From: Greg Kroah-Hartman Date: Mon, 22 Jan 2024 18:48:28 +0000 (-0800) Subject: 5.10-stable patches X-Git-Tag: v4.19.306~79 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9ce87d56af140dc9662c4f243c72347408ceabaf;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: binder-fix-race-between-mmput-and-do_exit.patch revert-usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch revert-usb-dwc3-soft-reset-phy-on-probe-for-host.patch revert-usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch tick-sched-fix-idle-and-iowait-sleeptime-accounting-vs-cpu-hotplug.patch usb-chipidea-wait-controller-resume-finished-for-wakeup-irq.patch usb-dwc-ep0-update-request-status-in-dwc3_ep0_stall_restart.patch usb-dwc3-gadget-handle-ep0-request-dequeuing-properly.patch usb-mon-fix-atomicity-violation-in-mon_bin_vma_fault.patch usb-phy-mxs-remove-config_usb_otg-condition-for-mxs_phy_is_otg_host.patch usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch xen-netback-don-t-produce-zero-size-skb-frags.patch --- diff --git a/queue-5.10/binder-fix-race-between-mmput-and-do_exit.patch b/queue-5.10/binder-fix-race-between-mmput-and-do_exit.patch new file mode 100644 index 00000000000..3c1c1ec7b7b --- /dev/null +++ b/queue-5.10/binder-fix-race-between-mmput-and-do_exit.patch @@ -0,0 +1,66 @@ +From 9a9ab0d963621d9d12199df9817e66982582d5a5 Mon Sep 17 00:00:00 2001 +From: Carlos Llamas +Date: Fri, 1 Dec 2023 17:21:32 +0000 +Subject: binder: fix race between mmput() and do_exit() + +From: Carlos Llamas + +commit 9a9ab0d963621d9d12199df9817e66982582d5a5 upstream. + +Task A calls binder_update_page_range() to allocate and insert pages on +a remote address space from Task B. For this, Task A pins the remote mm +via mmget_not_zero() first. This can race with Task B do_exit() and the +final mmput() refcount decrement will come from Task A. + + Task A | Task B + ------------------+------------------ + mmget_not_zero() | + | do_exit() + | exit_mm() + | mmput() + mmput() | + exit_mmap() | + remove_vma() | + fput() | + +In this case, the work of ____fput() from Task B is queued up in Task A +as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup +work gets executed. However, Task A instead sleep, waiting for a reply +from Task B that never comes (it's dead). + +This means the binder_deferred_release() is blocked until an unrelated +binder event forces Task A to go back to userspace. All the associated +death notifications will also be delayed until then. + +In order to fix this use mmput_async() that will schedule the work in +the corresponding mm->async_put_work WQ instead of Task A. + +Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") +Reviewed-by: Alice Ryhl +Signed-off-by: Carlos Llamas +Link: https://lore.kernel.org/r/20231201172212.1813387-4-cmllamas@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder_alloc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -271,7 +271,7 @@ static int binder_update_page_range(stru + } + if (mm) { + mmap_write_unlock(mm); +- mmput(mm); ++ mmput_async(mm); + } + return 0; + +@@ -304,7 +304,7 @@ err_page_ptr_cleared: + err_no_vma: + if (mm) { + mmap_write_unlock(mm); +- mmput(mm); ++ mmput_async(mm); + } + return vma ? -ENOMEM : -ESRCH; + } diff --git a/queue-5.10/revert-usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch b/queue-5.10/revert-usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch new file mode 100644 index 00000000000..a749582e99b --- /dev/null +++ b/queue-5.10/revert-usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch @@ -0,0 +1,42 @@ +From afe28cd686aeb77e8d9140d50fb1cf06a7ecb731 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Fri, 22 Dec 2023 22:11:33 +0000 +Subject: Revert "usb: dwc3: don't reset device side if dwc3 was configured as host-only" + +From: Thinh Nguyen + +commit afe28cd686aeb77e8d9140d50fb1cf06a7ecb731 upstream. + +This reverts commit e835c0a4e23c38531dcee5ef77e8d1cf462658c7. + +Don't omit soft-reset. During initialization, the driver may need to +perform a soft reset to ensure the phy is ready when the controller +updates the GCTL.PRTCAPDIR or other settings by issuing phy soft-reset. +Many platforms often have access to DCTL register for soft-reset despite +being host-only. If there are actual reported issues from the platforms +that don't expose DCTL registers, then we will need to revisit (perhaps +to teach dwc3 to perform xhci's soft-reset USBCMD.HCRST). + +Cc: +Fixes: e835c0a4e23c ("usb: dwc3: don't reset device side if dwc3 was configured as host-only") +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/7668ab11a48f260820825274976eb41fec7f54d1.1703282469.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -275,9 +275,9 @@ int dwc3_core_soft_reset(struct dwc3 *dw + /* + * We're resetting only the device side because, if we're in host mode, + * XHCI driver will reset the host block. If dwc3 was configured for +- * host-only mode or current role is host, then we can return early. ++ * host-only mode, then we can return early. + */ +- if (dwc->dr_mode == USB_DR_MODE_HOST || dwc->current_dr_role == DWC3_GCTL_PRTCAP_HOST) ++ if (dwc->current_dr_role == DWC3_GCTL_PRTCAP_HOST) + return 0; + + reg = dwc3_readl(dwc->regs, DWC3_DCTL); diff --git a/queue-5.10/revert-usb-dwc3-soft-reset-phy-on-probe-for-host.patch b/queue-5.10/revert-usb-dwc3-soft-reset-phy-on-probe-for-host.patch new file mode 100644 index 00000000000..a02b16ee1f6 --- /dev/null +++ b/queue-5.10/revert-usb-dwc3-soft-reset-phy-on-probe-for-host.patch @@ -0,0 +1,78 @@ +From 7059fbebcb00554c3f31e5b5d93ef6d2d96dc7b4 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Fri, 22 Dec 2023 22:11:27 +0000 +Subject: Revert "usb: dwc3: Soft reset phy on probe for host" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thinh Nguyen + +commit 7059fbebcb00554c3f31e5b5d93ef6d2d96dc7b4 upstream. + +This reverts commit 8bea147dfdf823eaa8d3baeccc7aeb041b41944b. + +The phy soft reset GUSB2PHYCFG.PHYSOFTRST only applies to UTMI phy, not +ULPI. This fix is incomplete. + +Cc: +Fixes: 8bea147dfdf8 ("usb: dwc3: Soft reset phy on probe for host") +Reported-by: Köry Maincent +Closes: https://lore.kernel.org/linux-usb/20231205151959.5236c231@kmaincent-XPS-13-7390 +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/29a26593a60eba727de872a3e580a674807b3339.1703282469.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 39 +-------------------------------------- + 1 file changed, 1 insertion(+), 38 deletions(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -277,46 +277,9 @@ int dwc3_core_soft_reset(struct dwc3 *dw + * XHCI driver will reset the host block. If dwc3 was configured for + * host-only mode or current role is host, then we can return early. + */ +- if (dwc->current_dr_role == DWC3_GCTL_PRTCAP_HOST) ++ if (dwc->dr_mode == USB_DR_MODE_HOST || dwc->current_dr_role == DWC3_GCTL_PRTCAP_HOST) + return 0; + +- /* +- * If the dr_mode is host and the dwc->current_dr_role is not the +- * corresponding DWC3_GCTL_PRTCAP_HOST, then the dwc3_core_init_mode +- * isn't executed yet. Ensure the phy is ready before the controller +- * updates the GCTL.PRTCAPDIR or other settings by soft-resetting +- * the phy. +- * +- * Note: GUSB3PIPECTL[n] and GUSB2PHYCFG[n] are port settings where n +- * is port index. If this is a multiport host, then we need to reset +- * all active ports. +- */ +- if (dwc->dr_mode == USB_DR_MODE_HOST) { +- u32 usb3_port; +- u32 usb2_port; +- +- usb3_port = dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0)); +- usb3_port |= DWC3_GUSB3PIPECTL_PHYSOFTRST; +- dwc3_writel(dwc->regs, DWC3_GUSB3PIPECTL(0), usb3_port); +- +- usb2_port = dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)); +- usb2_port |= DWC3_GUSB2PHYCFG_PHYSOFTRST; +- dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), usb2_port); +- +- /* Small delay for phy reset assertion */ +- usleep_range(1000, 2000); +- +- usb3_port &= ~DWC3_GUSB3PIPECTL_PHYSOFTRST; +- dwc3_writel(dwc->regs, DWC3_GUSB3PIPECTL(0), usb3_port); +- +- usb2_port &= ~DWC3_GUSB2PHYCFG_PHYSOFTRST; +- dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), usb2_port); +- +- /* Wait for clock synchronization */ +- msleep(50); +- return 0; +- } +- + reg = dwc3_readl(dwc->regs, DWC3_DCTL); + reg |= DWC3_DCTL_CSFTRST; + reg &= ~DWC3_DCTL_RUN_STOP; diff --git a/queue-5.10/revert-usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch b/queue-5.10/revert-usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch new file mode 100644 index 00000000000..8bdc4f45838 --- /dev/null +++ b/queue-5.10/revert-usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch @@ -0,0 +1,47 @@ +From 9c6b789e954fae73c548f39332bcc56bdf0d4373 Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Tue, 2 Jan 2024 11:11:41 +0200 +Subject: Revert "usb: typec: class: fix typec_altmode_put_partner to put plugs" + +From: Heikki Krogerus + +commit 9c6b789e954fae73c548f39332bcc56bdf0d4373 upstream. + +This reverts commit b17b7fe6dd5c6ff74b38b0758ca799cdbb79e26e. + +That commit messed up the reference counting, so it needs to +be rethought. + +Fixes: b17b7fe6dd5c ("usb: typec: class: fix typec_altmode_put_partner to put plugs") +Cc: +Cc: RD Babiera +Reported-by: Chris Bainbridge +Closes: https://lore.kernel.org/lkml/CAP-bSRb3SXpgo_BEdqZB-p1K5625fMegRZ17ZkPE1J8ZYgEHDg@mail.gmail.com/ +Signed-off-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20240102091142.2136472-1-heikki.krogerus@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/class.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/usb/typec/class.c ++++ b/drivers/usb/typec/class.c +@@ -194,7 +194,7 @@ static void typec_altmode_put_partner(st + if (!partner) + return; + +- adev = &altmode->adev; ++ adev = &partner->adev; + + if (is_typec_plug(adev->dev.parent)) { + struct typec_plug *plug = to_typec_plug(adev->dev.parent); +@@ -424,8 +424,7 @@ static void typec_altmode_release(struct + { + struct altmode *alt = to_altmode(to_typec_altmode(dev)); + +- if (!is_typec_port(dev->parent)) +- typec_altmode_put_partner(alt); ++ typec_altmode_put_partner(alt); + + altmode_id_remove(alt->adev.dev.parent, alt->id); + kfree(alt); diff --git a/queue-5.10/series b/queue-5.10/series index 981f836411f..c9f7b436268 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -205,3 +205,15 @@ virtio-crypto-fix-memory-leak-in-virtio_crypto_alg_skcipher_close_session.patch revert-asoc-atmel-remove-system-clock-tree-configuration-for-at91sam9g20ek.patch kprobes-fix-to-handle-forcibly-unoptimized-kprobes-on-freeing_list.patch net-ethernet-mtk_eth_soc-remove-duplicate-if-statements.patch +xen-netback-don-t-produce-zero-size-skb-frags.patch +binder-fix-race-between-mmput-and-do_exit.patch +tick-sched-fix-idle-and-iowait-sleeptime-accounting-vs-cpu-hotplug.patch +usb-phy-mxs-remove-config_usb_otg-condition-for-mxs_phy_is_otg_host.patch +usb-dwc-ep0-update-request-status-in-dwc3_ep0_stall_restart.patch +usb-dwc3-gadget-handle-ep0-request-dequeuing-properly.patch +revert-usb-dwc3-soft-reset-phy-on-probe-for-host.patch +revert-usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch +usb-chipidea-wait-controller-resume-finished-for-wakeup-irq.patch +revert-usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch +usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch +usb-mon-fix-atomicity-violation-in-mon_bin_vma_fault.patch diff --git a/queue-5.10/tick-sched-fix-idle-and-iowait-sleeptime-accounting-vs-cpu-hotplug.patch b/queue-5.10/tick-sched-fix-idle-and-iowait-sleeptime-accounting-vs-cpu-hotplug.patch new file mode 100644 index 00000000000..10bb3ade39a --- /dev/null +++ b/queue-5.10/tick-sched-fix-idle-and-iowait-sleeptime-accounting-vs-cpu-hotplug.patch @@ -0,0 +1,85 @@ +From 71fee48fb772ac4f6cfa63dbebc5629de8b4cc09 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Mon, 15 Jan 2024 17:35:55 +0100 +Subject: tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug + +From: Heiko Carstens + +commit 71fee48fb772ac4f6cfa63dbebc5629de8b4cc09 upstream. + +When offlining and onlining CPUs the overall reported idle and iowait +times as reported by /proc/stat jump backward and forward: + +cpu 132 0 176 225249 47 6 6 21 0 0 +cpu0 80 0 115 112575 33 3 4 18 0 0 +cpu1 52 0 60 112673 13 3 1 2 0 0 + +cpu 133 0 177 226681 47 6 6 21 0 0 +cpu0 80 0 116 113387 33 3 4 18 0 0 + +cpu 133 0 178 114431 33 6 6 21 0 0 <---- jump backward +cpu0 80 0 116 114247 33 3 4 18 0 0 +cpu1 52 0 61 183 0 3 1 2 0 0 <---- idle + iowait start with 0 + +cpu 133 0 178 228956 47 6 6 21 0 0 <---- jump forward +cpu0 81 0 117 114929 33 3 4 18 0 0 + +Reason for this is that get_idle_time() in fs/proc/stat.c has different +sources for both values depending on if a CPU is online or offline: + +- if a CPU is online the values may be taken from its per cpu + tick_cpu_sched structure + +- if a CPU is offline the values are taken from its per cpu cpustat + structure + +The problem is that the per cpu tick_cpu_sched structure is set to zero on +CPU offline. See tick_cancel_sched_timer() in kernel/time/tick-sched.c. + +Therefore when a CPU is brought offline and online afterwards both its idle +and iowait sleeptime will be zero, causing a jump backward in total system +idle and iowait sleeptime. In a similar way if a CPU is then brought +offline again the total idle and iowait sleeptimes will jump forward. + +It looks like this behavior was introduced with commit 4b0c0f294f60 +("tick: Cleanup NOHZ per cpu data on cpu down"). + +This was only noticed now on s390, since we switched to generic idle time +reporting with commit be76ea614460 ("s390/idle: remove arch_cpu_idle_time() +and corresponding code"). + +Fix this by preserving the values of idle_sleeptime and iowait_sleeptime +members of the per-cpu tick_sched structure on CPU hotplug. + +Fixes: 4b0c0f294f60 ("tick: Cleanup NOHZ per cpu data on cpu down") +Reported-by: Gerald Schaefer +Signed-off-by: Heiko Carstens +Signed-off-by: Thomas Gleixner +Reviewed-by: Frederic Weisbecker +Link: https://lore.kernel.org/r/20240115163555.1004144-1-hca@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/tick-sched.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -1439,13 +1439,18 @@ void tick_setup_sched_timer(void) + void tick_cancel_sched_timer(int cpu) + { + struct tick_sched *ts = &per_cpu(tick_cpu_sched, cpu); ++ ktime_t idle_sleeptime, iowait_sleeptime; + + # ifdef CONFIG_HIGH_RES_TIMERS + if (ts->sched_timer.base) + hrtimer_cancel(&ts->sched_timer); + # endif + ++ idle_sleeptime = ts->idle_sleeptime; ++ iowait_sleeptime = ts->iowait_sleeptime; + memset(ts, 0, sizeof(*ts)); ++ ts->idle_sleeptime = idle_sleeptime; ++ ts->iowait_sleeptime = iowait_sleeptime; + } + #endif + diff --git a/queue-5.10/usb-chipidea-wait-controller-resume-finished-for-wakeup-irq.patch b/queue-5.10/usb-chipidea-wait-controller-resume-finished-for-wakeup-irq.patch new file mode 100644 index 00000000000..c95110fa7ab --- /dev/null +++ b/queue-5.10/usb-chipidea-wait-controller-resume-finished-for-wakeup-irq.patch @@ -0,0 +1,46 @@ +From 128d849074d05545becf86e713715ce7676fc074 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Thu, 28 Dec 2023 19:07:52 +0800 +Subject: usb: chipidea: wait controller resume finished for wakeup irq + +From: Xu Yang + +commit 128d849074d05545becf86e713715ce7676fc074 upstream. + +After the chipidea driver introduce extcon for id and vbus, it's able +to wakeup from another irq source, in case the system with extcon ID +cable, wakeup from usb ID cable and device removal, the usb device +disconnect irq may come firstly before the extcon notifier while system +resume, so we will get 2 "wakeup" irq, one for usb device disconnect; +and one for extcon ID cable change(real wakeup event), current driver +treat them as 2 successive wakeup irq so can't handle it correctly, then +finally the usb irq can't be enabled. This patch adds a check to bypass +further usb events before controller resume finished to fix it. + +Fixes: 1f874edcb731 ("usb: chipidea: add runtime power management support") +cc: +Acked-by: Peter Chen +Signed-off-by: Xu Yang +Signed-off-by: Li Jun +Link: https://lore.kernel.org/r/20231228110753.1755756-2-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/core.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -516,6 +516,13 @@ static irqreturn_t ci_irq_handler(int ir + u32 otgsc = 0; + + if (ci->in_lpm) { ++ /* ++ * If we already have a wakeup irq pending there, ++ * let's just return to wait resume finished firstly. ++ */ ++ if (ci->wakeup_int) ++ return IRQ_HANDLED; ++ + disable_irq_nosync(irq); + ci->wakeup_int = true; + pm_runtime_get(ci->dev); diff --git a/queue-5.10/usb-dwc-ep0-update-request-status-in-dwc3_ep0_stall_restart.patch b/queue-5.10/usb-dwc-ep0-update-request-status-in-dwc3_ep0_stall_restart.patch new file mode 100644 index 00000000000..589f65309f1 --- /dev/null +++ b/queue-5.10/usb-dwc-ep0-update-request-status-in-dwc3_ep0_stall_restart.patch @@ -0,0 +1,57 @@ +From e9d40b215e38480fd94c66b06d79045717a59e9c Mon Sep 17 00:00:00 2001 +From: Uttkarsh Aggarwal +Date: Fri, 22 Dec 2023 15:17:04 +0530 +Subject: usb: dwc: ep0: Update request status in dwc3_ep0_stall_restart + +From: Uttkarsh Aggarwal + +commit e9d40b215e38480fd94c66b06d79045717a59e9c upstream. + +Current implementation blocks the running operations when Plug-out and +Plug-In is performed continuously, process gets stuck in +dwc3_thread_interrupt(). + +Code Flow: + + CPU1 + + ->Gadget_start + ->dwc3_interrupt + ->dwc3_thread_interrupt + ->dwc3_process_event_buf + ->dwc3_process_event_entry + ->dwc3_endpoint_interrupt + ->dwc3_ep0_interrupt + ->dwc3_ep0_inspect_setup + ->dwc3_ep0_stall_and_restart + +By this time if pending_list is not empty, it will get the next request +on the given list and calls dwc3_gadget_giveback which will unmap request +and call its complete() callback to notify upper layers that it has +completed. Currently dwc3_gadget_giveback status is set to -ECONNRESET, +whereas it should be -ESHUTDOWN based on condition if not dwc->connected +is true. + +Cc: +Fixes: d742220b3577 ("usb: dwc3: ep0: giveback requests on stall_and_restart") +Signed-off-by: Uttkarsh Aggarwal +Link: https://lore.kernel.org/r/20231222094704.20276-1-quic_uaggarwa@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/ep0.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/ep0.c ++++ b/drivers/usb/dwc3/ep0.c +@@ -236,7 +236,10 @@ static void dwc3_ep0_stall_and_restart(s + struct dwc3_request *req; + + req = next_request(&dep->pending_list); +- dwc3_gadget_giveback(dep, req, -ECONNRESET); ++ if (!dwc->connected) ++ dwc3_gadget_giveback(dep, req, -ESHUTDOWN); ++ else ++ dwc3_gadget_giveback(dep, req, -ECONNRESET); + } + + dwc->ep0state = EP0_SETUP_PHASE; diff --git a/queue-5.10/usb-dwc3-gadget-handle-ep0-request-dequeuing-properly.patch b/queue-5.10/usb-dwc3-gadget-handle-ep0-request-dequeuing-properly.patch new file mode 100644 index 00000000000..a6be8e53307 --- /dev/null +++ b/queue-5.10/usb-dwc3-gadget-handle-ep0-request-dequeuing-properly.patch @@ -0,0 +1,67 @@ +From 730e12fbec53ab59dd807d981a204258a4cfb29a Mon Sep 17 00:00:00 2001 +From: Wesley Cheng +Date: Wed, 6 Dec 2023 12:18:14 -0800 +Subject: usb: dwc3: gadget: Handle EP0 request dequeuing properly + +From: Wesley Cheng + +commit 730e12fbec53ab59dd807d981a204258a4cfb29a upstream. + +Current EP0 dequeue path will share the same as other EPs. However, there +are some special considerations that need to be made for EP0 transfers: + + - EP0 transfers never transition into the started_list + - EP0 only has one active request at a time + +In case there is a vendor specific control message for a function over USB +FFS, then there is no guarantee on the timeline which the DATA/STATUS stage +is responded to. While this occurs, any attempt to end transfers on +non-control EPs will end up having the DWC3_EP_DELAY_STOP flag set, and +defer issuing of the end transfer command. If the USB FFS application +decides to timeout the control transfer, or if USB FFS AIO path exits, the +USB FFS driver will issue a call to usb_ep_dequeue() for the ep0 request. + +In case of the AIO exit path, the AIO FS blocks until all pending USB +requests utilizing the AIO path is completed. However, since the dequeue +of ep0 req does not happen properly, all non-control EPs with the +DWC3_EP_DELAY_STOP flag set will not be handled, and the AIO exit path will +be stuck waiting for the USB FFS data endpoints to receive a completion +callback. + +Fix is to utilize dwc3_ep0_reset_state() in the dequeue API to ensure EP0 +is brought back to the SETUP state, and ensures that any deferred end +transfer commands are handled. This also will end any active transfers +on EP0, compared to the previous implementation which directly called +giveback only. + +Fixes: fcd2def66392 ("usb: dwc3: gadget: Refactor dwc3_gadget_ep_dequeue") +Cc: stable +Signed-off-by: Wesley Cheng +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20231206201814.32664-1-quic_wcheng@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1802,7 +1802,17 @@ static int dwc3_gadget_ep_dequeue(struct + + list_for_each_entry(r, &dep->pending_list, list) { + if (r == req) { +- dwc3_gadget_giveback(dep, req, -ECONNRESET); ++ /* ++ * Explicitly check for EP0/1 as dequeue for those ++ * EPs need to be handled differently. Control EP ++ * only deals with one USB req, and giveback will ++ * occur during dwc3_ep0_stall_and_restart(). EP0 ++ * requests are never added to started_list. ++ */ ++ if (dep->number > 1) ++ dwc3_gadget_giveback(dep, req, -ECONNRESET); ++ else ++ dwc3_ep0_reset_state(dwc); + goto out; + } + } diff --git a/queue-5.10/usb-mon-fix-atomicity-violation-in-mon_bin_vma_fault.patch b/queue-5.10/usb-mon-fix-atomicity-violation-in-mon_bin_vma_fault.patch new file mode 100644 index 00000000000..27ba6a6cdb9 --- /dev/null +++ b/queue-5.10/usb-mon-fix-atomicity-violation-in-mon_bin_vma_fault.patch @@ -0,0 +1,90 @@ +From 2dd23cc4d0e6aa55cf9fb3b05f2f4165b01de81c Mon Sep 17 00:00:00 2001 +From: Gui-Dong Han <2045gemini@gmail.com> +Date: Fri, 5 Jan 2024 13:24:12 +0800 +Subject: usb: mon: Fix atomicity violation in mon_bin_vma_fault + +From: Gui-Dong Han <2045gemini@gmail.com> + +commit 2dd23cc4d0e6aa55cf9fb3b05f2f4165b01de81c upstream. + +In mon_bin_vma_fault(): + offset = vmf->pgoff << PAGE_SHIFT; + if (offset >= rp->b_size) + return VM_FAULT_SIGBUS; + chunk_idx = offset / CHUNK_SIZE; + pageptr = rp->b_vec[chunk_idx].pg; +The code is executed without holding any lock. + +In mon_bin_vma_close(): + spin_lock_irqsave(&rp->b_lock, flags); + rp->mmap_active--; + spin_unlock_irqrestore(&rp->b_lock, flags); + +In mon_bin_ioctl(): + spin_lock_irqsave(&rp->b_lock, flags); + if (rp->mmap_active) { + ... + } else { + ... + kfree(rp->b_vec); + rp->b_vec = vec; + rp->b_size = size; + ... + } + spin_unlock_irqrestore(&rp->b_lock, flags); + +Concurrent execution of mon_bin_vma_fault() with mon_bin_vma_close() and +mon_bin_ioctl() could lead to atomicity violations. mon_bin_vma_fault() +accesses rp->b_size and rp->b_vec without locking, risking array +out-of-bounds access or use-after-free bugs due to possible modifications +in mon_bin_ioctl(). + +This possible bug is found by an experimental static analysis tool +developed by our team, BassCheck[1]. This tool analyzes the locking APIs +to extract function pairs that can be concurrently executed, and then +analyzes the instructions in the paired functions to identify possible +concurrency bugs including data races and atomicity violations. The above +possible bug is reported when our tool analyzes the source code of +Linux 6.2. + +To address this issue, it is proposed to add a spin lock pair in +mon_bin_vma_fault() to ensure atomicity. With this patch applied, our tool +never reports the possible bug, with the kernel configuration allyesconfig +for x86_64. Due to the lack of associated hardware, we cannot test the +patch in runtime testing, and just verify it according to the code logic. + +[1] https://sites.google.com/view/basscheck/ + +Fixes: 19e6317d24c2 ("usb: mon: Fix a deadlock in usbmon between ...") +Cc: +Signed-off-by: Gui-Dong Han <2045gemini@gmail.com> +Link: https://lore.kernel.org/r/20240105052412.9377-1-2045gemini@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/mon/mon_bin.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/usb/mon/mon_bin.c ++++ b/drivers/usb/mon/mon_bin.c +@@ -1247,14 +1247,19 @@ static vm_fault_t mon_bin_vma_fault(stru + struct mon_reader_bin *rp = vmf->vma->vm_private_data; + unsigned long offset, chunk_idx; + struct page *pageptr; ++ unsigned long flags; + ++ spin_lock_irqsave(&rp->b_lock, flags); + offset = vmf->pgoff << PAGE_SHIFT; +- if (offset >= rp->b_size) ++ if (offset >= rp->b_size) { ++ spin_unlock_irqrestore(&rp->b_lock, flags); + return VM_FAULT_SIGBUS; ++ } + chunk_idx = offset / CHUNK_SIZE; + pageptr = rp->b_vec[chunk_idx].pg; + get_page(pageptr); + vmf->page = pageptr; ++ spin_unlock_irqrestore(&rp->b_lock, flags); + return 0; + } + diff --git a/queue-5.10/usb-phy-mxs-remove-config_usb_otg-condition-for-mxs_phy_is_otg_host.patch b/queue-5.10/usb-phy-mxs-remove-config_usb_otg-condition-for-mxs_phy_is_otg_host.patch new file mode 100644 index 00000000000..ee2ce072553 --- /dev/null +++ b/queue-5.10/usb-phy-mxs-remove-config_usb_otg-condition-for-mxs_phy_is_otg_host.patch @@ -0,0 +1,36 @@ +From ff2b89de471da942a4d853443688113a44fd35ed Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Thu, 28 Dec 2023 19:07:53 +0800 +Subject: usb: phy: mxs: remove CONFIG_USB_OTG condition for mxs_phy_is_otg_host() + +From: Xu Yang + +commit ff2b89de471da942a4d853443688113a44fd35ed upstream. + +When CONFIG_USB_OTG is not set, mxs_phy_is_otg_host() will always return +false. This behaviour is wrong. Since phy.last_event will always be set +for either host or device mode. Therefore, CONFIG_USB_OTG condition +can be removed. + +Fixes: 5eda42aebb76 ("usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host()") +cc: +Acked-by: Peter Chen +Signed-off-by: Xu Yang +Link: https://lore.kernel.org/r/20231228110753.1755756-3-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/phy/phy-mxs-usb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/usb/phy/phy-mxs-usb.c ++++ b/drivers/usb/phy/phy-mxs-usb.c +@@ -388,8 +388,7 @@ static void __mxs_phy_disconnect_line(st + + static bool mxs_phy_is_otg_host(struct mxs_phy *mxs_phy) + { +- return IS_ENABLED(CONFIG_USB_OTG) && +- mxs_phy->phy.last_event == USB_EVENT_ID; ++ return mxs_phy->phy.last_event == USB_EVENT_ID; + } + + static void mxs_phy_disconnect_line(struct mxs_phy *mxs_phy, bool on) diff --git a/queue-5.10/usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch b/queue-5.10/usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch new file mode 100644 index 00000000000..9478a50bb55 --- /dev/null +++ b/queue-5.10/usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch @@ -0,0 +1,71 @@ +From 5962ded777d689cd8bf04454273e32228d7fb71f Mon Sep 17 00:00:00 2001 +From: RD Babiera +Date: Wed, 3 Jan 2024 18:17:55 +0000 +Subject: usb: typec: class: fix typec_altmode_put_partner to put plugs + +From: RD Babiera + +commit 5962ded777d689cd8bf04454273e32228d7fb71f upstream. + +When typec_altmode_put_partner is called by a plug altmode upon release, +the port altmode the plug belongs to will not remove its reference to the +plug. The check to see if the altmode being released is a plug evaluates +against the released altmode's partner instead of the calling altmode, so +change adev in typec_altmode_put_partner to properly refer to the altmode +being released. + +Because typec_altmode_set_partner calls get_device() on the port altmode, +add partner_adev that points to the port altmode in typec_put_partner to +call put_device() on. typec_altmode_set_partner is not called for port +altmodes, so add a check in typec_altmode_release to prevent +typec_altmode_put_partner() calls on port altmode release. + +Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes") +Cc: +Co-developed-by: Christian A. Ehrhardt +Signed-off-by: Christian A. Ehrhardt +Signed-off-by: RD Babiera +Tested-by: Christian A. Ehrhardt +Acked-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20240103181754.2492492-2-rdbabiera@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/class.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/usb/typec/class.c ++++ b/drivers/usb/typec/class.c +@@ -190,11 +190,13 @@ static void typec_altmode_put_partner(st + { + struct altmode *partner = altmode->partner; + struct typec_altmode *adev; ++ struct typec_altmode *partner_adev; + + if (!partner) + return; + +- adev = &partner->adev; ++ adev = &altmode->adev; ++ partner_adev = &partner->adev; + + if (is_typec_plug(adev->dev.parent)) { + struct typec_plug *plug = to_typec_plug(adev->dev.parent); +@@ -203,7 +205,7 @@ static void typec_altmode_put_partner(st + } else { + partner->partner = NULL; + } +- put_device(&adev->dev); ++ put_device(&partner_adev->dev); + } + + /** +@@ -424,7 +426,8 @@ static void typec_altmode_release(struct + { + struct altmode *alt = to_altmode(to_typec_altmode(dev)); + +- typec_altmode_put_partner(alt); ++ if (!is_typec_port(dev->parent)) ++ typec_altmode_put_partner(alt); + + altmode_id_remove(alt->adev.dev.parent, alt->id); + kfree(alt); diff --git a/queue-5.10/xen-netback-don-t-produce-zero-size-skb-frags.patch b/queue-5.10/xen-netback-don-t-produce-zero-size-skb-frags.patch new file mode 100644 index 00000000000..8371956c076 --- /dev/null +++ b/queue-5.10/xen-netback-don-t-produce-zero-size-skb-frags.patch @@ -0,0 +1,106 @@ +From 399537842ec57480149e8484d9641701fb67b5ec Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Mon, 8 Jan 2024 10:38:12 +0100 +Subject: xen-netback: don't produce zero-size SKB frags + +From: Jan Beulich + +commit c7ec4f2d684e17d69bbdd7c4324db0ef5daac26a upstream. + +While frontends may submit zero-size requests (wasting a precious slot), +core networking code as of at least 3ece782693c4b ("sock: skb_copy_ubufs +support for compound pages") can't deal with SKBs when they have all +zero-size fragments. Respond to empty requests right when populating +fragments; all further processing is fragment based and hence won't +encounter these empty requests anymore. + +In a way this should have been that way from the beginning: When no data +is to be transferred for a particular request, there's not even a point +in validating the respective grant ref. That's no different from e.g. +passing NULL into memcpy() when at the same time the size is 0. + +This is XSA-448 / CVE-2023-46838. + +Cc: stable@vger.kernel.org +Signed-off-by: Jan Beulich +Reviewed-by: Juergen Gross +Reviewed-by: Paul Durrant +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/netback.c | 44 ++++++++++++++++++++++++++++++++------ + 1 file changed, 38 insertions(+), 6 deletions(-) + +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -463,12 +463,25 @@ static void xenvif_get_requests(struct x + } + + for (shinfo->nr_frags = 0; nr_slots > 0 && shinfo->nr_frags < MAX_SKB_FRAGS; +- shinfo->nr_frags++, gop++, nr_slots--) { ++ nr_slots--) { ++ if (unlikely(!txp->size)) { ++ unsigned long flags; ++ ++ spin_lock_irqsave(&queue->response_lock, flags); ++ make_tx_response(queue, txp, 0, XEN_NETIF_RSP_OKAY); ++ push_tx_responses(queue); ++ spin_unlock_irqrestore(&queue->response_lock, flags); ++ ++txp; ++ continue; ++ } ++ + index = pending_index(queue->pending_cons++); + pending_idx = queue->pending_ring[index]; + xenvif_tx_create_map_op(queue, pending_idx, txp, + txp == first ? extra_count : 0, gop); + frag_set_pending_idx(&frags[shinfo->nr_frags], pending_idx); ++ ++shinfo->nr_frags; ++ ++gop; + + if (txp == first) + txp = txfrags; +@@ -481,20 +494,39 @@ static void xenvif_get_requests(struct x + shinfo = skb_shinfo(nskb); + frags = shinfo->frags; + +- for (shinfo->nr_frags = 0; shinfo->nr_frags < nr_slots; +- shinfo->nr_frags++, txp++, gop++) { ++ for (shinfo->nr_frags = 0; shinfo->nr_frags < nr_slots; ++txp) { ++ if (unlikely(!txp->size)) { ++ unsigned long flags; ++ ++ spin_lock_irqsave(&queue->response_lock, flags); ++ make_tx_response(queue, txp, 0, ++ XEN_NETIF_RSP_OKAY); ++ push_tx_responses(queue); ++ spin_unlock_irqrestore(&queue->response_lock, ++ flags); ++ continue; ++ } ++ + index = pending_index(queue->pending_cons++); + pending_idx = queue->pending_ring[index]; + xenvif_tx_create_map_op(queue, pending_idx, txp, 0, + gop); + frag_set_pending_idx(&frags[shinfo->nr_frags], + pending_idx); ++ ++shinfo->nr_frags; ++ ++gop; + } + +- skb_shinfo(skb)->frag_list = nskb; +- } else if (nskb) { ++ if (shinfo->nr_frags) { ++ skb_shinfo(skb)->frag_list = nskb; ++ nskb = NULL; ++ } ++ } ++ ++ if (nskb) { + /* A frag_list skb was allocated but it is no longer needed +- * because enough slots were converted to copy ops above. ++ * because enough slots were converted to copy ops above or some ++ * were empty. + */ + kfree_skb(nskb); + }