* [PATCH v2] media: airspy: use vb2_video_unregister_device() on disconnect to fix NULL deref
From: Valery Borovsky @ 2026-05-23 16:53 UTC (permalink / raw)
To: mchehab; +Cc: hverkuil+cisco, linux-media, stable, linux-kernel, linux-usb
In-Reply-To: <f202c8ae-554f-49de-a9d1-add337e28515@kernel.org>
airspy_disconnect() clears s->udev under v4l2_lock, but
airspy_stop_streaming() unconditionally calls airspy_ctrl_msg() and
airspy_free_stream_bufs() afterwards. If a streaming user closes the
device after disconnect, stop_streaming() runs and dereferences the
NULL s->udev:
  airspy_stop_streaming()
    airspy_ctrl_msg(s, CMD_RECEIVER_MODE, 0, 0, NULL, 0)
      usb_sndctrlpipe(s->udev, 0)        /* NULL deref */
    airspy_free_stream_bufs(s)
      usb_free_coherent(s->udev, ...)    /* NULL deref */
The airspy driver uses vb2_fop_release() in its file_operations, so
replace video_unregister_device(&s->vdev) with
vb2_video_unregister_device(&s->vdev) and move it before clearing
s->udev. vb2_video_unregister_device() releases the vb2 queue, which
synchronously runs airspy_stop_streaming() if streaming is active, so
the URBs, coherent DMA stream buffers and the hardware stop control
message all execute while s->udev is still valid.
vb2_video_unregister_device() locks vdev->queue->lock (vb_queue_lock)
internally, and stop_streaming() locks v4l2_lock, so the previous outer
mutex_lock(&s->vb_queue_lock) / mutex_lock(&s->v4l2_lock) pair around
the unregister sequence would self-deadlock and has been removed. A
short v4l2_lock critical section around s->udev = NULL remains so any
ioctl path that still holds the file descriptor sees coherent state.
Issue identified by automated review of the INV-003 series at
https://sashiko.dev/
Fixes: 634fe5033951 ("[media] airspy: AirSpy SDR driver")
Cc: stable@vger.kernel.org
Suggested-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Valery Borovsky <vebohr@gmail.com>
---
Changes since v1
(https://lore.kernel.org/linux-media/20260513052617.140688-1-vebohr@gmail.com/):
- Rewritten per Hans Verkuil's review
(https://lore.kernel.org/linux-media/f202c8ae-554f-49de-a9d1-add337e28515@kernel.org/):
fix the root cause in airspy_disconnect() by replacing
video_unregister_device() with vb2_video_unregister_device() and
moving it before clearing s->udev, instead of guarding the hardware
teardown in airspy_stop_streaming() with "if (s->udev)".
vb2_video_unregister_device() releases the queue, which synchronously
calls stop_streaming() while s->udev is still valid, so the guard is
no longer needed; airspy_stop_streaming() is unchanged.
- Dropped the outer mutex_lock(&s->vb_queue_lock) /
mutex_lock(&s->v4l2_lock) around the unregister sequence:
vb2_video_unregister_device() acquires vb_queue_lock internally and
stop_streaming() acquires v4l2_lock, so holding either of those
while calling the unregister helper self-deadlocks.
- Rebased on media-committers/next.
drivers/media/usb/airspy/airspy.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
index 57edb42463e8..358a66ab8e48 100644
--- a/drivers/media/usb/airspy/airspy.c
+++ b/drivers/media/usb/airspy/airspy.c
@@ -464,14 +464,21 @@ static void airspy_disconnect(struct usb_interface *intf)
dev_dbg(s->dev, "\n");
- mutex_lock(&s->vb_queue_lock);
+ /*
+ * vb2_video_unregister_device() releases the vb2 queue, which
+ * triggers airspy_stop_streaming() if streaming is active.
+ * stop_streaming() dereferences s->udev via airspy_ctrl_msg() and
+ * airspy_free_stream_bufs(), so it must run before s->udev is
+ * cleared. vb2_video_unregister_device() locks vb_queue_lock
+ * internally and stop_streaming() locks v4l2_lock, so neither may
+ * be held by the caller.
+ */
+ v4l2_device_disconnect(&s->v4l2_dev);
+ vb2_video_unregister_device(&s->vdev);
+
mutex_lock(&s->v4l2_lock);
- /* No need to keep the urbs around after disconnection */
s->udev = NULL;
- v4l2_device_disconnect(&s->v4l2_dev);
- video_unregister_device(&s->vdev);
mutex_unlock(&s->v4l2_lock);
- mutex_unlock(&s->vb_queue_lock);
v4l2_device_put(&s->v4l2_dev);
}
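Review bot: the new comment above v4l2_device_disconnect() explains why the unregister must precede "s->udev = NULL", but it does not say what the remaining mutex_lock(&s->v4l2_lock) / mutex_unlock(&s->v4l2_lock) pair around that store still protects once vb2_video_unregister_device() has returned. The commit message gives the reason (ioctl paths that still hold the file descriptor); please carry that sentence into the code comment so the lock is not removed later as dead. v4l2_device_disconnect() also moves outside v4l2_lock in this hunk, so it is worth confirming in the same comment that it needs no lock held.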
--
2.51.0
^ permalink raw reply related
* [BUG] thunderbolt: USB4 v2 TBGAA tunnel creation crash in TMU enhanced uni-directional mode
From: Sebastian Loscher @ 2026-05-23 16:43 UTC (permalink / raw)
To: mika.westerberg; +Cc: linux-usb, andreas.noever, michael.jamet
Hi Mika and the Linux USB team,
I hope you are well. I am testing a new Thunderbolt 5 setup on a brand-new AMD Strix Halo system, and I have run into a reproducible hardware panic during the initial connection handshake.
I have gathered full dynamic debug traces and would appreciate your insight on whether this requires a specific hardware quirk.
This is my first report in such format ever, maybe big for me but please bear with me.
Hardware:
Host: Minisforum MS-S1 Max (AMD Strix Halo USB4 v2 controller)
Dock: Minisforum eGPU dock (Vendor 0x41f, Device 0xd002, TBGAA controller)
Kernel: CachyOS (state your exact kernel version, e.g., 6.12-rcX)
The Issue:
When plugging in the Thunderbolt 5 dock, the connection fails during USB3 tunnel creation and drops entirely.
Using dyndbg="file drivers/thunderbolt/* +p", the trace shows the AMD host successfully shifting the dock into TB5 asymmetric routing (TMU: mode set to: enhanced uni-directional, MedRes). However, immediately after querying the NVM authentication status of the retimers (reading NVM authentication status of retimers), the dock suffers a hardware panic and physically drops the link (acking hot unplug event on 0:1).
The subsequent -107 and -71 PCIe/USB errors appear to be the Linux driver attempting to route through a connection the dock has already severed.
Attached:
Full dynamic debug dmesg trace of the hotplug event.
I deeply hope this contribution can help the community. Let me know if there is anything else I can help with. And keep up the great work.
Kind regards
Sebastian
[-- Attachment #2: egpu_crash_log.txt --]
[-- Type: text/plain, Size: 16948 bytes --]
[ 332.894110] [UFW BLOCK] IN=enp98s0 OUT= MAC= SRC=fe80:0000:0000:0000:ee0c:b911:402c:55a2 DST=ff02:0000:0000:0000:0000:0000:0001:0003 LEN=76 TC=0 HOPLIMIT=255 FLOWLBL=319052 PROTO=UDP SPT=5355 DPT=5355 LEN=36
[ 335.894390] [UFW BLOCK] IN=enp97s0 OUT= MAC= SRC=10.23.1.207 DST=224.0.0.252 LEN=56 TOS=0x00 PREC=0x00 TTL=255 ID=13896 PROTO=UDP SPT=5355 DPT=5355 LEN=36
[ 352.890811] [UFW BLOCK] IN=enp98s0 OUT= MAC= SRC=fe80:0000:0000:0000:ee0c:b911:402c:55a2 DST=ff02:0000:0000:0000:0000:0000:0001:0003 LEN=76 TC=0 HOPLIMIT=255 FLOWLBL=319052 PROTO=UDP SPT=5355 DPT=5355 LEN=36
[ 355.893947] [UFW BLOCK] IN=enp98s0 OUT= MAC= SRC=10.23.107.208 DST=224.0.0.252 LEN=56 TOS=0x00 PREC=0x00 TTL=255 ID=8056 PROTO=UDP SPT=5355 DPT=5355 LEN=36
[ 370.697051] thunderbolt 0000:67:00.0: acking hot plug event on 0:1
[ 370.697152] thunderbolt 0000:67:00.0: 0:1: hotplug: scanning
[ 370.697256] thunderbolt 0000:67:00.0: 0:1: is connected, link is up (state: 2)
[ 370.697795] thunderbolt 0000:67:00.0: current switch config:
[ 370.697803] thunderbolt 0000:67:00.0: USB4 Switch: 8087:5786 (Revision: 133, TB Version: 64)
[ 370.697807] thunderbolt 0000:67:00.0: Max Port Number: 23
[ 370.697810] thunderbolt 0000:67:00.0: Config:
[ 370.697812] thunderbolt 0000:67:00.0: Upstream Port Number: 1 Depth: 0 Route String: 0x0 Enabled: 0, PlugEventsDelay: 10ms
[ 370.697815] thunderbolt 0000:67:00.0: unknown1: 0x0 unknown4: 0x0
[ 370.700819] thunderbolt 0000:67:00.0: initializing Switch at 0x1 (depth: 1, up port: 1)
[ 370.701184] thunderbolt 0000:67:00.0: 1: link: USB4
[ 370.701185] thunderbolt 0000:67:00.0: 1: TBT3 support: yes, xHCI: yes
[ 370.702464] thunderbolt 0000:67:00.0: 1: credit allocation parameters:
[ 370.702465] thunderbolt 0000:67:00.0: 1: USB3: 20
[ 370.702466] thunderbolt 0000:67:00.0: 1: DP AUX: 1
[ 370.702466] thunderbolt 0000:67:00.0: 1: DP main: 6
[ 370.702467] thunderbolt 0000:67:00.0: 1: PCIe: 76
[ 370.702468] thunderbolt 0000:67:00.0: 1: unknown credit allocation index 0x0, skipping
[ 370.706433] thunderbolt 0000:67:00.0: 1: DROM version: 1
[ 370.708353] thunderbolt 0000:67:00.0: 1: uid: 0x1bce40080871534
[ 370.709632] thunderbolt 0000:67:00.0: Port 1: 0:5780 (Revision: 0, TB Version: 1, Type: Port (0x1))
[ 370.709634] thunderbolt 0000:67:00.0: Max hop id (in/out): 31/31
[ 370.709635] thunderbolt 0000:67:00.0: Max counters: 4
[ 370.709635] thunderbolt 0000:67:00.0: NFC Credits: 0x4a000000
[ 370.709636] thunderbolt 0000:67:00.0: Credits (total/control): 160/2
[ 370.710784] thunderbolt 0000:67:00.0: Port 2: 0:5780 (Revision: 0, TB Version: 1, Type: Port (0x1))
[ 370.710785] thunderbolt 0000:67:00.0: Max hop id (in/out): 31/31
[ 370.710785] thunderbolt 0000:67:00.0: Max counters: 0
[ 370.710786] thunderbolt 0000:67:00.0: NFC Credits: 0xca000000
[ 370.710786] thunderbolt 0000:67:00.0: Credits (total/control): 160/2
[ 370.711929] thunderbolt 0000:67:00.0: acking hot plug event on 1:13
[ 370.712061] thunderbolt 0000:67:00.0: acking hot plug event on 1:14
[ 370.712066] thunderbolt 0000:67:00.0: Port 3: 0:5780 (Revision: 0, TB Version: 1, Type: Port (0x1))
[ 370.712067] thunderbolt 0000:67:00.0: Max hop id (in/out): 31/31
[ 370.712068] thunderbolt 0000:67:00.0: Max counters: 4
[ 370.712068] thunderbolt 0000:67:00.0: NFC Credits: 0x8a000000
[ 370.712069] thunderbolt 0000:67:00.0: Credits (total/control): 160/2
[ 370.712189] thunderbolt 0000:67:00.0: acking hot plug event on 1:16
[ 370.713215] thunderbolt 0000:67:00.0: Port 4: 0:5780 (Revision: 0, TB Version: 1, Type: Port (0x1))
[ 370.713216] thunderbolt 0000:67:00.0: Max hop id (in/out): 31/31
[ 370.713217] thunderbolt 0000:67:00.0: Max counters: 0
[ 370.713217] thunderbolt 0000:67:00.0: NFC Credits: 0x8a000000
[ 370.713217] thunderbolt 0000:67:00.0: Credits (total/control): 160/2
[ 370.714495] thunderbolt 0000:67:00.0: Port 5: 0:5780 (Revision: 0, TB Version: 1, Type: Port (0x1))
[ 370.714496] thunderbolt 0000:67:00.0: Max hop id (in/out): 31/31
[ 370.714497] thunderbolt 0000:67:00.0: Max counters: 4
[ 370.714497] thunderbolt 0000:67:00.0: NFC Credits: 0x8a000000
[ 370.714497] thunderbolt 0000:67:00.0: Credits (total/control): 160/2
[ 370.715647] thunderbolt 0000:67:00.0: Port 6: 0:5780 (Revision: 0, TB Version: 1, Type: Port (0x1))
[ 370.715648] thunderbolt 0000:67:00.0: Max hop id (in/out): 31/31
[ 370.715649] thunderbolt 0000:67:00.0: Max counters: 0
[ 370.715649] thunderbolt 0000:67:00.0: NFC Credits: 0x8a000000
[ 370.715649] thunderbolt 0000:67:00.0: Credits (total/control): 160/2
[ 370.716928] thunderbolt 0000:67:00.0: Port 7: 0:5780 (Revision: 0, TB Version: 1, Type: Port (0x1))
[ 370.716929] thunderbolt 0000:67:00.0: Max hop id (in/out): 31/31
[ 370.716929] thunderbolt 0000:67:00.0: Max counters: 4
[ 370.716930] thunderbolt 0000:67:00.0: NFC Credits: 0x8a000000
[ 370.716930] thunderbolt 0000:67:00.0: Credits (total/control): 160/2
[ 370.718079] thunderbolt 0000:67:00.0: Port 8: 0:5780 (Revision: 0, TB Version: 1, Type: Port (0x1))
[ 370.718080] thunderbolt 0000:67:00.0: Max hop id (in/out): 31/31
[ 370.718081] thunderbolt 0000:67:00.0: Max counters: 0
[ 370.718081] thunderbolt 0000:67:00.0: NFC Credits: 0x8a000000
[ 370.718082] thunderbolt 0000:67:00.0: Credits (total/control): 160/2
[ 370.718336] thunderbolt 0000:67:00.0: Port 9: 0:5780 (Revision: 0, TB Version: 1, Type: PCIe (0x100102))
[ 370.718337] thunderbolt 0000:67:00.0: Max hop id (in/out): 8/8
[ 370.718337] thunderbolt 0000:67:00.0: Max counters: 2
[ 370.718338] thunderbolt 0000:67:00.0: NFC Credits: 0x40800000
[ 370.718338] thunderbolt 0000:67:00.0: Credits (total/control): 8/0
[ 370.718591] thunderbolt 0000:67:00.0: Port 10: 0:5780 (Revision: 0, TB Version: 1, Type: PCIe (0x100101))
[ 370.718592] thunderbolt 0000:67:00.0: Max hop id (in/out): 8/8
[ 370.718593] thunderbolt 0000:67:00.0: Max counters: 2
[ 370.718593] thunderbolt 0000:67:00.0: NFC Credits: 0x40800000
[ 370.718593] thunderbolt 0000:67:00.0: Credits (total/control): 8/0
[ 370.719103] thunderbolt 0000:67:00.0: Port 11: 0:5780 (Revision: 0, TB Version: 1, Type: DP/HDMI (0xe0102))
[ 370.719105] thunderbolt 0000:67:00.0: Max hop id (in/out): 9/9
[ 370.719105] thunderbolt 0000:67:00.0: Max counters: 2
[ 370.719105] thunderbolt 0000:67:00.0: NFC Credits: 0x800000
[ 370.719106] thunderbolt 0000:67:00.0: Credits (total/control): 8/0
[ 370.719615] thunderbolt 0000:67:00.0: Port 12: 0:5780 (Revision: 0, TB Version: 1, Type: DP/HDMI (0xe0102))
[ 370.719616] thunderbolt 0000:67:00.0: Max hop id (in/out): 9/9
[ 370.719617] thunderbolt 0000:67:00.0: Max counters: 2
[ 370.719617] thunderbolt 0000:67:00.0: NFC Credits: 0x800000
[ 370.719618] thunderbolt 0000:67:00.0: Credits (total/control): 8/0
[ 370.719618] thunderbolt 0000:67:00.0: 1:13: disabled by eeprom
[ 370.719619] thunderbolt 0000:67:00.0: 1:14: disabled by eeprom
[ 370.719746] thunderbolt 0000:67:00.0: Port 15: not implemented
[ 370.719746] thunderbolt 0000:67:00.0: 1:16: disabled by eeprom
[ 370.719999] thunderbolt 0000:67:00.0: Port 17: 0:5780 (Revision: 0, TB Version: 1, Type: PCIe (0x100101))
[ 370.720000] thunderbolt 0000:67:00.0: Max hop id (in/out): 8/8
[ 370.720001] thunderbolt 0000:67:00.0: Max counters: 2
[ 370.720001] thunderbolt 0000:67:00.0: NFC Credits: 0x40800000
[ 370.720002] thunderbolt 0000:67:00.0: Credits (total/control): 8/0
[ 370.720255] thunderbolt 0000:67:00.0: Port 18: 0:5780 (Revision: 0, TB Version: 1, Type: PCIe (0x100101))
[ 370.720256] thunderbolt 0000:67:00.0: Max hop id (in/out): 8/8
[ 370.720257] thunderbolt 0000:67:00.0: Max counters: 2
[ 370.720257] thunderbolt 0000:67:00.0: NFC Credits: 0x40800000
[ 370.720258] thunderbolt 0000:67:00.0: Credits (total/control): 8/0
[ 370.720768] thunderbolt 0000:67:00.0: Port 19: 0:5780 (Revision: 0, TB Version: 1, Type: DP/HDMI (0xe0102))
[ 370.720769] thunderbolt 0000:67:00.0: Max hop id (in/out): 9/9
[ 370.720769] thunderbolt 0000:67:00.0: Max counters: 2
[ 370.720770] thunderbolt 0000:67:00.0: NFC Credits: 0x800000
[ 370.720770] thunderbolt 0000:67:00.0: Credits (total/control): 8/0
[ 370.721023] thunderbolt 0000:67:00.0: Port 20: 0:5780 (Revision: 0, TB Version: 1, Type: USB (0x200102))
[ 370.721024] thunderbolt 0000:67:00.0: Max hop id (in/out): 8/8
[ 370.721025] thunderbolt 0000:67:00.0: Max counters: 1
[ 370.721025] thunderbolt 0000:67:00.0: NFC Credits: 0x800000
[ 370.721026] thunderbolt 0000:67:00.0: Credits (total/control): 8/0
[ 370.721279] thunderbolt 0000:67:00.0: Port 21: 0:5780 (Revision: 0, TB Version: 1, Type: USB (0x200101))
[ 370.721280] thunderbolt 0000:67:00.0: Max hop id (in/out): 8/8
[ 370.721281] thunderbolt 0000:67:00.0: Max counters: 1
[ 370.721281] thunderbolt 0000:67:00.0: NFC Credits: 0x800000
[ 370.721282] thunderbolt 0000:67:00.0: Credits (total/control): 8/0
[ 370.721535] thunderbolt 0000:67:00.0: Port 22: 0:5780 (Revision: 0, TB Version: 1, Type: USB (0x200101))
[ 370.721536] thunderbolt 0000:67:00.0: Max hop id (in/out): 8/8
[ 370.721537] thunderbolt 0000:67:00.0: Max counters: 1
[ 370.721537] thunderbolt 0000:67:00.0: NFC Credits: 0x800000
[ 370.721537] thunderbolt 0000:67:00.0: Credits (total/control): 8/0
[ 370.721791] thunderbolt 0000:67:00.0: Port 23: 0:5780 (Revision: 0, TB Version: 1, Type: USB (0x200101))
[ 370.721792] thunderbolt 0000:67:00.0: Max hop id (in/out): 8/8
[ 370.721793] thunderbolt 0000:67:00.0: Max counters: 1
[ 370.721793] thunderbolt 0000:67:00.0: NFC Credits: 0x800000
[ 370.721793] thunderbolt 0000:67:00.0: Credits (total/control): 8/0
[ 370.721794] thunderbolt 0000:67:00.0: 1: running quirk_usb3_maximum_bandwidth [thunderbolt]
[ 370.721818] thunderbolt 0000:67:00.0: 1:21: USB3 maximum bandwidth limited to 16376 Mb/s
[ 370.721819] thunderbolt 0000:67:00.0: 1:22: USB3 maximum bandwidth limited to 16376 Mb/s
[ 370.721820] thunderbolt 0000:67:00.0: 1:23: USB3 maximum bandwidth limited to 16376 Mb/s
[ 370.722047] thunderbolt 0000:67:00.0: 1: current link speed 40.0 Gb/s
[ 370.722048] thunderbolt 0000:67:00.0: 1: current link width symmetric, dual lanes
[ 370.722687] thunderbolt 0000:67:00.0: 1: preferred link width symmetric, dual lanes
[ 370.723455] thunderbolt 0000:67:00.0: 1: CLx: current mode: disabled
[ 370.730752] thunderbolt 0000:67:00.0: 1: TMU: supports uni-directional mode
[ 370.730753] thunderbolt 0000:67:00.0: 1: TMU: supports enhanced uni-directional mode
[ 370.731136] thunderbolt 0000:67:00.0: 1: TMU: current mode: off
[ 370.733484] thunderbolt 0-1: new device found, vendor=0x41f device=0xd002
[ 370.733486] thunderbolt 0-1: Micro Computer (HK) Tech. Ltd. TBGAA
[ 370.735631] thunderbolt 0000:67:00.0: 1: NVM version 62.42
[ 370.737726] thunderbolt 0000:67:00.0: 0:1: reading NVM authentication status of retimers
[ 370.940313] thunderbolt 0000:67:00.0: 0:1: disabling sideband transactions
[ 371.042092] thunderbolt 0000:67:00.0: 1:1: CLx: CL0s/CL1/CL2 supported
[ 371.042099] thunderbolt 0000:67:00.0: 0:1: CLx: CL0s/CL1/CL2 supported
[ 371.042594] thunderbolt 0000:67:00.0: 1: CLx: CL0s/CL1/CL2 enabled
[ 371.042598] thunderbolt 0000:67:00.0: 1: TMU: mode change off -> enhanced uni-directional, MedRes requested
[ 371.042718] thunderbolt 0000:67:00.0: 0: TMU: local_time[0]=0x5a400000
[ 371.042721] thunderbolt 0000:67:00.0: 0: TMU: local_time[1]=0x005523e1
[ 371.042723] thunderbolt 0000:67:00.0: 0: TMU: local_time[2]=0x03e80000
[ 371.043821] thunderbolt 0000:67:00.0: 1: TMU: updated local time to 0x5523e15a40
[ 371.048099] thunderbolt 0000:67:00.0: 1: TMU: mode set to: enhanced uni-directional, MedRes
[ 371.050527] thunderbolt 0000:67:00.0: 1:1: reading NVM authentication status of retimers
[ 371.201482] thunderbolt 0000:67:00.0: acking hot unplug event on 0:1
[ 371.301780] thunderbolt 0000:67:00.0: 1:1: disabling sideband transactions
[ 371.302412] thunderbolt 0000:67:00.0: 0:1: link maximum bandwidth 9000/9000 Mb/s
[ 371.302655] thunderbolt 0000:67:00.0: 1:1: link maximum bandwidth 72000/72000 Mb/s
[ 371.302782] thunderbolt 0000:67:00.0: 1:20: available bandwidth for new USB3 tunnel 9000/9000 Mb/s
[ 371.303024] thunderbolt 0000:67:00.0: 1: USB3 tunnel creation failed
[ 371.303922] thunderbolt 0000:67:00.0: 0:9 <-> 1:9 (PCI): activating
[ 371.303925] thunderbolt 0000:67:00.0: activating PCIe Down path from 0:9 to 1:9
[ 371.304046] thunderbolt 0000:67:00.0: 1:1: Writing hop 1
[ 371.304047] thunderbolt 0000:67:00.0: 1:1: In HopID: 8 => Out port: 9 Out HopID: 8
[ 371.304048] thunderbolt 0000:67:00.0: 1:1: Weight: 1 Priority: 3 Credits: 76 Drop: 0 PM: 0
[ 371.304049] thunderbolt 0000:67:00.0: 1:1: Counter enabled: 0 Counter index: 2047
[ 371.304050] thunderbolt 0000:67:00.0: 1:1: Flow Control (In/Eg): 1/0 Shared Buffer (In/Eg): 0/0
[ 371.304051] thunderbolt 0000:67:00.0: 1:1: Unknown1: 0x0 Unknown2: 0x0 Unknown3: 0x0
[ 371.304302] thunderbolt 0000:67:00.0: 1:1: hop deactivation failed for hop 1, index 8
[ 371.304303] thunderbolt 0000:67:00.0: PCIe Down path activation failed: -107
[ 371.304304] thunderbolt 0000:67:00.0: 0:9 <-> 1:9 (PCI): activation failed
[ 371.304305] thunderbolt 0000:67:00.0: 0:9 <-> 1:9 (PCI): deactivating
[ 371.304948] thunderbolt 0000:67:00.0: 1:9: PCIe tunnel activation failed, aborting
[ 371.304981] thunderbolt 0000:67:00.0: 0:1: switch unplugged
[ 371.305759] thunderbolt 0-1: device disconnected
[ 371.306674] thunderbolt 0000:67:00.0: bandwidth consumption changed, re-calculating estimated bandwidth
[ 371.306677] thunderbolt 0000:67:00.0: bandwidth re-calculation done
[ 371.306678] thunderbolt 0000:67:00.0: looking for DP IN <-> DP OUT pairs:
[ 371.306705] thunderbolt 0000:67:00.0: 0:13: DP IN available
[ 371.306706] thunderbolt 0000:67:00.0: 0:13: no suitable DP OUT adapter available, not tunneling
[ 371.306833] thunderbolt 0000:67:00.0: 0:14: DP IN available
[ 371.306834] thunderbolt 0000:67:00.0: 0:14: no suitable DP OUT adapter available, not tunneling
[ 371.421827] usb 5-1: new high-speed USB device number 8 using xhci_hcd
[ 371.549027] usb 5-1: New USB device found, idVendor=1d5c, idProduct=5801, bcdDevice= 1.01
[ 371.549043] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 371.549044] usb 5-1: Product: USB2.0 Hub
[ 371.549047] usb 5-1: Manufacturer: Fresco Logic, Inc.
[ 371.588232] hub 5-1:1.0: USB hub found
[ 371.588621] hub 5-1:1.0: 6 ports detected
[ 372.195131] usb 5-1.2: new high-speed USB device number 9 using xhci_hcd
[ 372.292245] usb 5-1.2: New USB device found, idVendor=0bda, idProduct=5420, bcdDevice= 1.80
[ 372.292256] usb 5-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 372.292259] usb 5-1.2: Product: 4-Port USB 2.0 Hub
[ 372.292260] usb 5-1.2: Manufacturer: Generic
[ 372.356618] hub 5-1.2:1.0: USB hub found
[ 372.357272] hub 5-1.2:1.0: 4 ports detected
[ 372.894153] [UFW BLOCK] IN=enp98s0 OUT= MAC= SRC=fe80:0000:0000:0000:ee0c:b911:402c:55a2 DST=ff02:0000:0000:0000:0000:0000:0001:0003 LEN=76 TC=0 HOPLIMIT=255 FLOWLBL=319052 PROTO=UDP SPT=5355 DPT=5355 LEN=36
[ 373.106976] usb 5-1.2.3: new high-speed USB device number 10 using xhci_hcd
[ 373.206451] usb 5-1.2.3: New USB device found, idVendor=0bda, idProduct=8156, bcdDevice=31.04
[ 373.206463] usb 5-1.2.3: New USB device strings: Mfr=1, Product=2, SerialNumber=6
[ 373.206465] usb 5-1.2.3: Product: USB 10/100/1G/2.5G LAN
[ 373.206467] usb 5-1.2.3: Manufacturer: Realtek
[ 373.206469] usb 5-1.2.3: SerialNumber: 4013000001
[ 373.347588] r8152-cfgselector 5-1.2.3: reset high-speed USB device number 10 using xhci_hcd
[ 373.728871] usb 5-1.2.4: new high-speed USB device number 11 using xhci_hcd
[ 373.852519] usb 5-1.2.4: New USB device found, idVendor=152d, idProduct=0583, bcdDevice= 2.14
[ 373.852545] usb 5-1.2.4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 373.852548] usb 5-1.2.4: Product: USB to PCIE Bridge
[ 373.852550] usb 5-1.2.4: Manufacturer: JMicron
[ 373.852552] usb 5-1.2.4: SerialNumber: 0123456789ABCDEF
[ 373.854075] scsi host0: uas
[ 373.854542] scsi 0:0:0:0: Direct-Access JMicron Generic 0214 PQ: 0 ANSI: 6
[ 373.898145] usb 5-1.2.4: stat urb: status -71
[ 375.893793] [UFW BLOCK] IN=enp97s0 OUT= MAC= SRC=10.23.1.207 DST=224.0.0.252 LEN=56 TOS=0x00 PREC=0x00 TTL=255 ID=34161 PROTO=UDP SPT=5355 DPT=5355 LEN=36
[ 392.894057] [UFW BLOCK] IN=enp98s0 OUT= MAC= SRC=fe80:0000:0000:0000:ee0c:b911:402c:55a2 DST=ff02:0000:0000:0000:0000:0000:0001:0003 LEN=76 TC=0 HOPLIMIT=255 FLOWLBL=319052 PROTO=UDP SPT=5355 DPT=5355 LEN=36
^ permalink raw reply
* Re: renesas 1912:0014 failures
From: Michal Pecio @ 2026-05-23 16:32 UTC (permalink / raw)
To: Anders Thomson; +Cc: linux-usb, Mathias Nyman
In-Reply-To: <CAGwGCQJ6SaB_mLH5DGttVDXHvvNW9zrSnijwYxp2W4d_W40FRw@mail.gmail.com>
On Mon, 18 May 2026 14:36:18 +0200, Anders Thomson wrote:
> On Mon, May 18, 2026 at 10:41 AM Anders Thomson <andtho888@gmail.com> wrote:
> >
>
> > > I see you still have the quirk, but it doesn't matter, the chip is
> > > stuck and doesn't work either way.
> >
> > The machine hangs on boot with the quirk. Without quirk i get:
> > [ 2.293602] cdrom: Uniform CD-ROM driver Revision: 3.20
> > [ 2.303526] sr 5:0:0:0: Attached scsi CD-ROM sr0
> > [ 2.303603] sr 5:0:0:0: Attached scsi generic sg4 type 5
> > [ 28.493779] xhci-pci-renesas 0000:03:00.0: xHCI Host Controller
> > [ 28.493891] xhci-pci-renesas 0000:03:00.0: new USB bus registered,
> > assigned bus number 9
> > [ 28.499338] xhci-pci-renesas 0000:03:00.0: hcc params 0x014051cf
> > hci version 0x100 quirks 0x0000000100000090
> >
> > Those 28.xxx renesas lines never show up with the quirk applied.
> > The machine works (waiting 10 minutes I get a logs from other kernel
> > threads), but the boot process is stopped. By the looks of it, no
> > usb probing completes.
> >
> Some advances, perhaps. I _did_ get (twice) the boot to succeed with
> the quirk (still with the 26 sec pause) . Both times was after a full
> power cycle (PSU on/off). After a regular I/O Button press during, the
> boot stalls. I'll run this a few times more to verify.
xhci_hcd.quirks=0x80 should have no effect on anything besides
suspend/resume. If you see differences in boot behavior, it probably
is an effect of suspend/resume cycles performed or attempted during
the previous boot. It seems that the chip gets into some bad state
which requires a power cycle to fix. BTW, do you mean just turning off
the computer, or disconnecting the PSU to remove standby power?
FYI, the quirk performs full xHCI reset during resume and prevents
selectively suspending the chip when all its USB devices are suspended
but the system is running (not going to sleep). It doesn't prevent
suspending when no USB devices are connected at all. And either way,
runtime PM may be turned off, see if this is 'on' or 'auto':
cat /sys/bus/pci/devices/0000:03:00.0/power/control
> After successful boot with quirk, 1st suspend/resume without
> peripherals attached, yielded:
> [...]
>
> After the second suspend/resume, we got this:
> [...]
> [ 1697.224087] xhci-pci-renesas 0000:03:00.0: // Reset the HC
> [...]
> [ 1725.214860] xhci-pci-renesas 0000:03:00.0: PCI post-resume error -110!
> [ 1725.214863] xhci-pci-renesas 0000:03:00.0: HC died; cleaning up
> [ 1725.214875] xhci-pci-renesas 0000:03:00.0: PM: dpm_run_callback():
> pci_pm_resume returns -110
> [ 1725.214879] xhci-pci-renesas 0000:03:00.0: PM: failed to resume
I have no idea why it works the first time but not the second.
Not what happens if the same is done without the quirk?
Maybe try s2idle ("freeze") instead of S3 sleep? But that doesn't
provide the same power saving on older HW.
Regards,
Michal
^ permalink raw reply
* [PATCH usb-gadget] usb: gadget: f_fs: clear stale priv->req/ep on DMA-BUF transfer completion
From: Zhenghang Xiao @ 2026-05-23 15:27 UTC (permalink / raw)
To: Greg Kroah-Hartman, Paul Cercueil; +Cc: security, linux-usb, Zhenghang Xiao
ffs_epfile_dmabuf_io_complete() frees the usb_request via
usb_ep_free_request() but never clears priv->req or priv->ep. When the
host later triggers endpoint disable (via SET_INTERFACE, disconnect, or
gadget unbind), the completion fires and frees req, leaving priv->req as
a dangling pointer. A subsequent close() or FUNCTIONFS_DMABUF_DETACH
ioctl then passes the stale pointer to usb_ep_dequeue(), resulting in a
use-after-free on the freed kmalloc-128 object.
Walk back from req->context to the ffs_dma_fence and its priv, then
clear priv->req and priv->ep before freeing the request. The cleanup
paths in ffs_epfile_release() and ffs_dmabuf_detach() already check for
NULL under eps_lock before calling usb_ep_dequeue().
Fixes: 7b07a2a7ca02 ("usb: gadget: functionfs: Add DMABUF import interface")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
---
drivers/usb/gadget/function/f_fs.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 002c3441bea3..88d3e89c21b7 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1413,8 +1413,13 @@ static void ffs_dmabuf_signal_done(struct ffs_dma_fence *dma_fence, int ret)
static void ffs_epfile_dmabuf_io_complete(struct usb_ep *ep,
struct usb_request *req)
{
+ struct ffs_dma_fence *fence = req->context;
+ struct ffs_dmabuf_priv *priv = fence->priv;
+
pr_vdebug("FFS: DMABUF transfer complete, status=%d\n", req->status);
- ffs_dmabuf_signal_done(req->context, req->status);
+ ffs_dmabuf_signal_done(fence, req->status);
+ priv->req = NULL;
+ priv->ep = NULL;
usb_ep_free_request(ep, req);
}
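Review bot: priv->req and priv->ep are cleared after ffs_dmabuf_signal_done(fence, req->status) and with no lock taken in this function, while the commit message relies on ffs_epfile_release() and ffs_dmabuf_detach() testing those fields under eps_lock. Unless the completion callback is guaranteed to run with eps_lock held, a reader can still pick up the old priv->req between its NULL check and usb_ep_dequeue(); please state the locking rule in a comment here or take the lock around the two stores. Also confirm that neither fence nor priv can be released by ffs_dmabuf_signal_done(); if they can, the two stores need to move ahead of that call.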
--
2.50.1 (Apple Git-155)
^ permalink raw reply related
* [PATCH] usb: gadget: uac: validate rate list length before storing
From: Qing Ming @ 2026-05-19 14:33 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Christophe JAILLET, Sumanth Gavini, Kees Cook, linux-usb,
linux-kernel, Qing Ming
UAC1 and UAC2 configfs rate-list attributes parse a comma-separated
list of sampling rates and store each parsed value in fixed-size arrays.
The arrays have UAC_MAX_RATES entries, but the store paths do not check
that the input contains at most that many tokens before writing through
opts->name##s[i++].
Writing more than ten rates therefore writes past the end of the
p_srates[] or c_srates[] array in struct f_uac1_opts or struct
f_uac2_opts.
With CONFIG_UBSAN_BOUNDS enabled, writing an 11-entry rate list to the
UAC1 p_srate attribute reports:
UBSAN: array-index-out-of-bounds
drivers/usb/gadget/function/f_uac1.c:1669:1
index 10 is out of range for type 'int [10]'
__ubsan_handle_out_of_bounds.cold
f_uac1_opts_p_srate_store
configfs_write_iter
vfs_write
ksys_write
do_syscall_64
The same reproducer against the UAC2 p_srate attribute reports:
UBSAN: array-index-out-of-bounds
drivers/usb/gadget/function/f_uac2.c:2087:1
index 10 is out of range for type 'int [10]'
__ubsan_handle_out_of_bounds.cold
f_uac2_opts_p_srate_store
configfs_write_iter
vfs_write
ksys_write
do_syscall_64
Reject additional tokens once UAC_MAX_RATES entries have been parsed.
Also keep the original kstrdup() pointer for kfree(), because strsep()
advances the parsing cursor. Freeing the advanced cursor leaks the
original buffer on successful parses and can free an interior pointer on
some error paths.
Fixes: 695d39ffc2b5 ("usb: gadget: f_uac1: Support multiple sampling rates")
Fixes: a7339e4f5788 ("usb: gadget: f_uac2: Support multiple sampling rates")
Signed-off-by: Qing Ming <a0yami@mailbox.org>
---
drivers/usb/gadget/function/f_uac1.c | 13 +++++++++----
drivers/usb/gadget/function/f_uac2.c | 13 +++++++++----
2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/drivers/usb/gadget/function/f_uac1.c b/drivers/usb/gadget/function/f_uac1.c
index 85c502e98f57..7a81cd176abd 100644
--- a/drivers/usb/gadget/function/f_uac1.c
+++ b/drivers/usb/gadget/function/f_uac1.c
@@ -1594,7 +1594,8 @@ static ssize_t f_uac1_opts_##name##_store(struct config_item *item, \
const char *page, size_t len) \
{ \
struct f_uac1_opts *opts = to_f_uac1_opts(item); \
- char *split_page = NULL; \
+ char *buf = NULL; \
+ char *split_page; \
int ret = -EINVAL; \
char *token; \
u32 num; \
@@ -1608,18 +1609,22 @@ static ssize_t f_uac1_opts_##name##_store(struct config_item *item, \
\
i = 0; \
memset(opts->name##s, 0x00, sizeof(opts->name##s)); \
- split_page = kstrdup(page, GFP_KERNEL); \
+ buf = kstrdup(page, GFP_KERNEL); \
+ split_page = buf; \
while ((token = strsep(&split_page, ",")) != NULL) { \
ret = kstrtou32(token, 0, &num); \
if (ret) \
goto end; \
- \
+ if (i >= UAC_MAX_RATES) { \
+ ret = -EINVAL; \
+ goto end; \
+ } \
opts->name##s[i++] = num; \
ret = len; \
}; \
\
end: \
- kfree(split_page); \
+ kfree(buf); \
mutex_unlock(&opts->lock); \
return ret; \
} \
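Review bot: in the store loop, the new "i >= UAC_MAX_RATES" check returns -EINVAL only after memset() has cleared opts->name##s and up to UAC_MAX_RATES entries have already been written, so a rejected write (too many tokens, or a kstrtou32() failure part-way through) leaves the attribute holding a zeroed or partial list instead of its previous value. Consider parsing into a local array and copying it into opts->name##s only once the whole list has been accepted. The count check could also sit ahead of kstrtou32() so that an over-long list is rejected before the extra token is parsed.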
diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c
index 897787d0803c..d8cf710085a0 100644
--- a/drivers/usb/gadget/function/f_uac2.c
+++ b/drivers/usb/gadget/function/f_uac2.c
@@ -2012,7 +2012,8 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item, \
const char *page, size_t len) \
{ \
struct f_uac2_opts *opts = to_f_uac2_opts(item); \
- char *split_page = NULL; \
+ char *buf = NULL; \
+ char *split_page; \
int ret = -EINVAL; \
char *token; \
u32 num; \
@@ -2026,18 +2027,22 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item, \
\
i = 0; \
memset(opts->name##s, 0x00, sizeof(opts->name##s)); \
- split_page = kstrdup(page, GFP_KERNEL); \
+ buf = kstrdup(page, GFP_KERNEL); \
+ split_page = buf; \
while ((token = strsep(&split_page, ",")) != NULL) { \
ret = kstrtou32(token, 0, &num); \
if (ret) \
goto end; \
- \
+ if (i >= UAC_MAX_RATES) { \
+ ret = -EINVAL; \
+ goto end; \
+ } \
opts->name##s[i++] = num; \
ret = len; \
}; \
\
end: \
- kfree(split_page); \
+ kfree(buf); \
mutex_unlock(&opts->lock); \
return ret; \
} \
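Review bot: "buf = kstrdup(page, GFP_KERNEL)" is used without a NULL check. On allocation failure strsep() sees a NULL cursor and returns NULL at once, so the loop body never runs and the function returns whatever ret held before the loop rather than -ENOMEM, with the rate array already cleared by the memset() above. Suggest "if (!buf) { ret = -ENOMEM; goto end; }" directly after the kstrdup(). The same applies to the f_uac1.c hunk; the two macro bodies shown in this patch are line-for-line copies, so a shared helper would keep the next fix in one place.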
--
2.53.0
^ permalink raw reply related
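The bounded parse and the buffer-ownership rule described in the UAC rate-list patch above, as an added userspace C example that is not part of the patch or of the kernel source. `parse_rate_list()`, `next_token()` (a strsep()-style stand-in), `parse_u32()` (a rough stand-in for kstrtou32()) and `MAX_RATES` are hypothetical names; the example goes one step beyond the patch by checking the count before parsing the token and by staging values in a local array, so a rejected list leaves the stored rates untouched.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: mirrors UAC_MAX_RATES; the UBSAN report shows 'int [10]'. */
#define MAX_RATES 10

/* strsep()-style tokenizer (hypothetical helper): returns the current token
 * and advances *cursor past the delimiter, or sets it to NULL at the end. */
static char *next_token(char **cursor, char delim)
{
    char *start = *cursor;
    char *p;

    if (start == NULL)
        return NULL;
    p = strchr(start, delim);
    if (p != NULL) {
        *p = '\0';
        *cursor = p + 1;
    } else {
        *cursor = NULL;
    }
    return start;
}

/* Rough stand-in for kstrtou32(token, 0, &num): the whole token must be a
 * number; one trailing newline is tolerated. */
static int parse_u32(const char *s, uint32_t *out)
{
    char *end;
    unsigned long long v;

    if (!isdigit((unsigned char)*s))
        return -EINVAL;
    errno = 0;
    v = strtoull(s, &end, 0);
    if (errno != 0)
        return -ERANGE;
    if (*end == '\n')
        end++;
    if (*end != '\0')
        return -EINVAL;
    if (v > UINT32_MAX)
        return -ERANGE;
    *out = (uint32_t)v;
    return 0;
}

/* Parse "44100,48000,..." into rates[MAX_RATES].
 * Returns the number of rates stored, or a negative errno; on error the
 * caller's array is left exactly as it was. */
int parse_rate_list(const char *page, int rates[MAX_RATES])
{
    int staged[MAX_RATES] = {0};
    size_t size = strlen(page) + 1;
    char *buf = malloc(size);       /* plays the role of kstrdup() */
    char *cursor, *token;
    int count = 0, ret = -EINVAL;

    if (buf == NULL)
        return -ENOMEM;
    memcpy(buf, page, size);

    cursor = buf;                   /* the tokenizer moves cursor, never buf */
    while ((token = next_token(&cursor, ',')) != NULL) {
        uint32_t num;

        if (count >= MAX_RATES) {   /* 11th token: reject before any write */
            ret = -EINVAL;
            goto end;
        }
        ret = parse_u32(token, &num);
        if (ret != 0)
            goto end;
        staged[count++] = (int)num;
    }
    memcpy(rates, staged, sizeof(staged));  /* commit only a fully valid list */
    ret = count;
end:
    free(buf);                      /* original allocation, not the cursor */
    return ret;
}

int main(void)
{
    /* Constructed inputs: a valid list, then one with 11 entries. */
    int rates[MAX_RATES] = {0};
    int n = parse_rate_list("44100,48000,96000\n", rates);

    printf("stored %d rates, first=%d\n", n, rates[0]);
    n = parse_rate_list("1,2,3,4,5,6,7,8,9,10,11", rates);
    printf("11 entries -> %d, first still %d\n", n, rates[0]);
    return 0;
}
```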
* Re: [GIT PULL] USB serial fixes for 7.1-rc5
From: Greg Kroah-Hartman @ 2026-05-23 11:22 UTC (permalink / raw)
To: Johan Hovold; +Cc: linux-usb, linux-kernel
In-Reply-To: <ahFmuYsT3E8GcG5h@hovoldconsulting.com>
On Sat, May 23, 2026 at 10:35:05AM +0200, Johan Hovold wrote:
> The following changes since commit 5d6919055dec134de3c40167a490f33c74c12581:
>
> Linux 7.1-rc3 (2026-05-10 14:08:09 -0700)
>
> are available in the Git repository at:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial.git tags/usb-serial-7.1-rc5
Pulled and pushed out, thanks.
greg k-h
* [PATCH v2 2/2] net: usb: Add Infineon XMM6260 Baseband modem support
From: Svyatoslav Ryhel @ 2026-05-23 8:44 UTC (permalink / raw)
To: Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Svyatoslav Ryhel
Cc: netdev, devicetree, linux-kernel, linux-usb
In-Reply-To: <20260523084408.50346-1-clamor95@gmail.com>
The Infineon/Intel XMM6260 is a 3G-focused, slim modem platform designed
for smartphones, data cards, and Machine-to-Machine (M2M) applications.
The modem is usually connected via the application processor's USB line
in HSIC mode; however, to work properly, the modem must control this line.
Dmesg with modem appearing on LG Optimus Vu (P895):
[ 9.427014] ci_hdrc ci_hdrc.1: EHCI Host Controller
[ 9.431488] ci_hdrc ci_hdrc.1: new USB bus registered, assigned bus number 1
[ 9.457197] ci_hdrc ci_hdrc.1: USB 2.0 started, EHCI 1.00
[ 9.460370] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 6.16
[ 9.468470] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[ 9.475597] usb usb1: Product: EHCI Host Controller
[ 9.480508] usb usb1: Manufacturer: Linux 6.16.0+ ehci_hcd
[ 9.485913] usb usb1: SerialNumber: ci_hdrc.1
[ 9.490862] hub 1-0:1.0: USB hub found
[ 9.494005] hub 1-0:1.0: 1 port detected
[ 9.657191] usb 1-1: new high-speed USB device number 2 using ci_hdrc
[ 9.844726] usb 1-1: New USB device found, idVendor=1519, idProduct=0020, bcdDevice=12.74
[ 9.850530] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 9.857594] usb 1-1: Product: HSIC Device
[ 9.861606] usb 1-1: Manufacturer: Comneon
[ 9.865627] usb 1-1: SerialNumber: 0123456789
[ 9.908739] cdc_acm 1-1:1.0: ttyACM0: USB ACM device
Signed-off-by: Svyatoslav Ryhel <clamor95@gmail.com>
---
drivers/net/usb/Kconfig | 15 ++
drivers/net/usb/Makefile | 1 +
drivers/net/usb/baseband-xmm6260.c | 378 +++++++++++++++++++++++++++++
3 files changed, 394 insertions(+)
create mode 100644 drivers/net/usb/baseband-xmm6260.c
diff --git a/drivers/net/usb/Kconfig b/drivers/net/usb/Kconfig
index 52a5c0922c79..d54d8db752df 100644
--- a/drivers/net/usb/Kconfig
+++ b/drivers/net/usb/Kconfig
@@ -642,4 +642,19 @@ config USB_RTL8153_ECM
CONFIG_USB_RTL8152 is not set, or the RTL8153 device is not
supported by r8152 driver.
+config USB_NET_XMM6260
+ tristate "Infineon XMM626X Baseband HSPA/HSUPA modem"
+ depends on USB_CHIPIDEA && (RFKILL || RFKILL=n)
+ help
+ Select this if you want to use an Infineon XMM626X modem, found in
+ devices such as the LG Optimus 4X P880, LG Optimus Vu P895, Samsung
+ Galaxy S II (GT-I9100), and Galaxy Nexus (GT-I9250). This driver
+ handles the modem configuration and provides a stable way to expose
+ the modem's USB interface. To establish a connection, you will first
+ need a userspace program to send the correct commands to the modem
+ through its CDC ACM port, as well as a DHCP client.
+
+ To compile this driver as a module, choose M here: the module will
+ be called baseband-xmm6260.
+
endif # USB_NET_DRIVERS
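Review bot: the "depends on USB_CHIPIDEA" line does not match what baseband-xmm6260.c in this patch uses: the file includes no chipidea header and calls only the gpio, regulator, rfkill, pwrseq and USB notifier APIs. What the driver cannot work without is the power sequencing consumer (probe returns an error when devm_pwrseq_get() fails), so a dependency on that framework would be more to the point, with any ChipIdea dependency carried by the SoC-specific power sequence provider. The prompt and help text also say XMM626X while the config symbol, module name and compatible say XMM6260; pick one.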
diff --git a/drivers/net/usb/Makefile b/drivers/net/usb/Makefile
index 4964f7b326fb..ffa532c7d7d6 100644
--- a/drivers/net/usb/Makefile
+++ b/drivers/net/usb/Makefile
@@ -42,3 +42,4 @@ obj-$(CONFIG_USB_NET_CDC_MBIM) += cdc_mbim.o
obj-$(CONFIG_USB_NET_CH9200) += ch9200.o
obj-$(CONFIG_USB_NET_AQC111) += aqc111.o
obj-$(CONFIG_USB_RTL8153_ECM) += r8153_ecm.o
+obj-$(CONFIG_USB_NET_XMM6260) += baseband-xmm6260.o
diff --git a/drivers/net/usb/baseband-xmm6260.c b/drivers/net/usb/baseband-xmm6260.c
new file mode 100644
index 000000000000..557ec79f5e2a
--- /dev/null
+++ b/drivers/net/usb/baseband-xmm6260.c
@@ -0,0 +1,378 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (C) 2011 NVIDIA Corporation
+ * Copyright (C) 2023 Svyatoslav Ryhel <clamor95@gmail.com>
+ */
+
+#include <linux/array_size.h>
+#include <linux/bitfield.h>
+#include <linux/bitops.h>
+#include <linux/delay.h>
+#include <linux/device.h>
+#include <linux/err.h>
+#include <linux/export.h>
+#include <linux/gpio/consumer.h>
+#include <linux/mod_devicetable.h>
+#include <linux/module.h>
+#include <linux/notifier.h>
+#include <linux/platform_device.h>
+#include <linux/property.h>
+#include <linux/pwrseq/consumer.h>
+#include <linux/regulator/consumer.h>
+#include <linux/rfkill.h>
+#include <linux/usb.h>
+
+#define BASEBAND_XMM_INIT_DELAY 5000
+
+#define BASEBAND_PRODUCT_ID_XMM6260 0x0020
+#define BASEBAND_VENDOR_ID_COMNEON 0x1519
+
+/*
+ * Starting from ver 1145 modem starts in the IPC_AP_WAKE_IRQ_READY state.
+ * AP wake interrupt keeps low util CP starts to initiate its HSIC hw. AP wake
+ * interrupt goes up during CP HSIC init (BASEBAND_XMM_IPC_AP_WAKE_INIT1 state)
+ * at this point Host USB bus must be configured in order for modem to set
+ * properly. Then interrupt goes down when CP HSIC is ready
+ * (BASEBAND_XMM_IPC_AP_WAKE_INIT2 state) and at this point XMM6260 USB device
+ * should appear and be accessible for further work. In case it does not, the
+ * cycle must repeat.
+ */
+
+/* bits [0:2] */
+enum baseband_xmm_ipc_ap_wake_state {
+ BASEBAND_XMM_IPC_AP_WAKE_IRQ_READY,
+ BASEBAND_XMM_IPC_AP_WAKE_INIT1,
+ BASEBAND_XMM_IPC_AP_WAKE_INIT2,
+ BASEBAND_XMM_IPC_AP_WAKE_L,
+ BASEBAND_XMM_IPC_AP_WAKE_H,
+ BASEBAND_XMM_IPC_AP_WAKE_UNINIT,
+ BASEBAND_XMM_IPC_AP_WAKE_MASK = 7,
+};
+
+#define BASEBAND_XMM_IPC_AP_WAKE_MAX 3
+
+#define BASEBAND_XMM_STATE_POWERED 3 /* Tracks regulator state */
+#define BASEBAND_XMM_STATE_PROTECTED 4 /* Prevents rfkill from access */
+#define BASEBAND_XMM_STATE_PRESENT 5 /* Tracks USB device presence */
+#define BASEBAND_XMM_STATE_POWEROFF 6 /* Prevents poweroff recursive call */
+#define BASEBAND_XMM_STATE_MAX 8
+
+struct baseband_xmm_data {
+ struct device *dev;
+ struct rfkill *rfkill_dev;
+ struct pwrseq_desc *pwrseq;
+
+ DECLARE_BITMAP(state, BASEBAND_XMM_STATE_MAX);
+ int irq;
+
+ struct gpio_desc *reset_gpio;
+ struct gpio_desc *enable_gpio;
+
+ struct gpio_desc *ipc_cp_gpio;
+ struct gpio_desc *ipc_ap_gpio;
+
+ struct regulator *vbat_supply;
+
+ struct delayed_work modem_work;
+ struct notifier_block nb;
+};
+
+static int get_ipc_ap_wake(struct baseband_xmm_data *priv)
+{
+ int i, ret = 0;
+
+ for (i = 0; i < BASEBAND_XMM_IPC_AP_WAKE_MAX; i++)
+ ret |= (test_bit(i, priv->state) << i);
+
+ return ret;
+}
+
+static void set_ipc_ap_wake(struct baseband_xmm_data *priv,
+ enum baseband_xmm_ipc_ap_wake_state state)
+{
+ for (int i = 0; i < BASEBAND_XMM_IPC_AP_WAKE_MAX; i++)
+ if (state & BIT(i))
+ set_bit(i, priv->state);
+ else
+ clear_bit(i, priv->state);
+}
+
+static void baseband_xmm_reset(struct baseband_xmm_data *priv)
+{
+ int ret;
+
+ set_bit(BASEBAND_XMM_STATE_PROTECTED, priv->state);
+
+ if (!test_bit(BASEBAND_XMM_STATE_POWERED, priv->state)) {
+ ret = regulator_enable(priv->vbat_supply);
+ if (ret)
+ dev_err(priv->dev,
+ "failed to enable vbat power supply\n");
+
+ set_bit(BASEBAND_XMM_STATE_POWERED, priv->state);
+ }
+
+ gpiod_set_value_cansleep(priv->enable_gpio, 0);
+ msleep(50);
+
+ gpiod_set_value_cansleep(priv->reset_gpio, 1);
+ msleep(200);
+ gpiod_set_value_cansleep(priv->reset_gpio, 0);
+
+ msleep(50);
+
+ /* falling edge trigger to CP */
+ gpiod_set_value_cansleep(priv->enable_gpio, 1);
+ usleep_range(50, 100);
+ gpiod_set_value_cansleep(priv->enable_gpio, 0);
+ msleep(20);
+}
+
+static void baseband_xmm_poweroff(struct baseband_xmm_data *priv)
+{
+ /*
+ * The test_bit check prevents poweroff from being recursively
+ * called during USB device deregistration. USB device
+ * deregistration can be triggered by the driver by calling this
+ * function or by some external event. The first case will cause
+ * a recursive call by the notifier if not handled, while the
+ * second case requires this call to handle the USB controller
+ * properly.
+ */
+ if (test_bit(BASEBAND_XMM_STATE_POWEROFF, priv->state))
+ return;
+
+ set_bit(BASEBAND_XMM_STATE_PROTECTED, priv->state);
+ set_bit(BASEBAND_XMM_STATE_POWEROFF, priv->state);
+
+ pwrseq_power_off(priv->pwrseq);
+ gpiod_set_value_cansleep(priv->reset_gpio, 1);
+
+ if (test_bit(BASEBAND_XMM_STATE_POWERED, priv->state)) {
+ regulator_disable(priv->vbat_supply);
+ clear_bit(BASEBAND_XMM_STATE_POWERED, priv->state);
+ }
+ set_ipc_ap_wake(priv, BASEBAND_XMM_IPC_AP_WAKE_IRQ_READY);
+
+ clear_bit(BASEBAND_XMM_STATE_PROTECTED, priv->state);
+ clear_bit(BASEBAND_XMM_STATE_PRESENT, priv->state);
+ clear_bit(BASEBAND_XMM_STATE_POWEROFF, priv->state);
+}
+
+static int baseband_xmm_usb_notifier_call(struct notifier_block *nb,
+ unsigned long action, void *data)
+{
+ struct baseband_xmm_data *priv =
+ container_of(nb, struct baseband_xmm_data, nb);
+ struct usb_device *udev;
+ u16 product, vendor;
+
+ if (action == USB_BUS_ADD || action == USB_BUS_REMOVE)
+ return NOTIFY_OK;
+
+ udev = data;
+ product = le16_to_cpu(udev->descriptor.idProduct);
+ vendor = le16_to_cpu(udev->descriptor.idVendor);
+
+ switch (action) {
+ case USB_DEVICE_ADD:
+ /* Infineon XMM6260 ID 1519:0020 */
+ if (vendor == BASEBAND_VENDOR_ID_COMNEON &&
+ product == BASEBAND_PRODUCT_ID_XMM6260) {
+ cancel_delayed_work_sync(&priv->modem_work);
+ clear_bit(BASEBAND_XMM_STATE_PROTECTED, priv->state);
+ set_bit(BASEBAND_XMM_STATE_PRESENT, priv->state);
+ }
+ break;
+
+ case USB_DEVICE_REMOVE:
+ /* Infineon XMM6260 ID 1519:0020 */
+ if (vendor == BASEBAND_VENDOR_ID_COMNEON &&
+ product == BASEBAND_PRODUCT_ID_XMM6260)
+ baseband_xmm_poweroff(priv);
+ break;
+
+ default:
+ break;
+ }
+
+ return NOTIFY_OK;
+}
+
+static int baseband_xmm_set_block(void *data, bool blocked)
+{
+ struct baseband_xmm_data *priv = data;
+
+ if (test_bit(BASEBAND_XMM_STATE_PROTECTED, priv->state))
+ return -EBUSY;
+
+ if (blocked && test_bit(BASEBAND_XMM_STATE_PRESENT, priv->state))
+ baseband_xmm_poweroff(priv);
+ else if (!blocked && !test_bit(BASEBAND_XMM_STATE_PRESENT, priv->state))
+ baseband_xmm_reset(priv);
+
+ return 0;
+}
+
+static const struct rfkill_ops baseband_xmm_rfkill_ops = {
+ .set_block = baseband_xmm_set_block,
+};
+
+static void baseband_xmm_work(struct work_struct *work)
+{
+ struct baseband_xmm_data *priv =
+ container_of(work, struct baseband_xmm_data, modem_work.work);
+
+ baseband_xmm_poweroff(priv);
+};
+
+static irqreturn_t baseband_hostwake_interrupt(int irq, void *dev_id)
+{
+ struct baseband_xmm_data *priv = dev_id;
+ int state = gpiod_get_value(priv->ipc_ap_gpio);
+
+ switch (get_ipc_ap_wake(priv)) {
+ case BASEBAND_XMM_IPC_AP_WAKE_IRQ_READY:
+ if (!state) {
+ set_ipc_ap_wake(priv, BASEBAND_XMM_IPC_AP_WAKE_INIT1);
+ pwrseq_power_on(priv->pwrseq);
+ }
+ break;
+
+ case BASEBAND_XMM_IPC_AP_WAKE_INIT1:
+ if (state) {
+ set_ipc_ap_wake(priv, BASEBAND_XMM_IPC_AP_WAKE_INIT2);
+ schedule_delayed_work(&priv->modem_work,
+ msecs_to_jiffies(BASEBAND_XMM_INIT_DELAY));
+ }
+ break;
+
+ default:
+ break;
+ }
+
+ return IRQ_HANDLED;
+}
+
+static int baseband_xmm_probe(struct platform_device *pdev)
+{
+ struct baseband_xmm_data *priv;
+ struct device *dev = &pdev->dev;
+ unsigned long irqflags;
+ int ret;
+
+ priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+ return -ENOMEM;
+
+ priv->dev = dev;
+ platform_set_drvdata(pdev, priv);
+
+ priv->vbat_supply = devm_regulator_get(dev, "vbat");
+ if (IS_ERR(priv->vbat_supply))
+ return dev_err_probe(dev, PTR_ERR(priv->vbat_supply),
+ "failed to get vbat regulator\n");
+
+ /* Own modem gpios */
+ priv->reset_gpio = devm_gpiod_get_optional(dev, "reset",
+ GPIOD_OUT_LOW);
+ if (IS_ERR(priv->reset_gpio))
+ return dev_err_probe(dev, PTR_ERR(priv->reset_gpio),
+ "failed to get reset GPIO\n");
+
+ priv->enable_gpio = devm_gpiod_get_optional(dev, "enable",
+ GPIOD_OUT_LOW);
+ if (IS_ERR(priv->enable_gpio))
+ return dev_err_probe(dev, PTR_ERR(priv->enable_gpio),
+ "failed to get enable GPIO\n");
+
+ /* CP - AP connections */
+ priv->ipc_cp_gpio = devm_gpiod_get_optional(dev, "cp-wake",
+ GPIOD_OUT_LOW);
+ if (IS_ERR(priv->ipc_cp_gpio))
+ return dev_err_probe(dev, PTR_ERR(priv->ipc_cp_gpio),
+ "failed to get CP wake GPIO\n");
+
+ priv->ipc_ap_gpio = devm_gpiod_get_optional(dev, "ap-wake", GPIOD_IN);
+ if (IS_ERR(priv->ipc_ap_gpio))
+ return dev_err_probe(dev, PTR_ERR(priv->ipc_ap_gpio),
+ "failed to get AP wake GPIO\n");
+
+ /* Modem power sequence */
+ priv->pwrseq = devm_pwrseq_get(dev, "modem-power");
+ if (IS_ERR(priv->pwrseq))
+ return dev_err_probe(dev, PTR_ERR(priv->pwrseq),
+ "failed to get modem pwrseq");
+
+ bitmap_zero(priv->state, BASEBAND_XMM_STATE_MAX);
+ INIT_DELAYED_WORK(&priv->modem_work, baseband_xmm_work);
+
+ priv->irq = platform_get_irq(pdev, 0);
+ if (priv->irq < 0)
+ return dev_err_probe(dev, priv->irq, "failed to get IRQ\n");
+
+ /*
+ * Systems using device tree should set up interrupt via DT,
+ * the rest will use the default edge both interrupt.
+ */
+ irqflags = dev->of_node ? 0 : IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING;
+
+ ret = devm_request_threaded_irq(dev, priv->irq, NULL,
+ &baseband_hostwake_interrupt,
+ IRQF_ONESHOT | irqflags,
+ "modem-hostwake", priv);
+ if (ret)
+ return dev_err_probe(dev, ret,
+ "failed to register IRQ %d\n", priv->irq);
+
+ priv->rfkill_dev = rfkill_alloc("xmm-modem", dev, RFKILL_TYPE_WWAN,
+ &baseband_xmm_rfkill_ops, priv);
+ if (!priv->rfkill_dev)
+ return -ENOMEM;
+
+ ret = rfkill_register(priv->rfkill_dev);
+ if (ret) {
+ rfkill_destroy(priv->rfkill_dev);
+ return dev_err_probe(dev, ret,
+ "failed to register WWAN rfkill\n");
+ }
+
+ priv->nb.notifier_call = baseband_xmm_usb_notifier_call;
+ usb_register_notify(&priv->nb);
+
+ return 0;
+}
+
+static void baseband_xmm_remove(struct platform_device *pdev)
+{
+ struct baseband_xmm_data *priv = platform_get_drvdata(pdev);
+
+ rfkill_unregister(priv->rfkill_dev);
+ rfkill_destroy(priv->rfkill_dev);
+
+ disable_irq(priv->irq);
+ cancel_delayed_work_sync(&priv->modem_work);
+
+ usb_unregister_notify(&priv->nb);
+ baseband_xmm_poweroff(priv);
+}
+
+static const struct of_device_id baseband_xmm_match[] = {
+ { .compatible = "infineon,xmm6260" },
+ { }
+};
+MODULE_DEVICE_TABLE(of, baseband_xmm_match);
+
+static struct platform_driver baseband_xmm_driver = {
+ .driver = {
+ .name = "baseband-xmm6260",
+ .of_match_table = baseband_xmm_match,
+ },
+ .probe = baseband_xmm_probe,
+ .remove = baseband_xmm_remove,
+};
+module_platform_driver(baseband_xmm_driver);
+
+MODULE_AUTHOR("Svyatolsav Ryhel <clamor95@gmail.com>");
+MODULE_DESCRIPTION("Baseband Infineon XMM6260 driver");
+MODULE_LICENSE("GPL");
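Review bot: baseband_xmm_reset() logs a regulator_enable() failure but then sets BASEBAND_XMM_STATE_POWERED and runs the GPIO sequence anyway, so a later baseband_xmm_poweroff() calls regulator_disable() on a supply that was never enabled. Make the function return the error, skip the set_bit(), and propagate it from baseband_xmm_set_block(). The same function sets BASEBAND_XMM_STATE_PROTECTED, which is cleared only by the USB_DEVICE_ADD notifier or by baseband_xmm_poweroff(); the delayed work that calls poweroff is scheduled only on the INIT1 to INIT2 transition in baseband_hostwake_interrupt(), so if the modem never toggles AP wake after a reset, rfkill keeps returning -EBUSY with no timeout to recover. Smaller points: irqreturn_t and devm_request_threaded_irq() are used without including <linux/interrupt.h>, the "failed to get modem pwrseq" message lacks the trailing newline the other dev_err_probe() calls have, and MODULE_AUTHOR spells the name "Svyatolsav" where the Signed-off-by has "Svyatoslav".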
--
2.51.0
* [PATCH v2 1/2] dt-bindings: net: Document Infineon/Intel XMM6260 modem
From: Svyatoslav Ryhel @ 2026-05-23 8:44 UTC (permalink / raw)
To: Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Svyatoslav Ryhel
Cc: netdev, devicetree, linux-kernel, linux-usb
In-Reply-To: <20260523084408.50346-1-clamor95@gmail.com>
Describe the Infineon/Intel XMM6260, a 3G-focused, slim modem platform
designed for smartphones, data cards, and Machine-to-Machine (M2M)
applications.
Signed-off-by: Svyatoslav Ryhel <clamor95@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
---
.../bindings/net/infineon,xmm6260.yaml | 74 +++++++++++++++++++
1 file changed, 74 insertions(+)
create mode 100644 Documentation/devicetree/bindings/net/infineon,xmm6260.yaml
diff --git a/Documentation/devicetree/bindings/net/infineon,xmm6260.yaml b/Documentation/devicetree/bindings/net/infineon,xmm6260.yaml
new file mode 100644
index 000000000000..ffff58e479ef
--- /dev/null
+++ b/Documentation/devicetree/bindings/net/infineon,xmm6260.yaml
@@ -0,0 +1,74 @@
+# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
+%YAML 1.2
+---
+$id: http://devicetree.org/schemas/net/infineon,xmm6260.yaml#
+$schema: http://devicetree.org/meta-schemas/core.yaml#
+
+title: Infineon/Intel XMM6260 embedded USB modem
+
+description:
+ The Infineon/Intel XMM6260 is a 3G-focused, slim modem platform designed
+ for smartphones, data cards, and Machine-to-Machine (M2M) applications.
+ The modem is usually connected via the application processor's USB line
+ in HSIC mode; however, to work properly, the modem must control this line.
+
+maintainers:
+ - Svyatoslav Ryhel <clamor95@gmail.com>
+
+properties:
+ compatible:
+ const: infineon,xmm6260
+
+ interrupts:
+ maxItems: 1
+
+ enable-gpios:
+ description: GPIO connected to the ON1 pin
+ maxItems: 1
+
+ reset-gpios:
+ description: GPIO connected to the RESET_PWRDWN_N pin
+ maxItems: 1
+
+ ap-wake-gpios:
+ description: GPIO connected to the EINT3 pin
+ maxItems: 1
+
+ cp-wake-gpios:
+ description: GPIO connected to the EINT2 pin
+ maxItems: 1
+
+ vbat-supply:
+ description: Supply connected to the VBAT lines.
+
+ infineon,modem-pwrseq:
+ description:
+ Contains phandle pointing to the modem's power sequence.
+ $ref: /schemas/types.yaml#/definitions/phandle
+
+required:
+ - compatible
+ - interrupts
+
+additionalProperties: false
+
+examples:
+ - |
+ #include <dt-bindings/gpio/gpio.h>
+ #include <dt-bindings/interrupt-controller/irq.h>
+
+ modem {
+ compatible = "infineon,xmm6260";
+
+ interrupt-parent = <&gpio>;
+ interrupts = <168 IRQ_TYPE_EDGE_BOTH>;
+
+ enable-gpios = <&gpio 112 GPIO_ACTIVE_HIGH>;
+ reset-gpios = <&gpio 169 GPIO_ACTIVE_LOW>;
+
+ cp-wake-gpios = <&gpio 151 GPIO_ACTIVE_HIGH>;
+ ap-wake-gpios = <&gpio 168 GPIO_ACTIVE_HIGH>;
+
+ infineon,modem-pwrseq = <&xmm6260_modem_pwrseq>;
+ vbat-supply = <&vdd_3v3_vbat>;
+ };
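Review bot: vbat-supply is left out of required, but the driver in patch 2/2 calls devm_regulator_get(dev, "vbat") rather than the optional variant, and its probe also returns an error when devm_pwrseq_get(dev, "modem-power") fails. Either list the properties the driver cannot probe without under required or make the driver tolerate their absence, so that a node that passes schema validation also probes. In the example, interrupts and ap-wake-gpios both name GPIO 168; a sentence in the ap-wake-gpios description saying that EINT3 is also the interrupt source would show that this is intentional.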
--
2.51.0
* [PATCH v2 0/2] Add support for Infineon/Intel XMM6260 modem
From: Svyatoslav Ryhel @ 2026-05-23 8:44 UTC (permalink / raw)
To: Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Svyatoslav Ryhel
Cc: netdev, devicetree, linux-kernel, linux-usb
The Infineon/Intel XMM6260 is a 3G-focused, slim modem platform designed
for smartphones, data cards, and Machine-to-Machine (M2M) applications.
The modem is typically connected via the application processor's USB line
in HSIC mode. To function correctly, the modem must control this line, as
it requires precise timing to initiate or de-initialize the USB connection.
This control is necessary to successfully enumerate the next stage of the
USB device loader (moving from firmware loading to the actual device
interface for example).
Patchset adds support for the generic portion of the Infineon XMM6260
baseband modem, which was used in many Tegra-, OMAP-, and Exynos-based
devices circa 2012. This driver provides generic power sequences,
manages initial communication with the application processor, handles the
SoC-specific modem powersequence, and verifies that the modem USB device
appears correctly.
While current support is relatively basic, this configuration already
allows the modem device to appear in the dmesg of my device
(LG Optimus Vu (P895)):
[ 9.427014] ci_hdrc ci_hdrc.1: EHCI Host Controller
[ 9.431488] ci_hdrc ci_hdrc.1: new USB bus registered, assigned bus number 1
[ 9.457197] ci_hdrc ci_hdrc.1: USB 2.0 started, EHCI 1.00
[ 9.460370] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 6.16
[ 9.468470] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[ 9.475597] usb usb1: Product: EHCI Host Controller
[ 9.480508] usb usb1: Manufacturer: Linux 6.16.0+ ehci_hcd
[ 9.485913] usb usb1: SerialNumber: ci_hdrc.1
[ 9.490862] hub 1-0:1.0: USB hub found
[ 9.494005] hub 1-0:1.0: 1 port detected
[ 9.657191] usb 1-1: new high-speed USB device number 2 using ci_hdrc
[ 9.844726] usb 1-1: New USB device found, idVendor=1519, idProduct=0020, bcdDevice=12.74
[ 9.850530] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 9.857594] usb 1-1: Product: HSIC Device
[ 9.861606] usb 1-1: Manufacturer: Comneon
[ 9.865627] usb 1-1: SerialNumber: 0123456789
[ 9.908739] cdc_acm 1-1:1.0: ttyACM0: USB ACM device
This patchset is part of a larger series aiming to bring XMM6260 modem
support for Tegra devices:
https://lore.kernel.org/lkml/20260511135703.62470-1-clamor95@gmail.com/
---
Changes in v2:
- changed phy to pwrseq in schema
- adjusted Kconfig dependencies
- implemented bitmap for modem state tracking
- switched from phy to power sequencing
- in notifier added check to filter only USB events
- in notifier added USB_DEVICE_REMOVE
- added tracking for regulator, rfkill access, usb device
presence and poweroff calls using bitops
- moved pseq on call from work to irq handler
- improved rfkill registration logic
---
Svyatoslav Ryhel (2):
dt-bindings: net: Document Infineon/Intel XMM6260 modem
net: usb: Add Infineon XMM6260 Baseband modem support
.../bindings/net/infineon,xmm6260.yaml | 74 ++++
drivers/net/usb/Kconfig | 15 +
drivers/net/usb/Makefile | 1 +
drivers/net/usb/baseband-xmm6260.c | 378 ++++++++++++++++++
4 files changed, 468 insertions(+)
create mode 100644 Documentation/devicetree/bindings/net/infineon,xmm6260.yaml
create mode 100644 drivers/net/usb/baseband-xmm6260.c
--
2.51.0
* [GIT PULL] USB serial fixes for 7.1-rc5
From: Johan Hovold @ 2026-05-23 8:35 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: linux-usb, linux-kernel
The following changes since commit 5d6919055dec134de3c40167a490f33c74c12581:
Linux 7.1-rc3 (2026-05-10 14:08:09 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial.git tags/usb-serial-7.1-rc5
for you to fetch changes up to 9f9bfc80c67f35a275820da7e83a35dface08281:
USB: serial: cypress_m8: validate interrupt packet headers (2026-05-23 09:35:26 +0200)
----------------------------------------------------------------
USB serial fixes for 7.1-rc5
Here are a number of fixes for memory corruption and information leaks
due to missing endpoint and transfer sanity checks dating back to
simpler times when we trusted our hardware.
Included are also a fix for a recently added modem device id entry and
some new modem device ids.
All but the last five commits have been in linux-next and with no
reported issues.
----------------------------------------------------------------
Jan Volckaert (1):
USB: serial: option: add MeiG SRM813Q
Johan Hovold (8):
USB: serial: digi_acceleport: fix memory corruption with small endpoints
USB: serial: keyspan: fix missing indat transfer sanity check
USB: serial: mct_u232: fix memory corruption with small endpoint
USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
USB: serial: cypress_m8: fix memory corruption with small endpoint
USB: serial: mxuport: fix memory corruption with small endpoint
USB: serial: omninet: fix memory corruption with small endpoint
USB: serial: safe_serial: fix memory corruption with small endpoint
Wanquan Zhong (1):
USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL
Zhang Cen (2):
USB: serial: belkin_sa: validate interrupt status length
USB: serial: cypress_m8: validate interrupt packet headers
drivers/usb/serial/belkin_sa.c | 3 +++
drivers/usb/serial/cypress_m8.c | 20 +++++++++++++++++++-
drivers/usb/serial/digi_acceleport.c | 23 +++++++++++++++++++++--
drivers/usb/serial/keyspan.c | 4 ++++
drivers/usb/serial/mct_u232.c | 26 ++++++++++++++++----------
drivers/usb/serial/mxuport.c | 8 ++++++++
drivers/usb/serial/omninet.c | 9 +++++----
drivers/usb/serial/option.c | 9 ++++++++-
drivers/usb/serial/safe_serial.c | 11 +++++++++++
9 files changed, 95 insertions(+), 18 deletions(-)
* [PATCH v2 4/4] usb: chipidea: tegra: Expose tegra_usb structure
From: Svyatoslav Ryhel @ 2026-05-23 8:30 UTC (permalink / raw)
To: Greg Kroah-Hartman, Rob Herring, Krzysztof Kozlowski,
Conor Dooley, Thierry Reding, Jonathan Hunter, Peter Chen,
Svyatoslav Ryhel, Xu Yang, Peng Fan
Cc: linux-usb, devicetree, linux-tegra, linux-kernel
In-Reply-To: <20260523083013.46372-1-clamor95@gmail.com>
The tegra_usb structure is platform data of USB controller and is required
for proper controller manipulation if its init/deinit is externally
controlled.
Signed-off-by: Svyatoslav Ryhel <clamor95@gmail.com>
---
drivers/usb/chipidea/ci_hdrc_tegra.c | 13 +------------
include/linux/usb/tegra_usb_phy.h | 15 +++++++++++++++
2 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/drivers/usb/chipidea/ci_hdrc_tegra.c b/drivers/usb/chipidea/ci_hdrc_tegra.c
index a19cb3b33bf3..109c4afdee4a 100644
--- a/drivers/usb/chipidea/ci_hdrc_tegra.c
+++ b/drivers/usb/chipidea/ci_hdrc_tegra.c
@@ -16,6 +16,7 @@
#include <linux/usb/hcd.h>
#include <linux/usb/of.h>
#include <linux/usb/phy.h>
+#include <linux/usb/tegra_usb_phy.h>
#include <soc/tegra/common.h>
@@ -23,18 +24,6 @@
#include "ci.h"
-struct tegra_usb {
- struct ci_hdrc_platform_data data;
- struct platform_device *dev;
-
- const struct tegra_usb_soc_info *soc;
- struct usb_phy *phy;
- struct clk *clk;
-
- bool needs_double_reset;
- bool externally_controlled;
-};
-
struct tegra_usb_soc_info {
unsigned long flags;
unsigned int txfifothresh;
diff --git a/include/linux/usb/tegra_usb_phy.h b/include/linux/usb/tegra_usb_phy.h
index 6343f88df5de..ba74b7ebfba0 100644
--- a/include/linux/usb/tegra_usb_phy.h
+++ b/include/linux/usb/tegra_usb_phy.h
@@ -9,6 +9,7 @@
#include <linux/clk.h>
#include <linux/regmap.h>
#include <linux/reset.h>
+#include <linux/usb/chipidea.h>
#include <linux/usb/otg.h>
struct gpio_desc;
@@ -62,6 +63,20 @@ enum tegra_usb_phy_port_speed {
TEGRA_USB_PHY_PORT_SPEED_HIGH,
};
+struct tegra_usb_soc_info;
+
+struct tegra_usb {
+ struct ci_hdrc_platform_data data;
+ struct platform_device *dev;
+
+ const struct tegra_usb_soc_info *soc;
+ struct usb_phy *phy;
+ struct clk *clk;
+
+ bool needs_double_reset;
+ bool externally_controlled;
+};
+
struct tegra_xtal_freq;
struct tegra_usb_phy {
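Review bot: moving struct tegra_usb into include/linux/usb/tegra_usb_phy.h makes every user of the PHY header pull in <linux/usb/chipidea.h> and exposes a glue-driver private structure under a very generic name, while struct tegra_usb_soc_info stays private, so consumers get an opaque soc pointer. The commit message does not name the consumer that needs the layout. A narrower interface, for example exported helpers in ci_hdrc_tegra.c that take the platform device and register or remove the HDRC device, would let the structure stay private; if it has to be shared, a dedicated header for the glue driver fits better than the PHY one.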
--
2.51.0
* [PATCH v2 3/4] usb: chipidea: tegra: Avoid controller/PHY init if bus is externally controlled
From: Svyatoslav Ryhel @ 2026-05-23 8:30 UTC (permalink / raw)
To: Greg Kroah-Hartman, Rob Herring, Krzysztof Kozlowski,
Conor Dooley, Thierry Reding, Jonathan Hunter, Peter Chen,
Svyatoslav Ryhel, Xu Yang, Peng Fan
Cc: linux-usb, devicetree, linux-tegra, linux-kernel
In-Reply-To: <20260523083013.46372-1-clamor95@gmail.com>
If the USB controller and PHY are externally controlled, then the
registration of the controller and the PHY initialization should be
skipped, since these configurations must be done by the device that
controls the bus to work correctly.
Since USB PHY in Tegra controls clock gates required by the controller
itself, Chipidea core PHY management is not suitable for Tegra.
Signed-off-by: Svyatoslav Ryhel <clamor95@gmail.com>
---
drivers/usb/chipidea/ci_hdrc_tegra.c | 32 ++++++++++++++++++----------
1 file changed, 21 insertions(+), 11 deletions(-)
diff --git a/drivers/usb/chipidea/ci_hdrc_tegra.c b/drivers/usb/chipidea/ci_hdrc_tegra.c
index 372788f0f970..a19cb3b33bf3 100644
--- a/drivers/usb/chipidea/ci_hdrc_tegra.c
+++ b/drivers/usb/chipidea/ci_hdrc_tegra.c
@@ -32,6 +32,7 @@ struct tegra_usb {
struct clk *clk;
bool needs_double_reset;
+ bool externally_controlled;
};
struct tegra_usb_soc_info {
@@ -312,6 +313,9 @@ static int tegra_usb_probe(struct platform_device *pdev)
if (device_property_present(&pdev->dev, "nvidia,needs-double-reset"))
usb->needs_double_reset = true;
+ if (device_property_present(&pdev->dev, "nvidia,external-control"))
+ usb->externally_controlled = true;
+
err = tegra_usb_reset_controller(&pdev->dev);
if (err) {
dev_err_probe(&pdev->dev, err, "failed to reset controller");
@@ -323,9 +327,11 @@ static int tegra_usb_probe(struct platform_device *pdev)
* initialized, otherwise CPU will hang because clocks are gated.
* PHY driver controls gating of internal USB clocks on Tegra.
*/
- err = usb_phy_init(usb->phy);
- if (err)
- goto fail_power_off;
+ if (!usb->externally_controlled) {
+ err = usb_phy_init(usb->phy);
+ if (err)
+ goto fail_power_off;
+ }
/* setup and register ChipIdea HDRC device */
usb->soc = soc;
@@ -342,12 +348,14 @@ static int tegra_usb_probe(struct platform_device *pdev)
if (of_usb_get_phy_mode(pdev->dev.of_node) == USBPHY_INTERFACE_MODE_ULPI)
usb->data.flags &= ~CI_HDRC_SUPPORTS_RUNTIME_PM;
- usb->dev = ci_hdrc_add_device(&pdev->dev, pdev->resource,
- pdev->num_resources, &usb->data);
- if (IS_ERR(usb->dev)) {
- err = dev_err_probe(&pdev->dev, PTR_ERR(usb->dev),
- "failed to add HDRC device");
- goto phy_shutdown;
+ if (!usb->externally_controlled) {
+ usb->dev = ci_hdrc_add_device(&pdev->dev, pdev->resource,
+ pdev->num_resources, &usb->data);
+ if (IS_ERR(usb->dev)) {
+ err = dev_err_probe(&pdev->dev, PTR_ERR(usb->dev),
+ "failed to add HDRC device");
+ goto phy_shutdown;
+ }
}
return 0;
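Review bot: with nvidia,external-control set, probe now returns 0 with usb->dev still NULL and the PHY uninitialized, and nothing in this patch shows how the controlling device later calls usb_phy_init() and ci_hdrc_add_device(), or what happens if it never does. A comment at the "if (!usb->externally_controlled)" block naming the expected owner and the entry point it uses would make the contract reviewable; the "setup and register ChipIdea HDRC device" comment above is also no longer accurate for this path.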
@@ -365,8 +373,10 @@ static void tegra_usb_remove(struct platform_device *pdev)
{
struct tegra_usb *usb = platform_get_drvdata(pdev);
- ci_hdrc_remove_device(usb->dev);
- usb_phy_shutdown(usb->phy);
+ if (!usb->externally_controlled) {
+ ci_hdrc_remove_device(usb->dev);
+ usb_phy_shutdown(usb->phy);
+ }
pm_runtime_put_sync_suspend(&pdev->dev);
pm_runtime_force_suspend(&pdev->dev);
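Review bot: tegra_usb_remove() now skips ci_hdrc_remove_device() and usb_phy_shutdown() whenever externally_controlled is set, regardless of whether the external owner currently has the HDRC device registered and the PHY running. If this driver is unbound while the bus is up, the pm_runtime_put_sync_suspend() and pm_runtime_force_suspend() calls below still run while the controller may be registered. Track the registered state (for example by testing usb->dev) and tear down here, or document and enforce that the owner must release the bus before this remove can run.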
--
2.51.0
* [PATCH v2 2/4] dt-bindings: usb: chipidea,usb2-tegra: Document nvidia,external-control property
From: Svyatoslav Ryhel @ 2026-05-23 8:30 UTC (permalink / raw)
To: Greg Kroah-Hartman, Rob Herring, Krzysztof Kozlowski,
Conor Dooley, Thierry Reding, Jonathan Hunter, Peter Chen,
Svyatoslav Ryhel, Xu Yang, Peng Fan
Cc: linux-usb, devicetree, linux-tegra, linux-kernel
In-Reply-To: <20260523083013.46372-1-clamor95@gmail.com>
Document the nvidia,external-control property required, for example, for
USB lines in HSIC mode connected to a modem, where the modem requires
precise control over the USB bus to properly enumerate all its stages and
intermediate devices.
Signed-off-by: Svyatoslav Ryhel <clamor95@gmail.com>
---
.../devicetree/bindings/usb/chipidea,usb2-tegra.yaml | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/Documentation/devicetree/bindings/usb/chipidea,usb2-tegra.yaml b/Documentation/devicetree/bindings/usb/chipidea,usb2-tegra.yaml
index 78046f8a63ad..d99a18900b5a 100644
--- a/Documentation/devicetree/bindings/usb/chipidea,usb2-tegra.yaml
+++ b/Documentation/devicetree/bindings/usb/chipidea,usb2-tegra.yaml
@@ -40,6 +40,13 @@ properties:
type: boolean
deprecated: true
+ nvidia,external-control:
+ description:
+ Indicates that the controller is configured externally and that the host
+ should not attempt to access it. This is usually used by a modem that
+ requires precise bus configuration.
+ type: boolean
+
required:
- compatible
- reg
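Review bot: the nvidia,external-control description states driver policy ("the host should not attempt to access it") rather than a property of the hardware, and as a bare boolean it does not say which device controls the bus. Describe the wiring instead, that is, that bring-up of the link is sequenced by the attached device, and consider whether the relationship is better expressed as a phandle between the controller and the modem node than as a flag.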
--
2.51.0
* [PATCH v2 1/4] dt-bindings: usb: Move Tegra-specific Chipidea USB properties into a dedicated schema
From: Svyatoslav Ryhel @ 2026-05-23 8:30 UTC (permalink / raw)
To: Greg Kroah-Hartman, Rob Herring, Krzysztof Kozlowski,
Conor Dooley, Thierry Reding, Jonathan Hunter, Peter Chen,
Svyatoslav Ryhel, Xu Yang, Peng Fan
Cc: linux-usb, devicetree, linux-tegra, linux-kernel
In-Reply-To: <20260523083013.46372-1-clamor95@gmail.com>
Move all Tegra-specific Chipidea devices and their properties into a
dedicated schema file, by analogy with i.MX.
Signed-off-by: Svyatoslav Ryhel <clamor95@gmail.com>
---
.../bindings/usb/chipidea,usb2-tegra.yaml | 88 +++++++++++++++++++
.../devicetree/bindings/usb/ci-hdrc-usb2.yaml | 22 -----
2 files changed, 88 insertions(+), 22 deletions(-)
create mode 100644 Documentation/devicetree/bindings/usb/chipidea,usb2-tegra.yaml
diff --git a/Documentation/devicetree/bindings/usb/chipidea,usb2-tegra.yaml b/Documentation/devicetree/bindings/usb/chipidea,usb2-tegra.yaml
new file mode 100644
index 000000000000..78046f8a63ad
--- /dev/null
+++ b/Documentation/devicetree/bindings/usb/chipidea,usb2-tegra.yaml
@@ -0,0 +1,88 @@
+# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+%YAML 1.2
+---
+$id: http://devicetree.org/schemas/usb/chipidea,usb2-tegra.yaml#
+$schema: http://devicetree.org/meta-schemas/core.yaml#
+
+title: Tegra USB2 ChipIdea USB controller
+
+maintainers:
+ - Svyatoslav Ryhel <clamor95@gmail.com>
+
+properties:
+ compatible:
+ oneOf:
+ - enum:
+ - nvidia,tegra20-ehci
+ - nvidia,tegra20-udc
+ - nvidia,tegra30-ehci
+ - nvidia,tegra30-udc
+ - nvidia,tegra114-udc
+ - nvidia,tegra124-udc
+ - items:
+ - enum:
+ - nvidia,tegra114-ehci
+ - nvidia,tegra124-ehci
+ - nvidia,tegra210-ehci
+ - const: nvidia,tegra30-ehci
+
+ operating-points-v2:
+ description: A phandle to the OPP table containing the performance states.
+ $ref: /schemas/types.yaml#/definitions/phandle
+
+ nvidia,phy:
+ description: phandle of usb phy that connects to the port. Use "phys" instead.
+ $ref: /schemas/types.yaml#/definitions/phandle
+ deprecated: true
+
+ nvidia,needs-double-reset:
+ description: Indicates double reset or not.
+ type: boolean
+ deprecated: true
+
+required:
+ - compatible
+ - reg
+ - interrupts
+ - clocks
+ - resets
+
+allOf:
+ - $ref: chipidea,usb2-common.yaml#
+
+unevaluatedProperties: false
+
+examples:
+ - |
+ #include <dt-bindings/clock/tegra30-car.h>
+ #include <dt-bindings/interrupt-controller/arm-gic.h>
+
+ usb@7d000000 {
+ compatible = "nvidia,tegra30-udc";
+ reg = <0x7d000000 0x4000>;
+ interrupts = <GIC_SPI 20 IRQ_TYPE_LEVEL_HIGH>;
+ phy_type = "utmi";
+ clocks = <&tegra_car TEGRA30_CLK_USBD>;
+ resets = <&tegra_car 22>;
+ reset-names = "usb";
+ phys = <&phy1>;
+ power-domains = <&pd_core>;
+ operating-points-v2 = <&usbd_dvfs_opp_table>;
+
+ dr_mode = "otg";
+
+ hnp-disable;
+ srp-disable;
+ adp-disable;
+
+ usb-role-switch;
+ extcon = <&charger>, <&extcon>; /* vbus, id */
+ vbus-supply = <&usb_otg_vbus>;
+
+ port {
+ usb_in: endpoint {
+ remote-endpoint = <&connector_out>;
+ };
+ };
+ };
+...
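Review bot: required lists reg, interrupts, clocks and resets, but the properties block of this new file defines only compatible, operating-points-v2, nvidia,phy and nvidia,needs-double-reset, so with unevaluatedProperties: false everything else (including power-domains, reset-names and extcon used in the example) has to come from the chipidea,usb2-common.yaml $ref. Please confirm the example passes dt_binding_check on that basis, and consider rewording the carried-over description "Indicates double reset or not.", which does not say what is reset or when the flag is needed.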
diff --git a/Documentation/devicetree/bindings/usb/ci-hdrc-usb2.yaml b/Documentation/devicetree/bindings/usb/ci-hdrc-usb2.yaml
index 691d6cf02c27..5abca0572714 100644
--- a/Documentation/devicetree/bindings/usb/ci-hdrc-usb2.yaml
+++ b/Documentation/devicetree/bindings/usb/ci-hdrc-usb2.yaml
@@ -17,20 +17,8 @@ properties:
- chipidea,usb2
- lsi,zevio-usb
- nuvoton,npcm750-udc
- - nvidia,tegra20-ehci
- - nvidia,tegra20-udc
- - nvidia,tegra30-ehci
- - nvidia,tegra30-udc
- - nvidia,tegra114-udc
- - nvidia,tegra124-udc
- nxp,s32g2-usb
- qcom,ci-hdrc
- - items:
- - enum:
- - nvidia,tegra114-ehci
- - nvidia,tegra124-ehci
- - nvidia,tegra210-ehci
- - const: nvidia,tegra30-ehci
- items:
- const: xlnx,zynq-usb-2.20a
- const: chipidea,usb2
@@ -65,16 +53,6 @@ properties:
- description: register offset
- description: phy index
- nvidia,phy:
- description: phandle of usb phy that connects to the port. Use "phys" instead.
- $ref: /schemas/types.yaml#/definitions/phandle
- deprecated: true
-
- nvidia,needs-double-reset:
- description: Indicates double reset or not.
- type: boolean
- deprecated: true
-
ulpi:
type: object
additionalProperties: false
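Review bot: operating-points-v2 is defined in the new chipidea,usb2-tegra.yaml but is not among the properties removed here (only nvidia,phy and nvidia,needs-double-reset are). If ci-hdrc-usb2.yaml or the common schema still defines it, the commit message should say the duplicate is intentional; if it was never there, the patch adds a property rather than only moving existing ones, which the subject and description do not mention.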
--
2.51.0
^ permalink raw reply related
* [PATCH v2 0/4] usb: chipidea: tegra: Add external control option
From: Svyatoslav Ryhel @ 2026-05-23 8:30 UTC (permalink / raw)
To: Greg Kroah-Hartman, Rob Herring, Krzysztof Kozlowski,
Conor Dooley, Thierry Reding, Jonathan Hunter, Peter Chen,
Svyatoslav Ryhel, Xu Yang, Peng Fan
Cc: linux-usb, devicetree, linux-tegra, linux-kernel
Patchset adjusts the Tegra-specific portion of the Chipidea USB controller
to allow for the disabling of automatic PHY and USB controller
registration. This is achieved by adding the nvidia,external-control
property/flag. It does not affect any existing configurations, but it
allows the USB line to be registered or deregistered by an external
device — in this case, the modem.
Since the Tegra USB PHY holds clock gating for the controller, the PHY cannot be
handled by the core Chipidea mechanism.
This patchset is a part of larger series aiming to bring XMM6260 modem
support for Tegra devices:
https://lore.kernel.org/lkml/20260511135703.62470-1-clamor95@gmail.com/
---
Changes in v2:
- separated Tegra USB into its own schema
- tegra_usb structure moved into tegra_usb_phy.h
---
Svyatoslav Ryhel (4):
dt-bindings: usb: Move Tegra-specific Chipidea USB properties into a
dedicated schema
dt-bindings: usb: chipidea,usb2-tegra: Document
nvidia,external-control property
usb: chipidea: tegra: Avoid controller/PHY init if bus is externally
controlled
usb: chipidea: tegra: Expose tegra_usb structure
.../bindings/usb/chipidea,usb2-tegra.yaml | 95 +++++++++++++++++++
.../devicetree/bindings/usb/ci-hdrc-usb2.yaml | 22 -----
drivers/usb/chipidea/ci_hdrc_tegra.c | 43 ++++-----
include/linux/usb/tegra_usb_phy.h | 15 +++
4 files changed, 131 insertions(+), 44 deletions(-)
create mode 100644 Documentation/devicetree/bindings/usb/chipidea,usb2-tegra.yaml
--
2.51.0
^ permalink raw reply
* Re: [PATCH RFT RFC] usb: xhci: Kill hosts with HCE or HSE on command timeout
From: Michal Pecio @ 2026-05-23 8:28 UTC (permalink / raw)
To: Desnes Nunes; +Cc: linux-kernel, linux-usb, gregkh, mathias.nyman, stable
In-Reply-To: <CACaw+exPdwXVsJc5Xr=vN1WJt8XR46=X0-8PP=+5dWY5zUrKeQ@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1624 bytes --]
On Sat, 23 May 2026 00:47:28 -0300, Desnes Nunes wrote:
> Hello Michal,
>
> On Fri, May 22, 2026 at 9:29 PM Michal Pecio <michal.pecio@gmail.com> wrote:
> > Sorry, I forgot about the most important thing: crash kernel log,
> > or at least the IOMMU fault message showing the bad address.
>
> I was indeed intrigued and almost sent it without you asking for it :-)
>
> The crashkernel's fault address is shown later on down below, but now
> I have attached the full kexec dmesg too.
>
> PS: Note that the debugfs file 'memory' from before contains the
> addresses of the main kernel, not crashkernel's addresses:
> - From main dmesg:
> [ 6.728105] xhci_hcd 0000:80:14.0: Device context base array
> address = 0x000000010a958000 (DMA), 00000000f542e3ba (virt)
> [ 6.737602] xhci_hcd 0000:80:14.0: ERST deq = 64'h10a95a000
Neither debugfs dump corresponds to this dmesg, addresses don't match.
And it doesn't look like the guard pages patch is working here.
But maybe it doesn't matter. Your "memory" files show a clear pattern
of consecutive page-sized allocations (example from after.zip):
102fb6000 DCBAA
102fb7000 CR
102fb8000 ER segment 0
102fb9000 ER segment 1
102fba000 ERST
We can make a guess that the faulting address is the ERST, which
definitely should be accessible to the host controller.
This simple patch logs ERST allocation and freeing; as far as I see
nothing else touches that mapping.
If the ERST is somehow freed before starting the HC, that's a bug.
Otherwise, it seems you were right that you have some IOMMU problem.
Regards,
Michal
[-- Attachment #2: xhci-erst-alloc.patch --]
[-- Type: text/x-patch, Size: 755 bytes --]
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index e76e321e119f..3f1e25bcb7ee 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -1815,6 +1815,7 @@ static int xhci_alloc_erst(struct xhci_hcd *xhci,
size, &erst->erst_dma_addr, flags);
if (!erst->entries)
return -ENOMEM;
+ xhci_info(xhci, "alloc ERST at %pad\n", &erst->erst_dma_addr);
erst->num_entries = evt_ring->num_segs;
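Review bot: The "alloc ERST" message prints only the DMA address; also printing the allocation size (the size value passed to the allocation call just above) would let the log line be compared directly against the faulting address range in the IOMMU report, and would make alloc/free pairs easier to match when more than one interrupter is set up.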
@@ -1867,6 +1868,7 @@ xhci_free_interrupter(struct xhci_hcd *xhci, struct xhci_interrupter *ir)
ir->erst.entries,
ir->erst.erst_dma_addr);
ir->erst.entries = NULL;
+ xhci_info(xhci, "free ERST at %pad\n", &ir->erst.erst_dma_addr);
/* free interrupter event ring */
if (ir->event_ring)
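Review bot: The "free ERST" message is emitted after the free call has returned and after ir->erst.entries has been set to NULL, so its timestamp follows the unmapping. For ordering against an IOMMU fault in dmesg it is more useful to log immediately before the free, so that any fault on that address appearing after the line is unambiguous.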
^ permalink raw reply related
* Re: [PATCH v2] USB: serial: cypress_m8: validate interrupt packet headers
From: Johan Hovold @ 2026-05-23 7:49 UTC (permalink / raw)
To: Zhang Cen
Cc: Greg Kroah-Hartman, linux-usb, linux-kernel, zerocling0077,
2045gemini
In-Reply-To: <20260522145442.2868601-1-rollkingzzc@gmail.com>
On Fri, May 22, 2026 at 10:54:42PM +0800, Zhang Cen wrote:
> cypress_read_int_callback() parses the interrupt-in buffer according to
> the selected Cypress packet format. Format 1 has a two-byte status/count
> header and format 2 has a one-byte combined status/count header. The
> usb-serial core sizes the interrupt-in buffer from the endpoint
> descriptor's wMaxPacketSize, and successful interrupt transfers can
> complete short when URB_SHORT_NOT_OK is not set.
>
> Check that the completed packet contains the selected header before
> reading it. Malformed short reports are ignored and the interrupt URB is
> resubmitted through the existing retry path, preventing out-of-bounds
> header-byte reads.
>
> KASAN report as below:
> KASAN slab-out-of-bounds in cypress_read_int_callback+0x240/0x7f0
> Read of size 1
> Call trace:
> cypress_read_int_callback() (drivers/usb/serial/cypress_m8.c:1009)
> __usb_hcd_giveback_urb()
> dummy_timer()
>
> Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
> Assisted-by: Codex:gpt-5.5
> Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
> ---
> v2:
> Check only urb->actual_length before reading the packet-format header.
> Reuse the existing i header-length variable instead of adding a new one.
> Shorten the KASAN trace in the commit message.
Thanks for the v2.
> drivers/usb/serial/cypress_m8.c | 15 ++++++++++++---
> 1 file changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
> index afff1a0f4298b..49c0f3e379bd0 100644
> --- a/drivers/usb/serial/cypress_m8.c
> +++ b/drivers/usb/serial/cypress_m8.c
> @@ -1060,18 +1060,27 @@ static void cypress_read_int_callback(struct urb *urb)
> default:
> case packet_format_1:
> /* This is for the CY7C64013... */
> - priv->current_status = data[0] & 0xF8;
> - bytes = data[1] + 2;
> i = 2;
> + if (result < i)
> + break;
> + priv->current_status = data[0] & 0xF8;
> + bytes = data[1] + i;
> break;
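Review bot: On the new early break for result < i in the packet_format_1 case, bytes and priv->current_status are no longer assigned by this case, so the code after the switch sees whatever value bytes held before; please make sure the short-packet path reaches the resubmit without comparing or copying with a stale bytes. The check also only guarantees that the two header bytes are present: data[1] is still device-supplied, so bytes = data[1] + i must be bounded against result before any payload is read.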
I know I asked you to move the initialisation of i (the header length),
but when applying I ended up changing this so that the sanity checks use
constants instead, which I found more readable.
The end result is here:
https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial.git/commit/?h=usb-linus&id=9f9bfc80c67f35a275820da7e83a35dface08281
Johan
^ permalink raw reply
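The header-length check discussed in this thread, as an added userspace example that is not the driver's code or the applied commit. The format-2 bit layout (low three bits of the header byte as the count), the function names and the sample reports are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum pkt_format { PKT_FORMAT_1 = 1, PKT_FORMAT_2 = 2 };

/*
 * Parse one interrupt-in report of actual_len bytes.
 * Returns the payload length, or -1 if the report is too short for its
 * header or claims more payload than was actually received.
 */
static int parse_report(enum pkt_format fmt, const uint8_t *data,
                        size_t actual_len, uint8_t *status,
                        uint8_t *out, size_t out_cap)
{
    size_t hdr_len = (fmt == PKT_FORMAT_2) ? 1 : 2;
    size_t claimed;

    /* The transfer may complete short: check before reading the header. */
    if (actual_len < hdr_len)
        return -1;

    *status = data[0] & 0xF8;
    /* Format 2 layout is an assumption: count in the low three bits. */
    claimed = (fmt == PKT_FORMAT_2) ? (size_t)(data[0] & 0x07) : data[1];

    /* The count is device-controlled: bound it by what really arrived. */
    if (claimed > actual_len - hdr_len || claimed > out_cap)
        return -1;

    memcpy(out, data + hdr_len, claimed);
    return (int)claimed;
}

/* Constructed sample reports (not captured from a device). */
static const uint8_t short_f1[] = { 0x08 };                      /* header needs 2 */
static const uint8_t good_f1[]  = { 0x10, 0x03, 'a', 'b', 'c' };
static const uint8_t lying_f1[] = { 0x10, 0x20, 'a' };           /* claims 32, has 1 */
static const uint8_t good_f2[]  = { 0x12, 'x', 'y' };            /* count 2 */

static int parse_sample(enum pkt_format fmt, const uint8_t *data, size_t len)
{
    uint8_t status = 0, out[8];

    return parse_report(fmt, data, len, &status, out, sizeof(out));
}

int main(void)
{
    printf("short f1: %d\n", parse_sample(PKT_FORMAT_1, short_f1, sizeof(short_f1)));
    printf("good  f1: %d\n", parse_sample(PKT_FORMAT_1, good_f1, sizeof(good_f1)));
    printf("lying f1: %d\n", parse_sample(PKT_FORMAT_1, lying_f1, sizeof(lying_f1)));
    printf("good  f2: %d\n", parse_sample(PKT_FORMAT_2, good_f2, sizeof(good_f2)));
    return 0;
}
```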
* [PATCH v2 2/2] usb: dwc3: xilinx: use reset_control_reset() in versal init
From: Radhey Shyam Pandey @ 2026-05-23 7:08 UTC (permalink / raw)
To: Thinh.Nguyen, gregkh, michal.simek, p.zabel
Cc: linux-usb, linux-arm-kernel, linux-kernel, git,
Radhey Shyam Pandey
In-Reply-To: <cover.1779518171.git.radhey.shyam.pandey@amd.com>
Replace reset_control_assert()/deassert() with reset_control_reset().
For dwc3-xilinx, reset_control_reset() routes via the zynqmp reset
driver and uses PM_RESET_ACTION_PULSE, which performs assert and
deassert in firmware. This results in a single SMC call issuing a
reset pulse and taking the IP out of reset.
Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
---
Changes for v2:
- As suggested by Thinh rephrased commit description to explain
firmware driven reset sequence.
---
drivers/usb/dwc3/dwc3-xilinx.c | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/drivers/usb/dwc3/dwc3-xilinx.c b/drivers/usb/dwc3/dwc3-xilinx.c
index 02dc35e110b9..b832505e1b04 100644
--- a/drivers/usb/dwc3/dwc3-xilinx.c
+++ b/drivers/usb/dwc3/dwc3-xilinx.c
@@ -98,18 +98,10 @@ static int dwc3_xlnx_init_versal(struct dwc3_xlnx *priv_data)
dwc3_xlnx_mask_phy_rst(priv_data, false);
- /* Assert and De-assert reset */
- ret = reset_control_assert(crst);
- if (ret < 0) {
- dev_err_probe(dev, ret, "failed to assert Reset\n");
- return ret;
- }
-
- ret = reset_control_deassert(crst);
- if (ret < 0) {
- dev_err_probe(dev, ret, "failed to De-assert Reset\n");
- return ret;
- }
+ /* assert and deassert reset */
+ ret = reset_control_reset(crst);
+ if (ret)
+ return dev_err_probe(dev, ret, "failed to assert and deassert reset\n");
dwc3_xlnx_mask_phy_rst(priv_data, true);
dwc3_xlnx_set_coherency(priv_data, XLNX_USB2_TRAFFIC_ROUTE_CONFIG);
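Review bot: reset_control_reset() returns -ENOTSUPP when the reset controller driver provides no reset operation, so this path now depends on the zynqmp reset driver implementing the pulse that the commit message describes; a comment saying that the pulse is performed by firmware would carry that information, whereas "assert and deassert reset" only restates the call. The error string could likewise be shortened to something like "failed to reset controller".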
--
2.43.0
^ permalink raw reply related
* [PATCH v2 1/2] usb: dwc3: xilinx: fix missing space before closing comment delimiter
From: Radhey Shyam Pandey @ 2026-05-23 7:08 UTC (permalink / raw)
To: Thinh.Nguyen, gregkh, michal.simek, p.zabel
Cc: linux-usb, linux-arm-kernel, linux-kernel, git,
Radhey Shyam Pandey
In-Reply-To: <cover.1779518171.git.radhey.shyam.pandey@amd.com>
Add missing space before '*/' in an inline comment to follow
the kernel coding style.
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
---
Changes for v2:
- Add Thinh Nguyen acked by tag.
---
drivers/usb/dwc3/dwc3-xilinx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/dwc3/dwc3-xilinx.c b/drivers/usb/dwc3/dwc3-xilinx.c
index 9b9525592a85..02dc35e110b9 100644
--- a/drivers/usb/dwc3/dwc3-xilinx.c
+++ b/drivers/usb/dwc3/dwc3-xilinx.c
@@ -194,7 +194,7 @@ static int dwc3_xlnx_init_zynqmp(struct dwc3_xlnx *priv_data)
}
if (priv_data->usb3_phy) {
- /* Set PIPE Power Present signal in FPD Power Present Register*/
+ /* Set PIPE Power Present signal in FPD Power Present Register */
writel(FPD_POWER_PRSNT_OPTION, priv_data->regs + XLNX_USB_FPD_POWER_PRSNT);
/* Set the PIPE Clock Select bit in FPD PIPE Clock register */
writel(PIPE_CLK_SELECT, priv_data->regs + XLNX_USB_FPD_PIPE_CLK);
--
2.43.0
^ permalink raw reply related
* [PATCH v2 0/2] minor cleanup for dwc3-xilinx glue driver
From: Radhey Shyam Pandey @ 2026-05-23 7:08 UTC (permalink / raw)
To: Thinh.Nguyen, gregkh, michal.simek, p.zabel
Cc: linux-usb, linux-arm-kernel, linux-kernel, git,
Radhey Shyam Pandey
Minor cleanups for the dwc3-xilinx glue driver:
- Fix a comment style violation (missing space before closing delimiter).
- Use reset_control_reset in versal init.
Changes for v2:
- Rephrased commit description for 2/2 patch.
- Drop functional fix (usb: dwc3: xilinx: fix error handling in zynqmp
init error paths) from this series.
Radhey Shyam Pandey (2):
usb: dwc3: xilinx: fix missing space before closing comment delimiter
usb: dwc3: xilinx: use reset_control_reset() in versal init
drivers/usb/dwc3/dwc3-xilinx.c | 18 +++++-------------
1 file changed, 5 insertions(+), 13 deletions(-)
base-commit: c1ecb239fa3456529a32255359fc78b69eb9d847
--
2.43.0
^ permalink raw reply
* Re: [PATCH] USB: serial: safe_serial: fix memory corruption with small endpoint
From: Greg Kroah-Hartman @ 2026-05-23 5:50 UTC (permalink / raw)
To: Johan Hovold; +Cc: linux-usb, linux-kernel, stable
In-Reply-To: <20260522142218.947657-1-johan@kernel.org>
On Fri, May 22, 2026 at 04:22:18PM +0200, Johan Hovold wrote:
> Make sure that the bulk-out buffer size is at least eight bytes to avoid
> user-controlled slab corruption in "safe" mode should a malicious device
> report a smaller size.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---
> drivers/usb/serial/safe_serial.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
^ permalink raw reply
* Re: [PATCH] USB: serial: omninet: fix memory corruption with small endpoint
From: Greg Kroah-Hartman @ 2026-05-23 5:50 UTC (permalink / raw)
To: Johan Hovold; +Cc: linux-usb, linux-kernel, stable
In-Reply-To: <20260522142058.947562-1-johan@kernel.org>
On Fri, May 22, 2026 at 04:20:58PM +0200, Johan Hovold wrote:
> Make sure that the bulk-out buffers are at least as large as the
> hardcoded transfer size to avoid user-controlled slab corruption should
> a malicious device report a smaller endpoint max packet size than
> expected.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---
> drivers/usb/serial/omninet.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
^ permalink raw reply
* Re: [PATCH] USB: serial: mxuport: fix memory corruption with small endpoint
From: Greg Kroah-Hartman @ 2026-05-23 5:50 UTC (permalink / raw)
To: Johan Hovold; +Cc: linux-usb, linux-kernel, stable, Andrew Lunn
In-Reply-To: <20260522141950.947466-1-johan@kernel.org>
On Fri, May 22, 2026 at 04:19:50PM +0200, Johan Hovold wrote:
> Make sure that the bulk-out endpoint max packet size is at least eight
> bytes to avoid user-controlled slab corruption should a malicious device
> report a smaller size.
>
> Fixes: ee467a1f2066 ("USB: serial: add Moxa UPORT 12XX/14XX/16XX driver")
> Cc: stable@vger.kernel.org # 3.14
> Cc: Andrew Lunn <andrew@lunn.ch>
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---
> drivers/usb/serial/mxuport.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/drivers/usb/serial/mxuport.c b/drivers/usb/serial/mxuport.c
> index ad5fdf55a02e..c9b9928c473a 100644
> --- a/drivers/usb/serial/mxuport.c
> +++ b/drivers/usb/serial/mxuport.c
> @@ -962,6 +962,14 @@ static int mxuport_calc_num_ports(struct usb_serial *serial,
> */
> BUILD_BUG_ON(ARRAY_SIZE(epds->bulk_out) < 16);
>
> + /*
> + * The bulk-out buffers must be large enough for the four-byte header
> + * (and following data), but assume anything smaller than eight bytes
> + * is broken.
> + */
> + if (usb_endpoint_maxp(epds->bulk_out[0]) < 8)
> + return -EINVAL;
> +
> for (i = 1; i < num_ports; ++i)
> epds->bulk_out[i] = epds->bulk_out[0];
>
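Review bot: The new check compares usb_endpoint_maxp() against a bare 8 while the comment talks about a four-byte header; a named constant for the header length (and for the minimum accepted size) would tie the two together and make the bound easier to audit. Returning -EINVAL without a message also leaves no trace of why the device was rejected, so a dev_err() reporting the endpoint size would help when a real device trips it.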
> --
> 2.53.0
>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
^ permalink raw reply
* [bug report] usb: dwc2: host: fix logical omissions in dwc2_process_non_isoc_desc
From: Dan Carpenter @ 2026-05-23 4:40 UTC (permalink / raw)
To: Vardan Mikayelyan, Minas Harutyunyan; +Cc: linux-usb
[ Ancient code... -dan ]
Hello Vardan Mikayelyan,
Commit 3142a16b9816 ("usb: dwc2: host: fix logical omissions in
dwc2_process_non_isoc_desc") from Feb 16, 2016 (linux-next), leads to
the following Smatch static checker warning:
drivers/usb/dwc2/hcd_ddma.c:1224 dwc2_complete_non_isoc_xfer_ddma()
warn: passing freed memory 'qtd' (line 1224)
drivers/usb/dwc2/hcd_ddma.c
1198 static void dwc2_complete_non_isoc_xfer_ddma(struct dwc2_hsotg *hsotg,
1199 struct dwc2_host_chan *chan,
1200 int chnum,
1201 enum dwc2_halt_status halt_status)
1202 {
1203 struct list_head *qtd_item, *qtd_tmp;
1204 struct dwc2_qh *qh = chan->qh;
1205 struct dwc2_qtd *qtd = NULL;
1206 int xfer_done;
1207 int desc_num = 0;
1208
1209 if (chan->halt_status == DWC2_HC_XFER_URB_DEQUEUE) {
1210 list_for_each_entry(qtd, &qh->qtd_list, qtd_list_entry)
1211 qtd->in_process = 0;
1212 return;
1213 }
1214
1215 list_for_each_safe(qtd_item, qtd_tmp, &qh->qtd_list) {
1216 int i;
1217 int qtd_desc_count;
1218
1219 qtd = list_entry(qtd_item, struct dwc2_qtd, qtd_list_entry);
1220 xfer_done = 0;
1221 qtd_desc_count = qtd->n_desc;
1222
1223 for (i = 0; i < qtd_desc_count; i++) {
--> 1224 if (dwc2_process_non_isoc_desc(hsotg, chan, chnum, qtd,
1225 desc_num, halt_status,
1226 &xfer_done)) {
Originally dwc2_process_non_isoc_desc() would free qtd and return 1
for failed. Now it frees it and then when this loop iterates the
next time it is a use after free.
1227 qtd = NULL;
1228 goto stop_scan;
1229 }
1230
1231 desc_num++;
Maybe add a check here on &xfer_done?
if (xfer_done)
break or something?
1232 }
1233 }
Here is the problem in dwc2_process_non_isoc_desc()
drivers/usb/dwc2/hcd_ddma.c
1155 failed = dwc2_update_non_isoc_urb_state_ddma(hsotg, chan, qtd, dma_desc,
1156 halt_status, n_bytes,
1157 xfer_done);
1158 if (failed || (*xfer_done && urb->status != -EINPROGRESS)) {
1159 dwc2_host_complete(hsotg, qtd, urb->status);
1160 dwc2_hcd_qtd_unlink_and_free(hsotg, qtd, qh);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Free.
1161 dev_vdbg(hsotg->dev, "failed=%1x xfer_done=%1x\n",
1162 failed, *xfer_done);
1163 return failed;
^^^^^^^^^^^^^
Either 1 or zero.
1164 }
This email is a free service from the Smatch-CI project [smatch.sf.net].
regards,
dan carpenter
^ permalink raw reply
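The pattern in the Smatch report above, modelled in userspace as an added example that is not the dwc2 code or a proposed patch. All names are hypothetical, the qtd is marked released instead of being freed so that the stale accesses can be counted safely, and completion is assumed to always release the qtd.

```c
#include <stdio.h>

struct qtd {
    int n_desc;    /* descriptors belonging to this transfer */
    int done_at;   /* descriptor index that completes the URB, -1 = never */
    int released;  /* stands in for the free: set once the qtd is gone */
};

static int stale_accesses;  /* touches of a qtd after it was released */

/*
 * Models the reported contract: on completion the callee releases the qtd
 * and still returns 0 ("not failed"), signalling only through *xfer_done.
 */
static int process_desc(struct qtd *q, int idx, int *xfer_done)
{
    if (q->released) {       /* in the kernel this is the use-after-free */
        stale_accesses++;
        return 0;
    }
    if (idx == q->done_at) {
        *xfer_done = 1;
        q->released = 1;
    }
    return 0;
}

/* Walk every qtd; returns the number of stale accesses, or -1 on failure. */
static int scan(struct qtd *list, int n, int stop_on_done)
{
    stale_accesses = 0;
    for (int k = 0; k < n; k++) {
        struct qtd *q = &list[k];
        int xfer_done = 0;
        int count = q->n_desc;  /* cached before the loop, as in the report */

        for (int i = 0; i < count; i++) {
            if (process_desc(q, i, &xfer_done))
                return -1;
            /* The check suggested in the report: stop using q once done. */
            if (stop_on_done && xfer_done)
                break;
        }
    }
    return stale_accesses;
}

static int run(int stop_on_done)
{
    /* Constructed input: transfers that complete before their last descriptor. */
    struct qtd list[] = {
        { .n_desc = 3, .done_at = 0 },
        { .n_desc = 2, .done_at = 1 },
        { .n_desc = 4, .done_at = 1 },
    };

    return scan(list, 3, stop_on_done);
}

int main(void)
{
    printf("without check: %d stale accesses\n", run(0));
    printf("with check:    %d stale accesses\n", run(1));
    return 0;
}
```

The model does not track desc_num, which the quoted loop increments once per descriptor; a real fix that leaves the inner loop early would also have to keep that index correct for the next qtd.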
* Re: [syzbot] [usb?] KASAN: slab-use-after-free Write in iowarrior_write_callback (2)
From: Greg KH @ 2026-05-23 4:19 UTC (permalink / raw)
To: Joseph Bursey; +Cc: syzbot, linux-kernel, linux-usb, syzkaller-bugs
In-Reply-To: <32c79569-8001-48d2-9675-b38b1670f285@uci.edu>
On Fri, May 22, 2026 at 01:38:40PM -0700, Joseph Bursey wrote:
> Hello, I believe I have a reproducer for this bug using a combination
> of syz-execprog and eBPF programs. There are three artifacts used to
> reproduce the bug: prog.syz loader.c and func.bpf.c, which can be
> compiled as follows:
>
> bpftool btf dump file linux/vmlinux format c > vmlinux.h
> gcc loader.c -o loader -lbpf -lelf -lz -static -lzstd
> clang -O2 -g -target bpf -c func.bpf.c -o func.bpf.o
>
> And then run using syz-execprog:
>
> ./loader & ./syz-execprog -executor=./syz-executor -enable=usb,close_fds
> -repeat=0 -procs=4 -threaded -collide -slowdown=1 ./prog.syz
>
> The following configs were added to what Syzkaller used:
> CONFIG_KPROBES=y
> CONFIG_KPROBE_EVENTS=y
> CONFIG_FTRACE_SYSCALLS=y
> CONFIG_DEBUG_INFO_BTF=y
> CONFIG_DEBUG_INFO_BTF_MODULES=y
> CONFIG_FUNCTION_TRACER=y
> CONFIG_KPROBE_EVENTS_ON_NOTRACE=y
>
> I am interested to know if eBPF based reproducers are helpful during
> the debugging process.
If you can use that to create a fix, great! Otherwise there's not much
we can do here with this :)
thanks,
greg k-h
^ permalink raw reply