From: Greg Kroah-Hartman Date: Tue, 28 Mar 2023 12:07:53 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.15.105~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c64c63bf0bd5b04e70645a30c3860b56ad95d10e;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: arm64-dts-imx8mm-nitrogen-r2-fix-wm8960-clock-name.patch dm-thin-fix-deadlock-when-swapping-to-thin-device.patch efi-sysfb_efi-fix-dmi-quirks-not-working-for-simpledrm.patch fscrypt-destroy-keyring-after-security_sb_delete.patch fsverity-remove-wq_unbound-from-fsverity-read-workqueue.patch igb-revert-rtnl_lock-that-causes-deadlock.patch kfence-avoid-passing-g-for-test.patch lockd-set-file_lock-start-and-end-when-decoding-nlm4-testargs.patch mm-slab-fix-undefined-init_cache_node_node-for-numa-and-smp.patch usb-cdns3-fix-issue-with-using-incorrect-pci-device-function.patch usb-cdnsp-changes-pci-device-id-to-fix-conflict-with-cnds3-driver.patch usb-cdnsp-fixes-issue-with-redundant-status-stage.patch usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch usb-typec-tcpm-fix-warning-when-handle-discover_identity-message.patch usb-ucsi-fix-null-pointer-deref-in-ucsi_connector_change.patch --- diff --git a/queue-5.15/arm64-dts-imx8mm-nitrogen-r2-fix-wm8960-clock-name.patch b/queue-5.15/arm64-dts-imx8mm-nitrogen-r2-fix-wm8960-clock-name.patch new file mode 100644 index 00000000000..037f644ecfa --- /dev/null +++ b/queue-5.15/arm64-dts-imx8mm-nitrogen-r2-fix-wm8960-clock-name.patch @@ -0,0 +1,37 @@ +From 32f86da7c86b27ebed31c24453a0713f612e43fb Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 17 Feb 2023 16:06:26 +0100 +Subject: arm64: dts: imx8mm-nitrogen-r2: fix WM8960 clock name + +From: Krzysztof Kozlowski + +commit 32f86da7c86b27ebed31c24453a0713f612e43fb upstream. + +The WM8960 Linux driver expects the clock to be named "mclk". Otherwise +the clock will be ignored and not prepared/enabled by the driver. + +Fixes: 40ba2eda0a7b ("arm64: dts: imx8mm-nitrogen-r2: add audio") +Cc: +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mm-nitrogen-r2.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mm-nitrogen-r2.dts b/arch/arm64/boot/dts/freescale/imx8mm-nitrogen-r2.dts +index 6357078185ed..0e8f0d7161ad 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mm-nitrogen-r2.dts ++++ b/arch/arm64/boot/dts/freescale/imx8mm-nitrogen-r2.dts +@@ -247,7 +247,7 @@ wm8960: codec@1a { + compatible = "wlf,wm8960"; + reg = <0x1a>; + clocks = <&clk IMX8MM_CLK_SAI1_ROOT>; +- clock-names = "mclk1"; ++ clock-names = "mclk"; + wlf,shared-lrclk; + #sound-dai-cells = <0>; + }; +-- +2.40.0 + diff --git a/queue-5.15/dm-thin-fix-deadlock-when-swapping-to-thin-device.patch b/queue-5.15/dm-thin-fix-deadlock-when-swapping-to-thin-device.patch new file mode 100644 index 00000000000..07b7b7a1416 --- /dev/null +++ b/queue-5.15/dm-thin-fix-deadlock-when-swapping-to-thin-device.patch @@ -0,0 +1,70 @@ +From 9bbf5feecc7eab2c370496c1c161bbfe62084028 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Mon, 27 Feb 2023 23:23:17 +0800 +Subject: dm thin: fix deadlock when swapping to thin device + +From: Coly Li + +commit 9bbf5feecc7eab2c370496c1c161bbfe62084028 upstream. + +This is an already known issue that dm-thin volume cannot be used as +swap, otherwise a deadlock may happen when dm-thin internal memory +demand triggers swap I/O on the dm-thin volume itself. + +But thanks to commit a666e5c05e7c ("dm: fix deadlock when swapping to +encrypted device"), the limit_swap_bios target flag can also be used +for dm-thin to avoid the recursive I/O when it is used as swap. + +Fix is to simply set ti->limit_swap_bios to true in both pool_ctr() +and thin_ctr(). + +In my test, I create a dm-thin volume /dev/vg/swap and use it as swap +device. Then I run fio on another dm-thin volume /dev/vg/main and use +large --blocksize to trigger swap I/O onto /dev/vg/swap. + +The following fio command line is used in my test, + fio --name recursive-swap-io --lockmem 1 --iodepth 128 \ + --ioengine libaio --filename /dev/vg/main --rw randrw \ + --blocksize 1M --numjobs 32 --time_based --runtime=12h + +Without this fix, the whole system can be locked up within 15 seconds. + +With this fix, there is no any deadlock or hung task observed after +2 hours of running fio. + +Furthermore, if blocksize is changed from 1M to 128M, after around 30 +seconds fio has no visible I/O, and the out-of-memory killer message +shows up in kernel message. After around 20 minutes all fio processes +are killed and the whole system is back to being alive. + +This is exactly what is expected when recursive I/O happens on dm-thin +volume when it is used as swap. + +Depends-on: a666e5c05e7c ("dm: fix deadlock when swapping to encrypted device") +Cc: stable@vger.kernel.org +Signed-off-by: Coly Li +Acked-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-thin.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -3383,6 +3383,7 @@ static int pool_ctr(struct dm_target *ti + pt->low_water_blocks = low_water_blocks; + pt->adjusted_pf = pt->requested_pf = pf; + ti->num_flush_bios = 1; ++ ti->limit_swap_bios = true; + + /* + * Only need to enable discards if the pool should pass +@@ -4263,6 +4264,7 @@ static int thin_ctr(struct dm_target *ti + goto bad; + + ti->num_flush_bios = 1; ++ ti->limit_swap_bios = true; + ti->flush_supported = true; + ti->per_io_data_size = sizeof(struct dm_thin_endio_hook); + diff --git a/queue-5.15/efi-sysfb_efi-fix-dmi-quirks-not-working-for-simpledrm.patch b/queue-5.15/efi-sysfb_efi-fix-dmi-quirks-not-working-for-simpledrm.patch new file mode 100644 index 00000000000..b87f760a058 --- /dev/null +++ b/queue-5.15/efi-sysfb_efi-fix-dmi-quirks-not-working-for-simpledrm.patch @@ -0,0 +1,112 @@ +From 3615c78673c332b69aaacefbcde5937c5c706686 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 14 Mar 2023 13:31:02 +0100 +Subject: efi: sysfb_efi: Fix DMI quirks not working for simpledrm + +From: Hans de Goede + +commit 3615c78673c332b69aaacefbcde5937c5c706686 upstream. + +Commit 8633ef82f101 ("drivers/firmware: consolidate EFI framebuffer setup +for all arches") moved the sysfb_apply_efi_quirks() call in sysfb_init() +from before the [sysfb_]parse_mode() call to after it. +But sysfb_apply_efi_quirks() modifies the global screen_info struct which +[sysfb_]parse_mode() parses, so doing it later is too late. + +This has broken all DMI based quirks for correcting wrong firmware efifb +settings when simpledrm is used. + +To fix this move the sysfb_apply_efi_quirks() call back to its old place +and split the new setup of the efifb_fwnode (which requires +the platform_device) into its own function and call that at +the place of the moved sysfb_apply_efi_quirks(pd) calls. + +Fixes: 8633ef82f101 ("drivers/firmware: consolidate EFI framebuffer setup for all arches") +Cc: stable@vger.kernel.org +Cc: Javier Martinez Canillas +Cc: Thomas Zimmermann +Signed-off-by: Hans de Goede +Reviewed-by: Javier Martinez Canillas +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/sysfb_efi.c | 5 ++++- + drivers/firmware/sysfb.c | 4 +++- + drivers/firmware/sysfb_simplefb.c | 2 +- + include/linux/sysfb.h | 9 +++++++-- + 4 files changed, 15 insertions(+), 5 deletions(-) + +--- a/drivers/firmware/efi/sysfb_efi.c ++++ b/drivers/firmware/efi/sysfb_efi.c +@@ -343,7 +343,7 @@ static const struct fwnode_operations ef + #ifdef CONFIG_EFI + static struct fwnode_handle efifb_fwnode; + +-__init void sysfb_apply_efi_quirks(struct platform_device *pd) ++__init void sysfb_apply_efi_quirks(void) + { + if (screen_info.orig_video_isVGA != VIDEO_TYPE_EFI || + !(screen_info.capabilities & VIDEO_CAPABILITY_SKIP_QUIRKS)) +@@ -357,7 +357,10 @@ __init void sysfb_apply_efi_quirks(struc + screen_info.lfb_height = temp; + screen_info.lfb_linelength = 4 * screen_info.lfb_width; + } ++} + ++__init void sysfb_set_efifb_fwnode(struct platform_device *pd) ++{ + if (screen_info.orig_video_isVGA == VIDEO_TYPE_EFI && IS_ENABLED(CONFIG_PCI)) { + fwnode_init(&efifb_fwnode, &efifb_fwnode_ops); + pd->dev.fwnode = &efifb_fwnode; +--- a/drivers/firmware/sysfb.c ++++ b/drivers/firmware/sysfb.c +@@ -81,6 +81,8 @@ static __init int sysfb_init(void) + if (disabled) + goto unlock_mutex; + ++ sysfb_apply_efi_quirks(); ++ + /* try to create a simple-framebuffer device */ + compatible = sysfb_parse_mode(si, &mode); + if (compatible) { +@@ -103,7 +105,7 @@ static __init int sysfb_init(void) + goto unlock_mutex; + } + +- sysfb_apply_efi_quirks(pd); ++ sysfb_set_efifb_fwnode(pd); + + ret = platform_device_add_data(pd, si, sizeof(*si)); + if (ret) +--- a/drivers/firmware/sysfb_simplefb.c ++++ b/drivers/firmware/sysfb_simplefb.c +@@ -110,7 +110,7 @@ __init struct platform_device *sysfb_cre + if (!pd) + return ERR_PTR(-ENOMEM); + +- sysfb_apply_efi_quirks(pd); ++ sysfb_set_efifb_fwnode(pd); + + ret = platform_device_add_resources(pd, &res, 1); + if (ret) +--- a/include/linux/sysfb.h ++++ b/include/linux/sysfb.h +@@ -70,11 +70,16 @@ static inline void sysfb_disable(void) + #ifdef CONFIG_EFI + + extern struct efifb_dmi_info efifb_dmi_list[]; +-void sysfb_apply_efi_quirks(struct platform_device *pd); ++void sysfb_apply_efi_quirks(void); ++void sysfb_set_efifb_fwnode(struct platform_device *pd); + + #else /* CONFIG_EFI */ + +-static inline void sysfb_apply_efi_quirks(struct platform_device *pd) ++static inline void sysfb_apply_efi_quirks(void) ++{ ++} ++ ++static inline void sysfb_set_efifb_fwnode(struct platform_device *pd) + { + } + diff --git a/queue-5.15/fscrypt-destroy-keyring-after-security_sb_delete.patch b/queue-5.15/fscrypt-destroy-keyring-after-security_sb_delete.patch new file mode 100644 index 00000000000..e2dd8bad34a --- /dev/null +++ b/queue-5.15/fscrypt-destroy-keyring-after-security_sb_delete.patch @@ -0,0 +1,58 @@ +From ccb820dc7d2236b1af0d54ae038a27b5b6d5ae5a Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 13 Mar 2023 15:12:29 -0700 +Subject: fscrypt: destroy keyring after security_sb_delete() + +From: Eric Biggers + +commit ccb820dc7d2236b1af0d54ae038a27b5b6d5ae5a upstream. + +fscrypt_destroy_keyring() must be called after all potentially-encrypted +inodes were evicted; otherwise it cannot safely destroy the keyring. +Since inodes that are in-use by the Landlock LSM don't get evicted until +security_sb_delete(), this means that fscrypt_destroy_keyring() must be +called *after* security_sb_delete(). + +This fixes a WARN_ON followed by a NULL dereference, only possible if +Landlock was being used on encrypted files. + +Fixes: d7e7b9af104c ("fscrypt: stop using keyrings subsystem for fscrypt_master_key") +Cc: stable@vger.kernel.org +Reported-by: syzbot+93e495f6a4f748827c88@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/00000000000044651705f6ca1e30@google.com +Reviewed-by: Christian Brauner +Link: https://lore.kernel.org/r/20230313221231.272498-2-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + fs/super.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/fs/super.c ++++ b/fs/super.c +@@ -450,13 +450,22 @@ void generic_shutdown_super(struct super + + cgroup_writeback_umount(); + +- /* evict all inodes with zero refcount */ ++ /* Evict all inodes with zero refcount. */ + evict_inodes(sb); +- /* only nonzero refcount inodes can have marks */ ++ ++ /* ++ * Clean up and evict any inodes that still have references due ++ * to fsnotify or the security policy. ++ */ + fsnotify_sb_delete(sb); +- fscrypt_destroy_keyring(sb); + security_sb_delete(sb); + ++ /* ++ * Now that all potentially-encrypted inodes have been evicted, ++ * the fscrypt keyring can be destroyed. ++ */ ++ fscrypt_destroy_keyring(sb); ++ + if (sb->s_dio_done_wq) { + destroy_workqueue(sb->s_dio_done_wq); + sb->s_dio_done_wq = NULL; diff --git a/queue-5.15/fsverity-remove-wq_unbound-from-fsverity-read-workqueue.patch b/queue-5.15/fsverity-remove-wq_unbound-from-fsverity-read-workqueue.patch new file mode 100644 index 00000000000..d1d1604861b --- /dev/null +++ b/queue-5.15/fsverity-remove-wq_unbound-from-fsverity-read-workqueue.patch @@ -0,0 +1,62 @@ +From f959325e6ac3f499450088b8d9c626d1177be160 Mon Sep 17 00:00:00 2001 +From: Nathan Huckleberry +Date: Fri, 10 Mar 2023 11:33:25 -0800 +Subject: fsverity: Remove WQ_UNBOUND from fsverity read workqueue + +From: Nathan Huckleberry + +commit f959325e6ac3f499450088b8d9c626d1177be160 upstream. + +WQ_UNBOUND causes significant scheduler latency on ARM64/Android. This +is problematic for latency sensitive workloads, like I/O +post-processing. + +Removing WQ_UNBOUND gives a 96% reduction in fsverity workqueue related +scheduler latency and improves app cold startup times by ~30ms. +WQ_UNBOUND was also removed from the dm-verity workqueue for the same +reason [1]. + +This code was tested by running Android app startup benchmarks and +measuring how long the fsverity workqueue spent in the runnable state. + +Before +Total workqueue scheduler latency: 553800us +After +Total workqueue scheduler latency: 18962us + +[1]: https://lore.kernel.org/all/20230202012348.885402-1-nhuck@google.com/ + +Signed-off-by: Nathan Huckleberry +Fixes: 8a1d0f9cacc9 ("fs-verity: add data verification hooks for ->readpages()") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230310193325.620493-1-nhuck@google.com +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + fs/verity/verify.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/fs/verity/verify.c ++++ b/fs/verity/verify.c +@@ -279,15 +279,15 @@ EXPORT_SYMBOL_GPL(fsverity_enqueue_verif + int __init fsverity_init_workqueue(void) + { + /* +- * Use an unbound workqueue to allow bios to be verified in parallel +- * even when they happen to complete on the same CPU. This sacrifices +- * locality, but it's worthwhile since hashing is CPU-intensive. ++ * Use a high-priority workqueue to prioritize verification work, which ++ * blocks reads from completing, over regular application tasks. + * +- * Also use a high-priority workqueue to prioritize verification work, +- * which blocks reads from completing, over regular application tasks. ++ * For performance reasons, don't use an unbound workqueue. Using an ++ * unbound workqueue for crypto operations causes excessive scheduler ++ * latency on ARM64. + */ + fsverity_read_workqueue = alloc_workqueue("fsverity_read_queue", +- WQ_UNBOUND | WQ_HIGHPRI, ++ WQ_HIGHPRI, + num_online_cpus()); + if (!fsverity_read_workqueue) + return -ENOMEM; diff --git a/queue-5.15/igb-revert-rtnl_lock-that-causes-deadlock.patch b/queue-5.15/igb-revert-rtnl_lock-that-causes-deadlock.patch new file mode 100644 index 00000000000..a06a2b56902 --- /dev/null +++ b/queue-5.15/igb-revert-rtnl_lock-that-causes-deadlock.patch @@ -0,0 +1,87 @@ +From 65f69851e44d71248b952a687e44759a7abb5016 Mon Sep 17 00:00:00 2001 +From: Lin Ma +Date: Tue, 7 Mar 2023 23:29:17 +0800 +Subject: igb: revert rtnl_lock() that causes deadlock + +From: Lin Ma + +commit 65f69851e44d71248b952a687e44759a7abb5016 upstream. + +The commit 6faee3d4ee8b ("igb: Add lock to avoid data race") adds +rtnl_lock to eliminate a false data race shown below + + (FREE from device detaching) | (USE from netdev core) +igb_remove | igb_ndo_get_vf_config + igb_disable_sriov | vf >= adapter->vfs_allocated_count? + kfree(adapter->vf_data) | + adapter->vfs_allocated_count = 0 | + | memcpy(... adapter->vf_data[vf] + +The above race will never happen and the extra rtnl_lock causes deadlock +below + +[ 141.420169] +[ 141.420672] __schedule+0x2dd/0x840 +[ 141.421427] schedule+0x50/0xc0 +[ 141.422041] schedule_preempt_disabled+0x11/0x20 +[ 141.422678] __mutex_lock.isra.13+0x431/0x6b0 +[ 141.423324] unregister_netdev+0xe/0x20 +[ 141.423578] igbvf_remove+0x45/0xe0 [igbvf] +[ 141.423791] pci_device_remove+0x36/0xb0 +[ 141.423990] device_release_driver_internal+0xc1/0x160 +[ 141.424270] pci_stop_bus_device+0x6d/0x90 +[ 141.424507] pci_stop_and_remove_bus_device+0xe/0x20 +[ 141.424789] pci_iov_remove_virtfn+0xba/0x120 +[ 141.425452] sriov_disable+0x2f/0xf0 +[ 141.425679] igb_disable_sriov+0x4e/0x100 [igb] +[ 141.426353] igb_remove+0xa0/0x130 [igb] +[ 141.426599] pci_device_remove+0x36/0xb0 +[ 141.426796] device_release_driver_internal+0xc1/0x160 +[ 141.427060] driver_detach+0x44/0x90 +[ 141.427253] bus_remove_driver+0x55/0xe0 +[ 141.427477] pci_unregister_driver+0x2a/0xa0 +[ 141.428296] __x64_sys_delete_module+0x141/0x2b0 +[ 141.429126] ? mntput_no_expire+0x4a/0x240 +[ 141.429363] ? syscall_trace_enter.isra.19+0x126/0x1a0 +[ 141.429653] do_syscall_64+0x5b/0x80 +[ 141.429847] ? exit_to_user_mode_prepare+0x14d/0x1c0 +[ 141.430109] ? syscall_exit_to_user_mode+0x12/0x30 +[ 141.430849] ? do_syscall_64+0x67/0x80 +[ 141.431083] ? syscall_exit_to_user_mode_prepare+0x183/0x1b0 +[ 141.431770] ? syscall_exit_to_user_mode+0x12/0x30 +[ 141.432482] ? do_syscall_64+0x67/0x80 +[ 141.432714] ? exc_page_fault+0x64/0x140 +[ 141.432911] entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Since the igb_disable_sriov() will call pci_disable_sriov() before +releasing any resources, the netdev core will synchronize the cleanup to +avoid any races. This patch removes the useless rtnl_(un)lock to guarantee +correctness. + +CC: stable@vger.kernel.org +Fixes: 6faee3d4ee8b ("igb: Add lock to avoid data race") +Reported-by: Corinna Vinschen +Link: https://lore.kernel.org/intel-wired-lan/ZAcJvkEPqWeJHO2r@calimero.vinschen.de/ +Signed-off-by: Lin Ma +Tested-by: Corinna Vinschen +Reviewed-by: Jacob Keller +Reviewed-by: Simon Horman +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/igb/igb_main.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -3820,9 +3820,7 @@ static void igb_remove(struct pci_dev *p + igb_release_hw_control(adapter); + + #ifdef CONFIG_PCI_IOV +- rtnl_lock(); + igb_disable_sriov(pdev); +- rtnl_unlock(); + #endif + + unregister_netdev(netdev); diff --git a/queue-5.15/kfence-avoid-passing-g-for-test.patch b/queue-5.15/kfence-avoid-passing-g-for-test.patch new file mode 100644 index 00000000000..edc89958a7a --- /dev/null +++ b/queue-5.15/kfence-avoid-passing-g-for-test.patch @@ -0,0 +1,53 @@ +From 2e08ca1802441224f5b7cc6bffbb687f7406de95 Mon Sep 17 00:00:00 2001 +From: Marco Elver +Date: Thu, 16 Mar 2023 23:47:04 +0100 +Subject: kfence: avoid passing -g for test + +From: Marco Elver + +commit 2e08ca1802441224f5b7cc6bffbb687f7406de95 upstream. + +Nathan reported that when building with GNU as and a version of clang that +defaults to DWARF5: + + $ make -skj"$(nproc)" ARCH=riscv CROSS_COMPILE=riscv64-linux-gnu- \ + LLVM=1 LLVM_IAS=0 O=build \ + mrproper allmodconfig mm/kfence/kfence_test.o + /tmp/kfence_test-08a0a0.s: Assembler messages: + /tmp/kfence_test-08a0a0.s:14627: Error: non-constant .uleb128 is not supported + /tmp/kfence_test-08a0a0.s:14628: Error: non-constant .uleb128 is not supported + /tmp/kfence_test-08a0a0.s:14632: Error: non-constant .uleb128 is not supported + /tmp/kfence_test-08a0a0.s:14633: Error: non-constant .uleb128 is not supported + /tmp/kfence_test-08a0a0.s:14639: Error: non-constant .uleb128 is not supported + ... + +This is because `-g` defaults to the compiler debug info default. If the +assembler does not support some of the directives used, the above errors +occur. To fix, remove the explicit passing of `-g`. + +All the test wants is that stack traces print valid function names, and +debug info is not required for that. (I currently cannot recall why I +added the explicit `-g`.) + +Link: https://lkml.kernel.org/r/20230316224705.709984-1-elver@google.com +Fixes: bc8fbc5f305a ("kfence: add test suite") +Signed-off-by: Marco Elver +Reported-by: Nathan Chancellor +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/kfence/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/kfence/Makefile ++++ b/mm/kfence/Makefile +@@ -2,5 +2,5 @@ + + obj-$(CONFIG_KFENCE) := core.o report.o + +-CFLAGS_kfence_test.o := -g -fno-omit-frame-pointer -fno-optimize-sibling-calls ++CFLAGS_kfence_test.o := -fno-omit-frame-pointer -fno-optimize-sibling-calls + obj-$(CONFIG_KFENCE_KUNIT_TEST) += kfence_test.o diff --git a/queue-5.15/lockd-set-file_lock-start-and-end-when-decoding-nlm4-testargs.patch b/queue-5.15/lockd-set-file_lock-start-and-end-when-decoding-nlm4-testargs.patch new file mode 100644 index 00000000000..59c147f6768 --- /dev/null +++ b/queue-5.15/lockd-set-file_lock-start-and-end-when-decoding-nlm4-testargs.patch @@ -0,0 +1,96 @@ +From 7ff84910c66c9144cc0de9d9deed9fb84c03aff0 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Tue, 14 Mar 2023 06:20:58 -0400 +Subject: lockd: set file_lock start and end when decoding nlm4 testargs + +From: Jeff Layton + +commit 7ff84910c66c9144cc0de9d9deed9fb84c03aff0 upstream. + +Commit 6930bcbfb6ce dropped the setting of the file_lock range when +decoding a nlm_lock off the wire. This causes the client side grant +callback to miss matching blocks and reject the lock, only to rerequest +it 30s later. + +Add a helper function to set the file_lock range from the start and end +values that the protocol uses, and have the nlm_lock decoder call that to +set up the file_lock args properly. + +Fixes: 6930bcbfb6ce ("lockd: detect and reject lock arguments that overflow") +Reported-by: Amir Goldstein +Signed-off-by: Jeff Layton +Tested-by: Amir Goldstein +Cc: stable@vger.kernel.org #6.0 +Signed-off-by: Anna Schumaker +Signed-off-by: Amir Goldstein +Signed-off-by: Greg Kroah-Hartman +--- + fs/lockd/clnt4xdr.c | 9 +-------- + fs/lockd/xdr4.c | 13 ++++++++++++- + include/linux/lockd/xdr4.h | 1 + + 3 files changed, 14 insertions(+), 9 deletions(-) + +--- a/fs/lockd/clnt4xdr.c ++++ b/fs/lockd/clnt4xdr.c +@@ -261,7 +261,6 @@ static int decode_nlm4_holder(struct xdr + u32 exclusive; + int error; + __be32 *p; +- s32 end; + + memset(lock, 0, sizeof(*lock)); + locks_init_lock(fl); +@@ -285,13 +284,7 @@ static int decode_nlm4_holder(struct xdr + fl->fl_type = exclusive != 0 ? F_WRLCK : F_RDLCK; + p = xdr_decode_hyper(p, &l_offset); + xdr_decode_hyper(p, &l_len); +- end = l_offset + l_len - 1; +- +- fl->fl_start = (loff_t)l_offset; +- if (l_len == 0 || end < 0) +- fl->fl_end = OFFSET_MAX; +- else +- fl->fl_end = (loff_t)end; ++ nlm4svc_set_file_lock_range(fl, l_offset, l_len); + error = 0; + out: + return error; +--- a/fs/lockd/xdr4.c ++++ b/fs/lockd/xdr4.c +@@ -33,6 +33,17 @@ loff_t_to_s64(loff_t offset) + return res; + } + ++void nlm4svc_set_file_lock_range(struct file_lock *fl, u64 off, u64 len) ++{ ++ s64 end = off + len - 1; ++ ++ fl->fl_start = off; ++ if (len == 0 || end < 0) ++ fl->fl_end = OFFSET_MAX; ++ else ++ fl->fl_end = end; ++} ++ + /* + * NLM file handles are defined by specification to be a variable-length + * XDR opaque no longer than 1024 bytes. However, this implementation +@@ -80,7 +91,7 @@ svcxdr_decode_lock(struct xdr_stream *xd + locks_init_lock(fl); + fl->fl_flags = FL_POSIX; + fl->fl_type = F_RDLCK; +- ++ nlm4svc_set_file_lock_range(fl, lock->lock_start, lock->lock_len); + return true; + } + +--- a/include/linux/lockd/xdr4.h ++++ b/include/linux/lockd/xdr4.h +@@ -24,6 +24,7 @@ + + + ++void nlm4svc_set_file_lock_range(struct file_lock *fl, u64 off, u64 len); + int nlm4svc_decode_testargs(struct svc_rqst *, __be32 *); + int nlm4svc_encode_testres(struct svc_rqst *, __be32 *); + int nlm4svc_decode_lockargs(struct svc_rqst *, __be32 *); diff --git a/queue-5.15/mm-slab-fix-undefined-init_cache_node_node-for-numa-and-smp.patch b/queue-5.15/mm-slab-fix-undefined-init_cache_node_node-for-numa-and-smp.patch new file mode 100644 index 00000000000..26fd0881519 --- /dev/null +++ b/queue-5.15/mm-slab-fix-undefined-init_cache_node_node-for-numa-and-smp.patch @@ -0,0 +1,49 @@ +From 66a1c22b709178e7b823d44465d0c2e5ed7492fb Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Tue, 21 Mar 2023 09:30:59 +0100 +Subject: mm/slab: Fix undefined init_cache_node_node() for NUMA and !SMP +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +commit 66a1c22b709178e7b823d44465d0c2e5ed7492fb upstream. + +sh/migor_defconfig: + + mm/slab.c: In function ‘slab_memory_callback’: + mm/slab.c:1127:23: error: implicit declaration of function ‘init_cache_node_node’; did you mean ‘drain_cache_node_node’? [-Werror=implicit-function-declaration] + 1127 | ret = init_cache_node_node(nid); + | ^~~~~~~~~~~~~~~~~~~~ + | drain_cache_node_node + +The #ifdef condition protecting the definition of init_cache_node_node() +no longer matches the conditions protecting the (multiple) users. + +Fix this by syncing the conditions. + +Fixes: 76af6a054da40553 ("mm/migrate: add CPU hotplug to demotion #ifdef") +Reported-by: Randy Dunlap +Link: https://lore.kernel.org/r/b5bdea22-ed2f-3187-6efe-0c72330270a4@infradead.org +Signed-off-by: Geert Uytterhoeven +Reviewed-by: John Paul Adrian Glaubitz +Acked-by: Randy Dunlap +Cc: +Signed-off-by: Vlastimil Babka +Signed-off-by: Greg Kroah-Hartman +--- + mm/slab.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/slab.c ++++ b/mm/slab.c +@@ -855,7 +855,7 @@ static int init_cache_node(struct kmem_c + return 0; + } + +-#if (defined(CONFIG_NUMA) && defined(CONFIG_MEMORY_HOTPLUG)) || defined(CONFIG_SMP) ++#if defined(CONFIG_NUMA) || defined(CONFIG_SMP) + /* + * Allocates and initializes node for a node on each slab cache, used for + * either memory or cpu hotplug. If memory is being hot-added, the kmem_cache_node diff --git a/queue-5.15/series b/queue-5.15/series index 7165801524d..460f110cb53 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -104,3 +104,19 @@ cifs-print-session-id-while-listing-open-files.patch scsi-core-add-blist_skip_vpd_pages-for-skhynix-h28u74301amr.patch usb-dwc2-fix-a-devres-leak-in-hw_enable-upon-suspend-resume.patch usb-gadget-u_audio-don-t-let-userspace-block-driver-unbind.patch +efi-sysfb_efi-fix-dmi-quirks-not-working-for-simpledrm.patch +mm-slab-fix-undefined-init_cache_node_node-for-numa-and-smp.patch +fscrypt-destroy-keyring-after-security_sb_delete.patch +fsverity-remove-wq_unbound-from-fsverity-read-workqueue.patch +lockd-set-file_lock-start-and-end-when-decoding-nlm4-testargs.patch +arm64-dts-imx8mm-nitrogen-r2-fix-wm8960-clock-name.patch +igb-revert-rtnl_lock-that-causes-deadlock.patch +dm-thin-fix-deadlock-when-swapping-to-thin-device.patch +usb-typec-tcpm-fix-warning-when-handle-discover_identity-message.patch +usb-cdns3-fix-issue-with-using-incorrect-pci-device-function.patch +usb-cdnsp-fixes-issue-with-redundant-status-stage.patch +usb-cdnsp-changes-pci-device-id-to-fix-conflict-with-cnds3-driver.patch +usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch +usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch +usb-ucsi-fix-null-pointer-deref-in-ucsi_connector_change.patch +kfence-avoid-passing-g-for-test.patch diff --git a/queue-5.15/usb-cdns3-fix-issue-with-using-incorrect-pci-device-function.patch b/queue-5.15/usb-cdns3-fix-issue-with-using-incorrect-pci-device-function.patch new file mode 100644 index 00000000000..8d7ef56f736 --- /dev/null +++ b/queue-5.15/usb-cdns3-fix-issue-with-using-incorrect-pci-device-function.patch @@ -0,0 +1,39 @@ +From 1272fd652a226ccb34e9f47371b6121948048438 Mon Sep 17 00:00:00 2001 +From: Pawel Laszczak +Date: Wed, 8 Mar 2023 07:44:27 -0500 +Subject: usb: cdns3: Fix issue with using incorrect PCI device function + +From: Pawel Laszczak + +commit 1272fd652a226ccb34e9f47371b6121948048438 upstream. + +PCI based platform can have more than two PCI functions. +USBSS PCI Glue driver during initialization should +consider only DRD/HOST/DEVICE PCI functions and +all other should be ignored. This patch adds additional +condition which causes that only DRD and HOST/DEVICE +function will be accepted. + +cc: +Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver") +Signed-off-by: Pawel Laszczak +Link: https://lore.kernel.org/r/20230308124427.311245-1-pawell@cadence.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/cdns3-pci-wrap.