From: Greg Kroah-Hartman Date: Wed, 17 Sep 2025 08:01:15 +0000 (+0200) Subject: 6.16-stable patches X-Git-Tag: v6.1.153~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=57d73c53d5b9b6e2f7ff38aa0887e3ec56d11004;p=thirdparty%2Fkernel%2Fstable-queue.git 6.16-stable patches added patches: dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch phy-qcom-qmp-pcie-fix-phy-initialization-when-powered-down-by-firmware.patch phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch phy-ti-omap-usb2-fix-device-leak-at-unbind.patch phy-ti-pipe3-fix-device-leak-at-unbind.patch usb-gadget-dummy-hcd-fix-locking-bug-in-rt-enabled-kernels.patch usb-gadget-midi2-fix-midi2-in-ep-max-packet-size.patch usb-gadget-midi2-fix-missing-ump-group-attributes-initialization.patch usb-typec-tcpm-properly-deliver-cable-vdms-to-altmode-drivers.patch xhci-dbc-decouple-endpoint-allocation-from-initialization.patch xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch xhci-fix-memory-leak-regression-when-freeing-xhci-vdev-devices-depth-first.patch --- diff --git a/queue-6.16/dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch b/queue-6.16/dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch new file mode 100644 index 0000000000..8cc3bbe385 --- /dev/null +++ b/queue-6.16/dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch @@ -0,0 +1,63 @@ +From aa2e1e4563d3ab689ffa86ca1412ecbf9fd3b308 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Tue, 2 Sep 2025 17:03:58 +0800 +Subject: dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate + +From: Miaoqian Lin + +commit aa2e1e4563d3ab689ffa86ca1412ecbf9fd3b308 upstream. + +The reference taken by of_find_device_by_node() +must be released when not needed anymore. +Add missing put_device() call to fix device reference leaks. + +Fixes: 134d9c52fca2 ("dmaengine: dw: dmamux: Introduce RZN1 DMA router support") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Reviewed-by: Miquel Raynal +Link: https://lore.kernel.org/r/20250902090358.2423285-1-linmq006@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/dw/rzn1-dmamux.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/dma/dw/rzn1-dmamux.c ++++ b/drivers/dma/dw/rzn1-dmamux.c +@@ -48,12 +48,16 @@ static void *rzn1_dmamux_route_allocate( + u32 mask; + int ret; + +- if (dma_spec->args_count != RNZ1_DMAMUX_NCELLS) +- return ERR_PTR(-EINVAL); ++ if (dma_spec->args_count != RNZ1_DMAMUX_NCELLS) { ++ ret = -EINVAL; ++ goto put_device; ++ } + + map = kzalloc(sizeof(*map), GFP_KERNEL); +- if (!map) +- return ERR_PTR(-ENOMEM); ++ if (!map) { ++ ret = -ENOMEM; ++ goto put_device; ++ } + + chan = dma_spec->args[0]; + map->req_idx = dma_spec->args[4]; +@@ -94,12 +98,15 @@ static void *rzn1_dmamux_route_allocate( + if (ret) + goto clear_bitmap; + ++ put_device(&pdev->dev); + return map; + + clear_bitmap: + clear_bit(map->req_idx, dmamux->used_chans); + free_map: + kfree(map); ++put_device: ++ put_device(&pdev->dev); + + return ERR_PTR(ret); + } diff --git a/queue-6.16/dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch b/queue-6.16/dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch new file mode 100644 index 0000000000..afb707b49a --- /dev/null +++ b/queue-6.16/dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch @@ -0,0 +1,65 @@ +From 5068b5254812433e841a40886e695633148d362d Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Wed, 12 Feb 2025 18:03:54 +0100 +Subject: dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees + +From: Stephan Gerhold + +commit 5068b5254812433e841a40886e695633148d362d upstream. + +When we don't have a clock specified in the device tree, we have no way to +ensure the BAM is on. This is often the case for remotely-controlled or +remotely-powered BAM instances. In this case, we need to read num-channels +from the DT to have all the necessary information to complete probing. + +However, at the moment invalid device trees without clock and without +num-channels still continue probing, because the error handling is missing +return statements. The driver will then later try to read the number of +channels from the registers. This is unsafe, because it relies on boot +firmware and lucky timing to succeed. Unfortunately, the lack of proper +error handling here has been abused for several Qualcomm SoCs upstream, +causing early boot crashes in several situations [1, 2]. + +Avoid these early crashes by erroring out when any of the required DT +properties are missing. Note that this will break some of the existing DTs +upstream (mainly BAM instances related to the crypto engine). However, +clearly these DTs have never been tested properly, since the error in the +kernel log was just ignored. It's safer to disable the crypto engine for +these broken DTBs. + +[1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/ +[2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/ + +Cc: stable@vger.kernel.org +Fixes: 48d163b1aa6e ("dmaengine: qcom: bam_dma: get num-channels and num-ees from dt") +Signed-off-by: Stephan Gerhold +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250212-bam-dma-fixes-v1-8-f560889e65d8@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/qcom/bam_dma.