[ Upstream commit 1132e90840abf3e7db11f1d28199e9fbc0b0e69e ]
The COREPLL_PWRDN bit in the BLCG register must be set when the XUSB
device controller is powergated and cleared when it is unpowergated.
If this bit is not explicitly controlled, the core PLL may remain in an
incorrect power state across suspend/resume or ELPG transitions.
Therefore, update the driver to explicitly control this bit during
powergate transitions.
Fixes: 49db427232 ("usb: gadget: Add UDC driver for tegra XUSB device mode controller")
Cc: stable <stable@kernel.org>
Signed-off-by: Haotien Hsu <haotienh@nvidia.com>
Signed-off-by: Wayne Chang <waynec@nvidia.com>
Link: https://patch.msgid.link/20260123173121.4093902-1-waynec@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 8e4c1d06183c25022f6b0002a5cab84979ca6337 ]
When ffs_epfile_ioctl handles FUNCTIONFS_DMABUF_* ioctls, it's currently
falling through when copy_from_user fails.
However, this fallthrough isn't being checked properly, so the handler
continues executing further than it should. It then tries the secondary
dispatch where it ultimately gives up and returns -ENOTTY.
The end result is invalid ioctl invocations will yield a -ENOTTY rather
than an -EFAULT.
It's a common pattern elsewhere in the kernel code to directly return
-EFAULT when copy_from_user fails. So we update ffs_epfile_ioctl to do
the same and fix this issue.
Signed-off-by: Sam Day <me@samcday.com>
Link: https://patch.msgid.link/20260108-ffs-dmabuf-ioctl-fix-v1-1-e51633891a81@samcday.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 0145e7acd29855dfba4a2f387d455b5d9a520f0e ]
Currently, DMA_FROM_DEVICE is used when attaching DMABUFs to IN
endpoints and DMA_TO_DEVICE for OUT endpoints. This is inverted from
how it should be.
The result is IOMMU read-only mappings placed on OUT queues,
triggering arm-smmu write faults.
Put differently, OUT endpoints flow data from host -> gadget, meaning
the UDC peripheral needs to have write access to the buffer to fill it
with the incoming data.
This commit flips the directions and updates the implicit-sync helpers
so IN endpoints act as readers and OUT endpoints as writers.
Signed-off-by: Sam Day <me@samcday.com>
Tested-by: David Heidelberg <david@ixit.cz> # OnePlus 6T on sdm845-next-20251119
Link: https://patch.msgid.link/20260108-ffs-dmabuf-ioctl-fix-v1-2-e51633891a81@samcday.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit f1195ca3b4bbd001d3f1264dce91f83dec7777f5 ]
bdc_run() can be ran during atomic context leading to a sleep during
atomic warning. Fix this by replacing read_poll_timeout() with
read_poll_timeout_atomic().
Fixes: 75ae051efc ("usb: gadget: bdc: use readl_poll_timeout() to simplify code")
Signed-off-by: Justin Chen <justin.chen@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20260120200754.2488765-1-justin.chen@broadcom.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This reverts commit b49c766856 which is
commit e5bf5ee266633cb18fff6f98f0b7d59a62819eee upstream.
It has been reported to cause test problems in Android devices. As the
other functionfs changes were not also backported at the same time,
something is out of sync. So just revert this one for now and it can
come back in the future as a patch series if it is tested.
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2edc1acb1a2512843425aa19d0c6060a0a924605 upstream.
Current req_payload_size calculation has 2 issue:
(1) When the first time calculate req_payload_size for all the buffers,
reqs_per_frame = 0 will be the divisor of DIV_ROUND_UP(). So
the result is undefined.
This happens because VIDIOC_STREAMON is always executed after
VIDIOC_QBUF. So video->reqs_per_frame will be 0 until VIDIOC_STREAMON
is run.
(2) The buf->req_payload_size may be bigger than max_req_size.
Take YUYV pixel format as example:
If bInterval = 1, video->interval = 666666, high-speed:
video->reqs_per_frame = 666666 / 1250 = 534
720p: buf->req_payload_size = 1843200 / 534 = 3452
1080p: buf->req_payload_size = 4147200 / 534 = 7766
Based on such req_payload_size, the controller can't run normally.
To fix above issue, assign max_req_size to buf->req_payload_size when
video->reqs_per_frame = 0. And limit buf->req_payload_size to
video->req_size if it's large than video->req_size. Since max_req_size
is used at many place, add it to struct uvc_video and set the value once
endpoint is enabled.
Fixes: 98ad032915 ("usb: gadget: uvc: set req_length based on payload by nreqs instead of req_size")
Cc: stable@vger.kernel.org
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Link: https://patch.msgid.link/20260113-uvc-gadget-fix-patch-v2-1-62950ef5bcb5@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 010dc57cb5163e5f4a32430dd5091cc29efd0471 upstream.
According to USB specification:
For full-/high-speed isochronous endpoints, the bInterval value is
used as the exponent for a 2^(bInterval-1) value.
To correctly convert bInterval as interval_duration:
interval_duration = 2^(bInterval-1) * frame_interval
Because the unit of video->interval is 100ns, add a comment info to
make it clear.
Fixes: 48dbe73117 ("usb: gadget: uvc: set req_size and n_requests based on the frame interval")
Cc: stable@vger.kernel.org
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Link: https://patch.msgid.link/20260113-uvc-gadget-fix-patch-v2-2-62950ef5bcb5@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 782be79e4551550d7a82b1957fc0f7347e6d461f upstream.
A recent change fixing a device reference leak introduced a clock
imbalance by reusing an error path so that the clock may be disabled
before having been enabled.
Note that the clock framework allows for passing in NULL clocks so there
is no risk for a NULL pointer dereference.
Also drop the bogus I2C client NULL check added by the offending commit
as the pointer has already been verified to be non-NULL.
Fixes: c84117912bdd ("USB: lpc32xx_udc: Fix error handling in probe")
Cc: stable@vger.kernel.org
Cc: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
Link: https://patch.msgid.link/20251218153519.19453-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c84117912bddd9e5d87e68daf182410c98181407 upstream.
lpc32xx_udc_probe() acquires an i2c_client reference through
isp1301_get_client() but fails to release it in both error handling
paths and the normal removal path. This could result in a reference
count leak for the I2C device, preventing proper cleanup and potentially
leading to resource exhaustion. Add put_device() to release the
reference in the probe failure path and in the remove function.
Calling path: isp1301_get_client() -> of_find_i2c_device_by_node() ->
i2c_find_device_by_fwnode(). As comments of i2c_find_device_by_fwnode()
says, 'The user must call put_device(&client->dev) once done with the
i2c client.'
Found by code review.
Cc: stable <stable@kernel.org>
Fixes: 24a28e4283 ("USB: gadget driver for LPC32xx")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Link: https://patch.msgid.link/20251215020931.15324-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit e5bf5ee266633cb18fff6f98f0b7d59a62819eee ]
ffs_epfile_open() can race with removal, ending up with file->private_data
pointing to freed object.
There is a total count of opened files on functionfs (both ep0 and
dynamic ones) and when it hits zero, dynamic files get removed.
Unfortunately, that removal can happen while another thread is
in ffs_epfile_open(), but has not incremented the count yet.
In that case open will succeed, leaving us with UAF on any subsequent
read() or write().
The root cause is that ffs->opened is misused; atomic_dec_and_test() vs.
atomic_add_return() is not a good idea, when object remains visible all
along.
To untangle that
* serialize openers on ffs->mutex (both for ep0 and for dynamic files)
* have dynamic ones use atomic_inc_not_zero() and fail if we had
zero ->opened; in that case the file we are opening is doomed.
* have the inodes of dynamic files marked on removal (from the
callback of simple_recursive_removal()) - clear ->i_private there.
* have open of dynamic ones verify they hadn't been already removed,
along with checking that state is FFS_ACTIVE.
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 2585973c7f9ee31d21e5848c996fab2521fd383d upstream.
The driver previously skipped handling ClearFeature(ENDPOINT_HALT)
when the endpoint was already not halted. This prevented the
controller from resetting the data sequence number and reinitializing
the endpoint state.
According to USB 3.2 specification Rev. 1.1, section 9.4.5,
ClearFeature(ENDPOINT_HALT) must always reset the data sequence and
set the stream state machine to Disabled, regardless of whether the
endpoint was halted.
Remove the early return so that ClearFeature(ENDPOINT_HALT) always
resets the endpoint sequence state as required by the specification.
Fixes: 49db427232 ("usb: gadget: Add UDC driver for tegra XUSB device mode controller")
Cc: stable <stable@kernel.org>
Signed-off-by: Haotien Hsu <haotienh@nvidia.com>
Signed-off-by: Wayne Chang <waynec@nvidia.com>
Link: https://patch.msgid.link/20251127033540.2287517-1-waynec@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit a5160af78be7fcf3ade6caab0a14e349560c96d7 ]
The previous commit removed the PAGE_SIZE limit on transfer length of
raw_io buffer in order to avoid any problems with emulating USB devices
whose full configuration descriptor exceeds PAGE_SIZE in length. However
this also removes the upperbound on user supplied length, allowing very
large values to be passed to the allocator.
syzbot on fuzzing the transfer length with very large value (1.81GB)
results in kmalloc() to fall back to the page allocator, which triggers
a kernel warning as the page allocator cannot handle allocations more
than MAX_PAGE_ORDER/KMALLOC_MAX_SIZE.
Since there is no limit imposed on the size of buffer for both control
and non control transfers, cap the raw_io transfer length to
KMALLOC_MAX_SIZE and return -EINVAL for larger transfer length to
prevent any warnings from the page allocator.
Fixes: 37b9dd0d11 ("usb: raw-gadget: do not limit transfer length")
Tested-by: syzbot+d8fd35fa6177afa8c92b@syzkaller.appspotmail.com
Reported-by: syzbot+d8fd35fa6177afa8c92b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68fc07a0.a70a0220.3bf6c6.01ab.GAE@google.com/
Signed-off-by: Gopi Krishna Menon <krishnagopi487@gmail.com>
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Link: https://patch.msgid.link/20251028165659.50962-1-krishnagopi487@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
devm_pm_runtime_enable() can fail due to memory allocation.
The current code ignores its return value, potentially causing
pm_runtime_resume_and_get() to operate on uninitialized runtime
PM state.
Check the return value of devm_pm_runtime_enable() and return on failure.
Fixes: 3e6e14ffde ("usb: gadget: udc: add Renesas RZ/N1 USBF controller support")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Acked-by: Herve Codina <herve.codina@bootlin.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20251124022215.1619-1-vulab@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
A race condition during gadget teardown can lead to a use-after-free
in usb_gadget_state_work(), as reported by KASAN:
BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0
Workqueue: events usb_gadget_state_work
The fundamental race occurs because a concurrent event (e.g., an
interrupt) can call usb_gadget_set_state() and schedule gadget->work
at any time during the cleanup process in usb_del_gadget().
Commit 399a45e523 ("usb: gadget: core: flush gadget workqueue after
device removal") attempted to fix this by moving flush_work() to after
device_del(). However, this does not fully solve the race, as a new
work item can still be scheduled *after* flush_work() completes but
before the gadget's memory is freed, leading to the same use-after-free.
This patch fixes the race condition robustly by introducing a 'teardown'
flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is
set during cleanup in usb_del_gadget() *before* calling flush_work() to
prevent any new work from being scheduled once cleanup has commenced.
The scheduling site, usb_gadget_set_state(), now checks this flag under
the lock before queueing the work, thus safely closing the race window.
Fixes: 5702f75375 ("usb: gadget: udc-core: move sysfs_notify() to a workqueue")
Cc: stable <stable@kernel.org>
Signed-off-by: Jimmy Hu <hhhuuu@google.com>
Link: https://patch.msgid.link/20251023054945.233861-1-hhhuuu@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Drop the check on the maximum transfer length in Raw Gadget for both
control and non-control transfers.
Limiting the transfer length causes a problem with emulating USB devices
whose full configuration descriptor exceeds PAGE_SIZE in length.
Overall, there does not appear to be any reason to enforce any kind of
transfer length limit on the Raw Gadget side for either control or
non-control transfers, so let's just drop the related check.
Cc: stable <stable@kernel.org>
Fixes: f2c2e71764 ("usb: gadget: add raw-gadget interface")
Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
Link: https://patch.msgid.link/a6024e8eab679043e9b8a5defdb41c4bda62f02b.1761085528.git.andreyknvl@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Here is the big set of USB and thunderbolt drivers for 6.18-rc1. It was
another normal development cycle, with lots of the usual drivers getting
updates:
- Thunderbolt driver cleanups and additions
- dwc3 driver updates
- dwc2 driver updates
- typec driver updates
- xhci driver updates and additions
- offload USB engine updates for better power management
- unused tracepoint removals
- usb gadget fixes and updates as more users start to rely on these
drivers instead of the "old" function gadget drivers
- new USB device ids
- other minor driver USB driver updates
- new USB I/O driver framework and driver additions
The last item, the usb i/o driver, has an i2c and gpio driver added
through this tree. Those drivers were acked by the respective subsystem
maintainers, but you will get a merge conflict with the i2c tree where
new drivers were added in the same places in a Kconfig and Makefile.
The merge conflict is simple, just take both sides.
All of these have been in linux-next for a while, with the only issue
being the i2c tree merge conflicts.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCaOEo8Q8cZ3JlZ0Brcm9h
aC5jb20ACgkQMUfUDdst+ynpOQCgkenJzjsGVHhl/tm447z3pQ8NtvQAn2GfxMF9
4jQlUtr6McyzCLVPOZRD
=pPei
-----END PGP SIGNATURE-----
Merge tag 'usb-6.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB / Thunderbolt updates from Greg KH:
"Here is the big set of USB and thunderbolt drivers for 6.18-rc1. It
was another normal development cycle, with lots of the usual drivers
getting updates:
- Thunderbolt driver cleanups and additions
- dwc3 driver updates
- dwc2 driver updates
- typec driver updates
- xhci driver updates and additions
- offload USB engine updates for better power management
- unused tracepoint removals
- usb gadget fixes and updates as more users start to rely on these
drivers instead of the "old" function gadget drivers
- new USB device ids
- other minor driver USB driver updates
- new USB I/O driver framework and driver additions"
The last item, the usb i/o driver, has an i2c and gpio driver added
through this tree. Those drivers were acked by the respective
subsystem maintainers.
All of these have been in linux-next for a while"
* tag 'usb-6.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (132 commits)
usb: vhci-hcd: Prevent suspending virtually attached devices
USB: serial: option: add SIMCom 8230C compositions
thunderbolt: Fix use-after-free in tb_dp_dprx_work
usb: xhci: align PORTSC trace with one-based port numbering
usb: xhci: correct indentation for PORTSC tracing function
usb: xhci: improve TR Dequeue Pointer mask
usb: xhci-pci: add support for hosts with zero USB3 ports
usb: xhci: Update a comment about Stop Endpoint retries
Revert "usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running"
usb: gadget: f_rndis: Refactor bind path to use __free()
usb: gadget: f_ecm: Refactor bind path to use __free()
usb: gadget: f_acm: Refactor bind path to use __free()
usb: gadget: f_ncm: Refactor bind path to use __free()
usb: gadget: Introduce free_usb_request helper
usb: gadget: Store endpoint pointer in usb_request
usb: host: xhci-rcar: Add Renesas RZ/G3E USB3 Host driver support
usb: host: xhci-plat: Add .post_resume_quirk for struct xhci_plat_priv
usb: host: xhci-rcar: Move R-Car reg definitions
dt-bindings: usb: Document Renesas RZ/G3E USB3HOST
usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
...
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE+QmuaPwR3wnBdVwACF8+vY7k4RUFAmjdReIACgkQCF8+vY7k
4RUyzxAAmqaYUomji7+Imoy/M9lFE5EBwC5HAZ2wfS9c8l7sYw9kZEaoq+JOapKB
EU+dLr/judjpntmIOYqGPBgbVdzalGEvYsZ2KgVbygZS5JgF0K+Yb4ary3t+wN+H
43pGExsdRdwZhVU02xkSOohBcvWTEtWCjypdRSxSs03oLQtJ7AOcSNvsD25DTSNC
05l3Fr/5Ckjr9PpjjYaTX1SdRyPWoRD536yeGbbRo3ZTCGG8dFXwqZdhAqrMfFmb
dAVttiTvMBHY/4LdA7YFLW/Ww3ty9uMgwv7D2LYCBPwKr01W32x4e0hZjQNjltlk
omcw13oKMDhWm7bsB4ja2X3DjFLZnFcULyAtdhgR/+5748fIL82pp16XR80Zbweb
UgO5WsUCQbYAfKdiu6CG/amwG1yHJW/2fRh6xD8WEKcsLjnIFhPN4rTsLXo6IeMY
KVru2OOfXJUdo6fMfHk7EZElWGMS9H1iQy64v3eJe1bAIa0tMZKhwxrpAJTk1Ykf
fvWdqdp761c1+P53is/LHtt7fqCN6aHsDcwXTCsJGH1YI4b/qxXjcgPMyedf6kRu
GY+soXWcpldhxrR4yblMFhaJGFgIdFmnYDHWWzMxgQ0a8ch0ORf8aGlF5kT5SP+9
VPnZqY+EECrHqvI3DU4CaHNbZFXp6RKW+2ZkXFpIRH12v1aARmE=
=Fuey
-----END PGP SIGNATURE-----
Merge tag 'media/v6.18-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
Pull media updates from Mauro Carvalho Chehab:
- Added a new V4L2 clock helper
- New camera sensor drivers
- iris: Enable H.264/H.265 encoder support and fixes in iris driver
common code
- camss: add support for new SoC flavors
- venus: add new SoC support
- tc358743: support more infoframe types
- Various fixes, driver improvements and cleanups
* tag 'media/v6.18-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (439 commits)
media: venus: pm_helpers: add fallback for the opp-table
media: qcom: camss: vfe: Fix BPL alignment for QCM2290
media: tuner: xc5000: Fix use-after-free in xc5000_release
media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe
media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove
media: vsp1: Export missing vsp1_isp_free_buffer symbol
media: renesas: vsp1: Convert to SYSTEM_SLEEP/RUNTIME_PM_OPS()
media: renesas: ceu: Convert to RUNTIME_PM_OPS()
media: renesas: fdp1: Convert to RUNTIME_PM_OPS()
media: renesas: rcar-vin: Convert to DEFINE_SIMPLE_DEV_PM_OPS()
media: renesas: rcar_drif: Convert to DEFINE_SIMPLE_DEV_PM_OPS()
media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID
media: uvcvideo: Support UVC_CROSXU_CONTROL_IQ_PROFILE
media: uvcvideo: Run uvc_ctrl_init_ctrl for all controls
media: uvcvideo: Shorten the transfer size non compliance message
media: uvcvideo: Do not re-reference dev->udev
media: uvcvideo: Use intf instead of udev for printks
media: uvcvideo: Move video_device under video_queue
media: uvcvideo: Drop stream->mutex
media: uvcvideo: Move MSXU_CONTROL_METADATA definition to header
...
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQRAhzRXHqcMeLMyaSiRxhvAZXjcogUCaNZQMQAKCRCRxhvAZXjc
omNLAQCgrwzd9sa1JTlixweu3OAxQlSEbLuMpEv7Ztm+B7Wz0AD9HtwPC44Kev03
GbMcB2DCFLC4evqYECj6IG7NBmoKsAs=
=1ICf
-----END PGP SIGNATURE-----
Merge tag 'vfs-6.18-rc1.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
Pull misc vfs updates from Christian Brauner:
"This contains the usual selections of misc updates for this cycle.
Features:
- Add "initramfs_options" parameter to set initramfs mount options.
This allows to add specific mount options to the rootfs to e.g.,
limit the memory size
- Add RWF_NOSIGNAL flag for pwritev2()
Add RWF_NOSIGNAL flag for pwritev2. This flag prevents the SIGPIPE
signal from being raised when writing on disconnected pipes or
sockets. The flag is handled directly by the pipe filesystem and
converted to the existing MSG_NOSIGNAL flag for sockets
- Allow to pass pid namespace as procfs mount option
Ever since the introduction of pid namespaces, procfs has had very
implicit behaviour surrounding them (the pidns used by a procfs
mount is auto-selected based on the mounting process's active
pidns, and the pidns itself is basically hidden once the mount has
been constructed)
This implicit behaviour has historically meant that userspace was
required to do some special dances in order to configure the pidns
of a procfs mount as desired. Examples include:
* In order to bypass the mnt_too_revealing() check, Kubernetes
creates a procfs mount from an empty pidns so that user
namespaced containers can be nested (without this, the nested
containers would fail to mount procfs)
But this requires forking off a helper process because you cannot
just one-shot this using mount(2)
* Container runtimes in general need to fork into a container
before configuring its mounts, which can lead to security issues
in the case of shared-pidns containers (a privileged process in
the pidns can interact with your container runtime process)
While SUID_DUMP_DISABLE and user namespaces make this less of an
issue, the strict need for this due to a minor uAPI wart is kind
of unfortunate
Things would be much easier if there was a way for userspace to
just specify the pidns they want. So this pull request contains
changes to implement a new "pidns" argument which can be set
using fsconfig(2):
fsconfig(procfd, FSCONFIG_SET_FD, "pidns", NULL, nsfd);
fsconfig(procfd, FSCONFIG_SET_STRING, "pidns", "/proc/self/ns/pid", 0);
or classic mount(2) / mount(8):
// mount -t proc -o pidns=/proc/self/ns/pid proc /tmp/proc
mount("proc", "/tmp/proc", "proc", MS_..., "pidns=/proc/self/ns/pid");
Cleanups:
- Remove the last references to EXPORT_OP_ASYNC_LOCK
- Make file_remove_privs_flags() static
- Remove redundant __GFP_NOWARN when GFP_NOWAIT is used
- Use try_cmpxchg() in start_dir_add()
- Use try_cmpxchg() in sb_init_done_wq()
- Replace offsetof() with struct_size() in ioctl_file_dedupe_range()
- Remove vfs_ioctl() export
- Replace rwlock() with spinlock in epoll code as rwlock causes
priority inversion on preempt rt kernels
- Make ns_entries in fs/proc/namespaces const
- Use a switch() statement() in init_special_inode() just like we do
in may_open()
- Use struct_size() in dir_add() in the initramfs code
- Use str_plural() in rd_load_image()
- Replace strcpy() with strscpy() in find_link()
- Rename generic_delete_inode() to inode_just_drop() and
generic_drop_inode() to inode_generic_drop()
- Remove unused arguments from fcntl_{g,s}et_rw_hint()
Fixes:
- Document @name parameter for name_contains_dotdot() helper
- Fix spelling mistake
- Always return zero from replace_fd() instead of the file descriptor
number
- Limit the size for copy_file_range() in compat mode to prevent a
signed overflow
- Fix debugfs mount options not being applied
- Verify the inode mode when loading it from disk in minixfs
- Verify the inode mode when loading it from disk in cramfs
- Don't trigger automounts with RESOLVE_NO_XDEV
If openat2() was called with RESOLVE_NO_XDEV it didn't traverse
through automounts, but could still trigger them
- Add FL_RECLAIM flag to show_fl_flags() macro so it appears in
tracepoints
- Fix unused variable warning in rd_load_image() on s390
- Make INITRAMFS_PRESERVE_MTIME depend on BLK_DEV_INITRD
- Use ns_capable_noaudit() when determining net sysctl permissions
- Don't call path_put() under namespace semaphore in listmount() and
statmount()"
* tag 'vfs-6.18-rc1.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (38 commits)
fcntl: trim arguments
listmount: don't call path_put() under namespace semaphore
statmount: don't call path_put() under namespace semaphore
pid: use ns_capable_noaudit() when determining net sysctl permissions
fs: rename generic_delete_inode() and generic_drop_inode()
init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD
initramfs: Replace strcpy() with strscpy() in find_link()
initrd: Use str_plural() in rd_load_image()
initramfs: Use struct_size() helper to improve dir_add()
initrd: Fix unused variable warning in rd_load_image() on s390
fs: use the switch statement in init_special_inode()
fs/proc/namespaces: make ns_entries const
filelock: add FL_RECLAIM to show_fl_flags() macro
eventpoll: Replace rwlock with spinlock
selftests/proc: add tests for new pidns APIs
procfs: add "pidns" mount option
pidns: move is-ancestor logic to helper
openat2: don't trigger automounts with RESOLVE_NO_XDEV
namei: move cross-device check to __traverse_mounts
namei: remove LOOKUP_NO_XDEV check from handle_mounts
...
Kuen-Han Tsai <khtsai@google.com> says:
This patch series refactors the error-handling paths in the bind()
function for f_ncm, f_acm, f_ecm, and f_rndis drivers.
The current, unified goto logic in these drivers is vulnerable to a null
pointer dereference. This is caused by the cleanup logic incorrectly
handling the stale usb_request pointer after a bind/unbind cycle. This
series fixes this issue by converting the drivers to use the modern
__free() scope-based cleanup mechanism.
Patches 1-2 are preparatory, adding the endpoint pointer to struct
usb_request and defining helpers for the __free() cleanup. The remaining
four patches use this new plumbing to refactor each driver.
Future work
-----------
1. Refactor usb_ep_free_request(), usb_ep_queue(), and usb_ep_dequeue()
functions as the ep parameter becomes redudant.
2. Convert the remaining gadget function drivers to use the new __free()
cleanup mechanism.
Link: https://lore.kernel.org/r/20250916-ready-v1-0-4997bf277548@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
After an bind/unbind cycle, the rndis->notify_req is left stale. If a
subsequent bind fails, the unified error label attempts to free this
stale request, leading to a NULL pointer dereference when accessing
ep->ops->free_request.
Refactor the error handling in the bind path to use the __free()
automatic cleanup mechanism.
Fixes: 45fe3b8e53 ("usb ethernet gadget: split RNDIS function")
Cc: stable@kernel.org
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://lore.kernel.org/r/20250916-ready-v1-6-4997bf277548@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20250916-ready-v1-6-4997bf277548@google.com
After an bind/unbind cycle, the ecm->notify_req is left stale. If a
subsequent bind fails, the unified error label attempts to free this
stale request, leading to a NULL pointer dereference when accessing
ep->ops->free_request.
Refactor the error handling in the bind path to use the __free()
automatic cleanup mechanism.
Fixes: da741b8c56 ("usb ethernet gadget: split CDC Ethernet function")
Cc: stable@kernel.org
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://lore.kernel.org/r/20250916-ready-v1-5-4997bf277548@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20250916-ready-v1-5-4997bf277548@google.com
After an bind/unbind cycle, the acm->notify_req is left stale. If a
subsequent bind fails, the unified error label attempts to free this
stale request, leading to a NULL pointer dereference when accessing
ep->ops->free_request.
Refactor the error handling in the bind path to use the __free()
automatic cleanup mechanism.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
Call trace:
usb_ep_free_request+0x2c/0xec
gs_free_req+0x30/0x44
acm_bind+0x1b8/0x1f4
usb_add_function+0xcc/0x1f0
configfs_composite_bind+0x468/0x588
gadget_bind_driver+0x104/0x270
really_probe+0x190/0x374
__driver_probe_device+0xa0/0x12c
driver_probe_device+0x3c/0x218
__device_attach_driver+0x14c/0x188
bus_for_each_drv+0x10c/0x168
__device_attach+0xfc/0x198
device_initial_probe+0x14/0x24
bus_probe_device+0x94/0x11c
device_add+0x268/0x48c
usb_add_gadget+0x198/0x28c
dwc3_gadget_init+0x700/0x858
__dwc3_set_mode+0x3cc/0x664
process_scheduled_works+0x1d8/0x488
worker_thread+0x244/0x334
kthread+0x114/0x1bc
ret_from_fork+0x10/0x20
Fixes: 1f1ba11b64 ("usb gadget: issue notifications from ACM function")
Cc: stable@kernel.org
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://lore.kernel.org/r/20250916-ready-v1-4-4997bf277548@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20250916-ready-v1-4-4997bf277548@google.com
After an bind/unbind cycle, the ncm->notify_req is left stale. If a
subsequent bind fails, the unified error label attempts to free this
stale request, leading to a NULL pointer dereference when accessing
ep->ops->free_request.
Refactor the error handling in the bind path to use the __free()
automatic cleanup mechanism.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
Call trace:
usb_ep_free_request+0x2c/0xec
ncm_bind+0x39c/0x3dc
usb_add_function+0xcc/0x1f0
configfs_composite_bind+0x468/0x588
gadget_bind_driver+0x104/0x270
really_probe+0x190/0x374
__driver_probe_device+0xa0/0x12c
driver_probe_device+0x3c/0x218
__device_attach_driver+0x14c/0x188
bus_for_each_drv+0x10c/0x168
__device_attach+0xfc/0x198
device_initial_probe+0x14/0x24
bus_probe_device+0x94/0x11c
device_add+0x268/0x48c
usb_add_gadget+0x198/0x28c
dwc3_gadget_init+0x700/0x858
__dwc3_set_mode+0x3cc/0x664
process_scheduled_works+0x1d8/0x488
worker_thread+0x244/0x334
kthread+0x114/0x1bc
ret_from_fork+0x10/0x20
Fixes: 9f6ce4240a ("usb: gadget: f_ncm.c added")
Cc: stable@kernel.org
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://lore.kernel.org/r/20250916-ready-v1-3-4997bf277548@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20250916-ready-v1-3-4997bf277548@google.com
Gadget function drivers often have goto-based error handling in their
bind paths, which can be bug-prone. Refactoring these paths to use
__free() scope-based cleanup is desirable, but currently blocked.
The blocker is that usb_ep_free_request(ep, req) requires two
parameters, while the __free() mechanism can only pass a pointer to the
request itself.
Store an endpoint pointer in the struct usb_request. The pointer is
populated centrally in usb_ep_alloc_request() on every successful
allocation, making the request object self-contained.
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://lore.kernel.org/r/20250916-ready-v1-1-4997bf277548@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20250916-ready-v1-1-4997bf277548@google.com
A race condition occurs when ffs_func_eps_enable() runs concurrently
with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()
sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading
to a NULL pointer dereference when accessing epfile->ep in
ffs_func_eps_enable() after successful usb_ep_enable().
The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and
ffs_data_close() functions, and its modification is protected by the
spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function
is also protected by ffs->eps_lock.
Thus, add NULL pointer handling for ffs->epfiles in the
ffs_func_eps_enable() function to fix issues
Signed-off-by: Owen Gu <guhuinan@xiaomi.com>
Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
generic_delete_inode() is rather misleading for what the routine is
doing. inode_just_drop() should be much clearer.
The new naming is inconsistent with generic_drop_inode(), so rename that
one as well with inode_ as the suffix.
No functional changes.
Signed-off-by: Mateusz Guzik <mjguzik@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>
While the userspace program can be notified of gadget state changes,
timing issue can lead to missed transitions when reading the state
value.
Introduce a trace event for usb_gadget_set_state to reliably track state
transitions.
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://lore.kernel.org/r/20250818082722.2952867-1-khtsai@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
For ternary operators in the form of "a ? true : false", if 'a' itself
returns a boolean result, the ternary operator can be omitted. Remove
redundant ternary operators to clean up the code.
Signed-off-by: Liao Yuanhong <liaoyuanhong@vivo.com>
Link: https://lore.kernel.org/r/20250902132613.84876-1-liaoyuanhong@vivo.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The EP-IN of MIDI2 (altset 1) wasn't initialized in
f_midi2_create_usb_configs() as it's an INT EP unlike others BULK
EPs. But this leaves rather the max packet size unchanged no matter
which speed is used, resulting in the very slow access.
And the wMaxPacketSize values set there look legit for INT EPs, so
let's initialize the MIDI2 EP-IN there for achieving the equivalent
speed as well.
Fixes: 8b645922b2 ("usb: gadget: Add support for USB MIDI 2.0 function driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20250905133240.20966-1-tiwai@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The gadget card driver forgot to call snd_ump_update_group_attrs()
after adding FBs, and this leaves the UMP group attributes
uninitialized. As a result, -ENODEV error is returned at opening a
legacy rawmidi device as an inactive group.
This patch adds the missing call to address the behavior above.
Fixes: 8b645922b2 ("usb: gadget: Add support for USB MIDI 2.0 function driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20250904153932.13589-1-tiwai@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Yunseong Kim and the syzbot fuzzer both reported a problem in
RT-enabled kernels caused by the way dummy-hcd mixes interrupt
management and spin-locking. The pattern was:
local_irq_save(flags);
spin_lock(&dum->lock);
...
spin_unlock(&dum->lock);
... // calls usb_gadget_giveback_request()
local_irq_restore(flags);
The code was written this way because usb_gadget_giveback_request()
needs to be called with interrupts disabled and the private lock not
held.
While this pattern works fine in non-RT kernels, it's not good when RT
is enabled. RT kernels handle spinlocks much like mutexes; in particular,
spin_lock() may sleep. But sleeping is not allowed while local
interrupts are disabled.
To fix the problem, rewrite the code to conform to the pattern used
elsewhere in dummy-hcd and other UDC drivers:
spin_lock_irqsave(&dum->lock, flags);
...
spin_unlock(&dum->lock);
usb_gadget_giveback_request(...);
spin_lock(&dum->lock);
...
spin_unlock_irqrestore(&dum->lock, flags);
This approach satisfies the RT requirements.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Cc: stable <stable@kernel.org>
Fixes: b4dbda1a22 ("USB: dummy-hcd: disable interrupts during req->complete")
Reported-by: Yunseong Kim <ysk@kzalloc.com>
Closes: <https://lore.kernel.org/linux-usb/5b337389-73b9-4ee4-a83e-7e82bf5af87a@kzalloc.com/>
Reported-by: syzbot+8baacc4139f12fa77909@syzkaller.appspotmail.com
Closes: <https://lore.kernel.org/linux-usb/68ac2411.050a0220.37038e.0087.GAE@google.com/>
Tested-by: syzbot+8baacc4139f12fa77909@syzkaller.appspotmail.com
CC: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
CC: stable@vger.kernel.org
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://lore.kernel.org/r/bb192ae2-4eee-48ee-981f-3efdbbd0d8f0@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tracepoints that are defined take up around 5K each, even if they are not
used. If they are defined and not used, then they waste memory for unused
code. Soon unused tracepoints will cause warnings.
Remove the unused tracepoints of the cdns2 subsystem. They are:
cdns2_ep0_enqueue
cdns2_ep0_set_config
cdns2_ep_queue
cdns2_iso_out_ep_disable
cdns2_lpm
cdns2_mapped_request
cdns2_map_request
cdns2_may_wakeup
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Link: https://lore.kernel.org/r/20250829015649.885512884@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Set the hid req->zero flag of ep0/in_ep to true by default,
then the UDC drivers can transfer a zero length packet at
the end if the hid transfer with size divisible to EPs max
packet size according to the USB 2.0 spec.
Signed-off-by: William Wu <william.wu@rock-chips.com>
Link: https://lore.kernel.org/r/1756204087-26111-1-git-send-email-william.wu@rock-chips.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Once the use_os_string flag is set to true for some functions
(e.g. adb/mtp) which need to response the OS string, and then
if we re-bind the ConfigFS gadget to use the other functions
(e.g. hid) which should not to response the OS string, however,
because the use_os_string flag is still true, so the usb gadget
response the OS string descriptor incorrectly, this can cause
the USB device to be unrecognizable on the Windows system.
An example of this as follows:
echo 1 > os_desc/use
ln -s functions/ffs.adb configs/b.1/function0
start adbd
echo "<udc device>" > UDC #succeed
stop adbd
rm configs/b.1/function0
echo 0 > os_desc/use
ln -s functions/hid.gs0 configs/b.1/function0
echo "<udc device>" > UDC #fail to connect on Windows
This patch sets the use_os_string flag to false at bind if
the functions not support OS Descriptors.
Signed-off-by: William Wu <william.wu@rock-chips.com>
Fixes: 87213d388e ("usb: gadget: configfs: OS String support")
Link: https://lore.kernel.org/r/1755833769-25434-1-git-send-email-william.wu@rock-chips.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This fix is already present in f_ecm.c and was never
propagated to f_ncm.c
When creating multiple NCM ethernet devices
on a composite usb gadget device
each MAC address on the HOST side will be identical.
Having the same MAC on different network interfaces is bad.
This fix updates the MAC address inside the
ncm_strings_defs global during the ncm_bind call.
This ensures each device has a unique MAC.
In f_ecm.c ecm_string_defs is updated in the same way.
The defunct MAC assignment in ncm_alloc has been removed.
Signed-off-by: raub camaioni <raubcameo@gmail.com>
Link: https://lore.kernel.org/r/20250815131358.1047525-1-raubcameo@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Upon resume from system suspend, the PM runtime core issues the
following warning:
tegra-xudc 3550000.usb: Runtime PM usage count underflow!
This is because tegra_xudc_resume() unconditionally calls
schedule_work(&xudc->usb_role_sw_work) whether or not anything has
changed, which causes tegra_xudc_device_mode_off() to be called
even when we're already in that mode.
Keep track of the current state of "device_mode", and only schedule
this work if it has changed from the hardware state on resume.
Signed-off-by: "Russell King (Oracle)" <rmk+kernel@armlinux.org.uk>
Link: https://lore.kernel.org/r/E1uhtkH-007KDZ-JT@rmk-PC.armlinux.org.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Multiple drivers that use v4l2_fh and call v4l2_fh_del() manually reset
the file->private_data pointer to NULL in their video device .release()
file operation handler. Move the code to the v4l2_fh_del() function to
avoid direct access to file->private_data in drivers. This requires
adding a file pointer argument to the function.
Changes to drivers have been generated with the following coccinelle
semantic patch:
@@
expression fh;
identifier filp;
identifier release;
type ret;
@@
ret release(..., struct file *filp, ...)
{
<...
- filp->private_data = NULL;
...
- v4l2_fh_del(fh);
+ v4l2_fh_del(fh, filp);
...>
}
@@
expression fh;
identifier filp;
identifier release;
type ret;
@@
ret release(..., struct file *filp, ...)
{
<...
- v4l2_fh_del(fh);
+ v4l2_fh_del(fh, filp);
...
- filp->private_data = NULL;
...>
}
@@
expression fh;
identifier filp;
identifier release;
type ret;
@@
ret release(..., struct file *filp, ...)
{
<...
- v4l2_fh_del(fh);
+ v4l2_fh_del(fh, filp);
...>
}
Manual changes have been applied to Documentation/ to update the usage
patterns, to drivers/media/v4l2-core/v4l2-fh.c to update the
v4l2_fh_del() prototype and reset file->private_data, and to
include/media/v4l2-fh.h to update the v4l2_fh_del() function prototype
and its documentation.
Additionally, white space issues have been fixed manually in
drivers/usb/gadget/function/uvc_v4l2.c
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
All the drivers that use v4l2_fh and call v4l2_fh_add() manually store a
pointer to the v4l2_fh instance in file->private_data in their video
device .open() file operation handler. Move the code to the
v4l2_fh_add() function to avoid direct access to file->private_data in
drivers. This requires adding a file pointer argument to the function.
Changes to drivers have been generated with the following coccinelle
semantic patch:
@@
expression fh;
identifier filp;
identifier open;
type ret;
@@
ret open(..., struct file *filp, ...)
{
<...
- filp->private_data = fh;
...
- v4l2_fh_add(fh);
+ v4l2_fh_add(fh, filp);
...>
}
@@
expression fh;
identifier filp;
identifier open;
type ret;
@@
ret open(..., struct file *filp, ...)
{
<...
- v4l2_fh_add(fh);
+ v4l2_fh_add(fh, filp);
...
- filp->private_data = fh;
...>
}
Manual changes have been applied to Documentation/ to update the usage
patterns, to drivers/media/v4l2-core/v4l2-fh.c to update the
v4l2_fh_add() prototype set file->private_data, and to
include/media/v4l2-fh.h to update the v4l2_fh_add() function prototype
and its documentation.
Additionally, white space issues have been fixed manually in
drivers/media/platform/nvidia/tegra-vde/v4l2.c,
drivers/media/platform/rockchip/rkvdec/rkvdec.c,
drivers/media/v4l2-core/v4l2-fh.c and
drivers/staging/most/video/video.c.
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Accessing file->private_data manually to retrieve the v4l2_fh pointer is
error-prone, as the field is a void * and will happily cast implicitly
to any pointer type.
Replace all remaining locations that read the v4l2_fh pointer directly
from file->private_data with usage of the file_to_v4l2_fh() function.
The change was generated manually.
No functional change is intended, this only paves the way to remove
direct accesses to file->private_data and make V4L2 drivers safer.
Other accesses to the field will be addressed separately.
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Here is the big set of USB and Thunderbolt driver changes for 6.17-rc1.
Lots of little things in here, mostly all small cleanups and updates, no
major new features this development cycle. Stuff included in here is:
- xhci minor tweaks for error handling
- typec minor updates and a driver update
- gadget driver api cleanups
- unused function removals
- unbind memory leak fixes
- a few new device ids added
- a few new devices supported for some drivers
- other minor cleanups and changes
All of these have been in linux-next with no reported issues, with the
leak fixes being in the shortest amount of time, but they are "obviously
correct" :)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCaIeVLw8cZ3JlZ0Brcm9h
aC5jb20ACgkQMUfUDdst+yn3RACgg394VU3ENwqvkh1iF95fVwVheJYAn08YUeoM
98vPdogv4+kuC3B0TbiM
=7pfy
-----END PGP SIGNATURE-----
Merge tag 'usb-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB / Thunderbolt updates from Greg KH:
"Here is the big set of USB and Thunderbolt driver changes for
6.17-rc1.
Lots of little things in here, mostly all small cleanups and updates,
no major new features this development cycle. Stuff included in here
is:
- xhci minor tweaks for error handling
- typec minor updates and a driver update
- gadget driver api cleanups
- unused function removals
- unbind memory leak fixes
- a few new device ids added
- a few new devices supported for some drivers
- other minor cleanups and changes
All of these have been in linux-next with no reported issues, with the
leak fixes being in the shortest amount of time, but they are
'obviously correct' :)"
* tag 'usb-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (100 commits)
usb: musb: omap2430: clean up probe error handling
usb: musb: omap2430: fix device leak at unbind
usb: gadget: udc: renesas_usb3: fix device leak at unbind
usb: dwc3: meson-g12a: fix device leaks at unbind
usb: dwc3: imx8mp: fix device leak at unbind
usb: musb: omap2430: enable compile testing
usb: gadget: udc: renesas_usb3: drop unused module alias
usb: xhci: print xhci->xhc_state when queue_command failed
usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init()
USB: serial: option: add Foxconn T99W709
usb: core: add urb->sgt parameter description
thunderbolt: Fix copy+paste error in match_service_id()
usb: typec: ucsi: Update power_supply on power role change
usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default
usb: typec: fusb302: cache PD RX state
usb: typec: ucsi: yoga-c630: add DRM dependency
usb: gadget : fix use-after-free in composite_dev_cleanup()
usb: chipidea: imx: Add a missing blank line
usb: gadget: f_uac1: replace scnprintf() with sysfs_emit()
usb: usblp: clean up assignment inside if conditions
...
GPIOLIB core:
- introduce a parallel, limited sysfs user ABI that doesn't expose the
global GPIO numbers to user-space while maintaining backward
compatibility with the end goal of it completely replacing the existing
interface, allowing us to remove it
- remove the legacy devm_gpio_request() routine which has no more users
- start the process of allowing to compile-out the legacy parts of the
GPIO core for users who don't need it by introducing a new Kconfig
option: GPIOLIB_LEGACY
- don't use global GPIO numbers in debugfs output from the core code
(drivers still do it, the work is ongoing)
- start the process of moving the fields specific to the gpio-mmio helper
out of the core struct gpio_chip into their own structure that wraps
it: create a new header with modern interfaces and convert several
drivers to using it
- remove the platform data structure associated with the gpio-mmio helper
from the kernel after having converted all remaining users to generic
device properties
- remove legacy struct gpio definition as it has no more users
New drivers:
- add the GPIO driver for the Apple System Management Controller
Driver improvements:
- add support for new models to gpio-adp5585, gpio-tps65219 and
gpio-pca953x
- extend the interrupt support in gpio-loongson-64bit
- allow to mark the simulated GPIO lines as invalid in gpio-sim
- convert all remaining GPIO drivers to using the new GPIO value setter
callbacks
- convert gpio-rcar to using simple device power management ops callbacks
- don't check if current direction of a line is output before setting
the value in gpio-pisosr and ti-fpc202: the GPIO core already handles
that
- also drop unneeded GPIO range checks in drivers, the core already makes
sure we're within bounds when calling driver callbacks
- use dev_fwnode() where applicable across GPIO drivers
- set line value in gpio-zynqmp-modepin and gpio-twl6040 when the user
wants to change direction of the pin to output even though these
drivers don't need to do anything else to actually set the direction,
otherwise a call like gpiod_direction_output(d, 1) will not result in
the line driver high
- remove the reduntant call to pm_runtime_mark_last_busy() from
gpio-arizona
- use lock guards in gpio-cadence and gpio-mxc
- check the return values of regmap functions in gpio-wcd934x and
gpio-tps65912
- use better regmap interfaces in gpio-wcove and gpio-pca953x
- remove dummy GPIO chip callbacks from several drivers in cases where
the GPIO core can already handle their absence
- allow building gpio-palmas as a module
Fixes:
- use correct bit widths (according to the documentation) in gpio-virtio
Device-tree bindings:
- convert several of the legacy .txt documents for many different devices
to YAML, improving automatic validation
- create a "trivial" GPIO DT schema that covers a wide range of simple
hardware that share a set of basic GPIO properties
- document new HW: Apple MAC SMC GPIO block and adp5589 I/O expander
- document a new model for pca95xx
- add and/or remove properties in YAML documents for gpio-rockchip,
fsl,qoriq-gpio, arm,pl061 and gpio-xilinx
Misc:
- some minor refactoring in several places, adding/removing forward
declarations, moving defines to better places, constify the arguments
in some functions, remove duplicate includes, etc.
- documentation updates
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEFp3rbAvDxGAT0sefEacuoBRx13IFAmiHQsUACgkQEacuoBRx
13LNDxAAsHxVqBjdCSzmnOCteIRrRWv8yCzeuPzFWekxGPJNEx/tC83cqdLF2yN/
MFrlQLx4ZksCBWOmcoC9aQE5c8ZXfnugF2rztxeDIRtSwC0ED97K9Z798RrgLJUF
M6HyaWgsEcMBDk0jXG2w3JESnPbx74VnGtPixv8+QeiM2DA5XRsLPaPbQEkatBVo
9T7Ls/vfS6AK9fSqMg2ZjKi3bXpXMsmU4PXrhh/mCGSBU/TO3fF1IPig5SsKUpNL
C2nm3e4XIaXCNIBqgGSpppbzCrwDBlDTb029QtoStXgsiMbppXI532NjuCfDlj80
1Vlmwot4O91SJoC9XvmSM6KBWrBqX2zL3bYtpkLymEPPS8+25gwQ3HxteIzl1V4S
Up8KZ+9EmNxxhfKYzhdWG0Puyam4sHiP1MlkeyEKgHJen4/07Pg4WdOthyuH72tg
/U5wS+zDhhDpibHFYdQ5F04ubMfVxipvf0JHhbjuDAuXKqGohjJNUiE2/M7yBnyd
n0IS9Bw95lOLepbAHkm/JneFvSJYJfOrLz+d981664tfrY7A99RLtSOluzQKSrzz
dpqc+yn+x/TKaZeYV22mhIri5o9oupT7JqPHqXYe//iWzJt3m2EavzTRoR2JeJQq
p7Quytgfj4FcR2v6GyldXWwFhRK0397kOLcNUQ7HVMaOAMMi5Y8=
=tUPm
-----END PGP SIGNATURE-----
Merge tag 'gpio-updates-for-v6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux
Pull gpio updates from Bartosz Golaszewski:
"There's one new driver (Apple SMC) and extensions to existing drivers
for supporting new HW models. A lot of different impovements across
drivers and in core GPIO code. Details on that are in the signed tag
as usual.
We managed to remove some of the legacy APIs. Arnd Bergmann started to
work on making the legacy bits optional so that we may compile them
only for older platforms that still really need them.
Rob Herring has done a lot of work to convert legacy .txt dt-bindings
for GPIO controllers to YAML. There are only a few left now in the
GPIO tree.
A big part of the commits in this PR concern the conversion of GPIO
drivers to using the new line value setter callbacks. This conversion
is now complete treewide (unless I've missed something) and once all
the changes from different trees land in mainline, I'll send you
another PR containing a commit dropping the legacy callbacks from the
tree.
As the quest to pay back technical dept never really ends, we're
starting another set of interface conversions, this time it's about
moving fields specific to only a handful of drivers using the
gpio-mmio helper out of the core gpio_chip structure that every
controller implements and uses. This cycle we introduce a new set of
APIs and convert a few drivers under drivers/gpio/, next cycle we'll
convert remaining modules treewide (in gpio, pinctrl and mfd trees)
and finally remove the old interfaces and move the gpio-mmio fields
into their own structure wrapping gpio_chip.
One last change I should mention here is the rework of the sysfs
interface. In 2016, we introduced the GPIO character device as the
preferred alternative to the sysfs class under /sys/class/gpio. While
it has seen a wide adoption with the help of its user-space
counterpart - libgpiod - there are still users who prefer the
simplicity of sysfs.
As far as the GPIO subsystem is concerned, the problem is not the
existince of the GPIO class as such but rather the fact that it
exposes the global GPIO numbers to the user-space, stopping us from
ever being able to remove the numberspace from the kernel. To that
end, this release we introduced a parallel, limited sysfs interface
that doesn't expose these numbers and only implements a subset of
features that are relevant to the existing users. This is a result of
several discussions over the course of last year and should allow us
to remove the legacy part some time in the future.
Summary:
GPIOLIB core:
- introduce a parallel, limited sysfs user ABI that doesn't expose
the global GPIO numbers to user-space while maintaining backward
compatibility with the end goal of it completely replacing the
existing interface, allowing us to remove it
- remove the legacy devm_gpio_request() routine which has no more
users
- start the process of allowing to compile-out the legacy parts of
the GPIO core for users who don't need it by introducing a new
Kconfig option: GPIOLIB_LEGACY
- don't use global GPIO numbers in debugfs output from the core code
(drivers still do it, the work is ongoing)
- start the process of moving the fields specific to the gpio-mmio
helper out of the core struct gpio_chip into their own structure
that wraps it: create a new header with modern interfaces and
convert several drivers to using it
- remove the platform data structure associated with the gpio-mmio
helper from the kernel after having converted all remaining users
to generic device properties
- remove legacy struct gpio definition as it has no more users
New drivers:
- add the GPIO driver for the Apple System Management Controller
Driver improvements:
- add support for new models to gpio-adp5585, gpio-tps65219 and
gpio-pca953x
- extend the interrupt support in gpio-loongson-64bit
- allow to mark the simulated GPIO lines as invalid in gpio-sim
- convert all remaining GPIO drivers to using the new GPIO value
setter callbacks
- convert gpio-rcar to using simple device power management ops
callbacks
- don't check if current direction of a line is output before setting
the value in gpio-pisosr and ti-fpc202: the GPIO core already
handles that
- also drop unneeded GPIO range checks in drivers, the core already
makes sure we're within bounds when calling driver callbacks
- use dev_fwnode() where applicable across GPIO drivers
- set line value in gpio-zynqmp-modepin and gpio-twl6040 when the
user wants to change direction of the pin to output even though
these drivers don't need to do anything else to actually set the
direction, otherwise a call like gpiod_direction_output(d, 1) will
not result in the line driver high
- remove the reduntant call to pm_runtime_mark_last_busy() from
gpio-arizona
- use lock guards in gpio-cadence and gpio-mxc
- check the return values of regmap functions in gpio-wcd934x and
gpio-tps65912
- use better regmap interfaces in gpio-wcove and gpio-pca953x
- remove dummy GPIO chip callbacks from several drivers in cases
where the GPIO core can already handle their absence
- allow building gpio-palmas as a module
Fixes:
- use correct bit widths (according to the documentation) in
gpio-virtio
Device-tree bindings:
- convert several of the legacy .txt documents for many different
devices to YAML, improving automatic validation
- create a "trivial" GPIO DT schema that covers a wide range of
simple hardware that share a set of basic GPIO properties
- document new HW: Apple MAC SMC GPIO block and adp5589 I/O expander
- document a new model for pca95xx
- add and/or remove properties in YAML documents for gpio-rockchip,
fsl,qoriq-gpio, arm,pl061 and gpio-xilinx
Misc:
- some minor refactoring in several places, adding/removing forward
declarations, moving defines to better places, constify the
arguments in some functions, remove duplicate includes, etc.
- documentation updates"
* tag 'gpio-updates-for-v6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: (202 commits)
MIPS: alchemy: gpio: use new GPIO line value setter callbacks for the remaining chips
gpiolib: enable CONFIG_GPIOLIB_LEGACY even for !GPIOLIB
gpio: virtio: Fix config space reading.
gpiolib: make legacy interfaces optional
dt-bindings: gpio: rockchip: Allow use of a power-domain
gpiolib: of: add forward declaration for struct device_node
power: reset: macsmc-reboot: Add driver for rebooting via Apple SMC
gpio: Add new gpio-macsmc driver for Apple Macs
mfd: Add Apple Silicon System Management Controller
soc: apple: rtkit: Make shmem_destroy optional
dt-bindings: mfd: Add Apple Mac System Management Controller
dt-bindings: power: reboot: Add Apple Mac SMC Reboot Controller
dt-bindings: gpio: Add Apple Mac SMC GPIO block
gpio: cadence: Remove duplicated include in gpio-cadence.c
gpio: tps65219: Add support for TI TPS65214 PMIC
gpio: tps65219: Update _IDX & _OFFSET macro prefix
gpio: sysfs: Fix an end of loop test in gpiod_unexport()
dt-bindings: gpio: Convert qca,ar7100-gpio to DT schema
dt-bindings: gpio: Convert maxim,max3191x to DT schema
dt-bindings: gpio: fsl,qoriq-gpio: Add missing mpc8xxx compatibles
...
places; unfortunately, it's easy to get wrong. A number of open-coded
attempts are out there, with varying amount of bogosities.
simple_recursive_removal() had been introduced for doing that with
all precautions needed; it does an equivalent of rm -rf, with sufficient
locking, eviction of anything mounted on top of the subtree, etc.
This series converts a bunch of open-coded instances to using that.
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQQqUNBr3gm4hGXdBJlZ7Krx/gZQ6wUCaIRCUwAKCRBZ7Krx/gZQ
66XWAP9BNyHcvl9uV/ku/mswYiRBxYoVogciIKeugwYTVLuTJgEA7jdh1eyLkvbS
rwbL7XD+Q35/vXZHEet+RLCGH3ae6wc=
=yaKF
-----END PGP SIGNATURE-----
Merge tag 'pull-simple_recursive_removal' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull simple_recursive_removal() update from Al Viro:
"Removing subtrees of kernel filesystems is done in quite a few places;
unfortunately, it's easy to get wrong. A number of open-coded attempts
are out there, with varying amount of bogosities.
simple_recursive_removal() had been introduced for doing that with all
precautions needed; it does an equivalent of rm -rf, with sufficient
locking, eviction of anything mounted on top of the subtree, etc.
This series converts a bunch of open-coded instances to using that"
* tag 'pull-simple_recursive_removal' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
functionfs, gadgetfs: use simple_recursive_removal()
kill binderfs_remove_file()
fuse_ctl: use simple_recursive_removal()
pstore: switch to locked_recursive_removal()
binfmt_misc: switch to locked_recursive_removal()
spufs: switch to locked_recursive_removal()
add locked_recursive_removal()
better lockdep annotations for simple_recursive_removal()
simple_recursive_removal(): saner interaction with fsnotify
Make sure to drop the reference to the companion device taken during
probe when the driver is unbound.
Fixes: 39facfa01c ("usb: gadget: udc: renesas_usb3: Add register of usb role switch")
Cc: stable@vger.kernel.org # 4.19
Cc: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20250724091910.21092-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Since commit f3323cd03e ("usb: gadget: udc: renesas_usb3: remove R-Car
H3 ES1.* handling") the driver only supports OF probe so drop the unused
platform module alias.
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20250724092006.21216-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1. In func configfs_composite_bind() -> composite_os_desc_req_prepare():
if kmalloc fails, the pointer cdev->os_desc_req will be freed but not
set to NULL. Then it will return a failure to the upper-level function.
2. in func configfs_composite_bind() -> composite_dev_cleanup():
it will checks whether cdev->os_desc_req is NULL. If it is not NULL, it
will attempt to use it.This will lead to a use-after-free issue.
BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0
Read of size 8 at addr 0000004827837a00 by task init/1
CPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1
kasan_report+0x188/0x1cc
__asan_load8+0xb4/0xbc
composite_dev_cleanup+0xf4/0x2c0
configfs_composite_bind+0x210/0x7ac
udc_bind_to_driver+0xb4/0x1ec
usb_gadget_probe_driver+0xec/0x21c
gadget_dev_desc_UDC_store+0x264/0x27c
Fixes: 37a3a53342 ("usb: gadget: OS Feature Descriptors support")
Cc: stable <stable@kernel.org>
Signed-off-by: Tao Xue <xuetao09@huawei.com>
Link: https://lore.kernel.org/r/20250721093908.14967-1-xuetao09@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Documentation/filesystems/sysfs.rst mentions that show() should only
use sysfs_emit() or sysfs_emit_at() when formating the value to be
returned to user space. So replace scnprintf() with sysfs_emit().
Signed-off-by: Sumanth Gavini <sumanth.gavini@yahoo.com>
Link: https://lore.kernel.org/r/20250718175037.299710-1-sumanth.gavini@yahoo.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Haotien Hsu
Sam Day
Justin Chen
Greg Kroah-Hartman
Xu Yang
Johan Hovold
Ma Ke
Al Viro
Gopi Krishna Menon
Haotian Zhang
Kuen-Han Tsai
Jimmy Hu
Andrey Konovalov
Linus Torvalds
Owen Gu
Mateusz Guzik
Liao Yuanhong
Takashi Iwai
Alan Stern
Steven Rostedt
William Wu
raub camaioni
Russell King (Oracle)
Laurent Pinchart
Tao Xue
Sumanth Gavini
Akash Kumar