_ON(ffs->state != FFS_ACTIVE
++ if ((ffs->state != FFS_ACTIVE
+ || test_and_set_bit(FFS_FL_BOUND, &ffs->flags)))
+ return -EBADFD;
+
--- /dev/null
+From 057bd54dfcf68b1f67e6dfc32a47a72e12198495 Mon Sep 17 00:00:00 2001
+From: Prashanth K <quic_prashk@quicinc.com>
+Date: Wed, 11 Dec 2024 17:29:15 +0530
+Subject: usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints
+
+From: Prashanth K <quic_prashk@quicinc.com>
+
+commit 057bd54dfcf68b1f67e6dfc32a47a72e12198495 upstream.
+
+Currently afunc_bind sets std_ac_if_desc.bNumEndpoints to 1 if
+controls (mute/volume) are enabled. During next afunc_bind call,
+bNumEndpoints would be unchanged and incorrectly set to 1 even
+if the controls aren't enabled.
+
+Fix this by resetting the value of bNumEndpoints to 0 on every
+afunc_bind call.
+
+Fixes: eaf6cbe09920 ("usb: gadget: f_uac2: add volume and mute support")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Prashanth K <quic_prashk@quicinc.com>
+Link: https://lore.kernel.org/r/20241211115915.159864-1-quic_prashk@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_uac2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -1176,6 +1176,7 @@ afunc_bind(struct usb_configuration *cfg
+ uac2->as_in_alt = 0;
+ }
+
++ std_ac_if_desc.bNumEndpoints = 0;
+ if (FUOUT_EN(uac2_opts) || FUIN_EN(uac2_opts)) {
+ uac2->int_ep = usb_ep_autoconfig(gadget, &fs_ep_int_desc);
+ if (!uac2->int_ep) {
--- /dev/null
+From 6f660ffce7c938f2a5d8473c0e0b45e4fb25ef7f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 1 Jan 2025 14:11:19 +0100
+Subject: usb: gadget: midi2: Reverse-select at the right place
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6f660ffce7c938f2a5d8473c0e0b45e4fb25ef7f upstream.
+
+We should do reverse selection of other components from
+CONFIG_USB_F_MIDI2 which is tristate, instead of
+CONFIG_USB_CONFIGFS_F_MIDI2 which is bool, for satisfying subtle
+module dependencies.
+
+Fixes: 8b645922b223 ("usb: gadget: Add support for USB MIDI 2.0 function driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/r/20250101131124.27599-1-tiwai@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/Kconfig
++++ b/drivers/usb/gadget/Kconfig
+@@ -210,6 +210,8 @@ config USB_F_MIDI
+
+ config USB_F_MIDI2
+ tristate
++ select SND_UMP
++ select SND_UMP_LEGACY_RAWMIDI
+
+ config USB_F_HID
+ tristate
+@@ -444,8 +446,6 @@ config USB_CONFIGFS_F_MIDI2
+ depends on USB_CONFIGFS
+ depends on SND
+ select USB_LIBCOMPOSITE
+- select SND_UMP
+- select SND_UMP_LEGACY_RAWMIDI
+ select USB_F_MIDI2
+ help
+ The MIDI 2.0 function driver provides the generic emulated
--- /dev/null
+From 13014969cbf07f18d62ceea40bd8ca8ec9d36cec Mon Sep 17 00:00:00 2001
+From: Lianqin Hu <hulianqin@vivo.com>
+Date: Tue, 17 Dec 2024 07:58:44 +0000
+Subject: usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null
+
+From: Lianqin Hu <hulianqin@vivo.com>
+
+commit 13014969cbf07f18d62ceea40bd8ca8ec9d36cec upstream.
+
+Considering that in some extreme cases, when performing the
+unbinding operation, gserial_disconnect has cleared gser->ioport,
+which triggers gadget reconfiguration, and then calls gs_read_complete,
+resulting in access to a null pointer. Therefore, ep is disabled before
+gserial_disconnect sets port to null to prevent this from happening.
+
+Call trace:
+ gs_read_complete+0x58/0x240
+ usb_gadget_giveback_request+0x40/0x160
+ dwc3_remove_requests+0x170/0x484
+ dwc3_ep0_out_start+0xb0/0x1d4
+ __dwc3_gadget_start+0x25c/0x720
+ kretprobe_trampoline.cfi_jt+0x0/0x8
+ kretprobe_trampoline.cfi_jt+0x0/0x8
+ udc_bind_to_driver+0x1d8/0x300
+ usb_gadget_probe_driver+0xa8/0x1dc
+ gadget_dev_desc_UDC_store+0x13c/0x188
+ configfs_write_iter+0x160/0x1f4
+ vfs_write+0x2d0/0x40c
+ ksys_write+0x7c/0xf0
+ __arm64_sys_write+0x20/0x30
+ invoke_syscall+0x60/0x150
+ el0_svc_common+0x8c/0xf8
+ do_el0_svc+0x28/0xa0
+ el0_svc+0x24/0x84
+
+Fixes: c1dca562be8a ("usb gadget: split out serial core")
+Cc: stable <stable@kernel.org>
+Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Lianqin Hu <hulianqin@vivo.com>
+Link: https://lore.kernel.org/r/TYUPR06MB621733B5AC690DBDF80A0DCCD2042@TYUPR06MB6217.apcprd06.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/u_serial.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_serial.c
++++ b/drivers/usb/gadget/function/u_serial.c
+@@ -1398,6 +1398,10 @@ void gserial_disconnect(struct gserial *
+ /* REVISIT as above: how best to track this? */
+ port->port_line_coding = gser->port_line_coding;
+
++ /* disable endpoints, aborting down any active I/O */
++ usb_ep_disable(gser->out);
++ usb_ep_disable(gser->in);
++
+ port->port_usb = NULL;
+ gser->ioport = NULL;
+ if (port->port.count > 0) {
+@@ -1409,10 +1413,6 @@ void gserial_disconnect(struct gserial *
+ spin_unlock(&port->port_lock);
+ spin_unlock_irqrestore(&serial_port_lock, flags);
+
+- /* disable endpoints, aborting down any active I/O */
+- usb_ep_disable(gser->out);
+- usb_ep_disable(gser->in);
+-
+ /* finally, free any unused/unusable I/O buffers */
+ spin_lock_irqsave(&port->port_lock, flags);
+ if (port->port.count == 0)
--- /dev/null
+From b9711ff7cde0cfbcdd44cb1fac55b6eec496e690 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Fri, 6 Dec 2024 16:09:18 +0300
+Subject: usb: typec: tcpm/tcpci_maxim: fix error code in max_contaminant_read_resistance_kohm()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit b9711ff7cde0cfbcdd44cb1fac55b6eec496e690 upstream.
+
+If max_contaminant_read_adc_mv() fails, then return the error code. Don't
+return zero.
+
+Fixes: 02b332a06397 ("usb: typec: maxim_contaminant: Implement check_contaminant callback")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: André Draszik <andre.draszik@linaro.org>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/f1bf3768-419e-40dd-989c-f7f455d6c824@stanley.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/maxim_contaminant.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/maxim_contaminant.c
++++ b/drivers/usb/typec/tcpm/maxim_contaminant.c
+@@ -137,7 +137,7 @@ static int max_contaminant_read_resistan
+
+ mv = max_contaminant_read_adc_mv(chip, channel, sleep_msec, raw, true);
+ if (mv < 0)
+- return ret;
++ return mv;
+
+ /* OVP enable */
+ ret = regmap_update_bits(regmap, TCPC_VENDOR_CC_CTRL2, CCOVPDIS, 0);
+@@ -159,7 +159,7 @@ static int max_contaminant_read_resistan
+
+ mv = max_contaminant_read_adc_mv(chip, channel, sleep_msec, raw, true);
+ if (mv < 0)
+- return ret;
++ return mv;
+ /* Disable current source */
+ ret = regmap_update_bits(regmap, TCPC_VENDOR_CC_CTRL2, SBURPCTRL, 0);
+ if (ret < 0)
--- /dev/null
+From 7a3d76a0b60b3f6fc3375e4de2174bab43f64545 Mon Sep 17 00:00:00 2001
+From: Jun Yan <jerrysteve1101@gmail.com>
+Date: Thu, 12 Dec 2024 22:38:52 +0800
+Subject: USB: usblp: return error when setting unsupported protocol
+
+From: Jun Yan <jerrysteve1101@gmail.com>
+
+commit 7a3d76a0b60b3f6fc3375e4de2174bab43f64545 upstream.
+
+Fix the regression introduced by commit d8c6edfa3f4e ("USB:
+usblp: don't call usb_set_interface if there's a single alt"),
+which causes that unsupported protocols can also be set via
+ioctl when the num_altsetting of the device is 1.
+
+Move the check for protocol support to the earlier stage.
