Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.22 2026-03-04T12:20:34+00:00 2026-03-04T12:20:34+00:00 Sam Day me@samcday.com 2026-01-07T22:30:20+00:00 urn:sha1:7a8ac86f5133c7efdd372adfdc01e7863b15055d [ Upstream commit 8e4c1d06183c25022f6b0002a5cab84979ca6337 ] When ffs_epfile_ioctl handles FUNCTIONFS_DMABUF_* ioctls, it's currently falling through when copy_from_user fails. However, this fallthrough isn't being checked properly, so the handler continues executing further than it should. It then tries the secondary dispatch where it ultimately gives up and returns -ENOTTY. The end result is invalid ioctl invocations will yield a -ENOTTY rather than an -EFAULT. It's a common pattern elsewhere in the kernel code to directly return -EFAULT when copy_from_user fails. So we update ffs_epfile_ioctl to do the same and fix this issue. Signed-off-by: Sam Day <me@samcday.com> Link: https://patch.msgid.link/20260108-ffs-dmabuf-ioctl-fix-v1-1-e51633891a81@samcday.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-03-04T12:20:34+00:00 Sam Day me@samcday.com 2026-01-07T22:30:21+00:00 urn:sha1:09820593b5069bcd620a1c4043dd1a5cf200f007 [ Upstream commit 0145e7acd29855dfba4a2f387d455b5d9a520f0e ] Currently, DMA_FROM_DEVICE is used when attaching DMABUFs to IN endpoints and DMA_TO_DEVICE for OUT endpoints. This is inverted from how it should be. The result is IOMMU read-only mappings placed on OUT queues, triggering arm-smmu write faults. Put differently, OUT endpoints flow data from host -> gadget, meaning the UDC peripheral needs to have write access to the buffer to fill it with the incoming data. This commit flips the directions and updates the implicit-sync helpers so IN endpoints act as readers and OUT endpoints as writers. Signed-off-by: Sam Day <me@samcday.com> Tested-by: David Heidelberg <david@ixit.cz> # OnePlus 6T on sdm845-next-20251119 Link: https://patch.msgid.link/20260108-ffs-dmabuf-ioctl-fix-v1-2-e51633891a81@samcday.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-01-23T10:21:36+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2026-01-21T17:21:16+00:00 urn:sha1:2d1bf4a7b8ed87ab32adaa40f53dfe332755451d This reverts commit b49c766856fb5901490de577e046149ebf15e39d which is commit e5bf5ee266633cb18fff6f98f0b7d59a62819eee upstream. It has been reported to cause test problems in Android devices. As the other functionfs changes were not also backported at the same time, something is out of sync. So just revert this one for now and it can come back in the future as a patch series if it is tested. Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-01-02T11:57:01+00:00 Al Viro viro@zeniv.linux.org.uk 2025-11-14T07:18:22+00:00 urn:sha1:b49c766856fb5901490de577e046149ebf15e39d [ Upstream commit e5bf5ee266633cb18fff6f98f0b7d59a62819eee ] ffs_epfile_open() can race with removal, ending up with file->private_data pointing to freed object. There is a total count of opened files on functionfs (both ep0 and dynamic ones) and when it hits zero, dynamic files get removed. Unfortunately, that removal can happen while another thread is in ffs_epfile_open(), but has not incremented the count yet. In that case open will succeed, leaving us with UAF on any subsequent read() or write(). The root cause is that ffs->opened is misused; atomic_dec_and_test() vs. atomic_add_return() is not a good idea, when object remains visible all along. To untangle that * serialize openers on ffs->mutex (both for ep0 and for dynamic files) * have dynamic ones use atomic_inc_not_zero() and fail if we had zero ->opened; in that case the file we are opening is doomed. * have the inodes of dynamic files marked on removal (from the callback of simple_recursive_removal()) - clear ->i_private there. * have open of dynamic ones verify they hadn't been already removed, along with checking that state is FFS_ACTIVE. Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Sasha Levin <sashal@kernel.org> 2025-10-04T23:07:08+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-10-04T23:07:08+00:00 urn:sha1:c6006b8ca14dcc604567be99fc4863e6e11ab6e3 Pull USB / Thunderbolt updates from Greg KH: "Here is the big set of USB and thunderbolt drivers for 6.18-rc1. It was another normal development cycle, with lots of the usual drivers getting updates: - Thunderbolt driver cleanups and additions - dwc3 driver updates - dwc2 driver updates - typec driver updates - xhci driver updates and additions - offload USB engine updates for better power management - unused tracepoint removals - usb gadget fixes and updates as more users start to rely on these drivers instead of the "old" function gadget drivers - new USB device ids - other minor driver USB driver updates - new USB I/O driver framework and driver additions" The last item, the usb i/o driver, has an i2c and gpio driver added through this tree. Those drivers were acked by the respective subsystem maintainers. All of these have been in linux-next for a while" * tag 'usb-6.