In probe appletb_kbd_probe() a "struct appletb_kbd *kbd" is allocated
via devm_kzalloc() to store touch bar keyboard related data.
Later on if backlight_device_get_by_name() finds a backlight device
with name "appletb_backlight" a timer (kbd->inactivity_timer) is setup
with appletb_inactivity_timer() and the timer is armed to run after
appletb_tb_dim_timeout (60) seconds.
A use-after-free is triggered when failure occurs after the timer is
armed. This ultimately means probe failure occurs and as a result the
"struct appletb_kbd *kbd" which is device managed memory is freed.
After 60 seconds the timer will have expired and __run_timers will
attempt to access the timer (kbd->inactivity_timer) however the kdb
structure has been freed causing a use-after free.
[ 71.636938] ==================================================================
[ 71.637915] BUG: KASAN: slab-use-after-free in __run_timers+0x7ad/0x890
[ 71.637915] Write of size 8 at addr ffff8881178c5958 by task swapper/1/0
[ 71.637915]
[ 71.637915] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.16.0-rc2-00318-g739a6c93cc75-dirty #12 PREEMPT(voluntary)
[ 71.637915] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 71.637915] Call Trace:
[ 71.637915] <IRQ>
[ 71.637915] dump_stack_lvl+0x53/0x70
[ 71.637915] print_report+0xce/0x670
[ 71.637915] ? __run_timers+0x7ad/0x890
[ 71.637915] kasan_report+0xce/0x100
[ 71.637915] ? __run_timers+0x7ad/0x890
[ 71.637915] __run_timers+0x7ad/0x890
[ 71.637915] ? __pfx___run_timers+0x10/0x10
[ 71.637915] ? update_process_times+0xfc/0x190
[ 71.637915] ? __pfx_update_process_times+0x10/0x10
[ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0
[ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0
[ 71.637915] ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 71.637915] run_timer_softirq+0x141/0x240
[ 71.637915] ? __pfx_run_timer_softirq+0x10/0x10
[ 71.637915] ? __pfx___hrtimer_run_queues+0x10/0x10
[ 71.637915] ? kvm_clock_get_cycles+0x18/0x30
[ 71.637915] ? ktime_get+0x60/0x140
[ 71.637915] handle_softirqs+0x1b8/0x5c0
[ 71.637915] ? __pfx_handle_softirqs+0x10/0x10
[ 71.637915] irq_exit_rcu+0xaf/0xe0
[ 71.637915] sysvec_apic_timer_interrupt+0x6c/0x80
[ 71.637915] </IRQ>
[ 71.637915]
[ 71.637915] Allocated by task 39:
[ 71.637915] kasan_save_stack+0x33/0x60
[ 71.637915] kasan_save_track+0x14/0x30
[ 71.637915] __kasan_kmalloc+0x8f/0xa0
[ 71.637915] __kmalloc_node_track_caller_noprof+0x195/0x420
[ 71.637915] devm_kmalloc+0x74/0x1e0
[ 71.637915] appletb_kbd_probe+0x37/0x3c0
[ 71.637915] hid_device_probe+0x2d1/0x680
[ 71.637915] really_probe+0x1c3/0x690
[ 71.637915] __driver_probe_device+0x247/0x300
[ 71.637915] driver_probe_device+0x49/0x210
[...]
[ 71.637915]
[ 71.637915] Freed by task 39:
[ 71.637915] kasan_save_stack+0x33/0x60
[ 71.637915] kasan_save_track+0x14/0x30
[ 71.637915] kasan_save_free_info+0x3b/0x60
[ 71.637915] __kasan_slab_free+0x37/0x50
[ 71.637915] kfree+0xcf/0x360
[ 71.637915] devres_release_group+0x1f8/0x3c0
[ 71.637915] hid_device_probe+0x315/0x680
[ 71.637915] really_probe+0x1c3/0x690
[ 71.637915] __driver_probe_device+0x247/0x300
[ 71.637915] driver_probe_device+0x49/0x210
[...]
The root cause of the issue is that the timer is not disarmed
on failure paths leading to it remaining active and accessing
freed memory. To fix this call timer_delete_sync() to deactivate
the timer.
Fixes: 93a0fc489481 ("HID: hid-appletb-kbd: add support for automatic brightness control while using the touchbar")
Cc: stable(a)vger.kernel.org
Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com>
---
drivers/hid/hid-appletb-kbd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-appletb-kbd.c b/drivers/hid/hid-appletb-kbd.c
index e06567886e50..a70b1c519105 100644
--- a/drivers/hid/hid-appletb-kbd.c
+++ b/drivers/hid/hid-appletb-kbd.c
@@ -438,8 +438,10 @@ static int appletb_kbd_probe(struct hid_device *hdev, const struct hid_device_id
return 0;
close_hw:
- if (kbd->backlight_dev)
+ if (kbd->backlight_dev) {
put_device(&kbd->backlight_dev->dev);
+ timer_delete_sync(&kbd->inactivity_timer);
+ }
hid_hw_close(hdev);
stop_hw:
hid_hw_stop(hdev);
--
2.39.5
Hoi,
This patch series fixes a subtle regression introduced in the recent
scatter-gather cleanup for the DWC3 USB gadget driver, and follows up
with two clean-up patches to simplify and clarify related logic.
Background:
Commit 61440628a4ff ("usb: dwc3: gadget: Cleanup SG handling") removed
some redundant state tracking in the DWC3 gadget driver, including how
scatter-gather TRBs are reclaimed after use. However, the reclaim logic
began relying on the TRB CHN (chain) bit to determine whether TRBs
belonged to a chain — which led to missed TRB reclamation in some
cases.
This broke userspace-facing protocols like MTP (Media Transfer Protocol)
when used via FunctionFS, causing incomplete transfers due to skipped
zero-length packets (ZLPs) or improperly reclaimed short TRBs.
The "offending" chunk from 61440628a4ff:
80 ret = dwc3_gadget_ep_reclaim_completed_trb(dep, req,
81 - trb, event, status, true);
82 + trb, event, status,
83 + !!(trb->ctrl & DWC3_TRB_CTRL_CHN));
Patch 1 fixes the issue by ensuring the HWO bit is always cleared
on reclaimed TRBs, regardless of the CHN bit.
Patches 2 and 3 follow up with simplifications:
- Patch 2 removes the now-redundant `chain` argument to the reclaim function
- Patch 3 simplifies the logic in `dwc3_needs_extra_trb()` to make the conditions easier to read and maintain
All three patches have been tested on a imx8mp based hardware, with
userspace MTP (viveris/uMTP-Responder) over FunctionFS and resolve the
regression while preserving the recent cleanup work.
Signed-off-by: Johannes Schneider <johannes.schneider(a)leica-geosystems.com>
---
Changes in v2:
- dropped Patch 3, as it did change the logic
- CC to stable
- Link to v1: https://lore.kernel.org/r/20250621-dwc3-fix-gadget-mtp-v1-0-a45e6def71bb@le…
---
Johannes Schneider (2):
usb: dwc3: gadget: Fix TRB reclaim logic for short transfers and ZLPs
usb: dwc3: gadget: Simplify TRB reclaim logic by removing redundant 'chain' argument
drivers/usb/dwc3/gadget.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
---
base-commit: d0c22de9995b624f563bc5004d44ac2655712a56
change-id: 20250621-dwc3-fix-gadget-mtp-3c09a6ab84c6
Best regards,
--
Johannes Schneider <johannes.schneider(a)leica-geosystems.com>
This reverts commit ac64f0e893ff370c4d3426c83c1bd0acae75bcf4 which is
upstream commit be4ae8c19492cd6d5de61ccb34ffb3f5ede5eec8.
This commit is causing a suspend regression on Tegra186 Jetson TX2 with
Linux v6.12.y kernels. This is not seen with Linux v6.15 that includes
this change but indicates that there are there changes missing.
Therefore, revert this change.
Fixes: ac64f0e893ff ("cpufreq: tegra186: Share policy per cluster")
Link: https://lore.kernel.org/linux-tegra/bf1dabf7-0337-40e9-8b8e-4e93a0ffd4cc@nv…
Signed-off-by: Jon Hunter <jonathanh(a)nvidia.com>
---
drivers/cpufreq/tegra186-cpufreq.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/drivers/cpufreq/tegra186-cpufreq.c b/drivers/cpufreq/tegra186-cpufreq.c
index 4e5b6f9a56d1..7b8fcfa55038 100644
--- a/drivers/cpufreq/tegra186-cpufreq.c
+++ b/drivers/cpufreq/tegra186-cpufreq.c
@@ -73,18 +73,11 @@ static int tegra186_cpufreq_init(struct cpufreq_policy *policy)
{
struct tegra186_cpufreq_data *data = cpufreq_get_driver_data();
unsigned int cluster = data->cpus[policy->cpu].bpmp_cluster_id;
- u32 cpu;
policy->freq_table = data->clusters[cluster].table;
policy->cpuinfo.transition_latency = 300 * 1000;
policy->driver_data = NULL;
- /* set same policy for all cpus in a cluster */
- for (cpu = 0; cpu < ARRAY_SIZE(tegra186_cpus); cpu++) {
- if (data->cpus[cpu].bpmp_cluster_id == cluster)
- cpumask_set_cpu(cpu, policy->cpus);
- }
-
return 0;
}
--
2.43.0
On Wed, 16 Apr 2025, Chao Yu wrote:
> This patch adds a new sysfs entry /sys/fs/f2fs/<disk>/encoding_flags,
> it is a read-only entry to show the value of sb.s_encoding_flags, the
> value is hexadecimal.