+
+Fixes: d8c6edfa3f4e ("USB: usblp: don't call usb_set_interface if there's a single alt")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Jun Yan <jerrysteve1101@gmail.com>
+Link: https://lore.kernel.org/r/20241212143852.671889-1-jerrysteve1101@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usblp.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/class/usblp.c
++++ b/drivers/usb/class/usblp.c
+@@ -1337,11 +1337,12 @@ static int usblp_set_protocol(struct usb
+ if (protocol < USBLP_FIRST_PROTOCOL || protocol > USBLP_LAST_PROTOCOL)
+ return -EINVAL;
+
++ alts = usblp->protocol[protocol].alt_setting;
++ if (alts < 0)
++ return -EINVAL;
++
+ /* Don't unnecessarily set the interface if there's a single alt. */
+ if (usblp->intf->num_altsetting > 1) {
+- alts = usblp->protocol[protocol].alt_setting;
+- if (alts < 0)
+- return -EINVAL;
+ r = usb_set_interface(usblp->dev, usblp->ifnum, alts);
+ if (r < 0) {
+ printk(KERN_ERR "usblp: can't set desired altsetting %d on interface %d\n",
--- /dev/null
+From a9d9c33132d49329ada647e4514d210d15e31d81 Mon Sep 17 00:00:00 2001
+From: Rick Edgecombe <rick.p.edgecombe@intel.com>
+Date: Tue, 7 Jan 2025 15:30:56 -0800
+Subject: x86/fpu: Ensure shadow stack is active before "getting" registers
+
+From: Rick Edgecombe <rick.p.edgecombe@intel.com>
+
+commit a9d9c33132d49329ada647e4514d210d15e31d81 upstream.
+
+The x86 shadow stack support has its own set of registers. Those registers
+are XSAVE-managed, but they are "supervisor state components" which means
+that userspace can not touch them with XSAVE/XRSTOR. It also means that
+they are not accessible from the existing ptrace ABI for XSAVE state.
+Thus, there is a new ptrace get/set interface for it.
+
+The regset code that ptrace uses provides an ->active() handler in
+addition to the get/set ones. For shadow stack this ->active() handler
+verifies that shadow stack is enabled via the ARCH_SHSTK_SHSTK bit in the
+thread struct. The ->active() handler is checked from some call sites of
+the regset get/set handlers, but not the ptrace ones. This was not
+understood when shadow stack support was put in place.
+
+As a result, both the set/get handlers can be called with
+XFEATURE_CET_USER in its init state, which would cause get_xsave_addr() to
+return NULL and trigger a WARN_ON(). The ssp_set() handler luckily has an
+ssp_active() check to avoid surprising the kernel with shadow stack
+behavior when the kernel is not ready for it (ARCH_SHSTK_SHSTK==0). That
+check just happened to avoid the warning.
+
+But the ->get() side wasn't so lucky. It can be called with shadow stacks
+disabled, triggering the warning in practice, as reported by Christina
+Schimpe:
+
+WARNING: CPU: 5 PID: 1773 at arch/x86/kernel/fpu/regset.c:198 ssp_get+0x89/0xa0
+[...]
+Call Trace:
+<TASK>
+? show_regs+0x6e/0x80
+? ssp_get+0x89/0xa0
+? __warn+0x91/0x150
+? ssp_get+0x89/0xa0
+? report_bug+0x19d/0x1b0
+? handle_bug+0x46/0x80
+? exc_invalid_op+0x1d/0x80
+? asm_exc_invalid_op+0x1f/0x30
+? __pfx_ssp_get+0x10/0x10
+? ssp_get+0x89/0xa0
+? ssp_get+0x52/0xa0
+__regset_get+0xad/0xf0
+copy_regset_to_user+0x52/0xc0
+ptrace_regset+0x119/0x140
+ptrace_request+0x13c/0x850
+? wait_task_inactive+0x142/0x1d0
+? do_syscall_64+0x6d/0x90
+arch_ptrace+0x102/0x300
+[...]
+
+Ensure that shadow stacks are active in a thread before looking them up
+in the XSAVE buffer. Since ARCH_SHSTK_SHSTK and user_ssp[SHSTK_EN] are
+set at the same time, the active check ensures that there will be
+something to find in the XSAVE buffer.
+
+[ dhansen: changelog/subject tweaks ]
+
+Fixes: 2fab02b25ae7 ("x86: Add PTRACE interface for shadow stack")
+Reported-by: Christina Schimpe <christina.schimpe@intel.com>
+Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Tested-by: Christina Schimpe <christina.schimpe@intel.com>
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250107233056.235536-1-rick.p.edgecombe%40intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/fpu/regset.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/fpu/regset.c b/arch/x86/kernel/fpu/regset.c
+index 6bc1eb2a21bd..887b0b8e21e3 100644
+--- a/arch/x86/kernel/fpu/regset.c
++++ b/arch/x86/kernel/fpu/regset.c
+@@ -190,7 +190,8 @@ int ssp_get(struct task_struct *target, const struct user_regset *regset,
+ struct fpu *fpu = &target->thread.fpu;
+ struct cet_user_state *cetregs;
+
+- if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK))
++ if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK) ||
++ !ssp_active(target, regset))
+ return -ENODEV;
+
+ sync_fpstate(fpu);
+--
+2.48.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