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (132 commits) usb: vhci-hcd: Prevent suspending virtually attached devices USB: serial: option: add SIMCom 8230C compositions thunderbolt: Fix use-after-free in tb_dp_dprx_work usb: xhci: align PORTSC trace with one-based port numbering usb: xhci: correct indentation for PORTSC tracing function usb: xhci: improve TR Dequeue Pointer mask usb: xhci-pci: add support for hosts with zero USB3 ports usb: xhci: Update a comment about Stop Endpoint retries Revert "usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running" usb: gadget: f_rndis: Refactor bind path to use __free() usb: gadget: f_ecm: Refactor bind path to use __free() usb: gadget: f_acm: Refactor bind path to use __free() usb: gadget: f_ncm: Refactor bind path to use __free() usb: gadget: Introduce free_usb_request helper usb: gadget: Store endpoint pointer in usb_request usb: host: xhci-rcar: Add Renesas RZ/G3E USB3 Host driver support usb: host: xhci-plat: Add .post_resume_quirk for struct xhci_plat_priv usb: host: xhci-rcar: Move R-Car reg definitions dt-bindings: usb: Document Renesas RZ/G3E USB3HOST usb: gadget: f_fs: Fix epfile null pointer access after ep enable. ... 2025-09-17T10:42:47+00:00 Owen Gu guhuinan@xiaomi.com 2025-09-15T09:29:07+00:00 urn:sha1:cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable(). The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock. Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues Signed-off-by: Owen Gu <guhuinan@xiaomi.com> Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-09-15T14:09:42+00:00 Mateusz Guzik mjguzik@gmail.com 2025-09-15T12:57:29+00:00 urn:sha1:f99b3917789d83ea89b24b722d784956f8289f45 generic_delete_inode() is rather misleading for what the routine is doing. inode_just_drop() should be much clearer. The new naming is inconsistent with generic_drop_inode(), so rename that one as well with inode_ as the suffix. No functional changes. Signed-off-by: Mateusz Guzik <mjguzik@gmail.com> Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Christian Brauner <brauner@kernel.org> 2025-07-29T17:17:10+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-07-29T17:17:10+00:00 urn:sha1:4eee1520ea845a6d6d82e85498d9412419560871 Pull USB / Thunderbolt updates from Greg KH: "Here is the big set of USB and Thunderbolt driver changes for 6.17-rc1. Lots of little things in here, mostly all small cleanups and updates, no major new features this development cycle. Stuff included in here is: - xhci minor tweaks for error handling - typec minor updates and a driver update - gadget driver api cleanups - unused function removals - unbind memory leak fixes - a few new device ids added - a few new devices supported for some drivers - other minor cleanups and changes All of these have been in linux-next with no reported issues, with the leak fixes being in the shortest amount of time, but they are 'obviously correct' :)" * tag 'usb-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (100 commits) usb: musb: omap2430: clean up probe error handling usb: musb: omap2430: fix device leak at unbind usb: gadget: udc: renesas_usb3: fix device leak at unbind usb: dwc3: meson-g12a: fix device leaks at unbind usb: dwc3: imx8mp: fix device leak at unbind usb: musb: omap2430: enable compile testing usb: gadget: udc: renesas_usb3: drop unused module alias usb: xhci: print xhci->xhc_state when queue_command failed usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init() USB: serial: option: add Foxconn T99W709 usb: core: add urb->sgt parameter description thunderbolt: Fix copy+paste error in match_service_id() usb: typec: ucsi: Update power_supply on power role change usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default usb: typec: fusb302: cache PD RX state usb: typec: ucsi: yoga-c630: add DRM dependency usb: gadget : fix use-after-free in composite_dev_cleanup() usb: chipidea: imx: Add a missing blank line usb: gadget: f_uac1: replace scnprintf() with sysfs_emit() usb: usblp: clean up assignment inside if conditions ... 2025-07-07T09:05:21+00:00 Ingo Rohloff ingo.rohloff@lauterbach.com 2025-07-01T11:36:02+00:00 urn:sha1:b581e472d95d584d2e30e34f3e055d9754faddb2 Commit 24729b307eefc ("usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete") moved the call to usb_ep_free_request() from ffs_epfile_async_io_complete() to ffs_user_copy_worker(). In ffs_user_copy_worker(), ki_complete() is called before usb_ep_free_request(). Once ki_complete() returns, ffs_aio_cancel() can no longer be invoked for the completed kiocb, as ki_complete() removes it from the &ctx->active_reqs list in aio.c. ffs_aio_cancel() only applies to kiocb instances still present on this list. The potential race between ki_complete() and ffs_aio_cancel() is already guarded by the &ctx->ctx_lock spinlock in aio.c. As a result, there is no race condition between the usb_ep_dequeue() call in ffs_aio_cancel() and the usb_ep_free_request() call in ffs_user_copy_worker(). Consequently, the spin lock/unlock operations on &io_data->ffs->eps_lock are no longer necessary. Signed-off-by: Ingo Rohloff <ingo.rohloff@lauterbach.com> Link: https://lore.kernel.org/r/20250701113602.33402-2-ingo.rohloff@lauterbach.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-07-03T02:36:52+00:00 Al Viro viro@zeniv.linux.org.uk 2025-03-10T04:45:20+00:00 urn:sha1:bad356bb50e64170f8af14a00797a04313846aeb usual mount leaks if something had been bound on top of disappearing files there. Reviewed-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>