From: Greg Kroah-Hartman Date: Sun, 18 Jun 2023 12:57:33 +0000 (+0200) Subject: 6.3-stable patches X-Git-Tag: v4.14.319~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=131605989c8b5c984bc7c0cf6f7b16e089191fc4;p=thirdparty%2Fkernel%2Fstable-queue.git 6.3-stable patches added patches: clk-pxa-fix-null-pointer-dereference-in-pxa3xx_clk_update_accr.patch serial-lantiq-add-missing-interrupt-ack.patch thunderbolt-dma_test-use-correct-value-for-absent-rings-when-creating-paths.patch thunderbolt-do-not-touch-cl-state-configuration-during-discovery.patch thunderbolt-increase-displayport-connection-manager-handshake-timeout.patch thunderbolt-mask-ring-interrupt-on-intel-hardware-as-well.patch tty-serial-fsl_lpuart-reduce-rx-watermark-to-0-on-ls1028a.patch usb-dwc3-fix-use-after-free-on-core-driver-unbind.patch usb-dwc3-gadget-reset-num-trbs-before-giving-back-the-request.patch usb-dwc3-qcom-fix-null-deref-on-suspend.patch usb-gadget-udc-core-offload-usb_udc_vbus_handler-processing.patch usb-gadget-udc-core-prevent-soft_connect_store-race.patch usb-gadget-udc-renesas_usb3-fix-rz-v2m-modprobe-bind-error.patch usb-serial-option-add-quectel-em061kgl-series.patch usb-typec-fix-fast_role_swap_current-show-function.patch usb-typec-ucsi-fix-command-cancellation.patch --- diff --git a/queue-6.3/clk-pxa-fix-null-pointer-dereference-in-pxa3xx_clk_update_accr.patch b/queue-6.3/clk-pxa-fix-null-pointer-dereference-in-pxa3xx_clk_update_accr.patch new file mode 100644 index 00000000000..95acca5a852 --- /dev/null +++ b/queue-6.3/clk-pxa-fix-null-pointer-dereference-in-pxa3xx_clk_update_accr.patch @@ -0,0 +1,41 @@ +From 23200a4c8ac284f8b4263d7cecaefecaa3ad6732 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 11 May 2023 12:58:33 +0200 +Subject: clk: pxa: fix NULL pointer dereference in pxa3xx_clk_update_accr + +From: Arnd Bergmann + +commit 23200a4c8ac284f8b4263d7cecaefecaa3ad6732 upstream. + +sparse points out an embarrasing bug in an older patch of mine, +which uses the register offset instead of an __iomem pointer: + +drivers/clk/pxa/clk-pxa3xx.c:167:9: sparse: sparse: Using plain integer as NULL pointer + +Unlike sparse, gcc and clang ignore this bug and fail to warn +because a literal '0' is considered a valid representation of +a NULL pointer. + +Fixes: 3c816d950a49 ("ARM: pxa: move clk register definitions to driver") +Cc: stable@vger.kernel.org +Reported-by: kernel test robot +Link: https://lore.kernel.org/oe-kbuild-all/202305111301.RAHohdob-lkp@intel.com/ +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20230511105845.299859-1-arnd@kernel.org +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/pxa/clk-pxa3xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/pxa/clk-pxa3xx.c ++++ b/drivers/clk/pxa/clk-pxa3xx.c +@@ -164,7 +164,7 @@ void pxa3xx_clk_update_accr(u32 disable, + accr &= ~disable; + accr |= enable; + +- writel(accr, ACCR); ++ writel(accr, clk_regs + ACCR); + if (xclkcfg) + __asm__("mcr p14, 0, %0, c6, c0, 0\n" : : "r"(xclkcfg)); + diff --git a/queue-6.3/serial-lantiq-add-missing-interrupt-ack.patch b/queue-6.3/serial-lantiq-add-missing-interrupt-ack.patch new file mode 100644 index 00000000000..62ffdde1861 --- /dev/null +++ b/queue-6.3/serial-lantiq-add-missing-interrupt-ack.patch @@ -0,0 +1,36 @@ +From 306320034e8fbe7ee1cc4f5269c55658b4612048 Mon Sep 17 00:00:00 2001 +From: Bernhard Seibold +Date: Fri, 2 Jun 2023 15:30:29 +0200 +Subject: serial: lantiq: add missing interrupt ack +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bernhard Seibold + +commit 306320034e8fbe7ee1cc4f5269c55658b4612048 upstream. + +Currently, the error interrupt is never acknowledged, so once active it +will stay active indefinitely, causing the handler to be called in an +infinite loop. + +Fixes: 2f0fc4159a6a ("SERIAL: Lantiq: Add driver for MIPS Lantiq SOCs.") +Cc: +Signed-off-by: Bernhard Seibold +Reviewed-by: Ilpo Järvinen +Message-ID: <20230602133029.546-1-mail@bernhard-seibold.de> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/lantiq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/serial/lantiq.c ++++ b/drivers/tty/serial/lantiq.c +@@ -250,6 +250,7 @@ lqasc_err_int(int irq, void *_port) + struct ltq_uart_port *ltq_port = to_ltq_uart_port(port); + + spin_lock_irqsave(<q_port->lock, flags); ++ __raw_writel(ASC_IRNCR_EIR, port->membase + LTQ_ASC_IRNCR); + /* clear any pending interrupts */ + asc_update_bits(0, ASCWHBSTATE_CLRPE | ASCWHBSTATE_CLRFE | + ASCWHBSTATE_CLRROE, port->membase + LTQ_ASC_WHBSTATE); diff --git a/queue-6.3/series b/queue-6.3/series index 9f7710525b1..866cec5295a 100644 --- a/queue-6.3/series +++ b/queue-6.3/series @@ -89,3 +89,19 @@ drm-amdgpu-program-gds-backup-address-as-zero-if-no-gds-allocated.patch drm-amdgpu-implement-gfx9-patch-functions-for-resubmission.patch drm-amdgpu-modify-indirect-buffer-packages-for-resubmission.patch alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch +thunderbolt-increase-displayport-connection-manager-handshake-timeout.patch +thunderbolt-do-not-touch-cl-state-configuration-during-discovery.patch +thunderbolt-dma_test-use-correct-value-for-absent-rings-when-creating-paths.patch +thunderbolt-mask-ring-interrupt-on-intel-hardware-as-well.patch +clk-pxa-fix-null-pointer-dereference-in-pxa3xx_clk_update_accr.patch +usb-serial-option-add-quectel-em061kgl-series.patch +serial-lantiq-add-missing-interrupt-ack.patch +tty-serial-fsl_lpuart-reduce-rx-watermark-to-0-on-ls1028a.patch +usb-typec-ucsi-fix-command-cancellation.patch +usb-typec-fix-fast_role_swap_current-show-function.patch +usb-gadget-udc-core-offload-usb_udc_vbus_handler-processing.patch +usb-gadget-udc-core-prevent-soft_connect_store-race.patch +usb-gadget-udc-renesas_usb3-fix-rz-v2m-modprobe-bind-error.patch +usb-dwc3-qcom-fix-null-deref-on-suspend.patch +usb-dwc3-fix-use-after-free-on-core-driver-unbind.patch +usb-dwc3-gadget-reset-num-trbs-before-giving-back-the-request.patch diff --git a/queue-6.3/thunderbolt-dma_test-use-correct-value-for-absent-rings-when-creating-paths.patch b/queue-6.3/thunderbolt-dma_test-use-correct-value-for-absent-rings-when-creating-paths.patch new file mode 100644 index 00000000000..b0ed8275b87 --- /dev/null +++ b/queue-6.3/thunderbolt-dma_test-use-correct-value-for-absent-rings-when-creating-paths.patch @@ -0,0 +1,49 @@ +From 70c2e03e9aaf17496c63f6e42333c012f5ae5307 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 29 Mar 2023 13:23:04 +0300 +Subject: thunderbolt: dma_test: Use correct value for absent rings when creating paths + +From: Mika Westerberg + +commit 70c2e03e9aaf17496c63f6e42333c012f5ae5307 upstream. + +Both tb_xdomain_enable_paths() and tb_xdomain_disable_paths() expect -1, +not 0, if the corresponding ring is not needed. For this reason change +the driver to use correct value for the rings that are not needed. + +Fixes: 180b0689425c ("thunderbolt: Allow multiple DMA tunnels over a single XDomain connection") +Cc: stable@vger.kernel.org +Reported-by: Pengfei Xu +Tested-by: Pengfei Xu +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/dma_test.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/thunderbolt/dma_test.c ++++ b/drivers/thunderbolt/dma_test.c +@@ -192,9 +192,9 @@ static int dma_test_start_rings(struct d + } + + ret = tb_xdomain_enable_paths(dt->xd, dt->tx_hopid, +- dt->tx_ring ? dt->tx_ring->hop : 0, ++ dt->tx_ring ? dt->tx_ring->hop : -1, + dt->rx_hopid, +- dt->rx_ring ? dt->rx_ring->hop : 0); ++ dt->rx_ring ? dt->rx_ring->hop : -1); + if (ret) { + dma_test_free_rings(dt); + return ret; +@@ -218,9 +218,9 @@ static void dma_test_stop_rings(struct d + tb_ring_stop(dt->tx_ring); + + ret = tb_xdomain_disable_paths(dt->xd, dt->tx_hopid, +- dt->tx_ring ? dt->tx_ring->hop : 0, ++ dt->tx_ring ? dt->tx_ring->hop : -1, + dt->rx_hopid, +- dt->rx_ring ? dt->rx_ring->hop : 0); ++ dt->rx_ring ? dt->rx_ring->hop : -1); + if (ret) + dev_warn(&dt->svc->dev, "failed to disable DMA paths\n"); + diff --git a/queue-6.3/thunderbolt-do-not-touch-cl-state-configuration-during-discovery.patch b/queue-6.3/thunderbolt-do-not-touch-cl-state-configuration-during-discovery.patch new file mode 100644 index 00000000000..e609181cb1c --- /dev/null +++ b/queue-6.3/thunderbolt-do-not-touch-cl-state-configuration-during-discovery.patch @@ -0,0 +1,69 @@ +From 3fe95742af29b8b4eccab2ba94bc521805c6e10c Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 24 May 2023 13:47:04 +0300 +Subject: thunderbolt: Do not touch CL state configuration during discovery + +From: Mika Westerberg + +commit 3fe95742af29b8b4eccab2ba94bc521805c6e10c upstream. + +If the boot firmware has already established tunnels, especially ones +that have special requirements from the link such as DisplayPort, we +should not blindly enable CL states (nor change the TMU configuration). +Otherwise the existing tunnels may not work as expected. + +For this reason, skip the CL state enabling when we go over the existing +topology. This will also keep the TMU settings untouched because we do +not change the TMU configuration when CL states are not enabled. + +Reported-by: Koba Ko +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/7831 +Cc: stable@vger.kernel.org # v6.0+ +Acked-By: Yehezkel Bernat +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/tb.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/thunderbolt/tb.c ++++ b/drivers/thunderbolt/tb.c +@@ -737,6 +737,7 @@ static void tb_scan_port(struct tb_port + { + struct tb_cm *tcm = tb_priv(port->sw->tb); + struct tb_port *upstream_port; ++ bool discovery = false; + struct tb_switch *sw; + int ret; + +@@ -804,8 +805,10 @@ static void tb_scan_port(struct tb_port + * tunnels and know which switches were authorized already by + * the boot firmware. + */ +- if (!tcm->hotplug_active) ++ if (!tcm->hotplug_active) { + dev_set_uevent_suppress(&sw->dev, true); ++ discovery = true; ++ } + + /* + * At the moment Thunderbolt 2 and beyond (devices with LC) we +@@ -835,10 +838,14 @@ static void tb_scan_port(struct tb_port + * CL0s and CL1 are enabled and supported together. + * Silently ignore CLx enabling in case CLx is not supported. + */ +- ret = tb_switch_enable_clx(sw, TB_CL1); +- if (ret && ret != -EOPNOTSUPP) +- tb_sw_warn(sw, "failed to enable %s on upstream port\n", +- tb_switch_clx_name(TB_CL1)); ++ if (discovery) { ++ tb_sw_dbg(sw, "discovery, not touching CL states\n"); ++ } else { ++ ret = tb_switch_enable_clx(sw, TB_CL1); ++ if (ret && ret != -EOPNOTSUPP) ++ tb_sw_warn(sw, "failed to enable %s on upstream port\n", ++ tb_switch_clx_name(TB_CL1)); ++ } + + if (tb_switch_is_clx_enabled(sw, TB_CL1)) + /* diff --git a/queue-6.3/thunderbolt-increase-displayport-connection-manager-handshake-timeout.patch b/queue-6.3/thunderbolt-increase-displayport-connection-manager-handshake-timeout.patch new file mode 100644 index 00000000000..fa36eee27eb --- /dev/null +++ b/queue-6.3/thunderbolt-increase-displayport-connection-manager-handshake-timeout.patch @@ -0,0 +1,39 @@ +From b6d572aeb58a5e0be86bd51ea514c4feba996cc4 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 24 May 2023 10:41:57 +0300 +Subject: thunderbolt: Increase DisplayPort Connection Manager handshake timeout + +From: Mika Westerberg + +commit b6d572aeb58a5e0be86bd51ea514c4feba996cc4 upstream. + +It turns out that when plugging in VGA cable through USB-C to VGA/DVI +dongle the Connection Manager handshake can take longer time, at least +on Intel Titan Ridge based docks such as Dell WD91TB. This leads to +following error in the dmesg: + + thunderbolt 0000:00:0d.3: 3:10: DP tunnel activation failed, aborting + +and the display stays blank (because we failed to establish the tunnel). +For this reason increase the timeout to 3s. + +Reported-by: Koba Ko +Cc: stable@vger.kernel.org +Acked-By: Yehezkel Bernat +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/tunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/thunderbolt/tunnel.c ++++ b/drivers/thunderbolt/tunnel.c +@@ -526,7 +526,7 @@ static int tb_dp_xchg_caps(struct tb_tun + * Perform connection manager handshake between IN and OUT ports + * before capabilities exchange can take place. + */ +- ret = tb_dp_cm_handshake(in, out, 1500); ++ ret = tb_dp_cm_handshake(in, out, 3000); + if (ret) + return ret; + diff --git a/queue-6.3/thunderbolt-mask-ring-interrupt-on-intel-hardware-as-well.patch b/queue-6.3/thunderbolt-mask-ring-interrupt-on-intel-hardware-as-well.patch new file mode 100644 index 00000000000..e8a904d9815 --- /dev/null +++ b/queue-6.3/thunderbolt-mask-ring-interrupt-on-intel-hardware-as-well.patch @@ -0,0 +1,50 @@ +From 9f9666e65359d5047089aef97ac87c50f624ecb0 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Tue, 30 May 2023 08:48:29 +0300 +Subject: thunderbolt: Mask ring interrupt on Intel hardware as well + +From: Mika Westerberg + +commit 9f9666e65359d5047089aef97ac87c50f624ecb0 upstream. + +When resuming from system sleep states the driver issues following +warning on Intel hardware: + + thunderbolt 0000:07:00.0: interrupt for TX ring 0 is already enabled + +The reason for this is that the commit in question did not mask the ring +interrupt on Intel hardware leaving the interrupt active. Fix this by +masking it also in Intel hardware. + +Reported-by: beld zhang +Tested-by: beld zhang +Closes: https://lore.kernel.org/linux-usb/ZHKW5NeabmfhgLbY@debian.me/ +Fixes: c4af8e3fecd0 ("thunderbolt: Clear registers properly when auto clear isn't in use") +Cc: stable@vger.kernel.org +Reviewed-by: Mario Limonciello +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/nhi.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/thunderbolt/nhi.c ++++ b/drivers/thunderbolt/nhi.c +@@ -56,9 +56,14 @@ static int ring_interrupt_index(const st + + static void nhi_mask_interrupt(struct tb_nhi *nhi, int mask, int ring) + { +- if (nhi->quirks & QUIRK_AUTO_CLEAR_INT) +- return; +- iowrite32(mask, nhi->iobase + REG_RING_INTERRUPT_MASK_CLEAR_BASE + ring); ++ if (nhi->quirks & QUIRK_AUTO_CLEAR_INT) { ++ u32 val; ++ ++ val = ioread32(nhi->iobase + REG_RING_INTERRUPT_BASE + ring); ++ iowrite32(val & ~mask, nhi->iobase + REG_RING_INTERRUPT_BASE + ring); ++ } else { ++ iowrite32(mask, nhi->iobase + REG_RING_INTERRUPT_MASK_CLEAR_BASE + ring); ++ } + } + + static void nhi_clear_interrupt(struct tb_nhi *nhi, int ring) diff --git a/queue-6.3/tty-serial-fsl_lpuart-reduce-rx-watermark-to-0-on-ls1028a.patch b/queue-6.3/tty-serial-fsl_lpuart-reduce-rx-watermark-to-0-on-ls1028a.patch new file mode 100644 index 00000000000..7e6c3529e64 --- /dev/null +++ b/queue-6.3/tty-serial-fsl_lpuart-reduce-rx-watermark-to-0-on-ls1028a.patch @@ -0,0 +1,40 @@ +From a82c3df955f8c1c726e4976527aa6ae924a67dd9 Mon Sep 17 00:00:00 2001 +From: Robert Hodaszi +Date: Fri, 9 Jun 2023 14:13:34 +0200 +Subject: tty: serial: fsl_lpuart: reduce RX watermark to 0 on LS1028A + +From: Robert Hodaszi + +commit a82c3df955f8c1c726e4976527aa6ae924a67dd9 upstream. + +LS1028A is using DMA with LPUART. Having RX watermark set to 1, means +DMA transactions are started only after receiving the second character. + +On other platforms with newer LPUART IP, Receiver Idle Empty function +initiates the DMA request after the receiver is idling for 4 characters. +But this feature is missing on LS1028A, which is causing a 1-character +delay in the RX direction on this platform. + +Set RX watermark to 0 to initiate RX DMA after each character. + +Link: https://lore.kernel.org/linux-serial/20230607103459.1222426-1-robert.hodaszi@digi.com/ +Fixes: 9ad9df844754 ("tty: serial: fsl_lpuart: Fix the wrong RXWATER setting for rx dma case") +Cc: stable +Signed-off-by: Robert Hodaszi +Message-ID: <20230609121334.1878626-1-robert.hodaszi@digi.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/fsl_lpuart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -310,7 +310,7 @@ static const struct lpuart_soc_data ls10 + static const struct lpuart_soc_data ls1028a_data = { + .devtype = LS1028A_LPUART, + .iotype = UPIO_MEM32, +- .rx_watermark = 1, ++ .rx_watermark = 0, + }; + + static struct lpuart_soc_data imx7ulp_data = { diff --git a/queue-6.3/usb-dwc3-fix-use-after-free-on-core-driver-unbind.patch b/queue-6.3/usb-dwc3-fix-use-after-free-on-core-driver-unbind.patch new file mode 100644 index 00000000000..88ff033bc3b --- /dev/null +++ b/queue-6.3/usb-dwc3-fix-use-after-free-on-core-driver-unbind.patch @@ -0,0 +1,47 @@ +From e3dbb657571509044be15184a13134fa7c1fdca1 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 7 Jun 2023 12:05:40 +0200 +Subject: USB: dwc3: fix use-after-free on core driver unbind + +From: Johan Hovold + +commit e3dbb657571509044be15184a13134fa7c1fdca1 upstream. + +Some dwc3 glue drivers are currently accessing the driver data of the +child core device directly, which is clearly a bad idea as the child may +not have probed yet or may have been unbound from its driver. + +As a workaround until the glue drivers have been fixed, clear the driver +data pointer before allowing the glue parent device to runtime suspend +to prevent its driver from accessing data that has been freed during +unbind. + +Fixes: 6dd2565989b4 ("usb: dwc3: add imx8mp dwc3 glue layer driver") +Fixes: 6895ea55c385 ("usb: dwc3: qcom: Configure wakeup interrupts during suspend") +Cc: stable@vger.kernel.org # 5.12 +Cc: Li Jun +Cc: Sandeep Maheswaram +Cc: Krishna Kurapati +Signed-off-by: Johan Hovold +Acked-by: Thinh Nguyen +Reviewed-by: Manivannan Sadhasivam +Message-ID: <20230607100540.31045-3-johan+linaro@kernel.org> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1982,6 +1982,11 @@ static int dwc3_remove(struct platform_d + pm_runtime_allow(&pdev->dev); + pm_runtime_disable(&pdev->dev); + pm_runtime_put_noidle(&pdev->dev); ++ /* ++ * HACK: Clear the driver data, which is currently accessed by parent ++ * glue drivers, before allowing the parent to suspend. ++ */ ++ platform_set_drvdata(pdev, NULL); + pm_runtime_set_suspended(&pdev->dev); + + dwc3_free_event_buffers(dwc); diff --git a/queue-6.3/usb-dwc3-gadget-reset-num-trbs-before-giving-back-the-request.patch b/queue-6.3/usb-dwc3-gadget-reset-num-trbs-before-giving-back-the-request.patch new file mode 100644 index 00000000000..d7fc68ba9f2 --- /dev/null +++ b/queue-6.3/usb-dwc3-gadget-reset-num-trbs-before-giving-back-the-request.patch @@ -0,0 +1,41 @@ +From 00f8205ffcf112dcef14f8151d78075d38d22c08 