From 38f8b5af7b108701c79f4457872ef7260459c8ce Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 27 Mar 2024 16:24:23 +0100 Subject: [PATCH] 5.10-stable patches added patches: alsa-hda-realtek-fix-headset-mic-no-show-at-resume-back-for-lenovo-alc897-platform.patch fs-aio-check-iocb_aio_rw-before-the-struct-aio_kiocb-conversion.patch mei-me-add-arrow-lake-point-h-did.patch mei-me-add-arrow-lake-point-s-did.patch tee-optee-fix-kernel-panic-caused-by-incorrect-error-handling.patch tty-serial-fsl_lpuart-avoid-idle-preamble-pending-if-cts-is-enabled.patch usb-gadget-ncm-fix-handling-of-zero-block-length-packets.patch usb-port-don-t-try-to-peer-unused-usb-ports-based-on-location.patch usb-usb-storage-prevent-divide-by-0-error-in-isd200_ata_command.patch vt-fix-unicode-buffer-corruption-when-deleting-characters.patch --- ...sume-back-for-lenovo-alc897-platform.patch | 45 ++++++++ ...fore-the-struct-aio_kiocb-conversion.patch | 63 +++++++++++ .../mei-me-add-arrow-lake-point-h-did.patch | 41 +++++++ .../mei-me-add-arrow-lake-point-s-did.patch | 41 +++++++ queue-5.10/series | 10 ++ ...c-caused-by-incorrect-error-handling.patch | 59 ++++++++++ ...e-preamble-pending-if-cts-is-enabled.patch | 52 +++++++++ ...andling-of-zero-block-length-packets.patch | 63 +++++++++++ ...r-unused-usb-ports-based-on-location.patch | 59 ++++++++++ ...ide-by-0-error-in-isd200_ata_command.patch | 101 ++++++++++++++++++ ...-corruption-when-deleting-characters.patch | 34 ++++++ 11 files changed, 568 insertions(+) create mode 100644 queue-5.10/alsa-hda-realtek-fix-headset-mic-no-show-at-resume-back-for-lenovo-alc897-platform.patch create mode 100644 queue-5.10/fs-aio-check-iocb_aio_rw-before-the-struct-aio_kiocb-conversion.patch create mode 100644 queue-5.10/mei-me-add-arrow-lake-point-h-did.patch create mode 100644 queue-5.10/mei-me-add-arrow-lake-point-s-did.patch create mode 100644 queue-5.10/tee-optee-fix-kernel-panic-caused-by-incorrect-error-handling.patch create mode 100644 queue-5.10/tty-serial-fsl_lpuart-avoid-idle-preamble-pending-if-cts-is-enabled.patch create mode 100644 queue-5.10/usb-gadget-ncm-fix-handling-of-zero-block-length-packets.patch create mode 100644 queue-5.10/usb-port-don-t-try-to-peer-unused-usb-ports-based-on-location.patch create mode 100644 queue-5.10/usb-usb-storage-prevent-divide-by-0-error-in-isd200_ata_command.patch create mode 100644 queue-5.10/vt-fix-unicode-buffer-corruption-when-deleting-characters.patch diff --git a/queue-5.10/alsa-hda-realtek-fix-headset-mic-no-show-at-resume-back-for-lenovo-alc897-platform.patch b/queue-5.10/alsa-hda-realtek-fix-headset-mic-no-show-at-resume-back-for-lenovo-alc897-platform.patch new file mode 100644 index 00000000000..226e6662d23 --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-fix-headset-mic-no-show-at-resume-back-for-lenovo-alc897-platform.patch @@ -0,0 +1,45 @@ +From d397b6e56151099cf3b1f7bfccb204a6a8591720 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Fri, 1 Mar 2024 15:29:50 +0800 +Subject: ALSA: hda/realtek - Fix headset Mic no show at resume back for Lenovo ALC897 platform + +From: Kailang Yang + +commit d397b6e56151099cf3b1f7bfccb204a6a8591720 upstream. + +Headset Mic will no show at resume back. +This patch will fix this issue. + +Fixes: d7f32791a9fc ("ALSA: hda/realtek - Add headset Mic support for Lenovo ALC897 platform") +Cc: +Signed-off-by: Kailang Yang +Link: https://lore.kernel.org/r/4713d48a372e47f98bba0c6120fd8254@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10692,8 +10692,7 @@ static void alc897_hp_automute_hook(stru + + snd_hda_gen_hp_automute(codec, jack); + vref = spec->gen.hp_jack_present ? (PIN_HP | AC_PINCTL_VREF_100) : PIN_HP; +- snd_hda_codec_write(codec, 