From 7f996f1eceb3cc6a94413042acf9ae584a711135 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 21 Oct 2024 10:00:15 +0200 Subject: [PATCH] 6.11-stable patches added patches: bluetooth-btusb-fix-not-being-able-to-reconnect-after-suspend.patch bluetooth-btusb-fix-regression-with-fake-csr-controllers-0a12-0001.patch bluetooth-call-iso_exit-on-module-unload.patch bluetooth-iso-fix-multiple-init-when-debugfs-is-disabled.patch bluetooth-remove-debugfs-directory-on-module-init-failure.patch misc-microchip-pci1xxxx-add-support-for-nvmem_devid_auto-for-eeprom-device.patch misc-microchip-pci1xxxx-add-support-for-nvmem_devid_auto-for-otp-device.patch parport-proper-fix-for-array-out-of-bounds-access.patch serial-imx-update-mctrl-old_status-on-rtsd-interrupt.patch tty-n_gsm-fix-use-after-free-in-gsm_cleanup_mux.patch usb-dwc3-core-fix-system-suspend-on-ti-am62-platforms.patch usb-dwc3-wait-for-endxfer-completion-before-restoring-gusb2phycfg.patch usb-gadget-dummy-hcd-fix-task-hung-problem.patch usb-gadget-f_uac2-fix-return-value-for-uac2_attribute_string-store.patch usb-serial-option-add-support-for-quectel-eg916q-gl.patch usb-serial-option-add-telit-fn920c04-mbim-compositions.patch usb-typec-qcom-pmic-typec-fix-sink-status-being-overwritten-with-rp_def.patch vt-prevent-kernel-infoleak-in-con_font_get.patch x86-apic-always-explicitly-disarm-tsc-deadline-timer.patch x86-cpu-amd-only-apply-zenbleed-fix-for-zen2-during-late-microcode-load.patch x86-entry_32-clear-cpu-buffers-after-register-restore-in-nmi-return.patch x86-entry_32-do-not-clobber-user-eflags.zf.patch x86-resctrl-annotate-get_mem_config-functions-as-__init.patch xhci-fix-incorrect-stream-context-type-macro.patch xhci-mitigate-failed-set-dequeue-pointer-commands.patch xhci-tegra-fix-checked-usb2-port-number.patch --- ...eing-able-to-reconnect-after-suspend.patch | 70 ++++++++++ ...-with-fake-csr-controllers-0a12-0001.patch | 67 ++++++++++ ...tooth-call-iso_exit-on-module-unload.patch | 55 ++++++++ ...ltiple-init-when-debugfs-is-disabled.patch | 68 ++++++++++ 
...gfs-directory-on-module-init-failure.patch | 74 +++++++++++ ...r-nvmem_devid_auto-for-eeprom-device.patch | 32 +++++ ...-for-nvmem_devid_auto-for-otp-device.patch | 32 +++++ ...r-fix-for-array-out-of-bounds-access.patch | 105 +++++++++++++++ ...e-mctrl-old_status-on-rtsd-interrupt.patch | 83 ++++++++++++ queue-6.11/series | 26 ++++ ...ix-use-after-free-in-gsm_cleanup_mux.patch | 77 +++++++++++ ...-system-suspend-on-ti-am62-platforms.patch | 103 +++++++++++++++ ...pletion-before-restoring-gusb2phycfg.patch | 56 ++++++++ ...dget-dummy-hcd-fix-task-hung-problem.patch | 123 ++++++++++++++++++ ...alue-for-uac2_attribute_string-store.patch | 52 ++++++++ ...on-add-support-for-quectel-eg916q-gl.patch | 73 +++++++++++ ...add-telit-fn920c04-mbim-compositions.patch | 114 ++++++++++++++++ ...status-being-overwritten-with-rp_def.patch | 35 +++++ ...vent-kernel-infoleak-in-con_font_get.patch | 35 +++++ ...explicitly-disarm-tsc-deadline-timer.patch | 73 +++++++++++ ...-for-zen2-during-late-microcode-load.patch | 46 +++++++ ...after-register-restore-in-nmi-return.patch | 53 ++++++++ ...try_32-do-not-clobber-user-eflags.zf.patch | 46 +++++++ ...e-get_mem_config-functions-as-__init.patch | 60 +++++++++ ...-incorrect-stream-context-type-macro.patch | 44 +++++++ ...-failed-set-dequeue-pointer-commands.patch | 39 ++++++ ...i-tegra-fix-checked-usb2-port-number.patch | 52 ++++++++ 27 files changed, 1693 insertions(+) create mode 100644 queue-6.11/bluetooth-btusb-fix-not-being-able-to-reconnect-after-suspend.patch create mode 100644 queue-6.11/bluetooth-btusb-fix-regression-with-fake-csr-controllers-0a12-0001.patch create mode 100644 queue-6.11/bluetooth-call-iso_exit-on-module-unload.patch create mode 100644 queue-6.11/bluetooth-iso-fix-multiple-init-when-debugfs-is-disabled.patch create mode 100644 queue-6.11/bluetooth-remove-debugfs-directory-on-module-init-failure.patch create mode 100644 queue-6.11/misc-microchip-pci1xxxx-add-support-for-nvmem_devid_auto-for-eeprom-device.patch 
create mode 100644 queue-6.11/misc-microchip-pci1xxxx-add-support-for-nvmem_devid_auto-for-otp-device.patch create mode 100644 queue-6.11/parport-proper-fix-for-array-out-of-bounds-access.patch create mode 100644 queue-6.11/serial-imx-update-mctrl-old_status-on-rtsd-interrupt.patch create mode 100644 queue-6.11/tty-n_gsm-fix-use-after-free-in-gsm_cleanup_mux.patch create mode 100644 queue-6.11/usb-dwc3-core-fix-system-suspend-on-ti-am62-platforms.patch create mode 100644 queue-6.11/usb-dwc3-wait-for-endxfer-completion-before-restoring-gusb2phycfg.patch create mode 100644 queue-6.11/usb-gadget-dummy-hcd-fix-task-hung-problem.patch create mode 100644 queue-6.11/usb-gadget-f_uac2-fix-return-value-for-uac2_attribute_string-store.patch create mode 100644 queue-6.11/usb-serial-option-add-support-for-quectel-eg916q-gl.patch create mode 100644 queue-6.11/usb-serial-option-add-telit-fn920c04-mbim-compositions.patch create mode 100644 queue-6.11/usb-typec-qcom-pmic-typec-fix-sink-status-being-overwritten-with-rp_def.patch create mode 100644 queue-6.11/vt-prevent-kernel-infoleak-in-con_font_get.patch create mode 100644 queue-6.11/x86-apic-always-explicitly-disarm-tsc-deadline-timer.patch create mode 100644 queue-6.11/x86-cpu-amd-only-apply-zenbleed-fix-for-zen2-during-late-microcode-load.patch create mode 100644 queue-6.11/x86-entry_32-clear-cpu-buffers-after-register-restore-in-nmi-return.patch create mode 100644 queue-6.11/x86-entry_32-do-not-clobber-user-eflags.zf.patch create mode 100644 queue-6.11/x86-resctrl-annotate-get_mem_config-functions-as-__init.patch create mode 100644 queue-6.11/xhci-fix-incorrect-stream-context-type-macro.patch create mode 100644 queue-6.11/xhci-mitigate-failed-set-dequeue-pointer-commands.patch create mode 100644 queue-6.11/xhci-tegra-fix-checked-usb2-port-number.patch 
diff --git a/queue-6.11/bluetooth-btusb-fix-not-being-able-to-reconnect-after-suspend.patch b/queue-6.11/bluetooth-btusb-fix-not-being-able-to-reconnect-after-suspend.patch
new file mode 100644
index 00000000000..ca8f7c67341
--- /dev/null
+++ b/queue-6.11/bluetooth-btusb-fix-not-being-able-to-reconnect-after-suspend.patch
@@ -0,0 +1,70 @@ +From 4084286151fc91cd093578f615bfb68f9efbbfcb Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Mon, 14 Oct 2024 16:23:26 -0400 +Subject: Bluetooth: btusb: Fix not being able to reconnect after suspend + +From: Luiz Augusto von Dentz + +commit 4084286151fc91cd093578f615bfb68f9efbbfcb upstream. + +This partially reverts 81b3e33bb054 ("Bluetooth: btusb: Don't fail +external suspend requests") as it introduced a call to hci_suspend_dev +that assumes the system-suspend which doesn't work well when just the +device is being suspended because wakeup flag is only set for remote +devices that can wakeup the system. + +Reported-by: Rafael J. Wysocki +Reported-by: Heiner Kallweit +Reported-by: Kenneth Crudup +Fixes: 610712298b11 ("Bluetooth: btusb: Don't fail external suspend requests") +Signed-off-by: Luiz Augusto von Dentz +Tested-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 14 -------------- + 1 file changed, 14 deletions(-) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -4092,7 +4092,6 @@ static void btusb_disconnect(struct usb_ + static int btusb_suspend(struct usb_interface *intf, pm_message_t message) + { + struct btusb_data *data = usb_get_intfdata(intf); +- int err; + + BT_DBG("intf %p", intf); + +@@ -4105,16 +4104,6 @@ static int btusb_suspend(struct usb_inte + if (data->suspend_count++) + return 0; + +- /* Notify Host stack to suspend; this has to be done before stopping +- * the traffic since the hci_suspend_dev itself may generate some +- * traffic. 
+- */ +- err = hci_suspend_dev(data->hdev); +- if (err) { +- data->suspend_count--; +- return err; +- } +- + spin_lock_irq(&data->txlock); + if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) { + set_bit(BTUSB_SUSPENDING, &data->flags); +@@ -4122,7 +4111,6 @@ static int btusb_suspend(struct usb_inte + } else { + spin_unlock_irq(&data->txlock); + data->suspend_count--; +- hci_resume_dev(data->hdev); + return -EBUSY; + } + +@@ -4243,8 +4231,6 @@ static int btusb_resume(struct usb_inter + spin_unlock_irq(&data->txlock); + schedule_work(&data->work); + +- hci_resume_dev(data->hdev); +- + return 0; + + failed: diff --git a/queue-6.11/bluetooth-btusb-fix-regression-with-fake-csr-controllers-0a12-0001.patch b/queue-6.11/bluetooth-btusb-fix-regression-with-fake-csr-controllers-0a12-0001.patch new file mode 100644 index 00000000000..e189d853654 --- /dev/null +++ b/queue-6.11/bluetooth-btusb-fix-regression-with-fake-csr-controllers-0a12-0001.patch 
@@ -0,0 +1,67 @@ +From 2c1dda2acc4192d826e84008d963b528e24d12bc Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Wed, 16 Oct 2024 11:47:00 -0400 +Subject: Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luiz Augusto von Dentz + +commit 2c1dda2acc4192d826e84008d963b528e24d12bc upstream. + +Fake CSR controllers don't seem to handle short-transfer properly which +cause command to time out: + +kernel: usb 1-1: new full-speed USB device number 19 using xhci_hcd +kernel: usb 1-1: New USB device found, idVendor=0a12, idProduct=0001, bcdDevice=88.91 +kernel: usb 1-1: New USB device strings: Mfr=0, Product=2, SerialNumber=0 +kernel: usb 1-1: Product: BT DONGLE10 +... +Bluetooth: hci1: Opcode 0x1004 failed: -110 +kernel: Bluetooth: hci1: command 0x1004 tx timeout + +According to USB Spec 2.0 Section 5.7.3 Interrupt Transfer Packet Size +Constraints a interrupt transfer is considered complete when the size is 0 +(ZPL) or < wMaxPacketSize: + + 'When an interrupt transfer involves more data than can fit in one + data payload of the currently established maximum size, all data + payloads are required to be maximum-sized except for the last data + payload, which will contain the remaining data. 
An interrupt transfer + is complete when the endpoint does one of the following: + + • Has transferred exactly the amount of data expected + • Transfers a packet with a payload size less than wMaxPacketSize or + transfers a zero-length packet' + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219365 +Fixes: 7b05933340f4 ("Bluetooth: btusb: Fix not handling ZPL/short-transfer") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -1399,10 +1399,15 @@ static int btusb_submit_intr_urb(struct + if (!urb) + return -ENOMEM; + +- /* Use maximum HCI Event size so the USB stack handles +- * ZPL/short-transfer automatically. +- */ +- size = HCI_MAX_EVENT_SIZE; ++ if (le16_to_cpu(data->udev->descriptor.idVendor) == 0x0a12 && ++ le16_to_cpu(data->udev->descriptor.idProduct) == 0x0001) ++ /* Fake CSR devices don't seem to support sort-transter */ ++ size = le16_to_cpu(data->intr_ep->wMaxPacketSize); ++ else ++ /* Use maximum HCI Event size so the USB stack handles ++ * ZPL/short-transfer automatically. ++ */ ++ size = HCI_MAX_EVENT_SIZE; + + buf = kmalloc(size, mem_flags); + if (!buf) { diff --git a/queue-6.11/bluetooth-call-iso_exit-on-module-unload.patch b/queue-6.11/bluetooth-call-iso_exit-on-module-unload.patch new file mode 100644 index 00000000000..9c23475cb9f --- /dev/null +++ b/queue-6.11/bluetooth-call-iso_exit-on-module-unload.patch 
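Review bot: The comment on the fake-CSR branch added to btusb_submit_intr_urb() misspells the term it is explaining (`sort-transter`); it should read `/* Fake CSR devices don't seem to support short-transfer */` so that it matches the else branch and the commit message. Both arms of the new if/else hold a comment plus a statement without braces, and kernel coding style asks for braces once an arm spans more than one line. The buffer size on the quirk path now comes from `data->intr_ep->wMaxPacketSize`, a value reported by the device, and the hunk shows no lower bound on it before `kmalloc(size, mem_flags)`; presumably the endpoint is validated elsewhere, which is worth confirming. The function starts and ends outside the hunk.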
@@ -0,0 +1,55 @@ +From d458cd1221e9e56da3b2cc5518ad3225caa91f20 Mon Sep 17 00:00:00 2001 +From: Aaron Thompson +Date: Fri, 4 Oct 2024 23:04:09 +0000 +Subject: Bluetooth: Call iso_exit() on module unload + +From: Aaron Thompson + +commit d458cd1221e9e56da3b2cc5518ad3225caa91f20 upstream. + +If iso_init() has been called, iso_exit() must be called on module +unload. Without that, the struct proto that iso_init() registered with +proto_register() becomes invalid, which could cause unpredictable +problems later. In my case, with CONFIG_LIST_HARDENED and +CONFIG_BUG_ON_DATA_CORRUPTION enabled, loading the module again usually +triggers this BUG(): + + list_add corruption. next->prev should be prev (ffffffffb5355fd0), + but was 0000000000000068. (next=ffffffffc0a010d0). + ------------[ cut here ]------------ + kernel BUG at lib/list_debug.c:29! + Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI + CPU: 1 PID: 4159 Comm: modprobe Not tainted 6.10.11-4+bt2-ao-desktop #1 + RIP: 0010:__list_add_valid_or_report+0x61/0xa0 + ... + __list_add_valid_or_report+0x61/0xa0 + proto_register+0x299/0x320 + hci_sock_init+0x16/0xc0 [bluetooth] + bt_init+0x68/0xd0 [bluetooth] + __pfx_bt_init+0x10/0x10 [bluetooth] + do_one_initcall+0x80/0x2f0 + do_init_module+0x8b/0x230 + __do_sys_init_module+0x15f/0x190 + do_syscall_64+0x68/0x110 + ... + +Cc: stable@vger.kernel.org +Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type") +Signed-off-by: Aaron Thompson +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/af_bluetooth.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/bluetooth/af_bluetooth.c ++++ b/net/bluetooth/af_bluetooth.c +@@ -830,6 +830,8 @@ cleanup_led: + + static void __exit bt_exit(void) + { ++ iso_exit(); ++ + mgmt_exit(); + + sco_exit(); 
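Review bot: `iso_exit()` is added to bt_exit() unconditionally, while the commit message states the requirement only for the case where iso_init() has been called, and nothing in the hunk shows that iso_exit() is a no-op when ISO was never initialised. If it guards itself (the companion ISO patch on this page mentions an `iso_inited` flag), a one-line comment above the call such as `/* iso_exit() returns early if iso_init() never ran */` would record that assumption for the next reader. bt_exit() continues past the end of the hunk.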
diff --git a/queue-6.11/bluetooth-iso-fix-multiple-init-when-debugfs-is-disabled.patch b/queue-6.11/bluetooth-iso-fix-multiple-init-when-debugfs-is-disabled.patch
new file mode 100644
index 00000000000..679a1a2a023
--- /dev/null
+++ b/queue-6.11/bluetooth-iso-fix-multiple-init-when-debugfs-is-disabled.patch
@@ -0,0 +1,68 @@ +From a9b7b535ba192c6b77e6c15a4c82d853163eab8c Mon Sep 17 00:00:00 2001 +From: Aaron Thompson +Date: Fri, 4 Oct 2024 23:04:08 +0000 +Subject: Bluetooth: ISO: Fix multiple init when debugfs is disabled + +From: Aaron Thompson + +commit a9b7b535ba192c6b77e6c15a4c82d853163eab8c upstream. + +If bt_debugfs is not created successfully, which happens if either +CONFIG_DEBUG_FS or CONFIG_DEBUG_FS_ALLOW_ALL is unset, then iso_init() +returns early and does not set iso_inited to true. This means that a +subsequent call to iso_init() will result in duplicate calls to +proto_register(), bt_sock_register(), etc. + +With CONFIG_LIST_HARDENED and CONFIG_BUG_ON_DATA_CORRUPTION enabled, the +duplicate call to proto_register() triggers this BUG(): + + list_add double add: new=ffffffffc0b280d0, prev=ffffffffbab56250, + next=ffffffffc0b280d0. + ------------[ cut here ]------------ + kernel BUG at lib/list_debug.c:35! + Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI + CPU: 2 PID: 887 Comm: bluetoothd Not tainted 6.10.11-1-ao-desktop #1 + RIP: 0010:__list_add_valid_or_report+0x9a/0xa0 + ... + __list_add_valid_or_report+0x9a/0xa0 + proto_register+0x2b5/0x340 + iso_init+0x23/0x150 [bluetooth] + set_iso_socket_func+0x68/0x1b0 [bluetooth] + kmem_cache_free+0x308/0x330 + hci_sock_sendmsg+0x990/0x9e0 [bluetooth] + __sock_sendmsg+0x7b/0x80 + sock_write_iter+0x9a/0x110 + do_iter_readv_writev+0x11d/0x220 + vfs_writev+0x180/0x3e0 + do_writev+0xca/0x100 + ... + +This change removes the early return. The check for iso_debugfs being +NULL was unnecessary, it is always NULL when iso_inited is false. 
+ +Cc: stable@vger.kernel.org +Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type") +Signed-off-by: Aaron Thompson +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/iso.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -2301,13 +2301,9 @@ int iso_init(void) + + hci_register_cb(&iso_cb); + +- if (IS_ERR_OR_NULL(bt_debugfs)) +- return 0; +- +- if (!iso_debugfs) { ++ if (!IS_ERR_OR_NULL(bt_debugfs)) + iso_debugfs = debugfs_create_file("iso", 0444, bt_debugfs, + NULL, &iso_debugfs_fops); +- } + + iso_inited = true; + diff --git a/queue-6.11/bluetooth-remove-debugfs-directory-on-module-init-failure.patch b/queue-6.11/bluetooth-remove-debugfs-directory-on-module-init-failure.patch new file mode 100644 index 00000000000..353a5fe4ea2 --- /dev/null +++ b/queue-6.11/bluetooth-remove-debugfs-directory-on-module-init-failure.patch 
@@ -0,0 +1,74 @@ +From 1db4564f101b47188c1b71696bd342ef09172b22 Mon Sep 17 00:00:00 2001 +From: Aaron Thompson +Date: Fri, 4 Oct 2024 23:04:10 +0000 +Subject: Bluetooth: Remove debugfs directory on module init failure + +From: Aaron Thompson + +commit 1db4564f101b47188c1b71696bd342ef09172b22 upstream. + +If bt_init() fails, the debugfs directory currently is not removed. If +the module is loaded again after that, the debugfs directory is not set +up properly due to the existing directory. + + # modprobe bluetooth + # ls -laF /sys/kernel/debug/bluetooth + total 0 + drwxr-xr-x 2 root root 0 Sep 27 14:26 ./ + drwx------ 31 root root 0 Sep 27 14:25 ../ + -r--r--r-- 1 root root 0 Sep 27 14:26 l2cap + -r--r--r-- 1 root root 0 Sep 27 14:26 sco + # modprobe -r bluetooth + # ls -laF /sys/kernel/debug/bluetooth + ls: cannot access '/sys/kernel/debug/bluetooth': No such file or directory + # + + # modprobe bluetooth + modprobe: ERROR: could not insert 'bluetooth': Invalid argument + # dmesg | tail -n 6 + Bluetooth: Core ver 2.22 + NET: Registered PF_BLUETOOTH protocol family + Bluetooth: HCI device and connection manager initialized + Bluetooth: HCI socket layer initialized + Bluetooth: Faking l2cap_init() failure for testing + NET: Unregistered PF_BLUETOOTH protocol family + # ls -laF /sys/kernel/debug/bluetooth + total 0 + drwxr-xr-x 2 root root 0 Sep 27 14:31 ./ + drwx------ 31 root root 0 Sep 27 14:26 ../ + # + + # modprobe bluetooth + # dmesg | tail -n 7 + Bluetooth: Core ver 2.22 + debugfs: Directory 'bluetooth' with parent '/' already present! 
+ NET: Registered PF_BLUETOOTH protocol family + Bluetooth: HCI device and connection manager initialized + Bluetooth: HCI socket layer initialized + Bluetooth: L2CAP socket layer initialized + Bluetooth: SCO socket layer initialized + # ls -laF /sys/kernel/debug/bluetooth + total 0 + drwxr-xr-x 2 root root 0 Sep 27 14:31 ./ + drwx------ 31 root root 0 Sep 27 14:26 ../ + # + +Cc: stable@vger.kernel.org +Fixes: ffcecac6a738 ("Bluetooth: Create root debugfs directory during module init") +Signed-off-by: Aaron Thompson +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/af_bluetooth.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/bluetooth/af_bluetooth.c ++++ b/net/bluetooth/af_bluetooth.c +@@ -825,6 +825,7 @@ cleanup_sysfs: + bt_sysfs_cleanup(); + cleanup_led: + bt_leds_cleanup(); ++ debugfs_remove_recursive(bt_debugfs); + return err; + } + diff --git a/queue-6.11/misc-microchip-pci1xxxx-add-support-for-nvmem_devid_auto-for-eeprom-device.patch b/queue-6.11/misc-microchip-pci1xxxx-add-support-for-nvmem_devid_auto-for-eeprom-device.patch new file mode 100644 index 00000000000..f6892a77989 --- /dev/null +++ b/queue-6.11/misc-microchip-pci1xxxx-add-support-for-nvmem_devid_auto-for-eeprom-device.patch 
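Review bot: After the added `debugfs_remove_recursive(bt_debugfs);` in the bt_init() error path, `bt_debugfs` still holds the pointer to the removed directory. With a modular build the variable disappears together with the failed load, but in a built-in configuration any later code that tests it (the ISO patch on this page checks `IS_ERR_OR_NULL(bt_debugfs)`) would presumably see a stale non-NULL value. Adding `bt_debugfs = NULL;` right after the removal would rule that out. bt_init() starts outside the hunk, so whether any user of the pointer can still run after a failed init needs to be confirmed against the full file.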
@@ -0,0 +1,32 @@ +From 3c2d73de49be528276474c1a53f78b38ee11c1fa Mon Sep 17 00:00:00 2001 +From: Heiko Thiery +Date: Mon, 7 Oct 2024 09:11:20 +0200 +Subject: misc: microchip: pci1xxxx: add support for NVMEM_DEVID_AUTO for EEPROM device + +From: Heiko Thiery + +commit 3c2d73de49be528276474c1a53f78b38ee11c1fa upstream. + +By using NVMEM_DEVID_AUTO we support more than 1 device and +automatically enumerate. + +Fixes: 9ab5465349c0 ("misc: microchip: pci1xxxx: Add support to read and write into PCI1XXXX EEPROM via NVMEM sysfs") +Cc: stable@vger.kernel.org +Signed-off-by: Heiko Thiery +Reviewed-by: Michael Walle +Link: https://lore.kernel.org/r/20241007071120.9522-1-heiko.thiery@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_otpe2p.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_otpe2p.c ++++ b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_otpe2p.c +@@ -364,6 +364,7 @@ static int pci1xxxx_otp_eeprom_probe(str + if (is_eeprom_responsive(priv)) { + priv->nvmem_config_eeprom.type = NVMEM_TYPE_EEPROM; + priv->nvmem_config_eeprom.name = EEPROM_NAME; ++ priv->nvmem_config_eeprom.id = NVMEM_DEVID_AUTO; + priv->nvmem_config_eeprom.dev = &aux_dev->dev; + priv->nvmem_config_eeprom.owner = THIS_MODULE; + priv->nvmem_config_eeprom.reg_read = pci1xxxx_eeprom_read; diff --git a/queue-6.11/misc-microchip-pci1xxxx-add-support-for-nvmem_devid_auto-for-otp-device.patch b/queue-6.11/misc-microchip-pci1xxxx-add-support-for-nvmem_devid_auto-for-otp-device.patch new file mode 100644 index 00000000000..009fd9e7e7e --- /dev/null +++ b/queue-6.11/misc-microchip-pci1xxxx-add-support-for-nvmem_devid_auto-for-otp-device.patch 
@@ -0,0 +1,32 @@ +From 2471787c1f0dae6721f60ab44be37460635d3732 Mon Sep 17 00:00:00 2001 +From: Heiko Thiery +Date: Mon, 7 Oct 2024 09:11:22 +0200 +Subject: misc: microchip: pci1xxxx: add support for NVMEM_DEVID_AUTO for OTP device + +From: Heiko Thiery + +commit 2471787c1f0dae6721f60ab44be37460635d3732 upstream. + +By using NVMEM_DEVID_AUTO we support more than 1 device and +automatically enumerate. + +Fixes: 0969001569e4 ("misc: microchip: pci1xxxx: Add support to read and write into PCI1XXXX OTP via NVMEM sysfs") +Cc: stable@vger.kernel.org +Signed-off-by: Heiko Thiery +Reviewed-by: Michael Walle +Link: https://lore.kernel.org/r/20241007071120.9522-2-heiko.thiery@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_otpe2p.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_otpe2p.c ++++ b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_otpe2p.c +@@ -384,6 +384,7 @@ static int pci1xxxx_otp_eeprom_probe(str + + priv->nvmem_config_otp.type = NVMEM_TYPE_OTP; + priv->nvmem_config_otp.name = OTP_NAME; ++ priv->nvmem_config_otp.id = NVMEM_DEVID_AUTO; + priv->nvmem_config_otp.dev = &aux_dev->dev; + priv->nvmem_config_otp.owner = THIS_MODULE; + priv->nvmem_config_otp.reg_read = pci1xxxx_otp_read; diff --git a/queue-6.11/parport-proper-fix-for-array-out-of-bounds-access.patch b/queue-6.11/parport-proper-fix-for-array-out-of-bounds-access.patch new file mode 100644 index 00000000000..9b45381bf0c --- /dev/null +++ b/queue-6.11/parport-proper-fix-for-array-out-of-bounds-access.patch 
@@ -0,0 +1,105 @@ +From 02ac3a9ef3a18b58d8f3ea2b6e46de657bf6c4f9 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 20 Sep 2024 12:32:19 +0200 +Subject: parport: Proper fix for array out-of-bounds access + +From: Takashi Iwai + +commit 02ac3a9ef3a18b58d8f3ea2b6e46de657bf6c4f9 upstream. + +The recent fix for array out-of-bounds accesses replaced sprintf() +calls blindly with snprintf(). However, since snprintf() returns the +would-be-printed size, not the actually output size, the length +calculation can still go over the given limit. + +Use scnprintf() instead of snprintf(), which returns the actually +output letters, for addressing the potential out-of-bounds access +properly. + +Fixes: ab11dac93d2d ("dev/parport: fix the array out-of-bounds risk") +Cc: stable@vger.kernel.org +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20240920103318.19271-1-tiwai@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/parport/procfs.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/drivers/parport/procfs.c ++++ b/drivers/parport/procfs.c +@@ -51,12 +51,12 @@ static int do_active_device(const struct + + for (dev = port->devices; dev ; dev = dev->next) { + if(dev == port->cad) { +- len += snprintf(buffer, sizeof(buffer), "%s\n", dev->name); ++ len += scnprintf(buffer, sizeof(buffer), "%s\n", dev->name); + } + } + + if(!len) { +- len += snprintf(buffer, sizeof(buffer), "%s\n", "none"); ++ len += scnprintf(buffer, sizeof(buffer), "%s\n", "none"); + } + + if (len > *lenp) +@@ -87,19 +87,19 @@ static int do_autoprobe(const struct ctl + } + + if ((str = info->class_name) != NULL) +- len += snprintf (buffer + len, sizeof(buffer) - len, "CLASS:%s;\n", str); ++ len += scnprintf (buffer + len, sizeof(buffer) - len, "CLASS:%s;\n", str); + + if ((str = info->model) != NULL) +- len += snprintf (buffer + len, sizeof(buffer) - len, "MODEL:%s;\n", str); ++ len += scnprintf (buffer + len, sizeof(buffer) - len, "MODEL:%s;\n", str); 
+ + if ((str = info->mfr) != NULL) +- len += snprintf (buffer + len, sizeof(buffer) - len, "MANUFACTURER:%s;\n", str); ++ len += scnprintf (buffer + len, sizeof(buffer) - len, "MANUFACTURER:%s;\n", str); + + if ((str = info->description) != NULL) +- len += snprintf (buffer + len, sizeof(buffer) - len, "DESCRIPTION:%s;\n", str); ++ len += scnprintf (buffer + len, sizeof(buffer) - len, "DESCRIPTION:%s;\n", str); + + if ((str = info->cmdset) != NULL) +- len += snprintf (buffer + len, sizeof(buffer) - len, "COMMAND SET:%s;\n", str); ++ len += scnprintf (buffer + len, sizeof(buffer) - len, "COMMAND SET:%s;\n", str); + + if (len > *lenp) + len = *lenp; +@@ -128,7 +128,7 @@ static int do_hardware_base_addr(const s + if (write) /* permissions prevent this anyway */ + return -EACCES; + +- len += snprintf (buffer, sizeof(buffer), "%lu\t%lu\n", port->base, port->base_hi); ++ len += scnprintf (buffer, sizeof(buffer), "%lu\t%lu\n", port->base, port->base_hi); + + if (len > *lenp) + len = *lenp; +@@ -155,7 +155,7 @@ static int do_hardware_irq(const struct + if (write) /* permissions prevent this anyway */ + return -EACCES; + +- len += snprintf (buffer, sizeof(buffer), "%d\n", port->irq); ++ len += scnprintf (buffer, sizeof(buffer), "%d\n", port->irq); + + if (len > *lenp) + len = *lenp; +@@ -182,7 +182,7 @@ static int do_hardware_dma(const struct + if (write) /* permissions prevent this anyway */ + return -EACCES; + +- len += snprintf (buffer, sizeof(buffer), "%d\n", port->dma); ++ len += scnprintf (buffer, sizeof(buffer), "%d\n", port->dma); + + if (len > *lenp) + len = *lenp; +@@ -213,7 +213,7 @@ static int do_hardware_modes(const struc + #define printmode(x) \ + do { \ + if (port->modes & PARPORT_MODE_##x) \ +- len += snprintf(buffer + len, sizeof(buffer) - len, "%s%s", f++ ? "," : "", #x); \ ++ len += scnprintf(buffer + len, sizeof(buffer) - len, "%s%s", f++ ? "," : "", #x); \ + } while (0) + int f = 0; + printmode(PCSPP); 
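Review bot: In do_active_device() the two converted calls still write at the start of the buffer (`scnprintf(buffer, sizeof(buffer), ...)`) while accumulating with `len +=`, unlike do_autoprobe() and the printmode() macro, which pass `buffer + len` and `sizeof(buffer) - len`. That is harmless as long as at most one device in the list equals `port->cad`, but if the loop body ever ran twice `len` would count both writes while the buffer holds only the last one, and the later `len > *lenp` clamp would not bring it back under `sizeof(buffer)`. Writing `len = scnprintf(buffer, sizeof(buffer), "%s\n", dev->name);`, or using the offset form from do_autoprobe(), keeps the length and the contents in step. do_hardware_base_addr(), do_hardware_irq() and do_hardware_dma() use the same `len +=` on a start-of-buffer write, where `len` presumably starts at 0; all of these function bodies extend outside the hunks.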
diff --git a/queue-6.11/serial-imx-update-mctrl-old_status-on-rtsd-interrupt.patch b/queue-6.11/serial-imx-update-mctrl-old_status-on-rtsd-interrupt.patch new file mode 100644 index 00000000000..18f1c286454 --- /dev/null +++ b/queue-6.11/serial-imx-update-mctrl-old_status-on-rtsd-interrupt.patch 
@@ -0,0 +1,83 @@ +From 40d7903386df4d18f04d90510ba90eedee260085 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Wed, 2 Oct 2024 20:40:38 +0200 +Subject: serial: imx: Update mctrl old_status on RTSD interrupt + +From: Marek Vasut + +commit 40d7903386df4d18f04d90510ba90eedee260085 upstream. + +When sending data using DMA at high baudrate (4 Mbdps in local test case) to +a device with small RX buffer which keeps asserting RTS after every received +byte, it is possible that the iMX UART driver would not recognize the falling +edge of RTS input signal and get stuck, unable to transmit any more data. + +This condition happens when the following sequence of events occur: +- imx_uart_mctrl_check() is called at some point and takes a snapshot of UART + control signal status into sport->old_status using imx_uart_get_hwmctrl(). + The RTSS/TIOCM_CTS bit is of interest here (*). +- DMA transfer occurs, the remote device asserts RTS signal after each byte. + The i.MX UART driver recognizes each such RTS signal change, raises an + interrupt with USR1 register RTSD bit set, which leads to invocation of + __imx_uart_rtsint(), which calls uart_handle_cts_change(). + - If the RTS signal is deasserted, uart_handle_cts_change() clears + port->hw_stopped and unblocks the port for further data transfers. + - If the RTS is asserted, uart_handle_cts_change() sets port->hw_stopped + and blocks the port for further data transfers. This may occur as the + last interrupt of a transfer, which means port->hw_stopped remains set + and the port remains blocked (**). +- Any further data transfer attempts will trigger imx_uart_mctrl_check(), + which will read current status of UART control signals by calling + imx_uart_get_hwmctrl() (***) and compare it with sport->old_status . + - If current status differs from sport->old_status for RTS signal, + uart_handle_cts_change() is called and possibly unblocks the port + by clearing port->hw_stopped . 
+ - If current status does not differ from sport->old_status for RTS + signal, no action occurs. This may occur in case prior snapshot (*) + was taken before any transfer so the RTS is deasserted, current + snapshot (***) was taken after a transfer and therefore RTS is + deasserted again, which means current status and sport->old_status + are identical. In case (**) triggered when RTS got asserted, and + made port->hw_stopped set, the port->hw_stopped will remain set + because no change on RTS line is recognized by this driver and + uart_handle_cts_change() is not called from here to unblock the + port->hw_stopped. + +Update sport->old_status in __imx_uart_rtsint() accordingly to make +imx_uart_mctrl_check() detect such RTS change. Note that TIOCM_CAR +and TIOCM_RI bits in sport->old_status do not suffer from this problem. + +Fixes: ceca629e0b48 ("[ARM] 2971/1: i.MX uart handle rts irq") +Cc: stable +Reviewed-by: Esben Haabendal +Signed-off-by: Marek Vasut +Link: https://lore.kernel.org/r/20241002184133.19427-1-marex@denx.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/imx.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -762,6 +762,21 @@ static irqreturn_t __imx_uart_rtsint(int + + imx_uart_writel(sport, USR1_RTSD, USR1); + usr1 = imx_uart_readl(sport, USR1) & USR1_RTSS; ++ /* ++ * Update sport->old_status here, so any follow-up calls to ++ * imx_uart_mctrl_check() will be able to recognize that RTS ++ * state changed since last imx_uart_mctrl_check() call. ++ * ++ * In case RTS has been detected as asserted here and later on ++ * deasserted by the time imx_uart_mctrl_check() was called, ++ * imx_uart_mctrl_check() can detect the RTS state change and ++ * trigger uart_handle_cts_change() to unblock the port for ++ * further TX transfers. 
++ */ ++ if (usr1 & USR1_RTSS) ++ sport->old_status |= TIOCM_CTS; ++ else ++ sport->old_status &= ~TIOCM_CTS; + uart_handle_cts_change(&sport->port, usr1); + wake_up_interruptible(&sport->port.state->port.delta_msr_wait); + diff --git a/queue-6.11/series b/queue-6.11/series index 54487055af7..1ed6552b93b 100644 --- a/queue-6.11/series +++ b/queue-6.11/series 
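Review bot: `sport->old_status` is now written from the RTS interrupt path in __imx_uart_rtsint() and, according to the commit message, is also read and compared in imx_uart_mctrl_check(), yet the hunk does not show which lock covers either access. A short comment stating that both run under the port lock, if that is the case, would make the new read-modify-write on `old_status` reviewable on its own. As a smaller point, the test `if (usr1 & USR1_RTSS)` re-applies the mask already applied by `usr1 = imx_uart_readl(sport, USR1) & USR1_RTSS;`, so `if (usr1)` expresses the same condition. The function starts and ends outside the hunk.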
@@ -91,3 +91,29 @@ iio-adc-ti-ads124s08-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch
 iio-resolver-ad2s1210-add-missing-select-triggered_-buffer-in-kconfig.patch
 iio-adc-ad7944-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch
 iio-accel-kx022a-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch
+bluetooth-call-iso_exit-on-module-unload.patch
+bluetooth-remove-debugfs-directory-on-module-init-failure.patch
+bluetooth-iso-fix-multiple-init-when-debugfs-is-disabled.patch
+bluetooth-btusb-fix-not-being-able-to-reconnect-after-suspend.patch
+bluetooth-btusb-fix-regression-with-fake-csr-controllers-0a12-0001.patch
+vt-prevent-kernel-infoleak-in-con_font_get.patch
+xhci-tegra-fix-checked-usb2-port-number.patch
+xhci-fix-incorrect-stream-context-type-macro.patch
+xhci-mitigate-failed-set-dequeue-pointer-commands.patch
+usb-serial-option-add-support-for-quectel-eg916q-gl.patch
+usb-serial-option-add-telit-fn920c04-mbim-compositions.patch
+usb-typec-qcom-pmic-typec-fix-sink-status-being-overwritten-with-rp_def.patch
+usb-gadget-dummy-hcd-fix-task-hung-problem.patch
+usb-gadget-f_uac2-fix-return-value-for-uac2_attribute_string-store.patch
+usb-dwc3-wait-for-endxfer-completion-before-restoring-gusb2phycfg.patch
+usb-dwc3-core-fix-system-suspend-on-ti-am62-platforms.patch
+misc-microchip-pci1xxxx-add-support-for-nvmem_devid_auto-for-eeprom-device.patch
+misc-microchip-pci1xxxx-add-support-for-nvmem_devid_auto-for-otp-device.patch
+serial-imx-update-mctrl-old_status-on-rtsd-interrupt.patch
+parport-proper-fix-for-array-out-of-bounds-access.patch
+x86-resctrl-annotate-get_mem_config-functions-as-__init.patch
+x86-apic-always-explicitly-disarm-tsc-deadline-timer.patch
+x86-cpu-amd-only-apply-zenbleed-fix-for-zen2-during-late-microcode-load.patch
+x86-entry_32-do-not-clobber-user-eflags.zf.patch
+x86-entry_32-clear-cpu-buffers-after-register-restore-in-nmi-return.patch
+tty-n_gsm-fix-use-after-free-in-gsm_cleanup_mux.patch
diff --git a/queue-6.11/tty-n_gsm-fix-use-after-free-in-gsm_cleanup_mux.patch b/queue-6.11/tty-n_gsm-fix-use-after-free-in-gsm_cleanup_mux.patch
new file mode 100644
index 00000000000..c6abcc6548b
--- /dev/null
+++ b/queue-6.11/tty-n_gsm-fix-use-after-free-in-gsm_cleanup_mux.patch
@@ -0,0 +1,77 @@
+From 9462f4ca56e7d2430fdb6dcc8498244acbfc4489 Mon Sep 17 00:00:00 2001
+From: Longlong Xia
+Date: Thu, 26 Sep 2024 21:02:13 +0800
+Subject: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux
+
+From: Longlong Xia
+
+commit 9462f4ca56e7d2430fdb6dcc8498244acbfc4489 upstream.
+
+BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0
+drivers/tty/n_gsm.c:3160 [n_gsm]
+Read of size 8 at addr ffff88815fe99c00 by task poc/3379
+CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56
+Hardware name: VMware, Inc. VMware Virtual Platform/440BX
+Desktop Reference Platform, BIOS 6.00 11/12/2020
+Call Trace:
+
+ gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]
+ __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm]
+ __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389
+ update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500
+ __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846
+ __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161
+ gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]
+ _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107
+ __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm]
+ ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195
+ ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79
+ __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338
+ __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805
+ tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818
+
+Allocated by task 65:
+ gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm]
+ gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm]
+ gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm]
+ gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm]
+ tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391
+ tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39
+ flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445
+ process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229
+ worker_thread+0x3dc/0x950 kernel/workqueue.c:3391
+ kthread+0x2a3/0x370 kernel/kthread.c:389
+ ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257
+
+Freed by task 3367:
+ kfree+0x126/0x420 mm/slub.c:4580
+ gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]
+ gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]
+ tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818
+
+[Analysis]
+gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux
+can be freed by multi threads through ioctl,which leads
+to the occurrence of uaf. Protect it by gsm tx lock.
+
+Signed-off-by: Longlong Xia
+Cc: stable
+Suggested-by: Jiri Slaby
+Link: https://lore.kernel.org/r/20240926130213.531959-1-xialonglong@kylinos.cn
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/n_gsm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -3157,6 +3157,8 @@ static void gsm_cleanup_mux(struct gsm_m
+ mutex_unlock(&gsm->mutex);
+ /* Now wipe the queues */
+ tty_ldisc_flush(gsm->tty);
++
++ guard(spinlock_irqsave)(&gsm->tx_lock);
+ list_for_each_entry_safe(txq, ntxq, &gsm->tx_ctrl_list, list)
+ kfree(txq);
+ INIT_LIST_HEAD(&gsm->tx_ctrl_list);
diff --git a/queue-6.11/usb-dwc3-core-fix-system-suspend-on-ti-am62-platforms.patch b/queue-6.11/usb-dwc3-core-fix-system-suspend-on-ti-am62-platforms.patch
new file mode 100644
index 00000000000..1b1055367b9
--- /dev/null
+++ b/queue-6.11/usb-dwc3-core-fix-system-suspend-on-ti-am62-platforms.patch
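Review bot: The added `guard(spinlock_irqsave)(&gsm->tx_lock);` in gsm_cleanup_mux() carries no comment, and its extent is implicit: a scope-based guard keeps tx_lock held with interrupts disabled from that line until the enclosing block ends, which here looks like the rest of the function rather than just the list wipes. gsm_cleanup_mux() continues past the end of the hunk, so whether anything later in the function may sleep cannot be confirmed from the lines shown. I would either add a comment such as `/* tx_lock: another ioctl may free entries on tx_ctrl_list/tx_data_list concurrently; held to end of function */`, or wrap only the list wipes in `scoped_guard(spinlock_irqsave, &gsm->tx_lock) { ... }` so the protected region is explicit.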
@@ -0,0 +1,103 @@
+From 705e3ce37bccdf2ed6f848356ff355f480d51a91 Mon Sep 17 00:00:00 2001
+From: Roger Quadros
+Date: Fri, 11 Oct 2024 13:53:24 +0300
+Subject: usb: dwc3: core: Fix system suspend on TI AM62 platforms
+
+From: Roger Quadros
+
+commit 705e3ce37bccdf2ed6f848356ff355f480d51a91 upstream.
+
+Since commit 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init"),
+system suspend is broken on AM62 TI platforms.
+
+Before that commit, both DWC3_GUSB3PIPECTL_SUSPHY and DWC3_GUSB2PHYCFG_SUSPHY
+bits (hence forth called 2 SUSPHY bits) were being set during core
+initialization and even during core re-initialization after a system
+suspend/resume.
+
+These bits are required to be set for system suspend/resume to work correctly
+on AM62 platforms.
+
+Since that commit, the 2 SUSPHY bits are not set for DEVICE/OTG mode if gadget
+driver is not loaded and started.
+For Host mode, the 2 SUSPHY bits are set before the first system suspend but
+get cleared at system resume during core re-init and are never set again.
+
+This patch resovles these two issues by ensuring the 2 SUSPHY bits are set
+before system suspend and restored to the original state during system resume.
+
+Cc: stable@vger.kernel.org # v6.9+
+Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init")
+Link: https://lore.kernel.org/all/1519dbe7-73b6-4afc-bfe3-23f4f75d772f@kernel.org/
+Signed-off-by: Roger Quadros
+Acked-by: Thinh Nguyen
+Tested-by: Markus Schneider-Pargmann
+Reviewed-by: Dhruva Gole
+Link: https://lore.kernel.org/r/20241011-am62-lpm-usb-v3-1-562d445625b5@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/core.c | 19 +++++++++++++++++++
+ drivers/usb/dwc3/core.h | 3 +++
+ 2 files changed, 22 insertions(+)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -2342,6 +2342,11 @@ static int dwc3_suspend_common(struct dw
+ u32 reg;
+ int i;
+
++ dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) &
++ DWC3_GUSB2PHYCFG_SUSPHY) ||
++ (dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0)) &
++ DWC3_GUSB3PIPECTL_SUSPHY);
++
+ switch (dwc->current_dr_role) {
+ case DWC3_GCTL_PRTCAP_DEVICE:
+ if (pm_runtime_suspended(dwc->dev))
+@@ -2393,6 +2398,15 @@ static int dwc3_suspend_common(struct dw
+ break;
+ }
+
++ if (!PMSG_IS_AUTO(msg)) {
++ /*
++ * TI AM62 platform requires SUSPHY to be
++ * enabled for system suspend to work.
++ */
++ if (!dwc->susphy_state)
++ dwc3_enable_susphy(dwc, true);
++ }
++
+ return 0;
+ }
+
+@@ -2460,6 +2474,11 @@ static int dwc3_resume_common(struct dwc
+ break;
+ }
+
++ if (!PMSG_IS_AUTO(msg)) {
++ /* restore SUSPHY state to that before system suspend. */
++ dwc3_enable_susphy(dwc, dwc->susphy_state);
++ }
++
+ return 0;
+ }
+
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -1150,6 +1150,8 @@ struct dwc3_scratchpad_array {
+ * @sys_wakeup: set if the device may do system wakeup.
+ * @wakeup_configured: set if the device is configured for remote wakeup.
+ * @suspended: set to track suspend event due to U3/L2.
++ * @susphy_state: state of DWC3_GUSB2PHYCFG_SUSPHY + DWC3_GUSB3PIPECTL_SUSPHY
++ * before PM suspend.
+ * @imod_interval: set the interrupt moderation interval in 250ns
+ * increments or 0 to disable.
+ * @max_cfg_eps: current max number of IN eps used across all USB configs.
+@@ -1382,6 +1384,7 @@ struct dwc3 {
+ unsigned sys_wakeup:1;
+ unsigned wakeup_configured:1;
+ unsigned suspended:1;
++ unsigned susphy_state:1;
+
+ u16 imod_interval;
+
diff --git a/queue-6.11/usb-dwc3-wait-for-endxfer-completion-before-restoring-gusb2phycfg.patch b/queue-6.11/usb-dwc3-wait-for-endxfer-completion-before-restoring-gusb2phycfg.patch
new file mode 100644
index 00000000000..8787080fd8a
--- /dev/null
+++ b/queue-6.11/usb-dwc3-wait-for-endxfer-completion-before-restoring-gusb2phycfg.patch
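Review bot: The new `dwc->susphy_state = ...` snapshot at the top of dwc3_suspend_common() reads GUSB2PHYCFG and GUSB3PIPECTL before the `pm_runtime_suspended(dwc->dev)` check visible in the context lines just below it, so it appears to touch controller registers even when the device is already runtime-suspended, which may fault on platforms that gate the register clocks in that state. Consider taking the snapshot only under `if (!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg))` and leaving susphy_state untouched otherwise. Separately, the flag is the OR of two independent bits but resume restores it through a single `dwc3_enable_susphy(dwc, dwc->susphy_state)`, so a state with only one bit set presumably comes back with both set; the @susphy_state kernel-doc should say that. Both functions extend beyond the hunks shown.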
@@ -0,0 +1,56 @@
+From c96e31252110a84dcc44412e8a7b456b33c3e298 Mon Sep 17 00:00:00 2001
+From: Prashanth K
+Date: Tue, 24 Sep 2024 15:02:08 +0530
+Subject: usb: dwc3: Wait for EndXfer completion before restoring GUSB2PHYCFG
+
+From: Prashanth K
+
+commit c96e31252110a84dcc44412e8a7b456b33c3e298 upstream.
+
+DWC3 programming guide mentions that when operating in USB2.0 speeds,
+if GUSB2PHYCFG[6] or GUSB2PHYCFG[8] is set, it must be cleared prior
+to issuing commands and may be set again after the command completes.
+But currently while issuing EndXfer command without CmdIOC set, we
+wait for 1ms after GUSB2PHYCFG is restored. This results in cases
+where EndXfer command doesn't get completed and causes SMMU faults
+since requests are unmapped afterwards. Hence restore GUSB2PHYCFG
+after waiting for EndXfer command completion.
+
+Cc: stable@vger.kernel.org
+Fixes: 1d26ba0944d3 ("usb: dwc3: Wait unconditionally after issuing EndXfer command")
+Signed-off-by: Prashanth K
+Acked-by: Thinh Nguyen
+Link: https://lore.kernel.org/r/20240924093208.2524531-1-quic_prashk@quicinc.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/gadget.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -438,6 +438,10 @@ skip_status:
+ dwc3_gadget_ep_get_transfer_index(dep);
+ }
+
++ if (DWC3_DEPCMD_CMD(cmd) == DWC3_DEPCMD_ENDTRANSFER &&
++ !(cmd & DWC3_DEPCMD_CMDIOC))
++ mdelay(1);
++
+ if (saved_config) {
+ reg = dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0));
+ reg |= saved_config;
+@@ -1715,12 +1719,10 @@ static int __dwc3_stop_active_transfer(s
+ WARN_ON_ONCE(ret);
+ dep->resource_index = 0;
+
+- if (!interrupt) {
+- mdelay(1);
++ if (!interrupt)
+ dep->flags &= ~DWC3_EP_TRANSFER_STARTED;
+- } else if (!ret) {
++ else if (!ret)
+ dep->flags |= DWC3_EP_END_TRANSFER_PENDING;
+- }
+
+ dep->flags &= ~DWC3_EP_DELAY_STOP;
+ return ret;
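Review bot: The `mdelay(1)` added in the first inner hunk, just before the `if (saved_config)` restore, has no comment even though its position relative to that restore is the whole fix. It is also still a fixed 1 ms busy-wait rather than a check that EndXfer actually completed, which the subject line could be read as promising. I would add a comment above it, for example `/* EndXfer without CmdIOC raises no completion event: wait before GUSB2PHYCFG is restored below */`. The enclosing function starts and ends outside the hunk.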
diff --git a/queue-6.11/usb-gadget-dummy-hcd-fix-task-hung-problem.patch b/queue-6.11/usb-gadget-dummy-hcd-fix-task-hung-problem.patch
new file mode 100644
index 00000000000..7ae53cd56b1
--- /dev/null
+++ b/queue-6.11/usb-gadget-dummy-hcd-fix-task-hung-problem.patch
@@ -0,0 +1,123 @@
+From 5189df7b8088268012882c220d6aca4e64981348 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Wed, 16 Oct 2024 11:44:45 -0400
+Subject: USB: gadget: dummy-hcd: Fix "task hung" problem
+
+From: Alan Stern
+
+commit 5189df7b8088268012882c220d6aca4e64981348 upstream.
+
+The syzbot fuzzer has been encountering "task hung" problems ever
+since the dummy-hcd driver was changed to use hrtimers instead of
+regular timers. It turns out that the problems are caused by a subtle
+difference between the timer_pending() and hrtimer_active() APIs.
+
+The changeover blindly replaced the first by the second. However,
+timer_pending() returns True when the timer is queued but not when its
+callback is running, whereas hrtimer_active() returns True when the
+hrtimer is queued _or_ its callback is running. This difference
+occasionally caused dummy_urb_enqueue() to think that the callback
+routine had not yet started when in fact it was almost finished. As a
+result the hrtimer was not restarted, which made it impossible for the
+driver to dequeue later the URB that was just enqueued. This caused
+usb_kill_urb() to hang, and things got worse from there.
+
+Since hrtimers have no API for telling when they are queued and the
+callback isn't running, the driver must keep track of this for itself.
+That's what this patch does, adding a new "timer_pending" flag and
+setting or clearing it at the appropriate times.
+
+Reported-by: syzbot+f342ea16c9d06d80b585@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-usb/6709234e.050a0220.3e960.0011.GAE@google.com/
+Tested-by: syzbot+f342ea16c9d06d80b585@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern
+Fixes: a7f3813e589f ("usb: gadget: dummy_hcd: Switch to hrtimer transfer scheduler")
+Cc: Marcello Sylvester Bauer
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/2dab644e-ef87-4de8-ac9a-26f100b2c609@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/udc/dummy_hcd.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/dummy_hcd.c b/drivers/usb/gadget/udc/dummy_hcd.c
+index 8820d9924448..081ac7683c0b 100644
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -254,6 +254,7 @@ struct dummy_hcd {
+ u32 stream_en_ep;
+ u8 num_stream[30 / 2];
+
++ unsigned timer_pending:1;
+ unsigned active:1;
+ unsigned old_active:1;
+ unsigned resuming:1;
+@@ -1303,9 +1304,11 @@ static int dummy_urb_enqueue(
+ urb->error_count = 1; /* mark as a new urb */
+
+ /* kick the scheduler, it'll do the rest */
+- if (!hrtimer_active(&dum_hcd->timer))
++ if (!dum_hcd->timer_pending) {
++ dum_hcd->timer_pending = 1;
+ hrtimer_start(&dum_hcd->timer, ns_to_ktime(DUMMY_TIMER_INT_NSECS),
+ HRTIMER_MODE_REL_SOFT);
++ }
+
+ done:
+ spin_unlock_irqrestore(&dum_hcd->dum->lock, flags);
+@@ -1324,9 +1327,10 @@ static int dummy_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
+ spin_lock_irqsave(&dum_hcd->dum->lock, flags);
+
+ rc = usb_hcd_check_unlink_urb(hcd, urb, status);
+- if (!rc && dum_hcd->rh_state != DUMMY_RH_RUNNING &&
+- !list_empty(&dum_hcd->urbp_list))
++ if (rc == 0 && !dum_hcd->timer_pending) {
++ dum_hcd->timer_pending = 1;
+ hrtimer_start(&dum_hcd->timer, ns_to_ktime(0), HRTIMER_MODE_REL_SOFT);
++ }
+
+ spin_unlock_irqrestore(&dum_hcd->dum->lock, flags);
+ return rc;
+@@ -1813,6 +1817,7 @@ static enum hrtimer_restart dummy_timer(struct hrtimer *t)
+
+ /* look at each urb queued by the host side driver */
+ spin_lock_irqsave(&dum->lock, flags);
++ dum_hcd->timer_pending = 0;
+
+ if (!dum_hcd->udev) {
+ dev_err(dummy_dev(dum_hcd),
+@@ -1994,8 +1999,10 @@ static enum hrtimer_restart dummy_timer(struct hrtimer *t)
+ if (list_empty(&dum_hcd->urbp_list)) {
+ usb_put_dev(dum_hcd->udev);
+ dum_hcd->udev = NULL;
+- } else if (dum_hcd->rh_state == DUMMY_RH_RUNNING) {
++ } else if (!dum_hcd->timer_pending &&
++ dum_hcd->rh_state == DUMMY_RH_RUNNING) {
+ /* want a 1 msec delay here */
++ dum_hcd->timer_pending = 1;
+ hrtimer_start(&dum_hcd->timer, ns_to_ktime(DUMMY_TIMER_INT_NSECS),
+ HRTIMER_MODE_REL_SOFT);
+ }
+@@ -2390,8 +2397,10 @@ static int dummy_bus_resume(struct usb_hcd *hcd)
+ } else {
+ dum_hcd->rh_state = DUMMY_RH_RUNNING;
+ set_link_state(dum_hcd);
+- if (!list_empty(&dum_hcd->urbp_list))
++ if (!list_empty(&dum_hcd->urbp_list)) {
++ dum_hcd->timer_pending = 1;
+ hrtimer_start(&dum_hcd->timer, ns_to_ktime(0), HRTIMER_MODE_REL_SOFT);
++ }
+ hcd->state = HC_STATE_RUNNING;
+ }
+ spin_unlock_irq(&dum_hcd->dum->lock);
+@@ -2522,6 +2531,7 @@ static void dummy_stop(struct usb_hcd *hcd)
+ struct dummy_hcd *dum_hcd = hcd_to_dummy_hcd(hcd);
+
+ hrtimer_cancel(&dum_hcd->timer);
++ dum_hcd->timer_pending = 0;
+ device_remove_file(dummy_dev(dum_hcd), &dev_attr_urbs);
+ dev_info(dummy_dev(dum_hcd), "stopped\n");
+ }
+--
+2.47.0
+
diff --git a/queue-6.11/usb-gadget-f_uac2-fix-return-value-for-uac2_attribute_string-store.patch b/queue-6.11/usb-gadget-f_uac2-fix-return-value-for-uac2_attribute_string-store.patch
new file mode 100644
index 00000000000..a1df86233ce
--- /dev/null
+++ b/queue-6.11/usb-gadget-f_uac2-fix-return-value-for-uac2_attribute_string-store.patch
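Review bot: In dummy_stop() the new `dum_hcd->timer_pending = 0;` is written without dum->lock, while every other write to the flag in this patch (enqueue, dequeue, dummy_timer, bus_resume) happens with the lock held. timer_pending is a one-bit field declared next to `active`, `old_active` and `resuming`, so an unlocked store is a read-modify-write of the shared storage unit and could, in principle, lose a concurrent update to a neighbouring bit. If nothing else can run against the hcd at this point, a comment saying so would do; otherwise wrap the store as `spin_lock_irq(&dum_hcd->dum->lock); dum_hcd->timer_pending = 0; spin_unlock_irq(&dum_hcd->dum->lock);`. Whether dummy_stop() can race with the other paths is not visible from the hunk.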
@@ -0,0 +1,52 @@
+From 9499327714de7bc5cf6c792112c1474932d8ad31 Mon Sep 17 00:00:00 2001
+From: Kevin Groeneveld
+Date: Sun, 6 Oct 2024 19:26:31 -0400
+Subject: usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store
+
+From: Kevin Groeneveld
+
+commit 9499327714de7bc5cf6c792112c1474932d8ad31 upstream.
+
+The configfs store callback should return the number of bytes consumed
+not the total number of bytes we actually stored. These could differ if
+for example the passed in string had a newline we did not store.
+
+If the returned value does not match the number of bytes written the
+writer might assume a failure or keep trying to write the remaining bytes.
+
+For example the following command will hang trying to write the final
+newline over and over again (tested on bash 2.05b):
+
+ echo foo > function_name
+
+Fixes: 993a44fa85c1 ("usb: gadget: f_uac2: allow changing interface name via configfs")
+Cc: stable
+Signed-off-by: Kevin Groeneveld
+Link: https://lore.kernel.org/r/20241006232637.4267-1-kgroeneveld@lenbrook.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_uac2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -2055,7 +2055,7 @@ static ssize_t f_uac2_opts_##name##_stor
+ const char *page, size_t len) \
+ { \
+ struct f_uac2_opts *opts = to_f_uac2_opts(item); \
+- int ret = 0; \
++ int ret = len; \
+ \
+ mutex_lock(&opts->lock); \
+ if (opts->refcnt) { \
+@@ -2066,8 +2066,8 @@ static ssize_t f_uac2_opts_##name##_stor
+ if (len && page[len - 1] == '\n') \
+ len--; \
+ \
+- ret = scnprintf(opts->name, min(sizeof(opts->name), len + 1), \
+- "%s", page); \
++ scnprintf(opts->name, min(sizeof(opts->name), len + 1), \
++ "%s", page); \
+ \
+ end: \
+ mutex_unlock(&opts->lock); \
diff --git a/queue-6.11/usb-serial-option-add-support-for-quectel-eg916q-gl.patch b/queue-6.11/usb-serial-option-add-support-for-quectel-eg916q-gl.patch
new file mode 100644
index 00000000000..9a46d01ce35
--- /dev/null
+++ b/queue-6.11/usb-serial-option-add-support-for-quectel-eg916q-gl.patch
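Review bot: `int ret = len;` in the store macro narrows a size_t into an int inside a function declared to return ssize_t; `ssize_t ret = len;` would match the return type and drop the implicit conversion. Note also that `scnprintf(opts->name, min(sizeof(opts->name), len + 1), ...)` shortens input longer than the field while the callback now reports the full length as consumed, so an over-long name is stored truncated without any error; if that is intended, a one-line comment at the scnprintf() call should say so. The macro body starts and ends outside the two inner hunks.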
diff --git a/queue-6.11/usb-serial-option-add-support-for-quectel-eg916q-gl.patch b/queue-6.11/usb-serial-option-add-support-for-quectel-eg916q-gl.patch new file mode 100644 index 00000000000..9a46d01ce35 --- /dev/null +++ b/queue-6.11/usb-serial-option-add-support-for-quectel-eg916q-gl.patch 
@@ -0,0 +1,73 @@ +From 540eff5d7faf0c9330ec762da49df453263f7676 Mon Sep 17 00:00:00 2001 +From: "Benjamin B. Frost" +Date: Wed, 11 Sep 2024 10:54:05 +0200 +Subject: USB: serial: option: add support for Quectel EG916Q-GL + +From: Benjamin B. Frost + +commit 540eff5d7faf0c9330ec762da49df453263f7676 upstream. + +Add Quectel EM916Q-GL with product ID 0x6007 + +T: Bus=01 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=2c7c ProdID=6007 Rev= 2.00 +S: Manufacturer=Quectel +S: Product=EG916Q-GL +C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=200mA +A: FirstIf#= 4 IfCount= 2 Cls=02(comm.) Sub=06 Prot=00 +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=82(I) Atr=03(Int.) MxPS= 16 Ivl=32ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=84(I) Atr=03(Int.) MxPS= 16 Ivl=32ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=86(I) Atr=03(Int.) MxPS= 16 Ivl=32ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=06 Prot=00 Driver=cdc_ether +E: Ad=88(I) Atr=03(Int.) MxPS= 32 Ivl=32ms +I: If#= 5 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether +I:* If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +MI_00 Quectel USB Diag Port +MI_01 Quectel USB NMEA Port +MI_02 Quectel USB AT Port +MI_03 Quectel USB Modem Port +MI_04 Quectel USB Net Port + +Signed-off-by: Benjamin B. 
Frost +Reviewed-by: Lars Melin +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -279,6 +279,7 @@ static void option_instat_callback(struc + #define QUECTEL_PRODUCT_EG912Y 0x6001 + #define QUECTEL_PRODUCT_EC200S_CN 0x6002 + #define QUECTEL_PRODUCT_EC200A 0x6005 ++#define QUECTEL_PRODUCT_EG916Q 0x6007 + #define QUECTEL_PRODUCT_EM061K_LWW 0x6008 + #define QUECTEL_PRODUCT_EM061K_LCN 0x6009 + #define QUECTEL_PRODUCT_EC200T 0x6026 +@@ -1270,6 +1271,7 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200S_CN, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200T, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG912Y, 0xff, 0, 0) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG916Q, 0xff, 0x00, 0x00) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500K, 0xff, 0x00, 0x00) }, + + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) }, diff --git a/queue-6.11/usb-serial-option-add-telit-fn920c04-mbim-compositions.patch b/queue-6.11/usb-serial-option-add-telit-fn920c04-mbim-compositions.patch new file mode 100644 index 00000000000..9662725f5bd --- /dev/null +++ b/queue-6.11/usb-serial-option-add-telit-fn920c04-mbim-compositions.patch 
@@ -0,0 +1,114 @@ +From 6d951576ee16430822a8dee1e5c54d160e1de87d Mon Sep 17 00:00:00 2001 +From: Daniele Palmas +Date: Thu, 3 Oct 2024 11:38:08 +0200 +Subject: USB: serial: option: add Telit FN920C04 MBIM compositions + +From: Daniele Palmas + +commit 6d951576ee16430822a8dee1e5c54d160e1de87d upstream. + +Add the following Telit FN920C04 compositions: + +0x10a2: MBIM + tty (AT/NMEA) + tty (AT) + tty (diag) +T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 17 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10a2 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN920 +S: SerialNumber=92c4c4d8 +C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10a7: MBIM + tty (AT) + tty (AT) + tty (diag) +T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 18 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10a7 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN920 +S: SerialNumber=92c4c4d8 +C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=82(I) Atr=03(Int.) 
MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10aa: MBIM + tty (AT) + tty (diag) + DPL (data packet logging) + adb +T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 15 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10aa Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN920 +S: SerialNumber=92c4c4d8 +C: #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) 
Sub=42 Prot=01 Driver=(none) +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Daniele Palmas +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1382,10 +1382,16 @@ static const struct usb_device_id option + .driver_info = NCTRL(0) | RSVD(1) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a0, 0xff), /* Telit FN20C04 (rmnet) */ + .driver_info = RSVD(0) | NCTRL(3) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a2, 0xff), /* Telit FN920C04 (MBIM) */ ++ .driver_info = NCTRL(4) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a4, 0xff), /* Telit FN20C04 (rmnet) */ + .driver_info = RSVD(0) | NCTRL(3) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a7, 0xff), /* Telit FN920C04 (MBIM) */ ++ .driver_info = NCTRL(4) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a9, 0xff), /* Telit FN20C04 (rmnet) */ + .driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10aa, 0xff), /* Telit FN920C04 (MBIM) */ ++ .driver_info = NCTRL(3) | RSVD(4) | RSVD(5) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910), + .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM), diff --git a/queue-6.11/usb-typec-qcom-pmic-typec-fix-sink-status-being-overwritten-with-rp_def.patch b/queue-6.11/usb-typec-qcom-pmic-typec-fix-sink-status-being-overwritten-with-rp_def.patch new file mode 100644 index 00000000000..69ea8d5f539 --- /dev/null +++ b/queue-6.11/usb-typec-qcom-pmic-typec-fix-sink-status-being-overwritten-with-rp_def.patch 
@@ -0,0 +1,35 @@
+From ffe85c24d7ca5de7d57690c0ab194b3838674935 Mon Sep 17 00:00:00 2001
+From: Jonathan Marek
+Date: Sat, 5 Oct 2024 10:41:46 -0400
+Subject: usb: typec: qcom-pmic-typec: fix sink status being overwritten with RP_DEF
+
+From: Jonathan Marek
+
+commit ffe85c24d7ca5de7d57690c0ab194b3838674935 upstream.
+
+This line is overwriting the result of the above switch-case.
+
+This fixes the tcpm driver getting stuck in a "Sink TX No Go" loop.
+
+Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
+Cc: stable
+Signed-off-by: Jonathan Marek
+Acked-by: Bryan O'Donoghue
+Reviewed-by: Heikki Krogerus
+Reviewed-by: Dmitry Baryshkov
+Link: https://lore.kernel.org/r/20241005144146.2345-1-jonathan@marek.ca
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_port.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_port.c
++++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_port.c
+@@ -432,7 +432,6 @@ static int qcom_pmic_typec_port_get_cc(s
+ val = TYPEC_CC_RP_DEF;
+ break;
+ }
+- val = TYPEC_CC_RP_DEF;
+ }
+
+ if (misc & CC_ORIENTATION)
diff --git a/queue-6.11/vt-prevent-kernel-infoleak-in-con_font_get.patch b/queue-6.11/vt-prevent-kernel-infoleak-in-con_font_get.patch
new file mode 100644
index 00000000000..b8c4c8959c9
--- /dev/null
+++ b/queue-6.11/vt-prevent-kernel-infoleak-in-con_font_get.patch
@@ -0,0 +1,35 @@
+From f956052e00de211b5c9ebaa1958366c23f82ee9e Mon Sep 17 00:00:00 2001
+From: Jeongjun Park
+Date: Fri, 11 Oct 2024 02:46:19 +0900
+Subject: vt: prevent kernel-infoleak in con_font_get()
+
+From: Jeongjun Park
+
+commit f956052e00de211b5c9ebaa1958366c23f82ee9e upstream.
+
+font.data may not initialize all memory spaces depending on the implementation
+of vc->vc_sw->con_font_get. This may cause info-leak, so to prevent this, it
+is safest to modify it to initialize the allocated memory space to 0, and it
+generally does not affect the overall performance of the system.
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+955da2d57931604ee691@syzkaller.appspotmail.com
+Fixes: 05e2600cb0a4 ("VT: Bump font size limitation to 64x128 pixels")
+Signed-off-by: Jeongjun Park
+Link: https://lore.kernel.org/r/20241010174619.59662-1-aha310510@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/vt/vt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -4726,7 +4726,7 @@ static int con_font_get(struct vc_data *
+ return -EINVAL;
+
+ if (op->data) {
+- font.data = kvmalloc(max_font_size, GFP_KERNEL);
++ font.data = kvzalloc(max_font_size, GFP_KERNEL);
+ if (!font.data)
+ return -ENOMEM;
+ } else
diff --git a/queue-6.11/x86-apic-always-explicitly-disarm-tsc-deadline-timer.patch b/queue-6.11/x86-apic-always-explicitly-disarm-tsc-deadline-timer.patch
new file mode 100644
index 00000000000..36d8b957589
--- /dev/null
+++ b/queue-6.11/x86-apic-always-explicitly-disarm-tsc-deadline-timer.patch
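Review bot: The switch to `kvzalloc()` in con_font_get() is the entire infoleak fix, yet nothing at the call site says the zeroing is load-bearing, so a later cleanup could quietly turn it back into kvmalloc(). I would add a comment above the allocation such as `/* must be zeroed: the console driver's con_font_get may not fill all of max_font_size, and the buffer is handed back to the caller */`. The code that copies the buffer out is outside the hunk, so the wording about it should be confirmed against the rest of the function.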
@@ -0,0 +1,73 @@
+From ffd95846c6ec6cf1f93da411ea10d504036cab42 Mon Sep 17 00:00:00 2001
+From: Zhang Rui
+Date: Tue, 15 Oct 2024 14:15:22 +0800
+Subject: x86/apic: Always explicitly disarm TSC-deadline timer
+
+From: Zhang Rui
+
+commit ffd95846c6ec6cf1f93da411ea10d504036cab42 upstream.
+
+New processors have become pickier about the local APIC timer state
+before entering low power modes. These low power modes are used (for
+example) when you close your laptop lid and suspend. If you put your
+laptop in a bag and it is not in this low power mode, it is likely
+to get quite toasty while it quickly sucks the battery dry.
+
+The problem boils down to some CPUs' inability to power down until the
+CPU recognizes that the local APIC timer is shut down. The current
+kernel code works in one-shot and periodic modes but does not work for
+deadline mode. Deadline mode has been the supported and preferred mode
+on Intel CPUs for over a decade and uses an MSR to drive the timer
+instead of an APIC register.
+
+Disable the TSC Deadline timer in lapic_timer_shutdown() by writing to
+MSR_IA32_TSC_DEADLINE when in TSC-deadline mode. Also avoid writing
+to the initial-count register (APIC_TMICT) which is ignored in
+TSC-deadline mode.
+
+Note: The APIC_LVTT|=APIC_LVT_MASKED operation should theoretically be
+enough to tell the hardware that the timer will not fire in any of the
+timer modes. But mitigating AMD erratum 411[1] also requires clearing
+out APIC_TMICT. Solely setting APIC_LVT_MASKED is also ineffective in
+practice on Intel Lunar Lake systems, which is the motivation for this
+change.
+
+1.
411 Processor May Exit Message-Triggered C1E State Without an Interrupt if Local APIC Timer Reaches Zero - https://www.amd.com/content/dam/amd/en/documents/archived-tech-docs/revision-guides/41322_10h_Rev_Gd.pdf
+
+Fixes: 279f1461432c ("x86: apic: Use tsc deadline for oneshot when available")
+Suggested-by: Dave Hansen
+Signed-off-by: Zhang Rui
+Signed-off-by: Dave Hansen
+Reviewed-by: Rafael J. Wysocki
+Tested-by: Srinivas Pandruvada
+Tested-by: Todd Brandt
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20241015061522.25288-1-rui.zhang%40intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/apic/apic.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -440,7 +440,19 @@ static int lapic_timer_shutdown(struct c
+ v = apic_read(APIC_LVTT);
+ v |= (APIC_LVT_MASKED | LOCAL_TIMER_VECTOR);
+ apic_write(APIC_LVTT, v);
+- apic_write(APIC_TMICT, 0);
++
++ /*
++ * Setting APIC_LVT_MASKED (above) should be enough to tell
++ * the hardware that this timer will never fire. But AMD
++ * erratum 411 and some Intel CPU behavior circa 2024 say
++ * otherwise. Time for belt and suspenders programming: mask
++ * the timer _and_ zero the counter registers:
++ */
++ if (v & APIC_LVT_TIMER_TSCDEADLINE)
++ wrmsrl(MSR_IA32_TSC_DEADLINE, 0);
++ else
++ apic_write(APIC_TMICT, 0);
++
+ return 0;
+ }
+
diff --git a/queue-6.11/x86-cpu-amd-only-apply-zenbleed-fix-for-zen2-during-late-microcode-load.patch b/queue-6.11/x86-cpu-amd-only-apply-zenbleed-fix-for-zen2-during-late-microcode-load.patch
new file mode 100644
index 00000000000..47e6240a6a4
--- /dev/null
+++ b/queue-6.11/x86-cpu-amd-only-apply-zenbleed-fix-for-zen2-during-late-microcode-load.patch
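Review bot: The new comment in `lapic_timer_shutdown()` says to "zero the counter registers", but the branch under it zeroes exactly one of two different things depending on the timer mode, and the comment does not say why the two are exclusive. The commit message has the missing fact (writes to `APIC_TMICT` are ignored in TSC-deadline mode); one more comment line would carry it: `* In TSC-deadline mode APIC_TMICT is ignored, so clear MSR_IA32_TSC_DEADLINE instead.` The start of the function is outside the hunk.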
@@ -0,0 +1,46 @@
+From ee4d4e8d2c3bec6ee652599ab31991055a72c322 Mon Sep 17 00:00:00 2001
+From: John Allen
+Date: Mon, 23 Sep 2024 16:44:04 +0000
+Subject: x86/CPU/AMD: Only apply Zenbleed fix for Zen2 during late microcode load
+
+From: John Allen
+
+commit ee4d4e8d2c3bec6ee652599ab31991055a72c322 upstream.
+
+Commit
+
+ f69759be251d ("x86/CPU/AMD: Move Zenbleed check to the Zen2 init function")
+
+causes a bit in the DE_CFG MSR to get set erroneously after a microcode late
+load.
+
+The microcode late load path calls into amd_check_microcode() and subsequently
+zen2_zenbleed_check(). Since the above commit removes the cpu_has_amd_erratum()
+call from zen2_zenbleed_check(), this will cause all non-Zen2 CPUs to go
+through the function and set the bit in the DE_CFG MSR.
+
+Call into the Zenbleed fix path on Zen2 CPUs only.
+
+ [ bp: Massage commit message, use cpu_feature_enabled(). ]
+
+Fixes: f69759be251d ("x86/CPU/AMD: Move Zenbleed check to the Zen2 init function")
+Signed-off-by: John Allen
+Signed-off-by: Borislav Petkov (AMD)
+Acked-by: Borislav Petkov (AMD)
+Cc:
+Link: https://lore.kernel.org/r/20240923164404.27227-1-john.allen@amd.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/cpu/amd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1218,5 +1218,6 @@ void amd_check_microcode(void)
+ if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD)
+ return;
+
+- on_each_cpu(zenbleed_check_cpu, NULL, 1);
++ if (cpu_feature_enabled(X86_FEATURE_ZEN2))
++ on_each_cpu(zenbleed_check_cpu, NULL, 1);
+ }
diff --git a/queue-6.11/x86-entry_32-clear-cpu-buffers-after-register-restore-in-nmi-return.patch b/queue-6.11/x86-entry_32-clear-cpu-buffers-after-register-restore-in-nmi-return.patch
new file mode 100644
index 00000000000..ddcc8a78be6
--- /dev/null
+++ b/queue-6.11/x86-entry_32-clear-cpu-buffers-after-register-restore-in-nmi-return.patch
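Review bot: The `X86_FEATURE_ZEN2` guard added in `amd_check_microcode()` has no comment, and nothing at the call site says that the Zenbleed path no longer filters by CPU model itself. Per the commit message, that filter (`cpu_has_amd_erratum()` in `zen2_zenbleed_check()`) was removed by f69759be251d, which is how the DE_CFG bit came to be set on non-Zen2 parts after a late microcode load. I would add `/* Zenbleed applies to Zen2 only; the callee does not re-check the CPU model */` above the `if`. The body of `zenbleed_check_cpu` is not in this hunk, so that wording should be confirmed against it.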
@@ -0,0 +1,53 @@
+From 48a2440d0f20c826b884e04377ccc1e4696c84e9 Mon Sep 17 00:00:00 2001
+From: Pawan Gupta
+Date: Wed, 25 Sep 2024 15:25:44 -0700
+Subject: x86/entry_32: Clear CPU buffers after register restore in NMI return
+
+From: Pawan Gupta
+
+commit 48a2440d0f20c826b884e04377ccc1e4696c84e9 upstream.
+
+CPU buffers are currently cleared after call to exc_nmi, but before
+register state is restored. This may be okay for MDS mitigation but not for
+RDFS. Because RDFS mitigation requires CPU buffers to be cleared when
+registers don't have any sensitive data.
+
+Move CLEAR_CPU_BUFFERS after RESTORE_ALL_NMI.
+
+Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition")
+Suggested-by: Dave Hansen
+Signed-off-by: Pawan Gupta
+Signed-off-by: Dave Hansen
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20240925-fix-dosemu-vm86-v7-2-1de0daca2d42%40linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/entry/entry_32.S | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/entry/entry_32.S
++++ b/arch/x86/entry/entry_32.S
+@@ -1145,7 +1145,6 @@ SYM_CODE_START(asm_exc_nmi)
+
+ /* Not on SYSENTER stack. */
+ call exc_nmi
+- CLEAR_CPU_BUFFERS
+ jmp .Lnmi_return
+
+ .Lnmi_from_sysenter_stack:
+@@ -1166,6 +1165,7 @@ SYM_CODE_START(asm_exc_nmi)
+
+ CHECK_AND_APPLY_ESPFIX
+ RESTORE_ALL_NMI cr3_reg=%edi pop=4
++ CLEAR_CPU_BUFFERS
+ jmp .Lirq_return
+
+ #ifdef CONFIG_X86_ESPFIX32
+@@ -1207,6 +1207,7 @@ SYM_CODE_START(asm_exc_nmi)
+ * 1 - orig_ax
+ */
+ lss (1+5+6)*4(%esp), %esp # back to espfix stack
++ CLEAR_CPU_BUFFERS
+ jmp .Lirq_return
+ #endif
+ SYM_CODE_END(asm_exc_nmi)
diff --git a/queue-6.11/x86-entry_32-do-not-clobber-user-eflags.zf.patch b/queue-6.11/x86-entry_32-do-not-clobber-user-eflags.zf.patch
new file mode 100644
index 00000000000..5c74265f6b8
--- /dev/null
+++ b/queue-6.11/x86-entry_32-do-not-clobber-user-eflags.zf.patch
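Review bot: Neither of the two `CLEAR_CPU_BUFFERS` sites added in `asm_exc_nmi` (after `RESTORE_ALL_NMI`, and after the `lss` on the espfix path) records the ordering rule this patch exists to enforce. The commit message states it: the buffers have to be cleared once the registers no longer hold sensitive data, which means after the restore. A comment at each site, for example `/* must follow the register restore: clear only once no kernel values remain in registers */`, would keep a later reshuffle from moving the macro back in front of the restore. The sibling patch in this queue notes that the macro clobbers ZF; both new sites are followed by `jmp .Lirq_return`, and whether the flags are reloaded on that path is not visible in these hunks.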
@@ -0,0 +1,46 @@
+From 2e2e5143d4868163d6756c8c6a4d28cbfa5245e5 Mon Sep 17 00:00:00 2001
+From: Pawan Gupta
+Date: Wed, 25 Sep 2024 15:25:38 -0700
+Subject: x86/entry_32: Do not clobber user EFLAGS.ZF
+
+From: Pawan Gupta
+
+commit 2e2e5143d4868163d6756c8c6a4d28cbfa5245e5 upstream.
+
+Opportunistic SYSEXIT executes VERW to clear CPU buffers after user EFLAGS
+are restored. This can clobber user EFLAGS.ZF.
+
+Move CLEAR_CPU_BUFFERS before the user EFLAGS are restored. This ensures
+that the user EFLAGS.ZF is not clobbered.
+
+Closes: https://lore.kernel.org/lkml/yVXwe8gvgmPADpRB6lXlicS2fcHoV5OHHxyuFbB_MEleRPD7-KhGe5VtORejtPe-KCkT8Uhcg5d7-IBw4Ojb4H7z5LQxoZylSmJ8KNL3A8o=@protonmail.com/
+Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition")
+Reported-by: Jari Ruusu
+Signed-off-by: Pawan Gupta
+Signed-off-by: Dave Hansen
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20240925-fix-dosemu-vm86-v7-1-1de0daca2d42%40linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/entry/entry_32.S | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/entry/entry_32.S
++++ b/arch/x86/entry/entry_32.S
+@@ -871,6 +871,8 @@ SYM_FUNC_START(entry_SYSENTER_32)
+
+ /* Now ready to switch the cr3 */
+ SWITCH_TO_USER_CR3 scratch_reg=%eax
++ /* Clobbers ZF */
++ CLEAR_CPU_BUFFERS
+
+ /*
+ * Restore all flags except IF. (We restore IF separately because
+@@ -881,7 +883,6 @@ SYM_FUNC_START(entry_SYSENTER_32)
+ BUG_IF_WRONG_CR3 no_user_check=1
+ popfl
+ popl %eax
+- CLEAR_CPU_BUFFERS
+
+ /*
+ * Return back to the vDSO, which will pop ecx and edx.
diff --git a/queue-6.11/x86-resctrl-annotate-get_mem_config-functions-as-__init.patch b/queue-6.11/x86-resctrl-annotate-get_mem_config-functions-as-__init.patch
new file mode 100644
index 00000000000..bdbc00cb1c1
--- /dev/null
+++ b/queue-6.11/x86-resctrl-annotate-get_mem_config-functions-as-__init.patch
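Review bot: The added comment `/* Clobbers ZF */` in `entry_SYSENTER_32` names the side effect but not the constraint it imposes, which is that the macro has to stay ahead of `popfl`. I would expand it to `/* VERW clobbers ZF: keep this before popfl restores the user EFLAGS */`. The move also puts the clear in front of `popfl` and `popl %eax`, whereas the NMI-return patch in this same queue argues for clearing after the register restore. Presumably only user values are reloaded after this point, but that is not visible in the hunk and deserves a sentence in the comment.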
@@ -0,0 +1,60 @@
+From d5fd042bf4cfb557981d65628e1779a492cd8cfa Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Tue, 17 Sep 2024 09:02:53 -0700
+Subject: x86/resctrl: Annotate get_mem_config() functions as __init
+
+From: Nathan Chancellor
+
+commit d5fd042bf4cfb557981d65628e1779a492cd8cfa upstream.
+
+After a recent LLVM change [1] that deduces __cold on functions that only call
+cold code (such as __init functions), there is a section mismatch warning from
+__get_mem_config_intel(), which got moved to .text.unlikely. as a result of
+that optimization:
+
+ WARNING: modpost: vmlinux: section mismatch in reference: \
+ __get_mem_config_intel+0x77 (section: .text.unlikely.) -> thread_throttle_mode_init (section: .init.text)
+
+Mark __get_mem_config_intel() as __init as well since it is only called
+from __init code, which clears up the warning.
+
+While __rdt_get_mem_config_amd() does not exhibit a warning because it
+does not call any __init code, it is a similar function that is only
+called from __init code like __get_mem_config_intel(), so mark it __init
+as well to keep the code symmetrical.
+
+CONFIG_SECTION_MISMATCH_WARN_ONLY=n would turn this into a fatal error.
+
+Fixes: 05b93417ce5b ("x86/intel_rdt/mba: Add primary support for Memory Bandwidth Allocation (MBA)")
+Fixes: 4d05bf71f157 ("x86/resctrl: Introduce AMD QOS feature")
+Signed-off-by: Nathan Chancellor
+Signed-off-by: Borislav Petkov (AMD)
+Reviewed-by: Reinette Chatre
+Cc:
+Link: https://github.com/llvm/llvm-project/commit/6b11573b8c5e3d36beee099dbe7347c2a007bf53 [1]
+Link: https://lore.kernel.org/r/20240917-x86-restctrl-get_mem_config_intel-init-v3-1-10d521256284@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/cpu/resctrl/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/cpu/resctrl/core.c
++++ b/arch/x86/kernel/cpu/resctrl/core.c
+@@ -207,7 +207,7 @@ static inline bool rdt_get_mb_table(stru
+ return false;
+ }
+
+-static bool __get_mem_config_intel(struct rdt_resource *r)
++static __init bool __get_mem_config_intel(struct rdt_resource *r)
+ {
+ struct rdt_hw_resource *hw_res = resctrl_to_arch_res(r);
+ union cpuid_0x10_3_eax eax;
+@@ -241,7 +241,7 @@ static bool __get_mem_config_intel(struc
+ return true;
+ }
+
+-static bool __rdt_get_mem_config_amd(struct rdt_resource *r)
++static __init bool __rdt_get_mem_config_amd(struct rdt_resource *r)
+ {
+ struct rdt_hw_resource *hw_res = resctrl_to_arch_res(r);
+ u32 eax, ebx, ecx, edx, subleaf;
diff --git a/queue-6.11/xhci-fix-incorrect-stream-context-type-macro.patch b/queue-6.11/xhci-fix-incorrect-stream-context-type-macro.patch
new file mode 100644
index 00000000000..3ccebe682e8
--- /dev/null
+++ b/queue-6.11/xhci-fix-incorrect-stream-context-type-macro.patch
@@ -0,0 +1,44 @@
+From 6599b6a6fa8060145046d0744456b6abdb3122a7 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Wed, 16 Oct 2024 16:59:57 +0300
+Subject: xhci: Fix incorrect stream context type macro
+
+From: Mathias Nyman
+
+commit 6599b6a6fa8060145046d0744456b6abdb3122a7 upstream.
+
+The stream contex type (SCT) bitfield is used both in the stream context
+data structure, and in the 'Set TR Dequeue pointer' command TRB.
+In both cases it uses bits 3:1
+
+The SCT_FOR_TRB(p) macro used to set the stream context type (SCT) field
+for the 'Set TR Dequeue pointer' command TRB incorrectly shifts the value
+1 bit left before masking the three bits.
+
+Fix this by first masking and rshifting, just like the similar
+SCT_FOR_CTX(p) macro does
+
+This issue has not been visibile as the lost bit 3 is only used with
+secondary stream arrays (SSA). Xhci driver currently only supports using
+a primary stream array with Linear stream addressing.
+
+Fixes: 95241dbdf828 ("xhci: Set SCT field for Set TR dequeue on streams")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20241016140000.783905-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1001,7 +1001,7 @@ enum xhci_setup_dev {
+ /* Set TR Dequeue Pointer command TRB fields, 6.4.3.9 */
+ #define TRB_TO_STREAM_ID(p) ((((p) & (0xffff << 16)) >> 16))
+ #define STREAM_ID_FOR_TRB(p) ((((p)) & 0xffff) << 16)
+-#define SCT_FOR_TRB(p) (((p) << 1) & 0x7)
++#define SCT_FOR_TRB(p) (((p) & 0x7) << 1)
+
+ /* Link TRB specific fields */
+ #define TRB_TC (1<<1)
diff --git a/queue-6.11/xhci-mitigate-failed-set-dequeue-pointer-commands.patch b/queue-6.11/xhci-mitigate-failed-set-dequeue-pointer-commands.patch
new file mode 100644
index 00000000000..1db8043ae6d
--- /dev/null
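Review bot: `SCT_FOR_TRB(p)` still uses bare `0x7` and `1` for the field width and position, and the corrected line has no comment tying them to the bit range. The commit message gives that range (bits 3:1, shared with the stream context), so a trailing `/* SCT: bits 3:1 */` would make the mask-then-shift order checkable at a glance. The message says "rshifting" while the new macro shifts left; the code matches the stated bit range, so only the wording is off.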
+++ b/queue-6.11/xhci-mitigate-failed-set-dequeue-pointer-commands.patch
@@ -0,0 +1,39 @@
+From fe49df60cdb7c2975aa743dc295f8786e4b7db10 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Wed, 16 Oct 2024 16:59:58 +0300
+Subject: xhci: Mitigate failed set dequeue pointer commands
+
+From: Mathias Nyman
+
+commit fe49df60cdb7c2975aa743dc295f8786e4b7db10 upstream.
+
+Avoid xHC host from processing a cancelled URB by always turning
+cancelled URB TDs into no-op TRBs before queuing a 'Set TR Deq' command.
+
+If the command fails then xHC will start processing the cancelled TD
+instead of skipping it once endpoint is restarted, causing issues like
+Babble error.
+
+This is not a complete solution as a failed 'Set TR Deq' command does not
+guarantee xHC TRB caches are cleared.
+
+Fixes: 4db356924a50 ("xhci: turn cancelled td cleanup to its own function")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20241016140000.783905-3-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-ring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1023,7 +1023,7 @@ static int xhci_invalidate_cancelled_tds
+ td_to_noop(xhci, ring, cached_td, false);
+ cached_td->cancel_status = TD_CLEARED;
+ }
+-
++ td_to_noop(xhci, ring, td, false);
+ td->cancel_status = TD_CLEARING_CACHE;
+ cached_td = td;
+ break;
diff --git a/queue-6.11/xhci-tegra-fix-checked-usb2-port-number.patch b/queue-6.11/xhci-tegra-fix-checked-usb2-port-number.patch
new file mode 100644
index 00000000000..8b75f75f216
--- /dev/null
+++ b/queue-6.11/xhci-tegra-fix-checked-usb2-port-number.patch
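Review bot: The added `td_to_noop(xhci, ring, td, false);` in `xhci_invalidate_cancelled_tds` has no comment, and it takes the place of the blank line that separated the cached-TD handling from this TD's own state change. Read without the commit message it looks redundant next to `TD_CLEARING_CACHE`; the message explains that the no-op conversion is what protects against a failing 'Set TR Deq' command. I would add `/* no-op the TD first: if Set TR Deq fails the xHC would otherwise process it */`. The message also says this is not a complete fix, because a failed command does not guarantee the xHC TRB caches are cleared; the rest of the function is outside the hunk, so how that failure is handled cannot be seen here.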
@@ -0,0 +1,52 @@
+From 7d381137cb6ecf558ef6698c7730ddd482d4c8f2 Mon Sep 17 00:00:00 2001
+From: Henry Lin
+Date: Mon, 14 Oct 2024 12:21:34 +0800
+Subject: xhci: tegra: fix checked USB2 port number
+
+From: Henry Lin
+
+commit 7d381137cb6ecf558ef6698c7730ddd482d4c8f2 upstream.
+
+If USB virtualizatoin is enabled, USB2 ports are shared between all
+Virtual Functions. The USB2 port number owned by an USB2 root hub in
+a Virtual Function may be less than total USB2 phy number supported
+by the Tegra XUSB controller.
+
+Using total USB2 phy number as port number to check all PORTSC values
+would cause invalid memory access.
+
+[ 116.923438] Unable to handle kernel paging request at virtual address 006c622f7665642f
+...
+[ 117.213640] Call trace:
+[ 117.216783] tegra_xusb_enter_elpg+0x23c/0x658
+[ 117.222021] tegra_xusb_runtime_suspend+0x40/0x68
+[ 117.227260] pm_generic_runtime_suspend+0x30/0x50
+[ 117.232847] __rpm_callback+0x84/0x3c0
+[ 117.237038] rpm_suspend+0x2dc/0x740
+[ 117.241229] pm_runtime_work+0xa0/0xb8
+[ 117.245769] process_scheduled_works+0x24c/0x478
+[ 117.251007] worker_thread+0x23c/0x328
+[ 117.255547] kthread+0x104/0x1b0
+[ 117.259389] ret_from_fork+0x10/0x20
+[ 117.263582] Code: 54000222 f9461ae8 f8747908 b4ffff48 (f9400100)
+
+Cc: stable@vger.kernel.org # v6.3+
+Fixes: a30951d31b25 ("xhci: tegra: USB2 pad power controls")
+Signed-off-by: Henry Lin
+Link: https://lore.kernel.org/r/20241014042134.27664-1-henryl@nvidia.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-tegra.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-tegra.c
++++ b/drivers/usb/host/xhci-tegra.c
+@@ -2183,7 +2183,7 @@ static int tegra_xusb_enter_elpg(struct
+ goto out;
+ }
+
+- for (i = 0; i < tegra->num_usb_phys; i++) {
++ for (i = 0; i < xhci->usb2_rhub.num_ports; i++) {
+ if (!xhci->usb2_rhub.ports[i])
+ continue;
+ portsc = readl(xhci->usb2_rhub.ports[i]->addr);
-- 2.47.3
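Review bot: The loop in `tegra_xusb_enter_elpg` is now bounded by `xhci->usb2_rhub.num_ports`, but nothing at the loop says why `tegra->num_usb_phys` is the wrong bound, and the two counts are easy to confuse. The commit message gives the reason: with USB virtualization a Virtual Function's USB2 root hub may own fewer ports than the controller has PHYs, so the old bound read past `ports[]`. A one-line comment such as `/* ports[] has usb2_rhub.num_ports entries, which can be fewer than num_usb_phys */` would record it. Any other loop in this file that indexes `usb2_rhub.ports[]` by PHY count would have the same out-of-bounds read; none is visible in this hunk, and the function continues beyond it.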