From: Greg Kroah-Hartman Date: Mon, 1 Dec 2025 17:18:27 +0000 (+0100) Subject: 6.17-stable patches X-Git-Tag: v5.4.302~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a24e5c4daa563b0c0467e65b86bfc08e09e36088;p=thirdparty%2Fkernel%2Fstable-queue.git 6.17-stable patches added patches: most-usb-fix-double-free-on-late-probe-failure.patch usb-cdns3-fix-double-resource-release-in-cdns3_pci_probe.patch usb-dwc3-fix-race-condition-between-concurrent-dwc3_remove_requests-call-paths.patch usb-dwc3-pci-add-support-for-the-intel-nova-lake-s.patch usb-dwc3-pci-sort-out-the-intel-device-ids.patch usb-gadget-f_eem-fix-memory-leak-in-eem_unwrap.patch usb-renesas_usbhs-fix-synchronous-external-abort-on-unbind.patch usb-storage-fix-memory-leak-in-usb-bulk-transport.patch usb-storage-remove-subclass-and-protocol-overrides-from-novatek-quirk.patch usb-storage-sddr55-reject-out-of-bound-new_pba.patch usb-typec-ucsi-psy-set-max-current-to-zero-when-disconnected.patch usb-uas-fix-urb-unmapping-issue-when-the-uas-device-is-remove-during-ongoing-data-transfer.patch xhci-dbgtty-fix-data-corruption-when-transmitting-data-form-dbc-to-host.patch xhci-dbgtty-fix-device-unregister.patch xhci-fix-stale-flag-preventig-urbs-after-link-state-error-is-cleared.patch --- diff --git a/queue-6.17/most-usb-fix-double-free-on-late-probe-failure.patch b/queue-6.17/most-usb-fix-double-free-on-late-probe-failure.patch new file mode 100644 index 0000000000..b8c5da1d53 --- /dev/null +++ b/queue-6.17/most-usb-fix-double-free-on-late-probe-failure.patch @@ -0,0 +1,73 @@ +From baadf2a5c26e802a46573eaad331b427b49aaa36 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 29 Oct 2025 10:30:29 +0100 +Subject: most: usb: fix double free on late probe failure + +From: Johan Hovold + +commit baadf2a5c26e802a46573eaad331b427b49aaa36 upstream. + +The MOST subsystem has a non-standard registration function which frees +the interface on registration failures and on deregistration. + +This unsurprisingly leads to bugs in the MOST drivers, and a couple of +recent changes turned a reference underflow and use-after-free in the +USB driver into several double free and a use-after-free on late probe +failures. + +Fixes: 723de0f9171e ("staging: most: remove device from interface structure") +Fixes: 4b1270902609 ("most: usb: Fix use-after-free in hdm_disconnect") +Fixes: a8cc9e5fcb0e ("most: usb: hdm_probe: Fix calling put_device() before device initialization") +Cc: stable@vger.kernel.org +Cc: Christian Gromm +Cc: Victoria Votokina +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20251029093029.28922-1-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/most/most_usb.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +--- a/drivers/most/most_usb.c ++++ b/drivers/most/most_usb.c +@@ -1058,7 +1058,7 @@ hdm_probe(struct usb_interface *interfac + + ret = most_register_interface(&mdev->iface); + if (ret) +- goto err_free_busy_urbs; ++ return ret; + + mutex_lock(&mdev->io_mutex); + if (le16_to_cpu(usb_dev->descriptor.idProduct) == USB_DEV_ID_OS81118 || +@@ -1068,8 +1068,7 @@ hdm_probe(struct usb_interface *interfac + if (!mdev->dci) { + mutex_unlock(&mdev->io_mutex); + most_deregister_interface(&mdev->iface); +- ret = -ENOMEM; +- goto err_free_busy_urbs; ++ return -ENOMEM; + } + + mdev->dci->dev.init_name = "dci"; +@@ -1078,18 +1077,15 @@ hdm_probe(struct usb_interface *interfac + mdev->dci->dev.release = release_dci; + if (device_register(&mdev->dci->dev)) { + mutex_unlock(&mdev->io_mutex); ++ put_device(&mdev->dci->dev); + most_deregister_interface(&mdev->iface); +- ret = -ENOMEM; +- goto err_free_dci; ++ return -ENOMEM; + } + mdev->dci->usb_device = mdev->usb_device; + } + mutex_unlock(&mdev->io_mutex); + return 0; +-err_free_dci: +- put_device(&mdev->dci->dev); +-err_free_busy_urbs: +- kfree(mdev->busy_urbs); ++ + err_free_ep_address: + kfree(mdev->ep_address); + err_free_cap: diff --git a/queue-6.17/series b/queue-6.17/series index 4de3c51de4..e272a897d9 100644 --- a/queue-6.17/series +++ b/queue-6.17/series @@ -106,3 +106,18 @@ mptcp-clear-scheduled-subflows-on-retransmit.patch mptcp-initialise-rcv_mss-before-calling-tcp_send_active_reset-in-mptcp_do_fastclose.patch serial-8250-fix-8250_rsa-symbol-loop.patch serial-amba-pl011-prefer-dma_mapping_error-over-explicit-address-checking.patch +most-usb-fix-double-free-on-late-probe-failure.patch +usb-cdns3-fix-double-resource-release-in-cdns3_pci_probe.patch +usb-gadget-f_eem-fix-memory-leak-in-eem_unwrap.patch +usb-renesas_usbhs-fix-synchronous-external-abort-on-unbind.patch +usb-storage-fix-memory-leak-in-usb-bulk-transport.patch +usb-storage-remove-subclass-and-protocol-overrides-from-novatek-quirk.patch +usb-storage-sddr55-reject-out-of-bound-new_pba.patch +usb-typec-ucsi-psy-set-max-current-to-zero-when-disconnected.patch +usb-uas-fix-urb-unmapping-issue-when-the-uas-device-is-remove-during-ongoing-data-transfer.patch +usb-dwc3-pci-add-support-for-the-intel-nova-lake-s.patch +usb-dwc3-pci-sort-out-the-intel-device-ids.patch +usb-dwc3-fix-race-condition-between-concurrent-dwc3_remove_requests-call-paths.patch +xhci-fix-stale-flag-preventig-urbs-after-link-state-error-is-cleared.patch +xhci-dbgtty-fix-data-corruption-when-transmitting-data-form-dbc-to-host.patch +xhci-dbgtty-fix-device-unregister.patch diff --git a/queue-6.17/usb-cdns3-fix-double-resource-release-in-cdns3_pci_probe.patch b/queue-6.17/usb-cdns3-fix-double-resource-release-in-cdns3_pci_probe.patch new file mode 100644 index 0000000000..6c267f1799 --- /dev/null +++ b/queue-6.17/usb-cdns3-fix-double-resource-release-in-cdns3_pci_probe.patch @@ -0,0 +1,49 @@ +From 1ec39d2cd88dac2e7cdbac248762f1f057971c5d Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Sun, 26 Oct 2025 17:08:59 +0800 +Subject: usb: cdns3: Fix double resource release in cdns3_pci_probe + +From: Miaoqian Lin + +commit 1ec39d2cd88dac2e7cdbac248762f1f057971c5d upstream. + +The driver uses pcim_enable_device() to enable the PCI device, +the device will be automatically disabled on driver detach through +the managed device framework. The manual pci_disable_device() calls +in the error paths are therefore redundant and should be removed. + +Found via static anlaysis and this is similar to commit 99ca0b57e49f +("thermal: intel: int340x: processor: Fix warning during module unload"). + +Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver") +Cc: stable +Signed-off-by: Miaoqian Lin +Acked-by: Peter Chen +Link: https://patch.msgid.link/20251026090859.33107-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/cdns3-pci-wrap.