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/dma/qcom/bam_dma.c ++++ b/drivers/dma/qcom/bam_dma.c +@@ -1283,13 +1283,17 @@ static int bam_dma_probe(struct platform + if (!bdev->bamclk) { + ret = of_property_read_u32(pdev->dev.of_node, "num-channels", + &bdev->num_channels); +- if (ret) ++ if (ret) { + dev_err(bdev->dev, "num-channels unspecified in dt\n"); ++ return ret; ++ } + + ret = of_property_read_u32(pdev->dev.of_node, "qcom,num-ees", + &bdev->num_ees); +- if (ret) ++ if (ret) { + dev_err(bdev->dev, "num-ees unspecified in dt\n"); ++ return ret; ++ } + } + + ret = clk_prepare_enable(bdev->bamclk); diff --git a/queue-6.16/phy-qcom-qmp-pcie-fix-phy-initialization-when-powered-down-by-firmware.patch b/queue-6.16/phy-qcom-qmp-pcie-fix-phy-initialization-when-powered-down-by-firmware.patch new file mode 100644 index 0000000000..57d5503c7a --- /dev/null +++ b/queue-6.16/phy-qcom-qmp-pcie-fix-phy-initialization-when-powered-down-by-firmware.patch @@ -0,0 +1,97 @@ +From 6cb8c1f957f674ca20b7d7c96b1f1bb11b83b679 Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Thu, 21 Aug 2025 10:01:47 +0200 +Subject: phy: qcom: qmp-pcie: Fix PHY initialization when powered down by firmware + +From: Stephan Gerhold + +commit 6cb8c1f957f674ca20b7d7c96b1f1bb11b83b679 upstream. + +Commit 0cc22f5a861c ("phy: qcom: qmp-pcie: Add PHY register retention +support") added support for using the "no_csr" reset to skip configuration +of the PHY if the init sequence was already applied by the boot firmware. +The expectation is that the PHY is only turned on/off by using the "no_csr" +reset, instead of powering it down and re-programming it after a full +reset. + +The boot firmware on X1E does not fully conform to this expectation: If the +PCIe3 link fails to come up (e.g. because no PCIe card is inserted), the +firmware powers down the PHY using the QPHY_PCS_POWER_DOWN_CONTROL +register. The QPHY_START_CTRL register is kept as-is, so the driver assumes +the PHY is already initialized and skips the configuration/power up +sequence. The PHY won't come up again without clearing the +QPHY_PCS_POWER_DOWN_CONTROL, so eventually initialization fails: + + qcom-qmp-pcie-phy 1be0000.phy: phy initialization timed-out + phy phy-1be0000.phy.0: phy poweron failed --> -110 + qcom-pcie 1bd0000.pcie: cannot initialize host + qcom-pcie 1bd0000.pcie: probe with driver qcom-pcie failed with error -110 + +This can be reliably reproduced on the X1E CRD, QCP and Devkit when no card +is inserted for PCIe3. + +Fix this by checking the QPHY_PCS_POWER_DOWN_CONTROL register in addition +to QPHY_START_CTRL. If the PHY is powered down with the register, it +doesn't conform to the expectations for using the "no_csr" reset, so we +fully re-initialize with the normal reset sequence. + +Also check the register more carefully to ensure all of the bits we expect +are actually set. A simple !!(readl()) is not enough, because the PHY might +be only partially set up with some of the expected bits set. + +Cc: stable@vger.kernel.org +Fixes: 0cc22f5a861c ("phy: qcom: qmp-pcie: Add PHY register retention support") +Signed-off-by: Stephan Gerhold +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250821-phy-qcom-qmp-pcie-nocsr-fix-v3-1-4898db0cc07c@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +--- a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c +@@ -3064,6 +3064,14 @@ struct qmp_pcie { + struct clk_fixed_rate aux_clk_fixed; + }; + ++static bool qphy_checkbits(const void __iomem *base, u32 offset, u32 val) ++{ ++ u32 reg; ++ ++ reg = readl(base + offset); ++ return (reg & val) == val; ++} ++ + static inline void qphy_setbits(void __iomem *base, u32 offset, u32 val) + { + u32 reg; +@@ -4332,16 +4340,21 @@ static int qmp_pcie_init(struct phy *phy + struct qmp_pcie *qmp = phy_get_drvdata(phy); + const struct qmp_phy_cfg *cfg = qmp->cfg; + void __iomem *pcs = qmp->pcs; +- bool phy_initialized = !!