From nobody Sun Feb  8 20:34:44 2026
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0298122F77B;
	Wed,  7 Jan 2026 22:30:23 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1767825024; cv=none;
 b=tKc2OSc+3yDsVzob3PowiVYM+otyUjQTIccui2yJomzBrZeIuOeXv3NgoAjeOB19t8Qr6gDTBnOu3nGP/7OFcX8a682tcDCTNWBSfnOOY3rMrczk1ZYTWy64+CL9uhYlzJ4/88faTj7Z4vtCtRATdOC7O9jLFp21WLE2RRefzEc=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1767825024; c=relaxed/simple;
	bh=mSX8X0nDOjeXe2Q25Toz3gwqs42fskhILG5gKtDs/g4=;
	h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References:
	 In-Reply-To:To:Cc;
 b=E4sJan3XpgwZ3+NgidNu83VtxIPyAWQYq5GOLG8/QVDbg4FV1t5mIyduznaS3zgQyb8znAFrurQtVM4fMX+ld2geXToSdtfMGioc9OWJWgaiVNu2oo8SfSi//mFFDCPh6gxdVVqtjwYtTvTvvvxVgpG6N2i4KiAdyzpaMmyyNzA=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=UeENLN6p; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="UeENLN6p"
Received: by smtp.kernel.org (Postfix) with ESMTPS id 9F900C19421;
	Wed,  7 Jan 2026 22:30:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1767825023;
	bh=mSX8X0nDOjeXe2Q25Toz3gwqs42fskhILG5gKtDs/g4=;
	h=From:Date:Subject:References:In-Reply-To:To:Cc:Reply-To:From;
	b=UeENLN6plgK/uWOPeY0OsPpbvLY45ZxAcPtErmHVQtXjXH3/rkowcGWm0ZAY1LOT8
	 5mbH0yEttvTdpdZXRqnE4enkakD2LKI0nEfaBmH/j6Byw2bhVAd3sd/t430K6wFzcr
	 IzgQk2FJw+eyFsW8nb5MMZ4639hm4IFcugk7U/judQsnjU0Lojbe4whMWLdTFA9Rmg
	 oyfPbp099ex482wQx7eiu2rWC0RFMfX4vC/HctI0uPInyX5JGyhx/nfqZTN2qqjln5
	 pF1AThxjMGtfJjN+us1b7kQDPaSDBdRCAkJOnVMtv06NRk/BuZsPlCRSq1nfWeX/3j
	 9bhxassDo2ryA==
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 90EE2D0D179;
	Wed,  7 Jan 2026 22:30:23 +0000 (UTC)
From: Sam Day via B4 Relay <devnull+me.samcday.com@kernel.org>
Date: Thu, 08 Jan 2026 08:30:20 +1000
Subject: [PATCH 1/2] usb: gadget: f_fs: Fix ioctl error handling
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260108-ffs-dmabuf-ioctl-fix-v1-1-e51633891a81@samcday.com>
References: <20260108-ffs-dmabuf-ioctl-fix-v1-0-e51633891a81@samcday.com>
In-Reply-To: <20260108-ffs-dmabuf-ioctl-fix-v1-0-e51633891a81@samcday.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
 Sam Day <me@samcday.com>
X-Mailer: b4 0.14.2
X-Developer-Signature: v=1; a=ed25519-sha256; t=1767825022; l=2103;
 i=me@samcday.com; s=20240502; h=from:subject:message-id;
 bh=+sgu2dykusg1HSD/3fjxdCUcleWQtBrEsLL9Ec/cHXA=;
 b=oxwqyO9NTmbV96vpdsjWeB2S8TLav+HWSi6CkMSB8muMROJLX7+wolOhFlwfATRY0GQnQ+GwX
 2Mu5iFkTnyxDgJk6rVTDN+Bsye/msuDhmY3wVaR2KxW30ORHnnl+JH9
X-Developer-Key: i=me@samcday.com; a=ed25519;
 pk=bzyS0akxWMqr9+AXzgBRIp28KKpEOs+GjYMc2yf+aeU=
X-Endpoint-Received: by B4 Relay for me@samcday.com/20240502 with
 auth_id=595
X-Original-From: Sam Day <me@samcday.com>
Reply-To: me@samcday.com

From: Sam Day <me@samcday.com>

When ffs_epfile_ioctl handles FUNCTIONFS_DMABUF_* ioctls, it's currently
falling through when copy_from_user fails.

However, this fallthrough isn't being checked properly, so the handler
continues executing further than it should. It then tries the secondary
dispatch where it ultimately gives up and returns -ENOTTY.

The end result is invalid ioctl invocations will yield a -ENOTTY rather
than an -EFAULT.

It's a common pattern elsewhere in the kernel code to directly return
-EFAULT when copy_from_user fails. So we update ffs_epfile_ioctl to do
the same and fix this issue.

Signed-off-by: Sam Day <me@samcday.com>
---
 drivers/usb/gadget/function/f_fs.c | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/functi=
on/f_fs.c
index 05c6750702b609565d7a4adc1ebae16ba3ffeeb7..9ea1445bec97531f9c2bed67826=
8bd6f76199bfb 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1748,10 +1748,8 @@ static long ffs_epfile_ioctl(struct file *file, unsi=
gned code,
 	{
 		int fd;
=20
-		if (copy_from_user(&fd, (void __user *)value, sizeof(fd))) {
-			ret =3D -EFAULT;
-			break;
-		}
+		if (copy_from_user(&fd, (void __user *)value, sizeof(fd)))
+			return -EFAULT;
=20
 		return ffs_dmabuf_attach(file, fd);
 	}
@@ -1759,10 +1757,8 @@ static long ffs_epfile_ioctl(struct file *file, unsi=
gned code,
 	{
 		int fd;
=20
-		if (copy_from_user(&fd, (void __user *)value, sizeof(fd))) {
-			ret =3D -EFAULT;
-			break;
-		}
+		if (copy_from_user(&fd, (void __user *)value, sizeof(fd)))
+			return -EFAULT;
=20
 		return ffs_dmabuf_detach(file, fd);
 	}
@@ -1770,10 +1766,8 @@ static long ffs_epfile_ioctl(struct file *file, unsi=
gned code,
 	{
 		struct usb_ffs_dmabuf_transfer_req req;
=20
-		if (copy_from_user(&req, (void __user *)value, sizeof(req))) {
-			ret =3D -EFAULT;
-			break;
-		}
+		if (copy_from_user(&req, (void __user *)value, sizeof(req)))
+			return -EFAULT;
=20
 		return ffs_dmabuf_transfer(file, &req);
 	}

--=20
2.52.0
From nobody Sun Feb  8 20:34:44 2026
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 02A6A272E6A;
	Wed,  7 Jan 2026 22:30:23 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1767825024; cv=none;
 b=Ru/3bTNw1lWcjcVpgwaG0H9w0fKY0vfi6coSB/ew6K/sgyFt+6dSLnTXuAcupWLZ7vE8MGiYh8zBJG/BTp46LyfAYUWciJ36RfiJqZVoX8LWXhubHPydDtuIIMf8fGBJL5cev9fIT+3utCU3GACLxTZtVR7JYS0Dh3oDHVFx3i8=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1767825024; c=relaxed/simple;
	bh=dAkL02zScBnfhvBN0iyFjLy5tFVm0EOYNgAKlrJBcqA=;
	h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References:
	 In-Reply-To:To:Cc;
 b=fX0l0LfP/tT3PSm/zg2MPDM1ukX9Dq7myF4xmr3oPzk1vwwJU3kxJT/xlO7hd40DWKdpMvH45TbGZ9Yn2yeX4JAHjUMquVGHEWIqHOJ0h9ixawBSkSyEW4mNtI3amQnFtpUGGQgTjsBf0YuG/JbOB/KgcaAC7FLfu4fs3zNnMIM=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=mUFQ031O; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="mUFQ031O"
Received: by smtp.kernel.org (Postfix) with ESMTPS id AC70AC19422;
	Wed,  7 Jan 2026 22:30:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1767825023;
	bh=dAkL02zScBnfhvBN0iyFjLy5tFVm0EOYNgAKlrJBcqA=;
	h=From:Date:Subject:References:In-Reply-To:To:Cc:Reply-To:From;
	b=mUFQ031OIDdHVpiPJgURqQqcD72V0AJ08IkvAc1oayCIClXqRSNUBO8+oN1bCqRRg
	 RioOvsbwQlUwRV+y9n63IrkS2ewo4qbdF9T27R2NM7hEc0+SpdgjEdNMERMJp0fj41
	 Nuc5EhScswf4PDPhnQE8qybp4q49cnIwtahgpiBtQIkZeficCzslJxepolvJ/P6+7e
	 6XElQvhfFRXEZjJpeEPgQt496/qzN2jbcJMqP3m3yVRdbMB3bdGRk6BMkpBAgU12jU
	 vL+zxupenhp8DSXsMZCVh2Df9e+nHq0ng43nKBg37zlaK1frvLW5nrJVMFbEyGL7U0
	 pu46pYprky02g==
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id A031BD0D178;
	Wed,  7 Jan 2026 22:30:23 +0000 (UTC)
From: Sam Day via B4 Relay <devnull+me.samcday.com@kernel.org>
Date: Thu, 08 Jan 2026 08:30:21 +1000
Subject: [PATCH 2/2] usb: gadget: f_fs: fix DMA-BUF OUT queues
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260108-ffs-dmabuf-ioctl-fix-v1-2-e51633891a81@samcday.com>
References: <20260108-ffs-dmabuf-ioctl-fix-v1-0-e51633891a81@samcday.com>
In-Reply-To: <20260108-ffs-dmabuf-ioctl-fix-v1-0-e51633891a81@samcday.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
 Sam Day <me@samcday.com>, David Heidelberg <david@ixit.cz>
X-Mailer: b4 0.14.2
X-Developer-Signature: v=1; a=ed25519-sha256; t=1767825022; l=2158;
 i=me@samcday.com; s=20240502; h=from:subject:message-id;
 bh=azguOzfXRNk8xkQSYbcIA+Axl0/kG7ysuSZ9qR/g6jg=;
 b=hauXppLXpTgJQeqrpzIRTyDFVd8M4vidOI0TYfgI3z8TBGtDvEGdl04J5eSKScUJ6Mwd/f3NI
 EvgVUJWO5PoCe8/PodkUd4mGnMQCn3ZubQtm/SkP7V7wZslejsbi2GN
X-Developer-Key: i=me@samcday.com; a=ed25519;
 pk=bzyS0akxWMqr9+AXzgBRIp28KKpEOs+GjYMc2yf+aeU=
X-Endpoint-Received: by B4 Relay for me@samcday.com/20240502 with
 auth_id=595
X-Original-From: Sam Day <me@samcday.com>
Reply-To: me@samcday.com

