- Linux-stable-mirror - lists.linaro.org

Re: [PATCH] Bluetooth: btusb: Add one more ID 0x13d3:0x3612 for Realtek 8852CE

by Paul Menzel

Dear Levi, Thank you for your reply. Am 28.09.25 um 06:41 schrieb Levi Zim: > On 9/27/25 10:25 PM, Paul Menzel wrote: >> For the summary/title “one more” is not necessary. >> > I just blindly followed the format of the last commit that touches that > file. > Should I send a V2 with “one more” removed? No need to resend from my side. >> Am 27.09.25 um 04:29 schrieb Levi Zim via B4 Relay: >>> From: Levi Zim <rsworktech(a)outlook.com> >>> >>> Devices with ID 13d3:3612 are found in ASUS TUF Gaming A16 (2025) >>> and ASUS TX Gaming FA608FM. >>> >>> The corresponding device info from /sys/kernel/debug/usb/devices is >>> >>> T: Bus=03 Lev=02 Prnt=03 Port=02 Cnt=02 Dev#= 6 Spd=12 MxCh= 0 >>> D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 >>> P: Vendor=13d3 ProdID=3612 Rev= 0.00 >>> S: Manufacturer=Realtek >>> S: Product=Bluetooth Radio >>> C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA >>> I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb >>> E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms >>> E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms >>> E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms >>> I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb >>> E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms >>> E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms >>> I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb >>> E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms >>> E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms >>> I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb >>> E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms >>> E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms >>> I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb >>> E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms >>> E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms >>> I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb >>> E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms >>> E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms >>> I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb >>> E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms >>> E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms >>> I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb >>> E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms >>> E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms >>> >>> Signed-off-by: Levi Zim <rsworktech(a)outlook.com> >>> --- >>> drivers/bluetooth/btusb.c | 2 ++ >>> 1 file changed, 2 insertions(+) >>> >>> diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c >>> index >>> 8085fabadde8ff01171783b59226589757bbbbbc..d1e62b3158166a33153a6dfaade03fd3fb7d8231 100644 >>> --- a/drivers/bluetooth/btusb.c >>> +++ b/drivers/bluetooth/btusb.c >>> @@ -552,6 +552,8 @@ static const struct usb_device_id quirks_table[] = { >>> BTUSB_WIDEBAND_SPEECH }, >>> { USB_DEVICE(0x13d3, 0x3592), .driver_info = BTUSB_REALTEK | >>> BTUSB_WIDEBAND_SPEECH }, >>> + { USB_DEVICE(0x13d3, 0x3612), .driver_info = BTUSB_REALTEK | >>> + BTUSB_WIDEBAND_SPEECH }, >>> { USB_DEVICE(0x0489, 0xe122), .driver_info = BTUSB_REALTEK | >>> BTUSB_WIDEBAND_SPEECH }, >> Reviewed-by: Paul Menzel <pmenzel(a)molgen.mpg.de> Kind regards, Paul

2 months, 1 week

1
0
0 0

[PATCH v2] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free

by Jeongjun Park

The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") patched a UAF issue caused by the error timer. However, because the error timer kill added in this patch occurs after the endpoint delete, a race condition to UAF still occurs, albeit rarely. Additionally, since kill-cleanup for urb is also missing, freed memory can be accessed in interrupt context related to urb, which can cause UAF. Therefore, to prevent this, error timer and urb must be killed before freeing the heap memory. Cc: <stable(a)vger.kernel.org> Reported-by: syzbot+f02665daa2abeef4a947(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947 Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> --- sound/usb/midi.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/sound/usb/midi.c b/sound/usb/midi.c index acb3bf92857c..97e7e7662b12 100644 --- a/sound/usb/midi.c +++ b/sound/usb/midi.c @@ -1522,15 +1522,14 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) { int i; + if (!umidi->disconnected) + snd_usbmidi_disconnect(&umidi->list); + for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; - if (ep->out) - snd_usbmidi_out_endpoint_delete(ep->out); - if (ep->in) - snd_usbmidi_in_endpoint_delete(ep->in); + kfree(ep->out); } mutex_destroy(&umidi->mutex); - timer_shutdown_sync(&umidi->error_timer); kfree(umidi); } --