(readl(pcs + cfg->regs[QPHY_START_CTRL])); + int ret; + +- qmp->skip_init = qmp->nocsr_reset && phy_initialized; + /* +- * We need to check the existence of init sequences in two cases: +- * 1. The PHY doesn't support no_csr reset. +- * 2. The PHY supports no_csr reset but isn't initialized by bootloader. +- * As we can't skip init in these two cases. ++ * We can skip PHY initialization if all of the following conditions ++ * are met: ++ * 1. The PHY supports the nocsr_reset that preserves the PHY config. ++ * 2. The PHY was started (and not powered down again) by the ++ * bootloader, with all of the expected bits set correctly. ++ * In this case, we can continue without having the init sequence ++ * defined in the driver. + */ ++ qmp->skip_init = qmp->nocsr_reset && ++ qphy_checkbits(pcs, cfg->regs[QPHY_START_CTRL], SERDES_START | PCS_START) && ++ qphy_checkbits(pcs, cfg->regs[QPHY_PCS_POWER_DOWN_CONTROL], cfg->pwrdn_ctrl); ++ + if (!qmp->skip_init && !cfg->tbls.serdes_num) { + dev_err(qmp->dev, "Init sequence not available\n"); + return -ENODATA; diff --git a/queue-6.16/phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch b/queue-6.16/phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch new file mode 100644 index 0000000000..6f91903709 --- /dev/null +++ b/queue-6.16/phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch @@ -0,0 +1,54 @@ +From bca065733afd1e3a89a02f05ffe14e966cd5f78e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 24 Jul 2025 15:12:04 +0200 +Subject: phy: tegra: xusb: fix device and OF node leak at probe + +From: Johan Hovold + +commit bca065733afd1e3a89a02f05ffe14e966cd5f78e upstream. + +Make sure to drop the references taken to the PMC OF node and device by +of_parse_phandle() and of_find_device_by_node() during probe. + +Note the holding a reference to the PMC device does not prevent the +PMC regmap from going away (e.g. if the PMC driver is unbound) so there +is no need to keep the reference. + +Fixes: 2d1021487273 ("phy: tegra: xusb: Add wake/sleepwalk for Tegra210") +Cc: stable@vger.kernel.org # 5.14 +Cc: JC Kuo +Signed-off-by: Johan Hovold +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20250724131206.2211-2-johan@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/tegra/xusb-tegra210.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/phy/tegra/xusb-tegra210.c ++++ b/drivers/phy/tegra/xusb-tegra210.c +@@ -3164,18 +3164,22 @@ tegra210_xusb_padctl_probe(struct device + } + + pdev = of_find_device_by_node(np); ++ of_node_put(np); + if (!pdev) { + dev_warn(dev, "PMC device is not available\n"); + goto out; + } + +- if (!platform_get_drvdata(pdev)) ++ if (!platform_get_drvdata(pdev)) { ++ put_device(&pdev->dev); + return ERR_PTR(-EPROBE_DEFER); ++ } + + padctl->regmap = dev_get_regmap(&pdev->dev, "usb_sleepwalk"); + if (!padctl->regmap) + dev_info(dev, "failed to find PMC regmap\n"); + ++ put_device(&pdev->dev); + out: + return &padctl->base; + } diff --git a/queue-6.16/phy-ti-omap-usb2-fix-device-leak-at-unbind.patch b/queue-6.16/phy-ti-omap-usb2-fix-device-leak-at-unbind.patch new file mode 100644 index 0000000000..3652f602ef --- /dev/null +++ b/queue-6.16/phy-ti-omap-usb2-fix-device-leak-at-unbind.patch @@ -0,0 +1,59 @@ +From 64961557efa1b98f375c0579779e7eeda1a02c42 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 24 Jul 2025 15:12:05 +0200 +Subject: phy: ti: omap-usb2: fix device leak at unbind + +From: Johan Hovold + +commit 64961557efa1b98f375c0579779e7eeda1a02c42 upstream. + +Make sure to drop the reference to the control device taken by +of_find_device_by_node() during probe when the driver is unbound. + +Fixes: 478b6c7436c2 ("usb: phy: omap-usb2: Don't use omap_get_control_dev()") +Cc: stable@vger.kernel.org # 3.13 +Cc: Roger Quadros +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20250724131206.2211-3-johan@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/ti/phy-omap-usb2.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/phy/ti/phy-omap-usb2.c ++++ b/drivers/phy/ti/phy-omap-usb2.c +@@ -363,6 +363,13 @@ static void omap_usb2_init_errata(struct + phy->flags |= OMAP_USB2_DISABLE_CHRG_DET; + } + ++static void omap_usb2_put_device(void *_dev) ++{ ++ struct device *dev = _dev; ++ ++ put_device(dev); ++} ++ + static int omap_usb2_probe(struct platform_device *pdev) + { + struct omap_usb *phy; +@@ -373,6 +380,7 @@ static int omap_usb2_probe(struct platfo + struct device_node *control_node; + struct platform_device *control_pdev; + const struct usb_phy_data *phy_data; ++ int ret; + + phy_data = device_get_match_data(&pdev->dev); + if (!phy_data) +@@ -423,6 +431,11 @@ static int omap_usb2_probe(struct platfo + return -EINVAL; + } + phy->control_dev = &control_pdev->dev; ++ ++ ret = devm_add_action_or_reset(&pdev->dev, omap_usb2_put_device, ++ phy->control_dev); ++ if (ret) ++ return ret; + } else { + if (of_property_read_u32_index(node, + "syscon-phy-power", 1, diff --git a/queue-6.16/phy-ti-pipe3-fix-device-leak-at-unbind.patch b/queue-6.16/phy-ti-pipe3-fix-device-leak-at-unbind.patch new file mode 100644 index 0000000000..dc8a88d4c5 --- /dev/null +++ b/queue-6.16/phy-ti-pipe3-fix-device-leak-at-unbind.patch @@ -0,0 +1,58 @@ +From e19bcea99749ce8e8f1d359f68ae03210694ad56 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 24 Jul 2025 15:12:06 +0200 +Subject: phy: ti-pipe3: fix device leak at unbind + +From: Johan Hovold + +commit e19bcea99749ce8e8f1d359f68ae03210694ad56 upstream. + +Make sure to drop the reference to the control device taken by +of_find_device_by_node() during probe when the driver is unbound. + +Fixes: 918ee0d21ba4 ("usb: phy: omap-usb3: Don't use omap_get_control_dev()") +Cc: stable@vger.kernel.org # 3.13 +Cc: Roger Quadros +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20250724131206.2211-4-johan@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/ti/phy-ti-pipe3.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/phy/ti/phy-ti-pipe3.c ++++ b/drivers/phy/ti/phy-ti-pipe3.c +@@ -667,12 +667,20 @@ static int ti_pipe3_get_clk(struct ti_pi + return 0; + } + ++static void ti_pipe3_put_device(void *_dev) ++{ ++ struct device *dev = _dev; ++ ++ put_device(dev); ++} ++ + static int ti_pipe3_get_sysctrl(struct ti_pipe3 *phy) + { + struct device *dev = phy->dev; + struct device_node *node = dev->of_node; + struct device_node *control_node; + struct platform_device *control_pdev; ++ int ret; + + phy->phy_power_syscon = syscon_regmap_lookup_by_phandle(node, + "syscon-phy-power"); +@@ -704,6 +712,11 @@ static int ti_pipe3_get_sysctrl(struct t + } + + phy->control_dev = &control_pdev->dev; ++ ++ ret = devm_add_action_or_reset(dev, ti_pipe3_put_device, ++ phy->control_dev); ++ if (ret) ++ return ret; + } + + if (phy->mode == PIPE3_MODE_PCIE) { diff --git a/queue-6.16/series b/queue-6.16/series index 53a2cb5ec3..7ab1708852 100644 --- a/queue-6.16/series +++ b/queue-6.16/series @@ -174,3 +174,16 @@ erofs-fix-invalid-algorithm-for-encoded-extents.patch dmaengine-ti-edma-fix-memory-allocation-size-for-que.patch regulator-sy7636a-fix-lifecycle-of-power-good-gpio.patch erofs-fix-runtime-warning-on-truncate_folio_batch_ex.patch +xhci-dbc-decouple-endpoint-allocation-from-initialization.patch +xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch +xhci-fix-memory-leak-regression-when-freeing-xhci-vdev-devices-depth-first.patch +usb-gadget-dummy-hcd-fix-locking-bug-in-rt-enabled-kernels.patch +usb-typec-tcpm-properly-deliver-cable-vdms-to-altmode-drivers.patch +usb-gadget-midi2-fix-missing-ump-group-attributes-initialization.patch +usb-gadget-midi2-fix-midi2-in-ep-max-packet-size.patch +dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch +dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch +phy-qcom-qmp-pcie-fix-phy-initialization-when-powered-down-by-firmware.patch +phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch +phy-ti-omap-usb2-fix-device-leak-at-unbind.patch +phy-ti-pipe3-fix-device-leak-at-unbind.patch diff --git a/queue-6.16/usb-gadget-dummy-hcd-fix-locking-bug-in-rt-enabled-kernels.patch b/queue-6.16/usb-gadget-dummy-hcd-fix-locking-bug-in-rt-enabled-kernels.patch new file mode 100644 index 0000000000..e575123e4d --- /dev/null +++ b/queue-6.16/usb-gadget-dummy-hcd-fix-locking-bug-in-rt-enabled-kernels.patch @@ -0,0 +1,90 @@ +From 8d63c83d8eb922f6c316320f50c82fa88d099bea Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 25 Aug 2025 12:00:22 -0400 +Subject: USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels + +From: Alan Stern + +commit 8d63c83d8eb922f6c316320f50c82fa88d099bea upstream. + +Yunseong Kim and the syzbot fuzzer both reported a problem in +RT-enabled kernels caused by the way dummy-hcd mixes interrupt +management and spin-locking. The pattern was: + + local_irq_save(flags); + spin_lock(&dum->lock); + ... + spin_unlock(&dum->lock); + ... // calls usb_gadget_giveback_request() + local_irq_restore(flags); + +The code was written this way because usb_gadget_giveback_request() +needs to be called with interrupts disabled and the private lock not +held. + +While this pattern works fine in non-RT kernels, it's not