Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.15.209 2026-01-19T12:10:05+00:00 2026-01-19T12:10:05+00:00 Jimmy Hu hhhuuu@google.com 2025-12-08T21:02:21+00:00 urn:sha1:eee16f3ff08e759ea828bdf7dc1c0ef2f22134f5 [ Upstream commit baeb66fbd4201d1c4325074e78b1f557dff89b5b ] A race condition during gadget teardown can lead to a use-after-free in usb_gadget_state_work(), as reported by KASAN: BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0 Workqueue: events usb_gadget_state_work The fundamental race occurs because a concurrent event (e.g., an interrupt) can call usb_gadget_set_state() and schedule gadget->work at any time during the cleanup process in usb_del_gadget(). Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue after device removal") attempted to fix this by moving flush_work() to after device_del(). However, this does not fully solve the race, as a new work item can still be scheduled *after* flush_work() completes but before the gadget's memory is freed, leading to the same use-after-free. This patch fixes the race condition robustly by introducing a 'teardown' flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is set during cleanup in usb_del_gadget() *before* calling flush_work() to prevent any new work from being scheduled once cleanup has commenced. The scheduling site, usb_gadget_set_state(), now checks this flag under the lock before queueing the work, thus safely closing the race window. Fixes: 5702f75375aa9 ("usb: gadget: udc-core: move sysfs_notify() to a workqueue") Cc: stable <stable@kernel.org> Signed-off-by: Jimmy Hu <hhhuuu@google.com> Link: https://patch.msgid.link/20251023054945.233861-1-hhhuuu@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> [ Adjust context ] Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-10-29T13:03:15+00:00 Kuen-Han Tsai khtsai@google.com 2025-10-20T16:20:32+00:00 urn:sha1:d44e82f46cd0e348837c31e629bf45d0dcabbe3b [ Upstream commit 201c53c687f2b55a7cc6d9f4000af4797860174b ] Introduce the free_usb_request() function that frees both the request's buffer and the request itself. This function serves as the cleanup callback for DEFINE_FREE() to enable automatic, scope-based cleanup for usb_request pointers. Signed-off-by: Kuen-Han Tsai <khtsai@google.com> Link: https://lore.kernel.org/r/20250916-ready-v1-2-4997bf277548@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Link: https://lore.kernel.org/r/20250916-ready-v1-2-4997bf277548@google.com Stable-dep-of: 75a5b8d4ddd4 ("usb: gadget: f_ncm: Refactor bind path to use __free()") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-10-29T13:03:15+00:00 Kuen-Han Tsai khtsai@google.com 2025-10-20T16:20:31+00:00 urn:sha1:97fc7aa654e305a9a1826b2f94cc281fbc462cf7 [ Upstream commit bfb1d99d969fe3b892db30848aeebfa19d21f57f ] Gadget function drivers often have goto-based error handling in their bind paths, which can be bug-prone. Refactoring these paths to use __free() scope-based cleanup is desirable, but currently blocked. The blocker is that usb_ep_free_request(ep, req) requires two parameters, while the __free() mechanism can only pass a pointer to the request itself. Store an endpoint pointer in the struct usb_request. The pointer is populated centrally in usb_ep_alloc_request() on every successful allocation, making the request object self-contained. Signed-off-by: Kuen-Han Tsai <khtsai@google.com> Link: https://lore.kernel.org/r/20250916-ready-v1-1-4997bf277548@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Link: https://lore.kernel.org/r/20250916-ready-v1-1-4997bf277548@google.com Stable-dep-of: 75a5b8d4ddd4 ("usb: gadget: f_ncm: Refactor bind path to use __free()") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-11-01T00:52:35+00:00 Elson Roy Serrao quic_eserrao@quicinc.com 2023-03-24T21:47:59+00:00 urn:sha1:c3f3926854b12adfd1ca4a20381c108c15733996 [ Upstream commit f0db885fb05d35befa81896db6b19eb3ee9ccdfe ] USB3.2 spec section 9.2.5.4 quotes that a function may signal that it wants to exit from Function Suspend by sending a Function Wake Notification to the host if it is enabled for function remote wakeup. Add an api in composite layer that can be used by the function drivers to support this feature. Also expose a gadget op so that composite layer can trigger a wakeup request to the UDC driver. Reviewed-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com> Signed-off-by: Elson Roy Serrao <quic_eserrao@quicinc.com> Link: https://lore.kernel.org/r/1679694482-16430-4-git-send-email-quic_eserrao@quicinc.