From: Greg Kroah-Hartman Date: Sat, 6 May 2023 02:18:33 +0000 (+0900) Subject: 6.3-stable patches X-Git-Tag: v5.15.111~135 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=55ecb970395992778f7515226c8f7e9854813b9a;p=thirdparty%2Fkernel%2Fstable-queue.git 6.3-stable patches added patches: asoc-amd-ps-update-the-acp-clock-source.patch blk-crypto-make-blk_crypto_evict_key-more-robust.patch blk-crypto-make-blk_crypto_evict_key-return-void.patch blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch blk-stat-fix-queue_flag_stats-clear.patch bus-mhi-host-pci_generic-revert-add-a-secondary-at-port-to-telit-fn990.patch drm-vmwgfx-fix-legacy-display-unit-atomic-drm-support.patch fs-fix-sysctls.c-built.patch hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch iio-addac-stx104-fix-race-condition-for-stx104_write_raw.patch iio-addac-stx104-fix-race-condition-when-converting-analog-to-digital.patch ima-allow-fix-uml-builds.patch ipmi-fix-ssif-not-responding-under-certain-cond.patch ipmi-ssif-add-send_retries-increment.patch kheaders-use-array-declaration-instead-of-char.patch media-ov8856-do-not-check-for-for-module-version.patch mips-fw-allow-firmware-to-pass-a-empty-env.patch pci-kirin-select-regmap_mmio.patch pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch phy-qcom-qmp-pcie-sc8180x-pcie-phy-has-2-lanes.patch posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch powerpc-boot-fix-boot-wrapper-code-generation-with-config_power10_cpu.patch serial-8250-fix-serial8250_tx_empty-race-with-dma-tx.patch serial-fix-tiocsrs485-locking.patch serial-max310x-fix-io-data-corruption-in-batched-operations.patch staging-iio-resolver-ads1210-fix-config-mode.patch tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch tpm-add-tpm_amd_is_rng_defective-to-the-hwrng_unregister-call-site.patch tty-prevent-writing-chars-during-tcsetattr-tcsadrain-flush.patch usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch usb-dwc3-gadget-stall-and-restart-ep0-if-host-is-unresponsive.patch usb-gadget-udc-core-invoke-usb_gadget_connect-only-when-started.patch usb-gadget-udc-core-prevent-redundant-calls-to-pullup.patch wifi-mt76-add-missing-locking-to-protect-against-concurrent-rx-status-calls.patch wifi-mt76-mt7921e-set-memory-space-enable-in-pci_command-if-unset.patch wifi-rtw88-usb-fix-priority-queue-to-endpoint-mapping.patch wifi-rtw89-correct-5-mhz-mask-setting.patch xhci-fix-debugfs-register-accesses-while-suspended.patch --- diff --git a/queue-6.3/asoc-amd-ps-update-the-acp-clock-source.patch b/queue-6.3/asoc-amd-ps-update-the-acp-clock-source.patch new file mode 100644 index 00000000000..c7bde952da0 --- /dev/null +++ b/queue-6.3/asoc-amd-ps-update-the-acp-clock-source.patch @@ -0,0 +1,38 @@ +From a4d432e9132c0b29d857b09ca2ec4c1f455b5948 Mon Sep 17 00:00:00 2001 +From: Syed Saba Kareem +Date: Fri, 31 Mar 2023 10:50:23 +0530 +Subject: ASoC: amd: ps: update the acp clock source. + +From: Syed Saba Kareem + +commit a4d432e9132c0b29d857b09ca2ec4c1f455b5948 upstream. + +Updating the clock source from ACLK to default clock + +Signed-off-by: Syed Saba Kareem +Link: https://lore.kernel.org/r/20230331052102.2211115-1-Syed.SabaKareem@amd.com +Signed-off-by: Mark Brown +Cc: Mario Limonciello +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/amd/ps/pci-ps.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/sound/soc/amd/ps/pci-ps.c ++++ b/sound/soc/amd/ps/pci-ps.c +@@ -91,7 +91,6 @@ static int acp63_init(void __iomem *acp_ + dev_err(dev, "ACP reset failed\n"); + return ret; + } +- acp63_writel(0x03, acp_base + ACP_CLKMUX_SEL); + acp63_enable_interrupts(acp_base); + return 0; + } +@@ -106,7 +105,6 @@ static int acp63_deinit(void __iomem *ac + dev_err(dev, "ACP reset failed\n"); + return ret; + } +- acp63_writel(0, acp_base + ACP_CLKMUX_SEL); + acp63_writel(0, acp_base + ACP_CONTROL); + return 0; + } diff --git a/queue-6.3/blk-crypto-make-blk_crypto_evict_key-more-robust.patch b/queue-6.3/blk-crypto-make-blk_crypto_evict_key-more-robust.patch new file mode 100644 index 00000000000..d53b0e9548c --- /dev/null +++ b/queue-6.3/blk-crypto-make-blk_crypto_evict_key-more-robust.patch @@ -0,0 +1,160 @@ +From 5c7cb94452901a93e90c2230632e2c12a681bc92 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Wed, 15 Mar 2023 11:39:04 -0700 +Subject: blk-crypto: make blk_crypto_evict_key() more robust + +From: Eric Biggers + +commit 5c7cb94452901a93e90c2230632e2c12a681bc92 upstream. + +If blk_crypto_evict_key() sees that the key is still in-use (due to a +bug) or that ->keyslot_evict failed, it currently just returns while +leaving the key linked into the keyslot management structures. + +However, blk_crypto_evict_key() is only called in contexts such as inode +eviction where failure is not an option. So actually the caller +proceeds with freeing the blk_crypto_key regardless of the return value +of blk_crypto_evict_key(). + +These two assumptions don't match, and the result is that there can be a +use-after-free in blk_crypto_reprogram_all_keys() after one of these +errors occurs. (Note, these errors *shouldn't* happen; we're just +talking about what happens if they do anyway.) + +Fix this by making blk_crypto_evict_key() unlink the key from the +keyslot management structures even on failure. + +Also improve some comments. + +Fixes: 1b2628397058 ("block: Keyslot Manager for Inline Encryption") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-crypto-profile.c | 46 ++++++++++++++++++++------------------------- + block/blk-crypto.c | 28 +++++++++++++++++++-------- + 2 files changed, 41 insertions(+), 33 deletions(-) + +--- a/block/blk-crypto-profile.c ++++ b/block/blk-crypto-profile.c +@@ -354,28 +354,16 @@ bool __blk_crypto_cfg_supported(struct b + return true; + } + +-/** +- * __blk_crypto_evict_key() - Evict a key from a device. +- * @profile: the crypto profile of the device +- * @key: the key to evict. It must not still be used in any I/O. +- * +- * If the device has keyslots, this finds the keyslot (if any) that contains the +- * specified key and calls the driver's keyslot_evict function to evict it. +- * +- * Otherwise, this just calls the driver's keyslot_evict function if it is +- * implemented, passing just the key (without any particular keyslot). This +- * allows layered devices to evict the key from their underlying devices. +- * +- * Context: Process context. Takes and releases profile->lock. +- * Return: 0 on success or if there's no keyslot with the specified key, -EBUSY +- * if the keyslot is still in use, or another -errno value on other +- * error. ++/* ++ * This is an internal function that evicts a key from an inline encryption ++ * device that can be either a real device or the blk-crypto-fallback "device". ++ * It is used only by blk_crypto_evict_key(); see that function for details. + */ + int __blk_crypto_evict_key(struct blk_crypto_profile *profile, + const struct blk_crypto_key *key) + { + struct blk_crypto_keyslot *slot; +- int err = 0; ++ int err; + + if (profile->num_slots == 0) { + if (profile->ll_ops.keyslot_evict) { +@@ -389,22 +377,30 @@ int __blk_crypto_evict_key(struct blk_cr + + blk_crypto_hw_enter(profile); + slot = blk_crypto_find_keyslot(profile, key); +- if (!slot) +- goto out_unlock; ++ if (!slot) { ++ /* ++ * Not an error, since a key not in use by I/O is not guaranteed ++ * to be in a keyslot. There can be more keys than keyslots. ++ */ ++ err = 0; ++ goto out; ++ } + + if (WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)) { ++ /* BUG: key is still in use by I/O */ + err = -EBUSY; +- goto out_unlock; ++ goto out_remove; + } + err = profile->ll_ops.keyslot_evict(profile, key, + blk_crypto_keyslot_index(slot)); +- if (err) +- goto out_unlock; +- ++out_remove: ++ /* ++ * Callers free the key even on error, so unlink the key from the hash ++ * table and clear slot->key even on error. ++ */ + hlist_del(&slot->hash_node); + slot->key = NULL; +- err = 0; +-out_unlock: ++out: + blk_crypto_hw_exit(profile); + return err; + } +--- a/block/blk-crypto.c ++++ b/block/blk-crypto.c +@@ -400,15 +400,19 @@ int blk_crypto_start_using_key(struct bl + } + + /** +- * blk_crypto_evict_key() - Evict a key from any inline encryption hardware +- * it may have been programmed into +- * @bdev: The block_device who's associated inline encryption hardware this key +- * might have been programmed into +- * @key: The key to evict ++ * blk_crypto_evict_key() - Evict a blk_crypto_key from a block_device ++ * @bdev: a block_device on which I/O using the key may have been done ++ * @key: the key to evict + * +- * Upper layers (filesystems) must call this function to ensure that a key is +- * evicted from any hardware that it might have been programmed into. The key +- * must not be in use by any in-flight IO when this function is called. ++ * For a given block_device, this function removes the given blk_crypto_key from ++ * the keyslot management structures and evicts it from any underlying hardware ++ * keyslot(s) or blk-crypto-fallback keyslot it may have been programmed into. ++ * ++ * Upper layers must call this before freeing the blk_crypto_key. It must be ++ * called for every block_device the key may have been used on. The key must no ++ * longer be in use by any I/O when this function is called. ++ * ++ * Context: May sleep. + */ + void blk_crypto_evict_key(struct block_device *bdev, + const struct blk_crypto_key *key) +@@ -420,6 +424,14 @@ void blk_crypto_evict_key(struct block_d + err = __blk_crypto_evict_key(q->crypto_profile, key); + else + err = blk_crypto_fallback_evict_key(key); ++ /* ++ * An error can only occur here if the key failed to be evicted from a ++ * keyslot (due to a hardware or driver issue) or is allegedly still in ++ * use by I/O (due to a kernel bug). Even in these cases, the key is ++ * still unlinked from the keyslot management structures, and the caller ++ * is allowed and expected to free it right away. There's nothing ++ * callers can do to handle errors, so just log them and return void. ++ */ + if (err) + pr_warn_ratelimited("%pg: error %d evicting key\n", bdev, err); + } diff --git a/queue-6.3/blk-crypto-make-blk_crypto_evict_key-return-void.patch b/queue-6.3/blk-crypto-make-blk_crypto_evict_key-return-void.patch new file mode 100644 index 00000000000..a9caa79ee1a --- /dev/null +++ b/queue-6.3/blk-crypto-make-blk_crypto_evict_key-return-void.patch @@ -0,0 +1,130 @@ +From 70493a63ba04f754f7a7dd53a4fcc82700181490 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Wed, 15 Mar 2023 11:39:03 -0700 +Subject: blk-crypto: make blk_crypto_evict_key() return void + +From: Eric Biggers + +commit 70493a63ba04f754f7a7dd53a4fcc82700181490 upstream. + +blk_crypto_evict_key() is only called in contexts such as inode eviction +where failure is not an option. So there is nothing the caller can do +with errors except log them. (dm-table.c does "use" the error code, but +only to pass on to upper layers, so it doesn't really count.) + +Just make blk_crypto_evict_key() return void and log errors itself. + +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-crypto.c | 20 +++++++++----------- + drivers/md/dm-table.c | 19 +++++-------------- + include/linux/blk-crypto.h | 4 ++-- + 3 files changed, 16 insertions(+), 27 deletions(-) + +--- a/block/blk-crypto.c ++++ b/block/blk-crypto.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + + #include "blk-crypto-internal.h" +@@ -408,21 +409,18 @@ int blk_crypto_start_using_key(struct bl + * Upper layers (filesystems) must call this function to ensure that a key is + * evicted from any hardware that it might have been programmed into. The key + * must not be in use by any in-flight IO when this function is called. +- * +- * Return: 0 on success or if the key wasn't in any keyslot; -errno on error. + */ +-int blk_crypto_evict_key(struct block_device *bdev, +- const struct blk_crypto_key *key) ++void blk_crypto_evict_key(struct block_device *bdev, ++ const struct blk_crypto_key *key) + { + struct request_queue *q = bdev_get_queue(bdev); ++ int err; + + if (blk_crypto_config_supported_natively(bdev, &key->crypto_cfg)) +- return __blk_crypto_evict_key(q->crypto_profile, key); +- +- /* +- * If the block_device didn't support the key, then blk-crypto-fallback +- * may have been used, so try to evict the key from blk-crypto-fallback. +- */ +- return blk_crypto_fallback_evict_key(key); ++ err = __blk_crypto_evict_key(q->crypto_profile, key); ++ else ++ err = blk_crypto_fallback_evict_key(key); ++ if (err) ++ pr_warn_ratelimited("%pg: error %d evicting key\n", bdev, err); + } + EXPORT_SYMBOL_GPL(blk_crypto_evict_key); +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -1202,21 +1202,12 @@ struct dm_crypto_profile { + struct mapped_device *md; + }; + +-struct dm_keyslot_evict_args { +- const struct blk_crypto_key *key; +- int err; +-}; +- + static int dm_keyslot_evict_callback(struct dm_target *ti, struct dm_dev *dev, + sector_t start, sector_t len, void *data) + { +- struct dm_keyslot_evict_args *args = data; +- int err; ++ const struct blk_crypto_key *key = data; + +- err = blk_crypto_evict_key(dev->bdev, args->key); +- if (!args->err) +- args->err = err; +- /* Always try to evict the key from all devices. */ ++ blk_crypto_evict_key(dev->bdev, key); + return 0; + } + +@@ -1229,7 +1220,6 @@ static int dm_keyslot_evict(struct blk_c + { + struct mapped_device *md = + container_of(profile, struct dm_crypto_profile, profile)->md; +- struct dm_keyslot_evict_args args = { key }; + struct dm_table *t; + int srcu_idx; + +@@ -1242,11 +1232,12 @@ static int dm_keyslot_evict(struct blk_c + + if (!ti->type->iterate_devices) + continue; +- ti->type->iterate_devices(ti, dm_keyslot_evict_callback, &args); ++ ti->type->iterate_devices(ti, dm_keyslot_evict_callback, ++ (void *)key); + } + + dm_put_live_table(md, srcu_idx); +- return args.err; ++ return 0; + } + + static int +--- a/include/linux/blk-crypto.h ++++ b/include/linux/blk-crypto.h +@@ -95,8 +95,8 @@ int blk_crypto_init_key(struct blk_crypt + int blk_crypto_start_using_key(struct block_device *bdev, + const struct blk_crypto_key *key); + +-int blk_crypto_evict_key(struct block_device *bdev, +- const struct blk_crypto_key *key); ++void blk_crypto_evict_key(struct block_device *bdev, ++ const struct blk_crypto_key *key); + + bool blk_crypto_config_supported_natively(struct block_device *bdev, + const struct blk_crypto_config *cfg); diff --git a/queue-6.3/blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch b/queue-6.3/blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch new file mode 100644 index 00000000000..4af16ad84f9 --- /dev/null +++ b/queue-6.3/blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch @@ -0,0 +1,194 @@ +From 9cd1e566676bbcb8a126acd921e4e194e6339603 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Wed, 15 Mar 2023 11:39:02 -0700 +Subject: blk-mq: release crypto keyslot before reporting I/O complete + +From: Eric Biggers + +commit 9cd1e566676bbcb8a126acd921e4e194e6339603 upstream. + +Once all I/O using a blk_crypto_key has completed, filesystems can call +blk_crypto_evict_key(). However, the block layer currently doesn't call +blk_crypto_put_keyslot() until the request is being freed, which happens +after upper layers have been told (via bio_endio()) the I/O has +completed. This causes a race condition where blk_crypto_evict_key() +can see 'slot_refs != 0' without there being an actual bug. + +This makes __blk_crypto_evict_key() hit the +'WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)' and return without +doing anything, eventually causing a use-after-free in +blk_crypto_reprogram_all_keys(). (This is a very rare bug and has only +been seen when per-file keys are being used with fscrypt.) + +There are two options to fix this: either release the keyslot before +bio_endio() is called on the request's last bio, or make +__blk_crypto_evict_key() ignore slot_refs. Let's go with the first +solution, since it preserves the ability to report bugs (via +WARN_ON_ONCE) where a key is evicted while still in-use. + +Fixes: a892c8d52c02 ("block: Inline encryption support for blk-mq") +Cc: stable@vger.kernel.org +Reviewed-by: Nathan Huckleberry +Reviewed-by: Christoph Hellwig +Signed-off-by: Eric Biggers +Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-crypto-internal.h | 25 +++++++++++++++++++++---- + block/blk-crypto.c | 24 ++++++++++++------------ + block/blk-merge.c | 2 ++ + block/blk-mq.c | 15 ++++++++++++++- + 4 files changed, 49 insertions(+), 17 deletions(-) + +--- a/block/blk-crypto-internal.h ++++ b/block/blk-crypto-internal.h +@@ -65,6 +65,11 @@ static inline bool blk_crypto_rq_is_encr + return rq->crypt_ctx; + } + ++static inline bool blk_crypto_rq_has_keyslot(struct request *rq) ++{ ++ return rq->crypt_keyslot; ++} ++ + blk_status_t blk_crypto_get_keyslot(struct blk_crypto_profile *profile, + const struct blk_crypto_key *key, + struct blk_crypto_keyslot **slot_ptr); +@@ -119,6 +124,11 @@ static inline bool blk_crypto_rq_is_encr + return false; + } + ++static inline bool blk_crypto_rq_has_keyslot(struct request *rq) ++{ ++ return false; ++} ++ + #endif /* CONFIG_BLK_INLINE_ENCRYPTION */ + + void __bio_crypt_advance(struct bio *bio, unsigned int bytes); +@@ -153,14 +163,21 @@ static inline bool blk_crypto_bio_prep(s + return true; + } + +-blk_status_t __blk_crypto_init_request(struct request *rq); +-static inline blk_status_t blk_crypto_init_request(struct request *rq) ++blk_status_t __blk_crypto_rq_get_keyslot(struct request *rq); ++static inline blk_status_t blk_crypto_rq_get_keyslot(struct request *rq) + { + if (blk_crypto_rq_is_encrypted(rq)) +- return __blk_crypto_init_request(rq); ++ return __blk_crypto_rq_get_keyslot(rq); + return BLK_STS_OK; + } + ++void __blk_crypto_rq_put_keyslot(struct request *rq); ++static inline void blk_crypto_rq_put_keyslot(struct request *rq) ++{ ++ if (blk_crypto_rq_has_keyslot(rq)) ++ __blk_crypto_rq_put_keyslot(rq); ++} ++ + void __blk_crypto_free_request(struct request *rq); + static inline void blk_crypto_free_request(struct request *rq) + { +@@ -199,7 +216,7 @@ static inline blk_status_t blk_crypto_in + { + + if (blk_crypto_rq_is_encrypted(rq)) +- return blk_crypto_init_request(rq); ++ return blk_crypto_rq_get_keyslot(rq); + return BLK_STS_OK; + } + +--- a/block/blk-crypto.c ++++ b/block/blk-crypto.c +@@ -224,27 +224,27 @@ static bool bio_crypt_check_alignment(st + return true; + } + +-blk_status_t __blk_crypto_init_request(struct request *rq) ++blk_status_t __blk_crypto_rq_get_keyslot(struct request *rq) + { + return blk_crypto_get_keyslot(rq->q->crypto_profile, + rq->crypt_ctx->bc_key, + &rq->crypt_keyslot); + } + +-/** +- * __blk_crypto_free_request - Uninitialize the crypto fields of a request. +- * +- * @rq: The request whose crypto fields to uninitialize. +- * +- * Completely uninitializes the crypto fields of a request. If a keyslot has +- * been programmed into some inline encryption hardware, that keyslot is +- * released. The rq->crypt_ctx is also freed. +- */ +-void __blk_crypto_free_request(struct request *rq) ++void __blk_crypto_rq_put_keyslot(struct request *rq) + { + blk_crypto_put_keyslot(rq->crypt_keyslot); ++ rq->crypt_keyslot = NULL; ++} ++ ++void __blk_crypto_free_request(struct request *rq) ++{ ++ /* The keyslot, if one was needed, should have been released earlier. */ ++ if (WARN_ON_ONCE(rq->crypt_keyslot)) ++ __blk_crypto_rq_put_keyslot(rq); ++ + mempool_free(rq->crypt_ctx, bio_crypt_ctx_pool); +- blk_crypto_rq_set_defaults(rq); ++ rq->crypt_ctx = NULL; + } + + /** +--- a/block/blk-merge.c ++++ b/block/blk-merge.c +@@ -867,6 +867,8 @@ static struct request *attempt_merge(str + if (!blk_discard_mergable(req)) + elv_merge_requests(q, req, next); + ++ blk_crypto_rq_put_keyslot(next); ++ + /* + * 'next' is going away, so update stats accordingly + */ +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -840,6 +840,12 @@ static void blk_complete_request(struct + req->q->integrity.profile->complete_fn(req, total_bytes); + #endif + ++ /* ++ * Upper layers may call blk_crypto_evict_key() anytime after the last ++ * bio_endio(). Therefore, the keyslot must be released before that. ++ */ ++ blk_crypto_rq_put_keyslot(req); ++ + blk_account_io_completion(req, total_bytes); + + do { +@@ -905,6 +911,13 @@ bool blk_update_request(struct request * + req->q->integrity.profile->complete_fn(req, nr_bytes); + #endif + ++ /* ++ * Upper layers may call blk_crypto_evict_key() anytime after the last ++ * bio_endio(). Therefore, the keyslot must be released before that. ++ */ ++ if (blk_crypto_rq_has_keyslot(req) && nr_bytes >= blk_rq_bytes(req)) ++ __blk_crypto_rq_put_keyslot(req); ++ + if (unlikely(error && !blk_rq_is_passthrough(req) && + !(req->rq_flags & RQF_QUIET)) && + !test_bit(GD_DEAD, &req->q->disk->state)) { +@@ -2965,7 +2978,7 @@ void blk_mq_submit_bio(struct bio *bio) + + blk_mq_bio_to_request(rq, bio, nr_segs); + +- ret = blk_crypto_init_request(rq); ++ ret = blk_crypto_rq_get_keyslot(rq); + if (ret != BLK_STS_OK) { + bio->bi_status = ret; + bio_endio(bio); diff --git a/queue-6.3/blk-stat-fix-queue_flag_stats-clear.patch b/queue-6.3/blk-stat-fix-queue_flag_stats-clear.patch new file mode 100644 index 00000000000..b348217e028 --- /dev/null +++ b/queue-6.3/blk-stat-fix-queue_flag_stats-clear.patch @@ -0,0 +1,73 @@ +From 20de765f6d9da0c47b756429c60b41063b990a10 Mon Sep 17 00:00:00 2001 +From: Chengming Zhou +Date: Thu, 13 Apr 2023 14:28:04 +0800 +Subject: blk-stat: fix QUEUE_FLAG_STATS clear + +From: Chengming Zhou + +commit 20de765f6d9da0c47b756429c60b41063b990a10 upstream. + +We need to set QUEUE_FLAG_STATS for two cases: +1. blk_stat_enable_accounting() +2. blk_stat_add_callback() + +So we should clear it only when ((q->stats->accounting == 0) && +list_empty(&q->stats->callbacks)). + +blk_stat_disable_accounting() only check if q->stats->accounting +is 0 before clear the flag, this patch fix it. + +Also add list_empty(&q->stats->callbacks)) check when enable, or +the flag is already set. + +The bug can be reproduced on kernel without BLK_DEV_THROTTLING +(since it unconditionally enable accounting, see the next patch). + + # cat /sys/block/sr0/queue/scheduler + none mq-deadline [bfq] + + # cat /sys/kernel/debug/block/sr0/state + SAME_COMP|IO_STAT|INIT_DONE|STATS|REGISTERED|NOWAIT|30 + + # echo none > /sys/block/sr0/queue/scheduler + + # cat /sys/kernel/debug/block/sr0/state + SAME_COMP|IO_STAT|INIT_DONE|REGISTERED|NOWAIT + + # cat /sys/block/sr0/queue/wbt_lat_usec + 75000 + +We can see that after changing elevator from "bfq" to "none", +"STATS" flag is lost even though WBT callback still need it. + +Fixes: 68497092bde9 ("block: make queue stat accounting a reference") +Cc: # v5.17+ +Signed-off-by: Chengming Zhou +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20230413062805.2081970-1-chengming.zhou@linux.dev +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-stat.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/block/blk-stat.c ++++ b/block/blk-stat.c +@@ -190,7 +190,7 @@ void blk_stat_disable_accounting(struct + unsigned long flags; + + spin_lock_irqsave(&q->stats->lock, flags); +- if (!--q->stats->accounting) ++ if (!--q->stats->accounting && list_empty(&q->stats->callbacks)) + blk_queue_flag_clear(QUEUE_FLAG_STATS, q); + spin_unlock_irqrestore(&q->stats->lock, flags); + } +@@ -201,7 +201,7 @@ void blk_stat_enable_accounting(struct r + unsigned long flags; + + spin_lock_irqsave(&q->stats->lock, flags); +- if (!q->stats->accounting++) ++ if (!q->stats->accounting++ && list_empty(&q->stats->callbacks)) + blk_queue_flag_set(QUEUE_FLAG_STATS, q); + spin_unlock_irqrestore(&q->stats->lock, flags); + } diff --git a/queue-6.3/bus-mhi-host-pci_generic-revert-add-a-secondary-at-port-to-telit-fn990.patch b/queue-6.3/bus-mhi-host-pci_generic-revert-add-a-secondary-at-port-to-telit-fn990.patch new file mode 100644 index 00000000000..f7b9de19d72 --- /dev/null +++ b/queue-6.3/bus-mhi-host-pci_generic-revert-add-a-secondary-at-port-to-telit-fn990.patch @@ -0,0 +1,47 @@ +From 14853a0676c126aad836eb249499552fa9d6e85a Mon Sep 17 00:00:00 2001 +From: Slark Xiao +Date: Fri, 10 Mar 2023 18:17:15 +0800 +Subject: bus: mhi: host: pci_generic: Revert "Add a secondary AT port to Telit FN990" + +From: Slark Xiao + +commit 14853a0676c126aad836eb249499552fa9d6e85a upstream. + +This reverts commit 2d5253a096c6057bbf7caa5520856dcdf7eca8bb. +There are 2 commits with commit message "Add a secondary AT port to Telit +FN990": + +commit 2d5253a096c6 ("bus: mhi: host: pci_generic: Add a secondary AT port +to Telit FN990") +commit 479aa3b0ec2e ("bus: mhi: host: pci_generic: Add a secondary AT port +to Telit FN990") + +This turned out to be due to the patch getting applied through different +trees and git settled on a resolution while applying it second time. But +the second AT port of Foxconn devices don't work in PCIe mode. So the +second commit needs to be reverted. + +Cc: stable@vger.kernel.org # 6.2 +Fixes: 2d5253a096c6 ("bus: mhi: host: pci_generic: Add a secondary AT port to Telit FN990") +Signed-off-by: Slark Xiao +Reviewed-by: Fabio Porcedda +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20230310101715.69209-1-slark_xiao@163.com +[mani: massaged the commit message a bit, added fixes tag and CCed stable] +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/mhi/host/pci_generic.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/bus/mhi/host/pci_generic.c ++++ b/drivers/bus/mhi/host/pci_generic.c +@@ -344,8 +344,6 @@ static const struct mhi_channel_config m + MHI_CHANNEL_CONFIG_DL(13, "MBIM", 32, 0), + MHI_CHANNEL_CONFIG_UL(32, "DUN", 32, 0), + MHI_CHANNEL_CONFIG_DL(33, "DUN", 32, 0), +- MHI_CHANNEL_CONFIG_UL(92, "DUN2", 32, 1), +- MHI_CHANNEL_CONFIG_DL(93, "DUN2", 32, 1), + MHI_CHANNEL_CONFIG_HW_UL(100, "IP_HW0_MBIM", 128, 2), + MHI_CHANNEL_CONFIG_HW_DL(101, "IP_HW0_MBIM", 128, 3), + }; diff --git a/queue-6.3/drm-vmwgfx-fix-legacy-display-unit-atomic-drm-support.patch b/queue-6.3/drm-vmwgfx-fix-legacy-display-unit-atomic-drm-support.patch new file mode 100644 index 00000000000..7c92586ea5b --- /dev/null +++ b/queue-6.3/drm-vmwgfx-fix-legacy-display-unit-atomic-drm-support.patch @@ -0,0 +1,208 @@ +From a37a512db3fa1b65fe9087003e5b2072cefb3667 Mon Sep 17 00:00:00 2001 +From: Martin Krastev +Date: Mon, 20 Mar 2023 22:09:49 -0400 +Subject: drm/vmwgfx: Fix Legacy Display Unit atomic drm support + +From: Martin Krastev + +commit a37a512db3fa1b65fe9087003e5b2072cefb3667 upstream. + +Legacy Display Unit (LDU) fb dirty support used a custom fb dirty callback. Latter +handled only the DIRTYFB IOCTL presentation path but not the ADDFB2/PAGE_FLIP/RMFB +IOCTL path, common for Wayland compositors. + +Get rid of the custom callback in favor of drm_atomic_helper_dirtyfb and unify the +handling of the presentation paths inside of vmw_ldu_primary_plane_atomic_update. +This also homogenizes the fb dirty callbacks across all DUs: LDU, SOU and STDU. + +Signed-off-by: Martin Krastev +Reviewed-by: Maaz Mombasawala +Fixes: 2f5544ff0300 ("drm/vmwgfx: Use atomic helper function for dirty fb IOCTL") +Cc: # v5.0+ +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20230321020949.335012-3-zack@kde.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 62 ------------------------------------ + drivers/gpu/drm/vmwgfx/vmwgfx_kms.h | 5 -- + drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c | 45 +++++++++++++++++++++----- + 3 files changed, 38 insertions(+), 74 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -1420,70 +1420,10 @@ static void vmw_framebuffer_bo_destroy(s + kfree(vfbd); + } + +-static int vmw_framebuffer_bo_dirty(struct drm_framebuffer *framebuffer, +- struct drm_file *file_priv, +- unsigned int flags, unsigned int color, +- struct drm_clip_rect *clips, +- unsigned int num_clips) +-{ +- struct vmw_private *dev_priv = vmw_priv(framebuffer->dev); +- struct vmw_framebuffer_bo *vfbd = +- vmw_framebuffer_to_vfbd(framebuffer); +- struct drm_clip_rect norect; +- int ret, increment = 1; +- +- drm_modeset_lock_all(&dev_priv->drm); +- +- if (!num_clips) { +- num_clips = 1; +- clips = &norect; +- norect.x1 = norect.y1 = 0; +- norect.x2 = framebuffer->width; +- norect.y2 = framebuffer->height; +- } else if (flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY) { +- num_clips /= 2; +- increment = 2; +- } +- +- switch (dev_priv->active_display_unit) { +- case vmw_du_legacy: +- ret = vmw_kms_ldu_do_bo_dirty(dev_priv, &vfbd->base, 0, 0, +- clips, num_clips, increment); +- break; +- default: +- ret = -EINVAL; +- WARN_ONCE(true, "Dirty called with invalid display system.\n"); +- break; +- } +- +- vmw_cmd_flush(dev_priv, false); +- +- drm_modeset_unlock_all(&dev_priv->drm); +- +- return ret; +-} +- +-static int vmw_framebuffer_bo_dirty_ext(struct drm_framebuffer *framebuffer, +- struct drm_file *file_priv, +- unsigned int flags, unsigned int color, +- struct drm_clip_rect *clips, +- unsigned int num_clips) +-{ +- struct vmw_private *dev_priv = vmw_priv(framebuffer->dev); +- +- if (dev_priv->active_display_unit == vmw_du_legacy && +- vmw_cmd_supported(dev_priv)) +- return vmw_framebuffer_bo_dirty(framebuffer, file_priv, flags, +- color, clips, num_clips); +- +- return drm_atomic_helper_dirtyfb(framebuffer, file_priv, flags, color, +- clips, num_clips); +-} +- + static const struct drm_framebuffer_funcs vmw_framebuffer_bo_funcs = { + .create_handle = vmw_framebuffer_bo_create_handle, + .destroy = vmw_framebuffer_bo_destroy, +- .dirty = vmw_framebuffer_bo_dirty_ext, ++ .dirty = drm_atomic_helper_dirtyfb, + }; + + /* +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h +@@ -512,11 +512,6 @@ void vmw_du_connector_destroy_state(stru + */ + int vmw_kms_ldu_init_display(struct vmw_private *dev_priv); + int vmw_kms_ldu_close_display(struct vmw_private *dev_priv); +-int vmw_kms_ldu_do_bo_dirty(struct vmw_private *dev_priv, +- struct vmw_framebuffer *framebuffer, +- unsigned int flags, unsigned int color, +- struct drm_clip_rect *clips, +- unsigned int num_clips, int increment); + int vmw_kms_update_proxy(struct vmw_resource *res, + const struct drm_clip_rect *clips, + unsigned num_clips, +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c +@@ -234,6 +234,7 @@ static const struct drm_crtc_funcs vmw_l + .atomic_duplicate_state = vmw_du_crtc_duplicate_state, + .atomic_destroy_state = vmw_du_crtc_destroy_state, + .set_config = drm_atomic_helper_set_config, ++ .page_flip = drm_atomic_helper_page_flip, + }; + + +@@ -273,6 +274,12 @@ static const struct + drm_connector_helper_funcs vmw_ldu_connector_helper_funcs = { + }; + ++static int vmw_kms_ldu_do_bo_dirty(struct vmw_private *dev_priv, ++ struct vmw_framebuffer *framebuffer, ++ unsigned int flags, unsigned int color, ++ struct drm_mode_rect *clips, ++ unsigned int num_clips); ++ + /* + * Legacy Display Plane Functions + */ +@@ -291,7 +298,6 @@ vmw_ldu_primary_plane_atomic_update(stru + struct drm_framebuffer *fb; + struct drm_crtc *crtc = new_state->crtc ?: old_state->crtc; + +- + ldu = vmw_crtc_to_ldu(crtc); + dev_priv = vmw_priv(plane->dev); + fb = new_state->fb; +@@ -304,8 +310,31 @@ vmw_ldu_primary_plane_atomic_update(stru + vmw_ldu_del_active(dev_priv, ldu); + + vmw_ldu_commit_list(dev_priv); +-} + ++ if (vfb && vmw_cmd_supported(dev_priv)) { ++ struct drm_mode_rect fb_rect = { ++ .x1 = 0, ++ .y1 = 0, ++ .x2 = vfb->base.width, ++ .y2 = vfb->base.height ++ }; ++ struct drm_mode_rect *damage_rects = drm_plane_get_damage_clips(new_state); ++ u32 rect_count = drm_plane_get_damage_clips_count(new_state); ++ int ret; ++ ++ if (!damage_rects) { ++ damage_rects = &fb_rect; ++ rect_count = 1; ++ } ++ ++ ret = vmw_kms_ldu_do_bo_dirty(dev_priv, vfb, 0, 0, damage_rects, rect_count); ++ ++ drm_WARN_ONCE(plane->dev, ret, ++ "vmw_kms_ldu_do_bo_dirty failed with: ret=%d\n", ret); ++ ++ vmw_cmd_flush(dev_priv, false); ++ } ++} + + static const struct drm_plane_funcs vmw_ldu_plane_funcs = { + .update_plane = drm_atomic_helper_update_plane, +@@ -536,11 +565,11 @@ int vmw_kms_ldu_close_display(struct vmw + } + + +-int vmw_kms_ldu_do_bo_dirty(struct vmw_private *dev_priv, +- struct vmw_framebuffer *framebuffer, +- unsigned int flags, unsigned int color, +- struct drm_clip_rect *clips, +- unsigned int num_clips, int increment) ++static int vmw_kms_ldu_do_bo_dirty(struct vmw_private *dev_priv, ++ struct vmw_framebuffer *framebuffer, ++ unsigned int flags, unsigned int color, ++ struct drm_mode_rect *clips, ++ unsigned int num_clips) + { + size_t fifo_size; + int i; +@@ -556,7 +585,7 @@ int vmw_kms_ldu_do_bo_dirty(struct vmw_p + return -ENOMEM; + + memset(cmd, 0, fifo_size); +- for (i = 0; i < num_clips; i++, clips += increment) { ++ for (i = 0; i < num_clips; i++, clips++) { + cmd[i].header = SVGA_CMD_UPDATE; + cmd[i].body.x = clips->x1; + cmd[i].body.y = clips->y1; diff --git a/queue-6.3/fs-fix-sysctls.c-built.patch b/queue-6.3/fs-fix-sysctls.c-built.patch new file mode 100644 index 00000000000..8b44b05a0c3 --- /dev/null +++ b/queue-6.3/fs-fix-sysctls.c-built.patch @@ -0,0 +1,56 @@ +From e3184de9d46c2eebdb776face2e2662c6733331d Mon Sep 17 00:00:00 2001 +From: Kefeng Wang +Date: Fri, 31 Mar 2023 16:45:02 +0800 +Subject: fs: fix sysctls.c built + +From: Kefeng Wang + +commit e3184de9d46c2eebdb776face2e2662c6733331d upstream. + +'obj-$(CONFIG_SYSCTL) += sysctls.o' must be moved after "obj-y :=", +or it won't be built as it is overwrited. + +Note that there is nothing that is going to break by linking +sysctl.o later, we were just being way to cautious and patches +have been updated to reflect these considerations and sent for +stable as well with the whole "base" stuff needing to be linked +prior to child sysctl tables that use that directory. All of +the kernel sysctl APIs always share the same directory, and races +against using it should end up re-using the same single created +directory. + +And so something we can do eventually is do away with all the base stuff. +For now it's fine, it's not creating an issue. It is just a bit pedantic +and careful. + +Fixes: ab171b952c6e ("fs: move namespace sysctls and declare fs base directory") +Cc: stable@vger.kernel.org # v5.17 +Cc: Christian Brauner +Cc: Kefeng Wang +Signed-off-by: Kefeng Wang +[mcgrof: enhanced commit log for stable criteria and clarify base stuff ] +Signed-off-by: Luis Chamberlain +Signed-off-by: Greg Kroah-Hartman +--- + fs/Makefile | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/Makefile ++++ b/fs/Makefile +@@ -6,7 +6,6 @@ + # Rewritten to use lists instead of if-statements. + # + +-obj-$(CONFIG_SYSCTL) += sysctls.o + + obj-y := open.o read_write.o file_table.o super.o \ + char_dev.o stat.o exec.o pipe.o namei.o fcntl.o \ +@@ -50,7 +49,7 @@ obj-$(CONFIG_FS_MBCACHE) += mbcache.o + obj-$(CONFIG_FS_POSIX_ACL) += posix_acl.o + obj-$(CONFIG_NFS_COMMON) += nfs_common/ + obj-$(CONFIG_COREDUMP) += coredump.o +-obj-$(CONFIG_SYSCTL) += drop_caches.o ++obj-$(CONFIG_SYSCTL) += drop_caches.o sysctls.o + + obj-$(CONFIG_FHANDLE) += fhandle.o + obj-y += iomap/ diff --git a/queue-6.3/hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch b/queue-6.3/hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch new file mode 100644 index 00000000000..baa8849d89f --- /dev/null +++ b/queue-6.3/hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch @@ -0,0 +1,44 @@ +From 2a8e41ad337508fc5d598c0f9288890214f8e318 Mon Sep 17 00:00:00 2001 +From: Chris Packham +Date: Wed, 19 Apr 2023 11:36:55 +1200 +Subject: hwmon: (adt7475) Use device_property APIs when configuring polarity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chris Packham + +commit 2a8e41ad337508fc5d598c0f9288890214f8e318 upstream. + +On DT unaware platforms of_property_read_u32_array() returns -ENOSYS +which wasn't handled by the code treating adi,pwm-active-state as +optional. Update the code to use device_property_read_u32_array() which +deals gracefully with DT unaware platforms. + +Fixes: 86da28eed4fb ("hwmon: (adt7475) Add support for inverting pwm output") +Reported-by: Mariusz Białończyk +Link: https://lore.kernel.org/linux-hwmon/52e26a67-9131-2dc0-40cb-db5c07370027@alliedtelesis.co.nz/T/#mdd0505801e0a4e72340de009a47c0fca4f771ed3 +Signed-off-by: Chris Packham +Link: https://lore.kernel.org/r/20230418233656.869055-2-chris.packham@alliedtelesis.co.nz +Cc: stable@vger.kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/adt7475.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/hwmon/adt7475.c ++++ b/drivers/hwmon/adt7475.c +@@ -1604,9 +1604,9 @@ static int adt7475_set_pwm_polarity(stru + int ret, i; + u8 val; + +- ret = of_property_read_u32_array(client->dev.of_node, +- "adi,pwm-active-state", states, +- ARRAY_SIZE(states)); ++ ret = device_property_read_u32_array(&client->dev, ++ "adi,pwm-active-state", states, ++ ARRAY_SIZE(states)); + if (ret) + return ret; + diff --git a/queue-6.3/hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch b/queue-6.3/hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch new file mode 100644 index 00000000000..13b059ee071 --- /dev/null +++ b/queue-6.3/hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch @@ -0,0 +1,76 @@ +From 0c072385348e3ac5229145644055d3e2afb5b3db Mon Sep 17 00:00:00 2001 +From: Babu Moger +Date: Thu, 13 Apr 2023 16:39:58 -0500 +Subject: hwmon: (k10temp) Check range scale when CUR_TEMP register is read-write +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Babu Moger + +commit 0c072385348e3ac5229145644055d3e2afb5b3db upstream. + +Spec says, when CUR_TEMP_TJ_SEL == 3 and CUR_TEMP_RANGE_SEL == 0, +it should use RangeUnadjusted is 0, which is (CurTmp*0.125 -49) C. The +CUR_TEMP register is read-write when CUR_TEMP_TJ_SEL == 3 (bit 17-16). + +Add the check to detect it. + +Sensors command's output before the patch. +$sensors + k10temp-pci-00c3 + Adapter: PCI adapter + Tctl: +76.6°C <- Wrong value + Tccd1: +26.5°C + Tccd2: +27.5°C + Tccd3: +27.2°C + Tccd4: +27.5°C + Tccd5: +26.0°C + Tccd6: +26.2°C + Tccd7: +25.0°C + Tccd8: +26.5°C + +Sensors command's output after the patch. +$sensors + k10temp-pci-00c3 + Adapter: PCI adapter + Tctl: +28.8°C <- corrected value + Tccd1: +27.5°C + Tccd2: +28.5°C + Tccd3: +28.5°C + Tccd4: +28.5°C + Tccd5: +27.0°C + Tccd6: +27.5°C + Tccd7: +27.0°C + Tccd8: +27.5°C + +Signed-off-by: Babu Moger +Fixes: 1b59788979ac ("hwmon: (k10temp) Add temperature offset for Ryzen 2700X") +Link: https://lore.kernel.org/r/20230413213958.847634-1-babu.moger@amd.com +Cc: stable@vger.kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/k10temp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/hwmon/k10temp.c ++++ b/drivers/hwmon/k10temp.c +@@ -75,6 +75,7 @@ static DEFINE_MUTEX(nb_smu_ind_mutex); + + #define ZEN_CUR_TEMP_SHIFT 21 + #define ZEN_CUR_TEMP_RANGE_SEL_MASK BIT(19) ++#define ZEN_CUR_TEMP_TJ_SEL_MASK GENMASK(17, 16) + + struct k10temp_data { + struct pci_dev *pdev; +@@ -155,7 +156,8 @@ static long get_raw_temp(struct k10temp_ + + data->read_tempreg(data->pdev, ®val); + temp = (regval >> ZEN_CUR_TEMP_SHIFT) * 125; +- if (regval & data->temp_adjust_mask) ++ if ((regval & data->temp_adjust_mask) || ++ (regval & ZEN_CUR_TEMP_TJ_SEL_MASK) == ZEN_CUR_TEMP_TJ_SEL_MASK) + temp -= 49000; + return temp; + } diff --git a/queue-6.3/iio-addac-stx104-fix-race-condition-for-stx104_write_raw.patch b/queue-6.3/iio-addac-stx104-fix-race-condition-for-stx104_write_raw.patch new file mode 100644 index 00000000000..a52e50728b0 --- /dev/null +++ b/queue-6.3/iio-addac-stx104-fix-race-condition-for-stx104_write_raw.patch @@ -0,0 +1,68 @@ +From 9740827468cea80c42db29e7171a50e99acf7328 Mon Sep 17 00:00:00 2001 +From: William Breathitt Gray +Date: Thu, 6 Apr 2023 10:40:10 -0400 +Subject: iio: addac: stx104: Fix race condition for stx104_write_raw() + +From: William Breathitt Gray + +commit 9740827468cea80c42db29e7171a50e99acf7328 upstream. + +The priv->chan_out_states array and actual DAC value can become +mismatched if stx104_write_raw() is called concurrently. Prevent such a +race condition by utilizing a mutex. + +Fixes: 97a445dad37a ("iio: Add IIO support for the DAC on the Apex Embedded Systems STX104") +Signed-off-by: William Breathitt Gray +Link: https://lore.kernel.org/r/c95c9a77fcef36b2a052282146950f23bbc1ebdc.1680790580.git.william.gray@linaro.org +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/addac/stx104.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/iio/addac/stx104.c ++++ b/drivers/iio/addac/stx104.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -69,10 +70,12 @@ struct stx104_reg { + + /** + * struct stx104_iio - IIO device private data structure ++ * @lock: synchronization lock to prevent I/O race conditions + * @chan_out_states: channels' output states + * @reg: I/O address offset for the device registers + */ + struct stx104_iio { ++ struct mutex lock; + unsigned int chan_out_states[STX104_NUM_OUT_CHAN]; + struct stx104_reg __iomem *reg; + }; +@@ -182,9 +185,12 @@ static int stx104_write_raw(struct iio_d + if ((unsigned int)val > 65535) + return -EINVAL; + ++ mutex_lock(&priv->lock); ++ + priv->chan_out_states[chan->channel] = val; + iowrite16(val, &priv->reg->dac[chan->channel]); + ++ mutex_unlock(&priv->lock); + return 0; + } + return -EINVAL; +@@ -355,6 +361,8 @@ static int stx104_probe(struct device *d + + indio_dev->name = dev_name(dev); + ++ mutex_init(&priv->lock); ++ + /* configure device for software trigger operation */ + iowrite8(0, &priv->reg->acr); + diff --git a/queue-6.3/iio-addac-stx104-fix-race-condition-when-converting-analog-to-digital.patch b/queue-6.3/iio-addac-stx104-fix-race-condition-when-converting-analog-to-digital.patch new file mode 100644 index 00000000000..72c045f1b2d --- /dev/null +++ b/queue-6.3/iio-addac-stx104-fix-race-condition-when-converting-analog-to-digital.patch @@ -0,0 +1,44 @@ +From 4f9b80aefb9e2f542a49d9ec087cf5919730e1dd Mon Sep 17 00:00:00 2001 +From: William Breathitt Gray +Date: Thu, 6 Apr 2023 10:40:11 -0400 +Subject: iio: addac: stx104: Fix race condition when converting analog-to-digital + +From: William Breathitt Gray + +commit 4f9b80aefb9e2f542a49d9ec087cf5919730e1dd upstream. + +The ADC conversion procedure requires several device I/O operations +performed in a particular sequence. If stx104_read_raw() is called +concurrently, the ADC conversion procedure could be clobbered. Prevent +such a race condition by utilizing a mutex. + +Fixes: 4075a283ae83 ("iio: stx104: Add IIO support for the ADC channels") +Signed-off-by: William Breathitt Gray +Link: https://lore.kernel.org/r/2ae5e40eed5006ca735e4c12181a9ff5ced65547.1680790580.git.william.gray@linaro.org +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/addac/stx104.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/iio/addac/stx104.c ++++ b/drivers/iio/addac/stx104.c +@@ -114,6 +114,8 @@ static int stx104_read_raw(struct iio_de + return IIO_VAL_INT; + } + ++ mutex_lock(&priv->lock); ++ + /* select ADC channel */ + iowrite8(chan->channel | (chan->channel << 4), ®->achan); + +@@ -124,6 +126,8 @@ static int stx104_read_raw(struct iio_de + while (ioread8(®->cir_asr) & BIT(7)); + + *val = ioread16(®->ssr_ad); ++ ++ mutex_unlock(&priv->lock); + return IIO_VAL_INT; + case IIO_CHAN_INFO_OFFSET: + /* get ADC bipolar/unipolar configuration */ diff --git a/queue-6.3/ima-allow-fix-uml-builds.patch b/queue-6.3/ima-allow-fix-uml-builds.patch new file mode 100644 index 00000000000..b2c8eaffec5 --- /dev/null +++ b/queue-6.3/ima-allow-fix-uml-builds.patch @@ -0,0 +1,51 @@ +From 644f17412f5acf01a19af9d04a921937a2bc86c6 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Thu, 23 Feb 2023 19:27:03 -0800 +Subject: IMA: allow/fix UML builds + +From: Randy Dunlap + +commit 644f17412f5acf01a19af9d04a921937a2bc86c6 upstream. + +UML supports HAS_IOMEM since 0bbadafdc49d (um: allow disabling +NO_IOMEM). + +Current IMA build on UML fails on allmodconfig (with TCG_TPM=m): + +ld: security/integrity/ima/ima_queue.o: in function `ima_add_template_entry': +ima_queue.c:(.text+0x2d9): undefined reference to `tpm_pcr_extend' +ld: security/integrity/ima/ima_init.o: in function `ima_init': +ima_init.c:(.init.text+0x43f): undefined reference to `tpm_default_chip' +ld: security/integrity/ima/ima_crypto.o: in function `ima_calc_boot_aggregate_tfm': +ima_crypto.c:(.text+0x1044): undefined reference to `tpm_pcr_read' +ld: ima_crypto.c:(.text+0x10d8): undefined reference to `tpm_pcr_read' + +Modify the IMA Kconfig entry so that it selects TCG_TPM if HAS_IOMEM +is set, regardless of the UML Kconfig setting. +This updates TCG_TPM from =m to =y and fixes the linker errors. + +Fixes: f4a0391dfa91 ("ima: fix Kconfig dependencies") +Cc: Stable # v5.14+ +Signed-off-by: Randy Dunlap +Cc: Fabio Estevam +Cc: Richard Weinberger +Cc: Anton Ivanov +Cc: Johannes Berg +Cc: linux-um@lists.infradead.org +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/integrity/ima/Kconfig ++++ b/security/integrity/ima/Kconfig +@@ -8,7 +8,7 @@ config IMA + select CRYPTO_HMAC + select CRYPTO_SHA1 + select CRYPTO_HASH_INFO +- select TCG_TPM if HAS_IOMEM && !UML ++ select TCG_TPM if HAS_IOMEM + select TCG_TIS if TCG_TPM && X86 + select TCG_CRB if TCG_TPM && ACPI + select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES diff --git a/queue-6.3/ipmi-fix-ssif-not-responding-under-certain-cond.patch b/queue-6.3/ipmi-fix-ssif-not-responding-under-certain-cond.patch new file mode 100644 index 00000000000..8afb4c8810a --- /dev/null +++ b/queue-6.3/ipmi-fix-ssif-not-responding-under-certain-cond.patch @@ -0,0 +1,73 @@ +From 6d2555cde2918409b0331560e66f84a0ad4849c6 Mon Sep 17 00:00:00 2001 +From: Zhang Yuchen +Date: Wed, 12 Apr 2023 15:49:07 +0800 +Subject: ipmi: fix SSIF not responding under certain cond. + +From: Zhang Yuchen + +commit 6d2555cde2918409b0331560e66f84a0ad4849c6 upstream. + +The ipmi communication is not restored after a specific version of BMC is +upgraded on our server. +The ipmi driver does not respond after printing the following log: + + ipmi_ssif: Invalid response getting flags: 1c 1 + +I found that after entering this branch, ssif_info->ssif_state always +holds SSIF_GETTING_FLAGS and never return to IDLE. + +As a result, the driver cannot be loaded, because the driver status is +checked during the unload process and must be IDLE in shutdown_ssif(): + + while (ssif_info->ssif_state != SSIF_IDLE) + schedule_timeout(1); + +The process trigger this problem is: + +1. One msg timeout and next msg start send, and call +ssif_set_need_watch(). + +2. ssif_set_need_watch()->watch_timeout()->start_flag_fetch() change +ssif_state to SSIF_GETTING_FLAGS. + +3. In msg_done_handler() ssif_state == SSIF_GETTING_FLAGS, if an error +message is received, the second branch does not modify the ssif_state. + +4. All retry action need IS_SSIF_IDLE() == True. Include retry action in +watch_timeout(), msg_done_handler(). Sending msg does not work either. +SSIF_IDLE is also checked in start_next_msg(). + +5. The only thing that can be triggered in the SSIF driver is +watch_timeout(), after destory_user(), this timer will stop too. + +So, if enter this branch, the ssif_state will remain SSIF_GETTING_FLAGS +and can't send msg, no timer started, can't unload. + +We did a comparative test before and after adding this patch, and the +result is effective. + +Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF)") + +Cc: stable@vger.kernel.org +Signed-off-by: Zhang Yuchen +Message-Id: <20230412074907.80046-1-zhangyuchen.lcr@bytedance.com> +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_ssif.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -786,9 +786,9 @@ static void msg_done_handler(struct ssif + } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2 + || data[1] != IPMI_GET_MSG_FLAGS_CMD) { + /* +- * Don't abort here, maybe it was a queued +- * response to a previous command. ++ * Recv error response, give up. + */ ++ ssif_info->ssif_state = SSIF_IDLE; + ipmi_ssif_unlock_cond(ssif_info, flags); + dev_warn(&ssif_info->client->dev, + "Invalid response getting flags: %x %x\n", diff --git a/queue-6.3/ipmi-ssif-add-send_retries-increment.patch b/queue-6.3/ipmi-ssif-add-send_retries-increment.patch new file mode 100644 index 00000000000..0def4ca9d75 --- /dev/null +++ b/queue-6.3/ipmi-ssif-add-send_retries-increment.patch @@ -0,0 +1,34 @@ +From 6ce7995a43febe693d4894033c6e29314970646a Mon Sep 17 00:00:00 2001 +From: Corey Minyard +Date: Tue, 4 Apr 2023 12:09:14 +0000 +Subject: ipmi:ssif: Add send_retries increment + +From: Corey Minyard + +commit 6ce7995a43febe693d4894033c6e29314970646a upstream. + +A recent change removed an increment of send_retries, re-add it. + +Fixes: 95767ed78a18 ipmi:ssif: resend_msg() cannot fail +Reported-by: Pavel Machek +Cc: stable@vger.kernel.org +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_ssif.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -557,8 +557,10 @@ static void retry_timeout(struct timer_l + + if (waiting) + start_get(ssif_info); +- if (resend) ++ if (resend) { + start_resend(ssif_info); ++ ssif_inc_stat(ssif_info, send_retries); ++ } + } + + static void watch_timeout(struct timer_list *t) diff --git a/queue-6.3/kheaders-use-array-declaration-instead-of-char.patch b/queue-6.3/kheaders-use-array-declaration-instead-of-char.patch new file mode 100644 index 00000000000..0db69d95c2a --- /dev/null +++ b/queue-6.3/kheaders-use-array-declaration-instead-of-char.patch @@ -0,0 +1,75 @@ +From b69edab47f1da8edd8e7bfdf8c70f51a2a5d89fb Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Thu, 2 Mar 2023 14:49:50 -0800 +Subject: kheaders: Use array declaration instead of char + +From: Kees Cook + +commit b69edab47f1da8edd8e7bfdf8c70f51a2a5d89fb upstream. + +Under CONFIG_FORTIFY_SOURCE, memcpy() will check the size of destination +and source buffers. Defining kernel_headers_data as "char" would trip +this check. Since these addresses are treated as byte arrays, define +them as arrays (as done everywhere else). + +This was seen with: + + $ cat /sys/kernel/kheaders.tar.xz >> /dev/null + + detected buffer overflow in memcpy + kernel BUG at lib/string_helpers.c:1027! + ... + RIP: 0010:fortify_panic+0xf/0x20 + [...] + Call Trace: + + ikheaders_read+0x45/0x50 [kheaders] + kernfs_fop_read_iter+0x1a4/0x2f0 + ... + +Reported-by: Jakub Kicinski +Link: https://lore.kernel.org/bpf/20230302112130.6e402a98@kernel.org/ +Acked-by: Joel Fernandes (Google) +Reviewed-by: Alexander Lobakin +Tested-by: Jakub Kicinski +Fixes: 43d8ce9d65a5 ("Provide in-kernel headers to make extending kernel easier") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20230302224946.never.243-kees@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kheaders.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/kernel/kheaders.c ++++ b/kernel/kheaders.c +@@ -26,15 +26,15 @@ asm ( + " .popsection \n" + ); + +-extern char kernel_headers_data; +-extern char kernel_headers_data_end; ++extern char kernel_headers_data[]; ++extern char kernel_headers_data_end[]; + + static ssize_t + ikheaders_read(struct file *file, struct kobject *kobj, + struct bin_attribute *bin_attr, + char *buf, loff_t off, size_t len) + { +- memcpy(buf, &kernel_headers_data + off, len); ++ memcpy(buf, &kernel_headers_data[off], len); + return len; + } + +@@ -48,8 +48,8 @@ static struct bin_attribute kheaders_att + + static int __init ikheaders_init(void) + { +- kheaders_attr.size = (&kernel_headers_data_end - +- &kernel_headers_data); ++ kheaders_attr.size = (kernel_headers_data_end - ++ kernel_headers_data); + return sysfs_create_bin_file(kernel_kobj, &kheaders_attr); + } + diff --git a/queue-6.3/media-ov8856-do-not-check-for-for-module-version.patch b/queue-6.3/media-ov8856-do-not-check-for-for-module-version.patch new file mode 100644 index 00000000000..e4f75f5403f --- /dev/null +++ b/queue-6.3/media-ov8856-do-not-check-for-for-module-version.patch @@ -0,0 +1,78 @@ +From 5a4e1b5aed2a36a10d6a3b30fafb6b3bf41c3186 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Thu, 23 Mar 2023 23:44:20 +0100 +Subject: media: ov8856: Do not check for for module version + +From: Ricardo Ribalda + +commit 5a4e1b5aed2a36a10d6a3b30fafb6b3bf41c3186 upstream. + +It the device is probed in non-zero ACPI D state, the module +identification is delayed until the first streamon. + +The module identification has two parts: deviceID and version. To rea +the version we have to enable OTP read. This cannot be done during +streamon, becase it modifies REG_MODE_SELECT. + +Since the driver has the same behaviour for all the module versions, do +not read the module version from the sensor's OTP. + +Cc: stable@vger.kernel.org +Fixes: 0e014f1a8d54 ("media: ov8856: support device probe in non-zero ACPI D state") +Signed-off-by: Ricardo Ribalda +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov8856.c | 40 ---------------------------------------- + 1 file changed, 40 deletions(-) + +--- a/drivers/media/i2c/ov8856.c ++++ b/drivers/media/i2c/ov8856.c +@@ -1709,46 +1709,6 @@ static int ov8856_identify_module(struct + return -ENXIO; + } + +- ret = ov8856_write_reg(ov8856, OV8856_REG_MODE_SELECT, +- OV8856_REG_VALUE_08BIT, OV8856_MODE_STREAMING); +- if (ret) +- return ret; +- +- ret = ov8856_write_reg(ov8856, OV8856_OTP_MODE_CTRL, +- OV8856_REG_VALUE_08BIT, OV8856_OTP_MODE_AUTO); +- if (ret) { +- dev_err(&client->dev, "failed to set otp mode"); +- return ret; +- } +- +- ret = ov8856_write_reg(ov8856, OV8856_OTP_LOAD_CTRL, +- OV8856_REG_VALUE_08BIT, +- OV8856_OTP_LOAD_CTRL_ENABLE); +- if (ret) { +- dev_err(&client->dev, "failed to enable load control"); +- return ret; +- } +- +- ret = ov8856_read_reg(ov8856, OV8856_MODULE_REVISION, +- OV8856_REG_VALUE_08BIT, &val); +- if (ret) { +- dev_err(&client->dev, "failed to read module revision"); +- return ret; +- } +- +- dev_info(&client->dev, "OV8856 revision %x (%s) at address 0x%02x\n", +- val, +- val == OV8856_2A_MODULE ? "2A" : +- val == OV8856_1B_MODULE ? "1B" : "unknown revision", +- client->addr); +- +- ret = ov8856_write_reg(ov8856, OV8856_REG_MODE_SELECT, +- OV8856_REG_VALUE_08BIT, OV8856_MODE_STANDBY); +- if (ret) { +- dev_err(&client->dev, "failed to exit streaming mode"); +- return ret; +- } +- + ov8856->identified = true; + + return 0; diff --git a/queue-6.3/mips-fw-allow-firmware-to-pass-a-empty-env.patch b/queue-6.3/mips-fw-allow-firmware-to-pass-a-empty-env.patch new file mode 100644 index 00000000000..051ff595482 --- /dev/null +++ b/queue-6.3/mips-fw-allow-firmware-to-pass-a-empty-env.patch @@ -0,0 +1,35 @@ +From ee1809ed7bc456a72dc8410b475b73021a3a68d5 Mon Sep 17 00:00:00 2001 +From: Jiaxun Yang +Date: Tue, 11 Apr 2023 12:14:26 +0100 +Subject: MIPS: fw: Allow firmware to pass a empty env + +From: Jiaxun Yang + +commit ee1809ed7bc456a72dc8410b475b73021a3a68d5 upstream. + +fw_getenv will use env entry to determine style of env, +however it is legal for firmware to just pass a empty list. + +Check if first entry exist before running strchr to avoid +null pointer dereference. + +Cc: stable@vger.kernel.org +Link: https://github.com/clbr/n64bootloader/issues/5 +Signed-off-by: Jiaxun Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/fw/lib/cmdline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/fw/lib/cmdline.c ++++ b/arch/mips/fw/lib/cmdline.c +@@ -53,7 +53,7 @@ char *fw_getenv(char *envname) + { + char *result = NULL; + +- if (_fw_envp != NULL) { ++ if (_fw_envp != NULL && fw_envp(0) != NULL) { + /* + * Return a pointer to the given environment variable. + * YAMON uses "name", "value" pairs, while U-Boot uses diff --git a/queue-6.3/pci-kirin-select-regmap_mmio.patch b/queue-6.3/pci-kirin-select-regmap_mmio.patch new file mode 100644 index 00000000000..cdbb8f600c0 --- /dev/null +++ b/queue-6.3/pci-kirin-select-regmap_mmio.patch @@ -0,0 +1,34 @@ +From 3a2776e8a0e156a61f5b59ae341d8fffc730b962 Mon Sep 17 00:00:00 2001 +From: Josh Triplett +Date: Sun, 13 Nov 2022 23:23:26 -0800 +Subject: PCI: kirin: Select REGMAP_MMIO + +From: Josh Triplett + +commit 3a2776e8a0e156a61f5b59ae341d8fffc730b962 upstream. + +pcie-kirin uses regmaps, and needs to pull them in; otherwise, with +CONFIG_PCIE_KIRIN=y and without CONFIG_REGMAP_MMIO pcie-kirin produces +a linker failure looking for __devm_regmap_init_mmio_clk(). + +Fixes: d19afe7be126 ("PCI: kirin: Use regmap for APB registers") +Link: https://lore.kernel.org/r/04636141da1d6d592174eefb56760511468d035d.1668410580.git.josh@joshtriplett.org +Signed-off-by: Josh Triplett +[lpieralisi@kernel.org: commit log and removed REGMAP select] +Signed-off-by: Lorenzo Pieralisi +Cc: stable@vger.kernel.org # 5.16+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pci/controller/dwc/Kconfig ++++ b/drivers/pci/controller/dwc/Kconfig +@@ -307,6 +307,7 @@ config PCIE_KIRIN + tristate "HiSilicon Kirin series SoCs PCIe controllers" + depends on PCI_MSI + select PCIE_DW_HOST ++ select REGMAP_MMIO + help + Say Y here if you want PCIe controller support + on HiSilicon Kirin series SoCs. diff --git a/queue-6.3/pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch b/queue-6.3/pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch new file mode 100644 index 00000000000..38ef98435ef --- /dev/null +++ b/queue-6.3/pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch @@ -0,0 +1,178 @@ +From f5eff5591b8f9c5effd25c92c758a127765f74c1 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Tue, 11 Apr 2023 08:21:02 +0200 +Subject: PCI: pciehp: Fix AB-BA deadlock between reset_lock and device_lock + +From: Lukas Wunner + +commit f5eff5591b8f9c5effd25c92c758a127765f74c1 upstream. + +In 2013, commits + + 2e35afaefe64 ("PCI: pciehp: Add reset_slot() method") + 608c388122c7 ("PCI: Add slot reset option to pci_dev_reset()") + +amended PCIe hotplug to mask Presence Detect Changed events during a +Secondary Bus Reset. The reset thus no longer causes gratuitous slot +bringdown and bringup. + +However the commits neglected to serialize reset with code paths reading +slot registers. For instance, a slot bringup due to an earlier hotplug +event may see the Presence Detect State bit cleared during a concurrent +Secondary Bus Reset. + +In 2018, commit + + 5b3f7b7d062b ("PCI: pciehp: Avoid slot access during reset") + +retrofitted the missing locking. It introduced a reset_lock which +serializes a Secondary Bus Reset with other parts of pciehp. + +Unfortunately the locking turns out to be overzealous: reset_lock is +held for the entire enumeration and de-enumeration of hotplugged devices, +including driver binding and unbinding. + +Driver binding and unbinding acquires device_lock while the reset_lock +of the ancestral hotplug port is held. A concurrent Secondary Bus Reset +acquires the ancestral reset_lock while already holding the device_lock. +The asymmetric locking order in the two code paths can lead to AB-BA +deadlocks. + +Michael Haeuptle reports such deadlocks on simultaneous hot-removal and +vfio release (the latter implies a Secondary Bus Reset): + + pciehp_ist() # down_read(reset_lock) + pciehp_handle_presence_or_link_change() + pciehp_disable_slot() + __pciehp_disable_slot() + remove_board() + pciehp_unconfigure_device() + pci_stop_and_remove_bus_device() + pci_stop_bus_device() + pci_stop_dev() + device_release_driver() + device_release_driver_internal() + __device_driver_lock() # device_lock() + + SYS_munmap() + vfio_device_fops_release() + vfio_device_group_close() + vfio_device_close() + vfio_device_last_close() + vfio_pci_core_close_device() + vfio_pci_core_disable() # device_lock() + __pci_reset_function_locked() + pci_reset_bus_function() + pci_dev_reset_slot_function() + pci_reset_hotplug_slot() + pciehp_reset_slot() # down_write(reset_lock) + +Ian May reports the same deadlock on simultaneous hot-removal and an +AER-induced Secondary Bus Reset: + + aer_recover_work_func() + pcie_do_recovery() + aer_root_reset() + pci_bus_error_reset() + pci_slot_reset() + pci_slot_lock() # device_lock() + pci_reset_hotplug_slot() + pciehp_reset_slot() # down_write(reset_lock) + +Fix by releasing the reset_lock during driver binding and unbinding, +thereby splitting and shrinking the critical section. + +Driver binding and unbinding is protected by the device_lock() and thus +serialized with a Secondary Bus Reset. There's no need to additionally +protect it with the reset_lock. However, pciehp does not bind and +unbind devices directly, but rather invokes PCI core functions which +also perform certain enumeration and de-enumeration steps. + +The reset_lock's purpose is to protect slot registers, not enumeration +and de-enumeration of hotplugged devices. That would arguably be the +job of the PCI core, not the PCIe hotplug driver. After all, an +AER-induced Secondary Bus Reset may as well happen during boot-time +enumeration of the PCI hierarchy and there's no locking to prevent that +either. + +Exempting *de-enumeration* from the reset_lock is relatively harmless: +A concurrent Secondary Bus Reset may foil config space accesses such as +PME interrupt disablement. But if the device is physically gone, those +accesses are pointless anyway. If the device is physically present and +only logically removed through an Attention Button press or the sysfs +"power" attribute, PME interrupts as well as DMA cannot come through +because pciehp_unconfigure_device() disables INTx and Bus Master bits. +That's still protected by the reset_lock in the present commit. + +Exempting *enumeration* from the reset_lock also has limited impact: +The exempted call to pci_bus_add_device() may perform device accesses +through pcibios_bus_add_device() and pci_fixup_device() which are now +no longer protected from a concurrent Secondary Bus Reset. Otherwise +there should be no impact. + +In essence, the present commit seeks to fix the AB-BA deadlocks while +still retaining a best-effort reset protection for enumeration and +de-enumeration of hotplugged devices -- until a general solution is +implemented in the PCI core. + +Link: https://lore.kernel.org/linux-pci/CS1PR8401MB0728FC6FDAB8A35C22BD90EC95F10@CS1PR8401MB0728.NAMPRD84.PROD.OUTLOOK.COM +Link: https://lore.kernel.org/linux-pci/20200615143250.438252-1-ian.may@canonical.com +Link: https://lore.kernel.org/linux-pci/ce878dab-c0c4-5bd0-a725-9805a075682d@amd.com +Link: https://lore.kernel.org/linux-pci/ed831249-384a-6d35-0831-70af191e9bce@huawei.com +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215590 +Fixes: 5b3f7b7d062b ("PCI: pciehp: Avoid slot access during reset") +Link: https://lore.kernel.org/r/fef2b2e9edf245c049a8c5b94743c0f74ff5008a.1681191902.git.lukas@wunner.de +Reported-by: Michael Haeuptle +Reported-by: Ian May +Reported-by: Andrey Grodzovsky +Reported-by: Rahul Kumar +Reported-by: Jialin Zhang +Tested-by: Anatoli Antonovitch +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org # v4.19+ +Cc: Dan Stein +Cc: Ashok Raj +Cc: Alex Michon +Cc: Xiongfeng Wang +Cc: Alex Williamson +Cc: Mika Westerberg +Cc: Sathyanarayanan Kuppuswamy +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/hotplug/pciehp_pci.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/pci/hotplug/pciehp_pci.c ++++ b/drivers/pci/hotplug/pciehp_pci.c +@@ -63,7 +63,14 @@ int pciehp_configure_device(struct contr + + pci_assign_unassigned_bridge_resources(bridge); + pcie_bus_configure_settings(parent); ++ ++ /* ++ * Release reset_lock during driver binding ++ * to avoid AB-BA deadlock with device_lock. ++ */ ++ up_read(&ctrl->reset_lock); + pci_bus_add_devices(parent); ++ down_read_nested(&ctrl->reset_lock, ctrl->depth); + + out: + pci_unlock_rescan_remove(); +@@ -104,7 +111,15 @@ void pciehp_unconfigure_device(struct co + list_for_each_entry_safe_reverse(dev, temp, &parent->devices, + bus_list) { + pci_dev_get(dev); ++ ++ /* ++ * Release reset_lock during driver unbinding ++ * to avoid AB-BA deadlock with device_lock. ++ */ ++ up_read(&ctrl->reset_lock); + pci_stop_and_remove_bus_device(dev); ++ down_read_nested(&ctrl->reset_lock, ctrl->depth); ++ + /* + * Ensure that no new Requests will be generated from + * the device. diff --git a/queue-6.3/pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch b/queue-6.3/pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch new file mode 100644 index 00000000000..e09dca3e75a --- /dev/null +++ b/queue-6.3/pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch @@ -0,0 +1,44 @@ +From 2542e16c392508800f1d9037feee881a9c444951 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Thu, 16 Mar 2023 13:40:59 +0530 +Subject: PCI: qcom: Fix the incorrect register usage in v2.7.0 config + +From: Manivannan Sadhasivam + +commit 2542e16c392508800f1d9037feee881a9c444951 upstream. + +Qcom PCIe IP version v2.7.0 and its derivatives don't contain the +PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT register. Instead, they have the new +PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT_V2 register. So fix the incorrect +register usage which is modifying a different register. + +Also in this IP version, this register change doesn't depend on MSI +being enabled. So remove that check also. + +Link: https://lore.kernel.org/r/20230316081117.14288-2-manivannan.sadhasivam@linaro.org +Fixes: ed8cc3b1fc84 ("PCI: qcom: Add support for SDM845 PCIe controller") +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Lorenzo Pieralisi +Cc: # 5.6+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pcie-qcom.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/pci/controller/dwc/pcie-qcom.c ++++ b/drivers/pci/controller/dwc/pcie-qcom.c +@@ -1279,11 +1279,9 @@ static int qcom_pcie_init_2_7_0(struct q + val &= ~REQ_NOT_ENTR_L1; + writel(val, pcie->parf + PCIE20_PARF_PM_CTRL); + +- if (IS_ENABLED(CONFIG_PCI_MSI)) { +- val = readl(pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT); +- val |= BIT(31); +- writel(val, pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT); +- } ++ val = readl(pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT_V2); ++ val |= BIT(31); ++ writel(val, pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT_V2); + + return 0; + err_disable_clocks: diff --git a/queue-6.3/phy-qcom-qmp-pcie-sc8180x-pcie-phy-has-2-lanes.patch b/queue-6.3/phy-qcom-qmp-pcie-sc8180x-pcie-phy-has-2-lanes.patch new file mode 100644 index 00000000000..a53a758c997 --- /dev/null +++ b/queue-6.3/phy-qcom-qmp-pcie-sc8180x-pcie-phy-has-2-lanes.patch @@ -0,0 +1,33 @@ +From 1db6b0a4246ce708b89f5136571130b9987741d1 Mon Sep 17 00:00:00 2001 +From: Dmitry Baryshkov +Date: Fri, 31 Mar 2023 18:12:49 +0300 +Subject: phy: qcom-qmp-pcie: sc8180x PCIe PHY has 2 lanes + +From: Dmitry Baryshkov + +commit 1db6b0a4246ce708b89f5136571130b9987741d1 upstream. + +All PCIe PHYs on sc8180x platform have 2 lanes, so change the number of +lanes to 2. + +Fixes: f839f14e24f2 ("phy: qcom-qmp: Add sc8180x PCIe support") +Cc: stable@vger.kernel.org # 5.15 +Sgned-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20230331151250.4049-1-dmitry.baryshkov@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c +@@ -2152,7 +2152,7 @@ static const struct qmp_phy_cfg msm8998_ + }; + + static const struct qmp_phy_cfg sc8180x_pciephy_cfg = { +- .lanes = 1, ++ .lanes = 2, + + .tbls = { + .serdes = sc8180x_qmp_pcie_serdes_tbl, diff --git a/queue-6.3/posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch b/queue-6.3/posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch new file mode 100644 index 00000000000..cf07b463b61 --- /dev/null +++ b/queue-6.3/posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch @@ -0,0 +1,268 @@ +From f7abf14f0001a5a47539d9f60bbdca649e43536b Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Mon, 17 Apr 2023 15:37:55 +0200 +Subject: posix-cpu-timers: Implement the missing timer_wait_running callback + +From: Thomas Gleixner + +commit f7abf14f0001a5a47539d9f60bbdca649e43536b upstream. + +For some unknown reason the introduction of the timer_wait_running callback +missed to fixup posix CPU timers, which went unnoticed for almost four years. +Marco reported recently that the WARN_ON() in timer_wait_running() +triggers with a posix CPU timer test case. + +Posix CPU timers have two execution models for expiring timers depending on +CONFIG_POSIX_CPU_TIMERS_TASK_WORK: + +1) If not enabled, the expiry happens in hard interrupt context so + spin waiting on the remote CPU is reasonably time bound. + + Implement an empty stub function for that case. + +2) If enabled, the expiry happens in task work before returning to user + space or guest mode. The expired timers are marked as firing and moved + from the timer queue to a local list head with sighand lock held. Once + the timers are moved, sighand lock is dropped and the expiry happens in + fully preemptible context. That means the expiring task can be scheduled + out, migrated, interrupted etc. So spin waiting on it is more than + suboptimal. + + The timer wheel has a timer_wait_running() mechanism for RT, which uses + a per CPU timer-base expiry lock which is held by the expiry code and the + task waiting for the timer function to complete blocks on that lock. + + This does not work in the same way for posix CPU timers as there is no + timer base and expiry for process wide timers can run on any task + belonging to that process, but the concept of waiting on an expiry lock + can be used too in a slightly different way: + + - Add a mutex to struct posix_cputimers_work. This struct is per task + and used to schedule the expiry task work from the timer interrupt. + + - Add a task_struct pointer to struct cpu_timer which is used to store + a the task which runs the expiry. That's filled in when the task + moves the expired timers to the local expiry list. That's not + affecting the size of the k_itimer union as there are bigger union + members already + + - Let the task take the expiry mutex around the expiry function + + - Let the waiter acquire a task reference with rcu_read_lock() held and + block on the expiry mutex + + This avoids spin-waiting on a task which might not even be on a CPU and + works nicely for RT too. + +Fixes: ec8f954a40da ("posix-timers: Use a callback for cancel synchronization on PREEMPT_RT") +Reported-by: Marco Elver +Signed-off-by: Thomas Gleixner +Tested-by: Marco Elver +Tested-by: Sebastian Andrzej Siewior +Reviewed-by: Frederic Weisbecker +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/87zg764ojw.ffs@tglx +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/posix-timers.h | 17 +++++--- + kernel/time/posix-cpu-timers.c | 81 +++++++++++++++++++++++++++++++++-------- + kernel/time/posix-timers.c | 4 ++ + 3 files changed, 82 insertions(+), 20 deletions(-) + +--- a/include/linux/posix-timers.h ++++ b/include/linux/posix-timers.h +@@ -4,6 +4,7 @@ + + #include + #include ++#include + #include + #include + +@@ -62,16 +63,18 @@ static inline int clockid_to_fd(const cl + * cpu_timer - Posix CPU timer representation for k_itimer + * @node: timerqueue node to queue in the task/sig + * @head: timerqueue head on which this timer is queued +- * @task: Pointer to target task ++ * @pid: Pointer to target task PID + * @elist: List head for the expiry list + * @firing: Timer is currently firing ++ * @handling: Pointer to the task which handles expiry + */ + struct cpu_timer { +- struct timerqueue_node node; +- struct timerqueue_head *head; +- struct pid *pid; +- struct list_head elist; +- int firing; ++ struct timerqueue_node node; ++ struct timerqueue_head *head; ++ struct pid *pid; ++ struct list_head elist; ++ int firing; ++ struct task_struct __rcu *handling; + }; + + static inline bool cpu_timer_enqueue(struct timerqueue_head *head, +@@ -135,10 +138,12 @@ struct posix_cputimers { + /** + * posix_cputimers_work - Container for task work based posix CPU timer expiry + * @work: The task work to be scheduled ++ * @mutex: Mutex held around expiry in context of this task work + * @scheduled: @work has been scheduled already, no further processing + */ + struct posix_cputimers_work { + struct callback_head work; ++ struct mutex mutex; + unsigned int scheduled; + }; + +--- a/kernel/time/posix-cpu-timers.c ++++ b/kernel/time/posix-cpu-timers.c +@@ -846,6 +846,8 @@ static u64 collect_timerqueue(struct tim + return expires; + + ctmr->firing = 1; ++ /* See posix_cpu_timer_wait_running() */ ++ rcu_assign_pointer(ctmr->handling, current); + cpu_timer_dequeue(ctmr); + list_add_tail(&ctmr->elist, firing); + } +@@ -1161,7 +1163,49 @@ static void handle_posix_cpu_timers(stru + #ifdef CONFIG_POSIX_CPU_TIMERS_TASK_WORK + static void posix_cpu_timers_work(struct callback_head *work) + { ++ struct posix_cputimers_work *cw = container_of(work, typeof(*cw), work); ++ ++ mutex_lock(&cw->mutex); + handle_posix_cpu_timers(current); ++ mutex_unlock(&cw->mutex); ++} ++ ++/* ++ * Invoked from the posix-timer core when a cancel operation failed because ++ * the timer is marked firing. The caller holds rcu_read_lock(), which ++ * protects the timer and the task which is expiring it from being freed. ++ */ ++static void posix_cpu_timer_wait_running(struct k_itimer *timr) ++{ ++ struct task_struct *tsk = rcu_dereference(timr->it.cpu.handling); ++ ++ /* Has the handling task completed expiry already? */ ++ if (!tsk) ++ return; ++ ++ /* Ensure that the task cannot go away */ ++ get_task_struct(tsk); ++ /* Now drop the RCU protection so the mutex can be locked */ ++ rcu_read_unlock(); ++ /* Wait on the expiry mutex */ ++ mutex_lock(&tsk->posix_cputimers_work.mutex); ++ /* Release it immediately again. */ ++ mutex_unlock(&tsk->posix_cputimers_work.mutex); ++ /* Drop the task reference. */ ++ put_task_struct(tsk); ++ /* Relock RCU so the callsite is balanced */ ++ rcu_read_lock(); ++} ++ ++static void posix_cpu_timer_wait_running_nsleep(struct k_itimer *timr) ++{ ++ /* Ensure that timr->it.cpu.handling task cannot go away */ ++ rcu_read_lock(); ++ spin_unlock_irq(&timr->it_lock); ++ posix_cpu_timer_wait_running(timr); ++ rcu_read_unlock(); ++ /* @timr is on stack and is valid */ ++ spin_lock_irq(&timr->it_lock); + } + + /* +@@ -1177,6 +1221,7 @@ void clear_posix_cputimers_work(struct t + sizeof(p->posix_cputimers_work.work)); + init_task_work(&p->posix_cputimers_work.work, + posix_cpu_timers_work); ++ mutex_init(&p->posix_cputimers_work.mutex); + p->posix_cputimers_work.scheduled = false; + } + +@@ -1255,6 +1300,18 @@ static inline void __run_posix_cpu_timer + lockdep_posixtimer_exit(); + } + ++static void posix_cpu_timer_wait_running(struct k_itimer *timr) ++{ ++ cpu_relax(); ++} ++ ++static void posix_cpu_timer_wait_running_nsleep(struct k_itimer *timr) ++{ ++ spin_unlock_irq(&timr->it_lock); ++ cpu_relax(); ++ spin_lock_irq(&timr->it_lock); ++} ++ + static inline bool posix_cpu_timers_work_scheduled(struct task_struct *tsk) + { + return false; +@@ -1363,6 +1420,8 @@ static void handle_posix_cpu_timers(stru + */ + if (likely(cpu_firing >= 0)) + cpu_timer_fire(timer); ++ /* See posix_cpu_timer_wait_running() */ ++ rcu_assign_pointer(timer->it.cpu.handling, NULL); + spin_unlock(&timer->it_lock); + } + } +@@ -1497,23 +1556,16 @@ static int do_cpu_nanosleep(const clocki + expires = cpu_timer_getexpires(&timer.it.cpu); + error = posix_cpu_timer_set(&timer, 0, &zero_it, &it); + if (!error) { +- /* +- * Timer is now unarmed, deletion can not fail. +- */ ++ /* Timer is now unarmed, deletion can not fail. */ + posix_cpu_timer_del(&timer); ++ } else { ++ while (error == TIMER_RETRY) { ++ posix_cpu_timer_wait_running_nsleep(&timer); ++ error = posix_cpu_timer_del(&timer); ++ } + } +- spin_unlock_irq(&timer.it_lock); + +- while (error == TIMER_RETRY) { +- /* +- * We need to handle case when timer was or is in the +- * middle of firing. In other cases we already freed +- * resources. +- */ +- spin_lock_irq(&timer.it_lock); +- error = posix_cpu_timer_del(&timer); +- spin_unlock_irq(&timer.it_lock); +- } ++ spin_unlock_irq(&timer.it_lock); + + if ((it.it_value.tv_sec | it.it_value.tv_nsec) == 0) { + /* +@@ -1623,6 +1675,7 @@ const struct k_clock clock_posix_cpu = { + .timer_del = posix_cpu_timer_del, + .timer_get = posix_cpu_timer_get, + .timer_rearm = posix_cpu_timer_rearm, ++ .timer_wait_running = posix_cpu_timer_wait_running, + }; + + const struct k_clock clock_process = { +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -846,6 +846,10 @@ static struct k_itimer *timer_wait_runni + rcu_read_lock(); + unlock_timer(timer, *flags); + ++ /* ++ * kc->timer_wait_running() might drop RCU lock. So @timer ++ * cannot be touched anymore after the function returns! ++ */ + if (!WARN_ON_ONCE(!kc->timer_wait_running)) + kc->timer_wait_running(timer); + diff --git a/queue-6.3/powerpc-boot-fix-boot-wrapper-code-generation-with-config_power10_cpu.patch b/queue-6.3/powerpc-boot-fix-boot-wrapper-code-generation-with-config_power10_cpu.patch new file mode 100644 index 00000000000..6920122e48a --- /dev/null +++ b/queue-6.3/powerpc-boot-fix-boot-wrapper-code-generation-with-config_power10_cpu.patch @@ -0,0 +1,35 @@ +From 648a1783fe2551f5a091c9a5f8f463cb2cbf8745 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Fri, 7 Apr 2023 14:09:09 +1000 +Subject: powerpc/boot: Fix boot wrapper code generation with CONFIG_POWER10_CPU + +From: Nicholas Piggin + +commit 648a1783fe2551f5a091c9a5f8f463cb2cbf8745 upstream. + +-mcpu=power10 will generate prefixed and pcrel code by default, which +we do not support. The general kernel disables these with cflags, but +those were missed for the boot wrapper. + +Fixes: 4b2a9315f20d ("powerpc/64s: POWER10 CPU Kconfig build option") +Cc: stable@vger.kernel.org # v6.1+ +Reported-by: Danny Tsen +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230407040909.230998-1-npiggin@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/boot/Makefile | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/powerpc/boot/Makefile ++++ b/arch/powerpc/boot/Makefile +@@ -34,6 +34,8 @@ endif + + BOOTCFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \ + -fno-strict-aliasing -O2 -msoft-float -mno-altivec -mno-vsx \ ++ $(call cc-option,-mno-prefixed) $(call cc-option,-mno-pcrel) \ ++ $(call cc-option,-mno-mma) \ + $(call cc-option,-mno-spe) $(call cc-option,-mspe=no) \ + -pipe -fomit-frame-pointer -fno-builtin -fPIC -nostdinc \ + $(LINUXINCLUDE) diff --git a/queue-6.3/serial-8250-fix-serial8250_tx_empty-race-with-dma-tx.patch b/queue-6.3/serial-8250-fix-serial8250_tx_empty-race-with-dma-tx.patch new file mode 100644 index 00000000000..9ab6b7f85a0 --- /dev/null +++ b/queue-6.3/serial-8250-fix-serial8250_tx_empty-race-with-dma-tx.patch @@ -0,0 +1,91 @@ +From 146a37e05d620cef4ad430e5d1c9c077fe6fa76f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Fri, 17 Mar 2023 13:33:18 +0200 +Subject: serial: 8250: Fix serial8250_tx_empty() race with DMA Tx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit 146a37e05d620cef4ad430e5d1c9c077fe6fa76f upstream. + +There's a potential race before THRE/TEMT deasserts when DMA Tx is +starting up (or the next batch of continuous Tx is being submitted). +This can lead to misdetecting Tx empty condition. + +It is entirely normal for THRE/TEMT to be set for some time after the +DMA Tx had been setup in serial8250_tx_dma(). As Tx side is definitely +not empty at that point, it seems incorrect for serial8250_tx_empty() +claim Tx is empty. + +Fix the race by also checking in serial8250_tx_empty() whether there's +DMA Tx active. + +Note: This fix only addresses in-kernel race mainly to make using +TCSADRAIN/FLUSH robust. Userspace can still cause other races but they +seem userspace concurrency control problems. + +Fixes: 9ee4b83e51f74 ("serial: 8250: Add support for dmaengine") +Cc: stable@vger.kernel.org +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20230317113318.31327-3-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250.h | 12 ++++++++++++ + drivers/tty/serial/8250/8250_port.c | 7 ++++--- + 2 files changed, 16 insertions(+), 3 deletions(-) + +--- a/drivers/tty/serial/8250/8250.h ++++ b/drivers/tty/serial/8250/8250.h +@@ -365,6 +365,13 @@ static inline void serial8250_do_prepare + if (dma->prepare_rx_dma) + dma->prepare_rx_dma(p); + } ++ ++static inline bool serial8250_tx_dma_running(struct uart_8250_port *p) ++{ ++ struct uart_8250_dma *dma = p->dma; ++ ++ return dma && dma->tx_running; ++} + #else + static inline int serial8250_tx_dma(struct uart_8250_port *p) + { +@@ -380,6 +387,11 @@ static inline int serial8250_request_dma + return -1; + } + static inline void serial8250_release_dma(struct uart_8250_port *p) { } ++ ++static inline bool serial8250_tx_dma_running(struct uart_8250_port *p) ++{ ++ return false; ++} + #endif + + static inline int ns16550a_goto_highspeed(struct uart_8250_port *up) +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2016,18 +2016,19 @@ static int serial8250_tx_threshold_handl + static unsigned int serial8250_tx_empty(struct uart_port *port) + { + struct uart_8250_port *up = up_to_u8250p(port); ++ unsigned int result = 0; + unsigned long flags; +- u16 lsr; + + serial8250_rpm_get(up); + + spin_lock_irqsave(&port->lock, flags); +- lsr = serial_lsr_in(up); ++ if (!serial8250_tx_dma_running(up) && uart_lsr_tx_empty(serial_lsr_in(up))) ++ result = TIOCSER_TEMT; + spin_unlock_irqrestore(&port->lock, flags); + + serial8250_rpm_put(up); + +- return uart_lsr_tx_empty(lsr) ? TIOCSER_TEMT : 0; ++ return result; + } + + unsigned int serial8250_do_get_mctrl(struct uart_port *port) diff --git a/queue-6.3/serial-fix-tiocsrs485-locking.patch b/queue-6.3/serial-fix-tiocsrs485-locking.patch new file mode 100644 index 00000000000..3dcab02c0cc --- /dev/null +++ b/queue-6.3/serial-fix-tiocsrs485-locking.patch @@ -0,0 +1,50 @@ +From 9e4f2a8004213339e9d837d891a59cc80e082966 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 12 Apr 2023 14:48:11 +0200 +Subject: serial: fix TIOCSRS485 locking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Johan Hovold + +commit 9e4f2a8004213339e9d837d891a59cc80e082966 upstream. + +The RS485 multipoint addressing support for some reason added a new +ADDRB termios cflag which is (only!) updated from one of the RS485 +ioctls. + +Make sure to take the termios rw semaphore for the right ioctl (i.e. +set, not get). + +Fixes: ae50bb275283 ("serial: take termios_rwsem for ->rs485_config() & pass termios as param") +Cc: stable@vger.kernel.org # 6.0 +Cc: Ilpo Järvinen +Reviewed-by: Ilpo Järvinen +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230412124811.11217-1-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/serial_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -1552,7 +1552,7 @@ uart_ioctl(struct tty_struct *tty, unsig + goto out; + + /* rs485_config requires more locking than others */ +- if (cmd == TIOCGRS485) ++ if (cmd == TIOCSRS485) + down_write(&tty->termios_rwsem); + + mutex_lock(&port->mutex); +@@ -1595,7 +1595,7 @@ uart_ioctl(struct tty_struct *tty, unsig + } + out_up: + mutex_unlock(&port->mutex); +- if (cmd == TIOCGRS485) ++ if (cmd == TIOCSRS485) + up_write(&tty->termios_rwsem); + out: + return ret; diff --git a/queue-6.3/serial-max310x-fix-io-data-corruption-in-batched-operations.patch b/queue-6.3/serial-max310x-fix-io-data-corruption-in-batched-operations.patch new file mode 100644 index 00000000000..b3946872917 --- /dev/null +++ b/queue-6.3/serial-max310x-fix-io-data-corruption-in-batched-operations.patch @@ -0,0 +1,93 @@ +From 3f42b142ea1171967e40e10e4b0241c0d6d28d41 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20Kundr=C3=A1t?= +Date: Wed, 5 Apr 2023 22:14:23 +0200 +Subject: serial: max310x: fix IO data corruption in batched operations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jan Kundrát + +commit 3f42b142ea1171967e40e10e4b0241c0d6d28d41 upstream. + +After upgrading from 5.16 to 6.1, our board with a MAX14830 started +producing lots of garbage data over UART. Bisection pointed out commit +285e76fc049c as the culprit. That patch tried to replace hand-written +code which I added in 2b4bac48c1084 ("serial: max310x: Use batched reads +when reasonably safe") with the generic regmap infrastructure for +batched operations. + +Unfortunately, the `regmap_raw_read` and `regmap_raw_write` which were +used are actually functions which perform IO over *multiple* registers. +That's not what is needed for accessing these Tx/Rx FIFOs; the +appropriate functions are the `_noinc_` versions, not the `_raw_` ones. + +Fix this regression by using `regmap_noinc_read()` and +`regmap_noinc_write()` along with the necessary `regmap_config` setup; +with this patch in place, our board communicates happily again. Since +our board uses SPI for talking to this chip, the I2C part is completely +untested. + +Fixes: 285e76fc049c ("serial: max310x: use regmap methods for SPI batch operations") +Cc: stable@vger.kernel.org +Reviewed-by: Andy Shevchenko +Signed-off-by: Jan Kundrát +Link: https://lore.kernel.org/r/79db8e82aadb0e174bc82b9996423c3503c8fb37.1680732084.git.jan.kundrat@cesnet.cz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/max310x.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/max310x.c ++++ b/drivers/tty/serial/max310x.c +@@ -525,6 +525,11 @@ static bool max310x_reg_precious(struct + return false; + } + ++static bool max310x_reg_noinc(struct device *dev, unsigned int reg) ++{ ++ return reg == MAX310X_RHR_REG; ++} ++ + static int max310x_set_baud(struct uart_port *port, int baud) + { + unsigned int mode = 0, div = 0, frac = 0, c = 0, F = 0; +@@ -651,14 +656,14 @@ static void max310x_batch_write(struct u + { + struct max310x_one *one = to_max310x_port(port); + +- regmap_raw_write(one->regmap, MAX310X_THR_REG, txbuf, len); ++ regmap_noinc_write(one->regmap, MAX310X_THR_REG, txbuf, len); + } + + static void max310x_batch_read(struct uart_port *port, u8 *rxbuf, unsigned int len) + { + struct max310x_one *one = to_max310x_port(port); + +- regmap_raw_read(one->regmap, MAX310X_RHR_REG, rxbuf, len); ++ regmap_noinc_read(one->regmap, MAX310X_RHR_REG, rxbuf, len); + } + + static void max310x_handle_rx(struct uart_port *port, unsigned int rxlen) +@@ -1468,6 +1473,10 @@ static struct regmap_config regcfg = { + .writeable_reg = max310x_reg_writeable, + .volatile_reg = max310x_reg_volatile, + .precious_reg = max310x_reg_precious, ++ .writeable_noinc_reg = max310x_reg_noinc, ++ .readable_noinc_reg = max310x_reg_noinc, ++ .max_raw_read = MAX310X_FIFO_SIZE, ++ .max_raw_write = MAX310X_FIFO_SIZE, + }; + + #ifdef CONFIG_SPI_MASTER +@@ -1553,6 +1562,10 @@ static struct regmap_config regcfg_i2c = + .volatile_reg = max310x_reg_volatile, + .precious_reg = max310x_reg_precious, + .max_register = MAX310X_I2C_REVID_EXTREG, ++ .writeable_noinc_reg = max310x_reg_noinc, ++ .readable_noinc_reg = max310x_reg_noinc, ++ .max_raw_read = MAX310X_FIFO_SIZE, ++ .max_raw_write = MAX310X_FIFO_SIZE, + }; + + static const struct max310x_if_cfg max310x_i2c_if_cfg = { diff --git a/queue-6.3/series b/queue-6.3/series index e69de29bb2d..9abaa917e26 100644 --- a/queue-6.3/series +++ b/queue-6.3/series @@ -0,0 +1,41 @@ +wifi-mt76-mt7921e-set-memory-space-enable-in-pci_command-if-unset.patch +asoc-amd-ps-update-the-acp-clock-source.patch +powerpc-boot-fix-boot-wrapper-code-generation-with-config_power10_cpu.patch +pci-kirin-select-regmap_mmio.patch +pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch +pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch +bus-mhi-host-pci_generic-revert-add-a-secondary-at-port-to-telit-fn990.patch +phy-qcom-qmp-pcie-sc8180x-pcie-phy-has-2-lanes.patch +ima-allow-fix-uml-builds.patch +wifi-rtw88-usb-fix-priority-queue-to-endpoint-mapping.patch +usb-gadget-udc-core-invoke-usb_gadget_connect-only-when-started.patch +usb-gadget-udc-core-prevent-redundant-calls-to-pullup.patch +usb-dwc3-gadget-stall-and-restart-ep0-if-host-is-unresponsive.patch +usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch +usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch +hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch +hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch +tpm-add-tpm_amd_is_rng_defective-to-the-hwrng_unregister-call-site.patch +posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch +media-ov8856-do-not-check-for-for-module-version.patch +drm-vmwgfx-fix-legacy-display-unit-atomic-drm-support.patch +blk-stat-fix-queue_flag_stats-clear.patch +blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch +blk-crypto-make-blk_crypto_evict_key-return-void.patch +blk-crypto-make-blk_crypto_evict_key-more-robust.patch +staging-iio-resolver-ads1210-fix-config-mode.patch +tty-prevent-writing-chars-during-tcsetattr-tcsadrain-flush.patch +xhci-fix-debugfs-register-accesses-while-suspended.patch +serial-fix-tiocsrs485-locking.patch +serial-8250-fix-serial8250_tx_empty-race-with-dma-tx.patch +serial-max310x-fix-io-data-corruption-in-batched-operations.patch +tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch +fs-fix-sysctls.c-built.patch +mips-fw-allow-firmware-to-pass-a-empty-env.patch +ipmi-ssif-add-send_retries-increment.patch +ipmi-fix-ssif-not-responding-under-certain-cond.patch +iio-addac-stx104-fix-race-condition-when-converting-analog-to-digital.patch +iio-addac-stx104-fix-race-condition-for-stx104_write_raw.patch +kheaders-use-array-declaration-instead-of-char.patch +wifi-mt76-add-missing-locking-to-protect-against-concurrent-rx-status-calls.patch +wifi-rtw89-correct-5-mhz-mask-setting.patch diff --git a/queue-6.3/staging-iio-resolver-ads1210-fix-config-mode.patch b/queue-6.3/staging-iio-resolver-ads1210-fix-config-mode.patch new file mode 100644 index 00000000000..6f853d0c46c --- /dev/null +++ b/queue-6.3/staging-iio-resolver-ads1210-fix-config-mode.patch @@ -0,0 +1,37 @@ +From 16313403d873ff17a587818b61f84c8cb4971cef Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nuno=20S=C3=A1?= +Date: Mon, 27 Mar 2023 16:54:14 +0200 +Subject: staging: iio: resolver: ads1210: fix config mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +commit 16313403d873ff17a587818b61f84c8cb4971cef upstream. + +As stated in the device datasheet [1], bits a0 and a1 have to be set to +1 for the configuration mode. + +[1]: https://www.analog.com/media/en/technical-documentation/data-sheets/ad2s1210.pdf + +Fixes: b19e9ad5e2cb9 ("staging:iio:resolver:ad2s1210 general driver cleanup") +Cc: stable +Signed-off-by: Nuno Sá +Link: https://lore.kernel.org/r/20230327145414.1505537-1-nuno.sa@analog.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/iio/resolver/ad2s1210.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/iio/resolver/ad2s1210.c ++++ b/drivers/staging/iio/resolver/ad2s1210.c +@@ -101,7 +101,7 @@ struct ad2s1210_state { + static const int ad2s1210_mode_vals[4][2] = { + [MOD_POS] = { 0, 0 }, + [MOD_VEL] = { 0, 1 }, +- [MOD_CONFIG] = { 1, 0 }, ++ [MOD_CONFIG] = { 1, 1 }, + }; + + static inline void ad2s1210_set_mode(enum ad2s1210_mode mode, diff --git a/queue-6.3/tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch b/queue-6.3/tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch new file mode 100644 index 00000000000..abeb2632185 --- /dev/null +++ b/queue-6.3/tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch @@ -0,0 +1,97 @@ +From 58d7668242647e661a20efe065519abd6454287e Mon Sep 17 00:00:00 2001 +From: "Joel Fernandes (Google)" +Date: Tue, 24 Jan 2023 17:31:26 +0000 +Subject: tick/nohz: Fix cpu_is_hotpluggable() by checking with nohz subsystem + +From: Joel Fernandes (Google) + +commit 58d7668242647e661a20efe065519abd6454287e upstream. + +For CONFIG_NO_HZ_FULL systems, the tick_do_timer_cpu cannot be offlined. +However, cpu_is_hotpluggable() still returns true for those CPUs. This causes +torture tests that do offlining to end up trying to offline this CPU causing +test failures. Such failure happens on all architectures. + +Fix the repeated error messages thrown by this (even if the hotplug errors are +harmless) by asking the opinion of the nohz subsystem on whether the CPU can be +hotplugged. + +[ Apply Frederic Weisbecker feedback on refactoring tick_nohz_cpu_down(). ] + +For drivers/base/ portion: +Acked-by: Greg Kroah-Hartman +Acked-by: Frederic Weisbecker +Cc: Frederic Weisbecker +Cc: "Paul E. McKenney" +Cc: Zhouyi Zhou +Cc: Will Deacon +Cc: Marc Zyngier +Cc: rcu +Cc: stable@vger.kernel.org +Fixes: 2987557f52b9 ("driver-core/cpu: Expose hotpluggability to the rest of the kernel") +Signed-off-by: Paul E. McKenney +Signed-off-by: Joel Fernandes (Google) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/cpu.c | 3 ++- + include/linux/tick.h | 2 ++ + kernel/time/tick-sched.c | 11 ++++++++--- + 3 files changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -487,7 +487,8 @@ static const struct attribute_group *cpu + bool cpu_is_hotpluggable(unsigned int cpu) + { + struct device *dev = get_cpu_device(cpu); +- return dev && container_of(dev, struct cpu, dev)->hotpluggable; ++ return dev && container_of(dev, struct cpu, dev)->hotpluggable ++ && tick_nohz_cpu_hotpluggable(cpu); + } + EXPORT_SYMBOL_GPL(cpu_is_hotpluggable); + +--- a/include/linux/tick.h ++++ b/include/linux/tick.h +@@ -216,6 +216,7 @@ extern void tick_nohz_dep_set_signal(str + enum tick_dep_bits bit); + extern void tick_nohz_dep_clear_signal(struct signal_struct *signal, + enum tick_dep_bits bit); ++extern bool tick_nohz_cpu_hotpluggable(unsigned int cpu); + + /* + * The below are tick_nohz_[set,clear]_dep() wrappers that optimize off-cases +@@ -280,6 +281,7 @@ static inline void tick_nohz_full_add_cp + + static inline void tick_nohz_dep_set_cpu(int cpu, enum tick_dep_bits bit) { } + static inline void tick_nohz_dep_clear_cpu(int cpu, enum tick_dep_bits bit) { } ++static inline bool tick_nohz_cpu_hotpluggable(unsigned int cpu) { return true; } + + static inline void tick_dep_set(enum tick_dep_bits bit) { } + static inline void tick_dep_clear(enum tick_dep_bits bit) { } +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -527,7 +527,7 @@ void __init tick_nohz_full_setup(cpumask + tick_nohz_full_running = true; + } + +-static int tick_nohz_cpu_down(unsigned int cpu) ++bool tick_nohz_cpu_hotpluggable(unsigned int cpu) + { + /* + * The tick_do_timer_cpu CPU handles housekeeping duty (unbound +@@ -535,8 +535,13 @@ static int tick_nohz_cpu_down(unsigned i + * CPUs. It must remain online when nohz full is enabled. + */ + if (tick_nohz_full_running && tick_do_timer_cpu == cpu) +- return -EBUSY; +- return 0; ++ return false; ++ return true; ++} ++ ++static int tick_nohz_cpu_down(unsigned int cpu) ++{ ++ return tick_nohz_cpu_hotpluggable(cpu) ? 0 : -EBUSY; + } + + void __init tick_nohz_init(void) diff --git a/queue-6.3/tpm-add-tpm_amd_is_rng_defective-to-the-hwrng_unregister-call-site.patch b/queue-6.3/tpm-add-tpm_amd_is_rng_defective-to-the-hwrng_unregister-call-site.patch new file mode 100644 index 00000000000..b475757b93b --- /dev/null +++ b/queue-6.3/tpm-add-tpm_amd_is_rng_defective-to-the-hwrng_unregister-call-site.patch @@ -0,0 +1,64 @@ +From bd8621ca1510e6e802df9855bdc35a04a3cfa932 Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Sun, 23 Apr 2023 18:49:58 +0300 +Subject: tpm: Add !tpm_amd_is_rng_defective() to the hwrng_unregister() call site + +From: Jarkko Sakkinen + +commit bd8621ca1510e6e802df9855bdc35a04a3cfa932 upstream. + +The following crash was reported: + +[ 1950.279393] list_del corruption, ffff99560d485790->next is NULL +[ 1950.279400] ------------[ cut here ]------------ +[ 1950.279401] kernel BUG at lib/list_debug.c:49! +[ 1950.279405] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI +[ 1950.279407] CPU: 11 PID: 5886 Comm: modprobe Tainted: G O 6.2.8_1 #1 +[ 1950.279409] Hardware name: Gigabyte Technology Co., Ltd. B550M AORUS PRO-P/B550M AORUS PRO-P, +BIOS F15c 05/11/2022 +[ 1950.279410] RIP: 0010:__list_del_entry_valid+0x59/0xc0 +[ 1950.279415] Code: 48 8b 01 48 39 f8 75 5a 48 8b 72 08 48 39 c6 75 65 b8 01 00 00 00 c3 cc cc cc +cc 48 89 fe 48 c7 c7 08 a8 13 9e e8 b7 0a bc ff <0f> 0b 48 89 fe 48 c7 c7 38 a8 13 9e e8 a6 0a bc +ff 0f 0b 48 89 fe +[ 1950.279416] RSP: 0018:ffffa96d05647e08 EFLAGS: 00010246 +[ 1950.279418] RAX: 0000000000000033 RBX: ffff99560d485750 RCX: 0000000000000000 +[ 1950.279419] RDX: 0000000000000000 RSI: ffffffff9e107c59 RDI: 00000000ffffffff +[ 1950.279420] RBP: ffffffffc19c5168 R08: 0000000000000000 R09: ffffa96d05647cc8 +[ 1950.279421] R10: 0000000000000003 R11: ffffffff9ea2a568 R12: 0000000000000000 +[ 1950.279422] R13: ffff99560140a2e0 R14: ffff99560127d2e0 R15: 0000000000000000 +[ 1950.279422] FS: 00007f67da795380(0000) GS:ffff995d1f0c0000(0000) knlGS:0000000000000000 +[ 1950.279424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1950.279424] CR2: 00007f67da7e65c0 CR3: 00000001feed2000 CR4: 0000000000750ee0 +[ 1950.279426] PKRU: 55555554 +[ 1950.279426] Call Trace: +[ 1950.279428] +[ 1950.279430] hwrng_unregister+0x28/0xe0 [rng_core] +[ 1950.279436] tpm_chip_unregister+0xd5/0xf0 [tpm] + +Add the forgotten !tpm_amd_is_rng_defective() invariant to the +hwrng_unregister() call site inside tpm_chip_unregister(). + +Cc: stable@vger.kernel.org +Reported-by: Martin Dimov +Link: https://lore.kernel.org/linux-integrity/3d1d7e9dbfb8c96125bc93b6b58b90a7@dmarto.com/ +Fixes: f1324bbc4011 ("tpm: disable hwrng for fTPM on some AMD designs") +Fixes: b006c439d58d ("hwrng: core - start hwrng kthread also for untrusted sources") +Tested-by: Martin Dimov +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm-chip.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/char/tpm/tpm-chip.c ++++ b/drivers/char/tpm/tpm-chip.c +@@ -682,7 +682,8 @@ EXPORT_SYMBOL_GPL(tpm_chip_register); + void tpm_chip_unregister(struct tpm_chip *chip) + { + tpm_del_legacy_sysfs(chip); +- if (IS_ENABLED(CONFIG_HW_RANDOM_TPM) && !tpm_is_firmware_upgrade(chip)) ++ if (IS_ENABLED(CONFIG_HW_RANDOM_TPM) && !tpm_is_firmware_upgrade(chip) && ++ !tpm_amd_is_rng_defective(chip)) + hwrng_unregister(&chip->hwrng); + tpm_bios_log_teardown(chip); + if (chip->flags & TPM_CHIP_FLAG_TPM2 && !tpm_is_firmware_upgrade(chip)) diff --git a/queue-6.3/tty-prevent-writing-chars-during-tcsetattr-tcsadrain-flush.patch b/queue-6.3/tty-prevent-writing-chars-during-tcsetattr-tcsadrain-flush.patch new file mode 100644 index 00000000000..3517368d11b --- /dev/null +++ b/queue-6.3/tty-prevent-writing-chars-during-tcsetattr-tcsadrain-flush.patch @@ -0,0 +1,126 @@ +From 094fb49a2d0d6827c86d2e0840873e6db0c491d2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Fri, 17 Mar 2023 13:33:17 +0200 +Subject: tty: Prevent writing chars during tcsetattr TCSADRAIN/FLUSH +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit 094fb49a2d0d6827c86d2e0840873e6db0c491d2 upstream. + +If userspace races tcsetattr() with a write, the drained condition +might not be guaranteed by the kernel. There is a race window after +checking Tx is empty before tty_set_termios() takes termios_rwsem for +write. During that race window, more characters can be queued by a +racing writer. + +Any ongoing transmission might produce garbage during HW's +->set_termios() call. The intent of TCSADRAIN/FLUSH seems to be +preventing such a character corruption. If those flags are set, take +tty's write lock to stop any writer before performing the lower layer +Tx empty check and wait for the pending characters to be sent (if any). + +The initial wait for all-writers-done must be placed outside of tty's +write lock to avoid deadlock which makes it impossible to use +tty_wait_until_sent(). The write lock is retried if a racing write is +detected. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20230317113318.31327-2-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/tty.h | 2 ++ + drivers/tty/tty_io.c | 4 ++-- + drivers/tty/tty_ioctl.c | 45 +++++++++++++++++++++++++++++++++------------ + 3 files changed, 37 insertions(+), 14 deletions(-) + +--- a/drivers/tty/tty.h ++++ b/drivers/tty/tty.h +@@ -62,6 +62,8 @@ int __tty_check_change(struct tty_struct + int tty_check_change(struct tty_struct *tty); + void __stop_tty(struct tty_struct *tty); + void __start_tty(struct tty_struct *tty); ++void tty_write_unlock(struct tty_struct *tty); ++int tty_write_lock(struct tty_struct *tty, int ndelay); + void tty_vhangup_session(struct tty_struct *tty); + void tty_open_proc_set_tty(struct file *filp, struct tty_struct *tty); + int tty_signal_session_leader(struct tty_struct *tty, int exit_session); +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -933,13 +933,13 @@ static ssize_t tty_read(struct kiocb *io + return i; + } + +-static void tty_write_unlock(struct tty_struct *tty) ++void tty_write_unlock(struct tty_struct *tty) + { + mutex_unlock(&tty->atomic_write_lock); + wake_up_interruptible_poll(&tty->write_wait, EPOLLOUT); + } + +-static int tty_write_lock(struct tty_struct *tty, int ndelay) ++int tty_write_lock(struct tty_struct *tty, int ndelay) + { + if (!mutex_trylock(&tty->atomic_write_lock)) { + if (ndelay) +--- a/drivers/tty/tty_ioctl.c ++++ b/drivers/tty/tty_ioctl.c +@@ -500,21 +500,42 @@ static int set_termios(struct tty_struct + tmp_termios.c_ispeed = tty_termios_input_baud_rate(&tmp_termios); + tmp_termios.c_ospeed = tty_termios_baud_rate(&tmp_termios); + +- ld = tty_ldisc_ref(tty); ++ if (opt & (TERMIOS_FLUSH|TERMIOS_WAIT)) { ++retry_write_wait: ++ retval = wait_event_interruptible(tty->write_wait, !tty_chars_in_buffer(tty)); ++ if (retval < 0) ++ return retval; + +- if (ld != NULL) { +- if ((opt & TERMIOS_FLUSH) && ld->ops->flush_buffer) +- ld->ops->flush_buffer(tty); +- tty_ldisc_deref(ld); +- } ++ if (tty_write_lock(tty, 0) < 0) ++ goto retry_write_wait; + +- if (opt & TERMIOS_WAIT) { +- tty_wait_until_sent(tty, 0); +- if (signal_pending(current)) +- return -ERESTARTSYS; +- } ++ /* Racing writer? */ ++ if (tty_chars_in_buffer(tty)) { ++ tty_write_unlock(tty); ++ goto retry_write_wait; ++ } ++ ++ ld = tty_ldisc_ref(tty); ++ if (ld != NULL) { ++ if ((opt & TERMIOS_FLUSH) && ld->ops->flush_buffer) ++ ld->ops->flush_buffer(tty); ++ tty_ldisc_deref(ld); ++ } + +- tty_set_termios(tty, &tmp_termios); ++ if ((opt & TERMIOS_WAIT) && tty->ops->wait_until_sent) { ++ tty->ops->wait_until_sent(tty, 0); ++ if (signal_pending(current)) { ++ tty_write_unlock(tty); ++ return -ERESTARTSYS; ++ } ++ } ++ ++ tty_set_termios(tty, &tmp_termios); ++ ++ tty_write_unlock(tty); ++ } else { ++ tty_set_termios(tty, &tmp_termios); ++ } + + /* FIXME: Arguably if tmp_termios == tty->termios AND the + actual requested termios was not tmp_termios then we may diff --git a/queue-6.3/usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch b/queue-6.3/usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch new file mode 100644 index 00000000000..455c6d6455c --- /dev/null +++ b/queue-6.3/usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch @@ -0,0 +1,57 @@ +From 9a8ad10c9f2e0925ff26308ec6756b93fc2f4977 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 4 Apr 2023 09:25:14 +0200 +Subject: USB: dwc3: fix runtime pm imbalance on probe errors + +From: Johan Hovold + +commit 9a8ad10c9f2e0925ff26308ec6756b93fc2f4977 upstream. + +Make sure not to suspend the device when probe fails to avoid disabling +clocks and phys multiple times. + +Fixes: 328082376aea ("usb: dwc3: fix runtime PM in error path") +Cc: stable@vger.kernel.org # 4.8 +Cc: Roger Quadros +Acked-by: Thinh Nguyen +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230404072524.19014-2-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1883,13 +1883,11 @@ static int dwc3_probe(struct platform_de + spin_lock_init(&dwc->lock); + mutex_init(&dwc->mutex); + ++ pm_runtime_get_noresume(dev); + pm_runtime_set_active(dev); + pm_runtime_use_autosuspend(dev); + pm_runtime_set_autosuspend_delay(dev, DWC3_DEFAULT_AUTOSUSPEND_DELAY); + pm_runtime_enable(dev); +- ret = pm_runtime_get_sync(dev); +- if (ret < 0) +- goto err1; + + pm_runtime_forbid(dev); + +@@ -1954,12 +1952,10 @@ err3: + dwc3_free_event_buffers(dwc); + + err2: +- pm_runtime_allow(&pdev->dev); +- +-err1: +- pm_runtime_put_sync(&pdev->dev); +- pm_runtime_disable(&pdev->dev); +- ++ pm_runtime_allow(dev); ++ pm_runtime_disable(dev); ++ pm_runtime_set_suspended(dev); ++ pm_runtime_put_noidle(dev); + disable_clks: + dwc3_clk_disable(dwc); + assert_reset: diff --git a/queue-6.3/usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch b/queue-6.3/usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch new file mode 100644 index 00000000000..96603f634a0 --- /dev/null +++ b/queue-6.3/usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch @@ -0,0 +1,34 @@ +From 44d257e9012ee8040e41d224d0e5bfb5ef5427ea Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 4 Apr 2023 09:25:15 +0200 +Subject: USB: dwc3: fix runtime pm imbalance on unbind + +From: Johan Hovold + +commit 44d257e9012ee8040e41d224d0e5bfb5ef5427ea upstream. + +Make sure to balance the runtime PM usage count on driver unbind by +adding back the pm_runtime_allow() call that had been erroneously +removed. + +Fixes: 266d0493900a ("usb: dwc3: core: don't trigger runtime pm when remove driver") +Cc: stable@vger.kernel.org # 5.9 +Cc: Li Jun +Acked-by: Thinh Nguyen +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230404072524.19014-3-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1979,6 +1979,7 @@ static int dwc3_remove(struct platform_d + dwc3_core_exit(dwc); + dwc3_ulpi_exit(dwc); + ++ pm_runtime_allow(&pdev->dev); + pm_runtime_disable(&pdev->dev); + pm_runtime_put_noidle(&pdev->dev); + pm_runtime_set_suspended(&pdev->dev); diff --git a/queue-6.3/usb-dwc3-gadget-stall-and-restart-ep0-if-host-is-unresponsive.patch b/queue-6.3/usb-dwc3-gadget-stall-and-restart-ep0-if-host-is-unresponsive.patch new file mode 100644 index 00000000000..15130bff9a2 --- /dev/null +++ b/queue-6.3/usb-dwc3-gadget-stall-and-restart-ep0-if-host-is-unresponsive.patch @@ -0,0 +1,121 @@ +From 02435a739b81ae24aff5d6e930efef9458e2af3c Mon Sep 17 00:00:00 2001 +From: Wesley Cheng +Date: Thu, 13 Apr 2023 12:57:40 -0700 +Subject: usb: dwc3: gadget: Stall and restart EP0 if host is unresponsive + +From: Wesley Cheng + +commit 02435a739b81ae24aff5d6e930efef9458e2af3c upstream. + +It was observed that there are hosts that may complete pending SETUP +transactions before the stop active transfers and controller halt occurs, +leading to lingering endxfer commands on DEPs on subsequent pullup/gadget +start iterations. + + dwc3_gadget_ep_disable name=ep8in flags=0x3009 direction=1 + dwc3_gadget_ep_disable name=ep4in flags=1 direction=1 + dwc3_gadget_ep_disable name=ep3out flags=1 direction=0 + usb_gadget_disconnect deactivated=0 connected=0 ret=0 + +The sequence shows that the USB gadget disconnect (dwc3_gadget_pullup(0)) +routine completed successfully, allowing for the USB gadget to proceed with +a USB gadget connect. However, if this occurs the system runs into an +issue where: + + BUG: spinlock already unlocked on CPU + spin_bug+0x0 + dwc3_remove_requests+0x278 + dwc3_ep0_out_start+0xb0 + __dwc3_gadget_start+0x25c + +This is due to the pending endxfers, leading to gadget start (w/o lock +held) to execute the remove requests, which will unlock the dwc3 +spinlock as part of giveback. + +To mitigate this, resolve the pending endxfers on the pullup disable +path by re-locating the SETUP phase check after stop active transfers, since +that is where the DWC3_EP_DELAY_STOP is potentially set. This also allows +for handling of a host that may be unresponsive by using the completion +timeout to trigger the stall and restart for EP0. + +Fixes: c96683798e27 ("usb: dwc3: ep0: Don't prepare beyond Setup stage") +Cc: stable@vger.kernel.org +Acked-by: Thinh Nguyen +Signed-off-by: Wesley Cheng +Link: https://lore.kernel.org/r/20230413195742.11821-2-quic_wcheng@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 49 ++++++++++++++++++++++++++++++---------------- + 1 file changed, 32 insertions(+), 17 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2532,29 +2532,17 @@ static int __dwc3_gadget_start(struct dw + static int dwc3_gadget_soft_disconnect(struct dwc3 *dwc) + { + unsigned long flags; ++ int ret; + + spin_lock_irqsave(&dwc->lock, flags); + dwc->connected = false; + + /* +- * Per databook, when we want to stop the gadget, if a control transfer +- * is still in process, complete it and get the core into setup phase. ++ * Attempt to end pending SETUP status phase, and not wait for the ++ * function to do so. + */ +- if (dwc->ep0state != EP0_SETUP_PHASE) { +- int ret; +- +- if (dwc->delayed_status) +- dwc3_ep0_send_delayed_status(dwc); +- +- reinit_completion(&dwc->ep0_in_setup); +- +- spin_unlock_irqrestore(&dwc->lock, flags); +- ret = wait_for_completion_timeout(&dwc->ep0_in_setup, +- msecs_to_jiffies(DWC3_PULL_UP_TIMEOUT)); +- spin_lock_irqsave(&dwc->lock, flags); +- if (ret == 0) +- dev_warn(dwc->dev, "timed out waiting for SETUP phase\n"); +- } ++ if (dwc->delayed_status) ++ dwc3_ep0_send_delayed_status(dwc); + + /* + * In the Synopsys DesignWare Cores USB3 Databook Rev. 3.30a +@@ -2568,6 +2556,33 @@ static int dwc3_gadget_soft_disconnect(s + spin_unlock_irqrestore(&dwc->lock, flags); + + /* ++ * Per databook, when we want to stop the gadget, if a control transfer ++ * is still in process, complete it and get the core into setup phase. ++ * In case the host is unresponsive to a SETUP transaction, forcefully ++ * stall the transfer, and move back to the SETUP phase, so that any ++ * pending endxfers can be executed. ++ */ ++ if (dwc->ep0state != EP0_SETUP_PHASE) { ++ reinit_completion(&dwc->ep0_in_setup); ++ ++ ret = wait_for_completion_timeout(&dwc->ep0_in_setup, ++ msecs_to_jiffies(DWC3_PULL_UP_TIMEOUT)); ++ if (ret == 0) { ++ unsigned int dir; ++ ++ dev_warn(dwc->dev, "wait for SETUP phase timed out\n"); ++ spin_lock_irqsave(&dwc->lock, flags); ++ dir = !!dwc->ep0_expect_in; ++ if (dwc->ep0state == EP0_DATA_PHASE) ++ dwc3_ep0_end_control_data(dwc, dwc->eps[dir]); ++ else ++ dwc3_ep0_end_control_data(dwc, dwc->eps[!dir]); ++ dwc3_ep0_stall_and_restart(dwc); ++ spin_unlock_irqrestore(&dwc->lock, flags); ++ } ++ } ++ ++ /* + * Note: if the GEVNTCOUNT indicates events in the event buffer, the + * driver needs to acknowledge them before the controller can halt. + * Simply let the interrupt handler acknowledges and handle the diff --git a/queue-6.3/usb-gadget-udc-core-invoke-usb_gadget_connect-only-when-started.patch b/queue-6.3/usb-gadget-udc-core-invoke-usb_gadget_connect-only-when-started.patch new file mode 100644 index 00000000000..3e92c9fc6aa --- /dev/null +++ b/queue-6.3/usb-gadget-udc-core-invoke-usb_gadget_connect-only-when-started.patch @@ -0,0 +1,359 @@ +From 0db213ea8eed5534a5169e807f28103cbc9d23df Mon Sep 17 00:00:00 2001 +From: Badhri Jagan Sridharan +Date: Fri, 7 Apr 2023 03:07:40 +0000 +Subject: usb: gadget: udc: core: Invoke usb_gadget_connect only when started + +From: Badhri Jagan Sridharan + +commit 0db213ea8eed5534a5169e807f28103cbc9d23df upstream. + +usb_udc_connect_control does not check to see if the udc has already +been started. This causes gadget->ops->pullup to be called through +usb_gadget_connect when invoked from usb_udc_vbus_handler even before +usb_gadget_udc_start is called. Guard this by checking for udc->started +in usb_udc_connect_control before invoking usb_gadget_connect. + +Guarding udc->vbus, udc->started, gadget->connect, gadget->deactivate +related functions with connect_lock. usb_gadget_connect_locked, +usb_gadget_disconnect_locked, usb_udc_connect_control_locked, +usb_gadget_udc_start_locked, usb_gadget_udc_stop_locked are called with +this lock held as they can be simulataneously invoked from different code +paths. + +Adding an additional check to make sure udc is started(udc->started) +before pullup callback is invoked. + +Fixes: 628ef0d273a6 ("usb: udc: add usb_udc_vbus_handler") +Cc: stable@vger.kernel.org +Signed-off-by: Badhri Jagan Sridharan +Link: https://lore.kernel.org/r/20230407030741.3163220-1-badhri@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/core.c | 148 +++++++++++++++++++++++++++++------------- + 1 file changed, 104 insertions(+), 44 deletions(-) + +--- a/drivers/usb/gadget/udc/core.c ++++ b/drivers/usb/gadget/udc/core.c +@@ -37,6 +37,10 @@ static struct bus_type gadget_bus_type; + * @vbus: for udcs who care about vbus status, this value is real vbus status; + * for udcs who do not care about vbus status, this value is always true + * @started: the UDC's started state. True if the UDC had started. ++ * @connect_lock: protects udc->vbus, udc->started, gadget->connect, gadget->deactivate related ++ * functions. usb_gadget_connect_locked, usb_gadget_disconnect_locked, ++ * usb_udc_connect_control_locked, usb_gadget_udc_start_locked, usb_gadget_udc_stop_locked are ++ * called with this lock held. + * + * This represents the internal data structure which is used by the UDC-class + * to hold information about udc driver and gadget together. +@@ -48,6 +52,7 @@ struct usb_udc { + struct list_head list; + bool vbus; + bool started; ++ struct mutex connect_lock; + }; + + static struct class *udc_class; +@@ -660,17 +665,9 @@ out: + } + EXPORT_SYMBOL_GPL(usb_gadget_vbus_disconnect); + +-/** +- * usb_gadget_connect - software-controlled connect to USB host +- * @gadget:the peripheral being connected +- * +- * Enables the D+ (or potentially D-) pullup. The host will start +- * enumerating this gadget when the pullup is active and a VBUS session +- * is active (the link is powered). +- * +- * Returns zero on success, else negative errno. +- */ +-int usb_gadget_connect(struct usb_gadget *gadget) ++/* Internal version of usb_gadget_connect needs to be called with connect_lock held. */ ++static int usb_gadget_connect_locked(struct usb_gadget *gadget) ++ __must_hold(&gadget->udc->connect_lock) + { + int ret = 0; + +@@ -679,10 +676,12 @@ int usb_gadget_connect(struct usb_gadget + goto out; + } + +- if (gadget->deactivated) { ++ if (gadget->deactivated || !gadget->udc->started) { + /* + * If gadget is deactivated we only save new state. + * Gadget will be connected automatically after activation. ++ * ++ * udc first needs to be started before gadget can be pulled up. + */ + gadget->connected = true; + goto out; +@@ -697,22 +696,32 @@ out: + + return ret; + } +-EXPORT_SYMBOL_GPL(usb_gadget_connect); + + /** +- * usb_gadget_disconnect - software-controlled disconnect from USB host +- * @gadget:the peripheral being disconnected +- * +- * Disables the D+ (or potentially D-) pullup, which the host may see +- * as a disconnect (when a VBUS session is active). Not all systems +- * support software pullup controls. ++ * usb_gadget_connect - software-controlled connect to USB host ++ * @gadget:the peripheral being connected + * +- * Following a successful disconnect, invoke the ->disconnect() callback +- * for the current gadget driver so that UDC drivers don't need to. ++ * Enables the D+ (or potentially D-) pullup. The host will start ++ * enumerating this gadget when the pullup is active and a VBUS session ++ * is active (the link is powered). + * + * Returns zero on success, else negative errno. + */ +-int usb_gadget_disconnect(struct usb_gadget *gadget) ++int usb_gadget_connect(struct usb_gadget *gadget) ++{ ++ int ret; ++ ++ mutex_lock(&gadget->udc->connect_lock); ++ ret = usb_gadget_connect_locked(gadget); ++ mutex_unlock(&gadget->udc->connect_lock); ++ ++ return ret; ++} ++EXPORT_SYMBOL_GPL(usb_gadget_connect); ++ ++/* Internal version of usb_gadget_disconnect needs to be called with connect_lock held. */ ++static int usb_gadget_disconnect_locked(struct usb_gadget *gadget) ++ __must_hold(&gadget->udc->connect_lock) + { + int ret = 0; + +@@ -724,10 +733,12 @@ int usb_gadget_disconnect(struct usb_gad + if (!gadget->connected) + goto out; + +- if (gadget->deactivated) { ++ if (gadget->deactivated || !gadget->udc->started) { + /* + * If gadget is deactivated we only save new state. + * Gadget will stay disconnected after activation. ++ * ++ * udc should have been started before gadget being pulled down. + */ + gadget->connected = false; + goto out; +@@ -747,6 +758,30 @@ out: + + return ret; + } ++ ++/** ++ * usb_gadget_disconnect - software-controlled disconnect from USB host ++ * @gadget:the peripheral being disconnected ++ * ++ * Disables the D+ (or potentially D-) pullup, which the host may see ++ * as a disconnect (when a VBUS session is active). Not all systems ++ * support software pullup controls. ++ * ++ * Following a successful disconnect, invoke the ->disconnect() callback ++ * for the current gadget driver so that UDC drivers don't need to. ++ * ++ * Returns zero on success, else negative errno. ++ */ ++int usb_gadget_disconnect(struct usb_gadget *gadget) ++{ ++ int ret; ++ ++ mutex_lock(&gadget->udc->connect_lock); ++ ret = usb_gadget_disconnect_locked(gadget); ++ mutex_unlock(&gadget->udc->connect_lock); ++ ++ return ret; ++} + EXPORT_SYMBOL_GPL(usb_gadget_disconnect); + + /** +@@ -767,10 +802,11 @@ int usb_gadget_deactivate(struct usb_gad + if (gadget->deactivated) + goto out; + ++ mutex_lock(&gadget->udc->connect_lock); + if (gadget->connected) { +- ret = usb_gadget_disconnect(gadget); ++ ret = usb_gadget_disconnect_locked(gadget); + if (ret) +- goto out; ++ goto unlock; + + /* + * If gadget was being connected before deactivation, we want +@@ -780,6 +816,8 @@ int usb_gadget_deactivate(struct usb_gad + } + gadget->deactivated = true; + ++unlock: ++ mutex_unlock(&gadget->udc->connect_lock); + out: + trace_usb_gadget_deactivate(gadget, ret); + +@@ -803,6 +841,7 @@ int usb_gadget_activate(struct usb_gadge + if (!gadget->deactivated) + goto out; + ++ mutex_lock(&gadget->udc->connect_lock); + gadget->deactivated = false; + + /* +@@ -810,7 +849,8 @@ int usb_gadget_activate(struct usb_gadge + * while it was being deactivated, we call usb_gadget_connect(). + */ + if (gadget->connected) +- ret = usb_gadget_connect(gadget); ++ ret = usb_gadget_connect_locked(gadget); ++ mutex_unlock(&gadget->udc->connect_lock); + + out: + trace_usb_gadget_activate(gadget, ret); +@@ -1051,12 +1091,13 @@ EXPORT_SYMBOL_GPL(usb_gadget_set_state); + + /* ------------------------------------------------------------------------- */ + +-static void usb_udc_connect_control(struct usb_udc *udc) ++/* Acquire connect_lock before calling this function. */ ++static void usb_udc_connect_control_locked(struct usb_udc *udc) __must_hold(&udc->connect_lock) + { +- if (udc->vbus) +- usb_gadget_connect(udc->gadget); ++ if (udc->vbus && udc->started) ++ usb_gadget_connect_locked(udc->gadget); + else +- usb_gadget_disconnect(udc->gadget); ++ usb_gadget_disconnect_locked(udc->gadget); + } + + /** +@@ -1072,10 +1113,12 @@ void usb_udc_vbus_handler(struct usb_gad + { + struct usb_udc *udc = gadget->udc; + ++ mutex_lock(&udc->connect_lock); + if (udc) { + udc->vbus = status; +- usb_udc_connect_control(udc); ++ usb_udc_connect_control_locked(udc); + } ++ mutex_unlock(&udc->connect_lock); + } + EXPORT_SYMBOL_GPL(usb_udc_vbus_handler); + +@@ -1097,7 +1140,7 @@ void usb_gadget_udc_reset(struct usb_gad + EXPORT_SYMBOL_GPL(usb_gadget_udc_reset); + + /** +- * usb_gadget_udc_start - tells usb device controller to start up ++ * usb_gadget_udc_start_locked - tells usb device controller to start up + * @udc: The UDC to be started + * + * This call is issued by the UDC Class driver when it's about +@@ -1108,8 +1151,11 @@ EXPORT_SYMBOL_GPL(usb_gadget_udc_reset); + * necessary to have it powered on. + * + * Returns zero on success, else negative errno. ++ * ++ * Caller should acquire connect_lock before invoking this function. + */ +-static inline int usb_gadget_udc_start(struct usb_udc *udc) ++static inline int usb_gadget_udc_start_locked(struct usb_udc *udc) ++ __must_hold(&udc->connect_lock) + { + int ret; + +@@ -1126,7 +1172,7 @@ static inline int usb_gadget_udc_start(s + } + + /** +- * usb_gadget_udc_stop - tells usb device controller we don't need it anymore ++ * usb_gadget_udc_stop_locked - tells usb device controller we don't need it anymore + * @udc: The UDC to be stopped + * + * This call is issued by the UDC Class driver after calling +@@ -1135,8 +1181,11 @@ static inline int usb_gadget_udc_start(s + * The details are implementation specific, but it can go as + * far as powering off UDC completely and disable its data + * line pullups. ++ * ++ * Caller should acquire connect lock before invoking this function. + */ +-static inline void usb_gadget_udc_stop(struct usb_udc *udc) ++static inline void usb_gadget_udc_stop_locked(struct usb_udc *udc) ++ __must_hold(&udc->connect_lock) + { + if (!udc->started) { + dev_err(&udc->dev, "UDC had already stopped\n"); +@@ -1295,6 +1344,7 @@ int usb_add_gadget(struct usb_gadget *ga + + udc->gadget = gadget; + gadget->udc = udc; ++ mutex_init(&udc->connect_lock); + + udc->started = false; + +@@ -1496,11 +1546,15 @@ static int gadget_bind_driver(struct dev + if (ret) + goto err_bind; + +- ret = usb_gadget_udc_start(udc); +- if (ret) ++ mutex_lock(&udc->connect_lock); ++ ret = usb_gadget_udc_start_locked(udc); ++ if (ret) { ++ mutex_unlock(&udc->connect_lock); + goto err_start; ++ } + usb_gadget_enable_async_callbacks(udc); +- usb_udc_connect_control(udc); ++ usb_udc_connect_control_locked(udc); ++ mutex_unlock(&udc->connect_lock); + + kobject_uevent(&udc->dev.kobj, KOBJ_CHANGE); + return 0; +@@ -1531,12 +1585,14 @@ static void gadget_unbind_driver(struct + + kobject_uevent(&udc->dev.kobj, KOBJ_CHANGE); + +- usb_gadget_disconnect(gadget); ++ mutex_lock(&udc->connect_lock); ++ usb_gadget_disconnect_locked(gadget); + usb_gadget_disable_async_callbacks(udc); + if (gadget->irq) + synchronize_irq(gadget->irq); + udc->driver->unbind(gadget); +- usb_gadget_udc_stop(udc); ++ usb_gadget_udc_stop_locked(udc); ++ mutex_unlock(&udc->connect_lock); + + mutex_lock(&udc_lock); + driver->is_bound = false; +@@ -1622,11 +1678,15 @@ static ssize_t soft_connect_store(struct + } + + if (sysfs_streq(buf, "connect")) { +- usb_gadget_udc_start(udc); +- usb_gadget_connect(udc->gadget); ++ mutex_lock(&udc->connect_lock); ++ usb_gadget_udc_start_locked(udc); ++ usb_gadget_connect_locked(udc->gadget); ++ mutex_unlock(&udc->connect_lock); + } else if (sysfs_streq(buf, "disconnect")) { +- usb_gadget_disconnect(udc->gadget); +- usb_gadget_udc_stop(udc); ++ mutex_lock(&udc->connect_lock); ++ usb_gadget_disconnect_locked(udc->gadget); ++ usb_gadget_udc_stop_locked(udc); ++ mutex_unlock(&udc->connect_lock); + } else { + dev_err(dev, "unsupported command '%s'\n", buf); + ret = -EINVAL; diff --git a/queue-6.3/usb-gadget-udc-core-prevent-redundant-calls-to-pullup.patch b/queue-6.3/usb-gadget-udc-core-prevent-redundant-calls-to-pullup.patch new file mode 100644 index 00000000000..ad04f5e58b4 --- /dev/null +++ b/queue-6.3/usb-gadget-udc-core-prevent-redundant-calls-to-pullup.patch @@ -0,0 +1,35 @@ +From a3afbf5cc887fc3401f012fe629810998ed61859 Mon Sep 17 00:00:00 2001 +From: Badhri Jagan Sridharan +Date: Fri, 7 Apr 2023 03:07:41 +0000 +Subject: usb: gadget: udc: core: Prevent redundant calls to pullup + +From: Badhri Jagan Sridharan + +commit a3afbf5cc887fc3401f012fe629810998ed61859 upstream. + +usb_gadget_connect calls gadget->ops->pullup without checking whether +gadget->connected was previously set. Make this symmetric to +usb_gadget_disconnect by returning early if gadget->connected is +already set. + +Fixes: 5a1da544e572 ("usb: gadget: core: do not try to disconnect gadget if it is not connected") +Cc: stable@vger.kernel.org +Signed-off-by: Badhri Jagan Sridharan +Link: https://lore.kernel.org/r/20230407030741.3163220-2-badhri@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/gadget/udc/core.c ++++ b/drivers/usb/gadget/udc/core.c +@@ -676,6 +676,9 @@ static int usb_gadget_connect_locked(str + goto out; + } + ++ if (gadget->connected) ++ goto out; ++ + if (gadget->deactivated || !gadget->udc->started) { + /* + * If gadget is deactivated we only save new state. diff --git a/queue-6.3/wifi-mt76-add-missing-locking-to-protect-against-concurrent-rx-status-calls.patch b/queue-6.3/wifi-mt76-add-missing-locking-to-protect-against-concurrent-rx-status-calls.patch new file mode 100644 index 00000000000..b5aa95a771e --- /dev/null +++ b/queue-6.3/wifi-mt76-add-missing-locking-to-protect-against-concurrent-rx-status-calls.patch @@ -0,0 +1,104 @@ +From 5b8ccdfb943f6a03c676d2ea816dd38c149e920b Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Fri, 14 Apr 2023 14:10:54 +0200 +Subject: wifi: mt76: add missing locking to protect against concurrent rx/status calls + +From: Felix Fietkau + +commit 5b8ccdfb943f6a03c676d2ea816dd38c149e920b upstream. + +According to the documentation, ieee80211_rx_list must not run concurrently +with ieee80211_tx_status (or its variants). + +Cc: stable@vger.kernel.org +Fixes: 88046b2c9f6d ("mt76: add support for reporting tx status with skb") +Reported-by: Brian Coverstone +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/dma.c | 2 ++ + drivers/net/wireless/mediatek/mt76/mt7603/mac.c | 5 ++++- + drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 5 ++++- + drivers/net/wireless/mediatek/mt76/mt76x02_mac.c | 5 ++++- + drivers/net/wireless/mediatek/mt76/tx.c | 4 ++++ + 5 files changed, 18 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/mediatek/mt76/dma.c ++++ b/drivers/net/wireless/mediatek/mt76/dma.c +@@ -576,7 +576,9 @@ free: + free_skb: + status.skb = tx_info.skb; + hw = mt76_tx_status_get_hw(dev, tx_info.skb); ++ spin_lock_bh(&dev->rx_lock); + ieee80211_tx_status_ext(hw, &status); ++ spin_unlock_bh(&dev->rx_lock); + + return ret; + } +--- a/drivers/net/wireless/mediatek/mt76/mt7603/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7603/mac.c +@@ -1279,8 +1279,11 @@ void mt7603_mac_add_txs(struct mt7603_de + if (wcidx >= MT7603_WTBL_STA || !sta) + goto out; + +- if (mt7603_fill_txs(dev, msta, &info, txs_data)) ++ if (mt7603_fill_txs(dev, msta, &info, txs_data)) { ++ spin_lock_bh(&dev->mt76.rx_lock); + ieee80211_tx_status_noskb(mt76_hw(dev), sta, &info); ++ spin_unlock_bh(&dev->mt76.rx_lock); ++ } + + out: + rcu_read_unlock(); +--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c +@@ -1530,8 +1530,11 @@ static void mt7615_mac_add_txs(struct mt + if (wcid->phy_idx && dev->mt76.phys[MT_BAND1]) + mphy = dev->mt76.phys[MT_BAND1]; + +- if (mt7615_fill_txs(dev, msta, &info, txs_data)) ++ if (mt7615_fill_txs(dev, msta, &info, txs_data)) { ++ spin_lock_bh(&dev->mt76.rx_lock); + ieee80211_tx_status_noskb(mphy->hw, sta, &info); ++ spin_unlock_bh(&dev->mt76.rx_lock); ++ } + + out: + rcu_read_unlock(); +--- a/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c +@@ -631,8 +631,11 @@ void mt76x02_send_tx_status(struct mt76x + + mt76_tx_status_unlock(mdev, &list); + +- if (!status.skb) ++ if (!status.skb) { ++ spin_lock_bh(&dev->mt76.rx_lock); + ieee80211_tx_status_ext(mt76_hw(dev), &status); ++ spin_unlock_bh(&dev->mt76.rx_lock); ++ } + + if (!len) + goto out; +--- a/drivers/net/wireless/mediatek/mt76/tx.c ++++ b/drivers/net/wireless/mediatek/mt76/tx.c +@@ -77,7 +77,9 @@ mt76_tx_status_unlock(struct mt76_dev *d + } + + hw = mt76_tx_status_get_hw(dev, skb); ++ spin_lock_bh(&dev->rx_lock); + ieee80211_tx_status_ext(hw, &status); ++ spin_unlock_bh(&dev->rx_lock); + } + rcu_read_unlock(); + } +@@ -263,7 +265,9 @@ void __mt76_tx_complete_skb(struct mt76_ + if (cb->pktid < MT_PACKET_ID_FIRST) { + hw = mt76_tx_status_get_hw(dev, skb); + status.sta = wcid_to_sta(wcid); ++ spin_lock_bh(&dev->rx_lock); + ieee80211_tx_status_ext(hw, &status); ++ spin_unlock_bh(&dev->rx_lock); + goto out; + } + diff --git a/queue-6.3/wifi-mt76-mt7921e-set-memory-space-enable-in-pci_command-if-unset.patch b/queue-6.3/wifi-mt76-mt7921e-set-memory-space-enable-in-pci_command-if-unset.patch new file mode 100644 index 00000000000..430812f47f3 --- /dev/null +++ b/queue-6.3/wifi-mt76-mt7921e-set-memory-space-enable-in-pci_command-if-unset.patch @@ -0,0 +1,47 @@ +From 09d4d6da1b65d09414e7bce61459593f3c80ead1 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Wed, 29 Mar 2023 14:57:58 -0500 +Subject: wifi: mt76: mt7921e: Set memory space enable in PCI_COMMAND if unset + +From: Mario Limonciello + +commit 09d4d6da1b65d09414e7bce61459593f3c80ead1 upstream. + +When the BIOS has been configured for Fast Boot, systems with mt7921e +have non-functional wifi. Turning on Fast boot caused both bus master +enable and memory space enable bits in PCI_COMMAND not to get configured. + +The mt7921 driver already sets bus master enable, but explicitly check +and set memory access enable as well to fix this problem. + +Tested-by: Anson Tsao +Signed-off-by: Mario Limonciello +Acked-by: Sean Wang +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7921/pci.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c +@@ -263,6 +263,7 @@ static int mt7921_pci_probe(struct pci_d + struct mt76_dev *mdev; + u8 features; + int ret; ++ u16 cmd; + + ret = pcim_enable_device(pdev); + if (ret) +@@ -272,6 +273,11 @@ static int mt7921_pci_probe(struct pci_d + if (ret) + return ret; + ++ pci_read_config_word(pdev, PCI_COMMAND, &cmd); ++ if (!(cmd & PCI_COMMAND_MEMORY)) { ++ cmd |= PCI_COMMAND_MEMORY; ++ pci_write_config_word(pdev, PCI_COMMAND, cmd); ++ } + pci_set_master(pdev); + + ret = pci_alloc_irq_vectors(pdev, 1, 1, PCI_IRQ_ALL_TYPES); diff --git a/queue-6.3/wifi-rtw88-usb-fix-priority-queue-to-endpoint-mapping.patch b/queue-6.3/wifi-rtw88-usb-fix-priority-queue-to-endpoint-mapping.patch new file mode 100644 index 00000000000..fcfd0edee06 --- /dev/null +++ b/queue-6.3/wifi-rtw88-usb-fix-priority-queue-to-endpoint-mapping.patch @@ -0,0 +1,144 @@ +From a6f187f92bcc2b17821538b4a11d61764e68b091 Mon Sep 17 00:00:00 2001 +From: Sascha Hauer +Date: Mon, 17 Apr 2023 16:03:55 +0200 +Subject: wifi: rtw88: usb: fix priority queue to endpoint mapping + +From: Sascha Hauer + +commit a6f187f92bcc2b17821538b4a11d61764e68b091 upstream. + +The RTW88 chipsets have four different priority queues in hardware. For +the USB type chipsets the packets destined for a specific priority queue +must be sent through the endpoint corresponding to the queue. This was +not fully understood when porting from the RTW88 USB out of tree driver +and thus violated. + +This patch implements the qsel to endpoint mapping as in +get_usb_bulkout_id_88xx() in the downstream driver. + +Without this the driver often issues "timed out to flush queue 3" +warnings and often TX stalls completely. + +Signed-off-by: Sascha Hauer +Tested-by: ValdikSS +Tested-by: Alexandru gagniuc +Tested-by: Larry Finger +Cc: stable@vger.kernel.org +Reviewed-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230417140358.2240429-2-s.hauer@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtw88/usb.c | 70 ++++++++++++++++++++----------- + 1 file changed, 47 insertions(+), 23 deletions(-) + +--- a/drivers/net/wireless/realtek/rtw88/usb.c ++++ b/drivers/net/wireless/realtek/rtw88/usb.c +@@ -118,6 +118,22 @@ static void rtw_usb_write32(struct rtw_d + rtw_usb_write(rtwdev, addr, val, 4); + } + ++static int dma_mapping_to_ep(enum rtw_dma_mapping dma_mapping) ++{ ++ switch (dma_mapping) { ++ case RTW_DMA_MAPPING_HIGH: ++ return 0; ++ case RTW_DMA_MAPPING_NORMAL: ++ return 1; ++ case RTW_DMA_MAPPING_LOW: ++ return 2; ++ case RTW_DMA_MAPPING_EXTRA: ++ return 3; ++ default: ++ return -EINVAL; ++ } ++} ++ + static int rtw_usb_parse(struct rtw_dev *rtwdev, + struct usb_interface *interface) + { +@@ -129,6 +145,8 @@ static int rtw_usb_parse(struct rtw_dev + int num_out_pipes = 0; + int i; + u8 num; ++ const struct rtw_chip_info *chip = rtwdev->chip; ++ const struct rtw_rqpn *rqpn; + + for (i = 0; i < interface_desc->bNumEndpoints; i++) { + endpoint = &host_interface->endpoint[i].desc; +@@ -183,31 +201,34 @@ static int rtw_usb_parse(struct rtw_dev + + rtwdev->hci.bulkout_num = num_out_pipes; + +- switch (num_out_pipes) { +- case 4: +- case 3: +- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID0] = 2; +- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID1] = 2; +- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID2] = 2; +- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID3] = 2; +- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID4] = 1; +- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID5] = 1; +- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID6] = 0; +- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID7] = 0; +- break; +- case 2: +- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID0] = 1; +- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID1] = 1; +- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID2] = 1; +- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID3] = 1; +- break; +- case 1: +- break; +- default: +- rtw_err(rtwdev, "failed to get out_pipes(%d)\n", num_out_pipes); ++ if (num_out_pipes < 1 || num_out_pipes > 4) { ++ rtw_err(rtwdev, "invalid number of endpoints %d\n", num_out_pipes); + return -EINVAL; + } + ++ rqpn = &chip->rqpn_table[num_out_pipes]; ++ ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID0] = dma_mapping_to_ep(rqpn->dma_map_be); ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID1] = dma_mapping_to_ep(rqpn->dma_map_bk); ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID2] = dma_mapping_to_ep(rqpn->dma_map_bk); ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID3] = dma_mapping_to_ep(rqpn->dma_map_be); ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID4] = dma_mapping_to_ep(rqpn->dma_map_vi); ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID5] = dma_mapping_to_ep(rqpn->dma_map_vi); ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID6] = dma_mapping_to_ep(rqpn->dma_map_vo); ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID7] = dma_mapping_to_ep(rqpn->dma_map_vo); ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID8] = -EINVAL; ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID9] = -EINVAL; ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID10] = -EINVAL; ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID11] = -EINVAL; ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID12] = -EINVAL; ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID13] = -EINVAL; ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID14] = -EINVAL; ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID15] = -EINVAL; ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_BEACON] = dma_mapping_to_ep(rqpn->dma_map_hi); ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_HIGH] = dma_mapping_to_ep(rqpn->dma_map_hi); ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_MGMT] = dma_mapping_to_ep(rqpn->dma_map_mg); ++ rtwusb->qsel_to_ep[TX_DESC_QSEL_H2C] = dma_mapping_to_ep(rqpn->dma_map_hi); ++ + return 0; + } + +@@ -250,7 +271,7 @@ static void rtw_usb_write_port_tx_comple + static int qsel_to_ep(struct rtw_usb *rtwusb, unsigned int qsel) + { + if (qsel >= ARRAY_SIZE(rtwusb->qsel_to_ep)) +- return 0; ++ return -EINVAL; + + return rtwusb->qsel_to_ep[qsel]; + } +@@ -265,6 +286,9 @@ static int rtw_usb_write_port(struct rtw + int ret; + int ep = qsel_to_ep(rtwusb, qsel); + ++ if (ep < 0) ++ return ep; ++ + pipe = usb_sndbulkpipe(usbd, rtwusb->out_ep[ep]); + urb = usb_alloc_urb(0, GFP_ATOMIC); + if (!urb) diff --git a/queue-6.3/wifi-rtw89-correct-5-mhz-mask-setting.patch b/queue-6.3/wifi-rtw89-correct-5-mhz-mask-setting.patch new file mode 100644 index 00000000000..6eb9d0a8d81 --- /dev/null +++ b/queue-6.3/wifi-rtw89-correct-5-mhz-mask-setting.patch @@ -0,0 +1,80 @@ +From d33fc8d0368c180fe2338bfae4f5367a66a719f4 Mon Sep 17 00:00:00 2001 +From: Eric Huang +Date: Thu, 6 Apr 2023 15:28:41 +0800 +Subject: wifi: rtw89: correct 5 MHz mask setting + +From: Eric Huang + +commit d33fc8d0368c180fe2338bfae4f5367a66a719f4 upstream. + +Use primary channel index to determine which 5 MHz mask should be enable. +This mask is used to prevent noise from channel edge to effect CCA +threshold in wide bandwidth (>= 40 MHZ). + +Fixes: 1b00e9236a71 ("rtw89: 8852c: add set channel of BB part") +Fixes: 6b0698984eb0 ("wifi: rtw89: 8852b: add chip_ops::set_channel") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Huang +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230406072841.8308-1-pkshih@realtek.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtw89/rtw8852b.c | 9 +++++---- + drivers/net/wireless/realtek/rtw89/rtw8852c.c | 9 +++++---- + 2 files changed, 10 insertions(+), 8 deletions(-) + +--- a/drivers/net/wireless/realtek/rtw89/rtw8852b.c ++++ b/drivers/net/wireless/realtek/rtw89/rtw8852b.c +@@ -1284,7 +1284,7 @@ static void rtw8852b_ctrl_cck_en(struct + static void rtw8852b_5m_mask(struct rtw89_dev *rtwdev, const struct rtw89_chan *chan, + enum rtw89_phy_idx phy_idx) + { +- u8 pri_ch = chan->primary_channel; ++ u8 pri_ch = chan->pri_ch_idx; + bool mask_5m_low; + bool mask_5m_en; + +@@ -1292,12 +1292,13 @@ static void rtw8852b_5m_mask(struct rtw8 + case RTW89_CHANNEL_WIDTH_40: + /* Prich=1: Mask 5M High, Prich=2: Mask 5M Low */ + mask_5m_en = true; +- mask_5m_low = pri_ch == 2; ++ mask_5m_low = pri_ch == RTW89_SC_20_LOWER; + break; + case RTW89_CHANNEL_WIDTH_80: + /* Prich=3: Mask 5M High, Prich=4: Mask 5M Low, Else: Disable */ +- mask_5m_en = pri_ch == 3 || pri_ch == 4; +- mask_5m_low = pri_ch == 4; ++ mask_5m_en = pri_ch == RTW89_SC_20_UPMOST || ++ pri_ch == RTW89_SC_20_LOWEST; ++ mask_5m_low = pri_ch == RTW89_SC_20_LOWEST; + break; + default: + mask_5m_en = false; +--- a/drivers/net/wireless/realtek/rtw89/rtw8852c.c ++++ b/drivers/net/wireless/realtek/rtw89/rtw8852c.c +@@ -1445,18 +1445,19 @@ static void rtw8852c_5m_mask(struct rtw8 + const struct rtw89_chan *chan, + enum rtw89_phy_idx phy_idx) + { +- u8 pri_ch = chan->primary_channel; ++ u8 pri_ch = chan->pri_ch_idx; + bool mask_5m_low; + bool mask_5m_en; + + switch (chan->band_width) { + case RTW89_CHANNEL_WIDTH_40: + mask_5m_en = true; +- mask_5m_low = pri_ch == 2; ++ mask_5m_low = pri_ch == RTW89_SC_20_LOWER; + break; + case RTW89_CHANNEL_WIDTH_80: +- mask_5m_en = ((pri_ch == 3) || (pri_ch == 4)); +- mask_5m_low = pri_ch == 4; ++ mask_5m_en = pri_ch == RTW89_SC_20_UPMOST || ++ pri_ch == RTW89_SC_20_LOWEST; ++ mask_5m_low = pri_ch == RTW89_SC_20_LOWEST; + break; + default: + mask_5m_en = false; diff --git a/queue-6.3/xhci-fix-debugfs-register-accesses-while-suspended.patch b/queue-6.3/xhci-fix-debugfs-register-accesses-while-suspended.patch new file mode 100644 index 00000000000..6f7010a1564 --- /dev/null +++ b/queue-6.3/xhci-fix-debugfs-register-accesses-while-suspended.patch @@ -0,0 +1,33 @@ +From 735baf1b23458f71a8b15cb924af22c9ff9cd125 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Apr 2023 11:03:42 +0200 +Subject: xhci: fix debugfs register accesses while suspended + +From: Johan Hovold + +commit 735baf1b23458f71a8b15cb924af22c9ff9cd125 upstream. + +Wire up the debugfs regset device pointer so that the controller is +resumed before accessing registers to avoid crashing or locking up if it +happens to be runtime suspended. + +Fixes: 02b6fdc2a153 ("usb: xhci: Add debugfs interface for xHCI driver") +Cc: stable@vger.kernel.org # 4.15: 30332eeefec8: debugfs: regset32: Add Runtime PM support +Cc: stable@vger.kernel.org # 4.15 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230405090342.7363-1-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-debugfs.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/host/xhci-debugfs.c ++++ b/drivers/usb/host/xhci-debugfs.c +@@ -133,6 +133,7 @@ static void xhci_debugfs_regset(struct x + regset->regs = regs; + regset->nregs = nregs; + regset->base = hcd->regs + base; ++ regset->dev = hcd->self.controller; + + debugfs_create_regset32((const char *)rgs->name, 0444, parent, regset); + }