0x1b, 0, AC_VERB_SET_PIN_WIDGET_CONTROL, +- vref); ++ snd_hda_set_pin_ctl(codec, 0x1b, vref); + } + + static void alc897_fixup_lenovo_headset_mic(struct hda_codec *codec, +@@ -10702,6 +10701,10 @@ static void alc897_fixup_lenovo_headset_ + struct alc_spec *spec = codec->spec; + if (action == HDA_FIXUP_ACT_PRE_PROBE) { + spec->gen.hp_automute_hook = alc897_hp_automute_hook; ++ spec->no_shutup_pins = 1; ++ } ++ if (action == HDA_FIXUP_ACT_PROBE) { ++ snd_hda_set_pin_ctl_cache(codec, 0x1a, PIN_IN | AC_PINCTL_VREF_100); + } + } + diff --git a/queue-5.10/fs-aio-check-iocb_aio_rw-before-the-struct-aio_kiocb-conversion.patch b/queue-5.10/fs-aio-check-iocb_aio_rw-before-the-struct-aio_kiocb-conversion.patch new file mode 100644 index 00000000000..8a7c838df56 --- /dev/null +++ b/queue-5.10/fs-aio-check-iocb_aio_rw-before-the-struct-aio_kiocb-conversion.patch @@ -0,0 +1,63 @@ +From 961ebd120565cb60cebe21cb634fbc456022db4a Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Mon, 4 Mar 2024 15:57:15 -0800 +Subject: fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion + +From: Bart Van Assche + +commit 961ebd120565cb60cebe21cb634fbc456022db4a upstream. + +The first kiocb_set_cancel_fn() argument may point at a struct kiocb +that is not embedded inside struct aio_kiocb. With the current code, +depending on the compiler, the req->ki_ctx read happens either before +the IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such +that it is guaranteed that the IOCB_AIO_RW test happens first. + +Reported-by: Eric Biggers +Cc: Benjamin LaHaise +Cc: Eric Biggers +Cc: Christoph Hellwig +Cc: Avi Kivity +Cc: Sandeep Dhavale +Cc: Jens Axboe +Cc: Greg Kroah-Hartman +Cc: Kent Overstreet +Cc: stable@vger.kernel.org +Fixes: b820de741ae4 ("fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio") +Signed-off-by: Bart Van Assche +Link: https://lore.kernel.org/r/20240304235715.3790858-1-bvanassche@acm.org +Reviewed-by: Jens Axboe +Reviewed-by: Eric Biggers +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/aio.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -565,8 +565,8 @@ static int aio_setup_ring(struct kioctx + + void kiocb_set_cancel_fn(struct kiocb *iocb, kiocb_cancel_fn *cancel) + { +- struct aio_kiocb *req = container_of(iocb, struct aio_kiocb, rw); +- struct kioctx *ctx = req->ki_ctx; ++ struct aio_kiocb *req; ++ struct kioctx *ctx; + unsigned long flags; + + /* +@@ -576,9 +576,13 @@ void kiocb_set_cancel_fn(struct kiocb *i + if (!(iocb->ki_flags & IOCB_AIO_RW)) + return; + ++ req = container_of(iocb, struct aio_kiocb, rw); ++ + if (WARN_ON_ONCE(!list_empty(&req->ki_list))) + return; + ++ ctx = req->ki_ctx; ++ + spin_lock_irqsave(&ctx->ctx_lock, flags); + list_add_tail(&req->ki_list, &ctx->active_reqs); + req->ki_cancel = cancel; diff --git a/queue-5.10/mei-me-add-arrow-lake-point-h-did.patch b/queue-5.10/mei-me-add-arrow-lake-point-h-did.patch new file mode 100644 index 00000000000..2ea7f46ffad --- /dev/null +++ b/queue-5.10/mei-me-add-arrow-lake-point-h-did.patch @@ -0,0 +1,41 @@ +From 8436f25802ec028ac7254990893f3e01926d9b79 Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Sun, 11 Feb 2024 12:39:12 +0200 +Subject: mei: me: add arrow lake point H DID + +From: Alexander Usyskin + +commit 8436f25802ec028ac7254990893f3e01926d9b79 upstream. + +Add Arrow Lake H device id. + +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Link: https://lore.kernel.org/r/20240211103912.117105-2-tomas.winkler@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mei/hw-me-regs.h | 1 + + drivers/misc/mei/pci-me.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/misc/mei/hw-me-regs.h ++++ b/drivers/misc/mei/hw-me-regs.h +@@ -113,6 +113,7 @@ + + #define MEI_DEV_ID_MTL_M 0x7E70 /* Meteor Lake Point M */ + #define MEI_DEV_ID_ARL_S 0x7F68 /* Arrow Lake Point S */ ++#define MEI_DEV_ID_ARL_H 0x7770 /* Arrow Lake Point H */ + + /* + * MEI HW Section +--- a/drivers/misc/mei/pci-me.c ++++ b/drivers/misc/mei/pci-me.c +@@ -119,6 +119,7 @@ static const struct pci_device_id mei_me + + {MEI_PCI_DEVICE(MEI_DEV_ID_MTL_M, MEI_ME_PCH15_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_ARL_S, MEI_ME_PCH15_CFG)}, ++ {MEI_PCI_DEVICE(MEI_DEV_ID_ARL_H, MEI_ME_PCH15_CFG)}, + + /* required last entry */ + {0, } diff --git a/queue-5.10/mei-me-add-arrow-lake-point-s-did.patch b/queue-5.10/mei-me-add-arrow-lake-point-s-did.patch new file mode 100644 index 00000000000..c3f92f0143e --- /dev/null +++ b/queue-5.10/mei-me-add-arrow-lake-point-s-did.patch @@ -0,0 +1,41 @@ +From 7a9b9012043e126f6d6f4683e67409312d1b707b Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Sun, 11 Feb 2024 12:39:11 +0200 +Subject: mei: me: add arrow lake point S DID + +From: Alexander Usyskin + +commit 7a9b9012043e126f6d6f4683e67409312d1b707b upstream. + +Add Arrow Lake S device id. + +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Link: https://lore.kernel.org/r/20240211103912.117105-1-tomas.winkler@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mei/hw-me-regs.h | 1 + + drivers/misc/mei/pci-me.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/misc/mei/hw-me-regs.h ++++ b/drivers/misc/mei/hw-me-regs.h +@@ -112,6 +112,7 @@ + #define MEI_DEV_ID_RPL_S 0x7A68 /* Raptor Lake Point S */ + + #define MEI_DEV_ID_MTL_M 0x7E70 /* Meteor Lake Point M */ ++#define MEI_DEV_ID_ARL_S 0x7F68 /* Arrow Lake Point S */ + + /* + * MEI HW Section +--- a/drivers/misc/mei/pci-me.c ++++ b/drivers/misc/mei/pci-me.c +@@ -118,6 +118,7 @@ static const struct pci_device_id mei_me + {MEI_PCI_DEVICE(MEI_DEV_ID_RPL_S, MEI_ME_PCH15_CFG)}, + + {MEI_PCI_DEVICE(MEI_DEV_ID_MTL_M, MEI_ME_PCH15_CFG)}, ++ {MEI_PCI_DEVICE(MEI_DEV_ID_ARL_S, MEI_ME_PCH15_CFG)}, + + /* required last entry */ + {0, } diff --git a/queue-5.10/series b/queue-5.10/series index 5afaa5a259f..aa0d46318e2 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -122,3 +122,13 @@ netfilter-nf_tables-reject-constant-set-with-timeout.patch drivers-hv-vmbus-calculate-ring-buffer-size-for-more-efficient-use-of-memory.patch xfrm-avoid-clang-fortify-warning-in-copy_to_user_tmpl.patch kvm-svm-flush-pages-under-kvm-lock-to-fix-uaf-in-svm_register_enc_region.patch +alsa-hda-realtek-fix-headset-mic-no-show-at-resume-back-for-lenovo-alc897-platform.patch +usb-usb-storage-prevent-divide-by-0-error-in-isd200_ata_command.patch +usb-gadget-ncm-fix-handling-of-zero-block-length-packets.patch +usb-port-don-t-try-to-peer-unused-usb-ports-based-on-location.patch +tty-serial-fsl_lpuart-avoid-idle-preamble-pending-if-cts-is-enabled.patch +mei-me-add-arrow-lake-point-s-did.patch +mei-me-add-arrow-lake-point-h-did.patch +vt-fix-unicode-buffer-corruption-when-deleting-characters.patch +fs-aio-check-iocb_aio_rw-before-the-struct-aio_kiocb-conversion.patch +tee-optee-fix-kernel-panic-caused-by-incorrect-error-handling.patch diff --git a/queue-5.10/tee-optee-fix-kernel-panic-caused-by-incorrect-error-handling.patch b/queue-5.10/tee-optee-fix-kernel-panic-caused-by-incorrect-error-handling.patch new file mode 100644 index 00000000000..a911514993b --- /dev/null +++ b/queue-5.10/tee-optee-fix-kernel-panic-caused-by-incorrect-error-handling.patch @@ -0,0 +1,59 @@ +From 95915ba4b987cf2b222b0f251280228a1ff977ac Mon Sep 17 00:00:00 2001 +From: Sumit Garg +Date: Fri, 1 Mar 2024 20:07:31 +0530 +Subject: tee: optee: Fix kernel panic caused by incorrect error handling + +From: Sumit Garg + +commit 