Mon Sep 17 00:00:00 2001 +From: Elson Roy Serrao +Date: Thu, 1 Jun 2023 14:27:30 -0700 +Subject: usb: dwc3: gadget: Reset num TRBs before giving back the request + +From: Elson Roy Serrao + +commit 00f8205ffcf112dcef14f8151d78075d38d22c08 upstream. + +Consider a scenario where cable disconnect happens when there is an active +usb reqest queued to the UDC. As part of the disconnect we would issue an +end transfer with no interrupt-on-completion before giving back this +request. Since we are giving back the request without skipping TRBs the +num_trbs field of dwc3_request still holds the stale value previously used. +Function drivers re-use same request for a given bind-unbind session and +hence their dwc3_request context gets preserved across cable +disconnect/connect. When such a request gets re-queued after cable connect, +we would increase the num_trbs field on top of the previous stale value +thus incorrectly representing the number of TRBs used. Fix this by +resetting num_trbs field before giving back the request. + +Fixes: 09fe1f8d7e2f ("usb: dwc3: gadget: track number of TRBs per request") +Cc: stable +Signed-off-by: Elson Roy Serrao +Acked-by: Thinh Nguyen +Message-ID: <1685654850-8468-1-git-send-email-quic_eserrao@quicinc.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -180,6 +180,7 @@ static void dwc3_gadget_del_and_unmap_re + list_del(&req->list); + req->remaining = 0; + req->needs_extra_trb = false; ++ req->num_trbs = 0; + + if (req->request.status == -EINPROGRESS) + req->request.status = status; diff --git a/queue-6.3/usb-dwc3-qcom-fix-null-deref-on-suspend.patch b/queue-6.3/usb-dwc3-qcom-fix-null-deref-on-suspend.patch new file mode 100644 index 00000000000..84a9294f55f --- /dev/null +++ b/queue-6.3/usb-dwc3-qcom-fix-null-deref-on-suspend.patch @@ -0,0 +1,62 @@ +From d2d69354226de0b333d4405981f3d9c41ba8430a Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 7 Jun 2023 12:05:39 +0200 +Subject: USB: dwc3: qcom: fix NULL-deref on suspend + +From: Johan Hovold + +commit d2d69354226de0b333d4405981f3d9c41ba8430a upstream. + +The Qualcomm dwc3 glue driver is currently accessing the driver data of +the child core device during suspend and on wakeup interrupts. This is +clearly a bad idea as the child may not have probed yet or could have +been unbound from its driver. + +The first such layering violation was part of the initial version of the +driver, but this was later made worse when the hack that accesses the +driver data of the grand child xhci device to configure the wakeup +interrupts was added. + +Fixing this properly is not that easily done, so add a sanity check to +make sure that the child driver data is non-NULL before dereferencing it +for now. + +Note that this relies on subtleties like the fact that driver core is +making sure that the parent is not suspended while the child is probing. + +Reported-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/all/20230325165217.31069-4-manivannan.sadhasivam@linaro.org/ +Fixes: d9152161b4bf ("usb: dwc3: Add Qualcomm DWC3 glue layer driver") +Fixes: 6895ea55c385 ("usb: dwc3: qcom: Configure wakeup interrupts during suspend") +Cc: stable@vger.kernel.org # 3.18: a872ab303d5d: "usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup" +Cc: Sandeep Maheswaram +Cc: Krishna Kurapati +Signed-off-by: Johan Hovold +Acked-by: Thinh Nguyen +Reviewed-by: Manivannan Sadhasivam +Message-ID: <20230607100540.31045-2-johan+linaro@kernel.org> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-qcom.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -308,7 +308,16 @@ static void dwc3_qcom_interconnect_exit( + /* Only usable in contexts where the role can not change. */ + static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom) + { +- struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); ++ struct dwc3 *dwc; ++ ++ /* ++ * FIXME: Fix this layering violation. ++ */ ++ dwc = platform_get_drvdata(qcom->dwc3); ++ ++ /* Core driver may not have probed yet. */ ++ if (!dwc) ++ return false; + + return dwc->xhci; + } diff --git a/queue-6.3/usb-gadget-udc-core-offload-usb_udc_vbus_handler-processing.patch b/queue-6.3/usb-gadget-udc-core-offload-usb_udc_vbus_handler-processing.patch new file mode 100644 index 00000000000..5499bd634c3 --- /dev/null +++ b/queue-6.3/usb-gadget-udc-core-offload-usb_udc_vbus_handler-processing.patch @@ -0,0 +1,135 @@ +From 50966da807c81c5eb3bdfd392990fe0bba94d1ee Mon Sep 17 00:00:00 2001 +From: Badhri Jagan Sridharan +Date: Fri, 9 Jun 2023 01:02:26 +0000 +Subject: usb: gadget: udc: core: Offload usb_udc_vbus_handler processing + +From: Badhri Jagan Sridharan + +commit 50966da807c81c5eb3bdfd392990fe0bba94d1ee upstream. + +usb_udc_vbus_handler() can be invoked from interrupt context by irq +handlers of the gadget drivers, however, usb_udc_connect_control() has +to run in non-atomic context due to the following: +a. Some of the gadget driver implementations expect the ->pullup + callback to be invoked in non-atomic context. +b. usb_gadget_disconnect() acquires udc_lock which is a mutex. + +Hence offload invocation of usb_udc_connect_control() +to workqueue. + +UDC should not be pulled up unless gadget driver is bound. The new flag +"allow_connect" is now set by gadget_bind_driver() and cleared by +gadget_unbind_driver(). This prevents work item to pull up the gadget +even if queued when the gadget driver is already unbound. + +Cc: stable@vger.kernel.org +Fixes: 1016fc0c096c ("USB: gadget: Fix obscure lockdep violation for udc_mutex") +Signed-off-by: Badhri Jagan Sridharan +Reviewed-by: Alan Stern +Message-ID: <20230609010227.978661-1-badhri@google.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/core.c | 29 +++++++++++++++++++++++++++-- + 1 file changed, 27 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/udc/core.c ++++ b/drivers/usb/gadget/udc/core.c +@@ -37,6 +37,9 @@ static struct bus_type gadget_bus_type; + * @vbus: for udcs who care about vbus status, this value is real vbus status; + * for udcs who do not care about vbus status, this value is always true + * @started: the UDC's started state. True if the UDC had started. ++ * @allow_connect: Indicates whether UDC is allowed to be pulled up. ++ * Set/cleared by gadget_(un)bind_driver() after gadget driver is bound or ++ * unbound. + * + * This represents the internal data structure which is used by the UDC-class + * to hold information about udc driver and gadget together. +@@ -48,6 +51,8 @@ struct usb_udc { + struct list_head list; + bool vbus; + bool started; ++ bool allow_connect; ++ struct work_struct vbus_work; + }; + + static struct class *udc_class; +@@ -679,7 +684,7 @@ int usb_gadget_connect(struct usb_gadget + goto out; + } + +- if (gadget->deactivated) { ++ if (gadget->deactivated || !gadget->udc->allow_connect) { + /* + * If gadget is deactivated we only save new state. + * Gadget will be connected automatically after activation. +@@ -1059,6 +1064,13 @@ static void usb_udc_connect_control(stru + usb_gadget_disconnect(udc->gadget); + } + ++static void vbus_event_work(struct work_struct *work) ++{ ++ struct usb_udc *udc = container_of(work, struct usb_udc, vbus_work); ++ ++ usb_udc_connect_control(udc); ++} ++ + /** + * usb_udc_vbus_handler - updates the udc core vbus status, and try to + * connect or disconnect gadget +@@ -1067,6 +1079,14 @@ static void usb_udc_connect_control(stru + * + * The udc driver calls it when it wants to connect or disconnect gadget + * according to vbus status. ++ * ++ * This function can be invoked from interrupt context by irq handlers of ++ * the gadget drivers, however, usb_udc_connect_control() has to run in ++ * non-atomic context due to the following: ++ * a. Some of the gadget driver implementations expect the ->pullup ++ * callback to be invoked in non-atomic context. ++ * b. usb_gadget_disconnect() acquires udc_lock which is a mutex. ++ * Hence offload invocation of usb_udc_connect_control() to workqueue. + */ + void usb_udc_vbus_handler(struct usb_gadget *gadget, bool status) + { +@@ -1074,7 +1094,7 @@ void usb_udc_vbus_handler(struct usb_gad + + if (udc) { + udc->vbus = status; +- usb_udc_connect_control(udc); ++ schedule_work(&udc->vbus_work); + } + } + EXPORT_SYMBOL_GPL(usb_udc_vbus_handler); +@@ -1301,6 +1321,7 @@ int usb_add_gadget(struct usb_gadget *ga + mutex_lock(&udc_lock); + list_add_tail(&udc->list, &udc_list); + mutex_unlock(&udc_lock); ++ INIT_WORK(&udc->vbus_work, vbus_event_work); + + ret = device_add(&udc->dev); + if (ret) +@@ -1432,6 +1453,7 @@ void usb_del_gadget(struct usb_gadget *g + flush_work(&gadget->work); + device_del(&gadget->dev); + ida_free(&gadget_id_numbers, gadget->id_number); ++ cancel_work_sync(&udc->vbus_work); + device_unregister(&udc->dev); + } + EXPORT_SYMBOL_GPL(usb_del_gadget); +@@ -1500,6 +1522,7 @@ static int gadget_bind_driver(struct dev + if (ret) + goto err_start; + usb_gadget_enable_async_callbacks(udc); ++ udc->allow_connect = true; + usb_udc_connect_control(udc); + + kobject_uevent(&udc->dev.kobj, KOBJ_CHANGE); +@@ -1531,6 +1554,8 @@ static void gadget_unbind_driver(struct + + kobject_uevent(&udc->dev.kobj, KOBJ_CHANGE); + ++ udc->allow_connect = false; ++ cancel_work_sync(&udc->vbus_work); + usb_gadget_disconnect(gadget); + usb_gadget_disable_async_callbacks(udc); + if (gadget->irq) diff --git a/queue-6.3/usb-gadget-udc-core-prevent-soft_connect_store-race.patch b/queue-6.3/usb-gadget-udc-core-prevent-soft_connect_store-race.patch new file mode 100644 index 00000000000..789bd4f4cf0 --- /dev/null +++ b/queue-6.3/usb-gadget-udc-core-prevent-soft_connect_store-race.patch @@ -0,0 +1,363 @@ +From 286d9975a838d0a54da049765fa1d1fb96b89682 Mon Sep 17 00:00:00 2001 +From: Badhri Jagan Sridharan +Date: Fri, 9 Jun 2023 01:02:27 +0000 +Subject: usb: gadget: udc: core: Prevent soft_connect_store() race + +From: Badhri Jagan Sridharan + +commit 286d9975a838d0a54da049765fa1d1fb96b89682 upstream. + +usb_udc_connect_control(), soft_connect_store() and +usb_gadget_deactivate() can potentially race against each other to invoke +usb_gadget_connect()/usb_gadget_disconnect(). To prevent this, guard +udc->started, gadget->allow_connect, gadget->deactivate and +gadget->connect with connect_lock so that ->pullup() is only invoked when +the gadget is bound, started and not deactivated. The routines +usb_gadget_connect_locked(), usb_gadget_disconnect_locked(), +usb_udc_connect_control_locked(), usb_gadget_udc_start_locked(), +usb_gadget_udc_stop_locked() are called with this lock held. + +An earlier version of this commit was reverted due to the crash reported in +https://lore.kernel.org/all/ZF4BvgsOyoKxdPFF@francesco-nb.int.toradex.com/. +commit 16737e78d190 ("usb: gadget: udc: core: Offload usb_udc_vbus_handler processing") +addresses the crash reported. + +Cc: stable@vger.kernel.org +Fixes: 628ef0d273a6 ("usb: udc: add usb_udc_vbus_handler") +Signed-off-by: Badhri Jagan Sridharan +Reviewed-by: Alan Stern +Message-ID: <20230609010227.978661-2-badhri@google.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/core.c | 155 ++++++++++++++++++++++++++++-------------- + 1 file changed, 106 insertions(+), 49 deletions(-) + +--- a/drivers/usb/gadget/udc/core.c ++++ b/drivers/usb/gadget/udc/core.c +@@ -40,6 +40,11 @@ static struct bus_type gadget_bus_type; + * @allow_connect: Indicates whether UDC is allowed to be pulled up. + * Set/cleared by gadget_(un)bind_driver() after gadget driver is bound or + * unbound. ++ * @connect_lock: protects udc->started, gadget->connect, ++ * gadget->allow_connect and gadget->deactivate. The routines ++ * usb_gadget_connect_locked(), usb_gadget_disconnect_locked(), ++ * usb_udc_connect_control_locked(), usb_gadget_udc_start_locked() and ++ * usb_gadget_udc_stop_locked() are called with this lock held. + * + * This represents the internal data structure which is used by the UDC-class + * to hold information about udc driver and gadget together. +@@ -53,6 +58,7 @@ struct usb_udc { + bool started; + bool allow_connect; + struct work_struct vbus_work; ++ struct mutex connect_lock; + }; + + static struct class *udc_class; +@@ -665,17 +671,8 @@ out: + } + EXPORT_SYMBOL_GPL(usb_gadget_vbus_disconnect); + +-/** +- * usb_gadget_connect - software-controlled connect to USB host +- * @gadget:the peripheral being connected +- * +- * Enables the D+ (or potentially D-) pullup. The host will start +- * enumerating this gadget when the pullup is active and a VBUS session +- * is active (the link is powered). +- * +- * Returns zero on success, else negative errno. +- */ +-int usb_gadget_connect(struct usb_gadget *gadget) ++static int usb_gadget_connect_locked(struct usb_gadget *gadget) ++ __must_hold(&gadget->udc->connect_lock) + { + int ret = 0; + +@@ -684,10 +681,12 @@ int usb_gadget_connect(struct usb_gadget + goto out; + } + +- if (gadget->deactivated || !gadget->udc->allow_connect) { ++ if (gadget->deactivated || !gadget->udc->allow_connect || !gadget->udc->started) { + /* +- * If gadget is deactivated we only save new state. +- * Gadget will be connected automatically after activation. ++ * If the gadget isn't usable (because it is deactivated, ++ * unbound, or not yet started), we only save the new state. ++ * The gadget will be connected automatically when it is ++ * activated/bound/started. + */ + gadget->connected = true; + goto out; +@@ -702,22 +701,31 @@ out: + + return ret; + } +-EXPORT_SYMBOL_GPL(usb_gadget_connect); + + /** +- * usb_gadget_disconnect - software-controlled disconnect from USB host +- * @gadget:the peripheral being disconnected +- * +- * Disables the D+ (or potentially D-) pullup, which the host may see +- * as a disconnect (when a VBUS session is active). Not all systems +- * support software pullup controls. ++ * usb_gadget_connect - software-controlled connect to USB host ++ * @gadget:the peripheral being connected + * +- * Following a successful disconnect, invoke the ->disconnect() callback +- * for the current gadget driver so that UDC drivers don't need to. ++ * Enables the D+ (or potentially D-) pullup. The host will start ++ * enumerating this gadget when the pullup is active and a VBUS session ++ * is active (the link is powered). + * + * Returns zero on success, else negative errno. + */ +-int usb_gadget_disconnect(struct usb_gadget *gadget) ++int usb_gadget_connect(struct usb_gadget *gadget) ++{ ++ int ret; ++ ++ mutex_lock(&gadget->udc->connect_lock); ++ ret = usb_gadget_connect_locked(gadget); ++ mutex_unlock(&gadget->udc->connect_lock); ++ ++ return ret; ++} ++EXPORT_SYMBOL_GPL(usb_gadget_connect); ++ ++static int usb_gadget_disconnect_locked(struct usb_gadget *gadget) ++ __must_hold(&gadget->udc->connect_lock) + { + int ret = 0; + +@@ -729,7 +737,7 @@ int usb_gadget_disconnect(struct usb_gad + if (!gadget->connected) + goto out; + +- if (gadget->deactivated) { ++ if (gadget->deactivated || !gadget->udc->started) { + /* + * If gadget is deactivated we only save new state. + * Gadget will stay disconnected after activation. +@@ -752,6 +760,30 @@ out: + + return ret; + } ++ ++/** ++ * usb_gadget_disconnect - software-controlled disconnect from USB host ++ * @gadget:the peripheral being disconnected ++ * ++ * Disables the D+ (or potentially D-) pullup, which the host may see ++ * as a disconnect (when a VBUS session is active). Not all systems ++ * support software pullup controls. ++ * ++ * Following a successful disconnect, invoke the ->disconnect() callback ++ * for the current gadget driver so that UDC drivers don't need to. ++ * ++ * Returns zero on success, else negative errno. ++ */ ++int usb_gadget_disconnect(struct usb_gadget *gadget) ++{ ++ int ret; ++ ++ mutex_lock(&gadget->udc->connect_lock); ++ ret = usb_gadget_disconnect_locked(gadget); ++ mutex_unlock(&gadget->udc->connect_lock); ++ ++ return ret; ++} + EXPORT_SYMBOL_GPL(usb_gadget_disconnect); + + /** +@@ -769,13 +801,14 @@ int usb_gadget_deactivate(struct usb_gad + { + int ret = 0; + ++ mutex_lock(&gadget->udc->connect_lock); + if (gadget->deactivated) +- goto out; ++ goto unlock; + + if (gadget->connected) { +- ret = usb_gadget_disconnect(gadget); ++ ret = usb_gadget_disconnect_locked(gadget); + if (ret) +- goto out; ++ goto unlock; + + /* + * If gadget was being connected before deactivation, we want +@@ -785,7 +818,8 @@ int usb_gadget_deactivate(struct usb_gad + } + gadget->deactivated = true; + +-out: ++unlock: ++ mutex_unlock(&gadget->udc->connect_lock); + trace_usb_gadget_deactivate(gadget, ret); + + return ret; +@@ -805,8 +839,9 @@ int usb_gadget_activate(struct usb_gadge + { + int ret = 0; + ++ mutex_lock(&gadget->udc->connect_lock); + if (!gadget->deactivated) +- goto out; ++ goto unlock; + + gadget->deactivated = false; + +@@ -815,9 +850,11 @@ int usb_gadget_activate(struct usb_gadge + * while it was being deactivated, we call usb_gadget_connect(). + */ + if (gadget->connected) +- ret = usb_gadget_connect(gadget); ++ ret = usb_gadget_connect_locked(gadget); ++ mutex_unlock(&gadget->udc->connect_lock); + +-out: ++unlock: ++ mutex_unlock(&gadget->udc->connect_lock); + trace_usb_gadget_activate(gadget, ret); + + return ret; +@@ -1056,19 +1093,22 @@ EXPORT_SYMBOL_GPL(usb_gadget_set_state); + + /* ------------------------------------------------------------------------- */ + +-static void usb_udc_connect_control(struct usb_udc *udc) ++/* Acquire connect_lock before calling this function. */ ++static void usb_udc_connect_control_locked(struct usb_udc *udc) __must_hold(&udc->connect_lock) + { + if (udc->vbus) +- usb_gadget_connect(udc->gadget); ++ usb_gadget_connect_locked(udc->gadget); + else +- usb_gadget_disconnect(udc->gadget); ++ usb_gadget_disconnect_locked(udc->gadget); + } + + static void vbus_event_work(struct work_struct *work) + { + struct usb_udc *udc = container_of(work, struct usb_udc, vbus_work); + +- usb_udc_connect_control(udc); ++ mutex_lock(&udc->connect_lock); ++ usb_udc_connect_control_locked(udc); ++ mutex_unlock(&udc->connect_lock); + } + + /** +@@ -1117,7 +1157,7 @@ void usb_gadget_udc_reset(struct usb_gad + EXPORT_SYMBOL_GPL(usb_gadget_udc_reset); + + /** +- * usb_gadget_udc_start - tells usb device controller to start up ++ * usb_gadget_udc_start_locked - tells usb device controller to start up + * @udc: The UDC to be started + * + * This call is issued by the UDC Class driver when it's about +@@ -1128,8 +1168,11 @@ EXPORT_SYMBOL_GPL(usb_gadget_udc_reset); + * necessary to have it powered on. + * + * Returns zero on success, else negative errno. ++ * ++ * Caller should acquire connect_lock before invoking this function. + */ +-static inline int usb_gadget_udc_start(struct usb_udc *udc) ++static inline int usb_gadget_udc_start_locked(struct usb_udc *udc) ++ __must_hold(&udc->connect_lock) + { + int ret; + +@@ -1146,7 +1189,7 @@ static inline int usb_gadget_udc_start(s + } + + /** +- * usb_gadget_udc_stop - tells usb device controller we don't need it anymore ++ * usb_gadget_udc_stop_locked - tells usb device controller we don't need it anymore + * @udc: The UDC to be stopped + * + * This call is issued by the UDC Class driver after calling +@@ -1155,8 +1198,11 @@ static inline int usb_gadget_udc_start(s + * The details are implementation specific, but it can go as + * far as powering off UDC completely and disable its data + * line pullups. ++ * ++ * Caller should acquire connect lock before invoking this function. + */ +-static inline void usb_gadget_udc_stop(struct usb_udc *udc) ++static inline void usb_gadget_udc_stop_locked(struct usb_udc *udc) ++ __must_hold(&udc->connect_lock) + { + if (!udc->started) { + dev_err(&udc->dev, "UDC had already stopped\n"); +@@ -1315,6 +1361,7 @@ int usb_add_gadget(struct usb_gadget *ga + + udc->gadget = gadget; + gadget->udc = udc; ++ mutex_init(&udc->connect_lock); + + udc->started = false; + +@@ -1518,12 +1565,16 @@ static int gadget_bind_driver(struct dev + if (ret) + goto err_bind; + +- ret = usb_gadget_udc_start(udc); +- if (ret) ++ mutex_lock(&udc->connect_lock); ++ ret = usb_gadget_udc_start_locked(udc); ++ if (ret) { ++ mutex_unlock(&udc->connect_lock); + goto err_start; ++ } + usb_gadget_enable_async_callbacks(udc); + udc->allow_connect = true; +- usb_udc_connect_control(udc); ++ usb_udc_connect_control_locked(udc); ++ mutex_unlock(&udc->connect_lock); + + kobject_uevent(&udc->dev.kobj, KOBJ_CHANGE); + return 0; +@@ -1556,12 +1607,14 @@ static void gadget_unbind_driver(struct + + udc->allow_connect = false; + cancel_work_sync(&udc->vbus_work); +- usb_gadget_disconnect(gadget); ++ mutex_lock(&udc->connect_lock); ++ usb_gadget_disconnect_locked(gadget); + usb_gadget_disable_async_callbacks(udc); + if (gadget->irq) + synchronize_irq(gadget->irq); + udc->driver->unbind(gadget); +- usb_gadget_udc_stop(udc); ++ usb_gadget_udc_stop_locked(udc); ++ mutex_unlock(&udc->connect_lock); + + mutex_lock(&udc_lock); + driver->is_bound = false; +@@ -1647,11 +1700,15 @@ static ssize_t soft_connect_store(struct + } + + if (sysfs_streq(buf, "connect")) { +- usb_gadget_udc_start(udc); +- usb_gadget_connect(udc->gadget); ++ mutex_lock(&udc->connect_lock); ++ usb_gadget_udc_start_locked(udc); ++ usb_gadget_connect_locked(udc->gadget); ++ mutex_unlock(&udc->connect_lock); + } else if (sysfs_streq(buf, "disconnect")) { +- usb_gadget_disconnect(udc->gadget); +- usb_gadget_udc_stop(udc); ++ mutex_lock(&udc->connect_lock); ++ usb_gadget_disconnect_locked(udc->gadget); ++ usb_gadget_udc_stop_locked(udc); ++ mutex_unlock(&udc->connect_lock); + } else { + dev_err(dev, "unsupported command '%s'\n", buf); + ret = -EINVAL; diff --git a/queue-6.3/usb-gadget-udc-renesas_usb3-fix-rz-v2m-modprobe-bind-error.patch b/queue-6.3/usb-gadget-udc-renesas_usb3-fix-rz-v2m-modprobe-bind-error.patch new file mode 100644 index 00000000000..6d89657c08a --- /dev/null +++ b/queue-6.3/usb-gadget-udc-renesas_usb3-fix-rz-v2m-modprobe-bind-error.patch @@ -0,0 +1,46 @@ +From 3e6ac852fbc71a234de24b5455086f6b98d3d958 Mon Sep 17 00:00:00 2001 +From: Biju Das +Date: Tue, 30 May 2023 17:17:20 +0100 +Subject: usb: gadget: udc: renesas_usb3: Fix RZ/V2M {modprobe,bind} error + +From: Biju Das + +commit 3e6ac852fbc71a234de24b5455086f6b98d3d958 upstream. + +Currently {modprobe, bind} after {rmmod, unbind} results in probe failure. + +genirq: Flags mismatch irq 22. 00000004 (85070400.usb3drd) vs. 00000004 (85070400.usb3drd) +renesas_usb3: probe of 85070000.usb3peri failed with error -16 + +The reason is, it is trying to register an interrupt handler for the same +IRQ twice. The devm_request_irq() was called with the parent device. +So the interrupt handler won't be unregistered when the usb3-peri device +is unbound. + +Fix this issue by replacing "parent dev"->"dev" as the irq resource +is managed by this driver. + +Fixes: 9cad72dfc556 ("usb: gadget: Add support for RZ/V2M USB3DRD driver") +Cc: stable +Signed-off-by: Biju Das +Reviewed-by: Geert Uytterhoeven +Message-ID: <20230530161720.179927-1-biju.das.jz@bp.renesas.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/renesas_usb3.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/udc/renesas_usb3.c ++++ b/drivers/usb/gadget/udc/renesas_usb3.c +@@ -2898,9 +2898,9 @@ static int renesas_usb3_probe(struct pla + struct rzv2m_usb3drd *ddata = dev_get_drvdata(pdev->dev.parent); + + usb3->drd_reg = ddata->reg; +- ret = devm_request_irq(ddata->dev, ddata->drd_irq, ++ ret = devm_request_irq(&pdev->dev, ddata->drd_irq, + renesas_usb3_otg_irq, 0, +- dev_name(ddata->dev), usb3); ++ dev_name(&pdev->dev), usb3); + if (ret < 0) + return ret; + } diff --git a/queue-6.3/usb-serial-option-add-quectel-em061kgl-series.patch b/queue-6.3/usb-serial-option-add-quectel-em061kgl-series.patch new file mode 100644 index 00000000000..1b57a2c2754 --- /dev/null +++ b/queue-6.3/usb-serial-option-add-quectel-em061kgl-series.patch @@ -0,0 +1,99 @@ +From f1832e2b5e498e258b090af3b065b85cf8cc5161 Mon Sep 17 00:00:00 2001 +From: Jerry Meng +Date: Wed, 31 May 2023 11:51:16 +0800 +Subject: USB: serial: option: add Quectel EM061KGL series + +From: Jerry Meng + +commit f1832e2b5e498e258b090af3b065b85cf8cc5161 upstream. + +Add support for Quectel EM061KGL series which are based on Qualcomm +SDX12 chip: + +EM061KGL_LTA(0x2c7c / 0x0123): MBIM + GNSS + DIAG + NMEA + AT + QDSS + DPL +EM061KGL_LMS(0x2c7c / 0x0124): MBIM + GNSS + DIAG + NMEA + AT + QDSS + DPL +EM061KGL_LWW(0x2c7c / 0x6008): MBIM + GNSS + DIAG + NMEA + AT + QDSS + DPL +EM061KGL_LCN(0x2c7c / 0x6009): MBIM + GNSS + DIAG + NMEA + AT + QDSS + DPL + +Above products use the exact same interface layout and +option driver is for interfaces DIAG, NMEA and AT. + +T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 5 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2c7c ProdID=6008 Rev= 5.04 +S: Manufacturer=Quectel +S: Product=Quectel EM061K-GL +S: SerialNumber=f6fa08b6 +C:* #Ifs= 8 Cfg#= 1 Atr=a0 MxPwr=500mA +A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00 +I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none) +E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) +E: Ad=8f(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Jerry Meng +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -248,6 +248,8 @@ static void option_instat_callback(struc + #define QUECTEL_VENDOR_ID 0x2c7c + /* These Quectel products use Quectel's vendor ID */ + #define QUECTEL_PRODUCT_EC21 0x0121 ++#define QUECTEL_PRODUCT_EM061K_LTA 0x0123 ++#define QUECTEL_PRODUCT_EM061K_LMS 0x0124 + #define QUECTEL_PRODUCT_EC25 0x0125 + #define QUECTEL_PRODUCT_EG91 0x0191 + #define QUECTEL_PRODUCT_EG95 0x0195 +@@ -266,6 +268,8 @@ static void option_instat_callback(struc + #define QUECTEL_PRODUCT_RM520N 0x0801 + #define QUECTEL_PRODUCT_EC200U 0x0901 + #define QUECTEL_PRODUCT_EC200S_CN 0x6002 ++#define QUECTEL_PRODUCT_EM061K_LWW 0x6008 ++#define QUECTEL_PRODUCT_EM061K_LCN 0x6009 + #define QUECTEL_PRODUCT_EC200T 0x6026 + #define QUECTEL_PRODUCT_RM500K 0x7001 + +@@ -1189,6 +1193,18 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K, 0xff, 0x00, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K, 0xff, 0xff, 0x30) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K, 0xff, 0xff, 0x40) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LCN, 0xff, 0xff, 0x30) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LCN, 0xff, 0x00, 0x40) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LCN, 0xff, 0xff, 0x40) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LMS, 0xff, 0xff, 0x30) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LMS, 0xff, 0x00, 0x40) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LMS, 0xff, 0xff, 0x40) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LTA, 0xff, 0xff, 0x30) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LTA, 0xff, 0x00, 0x40) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LTA, 0xff, 0xff, 0x40) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LWW, 0xff, 0xff, 0x30) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LWW, 0xff, 0x00, 0x40) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LWW, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM12, 0xff, 0xff, 0xff), + .driver_info = RSVD(1) | RSVD(2) | RSVD(3) | RSVD(4) | NUMEP2 }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM12, 0xff, 0, 0) }, diff --git a/queue-6.3/usb-typec-fix-fast_role_swap_current-show-function.patch b/queue-6.3/usb-typec-fix-fast_role_swap_current-show-function.patch new file mode 100644 index 00000000000..151ab851e9e --- /dev/null +++ b/queue-6.3/usb-typec-fix-fast_role_swap_current-show-function.patch @@ -0,0 +1,36 @@ +From 92c9c3baad6b1fd584fbabeaa4756f9b77926cb5 Mon Sep 17 00:00:00 2001 +From: Pavan Holla +Date: Wed, 7 Jun 2023 19:33:26 +0000 +Subject: usb: typec: Fix fast_role_swap_current show function + +From: Pavan Holla + +commit 92c9c3baad6b1fd584fbabeaa4756f9b77926cb5 upstream. + +The current implementation mistakenly performs a & operation on +the output of sysfs_emit. This patch performs the & operation before +calling sysfs_emit. + +Fixes: 662a60102c12 ("usb: typec: Separate USB Power Delivery from USB Type-C") +Cc: stable +Reported-by: Benson Leung +Signed-off-by: Pavan Holla +Reviewed-by: Heikki Krogerus +Reviewed-by: Benson Leung +Message-ID: <20230607193328.3359487-1-pholla@chromium.org> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/pd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/typec/pd.c ++++ b/drivers/usb/typec/pd.c +@@ -96,7 +96,7 @@ peak_current_show(struct device *dev, st + static ssize_t + fast_role_swap_current_show(struct device *dev, struct device_attribute *attr, char *buf) + { +- return sysfs_emit(buf, "%u\n", to_pdo(dev)->pdo >> PDO_FIXED_FRS_CURR_SHIFT) & 3; ++ return sysfs_emit(buf, "%u\n", (to_pdo(dev)->pdo >> PDO_FIXED_FRS_CURR_SHIFT) & 3); + } + static DEVICE_ATTR_RO(fast_role_swap_current); + diff --git a/queue-6.3/usb-typec-ucsi-fix-command-cancellation.patch b/queue-6.3/usb-typec-ucsi-fix-command-cancellation.patch new file mode 100644 index 00000000000..92f02929a9e --- /dev/null +++ b/queue-6.3/usb-typec-ucsi-fix-command-cancellation.patch @@ -0,0 +1,51 @@ +From c4a8bfabefed706bb9150867db528ceefd5cb5fe Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Tue, 6 Jun 2023 14:58:02 +0300 +Subject: usb: typec: ucsi: Fix command cancellation + +From: Heikki Krogerus + +commit c4a8bfabefed706bb9150867db528ceefd5cb5fe upstream. + +The Cancel command was passed to the write callback as the +offset instead of as the actual command which caused NULL +pointer dereference. + +Reported-by: Stephan Bolten +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217517 +Fixes: 094902bc6a3c ("usb: typec: ucsi: Always cancel the command if PPM reports BUSY condition") +Cc: stable@vger.kernel.org +Signed-off-by: Heikki Krogerus +Message-ID: <20230606115802.79339-1-heikki.krogerus@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/usb/typec/ucsi/ucsi.c ++++ b/drivers/usb/typec/ucsi/ucsi.c +@@ -132,10 +132,8 @@ static int ucsi_exec_command(struct ucsi + if (ret) + return ret; + +- if (cci & UCSI_CCI_BUSY) { +- ucsi->ops->async_write(ucsi, UCSI_CANCEL, NULL, 0); +- return -EBUSY; +- } ++ if (cmd != UCSI_CANCEL && cci & UCSI_CCI_BUSY) ++ return ucsi_exec_command(ucsi, UCSI_CANCEL); + + if (!(cci & UCSI_CCI_COMMAND_COMPLETE)) + return -EIO; +@@ -149,6 +147,11 @@ static int ucsi_exec_command(struct ucsi + return ucsi_read_error(ucsi); + } + ++ if (cmd == UCSI_CANCEL && cci & UCSI_CCI_CANCEL_COMPLETE) { ++ ret = ucsi_acknowledge_command(ucsi); ++ return ret ? ret : -EBUSY; ++ } ++ + return UCSI_CCI_LENGTH(cci); + } +