From 9a39aaad6150bde23db4a8c659f3c8379271864d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 2 Sep 2023 10:43:02 +0200 Subject: [PATCH] 6.5-stable patches added patches: alsa-usb-audio-fix-init-call-orders-for-uac1.patch arm-pxa-remove-use-of-symbol_get.patch hid-wacom-remove-the-battery-when-the-ekr-is-off.patch ksmbd-fix-slub-overflow-in-ksmbd_decode_ntlmssp_auth_blob.patch ksmbd-fix-wrong-dataoffset-validation-of-create-context.patch ksmbd-reduce-descriptor-size-if-remaining-bytes-is-less-than-request-size.patch ksmbd-replace-one-element-array-with-flex-array-member-in-struct-smb2_ea_info.patch mmc-au1xmmc-force-non-modular-build-and-remove-symbol_get-usage.patch modules-only-allow-symbol_get-of-export_symbol_gpl-modules.patch net-enetc-use-export_symbol_gpl-for-enetc_phc_index.patch rtc-ds1685-use-export_symbol_gpl-for-ds1685_rtc_poweroff.patch staging-rtl8712-fix-race-condition.patch usb-chipidea-imx-improve-logic-if-samsung-picophy-parameter-is-0.patch usb-dwc3-meson-g12a-do-post-init-to-fix-broken-usb-after-resumption.patch usb-serial-option-add-foxconn-t99w368-t99w373-product.patch usb-serial-option-add-quectel-em05g-variant-0x030e.patch --- ...-audio-fix-init-call-orders-for-uac1.patch | 68 +++++++++ .../arm-pxa-remove-use-of-symbol_get.patch | 73 +++++++++ ...move-the-battery-when-the-ekr-is-off.patch | 130 ++++++++++++++++ ...ow-in-ksmbd_decode_ntlmssp_auth_blob.patch | 34 +++++ ...aoffset-validation-of-create-context.patch | 33 +++++ ...ning-bytes-is-less-than-request-size.patch | 104 +++++++++++++ ...-array-member-in-struct-smb2_ea_info.patch | 69 +++++++++ ...ar-build-and-remove-symbol_get-usage.patch | 139 ++++++++++++++++++ ...bol_get-of-export_symbol_gpl-modules.patch | 58 ++++++++ ...xport_symbol_gpl-for-enetc_phc_index.patch | 34 +++++ ...t_symbol_gpl-for-ds1685_rtc_poweroff.patch | 34 +++++ queue-6.5/series | 16 ++ .../staging-rtl8712-fix-race-condition.patch | 50 +++++++ ...ic-if-samsung-picophy-parameter-is-0.patch | 64 ++++++++ ...t-to-fix-broken-usb-after-resumption.patch | 45 ++++++ ...-add-foxconn-t99w368-t99w373-product.patch | 66 +++++++++ ...ion-add-quectel-em05g-variant-0x030e.patch | 65 ++++++++ 17 files changed, 1082 insertions(+) create mode 100644 queue-6.5/alsa-usb-audio-fix-init-call-orders-for-uac1.patch create mode 100644 queue-6.5/arm-pxa-remove-use-of-symbol_get.patch create mode 100644 queue-6.5/hid-wacom-remove-the-battery-when-the-ekr-is-off.patch create mode 100644 queue-6.5/ksmbd-fix-slub-overflow-in-ksmbd_decode_ntlmssp_auth_blob.patch create mode 100644 queue-6.5/ksmbd-fix-wrong-dataoffset-validation-of-create-context.patch create mode 100644 queue-6.5/ksmbd-reduce-descriptor-size-if-remaining-bytes-is-less-than-request-size.patch create mode 100644 queue-6.5/ksmbd-replace-one-element-array-with-flex-array-member-in-struct-smb2_ea_info.patch create mode 100644 queue-6.5/mmc-au1xmmc-force-non-modular-build-and-remove-symbol_get-usage.patch create mode 100644 queue-6.5/modules-only-allow-symbol_get-of-export_symbol_gpl-modules.patch create mode 100644 queue-6.5/net-enetc-use-export_symbol_gpl-for-enetc_phc_index.patch create mode 100644 queue-6.5/rtc-ds1685-use-export_symbol_gpl-for-ds1685_rtc_poweroff.patch create mode 100644 queue-6.5/staging-rtl8712-fix-race-condition.patch create mode 100644 queue-6.5/usb-chipidea-imx-improve-logic-if-samsung-picophy-parameter-is-0.patch create mode 100644 queue-6.5/usb-dwc3-meson-g12a-do-post-init-to-fix-broken-usb-after-resumption.patch create mode 100644 queue-6.5/usb-serial-option-add-foxconn-t99w368-t99w373-product.patch create mode 100644 queue-6.5/usb-serial-option-add-quectel-em05g-variant-0x030e.patch diff --git a/queue-6.5/alsa-usb-audio-fix-init-call-orders-for-uac1.patch b/queue-6.5/alsa-usb-audio-fix-init-call-orders-for-uac1.patch new file mode 100644 index 00000000000..2dd1770f8e4 --- /dev/null +++ b/queue-6.5/alsa-usb-audio-fix-init-call-orders-for-uac1.patch @@ -0,0 +1,68 @@ +From 5fadc941d07530d681f3b7ec91e56d8445bc3825 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 21 Aug 2023 13:18:57 +0200 +Subject: ALSA: usb-audio: Fix init call orders for UAC1 + +From: Takashi Iwai + +commit 5fadc941d07530d681f3b7ec91e56d8445bc3825 upstream. + +There have been reports of USB-audio driver spewing errors at the +probe time on a few devices like Jabra and Logitech. The suggested +fix there couldn't be applied as is, unfortunately, because it'll +likely break other devices. + +But, the patch suggested an interesting point: looking at the current +init code in stream.c, one may notice that it does initialize +differently from the device setup in endpoint.c. Namely, for UAC1, we +should call snd_usb_init_pitch() and snd_usb_init_sample_rate() after +setting the interface, while the init sequence at parsing calls them +before setting the interface blindly. + +This patch changes the init sequence at parsing for UAC1 (and other +devices that need a similar behavior) to be aligned with the rest of +the code, setting the interface at first. And, this fixes the +long-standing problems on a few UAC1 devices like Jabra / Logitech, +as reported, too. + +Reported-and-tested-by: Joakim Tjernlund +Closes: https://lore.kernel.org/r/202bbbc0f51522e8545783c4c5577d12a8e2d56d.camel@infinera.com +Cc: +Link: https://lore.kernel.org/r/20230821111857.28926-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/stream.