good when RT +is enabled. RT kernels handle spinlocks much like mutexes; in particular, +spin_lock() may sleep. But sleeping is not allowed while local +interrupts are disabled. + +To fix the problem, rewrite the code to conform to the pattern used +elsewhere in dummy-hcd and other UDC drivers: + + spin_lock_irqsave(&dum->lock, flags); + ... + spin_unlock(&dum->lock); + usb_gadget_giveback_request(...); + spin_lock(&dum->lock); + ... + spin_unlock_irqrestore(&dum->lock, flags); + +This approach satisfies the RT requirements. + +Signed-off-by: Alan Stern +Cc: stable +Fixes: b4dbda1a22d2 ("USB: dummy-hcd: disable interrupts during req->complete") +Reported-by: Yunseong Kim +Closes: +Reported-by: syzbot+8baacc4139f12fa77909@syzkaller.appspotmail.com +Closes: +Tested-by: syzbot+8baacc4139f12fa77909@syzkaller.appspotmail.com +CC: Sebastian Andrzej Siewior +CC: stable@vger.kernel.org +Reviewed-by: Sebastian Andrzej Siewior +Link: https://lore.kernel.org/r/bb192ae2-4eee-48ee-981f-3efdbbd0d8f0@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/dummy_hcd.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/udc/dummy_hcd.c ++++ b/drivers/usb/gadget/udc/dummy_hcd.c +@@ -765,8 +765,7 @@ static int dummy_dequeue(struct usb_ep * + if (!dum->driver) + return -ESHUTDOWN; + +- local_irq_save(flags); +- spin_lock(&dum->lock); ++ spin_lock_irqsave(&dum->lock, flags); + list_for_each_entry(iter, &ep->queue, queue) { + if (&iter->req != _req) + continue; +@@ -776,15 +775,16 @@ static int dummy_dequeue(struct usb_ep * + retval = 0; + break; + } +- spin_unlock(&dum->lock); + + if (retval == 0) { + dev_dbg(udc_dev(dum), + "dequeued req %p from %s, len %d buf %p\n", + req, _ep->name, _req->length, _req->buf); ++ spin_unlock(&dum->lock); + usb_gadget_giveback_request(_ep, _req); ++ spin_lock(&dum->lock); + } +- local_irq_restore(flags); ++ spin_unlock_irqrestore(&dum->lock, flags); + return retval; + } + diff --git a/queue-6.16/usb-gadget-midi2-fix-midi2-in-ep-max-packet-size.patch b/queue-6.16/usb-gadget-midi2-fix-midi2-in-ep-max-packet-size.patch new file mode 100644 index 0000000000..87eed26092 --- /dev/null +++ b/queue-6.16/usb-gadget-midi2-fix-midi2-in-ep-max-packet-size.patch @@ -0,0 +1,56 @@ +From 116e79c679a1530cf833d0ff3007061d7a716bd9 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 5 Sep 2025 15:32:34 +0200 +Subject: usb: gadget: midi2: Fix MIDI2 IN EP max packet size + +From: Takashi Iwai + +commit 116e79c679a1530cf833d0ff3007061d7a716bd9 upstream. + +The EP-IN of MIDI2 (altset 1) wasn't initialized in +f_midi2_create_usb_configs() as it's an INT EP unlike others BULK +EPs. But this leaves rather the max packet size unchanged no matter +which speed is used, resulting in the very slow access. +And the wMaxPacketSize values set there look legit for INT EPs, so +let's initialize the MIDI2 EP-IN there for achieving the equivalent +speed as well. + +Fixes: 8b645922b223 ("usb: gadget: Add support for USB MIDI 2.0 function driver") +Cc: stable +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20250905133240.20966-1-tiwai@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_midi2.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/function/f_midi2.c ++++ b/drivers/usb/gadget/function/f_midi2.c +@@ -1737,9 +1737,12 @@ static int f_midi2_create_usb_configs(st + case USB_SPEED_HIGH: + midi2_midi1_ep_out_desc.wMaxPacketSize = cpu_to_le16(512); + midi2_midi1_ep_in_desc.wMaxPacketSize = cpu_to_le16(512); +- for (i = 0; i < midi2->num_eps; i++) ++ for (i = 0; i < midi2->num_eps; i++) { + midi2_midi2_ep_out_desc[i].wMaxPacketSize = + cpu_to_le16(512); ++ midi2_midi2_ep_in_desc[i].wMaxPacketSize = ++ cpu_to_le16(512); ++ } + fallthrough; + case USB_SPEED_FULL: + midi1_in_eps = midi2_midi1_ep_in_descs; +@@ -1748,9 +1751,12 @@ static int f_midi2_create_usb_configs(st + case USB_SPEED_SUPER: + midi2_midi1_ep_out_desc.wMaxPacketSize = cpu_to_le16(1024); + midi2_midi1_ep_in_desc.wMaxPacketSize = cpu_to_le16(1024); +- for (i = 0; i < midi2->num_eps; i++) ++ for (i = 0; i < midi2->num_eps; i++) { + midi2_midi2_ep_out_desc[i].wMaxPacketSize = + cpu_to_le16(1024); ++ midi2_midi2_ep_in_desc[i].wMaxPacketSize = ++ cpu_to_le16(1024); ++ } + midi1_in_eps = midi2_midi1_ep_in_ss_descs; + midi1_out_eps = midi2_midi1_ep_out_ss_descs; + break; diff --git a/queue-6.16/usb-gadget-midi2-fix-missing-ump-group-attributes-initialization.patch b/queue-6.16/usb-gadget-midi2-fix-missing-ump-group-attributes-initialization.patch new file mode 100644 index 0000000000..dbbc240afc --- /dev/null +++ b/queue-6.16/usb-gadget-midi2-fix-missing-ump-group-attributes-initialization.patch @@ -0,0 +1,35 @@ +From 21d8525d2e061cde034277d518411b02eac764e2 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 4 Sep 2025 17:39:24 +0200 +Subject: usb: gadget: midi2: Fix missing UMP group attributes initialization + +From: Takashi Iwai + +commit 21d8525d2e061cde034277d518411b02eac764e2 upstream. + +The gadget card driver forgot to call snd_ump_update_group_attrs() +after adding FBs, and this leaves the UMP group attributes +uninitialized. As a result, -ENODEV error is returned at opening a +legacy rawmidi device as an inactive group. + +This patch adds the missing call to address the behavior above. + +Fixes: 8b645922b223 ("usb: gadget: Add support for USB MIDI 2.0 function driver") +Cc: stable +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20250904153932.13589-1-tiwai@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_midi2.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/gadget/function/f_midi2.c ++++ b/drivers/usb/gadget/function/f_midi2.c +@@ -1599,6 +1599,7 @@ static int f_midi2_create_card(struct f_ + strscpy(fb->info.name, ump_fb_name(b), + sizeof(fb->info.name)); + } ++ snd_ump_update_group_attrs(ump); + } + + for (i = 0; i < midi2->num_eps; i++) { diff --git a/queue-6.16/usb-typec-tcpm-properly-deliver-cable-vdms-to-altmode-drivers.patch b/queue-6.16/usb-typec-tcpm-properly-deliver-cable-vdms-to-altmode-drivers.patch new file mode 100644 index 0000000000..6ad799f341 --- /dev/null +++ b/queue-6.16/usb-typec-tcpm-properly-deliver-cable-vdms-to-altmode-drivers.patch @@ -0,0 +1,57 @@ +From f34bfcc77b18375a87091c289c2eb53c249787b4 Mon Sep 17 00:00:00 2001 +From: RD Babiera +Date: Thu, 21 Aug 2025 20:37:57 +0000 +Subject: usb: typec: tcpm: properly deliver cable vdms to altmode drivers + +From: RD Babiera + +commit f34bfcc77b18375a87091c289c2eb53c249787b4 upstream. + +tcpm_handle_vdm_request delivers messages to the partner altmode or the +cable altmode depending on the SVDM response type, which is incorrect. +The partner or cable should be chosen based on the received message type +instead. + +Also add this filter to ADEV_NOTIFY_USB_AND_QUEUE_VDM, which is used when +the Enter Mode command is responded to by a NAK on SOP or SOP' and when +the Exit Mode command is responded to by an ACK on SOP. + +Fixes: 7e7877c55eb1 ("usb: typec: tcpm: add alt mode enter/exit/vdm support for sop'") +Cc: stable@vger.kernel.org +Signed-off-by: RD Babiera +Reviewed-by: Badhri Jagan Sridharan +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20250821203759.1720841-2-rdbabiera@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tcpm/tcpm.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/usb/typec/tcpm/tcpm.c ++++ b/drivers/usb/typec/tcpm/tcpm.c +@@ -2426,17 +2426,21 @@ static void tcpm_handle_vdm_request(stru + case ADEV_NONE: + break; + case ADEV_NOTIFY_USB_AND_QUEUE_VDM: +- WARN_ON(typec_altmode_notify(adev, TYPEC_STATE_USB, NULL)); +- typec_altmode_vdm(adev, p[0], &p[1], cnt); ++ if (rx_sop_type == TCPC_TX_SOP_PRIME) { ++ typec_cable_altmode_vdm(adev, TYPEC_PLUG_SOP_P, p[0], &p[1], cnt); ++ } else { ++ WARN_ON(typec_altmode_notify(adev, TYPEC_STATE_USB, NULL)); ++ typec_altmode_vdm(adev, p[0], &p[1], cnt); ++ } + break; + case ADEV_QUEUE_VDM: +- if (response_tx_sop_type == TCPC_TX_SOP_PRIME) ++ if (rx_sop_type == TCPC_TX_SOP_PRIME) + typec_cable_altmode_vdm(adev, TYPEC_PLUG_SOP_P, p[0], &p[1], cnt); + else + typec_altmode_vdm(adev, p[0], &p[1], cnt); + break; + case ADEV_QUEUE_VDM_SEND_EXIT_MODE_ON_FAIL: +- if (response_tx_sop_type == TCPC_TX_SOP_PRIME) { ++ if (rx_sop_type == TCPC_TX_SOP_PRIME) { + if (typec_cable_altmode_vdm(adev, TYPEC_PLUG_SOP_P, + p[0], &p[1], cnt)) { + int svdm_version = typec_get_cable_svdm_version( diff --git a/queue-6.16/xhci-dbc-decouple-endpoint-allocation-from-initialization.patch b/queue-6.16/xhci-dbc-decouple-endpoint-allocation-from-initialization.patch new file mode 100644 index 0000000000..fb0d09d6a1 --- /dev/null +++ b/queue-6.16/xhci-dbc-decouple-endpoint-allocation-from-initialization.patch @@ -0,0 +1,135 @@ +From 220a0ffde02f962c13bc752b01aa570b8c65a37b Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Tue, 2 Sep 2025 13:53:04 +0300 +Subject: xhci: dbc: decouple endpoint allocation from initialization + +From: Mathias Nyman + +commit 220a0ffde02f962c13bc752b01aa570b8c65a37b upstream. + +Decouple allocation of endpoint ring buffer from initialization +of the buffer, and initialization of endpoint context parts from +from the rest of the contexts. + +It allows driver to clear up and reinitialize endpoint rings +after disconnect without reallocating everything. + +This is a prerequisite for the next patch that prevents the transfer +ring from filling up with cancelled (no-op) TRBs if a debug cable is +reconnected several times without transferring anything. + +Cc: stable@vger.kernel.org +Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver") +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250902105306.877476-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-dbgcap.c | 71 ++++++++++++++++++++++++++--------------- + 1 file changed, 46 insertions(+), 25 deletions(-) + +--- a/drivers/usb/host/xhci-dbgcap.c ++++ b/drivers/usb/host/xhci-dbgcap.c +@@ -101,13 +101,34 @@ static u32 xhci_dbc_populate_strings(str + return string_length; + } + ++static void xhci_dbc_init_ep_contexts(struct xhci_dbc *dbc) ++{ ++ struct xhci_ep_ctx *ep_ctx; ++ unsigned int max_burst; ++ dma_addr_t deq; ++ ++ max_burst = DBC_CTRL_MAXBURST(readl(&dbc->regs->control)); ++ ++ /* Populate bulk out endpoint context: */ ++ ep_ctx = dbc_bulkout_ctx(dbc); ++ deq = dbc_bulkout_enq(dbc); ++ ep_ctx->ep_info = 0; ++ ep_ctx->ep_info2 = dbc_epctx_info2(BULK_OUT_EP, 1024, max_burst); ++ ep_ctx->deq = cpu_to_le64(deq | dbc->ring_out->cycle_state); ++ ++ /* Populate bulk in endpoint context: */ ++ ep_ctx = dbc_bulkin_ctx(dbc); ++ deq = dbc_bulkin_enq(dbc); ++ ep_ctx->ep_info = 0; ++ ep_ctx->ep_info2 = dbc_epctx_info2(BULK_IN_EP, 1024, max_burst); ++ ep_ctx->deq = cpu_to_le64(deq | dbc->ring_in->cycle_state); ++} ++ + static void xhci_dbc_init_contexts(struct xhci_dbc *dbc, u32 string_length) + { + struct dbc_info_context *info; +- struct xhci_ep_ctx *ep_ctx; + u32 dev_info; +- dma_addr_t deq, dma; +- unsigned int max_burst; ++ dma_addr_t dma; + + if (!dbc) + return; +@@ -121,20 +142,8 @@ static void xhci_dbc_init_contexts(struc + info->serial = cpu_to_le64(dma + DBC_MAX_STRING_LENGTH * 3); + info->length = cpu_to_le32(string_length); + +- /* Populate bulk out endpoint context: */ +- ep_ctx = dbc_bulkout_ctx(dbc); +- max_burst = DBC_CTRL_MAXBURST(readl(&dbc->regs->control)); +- deq = dbc_bulkout_enq(dbc); +- ep_ctx->ep_info = 0; +- ep_ctx->ep_info2 = dbc_epctx_info2(BULK_OUT_EP, 1024, max_burst); +- ep_ctx->deq = cpu_to_le64(deq | dbc->ring_out->cycle_state); +- +- /* Populate bulk in endpoint context: */ +- ep_ctx = dbc_bulkin_ctx(dbc); +- deq = dbc_bulkin_enq(dbc); +- ep_ctx->ep_info = 0; +- ep_ctx->ep_info2 = dbc_epctx_info2(BULK_IN_EP, 1024, max_burst); +- ep_ctx->deq = cpu_to_le64(deq | dbc->ring_in->cycle_state); ++ /* Populate bulk in and out endpoint contexts: */ ++ xhci_dbc_init_ep_contexts(dbc); + + /* Set DbC context and info registers: */ + lo_hi_writeq(dbc->ctx->dma, &dbc->regs->dccp); +@@ -436,6 +445,23 @@ dbc_alloc_ctx(struct device *dev, gfp_t + return ctx; + } + ++static void xhci_dbc_ring_init(struct xhci_ring *ring) ++{ ++ struct xhci_segment *seg = ring->first_seg; ++ ++ /* clear all trbs on ring in case of old ring */ ++ memset(seg->trbs, 0, TRB_SEGMENT_SIZE); ++ ++ /* Only event ring does not use link TRB */ ++ if (ring->type != TYPE_EVENT) { ++ union xhci_trb *trb = &seg->trbs[TRBS_PER_SEGMENT - 1]; ++ ++ trb->link.segment_ptr = cpu_to_le64(ring->first_seg->dma); ++ trb->link.control = cpu_to_le32(LINK_TOGGLE | TRB_TYPE(TRB_LINK)); ++ } ++ xhci_initialize_ring_info(ring); ++} ++ + static struct xhci_ring * + xhci_dbc_ring_alloc(struct device *dev, enum xhci_ring_type type, gfp_t flags) + { +@@ -464,15 +490,10 @@ xhci_dbc_ring_alloc(struct device *dev, + + seg->dma = dma; + +- /* Only event ring does not use link TRB */ +- if (type != TYPE_EVENT) { +- union xhci_trb *trb = &seg->trbs[TRBS_PER_SEGMENT - 1]; +- +- trb->link.segment_ptr = cpu_to_le64(dma); +- trb->link.control = cpu_to_le32(LINK_TOGGLE | TRB_TYPE(TRB_LINK)); +- } + INIT_LIST_HEAD(&ring->td_list); +- xhci_initialize_ring_info(ring); ++ ++ xhci_dbc_ring_init(ring); ++ + return ring; + dma_fail: + kfree(seg); diff --git a/queue-6.16/xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch b/queue-6.16/xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch new file mode 100644 index 0000000000..562bc3ce72 --- /dev/null +++ b/queue-6.16/xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch @@ -0,0 +1,86 @@ +From a5c98e8b1398534ae1feb6e95e2d3ee5215538ed Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Tue, 2 Sep 2025 13:53:05 +0300 +Subject: xhci: dbc: Fix full DbC transfer ring after several reconnects + +From: Mathias Nyman + +commit a5c98e8b1398534ae1feb6e95e2d3ee5215538ed upstream. + +Pending requests will be flushed on disconnect, and the corresponding +TRBs will be turned into No-op TRBs, which are ignored by the xHC +controller once it starts processing the ring. + +If the USB debug cable repeatedly disconnects before ring is started +then the ring will eventually be filled with No-op TRBs. +No new transfers can be queued when the ring is full, and driver will +print the following error message: + + "xhci_hcd 0000:00:14.0: failed to queue trbs" + +This is a normal case for 'in' transfers where TRBs are always enqueued +in advance, ready to take on incoming data. If no data arrives, and +device is disconnected, then ring dequeue will remain at beginning of +the ring while enqueue points to first free TRB after last cancelled +No-op TRB. +s +Solve this by reinitializing the rings when the debug cable disconnects +and DbC is leaving the configured state. +Clear the whole ring buffer and set enqueue and dequeue to the beginning +of ring, and set cycle bit to its initial state. + +Cc: stable@vger.kernel.org +Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver") +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250902105306.877476-3-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-dbgcap.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/xhci-dbgcap.c ++++ b/drivers/usb/host/xhci-dbgcap.c +@@ -462,6 +462,25 @@ static void xhci_dbc_ring_init(struct xh + xhci_initialize_ring_info(ring); + } + ++static int xhci_dbc_reinit_ep_rings(struct xhci_dbc *dbc) ++{ ++ struct xhci_ring *in_ring = dbc->eps[BULK_IN].ring; ++ struct xhci_ring *out_ring = dbc->eps[BULK_OUT].ring; ++ ++ if (!in_ring || !out_ring || !dbc->ctx) { ++ dev_warn(dbc->dev, "Can't re-init unallocated endpoints\n"); ++ return -ENODEV; ++ } ++ ++ xhci_dbc_ring_init(in_ring); ++ xhci_dbc_ring_init(out_ring); ++ ++ /* set ep context enqueue, dequeue, and cycle to initial values */ ++ xhci_dbc_init_ep_contexts(dbc); ++ ++ return 0; ++} ++ + static struct xhci_ring * + xhci_dbc_ring_alloc(struct device *dev, enum xhci_ring_type type, gfp_t flags) + { +@@ -885,7 +904,7 @@ static enum evtreturn xhci_dbc_do_handle + dev_info(dbc->dev, "DbC cable unplugged\n"); + dbc->state = DS_ENABLED; + xhci_dbc_flush_requests(dbc); +- ++ xhci_dbc_reinit_ep_rings(dbc); + return EVT_DISC; + } + +@@ -895,7 +914,7 @@ static enum evtreturn xhci_dbc_do_handle + writel(portsc, &dbc->regs->portsc); + dbc->state = DS_ENABLED; + xhci_dbc_flush_requests(dbc); +- ++ xhci_dbc_reinit_ep_rings(dbc); + return EVT_DISC; + } + diff --git a/queue-6.16/xhci-fix-memory-leak-regression-when-freeing-xhci-vdev-devices-depth-first.patch b/queue-6.16/xhci-fix-memory-leak-regression-when-freeing-xhci-vdev-devices-depth-first.patch new file mode 100644 index 0000000000..434db132c8 --- /dev/null +++ b/queue-6.16/xhci-fix-memory-leak-regression-when-freeing-xhci-vdev-devices-depth-first.patch @@ -0,0 +1,46 @@ +From edcbe06453ddfde21f6aa763f7cab655f26133cc Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Tue, 2 Sep 2025 13:53:06 +0300 +Subject: xhci: fix memory leak regression when freeing xhci vdev devices depth first + +From: Mathias Nyman + +commit edcbe06453ddfde21f6aa763f7cab655f26133cc upstream. + +Suspend-resume cycle test revealed a memory leak in 6.17-rc3 + +Turns out the slot_id race fix changes accidentally ends up calling +xhci_free_virt_device() with an incorrect vdev parameter. +The vdev variable was reused for temporary purposes right before calling +xhci_free_virt_device(). + +Fix this by passing the correct vdev parameter. + +The slot_id race fix that caused this regression was targeted for stable, +so this needs to be applied there as well. + +Fixes: 2eb03376151b ("usb: xhci: Fix slot_id resource race conflict") +Reported-by: David Wang <00107082@163.com> +Closes: https://lore.kernel.org/linux-usb/20250829181354.4450-1-00107082@163.com +Suggested-by: Michal Pecio +Suggested-by: David Wang <00107082@163.com> +Cc: stable@vger.kernel.org +Tested-by: David Wang <00107082@163.com> +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250902105306.877476-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-mem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -962,7 +962,7 @@ static void xhci_free_virt_devices_depth + out: + /* we are now at a leaf device */ + xhci_debugfs_remove_slot(xhci, slot_id); +- xhci_free_virt_device(xhci, vdev, slot_id); ++ xhci_free_virt_device(xhci, xhci->devs[slot_id], slot_id); + } + + int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id,