From: Greg Kroah-Hartman Date: Mon, 5 Jun 2023 15:01:24 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.14.317~81 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=471a8cd7a9ce1d7bdf6669b0b76ec8e45a396851;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: misc-fastrpc-reject-new-invocations-during-device-removal.patch misc-fastrpc-return-epipe-to-invocations-on-device-removal.patch net-usb-qmi_wwan-set-dtr-quirk-for-broadmobi-bm818.patch usb-gadget-f_fs-add-unbind-event-before-functionfs_unbind.patch
---
diff --git a/queue-5.10/misc-fastrpc-reject-new-invocations-during-device-removal.patch b/queue-5.10/misc-fastrpc-reject-new-invocations-during-device-removal.patch
new file mode 100644
index 00000000000..3ca0361ee9a
--- /dev/null
+++ b/queue-5.10/misc-fastrpc-reject-new-invocations-during-device-removal.patch
@@ -0,0 +1,50 @@
+From 46248400d81e2aa0b65cd659d6f40188192a58b6 Mon Sep 17 00:00:00 2001
+From: Richard Acayan
+Date: Tue, 23 May 2023 16:25:50 +0100
+Subject: misc: fastrpc: reject new invocations during device removal
+
+From: Richard Acayan
+
+commit 46248400d81e2aa0b65cd659d6f40188192a58b6 upstream.
+
+The channel's rpmsg object allows new invocations to be made. After old
+invocations are already interrupted, the driver shouldn't try to invoke
+anymore. Invalidating the rpmsg at the end of the driver removal
+function makes it easy to cause a race condition in userspace. Even
+closing a file descriptor before the driver finishes its cleanup can
+cause an invocation via fastrpc_release_current_dsp_process() and
+subsequent timeout.
+
+Invalidate the channel before the invocations are interrupted to make
+sure that no invocations can be created to hang after the device closes.
+
+Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
+Cc: stable
+Signed-off-by: Richard Acayan
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20230523152550.438363-5-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/fastrpc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -1688,7 +1688,9 @@ static void fastrpc_rpmsg_remove(struct
+ struct fastrpc_user *user;
+ unsigned long flags;
+
++ /* No invocations past this point */
+ spin_lock_irqsave(&cctx->lock, flags);
++ cctx->rpdev = NULL;
+ list_for_each_entry(user, &cctx->users, user)
+ fastrpc_notify_users(user);
+ spin_unlock_irqrestore(&cctx->lock, flags);
+@@ -1696,7 +1698,6 @@ static void fastrpc_rpmsg_remove(struct
+ misc_deregister(&cctx->miscdev);
+ of_platform_depopulate(&rpdev->dev);
+
+- cctx->rpdev = NULL;
+ fastrpc_channel_ctx_put(cctx);
+ }
+
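Review bot: The comment `/* No invocations past this point */` in fastrpc_rpmsg_remove() sits above `spin_lock_irqsave()`, but the guarantee it describes only begins at `cctx->rpdev = NULL;` and only holds for readers that test `cctx->rpdev` under `cctx->lock`. The invoke path is not part of this hunk, so it cannot be confirmed here that the NULL check and the later use of the pointer happen under that lock; if they are lockless, a caller that passed the check just before the store could still send on a channel that is being torn down. I would move the comment onto the assignment and state the rule, e.g. `/* Clear under cctx->lock so invoke paths see NULL before pending contexts are completed */`. The function's signature and the code between the two hunks are outside the view.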
diff --git a/queue-5.10/misc-fastrpc-return-epipe-to-invocations-on-device-removal.patch b/queue-5.10/misc-fastrpc-return-epipe-to-invocations-on-device-removal.patch
new file mode 100644
index 00000000000..41f8c5a9ad6
--- /dev/null
+++ b/queue-5.10/misc-fastrpc-return-epipe-to-invocations-on-device-removal.patch
@@ -0,0 +1,41 @@
+From b6a062853ddf6b4f653af2d8b75ba45bb9a036ad Mon Sep 17 00:00:00 2001
+From: Richard Acayan
+Date: Tue, 23 May 2023 16:25:49 +0100
+Subject: misc: fastrpc: return -EPIPE to invocations on device removal
+
+From: Richard Acayan
+
+commit b6a062853ddf6b4f653af2d8b75ba45bb9a036ad upstream.
+
+The return value is initialized as -1, or -EPERM. The completion of an
+invocation implies that the return value is set appropriately, but
+"Permission denied" does not accurately describe the outcome of the
+invocation. Set the invocation's return value to a more appropriate
+"Broken pipe", as the cleanup breaks the driver's connection with rpmsg.
+
+Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
+Cc: stable
+Signed-off-by: Richard Acayan
+Reviewed-by: Srinivas Kandagatla
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20230523152550.438363-4-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/fastrpc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -1675,8 +1675,10 @@ static void fastrpc_notify_users(struct
+ struct fastrpc_invoke_ctx *ctx;
+
+ spin_lock(&user->lock);
+- list_for_each_entry(ctx, &user->pending, node)
++ list_for_each_entry(ctx, &user->pending, node) {
++ ctx->retval = -EPIPE;
+ complete(&ctx->work);
++ }
+ spin_unlock(&user->lock);
+ }
+
diff --git a/queue-5.10/net-usb-qmi_wwan-set-dtr-quirk-for-broadmobi-bm818.patch b/queue-5.10/net-usb-qmi_wwan-set-dtr-quirk-for-broadmobi-bm818.patch
new file mode 100644
index 00000000000..5b21be2ddfc
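Review bot: In fastrpc_notify_users() the new `ctx->retval = -EPIPE;` is written for every entry on `user->pending`, with no check of whether that context has already been completed. If a context whose reply has already arrived can still be on the list (the reply callback and the code that removes entries are outside this hunk), its real status is replaced by -EPIPE and `complete()` is signalled a second time. Either skip finished contexts or record the decision next to the store, e.g. `/* Channel is gone: every context still pending fails with -EPIPE, even if a reply raced in */`. The start of the function is outside the hunk.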
--- /dev/null
+++ b/queue-5.10/net-usb-qmi_wwan-set-dtr-quirk-for-broadmobi-bm818.patch
@@ -0,0 +1,36 @@
+From 36936a56e1814f6c526fe71fbf980beab4f5577a Mon Sep 17 00:00:00 2001
+From: Sebastian Krzyszkowiak
+Date: Fri, 26 May 2023 16:38:11 +0200
+Subject: net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sebastian Krzyszkowiak
+
+commit 36936a56e1814f6c526fe71fbf980beab4f5577a upstream.
+
+BM818 is based on Qualcomm MDM9607 chipset.
+
+Fixes: 9a07406b00cd ("net: usb: qmi_wwan: Add the BroadMobi BM818 card")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sebastian Krzyszkowiak
+Acked-by: Bjørn Mork
+Link: https://lore.kernel.org/r/20230526-bm818-dtr-v1-1-64bbfa6ba8af@puri.sm
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/qmi_wwan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1260,7 +1260,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x2001, 0x7e3d, 4)}, /* D-Link DWM-222 A2 */
+ {QMI_FIXED_INTF(0x2020, 0x2031, 4)}, /* Olicard 600 */
+ {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */
+- {QMI_FIXED_INTF(0x2020, 0x2060, 4)}, /* BroadMobi BM818 */
++ {QMI_QUIRK_SET_DTR(0x2020, 0x2060, 4)}, /* BroadMobi BM818 */
+ {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */
+ {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */
+ {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */
diff --git a/queue-5.10/series b/queue-5.10/series
index 9e75c1ee8cd..2af40a6fb00 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -81,3 +81,7 @@ iio-light-vcnl4035-fixed-chip-id-check.patch
 iio-dac-mcp4725-fix-i2c_master_send-return-value-handling.patch
 iio-adc-ad7192-change-shorted-channels-to-differential.patch
 iio-dac-build-ad5758-driver-when-ad5758-is-selected.patch
+net-usb-qmi_wwan-set-dtr-quirk-for-broadmobi-bm818.patch
+usb-gadget-f_fs-add-unbind-event-before-functionfs_unbind.patch
+misc-fastrpc-return-epipe-to-invocations-on-device-removal.patch
+misc-fastrpc-reject-new-invocations-during-device-removal.patch
diff --git a/queue-5.10/usb-gadget-f_fs-add-unbind-event-before-functionfs_unbind.patch b/queue-5.10/usb-gadget-f_fs-add-unbind-event-before-functionfs_unbind.patch
new file mode 100644
index 00000000000..16c68a1f1f6
--- /dev/null
+++ b/queue-5.10/usb-gadget-f_fs-add-unbind-event-before-functionfs_unbind.patch
@@ -0,0 +1,65 @@
+From efb6b535207395a5c7317993602e2503ca8cb4b3 Mon Sep 17 00:00:00 2001
+From: Uttkarsh Aggarwal
+Date: Thu, 25 May 2023 14:58:54 +0530
+Subject: usb: gadget: f_fs: Add unbind event before functionfs_unbind
+
+From: Uttkarsh Aggarwal
+
+commit efb6b535207395a5c7317993602e2503ca8cb4b3 upstream.
+
+While exercising the unbind path, with the current implementation
+the functionfs_unbind would be calling which waits for the ffs->mutex
+to be available, however within the same time ffs_ep0_read is invoked
+& if no setup packets are pending, it will invoke function
+wait_event_interruptible_exclusive_locked_irq which by definition waits
+for the ev.count to be increased inside the same mutex for which
+functionfs_unbind is waiting.
+This creates deadlock situation because the functionfs_unbind won't
+get the lock until ev.count is increased which can only happen if
+the caller ffs_func_unbind can proceed further.
+
+Following is the illustration:
+
+ CPU1 CPU2
+
+ffs_func_unbind() ffs_ep0_read()
+ mutex_lock(ffs->mutex)
+ wait_event(ffs->ev.count)
+functionfs_unbind()
+ mutex_lock(ffs->mutex)
+ mutex_unlock(ffs->mutex)
+
+ffs_event_add()
+
+
+
+Fix this by moving the event unbind before functionfs_unbind
+to ensure the ev.count is incrased properly.
+
+Fixes: 6a19da111057 ("usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait")
+Cc: stable
+Signed-off-by: Uttkarsh Aggarwal
+Link: https://lore.kernel.org/r/20230525092854.7992-1-quic_uaggarwa@quicinc.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -3609,6 +3609,7 @@ static void ffs_func_unbind(struct usb_c
+ /* Drain any pending AIO completions */
+ drain_workqueue(ffs->io_completion_wq);
+
++ ffs_event_add(ffs, FUNCTIONFS_UNBIND);
+ if (!--opts->refcnt)
+ functionfs_unbind(ffs);
+
+@@ -3633,7 +3634,6 @@ static void ffs_func_unbind(struct usb_c
+ func->function.ssp_descriptors = NULL;
+ func->interfaces_nums = NULL;
+
+- ffs_event_add(ffs, FUNCTIONFS_UNBIND);
+ }
+
+ static struct usb_function *ffs_alloc(struct usb_function_instance *fi)
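Review bot: The moved `ffs_event_add(ffs, FUNCTIONFS_UNBIND);` in ffs_func_unbind() now has to run before `functionfs_unbind()`, but nothing in the code says so, so a later cleanup could move it back and reintroduce the hang described in the commit message. A comment above the call would pin the ordering, e.g. `/* Queue UNBIND first: functionfs_unbind() takes ffs->mutex, which an ep0 reader may hold while waiting for an event */`. The event is also now delivered before the teardown that lies between the two hunks (not visible here), so it is worth confirming that a reader woken by it cannot act on state that teardown is still clearing. The second hunk leaves an empty line directly before the closing `}`, which can be dropped.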