From: Sam Day <me@samcday.com>

Currently, DMA_FROM_DEVICE is used when attaching DMABUFs to IN
endpoints and DMA_TO_DEVICE for OUT endpoints. This is inverted from
how it should be.

The result is IOMMU read-only mappings placed on OUT queues,
triggering arm-smmu write faults.

Put differently, OUT endpoints flow data from host -> gadget, meaning
the UDC peripheral needs to have write access to the buffer to fill it
with the incoming data.

This commit flips the directions and updates the implicit-sync helpers
so IN endpoints act as readers and OUT endpoints as writers.

Signed-off-by: Sam Day <me@samcday.com>
Tested-by: David Heidelberg <david@ixit.cz>  # OnePlus 6T on sdm845-next-20=
251119
---
 drivers/usb/gadget/function/f_fs.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/functi=
on/f_fs.c
index 9ea1445bec97531f9c2bed678268bd6f76199bfb..a738d835f61e3d6b31363ccb6dd=
a563336996b0e 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1513,7 +1513,7 @@ static int ffs_dmabuf_attach(struct file *file, int f=
d)
 		goto err_dmabuf_detach;
 	}
=20
-	dir =3D epfile->in ? DMA_FROM_DEVICE : DMA_TO_DEVICE;
+	dir =3D epfile->in ? DMA_TO_DEVICE : DMA_FROM_DEVICE;
=20
 	err =3D ffs_dma_resv_lock(dmabuf, nonblock);
 	if (err)
@@ -1643,7 +1643,7 @@ static int ffs_dmabuf_transfer(struct file *file,
 	/* Make sure we don't have writers */
 	timeout =3D nonblock ? 0 : msecs_to_jiffies(DMABUF_ENQUEUE_TIMEOUT_MS);
 	retl =3D dma_resv_wait_timeout(dmabuf->resv,
-				     dma_resv_usage_rw(epfile->in),
+				     dma_resv_usage_rw(!epfile->in),
 				     true, timeout);
 	if (retl =3D=3D 0)
 		retl =3D -EBUSY;
@@ -1688,7 +1688,7 @@ static int ffs_dmabuf_transfer(struct file *file,
 	dma_fence_init(&fence->base, &ffs_dmabuf_fence_ops,
 		       &priv->lock, priv->context, seqno);
=20
-	resv_dir =3D epfile->in ? DMA_RESV_USAGE_WRITE : DMA_RESV_USAGE_READ;
+	resv_dir =3D epfile->in ? DMA_RESV_USAGE_READ : DMA_RESV_USAGE_WRITE;
=20
 	dma_resv_add_fence(dmabuf->resv, &fence->base, resv_dir);
 	dma_resv_unlock(dmabuf->resv);

--=20
2.52.0