From: Greg Kroah-Hartman Date: Mon, 22 Jan 2024 18:46:42 +0000 (-0800) Subject: 4.19-stable patches X-Git-Tag: v4.19.306~81 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c0b402c25d82d6e927a97541de12b9f2fcc7c35a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: binder-fix-race-between-mmput-and-do_exit.patch binder-fix-unused-alloc-free_async_space.patch revert-usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch revert-usb-dwc3-soft-reset-phy-on-probe-for-host.patch revert-usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch tick-sched-fix-idle-and-iowait-sleeptime-accounting-vs-cpu-hotplug.patch usb-chipidea-wait-controller-resume-finished-for-wakeup-irq.patch usb-dwc-ep0-update-request-status-in-dwc3_ep0_stall_restart.patch usb-phy-mxs-remove-config_usb_otg-condition-for-mxs_phy_is_otg_host.patch usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch xen-netback-don-t-produce-zero-size-skb-frags.patch --- diff --git a/queue-4.19/binder-fix-race-between-mmput-and-do_exit.patch b/queue-4.19/binder-fix-race-between-mmput-and-do_exit.patch new file mode 100644 index 00000000000..392b402c490 --- /dev/null +++ b/queue-4.19/binder-fix-race-between-mmput-and-do_exit.patch @@ -0,0 +1,68 @@ +From 9a9ab0d963621d9d12199df9817e66982582d5a5 Mon Sep 17 00:00:00 2001 +From: Carlos Llamas +Date: Fri, 1 Dec 2023 17:21:32 +0000 +Subject: binder: fix race between mmput() and do_exit() + +From: Carlos Llamas + +commit 9a9ab0d963621d9d12199df9817e66982582d5a5 upstream. + +Task A calls binder_update_page_range() to allocate and insert pages on +a remote address space from Task B. For this, Task A pins the remote mm +via mmget_not_zero() first. This can race with Task B do_exit() and the +final mmput() refcount decrement will come from Task A. + + Task A | Task B + ------------------+------------------ + mmget_not_zero() | + | do_exit() + | exit_mm() + | mmput() + mmput() | + exit_mmap() | + remove_vma() | + fput() | + +In this case, the work of ____fput() from Task B is queued up in Task A +as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup +work gets executed. However, Task A instead sleep, waiting for a reply +from Task B that never comes (it's dead). + +This means the binder_deferred_release() is blocked until an unrelated +binder event forces Task A to go back to userspace. All the associated +death notifications will also be delayed until then. + +In order to fix this use mmput_async() that will schedule the work in +the corresponding mm->async_put_work WQ instead of Task A. + +Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") +Reviewed-by: Alice Ryhl +Signed-off-by: Carlos Llamas +Link: https://lore.kernel.org/r/20231201172212.1813387-4-cmllamas@google.com +[cmllamas: fix trivial conflict with missing d8ed45c5dcd4.] +Signed-off-by: Carlos Llamas +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder_alloc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -290,7 +290,7 @@ static int binder_update_page_range(stru + } + if (mm) { + up_read(&mm->mmap_sem); +- mmput(mm); ++ mmput_async(mm); + } + return 0; + +@@ -325,7 +325,7 @@ err_page_ptr_cleared: + err_no_vma: + if (mm) { + up_read(&mm->mmap_sem); +- mmput(mm); ++ mmput_async(mm); + } + return vma ? -ENOMEM : -ESRCH; + } diff --git a/queue-4.19/binder-fix-unused-alloc-free_async_space.patch b/queue-4.19/binder-fix-unused-alloc-free_async_space.patch new file mode 100644 index 00000000000..bc78e216430 --- /dev/null +++ b/queue-4.19/binder-fix-unused-alloc-free_async_space.patch @@ -0,0 +1,73 @@ +From c6d05e0762ab276102246d24affd1e116a46aa0c Mon Sep 17 00:00:00 2001 +From: Carlos Llamas +Date: Fri, 1 Dec 2023 17:21:34 +0000 +Subject: binder: fix unused alloc->free_async_space + +From: Carlos Llamas + +commit c6d05e0762ab276102246d24affd1e116a46aa0c upstream. + +Each transaction is associated with a 'struct binder_buffer' that stores +the metadata about its buffer area. Since commit 74310e06be4d ("android: +binder: Move buffer out of area shared with user space") this struct is +no longer embedded within the buffer itself but is instead allocated on +the heap to prevent userspace access to this driver-exclusive info. + +Unfortunately, the space of this struct is still being accounted for in +the total buffer size calculation, specifically for async transactions. +This results in an additional 104 bytes added to every async buffer +request, and this area is never used. + +This wasted space can be substantial. If we consider the maximum mmap +buffer space of SZ_4M, the driver will reserve half of it for async +transactions, or 0x200000. This area should, in theory, accommodate up +to 262,144 buffers of the minimum 8-byte size. However, after adding +the extra 'sizeof(struct binder_buffer)', the total number of buffers +drops to only 18,724, which is a sad 7.14% of the actual capacity. + +This patch fixes the buffer size calculation to enable the utilization +of the entire async buffer space. This is expected to reduce the number +of -ENOSPC errors that are seen on the field. + +Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space") +Signed-off-by: Carlos Llamas +Reviewed-by: Alice Ryhl +Link: https://lore.kernel.org/r/20231201172212.1813387-6-cmllamas@google.com +[cmllamas: fix trivial conflict with missing 261e7818f06e.] +Signed-off-by: Carlos Llamas +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder_alloc.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -402,8 +402,7 @@ static struct binder_buffer *binder_allo + /* Pad 0-size buffers so they get assigned unique addresses */ + size = max(size, sizeof(void *)); + +- if (is_async && +- alloc->free_async_space < size + sizeof(struct binder_buffer)) { ++ if (is_async && alloc->free_async_space < size) { + binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, + "%d: binder_alloc_buf size %zd failed, no async space left\n", + alloc->pid, size); +@@ -509,7 +508,7 @@ static struct binder_buffer *binder_allo + buffer->async_transaction = is_async; + buffer->extra_buffers_size = extra_buffers_size; + if (is_async) { +- alloc->free_async_space -= size + sizeof(struct binder_buffer); ++ alloc->free_async_space -= size; + binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, + "%d: binder_alloc_buf size %zd async free %zd\n", + alloc->pid, size, alloc->free_async_space); +@@ -631,8 +630,7 @@ static void binder_free_buf_locked(struc + BUG_ON(buffer->data > alloc->buffer + alloc->buffer_size); + + if (buffer->async_transaction) { +- alloc->free_async_space += buffer_size + sizeof(struct binder_buffer); +- ++ alloc->free_async_space += buffer_size; + binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, + "%d: binder_free_buf size %zd async free %zd\n", + alloc->pid, size, alloc->free_async_space); diff --git a/queue-4.19/revert-usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch b/queue-4.19/revert-usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch new file mode 100644 index 00000000000..c5cea0891ca --- /dev/null +++ b/queue-4.19/revert-usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch @@ -0,0 +1,42 @@ +From afe28cd686aeb77e8d9140d50fb1cf06a7ecb731 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Fri, 22 Dec 2023 22:11:33 +0000 +Subject: Revert "usb: dwc3: don't reset device side if dwc3 was configured as host-only" + +From: Thinh Nguyen + +commit afe28cd686aeb77e8d9140d50fb1cf06a7ecb731 upstream. + +This reverts commit e835c0a4e23c38531dcee5ef77e8d1cf462658c7. + +Don't omit soft-reset. During initialization, the driver may