From 90ef78c458a64a4c56394d1f2862d74a18a320ee Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 28 Mar 2023 14:08:17 +0200 Subject: [PATCH] 6.2-stable patches added patches: arm64-dts-imx8mm-nitrogen-r2-fix-wm8960-clock-name.patch arm64-efi-set-nx-compat-flag-in-pe-coff-header.patch bluetooth-fix-race-condition-in-hci_cmd_sync_clear.patch btrfs-zoned-fix-btrfs_can_activate_zone-to-support-dup-profile.patch dm-thin-fix-deadlock-when-swapping-to-thin-device.patch efi-libstub-zboot-mark-zboot-efi-application-as-nx-compatible.patch efi-sysfb_efi-fix-dmi-quirks-not-working-for-simpledrm.patch fscrypt-destroy-keyring-after-security_sb_delete.patch fsverity-remove-wq_unbound-from-fsverity-read-workqueue.patch igb-revert-rtnl_lock-that-causes-deadlock.patch io_uring-net-avoid-sending-econnaborted-on-repeated-connection-requests.patch io_uring-rsrc-fix-null-ptr-deref-in-io_file_bitmap_get.patch kfence-avoid-passing-g-for-test.patch lockd-set-file_lock-start-and-end-when-decoding-nlm4-testargs.patch mm-kfence-fix-using-kfence_metadata-without-initialization-in-show_object.patch mm-slab-fix-undefined-init_cache_node_node-for-numa-and-smp.patch usb-cdns3-fix-issue-with-using-incorrect-pci-device-function.patch usb-cdnsp-changes-pci-device-id-to-fix-conflict-with-cnds3-driver.patch usb-cdnsp-fixes-issue-with-redundant-status-stage.patch usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch usb-dwc3-gadget-add-1ms-delay-after-end-transfer-command-without-ioc.patch usb-typec-tcpm-fix-create-duplicate-source-capabilities-file.patch usb-typec-tcpm-fix-warning-when-handle-discover_identity-message.patch usb-ucsi-fix-null-pointer-deref-in-ucsi_connector_change.patch usb-ucsi_acpi-increase-the-command-completion-timeout.patch --- ...mm-nitrogen-r2-fix-wm8960-clock-name.patch | 32 +++++ ...set-nx-compat-flag-in-pe-coff-header.patch | 44 +++++++ ...race-condition-in-hci_cmd_sync_clear.patch | 99 ++++++++++++++ 
...activate_zone-to-support-dup-profile.patch | 51 ++++++++ ...eadlock-when-swapping-to-thin-device.patch | 70 ++++++++++ ...oot-efi-application-as-nx-compatible.patch | 33 +++++ ...dmi-quirks-not-working-for-simpledrm.patch | 112 ++++++++++++++++ ...roy-keyring-after-security_sb_delete.patch | 58 +++++++++ ...unbound-from-fsverity-read-workqueue.patch | 62 +++++++++ ...evert-rtnl_lock-that-causes-deadlock.patch | 87 +++++++++++++ ...rted-on-repeated-connection-requests.patch | 76 +++++++++++ ...null-ptr-deref-in-io_file_bitmap_get.patch | 69 ++++++++++ .../kfence-avoid-passing-g-for-test.patch | 53 ++++++++ ...-and-end-when-decoding-nlm4-testargs.patch | 95 ++++++++++++++ ...ithout-initialization-in-show_object.patch | 60 +++++++++ ...nit_cache_node_node-for-numa-and-smp.patch | 49 +++++++ queue-6.2/series | 26 ++++ ...-using-incorrect-pci-device-function.patch | 39 ++++++ ...id-to-fix-conflict-with-cnds3-driver.patch | 72 +++++++++++ ...es-issue-with-redundant-status-stage.patch | 67 ++++++++++ ...t-role-is-the-same-with-current-role.patch | 38 ++++++ ...possible-concurrent-when-switch-role.patch | 107 +++++++++++++++ ...ter-end-transfer-command-without-ioc.patch | 80 ++++++++++++ ...e-duplicate-source-capabilities-file.patch | 63 +++++++++ ...hen-handle-discover_identity-message.patch | 122 ++++++++++++++++++ ...inter-deref-in-ucsi_connector_change.patch | 67 ++++++++++ ...rease-the-command-completion-timeout.patch | 51 ++++++++ 27 files changed, 1782 insertions(+) create mode 100644 queue-6.2/arm64-dts-imx8mm-nitrogen-r2-fix-wm8960-clock-name.patch create mode 100644 queue-6.2/arm64-efi-set-nx-compat-flag-in-pe-coff-header.patch create mode 100644 queue-6.2/bluetooth-fix-race-condition-in-hci_cmd_sync_clear.patch create mode 100644 queue-6.2/btrfs-zoned-fix-btrfs_can_activate_zone-to-support-dup-profile.patch create mode 100644 queue-6.2/dm-thin-fix-deadlock-when-swapping-to-thin-device.patch create mode 100644 
queue-6.2/efi-libstub-zboot-mark-zboot-efi-application-as-nx-compatible.patch create mode 100644 queue-6.2/efi-sysfb_efi-fix-dmi-quirks-not-working-for-simpledrm.patch create mode 100644 queue-6.2/fscrypt-destroy-keyring-after-security_sb_delete.patch create mode 100644 queue-6.2/fsverity-remove-wq_unbound-from-fsverity-read-workqueue.patch create mode 100644 queue-6.2/igb-revert-rtnl_lock-that-causes-deadlock.patch create mode 100644 queue-6.2/io_uring-net-avoid-sending-econnaborted-on-repeated-connection-requests.patch create mode 100644 queue-6.2/io_uring-rsrc-fix-null-ptr-deref-in-io_file_bitmap_get.patch create mode 100644 queue-6.2/kfence-avoid-passing-g-for-test.patch create mode 100644 queue-6.2/lockd-set-file_lock-start-and-end-when-decoding-nlm4-testargs.patch create mode 100644 queue-6.2/mm-kfence-fix-using-kfence_metadata-without-initialization-in-show_object.patch create mode 100644 queue-6.2/mm-slab-fix-undefined-init_cache_node_node-for-numa-and-smp.patch create mode 100644 queue-6.2/usb-cdns3-fix-issue-with-using-incorrect-pci-device-function.patch create mode 100644 queue-6.2/usb-cdnsp-changes-pci-device-id-to-fix-conflict-with-cnds3-driver.patch create mode 100644 queue-6.2/usb-cdnsp-fixes-issue-with-redundant-status-stage.patch create mode 100644 queue-6.2/usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch create mode 100644 queue-6.2/usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch create mode 100644 queue-6.2/usb-dwc3-gadget-add-1ms-delay-after-end-transfer-command-without-ioc.patch create mode 100644 queue-6.2/usb-typec-tcpm-fix-create-duplicate-source-capabilities-file.patch create mode 100644 queue-6.2/usb-typec-tcpm-fix-warning-when-handle-discover_identity-message.patch create mode 100644 queue-6.2/usb-ucsi-fix-null-pointer-deref-in-ucsi_connector_change.patch create mode 100644 queue-6.2/usb-ucsi_acpi-increase-the-command-completion-timeout.patch 
diff --git a/queue-6.2/arm64-dts-imx8mm-nitrogen-r2-fix-wm8960-clock-name.patch b/queue-6.2/arm64-dts-imx8mm-nitrogen-r2-fix-wm8960-clock-name.patch new file mode 100644 index 00000000000..90294d8864b --- /dev/null +++ b/queue-6.2/arm64-dts-imx8mm-nitrogen-r2-fix-wm8960-clock-name.patch @@ -0,0 +1,32 @@ +From 32f86da7c86b27ebed31c24453a0713f612e43fb Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 17 Feb 2023 16:06:26 +0100 +Subject: arm64: dts: imx8mm-nitrogen-r2: fix WM8960 clock name + +From: Krzysztof Kozlowski + +commit 32f86da7c86b27ebed31c24453a0713f612e43fb upstream. + +The WM8960 Linux driver expects the clock to be named "mclk". Otherwise +the clock will be ignored and not prepared/enabled by the driver. + +Fixes: 40ba2eda0a7b ("arm64: dts: imx8mm-nitrogen-r2: add audio") +Cc: +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mm-nitrogen-r2.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/freescale/imx8mm-nitrogen-r2.dts ++++ b/arch/arm64/boot/dts/freescale/imx8mm-nitrogen-r2.dts +@@ -247,7 +247,7 @@ + compatible = "wlf,wm8960"; + reg = <0x1a>; + clocks = <&clk IMX8MM_CLK_SAI1_ROOT>; +- clock-names = "mclk1"; ++ clock-names = "mclk"; + wlf,shared-lrclk; + #sound-dai-cells = <0>; + }; diff --git a/queue-6.2/arm64-efi-set-nx-compat-flag-in-pe-coff-header.patch b/queue-6.2/arm64-efi-set-nx-compat-flag-in-pe-coff-header.patch new file mode 100644 index 00000000000..3bcac950de5 --- /dev/null +++ b/queue-6.2/arm64-efi-set-nx-compat-flag-in-pe-coff-header.patch 
@@ -0,0 +1,44 @@ +From 3c66bb1918c262dd52fb4221a8d372619c5da70a Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Fri, 10 Mar 2023 13:30:05 +0100 +Subject: arm64: efi: Set NX compat flag in PE/COFF header + +From: Ard Biesheuvel + +commit 3c66bb1918c262dd52fb4221a8d372619c5da70a upstream. + +The PE/COFF header has a NX compat flag which informs the firmware that +the application does not rely on memory regions being mapped with both +executable and writable permissions at the same time. + +This is typically used by the firmware to decide whether it can set the +NX attribute on all allocations it returns, but going forward, it may be +used to enforce a policy that only permits applications with the NX flag +set to be loaded to begin wiht in some configurations, e.g., when Secure +Boot is in effect. + +Even though the arm64 version of the EFI stub may relocate the kernel +before executing it, it always did so after disabling the MMU, and so we +were always in line with what the NX compat flag conveys, we just never +bothered to set it. + +So let's set the flag now. + +Cc: +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/efi-header.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/kernel/efi-header.S ++++ b/arch/arm64/kernel/efi-header.S +@@ -66,7 +66,7 @@ + .long .Lefi_header_end - .L_head // SizeOfHeaders + .long 0 // CheckSum + .short IMAGE_SUBSYSTEM_EFI_APPLICATION // Subsystem +- .short 0 // DllCharacteristics ++ .short IMAGE_DLL_CHARACTERISTICS_NX_COMPAT // DllCharacteristics + .quad 0 // SizeOfStackReserve + .quad 0 // SizeOfStackCommit + .quad 0 // SizeOfHeapReserve diff --git a/queue-6.2/bluetooth-fix-race-condition-in-hci_cmd_sync_clear.patch b/queue-6.2/bluetooth-fix-race-condition-in-hci_cmd_sync_clear.patch new file mode 100644 index 00000000000..b7c69729b60 --- /dev/null +++ b/queue-6.2/bluetooth-fix-race-condition-in-hci_cmd_sync_clear.patch 
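Review bot: The `DllCharacteristics` field in efi-header.S now carries `IMAGE_DLL_CHARACTERISTICS_NX_COMPAT`, but the reason the image may claim it lives only in the commit message. The flag is a promise to the firmware that the stub never needs memory that is writable and executable at once, and the message says this holds because the kernel is relocated with the MMU disabled. I would keep that invariant next to the field, e.g. `// NX_COMPAT: stub never relies on W+X mappings (relocation runs with the MMU off)`, so a later change to the relocation path gets checked against it. The same applies to the zboot-header.S change queued further down, whose justification is the read-only/executable remap through the EFI memory attributes protocol.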
@@ -0,0 +1,99 @@ +From 1c66bee492a5fe00ae3fe890bb693bfc99f994c6 Mon Sep 17 00:00:00 2001 +From: Min Li +Date: Sat, 4 Mar 2023 21:50:35 +0800 +Subject: Bluetooth: Fix race condition in hci_cmd_sync_clear + +From: Min Li + +commit 1c66bee492a5fe00ae3fe890bb693bfc99f994c6 upstream. + +There is a potential race condition in hci_cmd_sync_work and +hci_cmd_sync_clear, and could lead to use-after-free. For instance, +hci_cmd_sync_work is added to the 'req_workqueue' after cancel_work_sync +The entry of 'cmd_sync_work_list' may be freed in hci_cmd_sync_clear, and +causing kernel panic when it is used in 'hci_cmd_sync_work'. + +Here's the call trace: + +dump_stack_lvl+0x49/0x63 +print_report.cold+0x5e/0x5d3 +? hci_cmd_sync_work+0x282/0x320 +kasan_report+0xaa/0x120 +? hci_cmd_sync_work+0x282/0x320 +__asan_report_load8_noabort+0x14/0x20 +hci_cmd_sync_work+0x282/0x320 +process_one_work+0x77b/0x11c0 +? _raw_spin_lock_irq+0x8e/0xf0 +worker_thread+0x544/0x1180 +? poll_idle+0x1e0/0x1e0 +kthread+0x285/0x320 +? process_one_work+0x11c0/0x11c0 +? 
kthread_complete_and_exit+0x30/0x30 +ret_from_fork+0x22/0x30 + + +Allocated by task 266: +kasan_save_stack+0x26/0x50 +__kasan_kmalloc+0xae/0xe0 +kmem_cache_alloc_trace+0x191/0x350 +hci_cmd_sync_queue+0x97/0x2b0 +hci_update_passive_scan+0x176/0x1d0 +le_conn_complete_evt+0x1b5/0x1a00 +hci_le_conn_complete_evt+0x234/0x340 +hci_le_meta_evt+0x231/0x4e0 +hci_event_packet+0x4c5/0xf00 +hci_rx_work+0x37d/0x880 +process_one_work+0x77b/0x11c0 +worker_thread+0x544/0x1180 +kthread+0x285/0x320 +ret_from_fork+0x22/0x30 + +Freed by task 269: +kasan_save_stack+0x26/0x50 +kasan_set_track+0x25/0x40 +kasan_set_free_info+0x24/0x40 +____kasan_slab_free+0x176/0x1c0 +__kasan_slab_free+0x12/0x20 +slab_free_freelist_hook+0x95/0x1a0 +kfree+0xba/0x2f0 +hci_cmd_sync_clear+0x14c/0x210 +hci_unregister_dev+0xff/0x440 +vhci_release+0x7b/0xf0 +__fput+0x1f3/0x970 +____fput+0xe/0x20 +task_work_run+0xd4/0x160 +do_exit+0x8b0/0x22a0 +do_group_exit+0xba/0x2a0 +get_signal+0x1e4a/0x25b0 +arch_do_signal_or_restart+0x93/0x1f80 +exit_to_user_mode_prepare+0xf5/0x1a0 +syscall_exit_to_user_mode+0x26/0x50 +ret_from_fork+0x15/0x30 + +Fixes: 6a98e3836fa2 ("Bluetooth: Add helper for serialized HCI command execution") +Cc: stable@vger.kernel.org +Signed-off-by: Min Li +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_sync.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -643,6 +643,7 @@ void hci_cmd_sync_clear(struct hci_dev * + cancel_work_sync(&hdev->cmd_sync_work); + cancel_work_sync(&hdev->reenable_adv_work); + ++ mutex_lock(&hdev->cmd_sync_work_lock); + list_for_each_entry_safe(entry, tmp, &hdev->cmd_sync_work_list, list) { + if (entry->destroy) + entry->destroy(hdev, entry->data, -ECANCELED); +@@ -650,6 +651,7 @@ void hci_cmd_sync_clear(struct hci_dev * + list_del(&entry->list); + kfree(entry); + } ++ mutex_unlock(&hdev->cmd_sync_work_lock); + } + + void __hci_cmd_sync_cancel(struct hci_dev *hdev, 
int err) diff --git a/queue-6.2/btrfs-zoned-fix-btrfs_can_activate_zone-to-support-dup-profile.patch b/queue-6.2/btrfs-zoned-fix-btrfs_can_activate_zone-to-support-dup-profile.patch new file mode 100644 index 00000000000..17d0844a18d --- /dev/null +++ b/queue-6.2/btrfs-zoned-fix-btrfs_can_activate_zone-to-support-dup-profile.patch @@ -0,0 +1,51 @@ +From 9e1cdf0c354e46e428c0e0cab008abbe81b6013d Mon Sep 17 00:00:00 2001 +From: Naohiro Aota +Date: Mon, 13 Mar 2023 16:29:49 +0900 +Subject: btrfs: zoned: fix btrfs_can_activate_zone() to support DUP profile + +From: Naohiro Aota + +commit 9e1cdf0c354e46e428c0e0cab008abbe81b6013d upstream. + +btrfs_can_activate_zone() returns true if at least one device has one zone +available for activation. This is OK for the single profile, but not OK for +DUP profile. We need two zones to create a DUP block group. Fix it by +properly handling the case with the profile flags. + +Fixes: 265f7237dd25 ("btrfs: zoned: allow DUP on meta-data block groups") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Johannes Thumshirn +Signed-off-by: Naohiro Aota +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/zoned.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/zoned.c ++++ b/fs/btrfs/zoned.c +@@ -2100,11 +2100,21 @@ bool btrfs_can_activate_zone(struct btrf + if (!device->bdev) + continue; + +- if (!zinfo->max_active_zones || +- atomic_read(&zinfo->active_zones_left)) { ++ if (!zinfo->max_active_zones) { + ret = true; + break; + } ++ ++ switch (flags & BTRFS_BLOCK_GROUP_PROFILE_MASK) { ++ case 0: /* single */ ++ ret = (atomic_read(&zinfo->active_zones_left) >= 1); ++ break; ++ case BTRFS_BLOCK_GROUP_DUP: ++ ret = (atomic_read(&zinfo->active_zones_left) >= 2); ++ break; ++ } ++ if (ret) ++ break; + } + mutex_unlock(&fs_info->chunk_mutex); + 
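Review bot: In the queued hci_sync.c change, `entry->destroy(hdev, entry->data, -ECANCELED)` now runs with `hdev->cmd_sync_work_lock` held, and nothing in the patch records that constraint. If any destroy callback can queue further sync work or otherwise take the same mutex (not visible here, so worth confirming against the users of hci_cmd_sync_queue), teardown would deadlock on itself. I would add a comment above the loop such as `/* destroy() runs with cmd_sync_work_lock held; it must not queue or cancel sync work */`. The lock serialises the list walk against hci_cmd_sync_work, but the commit message describes work being queued after cancel_work_sync(), so it is also worth checking that nothing can add to cmd_sync_work_list once this function has returned. hci_cmd_sync_clear() starts outside the inner hunks.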
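Review bot: The new `switch (flags & BTRFS_BLOCK_GROUP_PROFILE_MASK)` in btrfs_can_activate_zone() has no `default` arm, so any profile other than single or DUP leaves `ret` at whatever it held before and the loop moves on silently. If only single and DUP are reachable on zoned filesystems that is harmless, but the assumption should be written down, for example `default: /* only single and DUP are expected here */ break;`, or an explicit `ret = false;` in that arm. The function body begins and ends outside the inner hunk, so the initial value of `ret` is not visible here.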
diff --git a/queue-6.2/dm-thin-fix-deadlock-when-swapping-to-thin-device.patch b/queue-6.2/dm-thin-fix-deadlock-when-swapping-to-thin-device.patch new file mode 100644 index 00000000000..023c90538ac --- /dev/null +++ b/queue-6.2/dm-thin-fix-deadlock-when-swapping-to-thin-device.patch 
@@ -0,0 +1,70 @@ +From 9bbf5feecc7eab2c370496c1c161bbfe62084028 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Mon, 27 Feb 2023 23:23:17 +0800 +Subject: dm thin: fix deadlock when swapping to thin device + +From: Coly Li + +commit 9bbf5feecc7eab2c370496c1c161bbfe62084028 upstream. + +This is an already known issue that dm-thin volume cannot be used as +swap, otherwise a deadlock may happen when dm-thin internal memory +demand triggers swap I/O on the dm-thin volume itself. + +But thanks to commit a666e5c05e7c ("dm: fix deadlock when swapping to +encrypted device"), the limit_swap_bios target flag can also be used +for dm-thin to avoid the recursive I/O when it is used as swap. + +Fix is to simply set ti->limit_swap_bios to true in both pool_ctr() +and thin_ctr(). + +In my test, I create a dm-thin volume /dev/vg/swap and use it as swap +device. Then I run fio on another dm-thin volume /dev/vg/main and use +large --blocksize to trigger swap I/O onto /dev/vg/swap. + +The following fio command line is used in my test, + fio --name recursive-swap-io --lockmem 1 --iodepth 128 \ + --ioengine libaio --filename /dev/vg/main --rw randrw \ + --blocksize 1M --numjobs 32 --time_based --runtime=12h + +Without this fix, the whole system can be locked up within 15 seconds. + +With this fix, there is no any deadlock or hung task observed after +2 hours of running fio. + +Furthermore, if blocksize is changed from 1M to 128M, after around 30 +seconds fio has no visible I/O, and the out-of-memory killer message +shows up in kernel message. After around 20 minutes all fio processes +are killed and the whole system is back to being alive. + +This is exactly what is expected when recursive I/O happens on dm-thin +volume when it is used as swap. 
+ +Depends-on: a666e5c05e7c ("dm: fix deadlock when swapping to encrypted device") +Cc: stable@vger.kernel.org +Signed-off-by: Coly Li +Acked-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-thin.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -3357,6 +3357,7 @@ static int pool_ctr(struct dm_target *ti + pt->low_water_blocks = low_water_blocks; + pt->adjusted_pf = pt->requested_pf = pf; + ti->num_flush_bios = 1; ++ ti->limit_swap_bios = true; + + /* + * Only need to enable discards if the pool should pass +@@ -4235,6 +4236,7 @@ static int thin_ctr(struct dm_target *ti + goto bad; + + ti->num_flush_bios = 1; ++ ti->limit_swap_bios = true; + ti->flush_supported = true; + ti->accounts_remapped_io = true; + ti->per_io_data_size = sizeof(struct dm_thin_endio_hook); diff --git a/queue-6.2/efi-libstub-zboot-mark-zboot-efi-application-as-nx-compatible.patch b/queue-6.2/efi-libstub-zboot-mark-zboot-efi-application-as-nx-compatible.patch new file mode 100644 index 00000000000..2977246881e --- /dev/null +++ b/queue-6.2/efi-libstub-zboot-mark-zboot-efi-application-as-nx-compatible.patch 
@@ -0,0 +1,33 @@ +From c7d9e628b8ff4d52a365a441bdacb3209ee83c81 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Fri, 10 Mar 2023 12:15:24 +0100 +Subject: efi/libstub: zboot: Mark zboot EFI application as NX compatible + +From: Ard Biesheuvel + +commit c7d9e628b8ff4d52a365a441bdacb3209ee83c81 upstream. + +Now that the zboot loader will invoke the EFI memory attributes protocol +to remap the decompressed code and rodata as read-only/executable, we +can set the PE/COFF header flag that indicates to the firmware that the +application does not rely on writable memory being executable at the +same time. + +Cc: # v6.2+ +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/libstub/zboot-header.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firmware/efi/libstub/zboot-header.S ++++ b/drivers/firmware/efi/libstub/zboot-header.S +@@ -63,7 +63,7 @@ __efistub_efi_zboot_header: + .long .Lefi_header_end - .Ldoshdr + .long 0 + .short IMAGE_SUBSYSTEM_EFI_APPLICATION +- .short 0 ++ .short IMAGE_DLL_CHARACTERISTICS_NX_COMPAT + #ifdef CONFIG_64BIT + .quad 0, 0, 0, 0 + #else diff --git a/queue-6.2/efi-sysfb_efi-fix-dmi-quirks-not-working-for-simpledrm.patch b/queue-6.2/efi-sysfb_efi-fix-dmi-quirks-not-working-for-simpledrm.patch new file mode 100644 index 00000000000..6ed4fb85542 --- /dev/null +++ b/queue-6.2/efi-sysfb_efi-fix-dmi-quirks-not-working-for-simpledrm.patch 
@@ -0,0 +1,112 @@ +From 3615c78673c332b69aaacefbcde5937c5c706686 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 14 Mar 2023 13:31:02 +0100 +Subject: efi: sysfb_efi: Fix DMI quirks not working for simpledrm + +From: Hans de Goede + +commit 3615c78673c332b69aaacefbcde5937c5c706686 upstream. + +Commit 8633ef82f101 ("drivers/firmware: consolidate EFI framebuffer setup +for all arches") moved the sysfb_apply_efi_quirks() call in sysfb_init() +from before the [sysfb_]parse_mode() call to after it. +But sysfb_apply_efi_quirks() modifies the global screen_info struct which +[sysfb_]parse_mode() parses, so doing it later is too late. + +This has broken all DMI based quirks for correcting wrong firmware efifb +settings when simpledrm is used. + +To fix this move the sysfb_apply_efi_quirks() call back to its old place +and split the new setup of the efifb_fwnode (which requires +the platform_device) into its own function and call that at +the place of the moved sysfb_apply_efi_quirks(pd) calls. 
+ +Fixes: 8633ef82f101 ("drivers/firmware: consolidate EFI framebuffer setup for all arches") +Cc: stable@vger.kernel.org +Cc: Javier Martinez Canillas +Cc: Thomas Zimmermann +Signed-off-by: Hans de Goede +Reviewed-by: Javier Martinez Canillas +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/sysfb_efi.c | 5 ++++- + drivers/firmware/sysfb.c | 4 +++- + drivers/firmware/sysfb_simplefb.c | 2 +- + include/linux/sysfb.h | 9 +++++++-- + 4 files changed, 15 insertions(+), 5 deletions(-) + +--- a/drivers/firmware/efi/sysfb_efi.c ++++ b/drivers/firmware/efi/sysfb_efi.c +@@ -341,7 +341,7 @@ static const struct fwnode_operations ef + #ifdef CONFIG_EFI + static struct fwnode_handle efifb_fwnode; + +-__init void sysfb_apply_efi_quirks(struct platform_device *pd) ++__init void sysfb_apply_efi_quirks(void) + { + if (screen_info.orig_video_isVGA != VIDEO_TYPE_EFI || + !(screen_info.capabilities & VIDEO_CAPABILITY_SKIP_QUIRKS)) +@@ -355,7 +355,10 @@ __init void sysfb_apply_efi_quirks(struc + screen_info.lfb_height = temp; + screen_info.lfb_linelength = 4 * screen_info.lfb_width; + } ++} + ++__init void sysfb_set_efifb_fwnode(struct platform_device *pd) ++{ + if (screen_info.orig_video_isVGA == VIDEO_TYPE_EFI && IS_ENABLED(CONFIG_PCI)) { + fwnode_init(&efifb_fwnode, &efifb_fwnode_ops); + pd->dev.fwnode = &efifb_fwnode; +--- a/drivers/firmware/sysfb.c ++++ b/drivers/firmware/sysfb.c +@@ -81,6 +81,8 @@ static __init int sysfb_init(void) + if (disabled) + goto unlock_mutex; + ++ sysfb_apply_efi_quirks(); ++ + /* try to create a simple-framebuffer device */ + compatible = sysfb_parse_mode(si, &mode); + if (compatible) { +@@ -107,7 +109,7 @@ static __init int sysfb_init(void) + goto unlock_mutex; + } + +- sysfb_apply_efi_quirks(pd); ++ sysfb_set_efifb_fwnode(pd); + + ret = platform_device_add_data(pd, si, sizeof(*si)); + if (ret) +--- a/drivers/firmware/sysfb_simplefb.c ++++ b/drivers/firmware/sysfb_simplefb.c +@@ -110,7 +110,7 @@ __init struct 
platform_device *sysfb_cre + if (!pd) + return ERR_PTR(-ENOMEM); + +- sysfb_apply_efi_quirks(pd); ++ sysfb_set_efifb_fwnode(pd); + + ret = platform_device_add_resources(pd, &res, 1); + if (ret) +--- a/include/linux/sysfb.h ++++ b/include/linux/sysfb.h +@@ -70,11 +70,16 @@ static inline void sysfb_disable(void) + #ifdef CONFIG_EFI + + extern struct efifb_dmi_info efifb_dmi_list[]; +-void sysfb_apply_efi_quirks(struct platform_device *pd); ++void sysfb_apply_efi_quirks(void); ++void sysfb_set_efifb_fwnode(struct platform_device *pd); + + #else /* CONFIG_EFI */ + +-static inline void sysfb_apply_efi_quirks(struct platform_device *pd) ++static inline void sysfb_apply_efi_quirks(void) ++{ ++} ++ ++static inline void sysfb_set_efifb_fwnode(struct platform_device *pd) + { + } + diff --git a/queue-6.2/fscrypt-destroy-keyring-after-security_sb_delete.patch b/queue-6.2/fscrypt-destroy-keyring-after-security_sb_delete.patch new file mode 100644 index 00000000000..fdd6b614831 --- /dev/null +++ b/queue-6.2/fscrypt-destroy-keyring-after-security_sb_delete.patch 
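Review bot: The call order this patch restores in sysfb_init(), `sysfb_apply_efi_quirks()` ahead of `sysfb_parse_mode(si, &mode)`, is not documented at the call site, and that ordering is exactly the regression being fixed. Per the commit message the quirks rewrite the global screen_info that the mode parser reads, so I would add `/* must run before sysfb_parse_mode(): the quirks modify screen_info */` above the new call. The two prototypes in include/linux/sysfb.h would also benefit from a one-line comment each, saying that one adjusts screen_info and the other attaches efifb_fwnode to the platform device. sysfb_init() extends beyond the inner hunks.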
@@ -0,0 +1,58 @@ +From ccb820dc7d2236b1af0d54ae038a27b5b6d5ae5a Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 13 Mar 2023 15:12:29 -0700 +Subject: fscrypt: destroy keyring after security_sb_delete() + +From: Eric Biggers + +commit ccb820dc7d2236b1af0d54ae038a27b5b6d5ae5a upstream. + +fscrypt_destroy_keyring() must be called after all potentially-encrypted +inodes were evicted; otherwise it cannot safely destroy the keyring. +Since inodes that are in-use by the Landlock LSM don't get evicted until +security_sb_delete(), this means that fscrypt_destroy_keyring() must be +called *after* security_sb_delete(). + +This fixes a WARN_ON followed by a NULL dereference, only possible if +Landlock was being used on encrypted files. + +Fixes: d7e7b9af104c ("fscrypt: stop using keyrings subsystem for fscrypt_master_key") +Cc: stable@vger.kernel.org +Reported-by: syzbot+93e495f6a4f748827c88@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/00000000000044651705f6ca1e30@google.com +Reviewed-by: Christian Brauner +Link: https://lore.kernel.org/r/20230313221231.272498-2-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + fs/super.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/fs/super.c ++++ b/fs/super.c +@@ -476,13 +476,22 @@ void generic_shutdown_super(struct super + + cgroup_writeback_umount(); + +- /* evict all inodes with zero refcount */ ++ /* Evict all inodes with zero refcount. */ + evict_inodes(sb); +- /* only nonzero refcount inodes can have marks */ ++ ++ /* ++ * Clean up and evict any inodes that still have references due ++ * to fsnotify or the security policy. ++ */ + fsnotify_sb_delete(sb); +- fscrypt_destroy_keyring(sb); + security_sb_delete(sb); + ++ /* ++ * Now that all potentially-encrypted inodes have been evicted, ++ * the fscrypt keyring can be destroyed. 
++ */ ++ fscrypt_destroy_keyring(sb); ++ + if (sb->s_dio_done_wq) { + destroy_workqueue(sb->s_dio_done_wq); + sb->s_dio_done_wq = NULL; diff --git a/queue-6.2/fsverity-remove-wq_unbound-from-fsverity-read-workqueue.patch b/queue-6.2/fsverity-remove-wq_unbound-from-fsverity-read-workqueue.patch new file mode 100644 index 00000000000..da841c61615 --- /dev/null +++ b/queue-6.2/fsverity-remove-wq_unbound-from-fsverity-read-workqueue.patch 
@@ -0,0 +1,62 @@ +From f959325e6ac3f499450088b8d9c626d1177be160 Mon Sep 17 00:00:00 2001 +From: Nathan Huckleberry +Date: Fri, 10 Mar 2023 11:33:25 -0800 +Subject: fsverity: Remove WQ_UNBOUND from fsverity read workqueue + +From: Nathan Huckleberry + +commit f959325e6ac3f499450088b8d9c626d1177be160 upstream. + +WQ_UNBOUND causes significant scheduler latency on ARM64/Android. This +is problematic for latency sensitive workloads, like I/O +post-processing. + +Removing WQ_UNBOUND gives a 96% reduction in fsverity workqueue related +scheduler latency and improves app cold startup times by ~30ms. +WQ_UNBOUND was also removed from the dm-verity workqueue for the same +reason [1]. + +This code was tested by running Android app startup benchmarks and +measuring how long the fsverity workqueue spent in the runnable state. + +Before +Total workqueue scheduler latency: 553800us +After +Total workqueue scheduler latency: 18962us + +[1]: https://lore.kernel.org/all/20230202012348.885402-1-nhuck@google.com/ + +Signed-off-by: Nathan Huckleberry +Fixes: 8a1d0f9cacc9 ("fs-verity: add data verification hooks for ->readpages()") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230310193325.620493-1-nhuck@google.com +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + fs/verity/verify.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/fs/verity/verify.c ++++ b/fs/verity/verify.c +@@ -269,15 +269,15 @@ EXPORT_SYMBOL_GPL(fsverity_enqueue_verif + int __init fsverity_init_workqueue(void) + { + /* +- * Use an unbound workqueue to allow bios to be verified in parallel +- * even when they happen to complete on the same CPU. This sacrifices +- * locality, but it's worthwhile since hashing is CPU-intensive. ++ * Use a high-priority workqueue to prioritize verification work, which ++ * blocks reads from completing, over regular application tasks. 
+ * +- * Also use a high-priority workqueue to prioritize verification work, +- * which blocks reads from completing, over regular application tasks. ++ * For performance reasons, don't use an unbound workqueue. Using an ++ * unbound workqueue for crypto operations causes excessive scheduler ++ * latency on ARM64. + */ + fsverity_read_workqueue = alloc_workqueue("fsverity_read_queue", +- WQ_UNBOUND | WQ_HIGHPRI, ++ WQ_HIGHPRI, + num_online_cpus()); + if (!fsverity_read_workqueue) + return -ENOMEM; diff --git a/queue-6.2/igb-revert-rtnl_lock-that-causes-deadlock.patch b/queue-6.2/igb-revert-rtnl_lock-that-causes-deadlock.patch new file mode 100644 index 00000000000..29972201fab --- /dev/null +++ b/queue-6.2/igb-revert-rtnl_lock-that-causes-deadlock.patch 
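Review bot: With `WQ_UNBOUND` dropped, the third argument to `alloc_workqueue()` is still `num_online_cpus()`, a value that was chosen together with the unbound flag. The rewritten comment explains why the queue is no longer unbound but no longer says what the `max_active` value is meant to bound; for a per-CPU workqueue that limit applies per CPU as far as I know, so the effective ceiling changes. I would either state the intent in the comment, e.g. `* max_active stays at num_online_cpus(); on a bound queue this is a per-CPU limit.`, or confirm that the value is still the one wanted.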
@@ -0,0 +1,87 @@ +From 65f69851e44d71248b952a687e44759a7abb5016 Mon Sep 17 00:00:00 2001 +From: Lin Ma +Date: Tue, 7 Mar 2023 23:29:17 +0800 +Subject: igb: revert rtnl_lock() that causes deadlock + +From: Lin Ma + +commit 65f69851e44d71248b952a687e44759a7abb5016 upstream. + +The commit 6faee3d4ee8b ("igb: Add lock to avoid data race") adds +rtnl_lock to eliminate a false data race shown below + + (FREE from device detaching) | (USE from netdev core) +igb_remove | igb_ndo_get_vf_config + igb_disable_sriov | vf >= adapter->vfs_allocated_count? + kfree(adapter->vf_data) | + adapter->vfs_allocated_count = 0 | + | memcpy(... adapter->vf_data[vf] + +The above race will never happen and the extra rtnl_lock causes deadlock +below + +[ 141.420169] +[ 141.420672] __schedule+0x2dd/0x840 +[ 141.421427] schedule+0x50/0xc0 +[ 141.422041] schedule_preempt_disabled+0x11/0x20 +[ 141.422678] __mutex_lock.isra.13+0x431/0x6b0 +[ 141.423324] unregister_netdev+0xe/0x20 +[ 141.423578] igbvf_remove+0x45/0xe0 [igbvf] +[ 141.423791] pci_device_remove+0x36/0xb0 +[ 141.423990] device_release_driver_internal+0xc1/0x160 +[ 141.424270] pci_stop_bus_device+0x6d/0x90 +[ 141.424507] pci_stop_and_remove_bus_device+0xe/0x20 +[ 141.424789] pci_iov_remove_virtfn+0xba/0x120 +[ 141.425452] sriov_disable+0x2f/0xf0 +[ 141.425679] igb_disable_sriov+0x4e/0x100 [igb] +[ 141.426353] igb_remove+0xa0/0x130 [igb] +[ 141.426599] pci_device_remove+0x36/0xb0 +[ 141.426796] device_release_driver_internal+0xc1/0x160 +[ 141.427060] driver_detach+0x44/0x90 +[ 141.427253] bus_remove_driver+0x55/0xe0 +[ 141.427477] pci_unregister_driver+0x2a/0xa0 +[ 141.428296] __x64_sys_delete_module+0x141/0x2b0 +[ 141.429126] ? mntput_no_expire+0x4a/0x240 +[ 141.429363] ? syscall_trace_enter.isra.19+0x126/0x1a0 +[ 141.429653] do_syscall_64+0x5b/0x80 +[ 141.429847] ? exit_to_user_mode_prepare+0x14d/0x1c0 +[ 141.430109] ? syscall_exit_to_user_mode+0x12/0x30 +[ 141.430849] ? do_syscall_64+0x67/0x80 +[ 141.431083] ? 
syscall_exit_to_user_mode_prepare+0x183/0x1b0 +[ 141.431770] ? syscall_exit_to_user_mode+0x12/0x30 +[ 141.432482] ? do_syscall_64+0x67/0x80 +[ 141.432714] ? exc_page_fault+0x64/0x140 +[ 141.432911] entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Since the igb_disable_sriov() will call pci_disable_sriov() before +releasing any resources, the netdev core will synchronize the cleanup to +avoid any races. This patch removes the useless rtnl_(un)lock to guarantee +correctness. + +CC: stable@vger.kernel.org +Fixes: 6faee3d4ee8b ("igb: Add lock to avoid data race") +Reported-by: Corinna Vinschen +Link: https://lore.kernel.org/intel-wired-lan/ZAcJvkEPqWeJHO2r@calimero.vinschen.de/ +Signed-off-by: Lin Ma +Tested-by: Corinna Vinschen +Reviewed-by: Jacob Keller +Reviewed-by: Simon Horman +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/igb/igb_main.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -3841,9 +3841,7 @@ static void igb_remove(struct pci_dev *p + igb_release_hw_control(adapter); + + #ifdef CONFIG_PCI_IOV +- rtnl_lock(); + igb_disable_sriov(pdev); +- rtnl_unlock(); + #endif + + unregister_netdev(netdev); diff --git a/queue-6.2/io_uring-net-avoid-sending-econnaborted-on-repeated-connection-requests.patch b/queue-6.2/io_uring-net-avoid-sending-econnaborted-on-repeated-connection-requests.patch new file mode 100644 index 00000000000..ad77dfc3214 --- /dev/null +++ b/queue-6.2/io_uring-net-avoid-sending-econnaborted-on-repeated-connection-requests.patch 
@@ -0,0 +1,76 @@
+From 74e2e17ee1f8d8a0928b90434ad7e2df70f8483e Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Mon, 20 Mar 2023 11:13:49 -0600
+Subject: io_uring/net: avoid sending -ECONNABORTED on repeated connection requests
+
+From: Jens Axboe
+
+commit 74e2e17ee1f8d8a0928b90434ad7e2df70f8483e upstream.
+
+Since io_uring does nonblocking connect requests, if we do two repeated
+ones without having a listener, the second will get -ECONNABORTED rather
+than the expected -ECONNREFUSED. Treat -ECONNABORTED like a normal retry
+condition if we're nonblocking, if we haven't already seen it.
+
+Cc: stable@vger.kernel.org
+Fixes: 3fb1bd688172 ("io_uring/net: handle -EINPROGRESS correct for IORING_OP_CONNECT")
+Link: https://github.com/axboe/liburing/issues/828
+Reported-by: Hui, Chunyang
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/net.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -47,6 +47,7 @@ struct io_connect {
+ struct sockaddr __user *addr;
+ int addr_len;
+ bool in_progress;
++ bool seen_econnaborted;
+ };
+
+ struct io_sr_msg {
+@@ -1431,7 +1432,7 @@ int io_connect_prep(struct io_kiocb *req
+
+ conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
+ conn->addr_len = READ_ONCE(sqe->addr2);
+- conn->in_progress = false;
++ conn->in_progress = conn->seen_econnaborted = false;
+ return 0;
+ }
+
+@@ -1468,18 +1469,24 @@ int io_connect(struct io_kiocb *req, uns
+
+ ret = __sys_connect_file(req->file, &io->address,
+ connect->addr_len, file_flags);
+- if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
++ if ((ret == -EAGAIN || ret == -EINPROGRESS || ret == -ECONNABORTED)
++ && force_nonblock) {
+ if (ret == -EINPROGRESS) {
+ connect->in_progress = true;
+- } else {
+- if (req_has_async_data(req))
+- return -EAGAIN;
+- if (io_alloc_async_data(req)) {
+- ret = -ENOMEM;
++ return -EAGAIN;
++ }
++ if (ret == -ECONNABORTED) {
++ if (connect->seen_econnaborted)
+ goto out;
+- }
+- memcpy(req->async_data, &__io, sizeof(__io));
++ connect->seen_econnaborted = true;
++ }
++ if (req_has_async_data(req))
++ return -EAGAIN;
++ if (io_alloc_async_data(req)) {
++ ret = -ENOMEM;
++ goto out;
+ }
++ memcpy(req->async_data, &__io, sizeof(__io));
+ return -EAGAIN;
+ }
+ if (ret == -ERESTARTSYS)
diff --git a/queue-6.2/io_uring-rsrc-fix-null-ptr-deref-in-io_file_bitmap_get.patch b/queue-6.2/io_uring-rsrc-fix-null-ptr-deref-in-io_file_bitmap_get.patch
new file mode 100644
index 00000000000..935f1ed7323
--- /dev/null
+++ b/queue-6.2/io_uring-rsrc-fix-null-ptr-deref-in-io_file_bitmap_get.patch
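Review bot: In io_connect_prep() the new line `conn->in_progress = conn->seen_econnaborted = false;` chains two assignments, which kernel coding style discourages (checkpatch reports it in strict mode); two separate statements read more clearly. The new `seen_econnaborted` member of struct io_connect also has no comment, and something like `/* -ECONNABORTED was already retried once for this request */` would record that the retry in io_connect() is bounded to a single attempt, since a second -ECONNABORTED takes the `goto out` path. io_connect()'s body continues outside the hunk.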
@@ -0,0 +1,69 @@
+From 02a4d923e4400a36d340ea12d8058f69ebf3a383 Mon Sep 17 00:00:00 2001
+From: Savino Dicanosa
+Date: Tue, 21 Mar 2023 19:44:02 +0000
+Subject: io_uring/rsrc: fix null-ptr-deref in io_file_bitmap_get()
+
+From: Savino Dicanosa
+
+commit 02a4d923e4400a36d340ea12d8058f69ebf3a383 upstream.
+
+When fixed files are unregistered, file_alloc_end and alloc_hint
+are not cleared. This can later cause a NULL pointer dereference in
+io_file_bitmap_get() if auto index selection is enabled via
+IORING_FILE_INDEX_ALLOC:
+
+[ 6.519129] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[...]
+[ 6.541468] RIP: 0010:_find_next_zero_bit+0x1a/0x70
+[...]
+[ 6.560906] Call Trace:
+[ 6.561322]
+[ 6.561672] io_file_bitmap_get+0x38/0x60
+[ 6.562281] io_fixed_fd_install+0x63/0xb0
+[ 6.562851] ? __pfx_io_socket+0x10/0x10
+[ 6.563396] io_socket+0x93/0xf0
+[ 6.563855] ? __pfx_io_socket+0x10/0x10
+[ 6.564411] io_issue_sqe+0x5b/0x3d0
+[ 6.564914] io_submit_sqes+0x1de/0x650
+[ 6.565452] __do_sys_io_uring_enter+0x4fc/0xb20
+[ 6.566083] ? __do_sys_io_uring_register+0x11e/0xd80
+[ 6.566779] do_syscall_64+0x3c/0x90
+[ 6.567247] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[...]
+
+To fix the issue, set file alloc range and alloc_hint to zero after
+file tables are freed.
+
+Cc: stable@vger.kernel.org
+Fixes: 4278a0deb1f6 ("io_uring: defer alloc_hint update to io_file_bitmap_set()")
+Signed-off-by: Savino Dicanosa
+[axboe: add explicit bitmap == NULL check as well]
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/filetable.c | 3 +++
+ io_uring/rsrc.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+--- a/io_uring/filetable.c
++++ b/io_uring/filetable.c
+@@ -19,6 +19,9 @@ static int io_file_bitmap_get(struct io_
+ unsigned long nr = ctx->file_alloc_end;
+ int ret;
+
++ if (!table->bitmap)
++ return -ENFILE;
++
+ do {
+ ret = find_next_zero_bit(table->bitmap, nr, table->alloc_hint);
+ if (ret != nr)
+--- a/io_uring/rsrc.c
++++ b/io_uring/rsrc.c
+@@ -794,6 +794,7 @@ void __io_sqe_files_unregister(struct io
+ }
+ #endif
+ io_free_file_tables(&ctx->file_table);
++ io_file_table_set_alloc_range(ctx, 0, 0);
+ io_rsrc_data_free(ctx->file_data);
+ ctx->file_data = NULL;
+ ctx->nr_user_files = 0;
diff --git a/queue-6.2/kfence-avoid-passing-g-for-test.patch b/queue-6.2/kfence-avoid-passing-g-for-test.patch
new file mode 100644
index 00000000000..1eb34ce56f9
--- /dev/null
+++ b/queue-6.2/kfence-avoid-passing-g-for-test.patch
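Review bot: The added `if (!table->bitmap) return -ENFILE;` guard in io_file_bitmap_get() carries no comment saying when the bitmap can legitimately be NULL. Per the commit message that is the state after fixed files have been unregistered, so a one-line comment such as `/* file table was unregistered; nothing to allocate from */` would keep a later cleanup from dropping the check as redundant with the `io_file_table_set_alloc_range(ctx, 0, 0)` reset added in rsrc.c. Because the crash is reached from a submission that uses IORING_FILE_INDEX_ALLOC, a regression test that unregisters the table and then requests auto-allocation would be worth carrying with the fix. Both functions continue outside their hunks.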
@@ -0,0 +1,53 @@
+From 2e08ca1802441224f5b7cc6bffbb687f7406de95 Mon Sep 17 00:00:00 2001
+From: Marco Elver
+Date: Thu, 16 Mar 2023 23:47:04 +0100
+Subject: kfence: avoid passing -g for test
+
+From: Marco Elver
+
+commit 2e08ca1802441224f5b7cc6bffbb687f7406de95 upstream.
+
+Nathan reported that when building with GNU as and a version of clang that
+defaults to DWARF5:
+
+ $ make -skj"$(nproc)" ARCH=riscv CROSS_COMPILE=riscv64-linux-gnu- \
+ LLVM=1 LLVM_IAS=0 O=build \
+ mrproper allmodconfig mm/kfence/kfence_test.o
+ /tmp/kfence_test-08a0a0.s: Assembler messages:
+ /tmp/kfence_test-08a0a0.s:14627: Error: non-constant .uleb128 is not supported
+ /tmp/kfence_test-08a0a0.s:14628: Error: non-constant .uleb128 is not supported
+ /tmp/kfence_test-08a0a0.s:14632: Error: non-constant .uleb128 is not supported
+ /tmp/kfence_test-08a0a0.s:14633: Error: non-constant .uleb128 is not supported
+ /tmp/kfence_test-08a0a0.s:14639: Error: non-constant .uleb128 is not supported
+ ...
+
+This is because `-g` defaults to the compiler debug info default. If the
+assembler does not support some of the directives used, the above errors
+occur. To fix, remove the explicit passing of `-g`.
+
+All the test wants is that stack traces print valid function names, and
+debug info is not required for that. (I currently cannot recall why I
+added the explicit `-g`.)
+
+Link: https://lkml.kernel.org/r/20230316224705.709984-1-elver@google.com
+Fixes: bc8fbc5f305a ("kfence: add test suite")
+Signed-off-by: Marco Elver
+Reported-by: Nathan Chancellor
+Cc: Alexander Potapenko
+Cc: Dmitry Vyukov
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/kfence/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/kfence/Makefile
++++ b/mm/kfence/Makefile
+@@ -2,5 +2,5 @@
+
+ obj-y := core.o report.o
+
+-CFLAGS_kfence_test.o := -g -fno-omit-frame-pointer -fno-optimize-sibling-calls
++CFLAGS_kfence_test.o := -fno-omit-frame-pointer -fno-optimize-sibling-calls
+ obj-$(CONFIG_KFENCE_KUNIT_TEST) += kfence_test.o
diff --git a/queue-6.2/lockd-set-file_lock-start-and-end-when-decoding-nlm4-testargs.patch b/queue-6.2/lockd-set-file_lock-start-and-end-when-decoding-nlm4-testargs.patch
new file mode 100644
index 00000000000..0c0f638b939
--- /dev/null
+++ b/queue-6.2/lockd-set-file_lock-start-and-end-when-decoding-nlm4-testargs.patch
@@ -0,0 +1,95 @@
+From 7ff84910c66c9144cc0de9d9deed9fb84c03aff0 Mon Sep 17 00:00:00 2001
+From: Jeff Layton
+Date: Tue, 14 Mar 2023 06:20:58 -0400
+Subject: lockd: set file_lock start and end when decoding nlm4 testargs
+
+From: Jeff Layton
+
+commit 7ff84910c66c9144cc0de9d9deed9fb84c03aff0 upstream.
+
+Commit 6930bcbfb6ce dropped the setting of the file_lock range when
+decoding a nlm_lock off the wire. This causes the client side grant
+callback to miss matching blocks and reject the lock, only to rerequest
+it 30s later.
+
+Add a helper function to set the file_lock range from the start and end
+values that the protocol uses, and have the nlm_lock decoder call that to
+set up the file_lock args properly.
+
+Fixes: 6930bcbfb6ce ("lockd: detect and reject lock arguments that overflow")
+Reported-by: Amir Goldstein
+Signed-off-by: Jeff Layton
+Tested-by: Amir Goldstein
+Cc: stable@vger.kernel.org #6.0
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/lockd/clnt4xdr.c | 9 +--------
+ fs/lockd/xdr4.c | 13 ++++++++++++-
+ include/linux/lockd/xdr4.h | 1 +
+ 3 files changed, 14 insertions(+), 9 deletions(-)
+
+--- a/fs/lockd/clnt4xdr.c
++++ b/fs/lockd/clnt4xdr.c
+@@ -261,7 +261,6 @@ static int decode_nlm4_holder(struct xdr
+ u32 exclusive;
+ int error;
+ __be32 *p;
+- s32 end;
+
+ memset(lock, 0, sizeof(*lock));
+ locks_init_lock(fl);
+@@ -285,13 +284,7 @@ static int decode_nlm4_holder(struct xdr
+ fl->fl_type = exclusive != 0 ? F_WRLCK : F_RDLCK;
+ p = xdr_decode_hyper(p, &l_offset);
+ xdr_decode_hyper(p, &l_len);
+- end = l_offset + l_len - 1;
+-
+- fl->fl_start = (loff_t)l_offset;
+- if (l_len == 0 || end < 0)
+- fl->fl_end = OFFSET_MAX;
+- else
+- fl->fl_end = (loff_t)end;
++ nlm4svc_set_file_lock_range(fl, l_offset, l_len);
+ error = 0;
+ out:
+ return error;
+--- a/fs/lockd/xdr4.c
++++ b/fs/lockd/xdr4.c
+@@ -33,6 +33,17 @@ loff_t_to_s64(loff_t offset)
+ return res;
+ }
+
++void nlm4svc_set_file_lock_range(struct file_lock *fl, u64 off, u64 len)
++{
++ s64 end = off + len - 1;
++
++ fl->fl_start = off;
++ if (len == 0 || end < 0)
++ fl->fl_end = OFFSET_MAX;
++ else
++ fl->fl_end = end;
++}
++
+ /*
+ * NLM file handles are defined by specification to be a variable-length
+ * XDR opaque no longer than 1024 bytes. However, this implementation
+@@ -80,7 +91,7 @@ svcxdr_decode_lock(struct xdr_stream *xd
+ locks_init_lock(fl);
+ fl->fl_flags = FL_POSIX;
+ fl->fl_type = F_RDLCK;
+-
++ nlm4svc_set_file_lock_range(fl, lock->lock_start, lock->lock_len);
+ return true;
+ }
+
+--- a/include/linux/lockd/xdr4.h
++++ b/include/linux/lockd/xdr4.h
+@@ -22,6 +22,7 @@
+ #define nlm4_fbig cpu_to_be32(NLM_FBIG)
+ #define nlm4_failed cpu_to_be32(NLM_FAILED)
+
++void nlm4svc_set_file_lock_range(struct file_lock *fl, u64 off, u64 len);
+ bool nlm4svc_decode_void(struct svc_rqst *rqstp, struct xdr_stream *xdr);
+ bool nlm4svc_decode_testargs(struct svc_rqst *rqstp, struct xdr_stream *xdr);
+ bool nlm4svc_decode_lockargs(struct svc_rqst *rqstp, struct xdr_stream *xdr);
diff --git a/queue-6.2/mm-kfence-fix-using-kfence_metadata-without-initialization-in-show_object.patch b/queue-6.2/mm-kfence-fix-using-kfence_metadata-without-initialization-in-show_object.patch
new file mode 100644
index 00000000000..e1615ca9ac5
--- /dev/null
+++ b/queue-6.2/mm-kfence-fix-using-kfence_metadata-without-initialization-in-show_object.patch
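Review bot: nlm4svc_set_file_lock_range() stores `off` straight into `fl->fl_start` and range-checks only the computed `end`, so an offset above OFFSET_MAX taken from the wire would be converted to a negative start. The helper is now shared by svcxdr_decode_lock() on the server side and decode_nlm4_holder() on the client side, and whether either caller validates the offset first is not visible in these hunks. A kernel-doc comment on the helper stating that precondition, or a clamp inside it, would make the contract explicit. The `nlm4svc_` prefix is also a little misleading for a function that client XDR code calls.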
@@ -0,0 +1,60 @@
+From 1c86a188e03156223a34d09ce290b49bd4dd0403 Mon Sep 17 00:00:00 2001
+From: Muchun Song
+Date: Wed, 15 Mar 2023 11:44:41 +0800
+Subject: mm: kfence: fix using kfence_metadata without initialization in show_object()
+
+From: Muchun Song
+
+commit 1c86a188e03156223a34d09ce290b49bd4dd0403 upstream.
+
+The variable kfence_metadata is initialized in kfence_init_pool(), then,
+it is not initialized if kfence is disabled after booting. In this case,
+kfence_metadata will be used (e.g. ->lock and ->state fields) without
+initialization when reading /sys/kernel/debug/kfence/objects. There will
+be a warning if you enable CONFIG_DEBUG_SPINLOCK. Fix it by creating
+debugfs files when necessary.
+
+Link: https://lkml.kernel.org/r/20230315034441.44321-1-songmuchun@bytedance.com
+Fixes: 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure")
+Signed-off-by: Muchun Song
+Tested-by: Marco Elver
+Reviewed-by: Marco Elver
+Cc: Alexander Potapenko
+Cc: Dmitry Vyukov
+Cc: Jann Horn
+Cc: SeongJae Park
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/kfence/core.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/mm/kfence/core.c
++++ b/mm/kfence/core.c
+@@ -726,10 +726,14 @@ static const struct seq_operations objec
+ };
+ DEFINE_SEQ_ATTRIBUTE(objects);
+
+-static int __init kfence_debugfs_init(void)
++static int kfence_debugfs_init(void)
+ {
+- struct dentry *kfence_dir = debugfs_create_dir("kfence", NULL);
++ struct dentry *kfence_dir;
+
++ if (!READ_ONCE(kfence_enabled))
++ return 0;
++
++ kfence_dir = debugfs_create_dir("kfence", NULL);
+ debugfs_create_file("stats", 0444, kfence_dir, NULL, &stats_fops);
+ debugfs_create_file("objects", 0400, kfence_dir, NULL, &objects_fops);
+ return 0;
+@@ -883,6 +887,8 @@ static int kfence_init_late(void)
+ }
+
+ kfence_init_enable();
++ kfence_debugfs_init();
++
+ return 0;
+ }
+
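Review bot: The new early return `if (!READ_ONCE(kfence_enabled)) return 0;` in kfence_debugfs_init() has no comment, and the reason for it lives only in the commit message. A line such as `/* kfence_metadata is only initialized once KFENCE is enabled; do not expose it before that */` would tie the gate to the uninitialized-metadata read it prevents. The function is now also called from kfence_init_late(); if any other call site remains (none is visible in these hunks), it would be worth noting in the same comment that only one of the two paths is expected to create the directory.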
diff --git a/queue-6.2/mm-slab-fix-undefined-init_cache_node_node-for-numa-and-smp.patch b/queue-6.2/mm-slab-fix-undefined-init_cache_node_node-for-numa-and-smp.patch
new file mode 100644
index 00000000000..35eb81af44e
--- /dev/null
+++ b/queue-6.2/mm-slab-fix-undefined-init_cache_node_node-for-numa-and-smp.patch
@@ -0,0 +1,49 @@
+From 66a1c22b709178e7b823d44465d0c2e5ed7492fb Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Tue, 21 Mar 2023 09:30:59 +0100
+Subject: mm/slab: Fix undefined init_cache_node_node() for NUMA and !SMP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven
+
+commit 66a1c22b709178e7b823d44465d0c2e5ed7492fb upstream.
+
+sh/migor_defconfig:
+
+ mm/slab.c: In function ‘slab_memory_callback’:
+ mm/slab.c:1127:23: error: implicit declaration of function ‘init_cache_node_node’; did you mean ‘drain_cache_node_node’? [-Werror=implicit-function-declaration]
+ 1127 | ret = init_cache_node_node(nid);
+ | ^~~~~~~~~~~~~~~~~~~~
+ | drain_cache_node_node
+
+The #ifdef condition protecting the definition of init_cache_node_node()
+no longer matches the conditions protecting the (multiple) users.
+
+Fix this by syncing the conditions.
+
+Fixes: 76af6a054da40553 ("mm/migrate: add CPU hotplug to demotion #ifdef")
+Reported-by: Randy Dunlap
+Link: https://lore.kernel.org/r/b5bdea22-ed2f-3187-6efe-0c72330270a4@infradead.org
+Signed-off-by: Geert Uytterhoeven
+Reviewed-by: John Paul Adrian Glaubitz
+Acked-by: Randy Dunlap
+Cc:
+Signed-off-by: Vlastimil Babka
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/slab.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/slab.c
++++ b/mm/slab.c
+@@ -840,7 +840,7 @@ static int init_cache_node(struct kmem_c
+ return 0;
+ }
+
+-#if (defined(CONFIG_NUMA) && defined(CONFIG_MEMORY_HOTPLUG)) || defined(CONFIG_SMP)
++#if defined(CONFIG_NUMA) || defined(CONFIG_SMP)
+ /*
+ * Allocates and initializes node for a node on each slab cache, used for
+ * either memory or cpu hotplug. If memory is being hot-added, the kmem_cache_node
diff --git a/queue-6.2/series b/queue-6.2/series
index 3134ee29c62..0fc9f36cfb3 100644
--- a/queue-6.2/series
+++ b/queue-6.2/series
@@ -176,3 +176,29 @@ usb-dwc2-drd-fix-inconsistent-mode-if-role-switch-default-mode-host.patch
 usb-dwc2-fix-a-devres-leak-in-hw_enable-upon-suspend-resume.patch
 block-io_uring-pass-in-issue_flags-for-uring_cmd-task_work-handling.patch
 usb-gadget-u_audio-don-t-let-userspace-block-driver-unbind.patch
+btrfs-zoned-fix-btrfs_can_activate_zone-to-support-dup-profile.patch
+bluetooth-fix-race-condition-in-hci_cmd_sync_clear.patch
+efi-sysfb_efi-fix-dmi-quirks-not-working-for-simpledrm.patch
+mm-slab-fix-undefined-init_cache_node_node-for-numa-and-smp.patch
+efi-libstub-zboot-mark-zboot-efi-application-as-nx-compatible.patch
+arm64-efi-set-nx-compat-flag-in-pe-coff-header.patch
+fscrypt-destroy-keyring-after-security_sb_delete.patch
+fsverity-remove-wq_unbound-from-fsverity-read-workqueue.patch
+lockd-set-file_lock-start-and-end-when-decoding-nlm4-testargs.patch
+arm64-dts-imx8mm-nitrogen-r2-fix-wm8960-clock-name.patch
+igb-revert-rtnl_lock-that-causes-deadlock.patch
+dm-thin-fix-deadlock-when-swapping-to-thin-device.patch
+usb-typec-tcpm-fix-create-duplicate-source-capabilities-file.patch
+usb-typec-tcpm-fix-warning-when-handle-discover_identity-message.patch
+usb-cdns3-fix-issue-with-using-incorrect-pci-device-function.patch
+usb-cdnsp-fixes-issue-with-redundant-status-stage.patch
+usb-cdnsp-changes-pci-device-id-to-fix-conflict-with-cnds3-driver.patch
+usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch
+usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch
+usb-dwc3-gadget-add-1ms-delay-after-end-transfer-command-without-ioc.patch
+usb-ucsi-fix-null-pointer-deref-in-ucsi_connector_change.patch
+usb-ucsi_acpi-increase-the-command-completion-timeout.patch
+mm-kfence-fix-using-kfence_metadata-without-initialization-in-show_object.patch
+kfence-avoid-passing-g-for-test.patch
+io_uring-net-avoid-sending-econnaborted-on-repeated-connection-requests.patch
+io_uring-rsrc-fix-null-ptr-deref-in-io_file_bitmap_get.patch
diff --git a/queue-6.2/usb-cdns3-fix-issue-with-using-incorrect-pci-device-function.patch b/queue-6.2/usb-cdns3-fix-issue-with-using-incorrect-pci-device-function.patch
new file mode 100644
index 00000000000..8d7ef56f736
--- /dev/null
+++ b/queue-6.2/usb-cdns3-fix-issue-with-using-incorrect-pci-device-function.patch
@@ -0,0 +1,39 @@
+From 1272fd652a226ccb34e9f47371b6121948048438 Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak
+Date: Wed, 8 Mar 2023 07:44:27 -0500
+Subject: usb: cdns3: Fix issue with using incorrect PCI device function
+
+From: Pawel Laszczak
+
+commit 1272fd652a226ccb34e9f47371b6121948048438 upstream.
+
+PCI based platform can have more than two PCI functions.
+USBSS PCI Glue driver during initialization should
+consider only DRD/HOST/DEVICE PCI functions and
+all other should be ignored. This patch adds additional
+condition which causes that only DRD and HOST/DEVICE
+function will be accepted.
+
+cc:
+Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
+Signed-off-by: Pawel Laszczak
+Link: https://lore.kernel.org/r/20230308124427.311245-1-pawell@cadence.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/cdns3/cdns3-pci-wrap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/cdns3/cdns3-pci-wrap.c
++++ b/drivers/usb/cdns3/cdns3-pci-wrap.c
+@@ -60,6 +60,11 @@ static struct pci_dev *cdns3_get_second_
+ return NULL;
+ }
+
++ if (func->devfn != PCI_DEV_FN_HOST_DEVICE &&
++ func->devfn != PCI_DEV_FN_OTG) {
++ return NULL;
++ }
++
+ return func;
+ }
+
diff --git a/queue-6.2/usb-cdnsp-changes-pci-device-id-to-fix-conflict-with-cnds3-driver.patch b/queue-6.2/usb-cdnsp-changes-pci-device-id-to-fix-conflict-with-cnds3-driver.patch
new file mode 100644
index 00000000000..108e170c0a3
--- /dev/null
+++ b/queue-6.2/usb-cdnsp-changes-pci-device-id-to-fix-conflict-with-cnds3-driver.patch
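Review bot: The new early `return NULL;` for an unexpected `func->devfn` discards `func` without releasing it. How `func` is obtained is outside the hunk, but if it comes from pci_get_device(), as in the pre-patch cdnsp_get_second_fun() shown elsewhere on this page, the reference taken there is leaked on this path; `pci_dev_put(func);` before the return would balance it. The braces around the single `return NULL;` statement also go against kernel style. The function starts outside the hunk and its name is truncated in the hunk header.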
@@ -0,0 +1,72 @@
+From 96b96b2a567fb34dd41c87e6cf01f6902ce8cae4 Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak
+Date: Thu, 9 Mar 2023 01:30:48 -0500
+Subject: usb: cdnsp: changes PCI Device ID to fix conflict with CNDS3 driver
+
+From: Pawel Laszczak
+
+commit 96b96b2a567fb34dd41c87e6cf01f6902ce8cae4 upstream.
+
+Patch changes CDNS_DEVICE_ID in USBSSP PCI Glue driver to remove
+the conflict with Cadence USBSS driver.
+
+cc:
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+Signed-off-by: Pawel Laszczak
+Link: https://lore.kernel.org/r/20230309063048.299378-1-pawell@cadence.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/cdns3/cdnsp-pci.c | 27 +++++++++++----------------
+ 1 file changed, 11 insertions(+), 16 deletions(-)
+
+--- a/drivers/usb/cdns3/cdnsp-pci.c
++++ b/drivers/usb/cdns3/cdnsp-pci.c
+@@ -29,30 +29,23 @@
+ #define PLAT_DRIVER_NAME "cdns-usbssp"
+
+ #define CDNS_VENDOR_ID 0x17cd
+-#define CDNS_DEVICE_ID 0x0100
++#define CDNS_DEVICE_ID 0x0200
++#define CDNS_DRD_ID 0x0100
+ #define CDNS_DRD_IF (PCI_CLASS_SERIAL_USB << 8 | 0x80)
+
+ static struct pci_dev *cdnsp_get_second_fun(struct pci_dev *pdev)
+ {
+- struct pci_dev *func;
+-
+ /*
+ * Gets the second function.
+- * It's little tricky, but this platform has two function.
+- * The fist keeps resources for Host/Device while the second
+- * keeps resources for DRD/OTG.
++ * Platform has two function. The fist keeps resources for
++ * Host/Device while the secon keeps resources for DRD/OTG.
+ */
+- func = pci_get_device(pdev->vendor, pdev->device, NULL);
+- if (!func)
+- return NULL;
++ if (pdev->device == CDNS_DEVICE_ID)
++ return pci_get_device(pdev->vendor, CDNS_DRD_ID, NULL);
++ else if (pdev->device == CDNS_DRD_ID)
++ return pci_get_device(pdev->vendor, CDNS_DEVICE_ID, NULL);
+
+- if (func->devfn == pdev->devfn) {
+- func = pci_get_device(pdev->vendor, pdev->device, func);
+- if (!func)
+- return NULL;
+- }
+-
+- return func;
++ return NULL;
+ }
+
+ static int cdnsp_pci_probe(struct pci_dev *pdev,
+@@ -230,6 +223,8 @@ static const struct pci_device_id cdnsp_
+ PCI_CLASS_SERIAL_USB_DEVICE, PCI_ANY_ID },
+ { PCI_VENDOR_ID_CDNS, CDNS_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID,
+ CDNS_DRD_IF, PCI_ANY_ID },
++ { PCI_VENDOR_ID_CDNS, CDNS_DRD_ID, PCI_ANY_ID, PCI_ANY_ID,
++ CDNS_DRD_IF, PCI_ANY_ID },
+ { 0, }
+ };
+
diff --git a/queue-6.2/usb-cdnsp-fixes-issue-with-redundant-status-stage.patch b/queue-6.2/usb-cdnsp-fixes-issue-with-redundant-status-stage.patch
new file mode 100644
index 00000000000..e107425c631
--- /dev/null
+++ b/queue-6.2/usb-cdnsp-fixes-issue-with-redundant-status-stage.patch
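Review bot: cdnsp_get_second_fun() now finds its companion with `pci_get_device(pdev->vendor, CDNS_DRD_ID, NULL)`, which returns the first device in the system with that vendor and device ID rather than the one sharing `pdev`'s bus and slot. On a machine with more than one such controller this could pair functions that belong to different devices; comparing the result's `bus` and `PCI_SLOT(devfn)` with those of `pdev` before accepting it would rule that out. The rewritten comment also carries typos (`fist`, `secon`), and the `else` after a `return` is unnecessary.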
@@ -0,0 +1,67 @@
+From 5bc38d33a5a1209fd4de65101d1ae8255ea12c6e Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak
+Date: Tue, 7 Mar 2023 06:14:20 -0500
+Subject: usb: cdnsp: Fixes issue with redundant Status Stage
+
+From: Pawel Laszczak
+
+commit 5bc38d33a5a1209fd4de65101d1ae8255ea12c6e upstream.
+
+In some cases, driver trees to send Status Stage twice.
+The first one from upper layer of gadget usb subsystem and
+second time from controller driver.
+This patch fixes this issue and remove tricky handling of
+SET_INTERFACE from controller driver which is no longer
+needed.
+
+cc:
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+Signed-off-by: Pawel Laszczak
+Link: https://lore.kernel.org/r/20230307111420.376056-1-pawell@cadence.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/cdns3/cdnsp-ep0.c | 19 +------------------
+ 1 file changed, 1 insertion(+), 18 deletions(-)
+
+--- a/drivers/usb/cdns3/cdnsp-ep0.c
++++ b/drivers/usb/cdns3/cdnsp-ep0.c
+@@ -403,20 +403,6 @@ static int cdnsp_ep0_std_request(struct
+ case USB_REQ_SET_ISOCH_DELAY:
+ ret = cdnsp_ep0_set_isoch_delay(pdev, ctrl);
+ break;
+- case USB_REQ_SET_INTERFACE:
+- /*
+- * Add request into pending list to block sending status stage
+- * by libcomposite.
+- */
+- list_add_tail(&pdev->ep0_preq.list,
+- &pdev->ep0_preq.pep->pending_list);
+-
+- ret = cdnsp_ep0_delegate_req(pdev, ctrl);
+- if (ret == -EBUSY)
+- ret = 0;
+-
+- list_del(&pdev->ep0_preq.list);
+- break;
+ default:
+ ret = cdnsp_ep0_delegate_req(pdev, ctrl);
+ break;
+@@ -474,9 +460,6 @@ void cdnsp_setup_analyze(struct cdnsp_de
+ else
+ ret = cdnsp_ep0_delegate_req(pdev, ctrl);
+
+- if (!len)
+- pdev->ep0_stage = CDNSP_STATUS_STAGE;
+-
+ if (ret == USB_GADGET_DELAYED_STATUS) {
+ trace_cdnsp_ep0_status_stage("delayed");
+ return;
+@@ -484,6 +467,6 @@ void cdnsp_setup_analyze(struct cdnsp_de
+ out:
+ if (ret < 0)
+ cdnsp_ep0_stall(pdev);
+- else if (pdev->ep0_stage == CDNSP_STATUS_STAGE)
++ else if (!len && pdev->ep0_stage != CDNSP_STATUS_STAGE)
+ cdnsp_status_stage(pdev);
+ }
diff --git a/queue-6.2/usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch b/queue-6.2/usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch
new file mode 100644
index 00000000000..698de593969
--- /dev/null
+++ b/queue-6.2/usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch
@@ -0,0 +1,38 @@
+From 3670de80678961eda7fa2220883fc77c16868951 Mon Sep 17 00:00:00 2001
+From: Xu Yang
+Date: Fri, 17 Mar 2023 14:15:15 +0800
+Subject: usb: chipdea: core: fix return -EINVAL if request role is the same with current role
+
+From: Xu Yang
+
+commit 3670de80678961eda7fa2220883fc77c16868951 upstream.
+
+It should not return -EINVAL if the request role is the same with current
+role, return non-error and without do anything instead.
+
+Fixes: a932a8041ff9 ("usb: chipidea: core: add sysfs group")
+cc:
+Acked-by: Peter Chen
+Signed-off-by: Xu Yang
+Link: https://lore.kernel.org/r/20230317061516.2451728-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/chipidea/core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -984,9 +984,12 @@ static ssize_t role_store(struct device
+ strlen(ci->roles[role]->name)))
+ break;
+
+- if (role == CI_ROLE_END || role == ci->role)
++ if (role == CI_ROLE_END)
+ return -EINVAL;
+
++ if (role == ci->role)
++ return n;
++
+ pm_runtime_get_sync(dev);
+ disable_irq(ci->irq);
+ ci_role_stop(ci);
diff --git a/queue-6.2/usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch b/queue-6.2/usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch
new file mode 100644
index 00000000000..78494e47816
--- /dev/null
+++ b/queue-6.2/usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch
@@ -0,0 +1,107 @@
+From 451b15ed138ec15bffbebb58a00ebdd884c3e659 Mon Sep 17 00:00:00 2001
+From: Xu Yang
+Date: Fri, 17 Mar 2023 14:15:16 +0800
+Subject: usb: chipidea: core: fix possible concurrent when switch role
+
+From: Xu Yang
+
+commit 451b15ed138ec15bffbebb58a00ebdd884c3e659 upstream.
+
+The user may call role_store() when driver is handling
+ci_handle_id_switch() which is triggerred by otg event or power lost
+event. Unfortunately, the controller may go into chaos in this case.
+Fix this by protecting it with mutex lock.
+
+Fixes: a932a8041ff9 ("usb: chipidea: core: add sysfs group")
+cc:
+Acked-by: Peter Chen
+Signed-off-by: Xu Yang
+Link: https://lore.kernel.org/r/20230317061516.2451728-2-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/chipidea/ci.h | 2 ++
+ drivers/usb/chipidea/core.c | 8 +++++++-
+ drivers/usb/chipidea/otg.c | 5 ++++-
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/chipidea/ci.h b/drivers/usb/chipidea/ci.h
+index 005c67cb3afb..f210b7489fd5 100644
+--- a/drivers/usb/chipidea/ci.h
++++ b/drivers/usb/chipidea/ci.h
+@@ -208,6 +208,7 @@ struct hw_bank {
+ * @in_lpm: if the core in low power mode
+ * @wakeup_int: if wakeup interrupt occur
+ * @rev: The revision number for controller
++ * @mutex: protect code from concorrent running when doing role switch
+ */
+ struct ci_hdrc {
+ struct device *dev;
+@@ -260,6 +261,7 @@ struct ci_hdrc {
+ bool in_lpm;
+ bool wakeup_int;
+ enum ci_revision rev;
++ struct mutex mutex;
+ };
+
+ static inline struct ci_role_driver *ci_role(struct ci_hdrc *ci)
+diff --git a/drivers/usb/chipidea/core.c b/drivers/usb/chipidea/core.c
+index b6f2a41de20e..281fc51720ce 100644
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -987,8 +987,12 @@ static ssize_t role_store(struct device *dev,
+ if (role == CI_ROLE_END)
+ return -EINVAL;
+
+- if (role == ci->role)
++ mutex_lock(&ci->mutex);
++
++ if (role == ci->role) {
++ mutex_unlock(&ci->mutex);
+ return n;
++ }
+
+ pm_runtime_get_sync(dev);
+ disable_irq(ci->irq);
+@@ -998,6 +1002,7 @@ static ssize_t role_store(struct device *dev,
+ ci_handle_vbus_change(ci);
+ enable_irq(ci->irq);
+ pm_runtime_put_sync(dev);
++ mutex_unlock(&ci->mutex);
+
+ return (ret == 0) ? n : ret;
+ }
+@@ -1033,6 +1038,7 @@ static int ci_hdrc_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ spin_lock_init(&ci->lock);
++ mutex_init(&ci->mutex);
+ ci->dev = dev;
+ ci->platdata = dev_get_platdata(dev);
+ ci->imx28_write_fix = !!(ci->platdata->flags &
+diff --git a/drivers/usb/chipidea/otg.c b/drivers/usb/chipidea/otg.c
+index 622c3b68aa1e..f5490f2a5b6b 100644
+--- a/drivers/usb/chipidea/otg.c
++++ b/drivers/usb/chipidea/otg.c
+@@ -167,8 +167,10 @@ static int hw_wait_vbus_lower_bsv(struct ci_hdrc *ci)
+
+ void ci_handle_id_switch(struct ci_hdrc *ci)
+ {
+- enum ci_role role = ci_otg_role(ci);
++ enum ci_role role;
+
++ mutex_lock(&ci->mutex);
++ role = ci_otg_role(ci);
+ if (role != ci->role) {
+ dev_dbg(ci->dev, "switching from %s to %s\n",
+ ci_role(ci)->name, ci->roles[role]->name);
+@@ -198,6 +200,7 @@ void ci_handle_id_switch(struct ci_hdrc *ci)
+ if (role == CI_ROLE_GADGET)
+ ci_handle_vbus_change(ci);
+ }
++ mutex_unlock(&ci->mutex);
+ }
+ /**
+ * ci_otg_work - perform otg (vbus/id) event handle
+--
+2.40.0
+
diff --git a/queue-6.2/usb-dwc3-gadget-add-1ms-delay-after-end-transfer-command-without-ioc.patch b/queue-6.2/usb-dwc3-gadget-add-1ms-delay-after-end-transfer-command-without-ioc.patch
new file mode 100644
index 00000000000..2778c618d51
--- /dev/null
+++ b/queue-6.2/usb-dwc3-gadget-add-1ms-delay-after-end-transfer-command-without-ioc.patch
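Review bot: The kernel-doc line added for the new member, `@mutex: protect code from concorrent running when doing role switch`, has a typo and does not say which paths it serializes. Wording such as `@mutex: serializes role switching between role_store() and ci_handle_id_switch()` matches what the hunks in core.c and otg.c actually do. Because ci_handle_id_switch() can now sleep on the mutex, its comment should also state that it must be called from process context only; its callers are outside these hunks, so that could not be checked here.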
@@ -0,0 +1,80 @@
+From d8a2bb4eb75866275b5cf7de2e593ac3449643e2 Mon Sep 17 00:00:00 2001
+From: Wesley Cheng
+Date: Mon, 6 Mar 2023 12:05:57 -0800
+Subject: usb: dwc3: gadget: Add 1ms delay after end transfer command without IOC
+
+From: Wesley Cheng
+
+commit d8a2bb4eb75866275b5cf7de2e593ac3449643e2 upstream.
+
+Previously, there was a 100uS delay inserted after issuing an end transfer
+command for specific controller revisions. This was due to the fact that
+there was a GUCTL2 bit field which enabled synchronous completion of the
+end transfer command once the CMDACT bit was cleared in the DEPCMD
+register. Since this bit does not exist for all controller revisions and
+the current implementation heavily relies on utizling the EndTransfer
+command completion interrupt, add the delay back in for uses where the
+interrupt on completion bit is not set, and increase the duration to 1ms
+for the controller to complete the command.
+
+An issue was seen where the USB request buffer was unmapped while the DWC3
+controller was still accessing the TRB. However, it was confirmed that the
+end transfer command was successfully submitted. (no end transfer timeout)
+In situations, such as dwc3_gadget_soft_disconnect() and
+__dwc3_gadget_ep_disable(), the dwc3_remove_request() is utilized, which
+will issue the end transfer command, and follow up with
+dwc3_gadget_giveback(). At least for the USB ep disable path, it is
+required for any pending and started requests to be completed and returned
+to the function driver in the same context of the disable call. Without
+the GUCTL2 bit, it is not ensured that the end transfer is completed before
+the buffers are unmapped.
+
+Fixes: cf2f8b63f7f1 ("usb: dwc3: gadget: Remove END_TRANSFER delay")
+Cc: stable
+Signed-off-by: Wesley Cheng
+Acked-by: Thinh Nguyen
+Link: https://lore.kernel.org/r/20230306200557.29387-1-quic_wcheng@quicinc.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/gadget.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1699,6 +1699,7 @@ static int __dwc3_gadget_get_frame(struc
+ */
+ static int __dwc3_stop_active_transfer(struct dwc3_ep *dep, bool force, bool interrupt)
+ {
++ struct dwc3 *dwc = dep->dwc;
+ struct dwc3_gadget_ep_cmd_params params;
+ u32 cmd;
+ int ret;
+@@ -1722,10 +1723,13 @@ static int __dwc3_stop_active_transfer(s
+ WARN_ON_ONCE(ret);
+ dep->resource_index = 0;
+
+- if (!interrupt)
++ if (!interrupt) {
++ if (!DWC3_IP_IS(DWC3) || DWC3_VER_IS_PRIOR(DWC3, 310A))
++ mdelay(1);
+ dep->flags &= ~DWC3_EP_TRANSFER_STARTED;
+- else if (!ret)
++ } else if (!ret) {
+ dep->flags |= DWC3_EP_END_TRANSFER_PENDING;
++ }
+
+ dep->flags &= ~DWC3_EP_DELAY_STOP;
+ return ret;
+@@ -3774,7 +3778,11 @@ void dwc3_stop_active_transfer(struct dw
+ * enabled, the EndTransfer command will have completed upon
+ * returning from this function.
+ *
+- * This mode is NOT available on the DWC_usb31 IP.
++ * This mode is NOT available on the DWC_usb31 IP. In this
++ * case, if the IOC bit is not set, then delay by 1ms
++ * after issuing the EndTransfer command. This allows for the
++ * controller to handle the command completely before DWC3
++ * remove requests attempts to unmap USB request buffers.
+ */
+
+ __dwc3_stop_active_transfer(dep, force, interrupt);
diff --git a/queue-6.2/usb-typec-tcpm-fix-create-duplicate-source-capabilities-file.patch b/queue-6.2/usb-typec-tcpm-fix-create-duplicate-source-capabilities-file.patch
new file mode 100644
index 00000000000..d34fc44a6de
--- /dev/null
+++ b/queue-6.2/usb-typec-tcpm-fix-create-duplicate-source-capabilities-file.patch
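Review bot: The new local `struct dwc3 *dwc = dep->dwc;` in __dwc3_stop_active_transfer() is never referenced by name in the hunk; it appears to exist only because DWC3_IP_IS() and DWC3_VER_IS_PRIOR() expand to expressions that use a variable called `dwc`. A short comment such as `/* used implicitly by DWC3_IP_IS()/DWC3_VER_IS_PRIOR() */` would keep it from being removed as unused. The `mdelay(1)` is a busy-wait, and whether this function runs with a spinlock held or interrupts disabled is not visible here. The reason for the revision gate is given only in the comment in dwc3_stop_active_transfer(), so a one-line explanation next to the delay itself would help.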
@@ -0,0 +1,63 @@
+From a826492fc9dfe32afd70fff93955ae8174bbf14b Mon Sep 17 00:00:00 2001
+From: Xu Yang
+Date: Wed, 15 Feb 2023 13:49:51 +0800
+Subject: usb: typec: tcpm: fix create duplicate source-capabilities file
+
+From: Xu Yang
+
+commit a826492fc9dfe32afd70fff93955ae8174bbf14b upstream.
+
+The kernel will dump in the below cases:
+sysfs: cannot create duplicate filename
+'/devices/virtual/usb_power_delivery/pd1/source-capabilities'
+
+1. After soft reset has completed, an Explicit Contract negotiation occurs.
+The sink device will receive source capabilitys again. This will cause
+a duplicate source-capabilities file be created.
+2. Power swap twice on a device that is initailly sink role.
+
+This will unregister existing capabilities when above cases occurs.
+
+Fixes: 8203d26905ee ("usb: typec: tcpm: Register USB Power Delivery Capabilities")
+cc:
+Signed-off-by: Xu Yang
+Reviewed-by: Heikki Krogerus
+Reviewed-by: Guenter Roeck
+Link: https://lore.kernel.org/r/20230215054951.238394-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/tcpm.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -4547,6 +4547,9 @@ static void run_state_machine(struct tcp
+ case SOFT_RESET:
+ port->message_id = 0;
+ port->rx_msgid = -1;
++ /* remove existing capabilities */
++ usb_power_delivery_unregister_capabilities(port->partner_source_caps);
++ port->partner_source_caps = NULL;
+ tcpm_pd_send_control(port, PD_CTRL_ACCEPT);
+ tcpm_ams_finish(port);
+ if (port->pwr_role == TYPEC_SOURCE) {
+@@ -4566,6 +4569,9 @@ static void run_state_machine(struct tcp
+ case SOFT_RESET_SEND:
+ port->message_id = 0;
+ port->rx_msgid = -1;
++ /* remove existing capabilities */
++ usb_power_delivery_unregister_capabilities(port->partner_source_caps);
++ port->partner_source_caps = NULL;
+ if (tcpm_pd_send_control(port, PD_CTRL_SOFT_RESET))
+ tcpm_set_state_cond(port,
hard_reset_state(port), 0);
+ else
+@@ -4695,6 +4701,9 @@ static void run_state_machine(struct tcp
+ tcpm_set_state(port, SNK_STARTUP, 0);
+ break;
+ case PR_SWAP_SNK_SRC_SINK_OFF:
++ /* will be source, remove existing capabilities */
++ usb_power_delivery_unregister_capabilities(port->partner_source_caps);
++ port->partner_source_caps = NULL;
+ /*
+ * Prevent vbus discharge circuit from turning on during PR_SWAP
+ * as this is not a disconnect.
diff --git a/queue-6.2/usb-typec-tcpm-fix-warning-when-handle-discover_identity-message.patch b/queue-6.2/usb-typec-tcpm-fix-warning-when-handle-discover_identity-message.patch
new file mode 100644
index 00000000000..3ac484394d1
--- /dev/null
+++ b/queue-6.2/usb-typec-tcpm-fix-warning-when-handle-discover_identity-message.patch
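Review bot: The unregister-then-clear pair is open-coded three times in run_state_machine() (SOFT_RESET, SOFT_RESET_SEND and PR_SWAP_SNK_SRC_SINK_OFF), and the fix is only safe while the two statements stay together: if a later edit keeps the unregister call but loses `port->partner_source_caps = NULL;`, a stale pointer is left for the next path that unregisters or registers the capabilities. A small static helper doing both would keep that invariant in one place. At minimum the comment should say why the pointer is cleared, e.g. `/* drop the partner's source caps so they can be registered again without a duplicate sysfs entry; clear the pointer so it is not unregistered twice */`. All three sites also rely on usb_power_delivery_unregister_capabilities() tolerating a NULL argument when nothing was registered, which is not visible here. run_state_machine() begins and ends outside these hunks.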
@@ -0,0 +1,122 @@
+From abfc4fa28f0160df61c7149567da4f6494dfb488 Mon Sep 17 00:00:00 2001
+From: Xu Yang
+Date: Thu, 16 Feb 2023 11:15:15 +0800
+Subject: usb: typec: tcpm: fix warning when handle discover_identity message
+
+From: Xu Yang
+
+commit abfc4fa28f0160df61c7149567da4f6494dfb488 upstream.
+
+Since both source and sink device can send discover_identity message in
+PD3, kernel may dump below warning:
+
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 169 at drivers/usb/typec/tcpm/tcpm.c:1446 tcpm_queue_vdm+0xe0/0xf0
+Modules linked in:
+CPU: 0 PID: 169 Comm: 1-0050 Not tainted 6.1.1-00038-g6a3c36cf1da2-dirty #567
+Hardware name: NXP i.MX8MPlus EVK board (DT)
+pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : tcpm_queue_vdm+0xe0/0xf0
+lr : tcpm_queue_vdm+0x2c/0xf0
+sp : ffff80000c19bcd0
+x29: ffff80000c19bcd0 x28: 0000000000000001 x27: ffff0000d11c8ab8
+x26: ffff0000d11cc000 x25: 0000000000000000 x24: 00000000ff008081
+x23: 0000000000000001 x22: 00000000ff00a081 x21: ffff80000c19bdbc
+x20: 0000000000000000 x19: ffff0000d11c8080 x18: ffffffffffffffff
+x17: 0000000000000000 x16: 0000000000000000 x15: ffff0000d716f580
+x14: 0000000000000001 x13: ffff0000d716f507 x12: 0000000000000001
+x11: 0000000000000000 x10: 0000000000000020 x9 : 00000000000ee098
+x8 : 00000000ffffffff x7 : 000000000000001c x6 : ffff0000d716f580
+x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
+x2 : ffff80000c19bdbc x1 : 00000000ff00a081 x0 : 0000000000000004
+Call trace:
+tcpm_queue_vdm+0xe0/0xf0
+tcpm_pd_rx_handler+0x340/0x1ab0
+kthread_worker_fn+0xcc/0x18c
+kthread+0x10c/0x110
+ret_from_fork+0x10/0x20
+---[ end trace 0000000000000000 ]---
+
+Below sequences may trigger this warning:
+
+tcpm_send_discover_work(work)
+ tcpm_send_vdm(port, USB_SID_PD, CMD_DISCOVER_IDENT, NULL, 0);
+ tcpm_queue_vdm(port, header, data, count);
+ port->vdm_state = VDM_STATE_READY;
+
+vdm_state_machine_work(work);
+ <-- received discover_identity from partner
+
vdm_run_state_machine(port);
+ port->vdm_state = VDM_STATE_SEND_MESSAGE;
+ mod_vdm_delayed_work(port, x);
+
+tcpm_pd_rx_handler(work);
+ tcpm_pd_data_request(port, msg);
+ tcpm_handle_vdm_request(port, msg->payload, cnt);
+ tcpm_queue_vdm(port, response[0], &response[1], rlen - 1);
+--> WARN_ON(port->vdm_state > VDM_STATE_DONE);
+
+For this case, the state machine could still send out discover
+identity message later if we skip current discover_identity message.
+So we should handle the received message firstly and override the pending
+discover_identity message without warning in this case. Then, a delayed
+send_discover work will send discover_identity message again.
+
+Fixes: e00943e91678 ("usb: typec: tcpm: PD3.0 sinks can send Discover Identity even in device mode")
+cc:
+Signed-off-by: Xu Yang
+Reviewed-by: Guenter Roeck
+Reviewed-by: Heikki Krogerus
+Link: https://lore.kernel.org/r/20230216031515.4151117-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/tcpm.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -1436,10 +1436,18 @@ static int tcpm_ams_start(struct tcpm_po
+ static void tcpm_queue_vdm(struct tcpm_port *port, const u32 header,
+ const u32 *data, int cnt)
+ {
++ u32 vdo_hdr = port->vdo_data[0];
++
+ WARN_ON(!mutex_is_locked(&port->lock));
+
+- /* Make sure we are not still processing a previous VDM packet */
+- WARN_ON(port->vdm_state > VDM_STATE_DONE);
++ /* If is sending discover_identity, handle received message first */
++ if (PD_VDO_SVDM(vdo_hdr) && PD_VDO_CMD(vdo_hdr) == CMD_DISCOVER_IDENT) {
++ port->send_discover = true;
++ mod_send_discover_delayed_work(port, SEND_DISCOVER_RETRY_MS);
++ } else {
++ /* Make sure we are not still processing a previous VDM packet */
++ WARN_ON(port->vdm_state > VDM_STATE_DONE);
++ }
+
+ port->vdo_count = cnt + 1;
+ port->vdo_data[0] = header;
+@@ -1942,11 +1950,13 @@
static void vdm_run_state_machine(struct
+ switch (PD_VDO_CMD(vdo_hdr)) {
+ case CMD_DISCOVER_IDENT:
+ res = tcpm_ams_start(port, DISCOVER_IDENTITY);
+- if (res == 0)
++ if (res == 0) {
+ port->send_discover = false;
+- else if (res == -EAGAIN)
++ } else if (res == -EAGAIN) {
++ port->vdo_data[0] = 0;
+ mod_send_discover_delayed_work(port,
+ SEND_DISCOVER_RETRY_MS);
++ }
+ break;
+ case CMD_DISCOVER_SVID:
+ res = tcpm_ams_start(port, DISCOVER_SVIDS);
+@@ -2029,6 +2039,7 @@ static void vdm_run_state_machine(struct
+ unsigned long timeout;
+
+ port->vdm_retries = 0;
++ port->vdo_data[0] = 0;
+ port->vdm_state = VDM_STATE_BUSY;
+ timeout = vdm_ready_timeout(vdo_hdr);
+ mod_vdm_delayed_work(port, timeout);
diff --git a/queue-6.2/usb-ucsi-fix-null-pointer-deref-in-ucsi_connector_change.patch b/queue-6.2/usb-ucsi-fix-null-pointer-deref-in-ucsi_connector_change.patch
new file mode 100644
index 00000000000..85f0652a465
--- /dev/null
+++ b/queue-6.2/usb-ucsi-fix-null-pointer-deref-in-ucsi_connector_change.patch
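Review bot: The new branch in tcpm_queue_vdm() decides that a Discover Identity is pending from `port->vdo_data[0]` alone and no longer consults `port->vdm_state`, so it is correct only if every path that finishes or abandons a Discover Identity also clears that word. The later hunks clear it on -EAGAIN and on the move to VDM_STATE_BUSY, but the other exits of the VDM state machine are outside the visible hunks; if one of them leaves the header in place, each VDM received from the port partner afterwards would set `send_discover` and re-arm the delayed work although nothing is pending. Tying the override to the state keeps the check self-contained: `if (port->vdm_state > VDM_STATE_DONE && PD_VDO_SVDM(vdo_hdr) && PD_VDO_CMD(vdo_hdr) == CMD_DISCOVER_IDENT) {`. tcpm_queue_vdm() continues past the end of its hunk.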
@@ -0,0 +1,67 @@
+From f87fb985452ab2083967103ac00bfd68fb182764 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Wed, 8 Mar 2023 16:42:42 +0100
+Subject: usb: ucsi: Fix NULL pointer deref in ucsi_connector_change()
+
+From: Hans de Goede
+
+commit f87fb985452ab2083967103ac00bfd68fb182764 upstream.
+
+When ucsi_init() fails, ucsi->connector is NULL, yet in case of
+ucsi_acpi we may still get events which cause the ucs_acpi code to call
+ucsi_connector_change(), which then derefs the NULL ucsi->connector
+pointer.
+
+Fix this by not setting ucsi->ntfy inside ucsi_init() until ucsi_init()
+has succeeded, so that ucsi_connector_change() ignores the events
+because UCSI_ENABLE_NTFY_CONNECTOR_CHANGE is not set in the ntfy mask.
+
+Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217106
+Cc: stable@vger.kernel.org
+Reviewed-by: Heikki Krogerus
+Signed-off-by: Hans de Goede
+Link: https://lore.kernel.org/r/20230308154244.722337-2-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/ucsi/ucsi.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/typec/ucsi/ucsi.c
++++ b/drivers/usb/typec/ucsi/ucsi.c
+@@ -1205,7 +1205,7 @@ out_unlock:
+ static int ucsi_init(struct ucsi *ucsi)
+ {
+ struct ucsi_connector *con;
+- u64 command;
++ u64 command, ntfy;
+ int ret;
+ int i;
+
+@@ -1217,8 +1217,8 @@ static int ucsi_init(struct ucsi *ucsi)
+ }
+
+ /* Enable basic notifications */
+- ucsi->ntfy = UCSI_ENABLE_NTFY_CMD_COMPLETE | UCSI_ENABLE_NTFY_ERROR;
+- command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy;
++ ntfy = UCSI_ENABLE_NTFY_CMD_COMPLETE | UCSI_ENABLE_NTFY_ERROR;
++ command = UCSI_SET_NOTIFICATION_ENABLE | ntfy;
+ ret = ucsi_send_command(ucsi, command, NULL, 0);
+ if (ret < 0)
+ goto err_reset;
+@@ -1250,12 +1250,13 @@ static int ucsi_init(struct ucsi *ucsi)
+ }
+
+ /* Enable all notifications */
+- ucsi->ntfy = UCSI_ENABLE_NTFY_ALL;
+- command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy;
++ ntfy = UCSI_ENABLE_NTFY_ALL;
++ command = UCSI_SET_NOTIFICATION_ENABLE | ntfy;
+ ret = ucsi_send_command(ucsi, command, NULL, 0);
+ if (ret < 0)
+ goto err_unregister;
+
++ ucsi->ntfy = ntfy;
+ return 0;
+
+ err_unregister:
diff --git a/queue-6.2/usb-ucsi_acpi-increase-the-command-completion-timeout.patch b/queue-6.2/usb-ucsi_acpi-increase-the-command-completion-timeout.patch
new file mode 100644
index 00000000000..dc0ae5f6523
--- /dev/null
+++ b/queue-6.2/usb-ucsi_acpi-increase-the-command-completion-timeout.patch
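Review bot: The deferred `ucsi->ntfy = ntfy;` just before `return 0;` is what stops ucsi_connector_change() from dereferencing `ucsi->connector` after a failed init, but nothing at the assignment says so, and it reads like a redundancy that a later cleanup could fold back into the earlier lines. A comment there would protect it, for example `/* Publish the mask only once init has succeeded: ucsi_connector_change() ignores events while UCSI_ENABLE_NTFY_CONNECTOR_CHANGE is clear */`. The command enabling all notifications is sent before the mask is stored, so a connector event arriving in that window would presumably be ignored; whether that matters depends on code outside the hunks. The error labels and the rest of ucsi_init() are also outside the hunks, so it is not visible whether `ucsi->ntfy` is cleared when init fails after an earlier successful run.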
@@ -0,0 +1,51 @@
+From 02d210f434249a7edbc160969b75df030dc6934d Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Wed, 8 Mar 2023 16:42:44 +0100
+Subject: usb: ucsi_acpi: Increase the command completion timeout
+
+From: Hans de Goede
+
+commit 02d210f434249a7edbc160969b75df030dc6934d upstream.
+
+Commit 130a96d698d7 ("usb: typec: ucsi: acpi: Increase command
+completion timeout value") increased the timeout from 5 seconds
+to 60 seconds due to issues related to alternate mode discovery.
+
+After the alternate mode discovery switch to polled mode
+the timeout was reduced, but instead of being set back to
+5 seconds it was reduced to 1 second.
+
+This is causing problems when using a Lenovo ThinkPad X1 yoga gen7
+connected over Type-C to a LG 27UL850-W (charging DP over Type-C).
+
+When the monitor is already connected at boot the following error
+is logged: "PPM init failed (-110)", /sys/class/typec is empty and
+on unplugging the NULL pointer deref fixed earlier in this series
+happens.
+
+When the monitor is connected after boot the following error
+is logged instead: "GET_CONNECTOR_STATUS failed (-110)".
+
+Setting the timeout back to 5 seconds fixes both cases.
+
+Fixes: e08065069fc7 ("usb: typec: ucsi: acpi: Reduce the command completion timeout")
+Cc: stable@vger.kernel.org
+Reviewed-by: Heikki Krogerus
+Signed-off-by: Hans de Goede
+Link: https://lore.kernel.org/r/20230308154244.722337-4-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/ucsi/ucsi_acpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/ucsi/ucsi_acpi.c
++++ b/drivers/usb/typec/ucsi/ucsi_acpi.c
+@@ -78,7 +78,7 @@ static int ucsi_acpi_sync_write(struct u
+ if (ret)
+ goto out_clear_bit;
+
+- if (!wait_for_completion_timeout(&ua->complete, HZ))
++ if (!wait_for_completion_timeout(&ua->complete, 5 * HZ))
+ ret = -ETIMEDOUT;
+
+ out_clear_bit:
-- 2.47.3
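Review bot: The timeout in ucsi_acpi_sync_write() is a bare `5 * HZ` with no comment, although the commit message shows this value has already moved from 5 s to 60 s to 1 s and back, and that the 1 s setting produced "PPM init failed (-110)" followed by a NULL pointer dereference on unplug. A named constant with the reason beside it would make the next change a deliberate one, e.g. `#define UCSI_ACPI_CMD_TIMEOUT (5 * HZ) /* 1 s was too short for PPM init with a Type-C monitor attached */` (the name is only a suggestion) used as `wait_for_completion_timeout(&ua->complete, UCSI_ACPI_CMD_TIMEOUT)`. ucsi_acpi_sync_write() starts before and ends after the hunk.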