From: Greg Kroah-Hartman Date: Tue, 18 Feb 2025 12:30:07 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.1.129~60 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6bc766e20b0a9dfaf5e37547616818896e639258;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alpha-align-stack-for-page-fault-and-user-unaligned-trap-handlers.patch alpha-make-stack-16-byte-aligned-most-cases.patch batman-adv-drop-unmanaged-elp-metric-worker.patch batman-adv-fix-panic-during-interface-removal.patch batman-adv-ignore-neighbor-throughput-metrics-in-error-case.patch can-c_can-fix-unbalanced-runtime-pm-disable-in-error-path.patch can-ctucanfd-handle-skb-allocation-failure.patch can-j1939-j1939_sk_send_loop-fix-unable-to-send-messages-with-data-length-zero.patch cgroup-fix-race-between-fork-and-cgroup.kill.patch drm-amdgpu-avoid-buffer-overflow-attach-in-smu_sys_set_pp_table.patch efi-avoid-cold-plugged-memory-for-placing-the-kernel.patch gpio-stmpe-check-return-value-of-stmpe_reg_read-in-stmpe_gpio_irq_sync_unlock.patch gpiolib-acpi-add-a-quirk-for-acer-nitro-anv14.patch kvm-nsvm-enter-guest-mode-before-initializing-nested-npt-mmu.patch kvm-x86-reject-hyper-v-s-send_ipi-hypercalls-if-local-apic-isn-t-in-kernel.patch partitions-mac-fix-handling-of-bogus-partition-table.patch perf-x86-intel-ensure-lbrs-are-disabled-when-a-cpu-is-starting.patch serial-8250-fix-fifo-underflow-on-flush.patch usb-add-usb_quirk_no_lpm-quirk-for-sony-xperia-xz1-smartphone.patch usb-cdc-acm-check-control-transfer-buffer-size-before-access.patch usb-cdc-acm-fill-in-renesas-r-car-d3-usb-download-mode-quirk.patch usb-cdc-acm-fix-handling-of-oversized-fragments.patch usb-core-fix-pipe-creation-for-get_bmaxpacketsize0.patch usb-dwc2-gadget-remove-of_node-reference-upon-udc_stop.patch usb-dwc3-fix-timeout-issue-during-controller-enter-exit-from-halt-state.patch usb-gadget-f_midi-fix-midi-streaming-descriptor-lengths.patch usb-gadget-udc-renesas_usb3-fix-compiler-warning.patch usb-hub-ignore-non-compliant-devices-with-too-many-configs-or-interfaces.patch usb-pci-quirks-fix-hccparams-register-error-for-ls7a-ehci.patch usb-quirks-add-usb_quirk_no_lpm-quirk-for-teclast-dist.patch usb-roles-set-switch-registered-flag-early-on.patch usb-serial-option-add-meig-smart-slm828.patch usb-serial-option-add-telit-cinterion-fn990b-compositions.patch usb-serial-option-drop-meig-smart-defines.patch usb-serial-option-fix-telit-cinterion-fn990a-name.patch --- diff --git a/queue-6.1/alpha-align-stack-for-page-fault-and-user-unaligned-trap-handlers.patch b/queue-6.1/alpha-align-stack-for-page-fault-and-user-unaligned-trap-handlers.patch new file mode 100644 index 0000000000..bb30bc7012 --- /dev/null +++ b/queue-6.1/alpha-align-stack-for-page-fault-and-user-unaligned-trap-handlers.patch @@ -0,0 +1,129 @@ +From 3b35a171060f846b08b48646b38c30b5d57d17ff Mon Sep 17 00:00:00 2001 +From: Ivan Kokshaysky +Date: Tue, 4 Feb 2025 23:35:24 +0100 +Subject: alpha: align stack for page fault and user unaligned trap handlers + +From: Ivan Kokshaysky + +commit 3b35a171060f846b08b48646b38c30b5d57d17ff upstream. + +do_page_fault() and do_entUna() are special because they use +non-standard stack frame layout. Fix them manually. + +Cc: stable@vger.kernel.org +Tested-by: Maciej W. Rozycki +Tested-by: Magnus Lindholm +Tested-by: Matt Turner +Reviewed-by: Maciej W. Rozycki +Suggested-by: Maciej W. Rozycki +Signed-off-by: Ivan Kokshaysky +Signed-off-by: Matt Turner +Signed-off-by: Greg Kroah-Hartman +--- + arch/alpha/kernel/entry.S | 20 ++++++++++---------- + arch/alpha/kernel/traps.c | 2 +- + arch/alpha/mm/fault.c | 4 ++-- + 3 files changed, 13 insertions(+), 13 deletions(-) + +--- a/arch/alpha/kernel/entry.S ++++ b/arch/alpha/kernel/entry.S +@@ -199,8 +199,8 @@ CFI_END_OSF_FRAME entArith + CFI_START_OSF_FRAME entMM + SAVE_ALL + /* save $9 - $15 so the inline exception code can manipulate them. */ +- subq $sp, 56, $sp +- .cfi_adjust_cfa_offset 56 ++ subq $sp, 64, $sp ++ .cfi_adjust_cfa_offset 64 + stq $9, 0($sp) + stq $10, 8($sp) + stq $11, 16($sp) +@@ -215,7 +215,7 @@ CFI_START_OSF_FRAME entMM + .cfi_rel_offset $13, 32 + .cfi_rel_offset $14, 40 + .cfi_rel_offset $15, 48 +- addq $sp, 56, $19 ++ addq $sp, 64, $19 + /* handle the fault */ + lda $8, 0x3fff + bic $sp, $8, $8 +@@ -228,7 +228,7 @@ CFI_START_OSF_FRAME entMM + ldq $13, 32($sp) + ldq $14, 40($sp) + ldq $15, 48($sp) +- addq $sp, 56, $sp ++ addq $sp, 64, $sp + .cfi_restore $9 + .cfi_restore $10 + .cfi_restore $11 +@@ -236,7 +236,7 @@ CFI_START_OSF_FRAME entMM + .cfi_restore $13 + .cfi_restore $14 + .cfi_restore $15 +- .cfi_adjust_cfa_offset -56 ++ .cfi_adjust_cfa_offset -64 + /* finish up the syscall as normal. */ + br ret_from_sys_call + CFI_END_OSF_FRAME entMM +@@ -383,8 +383,8 @@ entUnaUser: + .cfi_restore $0 + .cfi_adjust_cfa_offset -256 + SAVE_ALL /* setup normal kernel stack */ +- lda $sp, -56($sp) +- .cfi_adjust_cfa_offset 56 ++ lda $sp, -64($sp) ++ .cfi_adjust_cfa_offset 64 + stq $9, 0($sp) + stq $10, 8($sp) + stq $11, 16($sp) +@@ -400,7 +400,7 @@ entUnaUser: + .cfi_rel_offset $14, 40 + .cfi_rel_offset $15, 48 + lda $8, 0x3fff +- addq $sp, 56, $19 ++ addq $sp, 64, $19 + bic $sp, $8, $8 + jsr $26, do_entUnaUser + ldq $9, 0($sp) +@@ -410,7 +410,7 @@ entUnaUser: + ldq $13, 32($sp) + ldq $14, 40($sp) + ldq $15, 48($sp) +- lda $sp, 56($sp) ++ lda $sp, 64($sp) + .cfi_restore $9 + .cfi_restore $10 + .cfi_restore $11 +@@ -418,7 +418,7 @@ entUnaUser: + .cfi_restore $13 + .cfi_restore $14 + .cfi_restore $15 +- .cfi_adjust_cfa_offset -56 ++ .cfi_adjust_cfa_offset -64 + br ret_from_sys_call + CFI_END_OSF_FRAME entUna + +--- a/arch/alpha/kernel/traps.c ++++ b/arch/alpha/kernel/traps.c +@@ -707,7 +707,7 @@ s_reg_to_mem (unsigned long s_reg) + static int unauser_reg_offsets[32] = { + R(r0), R(r1), R(r2), R(r3), R(r4), R(r5), R(r6), R(r7), R(r8), + /* r9 ... r15 are stored in front of regs. */ +- -56, -48, -40, -32, -24, -16, -8, ++ -64, -56, -48, -40, -32, -24, -16, /* padding at -8 */ + R(r16), R(r17), R(r18), + R(r19), R(r20), R(r21), R(r22), R(r23), R(r24), R(r25), R(r26), + R(r27), R(r28), R(gp), +--- a/arch/alpha/mm/fault.c ++++ b/arch/alpha/mm/fault.c +@@ -78,8 +78,8 @@ __load_new_mm_context(struct mm_struct * + + /* Macro for exception fixup code to access integer registers. */ + #define dpf_reg(r) \ +- (((unsigned long *)regs)[(r) <= 8 ? (r) : (r) <= 15 ? (r)-16 : \ +- (r) <= 18 ? (r)+10 : (r)-10]) ++ (((unsigned long *)regs)[(r) <= 8 ? (r) : (r) <= 15 ? (r)-17 : \ ++ (r) <= 18 ? (r)+11 : (r)-10]) + + asmlinkage void + do_page_fault(unsigned long address, unsigned long mmcsr, diff --git a/queue-6.1/alpha-make-stack-16-byte-aligned-most-cases.patch b/queue-6.1/alpha-make-stack-16-byte-aligned-most-cases.patch new file mode 100644 index 0000000000..5142f0ba70 --- /dev/null +++ b/queue-6.1/alpha-make-stack-16-byte-aligned-most-cases.patch @@ -0,0 +1,69 @@ +From 0a0f7362b0367634a2d5cb7c96226afc116f19c9 Mon Sep 17 00:00:00 2001 +From: Ivan Kokshaysky +Date: Tue, 4 Feb 2025 23:35:23 +0100 +Subject: alpha: make stack 16-byte aligned (most cases) + +From: Ivan Kokshaysky + +commit 0a0f7362b0367634a2d5cb7c96226afc116f19c9 upstream. + +The problem is that GCC expects 16-byte alignment of the incoming stack +since early 2004, as Maciej found out [1]: + Having actually dug speculatively I can see that the psABI was changed in + GCC 3.5 with commit e5e10fb4a350 ("re PR target/14539 (128-bit long double + improperly aligned)") back in Mar 2004, when the stack pointer alignment + was increased from 8 bytes to 16 bytes, and arch/alpha/kernel/entry.S has + various suspicious stack pointer adjustments, starting with SP_OFF which + is not a whole multiple of 16. + +Also, as Magnus noted, "ALPHA Calling Standard" [2] required the same: + D.3.1 Stack Alignment + This standard requires that stacks be octaword aligned at the time a + new procedure is invoked. + +However: +- the "normal" kernel stack is always misaligned by 8 bytes, thanks to + the odd number of 64-bit words in 'struct pt_regs', which is the very + first thing pushed onto the kernel thread stack; +- syscall, fault, interrupt etc. handlers may, or may not, receive aligned + stack depending on numerous factors. + +Somehow we got away with it until recently, when we ended up with +a stack corruption in kernel/smp.c:smp_call_function_single() due to +its use of 32-byte aligned local data and the compiler doing clever +things allocating it on the stack. + +This adds padding between the PAL-saved and kernel-saved registers +so that 'struct pt_regs' have an even number of 64-bit words. +This makes the stack properly aligned for most of the kernel +code, except two handlers which need special threatment. + +Note: struct pt_regs doesn't belong in uapi/asm; this should be fixed, +but let's put this off until later. + +Link: https://lore.kernel.org/rcu/alpine.DEB.2.21.2501130248010.18889@angie.orcam.me.uk/ [1] +Link: https://bitsavers.org/pdf/dec/alpha/Alpha_Calling_Standard_Rev_2.0_19900427.pdf [2] + +Cc: stable@vger.kernel.org +Tested-by: Maciej W. Rozycki +Tested-by: Magnus Lindholm +Tested-by: Matt Turner +Reviewed-by: Maciej W. Rozycki +Signed-off-by: Ivan Kokshaysky +Signed-off-by: Matt Turner +Signed-off-by: Greg Kroah-Hartman +--- + arch/alpha/include/uapi/asm/ptrace.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/alpha/include/uapi/asm/ptrace.h ++++ b/arch/alpha/include/uapi/asm/ptrace.h +@@ -42,6 +42,8 @@ struct pt_regs { + unsigned long trap_a0; + unsigned long trap_a1; + unsigned long trap_a2; ++/* This makes the stack 16-byte aligned as GCC expects */ ++ unsigned long __pad0; + /* These are saved by PAL-code: */ + unsigned long ps; + unsigned long pc; diff --git a/queue-6.1/batman-adv-drop-unmanaged-elp-metric-worker.patch b/queue-6.1/batman-adv-drop-unmanaged-elp-metric-worker.patch new file mode 100644 index 0000000000..845a58e067 --- /dev/null +++ b/queue-6.1/batman-adv-drop-unmanaged-elp-metric-worker.patch @@ -0,0 +1,252 @@ +From 8c8ecc98f5c65947b0070a24bac11e12e47cc65d Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Mon, 20 Jan 2025 00:06:11 +0100 +Subject: batman-adv: Drop unmanaged ELP metric worker + +From: Sven Eckelmann + +commit 8c8ecc98f5c65947b0070a24bac11e12e47cc65d upstream. + +The ELP worker needs to calculate new metric values for all neighbors +"reachable" over an interface. Some of the used metric sources require +locks which might need to sleep. This sleep is incompatible with the RCU +list iterator used for the recorded neighbors. The initial approach to work +around of this problem was to queue another work item per neighbor and then +run this in a new context. + +Even when this solved the RCU vs might_sleep() conflict, it has a major +problems: Nothing was stopping the work item in case it is not needed +anymore - for example because one of the related interfaces was removed or +the batman-adv module was unloaded - resulting in potential invalid memory +accesses. + +Directly canceling the metric worker also has various problems: + +* cancel_work_sync for a to-be-deactivated interface is called with + rtnl_lock held. But the code in the ELP metric worker also tries to use + rtnl_lock() - which will never return in this case. This also means that + cancel_work_sync would never return because it is waiting for the worker + to finish. +* iterating over the neighbor list for the to-be-deactivated interface is + currently done using the RCU specific methods. Which means that it is + possible to miss items when iterating over it without the associated + spinlock - a behaviour which is acceptable for a periodic metric check + but not for a cleanup routine (which must "stop" all still running + workers) + +The better approch is to get rid of the per interface neighbor metric +worker and handle everything in the interface worker. The original problems +are solved by: + +* creating a list of neighbors which require new metric information inside + the RCU protected context, gathering the metric according to the new list + outside the RCU protected context +* only use rcu_trylock inside metric gathering code to avoid a deadlock + when the cancel_delayed_work_sync is called in the interface removal code + (which is called with the rtnl_lock held) + +Cc: stable@vger.kernel.org +Fixes: c833484e5f38 ("batman-adv: ELP - compute the metric based on the estimated throughput") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_v.c | 2 - + net/batman-adv/bat_v_elp.c | 71 ++++++++++++++++++++++++++++++--------------- + net/batman-adv/bat_v_elp.h | 2 - + net/batman-adv/types.h | 3 - + 4 files changed, 48 insertions(+), 30 deletions(-) + +--- a/net/batman-adv/bat_v.c ++++ b/net/batman-adv/bat_v.c +@@ -113,8 +113,6 @@ static void + batadv_v_hardif_neigh_init(struct batadv_hardif_neigh_node *hardif_neigh) + { + ewma_throughput_init(&hardif_neigh->bat_v.throughput); +- INIT_WORK(&hardif_neigh->bat_v.metric_work, +- batadv_v_elp_throughput_metric_update); + } + + /** +--- a/net/batman-adv/bat_v_elp.c ++++ b/net/batman-adv/bat_v_elp.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -27,6 +28,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -43,6 +45,18 @@ + #include "send.h" + + /** ++ * struct batadv_v_metric_queue_entry - list of hardif neighbors which require ++ * and metric update ++ */ ++struct batadv_v_metric_queue_entry { ++ /** @hardif_neigh: hardif neighbor scheduled for metric update */ ++ struct batadv_hardif_neigh_node *hardif_neigh; ++ ++ /** @list: list node for metric_queue */ ++ struct list_head list; ++}; ++ ++/** + * batadv_v_elp_start_timer() - restart timer for ELP periodic work + * @hard_iface: the interface for which the timer has to be reset + */ +@@ -138,10 +152,17 @@ static bool batadv_v_elp_get_throughput( + goto default_throughput; + } + ++ /* only use rtnl_trylock because the elp worker will be cancelled while ++ * the rntl_lock is held. the cancel_delayed_work_sync() would otherwise ++ * wait forever when the elp work_item was started and it is then also ++ * trying to rtnl_lock ++ */ ++ if (!rtnl_trylock()) ++ return false; ++ + /* if not a wifi interface, check if this device provides data via + * ethtool (e.g. an Ethernet adapter) + */ +- rtnl_lock(); + ret = __ethtool_get_link_ksettings(hard_iface->net_dev, &link_settings); + rtnl_unlock(); + if (ret == 0) { +@@ -176,31 +197,19 @@ default_throughput: + /** + * batadv_v_elp_throughput_metric_update() - worker updating the throughput + * metric of a single hop neighbour +- * @work: the work queue item ++ * @neigh: the neighbour to probe + */ +-void batadv_v_elp_throughput_metric_update(struct work_struct *work) ++static void ++batadv_v_elp_throughput_metric_update(struct batadv_hardif_neigh_node *neigh) + { +- struct batadv_hardif_neigh_node_bat_v *neigh_bat_v; +- struct batadv_hardif_neigh_node *neigh; + u32 throughput; + bool valid; + +- neigh_bat_v = container_of(work, struct batadv_hardif_neigh_node_bat_v, +- metric_work); +- neigh = container_of(neigh_bat_v, struct batadv_hardif_neigh_node, +- bat_v); +- + valid = batadv_v_elp_get_throughput(neigh, &throughput); + if (!valid) +- goto put_neigh; ++ return; + + ewma_throughput_add(&neigh->bat_v.throughput, throughput); +- +-put_neigh: +- /* decrement refcounter to balance increment performed before scheduling +- * this task +- */ +- batadv_hardif_neigh_put(neigh); + } + + /** +@@ -274,14 +283,16 @@ batadv_v_elp_wifi_neigh_probe(struct bat + */ + static void batadv_v_elp_periodic_work(struct work_struct *work) + { ++ struct batadv_v_metric_queue_entry *metric_entry; ++ struct batadv_v_metric_queue_entry *metric_safe; + struct batadv_hardif_neigh_node *hardif_neigh; + struct batadv_hard_iface *hard_iface; + struct batadv_hard_iface_bat_v *bat_v; + struct batadv_elp_packet *elp_packet; ++ struct list_head metric_queue; + struct batadv_priv *bat_priv; + struct sk_buff *skb; + u32 elp_interval; +- bool ret; + + bat_v = container_of(work, struct batadv_hard_iface_bat_v, elp_wq.work); + hard_iface = container_of(bat_v, struct batadv_hard_iface, bat_v); +@@ -317,6 +328,8 @@ static void batadv_v_elp_periodic_work(s + + atomic_inc(&hard_iface->bat_v.elp_seqno); + ++ INIT_LIST_HEAD(&metric_queue); ++ + /* The throughput metric is updated on each sent packet. This way, if a + * node is dead and no longer sends packets, batman-adv is still able to + * react timely to its death. +@@ -341,16 +354,28 @@ static void batadv_v_elp_periodic_work(s + + /* Reading the estimated throughput from cfg80211 is a task that + * may sleep and that is not allowed in an rcu protected +- * context. Therefore schedule a task for that. ++ * context. Therefore add it to metric_queue and process it ++ * outside rcu protected context. + */ +- ret = queue_work(batadv_event_workqueue, +- &hardif_neigh->bat_v.metric_work); +- +- if (!ret) ++ metric_entry = kzalloc(sizeof(*metric_entry), GFP_ATOMIC); ++ if (!metric_entry) { + batadv_hardif_neigh_put(hardif_neigh); ++ continue; ++ } ++ ++ metric_entry->hardif_neigh = hardif_neigh; ++ list_add(&metric_entry->list, &metric_queue); + } + rcu_read_unlock(); + ++ list_for_each_entry_safe(metric_entry, metric_safe, &metric_queue, list) { ++ batadv_v_elp_throughput_metric_update(metric_entry->hardif_neigh); ++ ++ batadv_hardif_neigh_put(metric_entry->hardif_neigh); ++ list_del(&metric_entry->list); ++ kfree(metric_entry); ++ } ++ + restart_timer: + batadv_v_elp_start_timer(hard_iface); + out: +--- a/net/batman-adv/bat_v_elp.h ++++ b/net/batman-adv/bat_v_elp.h +@@ -10,7 +10,6 @@ + #include "main.h" + + #include +-#include + + int batadv_v_elp_iface_enable(struct batadv_hard_iface *hard_iface); + void batadv_v_elp_iface_disable(struct batadv_hard_iface *hard_iface); +@@ -19,6 +18,5 @@ void batadv_v_elp_iface_activate(struct + void batadv_v_elp_primary_iface_set(struct batadv_hard_iface *primary_iface); + int batadv_v_elp_packet_recv(struct sk_buff *skb, + struct batadv_hard_iface *if_incoming); +-void batadv_v_elp_throughput_metric_update(struct work_struct *work); + + #endif /* _NET_BATMAN_ADV_BAT_V_ELP_H_ */ +--- a/net/batman-adv/types.h ++++ b/net/batman-adv/types.h +@@ -596,9 +596,6 @@ struct batadv_hardif_neigh_node_bat_v { + * neighbor + */ + unsigned long last_unicast_tx; +- +- /** @metric_work: work queue callback item for metric update */ +- struct work_struct metric_work; + }; + + /** diff --git a/queue-6.1/batman-adv-fix-panic-during-interface-removal.patch b/queue-6.1/batman-adv-fix-panic-during-interface-removal.patch new file mode 100644 index 0000000000..1cda5de38f --- /dev/null +++ b/queue-6.1/batman-adv-fix-panic-during-interface-removal.patch @@ -0,0 +1,81 @@ +From ccb7276a6d26d6f8416e315b43b45e15ee7f29e2 Mon Sep 17 00:00:00 2001 +From: Andy Strohman +Date: Thu, 9 Jan 2025 02:27:56 +0000 +Subject: batman-adv: fix panic during interface removal + +From: Andy Strohman + +commit ccb7276a6d26d6f8416e315b43b45e15ee7f29e2 upstream. + +Reference counting is used to ensure that +batadv_hardif_neigh_node and batadv_hard_iface +are not freed before/during +batadv_v_elp_throughput_metric_update work is +finished. + +But there isn't a guarantee that the hard if will +remain associated with a soft interface up until +the work is finished. + +This fixes a crash triggered by reboot that looks +like this: + +Call trace: + batadv_v_mesh_free+0xd0/0x4dc [batman_adv] + batadv_v_elp_throughput_metric_update+0x1c/0xa4 + process_one_work+0x178/0x398 + worker_thread+0x2e8/0x4d0 + kthread+0xd8/0xdc + ret_from_fork+0x10/0x20 + +(the batadv_v_mesh_free call is misleading, +and does not actually happen) + +I was able to make the issue happen more reliably +by changing hardif_neigh->bat_v.metric_work work +to be delayed work. This allowed me to track down +and confirm the fix. + +Cc: stable@vger.kernel.org +Fixes: c833484e5f38 ("batman-adv: ELP - compute the metric based on the estimated throughput") +Signed-off-by: Andy Strohman +[sven@narfation.org: prevent entering batadv_v_elp_get_throughput without + soft_iface] +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_v_elp.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/bat_v_elp.c ++++ b/net/batman-adv/bat_v_elp.c +@@ -67,12 +67,19 @@ static void batadv_v_elp_start_timer(str + static u32 batadv_v_elp_get_throughput(struct batadv_hardif_neigh_node *neigh) + { + struct batadv_hard_iface *hard_iface = neigh->if_incoming; ++ struct net_device *soft_iface = hard_iface->soft_iface; + struct ethtool_link_ksettings link_settings; + struct net_device *real_netdev; + struct station_info sinfo; + u32 throughput; + int ret; + ++ /* don't query throughput when no longer associated with any ++ * batman-adv interface ++ */ ++ if (!soft_iface) ++ return BATADV_THROUGHPUT_DEFAULT_VALUE; ++ + /* if the user specified a customised value for this interface, then + * return it directly + */ +@@ -142,7 +149,7 @@ static u32 batadv_v_elp_get_throughput(s + + default_throughput: + if (!(hard_iface->bat_v.flags & BATADV_WARNING_DEFAULT)) { +- batadv_info(hard_iface->soft_iface, ++ batadv_info(soft_iface, + "WiFi driver or ethtool info does not provide information about link speeds on interface %s, therefore defaulting to hardcoded throughput values of %u.%1u Mbps. Consider overriding the throughput manually or checking your driver.\n", + hard_iface->net_dev->name, + BATADV_THROUGHPUT_DEFAULT_VALUE / 10, diff --git a/queue-6.1/batman-adv-ignore-neighbor-throughput-metrics-in-error-case.patch b/queue-6.1/batman-adv-ignore-neighbor-throughput-metrics-in-error-case.patch new file mode 100644 index 0000000000..1fff11905d --- /dev/null +++ b/queue-6.1/batman-adv-ignore-neighbor-throughput-metrics-in-error-case.patch @@ -0,0 +1,137 @@ +From e7e34ffc976aaae4f465b7898303241b81ceefc3 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Mon, 20 Jan 2025 20:35:28 +0100 +Subject: batman-adv: Ignore neighbor throughput metrics in error case + +From: Sven Eckelmann + +commit e7e34ffc976aaae4f465b7898303241b81ceefc3 upstream. + +If a temporary error happened in the evaluation of the neighbor throughput +information, then the invalid throughput result should not be stored in the +throughtput EWMA. + +Cc: stable@vger.kernel.org +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_v_elp.c | 50 ++++++++++++++++++++++++++++++--------------- + 1 file changed, 34 insertions(+), 16 deletions(-) + +--- a/net/batman-adv/bat_v_elp.c ++++ b/net/batman-adv/bat_v_elp.c +@@ -60,11 +60,13 @@ static void batadv_v_elp_start_timer(str + /** + * batadv_v_elp_get_throughput() - get the throughput towards a neighbour + * @neigh: the neighbour for which the throughput has to be obtained ++ * @pthroughput: calculated throughput towards the given neighbour in multiples ++ * of 100kpbs (a value of '1' equals 0.1Mbps, '10' equals 1Mbps, etc). + * +- * Return: The throughput towards the given neighbour in multiples of 100kpbs +- * (a value of '1' equals 0.1Mbps, '10' equals 1Mbps, etc). ++ * Return: true when value behind @pthroughput was set + */ +-static u32 batadv_v_elp_get_throughput(struct batadv_hardif_neigh_node *neigh) ++static bool batadv_v_elp_get_throughput(struct batadv_hardif_neigh_node *neigh, ++ u32 *pthroughput) + { + struct batadv_hard_iface *hard_iface = neigh->if_incoming; + struct net_device *soft_iface = hard_iface->soft_iface; +@@ -78,14 +80,16 @@ static u32 batadv_v_elp_get_throughput(s + * batman-adv interface + */ + if (!soft_iface) +- return BATADV_THROUGHPUT_DEFAULT_VALUE; ++ return false; + + /* if the user specified a customised value for this interface, then + * return it directly + */ + throughput = atomic_read(&hard_iface->bat_v.throughput_override); +- if (throughput != 0) +- return throughput; ++ if (throughput != 0) { ++ *pthroughput = throughput; ++ return true; ++ } + + /* if this is a wireless device, then ask its throughput through + * cfg80211 API +@@ -112,19 +116,24 @@ static u32 batadv_v_elp_get_throughput(s + * possible to delete this neighbor. For now set + * the throughput metric to 0. + */ +- return 0; ++ *pthroughput = 0; ++ return true; + } + if (ret) + goto default_throughput; + +- if (sinfo.filled & BIT(NL80211_STA_INFO_EXPECTED_THROUGHPUT)) +- return sinfo.expected_throughput / 100; ++ if (sinfo.filled & BIT(NL80211_STA_INFO_EXPECTED_THROUGHPUT)) { ++ *pthroughput = sinfo.expected_throughput / 100; ++ return true; ++ } + + /* try to estimate the expected throughput based on reported tx + * rates + */ +- if (sinfo.filled & BIT(NL80211_STA_INFO_TX_BITRATE)) +- return cfg80211_calculate_bitrate(&sinfo.txrate) / 3; ++ if (sinfo.filled & BIT(NL80211_STA_INFO_TX_BITRATE)) { ++ *pthroughput = cfg80211_calculate_bitrate(&sinfo.txrate) / 3; ++ return true; ++ } + + goto default_throughput; + } +@@ -143,8 +152,10 @@ static u32 batadv_v_elp_get_throughput(s + hard_iface->bat_v.flags &= ~BATADV_FULL_DUPLEX; + + throughput = link_settings.base.speed; +- if (throughput && throughput != SPEED_UNKNOWN) +- return throughput * 10; ++ if (throughput && throughput != SPEED_UNKNOWN) { ++ *pthroughput = throughput * 10; ++ return true; ++ } + } + + default_throughput: +@@ -158,7 +169,8 @@ default_throughput: + } + + /* if none of the above cases apply, return the base_throughput */ +- return BATADV_THROUGHPUT_DEFAULT_VALUE; ++ *pthroughput = BATADV_THROUGHPUT_DEFAULT_VALUE; ++ return true; + } + + /** +@@ -170,15 +182,21 @@ void batadv_v_elp_throughput_metric_upda + { + struct batadv_hardif_neigh_node_bat_v *neigh_bat_v; + struct batadv_hardif_neigh_node *neigh; ++ u32 throughput; ++ bool valid; + + neigh_bat_v = container_of(work, struct batadv_hardif_neigh_node_bat_v, + metric_work); + neigh = container_of(neigh_bat_v, struct batadv_hardif_neigh_node, + bat_v); + +- ewma_throughput_add(&neigh->bat_v.throughput, +- batadv_v_elp_get_throughput(neigh)); ++ valid = batadv_v_elp_get_throughput(neigh, &throughput); ++ if (!valid) ++ goto put_neigh; ++ ++ ewma_throughput_add(&neigh->bat_v.throughput, throughput); + ++put_neigh: + /* decrement refcounter to balance increment performed before scheduling + * this task + */ diff --git a/queue-6.1/can-c_can-fix-unbalanced-runtime-pm-disable-in-error-path.patch b/queue-6.1/can-c_can-fix-unbalanced-runtime-pm-disable-in-error-path.patch new file mode 100644 index 0000000000..6d955ec1a9 --- /dev/null +++ b/queue-6.1/can-c_can-fix-unbalanced-runtime-pm-disable-in-error-path.patch @@ -0,0 +1,45 @@ +From 257a2cd3eb578ee63d6bf90475dc4f4b16984139 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sun, 12 Jan 2025 13:41:52 +0100 +Subject: can: c_can: fix unbalanced runtime PM disable in error path + +From: Krzysztof Kozlowski + +commit 257a2cd3eb578ee63d6bf90475dc4f4b16984139 upstream. + +Runtime PM is enabled as one of the last steps of probe(), so all +earlier gotos to "exit_free_device" label were not correct and were +leading to unbalanced runtime PM disable depth. + +Fixes: 6e2fe01dd6f9 ("can: c_can: move runtime PM enable/disable to c_can_platform") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Vincent Mailhol +Link: https://patch.msgid.link/20250112-syscon-phandle-args-can-v1-1-314d9549906f@linaro.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/c_can/c_can_platform.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/c_can/c_can_platform.c ++++ b/drivers/net/can/c_can/c_can_platform.c +@@ -395,15 +395,16 @@ static int c_can_plat_probe(struct platf + if (ret) { + dev_err(&pdev->dev, "registering %s failed (err=%d)\n", + KBUILD_MODNAME, ret); +- goto exit_free_device; ++ goto exit_pm_runtime; + } + + dev_info(&pdev->dev, "%s device registered (regs=%p, irq=%d)\n", + KBUILD_MODNAME, priv->base, dev->irq); + return 0; + +-exit_free_device: ++exit_pm_runtime: + pm_runtime_disable(priv->device); ++exit_free_device: + free_c_can_dev(dev); + exit: + dev_err(&pdev->dev, "probe failed\n"); diff --git a/queue-6.1/can-ctucanfd-handle-skb-allocation-failure.patch b/queue-6.1/can-ctucanfd-handle-skb-allocation-failure.patch new file mode 100644 index 0000000000..bcce2a9641 --- /dev/null +++ b/queue-6.1/can-ctucanfd-handle-skb-allocation-failure.patch @@ -0,0 +1,49 @@ +From 9bd24927e3eeb85642c7baa3b28be8bea6c2a078 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Tue, 14 Jan 2025 18:21:38 +0300 +Subject: can: ctucanfd: handle skb allocation failure + +From: Fedor Pchelkin + +commit 9bd24927e3eeb85642c7baa3b28be8bea6c2a078 upstream. + +If skb allocation fails, the pointer to struct can_frame is NULL. This +is actually handled everywhere inside ctucan_err_interrupt() except for +the only place. + +Add the missed NULL check. + +Found by Linux Verification Center (linuxtesting.org) with SVACE static +analysis tool. + +Fixes: 2dcb8e8782d8 ("can: ctucanfd: add support for CTU CAN FD open-source IP core - bus independent part.") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin +Acked-by: Pavel Pisa +Reviewed-by: Vincent Mailhol +Link: https://patch.msgid.link/20250114152138.139580-1-pchelkin@ispras.ru +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/ctucanfd/ctucanfd_base.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/net/can/ctucanfd/ctucanfd_base.c ++++ b/drivers/net/can/ctucanfd/ctucanfd_base.c +@@ -867,10 +867,12 @@ static void ctucan_err_interrupt(struct + } + break; + case CAN_STATE_ERROR_ACTIVE: +- cf->can_id |= CAN_ERR_CNT; +- cf->data[1] = CAN_ERR_CRTL_ACTIVE; +- cf->data[6] = bec.txerr; +- cf->data[7] = bec.rxerr; ++ if (skb) { ++ cf->can_id |= CAN_ERR_CNT; ++ cf->data[1] = CAN_ERR_CRTL_ACTIVE; ++ cf->data[6] = bec.txerr; ++ cf->data[7] = bec.rxerr; ++ } + break; + default: + netdev_warn(ndev, "unhandled error state (%d:%s)!\n", diff --git a/queue-6.1/can-j1939-j1939_sk_send_loop-fix-unable-to-send-messages-with-data-length-zero.patch b/queue-6.1/can-j1939-j1939_sk_send_loop-fix-unable-to-send-messages-with-data-length-zero.patch new file mode 100644 index 0000000000..9a112d4f3e --- /dev/null +++ b/queue-6.1/can-j1939-j1939_sk_send_loop-fix-unable-to-send-messages-with-data-length-zero.patch @@ -0,0 +1,78 @@ +From 44de577e61ed239db09f0da9d436866bef9b77dd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alexander=20H=C3=B6lzl?= +Date: Wed, 5 Feb 2025 18:46:51 +0100 +Subject: can: j1939: j1939_sk_send_loop(): fix unable to send messages with data length zero +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexander Hölzl + +commit 44de577e61ed239db09f0da9d436866bef9b77dd upstream. + +The J1939 standard requires the transmission of messages of length 0. + +For example proprietary messages are specified with a data length of 0 +to 1785. The transmission of such messages is not possible. Sending +results in no error being returned but no corresponding can frame +being generated. + +Enable the transmission of zero length J1939 messages. In order to +facilitate this two changes are necessary: + +1) If the transmission of a new message is requested from user space +the message is segmented in j1939_sk_send_loop(). Let the segmentation +take into account zero length messages, do not terminate immediately, +queue the corresponding skb. + +2) j1939_session_skb_get_by_offset() selects the next skb to transmit +for a session. Take into account that there might be zero length skbs +in the queue. + +Signed-off-by: Alexander Hölzl +Acked-by: Oleksij Rempel +Link: https://patch.msgid.link/20250205174651.103238-1-alexander.hoelzl@gmx.net +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Cc: stable@vger.kernel.org +[mkl: commit message rephrased] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/socket.c | 4 ++-- + net/can/j1939/transport.c | 5 +++-- + 2 files changed, 5 insertions(+), 4 deletions(-) + +--- a/net/can/j1939/socket.c ++++ b/net/can/j1939/socket.c +@@ -1132,7 +1132,7 @@ static int j1939_sk_send_loop(struct j19 + + todo_size = size; + +- while (todo_size) { ++ do { + struct j1939_sk_buff_cb *skcb; + + segment_size = min_t(size_t, J1939_MAX_TP_PACKET_SIZE, +@@ -1177,7 +1177,7 @@ static int j1939_sk_send_loop(struct j19 + + todo_size -= segment_size; + session->total_queued_size += segment_size; +- } ++ } while (todo_size); + + switch (ret) { + case 0: /* OK */ +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -382,8 +382,9 @@ sk_buff *j1939_session_skb_get_by_offset + skb_queue_walk(&session->skb_queue, do_skb) { + do_skcb = j1939_skb_to_cb(do_skb); + +- if (offset_start >= do_skcb->offset && +- offset_start < (do_skcb->offset + do_skb->len)) { ++ if ((offset_start >= do_skcb->offset && ++ offset_start < (do_skcb->offset + do_skb->len)) || ++ (offset_start == 0 && do_skcb->offset == 0 && do_skb->len == 0)) { + skb = do_skb; + } + } diff --git a/queue-6.1/cgroup-fix-race-between-fork-and-cgroup.kill.patch b/queue-6.1/cgroup-fix-race-between-fork-and-cgroup.kill.patch new file mode 100644 index 0000000000..1bf5f46f7b --- /dev/null +++ b/queue-6.1/cgroup-fix-race-between-fork-and-cgroup.kill.patch @@ -0,0 +1,165 @@ +From b69bb476dee99d564d65d418e9a20acca6f32c3f Mon Sep 17 00:00:00 2001 +From: Shakeel Butt +Date: Thu, 30 Jan 2025 16:05:42 -0800 +Subject: cgroup: fix race between fork and cgroup.kill +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shakeel Butt + +commit b69bb476dee99d564d65d418e9a20acca6f32c3f upstream. + +Tejun reported the following race between fork() and cgroup.kill at [1]. + +Tejun: + I was looking at cgroup.kill implementation and wondering whether there + could be a race window. So, __cgroup_kill() does the following: + + k1. Set CGRP_KILL. + k2. Iterate tasks and deliver SIGKILL. + k3. Clear CGRP_KILL. + + The copy_process() does the following: + + c1. Copy a bunch of stuff. + c2. Grab siglock. + c3. Check fatal_signal_pending(). + c4. Commit to forking. + c5. Release siglock. + c6. Call cgroup_post_fork() which puts the task on the css_set and tests + CGRP_KILL. + + The intention seems to be that either a forking task gets SIGKILL and + terminates on c3 or it sees CGRP_KILL on c6 and kills the child. However, I + don't see what guarantees that k3 can't happen before c6. ie. After a + forking task passes c5, k2 can take place and then before the forking task + reaches c6, k3 can happen. Then, nobody would send SIGKILL to the child. + What am I missing? + +This is indeed a race. One way to fix this race is by taking +cgroup_threadgroup_rwsem in write mode in __cgroup_kill() as the fork() +side takes cgroup_threadgroup_rwsem in read mode from cgroup_can_fork() +to cgroup_post_fork(). However that would be heavy handed as this adds +one more potential stall scenario for cgroup.kill which is usually +called under extreme situation like memory pressure. + +To fix this race, let's maintain a sequence number per cgroup which gets +incremented on __cgroup_kill() call. On the fork() side, the +cgroup_can_fork() will cache the sequence number locally and recheck it +against the cgroup's sequence number at cgroup_post_fork() site. If the +sequence numbers mismatch, it means __cgroup_kill() can been called and +we should send SIGKILL to the newly created task. + +Reported-by: Tejun Heo +Closes: https://lore.kernel.org/all/Z5QHE2Qn-QZ6M-KW@slm.duckdns.org/ [1] +Fixes: 661ee6280931 ("cgroup: introduce cgroup.kill") +Cc: stable@vger.kernel.org # v5.14+ +Signed-off-by: Shakeel Butt +Reviewed-by: Michal Koutný +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/cgroup-defs.h | 6 +++--- + include/linux/sched/task.h | 1 + + kernel/cgroup/cgroup.c | 20 ++++++++++++-------- + 3 files changed, 16 insertions(+), 11 deletions(-) + +--- a/include/linux/cgroup-defs.h ++++ b/include/linux/cgroup-defs.h +@@ -71,9 +71,6 @@ enum { + + /* Cgroup is frozen. */ + CGRP_FROZEN, +- +- /* Control group has to be killed. */ +- CGRP_KILL, + }; + + /* cgroup_root->flags */ +@@ -424,6 +421,9 @@ struct cgroup { + + int nr_threaded_children; /* # of live threaded child cgroups */ + ++ /* sequence number for cgroup.kill, serialized by css_set_lock. */ ++ unsigned int kill_seq; ++ + struct kernfs_node *kn; /* cgroup kernfs entry */ + struct cgroup_file procs_file; /* handle for "cgroup.procs" */ + struct cgroup_file events_file; /* handle for "cgroup.events" */ +--- a/include/linux/sched/task.h ++++ b/include/linux/sched/task.h +@@ -38,6 +38,7 @@ struct kernel_clone_args { + void *fn_arg; + struct cgroup *cgrp; + struct css_set *cset; ++ unsigned int kill_seq; + }; + + /* +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -3952,7 +3952,7 @@ static void __cgroup_kill(struct cgroup + lockdep_assert_held(&cgroup_mutex); + + spin_lock_irq(&css_set_lock); +- set_bit(CGRP_KILL, &cgrp->flags); ++ cgrp->kill_seq++; + spin_unlock_irq(&css_set_lock); + + css_task_iter_start(&cgrp->self, CSS_TASK_ITER_PROCS | CSS_TASK_ITER_THREADED, &it); +@@ -3968,10 +3968,6 @@ static void __cgroup_kill(struct cgroup + send_sig(SIGKILL, task, 0); + } + css_task_iter_end(&it); +- +- spin_lock_irq(&css_set_lock); +- clear_bit(CGRP_KILL, &cgrp->flags); +- spin_unlock_irq(&css_set_lock); + } + + static void cgroup_kill(struct cgroup *cgrp) +@@ -6409,6 +6405,10 @@ static int cgroup_css_set_fork(struct ke + spin_lock_irq(&css_set_lock); + cset = task_css_set(current); + get_css_set(cset); ++ if (kargs->cgrp) ++ kargs->kill_seq = kargs->cgrp->kill_seq; ++ else ++ kargs->kill_seq = cset->dfl_cgrp->kill_seq; + spin_unlock_irq(&css_set_lock); + + if (!(kargs->flags & CLONE_INTO_CGROUP)) { +@@ -6592,6 +6592,7 @@ void cgroup_post_fork(struct task_struct + struct kernel_clone_args *kargs) + __releases(&cgroup_threadgroup_rwsem) __releases(&cgroup_mutex) + { ++ unsigned int cgrp_kill_seq = 0; + unsigned long cgrp_flags = 0; + bool kill = false; + struct cgroup_subsys *ss; +@@ -6605,10 +6606,13 @@ void cgroup_post_fork(struct task_struct + + /* init tasks are special, only link regular threads */ + if (likely(child->pid)) { +- if (kargs->cgrp) ++ if (kargs->cgrp) { + cgrp_flags = kargs->cgrp->flags; +- else ++ cgrp_kill_seq = kargs->cgrp->kill_seq; ++ } else { + cgrp_flags = cset->dfl_cgrp->flags; ++ cgrp_kill_seq = cset->dfl_cgrp->kill_seq; ++ } + + WARN_ON_ONCE(!list_empty(&child->cg_list)); + cset->nr_tasks++; +@@ -6643,7 +6647,7 @@ void cgroup_post_fork(struct task_struct + * child down right after we finished preparing it for + * userspace. + */ +- kill = test_bit(CGRP_KILL, &cgrp_flags); ++ kill = kargs->kill_seq != cgrp_kill_seq; + } + + spin_unlock_irq(&css_set_lock); diff --git a/queue-6.1/drm-amdgpu-avoid-buffer-overflow-attach-in-smu_sys_set_pp_table.patch b/queue-6.1/drm-amdgpu-avoid-buffer-overflow-attach-in-smu_sys_set_pp_table.patch new file mode 100644 index 0000000000..62d82a49a2 --- /dev/null +++ b/queue-6.1/drm-amdgpu-avoid-buffer-overflow-attach-in-smu_sys_set_pp_table.patch @@ -0,0 +1,34 @@ +From 1abb2648698bf10783d2236a6b4a7ca5e8021699 Mon Sep 17 00:00:00 2001 +From: Jiang Liu +Date: Fri, 7 Feb 2025 14:44:14 +0800 +Subject: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() + +From: Jiang Liu + +commit 1abb2648698bf10783d2236a6b4a7ca5e8021699 upstream. + +It malicious user provides a small pptable through sysfs and then +a bigger pptable, it may cause buffer overflow attack in function +smu_sys_set_pp_table(). + +Reviewed-by: Lijo Lazar +Signed-off-by: Jiang Liu +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c +@@ -516,7 +516,8 @@ static int smu_sys_set_pp_table(void *ha + return -EIO; + } + +- if (!smu_table->hardcode_pptable) { ++ if (!smu_table->hardcode_pptable || smu_table->power_play_table_size < size) { ++ kfree(smu_table->hardcode_pptable); + smu_table->hardcode_pptable = kzalloc(size, GFP_KERNEL); + if (!smu_table->hardcode_pptable) + return -ENOMEM; diff --git a/queue-6.1/efi-avoid-cold-plugged-memory-for-placing-the-kernel.patch b/queue-6.1/efi-avoid-cold-plugged-memory-for-placing-the-kernel.patch new file mode 100644 index 0000000000..2f68ef03c3 --- /dev/null +++ b/queue-6.1/efi-avoid-cold-plugged-memory-for-placing-the-kernel.patch @@ -0,0 +1,99 @@ +From ba69e0750b0362870294adab09339a0c39c3beaf Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Sat, 1 Feb 2025 18:21:35 +0100 +Subject: efi: Avoid cold plugged memory for placing the kernel + +From: Ard Biesheuvel + +commit ba69e0750b0362870294adab09339a0c39c3beaf upstream. + +UEFI 2.11 introduced EFI_MEMORY_HOT_PLUGGABLE to annotate system memory +regions that are 'cold plugged' at boot, i.e., hot pluggable memory that +is available from early boot, and described as system RAM by the +firmware. + +Existing loaders and EFI applications running in the boot context will +happily use this memory for allocating data structures that cannot be +freed or moved at runtime, and this prevents the memory from being +unplugged. Going forward, the new EFI_MEMORY_HOT_PLUGGABLE attribute +should be tested, and memory annotated as such should be avoided for +such allocations. + +In the EFI stub, there are a couple of occurrences where, instead of the +high-level AllocatePages() UEFI boot service, a low-level code sequence +is used that traverses the EFI memory map and carves out the requested +number of pages from a free region. This is needed, e.g., for allocating +as low as possible, or for allocating pages at random. + +While AllocatePages() should presumably avoid special purpose memory and +cold plugged regions, this manual approach needs to incorporate this +logic itself, in order to prevent the kernel itself from ending up in a +hot unpluggable region, preventing it from being unplugged. + +So add the EFI_MEMORY_HOTPLUGGABLE macro definition, and check for it +where appropriate. + +Cc: stable@vger.kernel.org +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/efi.c | 6 ++++-- + drivers/firmware/efi/libstub/randomalloc.c | 3 +++ + drivers/firmware/efi/libstub/relocate.c | 3 +++ + include/linux/efi.h | 1 + + 4 files changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/firmware/efi/efi.c ++++ b/drivers/firmware/efi/efi.c +@@ -835,13 +835,15 @@ char * __init efi_md_typeattr_format(cha + EFI_MEMORY_WB | EFI_MEMORY_UCE | EFI_MEMORY_RO | + EFI_MEMORY_WP | EFI_MEMORY_RP | EFI_MEMORY_XP | + EFI_MEMORY_NV | EFI_MEMORY_SP | EFI_MEMORY_CPU_CRYPTO | +- EFI_MEMORY_RUNTIME | EFI_MEMORY_MORE_RELIABLE)) ++ EFI_MEMORY_MORE_RELIABLE | EFI_MEMORY_HOT_PLUGGABLE | ++ EFI_MEMORY_RUNTIME)) + snprintf(pos, size, "|attr=0x%016llx]", + (unsigned long long)attr); + else + snprintf(pos, size, +- "|%3s|%2s|%2s|%2s|%2s|%2s|%2s|%2s|%2s|%3s|%2s|%2s|%2s|%2s]", ++ "|%3s|%2s|%2s|%2s|%2s|%2s|%2s|%2s|%2s|%2s|%3s|%2s|%2s|%2s|%2s]", + attr & EFI_MEMORY_RUNTIME ? "RUN" : "", ++ attr & EFI_MEMORY_HOT_PLUGGABLE ? "HP" : "", + attr & EFI_MEMORY_MORE_RELIABLE ? "MR" : "", + attr & EFI_MEMORY_CPU_CRYPTO ? "CC" : "", + attr & EFI_MEMORY_SP ? "SP" : "", +--- a/drivers/firmware/efi/libstub/randomalloc.c ++++ b/drivers/firmware/efi/libstub/randomalloc.c +@@ -25,6 +25,9 @@ static unsigned long get_entry_num_slots + if (md->type != EFI_CONVENTIONAL_MEMORY) + return 0; + ++ if (md->attribute & EFI_MEMORY_HOT_PLUGGABLE) ++ return 0; ++ + if (efi_soft_reserve_enabled() && + (md->attribute & EFI_MEMORY_SP)) + return 0; +--- a/drivers/firmware/efi/libstub/relocate.c ++++ b/drivers/firmware/efi/libstub/relocate.c +@@ -53,6 +53,9 @@ efi_status_t efi_low_alloc_above(unsigne + if (desc->type != EFI_CONVENTIONAL_MEMORY) + continue; + ++ if (desc->attribute & EFI_MEMORY_HOT_PLUGGABLE) ++ continue; ++ + if (efi_soft_reserve_enabled() && + (desc->attribute & EFI_MEMORY_SP)) + continue; +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -125,6 +125,7 @@ typedef struct { + #define EFI_MEMORY_RO ((u64)0x0000000000020000ULL) /* read-only */ + #define EFI_MEMORY_SP ((u64)0x0000000000040000ULL) /* soft reserved */ + #define EFI_MEMORY_CPU_CRYPTO ((u64)0x0000000000080000ULL) /* supports encryption */ ++#define EFI_MEMORY_HOT_PLUGGABLE BIT_ULL(20) /* supports unplugging at runtime */ + #define EFI_MEMORY_RUNTIME ((u64)0x8000000000000000ULL) /* range requires runtime mapping */ + #define EFI_MEMORY_DESCRIPTOR_VERSION 1 + diff --git a/queue-6.1/gpio-stmpe-check-return-value-of-stmpe_reg_read-in-stmpe_gpio_irq_sync_unlock.patch b/queue-6.1/gpio-stmpe-check-return-value-of-stmpe_reg_read-in-stmpe_gpio_irq_sync_unlock.patch new file mode 100644 index 0000000000..6a0c16d989 --- /dev/null +++ b/queue-6.1/gpio-stmpe-check-return-value-of-stmpe_reg_read-in-stmpe_gpio_irq_sync_unlock.patch @@ -0,0 +1,65 @@ +From b9644fbfbcab13da7f8b37bef7c51e5b8407d031 Mon Sep 17 00:00:00 2001 +From: Wentao Liang +Date: Wed, 12 Feb 2025 10:18:49 +0800 +Subject: gpio: stmpe: Check return value of stmpe_reg_read in stmpe_gpio_irq_sync_unlock + +From: Wentao Liang + +commit b9644fbfbcab13da7f8b37bef7c51e5b8407d031 upstream. + +The stmpe_reg_read function can fail, but its return value is not checked +in stmpe_gpio_irq_sync_unlock. This can lead to silent failures and +incorrect behavior if the hardware access fails. + +This patch adds checks for the return value of stmpe_reg_read. If the +function fails, an error message is logged and the function returns +early to avoid further issues. + +Fixes: b888fb6f2a27 ("gpio: stmpe: i2c transfer are forbiden in atomic context") +Cc: stable@vger.kernel.org # 4.16+ +Signed-off-by: Wentao Liang +Link: https://lore.kernel.org/r/20250212021849.275-1-vulab@iscas.ac.cn +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-stmpe.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/gpio/gpio-stmpe.c ++++ b/drivers/gpio/gpio-stmpe.c +@@ -191,7 +191,7 @@ static void stmpe_gpio_irq_sync_unlock(s + [REG_IE][CSB] = STMPE_IDX_IEGPIOR_CSB, + [REG_IE][MSB] = STMPE_IDX_IEGPIOR_MSB, + }; +- int i, j; ++ int ret, i, j; + + /* + * STMPE1600: to be able to get IRQ from pins, +@@ -199,8 +199,16 @@ static void stmpe_gpio_irq_sync_unlock(s + * GPSR or GPCR registers + */ + if (stmpe->partnum == STMPE1600) { +- stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_LSB]); +- stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_CSB]); ++ ret = stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_LSB]); ++ if (ret < 0) { ++ dev_err(stmpe->dev, "Failed to read GPMR_LSB: %d\n", ret); ++ goto err; ++ } ++ ret = stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_CSB]); ++ if (ret < 0) { ++ dev_err(stmpe->dev, "Failed to read GPMR_CSB: %d\n", ret); ++ goto err; ++ } + } + + for (i = 0; i < CACHE_NR_REGS; i++) { +@@ -222,6 +230,7 @@ static void stmpe_gpio_irq_sync_unlock(s + } + } + ++err: + mutex_unlock(&stmpe_gpio->irq_lock); + } + diff --git a/queue-6.1/gpiolib-acpi-add-a-quirk-for-acer-nitro-anv14.patch b/queue-6.1/gpiolib-acpi-add-a-quirk-for-acer-nitro-anv14.patch new file mode 100644 index 0000000000..ecbfca4eeb --- /dev/null +++ b/queue-6.1/gpiolib-acpi-add-a-quirk-for-acer-nitro-anv14.patch @@ -0,0 +1,51 @@ +From 8743d66979e494c5378563e6b5a32e913380abd8 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Tue, 11 Feb 2025 14:32:01 -0600 +Subject: gpiolib: acpi: Add a quirk for Acer Nitro ANV14 + +From: Mario Limonciello + +commit 8743d66979e494c5378563e6b5a32e913380abd8 upstream. + +Spurious immediate wake up events are reported on Acer Nitro ANV14. GPIO 11 is +specified as an edge triggered input and also a wake source but this pin is +supposed to be an output pin for an LED, so it's effectively floating. + +Block the interrupt from getting set up for this GPIO on this device. + +Cc: stable@vger.kernel.org +Reported-by: Delgan +Tested-by: Delgan +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3954 +Signed-off-by: Mario Limonciello +Acked-by: Mika Westerberg +Link: https://lore.kernel.org/r/20250211203222.761206-1-superm1@kernel.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib-acpi.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -1640,6 +1640,20 @@ static const struct dmi_system_id gpioli + .ignore_wake = "PNP0C50:00@8", + }, + }, ++ { ++ /* ++ * Spurious wakeups from GPIO 11 ++ * Found in BIOS 1.04 ++ * https://gitlab.freedesktop.org/drm/amd/-/issues/3954 ++ */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_FAMILY, "Acer Nitro V 14"), ++ }, ++ .driver_data = &(struct acpi_gpiolib_dmi_quirk) { ++ .ignore_interrupt = "AMDI0030:00@11", ++ }, ++ }, + {} /* Terminating entry */ + }; + diff --git a/queue-6.1/kvm-nsvm-enter-guest-mode-before-initializing-nested-npt-mmu.patch b/queue-6.1/kvm-nsvm-enter-guest-mode-before-initializing-nested-npt-mmu.patch new file mode 100644 index 0000000000..5ef7dc49d2 --- /dev/null +++ b/queue-6.1/kvm-nsvm-enter-guest-mode-before-initializing-nested-npt-mmu.patch @@ -0,0 +1,81 @@ +From 46d6c6f3ef0eaff71c2db6d77d4e2ebb7adac34f Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 29 Jan 2025 17:08:25 -0800 +Subject: KVM: nSVM: Enter guest mode before initializing nested NPT MMU + +From: Sean Christopherson + +commit 46d6c6f3ef0eaff71c2db6d77d4e2ebb7adac34f upstream. + +When preparing vmcb02 for nested VMRUN (or state restore), "enter" guest +mode prior to initializing the MMU for nested NPT so that guest_mode is +set in the MMU's role. KVM's model is that all L2 MMUs are tagged with +guest_mode, as the behavior of hypervisor MMUs tends to be significantly +different than kernel MMUs. + +Practically speaking, the bug is relatively benign, as KVM only directly +queries role.guest_mode in kvm_mmu_free_guest_mode_roots() and +kvm_mmu_page_ad_need_write_protect(), which SVM doesn't use, and in paths +that are optimizations (mmu_page_zap_pte() and +shadow_mmu_try_split_huge_pages()). + +And while the role is incorprated into shadow page usage, because nested +NPT requires KVM to be using NPT for L1, reusing shadow pages across L1 +and L2 is impossible as L1 MMUs will always have direct=1, while L2 MMUs +will have direct=0. + +Hoist the TLB processing and setting of HF_GUEST_MASK to the beginning +of the flow instead of forcing guest_mode in the MMU, as nothing in +nested_vmcb02_prepare_control() between the old and new locations touches +TLB flush requests or HF_GUEST_MASK, i.e. there's no reason to present +inconsistent vCPU state to the MMU. + +Fixes: 69cb877487de ("KVM: nSVM: move MMU setup to nested_prepare_vmcb_control") +Cc: stable@vger.kernel.org +Reported-by: Yosry Ahmed +Reviewed-by: Yosry Ahmed +Link: https://lore.kernel.org/r/20250130010825.220346-1-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu/mmu.c | 2 +- + arch/x86/kvm/svm/nested.c | 10 +++++----- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/x86/kvm/mmu/mmu.c ++++ b/arch/x86/kvm/mmu/mmu.c +@@ -5150,7 +5150,7 @@ void kvm_init_shadow_npt_mmu(struct kvm_ + union kvm_mmu_page_role root_role; + + /* NPT requires CR0.PG=1. */ +- WARN_ON_ONCE(cpu_role.base.direct); ++ WARN_ON_ONCE(cpu_role.base.direct || !cpu_role.base.guest_mode); + + root_role = cpu_role.base; + root_role.level = kvm_mmu_get_tdp_level(vcpu); +--- a/arch/x86/kvm/svm/nested.c ++++ b/arch/x86/kvm/svm/nested.c +@@ -619,6 +619,11 @@ static void nested_vmcb02_prepare_contro + u32 pause_count12; + u32 pause_thresh12; + ++ nested_svm_transition_tlb_flush(vcpu); ++ ++ /* Enter Guest-Mode */ ++ enter_guest_mode(vcpu); ++ + /* + * Filled at exit: exit_code, exit_code_hi, exit_info_1, exit_info_2, + * exit_int_info, exit_int_info_err, next_rip, insn_len, insn_bytes. +@@ -717,11 +722,6 @@ static void nested_vmcb02_prepare_contro + } + } + +- nested_svm_transition_tlb_flush(vcpu); +- +- /* Enter Guest-Mode */ +- enter_guest_mode(vcpu); +- + /* + * Merge guest and host intercepts - must be called with vcpu in + * guest-mode to take effect. diff --git a/queue-6.1/kvm-x86-reject-hyper-v-s-send_ipi-hypercalls-if-local-apic-isn-t-in-kernel.patch b/queue-6.1/kvm-x86-reject-hyper-v-s-send_ipi-hypercalls-if-local-apic-isn-t-in-kernel.patch new file mode 100644 index 0000000000..dc725e449e --- /dev/null +++ b/queue-6.1/kvm-x86-reject-hyper-v-s-send_ipi-hypercalls-if-local-apic-isn-t-in-kernel.patch @@ -0,0 +1,73 @@ +From a8de7f100bb5989d9c3627d3a223ee1c863f3b69 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 17 Jan 2025 16:34:51 -0800 +Subject: KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel + +From: Sean Christopherson + +commit a8de7f100bb5989d9c3627d3a223ee1c863f3b69 upstream. + +Advertise support for Hyper-V's SEND_IPI and SEND_IPI_EX hypercalls if and +only if the local API is emulated/virtualized by KVM, and explicitly reject +said hypercalls if the local APIC is emulated in userspace, i.e. don't rely +on userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID. + +Rejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if +Hyper-V enlightenments are exposed to the guest without an in-kernel local +APIC: + + dump_stack+0xbe/0xfd + __kasan_report.cold+0x34/0x84 + kasan_report+0x3a/0x50 + __apic_accept_irq+0x3a/0x5c0 + kvm_hv_send_ipi.isra.0+0x34e/0x820 + kvm_hv_hypercall+0x8d9/0x9d0 + kvm_emulate_hypercall+0x506/0x7e0 + __vmx_handle_exit+0x283/0xb60 + vmx_handle_exit+0x1d/0xd0 + vcpu_enter_guest+0x16b0/0x24c0 + vcpu_run+0xc0/0x550 + kvm_arch_vcpu_ioctl_run+0x170/0x6d0 + kvm_vcpu_ioctl+0x413/0xb20 + __se_sys_ioctl+0x111/0x160 + do_syscal1_64+0x30/0x40 + entry_SYSCALL_64_after_hwframe+0x67/0xd1 + +Note, checking the sending vCPU is sufficient, as the per-VM irqchip_mode +can't be modified after vCPUs are created, i.e. if one vCPU has an +in-kernel local APIC, then all vCPUs have an in-kernel local APIC. + +Reported-by: Dongjie Zou +Fixes: 214ff83d4473 ("KVM: x86: hyperv: implement PV IPI send hypercalls") +Fixes: 2bc39970e932 ("x86/kvm/hyper-v: Introduce KVM_GET_SUPPORTED_HV_CPUID") +Cc: stable@vger.kernel.org +Reviewed-by: Vitaly Kuznetsov +Link: https://lore.kernel.org/r/20250118003454.2619573-2-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/hyperv.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -1915,6 +1915,9 @@ static u64 kvm_hv_send_ipi(struct kvm_vc + u32 vector; + bool all_cpus; + ++ if (!lapic_in_kernel(vcpu)) ++ return HV_STATUS_INVALID_HYPERCALL_INPUT; ++ + if (hc->code == HVCALL_SEND_IPI) { + if (!hc->fast) { + if (unlikely(kvm_read_guest(kvm, hc->ingpa, &send_ipi, +@@ -2518,7 +2521,8 @@ int kvm_get_hv_cpuid(struct kvm_vcpu *vc + ent->eax |= HV_X64_REMOTE_TLB_FLUSH_RECOMMENDED; + ent->eax |= HV_X64_APIC_ACCESS_RECOMMENDED; + ent->eax |= HV_X64_RELAXED_TIMING_RECOMMENDED; +- ent->eax |= HV_X64_CLUSTER_IPI_RECOMMENDED; ++ if (!vcpu || lapic_in_kernel(vcpu)) ++ ent->eax |= HV_X64_CLUSTER_IPI_RECOMMENDED; + ent->eax |= HV_X64_EX_PROCESSOR_MASKS_RECOMMENDED; + if (evmcs_ver) + ent->eax |= HV_X64_ENLIGHTENED_VMCS_RECOMMENDED; diff --git a/queue-6.1/partitions-mac-fix-handling-of-bogus-partition-table.patch b/queue-6.1/partitions-mac-fix-handling-of-bogus-partition-table.patch new file mode 100644 index 0000000000..65eae42616 --- /dev/null +++ b/queue-6.1/partitions-mac-fix-handling-of-bogus-partition-table.patch @@ -0,0 +1,69 @@ +From 80e648042e512d5a767da251d44132553fe04ae0 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Fri, 14 Feb 2025 02:39:50 +0100 +Subject: partitions: mac: fix handling of bogus partition table + +From: Jann Horn + +commit 80e648042e512d5a767da251d44132553fe04ae0 upstream. + +Fix several issues in partition probing: + + - The bailout for a bad partoffset must use put_dev_sector(), since the + preceding read_part_sector() succeeded. + - If the partition table claims a silly sector size like 0xfff bytes + (which results in partition table entries straddling sector boundaries), + bail out instead of accessing out-of-bounds memory. + - We must not assume that the partition table contains proper NUL + termination - use strnlen() and strncmp() instead of strlen() and + strcmp(). + +Cc: stable@vger.kernel.org +Signed-off-by: Jann Horn +Link: https://lore.kernel.org/r/20250214-partition-mac-v1-1-c1c626dffbd5@google.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/partitions/mac.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/block/partitions/mac.c ++++ b/block/partitions/mac.c +@@ -51,13 +51,25 @@ int mac_partition(struct parsed_partitio + } + secsize = be16_to_cpu(md->block_size); + put_dev_sector(sect); ++ ++ /* ++ * If the "block size" is not a power of 2, things get weird - we might ++ * end up with a partition straddling a sector boundary, so we wouldn't ++ * be able to read a partition entry with read_part_sector(). ++ * Real block sizes are probably (?) powers of two, so just require ++ * that. ++ */ ++ if (!is_power_of_2(secsize)) ++ return -1; + datasize = round_down(secsize, 512); + data = read_part_sector(state, datasize / 512, §); + if (!data) + return -1; + partoffset = secsize % 512; +- if (partoffset + sizeof(*part) > datasize) ++ if (partoffset + sizeof(*part) > datasize) { ++ put_dev_sector(sect); + return -1; ++ } + part = (struct mac_partition *) (data + partoffset); + if (be16_to_cpu(part->signature) != MAC_PARTITION_MAGIC) { + put_dev_sector(sect); +@@ -110,8 +122,8 @@ int mac_partition(struct parsed_partitio + int i, l; + + goodness++; +- l = strlen(part->name); +- if (strcmp(part->name, "/") == 0) ++ l = strnlen(part->name, sizeof(part->name)); ++ if (strncmp(part->name, "/", sizeof(part->name)) == 0) + goodness++; + for (i = 0; i <= l - 4; ++i) { + if (strncasecmp(part->name + i, "root", diff --git a/queue-6.1/perf-x86-intel-ensure-lbrs-are-disabled-when-a-cpu-is-starting.patch b/queue-6.1/perf-x86-intel-ensure-lbrs-are-disabled-when-a-cpu-is-starting.patch new file mode 100644 index 0000000000..8b8f10b7be --- /dev/null +++ b/queue-6.1/perf-x86-intel-ensure-lbrs-are-disabled-when-a-cpu-is-starting.patch @@ -0,0 +1,56 @@ +From c631a2de7ae48d50434bdc205d901423f8577c65 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 30 Jan 2025 17:07:21 -0800 +Subject: perf/x86/intel: Ensure LBRs are disabled when a CPU is starting + +From: Sean Christopherson + +commit c631a2de7ae48d50434bdc205d901423f8577c65 upstream. + +Explicitly clear DEBUGCTL.LBR when a CPU is starting, prior to purging the +LBR MSRs themselves, as at least one system has been found to transfer +control to the kernel with LBRs enabled (it's unclear whether it's a BIOS +flaw or a CPU goof). Because the kernel preserves the original DEBUGCTL, +even when toggling LBRs, leaving DEBUGCTL.LBR as is results in running +with LBRs enabled at all times. + +Closes: https://lore.kernel.org/all/c9d8269bff69f6359731d758e3b1135dedd7cc61.camel@redhat.com +Reported-by: Maxim Levitsky +Signed-off-by: Sean Christopherson +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Maxim Levitsky +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20250131010721.470503-1-seanjc@google.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/core.c | 5 ++++- + arch/x86/include/asm/msr-index.h | 3 ++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -4582,8 +4582,11 @@ static void intel_pmu_cpu_starting(int c + + init_debug_store_on_cpu(cpu); + /* +- * Deal with CPUs that don't clear their LBRs on power-up. ++ * Deal with CPUs that don't clear their LBRs on power-up, and that may ++ * even boot with LBRs enabled. + */ ++ if (!static_cpu_has(X86_FEATURE_ARCH_LBR) && x86_pmu.lbr_nr) ++ msr_clear_bit(MSR_IA32_DEBUGCTLMSR, DEBUGCTLMSR_LBR_BIT); + intel_pmu_lbr_reset(); + + cpuc->lbr_sel = NULL; +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -357,7 +357,8 @@ + #define MSR_IA32_PASID_VALID BIT_ULL(31) + + /* DEBUGCTLMSR bits (others vary by model): */ +-#define DEBUGCTLMSR_LBR (1UL << 0) /* last branch recording */ ++#define DEBUGCTLMSR_LBR_BIT 0 /* last branch recording */ ++#define DEBUGCTLMSR_LBR (1UL << DEBUGCTLMSR_LBR_BIT) + #define DEBUGCTLMSR_BTF_SHIFT 1 + #define DEBUGCTLMSR_BTF (1UL << 1) /* single-step on branches */ + #define DEBUGCTLMSR_BUS_LOCK_DETECT (1UL << 2) diff --git a/queue-6.1/serial-8250-fix-fifo-underflow-on-flush.patch b/queue-6.1/serial-8250-fix-fifo-underflow-on-flush.patch new file mode 100644 index 0000000000..31dafc32d5 --- /dev/null +++ b/queue-6.1/serial-8250-fix-fifo-underflow-on-flush.patch @@ -0,0 +1,114 @@ +From 9e512eaaf8f4008c44ede3dfc0fbc9d9c5118583 Mon Sep 17 00:00:00 2001 +From: John Keeping +Date: Sat, 8 Feb 2025 12:41:44 +0000 +Subject: serial: 8250: Fix fifo underflow on flush + +From: John Keeping + +commit 9e512eaaf8f4008c44ede3dfc0fbc9d9c5118583 upstream. + +When flushing the serial port's buffer, uart_flush_buffer() calls +kfifo_reset() but if there is an outstanding DMA transfer then the +completion function will consume data from the kfifo via +uart_xmit_advance(), underflowing and leading to ongoing DMA as the +driver tries to transmit another 2^32 bytes. + +This is readily reproduced with serial-generic and amidi sending even +short messages as closing the device on exit will wait for the fifo to +drain and in the underflow case amidi hangs for 30 seconds on exit in +tty_wait_until_sent(). A trace of that gives: + + kworker/1:1-84 [001] 51.769423: bprint: serial8250_tx_dma: tx_size=3 fifo_len=3 + amidi-763 [001] 51.769460: bprint: uart_flush_buffer: resetting fifo + irq/21-fe530000-76 [000] 51.769474: bprint: __dma_tx_complete: tx_size=3 + irq/21-fe530000-76 [000] 51.769479: bprint: serial8250_tx_dma: tx_size=4096 fifo_len=4294967293 + irq/21-fe530000-76 [000] 51.781295: bprint: __dma_tx_complete: tx_size=4096 + irq/21-fe530000-76 [000] 51.781301: bprint: serial8250_tx_dma: tx_size=4096 fifo_len=4294963197 + irq/21-fe530000-76 [000] 51.793131: bprint: __dma_tx_complete: tx_size=4096 + irq/21-fe530000-76 [000] 51.793135: bprint: serial8250_tx_dma: tx_size=4096 fifo_len=4294959101 + irq/21-fe530000-76 [000] 51.804949: bprint: __dma_tx_complete: tx_size=4096 + +Since the port lock is held in when the kfifo is reset in +uart_flush_buffer() and in __dma_tx_complete(), adding a flush_buffer +hook to adjust the outstanding DMA byte count is sufficient to avoid the +kfifo underflow. + +Fixes: 9ee4b83e51f74 ("serial: 8250: Add support for dmaengine") +Cc: stable +Signed-off-by: John Keeping +Link: https://lore.kernel.org/r/20250208124148.1189191-1-jkeeping@inmusicbrands.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250.h | 2 ++ + drivers/tty/serial/8250/8250_dma.c | 16 ++++++++++++++++ + drivers/tty/serial/8250/8250_port.c | 9 +++++++++ + 3 files changed, 27 insertions(+) + +--- a/drivers/tty/serial/8250/8250.h ++++ b/drivers/tty/serial/8250/8250.h +@@ -344,6 +344,7 @@ static inline int is_omap1510_8250(struc + + #ifdef CONFIG_SERIAL_8250_DMA + extern int serial8250_tx_dma(struct uart_8250_port *); ++extern void serial8250_tx_dma_flush(struct uart_8250_port *); + extern int serial8250_rx_dma(struct uart_8250_port *); + extern void serial8250_rx_dma_flush(struct uart_8250_port *); + extern int serial8250_request_dma(struct uart_8250_port *); +@@ -376,6 +377,7 @@ static inline int serial8250_tx_dma(stru + { + return -1; + } ++static inline void serial8250_tx_dma_flush(struct uart_8250_port *p) { } + static inline int serial8250_rx_dma(struct uart_8250_port *p) + { + return -1; +--- a/drivers/tty/serial/8250/8250_dma.c ++++ b/drivers/tty/serial/8250/8250_dma.c +@@ -133,6 +133,22 @@ err: + return ret; + } + ++void serial8250_tx_dma_flush(struct uart_8250_port *p) ++{ ++ struct uart_8250_dma *dma = p->dma; ++ ++ if (!dma->tx_running) ++ return; ++ ++ /* ++ * kfifo_reset() has been called by the serial core, avoid ++ * advancing and underflowing in __dma_tx_complete(). ++ */ ++ dma->tx_size = 0; ++ ++ dmaengine_terminate_async(dma->rxchan); ++} ++ + int serial8250_rx_dma(struct uart_8250_port *p) + { + struct uart_8250_dma *dma = p->dma; +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2550,6 +2550,14 @@ static unsigned int npcm_get_divisor(str + return DIV_ROUND_CLOSEST(port->uartclk, 16 * baud + 2) - 2; + } + ++static void serial8250_flush_buffer(struct uart_port *port) ++{ ++ struct uart_8250_port *up = up_to_u8250p(port); ++ ++ if (up->dma) ++ serial8250_tx_dma_flush(up); ++} ++ + static unsigned int serial8250_do_get_divisor(struct uart_port *port, + unsigned int baud, + unsigned int *frac) +@@ -3260,6 +3268,7 @@ static const struct uart_ops serial8250_ + .break_ctl = serial8250_break_ctl, + .startup = serial8250_startup, + .shutdown = serial8250_shutdown, ++ .flush_buffer = serial8250_flush_buffer, + .set_termios = serial8250_set_termios, + .set_ldisc = serial8250_set_ldisc, + .pm = serial8250_pm, diff --git a/queue-6.1/series b/queue-6.1/series index 910ab4177d..0c9d78878a 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -493,3 +493,38 @@ selftests-gpio-gpio-sim-fix-missing-chip-disablement.patch x86-mm-tlb-only-trim-the-mm_cpumask-once-a-second.patch orangefs-fix-a-oob-in-orangefs_debug_write.patch asoc-intel-bytcr_rt5640-add-dmi-quirk-for-vexia-edu-.patch +batman-adv-fix-panic-during-interface-removal.patch +batman-adv-ignore-neighbor-throughput-metrics-in-error-case.patch +batman-adv-drop-unmanaged-elp-metric-worker.patch +drm-amdgpu-avoid-buffer-overflow-attach-in-smu_sys_set_pp_table.patch +kvm-x86-reject-hyper-v-s-send_ipi-hypercalls-if-local-apic-isn-t-in-kernel.patch +kvm-nsvm-enter-guest-mode-before-initializing-nested-npt-mmu.patch +perf-x86-intel-ensure-lbrs-are-disabled-when-a-cpu-is-starting.patch +usb-dwc3-fix-timeout-issue-during-controller-enter-exit-from-halt-state.patch +usb-roles-set-switch-registered-flag-early-on.patch +usb-gadget-udc-renesas_usb3-fix-compiler-warning.patch +usb-dwc2-gadget-remove-of_node-reference-upon-udc_stop.patch +usb-pci-quirks-fix-hccparams-register-error-for-ls7a-ehci.patch +usb-core-fix-pipe-creation-for-get_bmaxpacketsize0.patch +usb-quirks-add-usb_quirk_no_lpm-quirk-for-teclast-dist.patch +usb-add-usb_quirk_no_lpm-quirk-for-sony-xperia-xz1-smartphone.patch +usb-gadget-f_midi-fix-midi-streaming-descriptor-lengths.patch +usb-hub-ignore-non-compliant-devices-with-too-many-configs-or-interfaces.patch +usb-cdc-acm-fill-in-renesas-r-car-d3-usb-download-mode-quirk.patch +usb-cdc-acm-check-control-transfer-buffer-size-before-access.patch +usb-cdc-acm-fix-handling-of-oversized-fragments.patch +usb-serial-option-add-meig-smart-slm828.patch +usb-serial-option-add-telit-cinterion-fn990b-compositions.patch +usb-serial-option-fix-telit-cinterion-fn990a-name.patch +usb-serial-option-drop-meig-smart-defines.patch +can-ctucanfd-handle-skb-allocation-failure.patch +can-c_can-fix-unbalanced-runtime-pm-disable-in-error-path.patch +can-j1939-j1939_sk_send_loop-fix-unable-to-send-messages-with-data-length-zero.patch +alpha-make-stack-16-byte-aligned-most-cases.patch +efi-avoid-cold-plugged-memory-for-placing-the-kernel.patch +cgroup-fix-race-between-fork-and-cgroup.kill.patch +serial-8250-fix-fifo-underflow-on-flush.patch +alpha-align-stack-for-page-fault-and-user-unaligned-trap-handlers.patch +gpiolib-acpi-add-a-quirk-for-acer-nitro-anv14.patch +gpio-stmpe-check-return-value-of-stmpe_reg_read-in-stmpe_gpio_irq_sync_unlock.patch +partitions-mac-fix-handling-of-bogus-partition-table.patch diff --git a/queue-6.1/usb-add-usb_quirk_no_lpm-quirk-for-sony-xperia-xz1-smartphone.patch b/queue-6.1/usb-add-usb_quirk_no_lpm-quirk-for-sony-xperia-xz1-smartphone.patch new file mode 100644 index 0000000000..8ac42e28b6 --- /dev/null +++ b/queue-6.1/usb-add-usb_quirk_no_lpm-quirk-for-sony-xperia-xz1-smartphone.patch @@ -0,0 +1,55 @@ +From 159daf1258227f44b26b5d38f4aa8f37b8cca663 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Thu, 6 Feb 2025 17:18:36 +0200 +Subject: USB: Add USB_QUIRK_NO_LPM quirk for sony xperia xz1 smartphone + +From: Mathias Nyman + +commit 159daf1258227f44b26b5d38f4aa8f37b8cca663 upstream. + +The fastboot tool for communicating with Android bootloaders does not +work reliably with this device if USB 2 Link Power Management (LPM) +is enabled. + +Various fastboot commands are affected, including the +following, which usually reproduces the problem within two tries: + + fastboot getvar kernel + getvar:kernel FAILED (remote: 'GetVar Variable Not found') + +This issue was hidden on many systems up until commit 63a1f8454962 +("xhci: stored cached port capability values in one place") as the xhci +driver failed to detect USB 2 LPM support if USB 3 ports were listed +before USB 2 ports in the "supported protocol capabilities". + +Adding the quirk resolves the issue. No drawbacks are expected since +the device uses different USB product IDs outside of fastboot mode, and +since fastboot commands worked before, until LPM was enabled on the +tested system by the aforementioned commit. + +Based on a patch from Forest from which most of the +code and commit message is taken. + +Cc: stable +Reported-by: Forest +Closes: https://lore.kernel.org/hk8umj9lv4l4qguftdq1luqtdrpa1gks5l@sonic.net +Tested-by: Forest +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250206151836.51742-1-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -432,6 +432,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x0c45, 0x7056), .driver_info = + USB_QUIRK_IGNORE_REMOTE_WAKEUP }, + ++ /* Sony Xperia XZ1 Compact (lilac) smartphone in fastboot mode */ ++ { USB_DEVICE(0x0fce, 0x0dde), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* Action Semiconductor flash disk */ + { USB_DEVICE(0x10d6, 0x2200), .driver_info = + USB_QUIRK_STRING_FETCH_255 }, diff --git a/queue-6.1/usb-cdc-acm-check-control-transfer-buffer-size-before-access.patch b/queue-6.1/usb-cdc-acm-check-control-transfer-buffer-size-before-access.patch new file mode 100644 index 0000000000..7090272507 --- /dev/null +++ b/queue-6.1/usb-cdc-acm-check-control-transfer-buffer-size-before-access.patch @@ -0,0 +1,66 @@ +From e563b01208f4d1f609bcab13333b6c0e24ce6a01 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 12 Feb 2025 19:15:15 +0100 +Subject: usb: cdc-acm: Check control transfer buffer size before access + +From: Jann Horn + +commit e563b01208f4d1f609bcab13333b6c0e24ce6a01 upstream. + +If the first fragment is shorter than struct usb_cdc_notification, we can't +calculate an expected_size. Log an error and discard the notification +instead of reading lengths from memory outside the received data, which can +lead to memory corruption when the expected_size decreases between +fragments, causing `expected_size - acm->nb_index` to wrap. + +This issue has been present since the beginning of git history; however, +it only leads to memory corruption since commit ea2583529cd1 +("cdc-acm: reassemble fragmented notifications"). + +A mitigating factor is that acm_ctrl_irq() can only execute after userspace +has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will +do that automatically depending on the USB device's vendor/product IDs and +its other interfaces. + +Cc: stable +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jann Horn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-acm.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -360,7 +360,7 @@ static void acm_process_notification(str + static void acm_ctrl_irq(struct urb *urb) + { + struct acm *acm = urb->context; +- struct usb_cdc_notification *dr = urb->transfer_buffer; ++ struct usb_cdc_notification *dr; + unsigned int current_size = urb->actual_length; + unsigned int expected_size, copy_size, alloc_size; + int retval; +@@ -387,9 +387,20 @@ static void acm_ctrl_irq(struct urb *urb + + usb_mark_last_busy(acm->dev); + +- if (acm->nb_index) ++ if (acm->nb_index == 0) { ++ /* ++ * The first chunk of a message must contain at least the ++ * notification header with the length field, otherwise we ++ * can't get an expected_size. ++ */ ++ if (current_size < sizeof(struct usb_cdc_notification)) { ++ dev_dbg(&acm->control->dev, "urb too short\n"); ++ goto exit; ++ } ++ dr = urb->transfer_buffer; ++ } else { + dr = (struct usb_cdc_notification *)acm->notification_buffer; +- ++ } + /* size = notification-header + (optional) data */ + expected_size = sizeof(struct usb_cdc_notification) + + le16_to_cpu(dr->wLength); diff --git a/queue-6.1/usb-cdc-acm-fill-in-renesas-r-car-d3-usb-download-mode-quirk.patch b/queue-6.1/usb-cdc-acm-fill-in-renesas-r-car-d3-usb-download-mode-quirk.patch new file mode 100644 index 0000000000..b94b518ab9 --- /dev/null +++ b/queue-6.1/usb-cdc-acm-fill-in-renesas-r-car-d3-usb-download-mode-quirk.patch @@ -0,0 +1,46 @@ +From 7284922f3e4fa285dff1b8bb593aa9a0b8458f30 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Sun, 9 Feb 2025 15:56:11 +0100 +Subject: USB: cdc-acm: Fill in Renesas R-Car D3 USB Download mode quirk + +From: Marek Vasut + +commit 7284922f3e4fa285dff1b8bb593aa9a0b8458f30 upstream. + +Add Renesas R-Car D3 USB Download mode quirk and update comments +on all the other Renesas R-Car USB Download mode quirks to discern +them from each other. This follows R-Car Series, 3rd Generation +reference manual Rev.2.00 chapter 19.2.8 USB download mode . + +Fixes: 6d853c9e4104 ("usb: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode") +Cc: stable +Signed-off-by: Marek Vasut +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20250209145708.106914-1-marek.vasut+renesas@mailbox.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-acm.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1703,13 +1703,16 @@ static const struct usb_device_id acm_id + { USB_DEVICE(0x0870, 0x0001), /* Metricom GS Modem */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, +- { USB_DEVICE(0x045b, 0x023c), /* Renesas USB Download mode */ ++ { USB_DEVICE(0x045b, 0x023c), /* Renesas R-Car H3 USB Download mode */ + .driver_info = DISABLE_ECHO, /* Don't echo banner */ + }, +- { USB_DEVICE(0x045b, 0x0248), /* Renesas USB Download mode */ ++ { USB_DEVICE(0x045b, 0x0247), /* Renesas R-Car D3 USB Download mode */ + .driver_info = DISABLE_ECHO, /* Don't echo banner */ + }, +- { USB_DEVICE(0x045b, 0x024D), /* Renesas USB Download mode */ ++ { USB_DEVICE(0x045b, 0x0248), /* Renesas R-Car M3-N USB Download mode */ ++ .driver_info = DISABLE_ECHO, /* Don't echo banner */ ++ }, ++ { USB_DEVICE(0x045b, 0x024D), /* Renesas R-Car E3 USB Download mode */ + .driver_info = DISABLE_ECHO, /* Don't echo banner */ + }, + { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */ diff --git a/queue-6.1/usb-cdc-acm-fix-handling-of-oversized-fragments.patch b/queue-6.1/usb-cdc-acm-fix-handling-of-oversized-fragments.patch new file mode 100644 index 0000000000..5818088de6 --- /dev/null +++ b/queue-6.1/usb-cdc-acm-fix-handling-of-oversized-fragments.patch @@ -0,0 +1,42 @@ +From 12e712964f41d05ae034989892de445781c46730 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 12 Feb 2025 19:15:16 +0100 +Subject: usb: cdc-acm: Fix handling of oversized fragments + +From: Jann Horn + +commit 12e712964f41d05ae034989892de445781c46730 upstream. + +If we receive an initial fragment of size 8 bytes which specifies a wLength +of 1 byte (so the reassembled message is supposed to be 9 bytes long), and +we then receive a second fragment of size 9 bytes (which is not supposed to +happen), we currently wrongly bypass the fragment reassembly code but still +pass the pointer to the acm->notification_buffer to +acm_process_notification(). + +Make this less wrong by always going through fragment reassembly when we +expect more fragments. + +Before this patch, receiving an overlong fragment could lead to `newctrl` +in acm_process_notification() being uninitialized data (instead of data +coming from the device). + +Cc: stable +Fixes: ea2583529cd1 ("cdc-acm: reassemble fragmented notifications") +Signed-off-by: Jann Horn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-acm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -405,7 +405,7 @@ static void acm_ctrl_irq(struct urb *urb + expected_size = sizeof(struct usb_cdc_notification) + + le16_to_cpu(dr->wLength); + +- if (current_size < expected_size) { ++ if (acm->nb_index != 0 || current_size < expected_size) { + /* notification is transmitted fragmented, reassemble */ + if (acm->nb_size < expected_size) { + u8 *new_buffer; diff --git a/queue-6.1/usb-core-fix-pipe-creation-for-get_bmaxpacketsize0.patch b/queue-6.1/usb-core-fix-pipe-creation-for-get_bmaxpacketsize0.patch new file mode 100644 index 0000000000..195cbba4c4 --- /dev/null +++ b/queue-6.1/usb-core-fix-pipe-creation-for-get_bmaxpacketsize0.patch @@ -0,0 +1,64 @@ +From 4aac0db5a0ebc599d4ad9bf5ebab78afa1f33e10 Mon Sep 17 00:00:00 2001 +From: Stefan Eichenberger +Date: Mon, 3 Feb 2025 11:58:24 +0100 +Subject: usb: core: fix pipe creation for get_bMaxPacketSize0 + +From: Stefan Eichenberger + +commit 4aac0db5a0ebc599d4ad9bf5ebab78afa1f33e10 upstream. + +When usb_control_msg is used in the get_bMaxPacketSize0 function, the +USB pipe does not include the endpoint device number. This can cause +failures when a usb hub port is reinitialized after encountering a bad +cable connection. As a result, the system logs the following error +messages: +usb usb2-port1: cannot reset (err = -32) +usb usb2-port1: Cannot enable. Maybe the USB cable is bad? +usb usb2-port1: attempt power cycle +usb 2-1: new high-speed USB device number 5 using ci_hdrc +usb 2-1: device descriptor read/8, error -71 + +The problem began after commit 85d07c556216 ("USB: core: Unite old +scheme and new scheme descriptor reads"). There +usb_get_device_descriptor was replaced with get_bMaxPacketSize0. Unlike +usb_get_device_descriptor, the get_bMaxPacketSize0 function uses the +macro usb_rcvaddr0pipe, which does not include the endpoint device +number. usb_get_device_descriptor, on the other hand, used the macro +usb_rcvctrlpipe, which includes the endpoint device number. + +By modifying the get_bMaxPacketSize0 function to use usb_rcvctrlpipe +instead of usb_rcvaddr0pipe, the issue can be resolved. This change will +ensure that the endpoint device number is included in the USB pipe, +preventing reinitialization failures. If the endpoint has not set the +device number yet, it will still work because the device number is 0 in +udev. + +Cc: stable +Fixes: 85d07c556216 ("USB: core: Unite old scheme and new scheme descriptor reads") +Signed-off-by: Stefan Eichenberger +Reviewed-by: Alan Stern +Link: https://lore.kernel.org/r/20250203105840.17539-1-eichest@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hub.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -4651,7 +4651,6 @@ void usb_ep0_reinit(struct usb_device *u + EXPORT_SYMBOL_GPL(usb_ep0_reinit); + + #define usb_sndaddr0pipe() (PIPE_CONTROL << 30) +-#define usb_rcvaddr0pipe() ((PIPE_CONTROL << 30) | USB_DIR_IN) + + static int hub_set_address(struct usb_device *udev, int devnum) + { +@@ -4757,7 +4756,7 @@ static int get_bMaxPacketSize0(struct us + for (i = 0; i < GET_MAXPACKET0_TRIES; ++i) { + /* Start with invalid values in case the transfer fails */ + buf->bDescriptorType = buf->bMaxPacketSize0 = 0; +- rc = usb_control_msg(udev, usb_rcvaddr0pipe(), ++ rc = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), + USB_REQ_GET_DESCRIPTOR, USB_DIR_IN, + USB_DT_DEVICE << 8, 0, + buf, size, diff --git a/queue-6.1/usb-dwc2-gadget-remove-of_node-reference-upon-udc_stop.patch b/queue-6.1/usb-dwc2-gadget-remove-of_node-reference-upon-udc_stop.patch new file mode 100644 index 0000000000..bf5a881c2b --- /dev/null +++ b/queue-6.1/usb-dwc2-gadget-remove-of_node-reference-upon-udc_stop.patch @@ -0,0 +1,51 @@ +From 58cd423820d5b5610977e55e4acdd06628829ede Mon Sep 17 00:00:00 2001 +From: Fabrice Gasnier +Date: Fri, 24 Jan 2025 18:33:25 +0100 +Subject: usb: dwc2: gadget: remove of_node reference upon udc_stop + +From: Fabrice Gasnier + +commit 58cd423820d5b5610977e55e4acdd06628829ede upstream. + +In dwc2_hsotg_udc_start(), e.g. when binding composite driver, "of_node" +is set to hsotg->dev->of_node. + +It causes errors when binding the gadget driver several times, on +stm32mp157c-ev1 board. Below error is seen: +"pin PA10 already requested by 49000000.usb-otg; cannot claim for gadget.0" + +The first time, no issue is seen as when registering the driver, of_node +isn't NULL: +-> gadget_dev_desc_UDC_store + -> usb_gadget_register_driver_owner + -> driver_register + ... + -> really_probe -> pinctrl_bind_pins (no effect) + +Then dwc2_hsotg_udc_start() sets of_node. + +The second time (stop the gadget, reconfigure it, then start it again), +of_node has been set, so the probing code tries to acquire pins for the +gadget. These pins are hold by the controller, hence the error. + +So clear gadget.dev.of_node in udc_stop() routine to avoid the issue. + +Fixes: 7d7b22928b90 ("usb: gadget: s3c-hsotg: Propagate devicetree to gadget drivers") +Cc: stable +Signed-off-by: Fabrice Gasnier +Link: https://lore.kernel.org/r/20250124173325.2747710-1-fabrice.gasnier@foss.st.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/gadget.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/dwc2/gadget.c ++++ b/drivers/usb/dwc2/gadget.c +@@ -4613,6 +4613,7 @@ static int dwc2_hsotg_udc_stop(struct us + spin_lock_irqsave(&hsotg->lock, flags); + + hsotg->driver = NULL; ++ hsotg->gadget.dev.of_node = NULL; + hsotg->gadget.speed = USB_SPEED_UNKNOWN; + hsotg->enabled = 0; + diff --git a/queue-6.1/usb-dwc3-fix-timeout-issue-during-controller-enter-exit-from-halt-state.patch b/queue-6.1/usb-dwc3-fix-timeout-issue-during-controller-enter-exit-from-halt-state.patch new file mode 100644 index 0000000000..0cf98d5a1c --- /dev/null +++ b/queue-6.1/usb-dwc3-fix-timeout-issue-during-controller-enter-exit-from-halt-state.patch @@ -0,0 +1,91 @@ +From d3a8c28426fc1fb3252753a9f1db0d691ffc21b0 Mon Sep 17 00:00:00 2001 +From: Selvarasu Ganesan +Date: Sat, 1 Feb 2025 22:09:02 +0530 +Subject: usb: dwc3: Fix timeout issue during controller enter/exit from halt state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Selvarasu Ganesan + +commit d3a8c28426fc1fb3252753a9f1db0d691ffc21b0 upstream. + +There is a frequent timeout during controller enter/exit from halt state +after toggling the run_stop bit by SW. This timeout occurs when +performing frequent role switches between host and device, causing +device enumeration issues due to the timeout. This issue was not present +when USB2 suspend PHY was disabled by passing the SNPS quirks +(snps,dis_u2_susphy_quirk and snps,dis_enblslpm_quirk) from the DTS. +However, there is a requirement to enable USB2 suspend PHY by setting of +GUSB2PHYCFG.ENBLSLPM and GUSB2PHYCFG.SUSPHY bits when controller starts +in gadget or host mode results in the timeout issue. + +This commit addresses this timeout issue by ensuring that the bits +GUSB2PHYCFG.ENBLSLPM and GUSB2PHYCFG.SUSPHY are cleared before starting +the dwc3_gadget_run_stop sequence and restoring them after the +dwc3_gadget_run_stop sequence is completed. + +Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") +Cc: stable +Signed-off-by: Selvarasu Ganesan +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20250201163903.459-1-selvarasu.g@samsung.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2485,10 +2485,38 @@ static int dwc3_gadget_run_stop(struct d + { + u32 reg; + u32 timeout = 2000; ++ u32 saved_config = 0; + + if (pm_runtime_suspended(dwc->dev)) + return 0; + ++ /* ++ * When operating in USB 2.0 speeds (HS/FS), ensure that ++ * GUSB2PHYCFG.ENBLSLPM and GUSB2PHYCFG.SUSPHY are cleared before starting ++ * or stopping the controller. This resolves timeout issues that occur ++ * during frequent role switches between host and device modes. ++ * ++ * Save and clear these settings, then restore them after completing the ++ * controller start or stop sequence. ++ * ++ * This solution was discovered through experimentation as it is not ++ * mentioned in the dwc3 programming guide. It has been tested on an ++ * Exynos platforms. ++ */ ++ reg = dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)); ++ if (reg & DWC3_GUSB2PHYCFG_SUSPHY) { ++ saved_config |= DWC3_GUSB2PHYCFG_SUSPHY; ++ reg &= ~DWC3_GUSB2PHYCFG_SUSPHY; ++ } ++ ++ if (reg & DWC3_GUSB2PHYCFG_ENBLSLPM) { ++ saved_config |= DWC3_GUSB2PHYCFG_ENBLSLPM; ++ reg &= ~DWC3_GUSB2PHYCFG_ENBLSLPM; ++ } ++ ++ if (saved_config) ++ dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg); ++ + reg = dwc3_readl(dwc->regs, DWC3_DCTL); + if (is_on) { + if (DWC3_VER_IS_WITHIN(DWC3, ANY, 187A)) { +@@ -2516,6 +2544,12 @@ static int dwc3_gadget_run_stop(struct d + reg &= DWC3_DSTS_DEVCTRLHLT; + } while (--timeout && !(!is_on ^ !reg)); + ++ if (saved_config) { ++ reg = dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)); ++ reg |= saved_config; ++ dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg); ++ } ++ + if (!timeout) + return -ETIMEDOUT; + diff --git a/queue-6.1/usb-gadget-f_midi-fix-midi-streaming-descriptor-lengths.patch b/queue-6.1/usb-gadget-f_midi-fix-midi-streaming-descriptor-lengths.patch new file mode 100644 index 0000000000..226a6a7c8a --- /dev/null +++ b/queue-6.1/usb-gadget-f_midi-fix-midi-streaming-descriptor-lengths.patch @@ -0,0 +1,52 @@ +From da1668997052ed1cb00322e1f3b63702615c9429 Mon Sep 17 00:00:00 2001 +From: John Keeping +Date: Thu, 30 Jan 2025 19:50:34 +0000 +Subject: usb: gadget: f_midi: fix MIDI Streaming descriptor lengths + +From: John Keeping + +commit da1668997052ed1cb00322e1f3b63702615c9429 upstream. + +While the MIDI jacks are configured correctly, and the MIDIStreaming +endpoint descriptors are filled with the correct information, +bNumEmbMIDIJack and bLength are set incorrectly in these descriptors. + +This does not matter when the numbers of in and out ports are equal, but +when they differ the host will receive broken descriptors with +uninitialized stack memory leaking into the descriptor for whichever +value is smaller. + +The precise meaning of "in" and "out" in the port counts is not clearly +defined and can be confusing. But elsewhere the driver consistently +uses this to match the USB meaning of IN and OUT viewed from the host, +so that "in" ports send data to the host and "out" ports receive data +from it. + +Cc: stable +Fixes: c8933c3f79568 ("USB: gadget: f_midi: allow a dynamic number of input and output ports") +Signed-off-by: John Keeping +Reviewed-by: Takashi Iwai +Link: https://lore.kernel.org/r/20250130195035.3883857-1-jkeeping@inmusicbrands.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_midi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/function/f_midi.c ++++ b/drivers/usb/gadget/function/f_midi.c +@@ -999,11 +999,11 @@ static int f_midi_bind(struct usb_config + } + + /* configure the endpoint descriptors ... */ +- ms_out_desc.bLength = USB_DT_MS_ENDPOINT_SIZE(midi->in_ports); +- ms_out_desc.bNumEmbMIDIJack = midi->in_ports; ++ ms_out_desc.bLength = USB_DT_MS_ENDPOINT_SIZE(midi->out_ports); ++ ms_out_desc.bNumEmbMIDIJack = midi->out_ports; + +- ms_in_desc.bLength = USB_DT_MS_ENDPOINT_SIZE(midi->out_ports); +- ms_in_desc.bNumEmbMIDIJack = midi->out_ports; ++ ms_in_desc.bLength = USB_DT_MS_ENDPOINT_SIZE(midi->in_ports); ++ ms_in_desc.bNumEmbMIDIJack = midi->in_ports; + + /* ... and add them to the list */ + endpoint_descriptor_index = i; diff --git a/queue-6.1/usb-gadget-udc-renesas_usb3-fix-compiler-warning.patch b/queue-6.1/usb-gadget-udc-renesas_usb3-fix-compiler-warning.patch new file mode 100644 index 0000000000..3f812ca11a --- /dev/null +++ b/queue-6.1/usb-gadget-udc-renesas_usb3-fix-compiler-warning.patch @@ -0,0 +1,38 @@ +From 335a1fc1193481f8027f176649c72868172f6f8b Mon Sep 17 00:00:00 2001 +From: Guo Ren +Date: Wed, 22 Jan 2025 03:12:31 -0500 +Subject: usb: gadget: udc: renesas_usb3: Fix compiler warning + +From: Guo Ren + +commit 335a1fc1193481f8027f176649c72868172f6f8b upstream. + +drivers/usb/gadget/udc/renesas_usb3.c: In function 'renesas_usb3_probe': +drivers/usb/gadget/udc/renesas_usb3.c:2638:73: warning: '%d' +directive output may be truncated writing between 1 and 11 bytes into a +region of size 6 [-Wformat-truncation=] +2638 | snprintf(usb3_ep->ep_name, sizeof(usb3_ep->ep_name), "ep%d", i); + ^~~~~~~~~~~~~~~~~~~~~~~~ ^~ ^ + +Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller") +Cc: stable@vger.kernel.org +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202501201409.BIQPtkeB-lkp@intel.com/ +Signed-off-by: Guo Ren +Link: https://lore.kernel.org/r/20250122081231.47594-1-guoren@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/renesas_usb3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/udc/renesas_usb3.c ++++ b/drivers/usb/gadget/udc/renesas_usb3.c +@@ -309,7 +309,7 @@ struct renesas_usb3_request { + struct list_head queue; + }; + +-#define USB3_EP_NAME_SIZE 8 ++#define USB3_EP_NAME_SIZE 16 + struct renesas_usb3_ep { + struct usb_ep ep; + struct renesas_usb3 *usb3; diff --git a/queue-6.1/usb-hub-ignore-non-compliant-devices-with-too-many-configs-or-interfaces.patch b/queue-6.1/usb-hub-ignore-non-compliant-devices-with-too-many-configs-or-interfaces.patch new file mode 100644 index 0000000000..b10ad164da --- /dev/null +++ b/queue-6.1/usb-hub-ignore-non-compliant-devices-with-too-many-configs-or-interfaces.patch @@ -0,0 +1,79 @@ +From 2240fed37afbcdb5e8b627bc7ad986891100e05d Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 22 Jan 2025 14:26:17 -0500 +Subject: USB: hub: Ignore non-compliant devices with too many configs or interfaces + +From: Alan Stern + +commit 2240fed37afbcdb5e8b627bc7ad986891100e05d upstream. + +Robert Morris created a test program which can cause +usb_hub_to_struct_hub() to dereference a NULL or inappropriate +pointer: + +Oops: general protection fault, probably for non-canonical address +0xcccccccccccccccc: 0000 [#1] SMP DEBUG_PAGEALLOC PTI +CPU: 7 UID: 0 PID: 117 Comm: kworker/7:1 Not tainted 6.13.0-rc3-00017-gf44d154d6e3d #14 +Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021 +Workqueue: usb_hub_wq hub_event +RIP: 0010:usb_hub_adjust_deviceremovable+0x78/0x110 +... +Call Trace: + + ? die_addr+0x31/0x80 + ? exc_general_protection+0x1b4/0x3c0 + ? asm_exc_general_protection+0x26/0x30 + ? usb_hub_adjust_deviceremovable+0x78/0x110 + hub_probe+0x7c7/0xab0 + usb_probe_interface+0x14b/0x350 + really_probe+0xd0/0x2d0 + ? __pfx___device_attach_driver+0x10/0x10 + __driver_probe_device+0x6e/0x110 + driver_probe_device+0x1a/0x90 + __device_attach_driver+0x7e/0xc0 + bus_for_each_drv+0x7f/0xd0 + __device_attach+0xaa/0x1a0 + bus_probe_device+0x8b/0xa0 + device_add+0x62e/0x810 + usb_set_configuration+0x65d/0x990 + usb_generic_driver_probe+0x4b/0x70 + usb_probe_device+0x36/0xd0 + +The cause of this error is that the device has two interfaces, and the +hub driver binds to interface 1 instead of interface 0, which is where +usb_hub_to_struct_hub() looks. + +We can prevent the problem from occurring by refusing to accept hub +devices that violate the USB spec by having more than one +configuration or interface. + +Reported-and-tested-by: Robert Morris +Cc: stable +Closes: https://lore.kernel.org/linux-usb/95564.1737394039@localhost/ +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/c27f3bf4-63d8-4fb5-ac82-09e3cd19f61c@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hub.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1819,6 +1819,17 @@ static int hub_probe(struct usb_interfac + hdev = interface_to_usbdev(intf); + + /* ++ * The USB 2.0 spec prohibits hubs from having more than one ++ * configuration or interface, and we rely on this prohibition. ++ * Refuse to accept a device that violates it. ++ */ ++ if (hdev->descriptor.bNumConfigurations > 1 || ++ hdev->actconfig->desc.bNumInterfaces > 1) { ++ dev_err(&intf->dev, "Invalid hub with more than one config or interface\n"); ++ return -EINVAL; ++ } ++ ++ /* + * Set default autosuspend delay as 0 to speedup bus suspend, + * based on the below considerations: + * diff --git a/queue-6.1/usb-pci-quirks-fix-hccparams-register-error-for-ls7a-ehci.patch b/queue-6.1/usb-pci-quirks-fix-hccparams-register-error-for-ls7a-ehci.patch new file mode 100644 index 0000000000..2831c0399f --- /dev/null +++ b/queue-6.1/usb-pci-quirks-fix-hccparams-register-error-for-ls7a-ehci.patch @@ -0,0 +1,54 @@ +From e71f7f42e3c874ac3314b8f250e8416a706165af Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Sun, 2 Feb 2025 20:49:35 +0800 +Subject: USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI + +From: Huacai Chen + +commit e71f7f42e3c874ac3314b8f250e8416a706165af upstream. + +LS7A EHCI controller doesn't have extended capabilities, so the EECP +(EHCI Extended Capabilities Pointer) field of HCCPARAMS register should +be 0x0, but it reads as 0xa0 now. This is a hardware flaw and will be +fixed in future, now just clear the EECP field to avoid error messages +on boot: + +...... +[ 0.581675] pci 0000:00:04.1: EHCI: unrecognized capability ff +[ 0.581699] pci 0000:00:04.1: EHCI: unrecognized capability ff +[ 0.581716] pci 0000:00:04.1: EHCI: unrecognized capability ff +[ 0.581851] pci 0000:00:04.1: EHCI: unrecognized capability ff +...... +[ 0.581916] pci 0000:00:05.1: EHCI: unrecognized capability ff +[ 0.581951] pci 0000:00:05.1: EHCI: unrecognized capability ff +[ 0.582704] pci 0000:00:05.1: EHCI: unrecognized capability ff +[ 0.582799] pci 0000:00:05.1: EHCI: unrecognized capability ff +...... + +Cc: stable +Signed-off-by: Baoqi Zhang +Signed-off-by: Huacai Chen +Link: https://lore.kernel.org/r/20250202124935.480500-1-chenhuacai@loongson.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/pci-quirks.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/usb/host/pci-quirks.c ++++ b/drivers/usb/host/pci-quirks.c +@@ -946,6 +946,15 @@ static void quirk_usb_disable_ehci(struc + * booting from USB disk or using a usb keyboard + */ + hcc_params = readl(base + EHCI_HCC_PARAMS); ++ ++ /* LS7A EHCI controller doesn't have extended capabilities, the ++ * EECP (EHCI Extended Capabilities Pointer) field of HCCPARAMS ++ * register should be 0x0 but it reads as 0xa0. So clear it to ++ * avoid error messages on boot. ++ */ ++ if (pdev->vendor == PCI_VENDOR_ID_LOONGSON && pdev->device == 0x7a14) ++ hcc_params &= ~(0xffL << 8); ++ + offset = (hcc_params >> 8) & 0xff; + while (offset && --count) { + pci_read_config_dword(pdev, offset, &cap); diff --git a/queue-6.1/usb-quirks-add-usb_quirk_no_lpm-quirk-for-teclast-dist.patch b/queue-6.1/usb-quirks-add-usb_quirk_no_lpm-quirk-for-teclast-dist.patch new file mode 100644 index 0000000000..95b546e47f --- /dev/null +++ b/queue-6.1/usb-quirks-add-usb_quirk_no_lpm-quirk-for-teclast-dist.patch @@ -0,0 +1,33 @@ +From e169d96eecd447ff7fd7542ca5fa0911f5622054 Mon Sep 17 00:00:00 2001 +From: Lei Huang +Date: Wed, 12 Feb 2025 17:38:29 +0800 +Subject: USB: quirks: add USB_QUIRK_NO_LPM quirk for Teclast dist + +From: Lei Huang + +commit e169d96eecd447ff7fd7542ca5fa0911f5622054 upstream. + +Teclast disk used on Huawei hisi platforms doesn't work well, +losing connectivity intermittently if LPM is enabled. +Add quirk disable LPM to resolve the issue. + +Signed-off-by: Lei Huang +Cc: stable +Link: https://lore.kernel.org/r/20250212093829.7379-1-huanglei814@163.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -522,6 +522,9 @@ static const struct usb_device_id usb_qu + /* Blackmagic Design UltraStudio SDI */ + { USB_DEVICE(0x1edb, 0xbd4f), .driver_info = USB_QUIRK_NO_LPM }, + ++ /* Teclast disk */ ++ { USB_DEVICE(0x1f75, 0x0917), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* Hauppauge HVR-950q */ + { USB_DEVICE(0x2040, 0x7200), .driver_info = + USB_QUIRK_CONFIG_INTF_STRINGS }, diff --git a/queue-6.1/usb-roles-set-switch-registered-flag-early-on.patch b/queue-6.1/usb-roles-set-switch-registered-flag-early-on.patch new file mode 100644 index 0000000000..ec159121c4 --- /dev/null +++ b/queue-6.1/usb-roles-set-switch-registered-flag-early-on.patch @@ -0,0 +1,63 @@ +From 634775a752a86784511018a108f3b530cc3399a7 Mon Sep 17 00:00:00 2001 +From: Elson Roy Serrao +Date: Thu, 6 Feb 2025 11:39:50 -0800 +Subject: usb: roles: set switch registered flag early on + +From: Elson Roy Serrao + +commit 634775a752a86784511018a108f3b530cc3399a7 upstream. + +The role switch registration and set_role() can happen in parallel as they +are invoked independent of each other. There is a possibility that a driver +might spend significant amount of time in usb_role_switch_register() API +due to the presence of time intensive operations like component_add() +which operate under common mutex. This leads to a time window after +allocating the switch and before setting the registered flag where the set +role notifications are dropped. Below timeline summarizes this behavior + +Thread1 | Thread2 +usb_role_switch_register() | + | | + ---> allocate switch | + | | + ---> component_add() | usb_role_switch_set_role() + | | | + | | --> Drop role notifications + | | since sw->registered + | | flag is not set. + | | + --->Set registered flag.| + +To avoid this, set the registered flag early on in the switch register +API. + +Fixes: b787a3e78175 ("usb: roles: don't get/set_role() when usb_role_switch is unregistered") +Cc: stable +Signed-off-by: Elson Roy Serrao +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20250206193950.22421-1-quic_eserrao@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/roles/class.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/usb/roles/class.c ++++ b/drivers/usb/roles/class.c +@@ -354,14 +354,15 @@ usb_role_switch_register(struct device * + dev_set_name(&sw->dev, "%s-role-switch", + desc->name ? desc->name : dev_name(parent)); + ++ sw->registered = true; ++ + ret = device_register(&sw->dev); + if (ret) { ++ sw->registered = false; + put_device(&sw->dev); + return ERR_PTR(ret); + } + +- sw->registered = true; +- + /* TODO: Symlinks for the host port and the device controller. */ + + return sw; diff --git a/queue-6.1/usb-serial-option-add-meig-smart-slm828.patch b/queue-6.1/usb-serial-option-add-meig-smart-slm828.patch new file mode 100644 index 0000000000..c8667a82f6 --- /dev/null +++ b/queue-6.1/usb-serial-option-add-meig-smart-slm828.patch @@ -0,0 +1,85 @@ +From db79e75460fc59b19f9c89d4b068e61cee59f37d Mon Sep 17 00:00:00 2001 +From: "Chester A. Unal" +Date: Fri, 24 Jan 2025 10:28:00 +0000 +Subject: USB: serial: option: add MeiG Smart SLM828 + +From: Chester A. Unal + +commit db79e75460fc59b19f9c89d4b068e61cee59f37d upstream. + +MeiG Smart SLM828 is an LTE-A CAT6 modem with the mPCIe form factor. The +"Cls=ff(vend.) Sub=10 Prot=02" and "Cls=ff(vend.) Sub=10 Prot=03" +interfaces respond to AT commands. Add these interfaces. + +The product ID the modem uses is shared across multiple modems. Therefore, +add comments to describe which interface is used for which modem. + +T: Bus=01 Lev=01 Prnt=05 Port=01 Cnt=01 Dev#= 6 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2dee ProdID=4d22 Rev=05.04 +S: Manufacturer=MEIG +S: Product=LTE-A Module +S: SerialNumber=4da7ec42 +C: #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=10 Prot=01 Driver=(none) +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=10 Prot=02 Driver=(none) +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=10 Prot=03 Driver=(none) +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=10 Prot=04 Driver=(none) +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=88(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=10 Prot=05 Driver=qmi_wwan +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=89(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Chester A. Unal +Link: https://lore.kernel.org/20250124-for-johan-meig-slm828-v2-1-6b4cd3f6344f@arinc9.com +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -621,7 +621,10 @@ static void option_instat_callback(struc + + /* MeiG Smart Technology products */ + #define MEIGSMART_VENDOR_ID 0x2dee +-/* MeiG Smart SRM815/SRM825L based on Qualcomm 315 */ ++/* ++ * MeiG Smart SLM828, SRM815, and SRM825L use the same product ID. SLM828 is ++ * based on Qualcomm SDX12. SRM815 and SRM825L are based on Qualcomm 315. ++ */ + #define MEIGSMART_PRODUCT_SRM825L 0x4d22 + /* MeiG Smart SLM320 based on UNISOC UIS8910 */ + #define MEIGSMART_PRODUCT_SLM320 0x4d41 +@@ -2405,10 +2408,12 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, LUAT_PRODUCT_AIR720U, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SLM320, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SLM770A, 0xff, 0, 0) }, +- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0, 0) }, +- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x30) }, +- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x40) }, +- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x60) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0, 0) }, /* MeiG Smart SRM815 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0x10, 0x02) }, /* MeiG Smart SLM828 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0x10, 0x03) }, /* MeiG Smart SLM828 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x30) }, /* MeiG Smart SRM815 and SRM825L */ ++ { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x40) }, /* MeiG Smart SRM825L */ ++ { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x60) }, /* MeiG Smart SRM825L */ + { USB_DEVICE_INTERFACE_CLASS(0x1bbb, 0x0530, 0xff), /* TCL IK512 MBIM */ + .driver_info = NCTRL(1) }, + { USB_DEVICE_INTERFACE_CLASS(0x1bbb, 0x0640, 0xff), /* TCL IK512 ECM */ diff --git a/queue-6.1/usb-serial-option-add-telit-cinterion-fn990b-compositions.patch b/queue-6.1/usb-serial-option-add-telit-cinterion-fn990b-compositions.patch new file mode 100644 index 0000000000..e8593441c4 --- /dev/null +++ b/queue-6.1/usb-serial-option-add-telit-cinterion-fn990b-compositions.patch @@ -0,0 +1,208 @@ +From c979fb5ece2dc11cc9cc3d5c66f750e210bfdee2 Mon Sep 17 00:00:00 2001 +From: Fabio Porcedda +Date: Wed, 5 Feb 2025 18:16:45 +0100 +Subject: USB: serial: option: add Telit Cinterion FN990B compositions + +From: Fabio Porcedda + +commit c979fb5ece2dc11cc9cc3d5c66f750e210bfdee2 upstream. + +Add the following Telit Cinterion FN990B40 compositions: + +0x10d0: rmnet + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) + + tty (diag) + DPL + QDSS (Qualcomm Debug SubSystem) + adb +T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 17 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10d0 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN990 +S: SerialNumber=43b38f19 +C: #Ifs= 9 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) +E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none) +E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs +E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10d1: MBIM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) + + tty (diag) + DPL + QDSS (Qualcomm Debug SubSystem) + adb +T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 16 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10d1 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN990 +S: SerialNumber=43b38f19 +C: #Ifs=10 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) +E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 8 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none) +E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs +E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10d2: RNDIS + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) + + tty (diag) + DPL + QDSS (Qualcomm Debug SubSystem) + adb +T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 18 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10d2 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN990 +S: SerialNumber=43b38f19 +C: #Ifs=10 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) +E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 8 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none) +E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs +E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10d3: ECM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) + + tty (diag) + DPL + QDSS (Qualcomm Debug SubSystem) + adb +T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 20 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10d3 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN990 +S: SerialNumber=43b38f19 +C: #Ifs=10 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether +E: Ad=82(I) Atr=03(Int.) MxPS= 16 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) +E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 8 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none) +E: Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs +E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Cc: stable@vger.kernel.org +Signed-off-by: Fabio Porcedda +Reviewed-by: Daniele Palmas +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1406,6 +1406,22 @@ static const struct usb_device_id option + .driver_info = RSVD(0) | NCTRL(3) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c8, 0xff), /* Telit FE910C04 (rmnet) */ + .driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) }, ++ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d0, 0x60) }, /* Telit FN990B (rmnet) */ ++ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d0, 0x40) }, ++ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d0, 0x30), ++ .driver_info = NCTRL(5) }, ++ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d1, 0x60) }, /* Telit FN990B (MBIM) */ ++ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d1, 0x40) }, ++ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d1, 0x30), ++ .driver_info = NCTRL(6) }, ++ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d2, 0x60) }, /* Telit FN990B (RNDIS) */ ++ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d2, 0x40) }, ++ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d2, 0x30), ++ .driver_info = NCTRL(6) }, ++ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d3, 0x60) }, /* Telit FN990B (ECM) */ ++ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d3, 0x40) }, ++ { USB_DEVICE_INTERFACE_PROTOCOL(TELIT_VENDOR_ID, 0x10d3, 0x30), ++ .driver_info = NCTRL(6) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910), + .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM), diff --git a/queue-6.1/usb-serial-option-drop-meig-smart-defines.patch b/queue-6.1/usb-serial-option-drop-meig-smart-defines.patch new file mode 100644 index 0000000000..8dfa9b3bee --- /dev/null +++ b/queue-6.1/usb-serial-option-drop-meig-smart-defines.patch @@ -0,0 +1,74 @@ +From 6aa8a63c471eb6756aabd03f880feffe6a7af6c9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 11 Feb 2025 15:45:16 +0100 +Subject: USB: serial: option: drop MeiG Smart defines + +From: Johan Hovold + +commit 6aa8a63c471eb6756aabd03f880feffe6a7af6c9 upstream. + +Several MeiG Smart modems apparently use the same product id, making the +defines even less useful. + +Drop them in favour of using comments consistently to make the id table +slightly less unwieldy. + +Cc: stable@vger.kernel.org +Acked-by: Chester A. Unal +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 28 ++++++++-------------------- + 1 file changed, 8 insertions(+), 20 deletions(-) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -619,18 +619,6 @@ static void option_instat_callback(struc + /* Luat Air72*U series based on UNISOC UIS8910 uses UNISOC's vendor ID */ + #define LUAT_PRODUCT_AIR720U 0x4e00 + +-/* MeiG Smart Technology products */ +-#define MEIGSMART_VENDOR_ID 0x2dee +-/* +- * MeiG Smart SLM828, SRM815, and SRM825L use the same product ID. SLM828 is +- * based on Qualcomm SDX12. SRM815 and SRM825L are based on Qualcomm 315. +- */ +-#define MEIGSMART_PRODUCT_SRM825L 0x4d22 +-/* MeiG Smart SLM320 based on UNISOC UIS8910 */ +-#define MEIGSMART_PRODUCT_SLM320 0x4d41 +-/* MeiG Smart SLM770A based on ASR1803 */ +-#define MEIGSMART_PRODUCT_SLM770A 0x4d57 +- + /* Device flags */ + + /* Highest interface number which can be used with NCTRL() and RSVD() */ +@@ -2366,6 +2354,14 @@ static const struct usb_device_id option + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0a05, 0xff) }, /* Fibocom FM650-CN (NCM mode) */ + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0a06, 0xff) }, /* Fibocom FM650-CN (RNDIS mode) */ + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0a07, 0xff) }, /* Fibocom FM650-CN (MBIM mode) */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d41, 0xff, 0, 0) }, /* MeiG Smart SLM320 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d57, 0xff, 0, 0) }, /* MeiG Smart SLM770A */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0, 0) }, /* MeiG Smart SRM815 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0x10, 0x02) }, /* MeiG Smart SLM828 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0x10, 0x03) }, /* MeiG Smart SLM828 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0xff, 0x30) }, /* MeiG Smart SRM815 and SRM825L */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0xff, 0x40) }, /* MeiG Smart SRM825L */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d22, 0xff, 0xff, 0x60) }, /* MeiG Smart SRM825L */ + { USB_DEVICE_INTERFACE_CLASS(0x2df3, 0x9d03, 0xff) }, /* LongSung M5710 */ + { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1404, 0xff) }, /* GosunCn GM500 RNDIS */ + { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1405, 0xff) }, /* GosunCn GM500 MBIM */ +@@ -2422,14 +2418,6 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, TOZED_PRODUCT_LT70C, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, LUAT_PRODUCT_AIR720U, 0xff, 0, 0) }, +- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SLM320, 0xff, 0, 0) }, +- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SLM770A, 0xff, 0, 0) }, +- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0, 0) }, /* MeiG Smart SRM815 */ +- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0x10, 0x02) }, /* MeiG Smart SLM828 */ +- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0x10, 0x03) }, /* MeiG Smart SLM828 */ +- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x30) }, /* MeiG Smart SRM815 and SRM825L */ +- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x40) }, /* MeiG Smart SRM825L */ +- { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x60) }, /* MeiG Smart SRM825L */ + { USB_DEVICE_INTERFACE_CLASS(0x1bbb, 0x0530, 0xff), /* TCL IK512 MBIM */ + .driver_info = NCTRL(1) }, + { USB_DEVICE_INTERFACE_CLASS(0x1bbb, 0x0640, 0xff), /* TCL IK512 ECM */ diff --git a/queue-6.1/usb-serial-option-fix-telit-cinterion-fn990a-name.patch b/queue-6.1/usb-serial-option-fix-telit-cinterion-fn990a-name.patch new file mode 100644 index 0000000000..3ee474d0b8 --- /dev/null +++ b/queue-6.1/usb-serial-option-fix-telit-cinterion-fn990a-name.patch @@ -0,0 +1,43 @@ +From 12606fe73f33647c5e79bf666833bf0b225e649d Mon Sep 17 00:00:00 2001 +From: Fabio Porcedda +Date: Wed, 5 Feb 2025 18:16:47 +0100 +Subject: USB: serial: option: fix Telit Cinterion FN990A name + +From: Fabio Porcedda + +commit 12606fe73f33647c5e79bf666833bf0b225e649d upstream. + +The correct name for FN990 is FN990A so use it in order to avoid +confusion with FN990B. + +Signed-off-by: Fabio Porcedda +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1370,15 +1370,15 @@ static const struct usb_device_id option + .driver_info = NCTRL(2) | RSVD(3) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1063, 0xff), /* Telit LN920 (ECM) */ + .driver_info = NCTRL(0) | RSVD(1) }, +- { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1070, 0xff), /* Telit FN990 (rmnet) */ ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1070, 0xff), /* Telit FN990A (rmnet) */ + .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) }, +- { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1071, 0xff), /* Telit FN990 (MBIM) */ ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1071, 0xff), /* Telit FN990A (MBIM) */ + .driver_info = NCTRL(0) | RSVD(1) }, +- { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1072, 0xff), /* Telit FN990 (RNDIS) */ ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1072, 0xff), /* Telit FN990A (RNDIS) */ + .driver_info = NCTRL(2) | RSVD(3) }, +- { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1073, 0xff), /* Telit FN990 (ECM) */ ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1073, 0xff), /* Telit FN990A (ECM) */ + .driver_info = NCTRL(0) | RSVD(1) }, +- { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1075, 0xff), /* Telit FN990 (PCIe) */ ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1075, 0xff), /* Telit FN990A (PCIe) */ + .driver_info = RSVD(0) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1080, 0xff), /* Telit FE990 (rmnet) */ + .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },