From a37a33ca1b9fe1db7236cbfca01b133902cbc305 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 23 Aug 2025 18:01:37 +0200 Subject: [PATCH] 6.1-stable patches added patches: comedi-fix-use-of-uninitialized-memory-in-do_insn_ioctl-and-do_insnlist_ioctl.patch comedi-make-insn_rw_emulate_bits-do-insn-n-samples.patch comedi-pcl726-prevent-invalid-irq-number.patch ftrace-also-allocate-and-copy-hash-for-reading-of-filter-files.patch iio-pressure-bmp280-use-is_err-in-bmp280_common_probe.patch iio-proximity-isl29501-fix-buffered-read-on-big-endian-systems.patch most-core-drop-device-reference-after-usage-in-get_channel.patch usb-core-hcd-fix-accessing-unmapped-memory-in-single_step_set_feature-test.patch usb-dwc3-ignore-late-xfernotready-event-to-prevent-halt-timeout.patch usb-dwc3-remove-warn_on-for-device-endpoint-command-timeouts.patch usb-quirks-add-delay_init-quick-for-another-sandisk-3.2gen1-flash-drive.patch usb-renesas-xhci-fix-external-rom-access-timeouts.patch usb-storage-add-unusual-devs-entry-for-novatek-ntk96550-based-camera.patch usb-storage-ignore-driver-cd-mode-for-realtek-multi-mode-wi-fi-dongles.patch usb-storage-realtek_cr-use-correct-byte-order-for-bcs-residue.patch --- ...-do_insn_ioctl-and-do_insnlist_ioctl.patch | 72 ++++++++++ ...sn_rw_emulate_bits-do-insn-n-samples.patch | 82 +++++++++++ ...di-pcl726-prevent-invalid-irq-number.patch | 50 +++++++ ...opy-hash-for-reading-of-filter-files.patch | 75 ++++++++++ ...80-use-is_err-in-bmp280_common_probe.patch | 43 ++++++ ...-buffered-read-on-big-endian-systems.patch | 52 +++++++ ...reference-after-usage-in-get_channel.patch | 34 +++++ queue-6.1/series | 15 ++ ...mory-in-single_step_set_feature-test.patch | 58 ++++++++ ...tready-event-to-prevent-halt-timeout.patch | 46 ++++++ ...for-device-endpoint-command-timeouts.patch | 133 ++++++++++++++++++ ...-another-sandisk-3.2gen1-flash-drive.patch | 31 ++++ ...hci-fix-external-rom-access-timeouts.patch | 72 ++++++++++ ...ry-for-novatek-ntk96550-based-camera.patch | 54 +++++++ ...for-realtek-multi-mode-wi-fi-dongles.patch | 79 +++++++++++ ...e-correct-byte-order-for-bcs-residue.patch | 35 +++++ 16 files changed, 931 insertions(+) create mode 100644 queue-6.1/comedi-fix-use-of-uninitialized-memory-in-do_insn_ioctl-and-do_insnlist_ioctl.patch create mode 100644 queue-6.1/comedi-make-insn_rw_emulate_bits-do-insn-n-samples.patch create mode 100644 queue-6.1/comedi-pcl726-prevent-invalid-irq-number.patch create mode 100644 queue-6.1/ftrace-also-allocate-and-copy-hash-for-reading-of-filter-files.patch create mode 100644 queue-6.1/iio-pressure-bmp280-use-is_err-in-bmp280_common_probe.patch create mode 100644 queue-6.1/iio-proximity-isl29501-fix-buffered-read-on-big-endian-systems.patch create mode 100644 queue-6.1/most-core-drop-device-reference-after-usage-in-get_channel.patch create mode 100644 queue-6.1/usb-core-hcd-fix-accessing-unmapped-memory-in-single_step_set_feature-test.patch create mode 100644 queue-6.1/usb-dwc3-ignore-late-xfernotready-event-to-prevent-halt-timeout.patch create mode 100644 queue-6.1/usb-dwc3-remove-warn_on-for-device-endpoint-command-timeouts.patch create mode 100644 queue-6.1/usb-quirks-add-delay_init-quick-for-another-sandisk-3.2gen1-flash-drive.patch create mode 100644 queue-6.1/usb-renesas-xhci-fix-external-rom-access-timeouts.patch create mode 100644 queue-6.1/usb-storage-add-unusual-devs-entry-for-novatek-ntk96550-based-camera.patch create mode 100644 queue-6.1/usb-storage-ignore-driver-cd-mode-for-realtek-multi-mode-wi-fi-dongles.patch create mode 100644 queue-6.1/usb-storage-realtek_cr-use-correct-byte-order-for-bcs-residue.patch diff --git a/queue-6.1/comedi-fix-use-of-uninitialized-memory-in-do_insn_ioctl-and-do_insnlist_ioctl.patch b/queue-6.1/comedi-fix-use-of-uninitialized-memory-in-do_insn_ioctl-and-do_insnlist_ioctl.patch new file mode 100644 index 0000000000..a703c21587 --- /dev/null +++ b/queue-6.1/comedi-fix-use-of-uninitialized-memory-in-do_insn_ioctl-and-do_insnlist_ioctl.patch @@ -0,0 +1,72 @@ +From 3cd212e895ca2d58963fdc6422502b10dd3966bb Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Fri, 25 Jul 2025 13:53:24 +0100 +Subject: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() + +From: Ian Abbott + +commit 3cd212e895ca2d58963fdc6422502b10dd3966bb upstream. + +syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel +buffer is allocated to hold `insn->n` samples (each of which is an +`unsigned int`). For some instruction types, `insn->n` samples are +copied back to user-space, unless an error code is being returned. The +problem is that not all the instruction handlers that need to return +data to userspace fill in the whole `insn->n` samples, so that there is +an information leak. There is a similar syzbot report for +`do_insnlist_ioctl()`, although it does not have a reproducer for it at +the time of writing. + +One culprit is `insn_rw_emulate_bits()` which is used as the handler for +`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have +a specific handler for that instruction, but do have an `INSN_BITS` +handler. For `INSN_READ` it only fills in at most 1 sample, so if +`insn->n` is greater than 1, the remaining `insn->n - 1` samples copied +to userspace will be uninitialized kernel data. + +Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver. It +never returns an error, even if it fails to fill the buffer. + +Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure +that uninitialized parts of the allocated buffer are zeroed before +handling each instruction. + +Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix +replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not +always necessary to clear the whole buffer. + +Fixes: ed9eccbe8970 ("Staging: add comedi core") +Reported-by: syzbot+a5e45f768aab5892da5d@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a5e45f768aab5892da5d +Reported-by: syzbot+fb4362a104d45ab09cf9@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=fb4362a104d45ab09cf9 +Cc: stable # 5.13+ +Cc: Arnaud Lecomte +Signed-off-by: Ian Abbott +Link: https://lore.kernel.org/r/20250725125324.80276-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/comedi_fops.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/comedi/comedi_fops.c ++++ b/drivers/comedi/comedi_fops.c +@@ -1582,6 +1582,9 @@ static int do_insnlist_ioctl(struct come + memset(&data[n], 0, (MIN_SAMPLES - n) * + sizeof(unsigned int)); + } ++ } else { ++ memset(data, 0, max_t(unsigned int, n, MIN_SAMPLES) * ++ sizeof(unsigned int)); + } + ret = parse_insn(dev, insns + i, data, file); + if (ret < 0) +@@ -1665,6 +1668,8 @@ static int do_insn_ioctl(struct comedi_d + memset(&data[insn->n], 0, + (MIN_SAMPLES - insn->n) * sizeof(unsigned int)); + } ++ } else { ++ memset(data, 0, n_data * sizeof(unsigned int)); + } + ret = parse_insn(dev, insn, data, file); + if (ret < 0) diff --git a/queue-6.1/comedi-make-insn_rw_emulate_bits-do-insn-n-samples.patch b/queue-6.1/comedi-make-insn_rw_emulate_bits-do-insn-n-samples.patch new file mode 100644 index 0000000000..f9a8a48c31 --- /dev/null +++ b/queue-6.1/comedi-make-insn_rw_emulate_bits-do-insn-n-samples.patch @@ -0,0 +1,82 @@ +From 7afba9221f70d4cbce0f417c558879cba0eb5e66 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Fri, 25 Jul 2025 15:10:34 +0100 +Subject: comedi: Make insn_rw_emulate_bits() do insn->n samples + +From: Ian Abbott + +commit 7afba9221f70d4cbce0f417c558879cba0eb5e66 upstream. + +The `insn_rw_emulate_bits()` function is used as a default handler for +`INSN_READ` instructions for subdevices that have a handler for +`INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default +handler for `INSN_WRITE` instructions for subdevices that have a handler +for `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the +`INSN_READ` or `INSN_WRITE` instruction handling with a constructed +`INSN_BITS` instruction. However, `INSN_READ` and `INSN_WRITE` +instructions are supposed to be able read or write multiple samples, +indicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently +only handles a single sample. For `INSN_READ`, the comedi core will +copy `insn->n` samples back to user-space. (That triggered KASAN +kernel-infoleak errors when `insn->n` was greater than 1, but that is +being fixed more generally elsewhere in the comedi core.) + +Make `insn_rw_emulate_bits()` either handle `insn->n` samples, or return +an error, to conform to the general expectation for `INSN_READ` and +`INSN_WRITE` handlers. + +Fixes: ed9eccbe8970 ("Staging: add comedi core") +Cc: stable # 5.13+ +Signed-off-by: Ian Abbott +Link: https://lore.kernel.org/r/20250725141034.87297-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +--- a/drivers/comedi/drivers.c ++++ b/drivers/comedi/drivers.c +@@ -619,11 +619,9 @@ static int insn_rw_emulate_bits(struct c + unsigned int chan = CR_CHAN(insn->chanspec); + unsigned int base_chan = (chan < 32) ? 0 : chan; + unsigned int _data[2]; ++ unsigned int i; + int ret; + +- if (insn->n == 0) +- return 0; +- + memset(_data, 0, sizeof(_data)); + memset(&_insn, 0, sizeof(_insn)); + _insn.insn = INSN_BITS; +@@ -634,18 +632,21 @@ static int insn_rw_emulate_bits(struct c + if (insn->insn == INSN_WRITE) { + if (!(s->subdev_flags & SDF_WRITABLE)) + return -EINVAL; +- _data[0] = 1U << (chan - base_chan); /* mask */ +- _data[1] = data[0] ? (1U << (chan - base_chan)) : 0; /* bits */ ++ _data[0] = 1U << (chan - base_chan); /* mask */ + } ++ for (i = 0; i < insn->n; i++) { ++ if (insn->insn == INSN_WRITE) ++ _data[1] = data[i] ? _data[0] : 0; /* bits */ ++ ++ ret = s->insn_bits(dev, s, &_insn, _data); ++ if (ret < 0) ++ return ret; + +- ret = s->insn_bits(dev, s, &_insn, _data); +- if (ret < 0) +- return ret; +- +- if (insn->insn == INSN_READ) +- data[0] = (_data[1] >> (chan - base_chan)) & 1; ++ if (insn->insn == INSN_READ) ++ data[i] = (_data[1] >> (chan - base_chan)) & 1; ++ } + +- return 1; ++ return insn->n; + } + + static int __comedi_device_postconfig_async(struct comedi_device *dev, diff --git a/queue-6.1/comedi-pcl726-prevent-invalid-irq-number.patch b/queue-6.1/comedi-pcl726-prevent-invalid-irq-number.patch new file mode 100644 index 0000000000..f307ab6d9e --- /dev/null +++ b/queue-6.1/comedi-pcl726-prevent-invalid-irq-number.patch @@ -0,0 +1,50 @@ +From 96cb948408b3adb69df7e451ba7da9d21f814d00 Mon Sep 17 00:00:00 2001 +From: Edward Adam Davis +Date: Mon, 7 Jul 2025 20:39:58 +0800 +Subject: comedi: pcl726: Prevent invalid irq number + +From: Edward Adam Davis + +commit 96cb948408b3adb69df7e451ba7da9d21f814d00 upstream. + +The reproducer passed in an irq number(0x80008000) that was too large, +which triggered the oob. + +Added an interrupt number check to prevent users from passing in an irq +number that was too large. + +If `it->options[1]` is 31, then `1 << it->options[1]` is still invalid +because it shifts a 1-bit into the sign bit (which is UB in C). +Possible solutions include reducing the upper bound on the +`it->options[1]` value to 30 or lower, or using `1U << it->options[1]`. + +The old code would just not attempt to request the IRQ if the +`options[1]` value were invalid. And it would still configure the +device without interrupts even if the call to `request_irq` returned an +error. So it would be better to combine this test with the test below. + +Fixes: fff46207245c ("staging: comedi: pcl726: enable the interrupt support code") +Cc: stable # 5.13+ +Reported-by: syzbot+5cd373521edd68bebcb3@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=5cd373521edd68bebcb3 +Tested-by: syzbot+5cd373521edd68bebcb3@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Reviewed-by: Ian Abbott +Link: https://lore.kernel.org/r/tencent_3C66983CC1369E962436264A50759176BF09@qq.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/pcl726.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/comedi/drivers/pcl726.c ++++ b/drivers/comedi/drivers/pcl726.c +@@ -328,7 +328,8 @@ static int pcl726_attach(struct comedi_d + * Hook up the external trigger source interrupt only if the + * user config option is valid and the board supports interrupts. + */ +- if (it->options[1] && (board->irq_mask & (1 << it->options[1]))) { ++ if (it->options[1] > 0 && it->options[1] < 16 && ++ (board->irq_mask & (1U << it->options[1]))) { + ret = request_irq(it->options[1], pcl726_interrupt, 0, + dev->board_name, dev); + if (ret == 0) { diff --git a/queue-6.1/ftrace-also-allocate-and-copy-hash-for-reading-of-filter-files.patch b/queue-6.1/ftrace-also-allocate-and-copy-hash-for-reading-of-filter-files.patch new file mode 100644 index 0000000000..5f183101e2 --- /dev/null +++ b/queue-6.1/ftrace-also-allocate-and-copy-hash-for-reading-of-filter-files.patch @@ -0,0 +1,75 @@ +From bfb336cf97df7b37b2b2edec0f69773e06d11955 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Fri, 22 Aug 2025 18:36:06 -0400 +Subject: ftrace: Also allocate and copy hash for reading of filter files + +From: Steven Rostedt + +commit bfb336cf97df7b37b2b2edec0f69773e06d11955 upstream. + +Currently the reader of set_ftrace_filter and set_ftrace_notrace just adds +the pointer to the global tracer hash to its iterator. Unlike the writer +that allocates a copy of the hash, the reader keeps the pointer to the +filter hashes. This is problematic because this pointer is static across +function calls that release the locks that can update the global tracer +hashes. This can cause UAF and similar bugs. + +Allocate and copy the hash for reading the filter files like it is done +for the writers. This not only fixes UAF bugs, but also makes the code a +bit simpler as it doesn't have to differentiate when to free the +iterator's hash between writers and readers. + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Nathan Chancellor +Cc: Linus Torvalds +Link: https://lore.kernel.org/20250822183606.12962cc3@batman.local.home +Fixes: c20489dad156 ("ftrace: Assign iter->hash to filter or notrace hashes on seq read") +Closes: https://lore.kernel.org/all/20250813023044.2121943-1-wutengda@huaweicloud.com/ +Closes: https://lore.kernel.org/all/20250822192437.GA458494@ax162/ +Reported-by: Tengda Wu +Tested-by: Tengda Wu +Tested-by: Nathan Chancellor +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -3934,13 +3934,17 @@ ftrace_regex_open(struct ftrace_ops *ops + } else { + iter->hash = alloc_and_copy_ftrace_hash(size_bits, hash); + } ++ } else { ++ if (hash) ++ iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash); ++ else ++ iter->hash = EMPTY_HASH; ++ } + +- if (!iter->hash) { +- trace_parser_put(&iter->parser); +- goto out_unlock; +- } +- } else +- iter->hash = hash; ++ if (!iter->hash) { ++ trace_parser_put(&iter->parser); ++ goto out_unlock; ++ } + + ret = 0; + +@@ -6132,9 +6136,6 @@ int ftrace_regex_release(struct inode *i + ftrace_hash_move_and_update_ops(iter->ops, orig_hash, + iter->hash, filter_hash); + mutex_unlock(&ftrace_lock); +- } else { +- /* For read only, the hash is the ops hash */ +- iter->hash = NULL; + } + + mutex_unlock(&iter->ops->func_hash->regex_lock); diff --git a/queue-6.1/iio-pressure-bmp280-use-is_err-in-bmp280_common_probe.patch b/queue-6.1/iio-pressure-bmp280-use-is_err-in-bmp280_common_probe.patch new file mode 100644 index 0000000000..962d40e036 --- /dev/null +++ b/queue-6.1/iio-pressure-bmp280-use-is_err-in-bmp280_common_probe.patch @@ -0,0 +1,43 @@ +From 43c0f6456f801181a80b73d95def0e0fd134e1cc Mon Sep 17 00:00:00 2001 +From: Salah Triki +Date: Mon, 18 Aug 2025 10:27:30 +0100 +Subject: iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() + +From: Salah Triki + +commit 43c0f6456f801181a80b73d95def0e0fd134e1cc upstream. + +`devm_gpiod_get_optional()` may return non-NULL error pointer on failure. +Check its return value using `IS_ERR()` and propagate the error if +necessary. + +Fixes: df6e71256c84 ("iio: pressure: bmp280: Explicitly mark GPIO optional") +Signed-off-by: Salah Triki +Reviewed-by: David Lechner +Link: https://patch.msgid.link/20250818092740.545379-2-salah.triki@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/pressure/bmp280-core.