From: Greg Kroah-Hartman Date: Mon, 13 Dec 2021 08:32:09 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.4.295~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3304f5223996710d0d40b3b3df2666b2fa8c270d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: aio-fix-incorrect-usage-of-eventfd_signal_allowed.patch bus-mhi-core-add-support-for-forced-pm-resume.patch bus-mhi-pci_generic-fix-device-recovery-failed-issue.patch clocksource-drivers-dw_apb_timer_of-fix-probe-failure.patch csky-fix-typo-of-fpu-config-macro.patch iio-accel-kxcjk-1013-fix-possible-memory-leak-in-probe-and-remove.patch iio-ad7768-1-call-iio_trigger_notify_done-on-error.patch iio-adc-axp20x_adc-fix-charging-current-reporting-on-axp22x.patch iio-adc-stm32-fix-a-current-leak-by-resetting-pcsel-before-disabling-vdda.patch iio-at91-sama5d2-fix-incorrect-sign-extension.patch iio-dln2-adc-fix-lockdep-complaint.patch iio-dln2-check-return-value-of-devm_iio_trigger_register.patch iio-gyro-adxrs290-fix-data-signedness.patch iio-itg3200-call-iio_trigger_notify_done-on-error.patch iio-kxsd9-don-t-return-error-code-in-trigger-handler.patch iio-ltr501-don-t-return-error-code-in-trigger-handler.patch iio-mma8452-fix-trigger-reference-couting.patch iio-stk3310-don-t-return-error-code-in-interrupt-handler.patch iio-trigger-fix-reference-counting.patch iio-trigger-stm32-timer-fix-module_alias.patch irqchip-armada-370-xp-fix-return-value-of-armada_370_xp_msi_alloc.patch irqchip-armada-370-xp-fix-support-for-multi-msi-interrupts.patch irqchip-aspeed-scu-replace-update_bits-with-write_bits.patch irqchip-irq-gic-v3-its.c-force-synchronisation-when-issuing-invall.patch irqchip-nvic-fix-offset-for-interrupt-priority-offsets.patch misc-fastrpc-fix-improper-packet-size-calculation.patch misc-rtsx-avoid-mangling-irq-during-runtime-pm.patch nvmem-eeprom-at25-fix-fram-byte_len.patch revert-usb-dwc3-dwc3-qcom-enable-tx-fifo-resize-property-by-default.patch usb-core-config-fix-validation-of-wmaxpacketvalue-entries.patch usb-core-config-using-bit-mask-instead-of-individual-bits.patch usb-gadget-detect-too-big-endpoint-0-requests.patch usb-gadget-zero-allocate-endpoint-0-buffers.patch xhci-avoid-race-between-disable-slot-command-and-host-runtime-suspend.patch xhci-remove-config_usb_default_persist-to-prevent-xhci-from-runtime-suspending.patch --- diff --git a/queue-5.15/aio-fix-incorrect-usage-of-eventfd_signal_allowed.patch b/queue-5.15/aio-fix-incorrect-usage-of-eventfd_signal_allowed.patch new file mode 100644 index 00000000000..61acf4cc690 --- /dev/null +++ b/queue-5.15/aio-fix-incorrect-usage-of-eventfd_signal_allowed.patch @@ -0,0 +1,34 @@ +From 4b3749865374899e115aa8c48681709b086fe6d3 Mon Sep 17 00:00:00 2001 +From: Xie Yongji +Date: Mon, 13 Sep 2021 19:19:28 +0800 +Subject: aio: Fix incorrect usage of eventfd_signal_allowed() + +From: Xie Yongji + +commit 4b3749865374899e115aa8c48681709b086fe6d3 upstream. + +We should defer eventfd_signal() to the workqueue when +eventfd_signal_allowed() return false rather than return +true. + +Fixes: b542e383d8c0 ("eventfd: Make signal recursion protection a task bit") +Signed-off-by: Xie Yongji +Link: https://lore.kernel.org/r/20210913111928.98-1-xieyongji@bytedance.com +Reviewed-by: Eric Biggers +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + fs/aio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -1761,7 +1761,7 @@ static int aio_poll_wake(struct wait_que + list_del_init(&req->wait.entry); + list_del(&iocb->ki_list); + iocb->ki_res.res = mangle_poll(mask); +- if (iocb->ki_eventfd && eventfd_signal_allowed()) { ++ if (iocb->ki_eventfd && !eventfd_signal_allowed()) { + iocb = NULL; + INIT_WORK(&req->work, aio_poll_put_work); + schedule_work(&req->work); diff --git a/queue-5.15/bus-mhi-core-add-support-for-forced-pm-resume.patch b/queue-5.15/bus-mhi-core-add-support-for-forced-pm-resume.patch new file mode 100644 index 00000000000..46452ac3608 --- /dev/null +++ b/queue-5.15/bus-mhi-core-add-support-for-forced-pm-resume.patch @@ -0,0 +1,121 @@ +From cab2d3fd6866e089b5c50db09dece131f85bfebd Mon Sep 17 00:00:00 2001 +From: Loic Poulain +Date: Thu, 9 Dec 2021 18:46:33 +0530 +Subject: bus: mhi: core: Add support for forced PM resume + +From: Loic Poulain + +commit cab2d3fd6866e089b5c50db09dece131f85bfebd upstream. + +For whatever reason, some devices like QCA6390, WCN6855 using ath11k +are not in M3 state during PM resume, but still functional. The +mhi_pm_resume should then not fail in those cases, and let the higher +level device specific stack continue resuming process. + +Add an API mhi_pm_resume_force(), to force resuming irrespective of the +current MHI state. This fixes a regression with non functional ath11k WiFi +after suspend/resume cycle on some machines. + +Bug report: https://bugzilla.kernel.org/show_bug.cgi?id=214179 + +Link: https://lore.kernel.org/regressions/871r5p0x2u.fsf@codeaurora.org/ +Fixes: 020d3b26c07a ("bus: mhi: Early MHI resume failure in non M3 state") +Cc: stable@vger.kernel.org #5.13 +Reported-by: Kalle Valo +Reported-by: Pengyu Ma +Tested-by: Kalle Valo +Acked-by: Kalle Valo +Signed-off-by: Loic Poulain +[mani: Switched to API, added bug report, reported-by tags and CCed stable] +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20211209131633.4168-1-manivannan.sadhasivam@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/mhi/core/pm.c | 21 ++++++++++++++++++--- + drivers/net/wireless/ath/ath11k/mhi.c | 6 +++++- + include/linux/mhi.h | 13 +++++++++++++ + 3 files changed, 36 insertions(+), 4 deletions(-) + +--- a/drivers/bus/mhi/core/pm.c ++++ b/drivers/bus/mhi/core/pm.c +@@ -881,7 +881,7 @@ int mhi_pm_suspend(struct mhi_controller + } + EXPORT_SYMBOL_GPL(mhi_pm_suspend); + +-int mhi_pm_resume(struct mhi_controller *mhi_cntrl) ++static int __mhi_pm_resume(struct mhi_controller *mhi_cntrl, bool force) + { + struct mhi_chan *itr, *tmp; + struct device *dev = &mhi_cntrl->mhi_dev->dev; +@@ -898,8 +898,12 @@ int mhi_pm_resume(struct mhi_controller + if (MHI_PM_IN_ERROR_STATE(mhi_cntrl->pm_state)) + return -EIO; + +- if (mhi_get_mhi_state(mhi_cntrl) != MHI_STATE_M3) +- return -EINVAL; ++ if (mhi_get_mhi_state(mhi_cntrl) != MHI_STATE_M3) { ++ dev_warn(dev, "Resuming from non M3 state (%s)\n", ++ TO_MHI_STATE_STR(mhi_get_mhi_state(mhi_cntrl))); ++ if (!force) ++ return -EINVAL; ++ } + + /* Notify clients about exiting LPM */ + list_for_each_entry_safe(itr, tmp, &mhi_cntrl->lpm_chans, node) { +@@ -940,8 +944,19 @@ int mhi_pm_resume(struct mhi_controller + + return 0; + } ++ ++int mhi_pm_resume(struct mhi_controller *mhi_cntrl) ++{ ++ return __mhi_pm_resume(mhi_cntrl, false); ++} + EXPORT_SYMBOL_GPL(mhi_pm_resume); + ++int mhi_pm_resume_force(struct mhi_controller *mhi_cntrl) ++{ ++ return __mhi_pm_resume(mhi_cntrl, true); ++} ++EXPORT_SYMBOL_GPL(mhi_pm_resume_force); ++ + int __mhi_device_get_sync(struct mhi_controller *mhi_cntrl) + { + int ret; +--- a/drivers/net/wireless/ath/ath11k/mhi.c ++++ b/drivers/net/wireless/ath/ath11k/mhi.c +@@ -533,7 +533,11 @@ static int ath11k_mhi_set_state(struct a + ret = mhi_pm_suspend(ab_pci->mhi_ctrl); + break; + case ATH11K_MHI_RESUME: +- ret = mhi_pm_resume(ab_pci->mhi_ctrl); ++ /* Do force MHI resume as some devices like QCA6390, WCN6855 ++ * are not in M3 state but they are functional. So just ignore ++ * the MHI state while resuming. ++ */ ++ ret = mhi_pm_resume_force(ab_pci->mhi_ctrl); + break; + case ATH11K_MHI_TRIGGER_RDDM: + ret = mhi_force_rddm_mode(ab_pci->mhi_ctrl); +--- a/include/linux/mhi.h ++++ b/include/linux/mhi.h +@@ -664,6 +664,19 @@ int mhi_pm_suspend(struct mhi_controller + int mhi_pm_resume(struct mhi_controller *mhi_cntrl); + + /** ++ * mhi_pm_resume_force - Force resume MHI from suspended state ++ * @mhi_cntrl: MHI controller ++ * ++ * Resume the device irrespective of its MHI state. As per the MHI spec, devices ++ * has to be in M3 state during resume. But some devices seem to be in a ++ * different MHI state other than M3 but they continue working fine if allowed. ++ * This API is intented to be used for such devices. ++ * ++ * Return: 0 if the resume succeeds, a negative error code otherwise ++ */ ++int mhi_pm_resume_force(struct mhi_controller *mhi_cntrl); ++ ++/** + * mhi_download_rddm_image - Download ramdump image from device for + * debugging purpose. + * @mhi_cntrl: MHI controller diff --git a/queue-5.15/bus-mhi-pci_generic-fix-device-recovery-failed-issue.patch b/queue-5.15/bus-mhi-pci_generic-fix-device-recovery-failed-issue.patch new file mode 100644 index 00000000000..160c3c7f7ad --- /dev/null +++ b/queue-5.15/bus-mhi-pci_generic-fix-device-recovery-failed-issue.patch @@ -0,0 +1,79 @@ +From e2022cbec9c2606514c4edc4a760e3acb7419d8a Mon Sep 17 00:00:00 2001 +From: Slark Xiao +Date: Fri, 26 Nov 2021 16:19:51 +0530 +Subject: bus: mhi: pci_generic: Fix device recovery failed issue + +From: Slark Xiao + +commit e2022cbec9c2606514c4edc4a760e3acb7419d8a upstream. + +For Foxconn T99W175 device(sdx55 platform) in some host platform, +it would be unavailable once the host execute the err handler. + +After checking, it's caused by the delay time too short to +get a successful reset. + +Please see my test evidence as bewlow(BTW, I add some extra test logs +in function mhi_pci_reset_prepare and mhi_pci_reset_done): + When MHI_POST_RESET_DELAY_MS equals to 500ms: + Nov 4 14:30:03 jbd-ThinkEdge kernel: [ 146.222477] mhi mhi0: Device MHI is not in valid state + Nov 4 14:30:03 jbd-ThinkEdge kernel: [ 146.222628] mhi-pci-generic 0000:2d:00.0: mhi_pci_reset_prepare reset + Nov 4 14:30:03 jbd-ThinkEdge kernel: [ 146.222631] mhi-pci-generic 0000:2d:00.0: mhi_pci_reset_prepare mhi_soc_reset + Nov 4 14:30:03 jbd-ThinkEdge kernel: [ 146.222632] mhi mhi0: mhi_soc_reset write soc to reset + Nov 4 14:30:05 jbd-ThinkEdge kernel: [ 147.839993] mhi-pci-generic 0000:2d:00.0: mhi_pci_reset_done + Nov 4 14:30:05 jbd-ThinkEdge kernel: [ 147.902063] mhi-pci-generic 0000:2d:00.0: reset failed + + When MHI_POST_RESET_DELAY_MS equals to 1000ms or 1500ms: + Nov 4 19:07:26 jbd-ThinkEdge kernel: [ 157.067857] mhi mhi0: Device MHI is not in valid state + Nov 4 19:07:26 jbd-ThinkEdge kernel: [ 157.068029] mhi-pci-generic 0000:2d:00.0: mhi_pci_reset_prepare reset + Nov 4 19:07:26 jbd-ThinkEdge kernel: [ 157.068032] mhi-pci-generic 0000:2d:00.0: mhi_pci_reset_prepare mhi_soc_reset + Nov 4 19:07:26 jbd-ThinkEdge kernel: [ 157.068034] mhi mhi0: mhi_soc_reset write soc to reset + Nov 4 19:07:29 