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/usb/cdns3/cdns3-pci-wrap.c ++++ b/drivers/usb/cdns3/cdns3-pci-wrap.c +@@ -98,10 +98,8 @@ static int cdns3_pci_probe(struct pci_de + wrap = pci_get_drvdata(func); + } else { + wrap = kzalloc(sizeof(*wrap), GFP_KERNEL); +- if (!wrap) { +- pci_disable_device(pdev); ++ if (!wrap) + return -ENOMEM; +- } + } + + res = wrap->dev_res; +@@ -160,7 +158,6 @@ static int cdns3_pci_probe(struct pci_de + /* register platform device */ + wrap->plat_dev = platform_device_register_full(&plat_info); + if (IS_ERR(wrap->plat_dev)) { +- pci_disable_device(pdev); + err = PTR_ERR(wrap->plat_dev); + kfree(wrap); + return err; diff --git a/queue-6.17/usb-dwc3-fix-race-condition-between-concurrent-dwc3_remove_requests-call-paths.patch b/queue-6.17/usb-dwc3-fix-race-condition-between-concurrent-dwc3_remove_requests-call-paths.patch new file mode 100644 index 0000000000..316820575d --- /dev/null +++ b/queue-6.17/usb-dwc3-fix-race-condition-between-concurrent-dwc3_remove_requests-call-paths.patch @@ -0,0 +1,84 @@ +From e4037689a366743c4233966f0e74bc455820d316 Mon Sep 17 00:00:00 2001 +From: Manish Nagar +Date: Thu, 20 Nov 2025 13:14:35 +0530 +Subject: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths + +From: Manish Nagar + +commit e4037689a366743c4233966f0e74bc455820d316 upstream. + +This patch addresses a race condition caused by unsynchronized +execution of multiple call paths invoking `dwc3_remove_requests()`, +leading to premature freeing of USB requests and subsequent crashes. + +Three distinct execution paths interact with `dwc3_remove_requests()`: +Path 1: +Triggered via `dwc3_gadget_reset_interrupt()` during USB reset +handling. The call stack includes: +- `dwc3_ep0_reset_state()` +- `dwc3_ep0_stall_and_restart()` +- `dwc3_ep0_out_start()` +- `dwc3_remove_requests()` +- `dwc3_gadget_del_and_unmap_request()` + +Path 2: +Also initiated from `dwc3_gadget_reset_interrupt()`, but through +`dwc3_stop_active_transfers()`. The call stack includes: +- `dwc3_stop_active_transfers()` +- `dwc3_remove_requests()` +- `dwc3_gadget_del_and_unmap_request()` + +Path 3: +Occurs independently during `adb root` execution, which triggers +USB function unbind and bind operations. The sequence includes: +- `gserial_disconnect()` +- `usb_ep_disable()` +- `dwc3_gadget_ep_disable()` +- `dwc3_remove_requests()` with `-ESHUTDOWN` status + +Path 3 operates asynchronously and lacks synchronization with Paths +1 and 2. When Path 3 completes, it disables endpoints and frees 'out' +requests. If Paths 1 or 2 are still processing these requests, +accessing freed memory leads to a crash due to use-after-free conditions. + +To fix this added check for request completion and skip processing +if already completed and added the request status for ep0 while queue. + +Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") +Cc: stable +Suggested-by: Thinh Nguyen +Acked-by: Thinh Nguyen +Signed-off-by: Manish Nagar +Link: https://patch.msgid.link/20251120074435.1983091-1-manish.nagar@oss.qualcomm.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/ep0.c | 1 + + drivers/usb/dwc3/gadget.c | 7 +++++++ + 2 files changed, 8 insertions(+) + +--- a/drivers/usb/dwc3/ep0.c ++++ b/drivers/usb/dwc3/ep0.c +@@ -94,6 +94,7 @@ static int __dwc3_gadget_ep0_queue(struc + req->request.actual = 0; + req->request.status = -EINPROGRESS; + req->epnum = dep->number; ++ req->status = DWC3_REQUEST_STATUS_QUEUED; + + list_add_tail(&req->list, &dep->pending_list); + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -228,6 +228,13 @@ void dwc3_gadget_giveback(struct dwc3_ep + { + struct dwc3 *dwc = dep->dwc; + ++ /* ++ * The request might have been processed and completed while the ++ * spinlock was released. Skip processing if already completed. ++ */ ++ if (req->status == DWC3_REQUEST_STATUS_COMPLETED) ++ return; ++ + dwc3_gadget_del_and_unmap_request(dep, req, status); + req->status = DWC3_REQUEST_STATUS_COMPLETED; + diff --git a/queue-6.17/usb-dwc3-pci-add-support-for-the-intel-nova-lake-s.patch b/queue-6.17/usb-dwc3-pci-add-support-for-the-intel-nova-lake-s.patch new file mode 100644 index 0000000000..1eff3618f3 --- /dev/null +++ b/queue-6.17/usb-dwc3-pci-add-support-for-the-intel-nova-lake-s.patch @@ -0,0 +1,39 @@ +From c57ce99ec6cb55b53910b6b3d7437f80159ff9d8 Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Thu, 6 Nov 2025 12:59:26 +0100 +Subject: usb: dwc3: pci: add support for the Intel Nova Lake -S + +From: Heikki Krogerus + +commit c57ce99ec6cb55b53910b6b3d7437f80159ff9d8 upstream. + +This patch adds the necessary PCI ID for Intel Nova Lake -S +devices. + +Signed-off-by: Heikki Krogerus +Cc: stable +Acked-by: Thinh Nguyen +Link: https://patch.msgid.link/20251106115926.2317877-1-heikki.krogerus@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -53,6 +53,7 @@ + #define PCI_DEVICE_ID_INTEL_MTLP 0x7ec1 + #define PCI_DEVICE_ID_INTEL_MTLS 0x7f6f + #define PCI_DEVICE_ID_INTEL_MTL 0x7e7e ++#define PCI_DEVICE_ID_INTEL_NVLS_PCH 0x6e6f + #define PCI_DEVICE_ID_INTEL_ARLH_PCH 0x777e + #define PCI_DEVICE_ID_INTEL_TGL 0x9a15 + #define PCI_DEVICE_ID_INTEL_PTLH 0xe332 +@@ -443,6 +444,7 @@ static const struct pci_device_id dwc3_p + { PCI_DEVICE_DATA(INTEL, MTLM, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, MTLP, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, MTL, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, NVLS_PCH, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, MTLS, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, ARLH_PCH, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, TGL, &dwc3_pci_intel_swnode) }, diff --git a/queue-6.17/usb-dwc3-pci-sort-out-the-intel-device-ids.patch b/queue-6.17/usb-dwc3-pci-sort-out-the-intel-device-ids.patch new file mode 100644 index 0000000000..f5295cf128 --- /dev/null +++ b/queue-6.17/usb-dwc3-pci-sort-out-the-intel-device-ids.patch @@ -0,0 +1,151 @@ +From 46b28d2fbd13148981d91246bc0e13f4fc055987 Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Fri, 7 Nov 2025 13:15:47 +0100 +Subject: usb: dwc3: pci: Sort out the Intel device IDs + +From: Heikki Krogerus + +commit 46b28d2fbd13148981d91246bc0e13f4fc055987 upstream. + +The PCI device IDs were organised based on the Intel +architecture generation in most cases, but not with every +ID. That left the device ID table with no real order. +Sorting the table based on the device ID. + +Suggested-by: Thinh Nguyen +Cc: stable +Signed-off-by: Heikki Krogerus +Acked-by: Thinh Nguyen +Link: https://patch.msgid.link/20251107121548.2702900-1-heikki.krogerus@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-pci.c | 82 ++++++++++++++++++++++---------------------- + 1 file changed, 41 insertions(+), 41 deletions(-) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -21,41 +21,41 @@ + #include + #include + ++#define PCI_DEVICE_ID_INTEL_CMLLP 0x02ee ++#define PCI_DEVICE_ID_INTEL_CMLH 0x06ee ++#define PCI_DEVICE_ID_INTEL_BXT 0x0aaa + #define PCI_DEVICE_ID_INTEL_BYT 0x0f37 + #define PCI_DEVICE_ID_INTEL_MRFLD 0x119e +-#define PCI_DEVICE_ID_INTEL_BSW 0x22b7 +-#define PCI_DEVICE_ID_INTEL_SPTLP 0x9d30 +-#define PCI_DEVICE_ID_INTEL_SPTH 0xa130 +-#define PCI_DEVICE_ID_INTEL_BXT 0x0aaa + #define PCI_DEVICE_ID_INTEL_BXT_M 0x1aaa +-#define PCI_DEVICE_ID_INTEL_APL 0x5aaa +-#define PCI_DEVICE_ID_INTEL_KBP 0xa2b0 +-#define PCI_DEVICE_ID_INTEL_CMLLP 0x02ee +-#define PCI_DEVICE_ID_INTEL_CMLH 0x06ee ++#define PCI_DEVICE_ID_INTEL_BSW 0x22b7 + #define PCI_DEVICE_ID_INTEL_GLK 0x31aa +-#define PCI_DEVICE_ID_INTEL_CNPLP 0x9dee +-#define PCI_DEVICE_ID_INTEL_CNPH 0xa36e +-#define PCI_DEVICE_ID_INTEL_CNPV 0xa3b0 + #define PCI_DEVICE_ID_INTEL_ICLLP 0x34ee +-#define PCI_DEVICE_ID_INTEL_EHL 0x4b7e +-#define PCI_DEVICE_ID_INTEL_TGPLP 0xa0ee + #define PCI_DEVICE_ID_INTEL_TGPH 0x43ee +-#define PCI_DEVICE_ID_INTEL_JSP 0x4dee +-#define PCI_DEVICE_ID_INTEL_WCL 0x4d7e + #define PCI_DEVICE_ID_INTEL_ADL 0x460e +-#define PCI_DEVICE_ID_INTEL_ADL_PCH 0x51ee + #define PCI_DEVICE_ID_INTEL_ADLN 0x465e ++#define PCI_DEVICE_ID_INTEL_EHL 0x4b7e ++#define PCI_DEVICE_ID_INTEL_WCL 0x4d7e ++#define PCI_DEVICE_ID_INTEL_JSP 0x4dee ++#define PCI_DEVICE_ID_INTEL_ADL_PCH 0x51ee + #define PCI_DEVICE_ID_INTEL_ADLN_PCH 0x54ee +-#define PCI_DEVICE_ID_INTEL_ADLS 0x7ae1 +-#define PCI_DEVICE_ID_INTEL_RPL 0xa70e ++#define PCI_DEVICE_ID_INTEL_APL 0x5aaa ++#define PCI_DEVICE_ID_INTEL_NVLS_PCH 0x6e6f ++#define PCI_DEVICE_ID_INTEL_ARLH_PCH 0x777e + #define PCI_DEVICE_ID_INTEL_RPLS 0x7a61 ++#define PCI_DEVICE_ID_INTEL_MTL 0x7e7e ++#define PCI_DEVICE_ID_INTEL_ADLS 0x7ae1 + #define PCI_DEVICE_ID_INTEL_MTLM 0x7eb1 + #define PCI_DEVICE_ID_INTEL_MTLP 0x7ec1 + #define PCI_DEVICE_ID_INTEL_MTLS 0x7f6f +-#define PCI_DEVICE_ID_INTEL_MTL 0x7e7e +-#define PCI_DEVICE_ID_INTEL_NVLS_PCH 0x6e6f +-#define PCI_DEVICE_ID_INTEL_ARLH_PCH 0x777e + #define PCI_DEVICE_ID_INTEL_TGL 0x9a15 ++#define PCI_DEVICE_ID_INTEL_SPTLP 0x9d30 ++#define PCI_DEVICE_ID_INTEL_CNPLP 0x9dee ++#define PCI_DEVICE_ID_INTEL_TGPLP 0xa0ee ++#define PCI_DEVICE_ID_INTEL_SPTH 0xa130 ++#define PCI_DEVICE_ID_INTEL_KBP 0xa2b0 ++#define PCI_DEVICE_ID_INTEL_CNPH 0xa36e ++#define PCI_DEVICE_ID_INTEL_CNPV 0xa3b0 ++#define PCI_DEVICE_ID_INTEL_RPL 0xa70e + #define PCI_DEVICE_ID_INTEL_PTLH 0xe332 + #define PCI_DEVICE_ID_INTEL_PTLH_PCH 0xe37e + #define PCI_DEVICE_ID_INTEL_PTLU 0xe432 +@@ -413,41 +413,41 @@ static void dwc3_pci_remove(struct pci_d + } + + static const struct pci_device_id dwc3_pci_id_table[] = { +- { PCI_DEVICE_DATA(INTEL, BSW, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, BYT, &dwc3_pci_intel_byt_swnode) }, +- { PCI_DEVICE_DATA(INTEL, MRFLD, &dwc3_pci_intel_mrfld_swnode) }, + { PCI_DEVICE_DATA(INTEL, CMLLP, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, CMLH, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, SPTLP, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, SPTH, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, BXT, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, BYT, &dwc3_pci_intel_byt_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, MRFLD, &dwc3_pci_intel_mrfld_swnode) }, + { PCI_DEVICE_DATA(INTEL, BXT_M, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, APL, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, KBP, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, BSW, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, GLK, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, CNPLP, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, CNPH, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, CNPV, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, ICLLP, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, EHL, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, TGPLP, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, TGPH, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, JSP, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, WCL, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, ADL, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, ADL_PCH, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, ADLN, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, EHL, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, WCL, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, JSP, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, ADL_PCH, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, ADLN_PCH, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, ADLS, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, RPL, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, APL, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, NVLS_PCH, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, ARLH_PCH, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, RPLS, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, MTL, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, ADLS, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, MTLM, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, MTLP, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, MTL, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, NVLS_PCH, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, MTLS, &dwc3_pci_intel_swnode) }, +- { PCI_DEVICE_DATA(INTEL, ARLH_PCH, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, TGL, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, SPTLP, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, CNPLP, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, TGPLP, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, SPTH, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, KBP, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, CNPH, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, CNPV, &dwc3_pci_intel_swnode) }, ++ { PCI_DEVICE_DATA(INTEL, RPL, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, PTLH, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, PTLH_PCH, &dwc3_pci_intel_swnode) }, + { PCI_DEVICE_DATA(INTEL, PTLU, &dwc3_pci_intel_swnode) }, diff --git a/queue-6.17/usb-gadget-f_eem-fix-memory-leak-in-eem_unwrap.patch b/queue-6.17/usb-gadget-f_eem-fix-memory-leak-in-eem_unwrap.patch new file mode 100644 index 0000000000..89ad695fe3 --- /dev/null +++ b/queue-6.17/usb-gadget-f_eem-fix-memory-leak-in-eem_unwrap.patch @@ -0,0 +1,71 @@ +From e4f5ce990818d37930cd9fb0be29eee0553c59d9 Mon Sep 17 00:00:00 2001 +From: Kuen-Han Tsai +Date: Mon, 3 Nov 2025 20:17:59 +0800 +Subject: usb: gadget: f_eem: Fix memory leak in eem_unwrap + +From: Kuen-Han Tsai + +commit e4f5ce990818d37930cd9fb0be29eee0553c59d9 upstream. + +The existing code did not handle the failure case of usb_ep_queue in the +command path, potentially leading to memory leaks. + +Improve error handling to free all allocated resources on usb_ep_queue +failure. This patch continues to use goto logic for error handling, as the +existing error handling is complex and not easily adaptable to auto-cleanup +helpers. + +kmemleak results: + unreferenced object 0xffffff895a512300 (size 240): + backtrace: + slab_post_alloc_hook+0xbc/0x3a4 + kmem_cache_alloc+0x1b4/0x358 + skb_clone+0x90/0xd8 + eem_unwrap+0x1cc/0x36c + unreferenced object 0xffffff8a157f4000 (size 256): + backtrace: + slab_post_alloc_hook+0xbc/0x3a4 + __kmem_cache_alloc_node+0x1b4/0x2dc + kmalloc_trace+0x48/0x140 + dwc3_gadget_ep_alloc_request+0x58/0x11c + usb_ep_alloc_request+0x40/0xe4 + eem_unwrap+0x204/0x36c + unreferenced object 0xffffff8aadbaac00 (size 128): + backtrace: + slab_post_alloc_hook+0xbc/0x3a4 + __kmem_cache_alloc_node+0x1b4/0x2dc + __kmalloc+0x64/0x1a8 + eem_unwrap+0x218/0x36c + unreferenced object 0xffffff89ccef3500 (size 64): + backtrace: + slab_post_alloc_hook+0xbc/0x3a4 + __kmem_cache_alloc_node+0x1b4/0x2dc + kmalloc_trace+0x48/0x140 + eem_unwrap+0x238/0x36c + +Fixes: 4249d6fbc10f ("usb: gadget: eem: fix echo command packet response issue") +Cc: stable@kernel.org +Signed-off-by: Kuen-Han Tsai +Link: https://patch.msgid.link/20251103121814.1559719-1-khtsai@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_eem.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_eem.c ++++ b/drivers/usb/gadget/function/f_eem.c +@@ -477,8 +477,13 @@ static int eem_unwrap(struct gether *por + req->complete = eem_cmd_complete; + req->zero = 1; + req->context = ctx; +- if (usb_ep_queue(port->in_ep, req, GFP_ATOMIC)) ++ if (usb_ep_queue(port->in_ep, req, GFP_ATOMIC)) { + DBG(cdev, "echo response queue fail\n"); ++ kfree(ctx); ++ kfree(req->buf); ++ usb_ep_free_request(ep, req); ++ dev_kfree_skb_any(skb2); ++ } + break; + + case 1: /* echo response */ diff --git a/queue-6.17/usb-renesas_usbhs-fix-synchronous-external-abort-on-unbind.patch b/queue-6.17/usb-renesas_usbhs-fix-synchronous-external-abort-on-unbind.patch new file mode 100644 index 0000000000..82c8bbb7b1 --- /dev/null +++ b/queue-6.17/usb-renesas_usbhs-fix-synchronous-external-abort-on-unbind.patch @@ -0,0 +1,139 @@ +From eb9ac779830b2235847b72cb15cf07c7e3333c5e Mon Sep 17 00:00:00 2001 +From: Claudiu Beznea +Date: Mon, 27 Oct 2025 16:07:41 +0200 +Subject: usb: renesas_usbhs: Fix synchronous external abort on unbind + +From: Claudiu Beznea + +commit eb9ac779830b2235847b72cb15cf07c7e3333c5e upstream. + +A synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is +executed after the configuration sequence described above: + +modprobe usb_f_ecm +modprobe libcomposite +modprobe configfs +cd /sys/kernel/config/usb_gadget +mkdir -p g1 +cd g1 +echo "0x1d6b" > idVendor +echo "0x0104" > idProduct +mkdir -p strings/0x409 +echo "0123456789" > strings/0x409/serialnumber +echo "Renesas." > strings/0x409/manufacturer +echo "Ethernet Gadget" > strings/0x409/product +mkdir -p functions/ecm.usb0 +mkdir -p configs/c.1 +mkdir -p configs/c.1/strings/0x409 +echo "ECM" > configs/c.1/strings/0x409/configuration + +if [ ! -L configs/c.1/ecm.usb0 ]; then + ln -s functions/ecm.usb0 configs/c.1 +fi + +echo 11e20000.usb > UDC +echo 11e20000.usb > /sys/bus/platform/drivers/renesas_usbhs/unbind + +The displayed trace is as follows: + + Internal error: synchronous external abort: 0000000096000010 [#1] SMP + CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT + Tainted: [M]=MACHINE_CHECK + Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT) + pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] + lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs] + sp : ffff8000838b3920 + x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000 + x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810 + x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000 + x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020 + x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344 + x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000 + x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418 + x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d + x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000 + x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80 + Call trace: + usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P) + usbhsg_pullup+0x4c/0x7c [renesas_usbhs] + usb_gadget_disconnect_locked+0x48/0xd4 + gadget_unbind_driver+0x44/0x114 + device_remove+0x4c/0x80 + device_release_driver_internal+0x1c8/0x224 + device_release_driver+0x18/0x24 + bus_remove_device+0xcc/0x10c + device_del+0x14c/0x404 + usb_del_gadget+0x88/0xc0 + usb_del_gadget_udc+0x18/0x30 + usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs] + usbhs_mod_remove+0x20/0x30 [renesas_usbhs] + usbhs_remove+0x98/0xdc [renesas_usbhs] + platform_remove+0x20/0x30 + device_remove+0x4c/0x80 + device_release_driver_internal+0x1c8/0x224 + device_driver_detach+0x18/0x24 + unbind_store+0xb4/0xb8 + drv_attr_store+0x24/0x38 + sysfs_kf_write+0x7c/0x94 + kernfs_fop_write_iter+0x128/0x1b8 + vfs_write+0x2ac/0x350 + ksys_write+0x68/0xfc + __arm64_sys_write+0x1c/0x28 + invoke_syscall+0x48/0x110 + el0_svc_common.constprop.0+0xc0/0xe0 + do_el0_svc+0x1c/0x28 + el0_svc+0x34/0xf0 + el0t_64_sync_handler+0xa0/0xe4 + el0t_64_sync+0x198/0x19c + Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021) + ---[ end trace 0000000000000000 ]--- + note: sh[188] exited with irqs disabled + note: sh[188] exited with preempt_count 1 + +The issue occurs because usbhs_sys_function_pullup(), which accesses the IP +registers, is executed after the USBHS clocks have been disabled. The +problem is reproducible on the Renesas RZ/G3S SoC starting with the +addition of module stop in the clock enable/disable APIs. With module stop +functionality enabled, a bus error is expected if a master accesses a +module whose clock has been stopped and module stop activated. + +Disable the IP clocks at the end of remove. + +Cc: stable +Fixes: f1407d5c6624 ("usb: renesas_usbhs: Add Renesas USBHS common code") +Signed-off-by: Claudiu Beznea +Link: https://patch.msgid.link/20251027140741.557198-1-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/renesas_usbhs/common.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/usb/renesas_usbhs/common.c ++++ b/drivers/usb/renesas_usbhs/common.c +@@ -809,18 +809,18 @@ static void usbhs_remove(struct platform + + flush_delayed_work(&priv->notify_hotplug_work); + +- /* power off */ +- if (!usbhs_get_dparam(priv, runtime_pwctrl)) +- usbhsc_power_ctrl(priv, 0); +- +- pm_runtime_disable(&pdev->dev); +- + usbhs_platform_call(priv, hardware_exit, pdev); +- usbhsc_clk_put(priv); + reset_control_assert(priv->rsts); + usbhs_mod_remove(priv); + usbhs_fifo_remove(priv); + usbhs_pipe_remove(priv); ++ ++ /* power off */ ++ if (!usbhs_get_dparam(priv, runtime_pwctrl)) ++ usbhsc_power_ctrl(priv, 0); ++ ++ usbhsc_clk_put(priv); ++ pm_runtime_disable(&pdev->dev); + } + + static int usbhsc_suspend(struct device *dev) diff --git a/queue-6.17/usb-storage-fix-memory-leak-in-usb-bulk-transport.patch b/queue-6.17/usb-storage-fix-memory-leak-in-usb-bulk-transport.patch new file mode 100644 index 0000000000..f781e3b5e3 --- /dev/null +++ b/queue-6.17/usb-storage-fix-memory-leak-in-usb-bulk-transport.patch @@ -0,0 +1,62 @@ +From 41e99fe2005182139b1058db71f0d241f8f0078c Mon Sep 17 00:00:00 2001 +From: Desnes Nunes +Date: Fri, 31 Oct 2025 01:34:36 -0300 +Subject: usb: storage: Fix memory leak in USB bulk transport + +From: Desnes Nunes + +commit 41e99fe2005182139b1058db71f0d241f8f0078c upstream. + +A kernel memory leak was identified by the 'ioctl_sg01' test from Linux +Test Project (LTP). The following bytes were mainly observed: 0x53425355. + +When USB storage devices incorrectly skip the data phase with status data, +the code extracts/validates the CSW from the sg buffer, but fails to clear +it afterwards. This leaves status protocol data in srb's transfer buffer, +such as the US_BULK_CS_SIGN 'USBS' signature observed here. Thus, this can +lead to USB protocols leaks to user space through SCSI generic (/dev/sg*) +interfaces, such as the one seen here when the LTP test requested 512 KiB. + +Fix the leak by zeroing the CSW data in srb's transfer buffer immediately +after the validation of devices that skip data phase. + +Note: Differently from CVE-2018-1000204, which fixed a big leak by zero- +ing pages at allocation time, this leak occurs after allocation, when USB +protocol data is written to already-allocated sg pages. + +Fixes: a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()") +Cc: stable +Signed-off-by: Desnes Nunes +Reviewed-by: Alan Stern +Link: https://patch.msgid.link/20251031043436.55929-1-desnesn@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/transport.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/usb/storage/transport.c ++++ b/drivers/usb/storage/transport.c +@@ -1200,7 +1200,23 @@ int usb_stor_Bulk_transport(struct scsi_ + US_BULK_CS_WRAP_LEN && + bcs->Signature == + cpu_to_le32(US_BULK_CS_SIGN)) { ++ unsigned char buf[US_BULK_CS_WRAP_LEN]; ++ + usb_stor_dbg(us, "Device skipped data phase\n"); ++ ++ /* ++ * Devices skipping data phase might leave CSW data in srb's ++ * transfer buffer. Zero it to prevent USB protocol leakage. ++ */ ++ sg = NULL; ++ offset = 0; ++ memset(buf, 0, sizeof(buf)); ++ if (usb_stor_access_xfer_buf(buf, ++ US_BULK_CS_WRAP_LEN, srb, &sg, ++ &offset, TO_XFER_BUF) != ++ US_BULK_CS_WRAP_LEN) ++ usb_stor_dbg(us, "Failed to clear CSW data\n"); ++ + scsi_set_resid(srb, transfer_length); + goto skipped_data_phase; + } diff --git a/queue-6.17/usb-storage-remove-subclass-and-protocol-overrides-from-novatek-quirk.patch b/queue-6.17/usb-storage-remove-subclass-and-protocol-overrides-from-novatek-quirk.patch new file mode 100644 index 0000000000..df7623f286 --- /dev/null +++ b/queue-6.17/usb-storage-remove-subclass-and-protocol-overrides-from-novatek-quirk.patch @@ -0,0 +1,50 @@ +From df5fde297e617041449f603ed5f646861c80000b Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 21 Nov 2025 16:29:34 -0500 +Subject: USB: storage: Remove subclass and protocol overrides from Novatek quirk + +From: Alan Stern + +commit df5fde297e617041449f603ed5f646861c80000b upstream. + +A report from Oleg Smirnov indicates that the unusual_devs quirks +entry for the Novatek camera does not need to override the subclass +and protocol parameters: + +[3266355.209532] usb 1-3: new high-speed USB device number 10 using xhci_hcd +[3266355.333031] usb 1-3: New USB device found, idVendor=0603, idProduct=8611, bcdDevice= 1.00 +[3266355.333040] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3 +[3266355.333043] usb 1-3: Product: YICARCAM +[3266355.333045] usb 1-3: Manufacturer: XIAO-YI +[3266355.333047] usb 1-3: SerialNumber: 966110000000100 +[3266355.338621] usb-storage 1-3:1.0: USB Mass Storage device detected +[3266355.338817] usb-storage 1-3:1.0: Quirks match for vid 0603 pid 8611: 4000 +[3266355.338821] usb-storage 1-3:1.0: This device (0603,8611,0100 S 06 P 50) has unneeded SubClass and Protocol entries in unusual_devs.h (kernel 6.16.10-arch1-1) + Please send a copy of this message to + and + +The overrides are harmless but they do provoke the driver into logging +this annoying message. Update the entry to remove the unneeded entries. + +Reported-by: stealth +Closes: https://lore.kernel.org/CAKxjRRxhC0s19iEWoN=pEMqXJ_z8w_moC0GCXSqSKCcOddnWjQ@mail.gmail.com/ +Fixes: 6ca8af3c8fb5 ("USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera") +Signed-off-by: Alan Stern +Cc: stable +Link: https://patch.msgid.link/b440f177-f0b8-4d5a-8f7b-10855d4424ee@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/unusual_devs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -938,7 +938,7 @@ UNUSUAL_DEV( 0x05e3, 0x0723, 0x9451, 0x + UNUSUAL_DEV( 0x0603, 0x8611, 0x0000, 0xffff, + "Novatek", + "NTK96550-based camera", +- USB_SC_SCSI, USB_PR_BULK, NULL, ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_BULK_IGNORE_TAG ), + + /* diff --git a/queue-6.17/usb-storage-sddr55-reject-out-of-bound-new_pba.patch b/queue-6.17/usb-storage-sddr55-reject-out-of-bound-new_pba.patch new file mode 100644 index 0000000000..8bcef79888 --- /dev/null +++ b/queue-6.17/usb-storage-sddr55-reject-out-of-bound-new_pba.patch @@ -0,0 +1,42 @@ +From b59d4fda7e7d0aff1043a7f742487cb829f5aac1 Mon Sep 17 00:00:00 2001 +From: Tianchu Chen +Date: Sun, 16 Nov 2025 12:46:18 +0800 +Subject: usb: storage: sddr55: Reject out-of-bound new_pba + +From: Tianchu Chen + +commit b59d4fda7e7d0aff1043a7f742487cb829f5aac1 upstream. + +Discovered by Atuin - Automated Vulnerability Discovery Engine. + +new_pba comes from the status packet returned after each write. +A bogus device could report values beyond the block count derived +from info->capacity, letting the driver walk off the end of +pba_to_lba[] and corrupt heap memory. + +Reject PBAs that exceed the computed block count and fail the +transfer so we avoid touching out-of-range mapping entries. + +Signed-off-by: Tianchu Chen +Cc: stable +Link: https://patch.msgid.link/B2DC73A3EE1E3A1D+202511161322001664687@tencent.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/sddr55.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/storage/sddr55.c ++++ b/drivers/usb/storage/sddr55.c +@@ -469,6 +469,12 @@ static int sddr55_write_data(struct us_d + new_pba = (status[3] + (status[4] << 8) + (status[5] << 16)) + >> info->blockshift; + ++ /* check if device-reported new_pba is out of range */ ++ if (new_pba >= (info->capacity >> (info->blockshift + info->pageshift))) { ++ result = USB_STOR_TRANSPORT_FAILED; ++ goto leave; ++ } ++ + /* check status for error */ + if (status[0] == 0xff && status[1] == 0x4) { + info->pba_to_lba[new_pba] = BAD_BLOCK; diff --git a/queue-6.17/usb-typec-ucsi-psy-set-max-current-to-zero-when-disconnected.patch b/queue-6.17/usb-typec-ucsi-psy-set-max-current-to-zero-when-disconnected.patch new file mode 100644 index 0000000000..717d3ae27d --- /dev/null +++ b/queue-6.17/usb-typec-ucsi-psy-set-max-current-to-zero-when-disconnected.patch @@ -0,0 +1,44 @@ +From 23379a17334fc24c4a9cbd9967d33dcd9323cc7c Mon Sep 17 00:00:00 2001 +From: Jameson Thies +Date: Thu, 6 Nov 2025 01:14:46 +0000 +Subject: usb: typec: ucsi: psy: Set max current to zero when disconnected + +From: Jameson Thies + +commit 23379a17334fc24c4a9cbd9967d33dcd9323cc7c upstream. + +The ucsi_psy_get_current_max function defaults to 0.1A when it is not +clear how much current the partner device can support. But this does +not check the port is connected, and will report 0.1A max current when +nothing is connected. Update ucsi_psy_get_current_max to report 0A when +there is no connection. + +Fixes: af833e7f7db3 ("usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default") +Cc: stable@vger.kernel.org +Signed-off-by: Jameson Thies +Reviewed-by: Benson Leung +Reviewed-by: Heikki Krogerus +Reviewed-by: Sebastian Reichel +Tested-by: Kenneth R. Crudup +Rule: add +Link: https://lore.kernel.org/stable/20251017000051.2094101-1-jthies%40google.com +Link: https://patch.msgid.link/20251106011446.2052583-1-jthies@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/psy.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/typec/ucsi/psy.c ++++ b/drivers/usb/typec/ucsi/psy.c +@@ -145,6 +145,11 @@ static int ucsi_psy_get_current_max(stru + { + u32 pdo; + ++ if (!UCSI_CONSTAT(con, CONNECTED)) { ++ val->intval = 0; ++ return 0; ++ } ++ + switch (UCSI_CONSTAT(con, PWR_OPMODE)) { + case UCSI_CONSTAT_PWR_OPMODE_PD: + if (con->num_pdos > 0) { diff --git a/queue-6.17/usb-uas-fix-urb-unmapping-issue-when-the-uas-device-is-remove-during-ongoing-data-transfer.patch b/queue-6.17/usb-uas-fix-urb-unmapping-issue-when-the-uas-device-is-remove-during-ongoing-data-transfer.patch new file mode 100644 index 0000000000..868921912e --- /dev/null +++ b/queue-6.17/usb-uas-fix-urb-unmapping-issue-when-the-uas-device-is-remove-during-ongoing-data-transfer.patch @@ -0,0 +1,78 @@ +From 26d56a9fcb2014b99e654127960aa0a48a391e3c Mon Sep 17 00:00:00 2001 +From: Owen Gu +Date: Thu, 20 Nov 2025 20:33:36 +0800 +Subject: usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer + +From: Owen Gu + +commit 26d56a9fcb2014b99e654127960aa0a48a391e3c upstream. + +When a UAS device is unplugged during data transfer, there is +a probability of a system panic occurring. The root cause is +an access to an invalid memory address during URB callback handling. +Specifically, this happens when the dma_direct_unmap_sg() function +is called within the usb_hcd_unmap_urb_for_dma() interface, but the +sg->dma_address field is 0 and the sg data structure has already been +freed. + +The SCSI driver sends transfer commands by invoking uas_queuecommand_lck() +in uas.c, using the uas_submit_urbs() function to submit requests to USB. +Within the uas_submit_urbs() implementation, three URBs (sense_urb, +data_urb, and cmd_urb) are sequentially submitted. Device removal may +occur at any point during uas_submit_urbs execution, which may result +in URB submission failure. However, some URBs might have been successfully +submitted before the failure, and uas_submit_urbs will return the -ENODEV +error code in this case. The current error handling directly calls +scsi_done(). In the SCSI driver, this eventually triggers scsi_complete() +to invoke scsi_end_request() for releasing the sgtable. The successfully +submitted URBs, when being unlinked to giveback, call +usb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg +unmapping operations since the sg data structure has already been freed. + +This patch modifies the error condition check in the uas_submit_urbs() +function. When a UAS device is removed but one or more URBs have already +been successfully submitted to USB, it avoids immediately invoking +scsi_done() and save the cmnd to devinfo->cmnd array. If the successfully +submitted URBs is completed before devinfo->resetting being set, then +the scsi_done() function will be called within uas_try_complete() after +all pending URB operations are finalized. Otherwise, the scsi_done() +function will be called within uas_zap_pending(), which is executed after +usb_kill_anchored_urbs(). + +The error handling only takes effect when uas_queuecommand_lck() calls +uas_submit_urbs() and returns the error value -ENODEV . In this case, +the device is disconnected, and the flow proceeds to uas_disconnect(), +where uas_zap_pending() is invoked to call uas_try_complete(). + +Fixes: eb2a86ae8c54 ("USB: UAS: fix disconnect by unplugging a hub") +Cc: stable +Signed-off-by: Yu Chen +Signed-off-by: Owen Gu +Acked-by: Oliver Neukum +Link: https://patch.msgid.link/20251120123336.3328-1-guhuinan@xiaomi.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/uas.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -698,6 +698,10 @@ static int uas_queuecommand_lck(struct s + * of queueing, no matter how fatal the error + */ + if (err == -ENODEV) { ++ if (cmdinfo->state & (COMMAND_INFLIGHT | DATA_IN_URB_INFLIGHT | ++ DATA_OUT_URB_INFLIGHT)) ++ goto out; ++ + set_host_byte(cmnd, DID_NO_CONNECT); + scsi_done(cmnd); + goto zombie; +@@ -711,6 +715,7 @@ static int uas_queuecommand_lck(struct s + uas_add_work(cmnd); + } + ++out: + devinfo->cmnd[idx] = cmnd; + zombie: + spin_unlock_irqrestore(&devinfo->lock, flags); diff --git a/queue-6.17/xhci-dbgtty-fix-data-corruption-when-transmitting-data-form-dbc-to-host.patch b/queue-6.17/xhci-dbgtty-fix-data-corruption-when-transmitting-data-form-dbc-to-host.patch new file mode 100644 index 0000000000..8a5dd86e8c --- /dev/null +++ b/queue-6.17/xhci-dbgtty-fix-data-corruption-when-transmitting-data-form-dbc-to-host.patch @@ -0,0 +1,124 @@ +From f6bb3b67be9af0cfb90075c60850b6af5338a508 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Fri, 7 Nov 2025 18:28:17 +0200 +Subject: xhci: dbgtty: Fix data corruption when transmitting data form DbC to host +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mathias Nyman + +commit f6bb3b67be9af0cfb90075c60850b6af5338a508 upstream. + +Data read from a DbC device may be corrupted due to a race between +ongoing write and write request completion handler both queuing new +transfer blocks (TRBs) if there are remining data in the kfifo. + +TRBs may be in incorrct order compared to the data in the kfifo. + +Driver fails to keep lock between reading data from kfifo into a +dbc request buffer, and queuing the request to the transfer ring. + +This allows completed request to re-queue itself in the middle of +an ongoing transfer loop, forcing itself between a kfifo read and +request TRB write of another request + +cpu0 cpu1 (re-queue completed req2) + +lock(port_lock) +dbc_start_tx() +kfifo_out(fifo, req1->buffer) +unlock(port_lock) + lock(port_lock) + dbc_write_complete(req2) + dbc_start_tx() + kfifo_out(fifo, req2->buffer) + unlock(port_lock) + lock(port_lock) + req2->trb = ring->enqueue; + ring->enqueue++ + unlock(port_lock) +lock(port_lock) +req1->trb = ring->enqueue; +ring->enqueue++ +unlock(port_lock) + +In the above scenario a kfifo containing "12345678" would read "1234" to +req1 and "5678" to req2, but req2 is queued before req1 leading to +data being transmitted as "56781234" + +Solve this by adding a flag that prevents starting a new tx if we +are already mid dbc_start_tx() during the unlocked part. + +The already running dbc_do_start_tx() will make sure the newly completed +request gets re-queued as it is added to the request write_pool while +holding the lock. + +Cc: stable@vger.kernel.org +Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver") +Tested-by: Łukasz Bartosik +Signed-off-by: Mathias Nyman +Link: https://patch.msgid.link/20251107162819.1362579-3-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-dbgcap.h | 1 + + drivers/usb/host/xhci-dbgtty.c | 17 ++++++++++++++++- + 2 files changed, 17 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-dbgcap.h ++++ b/drivers/usb/host/xhci-dbgcap.h +@@ -114,6 +114,7 @@ struct dbc_port { + unsigned int tx_boundary; + + bool registered; ++ bool tx_running; + }; + + struct dbc_driver { +--- a/drivers/usb/host/xhci-dbgtty.c ++++ b/drivers/usb/host/xhci-dbgtty.c +@@ -47,7 +47,7 @@ dbc_kfifo_to_req(struct dbc_port *port, + return len; + } + +-static int dbc_start_tx(struct dbc_port *port) ++static int dbc_do_start_tx(struct dbc_port *port) + __releases(&port->port_lock) + __acquires(&port->port_lock) + { +@@ -57,6 +57,8 @@ static int dbc_start_tx(struct dbc_port + bool do_tty_wake = false; + struct list_head *pool = &port->write_pool; + ++ port->tx_running = true; ++ + while (!list_empty(pool)) { + req = list_entry(pool->next, struct dbc_request, list_pool); + len = dbc_kfifo_to_req(port, req->buf); +@@ -77,12 +79,25 @@ static int dbc_start_tx(struct dbc_port + } + } + ++ port->tx_running = false; ++ + if (do_tty_wake && port->port.tty) + tty_wakeup(port->port.tty); + + return status; + } + ++/* must be called with port->port_lock held */ ++static int dbc_start_tx(struct dbc_port *port) ++{ ++ lockdep_assert_held(&port->port_lock); ++ ++ if (port->tx_running) ++ return -EBUSY; ++ ++ return dbc_do_start_tx(port); ++} ++ + static void dbc_start_rx(struct dbc_port *port) + __releases(&port->port_lock) + __acquires(&port->port_lock) diff --git a/queue-6.17/xhci-dbgtty-fix-device-unregister.patch b/queue-6.17/xhci-dbgtty-fix-device-unregister.patch new file mode 100644 index 0000000000..b92ecca572 --- /dev/null +++ b/queue-6.17/xhci-dbgtty-fix-device-unregister.patch @@ -0,0 +1,45 @@ +From 1f73b8b56cf35de29a433aee7bfff26cea98be3f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=81ukasz=20Bartosik?= +Date: Wed, 19 Nov 2025 21:29:09 +0000 +Subject: xhci: dbgtty: fix device unregister +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Łukasz Bartosik + +commit 1f73b8b56cf35de29a433aee7bfff26cea98be3f upstream. + +When DbC is disconnected then xhci_dbc_tty_unregister_device() +is called. However if there is any user space process blocked +on write to DbC terminal device then it will never be signalled +and thus stay blocked indifinitely. + +This fix adds a tty_vhangup() call in xhci_dbc_tty_unregister_device(). +The tty_vhangup() wakes up any blocked writers and causes subsequent +write attempts to DbC terminal device to fail. + +Cc: stable +Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver") +Signed-off-by: Łukasz Bartosik +Link: https://patch.msgid.link/20251119212910.1245694-1-ukaszb@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-dbgtty.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/host/xhci-dbgtty.c ++++ b/drivers/usb/host/xhci-dbgtty.c +@@ -550,6 +550,12 @@ static void xhci_dbc_tty_unregister_devi + + if (!port->registered) + return; ++ /* ++ * Hang up the TTY. This wakes up any blocked ++ * writers and causes subsequent writes to fail. ++ */ ++ tty_vhangup(port->port.tty); ++ + tty_unregister_device(dbc_tty_driver, port->minor); + xhci_dbc_tty_exit_port(port); + port->registered = false; diff --git a/queue-6.17/xhci-fix-stale-flag-preventig-urbs-after-link-state-error-is-cleared.patch b/queue-6.17/xhci-fix-stale-flag-preventig-urbs-after-link-state-error-is-cleared.patch new file mode 100644 index 0000000000..435bca8a6a --- /dev/null +++ b/queue-6.17/xhci-fix-stale-flag-preventig-urbs-after-link-state-error-is-cleared.patch @@ -0,0 +1,104 @@ +From b69dfcab6894b1fed5362a364411502a7469fce3 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Fri, 7 Nov 2025 18:28:16 +0200 +Subject: xhci: fix stale flag preventig URBs after link state error is cleared + +From: Mathias Nyman + +commit b69dfcab6894b1fed5362a364411502a7469fce3 upstream. + +A usb device caught behind a link in ss.Inactive error state needs to +be reset to recover. A VDEV_PORT_ERROR flag is used to track this state, +preventing new transfers from being queued until error is cleared. + +This flag may be left uncleared if link goes to error state between two +resets, and print the following message: + +"xhci_hcd 0000:00:14.0: Can't queue urb, port error, link inactive" + +Fix setting and clearing the flag. + +The flag is cleared after hub driver has successfully reset the device +when hcd->reset_device is called. xhci-hcd issues an internal "reset +device" command in this callback, and clear all flags once the command +completes successfully. + +This command may complete with a context state error if slot was recently +reset and is already in the defauilt state. This is treated as a success +but flag was left uncleared. + +The link state field is also unreliable if port is currently in reset, +so don't set the flag in active reset cases. +Also clear the flag immediately when link is no longer in ss.Inactive +state and port event handler detects a completed reset. + +This issue was discovered while debugging kernel bugzilla issue 220491. +It is likely one small part of the problem, causing some of the failures, +but root cause remains unknown + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220491 +Fixes: b8c3b718087b ("usb: xhci: Don't try to recover an endpoint if port is in error state.") +Cc: stable@vger.kernel.org +Signed-off-by: Mathias Nyman +Link: https://patch.msgid.link/20251107162819.1362579-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-ring.c | 15 ++++++++++----- + drivers/usb/host/xhci.c | 1 + + 2 files changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1984,6 +1984,7 @@ static void xhci_cavium_reset_phy_quirk( + + static void handle_port_status(struct xhci_hcd *xhci, union xhci_trb *event) + { ++ struct xhci_virt_device *vdev = NULL; + struct usb_hcd *hcd; + u32 port_id; + u32 portsc, cmd_reg; +@@ -2015,6 +2016,9 @@ static void handle_port_status(struct xh + goto cleanup; + } + ++ if (port->slot_id) ++ vdev = xhci->devs[port->slot_id]; ++ + /* We might get interrupts after shared_hcd is removed */ + if (port->rhub == &xhci->usb3_rhub && xhci->shared_hcd == NULL) { + xhci_dbg(xhci, "ignore port event for removed USB3 hcd\n"); +@@ -2037,10 +2041,11 @@ static void handle_port_status(struct xh + usb_hcd_resume_root_hub(hcd); + } + +- if (hcd->speed >= HCD_USB3 && +- (portsc & PORT_PLS_MASK) == XDEV_INACTIVE) { +- if (port->slot_id && xhci->devs[port->slot_id]) +- xhci->devs[port->slot_id]->flags |= VDEV_PORT_ERROR; ++ if (vdev && (portsc & PORT_PLS_MASK) == XDEV_INACTIVE) { ++ if (!(portsc & PORT_RESET)) ++ vdev->flags |= VDEV_PORT_ERROR; ++ } else if (vdev && portsc & PORT_RC) { ++ vdev->flags &= ~VDEV_PORT_ERROR; + } + + if ((portsc & PORT_PLC) && (portsc & PORT_PLS_MASK) == XDEV_RESUME) { +@@ -2098,7 +2103,7 @@ static void handle_port_status(struct xh + * so the roothub behavior is consistent with external + * USB 3.0 hub behavior. + */ +- if (port->slot_id && xhci->devs[port->slot_id]) ++ if (vdev) + xhci_ring_device(xhci, port->slot_id); + if (bus_state->port_remote_wakeup & (1 << hcd_portnum)) { + xhci_test_and_clear_bit(xhci, port, PORT_PLC); +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -3993,6 +3993,7 @@ static int xhci_discover_or_reset_device + xhci_get_slot_state(xhci, virt_dev->out_ctx)); + xhci_dbg(xhci, "Not freeing device rings.\n"); + /* Don't treat this as an error. May change my mind later. */ ++ virt_dev->flags = 0; + ret = 0; + goto command_cleanup; + case COMP_SUCCESS: