From: Greg Kroah-Hartman Date: Mon, 6 Dec 2021 09:20:02 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.4.294~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6986d4fea4f9b7a34dbaddb82b3bfdc2acbcaa82;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: parisc-fix-kbuild_image-for-self-extracting-kernel.patch parisc-fix-make-install-on-newer-debian-releases.patch parisc-mark-cr16-cpu-clocksource-unstable-on-all-smp-machines.patch serial-8250-fix-rts-modem-control-while-in-rs485-mode.patch serial-8250_pci-fix-acces-entries-in-pci_serial_quirks-array.patch serial-8250_pci-rewrite-pericom_do_set_divisor.patch serial-core-fix-transmit-buffer-reset-and-memleak.patch serial-liteuart-fix-minor-number-leak-on-probe-errors.patch serial-liteuart-fix-null-pointer-dereference-in-remove.patch serial-liteuart-fix-use-after-free-and-memleak-on-unbind.patch serial-pl011-add-acpi-sbsa-uart-match-id.patch serial-tegra-change-lower-tolerance-baud-rate-limit-for-tegra20-and-tegra30.patch tty-serial-msm_serial-deactivate-rx-dma-for-polling-support.patch usb-cdns3-gadget-fix-new-urb-never-complete-if-ep-cancel-previous-requests.patch usb-cdnsp-fix-a-null-pointer-dereference-in-cdnsp_endpoint_init.patch usb-no_lpm-quirk-lenovo-powered-usb-c-travel-hub.patch usb-typec-tcpm-wait-in-snk_debounced-until-disconnect.patch vgacon-propagate-console-boot-parameters-before-calling-vc_resize.patch x86-64-mm-map-all-kernel-memory-into-trampoline_pgd.patch x86-tsc-add-a-timer-to-make-sure-tsc_adjust-is-always-checked.patch x86-tsc-disable-clocksource-watchdog-for-tsc-on-qualified-platorms.patch xhci-fix-commad-ring-abort-write-all-64-bits-to-crcr-register.patch --- diff --git a/queue-5.15/parisc-fix-kbuild_image-for-self-extracting-kernel.patch b/queue-5.15/parisc-fix-kbuild_image-for-self-extracting-kernel.patch new file mode 100644 index 00000000000..0f3abb03c47 --- /dev/null +++ b/queue-5.15/parisc-fix-kbuild_image-for-self-extracting-kernel.patch @@ -0,0 +1,35 @@ +From 1d7c29b77725d05faff6754d2f5e7c147aedcf93 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Fri, 26 Nov 2021 22:35:45 +0100 +Subject: parisc: Fix KBUILD_IMAGE for self-extracting kernel + +From: Helge Deller + +commit 1d7c29b77725d05faff6754d2f5e7c147aedcf93 upstream. + +Default KBUILD_IMAGE to $(boot)/bzImage if a self-extracting +(CONFIG_PARISC_SELF_EXTRACT=y) kernel is to be built. +This fixes the bindeb-pkg make target. + +Signed-off-by: Helge Deller +Cc: # v4.14+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/Makefile | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/parisc/Makefile ++++ b/arch/parisc/Makefile +@@ -17,7 +17,12 @@ + # Mike Shaver, Helge Deller and Martin K. Petersen + # + ++ifdef CONFIG_PARISC_SELF_EXTRACT ++boot := arch/parisc/boot ++KBUILD_IMAGE := $(boot)/bzImage ++else + KBUILD_IMAGE := vmlinuz ++endif + + NM = sh $(srctree)/arch/parisc/nm + CHECKFLAGS += -D__hppa__=1 diff --git a/queue-5.15/parisc-fix-make-install-on-newer-debian-releases.patch b/queue-5.15/parisc-fix-make-install-on-newer-debian-releases.patch new file mode 100644 index 00000000000..2d5d020482e --- /dev/null +++ b/queue-5.15/parisc-fix-make-install-on-newer-debian-releases.patch @@ -0,0 +1,30 @@ +From 0f9fee4cdebfbe695c297e5b603a275e2557c1cc Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 4 Dec 2021 21:14:40 +0100 +Subject: parisc: Fix "make install" on newer debian releases + +From: Helge Deller + +commit 0f9fee4cdebfbe695c297e5b603a275e2557c1cc upstream. + +On newer debian releases the debian-provided "installkernel" script is +installed in /usr/sbin. Fix the kernel install.sh script to look for the +script in this directory as well. + +Signed-off-by: Helge Deller +Cc: # v3.13+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/install.sh | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/parisc/install.sh ++++ b/arch/parisc/install.sh +@@ -39,6 +39,7 @@ verify "$3" + if [ -n "${INSTALLKERNEL}" ]; then + if [ -x ~/bin/${INSTALLKERNEL} ]; then exec ~/bin/${INSTALLKERNEL} "$@"; fi + if [ -x /sbin/${INSTALLKERNEL} ]; then exec /sbin/${INSTALLKERNEL} "$@"; fi ++ if [ -x /usr/sbin/${INSTALLKERNEL} ]; then exec /usr/sbin/${INSTALLKERNEL} "$@"; fi + fi + + # Default install diff --git a/queue-5.15/parisc-mark-cr16-cpu-clocksource-unstable-on-all-smp-machines.patch b/queue-5.15/parisc-mark-cr16-cpu-clocksource-unstable-on-all-smp-machines.patch new file mode 100644 index 00000000000..78820fd3484 --- /dev/null +++ b/queue-5.15/parisc-mark-cr16-cpu-clocksource-unstable-on-all-smp-machines.patch @@ -0,0 +1,69 @@ +From afdb4a5b1d340e4afffc65daa21cc71890d7d589 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 4 Dec 2021 21:21:46 +0100 +Subject: parisc: Mark cr16 CPU clocksource unstable on all SMP machines + +From: Helge Deller + +commit afdb4a5b1d340e4afffc65daa21cc71890d7d589 upstream. + +In commit c8c3735997a3 ("parisc: Enhance detection of synchronous cr16 +clocksources") I assumed that CPUs on the same physical core are syncronous. +While booting up the kernel on two different C8000 machines, one with a +dual-core PA8800 and one with a dual-core PA8900 CPU, this turned out to be +wrong. The symptom was that I saw a jump in the internal clocks printed to the +syslog and strange overall behaviour. On machines which have 4 cores (2 +dual-cores) the problem isn't visible, because the current logic already marked +the cr16 clocksource unstable in this case. + +This patch now marks the cr16 interval timers unstable if we have more than one +CPU in the system, and it fixes this issue. + +Fixes: c8c3735997a3 ("parisc: Enhance detection of synchronous cr16 clocksources") +Signed-off-by: Helge Deller +Cc: # v5.15+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/time.c | 28 +++++++--------------------- + 1 file changed, 7 insertions(+), 21 deletions(-) + +--- a/arch/parisc/kernel/time.c ++++ b/arch/parisc/kernel/time.c +@@ -249,30 +249,16 @@ void __init time_init(void) + static int __init init_cr16_clocksource(void) + { + /* +- * The cr16 interval timers are not syncronized across CPUs on +- * different sockets, so mark them unstable and lower rating on +- * multi-socket SMP systems. ++ * The cr16 interval timers are not syncronized across CPUs, even if ++ * they share the same socket. + */ + if (num_online_cpus() > 1 && !running_on_qemu) { +- int cpu; +- unsigned long cpu0_loc; +- cpu0_loc = per_cpu(cpu_data, 0).cpu_loc; ++ /* mark sched_clock unstable */ ++ clear_sched_clock_stable(); + +- for_each_online_cpu(cpu) { +- if (cpu == 0) +- continue; +- if ((cpu0_loc != 0) && +- (cpu0_loc == per_cpu(cpu_data, cpu).cpu_loc)) +- continue; +- +- /* mark sched_clock unstable */ +- clear_sched_clock_stable(); +- +- clocksource_cr16.name = "cr16_unstable"; +- clocksource_cr16.flags = CLOCK_SOURCE_UNSTABLE; +- clocksource_cr16.rating = 0; +- break; +- } ++ clocksource_cr16.name = "cr16_unstable"; ++ clocksource_cr16.flags = CLOCK_SOURCE_UNSTABLE; ++ clocksource_cr16.rating = 0; + } + + /* register at clocksource framework */ diff --git a/queue-5.15/serial-8250-fix-rts-modem-control-while-in-rs485-mode.patch b/queue-5.15/serial-8250-fix-rts-modem-control-while-in-rs485-mode.patch new file mode 100644 index 00000000000..0a8c77032bc --- /dev/null +++ b/queue-5.15/serial-8250-fix-rts-modem-control-while-in-rs485-mode.patch @@ -0,0 +1,101 @@ +From f85e04503f369b3f2be28c83fc48b74e19936ebc Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Mon, 22 Nov 2021 16:58:24 +0100 +Subject: serial: 8250: Fix RTS modem control while in rs485 mode + +From: Lukas Wunner + +commit f85e04503f369b3f2be28c83fc48b74e19936ebc upstream. + +Commit f45709df7731 ("serial: 8250: Don't touch RTS modem control while +in rs485 mode") sought to prevent user space from interfering with rs485 +communication by ignoring a TIOCMSET ioctl() which changes RTS polarity. + +It did so in serial8250_do_set_mctrl(), which turns out to be too deep +in the call stack: When a uart_port is opened, RTS polarity is set by +the rs485-aware function uart_port_dtr_rts(). It calls down to +serial8250_do_set_mctrl() and that particular RTS polarity change should +*not* be ignored. + +The user-visible result is that on 8250_omap ports which use rs485 with +inverse polarity (RTS bit in MCR register is 1 to receive, 0 to send), +a newly opened port initially sets up RTS for sending instead of +receiving. That's because omap_8250_startup() sets the cached value +up->mcr to 0 and omap_8250_restore_regs() subsequently writes it to the +MCR register. Due to the commit, serial8250_do_set_mctrl() preserves +that incorrect register value: + +do_sys_openat2 + do_filp_open + path_openat + vfs_open + do_dentry_open + chrdev_open + tty_open + uart_open + tty_port_open + uart_port_activate + uart_startup + uart_port_startup + serial8250_startup + omap_8250_startup # up->mcr = 0 + uart_change_speed + serial8250_set_termios + omap_8250_set_termios + omap_8250_restore_regs + serial8250_out_MCR # up->mcr written + tty_port_block_til_ready + uart_dtr_rts + uart_port_dtr_rts + serial8250_set_mctrl + omap8250_set_mctrl + serial8250_do_set_mctrl # mcr[1] = 1 ignored + +Fix by intercepting RTS changes from user space in uart_tiocmset() +instead. + +Link: https://lore.kernel.org/linux-serial/20211027111644.1996921-1-baocheng.su@siemens.com/ +Fixes: f45709df7731 ("serial: 8250: Don't touch RTS modem control while in rs485 mode") +Cc: Chao Zeng +Cc: stable@vger.kernel.org # v5.7+ +Reported-by: Su Bao Cheng +Reported-by: Jan Kiszka +Tested-by: Su Bao Cheng +Signed-off-by: Lukas Wunner +Link: https://lore.kernel.org/r/21170e622a1aaf842a50b32146008b5374b3dd1d.1637596432.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_port.c | 7 ------- + drivers/tty/serial/serial_core.c | 5 +++++ + 2 files changed, 5 insertions(+), 7 deletions(-) + +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2024,13 +2024,6 @@ void serial8250_do_set_mctrl(struct uart + struct uart_8250_port *up = up_to_u8250p(port); + unsigned char mcr; + +- if (port->rs485.flags & SER_RS485_ENABLED) { +- if (serial8250_in_MCR(up) & UART_MCR_RTS) +- mctrl |= TIOCM_RTS; +- else +- mctrl &= ~TIOCM_RTS; +- } +- + mcr = serial8250_TIOCM_to_MCR(mctrl); + + mcr = (mcr & up->mcr_mask) | up->mcr_force | up->mcr; +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -1075,6 +1075,11 @@ uart_tiocmset(struct tty_struct *tty, un + goto out; + + if (!tty_io_error(tty)) { ++ if (uport->rs485.flags & SER_RS485_ENABLED) { ++ set &= ~TIOCM_RTS; ++ clear &= ~TIOCM_RTS; ++ } ++ + uart_update_mctrl(uport, set, clear); + ret = 0; + } diff --git a/queue-5.15/serial-8250_pci-fix-acces-entries-in-pci_serial_quirks-array.patch b/queue-5.15/serial-8250_pci-fix-acces-entries-in-pci_serial_quirks-array.patch new file mode 100644 index 00000000000..a8c0f2cc2cf --- /dev/null +++ b/queue-5.15/serial-8250_pci-fix-acces-entries-in-pci_serial_quirks-array.patch @@ -0,0 +1,44 @@ +From c525c5d2437f93520388920baac6d9340c65d239 Mon Sep 17 00:00:00 2001 +From: Jay Dolan +Date: Mon, 22 Nov 2021 14:06:03 +0200 +Subject: serial: 8250_pci: Fix ACCES entries in pci_serial_quirks array + +From: Jay Dolan + +commit c525c5d2437f93520388920baac6d9340c65d239 upstream. + +Fix error in table for PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S that caused it +and PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4 to be missing their fourth port. + +Fixes: 78d3820b9bd3 ("serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup()") +Cc: stable +Signed-off-by: Jay Dolan +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20211122120604.3909-2-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_pci.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -2317,11 +2317,18 @@ static struct pci_serial_quirk pci_seria + .setup = pci_pericom_setup_four_at_eight, + }, + { +- .vendor = PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S, ++ .vendor = PCI_VENDOR_ID_ACCESIO, + .device = PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_pericom_setup_four_at_eight, ++ }, ++ { ++ .vendor = PCI_VENDOR_ID_ACCESIO, ++ .device = PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_pericom_setup_four_at_eight, + }, + { + .vendor = PCI_VENDOR_ID_ACCESIO, diff --git a/queue-5.15/serial-8250_pci-rewrite-pericom_do_set_divisor.patch b/queue-5.15/serial-8250_pci-rewrite-pericom_do_set_divisor.patch new file mode 100644 index 00000000000..156f3f5fb13 --- /dev/null +++ b/queue-5.15/serial-8250_pci-rewrite-pericom_do_set_divisor.patch @@ -0,0 +1,78 @@ +From bb1201d4b38ec67bd9a871cf86b0cc10f28b15b5 Mon Sep 17 00:00:00 2001 +From: Jay Dolan +Date: Mon, 22 Nov 2021 14:06:04 +0200 +Subject: serial: 8250_pci: rewrite pericom_do_set_divisor() + +From: Jay Dolan + +commit bb1201d4b38ec67bd9a871cf86b0cc10f28b15b5 upstream. + +Have pericom_do_set_divisor() use the uartclk instead of a hard coded +value to work with different speed crystals. Tested with 14.7456 and 24 +MHz crystals. + +Have pericom_do_set_divisor() always calculate the divisor rather than +call serial8250_do_set_divisor() for rates below baud_base. + +Do not write registers or call serial8250_do_set_divisor() if valid +divisors could not be found. + +Fixes: 6bf4e42f1d19 ("serial: 8250: Add support for higher baud rates to Pericom chips") +Cc: stable +Signed-off-by: Jay Dolan +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20211122120604.3909-3-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_pci.c | 30 +++++++++++++++++------------- + 1 file changed, 17 insertions(+), 13 deletions(-) + +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -1349,29 +1349,33 @@ pericom_do_set_divisor(struct uart_port + { + int scr; + int lcr; +- int actual_baud; +- int tolerance; + +- for (scr = 5 ; scr <= 15 ; scr++) { +- actual_baud = 921600 * 16 / scr; +- tolerance = actual_baud / 50; ++ for (scr = 16; scr > 4; scr--) { ++ unsigned int maxrate = port->uartclk / scr; ++ unsigned int divisor = max(maxrate / baud, 1U); ++ int delta = maxrate / divisor - baud; + +- if ((baud < actual_baud + tolerance) && +- (baud > actual_baud - tolerance)) { ++ if (baud > maxrate + baud / 50) ++ continue; + ++ if (delta > baud / 50) ++ divisor++; ++ ++ if (divisor > 0xffff) ++ continue; ++ ++ /* Update delta due to possible divisor change */ ++ delta = maxrate / divisor - baud; ++ if (abs(delta) < baud / 50) { + lcr = serial_port_in(port, UART_LCR); + serial_port_out(port, UART_LCR, lcr | 0x80); +- +- serial_port_out(port, UART_DLL, 1); +- serial_port_out(port, UART_DLM, 0); ++ serial_port_out(port, UART_DLL, divisor & 0xff); ++ serial_port_out(port, UART_DLM, divisor >> 8 & 0xff); + serial_port_out(port, 2, 16 - scr); + serial_port_out(port, UART_LCR, lcr); + return; +- } else if (baud > actual_baud) { +- break; + } + } +- serial8250_do_set_divisor(port, baud, quot, quot_frac); + } + static int pci_pericom_setup(struct serial_private *priv, + const struct pciserial_board *board, diff --git a/queue-5.15/serial-core-fix-transmit-buffer-reset-and-memleak.patch b/queue-5.15/serial-core-fix-transmit-buffer-reset-and-memleak.patch new file mode 100644 index 00000000000..06ad146bc4a --- /dev/null +++ b/queue-5.15/serial-core-fix-transmit-buffer-reset-and-memleak.patch @@ -0,0 +1,74 @@ +From 00de977f9e0aa9760d9a79d1e41ff780f74e3424 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 8 Nov 2021 09:54:31 +0100 +Subject: serial: core: fix transmit-buffer reset and memleak + +From: Johan Hovold + +commit 00de977f9e0aa9760d9a79d1e41ff780f74e3424 upstream. + +Commit 761ed4a94582 ("tty: serial_core: convert uart_close to use +tty_port_close") converted serial core to use tty_port_close() but +failed to notice that the transmit buffer still needs to be freed on +final close. + +Not freeing the transmit buffer means that the buffer is no longer +cleared on next open so that any ioctl() waiting for the buffer to drain +might wait indefinitely (e.g. on termios changes) or that stale data can +end up being transmitted in case tx is restarted. + +Furthermore, the buffer of any port that has been opened would leak on +driver unbind. + +Note that the port lock is held when clearing the buffer pointer due to +the ldisc race worked around by commit a5ba1d95e46e ("uart: fix race +between uart_put_char() and uart_shutdown()"). + +Also note that the tty-port shutdown() callback is not called for +console ports so it is not strictly necessary to free the buffer page +after releasing the lock (cf. d72402145ace ("tty/serial: do not free +trasnmit buffer page under port lock")). + +Link: https://lore.kernel.org/r/319321886d97c456203d5c6a576a5480d07c3478.1635781688.git.baruch@tkos.co.il +Fixes: 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close") +Cc: stable@vger.kernel.org # 4.9 +Cc: Rob Herring +Reported-by: Baruch Siach +Tested-by: Baruch Siach +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211108085431.12637-1-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/serial_core.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -1549,6 +1549,7 @@ static void uart_tty_port_shutdown(struc + { + struct uart_state *state = container_of(port, struct uart_state, port); + struct uart_port *uport = uart_port_check(state); ++ char *buf; + + /* + * At this point, we stop accepting input. To do this, we +@@ -1570,8 +1571,18 @@ static void uart_tty_port_shutdown(struc + */ + tty_port_set_suspended(port, 0); + +- uart_change_pm(state, UART_PM_STATE_OFF); ++ /* ++ * Free the transmit buffer. ++ */ ++ spin_lock_irq(&uport->lock); ++ buf = state->xmit.buf; ++ state->xmit.buf = NULL; ++ spin_unlock_irq(&uport->lock); ++ ++ if (buf) ++ free_page((unsigned long)buf); + ++ uart_change_pm(state, UART_PM_STATE_OFF); + } + + static void uart_wait_until_sent(struct tty_struct *tty, int timeout) diff --git a/queue-5.15/serial-liteuart-fix-minor-number-leak-on-probe-errors.patch b/queue-5.15/serial-liteuart-fix-minor-number-leak-on-probe-errors.patch new file mode 100644 index 00000000000..585534ea1e4 --- /dev/null +++ b/queue-5.15/serial-liteuart-fix-minor-number-leak-on-probe-errors.patch @@ -0,0 +1,58 @@ +From dd5e90b16cca8a697cbe17b72e2a5f49291cabb2 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 17 Nov 2021 11:05:11 +0100 +Subject: serial: liteuart: fix minor-number leak on probe errors + +From: Johan Hovold + +commit dd5e90b16cca8a697cbe17b72e2a5f49291cabb2 upstream. + +Make sure to release the allocated minor number before returning on +probe errors. + +Fixes: 1da81e5562fa ("drivers/tty/serial: add LiteUART driver") +Cc: stable@vger.kernel.org # 5.11 +Cc: Filip Kokosinski +Cc: Mateusz Holenko +Reviewed-by: Stafford Horne +Reviewed-by: Andy Shevchenko +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211117100512.5058-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/liteuart.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/tty/serial/liteuart.c ++++ b/drivers/tty/serial/liteuart.c +@@ -270,8 +270,10 @@ static int liteuart_probe(struct platfor + + /* get membase */ + port->membase = devm_platform_get_and_ioremap_resource(pdev, 0, NULL); +- if (IS_ERR(port->membase)) +- return PTR_ERR(port->membase); ++ if (IS_ERR(port->membase)) { ++ ret = PTR_ERR(port->membase); ++ goto err_erase_id; ++ } + + /* values not from device tree */ + port->dev = &pdev->dev; +@@ -287,7 +289,16 @@ static int liteuart_probe(struct platfor + + platform_set_drvdata(pdev, port); + +- return uart_add_one_port(&liteuart_driver, &uart->port); ++ ret = uart_add_one_port(&liteuart_driver, &uart->port); ++ if (ret) ++ goto err_erase_id; ++ ++ return 0; ++ ++err_erase_id: ++ xa_erase(&liteuart_array, uart->id); ++ ++ return ret; + } + + static int liteuart_remove(struct platform_device *pdev) diff --git a/queue-5.15/serial-liteuart-fix-null-pointer-dereference-in-remove.patch b/queue-5.15/serial-liteuart-fix-null-pointer-dereference-in-remove.patch new file mode 100644 index 00000000000..aa4ef9b3f67 --- /dev/null +++ b/queue-5.15/serial-liteuart-fix-null-pointer-dereference-in-remove.patch @@ -0,0 +1,33 @@ +From 0f55f89d98c8b3e12b4f55f71c127a173e29557c Mon Sep 17 00:00:00 2001 +From: Ilia Sergachev +Date: Mon, 15 Nov 2021 22:49:44 +0100 +Subject: serial: liteuart: Fix NULL pointer dereference in ->remove() + +From: Ilia Sergachev + +commit 0f55f89d98c8b3e12b4f55f71c127a173e29557c upstream. + +drvdata has to be set in _probe() - otherwise platform_get_drvdata() +causes null pointer dereference BUG in _remove(). + +Fixes: 1da81e5562fa ("drivers/tty/serial: add LiteUART driver") +Cc: stable +Reviewed-by: Johan Hovold +Signed-off-by: Ilia Sergachev +Link: https://lore.kernel.org/r/20211115224944.23f8c12b@dtkw +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/liteuart.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/tty/serial/liteuart.c ++++ b/drivers/tty/serial/liteuart.c +@@ -285,6 +285,8 @@ static int liteuart_probe(struct platfor + port->line = dev_id; + spin_lock_init(&port->lock); + ++ platform_set_drvdata(pdev, port); ++ + return uart_add_one_port(&liteuart_driver, &uart->port); + } + diff --git a/queue-5.15/serial-liteuart-fix-use-after-free-and-memleak-on-unbind.patch b/queue-5.15/serial-liteuart-fix-use-after-free-and-memleak-on-unbind.patch new file mode 100644 index 00000000000..1a58a527f07 --- /dev/null +++ b/queue-5.15/serial-liteuart-fix-use-after-free-and-memleak-on-unbind.patch @@ -0,0 +1,36 @@ +From 05f929b395dec8957b636ff14e66b277ed022ed9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 17 Nov 2021 11:05:10 +0100 +Subject: serial: liteuart: fix use-after-free and memleak on unbind + +From: Johan Hovold + +commit 05f929b395dec8957b636ff14e66b277ed022ed9 upstream. + +Deregister the port when unbinding the driver to prevent it from being +used after releasing the driver data and leaking memory allocated by +serial core. + +Fixes: 1da81e5562fa ("drivers/tty/serial: add LiteUART driver") +Cc: stable@vger.kernel.org # 5.11 +Cc: Filip Kokosinski +Cc: Mateusz Holenko +Reviewed-by: Stafford Horne +Reviewed-by: Andy Shevchenko +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211117100512.5058-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/liteuart.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/serial/liteuart.c ++++ b/drivers/tty/serial/liteuart.c +@@ -295,6 +295,7 @@ static int liteuart_remove(struct platfo + struct uart_port *port = platform_get_drvdata(pdev); + struct liteuart_port *uart = to_liteuart_port(port); + ++ uart_remove_one_port(&liteuart_driver, port); + xa_erase(&liteuart_array, uart->id); + + return 0; diff --git a/queue-5.15/serial-pl011-add-acpi-sbsa-uart-match-id.patch b/queue-5.15/serial-pl011-add-acpi-sbsa-uart-match-id.patch new file mode 100644 index 00000000000..8971c93d8f7 --- /dev/null +++ b/queue-5.15/serial-pl011-add-acpi-sbsa-uart-match-id.patch @@ -0,0 +1,40 @@ +From ac442a077acf9a6bf1db4320ec0c3f303be092b3 Mon Sep 17 00:00:00 2001 +From: Pierre Gondois +Date: Tue, 9 Nov 2021 17:22:48 +0000 +Subject: serial: pl011: Add ACPI SBSA UART match id + +From: Pierre Gondois + +commit ac442a077acf9a6bf1db4320ec0c3f303be092b3 upstream. + +The document 'ACPI for Arm Components 1.0' defines the following +_HID mappings: +-'Prime cell UART (PL011)': ARMH0011 +-'SBSA UART': ARMHB000 + +Use the sbsa-uart driver when a device is described with +the 'ARMHB000' _HID. + +Note: +PL011 devices currently use the sbsa-uart driver instead of the +uart-pl011 driver. Indeed, PL011 devices are not bound to a clock +in ACPI. It is not possible to change their baudrate. + +Cc: +Signed-off-by: Pierre Gondois +Link: https://lore.kernel.org/r/20211109172248.19061-1-Pierre.Gondois@arm.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/amba-pl011.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -2947,6 +2947,7 @@ MODULE_DEVICE_TABLE(of, sbsa_uart_of_mat + + static const struct acpi_device_id __maybe_unused sbsa_uart_acpi_match[] = { + { "ARMH0011", 0 }, ++ { "ARMHB000", 0 }, + {}, + }; + MODULE_DEVICE_TABLE(acpi, sbsa_uart_acpi_match); diff --git a/queue-5.15/serial-tegra-change-lower-tolerance-baud-rate-limit-for-tegra20-and-tegra30.patch b/queue-5.15/serial-tegra-change-lower-tolerance-baud-rate-limit-for-tegra20-and-tegra30.patch new file mode 100644 index 00000000000..068f593dbcc --- /dev/null +++ b/queue-5.15/serial-tegra-change-lower-tolerance-baud-rate-limit-for-tegra20-and-tegra30.patch @@ -0,0 +1,47 @@ +From b40de7469ef135161c80af0e8c462298cc5dac00 Mon Sep 17 00:00:00 2001 +From: Patrik John +Date: Tue, 23 Nov 2021 14:27:38 +0100 +Subject: serial: tegra: Change lower tolerance baud rate limit for tegra20 and tegra30 + +From: Patrik John + +commit b40de7469ef135161c80af0e8c462298cc5dac00 upstream. + +The current implementation uses 0 as lower limit for the baud rate +tolerance for tegra20 and tegra30 chips which causes isses on UART +initialization as soon as baud rate clock is lower than required even +when within the standard UART tolerance of +/- 4%. + +This fix aligns the implementation with the initial commit description +of +/- 4% tolerance for tegra chips other than tegra186 and +tegra194. + +Fixes: d781ec21bae6 ("serial: tegra: report clk rate errors") +Cc: stable +Signed-off-by: Patrik John +Link: https://lore.kernel.org/r/sig.19614244f8.20211123132737.88341-1-patrik.john@u-blox.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/serial-tegra.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/serial-tegra.c ++++ b/drivers/tty/serial/serial-tegra.c +@@ -1506,7 +1506,7 @@ static struct tegra_uart_chip_data tegra + .fifo_mode_enable_status = false, + .uart_max_port = 5, + .max_dma_burst_bytes = 4, +- .error_tolerance_low_range = 0, ++ .error_tolerance_low_range = -4, + .error_tolerance_high_range = 4, + }; + +@@ -1517,7 +1517,7 @@ static struct tegra_uart_chip_data tegra + .fifo_mode_enable_status = false, + .uart_max_port = 5, + .max_dma_burst_bytes = 4, +- .error_tolerance_low_range = 0, ++ .error_tolerance_low_range = -4, + .error_tolerance_high_range = 4, + }; + diff --git a/queue-5.15/series b/queue-5.15/series index de221934ed5..6083312be6e 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -182,3 +182,25 @@ net-mlx5e-rename-lro_timeout-to-packet_merge_timeout.patch net-mlx5e-rename-tir-lro-functions-to-tir-packet-mer.patch net-mlx5e-sync-tir-params-updates-against-concurrent.patch serial-8250_bcm7271-uart-errors-after-resuming-from-.patch +parisc-fix-kbuild_image-for-self-extracting-kernel.patch +parisc-fix-make-install-on-newer-debian-releases.patch +parisc-mark-cr16-cpu-clocksource-unstable-on-all-smp-machines.patch +vgacon-propagate-console-boot-parameters-before-calling-vc_resize.patch +xhci-fix-commad-ring-abort-write-all-64-bits-to-crcr-register.patch +usb-no_lpm-quirk-lenovo-powered-usb-c-travel-hub.patch +usb-typec-tcpm-wait-in-snk_debounced-until-disconnect.patch +usb-cdns3-gadget-fix-new-urb-never-complete-if-ep-cancel-previous-requests.patch +usb-cdnsp-fix-a-null-pointer-dereference-in-cdnsp_endpoint_init.patch +x86-tsc-add-a-timer-to-make-sure-tsc_adjust-is-always-checked.patch +x86-tsc-disable-clocksource-watchdog-for-tsc-on-qualified-platorms.patch +x86-64-mm-map-all-kernel-memory-into-trampoline_pgd.patch +tty-serial-msm_serial-deactivate-rx-dma-for-polling-support.patch +serial-pl011-add-acpi-sbsa-uart-match-id.patch +serial-tegra-change-lower-tolerance-baud-rate-limit-for-tegra20-and-tegra30.patch +serial-core-fix-transmit-buffer-reset-and-memleak.patch +serial-8250_pci-fix-acces-entries-in-pci_serial_quirks-array.patch +serial-8250_pci-rewrite-pericom_do_set_divisor.patch +serial-8250-fix-rts-modem-control-while-in-rs485-mode.patch +serial-liteuart-fix-null-pointer-dereference-in-remove.patch +serial-liteuart-fix-use-after-free-and-memleak-on-unbind.patch +serial-liteuart-fix-minor-number-leak-on-probe-errors.patch diff --git a/queue-5.15/tty-serial-msm_serial-deactivate-rx-dma-for-polling-support.patch b/queue-5.15/tty-serial-msm_serial-deactivate-rx-dma-for-polling-support.patch new file mode 100644 index 00000000000..dd6929431e7 --- /dev/null +++ b/queue-5.15/tty-serial-msm_serial-deactivate-rx-dma-for-polling-support.patch @@ -0,0 +1,55 @@ +From 7492ffc90fa126afb67d4392d56cb4134780194a Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Sat, 13 Nov 2021 13:10:50 +0100 +Subject: tty: serial: msm_serial: Deactivate RX DMA for polling support + +From: Sven Eckelmann + +commit 7492ffc90fa126afb67d4392d56cb4134780194a upstream. + +The CONSOLE_POLLING mode is used for tools like k(g)db. In this kind of +setup, it is often sharing a serial device with the normal system console. +This is usually no problem because the polling helpers can consume input +values directly (when in kgdb context) and the normal Linux handlers can +only consume new input values after kgdb switched back. + +This is not true anymore when RX DMA is enabled for UARTDM controllers. +Single input values can no longer be received correctly. Instead following +seems to happen: + +* on 1. input, some old input is read (continuously) +* on 2. input, two old inputs are read (continuously) +* on 3. input, three old input values are read (continuously) +* on 4. input, 4 previous inputs are received + +This repeats then for each group of 4 input values. + +This behavior changes slightly depending on what state the controller was +when the first input was received. But this makes working with kgdb +basically impossible because control messages are always corrupted when +kgdboc tries to parse them. + +RX DMA should therefore be off when CONSOLE_POLLING is enabled to avoid +these kind of problems. No such problem was noticed for TX DMA. + +Fixes: 99693945013a ("tty: serial: msm: Add RX DMA support") +Cc: stable@vger.kernel.org +Signed-off-by: Sven Eckelmann +Link: https://lore.kernel.org/r/20211113121050.7266-1-sven@narfation.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/msm_serial.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/tty/serial/msm_serial.c ++++ b/drivers/tty/serial/msm_serial.c +@@ -598,6 +598,9 @@ static void msm_start_rx_dma(struct msm_ + u32 val; + int ret; + ++ if (IS_ENABLED(CONFIG_CONSOLE_POLL)) ++ return; ++ + if (!dma->chan) + return; + diff --git a/queue-5.15/usb-cdns3-gadget-fix-new-urb-never-complete-if-ep-cancel-previous-requests.patch b/queue-5.15/usb-cdns3-gadget-fix-new-urb-never-complete-if-ep-cancel-previous-requests.patch new file mode 100644 index 00000000000..d3b6baa25cc --- /dev/null +++ b/queue-5.15/usb-cdns3-gadget-fix-new-urb-never-complete-if-ep-cancel-previous-requests.patch @@ -0,0 +1,95 @@ +From 387c2b6ba197c6df28e75359f7d892f7c8dec204 Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Tue, 30 Nov 2021 09:42:39 -0600 +Subject: usb: cdns3: gadget: fix new urb never complete if ep cancel previous requests + +From: Frank Li + +commit 387c2b6ba197c6df28e75359f7d892f7c8dec204 upstream. + +This issue was found at android12 MTP. +1. MTP submit many out urb request. +2. Cancel left requests (>20) when enough data get from host +3. Send ACK by IN endpoint. +4. MTP submit new out urb request. +5. 4's urb never complete. + +TRACE LOG: + +MtpServer-2157 [000] d..3 1287.150391: cdns3_ep_dequeue: ep1out: req: 00000000299e6836, req buff 000000009df42287, length: 0/16384 zsi, status: -115, trb: [start:87, end:87: virt addr 0x80004000ffd50420], flags:1 SID: 0 +MtpServer-2157 [000] d..3 1287.150410: cdns3_gadget_giveback: ep1out: req: 00000000299e6836, req buff 000000009df42287, length: 0/16384 zsi, status: -104, trb: [start:87, end:87: virt addr 0x80004000ffd50420], flags:0 SID: 0 +MtpServer-2157 [000] d..3 1287.150433: cdns3_ep_dequeue: ep1out: req: 0000000080b7bde6, req buff 000000009ed5c556, length: 0/16384 zsi, status: -115, trb: [start:88, end:88: virt addr 0x80004000ffd5042c], flags:1 SID: 0 +MtpServer-2157 [000] d..3 1287.150446: cdns3_gadget_giveback: ep1out: req: 0000000080b7bde6, req buff 000000009ed5c556, length: 0/16384 zsi, status: -104, trb: [start:88, end:88: virt addr 0x80004000ffd5042c], flags:0 SID: 0 + .... +MtpServer-2157 [000] d..1 1293.630410: cdns3_alloc_request: ep1out: req: 00000000afbccb7d, req buff 0000000000000000, length: 0/0 zsi, status: 0, trb: [start:0, end:0: virt addr (null)], flags:0 SID: 0 +MtpServer-2157 [000] d..2 1293.630421: cdns3_ep_queue: ep1out: req: 00000000afbccb7d, req buff 00000000871caf90, length: 0/512 zsi, status: -115, trb: [start:0, end:0: virt addr (null)], flags:0 SID: 0 +MtpServer-2157 [000] d..2 1293.630445: cdns3_wa1: WA1: ep1out set guard +MtpServer-2157 [000] d..2 1293.630450: cdns3_wa1: WA1: ep1out restore cycle bit +MtpServer-2157 [000] d..2 1293.630453: cdns3_prepare_trb: ep1out: trb 000000007317b3ee, dma buf: 0xffd5bc00, size: 512, burst: 128 ctrl: 0x00000424 (C=0, T=0, ISP, IOC, Normal) SID:0 LAST_SID:0 +MtpServer-2157 [000] d..2 1293.630460: cdns3_doorbell_epx: ep1out, ep_trbaddr ffd50414 + .... +irq/241-5b13000-2154 [000] d..1 1293.680849: cdns3_epx_irq: IRQ for ep1out: 01000408 ISP , ep_traddr: ffd508ac ep_last_sid: 00000000 use_streams: 0 +irq/241-5b13000-2154 [000] d..1 1293.680858: cdns3_complete_trb: ep1out: trb 0000000021a11b54, dma buf: 0xffd50420, size: 16384, burst: 128 ctrl: 0x00001810 (C=0, T=0, CHAIN, LINK) SID:0 LAST_SID:0 +irq/241-5b13000-2154 [000] d..1 1293.680865: cdns3_request_handled: Req: 00000000afbccb7d not handled, DMA pos: 185, ep deq: 88, ep enq: 185, start trb: 184, end trb: 184 + +Actually DMA pos already bigger than previous submit request afbccb7d's TRB (184-184). The reason of (not handled) is that deq position is wrong. + +The TRB link is below when irq happen. + + DEQ LINK LINK LINK LINK LINK .... TRB(afbccb7d):START DMA(EP_TRADDR). + +Original code check LINK TRB, but DEQ just move one step. + + LINK DEQ LINK LINK LINK LINK .... TRB(afbccb7d):START DMA(EP_TRADDR). + +This patch skip all LINK TRB and sync DEQ to trb's start. + + LINK LINK LINK LINK LINK .... DEQ = TRB(afbccb7d):START DMA(EP_TRADDR). + +Acked-by: Peter Chen +Cc: stable +Signed-off-by: Frank Li +Signed-off-by: Jun Li +Link: https://lore.kernel.org/r/20211130154239.8029-1-Frank.Li@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/cdns3-gadget.c | 20 ++++---------------- + 1 file changed, 4 insertions(+), 16 deletions(-) + +--- a/drivers/usb/cdns3/cdns3-gadget.c ++++ b/drivers/usb/cdns3/cdns3-gadget.c +@@ -337,19 +337,6 @@ static void cdns3_ep_inc_deq(struct cdns + cdns3_ep_inc_trb(&priv_ep->dequeue, &priv_ep->ccs, priv_ep->num_trbs); + } + +-static void cdns3_move_deq_to_next_trb(struct cdns3_request *priv_req) +-{ +- struct cdns3_endpoint *priv_ep = priv_req->priv_ep; +- int current_trb = priv_req->start_trb; +- +- while (current_trb != priv_req->end_trb) { +- cdns3_ep_inc_deq(priv_ep); +- current_trb = priv_ep->dequeue; +- } +- +- cdns3_ep_inc_deq(priv_ep); +-} +- + /** + * cdns3_allow_enable_l1 - enable/disable permits to transition to L1. + * @priv_dev: Extended gadget object +@@ -1517,10 +1504,11 @@ static void cdns3_transfer_completed(str + + trb = priv_ep->trb_pool + priv_ep->dequeue; + +- /* Request was dequeued and TRB was changed to TRB_LINK. */ +- if (TRB_FIELD_TO_TYPE(le32_to_cpu(trb->control)) == TRB_LINK) { ++ /* The TRB was changed as link TRB, and the request was handled at ep_dequeue */ ++ while (TRB_FIELD_TO_TYPE(le32_to_cpu(trb->control)) == TRB_LINK) { + trace_cdns3_complete_trb(priv_ep, trb); +- cdns3_move_deq_to_next_trb(priv_req); ++ cdns3_ep_inc_deq(priv_ep); ++ trb = priv_ep->trb_pool + priv_ep->dequeue; + } + + if (!request->stream_id) { diff --git a/queue-5.15/usb-cdnsp-fix-a-null-pointer-dereference-in-cdnsp_endpoint_init.patch b/queue-5.15/usb-cdnsp-fix-a-null-pointer-dereference-in-cdnsp_endpoint_init.patch new file mode 100644 index 00000000000..f169c90ae95 --- /dev/null +++ b/queue-5.15/usb-cdnsp-fix-a-null-pointer-dereference-in-cdnsp_endpoint_init.patch @@ -0,0 +1,51 @@ +From 37307f7020ab38dde0892a578249bf63d00bca64 Mon Sep 17 00:00:00 2001 +From: Zhou Qingyang +Date: Wed, 1 Dec 2021 01:27:00 +0800 +Subject: usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init() + +From: Zhou Qingyang + +commit 37307f7020ab38dde0892a578249bf63d00bca64 upstream. + +In cdnsp_endpoint_init(), cdnsp_ring_alloc() is assigned to pep->ring +and there is a dereference of it in cdnsp_endpoint_init(), which could +lead to a NULL pointer dereference on failure of cdnsp_ring_alloc(). + +Fix this bug by adding a check of pep->ring. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_USB_CDNSP_GADGET=y show no new warnings, +and our static analyzer no longer warns about this code. + +Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") +Cc: stable +Acked-by: Pawel Laszczak +Acked-by: Peter Chen +Signed-off-by: Zhou Qingyang +Link: https://lore.kernel.org/r/20211130172700.206650-1-zhou1615@umn.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/cdnsp-mem.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/cdns3/cdnsp-mem.c ++++ b/drivers/usb/cdns3/cdnsp-mem.c +@@ -987,6 +987,9 @@ int cdnsp_endpoint_init(struct cdnsp_dev + + /* Set up the endpoint ring. */ + pep->ring = cdnsp_ring_alloc(pdev, 2, ring_type, max_packet, mem_flags); ++ if (!pep->ring) ++ return -ENOMEM; ++ + pep->skip = false; + + /* Fill the endpoint context */ diff --git a/queue-5.15/usb-no_lpm-quirk-lenovo-powered-usb-c-travel-hub.patch b/queue-5.15/usb-no_lpm-quirk-lenovo-powered-usb-c-travel-hub.patch new file mode 100644 index 00000000000..5937c0e49b1 --- /dev/null +++ b/queue-5.15/usb-no_lpm-quirk-lenovo-powered-usb-c-travel-hub.patch @@ -0,0 +1,34 @@ +From d2a004037c3c6afd36d40c384d2905f47cd51c57 Mon Sep 17 00:00:00 2001 +From: Ole Ernst +Date: Sat, 27 Nov 2021 10:05:45 +0100 +Subject: USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub + +From: Ole Ernst + +commit d2a004037c3c6afd36d40c384d2905f47cd51c57 upstream. + +This is another branded 8153 device that doesn't work well with LPM: +r8152 2-2.1:1.0 enp0s13f0u2u1: Stop submitting intr, status -71 + +Disable LPM to resolve the issue. + +Signed-off-by: Ole Ernst +Cc: stable +Link: https://lore.kernel.org/r/20211127090546.52072-1-olebowle@gmx.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -434,6 +434,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x1532, 0x0116), .driver_info = + USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL }, + ++ /* Lenovo Powered USB-C Travel Hub (4X90S92381, RTL8153 GigE) */ ++ { USB_DEVICE(0x17ef, 0x721e), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* Lenovo ThinkCenter A630Z TI024Gen3 usb-audio */ + { USB_DEVICE(0x17ef, 0xa012), .driver_info = + USB_QUIRK_DISCONNECT_SUSPEND }, diff --git a/queue-5.15/usb-typec-tcpm-wait-in-snk_debounced-until-disconnect.patch b/queue-5.15/usb-typec-tcpm-wait-in-snk_debounced-until-disconnect.patch new file mode 100644 index 00000000000..88f3a12a4d0 --- /dev/null +++ b/queue-5.15/usb-typec-tcpm-wait-in-snk_debounced-until-disconnect.patch @@ -0,0 +1,82 @@ +From fbcd13df1e78eb2ba83a3c160eefe2d6f574beaf Mon Sep 17 00:00:00 2001 +From: Badhri Jagan Sridharan +Date: Mon, 29 Nov 2021 16:18:25 -0800 +Subject: usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect + +From: Badhri Jagan Sridharan + +commit fbcd13df1e78eb2ba83a3c160eefe2d6f574beaf upstream. + +Stub from the spec: +"4.5.2.2.4.2 Exiting from AttachWait.SNK State +A Sink shall transition to Unattached.SNK when the state of both +the CC1 and CC2 pins is SNK.Open for at least tPDDebounce. +A DRP shall transition to Unattached.SRC when the state of both +the CC1 and CC2 pins is SNK.Open for at least tPDDebounce." + +This change makes TCPM to wait in SNK_DEBOUNCED state until +CC1 and CC2 pins is SNK.Open for at least tPDDebounce. Previously, +TCPM resets the port if vbus is not present in PD_T_PS_SOURCE_ON. +This causes TCPM to loop continuously when connected to a +faulty power source that does not present vbus. Waiting in +SNK_DEBOUNCED also ensures that TCPM is adherant to +"4.5.2.2.4.2 Exiting from AttachWait.SNK State" requirements. + +[ 6169.280751] CC1: 0 -> 0, CC2: 0 -> 5 [state TOGGLING, polarity 0, connected] +[ 6169.280759] state change TOGGLING -> SNK_ATTACH_WAIT [rev2 NONE_AMS] +[ 6169.280771] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev2 NONE_AMS] +[ 6169.282427] CC1: 0 -> 0, CC2: 5 -> 5 [state SNK_ATTACH_WAIT, polarity 0, connected] +[ 6169.450825] state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED [delayed 170 ms] +[ 6169.450834] pending state change SNK_DEBOUNCED -> PORT_RESET @ 480 ms [rev2 NONE_AMS] +[ 6169.930892] state change SNK_DEBOUNCED -> PORT_RESET [delayed 480 ms] +[ 6169.931296] disable vbus discharge ret:0 +[ 6169.931301] Setting usb_comm capable false +[ 6169.932783] Setting voltage/current limit 0 mV 0 mA +[ 6169.932802] polarity 0 +[ 6169.933706] Requesting mux state 0, usb-role 0, orientation 0 +[ 6169.936689] cc:=0 +[ 6169.936812] pending state change PORT_RESET -> PORT_RESET_WAIT_OFF @ 100 ms [rev2 NONE_AMS] +[ 6169.937157] CC1: 0 -> 0, CC2: 5 -> 0 [state PORT_RESET, polarity 0, disconnected] +[ 6170.036880] state change PORT_RESET -> PORT_RESET_WAIT_OFF [delayed 100 ms] +[ 6170.036890] state change PORT_RESET_WAIT_OFF -> SNK_UNATTACHED [rev2 NONE_AMS] +[ 6170.036896] Start toggling +[ 6170.041412] CC1: 0 -> 0, CC2: 0 -> 0 [state TOGGLING, polarity 0, disconnected] +[ 6170.042973] CC1: 0 -> 0, CC2: 0 -> 5 [state TOGGLING, polarity 0, connected] +[ 6170.042976] state change TOGGLING -> SNK_ATTACH_WAIT [rev2 NONE_AMS] +[ 6170.042981] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev2 NONE_AMS] +[ 6170.213014] state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED [delayed 170 ms] +[ 6170.213019] pending state change SNK_DEBOUNCED -> PORT_RESET @ 480 ms [rev2 NONE_AMS] +[ 6170.693068] state change SNK_DEBOUNCED -> PORT_RESET [delayed 480 ms] +[ 6170.693304] disable vbus discharge ret:0 +[ 6170.693308] Setting usb_comm capable false +[ 6170.695193] Setting voltage/current limit 0 mV 0 mA +[ 6170.695210] polarity 0 +[ 6170.695990] Requesting mux state 0, usb-role 0, orientation 0 +[ 6170.701896] cc:=0 +[ 6170.702181] pending state change PORT_RESET -> PORT_RESET_WAIT_OFF @ 100 ms [rev2 NONE_AMS] +[ 6170.703343] CC1: 0 -> 0, CC2: 5 -> 0 [state PORT_RESET, polarity 0, disconnected] + +Fixes: f0690a25a140b8 ("staging: typec: USB Type-C Port Manager (tcpm)") +Cc: stable@vger.kernel.org +Acked-by: Heikki Krogerus +Signed-off-by: Badhri Jagan Sridharan +Link: https://lore.kernel.org/r/20211130001825.3142830-1-badhri@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tcpm/tcpm.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/usb/typec/tcpm/tcpm.c ++++ b/drivers/usb/typec/tcpm/tcpm.c +@@ -4110,11 +4110,7 @@ static void run_state_machine(struct tcp + tcpm_try_src(port) ? SRC_TRY + : SNK_ATTACHED, + 0); +- else +- /* Wait for VBUS, but not forever */ +- tcpm_set_state(port, PORT_RESET, PD_T_PS_SOURCE_ON); + break; +- + case SRC_TRY: + port->try_src_count++; + tcpm_set_cc(port, tcpm_rp_cc(port)); diff --git a/queue-5.15/vgacon-propagate-console-boot-parameters-before-calling-vc_resize.patch b/queue-5.15/vgacon-propagate-console-boot-parameters-before-calling-vc_resize.patch new file mode 100644 index 00000000000..c032365b973 --- /dev/null +++ b/queue-5.15/vgacon-propagate-console-boot-parameters-before-calling-vc_resize.patch @@ -0,0 +1,94 @@ +From 3dfac26e2ef29ff2abc2a75aa4cd48fce25a2c4b Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Tue, 26 Oct 2021 00:26:22 +0200 +Subject: vgacon: Propagate console boot parameters before calling `vc_resize' + +From: Maciej W. Rozycki + +commit 3dfac26e2ef29ff2abc2a75aa4cd48fce25a2c4b upstream. + +Fix a division by zero in `vgacon_resize' with a backtrace like: + +vgacon_resize +vc_do_resize +vgacon_init +do_bind_con_driver +do_unbind_con_driver +fbcon_fb_unbind +do_unregister_framebuffer +do_register_framebuffer +register_framebuffer +__drm_fb_helper_initial_config_and_unlock +drm_helper_hpd_irq_event +dw_hdmi_irq +irq_thread +kthread + +caused by `c->vc_cell_height' not having been initialized. This has +only started to trigger with commit 860dafa90259 ("vt: Fix character +height handling with VT_RESIZEX"), however the ultimate offender is +commit 50ec42edd978 ("[PATCH] Detaching fbcon: fix vgacon to allow +retaking of the console"). + +Said commit has added a call to `vc_resize' whenever `vgacon_init' is +called with the `init' argument set to 0, which did not happen before. +And the call is made before a key vgacon boot parameter retrieved in +`vgacon_startup' has been propagated in `vgacon_init' for `vc_resize' to +use to the console structure being worked on. Previously the parameter +was `c->vc_font.height' and now it is `c->vc_cell_height'. + +In this particular scenario the registration of fbcon has failed and vt +resorts to vgacon. Now fbcon does have initialized `c->vc_font.height' +somehow, unlike `c->vc_cell_height', which is why this code did not +crash before, but either way the boot parameters should have been copied +to the console structure ahead of the call to `vc_resize' rather than +afterwards, so that first the call has a chance to use them and second +they do not change the console structure to something possibly different +from what was used by `vc_resize'. + +Move the propagation of the vgacon boot parameters ahead of the call to +`vc_resize' then. Adjust the comment accordingly. + +Fixes: 50ec42edd978 ("[PATCH] Detaching fbcon: fix vgacon to allow retaking of the console") +Cc: stable@vger.kernel.org # v2.6.18+ +Reported-by: Wim Osterholt +Reported-by: Pavel V. Panteleev +Signed-off-by: Maciej W. Rozycki +Link: https://lore.kernel.org/r/alpine.DEB.2.21.2110252317110.58149@angie.orcam.me.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/console/vgacon.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/video/console/vgacon.c ++++ b/drivers/video/console/vgacon.c +@@ -366,11 +366,17 @@ static void vgacon_init(struct vc_data * + struct uni_pagedir *p; + + /* +- * We cannot be loaded as a module, therefore init is always 1, +- * but vgacon_init can be called more than once, and init will +- * not be 1. ++ * We cannot be loaded as a module, therefore init will be 1 ++ * if we are the default console, however if we are a fallback ++ * console, for example if fbcon has failed registration, then ++ * init will be 0, so we need to make sure our boot parameters ++ * have been copied to the console structure for vgacon_resize ++ * ultimately called by vc_resize. Any subsequent calls to ++ * vgacon_init init will have init set to 0 too. + */ + c->vc_can_do_color = vga_can_do_color; ++ c->vc_scan_lines = vga_scan_lines; ++ c->vc_font.height = c->vc_cell_height = vga_video_font_height; + + /* set dimensions manually if init != 0 since vc_resize() will fail */ + if (init) { +@@ -379,8 +385,6 @@ static void vgacon_init(struct vc_data * + } else + vc_resize(c, vga_video_num_columns, vga_video_num_lines); + +- c->vc_scan_lines = vga_scan_lines; +- c->vc_font.height = c->vc_cell_height = vga_video_font_height; + c->vc_complement_mask = 0x7700; + if (vga_512_chars) + c->vc_hi_font_mask = 0x0800; diff --git a/queue-5.15/x86-64-mm-map-all-kernel-memory-into-trampoline_pgd.patch b/queue-5.15/x86-64-mm-map-all-kernel-memory-into-trampoline_pgd.patch new file mode 100644 index 00000000000..b7ad09db224 --- /dev/null +++ b/queue-5.15/x86-64-mm-map-all-kernel-memory-into-trampoline_pgd.patch @@ -0,0 +1,93 @@ +From 51523ed1c26758de1af7e58730a656875f72f783 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Thu, 2 Dec 2021 16:32:26 +0100 +Subject: x86/64/mm: Map all kernel memory into trampoline_pgd + +From: Joerg Roedel + +commit 51523ed1c26758de1af7e58730a656875f72f783 upstream. + +The trampoline_pgd only maps the 0xfffffff000000000-0xffffffffffffffff +range of kernel memory (with 4-level paging). This range contains the +kernel's text+data+bss mappings and the module mapping space but not the +direct mapping and the vmalloc area. + +This is enough to get the application processors out of real-mode, but +for code that switches back to real-mode the trampoline_pgd is missing +important parts of the address space. For example, consider this code +from arch/x86/kernel/reboot.c, function machine_real_restart() for a +64-bit kernel: + + #ifdef CONFIG_X86_32 + load_cr3(initial_page_table); + #else + write_cr3(real_mode_header->trampoline_pgd); + + /* Exiting long mode will fail if CR4.PCIDE is set. */ + if (boot_cpu_has(X86_FEATURE_PCID)) + cr4_clear_bits(X86_CR4_PCIDE); + #endif + + /* Jump to the identity-mapped low memory code */ + #ifdef CONFIG_X86_32 + asm volatile("jmpl *%0" : : + "rm" (real_mode_header->machine_real_restart_asm), + "a" (type)); + #else + asm volatile("ljmpl *%0" : : + "m" (real_mode_header->machine_real_restart_asm), + "D" (type)); + #endif + +The code switches to the trampoline_pgd, which unmaps the direct mapping +and also the kernel stack. The call to cr4_clear_bits() will find no +stack and crash the machine. The real_mode_header pointer below points +into the direct mapping, and dereferencing it also causes a crash. + +The reason this does not crash always is only that kernel mappings are +global and the CR3 switch does not flush those mappings. But if theses +mappings are not in the TLB already, the above code will crash before it +can jump to the real-mode stub. + +Extend the trampoline_pgd to contain all kernel mappings to prevent +these crashes and to make code which runs on this page-table more +robust. + +Signed-off-by: Joerg Roedel +Signed-off-by: Borislav Petkov +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20211202153226.22946-5-joro@8bytes.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/realmode/init.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/arch/x86/realmode/init.c ++++ b/arch/x86/realmode/init.c +@@ -72,6 +72,7 @@ static void __init setup_real_mode(void) + #ifdef CONFIG_X86_64 + u64 *trampoline_pgd; + u64 efer; ++ int i; + #endif + + base = (unsigned char *)real_mode_header; +@@ -128,8 +129,17 @@ static void __init setup_real_mode(void) + trampoline_header->flags = 0; + + trampoline_pgd = (u64 *) __va(real_mode_header->trampoline_pgd); ++ ++ /* Map the real mode stub as virtual == physical */ + trampoline_pgd[0] = trampoline_pgd_entry.pgd; +- trampoline_pgd[511] = init_top_pgt[511].pgd; ++ ++ /* ++ * Include the entirety of the kernel mapping into the trampoline ++ * PGD. This way, all mappings present in the normal kernel page ++ * tables are usable while running on trampoline_pgd. ++ */ ++ for (i = pgd_index(__PAGE_OFFSET); i < PTRS_PER_PGD; i++) ++ trampoline_pgd[i] = init_top_pgt[i].pgd; + #endif + + sme_sev_setup_real_mode(trampoline_header); diff --git a/queue-5.15/x86-tsc-add-a-timer-to-make-sure-tsc_adjust-is-always-checked.patch b/queue-5.15/x86-tsc-add-a-timer-to-make-sure-tsc_adjust-is-always-checked.patch new file mode 100644 index 00000000000..2f2ef3aa2db --- /dev/null +++ b/queue-5.15/x86-tsc-add-a-timer-to-make-sure-tsc_adjust-is-always-checked.patch @@ -0,0 +1,88 @@ +From c7719e79347803b8e3b6b50da8c6db410a3012b5 Mon Sep 17 00:00:00 2001 +From: Feng Tang +Date: Wed, 17 Nov 2021 10:37:50 +0800 +Subject: x86/tsc: Add a timer to make sure TSC_adjust is always checked + +From: Feng Tang + +commit c7719e79347803b8e3b6b50da8c6db410a3012b5 upstream. + +The TSC_ADJUST register is checked every time a CPU enters idle state, but +Thomas Gleixner mentioned there is still a caveat that a system won't enter +idle [1], either because it's too busy or configured purposely to not enter +idle. + +Setup a periodic timer (every 10 minutes) to make sure the check is +happening on a regular base. + +[1] https://lore.kernel.org/lkml/875z286xtk.fsf@nanos.tec.linutronix.de/ + +Fixes: 6e3cd95234dc ("x86/hpet: Use another crystalball to evaluate HPET usability") +Requested-by: Thomas Gleixner +Signed-off-by: Feng Tang +Signed-off-by: Thomas Gleixner +Cc: "Paul E. McKenney" +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211117023751.24190-1-feng.tang@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/tsc_sync.c | 41 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) + +--- a/arch/x86/kernel/tsc_sync.c ++++ b/arch/x86/kernel/tsc_sync.c +@@ -30,6 +30,7 @@ struct tsc_adjust { + }; + + static DEFINE_PER_CPU(struct tsc_adjust, tsc_adjust); ++static struct timer_list tsc_sync_check_timer; + + /* + * TSC's on different sockets may be reset asynchronously. +@@ -77,6 +78,46 @@ void tsc_verify_tsc_adjust(bool resume) + } + } + ++/* ++ * Normally the tsc_sync will be checked every time system enters idle ++ * state, but there is still caveat that a system won't enter idle, ++ * either because it's too busy or configured purposely to not enter ++ * idle. ++ * ++ * So setup a periodic timer (every 10 minutes) to make sure the check ++ * is always on. ++ */ ++ ++#define SYNC_CHECK_INTERVAL (HZ * 600) ++ ++static void tsc_sync_check_timer_fn(struct timer_list *unused) ++{ ++ int next_cpu; ++ ++ tsc_verify_tsc_adjust(false); ++ ++ /* Run the check for all onlined CPUs in turn */ ++ next_cpu = cpumask_next(raw_smp_processor_id(), cpu_online_mask); ++ if (next_cpu >= nr_cpu_ids) ++ next_cpu = cpumask_first(cpu_online_mask); ++ ++ tsc_sync_check_timer.expires += SYNC_CHECK_INTERVAL; ++ add_timer_on(&tsc_sync_check_timer, next_cpu); ++} ++ ++static int __init start_sync_check_timer(void) ++{ ++ if (!cpu_feature_enabled(X86_FEATURE_TSC_ADJUST) || tsc_clocksource_reliable) ++ return 0; ++ ++ timer_setup(&tsc_sync_check_timer, tsc_sync_check_timer_fn, 0); ++ tsc_sync_check_timer.expires = jiffies + SYNC_CHECK_INTERVAL; ++ add_timer(&tsc_sync_check_timer); ++ ++ return 0; ++} ++late_initcall(start_sync_check_timer); ++ + static void tsc_sanitize_first_cpu(struct tsc_adjust *cur, s64 bootval, + unsigned int cpu, bool bootcpu) + { diff --git a/queue-5.15/x86-tsc-disable-clocksource-watchdog-for-tsc-on-qualified-platorms.patch b/queue-5.15/x86-tsc-disable-clocksource-watchdog-for-tsc-on-qualified-platorms.patch new file mode 100644 index 00000000000..ba306d184d2 --- /dev/null +++ b/queue-5.15/x86-tsc-disable-clocksource-watchdog-for-tsc-on-qualified-platorms.patch @@ -0,0 +1,124 @@ +From b50db7095fe002fa3e16605546cba66bf1b68a3e Mon Sep 17 00:00:00 2001 +From: Feng Tang +Date: Wed, 17 Nov 2021 10:37:51 +0800 +Subject: x86/tsc: Disable clocksource watchdog for TSC on qualified platorms + +From: Feng Tang + +commit b50db7095fe002fa3e16605546cba66bf1b68a3e upstream. + +There are cases that the TSC clocksource is wrongly judged as unstable by +the clocksource watchdog mechanism which tries to validate the TSC against +HPET, PM_TIMER or jiffies. While there is hardly a general reliable way to +check the validity of a watchdog, Thomas Gleixner proposed [1]: + +"I'm inclined to lift that requirement when the CPU has: + + 1) X86_FEATURE_CONSTANT_TSC + 2) X86_FEATURE_NONSTOP_TSC + 3) X86_FEATURE_NONSTOP_TSC_S3 + 4) X86_FEATURE_TSC_ADJUST + 5) At max. 4 sockets + + After two decades of horrors we're finally at a point where TSC seems + to be halfway reliable and less abused by BIOS tinkerers. TSC_ADJUST + was really key as we can now detect even small modifications reliably + and the important point is that we can cure them as well (not pretty + but better than all other options)." + +As feature #3 X86_FEATURE_NONSTOP_TSC_S3 only exists on several generations +of Atom processorz, and is always coupled with X86_FEATURE_CONSTANT_TSC +and X86_FEATURE_NONSTOP_TSC, skip checking it, and also be more defensive +to use maximal 2 sockets. + +The check is done inside tsc_init() before registering 'tsc-early' and +'tsc' clocksources, as there were cases that both of them had been +wrongly judged as unreliable. + +For more background of tsc/watchdog, there is a good summary in [2] + +[tglx} Update vs. jiffies: + + On systems where the only remaining clocksource aside of TSC is jiffies + there is no way to make this work because that creates a circular + dependency. Jiffies accuracy depends on not missing a periodic timer + interrupt, which is not guaranteed. That could be detected by TSC, but as + TSC is not trusted this cannot be compensated. The consequence is a + circulus vitiosus which results in shutting down TSC and falling back to + the jiffies clocksource which is even more unreliable. + +[1]. https://lore.kernel.org/lkml/87eekfk8bd.fsf@nanos.tec.linutronix.de/ +[2]. https://lore.kernel.org/lkml/87a6pimt1f.ffs@nanos.tec.linutronix.de/ + +[ tglx: Refine comment and amend changelog ] + +Fixes: 6e3cd95234dc ("x86/hpet: Use another crystalball to evaluate HPET usability") +Suggested-by: Thomas Gleixner +Signed-off-by: Feng Tang +Signed-off-by: Thomas Gleixner +Cc: "Paul E. McKenney" +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211117023751.24190-2-feng.tang@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/tsc.c | 28 ++++++++++++++++++++++++---- + 1 file changed, 24 insertions(+), 4 deletions(-) + +--- a/arch/x86/kernel/tsc.c ++++ b/arch/x86/kernel/tsc.c +@@ -1180,6 +1180,12 @@ void mark_tsc_unstable(char *reason) + + EXPORT_SYMBOL_GPL(mark_tsc_unstable); + ++static void __init tsc_disable_clocksource_watchdog(void) ++{ ++ clocksource_tsc_early.flags &= ~CLOCK_SOURCE_MUST_VERIFY; ++ clocksource_tsc.flags &= ~CLOCK_SOURCE_MUST_VERIFY; ++} ++ + static void __init check_system_tsc_reliable(void) + { + #if defined(CONFIG_MGEODEGX1) || defined(CONFIG_MGEODE_LX) || defined(CONFIG_X86_GENERIC) +@@ -1196,6 +1202,23 @@ static void __init check_system_tsc_reli + #endif + if (boot_cpu_has(X86_FEATURE_TSC_RELIABLE)) + tsc_clocksource_reliable = 1; ++ ++ /* ++ * Disable the clocksource watchdog when the system has: ++ * - TSC running at constant frequency ++ * - TSC which does not stop in C-States ++ * - the TSC_ADJUST register which allows to detect even minimal ++ * modifications ++ * - not more than two sockets. As the number of sockets cannot be ++ * evaluated at the early boot stage where this has to be ++ * invoked, check the number of online memory nodes as a ++ * fallback solution which is an reasonable estimate. ++ */ ++ if (boot_cpu_has(X86_FEATURE_CONSTANT_TSC) && ++ boot_cpu_has(X86_FEATURE_NONSTOP_TSC) && ++ boot_cpu_has(X86_FEATURE_TSC_ADJUST) && ++ nr_online_nodes <= 2) ++ tsc_disable_clocksource_watchdog(); + } + + /* +@@ -1387,9 +1410,6 @@ static int __init init_tsc_clocksource(v + if (tsc_unstable) + goto unreg; + +- if (tsc_clocksource_reliable || no_tsc_watchdog) +- clocksource_tsc.flags &= ~CLOCK_SOURCE_MUST_VERIFY; +- + if (boot_cpu_has(X86_FEATURE_NONSTOP_TSC_S3)) + clocksource_tsc.flags |= CLOCK_SOURCE_SUSPEND_NONSTOP; + +@@ -1527,7 +1547,7 @@ void __init tsc_init(void) + } + + if (tsc_clocksource_reliable || no_tsc_watchdog) +- clocksource_tsc_early.flags &= ~CLOCK_SOURCE_MUST_VERIFY; ++ tsc_disable_clocksource_watchdog(); + + clocksource_register_khz(&clocksource_tsc_early, tsc_khz); + detect_art(); diff --git a/queue-5.15/xhci-fix-commad-ring-abort-write-all-64-bits-to-crcr-register.patch b/queue-5.15/xhci-fix-commad-ring-abort-write-all-64-bits-to-crcr-register.patch new file mode 100644 index 00000000000..5be8cad9160 --- /dev/null +++ b/queue-5.15/xhci-fix-commad-ring-abort-write-all-64-bits-to-crcr-register.patch @@ -0,0 +1,70 @@ +From 09f736aa95476631227d2dc0e6b9aeee1ad7ed58 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Fri, 26 Nov 2021 14:23:40 +0200 +Subject: xhci: Fix commad ring abort, write all 64 bits to CRCR register. + +From: Mathias Nyman + +commit 09f736aa95476631227d2dc0e6b9aeee1ad7ed58 upstream. + +Turns out some xHC controllers require all 64 bits in the CRCR register +to be written to execute a command abort. + +The lower 32 bits containing the command abort bit is written first. +In case the command ring stops before we write the upper 32 bits then +hardware may use these upper bits to set the commnd ring dequeue pointer. + +Solve this by making sure the upper 32 bits contain a valid command +ring dequeue pointer. + +The original patch that only wrote the first 32 to stop the ring went +to stable, so this fix should go there as well. + +Fixes: ff0e50d3564f ("xhci: Fix command ring pointer corruption while aborting a command") +Cc: stable@vger.kernel.org +Tested-by: Pavankumar Kondeti +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20211126122340.1193239-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-ring.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -366,7 +366,9 @@ static void xhci_handle_stopped_cmd_ring + /* Must be called with xhci->lock held, releases and aquires lock back */ + static int xhci_abort_cmd_ring(struct xhci_hcd *xhci, unsigned long flags) + { +- u32 temp_32; ++ struct xhci_segment *new_seg = xhci->cmd_ring->deq_seg; ++ union xhci_trb *new_deq = xhci->cmd_ring->dequeue; ++ u64 crcr; + int ret; + + xhci_dbg(xhci, "Abort command ring\n"); +@@ -375,13 +377,18 @@ static int xhci_abort_cmd_ring(struct xh + + /* + * The control bits like command stop, abort are located in lower +- * dword of the command ring control register. Limit the write +- * to the lower dword to avoid corrupting the command ring pointer +- * in case if the command ring is stopped by the time upper dword +- * is written. ++ * dword of the command ring control register. ++ * Some controllers require all 64 bits to be written to abort the ring. ++ * Make sure the upper dword is valid, pointing to the next command, ++ * avoiding corrupting the command ring pointer in case the command ring ++ * is stopped by the time the upper dword is written. + */ +- temp_32 = readl(&xhci->op_regs->cmd_ring); +- writel(temp_32 | CMD_RING_ABORT, &xhci->op_regs->cmd_ring); ++ next_trb(xhci, NULL, &new_seg, &new_deq); ++ if (trb_is_link(new_deq)) ++ next_trb(xhci, NULL, &new_seg, &new_deq); ++ ++ crcr = xhci_trb_virt_to_dma(new_seg, new_deq); ++ xhci_write_64(xhci, crcr | CMD_RING_ABORT, &xhci->op_regs->cmd_ring); + + /* Section 4.6.1.2 of xHCI 1.0 spec says software should also time the + * completion of the Command Abort operation. If CRR is not negated in 5