95915ba4b987cf2b222b0f251280228a1ff977ac upstream. + +The error path while failing to register devices on the TEE bus has a +bug leading to kernel panic as follows: + +[ 15.398930] Unable to handle kernel paging request at virtual address ffff07ed00626d7c +[ 15.406913] Mem abort info: +[ 15.409722] ESR = 0x0000000096000005 +[ 15.413490] EC = 0x25: DABT (current EL), IL = 32 bits +[ 15.418814] SET = 0, FnV = 0 +[ 15.421878] EA = 0, S1PTW = 0 +[ 15.425031] FSC = 0x05: level 1 translation fault +[ 15.429922] Data abort info: +[ 15.432813] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 +[ 15.438310] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 15.443372] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 15.448697] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000d9e3e000 +[ 15.455413] [ffff07ed00626d7c] pgd=1800000bffdf9003, p4d=1800000bffdf9003, pud=0000000000000000 +[ 15.464146] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP + +Commit 7269cba53d90 ("tee: optee: Fix supplicant based device enumeration") +lead to the introduction of this bug. So fix it appropriately. + +Reported-by: Mikko Rapeli +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218542 +Fixes: 7269cba53d90 ("tee: optee: Fix supplicant based device enumeration") +Cc: stable@vger.kernel.org +Signed-off-by: Sumit Garg +Signed-off-by: Jens Wiklander +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tee/optee/device.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/tee/optee/device.c ++++ b/drivers/tee/optee/device.c +@@ -90,13 +90,14 @@ static int optee_register_device(const u + if (rc) { + pr_err("device registration failed, err: %d\n", rc); + put_device(&optee_device->dev); ++ return rc; + } + + if (func == PTA_CMD_GET_DEVICES_SUPP) + device_create_file(&optee_device->dev, + &dev_attr_need_supplicant); + +- return rc; ++ return 0; + } + + static int __optee_enumerate_devices(u32 func) diff --git a/queue-5.10/tty-serial-fsl_lpuart-avoid-idle-preamble-pending-if-cts-is-enabled.patch b/queue-5.10/tty-serial-fsl_lpuart-avoid-idle-preamble-pending-if-cts-is-enabled.patch new file mode 100644 index 00000000000..1fe280aed87 --- /dev/null +++ b/queue-5.10/tty-serial-fsl_lpuart-avoid-idle-preamble-pending-if-cts-is-enabled.patch @@ -0,0 +1,52 @@ +From 74cb7e0355fae9641f825afa389d3fba3b617714 Mon Sep 17 00:00:00 2001 +From: Sherry Sun +Date: Tue, 5 Mar 2024 09:57:06 +0800 +Subject: tty: serial: fsl_lpuart: avoid idle preamble pending if CTS is enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sherry Sun + +commit 74cb7e0355fae9641f825afa389d3fba3b617714 upstream. + +If the remote uart device is not connected or not enabled after booting +up, the CTS line is high by default. At this time, if we enable the flow +control when opening the device(for example, using “stty -F /dev/ttyLP4 +crtscts” command), there will be a pending idle preamble(first writing 0 +and then writing 1 to UARTCTRL_TE will queue an idle preamble) that +cannot be sent out, resulting in the uart port fail to close(waiting for +TX empty), so the user space stty will have to wait for a long time or +forever. + +This is an LPUART IP bug(idle preamble has higher priority than CTS), +here add a workaround patch to enable TX CTS after enabling UARTCTRL_TE, +so that the idle preamble does not get stuck due to CTS is deasserted. + +Fixes: 380c966c093e ("tty: serial: fsl_lpuart: add 32-bit register interface support") +Cc: stable +Signed-off-by: Sherry Sun +Reviewed-by: Alexander Sverdlin +Link: https://lore.kernel.org/r/20240305015706.1050769-1-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/fsl_lpuart.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -2178,9 +2178,12 @@ lpuart32_set_termios(struct uart_port *p + UARTCTRL); + + lpuart32_serial_setbrg(sport, baud); +- lpuart32_write(&sport->port, modem, UARTMODIR); +- lpuart32_write(&sport->port, ctrl, UARTCTRL); ++ /* disable CTS before enabling UARTCTRL_TE to avoid pending idle preamble */ ++ lpuart32_write(&sport->port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); + /* restore control register */ ++ lpuart32_write(&sport->port, ctrl, UARTCTRL); ++ /* re-enable the CTS if needed */ ++ lpuart32_write(&sport->port, modem, UARTMODIR); + + if (old && sport->lpuart_dma_rx_use) { + if (!lpuart_start_rx_dma(sport)) diff --git a/queue-5.10/usb-gadget-ncm-fix-handling-of-zero-block-length-packets.patch b/queue-5.10/usb-gadget-ncm-fix-handling-of-zero-block-length-packets.patch new file mode 100644 index 00000000000..7ca71cc3072 --- /dev/null +++ b/queue-5.10/usb-gadget-ncm-fix-handling-of-zero-block-length-packets.patch @@ -0,0 +1,63 @@ +From f90ce1e04cbcc76639d6cba0fdbd820cd80b3c70 Mon Sep 17 00:00:00 2001 +From: Krishna Kurapati +Date: Wed, 28 Feb 2024 17:24:41 +0530 +Subject: usb: gadget: ncm: Fix handling of zero block length packets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krishna Kurapati + +commit f90ce1e04cbcc76639d6cba0fdbd820cd80b3c70 upstream. + +While connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX +set to 65536, it has been observed that we receive short packets, +which come at interval of 5-10 seconds sometimes and have block +length zero but still contain 1-2 valid datagrams present. + +According to the NCM spec: + +"If wBlockLength = 0x0000, the block is terminated by a +short packet. In this case, the USB transfer must still +be shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If +exactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent, +and the size is a multiple of wMaxPacketSize for the +given pipe, then no ZLP shall be sent. + +wBlockLength= 0x0000 must be used with extreme care, because +of the possibility that the host and device may get out of +sync, and because of test issues. + +wBlockLength = 0x0000 allows the sender to reduce latency by +starting to send a very large NTB, and then shortening it when +the sender discovers that there’s not sufficient data to justify +sending a large NTB" + +However, there is a potential issue with the current implementation, +as it checks for the occurrence of multiple NTBs in a single +giveback by verifying if the leftover bytes to be processed is zero +or not. If the block length reads zero, we would process the same +NTB infintely because the leftover bytes is never zero and it leads +to a crash. Fix this by bailing out if block length reads zero. + +Cc: stable@vger.kernel.org +Fixes: 427694cfaafa ("usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call") +Signed-off-by: Krishna Kurapati +Reviewed-by: Maciej Żenczykowski +Link: https://lore.kernel.org/r/20240228115441.2105585-1-quic_kriskura@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_ncm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -1357,7 +1357,7 @@ parse_ntb: + if (to_process == 1 && + (*(unsigned char *)(ntb_ptr + block_len) == 0x00)) { + to_process--; +- } else if (to_process > 0) { ++ } else if ((to_process > 0) && (block_len != 0)) { + ntb_ptr = (unsigned char *)(ntb_ptr + block_len); + goto parse_ntb; + } diff --git a/queue-5.10/usb-port-don-t-try-to-peer-unused-usb-ports-based-on-location.patch b/queue-5.10/usb-port-don-t-try-to-peer-unused-usb-ports-based-on-location.patch new file mode 100644 index 00000000000..76258ca37f4 --- /dev/null +++ b/queue-5.10/usb-port-don-t-try-to-peer-unused-usb-ports-based-on-location.patch @@ -0,0 +1,59 @@ +From 69c63350e573367f9c8594162288cffa8a26d0d1 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Fri, 23 Feb 2024 01:33:43 +0200 +Subject: usb: port: Don't try to peer unused USB ports based on location + +From: Mathias Nyman + +commit 69c63350e573367f9c8594162288cffa8a26d0d1 upstream. + +Unused USB ports may have bogus location data in ACPI PLD tables. +This causes port peering failures as these unused USB2 and USB3 ports +location may match. + +Due to these failures the driver prints a +"usb: port power management may be unreliable" warning, and +unnecessarily blocks port power off during runtime suspend. + +This was debugged on a couple DELL systems where the unused ports +all returned zeroes in their location data. +Similar bugreports exist for other systems. + +Don't try to peer or match ports that have connect type set to +USB_PORT_NOT_USED. + +Fixes: 3bfd659baec8 ("usb: find internal hub tier mismatch via acpi") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218465 +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218486 +Tested-by: Paul Menzel +Link: https://lore.kernel.org/linux-usb/5406d361-f5b7-4309-b0e6-8c94408f7d75@molgen.mpg.de +Cc: stable@vger.kernel.org # v3.16+ +Signed-off-by: Mathias Nyman +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218490 +Link: https://lore.kernel.org/r/20240222233343.71856-1-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/port.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/usb/core/port.c ++++ b/drivers/usb/core/port.c +@@ -450,7 +450,7 @@ static int match_location(struct usb_dev + struct usb_hub *peer_hub = usb_hub_to_struct_hub(peer_hdev); + struct usb_device *hdev = to_usb_device(port_dev->dev.parent->parent); + +- if (!peer_hub) ++ if (!peer_hub || port_dev->connect_type == USB_PORT_NOT_USED) + return 0; + + hcd = bus_to_hcd(hdev->bus); +@@ -461,7 +461,8 @@ static int match_location(struct usb_dev + + for (port1 = 1; port1 <= peer_hdev->maxchild; port1++) { + peer = peer_hub->ports[port1 - 1]; +- if (peer && peer->location == port_dev->location) { ++ if (peer && peer->connect_type != USB_PORT_NOT_USED && ++ peer->location == port_dev->location) { + link_peers_report(port_dev, peer); + return 1; /* done */ + } diff --git a/queue-5.10/usb-usb-storage-prevent-divide-by-0-error-in-isd200_ata_command.patch b/queue-5.10/usb-usb-storage-prevent-divide-by-0-error-in-isd200_ata_command.patch new file mode 100644 index 00000000000..4843a7bf416 --- /dev/null +++ b/queue-5.10/usb-usb-storage-prevent-divide-by-0-error-in-isd200_ata_command.patch @@ -0,0 +1,101 @@ +From 014bcf41d946b36a8f0b8e9b5d9529efbb822f49 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Thu, 29 Feb 2024 14:30:06 -0500 +Subject: USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command + +From: Alan Stern + +commit 014bcf41d946b36a8f0b8e9b5d9529efbb822f49 upstream. + +The isd200 sub-driver in usb-storage uses the HEADS and SECTORS values +in the ATA ID information to calculate cylinder and head values when +creating a CDB for READ or WRITE commands. The calculation involves +division and modulus operations, which will cause a crash if either of +these values is 0. While this never happens with a genuine device, it +could happen with a flawed or subversive emulation, as reported by the +syzbot fuzzer. + +Protect against this possibility by refusing to bind to the device if +either the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID +information is 0. This requires isd200_Initialization() to return a +negative error code when initialization fails; currently it always +returns 0 (even when there is an error). + +Signed-off-by: Alan Stern +Reported-and-tested-by: syzbot+28748250ab47a8f04100@syzkaller.appspotmail.com +Link: https://lore.kernel.org/linux-usb/0000000000003eb868061245ba7f@google.com/ +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Reviewed-by: PrasannaKumar Muralidharan +Reviewed-by: Martin K. Petersen +Link: https://lore.kernel.org/r/b1e605ea-333f-4ac0-9511-da04f411763e@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/isd200.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +--- a/drivers/usb/storage/isd200.c ++++ b/drivers/usb/storage/isd200.c +@@ -1105,7 +1105,7 @@ static void isd200_dump_driveid(struct u + static int isd200_get_inquiry_data( struct us_data *us ) + { + struct isd200_info *info = (struct isd200_info *)us->extra; +- int retStatus = ISD200_GOOD; ++ int retStatus; + u16 *id = info->id; + + usb_stor_dbg(us, "Entering isd200_get_inquiry_data\n"); +@@ -1137,6 +1137,13 @@ static int isd200_get_inquiry_data( stru + isd200_fix_driveid(id); + isd200_dump_driveid(us, id); + ++ /* Prevent division by 0 in isd200_scsi_to_ata() */ ++ if (id[ATA_ID_HEADS] == 0 || id[ATA_ID_SECTORS] == 0) { ++ usb_stor_dbg(us, " Invalid ATA Identify data\n"); ++ retStatus = ISD200_ERROR; ++ goto Done; ++ } ++ + memset(&info->InquiryData, 0, sizeof(info->InquiryData)); + + /* Standard IDE interface only supports disks */ +@@ -1202,6 +1209,7 @@ static int isd200_get_inquiry_data( stru + } + } + ++ Done: + usb_stor_dbg(us, "Leaving isd200_get_inquiry_data %08X\n", retStatus); + + return(retStatus); +@@ -1481,22 +1489,27 @@ static int isd200_init_info(struct us_da + + static int isd200_Initialization(struct us_data *us) + { ++ int rc = 0; ++ + usb_stor_dbg(us, "ISD200 Initialization...\n"); + + /* Initialize ISD200 info struct */ + +- if (isd200_init_info(us) == ISD200_ERROR) { ++ if (isd200_init_info(us) < 0) { + usb_stor_dbg(us, "ERROR Initializing ISD200 Info struct\n"); ++ rc = -ENOMEM; + } else { + /* Get device specific data */ + +- if (isd200_get_inquiry_data(us) != ISD200_GOOD) ++ if (isd200_get_inquiry_data(us) != ISD200_GOOD) { + usb_stor_dbg(us, "ISD200 Initialization Failure\n"); +- else ++ rc = -EINVAL; ++ } else { + usb_stor_dbg(us, "ISD200 Initialization complete\n"); ++ } + } + +- return 0; ++ return rc; + } + + diff --git a/queue-5.10/vt-fix-unicode-buffer-corruption-when-deleting-characters.patch b/queue-5.10/vt-fix-unicode-buffer-corruption-when-deleting-characters.patch new file mode 100644 index 00000000000..2b06df85eb8 --- /dev/null +++ b/queue-5.10/vt-fix-unicode-buffer-corruption-when-deleting-characters.patch @@ -0,0 +1,34 @@ +From 1581dafaf0d34bc9c428a794a22110d7046d186d Mon Sep 17 00:00:00 2001 +From: Nicolas Pitre +Date: Thu, 29 Feb 2024 17:15:27 -0500 +Subject: vt: fix unicode buffer corruption when deleting characters + +From: Nicolas Pitre + +commit 1581dafaf0d34bc9c428a794a22110d7046d186d upstream. + +This is the same issue that was fixed for the VGA text buffer in commit +39cdb68c64d8 ("vt: fix memory overlapping when deleting chars in the +buffer"). The cure is also the same i.e. replace memcpy() with memmove() +due to the overlaping buffers. + +Signed-off-by: Nicolas Pitre +Fixes: 81732c3b2fed ("tty vt: Fix line garbage in virtual console on command line edition") +Cc: stable +Link: https://lore.kernel.org/r/sn184on2-3p0q-0qrq-0218-895349s4753o@syhkavp.arg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/vt/vt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -398,7 +398,7 @@ static void vc_uniscr_delete(struct vc_d + char32_t *ln = uniscr->lines[vc->state.y]; + unsigned int x = vc->state.x, cols = vc->vc_cols; + +- memcpy(&ln[x], &ln[x + nr], (cols - x - nr) * sizeof(*ln)); ++ memmove(&ln[x], &ln[x + nr], (cols - x - nr) * sizeof(*ln)); + memset32(&ln[cols - nr], ' ', nr); + } + } -- 2.47.3