--- /dev/null
+From 46248400d81e2aa0b65cd659d6f40188192a58b6 Mon Sep 17 00:00:00 2001
+From: Richard Acayan <mailingradian@gmail.com>
+Date: Tue, 23 May 2023 16:25:50 +0100
+Subject: misc: fastrpc: reject new invocations during device removal
+
+From: Richard Acayan <mailingradian@gmail.com>
+
+commit 46248400d81e2aa0b65cd659d6f40188192a58b6 upstream.
+
+The channel's rpmsg object allows new invocations to be made. After old
+invocations are already interrupted, the driver shouldn't try to invoke
+anymore. Invalidating the rpmsg at the end of the driver removal
+function makes it easy to cause a race condition in userspace. Even
+closing a file descriptor before the driver finishes its cleanup can
+cause an invocation via fastrpc_release_current_dsp_process() and
+subsequent timeout.
+
+Invalidate the channel before the invocations are interrupted to make
+sure that no invocations can be created to hang after the device closes.
+
+Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Richard Acayan <mailingradian@gmail.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20230523152550.438363-5-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -1497,7 +1497,9 @@ static void fastrpc_rpmsg_remove(struct
+ struct fastrpc_user *user;
+ unsigned long flags;
+
++ /* No invocations past this point */
+ spin_lock_irqsave(&cctx->lock, flags);
++ cctx->rpdev = NULL;
+ list_for_each_entry(user, &cctx->users, user)
+ fastrpc_notify_users(user);
+ spin_unlock_irqrestore(&cctx->lock, flags);
+@@ -1505,7 +1507,6 @@ static void fastrpc_rpmsg_remove(struct
+ misc_deregister(&cctx->miscdev);
+ of_platform_depopulate(&rpdev->dev);
+
+- cctx->rpdev = NULL;
+ fastrpc_channel_ctx_put(cctx);
+ }
+
--- /dev/null
+From b6a062853ddf6b4f653af2d8b75ba45bb9a036ad Mon Sep 17 00:00:00 2001
+From: Richard Acayan <mailingradian@gmail.com>
+Date: Tue, 23 May 2023 16:25:49 +0100
+Subject: misc: fastrpc: return -EPIPE to invocations on device removal
+
+From: Richard Acayan <mailingradian@gmail.com>
+
+commit b6a062853ddf6b4f653af2d8b75ba45bb9a036ad upstream.
+
+The return value is initialized as -1, or -EPERM. The completion of an
+invocation implies that the return value is set appropriately, but
+"Permission denied" does not accurately describe the outcome of the
+invocation. Set the invocation's return value to a more appropriate
+"Broken pipe", as the cleanup breaks the driver's connection with rpmsg.
+
+Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Richard Acayan <mailingradian@gmail.com>
+Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20230523152550.438363-4-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -1484,8 +1484,10 @@ static void fastrpc_notify_users(struct
+ struct fastrpc_invoke_ctx *ctx;
+
+ spin_lock(&user->lock);
+- list_for_each_entry(ctx, &user->pending, node)
++ list_for_each_entry(ctx, &user->pending, node) {
++ ctx->retval = -EPIPE;
+ complete(&ctx->work);
++ }
+ spin_unlock(&user->lock);
+ }
+
--- /dev/null
+From 36936a56e1814f6c526fe71fbf980beab4f5577a Mon Sep 17 00:00:00 2001
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Date: Fri, 26 May 2023 16:38:11 +0200
+Subject: net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+
+commit 36936a56e1814f6c526fe71fbf980beab4f5577a upstream.
+
+BM818 is based on Qualcomm MDM9607 chipset.
+
+Fixes: 9a07406b00cd ("net: usb: qmi_wwan: Add the BroadMobi BM818 card")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Link: https://lore.kernel.org/r/20230526-bm818-dtr-v1-1-64bbfa6ba8af@puri.sm
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1282,7 +1282,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x2001, 0x7e3d, 4)}, /* D-Link DWM-222 A2 */
+ {QMI_FIXED_INTF(0x2020, 0x2031, 4)}, /* Olicard 600 */
+ {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */
+- {QMI_FIXED_INTF(0x2020, 0x2060, 4)}, /* BroadMobi BM818 */
++ {QMI_QUIRK_SET_DTR(0x2020, 0x2060, 4)}, /* BroadMobi BM818 */
+ {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */
+ {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */
+ {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */
iio-light-vcnl4035-fixed-chip-id-check.patch
iio-dac-mcp4725-fix-i2c_master_send-return-value-handling.patch
iio-dac-build-ad5758-driver-when-ad5758-is-selected.patch
+net-usb-qmi_wwan-set-dtr-quirk-for-broadmobi-bm818.patch
+usb-gadget-f_fs-add-unbind-event-before-functionfs_unbind.patch
+misc-fastrpc-return-epipe-to-invocations-on-device-removal.patch
+misc-fastrpc-reject-new-invocations-during-device-removal.patch
--- /dev/null
+From efb6b535207395a5c7317993602e2503ca8cb4b3 Mon Sep 17 00:00:00 2001
+From: Uttkarsh Aggarwal <quic_uaggarwa@quicinc.com>
+Date: Thu, 25 May 2023 14:58:54 +0530
+Subject: usb: gadget: f_fs: Add unbind event before functionfs_unbind
+
+From: Uttkarsh Aggarwal <quic_uaggarwa@quicinc.com>
+
+commit efb6b535207395a5c7317993602e2503ca8cb4b3 upstream.
+
+While exercising the unbind path, with the current implementation
+the functionfs_unbind would be calling which waits for the ffs->mutex
+to be available, however within the same time ffs_ep0_read is invoked
+& if no setup packets are pending, it will invoke function
+wait_event_interruptible_exclusive_locked_irq which by definition waits
+for the ev.count to be increased inside the same mutex for which
+functionfs_unbind is waiting.
+This creates deadlock situation because the functionfs_unbind won't
+get the lock until ev.count is increased which can only happen if
+the caller ffs_func_unbind can proceed further.
+
+Following is the illustration:
+
+ CPU1 CPU2
+
+ffs_func_unbind() ffs_ep0_read()
+ mutex_lock(ffs->mutex)
+ wait_event(ffs->ev.count)
+functionfs_unbind()
+ mutex_lock(ffs->mutex)
+ mutex_unlock(ffs->mutex)
+
+ffs_event_add()
+
+<deadlock>
+
+Fix this by moving the event unbind before functionfs_unbind
+to ensure the ev.count is incrased properly.
+
+Fixes: 6a19da111057 ("usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Uttkarsh Aggarwal <quic_uaggarwa@quicinc.com>
+Link: https://lore.kernel.org/r/20230525092854.7992-1-quic_uaggarwa@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -3628,6 +3628,7 @@ static void ffs_func_unbind(struct usb_c
+ /* Drain any pending AIO completions */
+ drain_workqueue(ffs->io_completion_wq);
+
++ ffs_event_add(ffs, FUNCTIONFS_UNBIND);
+ if (!--opts->refcnt)
+ functionfs_unbind(ffs);
+
+@@ -3652,7 +3653,6 @@ static void ffs_func_unbind(struct usb_c
+ func->function.ssp_descriptors = NULL;
+ func->interfaces_nums = NULL;
+
+- ffs_event_add(ffs, FUNCTIONFS_UNBIND);
+ }
+
+ static struct usb_function *ffs_alloc(struct usb_function_instance *fi)
projects / thirdparty / kernel / stable-queue.git / commitdiff
