From: Tudor Ambarus <tudor.ambarus@xxxxxxxxxx> commit 382b6eabb0316b7334d97afbdcf33a4e20b0ecd8 upstream. The blamed commit made ffs_func_disable() always return -EINVAL as the method calls ffs_func_set_alt() with the ``alt`` argument being ``(unsigned)-1``, which is always greater than MAX_ALT_SETTINGS. Use the MAX_ALT_SETTINGS check just in the f->set_alt() code path, f->disable() doesn't care about the ``alt`` parameter. Make a surgical fix, but really the f->disable() code shall be pulled out from ffs_func_set_alt(), the code will become clearer. A patch will follow. Note that ffs_func_disable() always returning -EINVAL made pixel6 crash on USB disconnect. Fixes: 2f550553e23c ("usb: gadget: f_fs: Add the missing get_alt callback") Cc: stable <stable@xxxxxxxxxx> Reported-by: William McVicker <willmcvicker@xxxxxxxxxx> Signed-off-by: Tudor Ambarus <tudor.ambarus@xxxxxxxxxx> Link: https://lore.kernel.org/r/20240802140428.2000312-2-tudor.ambarus@xxxxxxxxxx Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/usb/gadget/function/f_fs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -3731,10 +3731,10 @@ static int ffs_func_set_alt(struct usb_f struct ffs_data *ffs = func->ffs; int ret = 0, intf; - if (alt > MAX_ALT_SETTINGS) - return -EINVAL; - if (alt != (unsigned)-1) { + if (alt > MAX_ALT_SETTINGS) + return -EINVAL; + intf = ffs_func_revmap_intf(func, interface); if (intf < 0) return intf; Patches currently in stable-queue which might be from tudor.ambarus@xxxxxxxxxx are queue-6.10/usb-gadget-f_fs-restore-ffs_func_disable-functionality.patch