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -1093,6 +1093,7 @@ static int __snd_usb_parse_audio_interfa + int i, altno, err, stream; + struct audioformat *fp = NULL; + struct snd_usb_power_domain *pd = NULL; ++ bool set_iface_first; + int num, protocol; + + dev = chip->dev; +@@ -1223,11 +1224,19 @@ static int __snd_usb_parse_audio_interfa + return err; + } + ++ set_iface_first = false; ++ if (protocol == UAC_VERSION_1 || ++ (chip->quirk_flags & QUIRK_FLAG_SET_IFACE_FIRST)) ++ set_iface_first = true; ++ + /* try to set the interface... */ + usb_set_interface(chip->dev, iface_no, 0); ++ if (set_iface_first) ++ usb_set_interface(chip->dev, iface_no, altno); + snd_usb_init_pitch(chip, fp); + snd_usb_init_sample_rate(chip, fp, fp->rate_max); +- usb_set_interface(chip->dev, iface_no, altno); ++ if (!set_iface_first) ++ usb_set_interface(chip->dev, iface_no, altno); + } + return 0; + } diff --git a/queue-6.5/arm-pxa-remove-use-of-symbol_get.patch b/queue-6.5/arm-pxa-remove-use-of-symbol_get.patch new file mode 100644 index 00000000000..90ad0c9415e --- /dev/null +++ b/queue-6.5/arm-pxa-remove-use-of-symbol_get.patch @@ -0,0 +1,73 @@ +From 0faa29c4207e6e29cfc81b427df60e326c37083a Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 1 Aug 2023 19:35:40 +0200 +Subject: ARM: pxa: remove use of symbol_get() + +From: Arnd Bergmann + +commit 0faa29c4207e6e29cfc81b427df60e326c37083a upstream. + +The spitz board file uses the obscure symbol_get() function +to optionally call a function from sharpsl_pm.c if that is +built. However, the two files are always built together +these days, and have been for a long time, so this can +be changed to a normal function call. + +Link: https://lore.kernel.org/lkml/20230731162639.GA9441@lst.de/ +Signed-off-by: Arnd Bergmann +Signed-off-by: Christoph Hellwig +Signed-off-by: Luis Chamberlain +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-pxa/sharpsl_pm.c | 2 -- + arch/arm/mach-pxa/spitz.c | 14 +------------- + 2 files changed, 1 insertion(+), 15 deletions(-) + +--- a/arch/arm/mach-pxa/sharpsl_pm.c ++++ b/arch/arm/mach-pxa/sharpsl_pm.c +@@ -216,8 +216,6 @@ void sharpsl_battery_kick(void) + { + schedule_delayed_work(&sharpsl_bat, msecs_to_jiffies(125)); + } +-EXPORT_SYMBOL(sharpsl_battery_kick); +- + + static void sharpsl_battery_thread(struct work_struct *private_) + { +--- a/arch/arm/mach-pxa/spitz.c ++++ b/arch/arm/mach-pxa/spitz.c +@@ -9,7 +9,6 @@ + */ + + #include +-#include /* symbol_get ; symbol_put */ + #include + #include + #include +@@ -518,17 +517,6 @@ static struct gpiod_lookup_table spitz_a + }, + }; + +-static void spitz_bl_kick_battery(void) +-{ +- void (*kick_batt)(void); +- +- kick_batt = symbol_get(sharpsl_battery_kick); +- if (kick_batt) { +- kick_batt(); +- symbol_put(sharpsl_battery_kick); +- } +-} +- + static struct gpiod_lookup_table spitz_lcdcon_gpio_table = { + .dev_id = "spi2.1", + .table = { +@@ -556,7 +544,7 @@ static struct corgi_lcd_platform_data sp + .max_intensity = 0x2f, + .default_intensity = 0x1f, + .limit_mask = 0x0b, +- .kick_battery = spitz_bl_kick_battery, ++ .kick_battery = sharpsl_battery_kick, + }; + + static struct spi_board_info spitz_spi_devices[] = { diff --git a/queue-6.5/hid-wacom-remove-the-battery-when-the-ekr-is-off.patch b/queue-6.5/hid-wacom-remove-the-battery-when-the-ekr-is-off.patch new file mode 100644 index 00000000000..8830e0cb4ab --- /dev/null +++ b/queue-6.5/hid-wacom-remove-the-battery-when-the-ekr-is-off.patch @@ -0,0 +1,130 @@ +From 9ac6678b95b0dd9458a7a6869f46e51cd55a1d84 Mon Sep 17 00:00:00 2001 +From: Aaron Armstrong Skomra +Date: Tue, 25 Jul 2023 15:20:25 -0700 +Subject: HID: wacom: remove the battery when the EKR is off + +From: Aaron Armstrong Skomra + +commit 9ac6678b95b0dd9458a7a6869f46e51cd55a1d84 upstream. + +Currently the EKR battery remains even after we stop getting information +from the device. This can lead to a stale battery persisting indefinitely +in userspace. + +The remote sends a heartbeat every 10 seconds. Delete the battery if we +miss two heartbeats (after 21 seconds). Restore the battery once we see +a heartbeat again. + +Signed-off-by: Aaron Skomra +Signed-off-by: Aaron Armstrong Skomra +Reviewed-by: Jason Gerecke +Fixes: 9f1015d45f62 ("HID: wacom: EKR: attach the power_supply on first connection") +CC: stable@vger.kernel.org +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom.h | 1 + + drivers/hid/wacom_sys.c | 25 +++++++++++++++++++++---- + drivers/hid/wacom_wac.c | 1 + + drivers/hid/wacom_wac.h | 1 + + 4 files changed, 24 insertions(+), 4 deletions(-) + +--- a/drivers/hid/wacom.h ++++ b/drivers/hid/wacom.h +@@ -150,6 +150,7 @@ struct wacom_remote { + struct input_dev *input; + bool registered; + struct wacom_battery battery; ++ ktime_t active_time; + } remotes[WACOM_MAX_REMOTES]; + }; + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -2523,6 +2523,18 @@ fail: + return; + } + ++static void wacom_remote_destroy_battery(struct wacom *wacom, int index) ++{ ++ struct wacom_remote *remote = wacom->remote; ++ ++ if (remote->remotes[index].battery.battery) { ++ devres_release_group(&wacom->hdev->dev, ++ &remote->remotes[index].battery.bat_desc); ++ remote->remotes[index].battery.battery = NULL; ++ remote->remotes[index].active_time = 0; ++ } ++} ++ + static void wacom_remote_destroy_one(struct wacom *wacom, unsigned int index) + { + struct wacom_remote *remote = wacom->remote; +@@ -2537,9 +2549,7 @@ static void wacom_remote_destroy_one(str + remote->remotes[i].registered = false; + spin_unlock_irqrestore(&remote->remote_lock, flags); + +- if (remote->remotes[i].battery.battery) +- devres_release_group(&wacom->hdev->dev, +- &remote->remotes[i].battery.bat_desc); ++ wacom_remote_destroy_battery(wacom, i); + + if (remote->remotes[i].group.name) + devres_release_group(&wacom->hdev->dev, +@@ -2547,7 +2557,6 @@ static void wacom_remote_destroy_one(str + + remote->remotes[i].serial = 0; + remote->remotes[i].group.name = NULL; +- remote->remotes[i].battery.battery = NULL; + wacom->led.groups[i].select = WACOM_STATUS_UNKNOWN; + } + } +@@ -2632,6 +2641,9 @@ static int wacom_remote_attach_battery(s + if (remote->remotes[index].battery.battery) + return 0; + ++ if (!remote->remotes[index].active_time) ++ return 0; ++ + if (wacom->led.groups[index].select == WACOM_STATUS_UNKNOWN) + return 0; + +@@ -2647,6 +2659,7 @@ static void wacom_remote_work(struct wor + { + struct wacom *wacom = container_of(work, struct wacom, remote_work); + struct wacom_remote *remote = wacom->remote; ++ ktime_t kt = ktime_get(); + struct wacom_remote_data data; + unsigned long flags; + unsigned int count; +@@ -2673,6 +2686,10 @@ static void wacom_remote_work(struct wor + serial = data.remote[i].serial; + if (data.remote[i].connected) { + ++ if (kt - remote->remotes[i].active_time > WACOM_REMOTE_BATTERY_TIMEOUT ++ && remote->remotes[i].active_time != 0) ++ wacom_remote_destroy_battery(wacom, i); ++ + if (remote->remotes[i].serial == serial) { + wacom_remote_attach_battery(wacom, i); + continue; +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -1134,6 +1134,7 @@ static int wacom_remote_irq(struct wacom + if (index < 0 || !remote->remotes[index].registered) + goto out; + ++ remote->remotes[i].active_time = ktime_get(); + input = remote->remotes[index].input; + + input_report_key(input, BTN_0, (data[9] & 0x01)); +--- a/drivers/hid/wacom_wac.h ++++ b/drivers/hid/wacom_wac.h +@@ -13,6 +13,7 @@ + #define WACOM_NAME_MAX 64 + #define WACOM_MAX_REMOTES 5 + #define WACOM_STATUS_UNKNOWN 255 ++#define WACOM_REMOTE_BATTERY_TIMEOUT 21000000000ll + + /* packet length for individual models */ + #define WACOM_PKGLEN_BBFUN 9 diff --git a/queue-6.5/ksmbd-fix-slub-overflow-in-ksmbd_decode_ntlmssp_auth_blob.patch b/queue-6.5/ksmbd-fix-slub-overflow-in-ksmbd_decode_ntlmssp_auth_blob.patch new file mode 100644 index 00000000000..f8c83742aa8 --- /dev/null +++ b/queue-6.5/ksmbd-fix-slub-overflow-in-ksmbd_decode_ntlmssp_auth_blob.patch @@ -0,0 +1,34 @@ +From 4b081ce0d830b684fdf967abc3696d1261387254 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 25 Aug 2023 23:40:31 +0900 +Subject: ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() + +From: Namjae Jeon + +commit 4b081ce0d830b684fdf967abc3696d1261387254 upstream. + +If authblob->SessionKey.Length is bigger than session key +size(CIFS_KEY_SIZE), slub overflow can happen in key exchange codes. +cifs_arc4_crypt copy to session key array from SessionKey from client. + +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21940 +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/auth.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/smb/server/auth.c ++++ b/fs/smb/server/auth.c +@@ -355,6 +355,9 @@ int ksmbd_decode_ntlmssp_auth_blob(struc + if (blob_len < (u64)sess_key_off + sess_key_len) + return -EINVAL; + ++ if (sess_key_len > CIFS_KEY_SIZE) ++ return -EINVAL; ++ + ctx_arc4 = kmalloc(sizeof(*ctx_arc4), GFP_KERNEL); + if (!ctx_arc4) + return -ENOMEM; diff --git a/queue-6.5/ksmbd-fix-wrong-dataoffset-validation-of-create-context.patch b/queue-6.5/ksmbd-fix-wrong-dataoffset-validation-of-create-context.patch new file mode 100644 index 00000000000..d7e18fcf755 --- /dev/null +++ b/queue-6.5/ksmbd-fix-wrong-dataoffset-validation-of-create-context.patch @@ -0,0 +1,33 @@ +From 17d5b135bb720832364e8f55f6a887a3c7ec8fdb Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 25 Aug 2023 23:39:40 +0900 +Subject: ksmbd: fix wrong DataOffset validation of create context + +From: Namjae Jeon + +commit 17d5b135bb720832364e8f55f6a887a3c7ec8fdb upstream. + +If ->DataOffset of create context is 0, DataBuffer size is not correctly +validated. This patch change wrong validation code and consider tag +length in request. + +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21824 +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/oplock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/smb/server/oplock.c ++++ b/fs/smb/server/oplock.c +@@ -1492,7 +1492,7 @@ struct create_context *smb2_find_context + name_len < 4 || + name_off + name_len > cc_len || + (value_off & 0x7) != 0 || +- (value_off && (value_off < name_off + name_len)) || ++ (value_len && value_off < name_off + (name_len < 8 ? 8 : name_len)) || + ((u64)value_off + value_len > cc_len)) + return ERR_PTR(-EINVAL); + diff --git a/queue-6.5/ksmbd-reduce-descriptor-size-if-remaining-bytes-is-less-than-request-size.patch b/queue-6.5/ksmbd-reduce-descriptor-size-if-remaining-bytes-is-less-than-request-size.patch new file mode 100644 index 00000000000..ef0a41b49c6 --- /dev/null +++ b/queue-6.5/ksmbd-reduce-descriptor-size-if-remaining-bytes-is-less-than-request-size.patch @@ -0,0 +1,104 @@ +From e628bf939aafb61fbc56e9bdac8795cea5127e25 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Tue, 29 Aug 2023 23:40:37 +0900 +Subject: ksmbd: reduce descriptor size if remaining bytes is less than request size + +From: Namjae Jeon + +commit e628bf939aafb61fbc56e9bdac8795cea5127e25 upstream. + +Create 3 kinds of files to reproduce this problem. + +dd if=/dev/urandom of=127k.bin bs=1024 count=127 +dd if=/dev/urandom of=128k.bin bs=1024 count=128 +dd if=/dev/urandom of=129k.bin bs=1024 count=129 + +When copying files from ksmbd share to windows or cifs.ko, The following +error message happen from windows client. + +"The file '129k.bin' is too large for the destination filesystem." + +We can see the error logs from ksmbd debug prints + +[48394.611537] ksmbd: RDMA r/w request 0x0: token 0x669d, length 0x20000 +[48394.612054] ksmbd: smb_direct: RDMA write, len 0x20000, needed credits 0x1 +[48394.612572] ksmbd: filename 129k.bin, offset 131072, len 131072 +[48394.614189] ksmbd: nbytes 1024, offset 132096 mincount 0 +[48394.614585] ksmbd: Failed to process 8 [-22] + +And we can reproduce it with cifs.ko, +e.g. dd if=129k.bin of=/dev/null bs=128KB count=2 + +This problem is that ksmbd rdma return error if remaining bytes is less +than Length of Buffer Descriptor V1 Structure. + +smb_direct_rdma_xmit() +... + if (desc_buf_len == 0 || total_length > buf_len || + total_length > t->max_rdma_rw_size) + return -EINVAL; + +This patch reduce descriptor size with remaining bytes and remove the +check for total_length and buf_len. + +Cc: stable@vger.kernel.org +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/transport_rdma.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +--- a/fs/smb/server/transport_rdma.c ++++ b/fs/smb/server/transport_rdma.c +@@ -1366,24 +1366,35 @@ static int smb_direct_rdma_xmit(struct s + LIST_HEAD(msg_list); + char *desc_buf; + int credits_needed; +- unsigned int desc_buf_len; +- size_t total_length = 0; ++ unsigned int desc_buf_len, desc_num = 0; + + if (t->status != SMB_DIRECT_CS_CONNECTED) + return -ENOTCONN; + ++ if (buf_len > t->max_rdma_rw_size) ++ return -EINVAL; ++ + /* calculate needed credits */ + credits_needed = 0; + desc_buf = buf; + for (i = 0; i < desc_len / sizeof(*desc); i++) { ++ if (!buf_len) ++ break; ++ + desc_buf_len = le32_to_cpu(desc[i].length); ++ if (!desc_buf_len) ++ return -EINVAL; ++ ++ if (desc_buf_len > buf_len) { ++ desc_buf_len = buf_len; ++ desc[i].length = cpu_to_le32(desc_buf_len); ++ buf_len = 0; ++ } + + credits_needed += calc_rw_credits(t, desc_buf, desc_buf_len); + desc_buf += desc_buf_len; +- total_length += desc_buf_len; +- if (desc_buf_len == 0 || total_length > buf_len || +- total_length > t->max_rdma_rw_size) +- return -EINVAL; ++ buf_len -= desc_buf_len; ++ desc_num++; + } + + ksmbd_debug(RDMA, "RDMA %s, len %#x, needed credits %#x\n", +@@ -1395,7 +1406,7 @@ static int smb_direct_rdma_xmit(struct s + + /* build rdma_rw_ctx for each descriptor */ + desc_buf = buf; +- for (i = 0; i < desc_len / sizeof(*desc); i++) { ++ for (i = 0; i < desc_num; i++) { + msg = kzalloc(offsetof(struct smb_direct_rdma_rw_msg, sg_list) + + sizeof(struct scatterlist) * SG_CHUNK_SIZE, GFP_KERNEL); + if (!msg) { diff --git a/queue-6.5/ksmbd-replace-one-element-array-with-flex-array-member-in-struct-smb2_ea_info.patch b/queue-6.5/ksmbd-replace-one-element-array-with-flex-array-member-in-struct-smb2_ea_info.patch new file mode 100644 index 00000000000..55bf806cdd5 --- /dev/null +++ b/queue-6.5/ksmbd-replace-one-element-array-with-flex-array-member-in-struct-smb2_ea_info.patch @@ -0,0 +1,69 @@ +From 0ba5439d9afa2722e7728df56f272c89987540a4 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 25 Aug 2023 23:41:58 +0900 +Subject: ksmbd: replace one-element array with flex-array member in struct smb2_ea_info + +From: Namjae Jeon + +commit 0ba5439d9afa2722e7728df56f272c89987540a4 upstream. + +UBSAN complains about out-of-bounds array indexes on 1-element arrays in +struct smb2_ea_info. + +UBSAN: array-index-out-of-bounds in fs/smb/server/smb2pdu.c:4335:15 +index 1 is out of range for type 'char [1]' +CPU: 1 PID: 354 Comm: kworker/1:4 Not tainted 6.5.0-rc4 #1 +Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop +Reference Platform, BIOS 6.00 07/22/2020 +Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] +Call Trace: + + __dump_stack linux/lib/dump_stack.c:88 + dump_stack_lvl+0x48/0x70 linux/lib/dump_stack.c:106 + dump_stack+0x10/0x20 linux/lib/dump_stack.c:113 + ubsan_epilogue linux/lib/ubsan.c:217 + __ubsan_handle_out_of_bounds+0xc6/0x110 linux/lib/ubsan.c:348 + smb2_get_ea linux/fs/smb/server/smb2pdu.c:4335 + smb2_get_info_file linux/fs/smb/server/smb2pdu.c:4900 + smb2_query_info+0x63ae/0x6b20 linux/fs/smb/server/smb2pdu.c:5275 + __process_request linux/fs/smb/server/server.c:145 + __handle_ksmbd_work linux/fs/smb/server/server.c:213 + handle_ksmbd_work+0x348/0x10b0 linux/fs/smb/server/server.c:266 + process_one_work+0x85a/0x1500 linux/kernel/workqueue.c:2597 + worker_thread+0xf3/0x13a0 linux/kernel/workqueue.c:2748 + kthread+0x2b7/0x390 linux/kernel/kthread.c:389 + ret_from_fork+0x44/0x90 linux/arch/x86/kernel/process.c:145 + ret_from_fork_asm+0x1b/0x30 linux/arch/x86/entry/entry_64.S:304 + + +Cc: stable@vger.kernel.org +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 2 +- + fs/smb/server/smb2pdu.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -4308,7 +4308,7 @@ static int smb2_get_ea(struct ksmbd_work + if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) + name_len -= XATTR_USER_PREFIX_LEN; + +- ptr = (char *)(&eainfo->name + name_len + 1); ++ ptr = eainfo->name + name_len + 1; + buf_free_len -= (offsetof(struct smb2_ea_info, name) + + name_len + 1); + /* bailout if xattr can't fit in buf_free_len */ +--- a/fs/smb/server/smb2pdu.h ++++ b/fs/smb/server/smb2pdu.h +@@ -361,7 +361,7 @@ struct smb2_ea_info { + __u8 Flags; + __u8 EaNameLength; + __le16 EaValueLength; +- char name[1]; ++ char name[]; + /* optionally followed by value */ + } __packed; /* level 15 Query */ + diff --git a/queue-6.5/mmc-au1xmmc-force-non-modular-build-and-remove-symbol_get-usage.patch b/queue-6.5/mmc-au1xmmc-force-non-modular-build-and-remove-symbol_get-usage.patch new file mode 100644 index 00000000000..7b0bdb38d62 --- /dev/null +++ b/queue-6.5/mmc-au1xmmc-force-non-modular-build-and-remove-symbol_get-usage.patch @@ -0,0 +1,139 @@ +From d4a5c59a955bba96b273ec1a5885bada24c56979 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Tue, 1 Aug 2023 19:35:41 +0200 +Subject: mmc: au1xmmc: force non-modular build and remove symbol_get usage + +From: Christoph Hellwig + +commit d4a5c59a955bba96b273ec1a5885bada24c56979 upstream. + +au1xmmc is split somewhat awkwardly into the main mmc subsystem driver, +and callbacks in platform_data that sit under arch/mips/ and are +always built in. The latter than call mmc_detect_change through +symbol_get. Remove the use of symbol_get by requiring the driver +to be built in. In the future the interrupt handlers for card +insert/eject detection should probably be moved into the main driver, +and which point it can be built modular again. + +Signed-off-by: Christoph Hellwig +Acked-by: Manuel Lauss +Reviewed-by: Arnd Bergmann +[mcgrof: squashed in depends on MMC=y suggested by Arnd] +Signed-off-by: Luis Chamberlain +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/alchemy/devboards/db1000.c | 8 +------- + arch/mips/alchemy/devboards/db1200.c | 19 ++----------------- + arch/mips/alchemy/devboards/db1300.c | 10 +--------- + drivers/mmc/host/Kconfig | 5 +++-- + 4 files changed, 7 insertions(+), 35 deletions(-) + +--- a/arch/mips/alchemy/devboards/db1000.c ++++ b/arch/mips/alchemy/devboards/db1000.c +@@ -14,7 +14,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -167,12 +166,7 @@ static struct platform_device db1x00_aud + + static irqreturn_t db1100_mmc_cd(int irq, void *ptr) + { +- void (*mmc_cd)(struct mmc_host *, unsigned long); +- /* link against CONFIG_MMC=m */ +- mmc_cd = symbol_get(mmc_detect_change); +- mmc_cd(ptr, msecs_to_jiffies(500)); +- symbol_put(mmc_detect_change); +- ++ mmc_detect_change(ptr, msecs_to_jiffies(500)); + return IRQ_HANDLED; + } + +--- a/arch/mips/alchemy/devboards/db1200.c ++++ b/arch/mips/alchemy/devboards/db1200.c +@@ -10,7 +10,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -340,14 +339,7 @@ static irqreturn_t db1200_mmc_cd(int irq + + static irqreturn_t db1200_mmc_cdfn(int irq, void *ptr) + { +- void (*mmc_cd)(struct mmc_host *, unsigned long); +- +- /* link against CONFIG_MMC=m */ +- mmc_cd = symbol_get(mmc_detect_change); +- if (mmc_cd) { +- mmc_cd(ptr, msecs_to_jiffies(200)); +- symbol_put(mmc_detect_change); +- } ++ mmc_detect_change(ptr, msecs_to_jiffies(200)); + + msleep(100); /* debounce */ + if (irq == DB1200_SD0_INSERT_INT) +@@ -431,14 +423,7 @@ static irqreturn_t pb1200_mmc1_cd(int ir + + static irqreturn_t pb1200_mmc1_cdfn(int irq, void *ptr) + { +- void (*mmc_cd)(struct mmc_host *, unsigned long); +- +- /* link against CONFIG_MMC=m */ +- mmc_cd = symbol_get(mmc_detect_change); +- if (mmc_cd) { +- mmc_cd(ptr, msecs_to_jiffies(200)); +- symbol_put(mmc_detect_change); +- } ++ mmc_detect_change(ptr, msecs_to_jiffies(200)); + + msleep(100); /* debounce */ + if (irq == PB1200_SD1_INSERT_INT) +--- a/arch/mips/alchemy/devboards/db1300.c ++++ b/arch/mips/alchemy/devboards/db1300.c +@@ -17,7 +17,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -459,14 +458,7 @@ static irqreturn_t db1300_mmc_cd(int irq + + static irqreturn_t db1300_mmc_cdfn(int irq, void *ptr) + { +- void (*mmc_cd)(struct mmc_host *, unsigned long); +- +- /* link against CONFIG_MMC=m. We can only be called once MMC core has +- * initialized the controller, so symbol_get() should always succeed. +- */ +- mmc_cd = symbol_get(mmc_detect_change); +- mmc_cd(ptr, msecs_to_jiffies(200)); +- symbol_put(mmc_detect_change); ++ mmc_detect_change(ptr, msecs_to_jiffies(200)); + + msleep(100); /* debounce */ + if (irq == DB1300_SD1_INSERT_INT) +--- a/drivers/mmc/host/Kconfig ++++ b/drivers/mmc/host/Kconfig +@@ -526,11 +526,12 @@ config MMC_ALCOR + of Alcor Micro PCI-E card reader + + config MMC_AU1X +- tristate "Alchemy AU1XX0 MMC Card Interface support" ++ bool "Alchemy AU1XX0 MMC Card Interface support" + depends on MIPS_ALCHEMY ++ depends on MMC=y + help + This selects the AMD Alchemy(R) Multimedia card interface. +- If you have a Alchemy platform with a MMC slot, say Y or M here. ++ If you have a Alchemy platform with a MMC slot, say Y here. + + If unsure, say N. + diff --git a/queue-6.5/modules-only-allow-symbol_get-of-export_symbol_gpl-modules.patch b/queue-6.5/modules-only-allow-symbol_get-of-export_symbol_gpl-modules.patch new file mode 100644 index 00000000000..37fe430f9ab --- /dev/null +++ b/queue-6.5/modules-only-allow-symbol_get-of-export_symbol_gpl-modules.patch @@ -0,0 +1,58 @@ +From 9011e49d54dcc7653ebb8a1e05b5badb5ecfa9f9 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Tue, 1 Aug 2023 19:35:44 +0200 +Subject: modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules + +From: Christoph Hellwig + +commit 9011e49d54dcc7653ebb8a1e05b5badb5ecfa9f9 upstream. + +It has recently come to my attention that nvidia is circumventing the +protection added in 262e6ae7081d ("modules: inherit +TAINT_PROPRIETARY_MODULE") by importing exports from their proprietary +modules into an allegedly GPL licensed module and then rexporting them. + +Given that symbol_get was only ever intended for tightly cooperating +modules using very internal symbols it is logical to restrict it to +being used on EXPORT_SYMBOL_GPL and prevent nvidia from costly DMCA +Circumvention of Access Controls law suites. + +All symbols except for four used through symbol_get were already exported +as EXPORT_SYMBOL_GPL, and the remaining four ones were switched over in +the preparation patches. + +Fixes: 262e6ae7081d ("modules: inherit TAINT_PROPRIETARY_MODULE") +Signed-off-by: Christoph Hellwig +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Luis Chamberlain +Signed-off-by: Greg Kroah-Hartman +--- + kernel/module/main.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/kernel/module/main.c ++++ b/kernel/module/main.c +@@ -1295,12 +1295,20 @@ void *__symbol_get(const char *symbol) + }; + + preempt_disable(); +- if (!find_symbol(&fsa) || strong_try_module_get(fsa.owner)) { +- preempt_enable(); +- return NULL; ++ if (!find_symbol(&fsa)) ++ goto fail; ++ if (fsa.license != GPL_ONLY) { ++ pr_warn("failing symbol_get of non-GPLONLY symbol %s.\n", ++ symbol); ++ goto fail; + } ++ if (strong_try_module_get(fsa.owner)) ++ goto fail; + preempt_enable(); + return (void *)kernel_symbol_value(fsa.sym); ++fail: ++ preempt_enable(); ++ return NULL; + } + EXPORT_SYMBOL_GPL(__symbol_get); + diff --git a/queue-6.5/net-enetc-use-export_symbol_gpl-for-enetc_phc_index.patch b/queue-6.5/net-enetc-use-export_symbol_gpl-for-enetc_phc_index.patch new file mode 100644 index 00000000000..350c0fa550b --- /dev/null +++ b/queue-6.5/net-enetc-use-export_symbol_gpl-for-enetc_phc_index.patch @@ -0,0 +1,34 @@ +From 569820befb16ffc755ab7af71f4f08cc5f68f0fe Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Tue, 1 Aug 2023 19:35:42 +0200 +Subject: net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index + +From: Christoph Hellwig + +commit 569820befb16ffc755ab7af71f4f08cc5f68f0fe upstream. + +enetc_phc_index is only used via symbol_get, which was only ever +intended for very internal symbols like this one. Use EXPORT_SYMBOL_GPL +for it so that symbol_get can enforce only being used on +EXPORT_SYMBOL_GPL symbols. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Jakub Kicinski +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Luis Chamberlain +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/enetc/enetc_ptp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/enetc/enetc_ptp.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc_ptp.c +@@ -8,7 +8,7 @@ + #include "enetc.h" + + int enetc_phc_index = -1; +-EXPORT_SYMBOL(enetc_phc_index); ++EXPORT_SYMBOL_GPL(enetc_phc_index); + + static struct ptp_clock_info enetc_ptp_caps = { + .owner = THIS_MODULE, diff --git a/queue-6.5/rtc-ds1685-use-export_symbol_gpl-for-ds1685_rtc_poweroff.patch b/queue-6.5/rtc-ds1685-use-export_symbol_gpl-for-ds1685_rtc_poweroff.patch new file mode 100644 index 00000000000..8c1473a16e2 --- /dev/null +++ b/queue-6.5/rtc-ds1685-use-export_symbol_gpl-for-ds1685_rtc_poweroff.patch @@ -0,0 +1,34 @@ +From 95e7ebc6823170256a8ce19fad87912805bfa001 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Tue, 1 Aug 2023 19:35:43 +0200 +Subject: rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff + +From: Christoph Hellwig + +commit 95e7ebc6823170256a8ce19fad87912805bfa001 upstream. + +ds1685_rtc_poweroff is only used externally via symbol_get, which was +only ever intended for very internal symbols like this one. Use +EXPORT_SYMBOL_GPL for it so that symbol_get can enforce only being used +on EXPORT_SYMBOL_GPL symbols. + +Signed-off-by: Christoph Hellwig +Acked-by: Joshua Kinard +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Luis Chamberlain +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-ds1685.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/rtc/rtc-ds1685.c ++++ b/drivers/rtc/rtc-ds1685.c +@@ -1432,7 +1432,7 @@ ds1685_rtc_poweroff(struct platform_devi + unreachable(); + } + } +-EXPORT_SYMBOL(ds1685_rtc_poweroff); ++EXPORT_SYMBOL_GPL(ds1685_rtc_poweroff); + /* ----------------------------------------------------------------------- */ + + diff --git a/queue-6.5/series b/queue-6.5/series index 15a593a37f2..70a62a6461b 100644 --- a/queue-6.5/series +++ b/queue-6.5/series @@ -1,2 +1,18 @@ drm-amdgpu-correct-vmhub-index-in-gmc-v10-11.patch erofs-ensure-that-the-post-eof-tails-are-all-zeroed.patch +ksmbd-fix-wrong-dataoffset-validation-of-create-context.patch +ksmbd-fix-slub-overflow-in-ksmbd_decode_ntlmssp_auth_blob.patch +ksmbd-replace-one-element-array-with-flex-array-member-in-struct-smb2_ea_info.patch +ksmbd-reduce-descriptor-size-if-remaining-bytes-is-less-than-request-size.patch +arm-pxa-remove-use-of-symbol_get.patch +mmc-au1xmmc-force-non-modular-build-and-remove-symbol_get-usage.patch +net-enetc-use-export_symbol_gpl-for-enetc_phc_index.patch +rtc-ds1685-use-export_symbol_gpl-for-ds1685_rtc_poweroff.patch +modules-only-allow-symbol_get-of-export_symbol_gpl-modules.patch +usb-serial-option-add-quectel-em05g-variant-0x030e.patch +usb-serial-option-add-foxconn-t99w368-t99w373-product.patch +alsa-usb-audio-fix-init-call-orders-for-uac1.patch +usb-dwc3-meson-g12a-do-post-init-to-fix-broken-usb-after-resumption.patch +usb-chipidea-imx-improve-logic-if-samsung-picophy-parameter-is-0.patch +hid-wacom-remove-the-battery-when-the-ekr-is-off.patch +staging-rtl8712-fix-race-condition.patch diff --git a/queue-6.5/staging-rtl8712-fix-race-condition.patch b/queue-6.5/staging-rtl8712-fix-race-condition.patch new file mode 100644 index 00000000000..94a6aa87655 --- /dev/null +++ b/queue-6.5/staging-rtl8712-fix-race-condition.patch @@ -0,0 +1,50 @@ +From 1422b526fba994cf05fd288a152106563b875fce Mon Sep 17 00:00:00 2001 +From: Nam Cao +Date: Mon, 31 Jul 2023 13:06:20 +0200 +Subject: staging: rtl8712: fix race condition + +From: Nam Cao + +commit 1422b526fba994cf05fd288a152106563b875fce upstream. + +In probe function, request_firmware_nowait() is called to load firmware +asynchronously. At completion of firmware loading, register_netdev() is +called. However, a mutex needed by netdev is initialized after the call +to request_firmware_nowait(). Consequently, it can happen that +register_netdev() is called before the driver is ready. + +Move the mutex initialization into r8712_init_drv_sw(), which is called +before request_firmware_nowait(). + +Reported-by: syzbot+b08315e8cf5a78eed03c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-staging/000000000000d9d4560601b8e0d7@google.com/T/#u +Fixes: 8c213fa59199 ("staging: r8712u: Use asynchronous firmware loading") +Cc: stable +Signed-off-by: Nam Cao +Link: https://lore.kernel.org/r/20230731110620.116562-1-namcaov@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8712/os_intfs.c | 1 + + drivers/staging/rtl8712/usb_intf.c | 1 - + 2 files changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8712/os_intfs.c ++++ b/drivers/staging/rtl8712/os_intfs.c +@@ -327,6 +327,7 @@ int r8712_init_drv_sw(struct _adapter *p + mp871xinit(padapter); + init_default_value(padapter); + r8712_InitSwLeds(padapter); ++ mutex_init(&padapter->mutex_start); + + return 0; + +--- a/drivers/staging/rtl8712/usb_intf.c ++++ b/drivers/staging/rtl8712/usb_intf.c +@@ -567,7 +567,6 @@ static int r871xu_drv_init(struct usb_in + if (rtl871x_load_fw(padapter)) + goto deinit_drv_sw; + init_completion(&padapter->rx_filter_ready); +- mutex_init(&padapter->mutex_start); + return 0; + + deinit_drv_sw: diff --git a/queue-6.5/usb-chipidea-imx-improve-logic-if-samsung-picophy-parameter-is-0.patch b/queue-6.5/usb-chipidea-imx-improve-logic-if-samsung-picophy-parameter-is-0.patch new file mode 100644 index 00000000000..2e3d7b85477 --- /dev/null +++ b/queue-6.5/usb-chipidea-imx-improve-logic-if-samsung-picophy-parameter-is-0.patch @@ -0,0 +1,64 @@ +From 36668515d56bf73f06765c71e08c8f7465f1e5c4 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Tue, 27 Jun 2023 19:21:24 +0800 +Subject: usb: chipidea: imx: improve logic if samsung,picophy-* parameter is 0 + +From: Xu Yang + +commit 36668515d56bf73f06765c71e08c8f7465f1e5c4 upstream. + +In current driver, the value of tuning parameter will not take effect +if samsung,picophy-* is assigned as 0. Because 0 is also a valid value +acccording to the description of USB_PHY_CFG1 register, this will improve +the logic to let it work. + +Fixes: 58a3cefb3840 ("usb: chipidea: imx: add two samsung picophy parameters tuning implementation") +cc: +Signed-off-by: Xu Yang +Acked-by: Peter Chen +Link: https://lore.kernel.org/r/20230627112126.1882666-1-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/ci_hdrc_imx.c | 10 ++++++---- + drivers/usb/chipidea/usbmisc_imx.c | 6 ++++-- + 2 files changed, 10 insertions(+), 6 deletions(-) + +--- a/drivers/usb/chipidea/ci_hdrc_imx.c ++++ b/drivers/usb/chipidea/ci_hdrc_imx.c +@@ -175,10 +175,12 @@ static struct imx_usbmisc_data *usbmisc_ + if (of_usb_get_phy_mode(np) == USBPHY_INTERFACE_MODE_ULPI) + data->ulpi = 1; + +- of_property_read_u32(np, "samsung,picophy-pre-emp-curr-control", +- &data->emp_curr_control); +- of_property_read_u32(np, "samsung,picophy-dc-vol-level-adjust", +- &data->dc_vol_level_adjust); ++ if (of_property_read_u32(np, "samsung,picophy-pre-emp-curr-control", ++ &data->emp_curr_control)) ++ data->emp_curr_control = -1; ++ if (of_property_read_u32(np, "samsung,picophy-dc-vol-level-adjust", ++ &data->dc_vol_level_adjust)) ++ data->dc_vol_level_adjust = -1; + + return data; + } +--- a/drivers/usb/chipidea/usbmisc_imx.c ++++ b/drivers/usb/chipidea/usbmisc_imx.c +@@ -659,13 +659,15 @@ static int usbmisc_imx7d_init(struct imx + usbmisc->base + MX7D_USBNC_USB_CTRL2); + /* PHY tuning for signal quality */ + reg = readl(usbmisc->base + MX7D_USB_OTG_PHY_CFG1); +- if (data->emp_curr_control && data->emp_curr_control <= ++ if (data->emp_curr_control >= 0 && ++ data->emp_curr_control <= + (TXPREEMPAMPTUNE0_MASK >> TXPREEMPAMPTUNE0_BIT)) { + reg &= ~TXPREEMPAMPTUNE0_MASK; + reg |= (data->emp_curr_control << TXPREEMPAMPTUNE0_BIT); + } + +- if (data->dc_vol_level_adjust && data->dc_vol_level_adjust <= ++ if (data->dc_vol_level_adjust >= 0 && ++ data->dc_vol_level_adjust <= + (TXVREFTUNE0_MASK >> TXVREFTUNE0_BIT)) { + reg &= ~TXVREFTUNE0_MASK; + reg |= (data->dc_vol_level_adjust << TXVREFTUNE0_BIT); diff --git a/queue-6.5/usb-dwc3-meson-g12a-do-post-init-to-fix-broken-usb-after-resumption.patch b/queue-6.5/usb-dwc3-meson-g12a-do-post-init-to-fix-broken-usb-after-resumption.patch new file mode 100644 index 00000000000..bbbc9234694 --- /dev/null +++ b/queue-6.5/usb-dwc3-meson-g12a-do-post-init-to-fix-broken-usb-after-resumption.patch @@ -0,0 +1,45 @@ +From 1fa206bb764f37d2ab4bf671e483153ef0659b34 Mon Sep 17 00:00:00 2001 +From: Luke Lu +Date: Wed, 9 Aug 2023 21:29:11 +0000 +Subject: usb: dwc3: meson-g12a: do post init to fix broken usb after resumption + +From: Luke Lu + +commit 1fa206bb764f37d2ab4bf671e483153ef0659b34 upstream. + +Device connected to usb otg port of GXL-based boards can not be +recognised after resumption, doesn't recover even if disconnect and +reconnect the device. dmesg shows it disconnects during resumption. + +[ 41.492911] usb 1-2: USB disconnect, device number 3 +[ 41.499346] usb 1-2: unregistering device +[ 41.511939] usb 1-2: unregistering interface 1-2:1.0 + +Calling usb_post_init() will fix this issue, and it's tested and +verified on libretech's aml-s905x-cc board. + +Cc: stable@vger.kernel.org # v5.8+ +Fixes: c99993376f72 ("usb: dwc3: Add Amlogic G12A DWC3 glue") +Signed-off-by: Luke Lu +Acked-by: Neil Armstrong +Link: https://lore.kernel.org/r/20230809212911.18903-1-luke.lu@libre.computer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-meson-g12a.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-meson-g12a.c ++++ b/drivers/usb/dwc3/dwc3-meson-g12a.c +@@ -926,6 +926,12 @@ static int __maybe_unused dwc3_meson_g12 + return ret; + } + ++ if (priv->drvdata->usb_post_init) { ++ ret = priv->drvdata->usb_post_init(priv); ++ if (ret) ++ return ret; ++ } ++ + return 0; + } + diff --git a/queue-6.5/usb-serial-option-add-foxconn-t99w368-t99w373-product.patch b/queue-6.5/usb-serial-option-add-foxconn-t99w368-t99w373-product.patch new file mode 100644 index 00000000000..863a93fb15e --- /dev/null +++ b/queue-6.5/usb-serial-option-add-foxconn-t99w368-t99w373-product.patch @@ -0,0 +1,66 @@ +From 4d9488b294e1f8353bbcadc4c7172a7f7490199b Mon Sep 17 00:00:00 2001 +From: Slark Xiao +Date: Wed, 23 Aug 2023 15:57:51 +0800 +Subject: USB: serial: option: add FOXCONN T99W368/T99W373 product + +From: Slark Xiao + +commit 4d9488b294e1f8353bbcadc4c7172a7f7490199b upstream. + +The difference of T99W368 and T99W373 is the chip solution. +T99W368 is designed based on Qualcomm SDX65 and T99W373 is SDX62. + +Test evidence as below: +T: Bus=01 Lev=02 Prnt=05 Port=00 Cnt=01 Dev#= 7 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e0f0 Rev=05.04 +S: Manufacturer=FII +S: Product=OLYMPIC USB WWAN Adapter +S: SerialNumber=78ada8c4 +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +I: If#=0x3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option + +T: Bus=01 Lev=02 Prnt=05 Port=00 Cnt=01 Dev#= 8 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e0ee Rev=05.04 +S: Manufacturer=FII +S: Product=OLYMPIC USB WWAN Adapter +S: SerialNumber=78ada8d5 +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +I: If#=0x3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option + +Both of them share the same port configuration: +0&1: MBIM, 2: Modem, 3:GNSS, 4:NMEA, 5:Diag +GNSS port don't use serial driver. + +Signed-off-by: Slark Xiao +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -2235,6 +2235,10 @@ static const struct usb_device_id option + .driver_info = RSVD(0) | RSVD(1) | RSVD(6) }, + { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe0db, 0xff), /* Foxconn T99W265 MBIM */ + .driver_info = RSVD(3) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe0ee, 0xff), /* Foxconn T99W368 MBIM */ ++ .driver_info = RSVD(3) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe0f0, 0xff), /* Foxconn T99W373 MBIM */ ++ .driver_info = RSVD(3) }, + { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 (IOT version) */ + .driver_info = RSVD(4) | RSVD(5) | RSVD(6) }, + { USB_DEVICE(0x1782, 0x4d10) }, /* Fibocom L610 (AT mode) */ diff --git a/queue-6.5/usb-serial-option-add-quectel-em05g-variant-0x030e.patch b/queue-6.5/usb-serial-option-add-quectel-em05g-variant-0x030e.patch new file mode 100644 index 00000000000..3296f67aca6 --- /dev/null +++ b/queue-6.5/usb-serial-option-add-quectel-em05g-variant-0x030e.patch @@ -0,0 +1,65 @@ +From 873854c02364ebb991fc06f7148c14dfb5419e1b Mon Sep 17 00:00:00 2001 +From: Martin Kohn +Date: Thu, 27 Jul 2023 22:23:00 +0000 +Subject: USB: serial: option: add Quectel EM05G variant (0x030e) + +From: Martin Kohn + +commit 873854c02364ebb991fc06f7148c14dfb5419e1b upstream. + +Add Quectel EM05G with product ID 0x030e. +Interface 4 is used for qmi. + +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=2c7c ProdID=030e Rev= 3.18 +S: Manufacturer=Quectel +S: Product=Quectel EM05-G +C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=89(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Martin Kohn +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -259,6 +259,7 @@ static void option_instat_callback(struc + #define QUECTEL_PRODUCT_EM05G 0x030a + #define QUECTEL_PRODUCT_EM060K 0x030b + #define QUECTEL_PRODUCT_EM05G_CS 0x030c ++#define QUECTEL_PRODUCT_EM05GV2 0x030e + #define QUECTEL_PRODUCT_EM05CN_SG 0x0310 + #define QUECTEL_PRODUCT_EM05G_SG 0x0311 + #define QUECTEL_PRODUCT_EM05CN 0x0312 +@@ -1188,6 +1189,8 @@ static const struct usb_device_id option + .driver_info = RSVD(6) | ZLP }, + { USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05G, 0xff), + .driver_info = RSVD(6) | ZLP }, ++ { USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05GV2, 0xff), ++ .driver_info = RSVD(4) | ZLP }, + { USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05G_CS, 0xff), + .driver_info = RSVD(6) | ZLP }, + { USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05G_GR, 0xff), -- 2.47.3