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/iio/pressure/bmp280-core.c ++++ b/drivers/iio/pressure/bmp280-core.c +@@ -1740,11 +1740,12 @@ int bmp280_common_probe(struct device *d + + /* Bring chip out of reset if there is an assigned GPIO line */ + gpiod = devm_gpiod_get_optional(dev, "reset", GPIOD_OUT_HIGH); ++ if (IS_ERR(gpiod)) ++ return dev_err_probe(dev, PTR_ERR(gpiod), "failed to get reset GPIO\n"); ++ + /* Deassert the signal */ +- if (gpiod) { +- dev_info(dev, "release reset\n"); +- gpiod_set_value(gpiod, 0); +- } ++ dev_info(dev, "release reset\n"); ++ gpiod_set_value(gpiod, 0); + + data->regmap = regmap; + diff --git a/queue-6.1/iio-proximity-isl29501-fix-buffered-read-on-big-endian-systems.patch b/queue-6.1/iio-proximity-isl29501-fix-buffered-read-on-big-endian-systems.patch new file mode 100644 index 0000000000..7a68584f3d --- /dev/null +++ b/queue-6.1/iio-proximity-isl29501-fix-buffered-read-on-big-endian-systems.patch @@ -0,0 +1,52 @@ +From de18e978d0cda23e4c102e18092b63a5b0b3a800 Mon Sep 17 00:00:00 2001 +From: David Lechner +Date: Tue, 22 Jul 2025 15:54:21 -0500 +Subject: iio: proximity: isl29501: fix buffered read on big-endian systems + +From: David Lechner + +commit de18e978d0cda23e4c102e18092b63a5b0b3a800 upstream. + +Fix passing a u32 value as a u16 buffer scan item. This works on little- +endian systems, but not on big-endian systems. + +A new local variable is introduced for getting the register value and +the array is changed to a struct to make the data layout more explicit +rather than just changing the type and having to recalculate the proper +length needed for the timestamp. + +Fixes: 1c28799257bc ("iio: light: isl29501: Add support for the ISL29501 ToF sensor.") +Signed-off-by: David Lechner +Link: https://patch.msgid.link/20250722-iio-use-more-iio_declare_buffer_with_ts-7-v2-1-d3ebeb001ed3@baylibre.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/proximity/isl29501.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/iio/proximity/isl29501.c ++++ b/drivers/iio/proximity/isl29501.c +@@ -938,12 +938,18 @@ static irqreturn_t isl29501_trigger_hand + struct iio_dev *indio_dev = pf->indio_dev; + struct isl29501_private *isl29501 = iio_priv(indio_dev); + const unsigned long *active_mask = indio_dev->active_scan_mask; +- u32 buffer[4] __aligned(8) = {}; /* 1x16-bit + naturally aligned ts */ ++ u32 value; ++ struct { ++ u16 data; ++ aligned_s64 ts; ++ } scan = { }; + +- if (test_bit(ISL29501_DISTANCE_SCAN_INDEX, active_mask)) +- isl29501_register_read(isl29501, REG_DISTANCE, buffer); ++ if (test_bit(ISL29501_DISTANCE_SCAN_INDEX, active_mask)) { ++ isl29501_register_read(isl29501, REG_DISTANCE, &value); ++ scan.data = value; ++ } + +- iio_push_to_buffers_with_timestamp(indio_dev, buffer, pf->timestamp); ++ iio_push_to_buffers_with_timestamp(indio_dev, &scan, pf->timestamp); + iio_trigger_notify_done(indio_dev->trig); + + return IRQ_HANDLED; diff --git a/queue-6.1/most-core-drop-device-reference-after-usage-in-get_channel.patch b/queue-6.1/most-core-drop-device-reference-after-usage-in-get_channel.patch new file mode 100644 index 0000000000..b22824fea4 --- /dev/null +++ b/queue-6.1/most-core-drop-device-reference-after-usage-in-get_channel.patch @@ -0,0 +1,34 @@ +From b47b493d6387ae437098112936f32be27f73516c Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 4 Aug 2025 12:29:55 +0400 +Subject: most: core: Drop device reference after usage in get_channel() + +From: Miaoqian Lin + +commit b47b493d6387ae437098112936f32be27f73516c upstream. + +In get_channel(), the reference obtained by bus_find_device_by_name() +was dropped via put_device() before accessing the device's driver data +Move put_device() after usage to avoid potential issues. + +Fixes: 2485055394be ("staging: most: core: drop device reference") +Cc: stable +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20250804082955.3621026-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/most/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/most/core.c ++++ b/drivers/most/core.c +@@ -538,8 +538,8 @@ static struct most_channel *get_channel( + dev = bus_find_device_by_name(&mostbus, NULL, mdev); + if (!dev) + return NULL; +- put_device(dev); + iface = dev_get_drvdata(dev); ++ put_device(dev); + list_for_each_entry_safe(c, tmp, &iface->p->channel_list, list) { + if (!strcmp(dev_name(&c->dev), mdev_ch)) + return c; diff --git a/queue-6.1/series b/queue-6.1/series index 4d25e1ec81..0865cf8e86 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -406,3 +406,18 @@ smb-server-split-ksmbd_rdma_stop_listening-out-of-ks.patch fs-buffer-fix-use-after-free-when-call-bh_read-helpe.patch