jbd-ThinkEdge kernel: [ 159.607006] mhi-pci-generic 0000:2d:00.0: mhi_pci_reset_done + Nov 4 19:07:29 jbd-ThinkEdge kernel: [ 159.607152] mhi mhi0: Requested to power ON + Nov 4 19:07:51 jbd-ThinkEdge kernel: [ 181.302872] mhi mhi0: Failed to reset MHI due to syserr state + Nov 4 19:07:51 jbd-ThinkEdge kernel: [ 181.303011] mhi-pci-generic 0000:2d:00.0: failed to power up MHI controller + + When MHI_POST_RESET_DELAY_MS equals to 2000ms: + Nov 4 17:51:08 jbd-ThinkEdge kernel: [ 147.180527] mhi mhi0: Failed to transition from PM state: Linkdown or Error Fatal Detect to: SYS ERROR Process + Nov 4 17:51:08 jbd-ThinkEdge kernel: [ 147.180535] mhi mhi0: Device MHI is not in valid state + Nov 4 17:51:08 jbd-ThinkEdge kernel: [ 147.180722] mhi-pci-generic 0000:2d:00.0: mhi_pci_reset_prepare reset + Nov 4 17:51:08 jbd-ThinkEdge kernel: [ 147.180725] mhi-pci-generic 0000:2d:00.0: mhi_pci_reset_prepare mhi_soc_reset + Nov 4 17:51:08 jbd-ThinkEdge kernel: [ 147.180727] mhi mhi0: mhi_soc_reset write soc to reset + Nov 4 17:51:11 jbd-ThinkEdge kernel: [ 150.230787] mhi-pci-generic 0000:2d:00.0: mhi_pci_reset_done + Nov 4 17:51:11 jbd-ThinkEdge kernel: [ 150.230928] mhi mhi0: Requested to power ON + Nov 4 17:51:11 jbd-ThinkEdge kernel: [ 150.231173] mhi mhi0: Power on setup success + Nov 4 17:51:14 jbd-ThinkEdge kernel: [ 153.254747] mhi mhi0: Wait for device to enter SBL or Mission mode + +I also tried big data like 3000, and it worked as well. 500ms may not be +enough for all support mhi device. We shall increase it to 2000ms +at least. + +Link: https://lore.kernel.org/r/20211108113127.3938-1-slark_xiao@163.com +[mani: massaged commit message little bit, added Fixes tag and CCed stable] +Fixes: 8ccc3279fcad ("mhi: pci_generic: Add support for reset") +Cc: stable@vger.kernel.org +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Slark Xiao +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20211126104951.35685-2-manivannan.sadhasivam@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/mhi/pci_generic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bus/mhi/pci_generic.c b/drivers/bus/mhi/pci_generic.c +index 59a4896a8030..4c577a731709 100644 +--- a/drivers/bus/mhi/pci_generic.c ++++ b/drivers/bus/mhi/pci_generic.c +@@ -20,7 +20,7 @@ + + #define MHI_PCI_DEFAULT_BAR_NUM 0 + +-#define MHI_POST_RESET_DELAY_MS 500 ++#define MHI_POST_RESET_DELAY_MS 2000 + + #define HEALTH_CHECK_PERIOD (HZ * 2) + +-- +2.34.1 + diff --git a/queue-5.15/clocksource-drivers-dw_apb_timer_of-fix-probe-failure.patch b/queue-5.15/clocksource-drivers-dw_apb_timer_of-fix-probe-failure.patch new file mode 100644 index 00000000000..5448e7c9c58 --- /dev/null +++ b/queue-5.15/clocksource-drivers-dw_apb_timer_of-fix-probe-failure.patch @@ -0,0 +1,54 @@ +From a663bd19114d79f0902e2490fc484e5a7419cdc2 Mon Sep 17 00:00:00 2001 +From: Alexey Sheplyakov +Date: Tue, 9 Nov 2021 19:34:02 +0400 +Subject: clocksource/drivers/dw_apb_timer_of: Fix probe failure + +From: Alexey Sheplyakov + +commit a663bd19114d79f0902e2490fc484e5a7419cdc2 upstream. + +The driver refuses to probe with -EINVAL since the commit 5d9814df0aec +("clocksource/drivers/dw_apb_timer_of: Add error handling if no clock +available"). + +Before the driver used to probe successfully if either "clock-freq" or +"clock-frequency" properties has been specified in the device tree. + +That commit changed + +if (A && B) + panic("No clock nor clock-frequency property"); + +into + +if (!A && !B) + return 0; + +That's a bug: the reverse of `A && B` is '!A || !B', not '!A && !B' + +Signed-off-by: Vadim V. Vlasov +Signed-off-by: Alexey Sheplyakov +Fixes: 5d9814df0aec56a6 ("clocksource/drivers/dw_apb_timer_of: Add error handling if no clock available"). +Cc: Daniel Lezcano +Cc: Dinh Nguyen +Cc: Thomas Gleixner +Cc: Vadim V. Vlasov +Acked-by: Dinh Nguyen +Link: https://lore.kernel.org/r/20211109153401.157491-1-asheplyakov@basealt.ru +Signed-off-by: Daniel Lezcano +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clocksource/dw_apb_timer_of.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clocksource/dw_apb_timer_of.c ++++ b/drivers/clocksource/dw_apb_timer_of.c +@@ -47,7 +47,7 @@ static int __init timer_get_base_and_rat + pr_warn("pclk for %pOFn is present, but could not be activated\n", + np); + +- if (!of_property_read_u32(np, "clock-freq", rate) && ++ if (!of_property_read_u32(np, "clock-freq", rate) || + !of_property_read_u32(np, "clock-frequency", rate)) + return 0; + diff --git a/queue-5.15/csky-fix-typo-of-fpu-config-macro.patch b/queue-5.15/csky-fix-typo-of-fpu-config-macro.patch new file mode 100644 index 00000000000..1223841cf74 --- /dev/null +++ b/queue-5.15/csky-fix-typo-of-fpu-config-macro.patch @@ -0,0 +1,39 @@ +From a0793fdad9a11a32bc6d21317c93c83f4aa82ebc Mon Sep 17 00:00:00 2001 +From: Kelly Devilliv +Date: Mon, 1 Nov 2021 23:05:02 +0800 +Subject: csky: fix typo of fpu config macro + +From: Kelly Devilliv + +commit a0793fdad9a11a32bc6d21317c93c83f4aa82ebc upstream. + +Fix typo which will cause fpe and privilege exception error. + +Signed-off-by: Kelly Devilliv +Cc: stable +Signed-off-by: Guo Ren +Signed-off-by: Greg Kroah-Hartman +--- + arch/csky/kernel/traps.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/csky/kernel/traps.c ++++ b/arch/csky/kernel/traps.c +@@ -209,7 +209,7 @@ asmlinkage void do_trap_illinsn(struct p + + asmlinkage void do_trap_fpe(struct pt_regs *regs) + { +-#ifdef CONFIG_CPU_HAS_FP ++#ifdef CONFIG_CPU_HAS_FPU + return fpu_fpe(regs); + #else + do_trap_error(regs, SIGILL, ILL_ILLOPC, regs->pc, +@@ -219,7 +219,7 @@ asmlinkage void do_trap_fpe(struct pt_re + + asmlinkage void do_trap_priv(struct pt_regs *regs) + { +-#ifdef CONFIG_CPU_HAS_FP ++#ifdef CONFIG_CPU_HAS_FPU + if (user_mode(regs) && fpu_libc_helper(regs)) + return; + #endif diff --git a/queue-5.15/iio-accel-kxcjk-1013-fix-possible-memory-leak-in-probe-and-remove.patch b/queue-5.15/iio-accel-kxcjk-1013-fix-possible-memory-leak-in-probe-and-remove.patch new file mode 100644 index 00000000000..ddb676415c2 --- /dev/null +++ b/queue-5.15/iio-accel-kxcjk-1013-fix-possible-memory-leak-in-probe-and-remove.patch @@ -0,0 +1,60 @@ +From 70c9774e180d151abaab358108e3510a8e615215 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Mon, 25 Oct 2021 20:41:59 +0800 +Subject: iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove + +From: Yang Yingliang + +commit 70c9774e180d151abaab358108e3510a8e615215 upstream. + +When ACPI type is ACPI_SMO8500, the data->dready_trig will not be set, the +memory allocated by iio_triggered_buffer_setup() will not be freed, and cause +memory leak as follows: + +unreferenced object 0xffff888009551400 (size 512): + comm "i2c-SMO8500-125", pid 911, jiffies 4294911787 (age 83.852s) + hex dump (first 32 bytes): + 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 20 e2 e5 c0 ff ff ff ff ........ ....... + backtrace: + [<0000000041ce75ee>] kmem_cache_alloc_trace+0x16d/0x360 + [<000000000aeb17b0>] iio_kfifo_allocate+0x41/0x130 [kfifo_buf] + [<000000004b40c1f5>] iio_triggered_buffer_setup_ext+0x2c/0x210 [industrialio_triggered_buffer] + [<000000004375b15f>] kxcjk1013_probe+0x10c3/0x1d81 [kxcjk_1013] + +Fix it by remove data->dready_trig condition in probe and remove. + +Reported-by: Hulk Robot +Fixes: a25691c1f967 ("iio: accel: kxcjk1013: allow using an external trigger") +Signed-off-by: Yang Yingliang +Cc: +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20211025124159.2700301-1-yangyingliang@huawei.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/kxcjk-1013.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/iio/accel/kxcjk-1013.c ++++ b/drivers/iio/accel/kxcjk-1013.c +@@ -1595,8 +1595,7 @@ static int kxcjk1013_probe(struct i2c_cl + return 0; + + err_buffer_cleanup: +- if (data->dready_trig) +- iio_triggered_buffer_cleanup(indio_dev); ++ iio_triggered_buffer_cleanup(indio_dev); + err_trigger_unregister: + if (data->dready_trig) + iio_trigger_unregister(data->dready_trig); +@@ -1618,8 +1617,8 @@ static int kxcjk1013_remove(struct i2c_c + pm_runtime_disable(&client->dev); + pm_runtime_set_suspended(&client->dev); + ++ iio_triggered_buffer_cleanup(indio_dev); + if (data->dready_trig) { +- iio_triggered_buffer_cleanup(indio_dev); + iio_trigger_unregister(data->dready_trig); + iio_trigger_unregister(data->motion_trig); + } diff --git a/queue-5.15/iio-ad7768-1-call-iio_trigger_notify_done-on-error.patch b/queue-5.15/iio-ad7768-1-call-iio_trigger_notify_done-on-error.patch new file mode 100644 index 00000000000..5ed45f49f5d --- /dev/null +++ b/queue-5.15/iio-ad7768-1-call-iio_trigger_notify_done-on-error.patch @@ -0,0 +1,40 @@ +From 6661146427cbbce6d1fe3dbb11ff1c487f55799a Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Mon, 1 Nov 2021 15:40:55 +0100 +Subject: iio: ad7768-1: Call iio_trigger_notify_done() on error + +From: Lars-Peter Clausen + +commit 6661146427cbbce6d1fe3dbb11ff1c487f55799a upstream. + +IIO trigger handlers must call iio_trigger_notify_done() when done. This +must be done even when an error occurred. Otherwise the trigger will be +seen as busy indefinitely and the trigger handler will never be called +again. + +The ad7768-1 driver neglects to call iio_trigger_notify_done() when there +is an error reading the converter data. Fix this by making sure that +iio_trigger_notify_done() is included in the error exit path. + +Fixes: a5f8c7da3dbe ("iio: adc: Add AD7768-1 ADC basic support") +Signed-off-by: Lars-Peter Clausen +Link: https://lore.kernel.org/r/20211101144055.13858-2-lars@metafoo.de +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad7768-1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/ad7768-1.c ++++ b/drivers/iio/adc/ad7768-1.c +@@ -480,8 +480,8 @@ static irqreturn_t ad7768_trigger_handle + iio_push_to_buffers_with_timestamp(indio_dev, &st->data.scan, + iio_get_time_ns(indio_dev)); + +- iio_trigger_notify_done(indio_dev->trig); + err_unlock: ++ iio_trigger_notify_done(indio_dev->trig); + mutex_unlock(&st->lock); + + return IRQ_HANDLED; diff --git a/queue-5.15/iio-adc-axp20x_adc-fix-charging-current-reporting-on-axp22x.patch b/queue-5.15/iio-adc-axp20x_adc-fix-charging-current-reporting-on-axp22x.patch new file mode 100644 index 00000000000..ce8b7037ad4 --- /dev/null +++ b/queue-5.15/iio-adc-axp20x_adc-fix-charging-current-reporting-on-axp22x.patch @@ -0,0 +1,66 @@ +From 92beafb76a31bdc02649eb44e93a8e4f4cfcdbe8 Mon Sep 17 00:00:00 2001 +From: Evgeny Boger +Date: Wed, 17 Nov 2021 00:37:46 +0300 +Subject: iio: adc: axp20x_adc: fix charging current reporting on AXP22x + +From: Evgeny Boger + +commit 92beafb76a31bdc02649eb44e93a8e4f4cfcdbe8 upstream. + +Both the charging and discharging currents on AXP22x are stored as +12-bit integers, in accordance with the datasheet. +It's also confirmed by vendor BSP (axp20x_adc.c:axp22_icharge_to_mA). + +The scale factor of 0.5 is never mentioned in datasheet, nor in the +vendor source code. I think it was here to compensate for +erroneous addition bit in register width. + +Tested on custom A40i+AXP221s board with external ammeter as +a reference. + +Fixes: 0e34d5de961d ("iio: adc: add support for X-Powers AXP20X and AXP22X PMICs ADCs") +Signed-off-by: Evgeny Boger +Acked-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20211116213746.264378-1-boger@wirenboard.