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Stable-dep-of: 705e3ce37bcc ("usb: dwc3: core: Fix system suspend on TI AM62 platforms") Signed-off-by: Sasha Levin <sashal@kernel.org> 2023-05-30T12:55:29+00:00 Elson Roy Serrao quic_eserrao@quicinc.com 2023-03-24T21:47:57+00:00 urn:sha1:7919af1dcb8eae143d8e787086e1ab4f2083e1fd [ Upstream commit b93c2a68f3d9dc98ec30dcb342ae47c1c8d09d18 ] The wakeup bit in the bmAttributes field indicates whether the device is configured for remote wakeup. But this field should be allowed to set only if the UDC supports such wakeup mechanism. So configure this field based on UDC capability. Also inform the UDC whether the device is configured for remote wakeup by implementing a gadget op. Reviewed-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com> Signed-off-by: Elson Roy Serrao <quic_eserrao@quicinc.com> Link: https://lore.kernel.org/r/1679694482-16430-2-git-send-email-quic_eserrao@quicinc.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Stable-dep-of: 4e8ef34e36f2 ("usb: dwc3: fix gadget mode suspend interrupt handler issue") Signed-off-by: Sasha Levin <sashal@kernel.org> 2021-08-13T11:05:51+00:00 Chunfeng Yun chunfeng.yun@mediatek.com 2021-08-13T06:30:53+00:00 urn:sha1:97d99f7e8f1ccaa18d6447f4a3b0b48ed64aa214 usb_endpoint_maxp() already returns actual max packet size, no need to AND 0x7ff. Acked-by: Felipe Balbi <balbi@kernel.org> Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com> Link: https://lore.kernel.org/r/1628836253-7432-7-git-send-email-chunfeng.yun@mediatek.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-07-12T07:37:25+00:00 Wesley Cheng wcheng@codeaurora.org 2021-07-10T09:13:10+00:00 urn:sha1:ce7d0008c2356626f69f37ef1afce8fbc83fe142 Some UDCs may have constraints on how many high bandwidth endpoints it can support in a certain configuration. This API allows for the composite driver to pass down the total number of endpoints to the UDC so it can verify it has the required resources to support the configuration. Signed-off-by: Wesley Cheng <wcheng@codeaurora.org> Link: https://lore.kernel.org/r/1625908395-5498-2-git-send-email-wcheng@codeaurora.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-06-04T11:51:55+00:00 Alan Stern stern@rowland.harvard.edu 2021-05-20T20:21:44+00:00 urn:sha1:7dc0c55e9f302e7048e040ee4437437bbea1e2cd The Gadget API has a theoretical race when a gadget driver is unbound. Although the pull-up is turned off before the driver's ->unbind callback runs, if the USB cable were to be unplugged at just the wrong moment there would be nothing to prevent the UDC driver from invoking the ->disconnect callback after the unbind has finished. In theory, other asynchronous callbacks could also happen during the time before the UDC driver's udc_stop routine is called, and the gadget driver would not be prepared to handle any of them. We need a way to tell UDC drivers to stop issuing asynchronous (that is, ->suspend, ->resume, ->disconnect, ->reset, or ->setup) callbacks at some point after the pull-up has been turned off and before the ->unbind callback runs. This patch adds a new ->udc_async_callbacks callback to the usb_gadget_ops structure for precisely this purpose, and it adds the corresponding support to the UDC core. Later patches in this series add support for udc_async_callbacks to several UDC drivers. Acked-by: Felipe Balbi <balbi@kernel.org> Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Link: https://lore.kernel.org/r/20210520202144.GC1216852@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-05-21T18:05:31+00:00 Zhen Lei thunder.leizhen@huawei.com 2021-05-17T09:40:20+00:00 urn:sha1:24bb0076d7bc0ea4caf0af55bd0273a1c343748a Fix some spelling mistakes in comments: trasfer ==> transfer consumtion ==> consumption endoint ==> endpoint sharable ==> shareable contraints ==> constraints Auxilary ==> Auxiliary correspondig ==> corresponding interupt ==> interrupt inifinite ==> infinite assignement ==> assignment Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com> Link: https://lore.kernel.org/r/20210517094020.7310-1-thunder.leizhen@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-01-18T17:40:08+00:00 Thinh Nguyen Thinh.Nguyen@synopsys.com 2021-01-14T02:53:07+00:00 urn:sha1:ead4c124852e66b6aa033e34cf9c4f08d40aeffc A SuperSpeed Plus device may operate at different speed and lane count (i.e. gen2x2, gen1x2, or gen2x1). Introduce gadget ops udc_set_ssp_rate() to set the desire corresponding usb_ssp_rate for SuperSpeed Plus capable devices. If the USB device supports different speeds at SuperSpeed Plus, set the device to operate with the maximum number of lanes and speed. Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com> Link: https://lore.kernel.org/r/9b85357cdadc02e3f0d653fd05f89eb46af836e1.1610592135.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>