use-uniform-permission-checks-for-all-mount-propagat.patch fpga-zynq_fpga-fix-the-wrong-usage-of-dma_map_sgtable.patch +ftrace-also-allocate-and-copy-hash-for-reading-of-filter-files.patch +iio-pressure-bmp280-use-is_err-in-bmp280_common_probe.patch +iio-proximity-isl29501-fix-buffered-read-on-big-endian-systems.patch +most-core-drop-device-reference-after-usage-in-get_channel.patch +usb-quirks-add-delay_init-quick-for-another-sandisk-3.2gen1-flash-drive.patch +comedi-make-insn_rw_emulate_bits-do-insn-n-samples.patch +comedi-pcl726-prevent-invalid-irq-number.patch +comedi-fix-use-of-uninitialized-memory-in-do_insn_ioctl-and-do_insnlist_ioctl.patch +usb-core-hcd-fix-accessing-unmapped-memory-in-single_step_set_feature-test.patch +usb-renesas-xhci-fix-external-rom-access-timeouts.patch +usb-storage-add-unusual-devs-entry-for-novatek-ntk96550-based-camera.patch +usb-storage-realtek_cr-use-correct-byte-order-for-bcs-residue.patch +usb-storage-ignore-driver-cd-mode-for-realtek-multi-mode-wi-fi-dongles.patch +usb-dwc3-ignore-late-xfernotready-event-to-prevent-halt-timeout.patch +usb-dwc3-remove-warn_on-for-device-endpoint-command-timeouts.patch diff --git a/queue-6.1/usb-core-hcd-fix-accessing-unmapped-memory-in-single_step_set_feature-test.patch b/queue-6.1/usb-core-hcd-fix-accessing-unmapped-memory-in-single_step_set_feature-test.patch new file mode 100644 index 0000000000..1a20743b17 --- /dev/null +++ b/queue-6.1/usb-core-hcd-fix-accessing-unmapped-memory-in-single_step_set_feature-test.patch @@ -0,0 +1,58 @@ +From 8fe06185e11ae753414aa6117f0e798aa77567ff Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Wed, 6 Aug 2025 16:39:55 +0800 +Subject: usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test + +From: Xu Yang + +commit 8fe06185e11ae753414aa6117f0e798aa77567ff upstream. + +The USB core will unmap urb->transfer_dma after SETUP stage completes. +Then the USB controller will access unmapped memory when it received +device descriptor. If iommu is equipped, the entire test can't be +completed due to the memory accessing is blocked. + +Fix it by calling map_urb_for_dma() again for IN stage. To reduce +redundant map for urb->transfer_buffer, this will also set +URB_NO_TRANSFER_DMA_MAP flag before first map_urb_for_dma() to skip +dma map for urb->transfer_buffer and clear URB_NO_TRANSFER_DMA_MAP +flag before second map_urb_for_dma(). + +Fixes: 216e0e563d81 ("usb: core: hcd: use map_urb_for_dma for single step set feature urb") +Cc: stable +Reviewed-by: Jun Li +Signed-off-by: Xu Yang +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20250806083955.3325299-1-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hcd.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -2177,7 +2177,7 @@ static struct urb *request_single_step_s + urb->complete = usb_ehset_completion; + urb->status = -EINPROGRESS; + urb->actual_length = 0; +- urb->transfer_flags = URB_DIR_IN; ++ urb->transfer_flags = URB_DIR_IN | URB_NO_TRANSFER_DMA_MAP; + usb_get_urb(urb); + atomic_inc(&urb->use_count); + atomic_inc(&urb->dev->urbnum); +@@ -2241,9 +2241,15 @@ int ehset_single_step_set_feature(struct + + /* Complete remaining DATA and STATUS stages using the same URB */ + urb->status = -EINPROGRESS; ++ urb->transfer_flags &= ~URB_NO_TRANSFER_DMA_MAP; + usb_get_urb(urb); + atomic_inc(&urb->use_count); + atomic_inc(&urb->dev->urbnum); ++ if (map_urb_for_dma(hcd, urb, GFP_KERNEL)) { ++ usb_put_urb(urb); ++ goto out1; ++ } ++ + retval = hcd->driver->submit_single_step_set_feature(hcd, urb, 0); + if (!retval && !wait_for_completion_timeout(&done, + msecs_to_jiffies(2000))) { diff --git a/queue-6.1/usb-dwc3-ignore-late-xfernotready-event-to-prevent-halt-timeout.patch b/queue-6.1/usb-dwc3-ignore-late-xfernotready-event-to-prevent-halt-timeout.patch new file mode 100644 index 0000000000..d579ec8e50 --- /dev/null +++ b/queue-6.1/usb-dwc3-ignore-late-xfernotready-event-to-prevent-halt-timeout.patch @@ -0,0 +1,46 @@ +From 58577118cc7cec9eb7c1836bf88f865ff2c5e3a3 Mon Sep 17 00:00:00 2001 +From: Kuen-Han Tsai +Date: Thu, 7 Aug 2025 17:06:55 +0800 +Subject: usb: dwc3: Ignore late xferNotReady event to prevent halt timeout + +From: Kuen-Han Tsai + +commit 58577118cc7cec9eb7c1836bf88f865ff2c5e3a3 upstream. + +During a device-initiated disconnect, the End Transfer command resets +the event filter, allowing a new xferNotReady event to be generated +before the controller is fully halted. Processing this late event +incorrectly triggers a Start Transfer, which prevents the controller +from halting and results in a DSTS.DEVCTLHLT bit polling timeout. + +Ignore the late xferNotReady event if the controller is already in a +disconnected state. + +Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") +Cc: stable +Signed-off-by: Kuen-Han Tsai +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20250807090700.2397190-1-khtsai@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -3590,6 +3590,15 @@ static void dwc3_gadget_endpoint_transfe + static void dwc3_gadget_endpoint_transfer_not_ready(struct dwc3_ep *dep, + const struct dwc3_event_depevt *event) + { ++ /* ++ * During a device-initiated disconnect, a late xferNotReady event can ++ * be generated after the End