>
> =========================== ==========
> Flag_Name Flag_Value
> =========================== ==========
> SB_ENC_STRICT_MODE_FL 0x00000001
> SB_ENC_NO_COMPAT_FALLBACK_FL 0x00000002
> =========================== ==========
>
> case#1
> mkfs.f2fs -f -O casefold -C utf8:strict /dev/vda
> mount /dev/vda /mnt/f2fs
> cat /sys/fs/f2fs/vda/encoding_flags
> 1
>
> case#2
> mkfs.f2fs -f -O casefold -C utf8 /dev/vda
> fsck.f2fs --nolinear-lookup=1 /dev/vda
> mount /dev/vda /mnt/f2fs
> cat /sys/fs/f2fs/vda/encoding_flags
> 2
>
> Signed-off-by: Chao Yu <chao(a)kernel.org>
> ---
> Documentation/ABI/testing/sysfs-fs-f2fs | 13 +++++++++++++
> fs/f2fs/sysfs.c | 9 +++++++++
> 2 files changed, 22 insertions(+)
This patch, commit 617e0491abe4 ("f2fs: sysfs: export linear_lookup in
features directory") upstream, needs to find its way into all Stable
branches containing upstream commit 91b587ba79e1 ("f2fs: Introduce
linear search for dentries"), which is essentially linux-5.15.y and
newer.
stable/linux-5.4.y:
MISSING: f2fs: Introduce linear search for dentries
MISSING: f2fs: sysfs: export linear_lookup in features directory
stable/linux-5.10.y:
MISSING: f2fs: Introduce linear search for dentries
MISSING: f2fs: sysfs: export linear_lookup in features directory
stable/linux-5.15.y:
b0938ffd39ae f2fs: Introduce linear search for dentries [5.15.179]
MISSING: f2fs: sysfs: export linear_lookup in features directory
stable/linux-6.1.y:
de605097eb17 f2fs: Introduce linear search for dentries [6.1.129]
MISSING: f2fs: sysfs: export linear_lookup in features directory
stable/linux-6.6.y:
0bf2adad03e1 f2fs: Introduce linear search for dentries [6.6.76]
MISSING: f2fs: sysfs: export linear_lookup in features directory
stable/linux-6.12.y:
00d1943fe46d f2fs: Introduce linear search for dentries [6.12.13]
MISSING: f2fs: sysfs: export linear_lookup in features directory
mainline:
91b587ba79e1 f2fs: Introduce linear search for dentries
617e0491abe4 f2fs: sysfs: export linear_lookup in features directory
> diff --git a/Documentation/ABI/testing/sysfs-fs-f2fs
> b/Documentation/ABI/testing/sysfs-fs-f2fs index
> 59adb7dc6f9e..0dbe6813b709 100644 ---
> a/Documentation/ABI/testing/sysfs-fs-f2fs +++
> b/Documentation/ABI/testing/sysfs-fs-f2fs @@ -846,3 +846,16 @@
> Description: For several zoned storage devices, vendors will provide
> extra space reserved_blocks. However, it is not enough, since this
> extra space should not be shown to users. So, with this new sysfs
> node, we can hide the space by substracting reserved_blocks from total
> bytes. + +What: /sys/fs/f2fs/<disk>/encoding_flags
> +Date: April 2025 +Contact: "Chao Yu"
> <chao(a)kernel.org> +Description: This is a read-only entry to
> show the value of sb.s_encoding_flags, the + value is
> hexadecimal. + + ===========================
> ========== + Flag_Name Flag_Value +
> =========================== ========== +
> SB_ENC_STRICT_MODE_FL 0x00000001 +
> SB_ENC_NO_COMPAT_FALLBACK_FL 0x00000002 +
> =========================== ========== diff --git
> a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c index 3a3485622691..cf98c5cbb98a
> 100644 --- a/fs/f2fs/sysfs.c +++ b/fs/f2fs/sysfs.c @@ -274,6 +274,13
> @@ static ssize_t encoding_show(struct f2fs_attr *a, return
> sysfs_emit(buf, "(none)\n"); }
>
> +static ssize_t encoding_flags_show(struct f2fs_attr *a, +
> struct f2fs_sb_info *sbi, char *buf) +{ + return sysfs_emit(buf,
> "%x\n", +
> le16_to_cpu(F2FS_RAW_SUPER(sbi)->s_encoding_flags)); +} + static
> ssize_t mounted_time_sec_show(struct f2fs_attr *a, struct f2fs_sb_info
> *sbi, char *buf) { @@ -1158,6 +1165,7 @@
> F2FS_GENERAL_RO_ATTR(features);
> F2FS_GENERAL_RO_ATTR(current_reserved_blocks);
> F2FS_GENERAL_RO_ATTR(unusable); F2FS_GENERAL_RO_ATTR(encoding);
> +F2FS_GENERAL_RO_ATTR(encoding_flags);
> F2FS_GENERAL_RO_ATTR(mounted_time_sec);
> F2FS_GENERAL_RO_ATTR(main_blkaddr);
> F2FS_GENERAL_RO_ATTR(pending_discard); @@ -1270,6 +1278,7 @@ static
> struct attribute *f2fs_attrs[] = { ATTR_LIST(reserved_blocks),
> ATTR_LIST(current_reserved_blocks), ATTR_LIST(encoding), +
> ATTR_LIST(encoding_flags), ATTR_LIST(mounted_time_sec), #ifdef
> CONFIG_F2FS_STAT_FS ATTR_LIST(cp_foreground_calls), -- 2.49.0
>
--
Lee Jones [李琼斯]