From: Greg Kroah-Hartman Date: Sun, 13 Jun 2021 12:23:48 +0000 (+0200) Subject: 5.12-stable patches X-Git-Tag: v4.4.273~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=56536eda8b2ddbc486eb1b790e8ed76a5ade0aca;p=thirdparty%2Fkernel%2Fstable-queue.git 5.12-stable patches added patches: acpi-pass-the-same-capabilities-to-the-_osc-regardless-of-the-query-flag.patch alsa-firewire-lib-fix-the-context-to-call-snd_pcm_stop_xrun.patch alsa-hda-realtek-fix-mute-micmute-leds-and-speaker-for-hp-elite-dragonfly-g2.patch alsa-hda-realtek-fix-mute-micmute-leds-and-speaker-for-hp-elitebook-x360-1040-g8.patch alsa-hda-realtek-fix-mute-micmute-leds-for-hp-elitebook-840-aero-g8.patch alsa-hda-realtek-fix-mute-micmute-leds-for-hp-zbook-power-g8.patch alsa-hda-realtek-headphone-and-mic-don-t-work-on-an-acer-laptop.patch alsa-seq-fix-race-of-snd_seq_timer_open.patch async_xor-check-src_offs-is-not-null-before-updating-it.patch bcache-avoid-oversized-read-request-in-cache-missing-code-path.patch bcache-remove-bcache-device-self-defined-readahead.patch btrfs-do-not-write-supers-if-we-have-an-fs-error.patch btrfs-promote-debugging-asserts-to-full-fledged-checks-in-validate_super.patch btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch btrfs-zoned-fix-zone-number-to-sector-physical-calculation.patch bus-mhi-pci_generic-fix-possible-use-after-free-in-mhi_pci_remove.patch cgroup1-don-t-allow-n-in-renaming.patch coredump-limit-what-can-interrupt-coredumps.patch drm-fix-use-after-free-read-in-drm_getunique.patch drm-lock-pointer-access-in-drm_master_release.patch ftrace-do-not-blindly-read-the-ip-address-in-ftrace_bug.patch kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch kvm-x86-mmu-use-the-correct-inherited-permissions-to-get-shadow-page.patch kvm-x86-unload-mmu-on-guest-tlb-flush-if-tdp-disabled-to-force-mmu-sync.patch misc-rtsx-separate-aspm-mode-into-mode_reg-and-mode_cfg.patch 
mmc-renesas_sdhi-abort-tuning-when-timeout-detected.patch mmc-renesas_sdhi-fix-hs400-on-r-car-m3-w.patch perf-x86-intel-uncore-fix-m2m-event-umask-for-ice-lake-server.patch revert-acpi-sleep-put-the-facs-table-after-using-it.patch spi-bcm2835-fix-out-of-bounds-access-with-more-than-4-slaves.patch staging-rtl8723bs-fix-uninitialized-variables.patch tick-nohz-only-check-for-rcu-deferred-wakeup-on-user-guest-entry-when-needed.patch tools-bootconfig-fix-a-build-error-accroding-to-undefined-fallthrough.patch tracing-correct-the-length-check-which-causes-memory-corruption.patch usb-cdnsp-fix-deadlock-issue-in-cdnsp_thread_irq_handler.patch usb-dwc3-debugfs-add-and-remove-endpoint-dirs-dynamically.patch usb-dwc3-ep0-fix-null-pointer-exception.patch usb-dwc3-gadget-bail-from-dwc3_gadget_exit-if-dwc-gadget-is-null.patch usb-dwc3-meson-g12a-disable-the-regulator-in-the-error-handling-path-of-the-probe.patch usb-dwc3-meson-g12a-fix-usb2-phy-glue-init-when-phy0-is-disabled.patch usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch usb-f_ncm-only-first-packet-of-aggregate-needs-to-start-timer.patch usb-fix-various-gadget-panics-on-10gbps-cabling.patch usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cabling.patch usb-gadget-eem-fix-wrong-eem-header-operation.patch usb-gadget-f_fs-ensure-io_completion_wq-is-idle-during-unbind.patch usb-misc-brcmstb-usb-pinmap-check-return-value-after-calling-platform_get_resource.patch usb-musb-fix-musb_quirk_b_disconnect_99-handling.patch usb-pci-quirks-disable-d3cold-on-xhci-suspend-for-s2idle-on-amd-renoir.patch usb-pd-set-pd_t_sink_wait_cap-to-310ms.patch usb-serial-cp210x-fix-alternate-function-for-cp2102n-qfn20.patch usb-serial-cp210x-fix-cp2102n-a01-modem-control.patch usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch usb-serial-quatech2-fix-control-request-directions.patch usb-typec-intel_pmc_mux-add-missed-error-check-for-devm_ioremap_resource.patch 
usb-typec-intel_pmc_mux-put-fwnode-in-error-case-during-probe.patch usb-typec-tcpm-cancel-frs-hrtimer-when-unregister-tcpm-port.patch usb-typec-tcpm-cancel-vdm-and-state-machine-hrtimer-when-unregister-tcpm-port.patch usb-typec-tcpm-do-not-finish-vdm-ams-for-retrying-responses.patch usb-typec-tcpm-properly-handle-alert-and-status-messages.patch usb-typec-ucsi-clear-ppm-capability-data-in-ucsi_init-error-path.patch usb-typec-wcove-use-le-to-cpu-conversion-when-accessing-msg-header.patch x86-lto-pass-stack-alignment-only-on-lld-13.0.0.patch --- diff --git a/queue-5.12/acpi-pass-the-same-capabilities-to-the-_osc-regardless-of-the-query-flag.patch b/queue-5.12/acpi-pass-the-same-capabilities-to-the-_osc-regardless-of-the-query-flag.patch new file mode 100644 index 00000000000..fe767fc5c73 --- /dev/null +++ b/queue-5.12/acpi-pass-the-same-capabilities-to-the-_osc-regardless-of-the-query-flag.patch 
@@ -0,0 +1,98 @@ +From 159d8c274fd92438ca6d7068d7a5eeda157227f4 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 9 Jun 2021 13:25:33 +0300 +Subject: ACPI: Pass the same capabilities to the _OSC regardless of the query flag + +From: Mika Westerberg + +commit 159d8c274fd92438ca6d7068d7a5eeda157227f4 upstream. + +Commit 719e1f561afb ("ACPI: Execute platform _OSC also with query bit +clear") makes acpi_bus_osc_negotiate_platform_control() not only query +the platforms capabilities but it also commits the result back to the +firmware to report which capabilities are supported by the OS back to +the firmware + +On certain systems the BIOS loads SSDT tables dynamically based on the +capabilities the OS claims to support. However, on these systems the +_OSC actually clears some of the bits (under certain conditions) so what +happens is that now when we call the _OSC twice the second time we pass +the cleared values and that results errors like below to appear on the +system log: + + ACPI BIOS Error (bug): Could not resolve symbol [\_PR.PR00._CPC], AE_NOT_FOUND (20210105/psargs-330) + ACPI Error: Aborting method \_PR.PR01._CPC due to previous error (AE_NOT_FOUND) (20210105/psparse-529) + +In addition the ACPI 6.4 spec says following [1]: + + If the OS declares support of a feature in the Support Field in one + call to _OSC, then it must preserve the set state of that bit + (declaring support for that feature) in all subsequent calls. + +Based on the above we can fix the issue by passing the same set of +capabilities to the platform wide _OSC in both calls regardless of the +query flag. + +While there drop the context.ret.length checks which were wrong to begin +with (as the length is number of bytes not elements). This is already +checked in acpi_run_osc() that also returns an error in that case. + +Includes fixes by Hans de Goede. 
+ +[1] https://uefi.org/specs/ACPI/6.4/06_Device_Configuration/Device_Configuration.html#sequence-of-osc-calls + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213023 +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1963717 +Fixes: 719e1f561afb ("ACPI: Execute platform _OSC also with query bit clear") +Cc: 5.12+ # 5.12+ +Signed-off-by: Mika Westerberg +Reviewed-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/bus.c | 27 ++++++++------------------- + 1 file changed, 8 insertions(+), 19 deletions(-) + +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -330,32 +330,21 @@ static void acpi_bus_osc_negotiate_platf + if (ACPI_FAILURE(acpi_run_osc(handle, &context))) + return; + +- capbuf_ret = context.ret.pointer; +- if (context.ret.length <= OSC_SUPPORT_DWORD) { +- kfree(context.ret.pointer); +- return; +- } ++ kfree(context.ret.pointer); + +- /* +- * Now run _OSC again with query flag clear and with the caps +- * supported by both the OS and the platform. +- */ ++ /* Now run _OSC again with query flag clear */ + capbuf[OSC_QUERY_DWORD] = 0; +- capbuf[OSC_SUPPORT_DWORD] = capbuf_ret[OSC_SUPPORT_DWORD]; +- kfree(context.ret.pointer); + + if (ACPI_FAILURE(acpi_run_osc(handle, &context))) + return; + + capbuf_ret = context.ret.pointer; +- if (context.ret.length > OSC_SUPPORT_DWORD) { +- osc_sb_apei_support_acked = +- capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_APEI_SUPPORT; +- osc_pc_lpi_support_confirmed = +- capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_PCLPI_SUPPORT; +- osc_sb_native_usb4_support_confirmed = +- capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_NATIVE_USB4_SUPPORT; +- } ++ osc_sb_apei_support_acked = ++ capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_APEI_SUPPORT; ++ osc_pc_lpi_support_confirmed = ++ capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_PCLPI_SUPPORT; ++ osc_sb_native_usb4_support_confirmed = ++ capbuf_ret[OSC_SUPPORT_DWORD] & OSC_SB_NATIVE_USB4_SUPPORT; + + kfree(context.ret.pointer); + } 
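Review bot: After the second acpi_run_osc() call, `capbuf_ret[OSC_SUPPORT_DWORD]` is read from the firmware-returned buffer with no length check left in this function. The commit message says acpi_run_osc() already returns an error for a wrong-sized buffer, but that check is outside the hunk, so the dependency is invisible at the point of use. A short comment above the three reads would record it, e.g. `/* acpi_run_osc() has already validated the returned buffer length, so indexing OSC_SUPPORT_DWORD is safe here */`. The body of the function starts outside the hunk.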
diff --git a/queue-5.12/alsa-firewire-lib-fix-the-context-to-call-snd_pcm_stop_xrun.patch b/queue-5.12/alsa-firewire-lib-fix-the-context-to-call-snd_pcm_stop_xrun.patch
new file mode 100644
index 00000000000..b3cc5616ae3
--- /dev/null
+++ b/queue-5.12/alsa-firewire-lib-fix-the-context-to-call-snd_pcm_stop_xrun.patch
@@ -0,0 +1,38 @@
+From 9981b20a5e3694f4625ab5a1ddc98ce7503f6d12 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto
+Date: Sat, 5 Jun 2021 18:10:54 +0900
+Subject: ALSA: firewire-lib: fix the context to call snd_pcm_stop_xrun()
+
+From: Takashi Sakamoto
+
+commit 9981b20a5e3694f4625ab5a1ddc98ce7503f6d12 upstream.
+
+In the workqueue to queue wake-up event, isochronous context is not
+processed, thus it's useless to check context for the workqueue to switch
+status of runtime for PCM substream to XRUN. On the other hand, in
+software IRQ context of 1394 OHCI, it's needed.
+
+This commit fixes the bug introduced when tasklet was replaced with
+workqueue.
+
+Cc:
+Fixes: 2b3d2987d800 ("ALSA: firewire: Replace tasklet with work")
+Signed-off-by: Takashi Sakamoto
+Link: https://lore.kernel.org/r/20210605091054.68866-1-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/firewire/amdtp-stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/amdtp-stream.c
++++ b/sound/firewire/amdtp-stream.c
+@@ -804,7 +804,7 @@ static void generate_pkt_descs(struct am
+ static inline void cancel_stream(struct amdtp_stream *s)
+ {
+ s->packet_index = -1;
+- if (current_work() == &s->period_work)
++ if (in_interrupt())
+ amdtp_stream_pcm_abort(s);
+ WRITE_ONCE(s->pcm_buffer_pointer, SNDRV_PCM_POS_XRUN);
+ }
diff --git a/queue-5.12/alsa-hda-realtek-fix-mute-micmute-leds-and-speaker-for-hp-elite-dragonfly-g2.patch b/queue-5.12/alsa-hda-realtek-fix-mute-micmute-leds-and-speaker-for-hp-elite-dragonfly-g2.patch
new file mode 100644
index 00000000000..d4ca9a5395b
--- /dev/null
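Review bot: `in_interrupt()` in cancel_stream() is a broader test than the "software IRQ context of 1394 OHCI" named in the commit message, since it is also true in hard-IRQ context and in process context with bottom halves disabled. Whether cancel_stream() can be reached from such a context is not visible in this hunk, but if it can, amdtp_stream_pcm_abort() would run there too. A comment stating the intended caller context would make the assumption reviewable, e.g. `/* abort the PCM substream only when called from the 1394 OHCI softirq path */`.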
+++ b/queue-5.12/alsa-hda-realtek-fix-mute-micmute-leds-and-speaker-for-hp-elite-dragonfly-g2.patch
@@ -0,0 +1,33 @@
+From 15d295b560e6dd45f839a53ae69e4f63b54eb32f Mon Sep 17 00:00:00 2001
+From: Jeremy Szu
+Date: Sat, 5 Jun 2021 16:25:36 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Elite Dragonfly G2
+
+From: Jeremy Szu
+
+commit 15d295b560e6dd45f839a53ae69e4f63b54eb32f upstream.
+
+The HP Elite Dragonfly G2 using ALC285 codec which using 0x04 to control
+mute LED and 0x01 to control micmute LED.
+In the other hand, there is no output from right channel of speaker.
+Therefore, add a quirk to make it works.
+
+Signed-off-by: Jeremy Szu
+Cc:
+Link: https://lore.kernel.org/r/20210605082539.41797-1-jeremy.szu@canonical.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8307,6 +8307,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8519, "HP Spectre x360 15-df0xxx", ALC285_FIXUP_HP_SPECTRE_X360),
+ SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO),
++ SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8729, "HP", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
diff --git a/queue-5.12/alsa-hda-realtek-fix-mute-micmute-leds-and-speaker-for-hp-elitebook-x360-1040-g8.patch b/queue-5.12/alsa-hda-realtek-fix-mute-micmute-leds-and-speaker-for-hp-elitebook-x360-1040-g8.patch
new file mode 100644
index 00000000000..fe6c8f6f005
--- /dev/null
+++ b/queue-5.12/alsa-hda-realtek-fix-mute-micmute-leds-and-speaker-for-hp-elitebook-x360-1040-g8.patch
@@ -0,0 +1,33 @@
+From 61d3e87468fad82dc8e8cb6de7db563ada64b532 Mon Sep 17 00:00:00 2001
+From: Jeremy Szu
+Date: Sat, 5 Jun 2021 16:25:37 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP EliteBook x360 1040 G8
+
+From: Jeremy Szu
+
+commit 61d3e87468fad82dc8e8cb6de7db563ada64b532 upstream.
+
+The HP EliteBook x360 1040 G8 using ALC285 codec which using 0x04 to control
+mute LED and 0x01 to control micmute LED.
+In the other hand, there is no output from right channel of speaker.
+Therefore, add a quirk to make it works.
+
+Signed-off-by: Jeremy Szu
+Cc:
+Link: https://lore.kernel.org/r/20210605082539.41797-2-jeremy.szu@canonical.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8308,6 +8308,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO),
+ SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
++ SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8729, "HP", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
diff --git a/queue-5.12/alsa-hda-realtek-fix-mute-micmute-leds-for-hp-elitebook-840-aero-g8.patch b/queue-5.12/alsa-hda-realtek-fix-mute-micmute-leds-for-hp-elitebook-840-aero-g8.patch
new file mode 100644
index 00000000000..df64d8115da
--- /dev/null
+++ b/queue-5.12/alsa-hda-realtek-fix-mute-micmute-leds-for-hp-elitebook-840-aero-g8.patch
@@ -0,0 +1,33 @@
+From dfb06401b4cdfc71e2fc3e19b877ab845cc9f7f7 Mon Sep 17 00:00:00 2001
+From: Jeremy Szu
+Date: Sat, 5 Jun 2021 16:25:38 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 840 Aero G8
+
+From: Jeremy Szu
+
+commit dfb06401b4cdfc71e2fc3e19b877ab845cc9f7f7 upstream.
+
+The HP EliteBook 840 Aero G8 using ALC285 codec which using 0x04 to
+control mute LED and 0x01 to control micmute LED.
+In the other hand, there is no output from right channel of speaker.
+Therefore, add a quirk to make it works.
+
+Signed-off-by: Jeremy Szu
+Cc:
+Link: https://lore.kernel.org/r/20210605082539.41797-3-jeremy.szu@canonical.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8327,6 +8327,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x87f5, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f7, "HP Spectre x360 14", ALC245_FIXUP_HP_X360_AMP),
+ SND_PCI_QUIRK(0x103c, 0x8846, "HP EliteBook 850 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x884b, "HP EliteBook 840 Aero G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x884c, "HP EliteBook 840 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x886d, "HP ZBook Fury 17.3 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8870, "HP ZBook Fury 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
diff --git a/queue-5.12/alsa-hda-realtek-fix-mute-micmute-leds-for-hp-zbook-power-g8.patch b/queue-5.12/alsa-hda-realtek-fix-mute-micmute-leds-for-hp-zbook-power-g8.patch
new file mode 100644
index 00000000000..2025fb7d3d6
--- /dev/null
+++ b/queue-5.12/alsa-hda-realtek-fix-mute-micmute-leds-for-hp-zbook-power-g8.patch
@@ -0,0 +1,32 @@
+From 600dd2a7e8b62170d177381cc1303861f48f9780 Mon Sep 17 00:00:00 2001
+From: Jeremy Szu
+Date: Tue, 8 Jun 2021 19:47:48 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs for HP ZBook Power G8
+
+From: Jeremy Szu
+
+commit 600dd2a7e8b62170d177381cc1303861f48f9780 upstream.
+
+The HP ZBook Power G8 using ALC236 codec which using 0x02 to
+control mute LED and 0x01 to control micmute LED.
+Therefore, add a quirk to make it works.
+
+Signed-off-by: Jeremy Szu
+Cc:
+Link: https://lore.kernel.org/r/20210608114750.32009-1-jeremy.szu@canonical.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8332,6 +8332,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x886d, "HP ZBook Fury 17.3 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8870, "HP ZBook Fury 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8873, "HP ZBook Studio 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
++ SND_PCI_QUIRK(0x103c, 0x888d, "HP ZBook Power 15.6 inch G8 Mobile Workstation PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8896, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
+ SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300),
diff --git a/queue-5.12/alsa-hda-realtek-headphone-and-mic-don-t-work-on-an-acer-laptop.patch b/queue-5.12/alsa-hda-realtek-headphone-and-mic-don-t-work-on-an-acer-laptop.patch
new file mode 100644
index 00000000000..59acf52828f
--- /dev/null
+++ b/queue-5.12/alsa-hda-realtek-headphone-and-mic-don-t-work-on-an-acer-laptop.patch
@@ -0,0 +1,72 @@ +From 57c9e21a49b1c196cda28f54de9a5d556ac93f20 Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Tue, 8 Jun 2021 10:46:00 +0800 +Subject: ALSA: hda/realtek: headphone and mic don't work on an Acer laptop + +From: Hui Wang + +commit 57c9e21a49b1c196cda28f54de9a5d556ac93f20 upstream. + +There are 2 issues on this machine, the 1st one is mic's plug/unplug +can't be detected, that is because the mic is set to manual detecting +mode, need to apply ALC255_FIXUP_XIAOMI_HEADSET_MIC to set it to auto +detecting mode. The other one is headphone's plug/unplug can't be +detected by pulseaudio, that is because the pulseaudio will use +ucm2/sof-hda-dsp on this machine, and the ucm2 only handle +'Headphone Jack', but on this machine the headphone's pincfg sets the +location to Front, then the alsa mixer name is "Front Headphone Jack" +instead of "Headphone Jack", so override the pincfg to change location +to Left. + +BugLink: http://bugs.launchpad.net/bugs/1930188 +Cc: +Signed-off-by: Hui Wang +Link: https://lore.kernel.org/r/20210608024600.6198-1-hui.wang@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6560,6 +6560,7 @@ enum { + ALC285_FIXUP_HP_SPECTRE_X360, + ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP, + ALC623_FIXUP_LENOVO_THINKSTATION_P340, ++ ALC255_FIXUP_ACER_HEADPHONE_AND_MIC, + }; + + static const struct hda_fixup alc269_fixups[] = { +@@ -8132,6 +8133,15 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC283_FIXUP_HEADSET_MIC, + }, ++ [ALC255_FIXUP_ACER_HEADPHONE_AND_MIC] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x21, 0x03211030 }, /* Change the Headphone location to Left */ ++ { } ++ }, ++ .chained = true, ++ .chain_id = ALC255_FIXUP_XIAOMI_HEADSET_MIC ++ }, + }; + + static const struct snd_pci_quirk 
alc269_fixup_tbl[] = { +@@ -8168,6 +8178,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1025, 0x132a, "Acer TravelMate B114-21", ALC233_FIXUP_ACER_HEADSET_MIC), + SND_PCI_QUIRK(0x1025, 0x1330, "Acer TravelMate X514-51T", ALC255_FIXUP_ACER_HEADSET_MIC), + SND_PCI_QUIRK(0x1025, 0x1430, "Acer TravelMate B311R-31", ALC256_FIXUP_ACER_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1025, 0x1466, "Acer Aspire A515-56", ALC255_FIXUP_ACER_HEADPHONE_AND_MIC), + SND_PCI_QUIRK(0x1028, 0x0470, "Dell M101z", ALC269_FIXUP_DELL_M101Z), + SND_PCI_QUIRK(0x1028, 0x054b, "Dell XPS one 2710", ALC275_FIXUP_DELL_XPS), + SND_PCI_QUIRK(0x1028, 0x05bd, "Dell Latitude E6440", ALC292_FIXUP_DELL_E7X), +@@ -8722,6 +8733,7 @@ static const struct hda_model_fixup alc2 + {.id = ALC285_FIXUP_HP_SPECTRE_X360, .name = "alc285-hp-spectre-x360"}, + {.id = ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP, .name = "alc287-ideapad-bass-spk-amp"}, + {.id = ALC623_FIXUP_LENOVO_THINKSTATION_P340, .name = "alc623-lenovo-thinkstation-p340"}, ++ {.id = ALC255_FIXUP_ACER_HEADPHONE_AND_MIC, .name = "alc255-acer-headphone-and-mic"}, + {} + }; + #define ALC225_STANDARD_PINS \ diff --git a/queue-5.12/alsa-seq-fix-race-of-snd_seq_timer_open.patch b/queue-5.12/alsa-seq-fix-race-of-snd_seq_timer_open.patch new file mode 100644 index 00000000000..0e7d47daeb4 --- /dev/null +++ b/queue-5.12/alsa-seq-fix-race-of-snd_seq_timer_open.patch 
@@ -0,0 +1,51 @@
+From 83e197a8414c0ba545e7e3916ce05f836f349273 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 10 Jun 2021 17:20:59 +0200
+Subject: ALSA: seq: Fix race of snd_seq_timer_open()
+
+From: Takashi Iwai
+
+commit 83e197a8414c0ba545e7e3916ce05f836f349273 upstream.
+
+The timer instance per queue is exclusive, and snd_seq_timer_open()
+should have managed the concurrent accesses. It looks as if it's
+checking the already existing timer instance at the beginning, but
+it's not right, because there is no protection, hence any later
+concurrent call of snd_seq_timer_open() may override the timer
+instance easily. This may result in UAF, as the leftover timer
+instance can keep running while the queue itself gets closed, as
+spotted by syzkaller recently.
+
+For avoiding the race, add a proper check at the assignment of
+tmr->timeri again, and return -EBUSY if it's been already registered.
+
+Reported-by: syzbot+ddc1260a83ed1cbf6fb5@syzkaller.appspotmail.com
+Cc:
+Link: https://lore.kernel.org/r/000000000000dce34f05c42f110c@google.com
+Link: https://lore.kernel.org/r/20210610152059.24633-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/seq/seq_timer.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/sound/core/seq/seq_timer.c
++++ b/sound/core/seq/seq_timer.c
+@@ -297,8 +297,16 @@ int snd_seq_timer_open(struct snd_seq_qu
+ return err;
+ }
+ spin_lock_irq(&tmr->lock);
+- tmr->timeri = t;
++ if (tmr->timeri)
++ err = -EBUSY;
++ else
++ tmr->timeri = t;
+ spin_unlock_irq(&tmr->lock);
++ if (err < 0) {
++ snd_timer_close(t);
++ snd_timer_instance_free(t);
++ return err;
++ }
+ return 0;
+ }
+
diff --git a/queue-5.12/async_xor-check-src_offs-is-not-null-before-updating-it.patch b/queue-5.12/async_xor-check-src_offs-is-not-null-before-updating-it.patch
new file mode 100644
index 00000000000..5bdb8b662c8
--- /dev/null
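Review bot: The `if (err < 0)` cleanup after the unlock depends on `err` being non-negative when the lock is taken, which is only implied by the preceding `return err;` branch whose condition lies outside the hunk. Assigning the result explicitly inside the locked section would remove that dependency, e.g. `err = tmr->timeri ? -EBUSY : 0;` followed by `if (!err) tmr->timeri = t;`. The unlocked existence check that the commit message describes at the start of snd_seq_timer_open() is also outside the hunk, so a comment such as `/* re-check under tmr->lock; the earlier unlocked test can race with a concurrent open */` would tell readers which check is authoritative.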
+++ b/queue-5.12/async_xor-check-src_offs-is-not-null-before-updating-it.patch
@@ -0,0 +1,37 @@
+From 9be148e408df7d361ec5afd6299b7736ff3928b0 Mon Sep 17 00:00:00 2001
+From: Xiao Ni
+Date: Fri, 28 May 2021 14:16:38 +0800
+Subject: async_xor: check src_offs is not NULL before updating it
+
+From: Xiao Ni
+
+commit 9be148e408df7d361ec5afd6299b7736ff3928b0 upstream.
+
+When PAGE_SIZE is greater than 4kB, multiple stripes may share the same
+page. Thus, src_offs is added to async_xor_offs() with array of offsets.
+However, async_xor() passes NULL src_offs to async_xor_offs(). In such
+case, src_offs should not be updated. Add a check before the update.
+
+Fixes: ceaf2966ab08(async_xor: increase src_offs when dropping destination page)
+Cc: stable@vger.kernel.org # v5.10+
+Reported-by: Oleksandr Shchirskyi
+Tested-by: Oleksandr Shchirskyi
+Signed-off-by: Xiao Ni
+Signed-off-by: Song Liu
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/async_tx/async_xor.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/crypto/async_tx/async_xor.c
++++ b/crypto/async_tx/async_xor.c
+@@ -233,7 +233,8 @@ async_xor_offs(struct page *dest, unsign
+ if (submit->flags & ASYNC_TX_XOR_DROP_DST) {
+ src_cnt--;
+ src_list++;
+- src_offs++;
++ if (src_offs)
++ src_offs++;
+ }
+
+ /* wait for any prerequisite operations */
diff --git a/queue-5.12/bcache-avoid-oversized-read-request-in-cache-missing-code-path.patch b/queue-5.12/bcache-avoid-oversized-read-request-in-cache-missing-code-path.patch
new file mode 100644
index 00000000000..31381fa12c6
--- /dev/null
+++ b/queue-5.12/bcache-avoid-oversized-read-request-in-cache-missing-code-path.patch
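Review bot: The added `if (src_offs)` guards only this one increment, and async_xor_offs() continues outside the hunk, so whether every later use of src_offs tolerates NULL cannot be confirmed from the lines shown. The convention that NULL means "no per-source offsets" is stated only in the commit message. A comment at the guard would keep it with the code, e.g. `/* src_offs is NULL when called via async_xor() */`.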
@@ -0,0 +1,186 @@ +From 41fe8d088e96472f63164e213de44ec77be69478 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Mon, 7 Jun 2021 20:50:52 +0800 +Subject: bcache: avoid oversized read request in cache missing code path + +From: Coly Li + +commit 41fe8d088e96472f63164e213de44ec77be69478 upstream. + +In the cache missing code path of cached device, if a proper location +from the internal B+ tree is matched for a cache miss range, function +cached_dev_cache_miss() will be called in cache_lookup_fn() in the +following code block, +[code block 1] + 526 unsigned int sectors = KEY_INODE(k) == s->iop.inode + 527 ? min_t(uint64_t, INT_MAX, + 528 KEY_START(k) - bio->bi_iter.bi_sector) + 529 : INT_MAX; + 530 int ret = s->d->cache_miss(b, s, bio, sectors); + +Here s->d->cache_miss() is the call backfunction pointer initialized as +cached_dev_cache_miss(), the last parameter 'sectors' is an important +hint to calculate the size of read request to backing device of the +missing cache data. + +Current calculation in above code block may generate oversized value of +'sectors', which consequently may trigger 2 different potential kernel +panics by BUG() or BUG_ON() as listed below, + +1) BUG_ON() inside bch_btree_insert_key(), +[code block 2] + 886 BUG_ON(b->ops->is_extents && !KEY_SIZE(k)); +2) BUG() inside biovec_slab(), +[code block 3] + 51 default: + 52 BUG(); + 53 return NULL; + +All the above panics are original from cached_dev_cache_miss() by the +oversized parameter 'sectors'. + +Inside cached_dev_cache_miss(), parameter 'sectors' is used to calculate +the size of data read from backing device for the cache missing. 
This +size is stored in s->insert_bio_sectors by the following lines of code, +[code block 4] + 909 s->insert_bio_sectors = min(sectors, bio_sectors(bio) + reada); + +Then the actual key inserting to the internal B+ tree is generated and +stored in s->iop.replace_key by the following lines of code, +[code block 5] + 911 s->iop.replace_key = KEY(s->iop.inode, + 912 bio->bi_iter.bi_sector + s->insert_bio_sectors, + 913 s->insert_bio_sectors); +The oversized parameter 'sectors' may trigger panic 1) by BUG_ON() from +the above code block. + +And the bio sending to backing device for the missing data is allocated +with hint from s->insert_bio_sectors by the following lines of code, +[code block 6] + 926 cache_bio = bio_alloc_bioset(GFP_NOWAIT, + 927 DIV_ROUND_UP(s->insert_bio_sectors, PAGE_SECTORS), + 928 &dc->disk.bio_split); +The oversized parameter 'sectors' may trigger panic 2) by BUG() from the +agove code block. + +Now let me explain how the panics happen with the oversized 'sectors'. +In code block 5, replace_key is generated by macro KEY(). From the +definition of macro KEY(), +[code block 7] + 71 #define KEY(inode, offset, size) \ + 72 ((struct bkey) { \ + 73 .high = (1ULL << 63) | ((__u64) (size) << 20) | (inode), \ + 74 .low = (offset) \ + 75 }) + +Here 'size' is 16bits width embedded in 64bits member 'high' of struct +bkey. But in code block 1, if "KEY_START(k) - bio->bi_iter.bi_sector" is +very probably to be larger than (1<<16) - 1, which makes the bkey size +calculation in code block 5 is overflowed. In one bug report the value +of parameter 'sectors' is 131072 (= 1 << 17), the overflowed 'sectors' +results the overflowed s->insert_bio_sectors in code block 4, then makes +size field of s->iop.replace_key to be 0 in code block 5. 
Then the 0- +sized s->iop.replace_key is inserted into the internal B+ tree as cache +missing check key (a special key to detect and avoid a racing between +normal write request and cache missing read request) as, +[code block 8] + 915 ret = bch_btree_insert_check_key(b, &s->op, &s->iop.replace_key); + +Then the 0-sized s->iop.replace_key as 3rd parameter triggers the bkey +size check BUG_ON() in code block 2, and causes the kernel panic 1). + +Another kernel panic is from code block 6, is by the bvecs number +oversized value s->insert_bio_sectors from code block 4, + min(sectors, bio_sectors(bio) + reada) +There are two possibility for oversized reresult, +- bio_sectors(bio) is valid, but bio_sectors(bio) + reada is oversized. +- sectors < bio_sectors(bio) + reada, but sectors is oversized. + +From a bug report the result of "DIV_ROUND_UP(s->insert_bio_sectors, +PAGE_SECTORS)" from code block 6 can be 344, 282, 946, 342 and many +other values which larther than BIO_MAX_VECS (a.k.a 256). When calling +bio_alloc_bioset() with such larger-than-256 value as the 2nd parameter, +this value will eventually be sent to biovec_slab() as parameter +'nr_vecs' in following code path, + bio_alloc_bioset() ==> bvec_alloc() ==> biovec_slab() +Because parameter 'nr_vecs' is larger-than-256 value, the panic by BUG() +in code block 3 is triggered inside biovec_slab(). + +From the above analysis, we know that the 4th parameter 'sector' sent +into cached_dev_cache_miss() may cause overflow in code block 5 and 6, +and finally cause kernel panic in code block 2 and 3. And if result of +bio_sectors(bio) + reada exceeds valid bvecs number, it may also trigger +kernel panic in code block 3 from code block 6. + +Now the almost-useless readahead size for cache missing request back to +backing device is removed, this patch can fix the oversized issue with +more simpler method. +- add a local variable size_limit, set it by the minimum value from + the max bkey size and max bio bvecs number. 
+- set s->insert_bio_sectors by the minimum value from size_limit, + sectors, and the sectors size of bio. +- replace sectors by s->insert_bio_sectors to do bio_next_split. + +By the above method with size_limit, s->insert_bio_sectors will never +result oversized replace_key size or bio bvecs number. And split bio +'miss' from bio_next_split() will always match the size of 'cache_bio', +that is the current maximum bio size we can sent to backing device for +fetching the cache missing data. + +Current problmatic code can be partially found since Linux v3.13-rc1, +therefore all maintained stable kernels should try to apply this fix. + +Reported-by: Alexander Ullrich +Reported-by: Diego Ercolani +Reported-by: Jan Szubiak +Reported-by: Marco Rebhan +Reported-by: Matthias Ferdinand +Reported-by: Victor Westerhuis +Reported-by: Vojtech Pavlik +Reported-and-tested-by: Rolf Fokkens +Reported-and-tested-by: Thorsten Knabe +Signed-off-by: Coly Li +Cc: stable@vger.kernel.org +Cc: Christoph Hellwig +Cc: Kent Overstreet +Cc: Nix +Cc: Takashi Iwai +Link: https://lore.kernel.org/r/20210607125052.21277-3-colyli@suse.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/request.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -882,6 +882,7 @@ static int cached_dev_cache_miss(struct + int ret = MAP_CONTINUE; + struct cached_dev *dc = container_of(s->d, struct cached_dev, disk); + struct bio *miss, *cache_bio; ++ unsigned int size_limit; + + s->cache_missed = 1; + +@@ -891,7 +892,10 @@ static int cached_dev_cache_miss(struct + goto out_submit; + } + +- s->insert_bio_sectors = min(sectors, bio_sectors(bio)); ++ /* Limitation for valid replace key size and cache_bio bvecs number */ ++ size_limit = min_t(unsigned int, BIO_MAX_VECS * PAGE_SECTORS, ++ (1 << KEY_SIZE_BITS) - 1); ++ s->insert_bio_sectors = min3(size_limit, sectors, bio_sectors(bio)); + + 
s->iop.replace_key = KEY(s->iop.inode, + bio->bi_iter.bi_sector + s->insert_bio_sectors, +@@ -903,7 +907,8 @@ static int cached_dev_cache_miss(struct + + s->iop.replace = true; + +- miss = bio_next_split(bio, sectors, GFP_NOIO, &s->d->bio_split); ++ miss = bio_next_split(bio, s->insert_bio_sectors, GFP_NOIO, ++ &s->d->bio_split); + + /* btree_search_recurse()'s btree iterator is no good anymore */ + ret = miss == bio ? MAP_DONE : -EINTR; diff --git a/queue-5.12/bcache-remove-bcache-device-self-defined-readahead.patch b/queue-5.12/bcache-remove-bcache-device-self-defined-readahead.patch new file mode 100644 index 00000000000..6ce5efec503 --- /dev/null +++ b/queue-5.12/bcache-remove-bcache-device-self-defined-readahead.patch 
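Review bot: The clamp is applied only inside cached_dev_cache_miss(), while the caller quoted in the commit message (code block 1) still computes `sectors` with an INT_MAX ceiling, so any other ->cache_miss implementation would need its own bound; none is visible in this hunk. The new comment could also name the two limits it enforces, e.g. `/* cap at the bkey size field maximum and at BIO_MAX_VECS pages worth of sectors */`, because `(1 << KEY_SIZE_BITS) - 1` and `BIO_MAX_VECS * PAGE_SECTORS` are otherwise unexplained where they are used. The function body starts and ends outside the hunk.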
@@ -0,0 +1,205 @@ +From 1616a4c2ab1a80893b6890ae93da40a2b1d0c691 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Mon, 7 Jun 2021 20:50:51 +0800 +Subject: bcache: remove bcache device self-defined readahead + +From: Coly Li + +commit 1616a4c2ab1a80893b6890ae93da40a2b1d0c691 upstream. + +For read cache missing, bcache defines a readahead size for the read I/O +request to the backing device for the missing data. This readahead size +is initialized to 0, and almost no one uses it to avoid unnecessary read +amplifying onto backing device and write amplifying onto cache device. +Considering upper layer file system code has readahead logic allready +and works fine with readahead_cache_policy sysfile interface, we don't +have to keep bcache self-defined readahead anymore. + +This patch removes the bcache self-defined readahead for cache missing +request for backing device, and the readahead sysfs file interfaces are +removed as well. + +This is the preparation for next patch to fix potential kernel panic due +to oversized request in a simpler method. 
+ +Reported-by: Alexander Ullrich +Reported-by: Diego Ercolani +Reported-by: Jan Szubiak +Reported-by: Marco Rebhan +Reported-by: Matthias Ferdinand +Reported-by: Victor Westerhuis +Reported-by: Vojtech Pavlik +Reported-and-tested-by: Rolf Fokkens +Reported-and-tested-by: Thorsten Knabe +Signed-off-by: Coly Li +Reviewed-by: Christoph Hellwig +Cc: stable@vger.kernel.org +Cc: Kent Overstreet +Cc: Nix +Cc: Takashi Iwai +Link: https://lore.kernel.org/r/20210607125052.21277-2-colyli@suse.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/bcache.h | 1 - + drivers/md/bcache/request.c | 13 +------------ + drivers/md/bcache/stats.c | 14 -------------- + drivers/md/bcache/stats.h | 1 - + drivers/md/bcache/sysfs.c | 4 ---- + 5 files changed, 1 insertion(+), 32 deletions(-) + +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -364,7 +364,6 @@ struct cached_dev { + + /* The rest of this all shows up in sysfs */ + unsigned int sequential_cutoff; +- unsigned int readahead; + + unsigned int io_disable:1; + unsigned int verify:1; +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -880,7 +880,6 @@ static int cached_dev_cache_miss(struct + struct bio *bio, unsigned int sectors) + { + int ret = MAP_CONTINUE; +- unsigned int reada = 0; + struct cached_dev *dc = container_of(s->d, struct cached_dev, disk); + struct bio *miss, *cache_bio; + +@@ -892,14 +891,7 @@ static int cached_dev_cache_miss(struct + goto out_submit; + } + +- if (!(bio->bi_opf & REQ_RAHEAD) && +- !(bio->bi_opf & (REQ_META|REQ_PRIO)) && +- s->iop.c->gc_stats.in_use < CUTOFF_CACHE_READA) +- reada = min_t(sector_t, dc->readahead >> 9, +- get_capacity(bio->bi_bdev->bd_disk) - +- bio_end_sector(bio)); +- +- s->insert_bio_sectors = min(sectors, bio_sectors(bio) + reada); ++ s->insert_bio_sectors = min(sectors, bio_sectors(bio)); + + s->iop.replace_key = KEY(s->iop.inode, + bio->bi_iter.bi_sector + s->insert_bio_sectors, +@@ -933,9 +925,6 @@ 
static int cached_dev_cache_miss(struct + if (bch_bio_alloc_pages(cache_bio, __GFP_NOWARN|GFP_NOIO)) + goto out_put; + +- if (reada) +- bch_mark_cache_readahead(s->iop.c, s->d); +- + s->cache_miss = miss; + s->iop.bio = cache_bio; + bio_get(cache_bio); +--- a/drivers/md/bcache/stats.c ++++ b/drivers/md/bcache/stats.c +@@ -46,7 +46,6 @@ read_attribute(cache_misses); + read_attribute(cache_bypass_hits); + read_attribute(cache_bypass_misses); + read_attribute(cache_hit_ratio); +-read_attribute(cache_readaheads); + read_attribute(cache_miss_collisions); + read_attribute(bypassed); + +@@ -64,7 +63,6 @@ SHOW(bch_stats) + DIV_SAFE(var(cache_hits) * 100, + var(cache_hits) + var(cache_misses))); + +- var_print(cache_readaheads); + var_print(cache_miss_collisions); + sysfs_hprint(bypassed, var(sectors_bypassed) << 9); + #undef var +@@ -86,7 +84,6 @@ static struct attribute *bch_stats_files + &sysfs_cache_bypass_hits, + &sysfs_cache_bypass_misses, + &sysfs_cache_hit_ratio, +- &sysfs_cache_readaheads, + &sysfs_cache_miss_collisions, + &sysfs_bypassed, + NULL +@@ -113,7 +110,6 @@ void bch_cache_accounting_clear(struct c + acc->total.cache_misses = 0; + acc->total.cache_bypass_hits = 0; + acc->total.cache_bypass_misses = 0; +- acc->total.cache_readaheads = 0; + acc->total.cache_miss_collisions = 0; + acc->total.sectors_bypassed = 0; + } +@@ -145,7 +141,6 @@ static void scale_stats(struct cache_sta + scale_stat(&stats->cache_misses); + scale_stat(&stats->cache_bypass_hits); + scale_stat(&stats->cache_bypass_misses); +- scale_stat(&stats->cache_readaheads); + scale_stat(&stats->cache_miss_collisions); + scale_stat(&stats->sectors_bypassed); + } +@@ -168,7 +163,6 @@ static void scale_accounting(struct time + move_stat(cache_misses); + move_stat(cache_bypass_hits); + move_stat(cache_bypass_misses); +- move_stat(cache_readaheads); + move_stat(cache_miss_collisions); + move_stat(sectors_bypassed); + +@@ -209,14 +203,6 @@ void bch_mark_cache_accounting(struct ca + 
mark_cache_stats(&c->accounting.collector, hit, bypass); + } + +-void bch_mark_cache_readahead(struct cache_set *c, struct bcache_device *d) +-{ +- struct cached_dev *dc = container_of(d, struct cached_dev, disk); +- +- atomic_inc(&dc->accounting.collector.cache_readaheads); +- atomic_inc(&c->accounting.collector.cache_readaheads); +-} +- + void bch_mark_cache_miss_collision(struct cache_set *c, struct bcache_device *d) + { + struct cached_dev *dc = container_of(d, struct cached_dev, disk); +--- a/drivers/md/bcache/stats.h ++++ b/drivers/md/bcache/stats.h +@@ -7,7 +7,6 @@ struct cache_stat_collector { + atomic_t cache_misses; + atomic_t cache_bypass_hits; + atomic_t cache_bypass_misses; +- atomic_t cache_readaheads; + atomic_t cache_miss_collisions; + atomic_t sectors_bypassed; + }; +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -137,7 +137,6 @@ rw_attribute(io_disable); + rw_attribute(discard); + rw_attribute(running); + rw_attribute(label); +-rw_attribute(readahead); + rw_attribute(errors); + rw_attribute(io_error_limit); + rw_attribute(io_error_halflife); +@@ -260,7 +259,6 @@ SHOW(__bch_cached_dev) + var_printf(partial_stripes_expensive, "%u"); + + var_hprint(sequential_cutoff); +- var_hprint(readahead); + + sysfs_print(running, atomic_read(&dc->running)); + sysfs_print(state, states[BDEV_STATE(&dc->sb)]); +@@ -365,7 +363,6 @@ STORE(__cached_dev) + sysfs_strtoul_clamp(sequential_cutoff, + dc->sequential_cutoff, + 0, UINT_MAX); +- d_strtoi_h(readahead); + + if (attr == &sysfs_clear_stats) + bch_cache_accounting_clear(&dc->accounting); +@@ -538,7 +535,6 @@ static struct attribute *bch_cached_dev_ + &sysfs_running, + &sysfs_state, + &sysfs_label, +- &sysfs_readahead, + #ifdef CONFIG_BCACHE_DEBUG + &sysfs_verify, + &sysfs_bypass_torture_test, diff --git a/queue-5.12/btrfs-do-not-write-supers-if-we-have-an-fs-error.patch b/queue-5.12/btrfs-do-not-write-supers-if-we-have-an-fs-error.patch new file mode 100644 index 00000000000..4d0fa3ec6f7 
--- /dev/null
+++ b/queue-5.12/btrfs-do-not-write-supers-if-we-have-an-fs-error.patch
@@ -0,0 +1,67 @@ +From 165ea85f14831f27fc6fe3b02b35e42e50b9ed94 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Wed, 19 May 2021 17:15:53 -0400 +Subject: btrfs: do not write supers if we have an fs error + +From: Josef Bacik + +commit 165ea85f14831f27fc6fe3b02b35e42e50b9ed94 upstream. + +Error injection testing uncovered a pretty severe problem where we could +end up committing a super that pointed to the wrong tree roots, +resulting in transid mismatch errors. + +The way we commit the transaction is we update the super copy with the +current generations and bytenrs of the important roots, and then copy +that into our super_for_commit. Then we allow transactions to continue +again, we write out the dirty pages for the transaction, and then we +write the super. If the write out fails we'll bail and skip writing the +supers. + +However since we've allowed a new transaction to start, we can have a +log attempting to sync at this point, which would be blocked on +fs_info->tree_log_mutex. Once the commit fails we're allowed to do the +log tree commit, which uses super_for_commit, which now points at fs +tree's that were not written out. + +Fix this by checking BTRFS_FS_STATE_ERROR once we acquire the +tree_log_mutex. This way if the transaction commit fails we're sure to +see this bit set and we can skip writing the super out. This patch +fixes this specific transid mismatch error I was seeing with this +particular error path. + +CC: stable@vger.kernel.org # 5.12+ +Reviewed-by: Filipe Manana +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3302,6 +3302,22 @@ int btrfs_sync_log(struct btrfs_trans_ha + * begins and releases it only after writing its superblock. 
+ */ + mutex_lock(&fs_info->tree_log_mutex); ++ ++ /* ++ * The previous transaction writeout phase could have failed, and thus ++ * marked the fs in an error state. We must not commit here, as we ++ * could have updated our generation in the super_for_commit and ++ * writing the super here would result in transid mismatches. If there ++ * is an error here just bail. ++ */ ++ if (test_bit(BTRFS_FS_STATE_ERROR, &fs_info->fs_state)) { ++ ret = -EIO; ++ btrfs_set_log_full_commit(trans); ++ btrfs_abort_transaction(trans, ret); ++ mutex_unlock(&fs_info->tree_log_mutex); ++ goto out_wake_log_root; ++ } ++ + btrfs_set_super_log_root(fs_info->super_for_commit, log_root_start); + btrfs_set_super_log_root_level(fs_info->super_for_commit, log_root_level); + ret = write_all_supers(fs_info, 1); diff --git a/queue-5.12/btrfs-promote-debugging-asserts-to-full-fledged-checks-in-validate_super.patch b/queue-5.12/btrfs-promote-debugging-asserts-to-full-fledged-checks-in-validate_super.patch new file mode 100644 index 00000000000..f0e4242ecaa --- /dev/null +++ b/queue-5.12/btrfs-promote-debugging-asserts-to-full-fledged-checks-in-validate_super.patch 
@@ -0,0 +1,70 @@ +From aefd7f7065567a4666f42c0fc8cdb379d2e036bf Mon Sep 17 00:00:00 2001 +From: Nikolay Borisov +Date: Mon, 31 May 2021 12:26:01 +0300 +Subject: btrfs: promote debugging asserts to full-fledged checks in validate_super + +From: Nikolay Borisov + +commit aefd7f7065567a4666f42c0fc8cdb379d2e036bf upstream. + +Syzbot managed to trigger this assert while performing its fuzzing. +Turns out it's better to have those asserts turned into full-fledged +checks so that in case buggy btrfs images are mounted the users gets +an error and mounting is stopped. Alternatively with CONFIG_BTRFS_ASSERT +disabled such image would have been erroneously allowed to be mounted. + +Reported-by: syzbot+a6bf271c02e4fe66b4e4@syzkaller.appspotmail.com +CC: stable@vger.kernel.org # 5.4+ +Reviewed-by: Johannes Thumshirn +Reviewed-by: Qu Wenruo +Signed-off-by: Nikolay Borisov +Reviewed-by: David Sterba +[ add uuids to the messages ] +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -2558,6 +2558,24 @@ static int validate_super(struct btrfs_f + ret = -EINVAL; + } + ++ if (memcmp(fs_info->fs_devices->fsid, fs_info->super_copy->fsid, ++ BTRFS_FSID_SIZE)) { ++ btrfs_err(fs_info, ++ "superblock fsid doesn't match fsid of fs_devices: %pU != %pU", ++ fs_info->super_copy->fsid, fs_info->fs_devices->fsid); ++ ret = -EINVAL; ++ } ++ ++ if (btrfs_fs_incompat(fs_info, METADATA_UUID) && ++ memcmp(fs_info->fs_devices->metadata_uuid, ++ fs_info->super_copy->metadata_uuid, BTRFS_FSID_SIZE)) { ++ btrfs_err(fs_info, ++"superblock metadata_uuid doesn't match metadata uuid of fs_devices: %pU != %pU", ++ fs_info->super_copy->metadata_uuid, ++ fs_info->fs_devices->metadata_uuid); ++ ret = -EINVAL; ++ } ++ + if (memcmp(fs_info->fs_devices->metadata_uuid, sb->dev_item.fsid, + BTRFS_FSID_SIZE) != 0) { + btrfs_err(fs_info, +@@ 
-3185,14 +3203,6 @@ int __cold open_ctree(struct super_block + + disk_super = fs_info->super_copy; + +- ASSERT(!memcmp(fs_info->fs_devices->fsid, fs_info->super_copy->fsid, +- BTRFS_FSID_SIZE)); +- +- if (btrfs_fs_incompat(fs_info, METADATA_UUID)) { +- ASSERT(!memcmp(fs_info->fs_devices->metadata_uuid, +- fs_info->super_copy->metadata_uuid, +- BTRFS_FSID_SIZE)); +- } + + features = btrfs_super_flags(disk_super); + if (features & BTRFS_SUPER_FLAG_CHANGING_FSID_V2) { diff --git a/queue-5.12/btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch b/queue-5.12/btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch new file mode 100644 index 00000000000..a802dee0bae --- /dev/null +++ b/queue-5.12/btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch @@ -0,0 +1,42 @@ +From e7b2ec3d3d4ebeb4cff7ae45cf430182fa6a49fb Mon Sep 17 00:00:00 2001 +From: Ritesh Harjani +Date: Sun, 30 May 2021 20:24:05 +0530 +Subject: btrfs: return value from btrfs_mark_extent_written() in case of error + +From: Ritesh Harjani + +commit e7b2ec3d3d4ebeb4cff7ae45cf430182fa6a49fb upstream. + +We always return 0 even in case of an error in btrfs_mark_extent_written(). +Fix it to return proper error value in case of a failure. All callers +handle it. + +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Ritesh Harjani +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/file.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -1094,7 +1094,7 @@ int btrfs_mark_extent_written(struct btr + int del_nr = 0; + int del_slot = 0; + int recow; +- int ret; ++ int ret = 0; + u64 ino = btrfs_ino(inode); + + path = btrfs_alloc_path(); +@@ -1315,7 +1315,7 @@ again: + } + out: + btrfs_free_path(path); +- return 0; ++ return ret; + } + + /* 
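Review bot: The two checks added to validate_super() compare `fs_info->super_copy->fsid` and `fs_info->super_copy->metadata_uuid`, while the existing check directly below them reads the `sb` argument (`sb->dev_item.fsid`), so the new checks do not necessarily validate the superblock the function was asked to validate. If validate_super() is ever called with a buffer other than super_copy (its callers are outside this hunk), a mismatching fsid in that buffer would pass. Comparing against the argument keeps the function self-consistent: `memcmp(fs_info->fs_devices->fsid, sb->fsid, BTRFS_FSID_SIZE)` and likewise `sb->metadata_uuid`, with the `%pU` arguments of the two messages changed to match. validate_super() starts and ends outside the hunk.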
diff --git a/queue-5.12/btrfs-zoned-fix-zone-number-to-sector-physical-calculation.patch b/queue-5.12/btrfs-zoned-fix-zone-number-to-sector-physical-calculation.patch
new file mode 100644
index 00000000000..2fc6c82a208
--- /dev/null
+++ b/queue-5.12/btrfs-zoned-fix-zone-number-to-sector-physical-calculation.patch
@@ -0,0 +1,91 @@ +From 5b434df8778771d181bc19fb4593bca114d1c4eb Mon Sep 17 00:00:00 2001 +From: Naohiro Aota +Date: Thu, 27 May 2021 15:27:32 +0900 +Subject: btrfs: zoned: fix zone number to sector/physical calculation + +From: Naohiro Aota + +commit 5b434df8778771d181bc19fb4593bca114d1c4eb upstream. + +In btrfs_get_dev_zone_info(), we have "u32 sb_zone" and calculate "sector_t +sector" by shifting it. But, this "sector" is calculated in 32bit, leading +it to be 0 for the 2nd superblock copy. + +Since zone number is u32, shifting it to sector (sector_t) or physical +address (u64) can easily trigger a missing cast bug like this. + +This commit introduces helpers to convert zone number to sector/LBA, so we +won't fall into the same pitfall again. + +Reported-by: Dmitry Fomichev +Fixes: 12659251ca5d ("btrfs: implement log-structured superblock for ZONED mode") +CC: stable@vger.kernel.org # 5.11+ +Reviewed-by: Johannes Thumshirn +Signed-off-by: Naohiro Aota +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/zoned.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +--- a/fs/btrfs/zoned.c ++++ b/fs/btrfs/zoned.c +@@ -150,6 +150,18 @@ static inline u32 sb_zone_number(int shi + return (u32)zone; + } + ++static inline sector_t zone_start_sector(u32 zone_number, ++ struct block_device *bdev) ++{ ++ return (sector_t)zone_number << ilog2(bdev_zone_sectors(bdev)); ++} ++ ++static inline u64 zone_start_physical(u32 zone_number, ++ struct btrfs_zoned_device_info *zone_info) ++{ ++ return (u64)zone_number << zone_info->zone_size_shift; ++} ++ + /* + * Emulate blkdev_report_zones() for a non-zoned device. 
It slices up the block + * device into static sized chunks and fake a conventional zone on each of +@@ -405,8 +417,8 @@ int btrfs_get_dev_zone_info(struct btrfs + if (sb_zone + 1 >= zone_info->nr_zones) + continue; + +- sector = sb_zone << (zone_info->zone_size_shift - SECTOR_SHIFT); +- ret = btrfs_get_dev_zones(device, sector << SECTOR_SHIFT, ++ ret = btrfs_get_dev_zones(device, ++ zone_start_physical(sb_zone, zone_info), + &zone_info->sb_zones[sb_pos], + &nr_zones); + if (ret) +@@ -721,7 +733,7 @@ int btrfs_sb_log_location_bdev(struct bl + if (sb_zone + 1 >= nr_zones) + return -ENOENT; + +- ret = blkdev_report_zones(bdev, sb_zone << zone_sectors_shift, ++ ret = blkdev_report_zones(bdev, zone_start_sector(sb_zone, bdev), + BTRFS_NR_SB_LOG_ZONES, copy_zone_info_cb, + zones); + if (ret < 0) +@@ -826,7 +838,7 @@ int btrfs_reset_sb_log_zones(struct bloc + return -ENOENT; + + return blkdev_zone_mgmt(bdev, REQ_OP_ZONE_RESET, +- sb_zone << zone_sectors_shift, ++ zone_start_sector(sb_zone, bdev), + zone_sectors * BTRFS_NR_SB_LOG_ZONES, GFP_NOFS); + } + +@@ -878,7 +890,8 @@ u64 btrfs_find_allocatable_zones(struct + if (!(end <= sb_zone || + sb_zone + BTRFS_NR_SB_LOG_ZONES <= begin)) { + have_sb = true; +- pos = ((u64)sb_zone + BTRFS_NR_SB_LOG_ZONES) << shift; ++ pos = zone_start_physical( ++ sb_zone + BTRFS_NR_SB_LOG_ZONES, zinfo); + break; + } + diff --git a/queue-5.12/bus-mhi-pci_generic-fix-possible-use-after-free-in-mhi_pci_remove.patch b/queue-5.12/bus-mhi-pci_generic-fix-possible-use-after-free-in-mhi_pci_remove.patch new file mode 100644 index 00000000000..f18bb8441ff --- /dev/null +++ b/queue-5.12/bus-mhi-pci_generic-fix-possible-use-after-free-in-mhi_pci_remove.patch 
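Review bot: In the btrfs_find_allocatable_zones() hunk the sum `sb_zone + BTRFS_NR_SB_LOG_ZONES` is now evaluated before it is widened, because zone_start_physical() takes a `u32 zone_number`, whereas the removed line cast `sb_zone` to u64 first. That keeps a small instance of the narrow-arithmetic pattern this commit sets out to remove: a zone number close to the u32 limit would wrap before the shift. It is presumably unreachable with real zone counts, but declaring the helper parameter as `u64 zone_number`, or stating the assumed range in a comment such as `/* zone_number + BTRFS_NR_SB_LOG_ZONES must fit in u32 */`, would close it. Separately, zone_start_sector() evaluates `ilog2(bdev_zone_sectors(bdev))` on every call and so assumes a non-zero zone size; a one-line comment saying callers only pass zoned devices would help, if that is the invariant.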
@@ -0,0 +1,43 @@ +From 0b67808ade8893a1b3608ddd74fac7854786c919 Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Sun, 6 Jun 2021 21:07:40 +0530 +Subject: bus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove() + +From: Wei Yongjun + +commit 0b67808ade8893a1b3608ddd74fac7854786c919 upstream. + +This driver's remove path calls del_timer(). However, that function +does not wait until the timer handler finishes. This means that the +timer handler may still be running after the driver's remove function +has finished, which would result in a use-after-free. + +Fix by calling del_timer_sync(), which makes sure the timer handler +has finished, and unable to re-schedule itself. + +Link: https://lore.kernel.org/r/20210413160318.2003699-1-weiyongjun1@huawei.com +Fixes: 8562d4fe34a3 ("mhi: pci_generic: Add health-check") +Cc: stable +Reported-by: Hulk Robot +Reviewed-by: Hemant kumar +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Loic Poulain +Signed-off-by: Wei Yongjun +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20210606153741.20725-3-manivannan.sadhasivam@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/mhi/pci_generic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/bus/mhi/pci_generic.c ++++ b/drivers/bus/mhi/pci_generic.c +@@ -505,7 +505,7 @@ static void mhi_pci_remove(struct pci_de + struct mhi_pci_device *mhi_pdev = pci_get_drvdata(pdev); + struct mhi_controller *mhi_cntrl = &mhi_pdev->mhi_cntrl; + +- del_timer(&mhi_pdev->health_check_timer); ++ del_timer_sync(&mhi_pdev->health_check_timer); + cancel_work_sync(&mhi_pdev->recovery_work); + + if (test_and_clear_bit(MHI_PCI_DEV_STARTED, &mhi_pdev->status)) { diff --git a/queue-5.12/cgroup1-don-t-allow-n-in-renaming.patch b/queue-5.12/cgroup1-don-t-allow-n-in-renaming.patch new file mode 100644 index 00000000000..14f9a2ddcac --- /dev/null +++ b/queue-5.12/cgroup1-don-t-allow-n-in-renaming.patch 
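Review bot: `del_timer_sync()` is followed directly by `cancel_work_sync(&mhi_pdev->recovery_work)`, and nothing in this hunk prevents a recovery work item that is still running between the two calls from arming `health_check_timer` again. Whether recovery_work re-arms the timer is not visible here, so this needs checking against the work function; if it does, the timer can outlive mhi_pci_remove() just as it could with `del_timer()`. At minimum the ordering assumption deserves a comment above the two calls, for example `/* recovery_work must not re-arm health_check_timer once remove has started */`, and the teardown should enforce it. mhi_pci_remove() continues past the end of the hunk.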
@@ -0,0 +1,57 @@ +From b7e24eb1caa5f8da20d405d262dba67943aedc42 Mon Sep 17 00:00:00 2001 +From: Alexander Kuznetsov +Date: Wed, 9 Jun 2021 10:17:19 +0300 +Subject: cgroup1: don't allow '\n' in renaming + +From: Alexander Kuznetsov + +commit b7e24eb1caa5f8da20d405d262dba67943aedc42 upstream. + +cgroup_mkdir() have restriction on newline usage in names: +$ mkdir $'/sys/fs/cgroup/cpu/test\ntest2' +mkdir: cannot create directory +'/sys/fs/cgroup/cpu/test\ntest2': Invalid argument + +But in cgroup1_rename() such check is missed. +This allows us to make /proc//cgroup unparsable: +$ mkdir /sys/fs/cgroup/cpu/test +$ mv /sys/fs/cgroup/cpu/test $'/sys/fs/cgroup/cpu/test\ntest2' +$ echo $$ > $'/sys/fs/cgroup/cpu/test\ntest2' +$ cat /proc/self/cgroup +11:pids:/ +10:freezer:/ +9:hugetlb:/ +8:cpuset:/ +7:blkio:/user.slice +6:memory:/user.slice +5:net_cls,net_prio:/ +4:perf_event:/ +3:devices:/user.slice +2:cpu,cpuacct:/test +test2 +1:name=systemd:/ +0::/ + +Signed-off-by: Alexander Kuznetsov +Reported-by: Andrey Krasichkov +Acked-by: Dmitry Yakunin +Cc: stable@vger.kernel.org +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup/cgroup-v1.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/cgroup/cgroup-v1.c ++++ b/kernel/cgroup/cgroup-v1.c +@@ -820,6 +820,10 @@ static int cgroup1_rename(struct kernfs_ + struct cgroup *cgrp = kn->priv; + int ret; + ++ /* do not accept '\n' to prevent making /proc//cgroup unparsable */ ++ if (strchr(new_name_str, '\n')) ++ return -EINVAL; ++ + if (kernfs_type(kn) != KERNFS_DIR) + return -ENOTDIR; + if (kn->parent != new_parent) diff --git a/queue-5.12/coredump-limit-what-can-interrupt-coredumps.patch b/queue-5.12/coredump-limit-what-can-interrupt-coredumps.patch new file mode 100644 index 00000000000..c7cdf306daf --- /dev/null +++ b/queue-5.12/coredump-limit-what-can-interrupt-coredumps.patch 
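Review bot: The newline check added to cgroup1_rename() is a second copy of a rule that, per the commit message, cgroup_mkdir() already enforces, and the rename path was left unguarded because the rule lived in only one place. A small shared name-validation helper called from both the mkdir and the rename path would keep the two from diverging the next time a character has to be rejected; as written, every creation or rename path has to remember to repeat the `strchr(new_name_str, '\n')` test. The added comment would also be clearer if it said what consumes the name, for example `/* names are emitted verbatim into /proc/<pid>/cgroup, one entry per line; reject '\n' */`. cgroup1_rename() starts and ends outside the hunk.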
@@ -0,0 +1,61 @@ +From 06af8679449d4ed282df13191fc52d5ba28ec536 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Thu, 10 Jun 2021 15:11:11 -0500 +Subject: coredump: Limit what can interrupt coredumps + +From: Eric W. Biederman + +commit 06af8679449d4ed282df13191fc52d5ba28ec536 upstream. + +Olivier Langlois has been struggling with coredumps being incompletely written in +processes using io_uring. + +Olivier Langlois writes: +> io_uring is a big user of task_work and any event that io_uring made a +> task waiting for that occurs during the core dump generation will +> generate a TIF_NOTIFY_SIGNAL. +> +> Here are the detailed steps of the problem: +> 1. io_uring calls vfs_poll() to install a task to a file wait queue +> with io_async_wake() as the wakeup function cb from io_arm_poll_handler() +> 2. wakeup function ends up calling task_work_add() with TWA_SIGNAL +> 3. task_work_add() sets the TIF_NOTIFY_SIGNAL bit by calling +> set_notify_signal() + +The coredump code deliberately supports being interrupted by SIGKILL, +and depends upon prepare_signal to filter out all other signals. Now +that signal_pending includes wake ups for TIF_NOTIFY_SIGNAL this hack +in dump_emitted by the coredump code no longer works. + +Make the coredump code more robust by explicitly testing for all of +the wakeup conditions the coredump code supports. This prevents +new wakeup conditions from breaking the coredump code, as well +as fixing the current issue. + +The filesystem code that the coredump code uses already limits +itself to only aborting on fatal_signal_pending. So it should +not develop surprising wake-up reasons either. + +v2: Don't remove the now unnecessary code in prepare_signal. + +Cc: stable@vger.kernel.org +Fixes: 12db8b690010 ("entry: Add support for TIF_NOTIFY_SIGNAL") +Reported-by: Olivier Langlois +Signed-off-by: "Eric W. 
Biederman" +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/coredump.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/coredump.c ++++ b/fs/coredump.c +@@ -519,7 +519,7 @@ static bool dump_interrupted(void) + * but then we need to teach dump_write() to restart and clear + * TIF_SIGPENDING. + */ +- return signal_pending(current); ++ return fatal_signal_pending(current) || freezing(current); + } + + static void wait_for_dump_helpers(struct file *file) diff --git a/queue-5.12/drm-fix-use-after-free-read-in-drm_getunique.patch b/queue-5.12/drm-fix-use-after-free-read-in-drm_getunique.patch new file mode 100644 index 00000000000..1823311a5dd --- /dev/null +++ b/queue-5.12/drm-fix-use-after-free-read-in-drm_getunique.patch 
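Review bot: The comment that ends just above the changed `return` in dump_interrupted() still talks about restarting dump_write() and clearing TIF_SIGPENDING, and nothing in it explains the new condition. Since the point of the change is that only a fixed set of wakeups may abort a dump, that belongs where the condition lives, for example `/* Only a fatal signal or the freezer may interrupt a core dump; other wakeups such as TIF_NOTIFY_SIGNAL must not truncate it. */`. Without it, a later change back to `signal_pending()` looks harmless. The start of dump_interrupted() and of that comment are outside the hunk.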
@@ -0,0 +1,62 @@ +From b436acd1cf7fac0ba987abd22955d98025c80c2b Mon Sep 17 00:00:00 2001 +From: Desmond Cheong Zhi Xi +Date: Tue, 8 Jun 2021 19:04:36 +0800 +Subject: drm: Fix use-after-free read in drm_getunique() + +From: Desmond Cheong Zhi Xi + +commit b436acd1cf7fac0ba987abd22955d98025c80c2b upstream. + +There is a time-of-check-to-time-of-use error in drm_getunique() due +to retrieving file_priv->master prior to locking the device's master +mutex. + +An example can be seen in the crash report of the use-after-free error +found by Syzbot: +https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803 + +In the report, the master pointer was used after being freed. This is +because another process had acquired the device's master mutex in +drm_setmaster_ioctl(), then overwrote fpriv->master in +drm_new_set_master(). The old value of fpriv->master was subsequently +freed before the mutex was unlocked. + +To fix this, we lock the device's master mutex before retrieving the +pointer from from fpriv->master. This patch passes the Syzbot +reproducer test. 
+ +Reported-by: syzbot+c3a706cec1ea99e1c693@syzkaller.appspotmail.com +Signed-off-by: Desmond Cheong Zhi Xi +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20210608110436.239583-1-desmondcheongzx@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_ioctl.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/drm_ioctl.c ++++ b/drivers/gpu/drm/drm_ioctl.c +@@ -118,17 +118,18 @@ int drm_getunique(struct drm_device *dev + struct drm_file *file_priv) + { + struct drm_unique *u = data; +- struct drm_master *master = file_priv->master; ++ struct drm_master *master; + +- mutex_lock(&master->dev->master_mutex); ++ mutex_lock(&dev->master_mutex); ++ master = file_priv->master; + if (u->unique_len >= master->unique_len) { + if (copy_to_user(u->unique, master->unique, master->unique_len)) { +- mutex_unlock(&master->dev->master_mutex); ++ mutex_unlock(&dev->master_mutex); + return -EFAULT; + } + } + u->unique_len = master->unique_len; +- mutex_unlock(&master->dev->master_mutex); ++ mutex_unlock(&dev->master_mutex); + + return 0; + } diff --git a/queue-5.12/drm-lock-pointer-access-in-drm_master_release.patch b/queue-5.12/drm-lock-pointer-access-in-drm_master_release.patch new file mode 100644 index 00000000000..072c982b6bd --- /dev/null +++ b/queue-5.12/drm-lock-pointer-access-in-drm_master_release.patch 
@@ -0,0 +1,52 @@ +From c336a5ee984708db4826ef9e47d184e638e29717 Mon Sep 17 00:00:00 2001 +From: Desmond Cheong Zhi Xi +Date: Wed, 9 Jun 2021 17:21:19 +0800 +Subject: drm: Lock pointer access in drm_master_release() + +From: Desmond Cheong Zhi Xi + +commit c336a5ee984708db4826ef9e47d184e638e29717 upstream. + +This patch eliminates the following smatch warning: +drivers/gpu/drm/drm_auth.c:320 drm_master_release() warn: unlocked access 'master' (line 318) expected lock '&dev->master_mutex' + +The 'file_priv->master' field should be protected by the mutex lock to +'&dev->master_mutex'. This is because other processes can concurrently +modify this field and free the current 'file_priv->master' +pointer. This could result in a use-after-free error when 'master' is +dereferenced in subsequent function calls to +'drm_legacy_lock_master_cleanup()' or to 'drm_lease_revoke()'. + +An example of a scenario that would produce this error can be seen +from a similar bug in 'drm_getunique()' that was reported by Syzbot: +https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803 + +In the Syzbot report, another process concurrently acquired the +device's master mutex in 'drm_setmaster_ioctl()', then overwrote +'fpriv->master' in 'drm_new_set_master()'. The old value of +'fpriv->master' was subsequently freed before the mutex was unlocked. 
+ +Reported-by: Dan Carpenter +Signed-off-by: Desmond Cheong Zhi Xi +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20210609092119.173590-1-desmondcheongzx@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_auth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_auth.c ++++ b/drivers/gpu/drm/drm_auth.c +@@ -314,9 +314,10 @@ int drm_master_open(struct drm_file *fil + void drm_master_release(struct drm_file *file_priv) + { + struct drm_device *dev = file_priv->minor->dev; +- struct drm_master *master = file_priv->master; ++ struct drm_master *master; + + mutex_lock(&dev->master_mutex); ++ master = file_priv->master; + if (file_priv->magic) + idr_remove(&file_priv->master->magic_map, file_priv->magic); + diff --git a/queue-5.12/ftrace-do-not-blindly-read-the-ip-address-in-ftrace_bug.patch b/queue-5.12/ftrace-do-not-blindly-read-the-ip-address-in-ftrace_bug.patch new file mode 100644 index 00000000000..47a8cd746cb --- /dev/null +++ b/queue-5.12/ftrace-do-not-blindly-read-the-ip-address-in-ftrace_bug.patch 
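Review bot: After this change `master` is loaded under `dev->master_mutex`, but the very next statement in drm_master_release() still dereferences the field directly: `idr_remove(&file_priv->master->magic_map, file_priv->magic);`. That is safe because the mutex is held at that point, yet it leaves two spellings of the same pointer inside one critical section, which is the pattern the smatch warning was about. Using the local, `idr_remove(&master->magic_map, file_priv->magic);`, makes it obvious that every access goes through the value read under the lock. The rest of drm_master_release() is outside the hunk.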
@@ -0,0 +1,55 @@ +From 6c14133d2d3f768e0a35128faac8aa6ed4815051 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Mon, 7 Jun 2021 21:39:08 -0400 +Subject: ftrace: Do not blindly read the ip address in ftrace_bug() + +From: Steven Rostedt (VMware) + +commit 6c14133d2d3f768e0a35128faac8aa6ed4815051 upstream. + +It was reported that a bug on arm64 caused a bad ip address to be used for +updating into a nop in ftrace_init(), but the error path (rightfully) +returned -EINVAL and not -EFAULT, as the bug caused more than one error to +occur. But because -EINVAL was returned, the ftrace_bug() tried to report +what was at the location of the ip address, and read it directly. This +caused the machine to panic, as the ip was not pointing to a valid memory +address. + +Instead, read the ip address with copy_from_kernel_nofault() to safely +access the memory, and if it faults, report that the address faulted, +otherwise report what was in that location. + +Link: https://lore.kernel.org/lkml/20210607032329.28671-1-mark-pk.tsai@mediatek.com/ + +Cc: stable@vger.kernel.org +Fixes: 05736a427f7e1 ("ftrace: warn on failure to disable mcount callers") +Reported-by: Mark-PK Tsai +Tested-by: Mark-PK Tsai +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -1967,12 +1967,18 @@ static int ftrace_hash_ipmodify_update(s + + static void print_ip_ins(const char *fmt, const unsigned char *p) + { ++ char ins[MCOUNT_INSN_SIZE]; + int i; + ++ if (copy_from_kernel_nofault(ins, p, MCOUNT_INSN_SIZE)) { ++ printk(KERN_CONT "%s[FAULT] %px\n", fmt, p); ++ return; ++ } ++ + printk(KERN_CONT "%s", fmt); + + for (i = 0; i < MCOUNT_INSN_SIZE; i++) +- printk(KERN_CONT "%s%02x", i ? ":" : "", p[i]); ++ printk(KERN_CONT "%s%02x", i ? ":" : "", ins[i]); + } + + enum ftrace_bug_type ftrace_bug_type; 
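Review bot: The bounce buffer added to print_ip_ins() is declared `char ins[MCOUNT_INSN_SIZE];` but is printed with `%02x`, whereas the pointer it replaces is `const unsigned char *p`. Where plain `char` is signed, any instruction byte of 0x80 or above is sign-extended when promoted to int and prints as `ffffffXX`, so the instruction dump in the ftrace_bug() report becomes misleading on exactly the path meant to aid debugging. Declaring it `unsigned char ins[MCOUNT_INSN_SIZE];` keeps the output identical to what the old code printed.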
diff --git a/queue-5.12/kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch b/queue-5.12/kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch
new file mode 100644
index 00000000000..880ccba3c6f
--- /dev/null
+++ b/queue-5.12/kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch
@@ -0,0 +1,75 @@
+From da27a83fd6cc7780fea190e1f5c19e87019da65c Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Tue, 8 Jun 2021 15:31:42 -0400
+Subject: kvm: avoid speculation-based attacks from out-of-range memslot accesses
+
+From: Paolo Bonzini
+
+commit da27a83fd6cc7780fea190e1f5c19e87019da65c upstream.
+
+KVM's mechanism for accessing guest memory translates a guest physical
+address (gpa) to a host virtual address using the right-shifted gpa
+(also known as gfn) and a struct kvm_memory_slot. The translation is
+performed in __gfn_to_hva_memslot using the following formula:
+
+ hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE
+
+It is expected that gfn falls within the boundaries of the guest's
+physical memory. However, a guest can access invalid physical addresses
+in such a way that the gfn is invalid.
+
+__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first
+retrieves a memslot through __gfn_to_memslot. While __gfn_to_memslot
+does check that the gfn falls within the boundaries of the guest's
+physical memory or not, a CPU can speculate the result of the check and
+continue execution speculatively using an illegal gfn. The speculation
+can result in calculating an out-of-bounds hva. If the resulting host
+virtual address is used to load another guest physical address, this
+is effectively a Spectre gadget consisting of two consecutive reads,
+the second of which is data dependent on the first.
+
+Right now it's not clear if there are any cases in which this is
+exploitable. One interesting case was reported by the original author
+of this patch, and involves visiting guest page tables on x86. Right
+now these are not vulnerable because the hva read goes through get_user(),
+which contains an LFENCE speculation barrier. However, there are
+patches in progress for x86 uaccess.h to mask kernel addresses instead of
+using LFENCE; once these land, a guest could use speculation to read
+from the VMM's ring 3 address space. Other architectures such as ARM
+already use the address masking method, and would be susceptible to
+this same kind of data-dependent access gadgets. Therefore, this patch
+proactively protects from these attacks by masking out-of-bounds gfns
+in __gfn_to_hva_memslot, which blocks speculation of invalid hvas.
+
+Sean Christopherson noted that this patch does not cover
+kvm_read_guest_offset_cached. This however is limited to a few bytes
+past the end of the cache, and therefore it is unlikely to be useful in
+the context of building a chain of data dependent accesses.
+
+Reported-by: Artemiy Margaritov
+Co-developed-by: Artemiy Margaritov
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/kvm_host.h | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -1118,7 +1118,15 @@ __gfn_to_memslot(struct kvm_memslots *sl
+ static inline unsigned long
+ __gfn_to_hva_memslot(struct kvm_memory_slot *slot, gfn_t gfn)
+ {
+- return slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE;
++ /*
++ * The index was checked originally in search_memslots. To avoid
++ * that a malicious guest builds a Spectre gadget out of e.g. page
++ * table walks, do not let the processor speculate loads outside
++ * the guest's registered memslots.
++ */
++ unsigned long offset = array_index_nospec(gfn - slot->base_gfn,
++ slot->npages);
++ return slot->userspace_addr + offset * PAGE_SIZE;
+ }
+
+ static inline int memslot_id(struct kvm *kvm, gfn_t gfn)
diff --git a/queue-5.12/kvm-x86-mmu-use-the-correct-inherited-permissions-to-get-shadow-page.patch b/queue-5.12/kvm-x86-mmu-use-the-correct-inherited-permissions-to-get-shadow-page.patch
new file mode 100644
index 00000000000..6b74c63808e
--- /dev/null
+++ b/queue-5.12/kvm-x86-mmu-use-the-correct-inherited-permissions-to-get-shadow-page.patch
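Review bot: In __gfn_to_hva_memslot() the index handed to `array_index_nospec()` is the expression `gfn - slot->base_gfn`, which has type gfn_t, a 64-bit type declared outside this hunk. array_index_nospec() refuses at build time an index wider than `long`, so this form is likely to break 32-bit hosts. Narrowing before masking avoids that without weakening the protection: `unsigned long offset = gfn - slot->base_gfn;` followed by `offset = array_index_nospec(offset, slot->npages);`. The comment could also say that an out-of-range index is forced to 0 only on the speculative path, so the architectural bounds check in search_memslots stays the authoritative one.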
@@ -0,0 +1,149 @@
+From b1bd5cba3306691c771d558e94baa73e8b0b96b7 Mon Sep 17 00:00:00 2001
+From: Lai Jiangshan
+Date: Thu, 3 Jun 2021 13:24:55 +0800
+Subject: KVM: X86: MMU: Use the correct inherited permissions to get shadow page
+
+From: Lai Jiangshan
+
+commit b1bd5cba3306691c771d558e94baa73e8b0b96b7 upstream.
+
+When computing the access permissions of a shadow page, use the effective
+permissions of the walk up to that point, i.e. the logic AND of its parents'
+permissions. Two guest PxE entries that point at the same table gfn need to
+be shadowed with different shadow pages if their parents' permissions are
+different. KVM currently uses the effective permissions of the last
+non-leaf entry for all non-leaf entries. Because all non-leaf SPTEs have
+full ("uwx") permissions, and the effective permissions are recorded only
+in role.access and merged into the leaves, this can lead to incorrect
+reuse of a shadow page and eventually to a missing guest protection page
+fault.
+
+For example, here is a shared pagetable:
+
+ pgd[] pud[] pmd[] virtual address pointers
+ /->pmd1(u--)->pte1(uw-)->page1 <- ptr1 (u--)
+ /->pud1(uw-)--->pmd2(uw-)->pte2(uw-)->page2 <- ptr2 (uw-)
+ pgd-| (shared pmd[] as above)
+ \->pud2(u--)--->pmd1(u--)->pte1(uw-)->page1 <- ptr3 (u--)
+ \->pmd2(uw-)->pte2(uw-)->page2 <- ptr4 (u--)
+
+ pud1 and pud2 point to the same pmd table, so:
+ - ptr1 and ptr3 points to the same page.
+ - ptr2 and ptr4 points to the same page.
+
+(pud1 and pud2 here are pud entries, while pmd1 and pmd2 here are pmd entries)
+
+- First, the guest reads from ptr1 first and KVM prepares a shadow
+ page table with role.access=u--, from ptr1's pud1 and ptr1's pmd1.
+ "u--" comes from the effective permissions of pgd, pud1 and
+ pmd1, which are stored in pt->access. "u--" is used also to get
+ the pagetable for pud1, instead of "uw-".
+
+- Then the guest writes to ptr2 and KVM reuses pud1 which is present.
+ The hypervisor set up a shadow page for ptr2 with pt->access is "uw-"
+ even though the pud1 pmd (because of the incorrect argument to
+ kvm_mmu_get_page in the previous step) has role.access="u--".
+
+- Then the guest reads from ptr3. The hypervisor reuses pud1's
+ shadow pmd for pud2, because both use "u--" for their permissions.
+ Thus, the shadow pmd already includes entries for both pmd1 and pmd2.
+
+- At last, the guest writes to ptr4. This causes no vmexit or pagefault,
+ because pud1's shadow page structures included an "uw-" page even though
+ its role.access was "u--".
+
+Any kind of shared pagetable might have the similar problem when in
+virtual machine without TDP enabled if the permissions are different
+from different ancestors.
+
+In order to fix the problem, we change pt->access to be an array, and
+any access in it will not include permissions ANDed from child ptes.
+
+The test code is: https://lore.kernel.org/kvm/20210603050537.19605-1-jiangshanlai@gmail.com/
+Remember to test it with TDP disabled.
+
+The problem had existed long before the commit 41074d07c78b ("KVM: MMU:
+Fix inherited permissions for emulated guest pte updates"), and it
+is hard to find which is the culprit. So there is no fixes tag here.
+
+Signed-off-by: Lai Jiangshan
+Message-Id: <20210603052455.21023-1-jiangshanlai@gmail.com>
+Cc: stable@vger.kernel.org
+Fixes: cea0f0e7ea54 ("[PATCH] KVM: MMU: Shadow page table caching")
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/virt/kvm/mmu.rst | 4 ++--
+ arch/x86/kvm/mmu/paging_tmpl.h | 14 +++++++++-----
+ 2 files changed, 11 insertions(+), 7 deletions(-)
+
+--- a/Documentation/virt/kvm/mmu.rst
++++ b/Documentation/virt/kvm/mmu.rst
+@@ -171,8 +171,8 @@ Shadow pages contain the following infor
+ shadow pages) so role.quadrant takes values in the range 0..3. Each
+ quadrant maps 1GB virtual address space.
+ role.access:
+- Inherited guest access permissions in the form uwx. Note execute
+- permission is positive, not negative.
++ Inherited guest access permissions from the parent ptes in the form uwx.
++ Note execute permission is positive, not negative.
+ role.invalid:
+ The page is invalid and should not be used. It is a root page that is
+ currently pinned (by a cpu hardware register pointing to it); once it is
+--- a/arch/x86/kvm/mmu/paging_tmpl.h
++++ b/arch/x86/kvm/mmu/paging_tmpl.h
+@@ -90,8 +90,8 @@ struct guest_walker {
+ gpa_t pte_gpa[PT_MAX_FULL_LEVELS];
+ pt_element_t __user *ptep_user[PT_MAX_FULL_LEVELS];
+ bool pte_writable[PT_MAX_FULL_LEVELS];
+- unsigned pt_access;
+- unsigned pte_access;
++ unsigned int pt_access[PT_MAX_FULL_LEVELS];
++ unsigned int pte_access;
+ gfn_t gfn;
+ struct x86_exception fault;
+ };
+@@ -418,13 +418,15 @@ retry_walk:
+ }
+
+ walker->ptes[walker->level - 1] = pte;
++
++ /* Convert to ACC_*_MASK flags for struct guest_walker. */
++ walker->pt_access[walker->level - 1] = FNAME(gpte_access)(pt_access ^ walk_nx_mask);
+ } while (!is_last_gpte(mmu, walker->level, pte));
+
+ pte_pkey = FNAME(gpte_pkeys)(vcpu, pte);
+ accessed_dirty = have_ad ? pte_access & PT_GUEST_ACCESSED_MASK : 0;
+
+ /* Convert to ACC_*_MASK flags for struct guest_walker. */
+- walker->pt_access = FNAME(gpte_access)(pt_access ^ walk_nx_mask);
+ walker->pte_access = FNAME(gpte_access)(pte_access ^ walk_nx_mask);
+ errcode = permission_fault(vcpu, mmu, walker->pte_access, pte_pkey, access);
+ if (unlikely(errcode))
+@@ -463,7 +465,8 @@ retry_walk:
+ }
+
+ pgprintk("%s: pte %llx pte_access %x pt_access %x\n",
+- __func__, (u64)pte, walker->pte_access, walker->pt_access);
++ __func__, (u64)pte, walker->pte_access,
++ walker->pt_access[walker->level - 1]);
+ return 1;
+
+ error:
+@@ -642,7 +645,7 @@ static int FNAME(fetch)(struct kvm_vcpu
+ bool huge_page_disallowed = exec && nx_huge_page_workaround_enabled;
+ struct kvm_mmu_page *sp = NULL;
+ struct kvm_shadow_walk_iterator it;
+- unsigned direct_access, access = gw->pt_access;
++ unsigned int direct_access, access;
+ int top_level, level, req_level, ret;
+ gfn_t base_gfn = gw->gfn;
+
+@@ -674,6 +677,7 @@ static int FNAME(fetch)(struct kvm_vcpu
+ sp = NULL;
+ if (!is_shadow_present_pte(*it.sptep)) {
+ table_gfn = gw->table_gfn[it.level - 2];
++ access = gw->pt_access[it.level - 2];
+ sp = kvm_mmu_get_page(vcpu, table_gfn, addr, it.level-1,
+ false, access);
+ }
diff --git a/queue-5.12/kvm-x86-unload-mmu-on-guest-tlb-flush-if-tdp-disabled-to-force-mmu-sync.patch b/queue-5.12/kvm-x86-unload-mmu-on-guest-tlb-flush-if-tdp-disabled-to-force-mmu-sync.patch
new file mode 100644
index 00000000000..29d05fcf556
--- /dev/null
+++ b/queue-5.12/kvm-x86-unload-mmu-on-guest-tlb-flush-if-tdp-disabled-to-force-mmu-sync.patch
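Review bot: In FNAME(fetch), `access` loses its initialiser (`unsigned int direct_access, access;`) and is now assigned only inside the `!is_shadow_present_pte(*it.sptep)` branch, right before its one visible use in kvm_mmu_get_page(). Declaring it inside that block, or passing `gw->pt_access[it.level - 2]` directly, would rule out any later read of an unset value. The new `pt_access[PT_MAX_FULL_LEVELS]` member of struct guest_walker also has no comment; something like `/* per level: permissions inherited from the parent gptes, child ptes not ANDed in */` would record what the commit description says it holds. Both the walker loop and fetch() extend beyond the hunks shown.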
@@ -0,0 +1,67 @@
+From b53e84eed08b88fd3ff59e5c2a7f1a69d4004e32 Mon Sep 17 00:00:00 2001
+From: Lai Jiangshan
+Date: Tue, 1 Jun 2021 01:22:56 +0800
+Subject: KVM: x86: Unload MMU on guest TLB flush if TDP disabled to force MMU sync
+
+From: Lai Jiangshan
+
+commit b53e84eed08b88fd3ff59e5c2a7f1a69d4004e32 upstream.
+
+When using shadow paging, unload the guest MMU when emulating a guest TLB
+flush to ensure all roots are synchronized. From the guest's perspective,
+flushing the TLB ensures any and all modifications to its PTEs will be
+recognized by the CPU.
+
+Note, unloading the MMU is overkill, but is done to mirror KVM's existing
+handling of INVPCID(all) and ensure the bug is squashed. Future cleanup
+can be done to more precisely synchronize roots when servicing a guest
+TLB flush.
+
+If TDP is enabled, synchronizing the MMU is unnecessary even if nested
+TDP is in play, as a "legacy" TLB flush from L1 does not invalidate L1's
+TDP mappings. For EPT, an explicit INVEPT is required to invalidate
+guest-physical mappings; for NPT, guest mappings are always tagged with
+an ASID and thus can only be invalidated via the VMCB's ASID control.
+
+This bug has existed since the introduction of KVM_VCPU_FLUSH_TLB.
+It was only recently exposed after Linux guests stopped flushing the
+local CPU's TLB prior to flushing remote TLBs (see commit 4ce94eabac16,
+"x86/mm/tlb: Flush remote and local TLBs concurrently"), but is also
+visible in Windows 10 guests.
+
+Tested-by: Maxim Levitsky
+Reviewed-by: Maxim Levitsky
+Fixes: f38a7b75267f ("KVM: X86: support paravirtualized help for TLB shootdowns")
+Signed-off-by: Lai Jiangshan
+[sean: massaged comment and changelog]
+Message-Id: <20210531172256.2908-1-jiangshanlai@gmail.com>
+Signed-off-by: Sean Christopherson
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/x86.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2982,6 +2982,19 @@ static void kvm_vcpu_flush_tlb_all(struc
+ static void kvm_vcpu_flush_tlb_guest(struct kvm_vcpu *vcpu)
+ {
+ ++vcpu->stat.tlb_flush;
++
++ if (!tdp_enabled) {
++ /*
++ * A TLB flush on behalf of the guest is equivalent to
++ * INVPCID(all), toggling CR4.PGE, etc., which requires
++ * a forced sync of the shadow page tables. Unload the
++ * entire MMU here and the subsequent load will sync the
++ * shadow page tables, and also flush the TLB.
++ */
++ kvm_mmu_unload(vcpu);
++ return;
++ }
++
+ static_call(kvm_x86_tlb_flush_guest)(vcpu);
+ }
+
diff --git a/queue-5.12/misc-rtsx-separate-aspm-mode-into-mode_reg-and-mode_cfg.patch b/queue-5.12/misc-rtsx-separate-aspm-mode-into-mode_reg-and-mode_cfg.patch
new file mode 100644
index 00000000000..e2d5452f988
--- /dev/null
+++ b/queue-5.12/misc-rtsx-separate-aspm-mode-into-mode_reg-and-mode_cfg.patch
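Review bot: The comment added in kvm_vcpu_flush_tlb_guest() explains why the shadow MMU is unloaded, but it does not say that this is knowingly heavier than needed; only the changelog does. Because the early `return` also bypasses `static_call(kvm_x86_tlb_flush_guest)`, the full cost is paid on every guest-requested flush when `tdp_enabled` is false. I would extend the comment with a line such as `Unloading is more than strictly required; it mirrors the INVPCID(all) handling and can be narrowed to a root sync later.` so the trade-off is visible where the code lives.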
@@ -0,0 +1,247 @@
+From 3df4fce739e2b263120f528c5e0fe6b2f8937b5b Mon Sep 17 00:00:00 2001
+From: Ricky Wu
+Date: Mon, 7 Jun 2021 18:16:34 +0800
+Subject: misc: rtsx: separate aspm mode into MODE_REG and MODE_CFG
+
+From: Ricky Wu
+
+commit 3df4fce739e2b263120f528c5e0fe6b2f8937b5b upstream.
+
+aspm (Active State Power Management)
+rtsx_comm_set_aspm: this function is for driver to make sure
+not enter power saving when processing of init and card_detcct
+ASPM_MODE_CFG: 8411 5209 5227 5229 5249 5250
+Change back to use original way to control aspm
+ASPM_MODE_REG: 5227A 524A 5250A 5260 5261 5228
+Keep the new way to control aspm
+
+Fixes: 121e9c6b5c4c ("misc: rtsx: modify and fix init_hw function")
+Reported-by: Chris Chiu
+Tested-by: Gordon Lack
+Cc: stable
+Signed-off-by: Ricky Wu
+Link: https://lore.kernel.org/r/20210607101634.4948-1-ricky_wu@realtek.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/cardreader/rtl8411.c | 1
+ drivers/misc/cardreader/rts5209.c | 1
+ drivers/misc/cardreader/rts5227.c | 2 +
+ drivers/misc/cardreader/rts5228.c | 1
+ drivers/misc/cardreader/rts5229.c | 1
+ drivers/misc/cardreader/rts5249.c | 3 ++
+ drivers/misc/cardreader/rts5260.c | 1
+ drivers/misc/cardreader/rts5261.c | 1
+ drivers/misc/cardreader/rtsx_pcr.c | 44 ++++++++++++++++++++++++++-----------
+ include/linux/rtsx_pci.h | 2 +
+ 10 files changed, 44 insertions(+), 13 deletions(-)
+
+--- a/drivers/misc/cardreader/rtl8411.c
++++ b/drivers/misc/cardreader/rtl8411.c
+@@ -468,6 +468,7 @@ static void rtl8411_init_common_params(s
+ pcr->sd30_drive_sel_1v8 = DRIVER_TYPE_B;
+ pcr->sd30_drive_sel_3v3 = DRIVER_TYPE_D;
+ pcr->aspm_en = ASPM_L1_EN;
++ pcr->aspm_mode = ASPM_MODE_CFG;
+ pcr->tx_initial_phase = SET_CLOCK_PHASE(23, 7, 14);
+ pcr->rx_initial_phase = SET_CLOCK_PHASE(4, 3, 10);
+ pcr->ic_version = rtl8411_get_ic_version(pcr);
+--- a/drivers/misc/cardreader/rts5209.c
++++ b/drivers/misc/cardreader/rts5209.c
+@@ -255,6 +255,7 @@ void rts5209_init_params(struct rtsx_pcr
+ pcr->sd30_drive_sel_1v8 = DRIVER_TYPE_B;
+ pcr->sd30_drive_sel_3v3 = DRIVER_TYPE_D;
+ pcr->aspm_en = ASPM_L1_EN;
++ pcr->aspm_mode = ASPM_MODE_CFG;
+ pcr->tx_initial_phase = SET_CLOCK_PHASE(27, 27, 16);
+ pcr->rx_initial_phase = SET_CLOCK_PHASE(24, 6, 5);
+
+--- a/drivers/misc/cardreader/rts5227.c
++++ b/drivers/misc/cardreader/rts5227.c
+@@ -358,6 +358,7 @@ void rts5227_init_params(struct rtsx_pcr
+ pcr->sd30_drive_sel_1v8 = CFG_DRIVER_TYPE_B;
+ pcr->sd30_drive_sel_3v3 = CFG_DRIVER_TYPE_B;
+ pcr->aspm_en = ASPM_L1_EN;
++ pcr->aspm_mode = ASPM_MODE_CFG;
+ pcr->tx_initial_phase = SET_CLOCK_PHASE(27, 27, 15);
+ pcr->rx_initial_phase = SET_CLOCK_PHASE(30, 7, 7);
+
+@@ -483,6 +484,7 @@ void rts522a_init_params(struct rtsx_pcr
+
+ rts5227_init_params(pcr);
+ pcr->ops = &rts522a_pcr_ops;
++ pcr->aspm_mode = ASPM_MODE_REG;
+ pcr->tx_initial_phase = SET_CLOCK_PHASE(20, 20, 11);
+ pcr->reg_pm_ctrl3 = RTS522A_PM_CTRL3;
+
+--- a/drivers/misc/cardreader/rts5228.c
++++ b/drivers/misc/cardreader/rts5228.c
+@@ -718,6 +718,7 @@ void rts5228_init_params(struct rtsx_pcr
+ pcr->sd30_drive_sel_1v8 = CFG_DRIVER_TYPE_B;
+ pcr->sd30_drive_sel_3v3 = CFG_DRIVER_TYPE_B;
+ pcr->aspm_en = ASPM_L1_EN;
++ pcr->aspm_mode = ASPM_MODE_REG;
+ pcr->tx_initial_phase = SET_CLOCK_PHASE(28, 27, 11);
+ pcr->rx_initial_phase = SET_CLOCK_PHASE(24, 6, 5);
+
+--- a/drivers/misc/cardreader/rts5229.c
++++ b/drivers/misc/cardreader/rts5229.c
+@@ -246,6 +246,7 @@ void rts5229_init_params(struct rtsx_pcr
+ pcr->sd30_drive_sel_1v8 = DRIVER_TYPE_B;
+ pcr->sd30_drive_sel_3v3 = DRIVER_TYPE_D;
+ pcr->aspm_en = ASPM_L1_EN;
++ pcr->aspm_mode = ASPM_MODE_CFG;
+ pcr->tx_initial_phase = SET_CLOCK_PHASE(27, 27, 15);
+ pcr->rx_initial_phase = SET_CLOCK_PHASE(30, 6, 6);
+
+--- a/drivers/misc/cardreader/rts5249.c
++++ b/drivers/misc/cardreader/rts5249.c
+@@ -566,6 +566,7 @@ void rts5249_init_params(struct rtsx_pcr
+ pcr->sd30_drive_sel_1v8 = CFG_DRIVER_TYPE_B;
+ pcr->sd30_drive_sel_3v3 = CFG_DRIVER_TYPE_B;
+ pcr->aspm_en = ASPM_L1_EN;
++ pcr->aspm_mode = ASPM_MODE_CFG;
+ pcr->tx_initial_phase = SET_CLOCK_PHASE(1, 29, 16);
+ pcr->rx_initial_phase = SET_CLOCK_PHASE(24, 6, 5);
+
+@@ -729,6 +730,7 @@ static const struct pcr_ops rts524a_pcr_
+ void rts524a_init_params(struct rtsx_pcr *pcr)
+ {
+ rts5249_init_params(pcr);
++ pcr->aspm_mode = ASPM_MODE_REG;
+ pcr->tx_initial_phase = SET_CLOCK_PHASE(27, 29, 11);
+ pcr->option.ltr_l1off_sspwrgate = LTR_L1OFF_SSPWRGATE_5250_DEF;
+ pcr->option.ltr_l1off_snooze_sspwrgate =
+@@ -845,6 +847,7 @@ static const struct pcr_ops rts525a_pcr_
+ void rts525a_init_params(struct rtsx_pcr *pcr)
+ {
+ rts5249_init_params(pcr);
++ pcr->aspm_mode = ASPM_MODE_REG;
+ pcr->tx_initial_phase = SET_CLOCK_PHASE(25, 29, 11);
+ pcr->option.ltr_l1off_sspwrgate = LTR_L1OFF_SSPWRGATE_5250_DEF;
+ pcr->option.ltr_l1off_snooze_sspwrgate =
+--- a/drivers/misc/cardreader/rts5260.c
++++ b/drivers/misc/cardreader/rts5260.c
+@@ -628,6 +628,7 @@ void rts5260_init_params(struct rtsx_pcr
+ pcr->sd30_drive_sel_1v8 = CFG_DRIVER_TYPE_B;
+ pcr->sd30_drive_sel_3v3 = CFG_DRIVER_TYPE_B;
+ pcr->aspm_en = ASPM_L1_EN;
++ pcr->aspm_mode = ASPM_MODE_REG;
+ pcr->tx_initial_phase = SET_CLOCK_PHASE(27, 29, 11);
+ pcr->rx_initial_phase = SET_CLOCK_PHASE(24, 6, 5);
+
+--- a/drivers/misc/cardreader/rts5261.c
++++ b/drivers/misc/cardreader/rts5261.c
+@@ -783,6 +783,7 @@ void rts5261_init_params(struct rtsx_pcr
+ pcr->sd30_drive_sel_1v8 = 0x00;
+ pcr->sd30_drive_sel_3v3 = 0x00;
+ pcr->aspm_en = ASPM_L1_EN;
++ pcr->aspm_mode = ASPM_MODE_REG;
+ pcr->tx_initial_phase = SET_CLOCK_PHASE(27, 27, 11);
+ pcr->rx_initial_phase = SET_CLOCK_PHASE(24, 6, 5);
+
+--- a/drivers/misc/cardreader/rtsx_pcr.c
++++ b/drivers/misc/cardreader/rtsx_pcr.c
+@@ -85,12 +85,18 @@ static void rtsx_comm_set_aspm(struct rt
+ if (pcr->aspm_enabled == enable)
+ return;
+
+- if (pcr->aspm_en & 0x02)
+- rtsx_pci_write_register(pcr, ASPM_FORCE_CTL, FORCE_ASPM_CTL0 |
+- FORCE_ASPM_CTL1, enable ? 0 : FORCE_ASPM_CTL0 | FORCE_ASPM_CTL1);
+- else
+- rtsx_pci_write_register(pcr, ASPM_FORCE_CTL, FORCE_ASPM_CTL0 |
+- FORCE_ASPM_CTL1, FORCE_ASPM_CTL0 | FORCE_ASPM_CTL1);
++ if (pcr->aspm_mode == ASPM_MODE_CFG) {
++ pcie_capability_clear_and_set_word(pcr->pci, PCI_EXP_LNKCTL,
++ PCI_EXP_LNKCTL_ASPMC,
++ enable ? pcr->aspm_en : 0);
++ } else if (pcr->aspm_mode == ASPM_MODE_REG) {
++ if (pcr->aspm_en & 0x02)
++ rtsx_pci_write_register(pcr, ASPM_FORCE_CTL, FORCE_ASPM_CTL0 |
++ FORCE_ASPM_CTL1, enable ? 0 : FORCE_ASPM_CTL0 | FORCE_ASPM_CTL1);
++ else
++ rtsx_pci_write_register(pcr, ASPM_FORCE_CTL, FORCE_ASPM_CTL0 |
++ FORCE_ASPM_CTL1, FORCE_ASPM_CTL0 | FORCE_ASPM_CTL1);
++ }
+
+ if (!enable && (pcr->aspm_en & 0x02))
+ mdelay(10);
+@@ -1394,7 +1400,8 @@ static int rtsx_pci_init_hw(struct rtsx_
+ return err;
+ }
+
+- rtsx_pci_write_register(pcr, ASPM_FORCE_CTL, 0x30, 0x30);
++ if (pcr->aspm_mode == ASPM_MODE_REG)
++ rtsx_pci_write_register(pcr, ASPM_FORCE_CTL, 0x30, 0x30);
+
+ /* No CD interrupt if probing driver with card inserted.
+ * So we need to initialize pcr->card_exist here.
+@@ -1410,6 +1417,8 @@ static int rtsx_pci_init_hw(struct rtsx_
+ static int rtsx_pci_init_chip(struct rtsx_pcr *pcr)
+ {
+ int err;
++ u16 cfg_val;
++ u8 val;
+
+ spin_lock_init(&pcr->lock);
+ mutex_init(&pcr->pcr_mutex);
+@@ -1477,6 +1486,21 @@ static int rtsx_pci_init_chip(struct rts
+ if (!pcr->slots)
+ return -ENOMEM;
+
++ if (pcr->aspm_mode == ASPM_MODE_CFG) {
++ pcie_capability_read_word(pcr->pci, PCI_EXP_LNKCTL, &cfg_val);
++ if (cfg_val & PCI_EXP_LNKCTL_ASPM_L1)
++ pcr->aspm_enabled = true;
++ else
++ pcr->aspm_enabled = false;
++
++ } else if (pcr->aspm_mode == ASPM_MODE_REG) {
++ rtsx_pci_read_register(pcr, ASPM_FORCE_CTL, &val);
++ if (val & FORCE_ASPM_CTL0 && val & FORCE_ASPM_CTL1)
++ pcr->aspm_enabled = false;
++ else
++ pcr->aspm_enabled = true;
++ }
++
+ if (pcr->ops->fetch_vendor_settings)
+ pcr->ops->fetch_vendor_settings(pcr);
+
+@@ -1506,7 +1530,6 @@ static int rtsx_pci_probe(struct pci_dev
+ struct pcr_handle *handle;
+ u32 base, len;
+ int ret, i, bar = 0;
+- u8 val;
+
+ dev_dbg(&(pcidev->dev),
+ ": Realtek PCI-E Card Reader found at %s [%04x:%04x] (rev %x)\n",
+@@ -1572,11 +1595,6 @@ static int rtsx_pci_probe(struct pci_dev
+ pcr->host_cmds_addr = pcr->rtsx_resv_buf_addr;
+ pcr->host_sg_tbl_ptr = pcr->rtsx_resv_buf + HOST_CMDS_BUF_LEN;
+ pcr->host_sg_tbl_addr = pcr->rtsx_resv_buf_addr + HOST_CMDS_BUF_LEN;
+- rtsx_pci_read_register(pcr, ASPM_FORCE_CTL, &val);
+- if (val & FORCE_ASPM_CTL0 && val & FORCE_ASPM_CTL1)
+- pcr->aspm_enabled = false;
+- else
+- pcr->aspm_enabled = true;
+ pcr->card_inserted = 0;
+ pcr->card_removed = 0;
+ INIT_DELAYED_WORK(&pcr->carddet_work, rtsx_pci_card_detect);
+--- a/include/linux/rtsx_pci.h
++++ b/include/linux/rtsx_pci.h
+@@ -1109,6 +1109,7 @@ struct pcr_ops {
+ };
+
+ enum PDEV_STAT {PDEV_STAT_IDLE, PDEV_STAT_RUN};
++enum ASPM_MODE {ASPM_MODE_CFG, ASPM_MODE_REG};
+
+ #define ASPM_L1_1_EN BIT(0)
+ #define ASPM_L1_2_EN BIT(1)
+@@ -1234,6 +1235,7 @@ struct rtsx_pcr {
+ u8 card_drive_sel;
+ #define ASPM_L1_EN 0x02
+ u8 aspm_en;
++ enum ASPM_MODE aspm_mode;
+ bool aspm_enabled;
+
+ #define PCR_MS_PMOS (1 << 0)
diff --git a/queue-5.12/mmc-renesas_sdhi-abort-tuning-when-timeout-detected.patch b/queue-5.12/mmc-renesas_sdhi-abort-tuning-when-timeout-detected.patch
new file mode 100644
index 00000000000..a222d8131c3
--- /dev/null
+++ b/queue-5.12/mmc-renesas_sdhi-abort-tuning-when-timeout-detected.patch
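Review bot: In rtsx_pci_init_chip() the ASPM_MODE_REG branch tests `val` straight after `rtsx_pci_read_register(pcr, ASPM_FORCE_CTL, &val);` without checking the return value, and `u8 val;` has no initialiser. If the helper can fail without storing to `val` (its body is not part of this patch), `pcr->aspm_enabled` is derived from an indeterminate byte; the code was moved from rtsx_pci_probe() as it was, but this is the place to check the result or at least declare `u8 val = 0;`. Separately, both new `if (... == ASPM_MODE_CFG) ... else if (... == ASPM_MODE_REG)` chains have no final `else`, and `ASPM_MODE_CFG` is the enum's zero value, so a chip whose init_params never sets `aspm_mode` would presumably take the config-space path unnoticed. A comment on `enum ASPM_MODE` stating that every init_params function must set the field would make that requirement explicit.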
@@ -0,0 +1,53 @@
+From 2c9017d0b5d3fbf17e69577a42d9e610ca122810 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang
+Date: Wed, 2 Jun 2021 09:34:35 +0200
+Subject: mmc: renesas_sdhi: abort tuning when timeout detected
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wolfram Sang
+
+commit 2c9017d0b5d3fbf17e69577a42d9e610ca122810 upstream.
+
+We have to bring the eMMC from sending-data state back to transfer state
+once we detected a CRC error (timeout) during tuning. So, send a stop
+command via mmc_abort_tuning().
+
+Fixes: 4f11997773b6 ("mmc: tmio: Add tuning support")
+Reported-by Yoshihiro Shimoda
+Signed-off-by: Wolfram Sang
+Reviewed-by: Niklas Söderlund
+Reviewed-by: Yoshihiro Shimoda
+Tested-by: Yoshihiro Shimoda
+Link: https://lore.kernel.org/r/20210602073435.5955-1-wsa+renesas@sang-engineering.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/renesas_sdhi_core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/renesas_sdhi_core.c
++++ b/drivers/mmc/host/renesas_sdhi_core.c
+@@ -679,14 +679,19 @@ static int renesas_sdhi_execute_tuning(s
+
+ /* Issue CMD19 twice for each tap */
+ for (i = 0; i < 2 * priv->tap_num; i++) {
++ int cmd_error;
++
+ /* Set sampling clock position */
+ sd_scc_write32(host, priv, SH_MOBILE_SDHI_SCC_TAPSET, i % priv->tap_num);
+
+- if (mmc_send_tuning(mmc, opcode, NULL) == 0)
++ if (mmc_send_tuning(mmc, opcode, &cmd_error) == 0)
+ set_bit(i, priv->taps);
+
+ if (sd_scc_read32(host, priv, SH_MOBILE_SDHI_SCC_SMPCMP) == 0)
+ set_bit(i, priv->smpcmp);
++
++ if (cmd_error)
++ mmc_abort_tuning(mmc, opcode);
+ }
+
+ ret = renesas_sdhi_select_tuning(host);
diff --git a/queue-5.12/mmc-renesas_sdhi-fix-hs400-on-r-car-m3-w.patch b/queue-5.12/mmc-renesas_sdhi-fix-hs400-on-r-car-m3-w.patch
new file mode 100644
index 00000000000..ad11f0cd56b
--- /dev/null
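Review bot: `cmd_error` is declared without an initialiser at the top of the tuning loop body and is then tested with `if (cmd_error)` after `mmc_send_tuning(mmc, opcode, &cmd_error)`. If mmc_send_tuning() can return early without writing through that pointer (its body is outside this patch), the test reads an indeterminate value and may issue a stop command that was not needed. Declaring it as `int cmd_error = 0;` makes the loop independent of that detail. renesas_sdhi_execute_tuning() begins and ends outside the hunk.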
+++ b/queue-5.12/mmc-renesas_sdhi-fix-hs400-on-r-car-m3-w.patch
@@ -0,0 +1,44 @@
+From 6687cd72aa9112a454a4646986e0402dd1b07d0e Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Fri, 4 Jun 2021 14:59:43 +0200
+Subject: mmc: renesas_sdhi: Fix HS400 on R-Car M3-W+
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven
+
+commit 6687cd72aa9112a454a4646986e0402dd1b07d0e upstream.
+
+R-Car M3-W ES3.0 is marketed as R-Car M3-W+ (R8A77961), and has its own
+compatible value "renesas,r8a77961".
+
+Hence using soc_device_match() with soc_id = "r8a7796" and revision =
+"ES3.*" does not actually match running on an R-Car M3-W+ SoC.
+
+Fix this by matching with soc_id = "r8a77961" instead.
+
+Fixes: a38c078fea0b1393 ("mmc: renesas_sdhi: Avoid bad TAP in HS400")
+Signed-off-by: Geert Uytterhoeven
+Reviewed-by: Wolfram Sang
+Reviewed-by: Niklas Söderlund
+Reviewed-by: Yoshihiro Shimoda
+Link: https://lore.kernel.org/r/ee8af5d631f5331139ffea714539030d97352e93.1622811525.git.geert+renesas@glider.be
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/renesas_sdhi_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/renesas_sdhi_core.c
++++ b/drivers/mmc/host/renesas_sdhi_core.c
+@@ -931,7 +931,7 @@ static const struct soc_device_attribute
+ { .soc_id = "r8a7795", .revision = "ES3.*", .data = &sdhi_quirks_bad_taps2367 },
+ { .soc_id = "r8a7796", .revision = "ES1.[012]", .data = &sdhi_quirks_4tap_nohs400 },
+ { .soc_id = "r8a7796", .revision = "ES1.*", .data = &sdhi_quirks_r8a7796_es13 },
+- { .soc_id = "r8a7796", .revision = "ES3.*", .data = &sdhi_quirks_bad_taps1357 },
++ { .soc_id = "r8a77961", .data = &sdhi_quirks_bad_taps1357 },
+ { .soc_id = "r8a77965", .data = &sdhi_quirks_r8a77965 },
+ { .soc_id = "r8a77980", .data = &sdhi_quirks_nohs400 },
+ { .soc_id = "r8a77990", .data = &sdhi_quirks_r8a77990 },
diff --git a/queue-5.12/perf-x86-intel-uncore-fix-m2m-event-umask-for-ice-lake-server.patch b/queue-5.12/perf-x86-intel-uncore-fix-m2m-event-umask-for-ice-lake-server.patch
new file mode 100644
index 00000000000..2843b4c8780
--- /dev/null
+++ b/queue-5.12/perf-x86-intel-uncore-fix-m2m-event-umask-for-ice-lake-server.patch
@@ -0,0 +1,42 @@
+From 848ff3768684701a4ce73a2ec0e5d438d4e2b0da Mon Sep 17 00:00:00 2001
+From: Kan Liang
+Date: Tue, 1 Jun 2021 06:09:03 -0700
+Subject: perf/x86/intel/uncore: Fix M2M event umask for Ice Lake server
+
+From: Kan Liang
+
+commit 848ff3768684701a4ce73a2ec0e5d438d4e2b0da upstream.
+
+Perf tool errors out with the latest event list for the Ice Lake server.
+
+event syntax error: 'unc_m2m_imc_reads.to_pmm'
+ \___ value too big for format, maximum is 255
+
+The same as the Snow Ridge server, the M2M uncore unit in the Ice Lake
+server has the unit mask extension field as well.
+
+Fixes: 2b3b76b5ec67 ("perf/x86/intel/uncore: Add Ice Lake server uncore support")
+Reported-by: Jin Yao
+Signed-off-by: Kan Liang
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1622552943-119174-1-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/events/intel/uncore_snbep.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -5103,9 +5103,10 @@ static struct intel_uncore_type icx_unco
+ .perf_ctr = SNR_M2M_PCI_PMON_CTR0,
+ .event_ctl = SNR_M2M_PCI_PMON_CTL0,
+ .event_mask = SNBEP_PMON_RAW_EVENT_MASK,
++ .event_mask_ext = SNR_M2M_PCI_PMON_UMASK_EXT,
+ .box_ctl = SNR_M2M_PCI_PMON_BOX_CTL,
+ .ops = &snr_m2m_uncore_pci_ops,
+- .format_group = &skx_uncore_format_group,
++ .format_group = &snr_m2m_uncore_format_group,
+ };
+
+ static struct attribute *icx_upi_uncore_formats_attr[] = {
diff --git a/queue-5.12/revert-acpi-sleep-put-the-facs-table-after-using-it.patch b/queue-5.12/revert-acpi-sleep-put-the-facs-table-after-using-it.patch
new file mode 100644
index 00000000000..0fc376d72f2
--- /dev/null
+++ b/queue-5.12/revert-acpi-sleep-put-the-facs-table-after-using-it.patch
@@ -0,0 +1,48 @@
+From f1ffa9d4cccc8fdf6c03fb1b3429154d22037988 Mon Sep 17 00:00:00 2001
+From: Zhang Rui
+Date: Thu, 3 Jun 2021 10:34:14 +0800
+Subject: Revert "ACPI: sleep: Put the FACS table after using it"
+
+From: Zhang Rui
+
+commit f1ffa9d4cccc8fdf6c03fb1b3429154d22037988 upstream.
+
+Commit 95722237cb2a ("ACPI: sleep: Put the FACS table after using it")
+puts the FACS table during initialization.
+
+But the hardware signature bits in the FACS table need to be accessed,
+after every hibernation, to compare with the original hardware
+signature.
+
+So there is no reason to release the FACS table mapping after
+initialization.
+
+This reverts commit 95722237cb2ae4f7b73471058cdb19e8f4057c93.
+
+An alternative solution is to use acpi_gbl_FACS variable instead, which
+is mapped by the ACPICA core and never released.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=212277
+Reported-by: Stephan Hohe
+Signed-off-by: Zhang Rui
+Cc: 5.8+ # 5.8+
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/sleep.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/acpi/sleep.c
++++ b/drivers/acpi/sleep.c
+@@ -1009,10 +1009,8 @@ static void acpi_sleep_hibernate_setup(v
+ return;
+
+ acpi_get_table(ACPI_SIG_FACS, 1, (struct acpi_table_header **)&facs);
+- if (facs) {
++ if (facs)
+ s4_hardware_signature = facs->hardware_signature;
+- acpi_put_table((struct acpi_table_header *)facs);
+- }
+ }
+ #else /* !CONFIG_HIBERNATION */
+ static inline void acpi_sleep_hibernate_setup(void) {}
diff --git a/queue-5.12/series b/queue-5.12/series
index 0b737a1eeca..5ae83bcf775 100644
--- a/queue-5.12/series
+++ b/queue-5.12/series
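Review bot: With the `acpi_put_table()` call removed again, acpi_sleep_hibernate_setup() takes a table reference that is never dropped, and nothing in the code says this is intended; that is exactly what made the reverted change look like a leak fix. A comment above the `acpi_get_table()` call, for example `/* Keep the FACS mapped: its hardware signature is read again after every hibernation. */`, would record the reason given in the changelog and guard against the same clean-up being proposed again. The function starts outside the hunk.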
@@ -46,3 +46,67 @@ spi-don-t-have-controller-clean-up-spi-device-before.patch
 spi-cleanup-on-failure-of-initial-setup.patch
 i2c-mpc-make-use-of-i2c_recover_bus.patch
 i2c-mpc-implement-erratum-a-004447-workaround.patch
+alsa-seq-fix-race-of-snd_seq_timer_open.patch
+alsa-firewire-lib-fix-the-context-to-call-snd_pcm_stop_xrun.patch
+alsa-hda-realtek-headphone-and-mic-don-t-work-on-an-acer-laptop.patch
+alsa-hda-realtek-fix-mute-micmute-leds-and-speaker-for-hp-elite-dragonfly-g2.patch
+alsa-hda-realtek-fix-mute-micmute-leds-and-speaker-for-hp-elitebook-x360-1040-g8.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-hp-elitebook-840-aero-g8.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-hp-zbook-power-g8.patch
+spi-bcm2835-fix-out-of-bounds-access-with-more-than-4-slaves.patch
+revert-acpi-sleep-put-the-facs-table-after-using-it.patch
+acpi-pass-the-same-capabilities-to-the-_osc-regardless-of-the-query-flag.patch
+drm-fix-use-after-free-read-in-drm_getunique.patch
+drm-lock-pointer-access-in-drm_master_release.patch
+x86-lto-pass-stack-alignment-only-on-lld-13.0.0.patch
+perf-x86-intel-uncore-fix-m2m-event-umask-for-ice-lake-server.patch
+kvm-x86-unload-mmu-on-guest-tlb-flush-if-tdp-disabled-to-force-mmu-sync.patch
+kvm-x86-mmu-use-the-correct-inherited-permissions-to-get-shadow-page.patch
+kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch
+staging-rtl8723bs-fix-uninitialized-variables.patch
+usb-misc-brcmstb-usb-pinmap-check-return-value-after-calling-platform_get_resource.patch
+misc-rtsx-separate-aspm-mode-into-mode_reg-and-mode_cfg.patch
+bus-mhi-pci_generic-fix-possible-use-after-free-in-mhi_pci_remove.patch
+tick-nohz-only-check-for-rcu-deferred-wakeup-on-user-guest-entry-when-needed.patch
+bcache-remove-bcache-device-self-defined-readahead.patch
+bcache-avoid-oversized-read-request-in-cache-missing-code-path.patch
+async_xor-check-src_offs-is-not-null-before-updating-it.patch
+btrfs-do-not-write-supers-if-we-have-an-fs-error.patch
+btrfs-zoned-fix-zone-number-to-sector-physical-calculation.patch
+btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch
+btrfs-promote-debugging-asserts-to-full-fledged-checks-in-validate_super.patch
+coredump-limit-what-can-interrupt-coredumps.patch
+cgroup1-don-t-allow-n-in-renaming.patch
+ftrace-do-not-blindly-read-the-ip-address-in-ftrace_bug.patch
+tracing-correct-the-length-check-which-causes-memory-corruption.patch
+tools-bootconfig-fix-a-build-error-accroding-to-undefined-fallthrough.patch
+mmc-renesas_sdhi-abort-tuning-when-timeout-detected.patch
+mmc-renesas_sdhi-fix-hs400-on-r-car-m3-w.patch
+usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch
+usb-f_ncm-only-first-packet-of-aggregate-needs-to-start-timer.patch
+usb-pd-set-pd_t_sink_wait_cap-to-310ms.patch
+usb-dwc3-meson-g12a-fix-usb2-phy-glue-init-when-phy0-is-disabled.patch
+usb-dwc3-meson-g12a-disable-the-regulator-in-the-error-handling-path-of-the-probe.patch
+usb-dwc3-gadget-bail-from-dwc3_gadget_exit-if-dwc-gadget-is-null.patch
+usb-dwc3-debugfs-add-and-remove-endpoint-dirs-dynamically.patch
+usb-dwc3-ep0-fix-null-pointer-exception.patch
+usb-pci-quirks-disable-d3cold-on-xhci-suspend-for-s2idle-on-amd-renoir.patch
+usb-musb-fix-musb_quirk_b_disconnect_99-handling.patch
+usb-typec-wcove-use-le-to-cpu-conversion-when-accessing-msg-header.patch
+usb-typec-ucsi-clear-ppm-capability-data-in-ucsi_init-error-path.patch
+usb-typec-intel_pmc_mux-put-fwnode-in-error-case-during-probe.patch
+usb-typec-intel_pmc_mux-add-missed-error-check-for-devm_ioremap_resource.patch
+usb-gadget-f_fs-ensure-io_completion_wq-is-idle-during-unbind.patch
+usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch
+usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch
+usb-serial-quatech2-fix-control-request-directions.patch
+usb-serial-cp210x-fix-alternate-function-for-cp2102n-qfn20.patch
+usb-serial-cp210x-fix-cp2102n-a01-modem-control.patch
+usb-cdnsp-fix-deadlock-issue-in-cdnsp_thread_irq_handler.patch
+usb-gadget-eem-fix-wrong-eem-header-operation.patch
+usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cabling.patch
+usb-fix-various-gadget-panics-on-10gbps-cabling.patch
+usb-typec-tcpm-properly-handle-alert-and-status-messages.patch
+usb-typec-tcpm-cancel-vdm-and-state-machine-hrtimer-when-unregister-tcpm-port.patch
+usb-typec-tcpm-cancel-frs-hrtimer-when-unregister-tcpm-port.patch
+usb-typec-tcpm-do-not-finish-vdm-ams-for-retrying-responses.patch
diff --git a/queue-5.12/spi-bcm2835-fix-out-of-bounds-access-with-more-than-4-slaves.patch b/queue-5.12/spi-bcm2835-fix-out-of-bounds-access-with-more-than-4-slaves.patch
new file mode 100644
index 00000000000..7818eb9b072
--- /dev/null
+++ b/queue-5.12/spi-bcm2835-fix-out-of-bounds-access-with-more-than-4-slaves.patch
@@ -0,0 +1,75 @@
+From 13817d466eb8713a1ffd254f537402f091d48444 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Sat, 22 May 2021 19:49:50 +0200
+Subject: spi: bcm2835: Fix out-of-bounds access with more than 4 slaves
+
+From: Lukas Wunner
+
+commit 13817d466eb8713a1ffd254f537402f091d48444 upstream.
+
+Commit 571e31fa60b3 ("spi: bcm2835: Cache CS register value for
+->prepare_message()") limited the number of slaves to 3 at compile-time.
+The limitation was necessitated by a statically-sized array prepare_cs[]
+in the driver private data which contains a per-slave register value.
+
+The commit sought to enforce the limitation at run-time by setting the
+controller's num_chipselect to 3: Slaves with a higher chipselect are
+rejected by spi_add_device().
+
+However the commit neglected that num_chipselect only limits the number
+of *native* chipselects. If GPIO chipselects are specified in the
+device tree for more than 3 slaves, num_chipselect is silently raised by
+of_spi_get_gpio_numbers() and the result are out-of-bounds accesses to
+the statically-sized array prepare_cs[].
+
+As a bandaid fix which is backportable to stable, raise the number of
+allowed slaves to 24 (which "ought to be enough for anybody"), enforce
+the limitation on slave ->setup and revert num_chipselect to 3 (which is
+the number of native chipselects supported by the controller).
+An upcoming for-next commit will allow an arbitrary number of slaves.
+
+Fixes: 571e31fa60b3 ("spi: bcm2835: Cache CS register value for ->prepare_message()")
+Reported-by: Joe Burmeister
+Signed-off-by: Lukas Wunner
+Cc: stable@vger.kernel.org # v5.4+
+Cc: Phil Elwell
+Link: https://lore.kernel.org/r/75854affc1923309fde05e47494263bde73e5592.1621703210.git.lukas@wunner.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-bcm2835.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-bcm2835.c
++++ b/drivers/spi/spi-bcm2835.c
+@@ -68,7 +68,7 @@
+ #define BCM2835_SPI_FIFO_SIZE 64
+ #define BCM2835_SPI_FIFO_SIZE_3_4 48
+ #define BCM2835_SPI_DMA_MIN_LENGTH 96
+-#define BCM2835_SPI_NUM_CS 4 /* raise as necessary */
++#define BCM2835_SPI_NUM_CS 24 /* raise as necessary */
+ #define BCM2835_SPI_MODE_BITS (SPI_CPOL | SPI_CPHA | SPI_CS_HIGH \
+ | SPI_NO_CS | SPI_3WIRE)
+
+@@ -1195,6 +1195,12 @@ static int bcm2835_spi_setup(struct spi_
+ struct gpio_chip *chip;
+ u32 cs;
+
++ if (spi->chip_select >= BCM2835_SPI_NUM_CS) {
++ dev_err(&spi->dev, "only %d chip-selects supported\n",
++ BCM2835_SPI_NUM_CS - 1);
++ return -EINVAL;
++ }
++
+ /*
+ * Precalculate SPI slave's CS register value for ->prepare_message():
+ * The driver always uses software-controlled GPIO chip select, hence
+@@ -1288,7 +1294,7 @@ static int bcm2835_spi_probe(struct plat
+ ctlr->use_gpio_descriptors = true;
+ ctlr->mode_bits = BCM2835_SPI_MODE_BITS;
+ ctlr->bits_per_word_mask = SPI_BPW_MASK(8);
+- ctlr->num_chipselect = BCM2835_SPI_NUM_CS;
++ ctlr->num_chipselect = 3;
+ ctlr->setup = bcm2835_spi_setup;
+ ctlr->transfer_one = bcm2835_spi_transfer_one;
+ ctlr->handle_err = bcm2835_spi_handle_err;
diff --git a/queue-5.12/staging-rtl8723bs-fix-uninitialized-variables.patch b/queue-5.12/staging-rtl8723bs-fix-uninitialized-variables.patch
new file mode 100644
index 00000000000..2a17a2b3fea
--- /dev/null
+++ b/queue-5.12/staging-rtl8723bs-fix-uninitialized-variables.patch
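Review bot: The new `dev_err()` in `bcm2835_spi_setup()` reports `BCM2835_SPI_NUM_CS - 1` as the number of supported chip-selects, but the guard `spi->chip_select >= BCM2835_SPI_NUM_CS` accepts indices 0 through 23, which is 24 of them, so the message understates the limit by one. Either print the count, `"only %d chip-selects supported\n", BCM2835_SPI_NUM_CS`, or word the message as the highest allowed index. In `bcm2835_spi_probe()` the bare `ctlr->num_chipselect = 3;` would read better as a named constant with a comment that it is the native chip-select count, since it now deliberately differs from `BCM2835_SPI_NUM_CS`. The declaration of `prepare_cs[]` is outside these hunks; the bounds check only protects it if that array is still sized by `BCM2835_SPI_NUM_CS`.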
@@ -0,0 +1,69 @@ +From 43c85d770db80cb135f576f8fde6ff1a08e707a4 Mon Sep 17 00:00:00 2001 +From: Wenli Looi +Date: Mon, 7 Jun 2021 23:46:20 -0700 +Subject: staging: rtl8723bs: Fix uninitialized variables + +From: Wenli Looi + +commit 43c85d770db80cb135f576f8fde6ff1a08e707a4 upstream. + +The sinfo.pertid and sinfo.generation variables are not initialized and +it causes a crash when we use this as a wireless access point. + +[ 456.873025] ------------[ cut here ]------------ +[ 456.878198] kernel BUG at mm/slub.c:3968! +[ 456.882680] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM + + [ snip ] + +[ 457.271004] Backtrace: +[ 457.273733] [] (kfree) from [] (nl80211_send_station+0x954/0xfc4) +[ 457.282481] r9:eccca0c0 r8:e8edfec0 r7:00000000 r6:00000011 r5:e80a9480 r4:e8edfe00 +[ 457.291132] [] (nl80211_send_station) from [] (cfg80211_new_sta+0x90/0x1cc) +[ 457.300850] r10:e80a9480 r9:e8edfe00 r8:ea678cca r7:00000a20 r6:00000000 r5:ec46d000 +[ 457.309586] r4:ec46d9e0 +[ 457.312433] [] (cfg80211_new_sta) from [] (rtw_cfg80211_indicate_sta_assoc+0x80/0x9c [r8723bs]) +[ 457.324095] r10:00009930 r9:e85b9d80 r8:bf091050 r7:00000000 r6:00000000 r5:0000001c +[ 457.332831] r4:c1606788 +[ 457.335692] [] (rtw_cfg80211_indicate_sta_assoc [r8723bs]) from [] (rtw_stassoc_event_callback+0x1c8/0x1d4 [r8723bs]) +[ 457.349489] r7:ea678cc0 r6:000000a1 r5:f1225f84 r4:f086b000 +[ 457.355845] [] (rtw_stassoc_event_callback [r8723bs]) from [] (mlme_evt_hdl+0x8c/0xb4 [r8723bs]) +[ 457.367601] r7:c1604900 r6:f086c4b8 r5:00000000 r4:f086c000 +[ 457.373959] [] (mlme_evt_hdl [r8723bs]) from [] (rtw_cmd_thread+0x198/0x3d8 [r8723bs]) +[ 457.384744] r5:f086e000 r4:f086c000 +[ 457.388754] [] (rtw_cmd_thread [r8723bs]) from [] (kthread+0x170/0x174) +[ 457.398083] r10:ed7a57e8 r9:bf0367a4 r8:f086b000 r7:e8ede000 r6:00000000 r5:e9975200 +[ 457.406828] r4:e8369900 +[ 457.409653] [] (kthread) from [] (ret_from_fork+0x14/0x2c) +[ 457.417718] Exception stack(0xe8edffb0 to 0xe8edfff8) +[ 457.423356] ffa0: 
00000000 00000000 00000000 00000000 +[ 457.432492] ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 457.441618] ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 +[ 457.449006] r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:c014a0a4 +[ 457.457750] r4:e9975200 +[ 457.460574] Code: 1a000003 e5953004 e3130001 1a000000 (e7f001f2) +[ 457.467381] ---[ end trace 4acbc8c15e9e6aa7 ]--- + +Link: https://forum.armbian.com/topic/14727-wifi-ap-kernel-bug-in-kernel-5444/ +Fixes: 8689c051a201 ("cfg80211: dynamically allocate per-tid stats for station info") +Fixes: f5ea9120be2e ("nl80211: add generation number to all dumps") +Signed-off-by: Wenli Looi +Reviewed-by: Dan Carpenter +Cc: stable +Link: https://lore.kernel.org/r/20210608064620.74059-1-wlooi@ucalgary.ca +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c ++++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c +@@ -2359,7 +2359,7 @@ void rtw_cfg80211_indicate_sta_assoc(str + DBG_871X(FUNC_ADPT_FMT"\n", FUNC_ADPT_ARG(padapter)); + + { +- struct station_info sinfo; ++ struct station_info sinfo = {}; + u8 ie_offset; + if (GetFrameSubType(pmgmt_frame) == WIFI_ASSOCREQ) + ie_offset = _ASOCREQ_IE_OFFSET_; diff --git a/queue-5.12/tick-nohz-only-check-for-rcu-deferred-wakeup-on-user-guest-entry-when-needed.patch b/queue-5.12/tick-nohz-only-check-for-rcu-deferred-wakeup-on-user-guest-entry-when-needed.patch new file mode 100644 index 00000000000..c7f29291b66 --- /dev/null +++ b/queue-5.12/tick-nohz-only-check-for-rcu-deferred-wakeup-on-user-guest-entry-when-needed.patch 
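Review bot: The `= {}` added to `sinfo` in `rtw_cfg80211_indicate_sta_assoc()` is what keeps cfg80211 from acting on stack garbage (the trace in the commit message ends in `kfree` under `nl80211_send_station`), yet the code itself gives no hint that the initializer is load-bearing. A comment such as `/* must be zeroed: cfg80211 reads and frees fields we do not set */` would keep it from being dropped as redundant. Only this one declaration is in the hunk; any other on-stack `struct station_info` in the driver that is handed to cfg80211 needs the same treatment, which cannot be checked from here.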
@@ -0,0 +1,122 @@ +From f268c3737ecaefcfeecfb4cb5e44958a8976f067 Mon Sep 17 00:00:00 2001 +From: Frederic Weisbecker +Date: Thu, 27 May 2021 13:34:41 +0200 +Subject: tick/nohz: Only check for RCU deferred wakeup on user/guest entry when needed + +From: Frederic Weisbecker + +commit f268c3737ecaefcfeecfb4cb5e44958a8976f067 upstream. + +Checking for and processing RCU-nocb deferred wakeup upon user/guest +entry is only relevant when nohz_full runs on the local CPU, otherwise +the periodic tick should take care of it. + +Make sure we don't needlessly pollute these fast-paths as a -3% +performance regression on a will-it-scale.per_process_ops has been +reported so far. + +Fixes: 47b8ff194c1f (entry: Explicitly flush pending rcuog wakeup before last rescheduling point) +Fixes: 4ae7dc97f726 (entry/kvm: Explicitly flush pending rcuog wakeup before last rescheduling point) +Reported-by: kernel test robot +Signed-off-by: Frederic Weisbecker +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Paul E. 
McKenney +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20210527113441.465489-1-frederic@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/entry-kvm.h | 3 ++- + include/linux/tick.h | 7 +++++++ + kernel/entry/common.c | 5 +++-- + kernel/time/tick-sched.c | 1 + + 4 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/include/linux/entry-kvm.h b/include/linux/entry-kvm.h +index 8b2b1d68b954..136b8d97d8c0 100644 +--- a/include/linux/entry-kvm.h ++++ b/include/linux/entry-kvm.h +@@ -3,6 +3,7 @@ + #define __LINUX_ENTRYKVM_H + + #include ++#include + + /* Transfer to guest mode work */ + #ifdef CONFIG_KVM_XFER_TO_GUEST_WORK +@@ -57,7 +58,7 @@ int xfer_to_guest_mode_handle_work(struct kvm_vcpu *vcpu); + static inline void xfer_to_guest_mode_prepare(void) + { + lockdep_assert_irqs_disabled(); +- rcu_nocb_flush_deferred_wakeup(); ++ tick_nohz_user_enter_prepare(); + } + + /** +diff --git a/include/linux/tick.h b/include/linux/tick.h +index 7340613c7eff..1a0ff88fa107 100644 +--- a/include/linux/tick.h ++++ b/include/linux/tick.h +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + + #ifdef CONFIG_GENERIC_CLOCKEVENTS + extern void __init tick_init(void); +@@ -300,4 +301,10 @@ static inline void tick_nohz_task_switch(void) + __tick_nohz_task_switch(); + } + ++static inline void tick_nohz_user_enter_prepare(void) ++{ ++ if (tick_nohz_full_cpu(smp_processor_id())) ++ rcu_nocb_flush_deferred_wakeup(); ++} ++ + #endif +diff --git a/kernel/entry/common.c b/kernel/entry/common.c +index a0b3b04fb596..bf16395b9e13 100644 +--- a/kernel/entry/common.c ++++ b/kernel/entry/common.c +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + + #include "common.h" + +@@ -186,7 +187,7 @@ static unsigned long exit_to_user_mode_loop(struct pt_regs *regs, + local_irq_disable_exit_to_user(); + + /* Check if any of the above work has queued a deferred wakeup */ +- rcu_nocb_flush_deferred_wakeup(); ++ tick_nohz_user_enter_prepare(); + + 
ti_work = READ_ONCE(current_thread_info()->flags); + } +@@ -202,7 +203,7 @@ static void exit_to_user_mode_prepare(struct pt_regs *regs) + lockdep_assert_irqs_disabled(); + + /* Flush pending rcuog wakeup before the last need_resched() check */ +- rcu_nocb_flush_deferred_wakeup(); ++ tick_nohz_user_enter_prepare(); + + if (unlikely(ti_work & EXIT_TO_USER_MODE_WORK)) + ti_work = exit_to_user_mode_loop(regs, ti_work); +diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c +index 828b091501ca..6784f27a3099 100644 +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -230,6 +230,7 @@ static void tick_sched_handle(struct tick_sched *ts, struct pt_regs *regs) + + #ifdef CONFIG_NO_HZ_FULL + cpumask_var_t tick_nohz_full_mask; ++EXPORT_SYMBOL_GPL(tick_nohz_full_mask); + bool tick_nohz_full_running; + EXPORT_SYMBOL_GPL(tick_nohz_full_running); + static atomic_t tick_dep_mask; +-- +2.32.0 + diff --git a/queue-5.12/tools-bootconfig-fix-a-build-error-accroding-to-undefined-fallthrough.patch b/queue-5.12/tools-bootconfig-fix-a-build-error-accroding-to-undefined-fallthrough.patch new file mode 100644 index 00000000000..44c23b7bd10 --- /dev/null +++ b/queue-5.12/tools-bootconfig-fix-a-build-error-accroding-to-undefined-fallthrough.patch 
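Review bot: The new inline `tick_nohz_user_enter_prepare()` in include/linux/tick.h calls `smp_processor_id()` but carries no comment or assertion about the context it requires. Two of its three call sites in this patch follow `lockdep_assert_irqs_disabled()` and the third follows `local_irq_disable_exit_to_user()`, so the requirement is met today, but a later caller has nothing to go on. A one-line comment above the helper, e.g. `/* Must be called with interrupts disabled. */`, would document that; placing the assertion inside the helper is an alternative if the header's includes allow it, which is not visible here.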
@@ -0,0 +1,43 @@
+From 824afd55e95c3cb12c55d297a0ae408be1779cc8 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu
+Date: Thu, 13 May 2021 12:06:33 +0900
+Subject: tools/bootconfig: Fix a build error accroding to undefined fallthrough
+
+From: Masami Hiramatsu
+
+commit 824afd55e95c3cb12c55d297a0ae408be1779cc8 upstream.
+
+Since the "fallthrough" is defined only in the kernel, building
+lib/bootconfig.c as a part of user-space tools causes a build
+error.
+
+Add a dummy fallthrough to avoid the build error.
+
+Link: https://lkml.kernel.org/r/162087519356.442660.11385099982318160180.stgit@devnote2
+
+Cc: Ingo Molnar
+Cc: stable@vger.kernel.org
+Fixes: 4c1ca831adb1 ("Revert "lib: Revert use of fallthrough pseudo-keyword in lib/"")
+Signed-off-by: Masami Hiramatsu
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/bootconfig/include/linux/bootconfig.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/bootconfig/include/linux/bootconfig.h b/tools/bootconfig/include/linux/bootconfig.h
+index 078cbd2ba651..de7f30f99af3 100644
+--- a/tools/bootconfig/include/linux/bootconfig.h
++++ b/tools/bootconfig/include/linux/bootconfig.h
+@@ -4,4 +4,8 @@
+
+ #include "../../../../include/linux/bootconfig.h"
+
++#ifndef fallthrough
++# define fallthrough
++#endif
++
+ #endif
+--
+2.32.0
+
diff --git a/queue-5.12/tracing-correct-the-length-check-which-causes-memory-corruption.patch b/queue-5.12/tracing-correct-the-length-check-which-causes-memory-corruption.patch
new file mode 100644
index 00000000000..f72cf0f2e5d
--- /dev/null
+++ b/queue-5.12/tracing-correct-the-length-check-which-causes-memory-corruption.patch
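Review bot: Defining `fallthrough` as nothing in tools/bootconfig/include/linux/bootconfig.h fixes the build but also discards the annotation, so an implicit-fallthrough warning could fire in the tools build if that warning is enabled there (not visible from this hunk). Where the compiler supports the attribute, `# define fallthrough __attribute__((__fallthrough__))` keeps the marker meaningful, with the empty definition as the fallback. A one-line comment above the `#ifndef` saying the macro is kernel-only and is stubbed here for user space would also help the next reader.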
@@ -0,0 +1,102 @@ +From 3e08a9f9760f4a70d633c328a76408e62d6f80a3 Mon Sep 17 00:00:00 2001 +From: Liangyan +Date: Mon, 7 Jun 2021 20:57:34 +0800 +Subject: tracing: Correct the length check which causes memory corruption + +From: Liangyan + +commit 3e08a9f9760f4a70d633c328a76408e62d6f80a3 upstream. + +We've suffered from severe kernel crashes due to memory corruption on +our production environment, like, + +Call Trace: +[1640542.554277] general protection fault: 0000 [#1] SMP PTI +[1640542.554856] CPU: 17 PID: 26996 Comm: python Kdump: loaded Tainted:G +[1640542.556629] RIP: 0010:kmem_cache_alloc+0x90/0x190 +[1640542.559074] RSP: 0018:ffffb16faa597df8 EFLAGS: 00010286 +[1640542.559587] RAX: 0000000000000000 RBX: 0000000000400200 RCX: +0000000006e931bf +[1640542.560323] RDX: 0000000006e931be RSI: 0000000000400200 RDI: +ffff9a45ff004300 +[1640542.560996] RBP: 0000000000400200 R08: 0000000000023420 R09: +0000000000000000 +[1640542.561670] R10: 0000000000000000 R11: 0000000000000000 R12: +ffffffff9a20608d +[1640542.562366] R13: ffff9a45ff004300 R14: ffff9a45ff004300 R15: +696c662f65636976 +[1640542.563128] FS: 00007f45d7c6f740(0000) GS:ffff9a45ff840000(0000) +knlGS:0000000000000000 +[1640542.563937] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[1640542.564557] CR2: 00007f45d71311a0 CR3: 000000189d63e004 CR4: +00000000003606e0 +[1640542.565279] DR0: 0000000000000000 DR1: 0000000000000000 DR2: +0000000000000000 +[1640542.566069] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: +0000000000000400 +[1640542.566742] Call Trace: +[1640542.567009] anon_vma_clone+0x5d/0x170 +[1640542.567417] __split_vma+0x91/0x1a0 +[1640542.567777] do_munmap+0x2c6/0x320 +[1640542.568128] vm_munmap+0x54/0x70 +[1640542.569990] __x64_sys_munmap+0x22/0x30 +[1640542.572005] do_syscall_64+0x5b/0x1b0 +[1640542.573724] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[1640542.575642] RIP: 0033:0x7f45d6e61e27 + +James Wang has reproduced it stably on the latest 4.19 LTS. 
+After some debugging, we finally proved that it's due to ftrace +buffer out-of-bound access using a debug tool as follows: +[ 86.775200] BUG: Out-of-bounds write at addr 0xffff88aefe8b7000 +[ 86.780806] no_context+0xdf/0x3c0 +[ 86.784327] __do_page_fault+0x252/0x470 +[ 86.788367] do_page_fault+0x32/0x140 +[ 86.792145] page_fault+0x1e/0x30 +[ 86.795576] strncpy_from_unsafe+0x66/0xb0 +[ 86.799789] fetch_memory_string+0x25/0x40 +[ 86.804002] fetch_deref_string+0x51/0x60 +[ 86.808134] kprobe_trace_func+0x32d/0x3a0 +[ 86.812347] kprobe_dispatcher+0x45/0x50 +[ 86.816385] kprobe_ftrace_handler+0x90/0xf0 +[ 86.820779] ftrace_ops_assist_func+0xa1/0x140 +[ 86.825340] 0xffffffffc00750bf +[ 86.828603] do_sys_open+0x5/0x1f0 +[ 86.832124] do_syscall_64+0x5b/0x1b0 +[ 86.835900] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +commit b220c049d519 ("tracing: Check length before giving out +the filter buffer") adds length check to protect trace data +overflow introduced in 0fc1b09ff1ff, seems that this fix can't prevent +overflow entirely, the length check should also take the sizeof +entry->array[0] into account, since this array[0] is filled the +length of trace data and occupy addtional space and risk overflow. 
+
+Link: https://lkml.kernel.org/r/20210607125734.1770447-1-liangyan.peng@linux.alibaba.com
+
+Cc: stable@vger.kernel.org
+Cc: Ingo Molnar
+Cc: Xunlei Pang
+Cc: Greg Kroah-Hartman
+Fixes: b220c049d519 ("tracing: Check length before giving out the filter buffer")
+Reviewed-by: Xunlei Pang
+Reviewed-by: yinbinbin
+Reviewed-by: Wetp Zhang
+Tested-by: James Wang
+Signed-off-by: Liangyan
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -2735,7 +2735,7 @@ trace_event_buffer_lock_reserve(struct t
+ (entry = this_cpu_read(trace_buffered_event))) {
+ /* Try to use the per cpu buffer first */
+ val = this_cpu_inc_return(trace_buffered_event_cnt);
+- if ((len < (PAGE_SIZE - sizeof(*entry))) && val == 1) {
++ if ((len < (PAGE_SIZE - sizeof(*entry) - sizeof(entry->array[0]))) && val == 1) {
+ trace_event_setup(entry, type, trace_ctx);
+ entry->array[0] = len;
+ return entry;
diff --git a/queue-5.12/usb-cdnsp-fix-deadlock-issue-in-cdnsp_thread_irq_handler.patch b/queue-5.12/usb-cdnsp-fix-deadlock-issue-in-cdnsp_thread_irq_handler.patch
new file mode 100644
index 00000000000..4e8de011ea3
--- /dev/null
+++ b/queue-5.12/usb-cdnsp-fix-deadlock-issue-in-cdnsp_thread_irq_handler.patch
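Review bot: The corrected bound in `trace_event_buffer_lock_reserve()` now subtracts `sizeof(entry->array[0])`, but the reason lives only in the commit message, and an unexplained extra term in a size check is easy to simplify away later. Add a comment above the condition, e.g. `/* array[0] stores len ahead of the data, so it needs room too */`. Because this expression is the only thing standing between `len` and a write past the page-sized per-CPU buffer, giving it a name (a small macro or a local such as `max_len`) would also make the next audit easier. The function starts and ends outside the hunk, so the type of `len` and the other reservation paths cannot be checked from here.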
@@ -0,0 +1,107 @@ +From a9aecef198faae3240921b707bc09b602e966fce Mon Sep 17 00:00:00 2001 +From: Pawel Laszczak +Date: Wed, 26 May 2021 08:05:27 +0200 +Subject: usb: cdnsp: Fix deadlock issue in cdnsp_thread_irq_handler + +From: Pawel Laszczak + +commit a9aecef198faae3240921b707bc09b602e966fce upstream. + +Patch fixes the following critical issue caused by deadlock which has been +detected during testing NCM class: + +smp: csd: Detected non-responsive CSD lock (#1) on CPU#0 +smp: csd: CSD lock (#1) unresponsive. +.... +RIP: 0010:native_queued_spin_lock_slowpath+0x61/0x1d0 +RSP: 0018:ffffbc494011cde0 EFLAGS: 00000002 +RAX: 0000000000000101 RBX: ffff9ee8116b4a68 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9ee8116b4658 +RBP: ffffbc494011cde0 R08: 0000000000000001 R09: 0000000000000000 +R10: ffff9ee8116b4670 R11: 0000000000000000 R12: ffff9ee8116b4658 +R13: ffff9ee8116b4670 R14: 0000000000000246 R15: ffff9ee8116b4658 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7bcc41a830 CR3: 000000007a612003 CR4: 00000000001706e0 +Call Trace: + + do_raw_spin_lock+0xc0/0xd0 + _raw_spin_lock_irqsave+0x95/0xa0 + cdnsp_gadget_ep_queue.cold+0x88/0x107 [cdnsp_udc_pci] + usb_ep_queue+0x35/0x110 + eth_start_xmit+0x220/0x3d0 [u_ether] + ncm_tx_timeout+0x34/0x40 [usb_f_ncm] + ? 
ncm_free_inst+0x50/0x50 [usb_f_ncm] + __hrtimer_run_queues+0xac/0x440 + hrtimer_run_softirq+0x8c/0xb0 + __do_softirq+0xcf/0x428 + asm_call_irq_on_stack+0x12/0x20 + + do_softirq_own_stack+0x61/0x70 + irq_exit_rcu+0xc1/0xd0 + sysvec_apic_timer_interrupt+0x52/0xb0 + asm_sysvec_apic_timer_interrupt+0x12/0x20 +RIP: 0010:do_raw_spin_trylock+0x18/0x40 +RSP: 0018:ffffbc494138bda8 EFLAGS: 00000246 +RAX: 0000000000000000 RBX: ffff9ee8116b4658 RCX: 0000000000000000 +RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9ee8116b4658 +RBP: ffffbc494138bda8 R08: 0000000000000001 R09: 0000000000000000 +R10: ffff9ee8116b4670 R11: 0000000000000000 R12: ffff9ee8116b4658 +R13: ffff9ee8116b4670 R14: ffff9ee7b5c73d80 R15: ffff9ee8116b4000 + _raw_spin_lock+0x3d/0x70 + ? cdnsp_thread_irq_handler.cold+0x32/0x112c [cdnsp_udc_pci] + cdnsp_thread_irq_handler.cold+0x32/0x112c [cdnsp_udc_pci] + ? cdnsp_remove_request+0x1f0/0x1f0 [cdnsp_udc_pci] + ? cdnsp_thread_irq_handler+0x5/0xa0 [cdnsp_udc_pci] + ? irq_thread+0xa0/0x1c0 + irq_thread_fn+0x28/0x60 + irq_thread+0x105/0x1c0 + ? __kthread_parkme+0x42/0x90 + ? irq_forced_thread_fn+0x90/0x90 + ? wake_threads_waitq+0x30/0x30 + ? irq_thread_check_affinity+0xe0/0xe0 + kthread+0x12a/0x160 + ? kthread_park+0x90/0x90 + ret_from_fork+0x22/0x30 + +The root cause of issue is spin_lock/spin_unlock instruction instead +spin_lock_irqsave/spin_lock_irqrestore in cdnsp_thread_irq_handler +function. 
+
+Cc: stable@vger.kernel.org
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+Signed-off-by: Pawel Laszczak
+Link: https://lore.kernel.org/r/20210526060527.7197-1-pawell@gli-login.cadence.com
+Signed-off-by: Peter Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/cdns3/cdnsp-ring.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/cdns3/cdnsp-ring.c
++++ b/drivers/usb/cdns3/cdnsp-ring.c
+@@ -1517,13 +1517,14 @@ irqreturn_t cdnsp_thread_irq_handler(int
+ {
+ struct cdnsp_device *pdev = (struct cdnsp_device *)data;
+ union cdnsp_trb *event_ring_deq;
++ unsigned long flags;
+ int counter = 0;
+
+- spin_lock(&pdev->lock);
++ spin_lock_irqsave(&pdev->lock, flags);
+
+ if (pdev->cdnsp_state & (CDNSP_STATE_HALTED | CDNSP_STATE_DYING)) {
+ cdnsp_died(pdev);
+- spin_unlock(&pdev->lock);
++ spin_unlock_irqrestore(&pdev->lock, flags);
+ return IRQ_HANDLED;
+ }
+
+@@ -1539,7 +1540,7 @@ irqreturn_t cdnsp_thread_irq_handler(int
+
+ cdnsp_update_erst_dequeue(pdev, event_ring_deq, 1);
+
+- spin_unlock(&pdev->lock);
++ spin_unlock_irqrestore(&pdev->lock, flags);
+
+ return IRQ_HANDLED;
+ }
diff --git a/queue-5.12/usb-dwc3-debugfs-add-and-remove-endpoint-dirs-dynamically.patch b/queue-5.12/usb-dwc3-debugfs-add-and-remove-endpoint-dirs-dynamically.patch
new file mode 100644
index 00000000000..a1fa7ef7d8f
--- /dev/null
+++ b/queue-5.12/usb-dwc3-debugfs-add-and-remove-endpoint-dirs-dynamically.patch
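Review bot: The switch to `spin_lock_irqsave()` in `cdnsp_thread_irq_handler()` is not explained in the code, and a plain `spin_lock()` looks natural in a threaded handler, so the change risks being undone as unnecessary. A comment at the lock site would help, e.g. `/* pdev->lock is also taken from softirq context via ep_queue, keep IRQs off */`, which is what the trace in the commit message shows. The lines between the two hunks are not visible; any other return path there must also leave through `spin_unlock_irqrestore(&pdev->lock, flags)`.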
@@ -0,0 +1,122 @@
+From 8d396bb0a5b62b326f6be7594d8bd46b088296bd Mon Sep 17 00:00:00 2001
+From: Jack Pham
+Date: Sat, 29 May 2021 12:29:32 -0700
+Subject: usb: dwc3: debugfs: Add and remove endpoint dirs dynamically
+
+From: Jack Pham
+
+commit 8d396bb0a5b62b326f6be7594d8bd46b088296bd upstream.
+
+The DWC3 DebugFS directory and files are currently created once
+during probe. This includes creation of subdirectories for each
+of the gadget's endpoints. This works fine for peripheral-only
+controllers, as dwc3_core_init_mode() calls dwc3_gadget_init()
+just prior to calling dwc3_debugfs_init().
+
+However, for dual-role controllers, dwc3_core_init_mode() will
+instead call dwc3_drd_init() which is problematic in a few ways.
+First, the initial state must be determined, then dwc3_set_mode()
+will have to schedule drd_work and by then dwc3_debugfs_init()
+could have already been invoked. Even if the initial mode is
+peripheral, dwc3_gadget_init() happens after the DebugFS files
+are created, and worse so if the initial state is host and the
+controller switches to peripheral much later. And secondly,
+even if the gadget endpoints' debug entries were successfully
+created, if the controller exits peripheral mode, its dwc3_eps
+are freed so the debug files would now hold stale references.
+
+So it is best if the DebugFS endpoint entries are created and
+removed dynamically at the same time the underlying dwc3_eps are.
+Do this by calling dwc3_debugfs_create_endpoint_dir() as each
+endpoint is created, and conversely remove the DebugFS entry when
+the endpoint is freed.
+ +Fixes: 41ce1456e1db ("usb: dwc3: core: make dwc3_set_mode() work properly") +Cc: stable +Reviewed-by: Peter Chen +Signed-off-by: Jack Pham +Link: https://lore.kernel.org/r/20210529192932.22912-1-jackp@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/debug.h | 3 +++ + drivers/usb/dwc3/debugfs.c | 21 ++------------------- + drivers/usb/dwc3/gadget.c | 3 +++ + 3 files changed, 8 insertions(+), 19 deletions(-) + +--- a/drivers/usb/dwc3/debug.h ++++ b/drivers/usb/dwc3/debug.h +@@ -413,9 +413,12 @@ static inline const char *dwc3_gadget_ge + + + #ifdef CONFIG_DEBUG_FS ++extern void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep); + extern void dwc3_debugfs_init(struct dwc3 *d); + extern void dwc3_debugfs_exit(struct dwc3 *d); + #else ++static inline void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep) ++{ } + static inline void dwc3_debugfs_init(struct dwc3 *d) + { } + static inline void dwc3_debugfs_exit(struct dwc3 *d) +--- a/drivers/usb/dwc3/debugfs.c ++++ b/drivers/usb/dwc3/debugfs.c +@@ -890,30 +890,14 @@ static void dwc3_debugfs_create_endpoint + } + } + +-static void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep, +- struct dentry *parent) ++void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep) + { + struct dentry *dir; + +- dir = debugfs_create_dir(dep->name, parent); ++ dir = debugfs_create_dir(dep->name, dep->dwc->root); + dwc3_debugfs_create_endpoint_files(dep, dir); + } + +-static void dwc3_debugfs_create_endpoint_dirs(struct dwc3 *dwc, +- struct dentry *parent) +-{ +- int i; +- +- for (i = 0; i < dwc->num_eps; i++) { +- struct dwc3_ep *dep = dwc->eps[i]; +- +- if (!dep) +- continue; +- +- dwc3_debugfs_create_endpoint_dir(dep, parent); +- } +-} +- + void dwc3_debugfs_init(struct dwc3 *dwc) + { + struct dentry *root; +@@ -944,7 +928,6 @@ void dwc3_debugfs_init(struct dwc3 *dwc) + &dwc3_testmode_fops); + debugfs_create_file("link_state", 0644, root, dwc, + &dwc3_link_state_fops); +- 
dwc3_debugfs_create_endpoint_dirs(dwc, root); + } + } + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2720,6 +2720,8 @@ static int dwc3_gadget_init_endpoint(str + INIT_LIST_HEAD(&dep->started_list); + INIT_LIST_HEAD(&dep->cancelled_list); + ++ dwc3_debugfs_create_endpoint_dir(dep); ++ + return 0; + } + +@@ -2763,6 +2765,7 @@ static void dwc3_gadget_free_endpoints(s + list_del(&dep->endpoint.ep_list); + } + ++ debugfs_remove_recursive(debugfs_lookup(dep->name, dwc->root)); + kfree(dep); + } + } diff --git a/queue-5.12/usb-dwc3-ep0-fix-null-pointer-exception.patch b/queue-5.12/usb-dwc3-ep0-fix-null-pointer-exception.patch new file mode 100644 index 00000000000..4c2d61a55c2 --- /dev/null +++ b/queue-5.12/usb-dwc3-ep0-fix-null-pointer-exception.patch 
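Review bot: In `dwc3_gadget_free_endpoints()` the result of `debugfs_lookup()` is passed straight to `debugfs_remove_recursive()`, but `debugfs_lookup()` returns the dentry with a reference held that the caller has to drop, so each freed endpoint leaks one dentry reference. Keep the pointer and release it: `struct dentry *d = debugfs_lookup(dep->name, dwc->root);` followed by `debugfs_remove_recursive(d);` and `dput(d);`. Separately, `dwc3_debugfs_create_endpoint_dir()` now uses `dep->dwc->root` as the parent, and the commit message says `dwc3_gadget_init()` runs before `dwc3_debugfs_init()` on peripheral-only controllers, so it is worth confirming that `root` is already set at that point; otherwise the endpoint directories would be created under a NULL parent. `dwc3_gadget_free_endpoints()` and `dwc3_gadget_init_endpoint()` both begin outside the hunks shown.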
@@ -0,0 +1,67 @@
+From d00889080ab60051627dab1d85831cd9db750e2a Mon Sep 17 00:00:00 2001
+From: Marian-Cristian Rotariu
+Date: Tue, 8 Jun 2021 19:26:50 +0300
+Subject: usb: dwc3: ep0: fix NULL pointer exception
+
+From: Marian-Cristian Rotariu
+
+commit d00889080ab60051627dab1d85831cd9db750e2a upstream.
+
+There is no validation of the index from dwc3_wIndex_to_dep() and we might
+be referring a non-existing ep and trigger a NULL pointer exception. In
+certain configurations we might use fewer eps and the index might wrongly
+indicate a larger ep index than existing.
+
+By adding this validation from the patch we can actually report a wrong
+index back to the caller.
+
+In our usecase we are using a composite device on an older kernel, but
+upstream might use this fix also. Unfortunately, I cannot describe the
+hardware for others to reproduce the issue as it is a proprietary
+implementation.
+
+[ 82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4
+[ 82.966891] Mem abort info:
+[ 82.969663] ESR = 0x96000006
+[ 82.972703] Exception class = DABT (current EL), IL = 32 bits
+[ 82.978603] SET = 0, FnV = 0
+[ 82.981642] EA = 0, S1PTW = 0
+[ 82.984765] Data abort info:
+[ 82.987631] ISV = 0, ISS = 0x00000006
+[ 82.991449] CM = 0, WnR = 0
+[ 82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc
+[ 83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000
+[ 83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP
+[ 83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c)
+[ 83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1
+[ 83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO)
+[ 83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c
+[ 83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94
+
+...
+
+[ 83.141788] Call trace:
+[ 83.144227] dwc3_ep0_handle_feature+0x414/0x43c
+[ 83.148823] dwc3_ep0_interrupt+0x3b4/0xc94
+[ 83.181546] ---[ end trace aac6b5267d84c32f ]---
+
+Signed-off-by: Marian-Cristian Rotariu
+Cc: stable
+Link: https://lore.kernel.org/r/20210608162650.58426-1-marian.c.rotariu@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/ep0.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/dwc3/ep0.c
++++ b/drivers/usb/dwc3/ep0.c
+@@ -292,6 +292,9 @@ static struct dwc3_ep *dwc3_wIndex_to_de
+ epnum |= 1;
+
+ dep = dwc->eps[epnum];
++ if (dep == NULL)
++ return NULL;
++
+ if (dep->flags & DWC3_EP_ENABLED)
+ return dep;
+
diff --git a/queue-5.12/usb-dwc3-gadget-bail-from-dwc3_gadget_exit-if-dwc-gadget-is-null.patch b/queue-5.12/usb-dwc3-gadget-bail-from-dwc3_gadget_exit-if-dwc-gadget-is-null.patch
new file mode 100644
index 00000000000..df6eb92ca8d
--- /dev/null
+++ b/queue-5.12/usb-dwc3-gadget-bail-from-dwc3_gadget_exit-if-dwc-gadget-is-null.patch
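Review bot: The added `if (dep == NULL) return NULL;` in dwc3_wIndex_to_dep() has no comment saying why a slot in `dwc->eps[]` can be empty, or that the index is derived from the host's control request. The computation of `epnum` sits above the hunk, so whether it is bounded to the size of `dwc->eps[]` cannot be confirmed from here; if the bound comes only from a mask, that deserves a line next to the lookup. I would add `/* wIndex comes from the host; slots past the configured endpoint count are NULL */` above the check. The function's callers are outside the hunk, so it is worth confirming each of them already treats a NULL return as a request error.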
@@ -0,0 +1,75 @@
+From 03715ea2e3dbbc56947137ce3b4ac18a726b2f87 Mon Sep 17 00:00:00 2001
+From: Jack Pham
+Date: Fri, 28 May 2021 09:04:05 -0700
+Subject: usb: dwc3: gadget: Bail from dwc3_gadget_exit() if dwc->gadget is NULL
+
+From: Jack Pham
+
+commit 03715ea2e3dbbc56947137ce3b4ac18a726b2f87 upstream.
+
+There exists a possible scenario in which dwc3_gadget_init() can fail:
+during during host -> peripheral mode switch in dwc3_set_mode(), and
+a pending gadget driver fails to bind. Then, if the DRD undergoes
+another mode switch from peripheral->host the resulting
+dwc3_gadget_exit() will attempt to reference an invalid and dangling
+dwc->gadget pointer as well as call dma_free_coherent() on unmapped
+DMA pointers.
+
+The exact scenario can be reproduced as follows:
+ - Start DWC3 in peripheral mode
+ - Configure ConfigFS gadget with FunctionFS instance (or use g_ffs)
+ - Run FunctionFS userspace application (open EPs, write descriptors, etc)
+ - Bind gadget driver to DWC3's UDC
+ - Switch DWC3 to host mode
+ => dwc3_gadget_exit() is called. usb_del_gadget() will put the
+ ConfigFS driver instance on the gadget_driver_pending_list
+ - Stop FunctionFS application (closes the ep files)
+ - Switch DWC3 to peripheral mode
+ => dwc3_gadget_init() fails as usb_add_gadget() calls
+ check_pending_gadget_drivers() and attempts to rebind the UDC
+ to the ConfigFS gadget but fails with -19 (-ENODEV) because the
+ FFS instance is not in FFS_ACTIVE state (userspace has not
+ re-opened and written the descriptors yet, i.e. desc_ready!=0).
+ - Switch DWC3 back to host mode
+ => dwc3_gadget_exit() is called again, but this time dwc->gadget
+ is invalid.
+
+Although it can be argued that userspace should take responsibility
+for ensuring that the FunctionFS application be ready prior to
+allowing the composite driver bind to the UDC, failure to do so
+should not result in a panic from the kernel driver.
+
+Fix this by setting dwc->gadget to NULL in the failure path of
+dwc3_gadget_init() and add a check to dwc3_gadget_exit() to bail out
+unless the gadget pointer is valid.
+
+Fixes: e81a7018d93a ("usb: dwc3: allocate gadget structure dynamically")
+Cc:
+Reviewed-by: Peter Chen
+Signed-off-by: Jack Pham
+Link: https://lore.kernel.org/r/20210528160405.17550-1-jackp@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/gadget.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -4012,6 +4012,7 @@ err5:
+ dwc3_gadget_free_endpoints(dwc);
+ err4:
+ usb_put_gadget(dwc->gadget);
++ dwc->gadget = NULL;
+ err3:
+ dma_free_coherent(dwc->sysdev, DWC3_BOUNCE_SIZE, dwc->bounce,
+ dwc->bounce_addr);
+@@ -4031,6 +4032,9 @@ err0:
+
+ void dwc3_gadget_exit(struct dwc3 *dwc)
+ {
++ if (!dwc->gadget)
++ return;
++
+ usb_del_gadget(dwc->gadget);
+ dwc3_gadget_free_endpoints(dwc);
+ usb_put_gadget(dwc->gadget);
diff --git a/queue-5.12/usb-dwc3-meson-g12a-disable-the-regulator-in-the-error-handling-path-of-the-probe.patch b/queue-5.12/usb-dwc3-meson-g12a-disable-the-regulator-in-the-error-handling-path-of-the-probe.patch
new file mode 100644
index 00000000000..9e04adb245a
--- /dev/null
+++ b/queue-5.12/usb-dwc3-meson-g12a-disable-the-regulator-in-the-error-handling-path-of-the-probe.patch
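Review bot: `dwc->gadget` is cleared only on the `err4` path of dwc3_gadget_init(), so the new `if (!dwc->gadget) return;` guard in dwc3_gadget_exit() is reliable only if every other place that drops the gadget reference also clears the pointer. The tail of dwc3_gadget_exit() is outside the hunk; if it does not reset the pointer after its own `usb_put_gadget(dwc->gadget)`, a later init that fails before the gadget is reallocated (presumably the `err0` to `err3` labels) would leave a stale non-NULL pointer and the guard would let the next exit through. I would add `dwc->gadget = NULL;` after that `usb_put_gadget()` call in the exit path as well, so the pointer is never left dangling between mode switches.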
@@ -0,0 +1,58 @@
+From 1d0d3d818eafe1963ec1eaf302175cd14938188e Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Fri, 21 May 2021 18:55:50 +0200
+Subject: usb: dwc3: meson-g12a: Disable the regulator in the error handling path of the probe
+
+From: Christophe JAILLET
+
+commit 1d0d3d818eafe1963ec1eaf302175cd14938188e upstream.
+
+If an error occurs after a successful 'regulator_enable()' call,
+'regulator_disable()' must be called.
+
+Fix the error handling path of the probe accordingly.
+
+The remove function doesn't need to be fixed, because the
+'regulator_disable()' call is already hidden in 'dwc3_meson_g12a_suspend()'
+which is called via 'pm_runtime_set_suspended()' in the remove function.
+
+Fixes: c99993376f72 ("usb: dwc3: Add Amlogic G12A DWC3 glue")
+Reviewed-by: Martin Blumenstingl
+Acked-by: Neil Armstrong
+Signed-off-by: Christophe JAILLET
+Link: https://lore.kernel.org/r/79df054046224bbb0716a8c5c2082650290eec86.1621616013.git.christophe.jaillet@wanadoo.fr
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/dwc3-meson-g12a.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/dwc3/dwc3-meson-g12a.c
++++ b/drivers/usb/dwc3/dwc3-meson-g12a.c
+@@ -775,13 +775,13 @@ static int dwc3_meson_g12a_probe(struct
+
+ ret = priv->drvdata->usb_init(priv);
+ if (ret)
+- goto err_disable_clks;
++ goto err_disable_regulator;
+
+ /* Init PHYs */
+ for (i = 0 ; i < PHY_COUNT ; ++i) {
+ ret = phy_init(priv->phys[i]);
+ if (ret)
+- goto err_disable_clks;
++ goto err_disable_regulator;
+ }
+
+ /* Set PHY Power */
+@@ -819,6 +819,10 @@ err_phys_exit:
+ for (i = 0 ; i < PHY_COUNT ; ++i)
+ phy_exit(priv->phys[i]);
+
++err_disable_regulator:
++ if (priv->vbus)
++ regulator_disable(priv->vbus);
++
+ err_disable_clks:
+ clk_bulk_disable_unprepare(priv->drvdata->num_clks,
+ priv->drvdata->clks);
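Review bot: A phy_init() failure at index i > 0 jumps to `err_disable_regulator`, which sits below `err_phys_exit`, so PHYs that were initialised in earlier loop iterations are never passed to phy_exit(). The commit only retargets the label (it was `err_disable_clks` before), so the gap predates it, but the unwind on the new side is still incomplete. Unwinding in place before the jump would close it: `while (--i >= 0) phy_exit(priv->phys[i]);` ahead of `goto err_disable_regulator;`. The probe function starts and ends outside the hunk, so the declaration of `i` (it would need to be signed for that loop) cannot be checked from here.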
diff --git a/queue-5.12/usb-dwc3-meson-g12a-fix-usb2-phy-glue-init-when-phy0-is-disabled.patch b/queue-5.12/usb-dwc3-meson-g12a-fix-usb2-phy-glue-init-when-phy0-is-disabled.patch
new file mode 100644
index 00000000000..54d52308b58
--- /dev/null
+++ b/queue-5.12/usb-dwc3-meson-g12a-fix-usb2-phy-glue-init-when-phy0-is-disabled.patch
@@ -0,0 +1,60 @@
+From 4d2aa178d2ad2fb156711113790dde13e9aa2376 Mon Sep 17 00:00:00 2001
+From: Neil Armstrong
+Date: Tue, 1 Jun 2021 10:48:30 +0200
+Subject: usb: dwc3-meson-g12a: fix usb2 PHY glue init when phy0 is disabled
+
+From: Neil Armstrong
+
+commit 4d2aa178d2ad2fb156711113790dde13e9aa2376 upstream.
+
+When only PHY1 is used (for example on Odroid-HC4), the regmap init code
+uses the usb2 ports when doesn't initialize the PHY1 regmap entry.
+
+This fixes:
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
+...
+pc : regmap_update_bits_base+0x40/0xa0
+lr : dwc3_meson_g12a_usb2_init_phy+0x4c/0xf8
+...
+Call trace:
+regmap_update_bits_base+0x40/0xa0
+dwc3_meson_g12a_usb2_init_phy+0x4c/0xf8
+dwc3_meson_g12a_usb2_init+0x7c/0xc8
+dwc3_meson_g12a_usb_init+0x28/0x48
+dwc3_meson_g12a_probe+0x298/0x540
+platform_probe+0x70/0xe0
+really_probe+0xf0/0x4d8
+driver_probe_device+0xfc/0x168
+...
+
+Fixes: 013af227f58a97 ("usb: dwc3: meson-g12a: handle the phy and glue registers separately")
+Reviewed-by: Martin Blumenstingl
+Signed-off-by: Neil Armstrong
+Cc: stable
+Link: https://lore.kernel.org/r/20210601084830.260196-1-narmstrong@baylibre.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/dwc3-meson-g12a.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/dwc3-meson-g12a.c
++++ b/drivers/usb/dwc3/dwc3-meson-g12a.c
+@@ -651,7 +651,7 @@ static int dwc3_meson_g12a_setup_regmaps
+ return PTR_ERR(priv->usb_glue_regmap);
+
+ /* Create a regmap for each USB2 PHY control register set */
+- for (i = 0; i < priv->usb2_ports; i++) {
++ for (i = 0; i < priv->drvdata->num_phys; i++) {
+ struct regmap_config u2p_regmap_config = {
+ .reg_bits = 8,
+ .val_bits = 32,
+@@ -659,6 +659,9 @@ static int dwc3_meson_g12a_setup_regmaps
+ .max_register = U2P_R1,
+ };
+
++ if (!strstr(priv->drvdata->phy_names[i], "usb2"))
++ continue;
++
+ u2p_regmap_config.name = devm_kasprintf(priv->dev, GFP_KERNEL,
+ "u2p-%d", i);
+ if (!u2p_regmap_config.name)
diff --git a/queue-5.12/usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch b/queue-5.12/usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch
new file mode 100644
index 00000000000..875b7e2fd02
--- /dev/null
+++ b/queue-5.12/usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch
@@ -0,0 +1,43 @@
+From 3370139745853f7826895293e8ac3aec1430508e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?=
+Date: Mon, 7 Jun 2021 17:53:44 -0700
+Subject: USB: f_ncm: ncm_bitrate (speed) is unsigned
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski
+
+commit 3370139745853f7826895293e8ac3aec1430508e upstream.
+
+[ 190.544755] configfs-gadget gadget: notify speed -44967296
+
+This is because 4250000000 - 2**32 is -44967296.
+
+Fixes: 9f6ce4240a2b ("usb: gadget: f_ncm.c added")
+Cc: Brooke Basile
+Cc: Bryan O'Donoghue
+Cc: Felipe Balbi
+Cc: Lorenzo Colitti
+Cc: Yauheni Kaliuta
+Cc: Linux USB Mailing List
+Acked-By: Lorenzo Colitti
+Signed-off-by: Maciej Żenczykowski
+Cc: stable
+Link: https://lore.kernel.org/r/20210608005344.3762668-1-zenczykowski@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_ncm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_ncm.c
++++ b/drivers/usb/gadget/function/f_ncm.c
+@@ -583,7 +583,7 @@ static void ncm_do_notify(struct f_ncm *
+ data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));
+ data[1] = data[0];
+
+- DBG(cdev, "notify speed %d\n", ncm_bitrate(cdev->gadget));
++ DBG(cdev, "notify speed %u\n", ncm_bitrate(cdev->gadget));
+ ncm->notify_state = NCM_NOTIFY_CONNECT;
+ break;
+ }
diff --git a/queue-5.12/usb-f_ncm-only-first-packet-of-aggregate-needs-to-start-timer.patch b/queue-5.12/usb-f_ncm-only-first-packet-of-aggregate-needs-to-start-timer.patch
new file mode 100644
index 00000000000..3aa2202815d
--- /dev/null
+++ b/queue-5.12/usb-f_ncm-only-first-packet-of-aggregate-needs-to-start-timer.patch 
@@ -0,0 +1,60 @@
+From 1958ff5ad2d4908b44a72bcf564dfe67c981e7fe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?=
+Date: Tue, 8 Jun 2021 01:54:38 -0700
+Subject: usb: f_ncm: only first packet of aggregate needs to start timer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski
+
+commit 1958ff5ad2d4908b44a72bcf564dfe67c981e7fe upstream.
+
+The reasoning for this change is that if we already had
+a packet pending, then we also already had a pending timer,
+and as such there is no need to reschedule it.
+
+This also prevents packets getting delayed 60 ms worst case
+under a tiny packet every 290us transmit load, by keeping the
+timeout always relative to the first queued up packet.
+(300us delay * 16KB max aggregation / 80 byte packet =~ 60 ms)
+
+As such the first packet is now at most delayed by 300us.
+
+Under low transmit load, this will simply result in us sending
+a shorter aggregate, as originally intended.
+
+This patch has the benefit of greatly reducing (by ~10 factor
+with 1500 byte frames aggregated into 16 kiB) the number of
+(potentially pretty costly) updates to the hrtimer.
+
+Cc: Brooke Basile
+Cc: Bryan O'Donoghue
+Cc: Felipe Balbi
+Cc: Lorenzo Colitti
+Signed-off-by: Maciej Żenczykowski
+Link: https://lore.kernel.org/r/20210608085438.813960-1-zenczykowski@gmail.com
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_ncm.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_ncm.c
++++ b/drivers/usb/gadget/function/f_ncm.c
+@@ -1101,11 +1101,11 @@ static struct sk_buff *ncm_wrap_ntb(stru
+ ncm->ndp_dgram_count = 1;
+
+ /* Note: we skip opts->next_ndp_index */
+- }
+
+- /* Delay the timer. */
+- hrtimer_start(&ncm->task_timer, TX_TIMEOUT_NSECS,
+- HRTIMER_MODE_REL_SOFT);
++ /* Start the timer. */
++ hrtimer_start(&ncm->task_timer, TX_TIMEOUT_NSECS,
++ HRTIMER_MODE_REL_SOFT);
++ }
+
+ /* Add the datagram position entries */
+ ntb_ndp = skb_put_zero(ncm->skb_tx_ndp, dgram_idx_len);
diff --git a/queue-5.12/usb-fix-various-gadget-panics-on-10gbps-cabling.patch b/queue-5.12/usb-fix-various-gadget-panics-on-10gbps-cabling.patch
new file mode 100644
index 00000000000..c1098a14732
--- /dev/null
+++ b/queue-5.12/usb-fix-various-gadget-panics-on-10gbps-cabling.patch
@@ -0,0 +1,67 @@
+From 032e288097a553db5653af552dd8035cd2a0ba96 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?=
+Date: Tue, 8 Jun 2021 19:44:59 -0700
+Subject: usb: fix various gadget panics on 10gbps cabling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski
+
+commit 032e288097a553db5653af552dd8035cd2a0ba96 upstream.
+
+usb_assign_descriptors() is called with 5 parameters,
+the last 4 of which are the usb_descriptor_header for:
+ full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps),
+ high-speed (USB2.0 - 480Mbps),
+ super-speed (USB3.0 - 5Gbps),
+ super-speed-plus (USB3.1 - 10Gbps).
+
+The differences between full/high/super-speed descriptors are usually
+substantial (due to changes in the maximum usb block size from 64 to 512
+to 1024 bytes and other differences in the specs), while the difference
+between 5 and 10Gbps descriptors may be as little as nothing
+(in many cases the same tuning is simply good enough).
+
+However if a gadget driver calls usb_assign_descriptors() with
+a NULL descriptor for super-speed-plus and is then used on a max 10gbps
+configuration, the kernel will crash with a null pointer dereference,
+when a 10gbps capable device port + cable + host port combination shows up.
+(This wouldn't happen if the gadget max-speed was set to 5gbps, but
+it of course defaults to the maximum, and there's no real reason to
+artificially limit it)
+
+The fix is to simply use the 5gbps descriptor as the 10gbps descriptor,
+if a 10gbps descriptor wasn't provided.
+
+Obviously this won't fix the problem if the 5gbps descriptor is also
+NULL, but such cases can't be so trivially solved (and any such gadgets
+are unlikely to be used with USB3 ports any way).
+
+Cc: Felipe Balbi
+Cc: Greg Kroah-Hartman
+Signed-off-by: Maciej Żenczykowski
+Cc: stable
+Link: https://lore.kernel.org/r/20210609024459.1126080-1-zenczykowski@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/config.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/gadget/config.c
++++ b/drivers/usb/gadget/config.c
+@@ -164,6 +164,14 @@ int usb_assign_descriptors(struct usb_fu
+ {
+ struct usb_gadget *g = f->config->cdev->gadget;
+
++ /* super-speed-plus descriptor falls back to super-speed one,
++ * if such a descriptor was provided, thus avoiding a NULL
++ * pointer dereference if a 5gbps capable gadget is used with
++ * a 10gbps capable config (device port + cable + host port)
++ */
++ if (!ssp)
++ ssp = ss;
++
+ if (fs) {
+ f->fs_descriptors = usb_copy_descriptors(fs);
+ if (!f->fs_descriptors)
diff --git a/queue-5.12/usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cabling.patch b/queue-5.12/usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cabling.patch
new file mode 100644
index 00000000000..6bdef0c2222
--- /dev/null
+++ b/queue-5.12/usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cabling.patch
@@ -0,0 +1,162 @@
+From 90c4d05780d47e14a50e11a7f17373104cd47d25 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?=
+Date: Mon, 7 Jun 2021 21:41:41 -0700
+Subject: usb: fix various gadgets null ptr deref on 10gbps cabling.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski
+
+commit 90c4d05780d47e14a50e11a7f17373104cd47d25 upstream.
+
+This avoids a null pointer dereference in
+f_{ecm,eem,hid,loopback,printer,rndis,serial,sourcesink,subset,tcm}
+by simply reusing the 5gbps config for 10gbps.
+
+Fixes: eaef50c76057 ("usb: gadget: Update usb_assign_descriptors for SuperSpeedPlus")
+Cc: Christophe JAILLET
+Cc: Felipe Balbi
+Cc: Gustavo A. R. Silva
+Cc: Lorenzo Colitti
+Cc: Martin K. Petersen
+Cc: Michael R Sweet
+Cc: Mike Christie
+Cc: Pawel Laszczak
+Cc: Peter Chen
+Cc: Sudhakar Panneerselvam
+Cc: Wei Ming Chen
+Cc: Will McVicker
+Cc: Zqiang
+Reviewed-By: Lorenzo Colitti
+Cc: stable
+Signed-off-by: Maciej Żenczykowski
+Link: https://lore.kernel.org/r/20210608044141.3898496-1-zenczykowski@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_ecm.c | 2 +-
+ drivers/usb/gadget/function/f_eem.c | 2 +-
+ drivers/usb/gadget/function/f_hid.c | 3 ++-
+ drivers/usb/gadget/function/f_loopback.c | 2 +-
+ drivers/usb/gadget/function/f_printer.c | 3 ++-
+ drivers/usb/gadget/function/f_rndis.c | 2 +-
+ drivers/usb/gadget/function/f_serial.c | 2 +-
+ drivers/usb/gadget/function/f_sourcesink.c | 3 ++-
+ drivers/usb/gadget/function/f_subset.c | 2 +-
+ drivers/usb/gadget/function/f_tcm.c | 3 ++-
+ 10 files changed, 14 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_ecm.c
++++ b/drivers/usb/gadget/function/f_ecm.c
+@@ -791,7 +791,7 @@ ecm_bind(struct usb_configuration *c, st
+ fs_ecm_notify_desc.bEndpointAddress;
+
+ status = usb_assign_descriptors(f, ecm_fs_function, ecm_hs_function,
+- ecm_ss_function, NULL);
++ ecm_ss_function, ecm_ss_function);
+ if (status)
+ goto fail;
+
+--- a/drivers/usb/gadget/function/f_eem.c
++++ b/drivers/usb/gadget/function/f_eem.c
+@@ -302,7 +302,7 @@ static int eem_bind(struct usb_configura
+ eem_ss_out_desc.bEndpointAddress = eem_fs_out_desc.bEndpointAddress;
+
+ status = usb_assign_descriptors(f, eem_fs_function, eem_hs_function,
+- eem_ss_function, NULL);
++ eem_ss_function, eem_ss_function);
+ if (status)
+ goto fail;
+
+--- a/drivers/usb/gadget/function/f_hid.c
++++ b/drivers/usb/gadget/function/f_hid.c
+@@ -802,7 +802,8 @@ static int hidg_bind(struct usb_configur
+ hidg_fs_out_ep_desc.bEndpointAddress;
+
+ status = usb_assign_descriptors(f, hidg_fs_descriptors,
+- hidg_hs_descriptors, hidg_ss_descriptors, NULL);
++ hidg_hs_descriptors, hidg_ss_descriptors,
++ hidg_ss_descriptors);
+ if (status)
+ goto fail;
+
+--- a/drivers/usb/gadget/function/f_loopback.c
++++ b/drivers/usb/gadget/function/f_loopback.c
+@@ -207,7 +207,7 @@ autoconf_fail:
+ ss_loop_sink_desc.bEndpointAddress = fs_loop_sink_desc.bEndpointAddress;
+
+ ret = usb_assign_descriptors(f, fs_loopback_descs, hs_loopback_descs,
+- ss_loopback_descs, NULL);
++ ss_loopback_descs, ss_loopback_descs);
+ if (ret)
+ return ret;
+
+--- a/drivers/usb/gadget/function/f_printer.c
++++ b/drivers/usb/gadget/function/f_printer.c
+@@ -1101,7 +1101,8 @@ autoconf_fail:
+ ss_ep_out_desc.bEndpointAddress = fs_ep_out_desc.bEndpointAddress;
+
+ ret = usb_assign_descriptors(f, fs_printer_function,
+- hs_printer_function, ss_printer_function, NULL);
++ hs_printer_function, ss_printer_function,
++ ss_printer_function);
+ if (ret)
+ return ret;
+
+--- a/drivers/usb/gadget/function/f_rndis.c
++++ b/drivers/usb/gadget/function/f_rndis.c
+@@ -789,7 +789,7 @@ rndis_bind(struct usb_configuration *c,
+ ss_notify_desc.bEndpointAddress = fs_notify_desc.bEndpointAddress;
+
+ status = usb_assign_descriptors(f, eth_fs_function, eth_hs_function,
+- eth_ss_function, NULL);
++ eth_ss_function, eth_ss_function);
+ if (status)
+ goto fail;
+
+--- a/drivers/usb/gadget/function/f_serial.c
++++ b/drivers/usb/gadget/function/f_serial.c
+@@ -233,7 +233,7 @@ static int gser_bind(struct usb_configur
+ gser_ss_out_desc.bEndpointAddress = gser_fs_out_desc.bEndpointAddress;
+
+ status = usb_assign_descriptors(f, gser_fs_function, gser_hs_function,
+- gser_ss_function, NULL);
++ gser_ss_function, gser_ss_function);
+ if (status)
+ goto fail;
+ dev_dbg(&cdev->gadget->dev, "generic ttyGS%d: %s speed IN/%s OUT/%s\n",
+--- a/drivers/usb/gadget/function/f_sourcesink.c
++++ b/drivers/usb/gadget/function/f_sourcesink.c
+@@ -431,7 +431,8 @@ no_iso:
+ ss_iso_sink_desc.bEndpointAddress = fs_iso_sink_desc.bEndpointAddress;
+
+ ret = usb_assign_descriptors(f, fs_source_sink_descs,
+- hs_source_sink_descs, ss_source_sink_descs, NULL);
++ hs_source_sink_descs, ss_source_sink_descs,
++ ss_source_sink_descs);
+ if (ret)
+ return ret;
+
+--- a/drivers/usb/gadget/function/f_subset.c
++++ b/drivers/usb/gadget/function/f_subset.c
+@@ -358,7 +358,7 @@ geth_bind(struct usb_configuration *c, s
+ fs_subset_out_desc.bEndpointAddress;
+
+ status = usb_assign_descriptors(f, fs_eth_function, hs_eth_function,
+- ss_eth_function, NULL);
++ ss_eth_function, ss_eth_function);
+ if (status)
+ goto fail;
+
+--- a/drivers/usb/gadget/function/f_tcm.c
++++ b/drivers/usb/gadget/function/f_tcm.c
+@@ -2061,7 +2061,8 @@ static int tcm_bind(struct usb_configura
+ uasp_fs_cmd_desc.bEndpointAddress = uasp_ss_cmd_desc.bEndpointAddress;
+
+ ret = usb_assign_descriptors(f, uasp_fs_function_desc,
+- uasp_hs_function_desc, uasp_ss_function_desc, NULL);
++ uasp_hs_function_desc, uasp_ss_function_desc,
++ uasp_ss_function_desc);
+ if (ret)
+ goto ep_fail;
+
diff --git a/queue-5.12/usb-gadget-eem-fix-wrong-eem-header-operation.patch b/queue-5.12/usb-gadget-eem-fix-wrong-eem-header-operation.patch
new file mode 100644
index 00000000000..f1210f84335
--- /dev/null
+++ b/queue-5.12/usb-gadget-eem-fix-wrong-eem-header-operation.patch
@@ -0,0 +1,41 @@
+From 305f670846a31a261462577dd0b967c4fa796871 Mon Sep 17 00:00:00 2001
+From: Linyu Yuan
+Date: Wed, 9 Jun 2021 07:35:47 +0800
+Subject: usb: gadget: eem: fix wrong eem header operation
+
+From: Linyu Yuan
+
+commit 305f670846a31a261462577dd0b967c4fa796871 upstream.
+
+when skb_clone() or skb_copy_expand() fail,
+it should pull skb with lengh indicated by header,
+or not it will read network data and check it as header.
+
+Cc:
+Signed-off-by: Linyu Yuan
+Link: https://lore.kernel.org/r/20210608233547.3767-1-linyyuan@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_eem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_eem.c
++++ b/drivers/usb/gadget/function/f_eem.c
+@@ -495,7 +495,7 @@ static int eem_unwrap(struct gether *por
+ skb2 = skb_clone(skb, GFP_ATOMIC);
+ if (unlikely(!skb2)) {
+ DBG(cdev, "unable to unframe EEM packet\n");
+- continue;
++ goto next;
+ }
+ skb_trim(skb2, len - ETH_FCS_LEN);
+
+@@ -505,7 +505,7 @@ static int eem_unwrap(struct gether *por
+ GFP_ATOMIC);
+ if (unlikely(!skb3)) {
+ dev_kfree_skb_any(skb2);
+- continue;
++ goto next;
+ }
+ dev_kfree_skb_any(skb2);
+ skb_queue_tail(list, skb3);
diff --git a/queue-5.12/usb-gadget-f_fs-ensure-io_completion_wq-is-idle-during-unbind.patch b/queue-5.12/usb-gadget-f_fs-ensure-io_completion_wq-is-idle-during-unbind.patch
new file mode 100644
index 00000000000..0cb024ce823
--- /dev/null
+++ b/queue-5.12/usb-gadget-f_fs-ensure-io_completion_wq-is-idle-during-unbind.patch
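Review bot: The two `goto next;` replacements in eem_unwrap() carry no comment explaining why `continue` was wrong, and the reason is easy to lose: on an allocation failure the current frame's payload must still be skipped, otherwise the loop parses packet data from the peer as the next EEM header. I would put `/* skip this frame's payload so it is not parsed as an EEM header */` above each `goto next;`. The `next:` label and the validation of `len` are outside the hunk, so it is worth confirming that `len` has been checked against the remaining skb length before the code at that label consumes it. The skb_copy_expand() failure path also logs nothing, unlike the skb_clone() one; a matching `DBG()` line would make those drops visible.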
@@ -0,0 +1,42 @@
+From 6fc1db5e6211e30fbb1cee8d7925d79d4ed2ae14 Mon Sep 17 00:00:00 2001
+From: Wesley Cheng
+Date: Fri, 21 May 2021 17:44:21 -0700
+Subject: usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind
+
+From: Wesley Cheng
+
+commit 6fc1db5e6211e30fbb1cee8d7925d79d4ed2ae14 upstream.
+
+During unbind, ffs_func_eps_disable() will be executed, resulting in
+completion callbacks for any pending USB requests. When using AIO,
+irrespective of the completion status, io_data work is queued to
+io_completion_wq to evaluate and handle the completed requests. Since
+work runs asynchronously to the unbind() routine, there can be a
+scenario where the work runs after the USB gadget has been fully
+removed, resulting in accessing of a resource which has been already
+freed. (i.e. usb_ep_free_request() accessing the USB ep structure)
+
+Explicitly drain the io_completion_wq, instead of relying on the
+destroy_workqueue() (in ffs_data_put()) to make sure no pending
+completion work items are running.
+
+Signed-off-by: Wesley Cheng
+Cc: stable
+Link: https://lore.kernel.org/r/1621644261-1236-1-git-send-email-wcheng@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_fs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -3567,6 +3567,9 @@ static void ffs_func_unbind(struct usb_c
+ ffs->func = NULL;
+ }
+
++ /* Drain any pending AIO completions */
++ drain_workqueue(ffs->io_completion_wq);
++
+ if (!--opts->refcnt)
+ functionfs_unbind(ffs);
+
diff --git a/queue-5.12/usb-misc-brcmstb-usb-pinmap-check-return-value-after-calling-platform_get_resource.patch b/queue-5.12/usb-misc-brcmstb-usb-pinmap-check-return-value-after-calling-platform_get_resource.patch
new file mode 100644
index 00000000000..d8f88a4afd7
--- /dev/null
+++ b/queue-5.12/usb-misc-brcmstb-usb-pinmap-check-return-value-after-calling-platform_get_resource.patch
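Review bot: The comment `/* Drain any pending AIO completions */` in ffs_func_unbind() says what the call does but not why it has to run at this point, ahead of the `functionfs_unbind(ffs)` branch. Per the commit message the queued work can touch endpoint and request state that unbind frees, so the ordering is the fix; I would expand the comment to `/* Drain pending AIO completions: the work items use ep/request state that is freed below */`. drain_workqueue() waits only for work that is already queued, so this relies on the endpoints having been disabled earlier in the function, which is outside the hunk. It also assumes `ffs->io_completion_wq` is always allocated by the time unbind runs; that allocation is not visible here.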
@@ -0,0 +1,32 @@
+From fbf649cd6d64d40c03c5397ecd6b1ae922ba7afc Mon Sep 17 00:00:00 2001
+From: Yang Yingliang
+Date: Sat, 5 Jun 2021 16:09:14 +0800
+Subject: usb: misc: brcmstb-usb-pinmap: check return value after calling platform_get_resource()
+
+From: Yang Yingliang
+
+commit fbf649cd6d64d40c03c5397ecd6b1ae922ba7afc upstream.
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Fixes: 517c4c44b323 ("usb: Add driver to allow any GPIO to be used for 7211 USB signals")
+Cc: stable
+Signed-off-by: Yang Yingliang
+Link: https://lore.kernel.org/r/20210605080914.2057758-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/misc/brcmstb-usb-pinmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/misc/brcmstb-usb-pinmap.c
++++ b/drivers/usb/misc/brcmstb-usb-pinmap.c
+@@ -263,6 +263,8 @@ static int __init brcmstb_usb_pinmap_pro
+ return -EINVAL;
+
+ r = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!r)
++ return -EINVAL;
+
+ pdata = devm_kzalloc(&pdev->dev,
+ sizeof(*pdata) +
diff --git a/queue-5.12/usb-musb-fix-musb_quirk_b_disconnect_99-handling.patch b/queue-5.12/usb-musb-fix-musb_quirk_b_disconnect_99-handling.patch
new file mode 100644
index 00000000000..734b25c3bd2
--- /dev/null
+++ b/queue-5.12/usb-musb-fix-musb_quirk_b_disconnect_99-handling.patch
@@ -0,0 +1,59 @@
+From b65ba0c362be665192381cc59e3ac3ef6f0dd1e1 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni
+Date: Fri, 28 May 2021 16:04:46 +0200
+Subject: usb: musb: fix MUSB_QUIRK_B_DISCONNECT_99 handling
+
+From: Thomas Petazzoni
+
+commit b65ba0c362be665192381cc59e3ac3ef6f0dd1e1 upstream.
+
+In commit 92af4fc6ec33 ("usb: musb: Fix suspend with devices
+connected for a64"), the logic to support the
+MUSB_QUIRK_B_DISCONNECT_99 quirk was modified to only conditionally
+schedule the musb->irq_work delayed work.
+
+This commit badly breaks ECM Gadget on AM335X. Indeed, with this
+commit, one can observe massive packet loss:
+
+$ ping 192.168.0.100
+...
+15 packets transmitted, 3 received, 80% packet loss, time 14316ms
+
+Reverting this commit brings back a properly functioning ECM
+Gadget. An analysis of the commit seems to indicate that a mistake was
+made: the previous code was not falling through into the
+MUSB_QUIRK_B_INVALID_VBUS_91, but now it is, unless the condition is
+taken.
+
+Changing the logic to be as it was before the problematic commit *and*
+only conditionally scheduling musb->irq_work resolves the regression:
+
+$ ping 192.168.0.100
+...
+64 packets transmitted, 64 received, 0% packet loss, time 64475ms
+
+Fixes: 92af4fc6ec33 ("usb: musb: Fix suspend with devices connected for a64")
+Cc: stable@vger.kernel.org
+Tested-by: Alexandre Belloni
+Tested-by: Drew Fustini
+Acked-by: Tony Lindgren
+Signed-off-by: Thomas Petazzoni
+Link: https://lore.kernel.org/r/20210528140446.278076-1-thomas.petazzoni@bootlin.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/musb/musb_core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/usb/musb/musb_core.c
++++ b/drivers/usb/musb/musb_core.c
+@@ -2009,9 +2009,8 @@ static void musb_pm_runtime_check_sessio
+ schedule_delayed_work(&musb->irq_work,
+ msecs_to_jiffies(1000));
+ musb->quirk_retries--;
+- break;
+ }
+- fallthrough;
++ break;
+ case MUSB_QUIRK_B_INVALID_VBUS_91:
+ if (musb->quirk_retries && !musb->flush_irq_work) {
+ musb_dbg(musb,
diff --git a/queue-5.12/usb-pci-quirks-disable-d3cold-on-xhci-suspend-for-s2idle-on-amd-renoir.patch b/queue-5.12/usb-pci-quirks-disable-d3cold-on-xhci-suspend-for-s2idle-on-amd-renoir.patch
new file mode 100644
index 00000000000..d25ff4fc571
--- /dev/null
+++ b/queue-5.12/usb-pci-quirks-disable-d3cold-on-xhci-suspend-for-s2idle-on-amd-renoir.patch
@@ -0,0 +1,67 @@
+From d1658268e43980c071dbffc3d894f6f6c4b6732a Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Thu, 27 May 2021 10:45:34 -0500
+Subject: usb: pci-quirks: disable D3cold on xhci suspend for s2idle on AMD Renoir
+
+From: Mario Limonciello
+
+commit d1658268e43980c071dbffc3d894f6f6c4b6732a upstream.
+
+The XHCI controller is required to enter D3hot rather than D3cold for AMD
+s2idle on this hardware generation.
+
+Otherwise, the 'Controller Not Ready' (CNR) bit is not being cleared by
+host in resume and eventually this results in xhci resume failures during
+the s2idle wakeup.
+
+Link: https://lore.kernel.org/linux-usb/1612527609-7053-1-git-send-email-Prike.Liang@amd.com/
+Suggested-by: Prike Liang
+Signed-off-by: Mario Limonciello
+Cc: stable # 5.11+
+Link: https://lore.kernel.org/r/20210527154534.8900-1-mario.limonciello@amd.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-pci.c | 7 ++++++-
+ drivers/usb/host/xhci.h | 1 +
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -59,6 +59,7 @@
+ #define PCI_DEVICE_ID_INTEL_MAPLE_RIDGE_XHCI 0x1138
+ #define PCI_DEVICE_ID_INTEL_ALDER_LAKE_XHCI 0x461e
+
++#define PCI_DEVICE_ID_AMD_RENOIR_XHCI 0x1639
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_4 0x43b9
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_3 0x43ba
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_2 0x43bb
+@@ -182,6 +183,10 @@ static void xhci_pci_quirks(struct devic
+ (pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_1)))
+ xhci->quirks |= XHCI_U2_DISABLE_WAKE;
+
++ if (pdev->vendor == PCI_VENDOR_ID_AMD &&
++ pdev->device == PCI_DEVICE_ID_AMD_RENOIR_XHCI)
++ xhci->quirks |= XHCI_BROKEN_D3COLD;
++
+ if (pdev->vendor == PCI_VENDOR_ID_INTEL) {
+ xhci->quirks |= XHCI_LPM_SUPPORT;
+ xhci->quirks |= XHCI_INTEL_HOST;
+@@ -539,7 +544,7 @@ static int xhci_pci_suspend(struct usb_h
+ * Systems with the TI redriver that loses port status change events
+ * need to have the registers polled during D3, so avoid D3cold.
+ */
+- if (xhci->quirks & XHCI_COMP_MODE_QUIRK)
++ if (xhci->quirks & (XHCI_COMP_MODE_QUIRK | XHCI_BROKEN_D3COLD))
+ pci_d3cold_disable(pdev);
+
+ if (xhci->quirks & XHCI_PME_STUCK_QUIRK)
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1892,6 +1892,7 @@ struct xhci_hcd {
+ #define XHCI_DISABLE_SPARSE BIT_ULL(38)
+ #define XHCI_SG_TRB_CACHE_SIZE_QUIRK BIT_ULL(39)
+ #define XHCI_NO_SOFT_RETRY BIT_ULL(40)
++#define XHCI_BROKEN_D3COLD BIT_ULL(41)
+
+ unsigned int num_active_eps;
+ unsigned int limit_active_eps;
diff --git a/queue-5.12/usb-pd-set-pd_t_sink_wait_cap-to-310ms.patch b/queue-5.12/usb-pd-set-pd_t_sink_wait_cap-to-310ms.patch
new file mode 100644
index 00000000000..1e941870222
--- /dev/null
+++ b/queue-5.12/usb-pd-set-pd_t_sink_wait_cap-to-310ms.patch
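Review bot: The comment above `if (xhci->quirks & (XHCI_COMP_MODE_QUIRK | XHCI_BROKEN_D3COLD))` in xhci_pci_suspend still explains only the TI redriver case, so the code no longer says why the second flag also disables D3cold. Adding a line such as `* Controllers flagged XHCI_BROKEN_D3COLD (AMD Renoir) fail to resume from s2idle after D3cold.` would record the reason the commit message gives. The new `XHCI_BROKEN_D3COLD` define in xhci.h could carry the same short remark. The body of xhci_pci_suspend continues outside the hunk.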
@@ -0,0 +1,35 @@
+From 6490fa565534fa83593278267785a694fd378a2b Mon Sep 17 00:00:00 2001
+From: Kyle Tso
+Date: Fri, 28 May 2021 16:16:13 +0800
+Subject: usb: pd: Set PD_T_SINK_WAIT_CAP to 310ms
+
+From: Kyle Tso
+
+commit 6490fa565534fa83593278267785a694fd378a2b upstream.
+
+Current timer PD_T_SINK_WAIT_CAP is set to 240ms which will violate the
+SinkWaitCapTimer (tTypeCSinkWaitCap 310 - 620 ms) defined in the PD
+Spec if the port is faster enough when running the state machine. Set it
+to the lower bound 310ms to ensure the timeout is in Spec.
+
+Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)")
+Cc: stable
+Reviewed-by: Guenter Roeck
+Signed-off-by: Kyle Tso
+Link: https://lore.kernel.org/r/20210528081613.730661-1-kyletso@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/usb/pd.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/usb/pd.h
++++ b/include/linux/usb/pd.h
+@@ -460,7 +460,7 @@ static inline unsigned int rdo_max_power
+ #define PD_T_RECEIVER_RESPONSE 15 /* 15ms max */
+ #define PD_T_SOURCE_ACTIVITY 45
+ #define PD_T_SINK_ACTIVITY 135
+-#define PD_T_SINK_WAIT_CAP 240
++#define PD_T_SINK_WAIT_CAP 310 /* 310 - 620 ms */
+ #define PD_T_PS_TRANSITION 500
+ #define PD_T_SRC_TRANSITION 35
+ #define PD_T_DRP_SNK 40
diff --git a/queue-5.12/usb-serial-cp210x-fix-alternate-function-for-cp2102n-qfn20.patch b/queue-5.12/usb-serial-cp210x-fix-alternate-function-for-cp2102n-qfn20.patch
new file mode 100644
index 00000000000..464c3fcdc36
--- /dev/null
+++ b/queue-5.12/usb-serial-cp210x-fix-alternate-function-for-cp2102n-qfn20.patch
@@ -0,0 +1,63 @@
+From 6f7ec77cc8b64ff5037c1945e4650c65c458037d Mon Sep 17 00:00:00 2001
+From: Stefan Agner
+Date: Fri, 28 May 2021 22:39:31 +0200
+Subject: USB: serial: cp210x: fix alternate function for CP2102N QFN20
+
+From: Stefan Agner
+
+commit 6f7ec77cc8b64ff5037c1945e4650c65c458037d upstream.
+
+The QFN20 part has a different GPIO/port function assignment. The
+configuration struct bit field ordered as TX/RX/RS485/WAKEUP/CLK
+which exactly matches GPIO0-3 for QFN24/28. However, QFN20 has a
+different GPIO to primary function assignment.
+
+Special case QFN20 to follow to properly detect which GPIOs are
+available.
+
+Signed-off-by: Stefan Agner
+Link: https://lore.kernel.org/r/51830b2b24118eb0f77c5c9ac64ffb2f519dbb1d.1622218300.git.stefan@agner.ch
+Fixes: c8acfe0aadbe ("USB: serial: cp210x: implement GPIO support for CP2102N")
+Cc: stable@vger.kernel.org # 4.19
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/cp210x.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -537,6 +537,12 @@ struct cp210x_single_port_config {
+ #define CP210X_2NCONFIG_GPIO_RSTLATCH_IDX 587
+ #define CP210X_2NCONFIG_GPIO_CONTROL_IDX 600
+
++/* CP2102N QFN20 port configuration values */
++#define CP2102N_QFN20_GPIO2_TXLED_MODE BIT(2)
++#define CP2102N_QFN20_GPIO3_RXLED_MODE BIT(3)
++#define CP2102N_QFN20_GPIO1_RS485_MODE BIT(4)
++#define CP2102N_QFN20_GPIO0_CLK_MODE BIT(6)
++
+ /* CP210X_VENDOR_SPECIFIC, CP210X_WRITE_LATCH call writes these 0x2 bytes. */
+ struct cp210x_gpio_write {
+ u8 mask;
+@@ -1726,7 +1732,19 @@ static int cp2102n_gpioconf_init(struct
+ priv->gpio_pushpull = (gpio_pushpull >> 3) & 0x0f;
+
+ /* 0 indicates GPIO mode, 1 is alternate function */
+- priv->gpio_altfunc = (gpio_ctrl >> 2) & 0x0f;
++ if (priv->partnum == CP210X_PARTNUM_CP2102N_QFN20) {
++ /* QFN20 is special... */
++ if (gpio_ctrl & CP2102N_QFN20_GPIO0_CLK_MODE) /* GPIO 0 */
++ priv->gpio_altfunc |= BIT(0);
++ if (gpio_ctrl & CP2102N_QFN20_GPIO1_RS485_MODE) /* GPIO 1 */
++ priv->gpio_altfunc |= BIT(1);
++ if (gpio_ctrl & CP2102N_QFN20_GPIO2_TXLED_MODE) /* GPIO 2 */
++ priv->gpio_altfunc |= BIT(2);
++ if (gpio_ctrl & CP2102N_QFN20_GPIO3_RXLED_MODE) /* GPIO 3 */
++ priv->gpio_altfunc |= BIT(3);
++ } else {
++ priv->gpio_altfunc = (gpio_ctrl >> 2) & 0x0f;
++ }
+
+ if (priv->partnum == CP210X_PARTNUM_CP2102N_QFN28) {
+ /*
diff --git a/queue-5.12/usb-serial-cp210x-fix-cp2102n-a01-modem-control.patch b/queue-5.12/usb-serial-cp210x-fix-cp2102n-a01-modem-control.patch
new file mode 100644
index 00000000000..5d6c6edf416
--- /dev/null
+++ b/queue-5.12/usb-serial-cp210x-fix-cp2102n-a01-modem-control.patch
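Review bot: In the new QFN20 branch of cp2102n_gpioconf_init, `priv->gpio_altfunc` is only OR-ed into (`|= BIT(n)`), while the `else` branch assigns it, so the QFN20 result depends on the field being zero beforehand. Where `priv` is allocated is not visible in this hunk; if zero-initialisation is guaranteed, a short comment saying so is enough, otherwise add `priv->gpio_altfunc = 0;` at the top of the branch. Building the mask in a local variable and assigning it once would also make the two branches read the same way. The function body starts and ends outside the hunk.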
@@ -0,0 +1,164 @@
+From 63a8eef70ccb5199534dec56fed9759d214bfe55 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 9 Jun 2021 18:15:09 +0200
+Subject: USB: serial: cp210x: fix CP2102N-A01 modem control
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Johan Hovold
+
+commit 63a8eef70ccb5199534dec56fed9759d214bfe55 upstream.
+
+CP2102N revision A01 (firmware version <= 1.0.4) has a buggy
+flow-control implementation that uses the ulXonLimit instead of
+ulFlowReplace field of the flow-control settings structure (erratum
+CP2102N_E104).
+
+A recent change that set the input software flow-control limits
+incidentally broke RTS control for these devices when CRTSCTS is not set
+as the new limits would always enable hardware flow control.
+
+Fix this by explicitly disabling flow control for the buggy firmware
+versions and only updating the input software flow-control limits when
+IXOFF is requested. This makes sure that the terminal settings matches
+the default zero ulXonLimit (ulFlowReplace) for these devices.
+
+Link: https://lore.kernel.org/r/20210609161509.9459-1-johan@kernel.org
+Reported-by: David Frey
+Reported-by: Alex Villacís Lasso
+Tested-by: Alex Villacís Lasso
+Fixes: f61309d9c96a ("USB: serial: cp210x: set IXOFF thresholds")
+Cc: stable@vger.kernel.org # 5.12
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/cp210x.c | 64 ++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 59 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -252,9 +252,11 @@ struct cp210x_serial_private {
+ u8 gpio_input;
+ #endif
+ u8 partnum;
++ u32 fw_version;
+ speed_t min_speed;
+ speed_t max_speed;
+ bool use_actual_rate;
++ bool no_flow_control;
+ };
+
+ enum cp210x_event_state {
+@@ -398,6 +400,7 @@ struct cp210x_special_chars {
+
+ /* CP210X_VENDOR_SPECIFIC values */
+ #define CP210X_READ_2NCONFIG 0x000E
++#define CP210X_GET_FW_VER_2N 0x0010
+ #define CP210X_READ_LATCH 0x00C2
+ #define CP210X_GET_PARTNUM 0x370B
+ #define CP210X_GET_PORTCONFIG 0x370C
+@@ -1128,6 +1131,7 @@ static bool cp210x_termios_change(const
+ static void cp210x_set_flow_control(struct tty_struct *tty,
+ struct usb_serial_port *port, struct ktermios *old_termios)
+ {
++ struct cp210x_serial_private *priv = usb_get_serial_data(port->serial);
+ struct cp210x_port_private *port_priv = usb_get_serial_port_data(port);
+ struct cp210x_special_chars chars;
+ struct cp210x_flow_ctl flow_ctl;
+@@ -1135,6 +1139,15 @@ static void cp210x_set_flow_control(stru
+ u32 ctl_hs;
+ int ret;
+
++ /*
++ * Some CP2102N interpret ulXonLimit as ulFlowReplace (erratum
++ * CP2102N_E104). Report back that flow control is not supported.
++ */
++ if (priv->no_flow_control) {
++ tty->termios.c_cflag &= ~CRTSCTS;
++ tty->termios.c_iflag &= ~(IXON | IXOFF);
++ }
++
+ if (old_termios &&
+ C_CRTSCTS(tty) == (old_termios->c_cflag & CRTSCTS) &&
+ I_IXON(tty) == (old_termios->c_iflag & IXON) &&
+@@ -1191,19 +1204,20 @@ static void cp210x_set_flow_control(stru
+ port_priv->crtscts = false;
+ }
+
+- if (I_IXOFF(tty))
++ if (I_IXOFF(tty)) {
+ flow_repl |= CP210X_SERIAL_AUTO_RECEIVE;
+- else
++
++ flow_ctl.ulXonLimit = cpu_to_le32(128);
++ flow_ctl.ulXoffLimit = cpu_to_le32(128);
++ } else {
+ flow_repl &= ~CP210X_SERIAL_AUTO_RECEIVE;
++ }
+
+ if (I_IXON(tty))
+ flow_repl |= CP210X_SERIAL_AUTO_TRANSMIT;
+ else
+ flow_repl &= ~CP210X_SERIAL_AUTO_TRANSMIT;
+
+- flow_ctl.ulXonLimit = cpu_to_le32(128);
+- flow_ctl.ulXoffLimit = cpu_to_le32(128);
+-
+ dev_dbg(&port->dev, "%s - ctrl = 0x%02x, flow = 0x%02x\n", __func__,
+ ctl_hs, flow_repl);
+
+@@ -1919,6 +1933,45 @@ static void cp210x_init_max_speed(struct
+ priv->use_actual_rate = use_actual_rate;
+ }
+
++static int cp210x_get_fw_version(struct usb_serial *serial, u16 value)
++{
++ struct cp210x_serial_private *priv = usb_get_serial_data(serial);
++ u8 ver[3];
++ int ret;
++
++ ret = cp210x_read_vendor_block(serial, REQTYPE_DEVICE_TO_HOST, value,
++ ver, sizeof(ver));
++ if (ret)
++ return ret;
++
++ dev_dbg(&serial->interface->dev, "%s - %d.%d.%d\n", __func__,
++ ver[0], ver[1], ver[2]);
++
++ priv->fw_version = ver[0] << 16 | ver[1] << 8 | ver[2];
++
++ return 0;
++}
++
++static void cp210x_determine_quirks(struct usb_serial *serial)
++{
++ struct cp210x_serial_private *priv = usb_get_serial_data(serial);
++ int ret;
++
++ switch (priv->partnum) {
++ case CP210X_PARTNUM_CP2102N_QFN28:
++ case CP210X_PARTNUM_CP2102N_QFN24:
++ case CP210X_PARTNUM_CP2102N_QFN20:
++ ret = cp210x_get_fw_version(serial, CP210X_GET_FW_VER_2N);
++ if (ret)
++ break;
++ if (priv->fw_version <= 0x10004)
++ priv->no_flow_control = true;
++ break;
++ default:
++ break;
++ }
++}
++
+ static int cp210x_attach(struct usb_serial *serial)
+ {
+ int result;
+@@ -1939,6 +1992,7 @@ static int cp210x_attach(struct usb_seri
+
+ usb_set_serial_data(serial, priv);
+
++ cp210x_determine_quirks(serial);
+ cp210x_init_max_speed(serial);
+
+ result = cp210x_gpio_init(serial);
diff --git a/queue-5.12/usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch b/queue-5.12/usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch
new file mode 100644
index 00000000000..ffd6ba833b6
--- /dev/null
+++ b/queue-5.12/usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch
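Review bot: In cp210x_determine_quirks the comparison `priv->fw_version <= 0x10004` uses an unexplained literal, and a failed cp210x_get_fw_version() silently leaves `no_flow_control` false. A comment such as `/* firmware <= 1.0.4 (revision A01) is affected by erratum CP2102N_E104 */` would tie the constant to the packing `ver[0] << 16 | ver[1] << 8 | ver[2]` done in cp210x_get_fw_version. For the error path, consider a `dev_warn()` before the `break`, or a comment stating that the read helper already logs the failure (its body is not visible here), so that an affected device whose version query fails can be diagnosed; as written it is presumably treated as unaffected.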
@@ -0,0 +1,40 @@
+From bc96c72df33ee81b24d87eab953c73f7bcc04f29 Mon Sep 17 00:00:00 2001
+From: George McCollister
+Date: Thu, 3 Jun 2021 19:32:08 -0500
+Subject: USB: serial: ftdi_sio: add NovaTech OrionMX product ID
+
+From: George McCollister
+
+commit bc96c72df33ee81b24d87eab953c73f7bcc04f29 upstream.
+
+Add PID for the NovaTech OrionMX so it can be automatically detected.
+
+Signed-off-by: George McCollister
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/ftdi_sio.c | 1 +
+ drivers/usb/serial/ftdi_sio_ids.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -611,6 +611,7 @@ static const struct usb_device_id id_tab
+ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) },
++ { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONMX_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_SYNAPSE_SS200_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX2_PID) },
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -581,6 +581,7 @@
+ #define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */
+ #define FTDI_NT_ORIONLX_PLUS_PID 0x7c91 /* OrionLX+ Substation Automation Platform */
+ #define FTDI_NT_ORION_IO_PID 0x7c92 /* Orion I/O */
++#define FTDI_NT_ORIONMX_PID 0x7c93 /* OrionMX */
+
+ /*
+ * Synapse Wireless product ids (FTDI_VID)
diff --git a/queue-5.12/usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch b/queue-5.12/usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch
new file mode 100644
index 00000000000..a113fdecf04
--- /dev/null
+++ b/queue-5.12/usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch
@@ -0,0 +1,48 @@
+From fc0b3dc9a11771c3919eaaaf9d649138b095aa0f Mon Sep 17 00:00:00 2001
+From: Alexandre GRIVEAUX
+Date: Sun, 23 May 2021 18:35:21 +0200
+Subject: USB: serial: omninet: add device id for Zyxel Omni 56K Plus
+
+From: Alexandre GRIVEAUX
+
+commit fc0b3dc9a11771c3919eaaaf9d649138b095aa0f upstream.
+
+Add device id for Zyxel Omni 56K Plus modem, this modem include:
+
+USB chip:
+NetChip
+NET2888
+
+Main chip:
+901041A
+F721501APGF
+
+Another modem using the same chips is the Zyxel Omni 56K DUO/NEO,
+could be added with the right USB ID.
+
+Signed-off-by: Alexandre GRIVEAUX
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/omninet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/omninet.c
++++ b/drivers/usb/serial/omninet.c
+@@ -26,6 +26,7 @@
+
+ #define ZYXEL_VENDOR_ID 0x0586
+ #define ZYXEL_OMNINET_ID 0x1000
++#define ZYXEL_OMNI_56K_PLUS_ID 0x1500
+ /* This one seems to be a re-branded ZyXEL device */
+ #define BT_IGNITIONPRO_ID 0x2000
+
+@@ -40,6 +41,7 @@ static void omninet_port_remove(struct u
+
+ static const struct usb_device_id id_table[] = {
+ { USB_DEVICE(ZYXEL_VENDOR_ID, ZYXEL_OMNINET_ID) },
++ { USB_DEVICE(ZYXEL_VENDOR_ID, ZYXEL_OMNI_56K_PLUS_ID) },
+ { USB_DEVICE(ZYXEL_VENDOR_ID, BT_IGNITIONPRO_ID) },
+ { } /* Terminating entry */
+ };
diff --git a/queue-5.12/usb-serial-quatech2-fix-control-request-directions.patch b/queue-5.12/usb-serial-quatech2-fix-control-request-directions.patch
new file mode 100644
index 00000000000..07715a1187a
--- /dev/null
+++ b/queue-5.12/usb-serial-quatech2-fix-control-request-directions.patch
@@ -0,0 +1,52 @@
+From eb8dbe80326c3d44c1e38ee4f40e0d8d3e06f2d0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 24 May 2021 11:17:05 +0200
+Subject: USB: serial: quatech2: fix control-request directions
+
+From: Johan Hovold
+
+commit eb8dbe80326c3d44c1e38ee4f40e0d8d3e06f2d0 upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Fix the three requests which erroneously used usb_rcvctrlpipe().
+
+Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
+Cc: stable@vger.kernel.org # 3.5
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/quatech2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/serial/quatech2.c
++++ b/drivers/usb/serial/quatech2.c
+@@ -416,7 +416,7 @@ static void qt2_close(struct usb_serial_
+
+ /* flush the port transmit buffer */
+ i = usb_control_msg(serial->dev,
+- usb_rcvctrlpipe(serial->dev, 0),
++ usb_sndctrlpipe(serial->dev, 0),
+ QT2_FLUSH_DEVICE, 0x40, 1,
+ port_priv->device_port, NULL, 0, QT2_USB_TIMEOUT);
+
+@@ -426,7 +426,7 @@ static void qt2_close(struct usb_serial_
+
+ /* flush the port receive buffer */
+ i = usb_control_msg(serial->dev,
+- usb_rcvctrlpipe(serial->dev, 0),
++ usb_sndctrlpipe(serial->dev, 0),
+ QT2_FLUSH_DEVICE, 0x40, 0,
+ port_priv->device_port, NULL, 0, QT2_USB_TIMEOUT);
+
+@@ -654,7 +654,7 @@ static int qt2_attach(struct usb_serial
+ int status;
+
+ /* power on unit */
+- status = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0),
++ status = usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
+ 0xc2, 0x40, 0x8000, 0, NULL, 0,
+ QT2_USB_TIMEOUT);
+ if (status < 0) {
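Review bot: The three corrected calls still pass the request type as the literal `0x40`, which is what kept the direction mismatch with `usb_rcvctrlpipe()` hard to see. Writing it as `USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT` in both flush requests of qt2_close and in the power-on request of qt2_attach would put the direction bit next to `usb_sndctrlpipe()`, where the two can be compared at a glance. The `0xc2` request code in qt2_attach would likewise read better as a named constant; the driver's other definitions are outside these hunks, so one may already exist.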
diff --git a/queue-5.12/usb-typec-intel_pmc_mux-add-missed-error-check-for-devm_ioremap_resource.patch b/queue-5.12/usb-typec-intel_pmc_mux-add-missed-error-check-for-devm_ioremap_resource.patch
new file mode 100644
index 00000000000..4a87ea61d83
--- /dev/null
+++ b/queue-5.12/usb-typec-intel_pmc_mux-add-missed-error-check-for-devm_ioremap_resource.patch
@@ -0,0 +1,35 @@
+From 843fabdd7623271330af07f1b7fbd7fabe33c8de Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko
+Date: Mon, 7 Jun 2021 23:50:06 +0300
+Subject: usb: typec: intel_pmc_mux: Add missed error check for devm_ioremap_resource()
+
+From: Andy Shevchenko
+
+commit 843fabdd7623271330af07f1b7fbd7fabe33c8de upstream.
+
+devm_ioremap_resource() can return an error, add missed check for it.
+
+Fixes: 43d596e32276 ("usb: typec: intel_pmc_mux: Check the port status before connect")
+Reviewed-by: Heikki Krogerus
+Signed-off-by: Andy Shevchenko
+Cc: stable
+Link: https://lore.kernel.org/r/20210607205007.71458-2-andy.shevchenko@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/mux/intel_pmc_mux.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/typec/mux/intel_pmc_mux.c
++++ b/drivers/usb/typec/mux/intel_pmc_mux.c
+@@ -586,6 +586,11 @@ static int pmc_usb_probe_iom(struct pmc_
+ return -ENOMEM;
+ }
+
++ if (IS_ERR(pmc->iom_base)) {
++ put_device(&adev->dev);
++ return PTR_ERR(pmc->iom_base);
++ }
++
+ pmc->iom_adev = adev;
+
+ return 0;
diff --git a/queue-5.12/usb-typec-intel_pmc_mux-put-fwnode-in-error-case-during-probe.patch b/queue-5.12/usb-typec-intel_pmc_mux-put-fwnode-in-error-case-during-probe.patch
new file mode 100644
index 00000000000..d7e1b300a04
--- /dev/null
+++ b/queue-5.12/usb-typec-intel_pmc_mux-put-fwnode-in-error-case-during-probe.patch
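Review bot: The added `IS_ERR(pmc->iom_base)` check sits directly after an existing block that ends in `return -ENOMEM;`, which from its visible tail looks like a NULL test on the same pointer. devm_ioremap_resource() reports failure with an ERR_PTR rather than NULL, so that earlier block is probably unreachable and the two could be reduced to the single IS_ERR() check. If the earlier test guards something else, a comment saying what would help. The start of pmc_usb_probe_iom is outside the hunk, so this needs confirming against the full function.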
@@ -0,0 +1,37 @@
+From 1a85b350a7741776a406005b943e3dec02c424ed Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko
+Date: Mon, 7 Jun 2021 23:50:05 +0300
+Subject: usb: typec: intel_pmc_mux: Put fwnode in error case during ->probe()
+
+From: Andy Shevchenko
+
+commit 1a85b350a7741776a406005b943e3dec02c424ed upstream.
+
+device_get_next_child_node() bumps a reference counting of a returned variable.
+We have to balance it whenever we return to the caller.
+
+Fixes: 6701adfa9693 ("usb: typec: driver for Intel PMC mux control")
+Cc: Heikki Krogerus
+Reviewed-by: Heikki Krogerus
+Signed-off-by: Andy Shevchenko
+Cc: stable
+Link: https://lore.kernel.org/r/20210607205007.71458-1-andy.shevchenko@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/mux/intel_pmc_mux.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/mux/intel_pmc_mux.c
++++ b/drivers/usb/typec/mux/intel_pmc_mux.c
+@@ -636,8 +636,10 @@ static int pmc_usb_probe(struct platform
+ break;
+
+ ret = pmc_usb_register_port(pmc, i, fwnode);
+- if (ret)
++ if (ret) {
++ fwnode_handle_put(fwnode);
+ goto err_remove_ports;
++ }
+ }
+
+ platform_set_drvdata(pdev, pmc);
diff --git a/queue-5.12/usb-typec-tcpm-cancel-frs-hrtimer-when-unregister-tcpm-port.patch b/queue-5.12/usb-typec-tcpm-cancel-frs-hrtimer-when-unregister-tcpm-port.patch
new file mode 100644
index 00000000000..25aa7a05d49
--- /dev/null
+++ b/queue-5.12/usb-typec-tcpm-cancel-frs-hrtimer-when-unregister-tcpm-port.patch
@@ -0,0 +1,32 @@
+From 7ade4805e296c8d1e40c842395bbe478c7210555 Mon Sep 17 00:00:00 2001
+From: Li Jun
+Date: Wed, 2 Jun 2021 17:57:08 +0800
+Subject: usb: typec: tcpm: cancel frs hrtimer when unregister tcpm port
+
+From: Li Jun
+
+commit 7ade4805e296c8d1e40c842395bbe478c7210555 upstream.
+
+Like the state_machine_timer, we should also cancel possible pending
+frs hrtimer when unregister tcpm port.
+
+Fixes: 8dc4bd073663 ("usb: typec: tcpm: Add support for Sink Fast Role SWAP(FRS)")
+Cc: stable
+Reviewed-by: Guenter Roeck
+Signed-off-by: Li Jun
+Link: https://lore.kernel.org/r/1622627829-11070-2-git-send-email-jun.li@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/tcpm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -6228,6 +6228,7 @@ void tcpm_unregister_port(struct tcpm_po
+ {
+ int i;
+
++ hrtimer_cancel(&port->enable_frs_timer);
+ hrtimer_cancel(&port->vdm_state_machine_timer);
+ hrtimer_cancel(&port->state_machine_timer);
+
diff --git a/queue-5.12/usb-typec-tcpm-cancel-vdm-and-state-machine-hrtimer-when-unregister-tcpm-port.patch b/queue-5.12/usb-typec-tcpm-cancel-vdm-and-state-machine-hrtimer-when-unregister-tcpm-port.patch
new file mode 100644
index 00000000000..6ce717ccc6d
--- /dev/null
+++ b/queue-5.12/usb-typec-tcpm-cancel-vdm-and-state-machine-hrtimer-when-unregister-tcpm-port.patch
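Review bot: The `hrtimer_cancel()` calls are the first statements of tcpm_unregister_port, ahead of the rest of the teardown, and nothing in the hunk prevents a timer from being armed again after it has been cancelled. If any work item or callback that can still run is able to restart `enable_frs_timer`, `vdm_state_machine_timer` or `state_machine_timer` (not visible here), the expiry-after-destroy crash quoted in the companion patch for the vdm and state-machine timers remains possible; that patch's hunk shows `tcpm_reset_port(port)` running after the cancels. Consider marking the port as unregistering before cancelling and having the code that arms the timers check that mark, or cancelling only once the worker has been stopped. The function body continues outside the hunk.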
@@ -0,0 +1,110 @@
+From 3a13ff7ef4349d70d1d18378d661117dd5af8efe Mon Sep 17 00:00:00 2001
+From: Li Jun
+Date: Wed, 2 Jun 2021 17:57:07 +0800
+Subject: usb: typec: tcpm: cancel vdm and state machine hrtimer when unregister tcpm port
+
+From: Li Jun
+
+commit 3a13ff7ef4349d70d1d18378d661117dd5af8efe upstream.
+
+A pending hrtimer may expire after the kthread_worker of tcpm port
+is destroyed, see below kernel dump when do module unload, fix it
+by cancel the 2 hrtimers.
+
+[ 111.517018] Unable to handle kernel paging request at virtual address ffff8000118cb880
+[ 111.518786] blk_update_request: I/O error, dev sda, sector 60061185 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
+[ 111.526594] Mem abort info:
+[ 111.526597] ESR = 0x96000047
+[ 111.526600] EC = 0x25: DABT (current EL), IL = 32 bits
+[ 111.526604] SET = 0, FnV = 0
+[ 111.526607] EA = 0, S1PTW = 0
+[ 111.526610] Data abort info:
+[ 111.526612] ISV = 0, ISS = 0x00000047
+[ 111.526615] CM = 0, WnR = 1
+[ 111.526619] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041d75000
+[ 111.526623] [ffff8000118cb880] pgd=10000001bffff003, p4d=10000001bffff003, pud=10000001bfffe003, pmd=10000001bfffa003, pte=0000000000000000
+[ 111.526642] Internal error: Oops: 96000047 [#1] PREEMPT SMP
+[ 111.526647] Modules linked in: dwc3_imx8mp dwc3 phy_fsl_imx8mq_usb [last unloaded: tcpci]
+[ 111.526663] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.13.0-rc4-00927-gebbe9dbd802c-dirty #36
+[ 111.526670] Hardware name: NXP i.MX8MPlus EVK board (DT)
+[ 111.526674] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO BTYPE=--)
+[ 111.526681] pc : queued_spin_lock_slowpath+0x1a0/0x390
+[ 111.526695] lr : _raw_spin_lock_irqsave+0x88/0xb4
+[ 111.526703] sp : ffff800010003e20
+[ 111.526706] x29: ffff800010003e20 x28: ffff00017f380180
+[ 111.537156] buffer_io_error: 6 callbacks suppressed
+[ 111.537162] Buffer I/O error on dev sda1, logical block 60040704, async page read
+[ 111.539932] x27: ffff00017f3801c0
+[ 111.539938] x26: ffff800010ba2490 x25: 0000000000000000 x24: 0000000000000001
+[ 111.543025] blk_update_request: I/O error, dev sda, sector 60061186 op 0x0:(READ) flags 0x0 phys_seg 7 prio class 0
+[ 111.548304]
+[ 111.548306] x23: 00000000000000c0 x22: ffff0000c2a9f184 x21: ffff00017f380180
+[ 111.551374] Buffer I/O error on dev sda1, logical block 60040705, async page read
+[ 111.554499]
+[ 111.554503] x20: ffff0000c5f14210 x19: 00000000000000c0 x18: 0000000000000000
+[ 111.557391] Buffer I/O error on dev sda1, logical block 60040706, async page read
+[ 111.561218]
+[ 111.561222] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
+[ 111.564205] Buffer I/O error on dev sda1, logical block 60040707, async page read
+[ 111.570887] x14: 00000000000000f5 x13: 0000000000000001 x12: 0000000000000040
+[ 111.570902] x11: ffff0000c05ac6d8
+[ 111.583420] Buffer I/O error on dev sda1, logical block 60040708, async page read
+[ 111.588978] x10: 0000000000000000 x9 : 0000000000040000
+[ 111.588988] x8 : 0000000000000000
+[ 111.597173] Buffer I/O error on dev sda1, logical block 60040709, async page read
+[ 111.605766] x7 : ffff00017f384880 x6 : ffff8000118cb880
+[ 111.605777] x5 : ffff00017f384880
+[ 111.611094] Buffer I/O error on dev sda1, logical block 60040710, async page read
+[ 111.617086] x4 : 0000000000000000 x3 : ffff0000c2a9f184
+[ 111.617096] x2 : ffff8000118cb880
+[ 111.622242] Buffer I/O error on dev sda1, logical block 60040711, async page read
+[ 111.626927] x1 : ffff8000118cb880 x0 : ffff00017f384888
+[ 111.626938] Call trace:
+[ 111.626942] queued_spin_lock_slowpath+0x1a0/0x390
+[ 111.795809] kthread_queue_work+0x30/0xc0
+[ 111.799828] state_machine_timer_handler+0x20/0x30
+[ 111.804624] __hrtimer_run_queues+0x140/0x1e0
+[ 111.808990] hrtimer_interrupt+0xec/0x2c0
+[ 111.813004] arch_timer_handler_phys+0x38/0x50
+[ 111.817456] handle_percpu_devid_irq+0x88/0x150
+[ 111.821991] __handle_domain_irq+0x80/0xe0
+[ 111.826093] gic_handle_irq+0xc0/0x140
+[ 111.829848] el1_irq+0xbc/0x154
+[ 111.832991] arch_cpu_idle+0x1c/0x2c
+[ 111.836572] default_idle_call+0x24/0x6c
+[ 111.840497] do_idle+0x238/0x2ac
+[ 111.843729] cpu_startup_entry+0x2c/0x70
+[ 111.847657] rest_init+0xdc/0xec
+[ 111.850890] arch_call_rest_init+0x14/0x20
+[ 111.854988] start_kernel+0x508/0x540
+[ 111.858659] Code: 910020e0 8b0200c2 f861d884 aa0203e1 (f8246827)
+[ 111.864760] ---[ end trace 308b9a4a3dcb73ac ]---
+[ 111.869381] Kernel panic - not syncing: Oops: Fatal exception in interrupt
+[ 111.876258] SMP: stopping secondary CPUs
+[ 111.880185] Kernel Offset: disabled
+[ 111.883673] CPU features: 0x00001001,20000846
+[ 111.888031] Memory Limit: none
+[ 111.891090] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---
+
+Fixes: 3ed8e1c2ac99 ("usb: typec: tcpm: Migrate workqueue to RT priority for processing events")
+Cc: stable
+Reviewed-by: Guenter Roeck
+Signed-off-by: Li Jun
+Link: https://lore.kernel.org/r/1622627829-11070-1-git-send-email-jun.li@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/tcpm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -6228,6 +6228,9 @@ void tcpm_unregister_port(struct tcpm_po
+ {
+ int i;
+
++ hrtimer_cancel(&port->vdm_state_machine_timer);
++ hrtimer_cancel(&port->state_machine_timer);
++
+ tcpm_reset_port(port);
+ for (i = 0; i < ARRAY_SIZE(port->port_altmode); i++)
+ typec_unregister_altmode(port->port_altmode[i]);
diff --git a/queue-5.12/usb-typec-tcpm-do-not-finish-vdm-ams-for-retrying-responses.patch b/queue-5.12/usb-typec-tcpm-do-not-finish-vdm-ams-for-retrying-responses.patch
new file mode 100644
index 00000000000..23db66be592
--- /dev/null
+++ b/queue-5.12/usb-typec-tcpm-do-not-finish-vdm-ams-for-retrying-responses.patch
@@ -0,0 +1,35 @@
+From 5ab14ab1f2db24ffae6c5c39a689660486962e6e Mon Sep 17 00:00:00 2001
+From: Kyle Tso
+Date: Sun, 6 Jun 2021 16:14:52 +0800
+Subject: usb: typec: tcpm: Do not finish VDM AMS for retrying Responses
+
+From: Kyle Tso
+
+commit 5ab14ab1f2db24ffae6c5c39a689660486962e6e upstream.
+
+If the VDM responses couldn't be sent successfully, it doesn't need to
+finish the AMS until the retry count reaches the limit.
+
+Fixes: 0908c5aca31e ("usb: typec: tcpm: AMS and Collision Avoidance")
+Reviewed-by: Guenter Roeck
+Cc: stable
+Acked-by: Heikki Krogerus
+Signed-off-by: Kyle Tso
+Link: https://lore.kernel.org/r/20210606081452.764032-1-kyletso@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/tcpm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -1917,6 +1917,9 @@ static void vdm_run_state_machine(struct
+ tcpm_log(port, "VDM Tx error, retry");
+ port->vdm_retries++;
+ port->vdm_state = VDM_STATE_READY;
++ if (PD_VDO_SVDM(vdo_hdr) && PD_VDO_CMDT(vdo_hdr) == CMDT_INIT)
++ tcpm_ams_finish(port);
++ } else {
+ tcpm_ams_finish(port);
+ }
+ break;
diff --git a/queue-5.12/usb-typec-tcpm-properly-handle-alert-and-status-messages.patch b/queue-5.12/usb-typec-tcpm-properly-handle-alert-and-status-messages.patch
new file mode 100644
index 00000000000..e0105215473
--- /dev/null
+++ b/queue-5.12/usb-typec-tcpm-properly-handle-alert-and-status-messages.patch
@@ -0,0 +1,125 @@
+From 063933f47a7af01650af9c4fbcc5831f1c4eb7d9 Mon Sep 17 00:00:00 2001
+From: Kyle Tso
+Date: Tue, 1 Jun 2021 00:49:28 +0800
+Subject: usb: typec: tcpm: Properly handle Alert and Status Messages
+
+From: Kyle Tso
+
+commit 063933f47a7af01650af9c4fbcc5831f1c4eb7d9 upstream.
+
+When receiving Alert Message, if it is not unexpected but is
+unsupported for some reason, the port should return Not_Supported
+Message response.
+
+Also, according to PD3.0 Spec 6.5.2.1.4 Event Flags Field, the
+OTP/OVP/OCP flags in the Event Flags field in Status Message no longer
+require Get_PPS_Status Message to clear them. Thus remove it when
+receiving Status Message with those flags being set.
+
+In addition, add the missing AMS operations for Status Message.
+
+Fixes: 64f7c494a3c0 ("typec: tcpm: Add support for sink PPS related messages")
+Fixes: 0908c5aca31e ("usb: typec: tcpm: AMS and Collision Avoidance")
+Signed-off-by: Kyle Tso
+Link: https://lore.kernel.org/r/20210531164928.2368606-1-kyletso@google.com
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/tcpm.c | 52 +++++++++++++++++++++--------------------
+ include/linux/usb/pd_ext_sdb.h | 4 ---
+ 2 files changed, 27 insertions(+), 29 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -2163,20 +2163,25 @@ static void tcpm_handle_alert(struct tcp
+
+ if (!type) {
+ tcpm_log(port, "Alert message received with no type");
++ tcpm_queue_message(port, PD_MSG_CTRL_NOT_SUPP);
+ return;
+ }
+
+ /* Just handling non-battery alerts for now */
+ if (!(type & USB_PD_ADO_TYPE_BATT_STATUS_CHANGE)) {
+- switch (port->state) {
+- case SRC_READY:
+- case SNK_READY:
++ if (port->pwr_role == TYPEC_SOURCE) {
++ port->upcoming_state = GET_STATUS_SEND;
++ tcpm_ams_start(port, GETTING_SOURCE_SINK_STATUS);
++ } else {
++ /*
++ * Do not check SinkTxOk here in case the Source doesn't set its Rp to
++ * SinkTxOk in time.
++ */
++ port->ams = GETTING_SOURCE_SINK_STATUS;
+ tcpm_set_state(port, GET_STATUS_SEND, 0);
+- break;
+- default:
+- tcpm_queue_message(port, PD_MSG_CTRL_WAIT);
+- break;
+ }
++ } else {
++ tcpm_queue_message(port, PD_MSG_CTRL_NOT_SUPP);
+ }
+ }
+
+@@ -2420,7 +2425,12 @@ static void tcpm_pd_data_request(struct
+ tcpm_pd_handle_state(port, BIST_RX, BIST, 0);
+ break;
+ case PD_DATA_ALERT:
+- tcpm_handle_alert(port, msg->payload, cnt);
++ if (port->state != SRC_READY && port->state != SNK_READY)
++ tcpm_pd_handle_state(port, port->pwr_role == TYPEC_SOURCE ?
++ SRC_SOFT_RESET_WAIT_SNK_TX : SNK_SOFT_RESET,
++ NONE_AMS, 0);
++ else
++ tcpm_handle_alert(port, msg->payload, cnt);
+ break;
+ case PD_DATA_BATT_STATUS:
+ case PD_DATA_GET_COUNTRY_INFO:
+@@ -2744,24 +2754,16 @@ static void tcpm_pd_ext_msg_request(stru
+
+ switch (type) {
+ case PD_EXT_STATUS:
+- /*
+- * If PPS related events raised then get PPS status to clear
+- * (see USB PD 3.0 Spec, 6.5.2.4)
+- */
+- if (msg->ext_msg.data[USB_PD_EXT_SDB_EVENT_FLAGS] &
+- USB_PD_EXT_SDB_PPS_EVENTS)
+- tcpm_pd_handle_state(port, GET_PPS_STATUS_SEND,
+- GETTING_SOURCE_SINK_STATUS, 0);
+-
+- else
+- tcpm_pd_handle_state(port, ready_state(port), NONE_AMS, 0);
+- break;
+ case PD_EXT_PPS_STATUS:
+- /*
+- * For now the PPS status message is used to clear events
+- * and nothing more.
+- */
+- tcpm_pd_handle_state(port, ready_state(port), NONE_AMS, 0);
++ if (port->ams == GETTING_SOURCE_SINK_STATUS) {
++ tcpm_ams_finish(port);
++ tcpm_set_state(port, ready_state(port), 0);
++ } else {
++ /* unexpected Status or PPS_Status Message */
++ tcpm_pd_handle_state(port, port->pwr_role == TYPEC_SOURCE ?
++ SRC_SOFT_RESET_WAIT_SNK_TX : SNK_SOFT_RESET,
++ NONE_AMS, 0);
++ }
+ break;
+ case PD_EXT_SOURCE_CAP_EXT:
+ case PD_EXT_GET_BATT_CAP:
+--- a/include/linux/usb/pd_ext_sdb.h
++++ b/include/linux/usb/pd_ext_sdb.h
+@@ -24,8 +24,4 @@ enum usb_pd_ext_sdb_fields {
+ #define USB_PD_EXT_SDB_EVENT_OVP BIT(3)
+ #define USB_PD_EXT_SDB_EVENT_CF_CV_MODE BIT(4)
+
+-#define USB_PD_EXT_SDB_PPS_EVENTS (USB_PD_EXT_SDB_EVENT_OCP | \
+- USB_PD_EXT_SDB_EVENT_OTP | \
+- USB_PD_EXT_SDB_EVENT_OVP)
+-
+ #endif /* __LINUX_USB_PD_EXT_SDB_H */
diff --git a/queue-5.12/usb-typec-ucsi-clear-ppm-capability-data-in-ucsi_init-error-path.patch b/queue-5.12/usb-typec-ucsi-clear-ppm-capability-data-in-ucsi_init-error-path.patch
new file mode 100644
index 00000000000..2c439443c12
--- /dev/null
+++ b/queue-5.12/usb-typec-ucsi-clear-ppm-capability-data-in-ucsi_init-error-path.patch
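Review bot: The expression `port->pwr_role == TYPEC_SOURCE ? SRC_SOFT_RESET_WAIT_SNK_TX : SNK_SOFT_RESET` is now written out twice, in the PD_DATA_ALERT case of tcpm_pd_data_request and in the unexpected-message branch of tcpm_pd_ext_msg_request. A small static helper in the style of the `ready_state()` call used nearby, returning the soft-reset state for the port's power role, would keep the two sites in step. Separately, the sink branch of tcpm_handle_alert assigns `port->ams` directly instead of calling `tcpm_ams_start()`; the comment gives the SinkTxOk reason, but it should also say whether the rest of what tcpm_ams_start() does is skipped on purpose, since that function is not visible here.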
@@ -0,0 +1,48 @@
+From f247f0a82a4f8c3bfed178d8fd9e069d1424ee4e Mon Sep 17 00:00:00 2001
+From: Mayank Rana
+Date: Wed, 9 Jun 2021 00:35:35 -0700
+Subject: usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path
+
+From: Mayank Rana
+
+commit f247f0a82a4f8c3bfed178d8fd9e069d1424ee4e upstream.
+
+If ucsi_init() fails for some reason (e.g. ucsi_register_port()
+fails or general communication failure to the PPM), particularly at
+any point after the GET_CAPABILITY command had been issued, this
+results in unwinding the initialization and returning an error.
+However the ucsi structure's ucsi_capability member retains its
+current value, including likely a non-zero num_connectors.
+And because ucsi_init() itself is done in a workqueue a UCSI
+interface driver will be unaware that it failed and may think the
+ucsi_register() call was completely successful. Later, if
+ucsi_unregister() is called, due to this stale ucsi->cap value it
+would try to access the items in the ucsi->connector array which
+might not be in a proper state or not even allocated at all and
+results in NULL or invalid pointer dereference.
+
+Fix this by clearing the ucsi->cap value to 0 during the error
+path of ucsi_init() in order to prevent a later ucsi_unregister()
+from entering the connector cleanup loop.
+
+Fixes: c1b0bc2dabfa ("usb: typec: Add support for UCSI interface")
+Cc: stable@vger.kernel.org
+Acked-by: Heikki Krogerus
+Signed-off-by: Mayank Rana
+Signed-off-by: Jack Pham
+Link: https://lore.kernel.org/r/20210609073535.5094-1-jackp@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/ucsi/ucsi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/typec/ucsi/ucsi.c
++++ b/drivers/usb/typec/ucsi/ucsi.c
+@@ -1253,6 +1253,7 @@ err_unregister:
+ }
+
+ err_reset:
++ memset(&ucsi->cap, 0, sizeof(ucsi->cap));
+ ucsi_reset_ppm(ucsi);
+ err:
+ return ret;
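Review bot: The added `memset(&ucsi->cap, 0, sizeof(ucsi->cap));` under `err_reset:` carries no comment, so the invariant it protects is recorded only in the commit message: a later ucsi_unregister() must see a zero num_connectors, otherwise it walks a ucsi->connector array that may be torn down or never allocated. I would put `/* Clear cap so a later ucsi_unregister() skips the connector cleanup loop. */` directly above it. The bare `err:` label below bypasses the memset. That is safe only if every `goto err` is taken before GET_CAPABILITY fills ucsi->cap, which cannot be confirmed here because ucsi_init() begins outside the hunk.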
diff --git a/queue-5.12/usb-typec-wcove-use-le-to-cpu-conversion-when-accessing-msg-header.patch b/queue-5.12/usb-typec-wcove-use-le-to-cpu-conversion-when-accessing-msg-header.patch
new file mode 100644
index 00000000000..20c2a507e19
--- /dev/null
+++ b/queue-5.12/usb-typec-wcove-use-le-to-cpu-conversion-when-accessing-msg-header.patch
@@ -0,0 +1,40 @@
+From d5ab95da2a41567440097c277c5771ad13928dad Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko
+Date: Wed, 9 Jun 2021 20:22:02 +0300
+Subject: usb: typec: wcove: Use LE to CPU conversion when accessing msg->header
+
+From: Andy Shevchenko
+
+commit d5ab95da2a41567440097c277c5771ad13928dad upstream.
+
+As LKP noticed the Sparse is not happy about strict type handling:
+ .../typec/tcpm/wcove.c:380:50: sparse: expected unsigned short [usertype] header
+ .../typec/tcpm/wcove.c:380:50: sparse: got restricted __le16 const [usertype] header
+
+Fix this by switching to use pd_header_cnt_le() instead of pd_header_cnt()
+in the affected code.
+
+Fixes: ae8a2ca8a221 ("usb: typec: Group all TCPCI/TCPM code together")
+Fixes: 3c4fb9f16921 ("usb: typec: wcove: start using tcpm for USB PD support")
+Reported-by: kernel test robot
+Reviewed-by: Heikki Krogerus
+Reviewed-by: Guenter Roeck
+Signed-off-by: Andy Shevchenko
+Link: https://lore.kernel.org/r/20210609172202.83377-1-andriy.shevchenko@linux.intel.com
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/wcove.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/tcpm/wcove.c
++++ b/drivers/usb/typec/tcpm/wcove.c
+@@ -378,7 +378,7 @@ static int wcove_pd_transmit(struct tcpc
+ const u8 *data = (void *)msg;
+ int i;
+
+- for (i = 0; i < pd_header_cnt_le(msg->header) * 4 + 2; i++) {
++ for (i = 0; i < pd_header_cnt_le(msg->header) * 4 + 2; i++) {
+ ret = regmap_write(wcove->regmap, USBC_TX_DATA + i,
+ data[i]);
+ if (ret)
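Review bot: The loop bound `pd_header_cnt_le(msg->header) * 4 + 2` in wcove_pd_transmit() is derived from the message header, is re-evaluated on every iteration, and leaves 4 and 2 as unexplained literals. Computing it once before the loop, e.g. `const int len = pd_header_cnt_le(msg->header) * 4 + 2; /* data objects * 4 bytes + 2-byte header */`, would make it easier to check that the reads of `data[i]` stay inside the message. Whether the object count is capped before this point is not visible, since the function starts and ends outside the hunk.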
diff --git a/queue-5.12/x86-lto-pass-stack-alignment-only-on-lld-13.0.0.patch b/queue-5.12/x86-lto-pass-stack-alignment-only-on-lld-13.0.0.patch
new file mode 100644
index 00000000000..d1b26e0d95a
--- /dev/null
+++ b/queue-5.12/x86-lto-pass-stack-alignment-only-on-lld-13.0.0.patch
@@ -0,0 +1,56 @@
+From 2398ce80152aae33b9501ef54452e09e8e8d4262 Mon Sep 17 00:00:00 2001
+From: Tor Vic
+Date: Thu, 10 Jun 2021 20:58:06 +0000
+Subject: x86, lto: Pass -stack-alignment only on LLD < 13.0.0
+
+From: Tor Vic
+
+commit 2398ce80152aae33b9501ef54452e09e8e8d4262 upstream.
+
+Since LLVM commit 3787ee4, the '-stack-alignment' flag has been dropped
+[1], leading to the following error message when building a LTO kernel
+with Clang-13 and LLD-13:
+
+ ld.lld: error: -plugin-opt=-: ld.lld: Unknown command line argument
+ '-stack-alignment=8'. Try 'ld.lld --help'
+ ld.lld: Did you mean '--stackrealign=8'?
+
+It also appears that the '-code-model' flag is not necessary anymore
+starting with LLVM-9 [2].
+
+Drop '-code-model' and make '-stack-alignment' conditional on LLD < 13.0.0.
+
+These flags were necessary because these flags were not encoded in the
+IR properly, so the link would restart optimizations without them. Now
+there are properly encoded in the IR, and these flags exposing
+implementation details are no longer necessary.
+
+[1] https://reviews.llvm.org/D103048
+[2] https://reviews.llvm.org/D52322
+
+Cc: stable@vger.kernel.org
+Link: https://github.com/ClangBuiltLinux/linux/issues/1377
+Signed-off-by: Tor Vic
+Reviewed-by: Nathan Chancellor
+Tested-by: Nathan Chancellor
+Signed-off-by: Kees Cook
+Link: https://lore.kernel.org/r/f2c018ee-5999-741e-58d4-e482d5246067@mailbox.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/Makefile | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -192,8 +192,9 @@ endif
+ KBUILD_LDFLAGS += -m elf_$(UTS_MACHINE)
+
+ ifdef CONFIG_LTO_CLANG
+-KBUILD_LDFLAGS += -plugin-opt=-code-model=kernel \
+- -plugin-opt=-stack-alignment=$(if $(CONFIG_X86_32),4,8)
++ifeq ($(shell test $(CONFIG_LLD_VERSION) -lt 130000; echo $$?),0)
++KBUILD_LDFLAGS += -plugin-opt=-stack-alignment=$(if $(CONFIG_X86_32),4,8)
++endif
+ endif
+
+ ifdef CONFIG_X86_NEED_RELOCS
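Review bot: The new `ifeq ($(shell test $(CONFIG_LLD_VERSION) -lt 130000; echo $$?),0)` line expands CONFIG_LLD_VERSION unquoted, so an empty value turns the command into `test -lt 130000`. That prints a shell error at parse time and silently leaves `-stack-alignment` off. On a linker older than 13.0.0 the commit message says the LTO link then restarts optimisation without the flag. The empty case is presumably unreachable while CONFIG_LTO_CLANG implies LLD, but that dependency is not visible in this hunk, so the assumption deserves a comment. I would add `# 130000 = LLD 13.0.0, which no longer accepts -stack-alignment (now encoded in the IR); CONFIG_LLD_VERSION is assumed non-empty under CONFIG_LTO_CLANG` above the `ifeq`.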