Transfer command resets the event filter, ++ * but before the controller is halted. Ignore it to prevent a new ++ * transfer from starting. ++ */ ++ if (!dep->dwc->connected) ++ return; ++ + dwc3_gadget_endpoint_frame_from_event(dep, event); + + /* diff --git a/queue-6.1/usb-dwc3-remove-warn_on-for-device-endpoint-command-timeouts.patch b/queue-6.1/usb-dwc3-remove-warn_on-for-device-endpoint-command-timeouts.patch new file mode 100644 index 0000000000..293cc1e288 --- /dev/null +++ b/queue-6.1/usb-dwc3-remove-warn_on-for-device-endpoint-command-timeouts.patch @@ -0,0 +1,133 @@ +From 45eae113dccaf8e502090ecf5b3d9e9b805add6f Mon Sep 17 00:00:00 2001 +From: Selvarasu Ganesan +Date: Fri, 8 Aug 2025 18:23:05 +0530 +Subject: usb: dwc3: Remove WARN_ON for device endpoint command timeouts + +From: Selvarasu Ganesan + +commit 45eae113dccaf8e502090ecf5b3d9e9b805add6f upstream. + +This commit addresses a rarely observed endpoint command timeout +which causes kernel panic due to warn when 'panic_on_warn' is enabled +and unnecessary call trace prints when 'panic_on_warn' is disabled. +It is seen during fast software-controlled connect/disconnect testcases. +The following is one such endpoint command timeout that we observed: + +1. Connect + ======= +->dwc3_thread_interrupt + ->dwc3_ep0_interrupt + ->configfs_composite_setup + ->composite_setup + ->usb_ep_queue + ->dwc3_gadget_ep0_queue + ->__dwc3_gadget_ep0_queue + ->__dwc3_ep0_do_control_data + ->dwc3_send_gadget_ep_cmd + +2. Disconnect + ========== +->dwc3_thread_interrupt + ->dwc3_gadget_disconnect_interrupt + ->dwc3_ep0_reset_state + ->dwc3_ep0_end_control_data + ->dwc3_send_gadget_ep_cmd + +In the issue scenario, in Exynos platforms, we observed that control +transfers for the previous connect have not yet been completed and end +transfer command sent as a part of the disconnect sequence and +processing of USB_ENDPOINT_HALT feature request from the host timeout. +This maybe an expected scenario since the controller is processing EP +commands sent as a part of the previous connect. It maybe better to +remove WARN_ON in all places where device endpoint commands are sent to +avoid unnecessary kernel panic due to warn. + +Cc: stable +Co-developed-by: Akash M +Signed-off-by: Akash M +Signed-off-by: Selvarasu Ganesan +Acked-by: Thinh Nguyen +Reviewed-by: Sebastian Andrzej Siewior +Link: https://lore.kernel.org/r/20250808125315.1607-1-selvarasu.g@samsung.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/ep0.c | 20 ++++++++++++++++---- + drivers/usb/dwc3/gadget.c | 10 ++++++++-- + 2 files changed, 24 insertions(+), 6 deletions(-) + +--- a/drivers/usb/dwc3/ep0.c ++++ b/drivers/usb/dwc3/ep0.c +@@ -286,7 +286,9 @@ void dwc3_ep0_out_start(struct dwc3 *dwc + dwc3_ep0_prepare_one_trb(dep, dwc->ep0_trb_addr, 8, + DWC3_TRBCTL_CONTROL_SETUP, false); + ret = dwc3_ep0_start_trans(dep); +- WARN_ON(ret < 0); ++ if (ret < 0) ++ dev_err(dwc->dev, "ep0 out start transfer failed: %d\n", ret); ++ + for (i = 2; i < DWC3_ENDPOINTS_NUM; i++) { + struct dwc3_ep *dwc3_ep; + +@@ -1058,7 +1060,9 @@ static void __dwc3_ep0_do_control_data(s + ret = dwc3_ep0_start_trans(dep); + } + +- WARN_ON(ret < 0); ++ if (ret < 0) ++ dev_err(dwc->dev, ++ "ep0 data phase start transfer failed: %d\n", ret); + } + + static int dwc3_ep0_start_control_status(struct dwc3_ep *dep) +@@ -1075,7 +1079,12 @@ static int dwc3_ep0_start_control_status + + static void __dwc3_ep0_do_control_status(struct dwc3 *dwc, struct dwc3_ep *dep) + { +- WARN_ON(dwc3_ep0_start_control_status(dep)); ++ int ret; ++ ++ ret = dwc3_ep0_start_control_status(dep); ++ if (ret) ++ dev_err(dwc->dev, ++ "ep0 status phase start transfer failed: %d\n", ret); + } + + static void dwc3_ep0_do_control_status(struct dwc3 *dwc, +@@ -1118,7 +1127,10 @@ void dwc3_ep0_end_control_data(struct dw + cmd |= DWC3_DEPCMD_PARAM(dep->resource_index); + memset(¶ms, 0, sizeof(params)); + ret = dwc3_send_gadget_ep_cmd(dep, cmd, ¶ms); +- WARN_ON_ONCE(ret); ++ if (ret) ++ dev_err_ratelimited(dwc->dev, ++ "ep0 data phase end transfer failed: %d\n", ret); ++ + dep->resource_index = 0; + } + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1724,7 +1724,11 @@ static int __dwc3_stop_active_transfer(s + dep->flags |= DWC3_EP_DELAY_STOP; + return 0; + } +- WARN_ON_ONCE(ret); ++ ++ if (ret) ++ dev_err_ratelimited(dep->dwc->dev, ++ "end transfer failed: %d\n", ret); ++ + dep->resource_index = 0; + + if (!interrupt) +@@ -3897,7 +3901,9 @@ static void dwc3_clear_stall_all_ep(stru + dep->flags &= ~DWC3_EP_STALL; + + ret = dwc3_send_clear_stall_ep_cmd(dep); +- WARN_ON_ONCE(ret); ++ if (ret) ++ dev_err_ratelimited(dwc->dev, ++ "failed to clear STALL on %s\n", dep->name); + } + } + diff --git a/queue-6.1/usb-quirks-add-delay_init-quick-for-another-sandisk-3.2gen1-flash-drive.patch b/queue-6.1/usb-quirks-add-delay_init-quick-for-another-sandisk-3.2gen1-flash-drive.patch new file mode 100644 index 0000000000..854028db6a --- /dev/null +++ b/queue-6.1/usb-quirks-add-delay_init-quick-for-another-sandisk-3.2gen1-flash-drive.patch @@ -0,0 +1,31 @@ +From e664036cf36480414936cd91f4cfa2179a3d8367 Mon Sep 17 00:00:00 2001 +From: Miao Li +Date: Fri, 1 Aug 2025 16:27:28 +0800 +Subject: usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive + +From: Miao Li + +commit e664036cf36480414936cd91f4cfa2179a3d8367 upstream. + +Another SanDisk 3.2Gen1 Flash Drive also need DELAY_INIT quick, +or it will randomly work incorrectly on Huawei hisi platforms +when doing reboot test. + +Signed-off-by: Miao Li +Cc: stable +Link: https://lore.kernel.org/r/20250801082728.469406-1-limiao870622@163.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -371,6 +371,7 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x0781, 0x5591), .driver_info = USB_QUIRK_NO_LPM }, + + /* SanDisk Corp. SanDisk 3.2Gen1 */ ++ { USB_DEVICE(0x0781, 0x5596), .driver_info = USB_QUIRK_DELAY_INIT }, + { USB_DEVICE(0x0781, 0x55a3), .driver_info = USB_QUIRK_DELAY_INIT }, + + /* SanDisk Extreme 55AE */ diff --git a/queue-6.1/usb-renesas-xhci-fix-external-rom-access-timeouts.patch b/queue-6.1/usb-renesas-xhci-fix-external-rom-access-timeouts.patch new file mode 100644 index 0000000000..c9cb5c3318 --- /dev/null +++ b/queue-6.1/usb-renesas-xhci-fix-external-rom-access-timeouts.patch @@ -0,0 +1,72 @@ +From f9420f4757752f056144896024d5ea89e5a611f1 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Sun, 3 Aug 2025 00:55:20 +0200 +Subject: usb: renesas-xhci: Fix External ROM access timeouts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Vasut + +commit f9420f4757752f056144896024d5ea89e5a611f1 upstream. + +Increase the External ROM access timeouts to prevent failures during +programming of External SPI EEPROM chips. The current timeouts are +too short for some SPI EEPROMs used with uPD720201 controllers. + +The current timeout for Chip Erase in renesas_rom_erase() is 100 ms , +the current timeout for Sector Erase issued by the controller before +Page Program in renesas_fw_download_image() is also 100 ms. Neither +timeout is sufficient for e.g. the Macronix MX25L5121E or MX25V5126F. + +MX25L5121E reference manual [1] page 35 section "ERASE AND PROGRAMMING +PERFORMANCE" and page 23 section "Table 8. AC CHARACTERISTICS (Temperature += 0°C to 70°C for Commercial grade, VCC = 2.7V ~ 3.6V)" row "tCE" indicate +that the maximum time required for Chip Erase opcode to complete is 2 s, +and for Sector Erase it is 300 ms . + +MX25V5126F reference manual [2] page 47 section "13. ERASE AND PROGRAMMING +PERFORMANCE (2.3V - 3.6V)" and page 42 section "Table 8. AC CHARACTERISTICS +(Temperature = -40°C to 85°C for Industrial grade, VCC = 2.3V - 3.6V)" row +"tCE" indicate that the maximum time required for Chip Erase opcode to +complete is 3.2 s, and for Sector Erase it is 400 ms . + +Update the timeouts such, that Chip Erase timeout is set to 5 seconds, +and Sector Erase timeout is set to 500 ms. Such lengthy timeouts ought +to be sufficient for majority of SPI EEPROM chips. + +[1] https://www.macronix.com/Lists/Datasheet/Attachments/8634/MX25L5121E,%203V,%20512Kb,%20v1.3.pdf +[2] https://www.macronix.com/Lists/Datasheet/Attachments/8750/MX25V5126F,%202.5V,%20512Kb,%20v1.1.pdf + +Fixes: 2478be82de44 ("usb: renesas-xhci: Add ROM loader for uPD720201") +Cc: stable +Signed-off-by: Marek Vasut +Link: https://lore.kernel.org/r/20250802225526.25431-1-marek.vasut+renesas@mailbox.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-pci-renesas.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/xhci-pci-renesas.c ++++ b/drivers/usb/host/xhci-pci-renesas.c +@@ -47,8 +47,9 @@ + #define RENESAS_ROM_ERASE_MAGIC 0x5A65726F + #define RENESAS_ROM_WRITE_MAGIC 0x53524F4D + +-#define RENESAS_RETRY 10000 +-#define RENESAS_DELAY 10 ++#define RENESAS_RETRY 50000 /* 50000 * RENESAS_DELAY ~= 500ms */ ++#define RENESAS_CHIP_ERASE_RETRY 500000 /* 500000 * RENESAS_DELAY ~= 5s */ ++#define RENESAS_DELAY 10 + + static int renesas_fw_download_image(struct pci_dev *dev, + const u32 *fw, size_t step, bool rom) +@@ -405,7 +406,7 @@ static void renesas_rom_erase(struct pci + /* sleep a bit while ROM is erased */ + msleep(20); + +- for (i = 0; i < RENESAS_RETRY; i++) { ++ for (i = 0; i < RENESAS_CHIP_ERASE_RETRY; i++) { + retval = pci_read_config_byte(pdev, RENESAS_ROM_STATUS, + &status); + status &= RENESAS_ROM_STATUS_ERASE; diff --git a/queue-6.1/usb-storage-add-unusual-devs-entry-for-novatek-ntk96550-based-camera.patch b/queue-6.1/usb-storage-add-unusual-devs-entry-for-novatek-ntk96550-based-camera.patch new file mode 100644 index 0000000000..24e43b2cf0 --- /dev/null +++ b/queue-6.1/usb-storage-add-unusual-devs-entry-for-novatek-ntk96550-based-camera.patch @@ -0,0 +1,54 @@ +From 6ca8af3c8fb584f3424a827f554ff74f898c27cd Mon Sep 17 00:00:00 2001 +From: Mael GUERIN +Date: Wed, 6 Aug 2025 18:44:03 +0200 +Subject: USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera + +From: Mael GUERIN + +commit 6ca8af3c8fb584f3424a827f554ff74f898c27cd upstream. + +Add the US_FL_BULK_IGNORE_TAG quirk for Novatek NTK96550-based camera +to fix USB resets after sending SCSI vendor commands due to CBW and +CSW tags difference, leading to undesired slowness while communicating +with the device. + +Please find below the copy of /sys/kernel/debug/usb/devices with my +device plugged in (listed as TechSys USB mass storage here, the +underlying chipset being the Novatek NTK96550-based camera): + +T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=0603 ProdID=8611 Rev= 0.01 +S: Manufacturer=TechSys +S: Product=USB Mass Storage +S: SerialNumber=966110000000100 +C:* #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Mael GUERIN +Cc: stable +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20250806164406.43450-1-mael.guerin@murena.io +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/unusual_devs.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -934,6 +934,13 @@ UNUSUAL_DEV( 0x05e3, 0x0723, 0x9451, 0x + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_SANE_SENSE ), + ++/* Added by Maël GUERIN */ ++UNUSUAL_DEV( 0x0603, 0x8611, 0x0000, 0xffff, ++ "Novatek", ++ "NTK96550-based camera", ++ USB_SC_SCSI, USB_PR_BULK, NULL, ++ US_FL_BULK_IGNORE_TAG ), ++ + /* + * Reported by Hanno Boeck + * Taken from the Lycoris Kernel diff --git a/queue-6.1/usb-storage-ignore-driver-cd-mode-for-realtek-multi-mode-wi-fi-dongles.patch b/queue-6.1/usb-storage-ignore-driver-cd-mode-for-realtek-multi-mode-wi-fi-dongles.patch new file mode 100644 index 0000000000..44e6015c02 --- /dev/null +++ b/queue-6.1/usb-storage-ignore-driver-cd-mode-for-realtek-multi-mode-wi-fi-dongles.patch @@ -0,0 +1,79 @@ +From a3dc32c635bae0ae569f489e00de0e8f015bfc25 Mon Sep 17 00:00:00 2001 +From: Zenm Chen +Date: Thu, 14 Aug 2025 00:24:15 +0800 +Subject: USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles + +From: Zenm Chen + +commit a3dc32c635bae0ae569f489e00de0e8f015bfc25 upstream. + +Many Realtek USB Wi-Fi dongles released in recent years have two modes: +one is driver CD mode which has Windows driver onboard, another one is +Wi-Fi mode. Add the US_FL_IGNORE_DEVICE quirk for these multi-mode devices. +Otherwise, usb_modeswitch may fail to switch them to Wi-Fi mode. + +Currently there are only two USB IDs known to be used by these multi-mode +Wi-Fi dongles: 0bda:1a2b and 0bda:a192. + +Information about Mercury MW310UH in /sys/kernel/debug/usb/devices. +T: Bus=02 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 12 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=0bda ProdID=a192 Rev= 2.00 +S: Manufacturer=Realtek +S: Product=DISK +C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none) +E: Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Information about D-Link AX9U rev. A1 in /sys/kernel/debug/usb/devices. +T: Bus=03 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 55 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=0bda ProdID=1a2b Rev= 0.00 +S: Manufacturer=Realtek +S: Product=DISK +C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none) +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Cc: stable +Signed-off-by: Zenm Chen +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20250813162415.2630-1-zenmchen@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/unusual_devs.h | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -1501,6 +1501,28 @@ UNUSUAL_DEV( 0x0bc2, 0x3332, 0x0000, 0x9 + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_NO_WP_DETECT ), + ++/* ++ * Reported by Zenm Chen ++ * Ignore driver CD mode, otherwise usb_modeswitch may fail to switch ++ * the device into Wi-Fi mode. ++ */ ++UNUSUAL_DEV( 0x0bda, 0x1a2b, 0x0000, 0xffff, ++ "Realtek", ++ "DISK", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_IGNORE_DEVICE ), ++ ++/* ++ * Reported by Zenm Chen ++ * Ignore driver CD mode, otherwise usb_modeswitch may fail to switch ++ * the device into Wi-Fi mode. ++ */ ++UNUSUAL_DEV( 0x0bda, 0xa192, 0x0000, 0xffff, ++ "Realtek", ++ "DISK", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_IGNORE_DEVICE ), ++ + UNUSUAL_DEV( 0x0d49, 0x7310, 0x0000, 0x9999, + "Maxtor", + "USB to SATA", diff --git a/queue-6.1/usb-storage-realtek_cr-use-correct-byte-order-for-bcs-residue.patch b/queue-6.1/usb-storage-realtek_cr-use-correct-byte-order-for-bcs-residue.patch new file mode 100644 index 0000000000..61442e8032 --- /dev/null +++ b/queue-6.1/usb-storage-realtek_cr-use-correct-byte-order-for-bcs-residue.patch @@ -0,0 +1,35 @@ +From 98da66a70ad2396e5a508c4245367797ebc052ce Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Wed, 13 Aug 2025 16:52:49 +0200 +Subject: usb: storage: realtek_cr: Use correct byte order for bcs->Residue + +From: Thorsten Blum + +commit 98da66a70ad2396e5a508c4245367797ebc052ce upstream. + +Since 'bcs->Residue' has the data type '__le32', convert it to the +correct byte order of the CPU using this driver when assigning it to +the local variable 'residue'. + +Cc: stable +Fixes: 50a6cb932d5c ("USB: usb_storage: add ums-realtek driver") +Suggested-by: Alan Stern +Acked-by: Alan Stern +Signed-off-by: Thorsten Blum +Link: https://lore.kernel.org/r/20250813145247.184717-3-thorsten.blum@linux.dev +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/realtek_cr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/storage/realtek_cr.c ++++ b/drivers/usb/storage/realtek_cr.c +@@ -252,7 +252,7 @@ static int rts51x_bulk_transport(struct + return USB_STOR_TRANSPORT_ERROR; + } + +- residue = bcs->Residue; ++ residue = le32_to_cpu(bcs->Residue); + if (bcs->Tag != us->tag) + return USB_STOR_TRANSPORT_ERROR; + -- 2.47.3