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/axp20x_adc.c | 18 +++--------------- + 1 file changed, 3 insertions(+), 15 deletions(-) + +--- a/drivers/iio/adc/axp20x_adc.c ++++ b/drivers/iio/adc/axp20x_adc.c +@@ -251,19 +251,8 @@ static int axp22x_adc_raw(struct iio_dev + struct iio_chan_spec const *chan, int *val) + { + struct axp20x_adc_iio *info = iio_priv(indio_dev); +- int size; + +- /* +- * N.B.: Unlike the Chinese datasheets tell, the charging current is +- * stored on 12 bits, not 13 bits. Only discharging current is on 13 +- * bits. +- */ +- if (chan->type == IIO_CURRENT && chan->channel == AXP22X_BATT_DISCHRG_I) +- size = 13; +- else +- size = 12; +- +- *val = axp20x_read_variable_width(info->regmap, chan->address, size); ++ *val = axp20x_read_variable_width(info->regmap, chan->address, 12); + if (*val < 0) + return *val; + +@@ -386,9 +375,8 @@ static int axp22x_adc_scale(struct iio_c + return IIO_VAL_INT_PLUS_MICRO; + + case IIO_CURRENT: +- *val = 0; +- *val2 = 500000; +- return IIO_VAL_INT_PLUS_MICRO; ++ *val = 1; ++ return IIO_VAL_INT; + + case IIO_TEMP: + *val = 100; diff --git a/queue-5.15/iio-adc-stm32-fix-a-current-leak-by-resetting-pcsel-before-disabling-vdda.patch b/queue-5.15/iio-adc-stm32-fix-a-current-leak-by-resetting-pcsel-before-disabling-vdda.patch new file mode 100644 index 00000000000..ac4f8618079 --- /dev/null +++ b/queue-5.15/iio-adc-stm32-fix-a-current-leak-by-resetting-pcsel-before-disabling-vdda.patch @@ -0,0 +1,42 @@ +From f711f28e71e965c0d1141c830fa7131b41abbe75 Mon Sep 17 00:00:00 2001 +From: Fabrice Gasnier +Date: Fri, 22 Oct 2021 14:19:29 +0200 +Subject: iio: adc: stm32: fix a current leak by resetting pcsel before disabling vdda + +From: Fabrice Gasnier + +commit f711f28e71e965c0d1141c830fa7131b41abbe75 upstream. + +Some I/Os are connected to ADC input channels, when the corresponding bit +in PCSEL register are set on STM32H7 and STM32MP15. This is done in the +prepare routine of stm32-adc driver. +There are constraints here, as PCSEL shouldn't be set when VDDA supply +is disabled. Enabling/disabling of VDDA supply in done via stm32-adc-core +runtime PM routines (before/after ADC is enabled/disabled). + +Currently, PCSEL remains set when disabling ADC. Later on, PM runtime +can disable the VDDA supply. This creates some conditions on I/Os that +can start to leak current. +So PCSEL needs to be cleared when disabling the ADC. + +Fixes: 95e339b6e85d ("iio: adc: stm32: add support for STM32H7") +Signed-off-by: Fabrice Gasnier +Reviewed-by: Olivier Moysan +Link: https://lore.kernel.org/r/1634905169-23762-1-git-send-email-fabrice.gasnier@foss.st.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/stm32-adc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/adc/stm32-adc.c ++++ b/drivers/iio/adc/stm32-adc.c +@@ -975,6 +975,7 @@ static void stm32h7_adc_unprepare(struct + { + struct stm32_adc *adc = iio_priv(indio_dev); + ++ stm32_adc_writel(adc, STM32H7_ADC_PCSEL, 0); + stm32h7_adc_disable(indio_dev); + stm32h7_adc_enter_pwr_down(adc); + } diff --git a/queue-5.15/iio-at91-sama5d2-fix-incorrect-sign-extension.patch b/queue-5.15/iio-at91-sama5d2-fix-incorrect-sign-extension.patch new file mode 100644 index 00000000000..f53fc3044a2 --- /dev/null +++ b/queue-5.15/iio-at91-sama5d2-fix-incorrect-sign-extension.patch @@ -0,0 +1,38 @@ +From 652e7df485c6884d552085ae2c73efa6cfea3547 Mon Sep 17 00:00:00 2001 +From: Gwendal Grignou +Date: Thu, 4 Nov 2021 01:24:08 -0700 +Subject: iio: at91-sama5d2: Fix incorrect sign extension + +From: Gwendal Grignou + +commit 652e7df485c6884d552085ae2c73efa6cfea3547 upstream. + +Use scan_type when processing raw data which also fixes that the sign +extension was from the wrong bit. + +Use channel definition as root of trust and replace constant +when reading elements directly using the raw sysfs attributes. + +Fixes: 6794e23fa3fe ("iio: adc: at91-sama5d2_adc: add support for oversampling resolution") +Signed-off-by: Gwendal Grignou +Reviewed-by: Eugen Hristev +Cc: +Link: https://lore.kernel.org/r/20211104082413.3681212-9-gwendal@chromium.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/at91-sama5d2_adc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/iio/adc/at91-sama5d2_adc.c ++++ b/drivers/iio/adc/at91-sama5d2_adc.c +@@ -1377,7 +1377,8 @@ static int at91_adc_read_info_raw(struct + *val = st->conversion_value; + ret = at91_adc_adjust_val_osr(st, val); + if (chan->scan_type.sign == 's') +- *val = sign_extend32(*val, 11); ++ *val = sign_extend32(*val, ++ chan->scan_type.realbits - 1); + st->conversion_done = false; + } + diff --git a/queue-5.15/iio-dln2-adc-fix-lockdep-complaint.patch b/queue-5.15/iio-dln2-adc-fix-lockdep-complaint.patch new file mode 100644 index 00000000000..8f7fd7d8f17 --- /dev/null +++ b/queue-5.15/iio-dln2-adc-fix-lockdep-complaint.patch @@ -0,0 +1,94 @@ +From 59f92868176f191eefde70d284bdfc1ed76a84bc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= +Date: Mon, 18 Oct 2021 13:37:31 +0200 +Subject: iio: dln2-adc: Fix lockdep complaint +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Noralf Trønnes + +commit 59f92868176f191eefde70d284bdfc1ed76a84bc upstream. + +When reading the voltage: + +$ cat /sys/bus/iio/devices/iio\:device0/in_voltage0_raw + +Lockdep complains: + +[ 153.910616] ====================================================== +[ 153.916918] WARNING: possible circular locking dependency detected +[ 153.923221] 5.14.0+ #5 Not tainted +[ 153.926692] ------------------------------------------------------ +[ 153.932992] cat/717 is trying to acquire lock: +[ 153.937525] c2585358 (&indio_dev->mlock){+.+.}-{3:3}, at: iio_device_claim_direct_mode+0x28/0x44 +[ 153.946541] + but task is already holding lock: +[ 153.952487] c2585860 (&dln2->mutex){+.+.}-{3:3}, at: dln2_adc_read_raw+0x94/0x2bc [dln2_adc] +[ 153.961152] + which lock already depends on the new lock. + +Fix this by not calling into the iio core underneath the dln2->mutex lock. + +Fixes: 7c0299e879dd ("iio: adc: Add support for DLN2 ADC") +Cc: Jack Andersen +Signed-off-by: Noralf Trønnes +Link: https://lore.kernel.org/r/20211018113731.25723-1-noralf@tronnes.org +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/dln2-adc.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/iio/adc/dln2-adc.c ++++ b/drivers/iio/adc/dln2-adc.c +@@ -248,7 +248,6 @@ static int dln2_adc_set_chan_period(stru + static int dln2_adc_read(struct dln2_adc *dln2, unsigned int channel) + { + int ret, i; +- struct iio_dev *indio_dev = platform_get_drvdata(dln2->pdev); + u16 conflict; + __le16 value; + int olen = sizeof(value); +@@ -257,13 +256,9 @@ static int dln2_adc_read(struct dln2_adc + .chan = channel, + }; + +- ret = iio_device_claim_direct_mode(indio_dev); +- if (ret < 0) +- return ret; +- + ret = dln2_adc_set_chan_enabled(dln2, channel, true); + if (ret < 0) +- goto release_direct; ++ return ret; + + ret = dln2_adc_set_port_enabled(dln2, true, &conflict); + if (ret < 0) { +@@ -300,8 +295,6 @@ disable_port: + dln2_adc_set_port_enabled(dln2, false, NULL); + disable_chan: + dln2_adc_set_chan_enabled(dln2, channel, false); +-release_direct: +- iio_device_release_direct_mode(indio_dev); + + return ret; + } +@@ -337,10 +330,16 @@ static int dln2_adc_read_raw(struct iio_ + + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ ret = iio_device_claim_direct_mode(indio_dev); ++ if (ret < 0) ++ return ret; ++ + mutex_lock(&dln2->mutex); + ret = dln2_adc_read(dln2, chan->channel); + mutex_unlock(&dln2->mutex); + ++ iio_device_release_direct_mode(indio_dev); ++ + if (ret < 0) + return ret; + diff --git a/queue-5.15/iio-dln2-check-return-value-of-devm_iio_trigger_register.patch b/queue-5.15/iio-dln2-check-return-value-of-devm_iio_trigger_register.patch new file mode 100644 index 00000000000..0d24e83b4b4 --- /dev/null +++ b/queue-5.15/iio-dln2-check-return-value-of-devm_iio_trigger_register.patch @@ -0,0 +1,38 @@ +From 90751fb9f224e0e1555b49a8aa9e68f6537e4cec Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Mon, 1 Nov 2021 14:30:43 +0100 +Subject: iio: dln2: Check return value of devm_iio_trigger_register() + +From: Lars-Peter Clausen + +commit 90751fb9f224e0e1555b49a8aa9e68f6537e4cec upstream. + +Registering a trigger can fail and the return value of +devm_iio_trigger_register() must be checked. Otherwise undefined behavior +can occur when the trigger is used. + +Fixes: 7c0299e879dd ("iio: adc: Add support for DLN2 ADC") +Signed-off-by: Lars-Peter Clausen +Link: https://lore.kernel.org/r/20211101133043.6974-1-lars@metafoo.de +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/dln2-adc.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/iio/adc/dln2-adc.c ++++ b/drivers/iio/adc/dln2-adc.c +@@ -655,7 +655,11 @@ static int dln2_adc_probe(struct platfor + return -ENOMEM; + } + iio_trigger_set_drvdata(dln2->trig, dln2); +- devm_iio_trigger_register(dev, dln2->trig); ++ ret = devm_iio_trigger_register(dev, dln2->trig); ++ if (ret) { ++ dev_err(dev, "failed to register trigger: %d\n", ret); ++ return ret; ++ } + iio_trigger_set_immutable(indio_dev, dln2->trig); + + ret = devm_iio_triggered_buffer_setup(dev, indio_dev, NULL, diff --git a/queue-5.15/iio-gyro-adxrs290-fix-data-signedness.patch b/queue-5.15/iio-gyro-adxrs290-fix-data-signedness.patch new file mode 100644 index 00000000000..1438f755a1a --- /dev/null +++ b/queue-5.15/iio-gyro-adxrs290-fix-data-signedness.patch @@ -0,0 +1,54 @@ +From fde272e78e004a45c7e4976876277d7e6a5a0ede Mon Sep 17 00:00:00 2001 +From: Kister Genesis Jimenez +Date: Mon, 15 Nov 2021 11:41:47 +0100 +Subject: iio: gyro: adxrs290: fix data signedness +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kister Genesis Jimenez + +commit fde272e78e004a45c7e4976876277d7e6a5a0ede upstream. + +Properly sign-extend the rate and temperature data. + +Fixes: 2c8920fff1457 ("iio: gyro: Add driver support for ADXRS290") +Signed-off-by: Kister Genesis Jimenez +Signed-off-by: Nuno Sá +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20211115104147.18669-1-nuno.sa@analog.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/gyro/adxrs290.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/iio/gyro/adxrs290.c ++++ b/drivers/iio/gyro/adxrs290.c +@@ -7,6 +7,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -124,7 +125,7 @@ static int adxrs290_get_rate_data(struct + goto err_unlock; + } + +- *val = temp; ++ *val = sign_extend32(temp, 15); + + err_unlock: + mutex_unlock(&st->lock); +@@ -146,7 +147,7 @@ static int adxrs290_get_temp_data(struct + } + + /* extract lower 12 bits temperature reading */ +- *val = temp & 0x0FFF; ++ *val = sign_extend32(temp, 11); + + err_unlock: + mutex_unlock(&st->lock); diff --git a/queue-5.15/iio-itg3200-call-iio_trigger_notify_done-on-error.patch b/queue-5.15/iio-itg3200-call-iio_trigger_notify_done-on-error.patch new file mode 100644 index 00000000000..9d554a80765 --- /dev/null +++ b/queue-5.15/iio-itg3200-call-iio_trigger_notify_done-on-error.patch @@ -0,0 +1,41 @@ +From 67fe29583e72b2103abb661bb58036e3c1f00277 Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Mon, 1 Nov 2021 15:40:54 +0100 +Subject: iio: itg3200: Call iio_trigger_notify_done() on error + +From: Lars-Peter Clausen + +commit 67fe29583e72b2103abb661bb58036e3c1f00277 upstream. + +IIO trigger handlers must call iio_trigger_notify_done() when done. This +must be done even when an error occurred. Otherwise the trigger will be +seen as busy indefinitely and the trigger handler will never be called +again. + +The itg3200 driver neglects to call iio_trigger_notify_done() when there is +an error reading the gyro data. Fix this by making sure that +iio_trigger_notify_done() is included in the error exit path. + +Fixes: 9dbf091da080 ("iio: gyro: Add itg3200") +Signed-off-by: Lars-Peter Clausen +Link: https://lore.kernel.org/r/20211101144055.13858-1-lars@metafoo.de +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/gyro/itg3200_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/gyro/itg3200_buffer.c ++++ b/drivers/iio/gyro/itg3200_buffer.c +@@ -61,9 +61,9 @@ static irqreturn_t itg3200_trigger_handl + + iio_push_to_buffers_with_timestamp(indio_dev, &scan, pf->timestamp); + ++error_ret: + iio_trigger_notify_done(indio_dev->trig); + +-error_ret: + return IRQ_HANDLED; + } + diff --git a/queue-5.15/iio-kxsd9-don-t-return-error-code-in-trigger-handler.patch b/queue-5.15/iio-kxsd9-don-t-return-error-code-in-trigger-handler.patch new file mode 100644 index 00000000000..ab7ce44ba17 --- /dev/null +++ b/queue-5.15/iio-kxsd9-don-t-return-error-code-in-trigger-handler.patch @@ -0,0 +1,54 @@ +From 45febe0d63917ee908198c5be08511c64ee1790a Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Sun, 24 Oct 2021 19:12:50 +0200 +Subject: iio: kxsd9: Don't return error code in trigger handler + +From: Lars-Peter Clausen + +commit 45febe0d63917ee908198c5be08511c64ee1790a upstream. + +IIO trigger handlers need to return one of the irqreturn_t values. +Returning an error code is not supported. + +The kxsd9 interrupt handler returns an error code if reading the data +registers fails. In addition when exiting due to an error the trigger +handler does not call `iio_trigger_notify_done()`. Which when not done +keeps the triggered disabled forever. + +Modify the code so that the function returns a valid irqreturn_t value as +well as calling `iio_trigger_notify_done()` on all exit paths. + +Since we can't return the error code make sure to at least log it as part +of the error message. + +Fixes: 0427a106a98a ("iio: accel: kxsd9: Add triggered buffer handling") +Signed-off-by: Lars-Peter Clausen +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20211024171251.22896-2-lars@metafoo.de +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/kxsd9.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/iio/accel/kxsd9.c ++++ b/drivers/iio/accel/kxsd9.c +@@ -224,14 +224,14 @@ static irqreturn_t kxsd9_trigger_handler + hw_values.chan, + sizeof(hw_values.chan)); + if (ret) { +- dev_err(st->dev, +- "error reading data\n"); +- return ret; ++ dev_err(st->dev, "error reading data: %d\n", ret); ++ goto out; + } + + iio_push_to_buffers_with_timestamp(indio_dev, + &hw_values, + iio_get_time_ns(indio_dev)); ++out: + iio_trigger_notify_done(indio_dev->trig); + + return IRQ_HANDLED; diff --git a/queue-5.15/iio-ltr501-don-t-return-error-code-in-trigger-handler.patch b/queue-5.15/iio-ltr501-don-t-return-error-code-in-trigger-handler.patch new file mode 100644 index 00000000000..a53ad36a9c4 --- /dev/null +++ b/queue-5.15/iio-ltr501-don-t-return-error-code-in-trigger-handler.patch @@ -0,0 +1,43 @@ +From ef9d67fa72c1b149a420587e435a3e888bdbf74f Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Sun, 24 Oct 2021 19:12:49 +0200 +Subject: iio: ltr501: Don't return error code in trigger handler + +From: Lars-Peter Clausen + +commit ef9d67fa72c1b149a420587e435a3e888bdbf74f upstream. + +IIO trigger handlers need to return one of the irqreturn_t values. +Returning an error code is not supported. + +The ltr501 interrupt handler gets this right for most error paths, but +there is one case where it returns the error code. + +In addition for this particular case the trigger handler does not call +`iio_trigger_notify_done()`. Which when not done keeps the triggered +disabled forever. + +Modify the code so that the function returns a valid irqreturn_t value as +well as calling `iio_trigger_notify_done()` on all exit paths. + +Fixes: 2690be905123 ("iio: Add Lite-On ltr501 ambient light / proximity sensor driver") +Signed-off-by: Lars-Peter Clausen +Link: https://lore.kernel.org/r/20211024171251.22896-1-lars@metafoo.de +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/ltr501.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/light/ltr501.c ++++ b/drivers/iio/light/ltr501.c +@@ -1273,7 +1273,7 @@ static irqreturn_t ltr501_trigger_handle + ret = regmap_bulk_read(data->regmap, LTR501_ALS_DATA1, + als_buf, sizeof(als_buf)); + if (ret < 0) +- return ret; ++ goto done; + if (test_bit(0, indio_dev->active_scan_mask)) + scan.channels[j++] = le16_to_cpu(als_buf[1]); + if (test_bit(1, indio_dev->active_scan_mask)) diff --git a/queue-5.15/iio-mma8452-fix-trigger-reference-couting.patch b/queue-5.15/iio-mma8452-fix-trigger-reference-couting.patch new file mode 100644 index 00000000000..54894293379 --- /dev/null +++ b/queue-5.15/iio-mma8452-fix-trigger-reference-couting.patch @@ -0,0 +1,41 @@ +From cd0082235783f814241a1c9483fb89e405f4f892 Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Sun, 24 Oct 2021 11:26:59 +0200 +Subject: iio: mma8452: Fix trigger reference couting + +From: Lars-Peter Clausen + +commit cd0082235783f814241a1c9483fb89e405f4f892 upstream. + +The mma8452 driver directly assigns a trigger to the struct iio_dev. The +IIO core when done using this trigger will call `iio_trigger_put()` to drop +the reference count by 1. + +Without the matching `iio_trigger_get()` in the driver the reference count +can reach 0 too early, the trigger gets freed while still in use and a +use-after-free occurs. + +Fix this by getting a reference to the trigger before assigning it to the +IIO device. + +Fixes: ae6d9ce05691 ("iio: mma8452: Add support for interrupt driven triggers.") +Signed-off-by: Lars-Peter Clausen +Link: https://lore.kernel.org/r/20211024092700.6844-1-lars@metafoo.de +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/mma8452.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/accel/mma8452.c ++++ b/drivers/iio/accel/mma8452.c +@@ -1470,7 +1470,7 @@ static int mma8452_trigger_setup(struct + if (ret) + return ret; + +- indio_dev->trig = trig; ++ indio_dev->trig = iio_trigger_get(trig); + + return 0; + } diff --git a/queue-5.15/iio-stk3310-don-t-return-error-code-in-interrupt-handler.patch b/queue-5.15/iio-stk3310-don-t-return-error-code-in-interrupt-handler.patch new file mode 100644 index 00000000000..2bca24fb0e0 --- /dev/null +++ b/queue-5.15/iio-stk3310-don-t-return-error-code-in-interrupt-handler.patch @@ -0,0 +1,49 @@ +From 8e1eeca5afa7ba84d885987165dbdc5decf15413 Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Sun, 24 Oct 2021 19:12:51 +0200 +Subject: iio: stk3310: Don't return error code in interrupt handler + +From: Lars-Peter Clausen + +commit 8e1eeca5afa7ba84d885987165dbdc5decf15413 upstream. + +Interrupt handlers must return one of the irqreturn_t values. Returning a +error code is not supported. + +The stk3310 event interrupt handler returns an error code when reading the +flags register fails. + +Fix the implementation to always return an irqreturn_t value. + +Fixes: 3dd477acbdd1 ("iio: light: Add threshold interrupt support for STK3310") +Signed-off-by: Lars-Peter Clausen +Link: https://lore.kernel.org/r/20211024171251.22896-3-lars@metafoo.de +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/stk3310.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/iio/light/stk3310.c ++++ b/drivers/iio/light/stk3310.c +@@ -546,9 +546,8 @@ static irqreturn_t stk3310_irq_event_han + mutex_lock(&data->lock); + ret = regmap_field_read(data->reg_flag_nf, &dir); + if (ret < 0) { +- dev_err(&data->client->dev, "register read failed\n"); +- mutex_unlock(&data->lock); +- return ret; ++ dev_err(&data->client->dev, "register read failed: %d\n", ret); ++ goto out; + } + event = IIO_UNMOD_EVENT_CODE(IIO_PROXIMITY, 1, + IIO_EV_TYPE_THRESH, +@@ -560,6 +559,7 @@ static irqreturn_t stk3310_irq_event_han + ret = regmap_field_write(data->reg_flag_psint, 0); + if (ret < 0) + dev_err(&data->client->dev, "failed to reset interrupts\n"); ++out: + mutex_unlock(&data->lock); + + return IRQ_HANDLED; diff --git a/queue-5.15/iio-trigger-fix-reference-counting.patch b/queue-5.15/iio-trigger-fix-reference-counting.patch new file mode 100644 index 00000000000..4c6f8abb1d3 --- /dev/null +++ b/queue-5.15/iio-trigger-fix-reference-counting.patch @@ -0,0 +1,48 @@ +From a827a4984664308f13599a0b26c77018176d0c7c Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Sun, 24 Oct 2021 11:27:00 +0200 +Subject: iio: trigger: Fix reference counting +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lars-Peter Clausen + +commit a827a4984664308f13599a0b26c77018176d0c7c upstream. + +In viio_trigger_alloc() device_initialize() is used to set the initial +reference count of the trigger to 1. Then another get_device() is called on +trigger. This sets the reference count to 2 before the trigger is returned. + +iio_trigger_free(), which is the matching API to viio_trigger_alloc(), +calls put_device() which decreases the reference count by 1. But the second +reference count acquired in viio_trigger_alloc() is never dropped. + +As a result the iio_trigger_release() function is never called and the +memory associated with the trigger is never freed. + +Since there is no reason for the trigger to start its lifetime with two +reference counts just remove the extra get_device() in +viio_trigger_alloc(). + +Fixes: 5f9c035cae18 ("staging:iio:triggers. Add a reference get to the core for triggers.") +Signed-off-by: Lars-Peter Clausen +Acked-by: Nuno Sá +Link: https://lore.kernel.org/r/20211024092700.6844-2-lars@metafoo.de +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/industrialio-trigger.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/iio/industrialio-trigger.c ++++ b/drivers/iio/industrialio-trigger.c +@@ -556,7 +556,6 @@ struct iio_trigger *viio_trigger_alloc(s + irq_modify_status(trig->subirq_base + i, + IRQ_NOREQUEST | IRQ_NOAUTOEN, IRQ_NOPROBE); + } +- get_device(&trig->dev); + + return trig; + diff --git a/queue-5.15/iio-trigger-stm32-timer-fix-module_alias.patch b/queue-5.15/iio-trigger-stm32-timer-fix-module_alias.patch new file mode 100644 index 00000000000..e5a1960663a --- /dev/null +++ b/queue-5.15/iio-trigger-stm32-timer-fix-module_alias.patch @@ -0,0 +1,31 @@ +From 893621e0606747c5bbefcaf2794d12c7aa6212b7 Mon Sep 17 00:00:00 2001 +From: Alyssa Ross +Date: Thu, 25 Nov 2021 18:28:48 +0000 +Subject: iio: trigger: stm32-timer: fix MODULE_ALIAS + +From: Alyssa Ross + +commit 893621e0606747c5bbefcaf2794d12c7aa6212b7 upstream. + +modprobe can't handle spaces in aliases. + +Fixes: 93fbe91b5521 ("iio: Add STM32 timer trigger driver") +Signed-off-by: Alyssa Ross +Link: https://lore.kernel.org/r/20211125182850.2645424-1-hi@alyssa.is +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/trigger/stm32-timer-trigger.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/trigger/stm32-timer-trigger.c ++++ b/drivers/iio/trigger/stm32-timer-trigger.c +@@ -912,6 +912,6 @@ static struct platform_driver stm32_time + }; + module_platform_driver(stm32_timer_trigger_driver); + +-MODULE_ALIAS("platform: stm32-timer-trigger"); ++MODULE_ALIAS("platform:stm32-timer-trigger"); + MODULE_DESCRIPTION("STMicroelectronics STM32 Timer Trigger driver"); + MODULE_LICENSE("GPL v2"); diff --git a/queue-5.15/irqchip-armada-370-xp-fix-return-value-of-armada_370_xp_msi_alloc.patch b/queue-5.15/irqchip-armada-370-xp-fix-return-value-of-armada_370_xp_msi_alloc.patch new file mode 100644 index 00000000000..ca24c7a7eb6 --- /dev/null +++ b/queue-5.15/irqchip-armada-370-xp-fix-return-value-of-armada_370_xp_msi_alloc.patch @@ -0,0 +1,36 @@ +From ce20eff57361e72878a772ef08b5239d3ae102b6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Thu, 25 Nov 2021 14:00:56 +0100 +Subject: irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +commit ce20eff57361e72878a772ef08b5239d3ae102b6 upstream. + +IRQ domain alloc function should return zero on success. Non-zero value +indicates failure. + +Signed-off-by: Pali Rohár +Fixes: fcc392d501bd ("irqchip/armada-370-xp: Use the generic MSI infrastructure") +Cc: stable@vger.kernel.org +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20211125130057.26705-1-pali@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-armada-370-xp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-armada-370-xp.c ++++ b/drivers/irqchip/irq-armada-370-xp.c +@@ -250,7 +250,7 @@ static int armada_370_xp_msi_alloc(struc + NULL, NULL); + } + +- return hwirq; ++ return 0; + } + + static void armada_370_xp_msi_free(struct irq_domain *domain, diff --git a/queue-5.15/irqchip-armada-370-xp-fix-support-for-multi-msi-interrupts.patch b/queue-5.15/irqchip-armada-370-xp-fix-support-for-multi-msi-interrupts.patch new file mode 100644 index 00000000000..14c7bdbe392 --- /dev/null +++ b/queue-5.15/irqchip-armada-370-xp-fix-support-for-multi-msi-interrupts.patch @@ -0,0 +1,62 @@ +From d0a553502efd545c1ce3fd08fc4d423f8e4ac3d6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Thu, 25 Nov 2021 14:00:57 +0100 +Subject: irqchip/armada-370-xp: Fix support for Multi-MSI interrupts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +commit d0a553502efd545c1ce3fd08fc4d423f8e4ac3d6 upstream. + +irq-armada-370-xp driver already sets MSI_FLAG_MULTI_PCI_MSI flag into +msi_domain_info structure. But allocated interrupt numbers for Multi-MSI +needs to be properly aligned otherwise devices send MSI interrupt with +wrong number. + +Fix this issue by using function bitmap_find_free_region() instead of +bitmap_find_next_zero_area() to allocate aligned interrupt numbers. + +Signed-off-by: Pali Rohár +Fixes: a71b9412c90c ("irqchip/armada-370-xp: Allow allocation of multiple MSIs") +Cc: stable@vger.kernel.org +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20211125130057.26705-2-pali@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-armada-370-xp.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +--- a/drivers/irqchip/irq-armada-370-xp.c ++++ b/drivers/irqchip/irq-armada-370-xp.c +@@ -232,16 +232,12 @@ static int armada_370_xp_msi_alloc(struc + int hwirq, i; + + mutex_lock(&msi_used_lock); ++ hwirq = bitmap_find_free_region(msi_used, PCI_MSI_DOORBELL_NR, ++ order_base_2(nr_irqs)); ++ mutex_unlock(&msi_used_lock); + +- hwirq = bitmap_find_next_zero_area(msi_used, PCI_MSI_DOORBELL_NR, +- 0, nr_irqs, 0); +- if (hwirq >= PCI_MSI_DOORBELL_NR) { +- mutex_unlock(&msi_used_lock); ++ if (hwirq < 0) + return -ENOSPC; +- } +- +- bitmap_set(msi_used, hwirq, nr_irqs); +- mutex_unlock(&msi_used_lock); + + for (i = 0; i < nr_irqs; i++) { + irq_domain_set_info(domain, virq + i, hwirq + i, +@@ -259,7 +255,7 @@ static void armada_370_xp_msi_free(struc + struct irq_data *d = irq_domain_get_irq_data(domain, virq); + + mutex_lock(&msi_used_lock); +- bitmap_clear(msi_used, d->hwirq, nr_irqs); ++ bitmap_release_region(msi_used, d->hwirq, order_base_2(nr_irqs)); + mutex_unlock(&msi_used_lock); + } + diff --git a/queue-5.15/irqchip-aspeed-scu-replace-update_bits-with-write_bits.patch b/queue-5.15/irqchip-aspeed-scu-replace-update_bits-with-write_bits.patch new file mode 100644 index 00000000000..bf32446abdf --- /dev/null +++ b/queue-5.15/irqchip-aspeed-scu-replace-update_bits-with-write_bits.patch @@ -0,0 +1,36 @@ +From 8958389681b929fcc7301e7dc5f0da12e4a256a0 Mon Sep 17 00:00:00 2001 +From: Billy Tsai +Date: Wed, 24 Nov 2021 17:43:48 +0800 +Subject: irqchip/aspeed-scu: Replace update_bits with write_bits. + +From: Billy Tsai + +commit 8958389681b929fcc7301e7dc5f0da12e4a256a0 upstream. + +The interrupt status bits are cleared by writing 1, we should force a +write to clear the interrupt without checking if the value has changed. + +Fixes: 04f605906ff0 ("irqchip: Add Aspeed SCU interrupt controller") +Signed-off-by: Billy Tsai +Reviewed-by: Joel Stanley +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20211124094348.11621-1-billy_tsai@aspeedtech.com +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-aspeed-scu-ic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/irqchip/irq-aspeed-scu-ic.c ++++ b/drivers/irqchip/irq-aspeed-scu-ic.c +@@ -76,8 +76,8 @@ static void aspeed_scu_ic_irq_handler(st + generic_handle_domain_irq(scu_ic->irq_domain, + bit - scu_ic->irq_shift); + +- regmap_update_bits(scu_ic->scu, scu_ic->reg, mask, +- BIT(bit + ASPEED_SCU_IC_STATUS_SHIFT)); ++ regmap_write_bits(scu_ic->scu, scu_ic->reg, mask, ++ BIT(bit + ASPEED_SCU_IC_STATUS_SHIFT)); + } + + chained_irq_exit(chip, desc); diff --git a/queue-5.15/irqchip-irq-gic-v3-its.c-force-synchronisation-when-issuing-invall.patch b/queue-5.15/irqchip-irq-gic-v3-its.c-force-synchronisation-when-issuing-invall.patch new file mode 100644 index 00000000000..c1da275a21a --- /dev/null +++ b/queue-5.15/irqchip-irq-gic-v3-its.c-force-synchronisation-when-issuing-invall.patch @@ -0,0 +1,38 @@ +From b383a42ca523ce54bcbd63f7c8f3cf974abc9b9a Mon Sep 17 00:00:00 2001 +From: Wudi Wang +Date: Wed, 8 Dec 2021 09:54:29 +0800 +Subject: irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL + +From: Wudi Wang + +commit b383a42ca523ce54bcbd63f7c8f3cf974abc9b9a upstream. + +INVALL CMD specifies that the ITS must ensure any caching associated with +the interrupt collection defined by ICID is consistent with the LPI +configuration tables held in memory for all Redistributors. SYNC is +required to ensure that INVALL is executed. + +Currently, LPI configuration data may be inconsistent with that in the +memory within a short period of time after the INVALL command is executed. + +Signed-off-by: Wudi Wang +Signed-off-by: Shaokun Zhang +Signed-off-by: Marc Zyngier +Fixes: cc2d3216f53c ("irqchip: GICv3: ITS command queue") +Link: https://lore.kernel.org/r/20211208015429.5007-1-zhangshaokun@hisilicon.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-gic-v3-its.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -742,7 +742,7 @@ static struct its_collection *its_build_ + + its_fixup_cmd(cmd); + +- return NULL; ++ return desc->its_invall_cmd.col; + } + + static struct its_vpe *its_build_vinvall_cmd(struct its_node *its, diff --git a/queue-5.15/irqchip-nvic-fix-offset-for-interrupt-priority-offsets.patch b/queue-5.15/irqchip-nvic-fix-offset-for-interrupt-priority-offsets.patch new file mode 100644 index 00000000000..f052a3b716d --- /dev/null +++ b/queue-5.15/irqchip-nvic-fix-offset-for-interrupt-priority-offsets.patch @@ -0,0 +1,33 @@ +From c5e0cbe2858d278a27d5b3fe31890aea5be064c4 Mon Sep 17 00:00:00 2001 +From: Vladimir Murzin +Date: Wed, 1 Dec 2021 11:02:58 +0000 +Subject: irqchip: nvic: Fix offset for Interrupt Priority Offsets + +From: Vladimir Murzin + +commit c5e0cbe2858d278a27d5b3fe31890aea5be064c4 upstream. + +According to ARM(v7M) ARM Interrupt Priority Offsets located at +0xE000E400-0xE000E5EC, while 0xE000E300-0xE000E33C covers read-only +Interrupt Active Bit Registers + +Fixes: 292ec080491d ("irqchip: Add support for ARMv7-M NVIC") +Signed-off-by: Vladimir Murzin +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20211201110259.84857-1-vladimir.murzin@arm.