need to +perform a soft reset to ensure the phy is ready when the controller +updates the GCTL.PRTCAPDIR or other settings by issuing phy soft-reset. +Many platforms often have access to DCTL register for soft-reset despite +being host-only. If there are actual reported issues from the platforms +that don't expose DCTL registers, then we will need to revisit (perhaps +to teach dwc3 to perform xhci's soft-reset USBCMD.HCRST). + +Cc: +Fixes: e835c0a4e23c ("usb: dwc3: don't reset device side if dwc3 was configured as host-only") +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/7668ab11a48f260820825274976eb41fec7f54d1.1703282469.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -242,9 +242,9 @@ static int dwc3_core_soft_reset(struct d + /* + * We're resetting only the device side because, if we're in host mode, + * XHCI driver will reset the host block. If dwc3 was configured for +- * host-only mode or current role is host, then we can return early. ++ * host-only mode, then we can return early. + */ +- if (dwc->dr_mode == USB_DR_MODE_HOST || dwc->current_dr_role == DWC3_GCTL_PRTCAP_HOST) ++ if (dwc->current_dr_role == DWC3_GCTL_PRTCAP_HOST) + return 0; + + reg = dwc3_readl(dwc->regs, DWC3_DCTL); diff --git a/queue-4.19/revert-usb-dwc3-soft-reset-phy-on-probe-for-host.patch b/queue-4.19/revert-usb-dwc3-soft-reset-phy-on-probe-for-host.patch new file mode 100644 index 00000000000..70aa703ba93 --- /dev/null +++ b/queue-4.19/revert-usb-dwc3-soft-reset-phy-on-probe-for-host.patch @@ -0,0 +1,78 @@ +From 7059fbebcb00554c3f31e5b5d93ef6d2d96dc7b4 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Fri, 22 Dec 2023 22:11:27 +0000 +Subject: Revert "usb: dwc3: Soft reset phy on probe for host" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thinh Nguyen + +commit 7059fbebcb00554c3f31e5b5d93ef6d2d96dc7b4 upstream. + +This reverts commit 8bea147dfdf823eaa8d3baeccc7aeb041b41944b. + +The phy soft reset GUSB2PHYCFG.PHYSOFTRST only applies to UTMI phy, not +ULPI. This fix is incomplete. + +Cc: +Fixes: 8bea147dfdf8 ("usb: dwc3: Soft reset phy on probe for host") +Reported-by: Köry Maincent +Closes: https://lore.kernel.org/linux-usb/20231205151959.5236c231@kmaincent-XPS-13-7390 +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/29a26593a60eba727de872a3e580a674807b3339.1703282469.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 39 +-------------------------------------- + 1 file changed, 1 insertion(+), 38 deletions(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -244,46 +244,9 @@ static int dwc3_core_soft_reset(struct d + * XHCI driver will reset the host block. If dwc3 was configured for + * host-only mode or current role is host, then we can return early. + */ +- if (dwc->current_dr_role == DWC3_GCTL_PRTCAP_HOST) ++ if (dwc->dr_mode == USB_DR_MODE_HOST || dwc->current_dr_role == DWC3_GCTL_PRTCAP_HOST) + return 0; + +- /* +- * If the dr_mode is host and the dwc->current_dr_role is not the +- * corresponding DWC3_GCTL_PRTCAP_HOST, then the dwc3_core_init_mode +- * isn't executed yet. Ensure the phy is ready before the controller +- * updates the GCTL.PRTCAPDIR or other settings by soft-resetting +- * the phy. +- * +- * Note: GUSB3PIPECTL[n] and GUSB2PHYCFG[n] are port settings where n +- * is port index. If this is a multiport host, then we need to reset +- * all active ports. +- */ +- if (dwc->dr_mode == USB_DR_MODE_HOST) { +- u32 usb3_port; +- u32 usb2_port; +- +- usb3_port = dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0)); +- usb3_port |= DWC3_GUSB3PIPECTL_PHYSOFTRST; +- dwc3_writel(dwc->regs, DWC3_GUSB3PIPECTL(0), usb3_port); +- +- usb2_port = dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)); +- usb2_port |= DWC3_GUSB2PHYCFG_PHYSOFTRST; +- dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), usb2_port); +- +- /* Small delay for phy reset assertion */ +- usleep_range(1000, 2000); +- +- usb3_port &= ~DWC3_GUSB3PIPECTL_PHYSOFTRST; +- dwc3_writel(dwc->regs, DWC3_GUSB3PIPECTL(0), usb3_port); +- +- usb2_port &= ~DWC3_GUSB2PHYCFG_PHYSOFTRST; +- dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), usb2_port); +- +- /* Wait for clock synchronization */ +- msleep(50); +- return 0; +- } +- + reg = dwc3_readl(dwc->regs, DWC3_DCTL); + reg |= DWC3_DCTL_CSFTRST; + dwc3_writel(dwc->regs, DWC3_DCTL, reg); diff --git a/queue-4.19/revert-usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch b/queue-4.19/revert-usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch new file mode 100644 index 00000000000..568065b1f1a --- /dev/null +++ b/queue-4.19/revert-usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch @@ -0,0 +1,47 @@ +From 9c6b789e954fae73c548f39332bcc56bdf0d4373 Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Tue, 2 Jan 2024 11:11:41 +0200 +Subject: Revert "usb: typec: class: fix typec_altmode_put_partner to put plugs" + +From: Heikki Krogerus + +commit 9c6b789e954fae73c548f39332bcc56bdf0d4373 upstream. + +This reverts commit b17b7fe6dd5c6ff74b38b0758ca799cdbb79e26e. + +That commit messed up the reference counting, so it needs to +be rethought. + +Fixes: b17b7fe6dd5c ("usb: typec: class: fix typec_altmode_put_partner to put plugs") +Cc: +Cc: RD Babiera +Reported-by: Chris Bainbridge +Closes: https://lore.kernel.org/lkml/CAP-bSRb3SXpgo_BEdqZB-p1K5625fMegRZ17ZkPE1J8ZYgEHDg@mail.gmail.com/ +Signed-off-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20240102091142.2136472-1-heikki.krogerus@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/class.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/usb/typec/class.c ++++ b/drivers/usb/typec/class.c +@@ -192,7 +192,7 @@ static void typec_altmode_put_partner(st + if (!partner) + return; + +- adev = &altmode->adev; ++ adev = &partner->adev; + + if (is_typec_plug(adev->dev.parent)) { + struct typec_plug *plug = to_typec_plug(adev->dev.parent); +@@ -459,8 +459,7 @@ static void typec_altmode_release(struct + { + struct altmode *alt = to_altmode(to_typec_altmode(dev)); + +- if (!is_typec_port(dev->parent)) +- typec_altmode_put_partner(alt); ++ typec_altmode_put_partner(alt); + + altmode_id_remove(alt->adev.dev.parent, alt->id); + kfree(alt); diff --git a/queue-4.19/series b/queue-4.19/series index 0ca7732baca..168afbdcc84 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -112,3 +112,14 @@ of-unittest-fix-of_count_phandle_with_args-expected-.patch binder-fix-async-space-check-for-0-sized-buffers.patch input-atkbd-use-ab83-as-id-when-skipping-the-getid-command.patch revert-asoc-atmel-remove-system-clock-tree-configuration-for-at91sam9g20ek.patch +xen-netback-don-t-produce-zero-size-skb-frags.patch +binder-fix-race-between-mmput-and-do_exit.patch +binder-fix-unused-alloc-free_async_space.patch +tick-sched-fix-idle-and-iowait-sleeptime-accounting-vs-cpu-hotplug.patch +usb-phy-mxs-remove-config_usb_otg-condition-for-mxs_phy_is_otg_host.patch +usb-dwc-ep0-update-request-status-in-dwc3_ep0_stall_restart.patch +revert-usb-dwc3-soft-reset-phy-on-probe-for-host.patch +revert-usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch +usb-chipidea-wait-controller-resume-finished-for-wakeup-irq.patch +revert-usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch +usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch diff --git a/queue-4.19/tick-sched-fix-idle-and-iowait-sleeptime-accounting-vs-cpu-hotplug.patch b/queue-4.19/tick-sched-fix-idle-and-iowait-sleeptime-accounting-vs-cpu-hotplug.patch new file mode 100644 index 00000000000..27e3f26a269 --- /dev/null +++ b/queue-4.19/tick-sched-fix-idle-and-iowait-sleeptime-accounting-vs-cpu-hotplug.patch @@ -0,0 +1,85 @@ +From 71fee48fb772ac4f6cfa63dbebc5629de8b4cc09 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Mon, 15 Jan 2024 17:35:55 +0100 +Subject: tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug + +From: Heiko Carstens + +commit 71fee48fb772ac4f6cfa63dbebc5629de8b4cc09 upstream. + +When offlining and onlining CPUs the overall reported idle and iowait +times as reported by /proc/stat jump backward and forward: + +cpu 132 0 176 225249 47 6 6 21 0 0 +cpu0 80 0 115 112575 33 3 4 18 0 0 +cpu1 52 0 60 112673 13 3 1 2 0 0 + +cpu 133 0 177 226681 47 6 6 21 0 0 +cpu0 80 0 116 113387 33 3 4 18 0 0 + +cpu 133 0 178 114431 33 6 6 21 0 0 <---- jump backward +cpu0 80 0 116 114247 33 3 4 18 0 0 +cpu1 52 0 61 183 0 3 1 2 0 0 <---- idle + iowait start with 0 + +cpu 133 0 178 228956 47 6 6 21 0 0 <---- jump forward +cpu0 81 0 117 114929 33 3 4 18 0 0 + +Reason for this is that get_idle_time() in fs/proc/stat.c has different +sources for both values depending on if a CPU is online or offline: + +- if a CPU is online the values may be taken from its per cpu + tick_cpu_sched structure + +- if a CPU is offline the values are taken from its per cpu cpustat + structure + +The problem is that the per cpu tick_cpu_sched structure is set to zero on +CPU offline. See tick_cancel_sched_timer() in kernel/time/tick-sched.c. + +Therefore when a CPU is brought offline and online afterwards both its idle +and iowait sleeptime will be zero, causing a jump backward in total system +idle and iowait sleeptime. In a similar way if a CPU is then brought +offline again the total idle and iowait sleeptimes will jump forward. + +It looks like this behavior was introduced with commit 4b0c0f294f60 +("tick: Cleanup NOHZ per cpu data on cpu down"). + +This was only noticed now on s390, since we switched to generic idle time +reporting with commit be76ea614460 ("s390/idle: remove arch_cpu_idle_time() +and corresponding code"). + +Fix this by preserving the values of idle_sleeptime and iowait_sleeptime +members of the per-cpu tick_sched structure on CPU hotplug. + +Fixes: 4b0c0f294f60 ("tick: Cleanup NOHZ per cpu data on cpu down") +Reported-by: Gerald Schaefer +Signed-off-by: Heiko Carstens +Signed-off-by: Thomas Gleixner +Reviewed-by: Frederic Weisbecker +Link: https://lore.kernel.org/r/20240115163555.1004144-1-hca@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/tick-sched.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -1345,13 +1345,18 @@ void tick_setup_sched_timer(void) + void tick_cancel_sched_timer(int cpu) + { + struct tick_sched *ts = &per_cpu(tick_cpu_sched, cpu); ++ ktime_t idle_sleeptime, iowait_sleeptime; + + # ifdef CONFIG_HIGH_RES_TIMERS + if (ts->sched_timer.base) + hrtimer_cancel(&ts->sched_timer); + # endif + ++ idle_sleeptime = ts->idle_sleeptime; ++ iowait_sleeptime = ts->iowait_sleeptime; + memset(ts, 0, sizeof(*ts)); ++ ts->idle_sleeptime = idle_sleeptime; ++ ts->iowait_sleeptime = iowait_sleeptime; + } + #endif + diff --git a/queue-4.19/usb-chipidea-wait-controller-resume-finished-for-wakeup-irq.patch b/queue-4.19/usb-chipidea-wait-controller-resume-finished-for-wakeup-irq.patch new file mode 100644 index 00000000000..70c41650a9f --- /dev/null +++ b/queue-4.19/usb-chipidea-wait-controller-resume-finished-for-wakeup-irq.patch @@ -0,0 +1,46 @@ +From 128d849074d05545becf86e713715ce7676fc074 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Thu, 28 Dec 2023 19:07:52 +0800 +Subject: usb: chipidea: wait controller resume finished for wakeup irq + +From: Xu Yang + +commit 128d849074d05545becf86e713715ce7676fc074 upstream. + +After the chipidea driver introduce extcon for id and vbus, it's able +to wakeup from another irq source, in case the system with extcon ID +cable, wakeup from usb ID cable and device removal, the usb device +disconnect irq may come firstly before the extcon notifier while system +resume, so we will get 2 "wakeup" irq, one for usb device disconnect; +and one for extcon ID cable change(real wakeup event), current driver +treat them as 2 successive wakeup irq so can't handle it correctly, then +finally the usb irq can't be enabled. This patch adds a check to bypass +further usb events before controller resume finished to fix it. + +Fixes: 1f874edcb731 ("usb: chipidea: add runtime power management support") +cc: +Acked-by: Peter Chen +Signed-off-by: Xu Yang +Signed-off-by: Li Jun +Link: https://lore.kernel.org/r/20231228110753.1755756-2-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/core.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -539,6 +539,13 @@ static irqreturn_t ci_irq_handler(int ir + u32 otgsc = 0; + + if (ci->in_lpm) { ++ /* ++ * If we already have a wakeup irq pending there, ++ * let's just return to wait resume finished firstly. ++ */ ++ if (ci->wakeup_int) ++ return IRQ_HANDLED; ++ + disable_irq_nosync(irq); + ci->wakeup_int = true; + pm_runtime_get(ci->dev); diff --git a/queue-4.19/usb-dwc-ep0-update-request-status-in-dwc3_ep0_stall_restart.patch b/queue-4.19/usb-dwc-ep0-update-request-status-in-dwc3_ep0_stall_restart.patch new file mode 100644 index 00000000000..589f65309f1 --- /dev/null +++ b/queue-4.19/usb-dwc-ep0-update-request-status-in-dwc3_ep0_stall_restart.patch @@ -0,0 +1,57 @@ +From e9d40b215e38480fd94c66b06d79045717a59e9c Mon Sep 17 00:00:00 2001 +From: Uttkarsh Aggarwal +Date: Fri, 22 Dec 2023 15:17:04 +0530 +Subject: usb: dwc: ep0: Update request status in dwc3_ep0_stall_restart + +From: Uttkarsh Aggarwal + +commit e9d40b215e38480fd94c66b06d79045717a59e9c upstream. + +Current implementation blocks the running operations when Plug-out and +Plug-In is performed continuously, process gets stuck in +dwc3_thread_interrupt(). + +Code Flow: + + CPU1 + + ->Gadget_start + ->dwc3_interrupt + ->dwc3_thread_interrupt + ->dwc3_process_event_buf + ->dwc3_process_event_entry + ->dwc3_endpoint_interrupt + ->dwc3_ep0_interrupt + ->dwc3_ep0_inspect_setup + ->dwc3_ep0_stall_and_restart + +By this time if pending_list is not empty, it will get the next request +on the given list and calls dwc3_gadget_giveback which will unmap request +and call its complete() callback to notify upper layers that it has +completed. Currently dwc3_gadget_giveback status is set to -ECONNRESET, +whereas it should be -ESHUTDOWN based on condition if not dwc->connected +is true. + +Cc: +Fixes: d742220b3577 ("usb: dwc3: ep0: giveback requests on stall_and_restart") +Signed-off-by: Uttkarsh Aggarwal +Link: https://lore.kernel.org/r/20231222094704.20276-1-quic_uaggarwa@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/ep0.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/ep0.c ++++ b/drivers/usb/dwc3/ep0.c +@@ -236,7 +236,10 @@ static void dwc3_ep0_stall_and_restart(s + struct dwc3_request *req; + + req = next_request(&dep->pending_list); +- dwc3_gadget_giveback(dep, req, -ECONNRESET); ++ if (!dwc->connected) ++ dwc3_gadget_giveback(dep, req, -ESHUTDOWN); ++ else ++ dwc3_gadget_giveback(dep, req, -ECONNRESET); + } + + dwc->ep0state = EP0_SETUP_PHASE; diff --git a/queue-4.19/usb-phy-mxs-remove-config_usb_otg-condition-for-mxs_phy_is_otg_host.patch b/queue-4.19/usb-phy-mxs-remove-config_usb_otg-condition-for-mxs_phy_is_otg_host.patch new file mode 100644 index 00000000000..dbf78feb9c4 --- /dev/null +++ b/queue-4.19/usb-phy-mxs-remove-config_usb_otg-condition-for-mxs_phy_is_otg_host.patch @@ -0,0 +1,36 @@ +From ff2b89de471da942a4d853443688113a44fd35ed Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Thu, 28 Dec 2023 19:07:53 +0800 +Subject: usb: phy: mxs: remove CONFIG_USB_OTG condition for mxs_phy_is_otg_host() + +From: Xu Yang + +commit ff2b89de471da942a4d853443688113a44fd35ed upstream. + +When CONFIG_USB_OTG is not set, mxs_phy_is_otg_host() will always return +false. This behaviour is wrong. Since phy.last_event will always be set +for either host or device mode. Therefore, CONFIG_USB_OTG condition +can be removed. + +Fixes: 5eda42aebb76 ("usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host()") +cc: +Acked-by: Peter Chen +Signed-off-by: Xu Yang +Link: https://lore.kernel.org/r/20231228110753.1755756-3-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/phy/phy-mxs-usb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/usb/phy/phy-mxs-usb.c ++++ b/drivers/usb/phy/phy-mxs-usb.c +@@ -312,8 +312,7 @@ static void __mxs_phy_disconnect_line(st + + static bool mxs_phy_is_otg_host(struct mxs_phy *mxs_phy) + { +- return IS_ENABLED(CONFIG_USB_OTG) && +- mxs_phy->phy.last_event == USB_EVENT_ID; ++ return mxs_phy->phy.last_event == USB_EVENT_ID; + } + + static void mxs_phy_disconnect_line(struct mxs_phy *mxs_phy, bool on) diff --git a/queue-4.19/usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch b/queue-4.19/usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch new file mode 100644 index 00000000000..f217465d1f1 --- /dev/null +++ b/queue-4.19/usb-typec-class-fix-typec_altmode_put_partner-to-put-plugs.patch @@ -0,0 +1,71 @@ +From 5962ded777d689cd8bf04454273e32228d7fb71f Mon Sep 17 00:00:00 2001 +From: RD Babiera +Date: Wed, 3 Jan 2024 18:17:55 +0000 +Subject: usb: typec: class: fix typec_altmode_put_partner to put plugs + +From: RD Babiera + +commit 5962ded777d689cd8bf04454273e32228d7fb71f upstream. + +When typec_altmode_put_partner is called by a plug altmode upon release, +the port altmode the plug belongs to will not remove its reference to the +plug. The check to see if the altmode being released is a plug evaluates +against the released altmode's partner instead of the calling altmode, so +change adev in typec_altmode_put_partner to properly refer to the altmode +being released. + +Because typec_altmode_set_partner calls get_device() on the port altmode, +add partner_adev that points to the port altmode in typec_put_partner to +call put_device() on. typec_altmode_set_partner is not called for port +altmodes, so add a check in typec_altmode_release to prevent +typec_altmode_put_partner() calls on port altmode release. + +Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes") +Cc: +Co-developed-by: Christian A. Ehrhardt +Signed-off-by: Christian A. Ehrhardt +Signed-off-by: RD Babiera +Tested-by: Christian A. Ehrhardt +Acked-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20240103181754.2492492-2-rdbabiera@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/class.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/usb/typec/class.c ++++ b/drivers/usb/typec/class.c +@@ -188,11 +188,13 @@ static void typec_altmode_put_partner(st + { + struct altmode *partner = altmode->partner; + struct typec_altmode *adev; ++ struct typec_altmode *partner_adev; + + if (!partner) + return; + +- adev = &partner->adev; ++ adev = &altmode->adev; ++ partner_adev = &partner->adev; + + if (is_typec_plug(adev->dev.parent)) { + struct typec_plug *plug = to_typec_plug(adev->dev.parent); +@@ -201,7 +203,7 @@ static void typec_altmode_put_partner(st + } else { + partner->partner = NULL; + } +- put_device(&adev->dev); ++ put_device(&partner_adev->dev); + } + + static int __typec_port_match(struct device *dev, const void *name) +@@ -459,7 +461,8 @@ static void typec_altmode_release(struct + { + struct altmode *alt = to_altmode(to_typec_altmode(dev)); + +- typec_altmode_put_partner(alt); ++ if (!is_typec_port(dev->parent)) ++ typec_altmode_put_partner(alt); + + altmode_id_remove(alt->adev.dev.parent, alt->id); + kfree(alt); diff --git a/queue-4.19/xen-netback-don-t-produce-zero-size-skb-frags.patch b/queue-4.19/xen-netback-don-t-produce-zero-size-skb-frags.patch new file mode 100644 index 00000000000..14b5a332229 --- /dev/null +++ b/queue-4.19/xen-netback-don-t-produce-zero-size-skb-frags.patch @@ -0,0 +1,106 @@ +From 1a420204d264d87f0e26cc6b84990937df0f2319 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Mon, 8 Jan 2024 11:00:14 +0100 +Subject: xen-netback: don't produce zero-size SKB frags + +From: Jan Beulich + +commit c7ec4f2d684e17d69bbdd7c4324db0ef5daac26a upstream. + +While frontends may submit zero-size requests (wasting a precious slot), +core networking code as of at least 3ece782693c4b ("sock: skb_copy_ubufs +support for compound pages") can't deal with SKBs when they have all +zero-size fragments. Respond to empty requests right when populating +fragments; all further processing is fragment based and hence won't +encounter these empty requests anymore. + +In a way this should have been that way from the beginning: When no data +is to be transferred for a particular request, there's not even a point +in validating the respective grant ref. That's no different from e.g. +passing NULL into memcpy() when at the same time the size is 0. + +This is XSA-448 / CVE-2023-46838. + +Cc: stable@vger.kernel.org +Signed-off-by: Jan Beulich +Reviewed-by: Juergen Gross +Reviewed-by: Paul Durrant +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/netback.c | 44 ++++++++++++++++++++++++++++++++------ + 1 file changed, 38 insertions(+), 6 deletions(-) + +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -456,12 +456,25 @@ static void xenvif_get_requests(struct x + } + + for (shinfo->nr_frags = 0; nr_slots > 0 && shinfo->nr_frags < MAX_SKB_FRAGS; +- shinfo->nr_frags++, gop++, nr_slots--) { ++ nr_slots--) { ++ if (unlikely(!txp->size)) { ++ unsigned long flags; ++ ++ spin_lock_irqsave(&queue->response_lock, flags); ++ make_tx_response(queue, txp, 0, XEN_NETIF_RSP_OKAY); ++ push_tx_responses(queue); ++ spin_unlock_irqrestore(&queue->response_lock, flags); ++ ++txp; ++ continue; ++ } ++ + index = pending_index(queue->pending_cons++); + pending_idx = queue->pending_ring[index]; + xenvif_tx_create_map_op(queue, pending_idx, txp, + txp == first ? extra_count : 0, gop); + frag_set_pending_idx(&frags[shinfo->nr_frags], pending_idx); ++ ++shinfo->nr_frags; ++ ++gop; + + if (txp == first) + txp = txfrags; +@@ -474,20 +487,39 @@ static void xenvif_get_requests(struct x + shinfo = skb_shinfo(nskb); + frags = shinfo->frags; + +- for (shinfo->nr_frags = 0; shinfo->nr_frags < nr_slots; +- shinfo->nr_frags++, txp++, gop++) { ++ for (shinfo->nr_frags = 0; shinfo->nr_frags < nr_slots; ++txp) { ++ if (unlikely(!txp->size)) { ++ unsigned long flags; ++ ++ spin_lock_irqsave(&queue->response_lock, flags); ++ make_tx_response(queue, txp, 0, ++ XEN_NETIF_RSP_OKAY); ++ push_tx_responses(queue); ++ spin_unlock_irqrestore(&queue->response_lock, ++ flags); ++ continue; ++ } ++ + index = pending_index(queue->pending_cons++); + pending_idx = queue->pending_ring[index]; + xenvif_tx_create_map_op(queue, pending_idx, txp, 0, + gop); + frag_set_pending_idx(&frags[shinfo->nr_frags], + pending_idx); ++ ++shinfo->nr_frags; ++ ++gop; + } + +- skb_shinfo(skb)->frag_list = nskb; +- } else if (nskb) { ++ if (shinfo->nr_frags) { ++ skb_shinfo(skb)->frag_list = nskb; ++ nskb = NULL; ++ } ++ } ++ ++ if (nskb) { + /* A frag_list skb was allocated but it is no longer needed +- * because enough slots were converted to copy ops above. ++ * because enough slots were converted to copy ops above or some ++ * were empty. + */ + kfree_skb(nskb); + }