Upon resume from system suspend, the PM runtime core issues the
following warning:
tegra-xudc 3550000.usb: Runtime PM usage count underflow!
This is because tegra_xudc_resume() unconditionally calls
schedule_work(&xudc->usb_role_sw_work) whether or not anything has
changed, which causes tegra_xudc_device_mode_off() to be called
even when we're already in that mode.
Keep track of the current state of "device_mode", and only schedule
this work if it has changed from the hardware state on resume.
Signed-off-by: "Russell King (Oracle)" <rmk+kernel@armlinux.org.uk>
Link: https://lore.kernel.org/r/E1uhtkH-007KDZ-JT@rmk-PC.armlinux.org.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Pull USB / Thunderbolt updates from Greg KH:
"Here is the big set of USB and Thunderbolt driver changes for
6.17-rc1.
Lots of little things in here, mostly all small cleanups and updates,
no major new features this development cycle. Stuff included in here
is:
- xhci minor tweaks for error handling
- typec minor updates and a driver update
- gadget driver api cleanups
- unused function removals
- unbind memory leak fixes
- a few new device ids added
- a few new devices supported for some drivers
- other minor cleanups and changes
All of these have been in linux-next with no reported issues, with the
leak fixes being in the shortest amount of time, but they are
'obviously correct' :)"
* tag 'usb-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (100 commits)
usb: musb: omap2430: clean up probe error handling
usb: musb: omap2430: fix device leak at unbind
usb: gadget: udc: renesas_usb3: fix device leak at unbind
usb: dwc3: meson-g12a: fix device leaks at unbind
usb: dwc3: imx8mp: fix device leak at unbind
usb: musb: omap2430: enable compile testing
usb: gadget: udc: renesas_usb3: drop unused module alias
usb: xhci: print xhci->xhc_state when queue_command failed
usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init()
USB: serial: option: add Foxconn T99W709
usb: core: add urb->sgt parameter description
thunderbolt: Fix copy+paste error in match_service_id()
usb: typec: ucsi: Update power_supply on power role change
usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default
usb: typec: fusb302: cache PD RX state
usb: typec: ucsi: yoga-c630: add DRM dependency
usb: gadget : fix use-after-free in composite_dev_cleanup()
usb: chipidea: imx: Add a missing blank line
usb: gadget: f_uac1: replace scnprintf() with sysfs_emit()
usb: usblp: clean up assignment inside if conditions
...
Pull gpio updates from Bartosz Golaszewski:
"There's one new driver (Apple SMC) and extensions to existing drivers
for supporting new HW models. A lot of different impovements across
drivers and in core GPIO code. Details on that are in the signed tag
as usual.
We managed to remove some of the legacy APIs. Arnd Bergmann started to
work on making the legacy bits optional so that we may compile them
only for older platforms that still really need them.
Rob Herring has done a lot of work to convert legacy .txt dt-bindings
for GPIO controllers to YAML. There are only a few left now in the
GPIO tree.
A big part of the commits in this PR concern the conversion of GPIO
drivers to using the new line value setter callbacks. This conversion
is now complete treewide (unless I've missed something) and once all
the changes from different trees land in mainline, I'll send you
another PR containing a commit dropping the legacy callbacks from the
tree.
As the quest to pay back technical dept never really ends, we're
starting another set of interface conversions, this time it's about
moving fields specific to only a handful of drivers using the
gpio-mmio helper out of the core gpio_chip structure that every
controller implements and uses. This cycle we introduce a new set of
APIs and convert a few drivers under drivers/gpio/, next cycle we'll
convert remaining modules treewide (in gpio, pinctrl and mfd trees)
and finally remove the old interfaces and move the gpio-mmio fields
into their own structure wrapping gpio_chip.
One last change I should mention here is the rework of the sysfs
interface. In 2016, we introduced the GPIO character device as the
preferred alternative to the sysfs class under /sys/class/gpio. While
it has seen a wide adoption with the help of its user-space
counterpart - libgpiod - there are still users who prefer the
simplicity of sysfs.
As far as the GPIO subsystem is concerned, the problem is not the
existince of the GPIO class as such but rather the fact that it
exposes the global GPIO numbers to the user-space, stopping us from
ever being able to remove the numberspace from the kernel. To that
end, this release we introduced a parallel, limited sysfs interface
that doesn't expose these numbers and only implements a subset of
features that are relevant to the existing users. This is a result of
several discussions over the course of last year and should allow us
to remove the legacy part some time in the future.
Summary:
GPIOLIB core:
- introduce a parallel, limited sysfs user ABI that doesn't expose
the global GPIO numbers to user-space while maintaining backward
compatibility with the end goal of it completely replacing the
existing interface, allowing us to remove it
- remove the legacy devm_gpio_request() routine which has no more
users
- start the process of allowing to compile-out the legacy parts of
the GPIO core for users who don't need it by introducing a new
Kconfig option: GPIOLIB_LEGACY
- don't use global GPIO numbers in debugfs output from the core code
(drivers still do it, the work is ongoing)
- start the process of moving the fields specific to the gpio-mmio
helper out of the core struct gpio_chip into their own structure
that wraps it: create a new header with modern interfaces and
convert several drivers to using it
- remove the platform data structure associated with the gpio-mmio
helper from the kernel after having converted all remaining users
to generic device properties
- remove legacy struct gpio definition as it has no more users
New drivers:
- add the GPIO driver for the Apple System Management Controller
Driver improvements:
- add support for new models to gpio-adp5585, gpio-tps65219 and
gpio-pca953x
- extend the interrupt support in gpio-loongson-64bit
- allow to mark the simulated GPIO lines as invalid in gpio-sim
- convert all remaining GPIO drivers to using the new GPIO value
setter callbacks
- convert gpio-rcar to using simple device power management ops
callbacks
- don't check if current direction of a line is output before setting
the value in gpio-pisosr and ti-fpc202: the GPIO core already
handles that
- also drop unneeded GPIO range checks in drivers, the core already
makes sure we're within bounds when calling driver callbacks
- use dev_fwnode() where applicable across GPIO drivers
- set line value in gpio-zynqmp-modepin and gpio-twl6040 when the
user wants to change direction of the pin to output even though
these drivers don't need to do anything else to actually set the
direction, otherwise a call like gpiod_direction_output(d, 1) will
not result in the line driver high
- remove the reduntant call to pm_runtime_mark_last_busy() from
gpio-arizona
- use lock guards in gpio-cadence and gpio-mxc
- check the return values of regmap functions in gpio-wcd934x and
gpio-tps65912
- use better regmap interfaces in gpio-wcove and gpio-pca953x
- remove dummy GPIO chip callbacks from several drivers in cases
where the GPIO core can already handle their absence
- allow building gpio-palmas as a module
Fixes:
- use correct bit widths (according to the documentation) in
gpio-virtio
Device-tree bindings:
- convert several of the legacy .txt documents for many different
devices to YAML, improving automatic validation
- create a "trivial" GPIO DT schema that covers a wide range of
simple hardware that share a set of basic GPIO properties
- document new HW: Apple MAC SMC GPIO block and adp5589 I/O expander
- document a new model for pca95xx
- add and/or remove properties in YAML documents for gpio-rockchip,
fsl,qoriq-gpio, arm,pl061 and gpio-xilinx
Misc:
- some minor refactoring in several places, adding/removing forward
declarations, moving defines to better places, constify the
arguments in some functions, remove duplicate includes, etc.
- documentation updates"
* tag 'gpio-updates-for-v6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: (202 commits)
MIPS: alchemy: gpio: use new GPIO line value setter callbacks for the remaining chips
gpiolib: enable CONFIG_GPIOLIB_LEGACY even for !GPIOLIB
gpio: virtio: Fix config space reading.
gpiolib: make legacy interfaces optional
dt-bindings: gpio: rockchip: Allow use of a power-domain
gpiolib: of: add forward declaration for struct device_node
power: reset: macsmc-reboot: Add driver for rebooting via Apple SMC
gpio: Add new gpio-macsmc driver for Apple Macs
mfd: Add Apple Silicon System Management Controller
soc: apple: rtkit: Make shmem_destroy optional
dt-bindings: mfd: Add Apple Mac System Management Controller
dt-bindings: power: reboot: Add Apple Mac SMC Reboot Controller
dt-bindings: gpio: Add Apple Mac SMC GPIO block
gpio: cadence: Remove duplicated include in gpio-cadence.c
gpio: tps65219: Add support for TI TPS65214 PMIC
gpio: tps65219: Update _IDX & _OFFSET macro prefix
gpio: sysfs: Fix an end of loop test in gpiod_unexport()
dt-bindings: gpio: Convert qca,ar7100-gpio to DT schema
dt-bindings: gpio: Convert maxim,max3191x to DT schema
dt-bindings: gpio: fsl,qoriq-gpio: Add missing mpc8xxx compatibles
...
Pull simple_recursive_removal() update from Al Viro:
"Removing subtrees of kernel filesystems is done in quite a few places;
unfortunately, it's easy to get wrong. A number of open-coded attempts
are out there, with varying amount of bogosities.
simple_recursive_removal() had been introduced for doing that with all
precautions needed; it does an equivalent of rm -rf, with sufficient
locking, eviction of anything mounted on top of the subtree, etc.
This series converts a bunch of open-coded instances to using that"
* tag 'pull-simple_recursive_removal' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
functionfs, gadgetfs: use simple_recursive_removal()
kill binderfs_remove_file()
fuse_ctl: use simple_recursive_removal()
pstore: switch to locked_recursive_removal()
binfmt_misc: switch to locked_recursive_removal()
spufs: switch to locked_recursive_removal()
add locked_recursive_removal()
better lockdep annotations for simple_recursive_removal()
simple_recursive_removal(): saner interaction with fsnotify
1. In func configfs_composite_bind() -> composite_os_desc_req_prepare():
if kmalloc fails, the pointer cdev->os_desc_req will be freed but not
set to NULL. Then it will return a failure to the upper-level function.
2. in func configfs_composite_bind() -> composite_dev_cleanup():
it will checks whether cdev->os_desc_req is NULL. If it is not NULL, it
will attempt to use it.This will lead to a use-after-free issue.
BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0
Read of size 8 at addr 0000004827837a00 by task init/1
CPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1
kasan_report+0x188/0x1cc
__asan_load8+0xb4/0xbc
composite_dev_cleanup+0xf4/0x2c0
configfs_composite_bind+0x210/0x7ac
udc_bind_to_driver+0xb4/0x1ec
usb_gadget_probe_driver+0xec/0x21c
gadget_dev_desc_UDC_store+0x264/0x27c
Fixes: 37a3a53342 ("usb: gadget: OS Feature Descriptors support")
Cc: stable <stable@kernel.org>
Signed-off-by: Tao Xue <xuetao09@huawei.com>
Link: https://lore.kernel.org/r/20250721093908.14967-1-xuetao09@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
When writing an empty string to either 'qw_sign' or 'landingPage'
sysfs attributes, the store functions attempt to access page[l - 1]
before validating that the length 'l' is greater than zero.
This patch fixes the vulnerability by adding a check at the beginning
of os_desc_qw_sign_store() and webusb_landingPage_store() to handle
the zero-length input case gracefully by returning immediately.
Signed-off-by: Xinyu Liu <katieeliu@tencent.com>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/tencent_B1C9481688D0E95E7362AB2E999DE8048207@qq.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Commit 24729b307e ("usb: gadget: f_fs: Fix race between aio_cancel()
and AIO request complete") moved the call to usb_ep_free_request() from
ffs_epfile_async_io_complete() to ffs_user_copy_worker().
In ffs_user_copy_worker(), ki_complete() is called before
usb_ep_free_request(). Once ki_complete() returns, ffs_aio_cancel() can
no longer be invoked for the completed kiocb, as ki_complete() removes it
from the &ctx->active_reqs list in aio.c. ffs_aio_cancel() only applies
to kiocb instances still present on this list.
The potential race between ki_complete() and ffs_aio_cancel() is already
guarded by the &ctx->ctx_lock spinlock in aio.c.
As a result, there is no race condition between the usb_ep_dequeue() call
in ffs_aio_cancel() and the usb_ep_free_request() call in
ffs_user_copy_worker(). Consequently, the spin lock/unlock operations on
&io_data->ffs->eps_lock are no longer necessary.
Signed-off-by: Ingo Rohloff <ingo.rohloff@lauterbach.com>
Link: https://lore.kernel.org/r/20250701113602.33402-2-ingo.rohloff@lauterbach.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
In hidg_bind(), if alloc_workqueue() fails after usb_assign_descriptors()
has successfully allocated the USB descriptors, the current error handling
does not call usb_free_all_descriptors() to free the allocated descriptors,
resulting in a memory leak.
Restructure the error handling by adding proper cleanup labels:
- fail_free_all: cleans up workqueue and descriptors
- fail_free_descs: cleans up descriptors only
- fail: original cleanup for earlier failures
This ensures that allocated resources are properly freed in reverse order
of their allocation, preventing the memory leak when alloc_workqueue() fails.
Fixes: a139c98f76 ("USB: gadget: f_hid: Add GET_REPORT via userspace IOCTL")
Cc: stable@vger.kernel.org
Signed-off-by: Yuhao Jiang <danisjiang@gmail.com>
Link: https://lore.kernel.org/r/20250623094844.244977-1-danisjiang@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
We need the USB fixes in here as well to build on top of for other
changes that depend on them.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usual mount leaks if something had been bound on top of disappearing
files there.
Reviewed-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This reverts commit ffd603f214.
Commit ffd603f214 ("usb: gadget: u_serial: Add null pointer check in
gs_start_io") adds null pointer checks at the beginning of the
gs_start_io() function to prevent a null pointer dereference. However,
these checks are redundant because the function's comment already
requires callers to hold the port_lock and ensure port.tty and port_usb
are not null. All existing callers already follow these rules.
The true cause of the null pointer dereference is a race condition. When
gs_start_io() calls either gs_start_rx() or gs_start_tx(), the port_lock
is temporarily released for usb_ep_queue(). This allows port.tty and
port_usb to be cleared.
Fixes: ffd603f214 ("usb: gadget: u_serial: Add null pointer check in gs_start_io")
Cc: stable <stable@kernel.org>
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Reviewed-by: Prashanth K <prashanth.k@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250617050844.1848232-1-khtsai@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb_remove_config() was added in 2012's
commit Fixes: 51cce6fc15 ("usb: gadget: composite: Add
usb_remove_config")
but has remained unused.
I see there was a use in drivers/staging/cch that
was removed by
commit 515e6dd20b ("Staging: ccg: delete it from the tree")
but it had it's own copy of usb_remove_config()
Remove it.
Signed-off-by: "Dr. David Alan Gilbert" <linux@treblig.org>
Link: https://lore.kernel.org/r/20250608233338.179894-3-linux@treblig.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Use the function usb_endpoint_num() and usb_endpoint_type()
rather than constants.
The Coccinelle semantic patch is as follows:
@@ struct usb_endpoint_descriptor *epd; @@
- (epd->bEndpointAddress & \(USB_ENDPOINT_NUMBER_MASK\|0x0f\))
+ usb_endpoint_num(epd)
@@ struct usb_endpoint_descriptor *epd; @@
- (epd->bmAttributes & \(USB_ENDPOINT_XFERTYPE_MASK\|3\))
+ usb_endpoint_type(epd)
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Link: https://lore.kernel.org/r/20250618040204.363383-1-nichen@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Use the function usb_endpoint_num() and usb_endpoint_type()
rather than constants.
The Coccinelle semantic patch is as follows:
@@ struct usb_endpoint_descriptor *epd; @@
- (epd->bEndpointAddress & \(USB_ENDPOINT_NUMBER_MASK\|0x0f\))
+ usb_endpoint_num(epd)
@@ struct usb_endpoint_descriptor *epd; @@
- (epd->bmAttributes & \(USB_ENDPOINT_XFERTYPE_MASK\|3\))
+ usb_endpoint_type(epd)
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Link: https://lore.kernel.org/r/20250618041222.408372-1-nichen@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Use the function usb_endpoint_num() and usb_endpoint_type()
rather than constants.
The Coccinelle semantic patch is as follows:
@@ struct usb_endpoint_descriptor *epd; @@
- (epd->bEndpointAddress & \(USB_ENDPOINT_NUMBER_MASK\|0x0f\))
+ usb_endpoint_num(epd)
@@ struct usb_endpoint_descriptor *epd; @@
- (epd->bmAttributes & \(USB_ENDPOINT_XFERTYPE_MASK\|3\))
+ usb_endpoint_type(epd)
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Link: https://lore.kernel.org/r/20250618070714.817146-1-nichen@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Pull USB / Thunderbolt updates from Greg KH:
"Here is the big set of USB and Thunderbolt changes for 6.16-rc1.
Included in here are the following:
- USB offload support for audio devices.
I think this takes the record for the most number of patch series
(30+) over the longest period of time (2+ years) to get merged
properly.
Many props go to Wesley Cheng for seeing this effort through, they
took a major out-of-tree hacked-up-monstrosity that was created by
multiple vendors for their specific devices, got it all merged into
a semi-coherent set of changes, and got all of the different major
subsystems to agree on how this should be implemented both with
changes to their code as well as userspace apis, AND wrangled the
hardware companies into agreeing to go forward with this, despite
making them all redo work they had already done in their private
device trees.
This feature offers major power savings on embedded devices where a
USB audio stream can continue to flow while the rest of the system
is sleeping, something that devices running on battery power really
care about. There are still some more small tweaks left to be done
here, and those patches are still out for review and arguing among
the different hardware companies, but this is a major step forward
and a great example of how to do upstream development well.
- small number of thunderbolt fixes and updates, things seem to be
slowing down here (famous last words...)
- xhci refactors and reworking to try to handle some rough corner
cases in some hardware implementations where things don't always
work properly
- typec driver updates
- USB3 power management reworking and updates
- Removal of some old and orphaned UDC gadget drivers that had not
been used in a very long time, dropping over 11 thousand lines from
the tree, always a nice thing, making up for the 12k lines added
for the USB offload feature.
- lots of little updates and fixes in different drivers
All of these have been in linux-next for over 2 weeks, the USB offload
logic has been in there for 8 weeks now, with no reported issues"
* tag 'usb-6.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (172 commits)
ALSA: usb-audio: qcom: fix USB_XHCI dependency
ASoC: qdsp6: fix compile-testing without CONFIG_OF
usb: misc: onboard_usb_dev: fix build warning for CONFIG_USB_ONBOARD_DEV_USB5744=n
usb: typec: tipd: fix typo in TPS_STATUS_HIGH_VOLAGE_WARNING macro
USB: typec: fix const issue in typec_match()
USB: gadget: udc: fix const issue in gadget_match_driver()
USB: gadget: fix up const issue with struct usb_function_instance
USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB
USB: serial: bus: fix const issue in usb_serial_device_match()
usb: usbtmc: Fix timeout value in get_stb
usb: usbtmc: Fix read_stb function and get_stb ioctl
ALSA: qc_audio_offload: try to reduce address space confusion
ALSA: qc_audio_offload: avoid leaking xfer_buf allocation
ALSA: qc_audio_offload: rename dma/iova/va/cpu/phys variables
ALSA: usb-audio: qcom: Fix an error handling path in qc_usb_audio_probe()
usb: misc: onboard_usb_dev: Fix usb5744 initialization sequence
dt-bindings: usb: ti,usb8041: Add binding for TI USB8044 hub controller
usb: misc: onboard_usb_dev: Add support for TI TUSB8044 hub
usb: gadget: lpc32xx_udc: Use USB API functions rather than constants
usb: gadget: epautoconf: Use USB API functions rather than constants
...
Pull HID updates from Jiri Kosina:
- support for Apple Magic Mouse 2 USB-C (Aditya Garg)
- power management improvement for multitouch devices (Werner Sembach)
- fix for ACPI initialization in intel-thc driver (Wentao Guan)
- adaptation of HID drivers to use new gpio_chip's line setter
callbacks (Bartosz Golaszewski)
- fix potential OOB in usbhid_parse() (Terry Junge)
- make it possible to set hid_mouse_ignore_list dynamically (the same
way we handle other quirks) (Aditya Garg)
- other small assorted fixes and device ID additions
* tag 'hid-for-linus-2025060301' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
HID: multitouch: Disable touchpad on firmware level while not in use
HID: core: Add functions for HID drivers to react on first open and last close call
HID: HID_APPLETB_BL should depend on X86
HID: HID_APPLETB_KBD should depend on X86
HID: appletb-kbd: Use secs_to_jiffies() instead of msecs_to_jiffies()
HID: intel-thc-hid: intel-thc: make read-only arrays static const
HID: magicmouse: Apple Magic Mouse 2 USB-C support
HID: mcp2221: use new line value setter callbacks
HID: mcp2200: use new line value setter callbacks
HID: cp2112: use new line value setter callbacks
HID: cp2112: use lock guards
HID: cp2112: hold the lock for the entire direction_output() call
HID: cp2112: destroy mutex on driver detach
HID: intel-thc-hid: intel-quicki2c: pass correct arguments to acpi_evaluate_object
HID: corsair-void: Use to_delayed_work()
HID: hid-logitech: use sysfs_emit_at() instead of scnprintf()
HID: quirks: Add HID_QUIRK_IGNORE_MOUSE quirk
HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()
HID: Kysona: Add periodic online check
gadget_match_driver() takes a const pointer, and then decides to cast it
away into a non-const one, which is not a good thing to do overall. Fix
this up by properly setting the pointers to be const to preserve that
attribute.
Fixes: d69d804845 ("driver core: have match() callback in struct bus_type take a const *")
Link: https://lore.kernel.org/r/2025052139-rash-unsaddle-7c5e@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
In struct usb_function, the struct usb_function_instance pointer
variable "fi" is listed as const, but it is written to in numerous
places, making the const marking of it a total lie. Fix this up by just
removing the const pointer attribute as this is modified in numerous
places.
Link: https://lore.kernel.org/r/2025052145-undress-puma-f7cf@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Pull sound fixes from Takashi Iwai:
"A handful small fixes. The only significant change is the fix for MIDI
2.0 UMP handling in ALSA sequencer, but as MIDI 2.0 stuff is still new
and rarely used, the impact should be pretty limited.
Other than that, quirks for USB-audio and a few cosmetic fixes and
changes in drivers that should be safe to apply"
* tag 'sound-6.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera
ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2()
ALSA: sh: SND_AICA should depend on SH_DMA_API
ALSA: usb-audio: Add sample rate quirk for Audioengine D1
ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info
ALSA/hda: intel-sdw-acpi: Correct sdw_intel_acpi_scan() function parameter
ALSA: seq: Fix delivery of UMP events to group ports
Currently when the host sends GET_STATUS request for an interface,
we use get_status callbacks to set/clear remote wakeup capability
of that interface. And if get_status callback isn't present for
that interface, then we assume its remote wakeup capability based
on bmAttributes.
Now consider a scenario, where we have a USB configuration with
multiple interfaces (say ECM + ADB), here ECM is remote wakeup
capable and as of now ADB isn't. And bmAttributes will indicate
the device as wakeup capable. With the current implementation,
when host sends GET_STATUS request for both interfaces, we will
set FUNC_RW_CAP for both. This results in USB3 CV Chapter 9.15
(Function Remote Wakeup Test) failures as host expects remote
wakeup from both interfaces.
The above scenario is just an example, and the failure can be
observed if we use configuration with any interface except ECM.
Hence avoid configuring remote wakeup capability from composite
driver based on bmAttributes, instead use get_status callbacks
and let the function drivers decide this.
Cc: stable <stable@kernel.org>
Fixes: 481c225c48 ("usb: gadget: Handle function suspend feature selector")
Signed-off-by: Prashanth K <prashanth.k@oss.qualcomm.com>
Reviewed-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/20250422103231.1954387-3-prashanth.k@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
We identified a bug where the ST_RC bit in the status register was not
being acknowledged after clearing the CTRL_RUN bit in the control
register. This could lead to unexpected behavior in the USB gadget
drivers.
This patch resolves the issue by adding the necessary code to explicitly
acknowledge ST_RC after clearing CTRL_RUN based on the programming
sequence, ensuring proper state transition.
Fixes: 49db427232 ("usb: gadget: Add UDC driver for tegra XUSB device mode controller")
Cc: stable <stable@kernel.org>
Signed-off-by: Wayne Chang <waynec@nvidia.com>
Link: https://lore.kernel.org/r/20250418081228.1194779-1-waynec@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This patch enhances the HID gadget driver to support dynamic configuration
of the interrupt polling interval (bInterval) via configfs. A new
‘interval’ attribute is exposed under each HID function’s configfs
directory, and any write to it will adjust the poll rate for all endpoints
without requiring a rebuild.
When the attribute has never been written, legacy defaults are preserved:
• Full-Speed (FS) endpoints (IN & OUT) poll every 10 ms
• High-Speed (HS) endpoints (IN & OUT) poll every 4 micro-frames
(~1 ms)
To implement this cleanly:
• Add two new fields to f_hid_opts and f_hidg:
– unsigned char interval
– bool interval_user_set
• Introduce dedicated f_hid_opts_interval_show/store functions.
The store routine parses into an unsigned int, bounds‐checks,
assigns to opts->interval, and sets opts->interval_user_set = true.
• Initialize opts->interval = 4 and opts->interval_user_set = false in
hidg_alloc_inst(), then copy both into the live f_hidg instance in
hidg_alloc().
• In hidg_bind(), set each endpoint’s bInterval based on whether the
user has written the attribute:
– If interval_user_set == false, use FS=10 / HS=4
– If interval_user_set == true, use the user’s value for both FS
& HS
Signed-off-by: Ben Hoff <hoff.benjamin.k@gmail.com>
Link: https://lore.kernel.org/r/20250429182809.811786-1-hoff.benjamin.k@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
In preparation for making the kmalloc family of allocators type aware,
we need to make sure that the returned type from the allocation matches
the type of the variable being assigned. (Before, the allocator would
always return "void *", which can be implicitly cast to any pointer type.)
The assigned type is "struct usb_function **" but the returned type
will be "struct usb_function ***". These are the same size allocation
(pointer size), but different types. Adjust the allocation type to match
the assignment.
Signed-off-by: Kees Cook <kees@kernel.org>
Link: https://lore.kernel.org/r/20250426062125.work.209-kees@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Update struct hid_descriptor to better reflect the mandatory and
optional parts of the HID Descriptor as per USB HID 1.11 specification.
Note: the kernel currently does not parse any optional HID class
descriptors, only the mandatory report descriptor.
Update all references to member element desc[0] to rpt_desc.
Add test to verify bLength and bNumDescriptors values are valid.
Replace the for loop with direct access to the mandatory HID class
descriptor member for the report descriptor. This eliminates the
possibility of getting an out-of-bounds fault.
Add a warning message if the HID descriptor contains any unsupported
optional HID class descriptors.
Reported-by: syzbot+c52569baf0c843f35495@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
Fixes: f043bfc98c ("HID: usbhid: fix out-of-bounds bug")
Cc: stable@vger.kernel.org
Signed-off-by: Terry Junge <linuxhid@cosmicgizmosystems.com>
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
The variable tpgt in usbg_make_tpg() is defined as unsigned long and is
assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an
integer overflow when tpgt is greater than USHRT_MAX (65535). I
haven't tried to trigger it myself, but it is possible to trigger it
by calling usbg_make_tpg() with a large value for tpgt.
I modified the type of tpgt to match tpgt->tport_tpgt and adjusted the
relevant code accordingly.
This patch is similar to commit 59c816c1f2 ("vhost/scsi: potential
memory corruption").
Signed-off-by: Chen Yufeng <chenyufeng@iie.ac.cn>
Link: https://lore.kernel.org/r/20250415065857.1619-1-chenyufeng@iie.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