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-nvic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-nvic.c ++++ b/drivers/irqchip/irq-nvic.c +@@ -26,7 +26,7 @@ + + #define NVIC_ISER 0x000 + #define NVIC_ICER 0x080 +-#define NVIC_IPR 0x300 ++#define NVIC_IPR 0x400 + + #define NVIC_MAX_BANKS 16 + /* diff --git a/queue-5.15/misc-fastrpc-fix-improper-packet-size-calculation.patch b/queue-5.15/misc-fastrpc-fix-improper-packet-size-calculation.patch new file mode 100644 index 00000000000..e42d2636fc1 --- /dev/null +++ b/queue-5.15/misc-fastrpc-fix-improper-packet-size-calculation.patch @@ -0,0 +1,48 @@ +From 3a1bf591e9a410f220b7405a142a47407394a1d5 Mon Sep 17 00:00:00 2001 +From: Jeya R +Date: Wed, 24 Nov 2021 22:01:21 +0530 +Subject: misc: fastrpc: fix improper packet size calculation + +From: Jeya R + +commit 3a1bf591e9a410f220b7405a142a47407394a1d5 upstream. + +The buffer list is sorted and this is not being considered while +calculating packet size. This would lead to improper copy length +calculation for non-dmaheap buffers which would eventually cause +sending improper buffers to DSP. + +Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") +Reviewed-by: Srinivas Kandagatla +Signed-off-by: Jeya R +Link: https://lore.kernel.org/r/1637771481-4299-1-git-send-email-jeyr@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -719,16 +719,18 @@ static int fastrpc_get_meta_size(struct + static u64 fastrpc_get_payload_size(struct fastrpc_invoke_ctx *ctx, int metalen) + { + u64 size = 0; +- int i; ++ int oix; + + size = ALIGN(metalen, FASTRPC_ALIGN); +- for (i = 0; i < ctx->nscalars; i++) { ++ for (oix = 0; oix < ctx->nbufs; oix++) { ++ int i = ctx->olaps[oix].raix; ++ + if (ctx->args[i].fd == 0 || ctx->args[i].fd == -1) { + +- if (ctx->olaps[i].offset == 0) ++ if (ctx->olaps[oix].offset == 0) + size = ALIGN(size, FASTRPC_ALIGN); + +- size += (ctx->olaps[i].mend - ctx->olaps[i].mstart); ++ size += (ctx->olaps[oix].mend - ctx->olaps[oix].mstart); + } + } + diff --git a/queue-5.15/misc-rtsx-avoid-mangling-irq-during-runtime-pm.patch b/queue-5.15/misc-rtsx-avoid-mangling-irq-during-runtime-pm.patch new file mode 100644 index 00000000000..77f9824c7c8 --- /dev/null +++ b/queue-5.15/misc-rtsx-avoid-mangling-irq-during-runtime-pm.patch @@ -0,0 +1,81 @@ +From 0edeb8992db8e7de9b8fe3164ace9a4356b17021 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Fri, 26 Nov 2021 08:32:44 +0800 +Subject: misc: rtsx: Avoid mangling IRQ during runtime PM + +From: Kai-Heng Feng + +commit 0edeb8992db8e7de9b8fe3164ace9a4356b17021 upstream. + +After commit 5b4258f6721f ("misc: rtsx: rts5249 support runtime PM"), when the +rtsx controller is runtime suspended, bring CPUs offline and back online, the +runtime resume of the controller will fail: + +[ 47.319391] smpboot: CPU 1 is now offline +[ 47.414140] x86: Booting SMP configuration: +[ 47.414147] smpboot: Booting Node 0 Processor 1 APIC 0x2 +[ 47.571334] smpboot: CPU 2 is now offline +[ 47.686055] smpboot: Booting Node 0 Processor 2 APIC 0x4 +[ 47.808174] smpboot: CPU 3 is now offline +[ 47.878146] smpboot: Booting Node 0 Processor 3 APIC 0x6 +[ 48.003679] smpboot: CPU 4 is now offline +[ 48.086187] smpboot: Booting Node 0 Processor 4 APIC 0x1 +[ 48.239627] smpboot: CPU 5 is now offline +[ 48.326059] smpboot: Booting Node 0 Processor 5 APIC 0x3 +[ 48.472193] smpboot: CPU 6 is now offline +[ 48.574181] smpboot: Booting Node 0 Processor 6 APIC 0x5 +[ 48.743375] smpboot: CPU 7 is now offline +[ 48.838047] smpboot: Booting Node 0 Processor 7 APIC 0x7 +[ 48.965447] __common_interrupt: 1.35 No irq handler for vector +[ 51.174065] mmc0: error -110 doing runtime resume +[ 54.978088] I/O error, dev mmcblk0, sector 21479 op 0x1:(WRITE) flags 0x0 phys_seg 11 prio class 0 +[ 54.978108] Buffer I/O error on dev mmcblk0p1, logical block 19431, lost async page write +[ 54.978129] Buffer I/O error on dev mmcblk0p1, logical block 19432, lost async page write +[ 54.978134] Buffer I/O error on dev mmcblk0p1, logical block 19433, lost async page write +[ 54.978137] Buffer I/O error on dev mmcblk0p1, logical block 19434, lost async page write +[ 54.978141] Buffer I/O error on dev mmcblk0p1, logical block 19435, lost async page write +[ 54.978145] Buffer I/O error on dev mmcblk0p1, logical block 19436, lost async page write +[ 54.978148] Buffer I/O error on dev mmcblk0p1, logical block 19437, lost async page write +[ 54.978152] Buffer I/O error on dev mmcblk0p1, logical block 19438, lost async page write +[ 54.978155] Buffer I/O error on dev mmcblk0p1, logical block 19439, lost async page write +[ 54.978160] Buffer I/O error on dev mmcblk0p1, logical block 19440, lost async page write +[ 54.978244] mmc0: card aaaa removed +[ 54.978452] FAT-fs (mmcblk0p1): FAT read failed (blocknr 4257) + +There's interrupt immediately raised on rtsx_pci_write_register() in +runtime resume routine, but the IRQ handler hasn't registered yet. + +So we can either move rtsx_pci_write_register() after rtsx_pci_acquire_irq(), +or just stop mangling IRQ on runtime PM. Choose the latter to save some +CPU cycles. + +Fixes: 5b4258f6721f ("misc: rtsx: rts5249 support runtime PM") +Cc: stable +Signed-off-by: Kai-Heng Feng +BugLink: https://bugs.launchpad.net/bugs/1951784 +Link: https://lore.kernel.org/r/20211126003246.1068770-1-kai.heng.feng@canonical.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/cardreader/rtsx_pcr.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/misc/cardreader/rtsx_pcr.c ++++ b/drivers/misc/cardreader/rtsx_pcr.c +@@ -1803,8 +1803,6 @@ static int rtsx_pci_runtime_suspend(stru + mutex_lock(&pcr->pcr_mutex); + rtsx_pci_power_off(pcr, HOST_ENTER_S3); + +- free_irq(pcr->irq, (void *)pcr); +- + mutex_unlock(&pcr->pcr_mutex); + + pcr->is_runtime_suspended = true; +@@ -1825,8 +1823,6 @@ static int rtsx_pci_runtime_resume(struc + mutex_lock(&pcr->pcr_mutex); + + rtsx_pci_write_register(pcr, HOST_SLEEP_STATE, 0x03, 0x00); +- rtsx_pci_acquire_irq(pcr); +- synchronize_irq(pcr->irq); + + if (pcr->ops->fetch_vendor_settings) + pcr->ops->fetch_vendor_settings(pcr); diff --git a/queue-5.15/nvmem-eeprom-at25-fix-fram-byte_len.patch b/queue-5.15/nvmem-eeprom-at25-fix-fram-byte_len.patch new file mode 100644 index 00000000000..3a25e13e7a4 --- /dev/null +++ b/queue-5.15/nvmem-eeprom-at25-fix-fram-byte_len.patch @@ -0,0 +1,131 @@ +From 9a626577398c24ecab63c0a684436c8928092367 Mon Sep 17 00:00:00 2001 +From: Ralph Siemsen +Date: Mon, 8 Nov 2021 13:16:27 -0500 +Subject: nvmem: eeprom: at25: fix FRAM byte_len + +From: Ralph Siemsen + +commit 9a626577398c24ecab63c0a684436c8928092367 upstream. + +Commit fd307a4ad332 ("nvmem: prepare basics for FRAM support") added +support for FRAM devices such as the Cypress FM25V. During testing, it +was found that the FRAM detects properly, however reads and writes fail. +Upon further investigation, two problem were found in at25_probe() routine. + +1) In the case of an FRAM device without platform data, eg. + fram == true && spi->dev.platform_data == NULL +the stack local variable "struct spi_eeprom chip" is not initialized +fully, prior to being copied into at25->chip. The chip.flags field in +particular can cause problems. + +2) The byte_len of FRAM is computed from its ID register, and is stored +into the stack local "struct spi_eeprom chip" structure. This happens +after the same structure has been copied into at25->chip. As a result, +at25->chip.byte_len does not contain the correct length of the device. +In turn this can cause checks at beginning of at25_ee_read() to fail +(or equally, it could allow reads beyond the end of the device length). + +Fix both of these issues by eliminating the on-stack struct spi_eeprom. +Instead use the one inside at25_data structure, which starts of zeroed. + +Fixes: fd307a4ad332 ("nvmem: prepare basics for FRAM support") +Cc: stable +Reviewed-by: Arnd Bergmann +Signed-off-by: Ralph Siemsen +Link: https://lore.kernel.org/r/20211108181627.645638-1-ralph.siemsen@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/eeprom/at25.c | 38 ++++++++++++++++++-------------------- + 1 file changed, 18 insertions(+), 20 deletions(-) + +--- a/drivers/misc/eeprom/at25.c ++++ b/drivers/misc/eeprom/at25.c +@@ -376,7 +376,6 @@ MODULE_DEVICE_TABLE(spi, at25_spi_ids); + static int at25_probe(struct spi_device *spi) + { + struct at25_data *at25 = NULL; +- struct spi_eeprom chip; + int err; + int sr; + u8 id[FM25_ID_LEN]; +@@ -389,15 +388,18 @@ static int at25_probe(struct spi_device + if (match && !strcmp(match->compatible, "cypress,fm25")) + is_fram = 1; + ++ at25 = devm_kzalloc(&spi->dev, sizeof(struct at25_data), GFP_KERNEL); ++ if (!at25) ++ return -ENOMEM; ++ + /* Chip description */ +- if (!spi->dev.platform_data) { +- if (!is_fram) { +- err = at25_fw_to_chip(&spi->dev, &chip); +- if (err) +- return err; +- } +- } else +- chip = *(struct spi_eeprom *)spi->dev.platform_data; ++ if (spi->dev.platform_data) { ++ memcpy(&at25->chip, spi->dev.platform_data, sizeof(at25->chip)); ++ } else if (!is_fram) { ++ err = at25_fw_to_chip(&spi->dev, &at25->chip); ++ if (err) ++ return err; ++ } + + /* Ping the chip ... the status register is pretty portable, + * unlike probing manufacturer IDs. We do expect that system +@@ -409,12 +411,7 @@ static int at25_probe(struct spi_device + return -ENXIO; + } + +- at25 = devm_kzalloc(&spi->dev, sizeof(struct at25_data), GFP_KERNEL); +- if (!at25) +- return -ENOMEM; +- + mutex_init(&at25->lock); +- at25->chip = chip; + at25->spi = spi; + spi_set_drvdata(spi, at25); + +@@ -431,7 +428,7 @@ static int at25_probe(struct spi_device + dev_err(&spi->dev, "Error: unsupported size (id %02x)\n", id[7]); + return -ENODEV; + } +- chip.byte_len = int_pow(2, id[7] - 0x21 + 4) * 1024; ++ at25->chip.byte_len = int_pow(2, id[7] - 0x21 + 4) * 1024; + + if (at25->chip.byte_len > 64 * 1024) + at25->chip.flags |= EE_ADDR3; +@@ -464,7 +461,7 @@ static int at25_probe(struct spi_device + at25->nvmem_config.type = is_fram ? NVMEM_TYPE_FRAM : NVMEM_TYPE_EEPROM; + at25->nvmem_config.name = dev_name(&spi->dev); + at25->nvmem_config.dev = &spi->dev; +- at25->nvmem_config.read_only = chip.flags & EE_READONLY; ++ at25->nvmem_config.read_only = at25->chip.flags & EE_READONLY; + at25->nvmem_config.root_only = true; + at25->nvmem_config.owner = THIS_MODULE; + at25->nvmem_config.compat = true; +@@ -474,17 +471,18 @@ static int at25_probe(struct spi_device + at25->nvmem_config.priv = at25; + at25->nvmem_config.stride = 1; + at25->nvmem_config.word_size = 1; +- at25->nvmem_config.size = chip.byte_len; ++ at25->nvmem_config.size = at25->chip.byte_len; + + at25->nvmem = devm_nvmem_register(&spi->dev, &at25->nvmem_config); + if (IS_ERR(at25->nvmem)) + return PTR_ERR(at25->nvmem); + + dev_info(&spi->dev, "%d %s %s %s%s, pagesize %u\n", +- (chip.byte_len < 1024) ? chip.byte_len : (chip.byte_len / 1024), +- (chip.byte_len < 1024) ? "Byte" : "KByte", ++ (at25->chip.byte_len < 1024) ? ++ at25->chip.byte_len : (at25->chip.byte_len / 1024), ++ (at25->chip.byte_len < 1024) ? "Byte" : "KByte", + at25->chip.name, is_fram ? "fram" : "eeprom", +- (chip.flags & EE_READONLY) ? " (readonly)" : "", ++ (at25->chip.flags & EE_READONLY) ? " (readonly)" : "", + at25->chip.page_size); + return 0; + } diff --git a/queue-5.15/revert-usb-dwc3-dwc3-qcom-enable-tx-fifo-resize-property-by-default.patch b/queue-5.15/revert-usb-dwc3-dwc3-qcom-enable-tx-fifo-resize-property-by-default.patch new file mode 100644 index 00000000000..77bbf1415d6 --- /dev/null +++ b/queue-5.15/revert-usb-dwc3-dwc3-qcom-enable-tx-fifo-resize-property-by-default.patch @@ -0,0 +1,71 @@ +From 6a97cee39d8f2ed4d6e35a09a302dae1d566db36 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Tue, 7 Dec 2021 09:43:41 -0800 +Subject: Revert "usb: dwc3: dwc3-qcom: Enable tx-fifo-resize property by default" + +From: Douglas Anderson + +commit 6a97cee39d8f2ed4d6e35a09a302dae1d566db36 upstream. + +This reverts commit cefdd52fa0455c0555c30927386ee466a108b060. + +On sc7180-trogdor class devices with 'fw_devlink=permissive' and KASAN +enabled, you'll see a Use-After-Free reported at bootup. + +The root of the problem is that dwc3_qcom_of_register_core() is adding +a devm-allocated "tx-fifo-resize" property to its device tree node +using of_add_property(). + +The issue is that of_add_property() makes a _permanent_ addition to +the device tree that lasts until reboot. That means allocating memory +for the property using "devm" managed memory is a terrible idea since +that memory will be freed upon probe deferral or device unbinding. + +Let's revert the patch since the system is still functional without +it. The fact that of_add_property() makes a permanent change is extra +fodder for those folks who were aruging that the device tree isn't +really the right way to pass information between parts of the +driver. It is an exercise left to the reader to submit a patch +re-adding the new feature in a way that makes everyone happier. + +Fixes: cefdd52fa045 ("usb: dwc3: dwc3-qcom: Enable tx-fifo-resize property by default") +Cc: stable +Reviewed-by: Stephen Boyd +Signed-off-by: Douglas Anderson +Link: https://lore.kernel.org/r/20211207094327.1.Ie3cde3443039342e2963262a4c3ac36dc2c08b30@changeid +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-qcom.c | 15 --------------- + 1 file changed, 15 deletions(-) + +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -649,7 +649,6 @@ static int dwc3_qcom_of_register_core(st + struct dwc3_qcom *qcom = platform_get_drvdata(pdev); + struct device_node *np = pdev->dev.of_node, *dwc3_np; + struct device *dev = &pdev->dev; +- struct property *prop; + int ret; + + dwc3_np = of_get_compatible_child(np, "snps,dwc3"); +@@ -658,20 +657,6 @@ static int dwc3_qcom_of_register_core(st + return -ENODEV; + } + +- prop = devm_kzalloc(dev, sizeof(*prop), GFP_KERNEL); +- if (!prop) { +- ret = -ENOMEM; +- dev_err(dev, "unable to allocate memory for property\n"); +- goto node_put; +- } +- +- prop->name = "tx-fifo-resize"; +- ret = of_add_property(dwc3_np, prop); +- if (ret) { +- dev_err(dev, "unable to add property\n"); +- goto node_put; +- } +- + ret = of_platform_populate(np, NULL, NULL, dev); + if (ret) { + dev_err(dev, "failed to register dwc3 core - %d\n", ret); diff --git a/queue-5.15/series b/queue-5.15/series index 2308ea8f64e..d62c66c82ba 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -133,3 +133,38 @@ net-fec-only-clear-interrupt-of-handling-queue-in-fec_enet_rx_queue.patch net-neigh-clear-whole-pneigh_entry-at-alloc-time.patch net-qla3xxx-fix-an-error-code-in-ql_adapter_up.patch selftests-fib_tests-rework-fib_rp_filter_test.patch +usb-gadget-detect-too-big-endpoint-0-requests.patch +usb-gadget-zero-allocate-endpoint-0-buffers.patch +revert-usb-dwc3-dwc3-qcom-enable-tx-fifo-resize-property-by-default.patch +usb-core-config-fix-validation-of-wmaxpacketvalue-entries.patch +xhci-remove-config_usb_default_persist-to-prevent-xhci-from-runtime-suspending.patch +usb-core-config-using-bit-mask-instead-of-individual-bits.patch +xhci-avoid-race-between-disable-slot-command-and-host-runtime-suspend.patch +iio-gyro-adxrs290-fix-data-signedness.patch +iio-trigger-fix-reference-counting.patch +iio-trigger-stm32-timer-fix-module_alias.patch +iio-stk3310-don-t-return-error-code-in-interrupt-handler.patch +iio-mma8452-fix-trigger-reference-couting.patch +iio-ltr501-don-t-return-error-code-in-trigger-handler.patch +iio-kxsd9-don-t-return-error-code-in-trigger-handler.patch +iio-itg3200-call-iio_trigger_notify_done-on-error.patch +iio-dln2-adc-fix-lockdep-complaint.patch +iio-dln2-check-return-value-of-devm_iio_trigger_register.patch +iio-at91-sama5d2-fix-incorrect-sign-extension.patch +iio-adc-stm32-fix-a-current-leak-by-resetting-pcsel-before-disabling-vdda.patch +iio-adc-axp20x_adc-fix-charging-current-reporting-on-axp22x.patch +iio-ad7768-1-call-iio_trigger_notify_done-on-error.patch +iio-accel-kxcjk-1013-fix-possible-memory-leak-in-probe-and-remove.patch +misc-rtsx-avoid-mangling-irq-during-runtime-pm.patch +nvmem-eeprom-at25-fix-fram-byte_len.patch +bus-mhi-pci_generic-fix-device-recovery-failed-issue.patch +bus-mhi-core-add-support-for-forced-pm-resume.patch +csky-fix-typo-of-fpu-config-macro.patch +irqchip-aspeed-scu-replace-update_bits-with-write_bits.patch +irqchip-armada-370-xp-fix-return-value-of-armada_370_xp_msi_alloc.patch +irqchip-armada-370-xp-fix-support-for-multi-msi-interrupts.patch +aio-fix-incorrect-usage-of-eventfd_signal_allowed.patch +irqchip-irq-gic-v3-its.c-force-synchronisation-when-issuing-invall.patch +irqchip-nvic-fix-offset-for-interrupt-priority-offsets.patch +misc-fastrpc-fix-improper-packet-size-calculation.patch +clocksource-drivers-dw_apb_timer_of-fix-probe-failure.patch diff --git a/queue-5.15/usb-core-config-fix-validation-of-wmaxpacketvalue-entries.patch b/queue-5.15/usb-core-config-fix-validation-of-wmaxpacketvalue-entries.patch new file mode 100644 index 00000000000..c76edf09ed1 --- /dev/null +++ b/queue-5.15/usb-core-config-fix-validation-of-wmaxpacketvalue-entries.patch @@ -0,0 +1,37 @@ +From 1a3910c80966e4a76b25ce812f6bea0ef1b1d530 Mon Sep 17 00:00:00 2001 +From: Pavel Hofman +Date: Fri, 10 Dec 2021 09:52:18 +0100 +Subject: usb: core: config: fix validation of wMaxPacketValue entries + +From: Pavel Hofman + +commit 1a3910c80966e4a76b25ce812f6bea0ef1b1d530 upstream. + +The checks performed by commit aed9d65ac327 ("USB: validate +wMaxPacketValue entries in endpoint descriptors") require that initial +value of the maxp variable contains both maximum packet size bits +(10..0) and multiple-transactions bits (12..11). However, the existing +code assings only the maximum packet size bits. This patch assigns all +bits of wMaxPacketSize to the variable. + +Fixes: aed9d65ac327 ("USB: validate wMaxPacketValue entries in endpoint descriptors") +Cc: stable +Acked-by: Alan Stern +Signed-off-by: Pavel Hofman +Link: https://lore.kernel.org/r/20211210085219.16796-1-pavel.hofman@ivitera.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/config.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -406,7 +406,7 @@ static int usb_parse_endpoint(struct dev + * the USB-2 spec requires such endpoints to have wMaxPacketSize = 0 + * (see the end of section 5.6.3), so don't warn about them. + */ +- maxp = usb_endpoint_maxp(&endpoint->desc); ++ maxp = le16_to_cpu(endpoint->desc.wMaxPacketSize); + if (maxp == 0 && !(usb_endpoint_xfer_isoc(d) && asnum == 0)) { + dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has invalid wMaxPacketSize 0\n", + cfgno, inum, asnum, d->bEndpointAddress); diff --git a/queue-5.15/usb-core-config-using-bit-mask-instead-of-individual-bits.patch b/queue-5.15/usb-core-config-using-bit-mask-instead-of-individual-bits.patch new file mode 100644 index 00000000000..799e39c87b1 --- /dev/null +++ b/queue-5.15/usb-core-config-using-bit-mask-instead-of-individual-bits.patch @@ -0,0 +1,34 @@ +From ca5737396927afd4d57b133fd2874bbcf3421cdb Mon Sep 17 00:00:00 2001 +From: Pavel Hofman +Date: Fri, 10 Dec 2021 09:52:19 +0100 +Subject: usb: core: config: using bit mask instead of individual bits + +From: Pavel Hofman + +commit ca5737396927afd4d57b133fd2874bbcf3421cdb upstream. + +Using standard USB_EP_MAXP_MULT_MASK instead of individual bits for +extracting multiple-transactions bits from wMaxPacketSize value. + +Acked-by: Alan Stern +Signed-off-by: Pavel Hofman +Link: https://lore.kernel.org/r/20211210085219.16796-2-pavel.hofman@ivitera.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/config.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -422,9 +422,9 @@ static int usb_parse_endpoint(struct dev + maxpacket_maxes = full_speed_maxpacket_maxes; + break; + case USB_SPEED_HIGH: +- /* Bits 12..11 are allowed only for HS periodic endpoints */ ++ /* Multiple-transactions bits are allowed only for HS periodic endpoints */ + if (usb_endpoint_xfer_int(d) || usb_endpoint_xfer_isoc(d)) { +- i = maxp & (BIT(12) | BIT(11)); ++ i = maxp & USB_EP_MAXP_MULT_MASK; + maxp &= ~i; + } + fallthrough; diff --git a/queue-5.15/usb-gadget-detect-too-big-endpoint-0-requests.patch b/queue-5.15/usb-gadget-detect-too-big-endpoint-0-requests.patch new file mode 100644 index 00000000000..60fcc97a11e --- /dev/null +++ b/queue-5.15/usb-gadget-detect-too-big-endpoint-0-requests.patch @@ -0,0 +1,104 @@ +From 153a2d7e3350cc89d406ba2d35be8793a64c2038 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 9 Dec 2021 18:59:27 +0100 +Subject: USB: gadget: detect too-big endpoint 0 requests + +From: Greg Kroah-Hartman + +commit 153a2d7e3350cc89d406ba2d35be8793a64c2038 upstream. + +Sometimes USB hosts can ask for buffers that are too large from endpoint +0, which should not be allowed. If this happens for OUT requests, stall +the endpoint, but for IN requests, trim the request size to the endpoint +buffer size. + +Co-developed-by: Szymon Heidrich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/composite.c | 12 ++++++++++++ + drivers/usb/gadget/legacy/dbgp.c | 13 +++++++++++++ + drivers/usb/gadget/legacy/inode.c | 16 +++++++++++++++- + 3 files changed, 40 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -1679,6 +1679,18 @@ composite_setup(struct usb_gadget *gadge + struct usb_function *f = NULL; + u8 endp; + ++ if (w_length > USB_COMP_EP0_BUFSIZ) { ++ if (ctrl->bRequestType == USB_DIR_OUT) { ++ goto done; ++ } else { ++ /* Cast away the const, we are going to overwrite on purpose. */ ++ __le16 *temp = (__le16 *)&ctrl->wLength; ++ ++ *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ); ++ w_length = USB_COMP_EP0_BUFSIZ; ++ } ++ } ++ + /* partial re-init of the response message; the function or the + * gadget might need to intercept e.g. a control-OUT completion + * when we delegate to it. +--- a/drivers/usb/gadget/legacy/dbgp.c ++++ b/drivers/usb/gadget/legacy/dbgp.c +@@ -345,6 +345,19 @@ static int dbgp_setup(struct usb_gadget + void *data = NULL; + u16 len = 0; + ++ if (length > DBGP_REQ_LEN) { ++ if (ctrl->bRequestType == USB_DIR_OUT) { ++ return err; ++ } else { ++ /* Cast away the const, we are going to overwrite on purpose. */ ++ __le16 *temp = (__le16 *)&ctrl->wLength; ++ ++ *temp = cpu_to_le16(DBGP_REQ_LEN); ++ length = DBGP_REQ_LEN; ++ } ++ } ++ ++ + if (request == USB_REQ_GET_DESCRIPTOR) { + switch (value>>8) { + case USB_DT_DEVICE: +--- a/drivers/usb/gadget/legacy/inode.c ++++ b/drivers/usb/gadget/legacy/inode.c +@@ -110,6 +110,8 @@ enum ep0_state { + /* enough for the whole queue: most events invalidate others */ + #define N_EVENT 5 + ++#define RBUF_SIZE 256 ++ + struct dev_data { + spinlock_t lock; + refcount_t count; +@@ -144,7 +146,7 @@ struct dev_data { + struct dentry *dentry; + + /* except this scratch i/o buffer for ep0 */ +- u8 rbuf [256]; ++ u8 rbuf[RBUF_SIZE]; + }; + + static inline void get_dev (struct dev_data *data) +@@ -1334,6 +1336,18 @@ gadgetfs_setup (struct usb_gadget *gadge + u16 w_value = le16_to_cpu(ctrl->wValue); + u16 w_length = le16_to_cpu(ctrl->wLength); + ++ if (w_length > RBUF_SIZE) { ++ if (ctrl->bRequestType == USB_DIR_OUT) { ++ return value; ++ } else { ++ /* Cast away the const, we are going to overwrite on purpose. */ ++ __le16 *temp = (__le16 *)&ctrl->wLength; ++ ++ *temp = cpu_to_le16(RBUF_SIZE); ++ w_length = RBUF_SIZE; ++ } ++ } ++ + spin_lock (&dev->lock); + dev->setup_abort = 0; + if (dev->state == STATE_DEV_UNCONNECTED) { diff --git a/queue-5.15/usb-gadget-zero-allocate-endpoint-0-buffers.patch b/queue-5.15/usb-gadget-zero-allocate-endpoint-0-buffers.patch new file mode 100644 index 00000000000..1731a94b0fc --- /dev/null +++ b/queue-5.15/usb-gadget-zero-allocate-endpoint-0-buffers.patch @@ -0,0 +1,43 @@ +From 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 9 Dec 2021 19:02:15 +0100 +Subject: USB: gadget: zero allocate endpoint 0 buffers + +From: Greg Kroah-Hartman + +commit 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3 upstream. + +Under some conditions, USB gadget devices can show allocated buffer +contents to a host. Fix this up by zero-allocating them so that any +extra data will all just be zeros. + +Reported-by: Szymon Heidrich +Tested-by: Szymon Heidrich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/composite.c | 2 +- + drivers/usb/gadget/legacy/dbgp.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -2221,7 +2221,7 @@ int composite_dev_prepare(struct usb_com + if (!cdev->req) + return -ENOMEM; + +- cdev->req->buf = kmalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL); ++ cdev->req->buf = kzalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL); + if (!cdev->req->buf) + goto fail; + +--- a/drivers/usb/gadget/legacy/dbgp.c ++++ b/drivers/usb/gadget/legacy/dbgp.c +@@ -137,7 +137,7 @@ static int dbgp_enable_ep_req(struct usb + goto fail_1; + } + +- req->buf = kmalloc(DBGP_REQ_LEN, GFP_KERNEL); ++ req->buf = kzalloc(DBGP_REQ_LEN, GFP_KERNEL); + if (!req->buf) { + err = -ENOMEM; + stp = 2; diff --git a/queue-5.15/xhci-avoid-race-between-disable-slot-command-and-host-runtime-suspend.patch b/queue-5.15/xhci-avoid-race-between-disable-slot-command-and-host-runtime-suspend.patch new file mode 100644 index 00000000000..a86120b7b9b --- /dev/null +++ b/queue-5.15/xhci-avoid-race-between-disable-slot-command-and-host-runtime-suspend.patch @@ -0,0 +1,116 @@ +From 7faac1953ed1f658f719cdf7bb7303fa5eef822c Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Fri, 10 Dec 2021 16:17:35 +0200 +Subject: xhci: avoid race between disable slot command and host runtime suspend + +From: Mathias Nyman + +commit 7faac1953ed1f658f719cdf7bb7303fa5eef822c upstream. + +Make xhci_disable_slot() synchronous, thus ensuring it, and +xhci_free_dev() calling it return after xHC controller completes +the disable slot command. + +Otherwise the roothub and xHC host may runtime suspend, and clear the +command ring while the disable slot command is being processed. + +This causes a command completion mismatch as the completion event can't +be mapped to the correct command. +Command ring gets out of sync and commands time out. +Driver finally assumes host is unresponsive and bails out. + +usb 2-4: USB disconnect, device number 10 +xhci_hcd 0000:00:0d.0: ERROR mismatched command completion event +... +xhci_hcd 0000:00:0d.0: xHCI host controller not responding, assume dead +xhci_hcd 0000:00:0d.0: HC died; cleaning up + +Cc: +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20211210141735.1384209-3-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-hub.c | 1 + + drivers/usb/host/xhci-ring.c | 1 - + drivers/usb/host/xhci.c | 22 +++++++++++++++------- + 3 files changed, 16 insertions(+), 8 deletions(-) + +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -717,6 +717,7 @@ static int xhci_enter_test_mode(struct x + continue; + + retval = xhci_disable_slot(xhci, i); ++ xhci_free_virt_device(xhci, i); + if (retval) + xhci_err(xhci, "Failed to disable slot %d, %d. Enter test mode anyway\n", + i, retval); +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1525,7 +1525,6 @@ static void xhci_handle_cmd_disable_slot + if (xhci->quirks & XHCI_EP_LIMIT_QUIRK) + /* Delete default control endpoint resources */ + xhci_free_device_endpoint_resources(xhci, virt_dev, true); +- xhci_free_virt_device(xhci, slot_id); + } + + static void xhci_handle_cmd_config_ep(struct xhci_hcd *xhci, int slot_id, +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -3959,9 +3959,8 @@ static void xhci_free_dev(struct usb_hcd + del_timer_sync(&virt_dev->eps[i].stop_cmd_timer); + } + virt_dev->udev = NULL; +- ret = xhci_disable_slot(xhci, udev->slot_id); +- if (ret) +- xhci_free_virt_device(xhci, udev->slot_id); ++ xhci_disable_slot(xhci, udev->slot_id); ++ xhci_free_virt_device(xhci, udev->slot_id); + } + + int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id) +@@ -3971,7 +3970,7 @@ int xhci_disable_slot(struct xhci_hcd *x + u32 state; + int ret = 0; + +- command = xhci_alloc_command(xhci, false, GFP_KERNEL); ++ command = xhci_alloc_command(xhci, true, GFP_KERNEL); + if (!command) + return -ENOMEM; + +@@ -3996,6 +3995,15 @@ int xhci_disable_slot(struct xhci_hcd *x + } + xhci_ring_cmd_db(xhci); + spin_unlock_irqrestore(&xhci->lock, flags); ++ ++ wait_for_completion(command->completion); ++ ++ if (command->status != COMP_SUCCESS) ++ xhci_warn(xhci, "Unsuccessful disable slot %u command, status %d\n", ++ slot_id, command->status); ++ ++ xhci_free_command(xhci, command); ++ + return ret; + } + +@@ -4104,9 +4112,8 @@ int xhci_alloc_dev(struct usb_hcd *hcd, + return 1; + + disable_slot: +- ret = xhci_disable_slot(xhci, udev->slot_id); +- if (ret) +- xhci_free_virt_device(xhci, udev->slot_id); ++ xhci_disable_slot(xhci, udev->slot_id); ++ xhci_free_virt_device(xhci, udev->slot_id); + + return 0; + } +@@ -4236,6 +4243,7 @@ static int xhci_setup_device(struct usb_ + + mutex_unlock(&xhci->mutex); + ret = xhci_disable_slot(xhci, udev->slot_id); ++ xhci_free_virt_device(xhci, udev->slot_id); + if (!ret) + xhci_alloc_dev(hcd, udev); + kfree(command->completion); diff --git a/queue-5.15/xhci-remove-config_usb_default_persist-to-prevent-xhci-from-runtime-suspending.patch b/queue-5.15/xhci-remove-config_usb_default_persist-to-prevent-xhci-from-runtime-suspending.patch new file mode 100644 index 00000000000..abeed8e7adb --- /dev/null +++ b/queue-5.15/xhci-remove-config_usb_default_persist-to-prevent-xhci-from-runtime-suspending.patch @@ -0,0 +1,62 @@ +From 811ae81320da53a5670c36970cefacca8519f90e Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Fri, 10 Dec 2021 16:17:34 +0200 +Subject: xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime suspending + +From: Kai-Heng Feng + +commit 811ae81320da53a5670c36970cefacca8519f90e upstream. + +When the xHCI is quirked with XHCI_RESET_ON_RESUME, runtime resume +routine also resets the controller. + +This is bad for USB drivers without reset_resume callback, because +there's no subsequent call of usb_dev_complete() -> +usb_resume_complete() to force rebinding the driver to the device. For +instance, btusb device stops working after xHCI controller is runtime +resumed, if the controlled is quirked with XHCI_RESET_ON_RESUME. + +So always take XHCI_RESET_ON_RESUME into account to solve the issue. + +Cc: +Signed-off-by: Kai-Heng Feng +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20211210141735.1384209-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -3934,7 +3934,6 @@ static void xhci_free_dev(struct usb_hcd + struct xhci_slot_ctx *slot_ctx; + int i, ret; + +-#ifndef CONFIG_USB_DEFAULT_PERSIST + /* + * We called pm_runtime_get_noresume when the device was attached. + * Decrement the counter here to allow controller to runtime suspend +@@ -3942,7 +3941,6 @@ static void xhci_free_dev(struct usb_hcd + */ + if (xhci->quirks & XHCI_RESET_ON_RESUME) + pm_runtime_put_noidle(hcd->self.controller); +-#endif + + ret = xhci_check_args(hcd, udev, NULL, 0, true, __func__); + /* If the host is halted due to driver unload, we still need to free the +@@ -4094,14 +4092,12 @@ int xhci_alloc_dev(struct usb_hcd *hcd, + + xhci_debugfs_create_slot(xhci, slot_id); + +-#ifndef CONFIG_USB_DEFAULT_PERSIST + /* + * If resetting upon resume, we can't put the controller into runtime + * suspend if there is a device attached. + */ + if (xhci->quirks & XHCI_RESET_ON_RESUME) + pm_runtime_get_noresume(hcd->self.controller); +-#endif + + /* Is this a LS or FS device under a HS hub? */ + /* Hub or peripherial? */