2 months, 1 week

2
1
0 0

[PATCH] i2c: fix reference leak in MP2 PCI device

by Ma Ke

In i2c_amd_probe(), amd_mp2_find_device() utilizes driver_find_next_device() which internally calls driver_find_device() to locate the matching device. driver_find_device() increments the reference count of the found device by calling get_device(), but amd_mp2_find_device() fails to call put_device() to decrement the reference count before returning. This results in a reference count leak of the PCI device each time i2c_amd_probe() is executed, which may prevent the device from being properly released and cause a memory leak. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 529766e0a011 ("i2c: Add drivers for the AMD PCIe MP2 I2C controller") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/i2c/busses/i2c-amd-mp2-pci.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/i2c/busses/i2c-amd-mp2-pci.c b/drivers/i2c/busses/i2c-amd-mp2-pci.c index ef7370d3dbea..1f01d3f121ba 100644 --- a/drivers/i2c/busses/i2c-amd-mp2-pci.c +++ b/drivers/i2c/busses/i2c-amd-mp2-pci.c @@ -464,7 +464,9 @@ struct amd_mp2_dev *amd_mp2_find_device(void) return NULL; pci_dev = to_pci_dev(dev); - return (struct amd_mp2_dev *)pci_get_drvdata(pci_dev); + mp2_dev = (struct amd_mp2_dev *)pci_get_drvdata(pci_dev); + put_device(dev); + return mp2_dev; } EXPORT_SYMBOL_GPL(amd_mp2_find_device); -- 2.17.1

2 months, 1 week

4
4
0 0

[PATCH] soc: samsung: exynos-pmu: fix reference leak in exynos_get_pmu_regmap_by_phandle()

by Ma Ke

In exynos_get_pmu_regmap_by_phandle(), driver_find_device_by_of_node() utilizes driver_find_device_by_fwnode() which internally calls driver_find_device() to locate the matching device. driver_find_device() increments the reference count of the found device by calling get_device(), but exynos_get_pmu_regmap_by_phandle() fails to call put_device() to decrement the reference count before returning. This results in a reference count leak of the device each time exynos_get_pmu_regmap_by_phandle() is executed, which may prevent the device from being properly released and cause a memory leak. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 0b7c6075022c ("soc: samsung: exynos-pmu: Add regmap support for SoCs that protect PMU regs") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/soc/samsung/exynos-pmu.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/soc/samsung/exynos-pmu.c b/drivers/soc/samsung/exynos-pmu.c index a77288f49d24..ed903a2dd416 100644 --- a/drivers/soc/samsung/exynos-pmu.c +++ b/drivers/soc/samsung/exynos-pmu.c @@ -302,6 +302,7 @@ struct regmap *exynos_get_pmu_regmap_by_phandle(struct device_node *np, { struct device_node *pmu_np; struct device *dev; + struct regmap *regmap; if (propname) pmu_np = of_parse_phandle(np, propname, 0); @@ -325,7 +326,10 @@ struct regmap *exynos_get_pmu_regmap_by_phandle(struct device_node *np, if (!dev) return ERR_PTR(-EPROBE_DEFER); - return syscon_node_to_regmap(pmu_np); + regmap = syscon_node_to_regmap(pmu_np); + put_device(regmap); + + return regmap; } EXPORT_SYMBOL_GPL(exynos_get_pmu_regmap_by_phandle); -- 2.17.1

2 months, 1 week

2
2
0 0

[i2c-host PATCH i2c-host-fixes v7 0/2] i2c: rtl9300: Implement I2C block read and write

by Sven Eckelmann

This patch was already applied [1] but then removed. Instead, only the chunk @@ -314,7 +343,7 @@ static u32 rtl9300_i2c_func(struct i2c_adapter *a) { return I2C_FUNC_SMBUS_QUICK | I2C_FUNC_SMBUS_BYTE | I2C_FUNC_SMBUS_BYTE_DATA | I2C_FUNC_SMBUS_WORD_DATA | - I2C_FUNC_SMBUS_BLOCK_DATA; + I2C_FUNC_SMBUS_BLOCK_DATA | I2C_FUNC_SMBUS_I2C_BLOCK; } was added as part of a patch which has nothing to do with I2C_FUNC_SMBUS_I2C_BLOCK [2] and was never submitted like this [3]. I am therefore resubmitting this patch again with a patch that is removing the errornous I2C_FUNC_SMBUS_I2C_BLOCK from i2c-host-fixes. Order: * The first patch needs to be applied on top of i2c-host-fixes * after i2c-host-fixes (with this patch) is included in the i2c-host branch: - the second patch from this series - The patches 4-12 from Jonas [4] need to be applied on top of it in the i2c-host branch: + https://lore.kernel.org/r/20250831100457.3114-5-jelonek.jonas@gmail.com + https://lore.kernel.org/r/20250831100457.3114-6-jelonek.jonas@gmail.com + https://lore.kernel.org/r/20250831100457.3114-7-jelonek.jonas@gmail.com + https://lore.kernel.org/r/20250831100457.3114-8-jelonek.jonas@gmail.com + https://lore.kernel.org/r/20250831100457.3114-9-jelonek.jonas@gmail.com + https://lore.kernel.org/r/20250831100457.3114-10-jelonek.jonas@gmail.com + https://lore.kernel.org/r/20250831100457.3114-11-jelonek.jonas@gmail.com + https://lore.kernel.org/r/20250831100457.3114-12-jelonek.jonas@gmail.com + https://lore.kernel.org/r/20250831100457.3114-13-jelonek.jonas@gmail.com [1] https://lore.kernel.org/r/a422shurtl3xrvnh2ieynqq2kw5awqnmall2wjdpozx336m26… [2] https://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux.git/commit… [3] https://lore.kernel.org/r/20250831100457.3114-4-jelonek.jonas@gmail.com [4] https://lore.kernel.org/r/20250831100457.3114-1-jelonek.jonas@gmail.com Signed-off-by: Sven Eckelmann <sven(a)narfation.org> --- Changes in v7: - Split into two patches. One for i2c-host-fixes to remove the actually unsupported I2C_FUNC_SMBUS_I2C_BLOCK. The next one is for i2c-host and readds it with the correct code. - Link to v6: https://lore.kernel.org/r/20250926-i2c-rtl9300-multi-byte-v6-1-a2d7d8926105… Changes in v6: - drop all fixes patches (which were already applied) - drop rtl9300_i2c_func chunk which was incorrectly added by another commit [2] (but was not intended to be in there by the original patch [3] - Link to v5: https://lore.kernel.org/r/20250810-i2c-rtl9300-multi-byte-v5-0-cd9dca0db722… Changes in v5: - Simplify function/capability registration by using I2C_FUNC_SMBUS_I2C_BLOCK, thanks Jonas Jelonek - Link to v4: https://lore.kernel.org/r/20250809-i2c-rtl9300-multi-byte-v4-0-d71dd5eb6121… Changes in v4: - Provide only "write" examples for "i2c: rtl9300: Fix multi-byte I2C write" - drop the second initialization of vals in rtl9300_i2c_write() directly in the "Fix multi-byte I2C write" fix - indicate in target branch for each patch in PATCH prefix - minor commit message cleanups - Link to v3: https://lore.kernel.org/r/20250804-i2c-rtl9300-multi-byte-v3-0-e20607e1b28c… Changes in v3: - integrated patch https://lore.kernel.org/r/20250615235248.529019-1-alexguo1023@gmail.com to avoid conflicts in the I2C_SMBUS_BLOCK_DATA code - added Fixes and stable(a)vger.kernel.org to Alex Guo's patch - added Chris Packham's Reviewed-by/Acked-by - Link to v2: https://lore.kernel.org/r/20250803-i2c-rtl9300-multi-byte-v2-0-9b7b759fe2b6… Changes in v2: - add the missing transfer width and read length increase for the SMBus Write/Read - Link to v1: https://lore.kernel.org/r/20250802-i2c-rtl9300-multi-byte-v1-0-5f687e0098e2… --- Harshal Gohel (1): [i2c-host] i2c: rtl9300: Implement I2C block read and write Sven Eckelmann (1): [i2c-host-fixes] i2c: rtl9300: Drop unsupported I2C_FUNC_SMBUS_BLOCK_DATA drivers/i2c/busses/i2c-rtl9300.c | 35 ++++++++++++++++++++++++++++++++--- 1 file changed, 32 insertions(+), 3 deletions(-) --- base-commit: 217f92d91c9faeb6b78bd6205b3585944cbcb433 change-id: 20250802-i2c-rtl9300-multi-byte-edaa1fb0872c Best regards, -- Sven Eckelmann <sven(a)narfation.org>

2 months, 1 week

2
2
0 0

Gratulujeme, ponuka daru

by Kristine Charity Services

2 months, 1 week

1
0
0 0

[PATCH] drm/tegra: dc: fix reference leak in tegra_dc_couple()

by Ma Ke

driver_find_device() calls get_device() to increment the reference count once a matching device is found, but there is no put_device() to balance the reference count. To avoid reference count leakage, add put_device() to decrease the reference count. Found by code review. Cc: stable(a)vger.kernel.org Fixes: a31500fe7055 ("drm/tegra: dc: Restore coupling of display controllers") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/gpu/drm/tegra/dc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c index 59d5c1ba145a..6c84bd69b11f 100644 --- a/drivers/gpu/drm/tegra/dc.c +++ b/drivers/gpu/drm/tegra/dc.c @@ -3148,6 +3148,7 @@ static int tegra_dc_couple(struct tegra_dc *dc) dc->client.parent = &parent->client; dev_dbg(dc->dev, "coupled to %s\n", dev_name(companion)); + put_device(companion); } return 0; -- 2.17.1

2 months, 1 week

3
2
0 0

[PATCH] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free

by Jeongjun Park

The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") patched a UAF issue caused by the error timer. However, because the error timer kill added in this patch occurs after the endpoint delete, a race condition to UAF still occurs, albeit rarely. Therefore, to prevent this, the error timer must be killed before freeing the heap memory. Cc: <stable(a)vger.kernel.org> Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> --- sound/usb/midi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sound/usb/midi.c b/sound/usb/midi.c index acb3bf92857c..8d15f1caa92b 100644 --- a/sound/usb/midi.c +++ b/sound/usb/midi.c @@ -1522,6 +1522,8 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) { int i; + timer_shutdown_sync(&umidi->error_timer); + for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; if (ep->out) @@ -1530,7 +1532,6 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) snd_usbmidi_in_endpoint_delete(ep->in); } mutex_destroy(&umidi->mutex); - timer_shutdown_sync(&umidi->error_timer); kfree(umidi); } --

2 months, 1 week

2
3
0 0

Website Designing, Mobile Apps & Tie-ups.

by Sales Bard India

Greetings!! We are a 24+ yr old high tech Web Development firm with presence of over 18+ yrs in Mauritius; partners of RV TechAdvisora Ltd and headquartered in India We have catered to over 7000 trendy websites; are a team of 30 people. Our Services: Domain Registrations, Webhosting, Google Workspace, Mobile Responsive Website Designing, Wordpress Websites, Mobile Apps, Web Apps, E-commerce websites, Google Ads, SEO, Catalogue design & affiliated services Find below some of the ready packages we offer for making an easy selection for the kind of Mobile Responsive HTML Website: 5 page Responsive Website @ MUR 13,499/- 10 page Responsive Website @ MUR 19,999/- 15 page Responsive Website @ MUR 25,499/- 20 page Responsive Website @ MUR 31,499/- 25 page Responsive Website @ MUR 36,499/- 30 page Responsive Website @ MUR 40,999/- Additional page beyond 30 pages @ MUR 1199 per page Find below some of the ready packages we offer for making an easy selection for the kind of Mobile Responsive Wordpress Website; With Wordpress CMS, website content can be easily maintained by your company with a backend login. 5 page Responsive Website @ MUR 14,999/- 10 page Responsive Website @ MUR 21,999/- 15 page Responsive Website @ MUR 27,499/- 20 page Responsive Website @ MUR 32,999/- 25 page Responsive Website @ MUR 36,999/- 30 page Responsive Website @ MUR 40,999/- Additional page beyond 30 pages @ MUR 1199 per page Our brief website portfolio: http://www.mirackle.com/portfolio.html Note: We are also looking for tie-ups with IT/Web design cos. who would want to outsource work for high end Websites/Mobile APP requirements etc. We have a team of highly skilled php coders who can cater to any complex requirement. India Whatsapp: +91 9323272846 / 9323551195; Mauritius WharsApp: +230 5758 5497; Email: business(a)mirackle.com ; Web: http://www.mirackle.com Regards, Amit Patel

2 months, 1 week

1
0
0 0

[PATCH] perf: arm_cspmu: fix error handling in arm_cspmu_impl_unregister()

by Ma Ke

driver_find_device() calls get_device() to increment the reference count once a matching device is found. device_release_driver() releases the driver, but it does not decrease the reference count that was incremented by driver_find_device(). At the end of the loop, there is no put_device() to balance the reference count. To avoid reference count leakage, add put_device() to decrease the reference count. Found by code review. Cc: stable(a)vger.kernel.org Fixes: bfc653aa89cb ("perf: arm_cspmu: Separate Arm and vendor module") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/perf/arm_cspmu/arm_cspmu.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/perf/arm_cspmu/arm_cspmu.c b/drivers/perf/arm_cspmu/arm_cspmu.c index efa9b229e701..e0d4293f06f9 100644 --- a/drivers/perf/arm_cspmu/arm_cspmu.c +++ b/drivers/perf/arm_cspmu/arm_cspmu.c @@ -1365,8 +1365,10 @@ void arm_cspmu_impl_unregister(const struct arm_cspmu_impl_match *impl_match) /* Unbind the driver from all matching backend devices. */ while ((dev = driver_find_device(&arm_cspmu_driver.driver, NULL, - match, arm_cspmu_match_device))) + match, arm_cspmu_match_device))) { device_release_driver(dev); + put_device(dev); + } mutex_lock(&arm_cspmu_lock); -- 2.17.1

2 months, 1 week

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror