From: Greg Kroah-Hartman Date: Mon, 11 Nov 2024 12:09:24 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v5.15.172~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c69251a579f552721db7632b054940431733fcfd;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: filemap-fix-bounds-checking-in-filemap_read.patch fs-proc-fix-compile-warning-about-variable-vmcore_mmap_ops.patch i2c-designware-do-not-hold-scl-low-when-i2c_dynamic_tar_update-is-not-set.patch irqchip-gic-v3-force-propagation-of-the-active-state-with-a-read-back.patch ocfs2-remove-entry-once-instead-of-null-ptr-dereference-in-ocfs2_xa_remove.patch signal-restore-the-override_rlimit-logic.patch ucounts-fix-counter-leak-in-inc_rlimit_get_ucounts.patch usb-dwc3-fix-fault-at-system-suspend-if-device-was-already-runtime-suspended.patch usb-musb-sunxi-fix-accessing-an-released-usb-phy.patch usb-serial-io_edgeport-fix-use-after-free-in-debug-printk.patch usb-serial-option-add-fibocom-fg132-0x0112-composition.patch usb-serial-option-add-quectel-rg650v.patch usb-serial-qcserial-add-support-for-sierra-wireless-em86xx.patch usb-typec-fix-potential-out-of-bounds-in-ucsi_ccg_update_set_new_cam_cmd.patch usb-typec-qcom-pmic-init-value-of-hdr_len-txbuf_len-earlier.patch --- diff --git a/queue-6.6/filemap-fix-bounds-checking-in-filemap_read.patch b/queue-6.6/filemap-fix-bounds-checking-in-filemap_read.patch new file mode 100644 index 00000000000..8444133d78c --- /dev/null +++ b/queue-6.6/filemap-fix-bounds-checking-in-filemap_read.patch @@ -0,0 +1,37 @@ +From ace149e0830c380ddfce7e466fe860ca502fe4ee Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Fri, 13 Sep 2024 13:57:04 -0400 +Subject: filemap: Fix bounds checking in filemap_read() + +From: Trond Myklebust + +commit ace149e0830c380ddfce7e466fe860ca502fe4ee upstream. + +If the caller supplies an iocb->ki_pos value that is close to the +filesystem upper limit, and an iterator with a count that causes us to +overflow that limit, then filemap_read() enters an infinite loop. + +This behaviour was discovered when testing xfstests generic/525 with the +"localio" optimisation for loopback NFS mounts. + +Reported-by: Mike Snitzer +Fixes: c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()") +Tested-by: Mike Snitzer +Signed-off-by: Trond Myklebust +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/filemap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -2660,7 +2660,7 @@ ssize_t filemap_read(struct kiocb *iocb, + if (unlikely(!iov_iter_count(iter))) + return 0; + +- iov_iter_truncate(iter, inode->i_sb->s_maxbytes); ++ iov_iter_truncate(iter, inode->i_sb->s_maxbytes - iocb->ki_pos); + folio_batch_init(&fbatch); + + do { diff --git a/queue-6.6/fs-proc-fix-compile-warning-about-variable-vmcore_mmap_ops.patch b/queue-6.6/fs-proc-fix-compile-warning-about-variable-vmcore_mmap_ops.patch new file mode 100644 index 00000000000..e723743c013 --- /dev/null +++ b/queue-6.6/fs-proc-fix-compile-warning-about-variable-vmcore_mmap_ops.patch @@ -0,0 +1,58 @@ +From b8ee299855f08539e04d6c1a6acb3dc9e5423c00 Mon Sep 17 00:00:00 2001 +From: Qi Xi +Date: Fri, 1 Nov 2024 11:48:03 +0800 +Subject: fs/proc: fix compile warning about variable 'vmcore_mmap_ops' + +From: Qi Xi + +commit b8ee299855f08539e04d6c1a6acb3dc9e5423c00 upstream. + +When build with !CONFIG_MMU, the variable 'vmcore_mmap_ops' +is defined but not used: + +>> fs/proc/vmcore.c:458:42: warning: unused variable 'vmcore_mmap_ops' + 458 | static const struct vm_operations_struct vmcore_mmap_ops = { + +Fix this by only defining it when CONFIG_MMU is enabled. + +Link: https://lkml.kernel.org/r/20241101034803.9298-1-xiqi2@huawei.com +Fixes: 9cb218131de1 ("vmcore: introduce remap_oldmem_pfn_range()") +Signed-off-by: Qi Xi +Reported-by: kernel test robot +Closes: https://lore.kernel.org/lkml/202410301936.GcE8yUos-lkp@intel.com/ +Cc: Baoquan He +Cc: Dave Young +Cc: Michael Holzheu +Cc: Vivek Goyal +Cc: Wang ShaoBo +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/vmcore.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/fs/proc/vmcore.c ++++ b/fs/proc/vmcore.c +@@ -457,10 +457,6 @@ static vm_fault_t mmap_vmcore_fault(stru + #endif + } + +-static const struct vm_operations_struct vmcore_mmap_ops = { +- .fault = mmap_vmcore_fault, +-}; +- + /** + * vmcore_alloc_buf - allocate buffer in vmalloc memory + * @size: size of buffer +@@ -488,6 +484,11 @@ static inline char *vmcore_alloc_buf(siz + * virtually contiguous user-space in ELF layout. + */ + #ifdef CONFIG_MMU ++ ++static const struct vm_operations_struct vmcore_mmap_ops = { ++ .fault = mmap_vmcore_fault, ++}; ++ + /* + * remap_oldmem_pfn_checked - do remap_oldmem_pfn_range replacing all pages + * reported as not being ram with the zero page. diff --git a/queue-6.6/i2c-designware-do-not-hold-scl-low-when-i2c_dynamic_tar_update-is-not-set.patch b/queue-6.6/i2c-designware-do-not-hold-scl-low-when-i2c_dynamic_tar_update-is-not-set.patch new file mode 100644 index 00000000000..47dbcbdcd8c --- /dev/null +++ b/queue-6.6/i2c-designware-do-not-hold-scl-low-when-i2c_dynamic_tar_update-is-not-set.patch @@ -0,0 +1,66 @@ +From 8de3e97f3d3d62cd9f3067f073e8ac93261597db Mon Sep 17 00:00:00 2001 +From: Liu Peibao +Date: Fri, 1 Nov 2024 16:12:43 +0800 +Subject: i2c: designware: do not hold SCL low when I2C_DYNAMIC_TAR_UPDATE is not set + +From: Liu Peibao + +commit 8de3e97f3d3d62cd9f3067f073e8ac93261597db upstream. + +When the Tx FIFO is empty and the last command has no STOP bit +set, the master holds SCL low. If I2C_DYNAMIC_TAR_UPDATE is not +set, BIT(13) MST_ON_HOLD of IC_RAW_INTR_STAT is not enabled, +causing the __i2c_dw_disable() timeout. This is quite similar to +commit 2409205acd3c ("i2c: designware: fix __i2c_dw_disable() in +case master is holding SCL low"). Also check BIT(7) +MST_HOLD_TX_FIFO_EMPTY in IC_STATUS, which is available when +IC_STAT_FOR_CLK_STRETCH is set. + +Fixes: 2409205acd3c ("i2c: designware: fix __i2c_dw_disable() in case master is holding SCL low") +Co-developed-by: Xiaowu Ding +Signed-off-by: Xiaowu Ding +Co-developed-by: Angus Chen +Signed-off-by: Angus Chen +Signed-off-by: Liu Peibao +Acked-by: Jarkko Nikula +Signed-off-by: Andi Shyti +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-designware-common.c | 6 ++++-- + drivers/i2c/busses/i2c-designware-core.h | 1 + + 2 files changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/i2c/busses/i2c-designware-common.c ++++ b/drivers/i2c/busses/i2c-designware-common.c +@@ -442,7 +442,7 @@ err_release_lock: + void __i2c_dw_disable(struct dw_i2c_dev *dev) + { + struct i2c_timings *t = &dev->timings; +- unsigned int raw_intr_stats; ++ unsigned int raw_intr_stats, ic_stats; + unsigned int enable; + int timeout = 100; + bool abort_needed; +@@ -450,9 +450,11 @@ void __i2c_dw_disable(struct dw_i2c_dev + int ret; + + regmap_read(dev->map, DW_IC_RAW_INTR_STAT, &raw_intr_stats); ++ regmap_read(dev->map, DW_IC_STATUS, &ic_stats); + regmap_read(dev->map, DW_IC_ENABLE, &enable); + +- abort_needed = raw_intr_stats & DW_IC_INTR_MST_ON_HOLD; ++ abort_needed = (raw_intr_stats & DW_IC_INTR_MST_ON_HOLD) || ++ (ic_stats & DW_IC_STATUS_MASTER_HOLD_TX_FIFO_EMPTY); + if (abort_needed) { + if (!(enable & DW_IC_ENABLE_ENABLE)) { + regmap_write(dev->map, DW_IC_ENABLE, DW_IC_ENABLE_ENABLE); +--- a/drivers/i2c/busses/i2c-designware-core.h ++++ b/drivers/i2c/busses/i2c-designware-core.h +@@ -117,6 +117,7 @@ + #define DW_IC_STATUS_RFNE BIT(3) + #define DW_IC_STATUS_MASTER_ACTIVITY BIT(5) + #define DW_IC_STATUS_SLAVE_ACTIVITY BIT(6) ++#define DW_IC_STATUS_MASTER_HOLD_TX_FIFO_EMPTY BIT(7) + + #define DW_IC_SDA_HOLD_RX_SHIFT 16 + #define DW_IC_SDA_HOLD_RX_MASK GENMASK(23, 16) diff --git a/queue-6.6/irqchip-gic-v3-force-propagation-of-the-active-state-with-a-read-back.patch b/queue-6.6/irqchip-gic-v3-force-propagation-of-the-active-state-with-a-read-back.patch new file mode 100644 index 00000000000..d5c019d39f0 --- /dev/null +++ b/queue-6.6/irqchip-gic-v3-force-propagation-of-the-active-state-with-a-read-back.patch @@ -0,0 +1,57 @@ +From 464cb98f1c07298c4c10e714ae0c36338d18d316 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Wed, 6 Nov 2024 08:44:18 +0000 +Subject: irqchip/gic-v3: Force propagation of the active state with a read-back + +From: Marc Zyngier + +commit 464cb98f1c07298c4c10e714ae0c36338d18d316 upstream. + +Christoffer reports that on some implementations, writing to +GICR_ISACTIVER0 (and similar GICD registers) can race badly with a guest +issuing a deactivation of that interrupt via the system register interface. + +There are multiple reasons to this: + + - this uses an early write-acknoledgement memory type (nGnRE), meaning + that the write may only have made it as far as some interconnect + by the time the store is considered "done" + + - the GIC itself is allowed to buffer the write until it decides to + take it into account (as long as it is in finite time) + +The effects are that the activation may not have taken effect by the time +the kernel enters the guest, forcing an immediate exit, or that a guest +deactivation occurs before the interrupt is active, doing nothing. + +In order to guarantee that the write to the ISACTIVER register has taken +effect, read back from it, forcing the interconnect to propagate the write, +and the GIC to process the write before returning the read. + +Reported-by: Christoffer Dall +Signed-off-by: Marc Zyngier +Signed-off-by: Thomas Gleixner +Acked-by: Christoffer Dall +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20241106084418.3794612-1-maz@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-gic-v3.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -468,6 +468,13 @@ static int gic_irq_set_irqchip_state(str + } + + gic_poke_irq(d, reg); ++ ++ /* ++ * Force read-back to guarantee that the active state has taken ++ * effect, and won't race with a guest-driven deactivation. ++ */ ++ if (reg == GICD_ISACTIVER) ++ gic_peek_irq(d, reg); + return 0; + } + diff --git a/queue-6.6/ocfs2-remove-entry-once-instead-of-null-ptr-dereference-in-ocfs2_xa_remove.patch b/queue-6.6/ocfs2-remove-entry-once-instead-of-null-ptr-dereference-in-ocfs2_xa_remove.patch new file mode 100644 index 00000000000..7fb42dfb3a2 --- /dev/null +++ b/queue-6.6/ocfs2-remove-entry-once-instead-of-null-ptr-dereference-in-ocfs2_xa_remove.patch @@ -0,0 +1,91 @@ +From 0b63c0e01fba40e3992bc627272ec7b618ccaef7 Mon Sep 17 00:00:00 2001 +From: Andrew Kanner +Date: Sun, 3 Nov 2024 20:38:45 +0100 +Subject: ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove() + +From: Andrew Kanner + +commit 0b63c0e01fba40e3992bc627272ec7b618ccaef7 upstream. + +Syzkaller is able to provoke null-ptr-dereference in ocfs2_xa_remove(): + +[ 57.319872] (a.out,1161,7):ocfs2_xa_remove:2028 ERROR: status = -12 +[ 57.320420] (a.out,1161,7):ocfs2_xa_cleanup_value_truncate:1999 ERROR: Partial truncate while removing xattr overlay.upper. Leaking 1 clusters and removing the entry +[ 57.321727] BUG: kernel NULL pointer dereference, address: 0000000000000004 +[...] +[ 57.325727] RIP: 0010:ocfs2_xa_block_wipe_namevalue+0x2a/0xc0 +[...] +[ 57.331328] Call Trace: +[ 57.331477] +[...] +[ 57.333511] ? do_user_addr_fault+0x3e5/0x740 +[ 57.333778] ? exc_page_fault+0x70/0x170 +[ 57.334016] ? asm_exc_page_fault+0x2b/0x30 +[ 57.334263] ? __pfx_ocfs2_xa_block_wipe_namevalue+0x10/0x10 +[ 57.334596] ? ocfs2_xa_block_wipe_namevalue+0x2a/0xc0 +[ 57.334913] ocfs2_xa_remove_entry+0x23/0xc0 +[ 57.335164] ocfs2_xa_set+0x704/0xcf0 +[ 57.335381] ? _raw_spin_unlock+0x1a/0x40 +[ 57.335620] ? ocfs2_inode_cache_unlock+0x16/0x20 +[ 57.335915] ? trace_preempt_on+0x1e/0x70 +[ 57.336153] ? start_this_handle+0x16c/0x500 +[ 57.336410] ? preempt_count_sub+0x50/0x80 +[ 57.336656] ? _raw_read_unlock+0x20/0x40 +[ 57.336906] ? start_this_handle+0x16c/0x500 +[ 57.337162] ocfs2_xattr_block_set+0xa6/0x1e0 +[ 57.337424] __ocfs2_xattr_set_handle+0x1fd/0x5d0 +[ 57.337706] ? ocfs2_start_trans+0x13d/0x290 +[ 57.337971] ocfs2_xattr_set+0xb13/0xfb0 +[ 57.338207] ? dput+0x46/0x1c0 +[ 57.338393] ocfs2_xattr_trusted_set+0x28/0x30 +[ 57.338665] ? ocfs2_xattr_trusted_set+0x28/0x30 +[ 57.338948] __vfs_removexattr+0x92/0xc0 +[ 57.339182] __vfs_removexattr_locked+0xd5/0x190 +[ 57.339456] ? preempt_count_sub+0x50/0x80 +[ 57.339705] vfs_removexattr+0x5f/0x100 +[...] + +Reproducer uses faultinject facility to fail ocfs2_xa_remove() -> +ocfs2_xa_value_truncate() with -ENOMEM. + +In this case the comment mentions that we can return 0 if +ocfs2_xa_cleanup_value_truncate() is going to wipe the entry +anyway. But the following 'rc' check is wrong and execution flow do +'ocfs2_xa_remove_entry(loc);' twice: +* 1st: in ocfs2_xa_cleanup_value_truncate(); +* 2nd: returning back to ocfs2_xa_remove() instead of going to 'out'. + +Fix this by skipping the 2nd removal of the same entry and making +syzkaller repro happy. + +Link: https://lkml.kernel.org/r/20241103193845.2940988-1-andrew.kanner@gmail.com +Fixes: 399ff3a748cf ("ocfs2: Handle errors while setting external xattr values.") +Signed-off-by: Andrew Kanner +Reported-by: syzbot+386ce9e60fa1b18aac5b@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/671e13ab.050a0220.2b8c0f.01d0.GAE@google.com/T/ +Tested-by: syzbot+386ce9e60fa1b18aac5b@syzkaller.appspotmail.com +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/xattr.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/ocfs2/xattr.c ++++ b/fs/ocfs2/xattr.c +@@ -2036,8 +2036,7 @@ static int ocfs2_xa_remove(struct ocfs2_ + rc = 0; + ocfs2_xa_cleanup_value_truncate(loc, "removing", + orig_clusters); +- if (rc) +- goto out; ++ goto out; + } + } + diff --git a/queue-6.6/series b/queue-6.6/series index 86f5ea54337..99e52f0c38c 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -99,3 +99,18 @@ riscv-purgatory-align-riscv_kernel_entry.patch revert-wifi-mac80211-fix-rcu-list-iterations.patch revert-selftests-bpf-implement-get_hw_ring_size-function-to-retrieve-current-and-max-interface-size.patch media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch +filemap-fix-bounds-checking-in-filemap_read.patch +i2c-designware-do-not-hold-scl-low-when-i2c_dynamic_tar_update-is-not-set.patch +fs-proc-fix-compile-warning-about-variable-vmcore_mmap_ops.patch +signal-restore-the-override_rlimit-logic.patch +usb-musb-sunxi-fix-accessing-an-released-usb-phy.patch +usb-dwc3-fix-fault-at-system-suspend-if-device-was-already-runtime-suspended.patch +usb-typec-qcom-pmic-init-value-of-hdr_len-txbuf_len-earlier.patch +usb-typec-fix-potential-out-of-bounds-in-ucsi_ccg_update_set_new_cam_cmd.patch +usb-serial-io_edgeport-fix-use-after-free-in-debug-printk.patch +usb-serial-qcserial-add-support-for-sierra-wireless-em86xx.patch +usb-serial-option-add-fibocom-fg132-0x0112-composition.patch +usb-serial-option-add-quectel-rg650v.patch +irqchip-gic-v3-force-propagation-of-the-active-state-with-a-read-back.patch +ocfs2-remove-entry-once-instead-of-null-ptr-dereference-in-ocfs2_xa_remove.patch +ucounts-fix-counter-leak-in-inc_rlimit_get_ucounts.patch diff --git a/queue-6.6/signal-restore-the-override_rlimit-logic.patch b/queue-6.6/signal-restore-the-override_rlimit-logic.patch new file mode 100644 index 00000000000..80a35ce7e9d --- /dev/null +++ b/queue-6.6/signal-restore-the-override_rlimit-logic.patch @@ -0,0 +1,91 @@ +From 9e05e5c7ee8758141d2db7e8fea2cab34500c6ed Mon Sep 17 00:00:00 2001 +From: Roman Gushchin +Date: Mon, 4 Nov 2024 19:54:19 +0000 +Subject: signal: restore the override_rlimit logic + +From: Roman Gushchin + +commit 9e05e5c7ee8758141d2db7e8fea2cab34500c6ed upstream. + +Prior to commit d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of +ucounts") UCOUNT_RLIMIT_SIGPENDING rlimit was not enforced for a class of +signals. However now it's enforced unconditionally, even if +override_rlimit is set. This behavior change caused production issues. + +For example, if the limit is reached and a process receives a SIGSEGV +signal, sigqueue_alloc fails to allocate the necessary resources for the +signal delivery, preventing the signal from being delivered with siginfo. +This prevents the process from correctly identifying the fault address and +handling the error. From the user-space perspective, applications are +unaware that the limit has been reached and that the siginfo is +effectively 'corrupted'. This can lead to unpredictable behavior and +crashes, as we observed with java applications. + +Fix this by passing override_rlimit into inc_rlimit_get_ucounts() and skip +the comparison to max there if override_rlimit is set. This effectively +restores the old behavior. + +Link: https://lkml.kernel.org/r/20241104195419.3962584-1-roman.gushchin@linux.dev +Fixes: d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of ucounts") +Signed-off-by: Roman Gushchin +Co-developed-by: Andrei Vagin +Signed-off-by: Andrei Vagin +Acked-by: Oleg Nesterov +Acked-by: Alexey Gladkov +Cc: Kees Cook +Cc: "Eric W. Biederman" +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/user_namespace.h | 3 ++- + kernel/signal.c | 3 ++- + kernel/ucount.c | 6 ++++-- + 3 files changed, 8 insertions(+), 4 deletions(-) + +--- a/include/linux/user_namespace.h ++++ b/include/linux/user_namespace.h +@@ -131,7 +131,8 @@ static inline long get_rlimit_value(stru + + long inc_rlimit_ucounts(struct ucounts *ucounts, enum rlimit_type type, long v); + bool dec_rlimit_ucounts(struct ucounts *ucounts, enum rlimit_type type, long v); +-long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type); ++long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type, ++ bool override_rlimit); + void dec_rlimit_put_ucounts(struct ucounts *ucounts, enum rlimit_type type); + bool is_rlimit_overlimit(struct ucounts *ucounts, enum rlimit_type type, unsigned long max); + +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -428,7 +428,8 @@ __sigqueue_alloc(int sig, struct task_st + */ + rcu_read_lock(); + ucounts = task_ucounts(t); +- sigpending = inc_rlimit_get_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING); ++ sigpending = inc_rlimit_get_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING, ++ override_rlimit); + rcu_read_unlock(); + if (!sigpending) + return NULL; +--- a/kernel/ucount.c ++++ b/kernel/ucount.c +@@ -308,7 +308,8 @@ void dec_rlimit_put_ucounts(struct ucoun + do_dec_rlimit_put_ucounts(ucounts, NULL, type); + } + +-long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type) ++long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type, ++ bool override_rlimit) + { + /* Caller must hold a reference to ucounts */ + struct ucounts *iter; +@@ -321,7 +322,8 @@ long inc_rlimit_get_ucounts(struct ucoun + goto unwind; + if (iter == ucounts) + ret = new; +- max = get_userns_rlimit_max(iter->ns, type); ++ if (!override_rlimit) ++ max = get_userns_rlimit_max(iter->ns, type); + /* + * Grab an extra ucount reference for the caller when + * the rlimit count was previously 0. diff --git a/queue-6.6/ucounts-fix-counter-leak-in-inc_rlimit_get_ucounts.patch b/queue-6.6/ucounts-fix-counter-leak-in-inc_rlimit_get_ucounts.patch new file mode 100644 index 00000000000..56858c00717 --- /dev/null +++ b/queue-6.6/ucounts-fix-counter-leak-in-inc_rlimit_get_ucounts.patch @@ -0,0 +1,51 @@ +From 432dc0654c612457285a5dcf9bb13968ac6f0804 Mon Sep 17 00:00:00 2001 +From: Andrei Vagin +Date: Fri, 1 Nov 2024 19:19:40 +0000 +Subject: ucounts: fix counter leak in inc_rlimit_get_ucounts() + +From: Andrei Vagin + +commit 432dc0654c612457285a5dcf9bb13968ac6f0804 upstream. + +The inc_rlimit_get_ucounts() increments the specified rlimit counter and +then checks its limit. If the value exceeds the limit, the function +returns an error without decrementing the counter. + +Link: https://lkml.kernel.org/r/20241101191940.3211128-1-roman.gushchin@linux.dev +Fixes: 15bc01effefe ("ucounts: Fix signal ucount refcounting") +Signed-off-by: Andrei Vagin +Co-developed-by: Roman Gushchin +Signed-off-by: Roman Gushchin +Tested-by: Roman Gushchin +Acked-by: Alexey Gladkov +Cc: Kees Cook +Cc: Andrei Vagin +Cc: "Eric W. Biederman" +Cc: Alexey Gladkov +Cc: Oleg Nesterov +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/ucount.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/kernel/ucount.c ++++ b/kernel/ucount.c +@@ -319,7 +319,7 @@ long inc_rlimit_get_ucounts(struct ucoun + for (iter = ucounts; iter; iter = iter->ns->ucounts) { + long new = atomic_long_add_return(1, &iter->rlimit[type]); + if (new < 0 || new > max) +- goto unwind; ++ goto dec_unwind; + if (iter == ucounts) + ret = new; + if (!override_rlimit) +@@ -337,7 +337,6 @@ long inc_rlimit_get_ucounts(struct ucoun + dec_unwind: + dec = atomic_long_sub_return(1, &iter->rlimit[type]); + WARN_ON_ONCE(dec < 0); +-unwind: + do_dec_rlimit_put_ucounts(ucounts, iter, type); + return 0; + } diff --git a/queue-6.6/usb-dwc3-fix-fault-at-system-suspend-if-device-was-already-runtime-suspended.patch b/queue-6.6/usb-dwc3-fix-fault-at-system-suspend-if-device-was-already-runtime-suspended.patch new file mode 100644 index 00000000000..47d7bd885ad --- /dev/null +++ b/queue-6.6/usb-dwc3-fix-fault-at-system-suspend-if-device-was-already-runtime-suspended.patch @@ -0,0 +1,69 @@ +From 9cfb31e4c89d200d8ab7cb1e0bb9e6e8d621ca0b Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Mon, 4 Nov 2024 16:00:11 +0200 +Subject: usb: dwc3: fix fault at system suspend if device was already runtime suspended + +From: Roger Quadros + +commit 9cfb31e4c89d200d8ab7cb1e0bb9e6e8d621ca0b upstream. + +If the device was already runtime suspended then during system suspend +we cannot access the device registers else it will crash. + +Also we cannot access any registers after dwc3_core_exit() on some +platforms so move the dwc3_enable_susphy() call to the top. + +Cc: stable@vger.kernel.org # v5.15+ +Reported-by: William McVicker +Closes: https://lore.kernel.org/all/ZyVfcUuPq56R2m1Y@google.com +Fixes: 705e3ce37bcc ("usb: dwc3: core: Fix system suspend on TI AM62 platforms") +Signed-off-by: Roger Quadros +Acked-by: Thinh Nguyen +Tested-by: Will McVicker +Link: https://lore.kernel.org/r/20241104-am62-lpm-usb-fix-v1-1-e93df73a4f0d@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 25 ++++++++++++------------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -2106,10 +2106,18 @@ static int dwc3_suspend_common(struct dw + { + u32 reg; + +- dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & +- DWC3_GUSB2PHYCFG_SUSPHY) || +- (dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0)) & +- DWC3_GUSB3PIPECTL_SUSPHY); ++ if (!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg)) { ++ dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & ++ DWC3_GUSB2PHYCFG_SUSPHY) || ++ (dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0)) & ++ DWC3_GUSB3PIPECTL_SUSPHY); ++ /* ++ * TI AM62 platform requires SUSPHY to be ++ * enabled for system suspend to work. ++ */ ++ if (!dwc->susphy_state) ++ dwc3_enable_susphy(dwc, true); ++ } + + switch (dwc->current_dr_role) { + case DWC3_GCTL_PRTCAP_DEVICE: +@@ -2158,15 +2166,6 @@ static int dwc3_suspend_common(struct dw + break; + } + +- if (!PMSG_IS_AUTO(msg)) { +- /* +- * TI AM62 platform requires SUSPHY to be +- * enabled for system suspend to work. +- */ +- if (!dwc->susphy_state) +- dwc3_enable_susphy(dwc, true); +- } +- + return 0; + } + diff --git a/queue-6.6/usb-musb-sunxi-fix-accessing-an-released-usb-phy.patch b/queue-6.6/usb-musb-sunxi-fix-accessing-an-released-usb-phy.patch new file mode 100644 index 00000000000..22c62a42710 --- /dev/null +++ b/queue-6.6/usb-musb-sunxi-fix-accessing-an-released-usb-phy.patch @@ -0,0 +1,50 @@ +From 498dbd9aea205db9da674994b74c7bf8e18448bd Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Tue, 29 Oct 2024 23:13:38 +0800 +Subject: usb: musb: sunxi: Fix accessing an released usb phy + +From: Zijun Hu + +commit 498dbd9aea205db9da674994b74c7bf8e18448bd upstream. + +Commit 6ed05c68cbca ("usb: musb: sunxi: Explicitly release USB PHY on +exit") will cause that usb phy @glue->xceiv is accessed after released. + +1) register platform driver @sunxi_musb_driver +// get the usb phy @glue->xceiv +sunxi_musb_probe() -> devm_usb_get_phy(). + +2) register and unregister platform driver @musb_driver +musb_probe() -> sunxi_musb_init() +use the phy here +//the phy is released here +musb_remove() -> sunxi_musb_exit() -> devm_usb_put_phy() + +3) register @musb_driver again +musb_probe() -> sunxi_musb_init() +use the phy here but the phy has been released at 2). +... + +Fixed by reverting the commit, namely, removing devm_usb_put_phy() +from sunxi_musb_exit(). + +Fixes: 6ed05c68cbca ("usb: musb: sunxi: Explicitly release USB PHY on exit") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20241029-sunxi_fix-v1-1-9431ed2ab826@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/musb/sunxi.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/usb/musb/sunxi.c ++++ b/drivers/usb/musb/sunxi.c +@@ -293,8 +293,6 @@ static int sunxi_musb_exit(struct musb * + if (test_bit(SUNXI_MUSB_FL_HAS_SRAM, &glue->flags)) + sunxi_sram_release(musb->controller->parent); + +- devm_usb_put_phy(glue->dev, glue->xceiv); +- + return 0; + } + diff --git a/queue-6.6/usb-serial-io_edgeport-fix-use-after-free-in-debug-printk.patch b/queue-6.6/usb-serial-io_edgeport-fix-use-after-free-in-debug-printk.patch new file mode 100644 index 00000000000..298f71a9e57 --- /dev/null +++ b/queue-6.6/usb-serial-io_edgeport-fix-use-after-free-in-debug-printk.patch @@ -0,0 +1,49 @@ +From 37bb5628379295c1254c113a407cab03a0f4d0b4 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 31 Oct 2024 12:48:30 +0300 +Subject: USB: serial: io_edgeport: fix use after free in debug printk + +From: Dan Carpenter + +commit 37bb5628379295c1254c113a407cab03a0f4d0b4 upstream. + +The "dev_dbg(&urb->dev->dev, ..." which happens after usb_free_urb(urb) +is a use after free of the "urb" pointer. Store the "dev" pointer at the +start of the function to avoid this issue. + +Fixes: 984f68683298 ("USB: serial: io_edgeport.c: remove dbg() usage") +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/io_edgeport.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -770,11 +770,12 @@ static void edge_bulk_out_data_callback( + static void edge_bulk_out_cmd_callback(struct urb *urb) + { + struct edgeport_port *edge_port = urb->context; ++ struct device *dev = &urb->dev->dev; + int status = urb->status; + + atomic_dec(&CmdUrbs); +- dev_dbg(&urb->dev->dev, "%s - FREE URB %p (outstanding %d)\n", +- __func__, urb, atomic_read(&CmdUrbs)); ++ dev_dbg(dev, "%s - FREE URB %p (outstanding %d)\n", __func__, urb, ++ atomic_read(&CmdUrbs)); + + + /* clean up the transfer buffer */ +@@ -784,8 +785,7 @@ static void edge_bulk_out_cmd_callback(s + usb_free_urb(urb); + + if (status) { +- dev_dbg(&urb->dev->dev, +- "%s - nonzero write bulk status received: %d\n", ++ dev_dbg(dev, "%s - nonzero write bulk status received: %d\n", + __func__, status); + return; + } diff --git a/queue-6.6/usb-serial-option-add-fibocom-fg132-0x0112-composition.patch b/queue-6.6/usb-serial-option-add-fibocom-fg132-0x0112-composition.patch new file mode 100644 index 00000000000..665899a15e6 --- /dev/null +++ b/queue-6.6/usb-serial-option-add-fibocom-fg132-0x0112-composition.patch @@ -0,0 +1,53 @@ +From 393c74ccbd847bacf18865a01b422586fc7341cf Mon Sep 17 00:00:00 2001 +From: Reinhard Speyerer +Date: Fri, 18 Oct 2024 23:07:06 +0200 +Subject: USB: serial: option: add Fibocom FG132 0x0112 composition + +From: Reinhard Speyerer + +commit 393c74ccbd847bacf18865a01b422586fc7341cf upstream. + +Add Fibocom FG132 0x0112 composition: + +T: Bus=03 Lev=02 Prnt=06 Port=01 Cnt=02 Dev#= 10 Spd=12 MxCh= 0 +D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2cb7 ProdID=0112 Rev= 5.15 +S: Manufacturer=Fibocom Wireless Inc. +S: Product=Fibocom Module +S: SerialNumber=xxxxxxxx +C:* #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=86(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms + +Signed-off-by: Reinhard Speyerer +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -2320,6 +2320,9 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(0x2cb7, 0x010b, 0xff, 0xff, 0x30) }, /* Fibocom FG150 Diag */ + { USB_DEVICE_AND_INTERFACE_INFO(0x2cb7, 0x010b, 0xff, 0, 0) }, /* Fibocom FG150 AT */ + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0111, 0xff) }, /* Fibocom FM160 (MBIM mode) */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x2cb7, 0x0112, 0xff, 0xff, 0x30) }, /* Fibocom FG132 Diag */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x2cb7, 0x0112, 0xff, 0xff, 0x40) }, /* Fibocom FG132 AT */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x2cb7, 0x0112, 0xff, 0, 0) }, /* Fibocom FG132 NMEA */ + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0115, 0xff), /* Fibocom FM135 (laptop MBIM) */ + .driver_info = RSVD(5) }, + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x01a0, 0xff) }, /* Fibocom NL668-AM/NL652-EU (laptop MBIM) */ diff --git a/queue-6.6/usb-serial-option-add-quectel-rg650v.patch b/queue-6.6/usb-serial-option-add-quectel-rg650v.patch new file mode 100644 index 00000000000..057ea549513 --- /dev/null +++ b/queue-6.6/usb-serial-option-add-quectel-rg650v.patch @@ -0,0 +1,68 @@ +From 3b05949ba39f305b585452d0e177470607842165 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Monin?= +Date: Thu, 24 Oct 2024 17:09:19 +0200 +Subject: USB: serial: option: add Quectel RG650V +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benoît Monin + +commit 3b05949ba39f305b585452d0e177470607842165 upstream. + +Add support for Quectel RG650V which is based on Qualcomm SDX65 chip. +The composition is DIAG / NMEA / AT / AT / QMI. + +T: Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 4 Spd=5000 MxCh= 0 +D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 +P: Vendor=2c7c ProdID=0122 Rev=05.15 +S: Manufacturer=Quectel +S: Product=RG650V-EU +S: SerialNumber=xxxxxxx +C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=896mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=9ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=9ms +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=9ms + +Signed-off-by: Benoît Monin +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -251,6 +251,7 @@ static void option_instat_callback(struc + #define QUECTEL_VENDOR_ID 0x2c7c + /* These Quectel products use Quectel's vendor ID */ + #define QUECTEL_PRODUCT_EC21 0x0121 ++#define QUECTEL_PRODUCT_RG650V 0x0122 + #define QUECTEL_PRODUCT_EM061K_LTA 0x0123 + #define QUECTEL_PRODUCT_EM061K_LMS 0x0124 + #define QUECTEL_PRODUCT_EC25 0x0125 +@@ -1273,6 +1274,8 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG912Y, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG916Q, 0xff, 0x00, 0x00) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500K, 0xff, 0x00, 0x00) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RG650V, 0xff, 0xff, 0x30) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RG650V, 0xff, 0, 0) }, + + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) }, diff --git a/queue-6.6/usb-serial-qcserial-add-support-for-sierra-wireless-em86xx.patch b/queue-6.6/usb-serial-qcserial-add-support-for-sierra-wireless-em86xx.patch new file mode 100644 index 00000000000..86803037417 --- /dev/null +++ b/queue-6.6/usb-serial-qcserial-add-support-for-sierra-wireless-em86xx.patch @@ -0,0 +1,70 @@ +From 25eb47eed52979c2f5eee3f37e6c67714e02c49c Mon Sep 17 00:00:00 2001 +From: Jack Wu +Date: Wed, 6 Nov 2024 18:50:29 +0800 +Subject: USB: serial: qcserial: add support for Sierra Wireless EM86xx + +From: Jack Wu + +commit 25eb47eed52979c2f5eee3f37e6c67714e02c49c upstream. + +Add support for Sierra Wireless EM86xx with USB-id 0x1199:0x90e5 and +0x1199:0x90e4. + +0x1199:0x90e5 +T: Bus=03 Lev=01 Prnt=01 Port=05 Cnt=01 Dev#= 14 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1199 ProdID=90e5 Rev= 5.15 +S: Manufacturer=Sierra Wireless, Incorporated +S: Product=Semtech EM8695 Mobile Broadband Adapter +S: SerialNumber=004403161882339 +C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA +A: FirstIf#=12 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00 +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=qcserial +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=qcserial +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=85(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I:* If#=12 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#=13 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I:* If#=13 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x1199:0x90e4 +T: Bus=03 Lev=01 Prnt=01 Port=05 Cnt=01 Dev#= 16 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1199 ProdID=90e4 Rev= 0.00 +S: Manufacturer=Sierra Wireless, Incorporated +S: SerialNumber=004403161882339 +C:* #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr= 2mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=10 Driver=qcserial +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Jack Wu +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/qcserial.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -166,6 +166,8 @@ static const struct usb_device_id id_tab + {DEVICE_SWI(0x1199, 0x9090)}, /* Sierra Wireless EM7565 QDL */ + {DEVICE_SWI(0x1199, 0x9091)}, /* Sierra Wireless EM7565 */ + {DEVICE_SWI(0x1199, 0x90d2)}, /* Sierra Wireless EM9191 QDL */ ++ {DEVICE_SWI(0x1199, 0x90e4)}, /* Sierra Wireless EM86xx QDL*/ ++ {DEVICE_SWI(0x1199, 0x90e5)}, /* Sierra Wireless EM86xx */ + {DEVICE_SWI(0x1199, 0xc080)}, /* Sierra Wireless EM7590 QDL */ + {DEVICE_SWI(0x1199, 0xc081)}, /* Sierra Wireless EM7590 */ + {DEVICE_SWI(0x413c, 0x81a2)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */ diff --git a/queue-6.6/usb-typec-fix-potential-out-of-bounds-in-ucsi_ccg_update_set_new_cam_cmd.patch b/queue-6.6/usb-typec-fix-potential-out-of-bounds-in-ucsi_ccg_update_set_new_cam_cmd.patch new file mode 100644 index 00000000000..0b4f5020484 --- /dev/null +++ b/queue-6.6/usb-typec-fix-potential-out-of-bounds-in-ucsi_ccg_update_set_new_cam_cmd.patch @@ -0,0 +1,41 @@ +From 7dd08a0b4193087976db6b3ee7807de7e8316f96 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 4 Nov 2024 20:16:42 +0300 +Subject: usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd() + +From: Dan Carpenter + +commit 7dd08a0b4193087976db6b3ee7807de7e8316f96 upstream. + +The "*cmd" variable can be controlled by the user via debugfs. That means +"new_cam" can be as high as 255 while the size of the uc->updated[] array +is UCSI_MAX_ALTMODES (30). + +The call tree is: +ucsi_cmd() // val comes from simple_attr_write_xsigned() +-> ucsi_send_command() + -> ucsi_send_command_common() + -> ucsi_run_command() // calls ucsi->ops->sync_control() + -> ucsi_ccg_sync_control() + +Fixes: 170a6726d0e2 ("usb: typec: ucsi: add support for separate DP altmode devices") +Cc: stable +Signed-off-by: Dan Carpenter +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/325102b3-eaa8-4918-a947-22aca1146586@stanley.mountain +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi_ccg.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/typec/ucsi/ucsi_ccg.c ++++ b/drivers/usb/typec/ucsi/ucsi_ccg.c +@@ -441,6 +441,8 @@ static void ucsi_ccg_update_set_new_cam_ + + port = uc->orig; + new_cam = UCSI_SET_NEW_CAM_GET_AM(*cmd); ++ if (new_cam >= ARRAY_SIZE(uc->updated)) ++ return; + new_port = &uc->updated[new_cam]; + cam = new_port->linked_idx; + enter_new_mode = UCSI_SET_NEW_CAM_ENTER(*cmd); diff --git a/queue-6.6/usb-typec-qcom-pmic-init-value-of-hdr_len-txbuf_len-earlier.patch b/queue-6.6/usb-typec-qcom-pmic-init-value-of-hdr_len-txbuf_len-earlier.patch new file mode 100644 index 00000000000..785573d9f73 --- /dev/null +++ b/queue-6.6/usb-typec-qcom-pmic-init-value-of-hdr_len-txbuf_len-earlier.patch @@ -0,0 +1,49 @@ +From 029778a4fd2c90c2e76a902b797c2348a722f1b8 Mon Sep 17 00:00:00 2001 +From: Rex Nie +Date: Wed, 30 Oct 2024 21:36:32 +0800 +Subject: usb: typec: qcom-pmic: init value of hdr_len/txbuf_len earlier + +From: Rex Nie + +commit 029778a4fd2c90c2e76a902b797c2348a722f1b8 upstream. + +If the read of USB_PDPHY_RX_ACKNOWLEDGE_REG failed, then hdr_len and +txbuf_len are uninitialized. This commit stops to print uninitialized +value and misleading/false data. + +Cc: stable@vger.kernel.org +Fixes: a4422ff22142 (" usb: typec: qcom: Add Qualcomm PMIC Type-C driver") +Signed-off-by: Rex Nie +Reviewed-by: Heikki Krogerus +Reviewed-by: Bjorn Andersson +Acked-by: Bryan O'Donoghue +Link: https://lore.kernel.org/r/20241030133632.2116-1-rex.nie@jaguarmicro.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c ++++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c +@@ -161,6 +161,10 @@ qcom_pmic_typec_pdphy_pd_transmit_payloa + + spin_lock_irqsave(&pmic_typec_pdphy->lock, flags); + ++ hdr_len = sizeof(msg->header); ++ txbuf_len = pd_header_cnt_le(msg->header) * 4; ++ txsize_len = hdr_len + txbuf_len - 1; ++ + ret = regmap_read(pmic_typec_pdphy->regmap, + pmic_typec_pdphy->base + USB_PDPHY_RX_ACKNOWLEDGE_REG, + &val); +@@ -178,10 +182,6 @@ qcom_pmic_typec_pdphy_pd_transmit_payloa + if (ret) + goto done; + +- hdr_len = sizeof(msg->header); +- txbuf_len = pd_header_cnt_le(msg->header) * 4; +- txsize_len = hdr_len + txbuf_len - 1; +- + /* Write message header sizeof(u16) to USB_PDPHY_TX_BUFFER_HDR_REG */ + ret = regmap_bulk_write(pmic_typec_pdphy->regmap, + pmic_typec_pdphy->base + USB_PDPHY_TX_BUFFER_HDR_REG,