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/cdns3/cdns3-pci-wrap.c ++++ b/drivers/usb/cdns3/cdns3-pci-wrap.c +@@ -60,6 +60,11 @@ static struct pci_dev *cdns3_get_second_ + return NULL; + } + ++ if (func->devfn != PCI_DEV_FN_HOST_DEVICE && ++ func->devfn != PCI_DEV_FN_OTG) { ++ return NULL; ++ } ++ + return func; + } + diff --git a/queue-5.15/usb-cdnsp-changes-pci-device-id-to-fix-conflict-with-cnds3-driver.patch b/queue-5.15/usb-cdnsp-changes-pci-device-id-to-fix-conflict-with-cnds3-driver.patch new file mode 100644 index 00000000000..0a1734f5f72 --- /dev/null +++ b/queue-5.15/usb-cdnsp-changes-pci-device-id-to-fix-conflict-with-cnds3-driver.patch @@ -0,0 +1,72 @@ +From 96b96b2a567fb34dd41c87e6cf01f6902ce8cae4 Mon Sep 17 00:00:00 2001 +From: Pawel Laszczak +Date: Thu, 9 Mar 2023 01:30:48 -0500 +Subject: usb: cdnsp: changes PCI Device ID to fix conflict with CNDS3 driver + +From: Pawel Laszczak + +commit 96b96b2a567fb34dd41c87e6cf01f6902ce8cae4 upstream. + +Patch changes CDNS_DEVICE_ID in USBSSP PCI Glue driver to remove +the conflict with Cadence USBSS driver. + +cc: +Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") +Signed-off-by: Pawel Laszczak +Link: https://lore.kernel.org/r/20230309063048.299378-1-pawell@cadence.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/cdnsp-pci.c | 27 +++++++++++---------------- + 1 file changed, 11 insertions(+), 16 deletions(-) + +--- a/drivers/usb/cdns3/cdnsp-pci.c ++++ b/drivers/usb/cdns3/cdnsp-pci.c +@@ -29,30 +29,23 @@ + #define PLAT_DRIVER_NAME "cdns-usbssp" + + #define CDNS_VENDOR_ID 0x17cd +-#define CDNS_DEVICE_ID 0x0100 ++#define CDNS_DEVICE_ID 0x0200 ++#define CDNS_DRD_ID 0x0100 + #define CDNS_DRD_IF (PCI_CLASS_SERIAL_USB << 8 | 0x80) + + static struct pci_dev *cdnsp_get_second_fun(struct pci_dev *pdev) + { +- struct pci_dev *func; +- + /* + * Gets the second function. +- * It's little tricky, but this platform has two function. +- * The fist keeps resources for Host/Device while the second +- * keeps resources for DRD/OTG. ++ * Platform has two function. The fist keeps resources for ++ * Host/Device while the secon keeps resources for DRD/OTG. + */ +- func = pci_get_device(pdev->vendor, pdev->device, NULL); +- if (!func) +- return NULL; ++ if (pdev->device == CDNS_DEVICE_ID) ++ return pci_get_device(pdev->vendor, CDNS_DRD_ID, NULL); ++ else if (pdev->device == CDNS_DRD_ID) ++ return pci_get_device(pdev->vendor, CDNS_DEVICE_ID, NULL); + +- if (func->devfn == pdev->devfn) { +- func = pci_get_device(pdev->vendor, pdev->device, func); +- if (!func) +- return NULL; +- } +- +- return func; ++ return NULL; + } + + static int cdnsp_pci_probe(struct pci_dev *pdev, +@@ -232,6 +225,8 @@ static const struct pci_device_id cdnsp_ + PCI_CLASS_SERIAL_USB_DEVICE, PCI_ANY_ID }, + { PCI_VENDOR_ID_CDNS, CDNS_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID, + CDNS_DRD_IF, PCI_ANY_ID }, ++ { PCI_VENDOR_ID_CDNS, CDNS_DRD_ID, PCI_ANY_ID, PCI_ANY_ID, ++ CDNS_DRD_IF, PCI_ANY_ID }, + { 0, } + }; + diff --git a/queue-5.15/usb-cdnsp-fixes-issue-with-redundant-status-stage.patch b/queue-5.15/usb-cdnsp-fixes-issue-with-redundant-status-stage.patch new file mode 100644 index 00000000000..e107425c631 --- /dev/null +++ b/queue-5.15/usb-cdnsp-fixes-issue-with-redundant-status-stage.patch @@ -0,0 +1,67 @@ +From 5bc38d33a5a1209fd4de65101d1ae8255ea12c6e Mon Sep 17 00:00:00 2001 +From: Pawel Laszczak +Date: Tue, 7 Mar 2023 06:14:20 -0500 +Subject: usb: cdnsp: Fixes issue with redundant Status Stage + +From: Pawel Laszczak + +commit 5bc38d33a5a1209fd4de65101d1ae8255ea12c6e upstream. + +In some cases, driver trees to send Status Stage twice. +The first one from upper layer of gadget usb subsystem and +second time from controller driver. +This patch fixes this issue and remove tricky handling of +SET_INTERFACE from controller driver which is no longer +needed. + +cc: +Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") +Signed-off-by: Pawel Laszczak +Link: https://lore.kernel.org/r/20230307111420.376056-1-pawell@cadence.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/cdnsp-ep0.c | 19 +------------------ + 1 file changed, 1 insertion(+), 18 deletions(-) + +--- a/drivers/usb/cdns3/cdnsp-ep0.c ++++ b/drivers/usb/cdns3/cdnsp-ep0.c +@@ -403,20 +403,6 @@ static int cdnsp_ep0_std_request(struct + case USB_REQ_SET_ISOCH_DELAY: + ret = cdnsp_ep0_set_isoch_delay(pdev, ctrl); + break; +- case USB_REQ_SET_INTERFACE: +- /* +- * Add request into pending list to block sending status stage +- * by libcomposite. +- */ +- list_add_tail(&pdev->ep0_preq.list, +- &pdev->ep0_preq.pep->pending_list); +- +- ret = cdnsp_ep0_delegate_req(pdev, ctrl); +- if (ret == -EBUSY) +- ret = 0; +- +- list_del(&pdev->ep0_preq.list); +- break; + default: + ret = cdnsp_ep0_delegate_req(pdev, ctrl); + break; +@@ -474,9 +460,6 @@ void cdnsp_setup_analyze(struct cdnsp_de + else + ret = cdnsp_ep0_delegate_req(pdev, ctrl); + +- if (!len) +- pdev->ep0_stage = CDNSP_STATUS_STAGE; +- + if (ret == USB_GADGET_DELAYED_STATUS) { + trace_cdnsp_ep0_status_stage("delayed"); + return; +@@ -484,6 +467,6 @@ void cdnsp_setup_analyze(struct cdnsp_de + out: + if (ret < 0) + cdnsp_ep0_stall(pdev); +- else if (pdev->ep0_stage == CDNSP_STATUS_STAGE) ++ else if (!len && pdev->ep0_stage != CDNSP_STATUS_STAGE) + cdnsp_status_stage(pdev); + } diff --git a/queue-5.15/usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch b/queue-5.15/usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch new file mode 100644 index 00000000000..534ebd28c4c --- /dev/null +++ b/queue-5.15/usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch @@ -0,0 +1,38 @@ +From 3670de80678961eda7fa2220883fc77c16868951 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Fri, 17 Mar 2023 14:15:15 +0800 +Subject: usb: chipdea: core: fix return -EINVAL if request role is the same with current role + +From: Xu Yang + +commit 3670de80678961eda7fa2220883fc77c16868951 upstream. + +It should not return -EINVAL if the request role is the same with current +role, return non-error and without do anything instead. + +Fixes: a932a8041ff9 ("usb: chipidea: core: add sysfs group") +cc: +Acked-by: Peter Chen +Signed-off-by: Xu Yang +Link: https://lore.kernel.org/r/20230317061516.2451728-1-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -974,9 +974,12 @@ static ssize_t role_store(struct device + strlen(ci->roles[role]->name))) + break; + +- if (role == CI_ROLE_END || role == ci->role) ++ if (role == CI_ROLE_END) + return -EINVAL; + ++ if (role == ci->role) ++ return n; ++ + pm_runtime_get_sync(dev); + disable_irq(ci->irq); + ci_role_stop(ci); diff --git a/queue-5.15/usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch b/queue-5.15/usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch new file mode 100644 index 00000000000..aa273be5ac5 --- /dev/null +++ b/queue-5.15/usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch @@ -0,0 +1,98 @@ +From 451b15ed138ec15bffbebb58a00ebdd884c3e659 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Fri, 17 Mar 2023 14:15:16 +0800 +Subject: usb: chipidea: core: fix possible concurrent when switch role + +From: Xu Yang + +commit 451b15ed138ec15bffbebb58a00ebdd884c3e659 upstream. + +The user may call role_store() when driver is handling +ci_handle_id_switch() which is triggerred by otg event or power lost +event. Unfortunately, the controller may go into chaos in this case. +Fix this by protecting it with mutex lock. + +Fixes: a932a8041ff9 ("usb: chipidea: core: add sysfs group") +cc: +Acked-by: Peter Chen +Signed-off-by: Xu Yang +Link: https://lore.kernel.org/r/20230317061516.2451728-2-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/ci.h | 2 ++ + drivers/usb/chipidea/core.c | 8 +++++++- + drivers/usb/chipidea/otg.c | 5 ++++- + 3 files changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/usb/chipidea/ci.h ++++ b/drivers/usb/chipidea/ci.h +@@ -203,6 +203,7 @@ struct hw_bank { + * @in_lpm: if the core in low power mode + * @wakeup_int: if wakeup interrupt occur + * @rev: The revision number for controller ++ * @mutex: protect code from concorrent running when doing role switch + */ + struct ci_hdrc { + struct device *dev; +@@ -255,6 +256,7 @@ struct ci_hdrc { + bool in_lpm; + bool wakeup_int; + enum ci_revision rev; ++ struct mutex mutex; + }; + + static inline struct ci_role_driver *ci_role(struct ci_hdrc *ci) +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -977,8 +977,12 @@ static ssize_t role_store(struct device + if (role == CI_ROLE_END) + return -EINVAL; + +- if (role == ci->role) ++ mutex_lock(&ci->mutex); ++ ++ if (role == ci->role) { ++ mutex_unlock(&ci->mutex); + return n; ++ } + + pm_runtime_get_sync(dev); + disable_irq(ci->irq); +@@ -988,6 +992,7 @@ static ssize_t role_store(struct device + ci_handle_vbus_change(ci); + enable_irq(ci->irq); + pm_runtime_put_sync(dev); ++ mutex_unlock(&ci->mutex); + + return (ret == 0) ? n : ret; + } +@@ -1023,6 +1028,7 @@ static int ci_hdrc_probe(struct platform + return -ENOMEM; + + spin_lock_init(&ci->lock); ++ mutex_init(&ci->mutex); + ci->dev = dev; + ci->platdata = dev_get_platdata(dev); + ci->imx28_write_fix = !!(ci->platdata->flags & +--- a/drivers/usb/chipidea/otg.c ++++ b/drivers/usb/chipidea/otg.c +@@ -167,8 +167,10 @@ static int hw_wait_vbus_lower_bsv(struct + + static void ci_handle_id_switch(struct ci_hdrc *ci) + { +- enum ci_role role = ci_otg_role(ci); ++ enum ci_role role; + ++ mutex_lock(&ci->mutex); ++ role = ci_otg_role(ci); + if (role != ci->role) { + dev_dbg(ci->dev, "switching from %s to %s\n", + ci_role(ci)->name, ci->roles[role]->name); +@@ -198,6 +200,7 @@ static void ci_handle_id_switch(struct c + if (role == CI_ROLE_GADGET) + ci_handle_vbus_change(ci); + } ++ mutex_unlock(&ci->mutex); + } + /** + * ci_otg_work - perform otg (vbus/id) event handle diff --git a/queue-5.15/usb-typec-tcpm-fix-warning-when-handle-discover_identity-message.patch b/queue-5.15/usb-typec-tcpm-fix-warning-when-handle-discover_identity-message.patch new file mode 100644 index 00000000000..65539f30602 --- /dev/null +++ b/queue-5.15/usb-typec-tcpm-fix-warning-when-handle-discover_identity-message.patch @@ -0,0 +1,122 @@ +From abfc4fa28f0160df61c7149567da4f6494dfb488 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Thu, 16 Feb 2023 11:15:15 +0800 +Subject: usb: typec: tcpm: fix warning when handle discover_identity message + +From: Xu Yang + +commit abfc4fa28f0160df61c7149567da4f6494dfb488 upstream. + +Since both source and sink device can send discover_identity message in +PD3, kernel may dump below warning: + +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 169 at drivers/usb/typec/tcpm/tcpm.c:1446 tcpm_queue_vdm+0xe0/0xf0 +Modules linked in: +CPU: 0 PID: 169 Comm: 1-0050 Not tainted 6.1.1-00038-g6a3c36cf1da2-dirty #567 +Hardware name: NXP i.MX8MPlus EVK board (DT) +pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : tcpm_queue_vdm+0xe0/0xf0 +lr : tcpm_queue_vdm+0x2c/0xf0 +sp : ffff80000c19bcd0 +x29: ffff80000c19bcd0 x28: 0000000000000001 x27: ffff0000d11c8ab8 +x26: ffff0000d11cc000 x25: 0000000000000000 x24: 00000000ff008081 +x23: 0000000000000001 x22: 00000000ff00a081 x21: ffff80000c19bdbc +x20: 0000000000000000 x19: ffff0000d11c8080 x18: ffffffffffffffff +x17: 0000000000000000 x16: 0000000000000000 x15: ffff0000d716f580 +x14: 0000000000000001 x13: ffff0000d716f507 x12: 0000000000000001 +x11: 0000000000000000 x10: 0000000000000020 x9 : 00000000000ee098 +x8 : 00000000ffffffff x7 : 000000000000001c x6 : ffff0000d716f580 +x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 +x2 : ffff80000c19bdbc x1 : 00000000ff00a081 x0 : 0000000000000004 +Call trace: +tcpm_queue_vdm+0xe0/0xf0 +tcpm_pd_rx_handler+0x340/0x1ab0 +kthread_worker_fn+0xcc/0x18c +kthread+0x10c/0x110 +ret_from_fork+0x10/0x20 +---[ end trace 0000000000000000 ]--- + +Below sequences may trigger this warning: + +tcpm_send_discover_work(work) + tcpm_send_vdm(port, USB_SID_PD, CMD_DISCOVER_IDENT, NULL, 0); + tcpm_queue_vdm(port, header, data, count); + port->vdm_state = VDM_STATE_READY; + +vdm_state_machine_work(work); + <-- received discover_identity from partner + vdm_run_state_machine(port); + port->vdm_state = VDM_STATE_SEND_MESSAGE; + mod_vdm_delayed_work(port, x); + +tcpm_pd_rx_handler(work); + tcpm_pd_data_request(port, msg); + tcpm_handle_vdm_request(port, msg->payload, cnt); + tcpm_queue_vdm(port, response[0], &response[1], rlen - 1); +--> WARN_ON(port->vdm_state > VDM_STATE_DONE); + +For this case, the state machine could still send out discover +identity message later if we skip current discover_identity message. +So we should handle the received message firstly and override the pending +discover_identity message without warning in this case. Then, a delayed +send_discover work will send discover_identity message again. + +Fixes: e00943e91678 ("usb: typec: tcpm: PD3.0 sinks can send Discover Identity even in device mode") +cc: +Signed-off-by: Xu Yang +Reviewed-by: Guenter Roeck +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20230216031515.4151117-1-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tcpm/tcpm.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/drivers/usb/typec/tcpm/tcpm.c ++++ b/drivers/usb/typec/tcpm/tcpm.c +@@ -1428,10 +1428,18 @@ static int tcpm_ams_start(struct tcpm_po + static void tcpm_queue_vdm(struct tcpm_port *port, const u32 header, + const u32 *data, int cnt) + { ++ u32 vdo_hdr = port->vdo_data[0]; ++ + WARN_ON(!mutex_is_locked(&port->lock)); + +- /* Make sure we are not still processing a previous VDM packet */ +- WARN_ON(port->vdm_state > VDM_STATE_DONE); ++ /* If is sending discover_identity, handle received message first */ ++ if (PD_VDO_SVDM(vdo_hdr) && PD_VDO_CMD(vdo_hdr) == CMD_DISCOVER_IDENT) { ++ port->send_discover = true; ++ mod_send_discover_delayed_work(port, SEND_DISCOVER_RETRY_MS); ++ } else { ++ /* Make sure we are not still processing a previous VDM packet */ ++ WARN_ON(port->vdm_state > VDM_STATE_DONE); ++ } + + port->vdo_count = cnt + 1; + port->vdo_data[0] = header; +@@ -1934,11 +1942,13 @@ static void vdm_run_state_machine(struct + switch (PD_VDO_CMD(vdo_hdr)) { + case CMD_DISCOVER_IDENT: + res = tcpm_ams_start(port, DISCOVER_IDENTITY); +- if (res == 0) ++ if (res == 0) { + port->send_discover = false; +- else if (res == -EAGAIN) ++ } else if (res == -EAGAIN) { ++ port->vdo_data[0] = 0; + mod_send_discover_delayed_work(port, + SEND_DISCOVER_RETRY_MS); ++ } + break; + case CMD_DISCOVER_SVID: + res = tcpm_ams_start(port, DISCOVER_SVIDS); +@@ -2021,6 +2031,7 @@ static void vdm_run_state_machine(struct + unsigned long timeout; + + port->vdm_retries = 0; ++ port->vdo_data[0] = 0; + port->vdm_state = VDM_STATE_BUSY; + timeout = vdm_ready_timeout(vdo_hdr); + mod_vdm_delayed_work(port, timeout); diff --git a/queue-5.15/usb-ucsi-fix-null-pointer-deref-in-ucsi_connector_change.patch b/queue-5.15/usb-ucsi-fix-null-pointer-deref-in-ucsi_connector_change.patch new file mode 100644 index 00000000000..8376974b17a --- /dev/null +++ b/queue-5.15/usb-ucsi-fix-null-pointer-deref-in-ucsi_connector_change.patch @@ -0,0 +1,67 @@ +From f87fb985452ab2083967103ac00bfd68fb182764 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 8 Mar 2023 16:42:42 +0100 +Subject: usb: ucsi: Fix NULL pointer deref in ucsi_connector_change() + +From: Hans de Goede + +commit f87fb985452ab2083967103ac00bfd68fb182764 upstream. + +When ucsi_init() fails, ucsi->connector is NULL, yet in case of +ucsi_acpi we may still get events which cause the ucs_acpi code to call +ucsi_connector_change(), which then derefs the NULL ucsi->connector +pointer. + +Fix this by not setting ucsi->ntfy inside ucsi_init() until ucsi_init() +has succeeded, so that ucsi_connector_change() ignores the events +because UCSI_ENABLE_NTFY_CONNECTOR_CHANGE is not set in the ntfy mask. + +Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217106 +Cc: stable@vger.kernel.org +Reviewed-by: Heikki Krogerus +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20230308154244.722337-2-hdegoede@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/usb/typec/ucsi/ucsi.c ++++ b/drivers/usb/typec/ucsi/ucsi.c +@@ -1202,7 +1202,7 @@ out_unlock: + static int ucsi_init(struct ucsi *ucsi) + { + struct ucsi_connector *con; +- u64 command; ++ u64 command, ntfy; + int ret; + int i; + +@@ -1214,8 +1214,8 @@ static int ucsi_init(struct ucsi *ucsi) + } + + /* Enable basic notifications */ +- ucsi->ntfy = UCSI_ENABLE_NTFY_CMD_COMPLETE | UCSI_ENABLE_NTFY_ERROR; +- command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy; ++ ntfy = UCSI_ENABLE_NTFY_CMD_COMPLETE | UCSI_ENABLE_NTFY_ERROR; ++ command = UCSI_SET_NOTIFICATION_ENABLE | ntfy; + ret = ucsi_send_command(ucsi, command, NULL, 0); + if (ret < 0) + goto err_reset; +@@ -1247,12 +1247,13 @@ static int ucsi_init(struct ucsi *ucsi) + } + + /* Enable all notifications */ +- ucsi->ntfy = UCSI_ENABLE_NTFY_ALL; +- command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy; ++ ntfy = UCSI_ENABLE_NTFY_ALL; ++ command = UCSI_SET_NOTIFICATION_ENABLE | ntfy; + ret = ucsi_send_command(ucsi, command, NULL, 0); + if (ret < 0) + goto err_unregister; + ++ ucsi->ntfy = ntfy; + return 0; + + err_unregister: