From d96a27c5c8d624ea1e74b4c7a573039acaeaad11 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 10 Apr 2023 11:25:06 +0200 Subject: [PATCH] 6.1-stable patches added patches: alsa-hda-realtek-add-quirk-for-clevo-x370snw.patch alsa-hda-realtek-fix-mute-micmute-leds-for-a-hp-probook.patch drivers-iio-adc-ltc2497-fix-lsb-shift.patch dt-bindings-serial-renesas-scif-fix-4th-irq-for-4-irq-scifs.patch iio-adc-qcom-spmi-adc5-fix-the-channel-name.patch iio-adc-ti-ads7950-set-can_sleep-flag-for-gpio-chip.patch iio-adis16480-select-config_crc32.patch iio-buffer-correctly-return-bytes-written-in-output-buffers.patch iio-buffer-make-sure-o_nonblock-is-respected.patch iio-dac-cio-dac-fix-max-dac-write-value-check-for-12-bit.patch iio-light-cm32181-unregister-second-i2c-client-if-present.patch ksmbd-do-not-call-kvmalloc-with-__gfp_noretry-__gfp_no_warn.patch ksmbd-fix-slab-out-of-bounds-in-init_smb2_rsp_hdr.patch nilfs2-fix-potential-uaf-of-struct-nilfs_sc_info-in-nilfs_segctor_thread.patch nilfs2-fix-sysfs-interface-lifetime.patch serial-8250-prevent-starting-up-dma-rx-on-thri-interrupt.patch tty-serial-fsl_lpuart-avoid-checking-for-transfer-complete-when-uartctrl_sbk-is-asserted-in-lpuart32_tx_empty.patch tty-serial-sh-sci-fix-rx-on-rz-g2l-sci.patch tty-serial-sh-sci-fix-transmit-end-interrupt-handler.patch usb-cdnsp-fixes-error-uninitialized-symbol-len.patch usb-dwc3-pci-add-support-for-the-intel-meteor-lake-s.patch usb-serial-cp210x-add-silicon-labs-ifs-usb-datacable-ids.patch usb-serial-option-add-quectel-rm500u-cn-modem.patch usb-serial-option-add-telit-fe990-compositions.patch usb-typec-altmodes-displayport-fix-configure-initial-pin-assignment.patch --- ...-realtek-add-quirk-for-clevo-x370snw.patch | 31 ++ ...x-mute-micmute-leds-for-a-hp-probook.patch | 32 ++ ...rivers-iio-adc-ltc2497-fix-lsb-shift.patch | 63 ++++ ...sas-scif-fix-4th-irq-for-4-irq-scifs.patch | 43 +++ ...-qcom-spmi-adc5-fix-the-channel-name.patch | 56 ++++ ...950-set-can_sleep-flag-for-gpio-chip.patch | 37 +++ .../iio-adis16480-select-config_crc32.patch | 40 +++ 
...turn-bytes-written-in-output-buffers.patch | 39 +++ ...er-make-sure-o_nonblock-is-respected.patch | 67 +++++ ...max-dac-write-value-check-for-12-bit.patch | 38 +++ ...egister-second-i2c-client-if-present.patch | 56 ++++ ...loc-with-__gfp_noretry-__gfp_no_warn.patch | 39 +++ ...b-out-of-bounds-in-init_smb2_rsp_hdr.patch | 279 ++++++++++++++++++ ...ilfs_sc_info-in-nilfs_segctor_thread.patch | 55 ++++ .../nilfs2-fix-sysfs-interface-lifetime.patch | 118 ++++++++ ...starting-up-dma-rx-on-thri-interrupt.patch | 78 +++++ queue-6.1/series | 25 ++ ...sbk-is-asserted-in-lpuart32_tx_empty.patch | 48 +++ ...y-serial-sh-sci-fix-rx-on-rz-g2l-sci.patch | 33 +++ ...i-fix-transmit-end-interrupt-handler.patch | 47 +++ ...fixes-error-uninitialized-symbol-len.patch | 43 +++ ...-support-for-the-intel-meteor-lake-s.patch | 40 +++ ...d-silicon-labs-ifs-usb-datacable-ids.patch | 31 ++ ...l-option-add-quectel-rm500u-cn-modem.patch | 132 +++++++++ ...-option-add-telit-fe990-compositions.patch | 42 +++ ...fix-configure-initial-pin-assignment.patch | 45 +++ 26 files changed, 1557 insertions(+) create mode 100644 queue-6.1/alsa-hda-realtek-add-quirk-for-clevo-x370snw.patch create mode 100644 queue-6.1/alsa-hda-realtek-fix-mute-micmute-leds-for-a-hp-probook.patch create mode 100644 queue-6.1/drivers-iio-adc-ltc2497-fix-lsb-shift.patch create mode 100644 queue-6.1/dt-bindings-serial-renesas-scif-fix-4th-irq-for-4-irq-scifs.patch create mode 100644 queue-6.1/iio-adc-qcom-spmi-adc5-fix-the-channel-name.patch create mode 100644 queue-6.1/iio-adc-ti-ads7950-set-can_sleep-flag-for-gpio-chip.patch create mode 100644 queue-6.1/iio-adis16480-select-config_crc32.patch create mode 100644 queue-6.1/iio-buffer-correctly-return-bytes-written-in-output-buffers.patch create mode 100644 queue-6.1/iio-buffer-make-sure-o_nonblock-is-respected.patch create mode 100644 queue-6.1/iio-dac-cio-dac-fix-max-dac-write-value-check-for-12-bit.patch create mode 100644 
queue-6.1/iio-light-cm32181-unregister-second-i2c-client-if-present.patch create mode 100644 queue-6.1/ksmbd-do-not-call-kvmalloc-with-__gfp_noretry-__gfp_no_warn.patch create mode 100644 queue-6.1/ksmbd-fix-slab-out-of-bounds-in-init_smb2_rsp_hdr.patch create mode 100644 queue-6.1/nilfs2-fix-potential-uaf-of-struct-nilfs_sc_info-in-nilfs_segctor_thread.patch create mode 100644 queue-6.1/nilfs2-fix-sysfs-interface-lifetime.patch create mode 100644 queue-6.1/serial-8250-prevent-starting-up-dma-rx-on-thri-interrupt.patch create mode 100644 queue-6.1/tty-serial-fsl_lpuart-avoid-checking-for-transfer-complete-when-uartctrl_sbk-is-asserted-in-lpuart32_tx_empty.patch create mode 100644 queue-6.1/tty-serial-sh-sci-fix-rx-on-rz-g2l-sci.patch create mode 100644 queue-6.1/tty-serial-sh-sci-fix-transmit-end-interrupt-handler.patch create mode 100644 queue-6.1/usb-cdnsp-fixes-error-uninitialized-symbol-len.patch create mode 100644 queue-6.1/usb-dwc3-pci-add-support-for-the-intel-meteor-lake-s.patch create mode 100644 queue-6.1/usb-serial-cp210x-add-silicon-labs-ifs-usb-datacable-ids.patch create mode 100644 queue-6.1/usb-serial-option-add-quectel-rm500u-cn-modem.patch create mode 100644 queue-6.1/usb-serial-option-add-telit-fe990-compositions.patch create mode 100644 queue-6.1/usb-typec-altmodes-displayport-fix-configure-initial-pin-assignment.patch diff --git a/queue-6.1/alsa-hda-realtek-add-quirk-for-clevo-x370snw.patch b/queue-6.1/alsa-hda-realtek-add-quirk-for-clevo-x370snw.patch new file mode 100644 index 00000000000..bf954aad235 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-quirk-for-clevo-x370snw.patch 
@@ -0,0 +1,31 @@
+From 36d4d213c6d4fffae2645a601e8ae996de4c3645 Mon Sep 17 00:00:00 2001
+From: Jeremy Soller
+Date: Fri, 31 Mar 2023 10:23:17 -0600
+Subject: ALSA: hda/realtek: Add quirk for Clevo X370SNW
+
+From: Jeremy Soller
+
+commit 36d4d213c6d4fffae2645a601e8ae996de4c3645 upstream.
+
+Fixes speaker output and headset detection on Clevo X370SNW.
+
+Signed-off-by: Jeremy Soller
+Signed-off-by: Tim Crawford
+Cc:
+Link: https://lore.kernel.org/r/20230331162317.14992-1-tcrawford@system76.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -2624,6 +2624,7 @@ static const struct snd_pci_quirk alc882
+ SND_PCI_QUIRK(0x1462, 0xda57, "MSI Z270-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS),
+ SND_PCI_QUIRK_VENDOR(0x1462, "MSI", ALC882_FIXUP_GPIO3),
+ SND_PCI_QUIRK(0x147b, 0x107a, "Abit AW9D-MAX", ALC882_FIXUP_ABIT_AW9D_MAX),
++ SND_PCI_QUIRK(0x1558, 0x3702, "Clevo X370SN[VW]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+ SND_PCI_QUIRK(0x1558, 0x50d3, "Clevo PC50[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+ SND_PCI_QUIRK(0x1558, 0x65d1, "Clevo PB51[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+ SND_PCI_QUIRK(0x1558, 0x65d2, "Clevo PB51R[CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
diff --git a/queue-6.1/alsa-hda-realtek-fix-mute-micmute-leds-for-a-hp-probook.patch b/queue-6.1/alsa-hda-realtek-fix-mute-micmute-leds-for-a-hp-probook.patch
new file mode 100644
index 00000000000..97289c4e2ae
--- /dev/null
+++ b/queue-6.1/alsa-hda-realtek-fix-mute-micmute-leds-for-a-hp-probook.patch
@@ -0,0 +1,32 @@
+From 9fdc1605c504204e0fdec7892b29c916579e06f3 Mon Sep 17 00:00:00 2001
+From: Andy Chi
+Date: Fri, 31 Mar 2023 16:32:41 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs for a HP ProBook
+
+From: Andy Chi
+
+commit 9fdc1605c504204e0fdec7892b29c916579e06f3 upstream.
+
+There is a HP ProBook which using ALC236 codec and need the
+ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF quirk to make mute LED and
+micmute LED work.
+
+Signed-off-by: Andy Chi
+Cc:
+Link: https://lore.kernel.org/r/20230331083242.58416-1-andy.chi@canonical.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9443,6 +9443,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8b47, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b5d, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8b5e, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x8b66, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8b7a, "HP", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b7d, "HP", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b87, "HP", ALC236_FIXUP_HP_GPIO_LED),
diff --git a/queue-6.1/drivers-iio-adc-ltc2497-fix-lsb-shift.patch b/queue-6.1/drivers-iio-adc-ltc2497-fix-lsb-shift.patch
new file mode 100644
index 00000000000..403f153a916
--- /dev/null
+++ b/queue-6.1/drivers-iio-adc-ltc2497-fix-lsb-shift.patch
@@ -0,0 +1,63 @@
+From 6327a930ab7bfa1ab33bcdffd5f5f4b1e7131504 Mon Sep 17 00:00:00 2001
+From: Ian Ray
+Date: Fri, 27 Jan 2023 14:57:14 +0200
+Subject: drivers: iio: adc: ltc2497: fix LSB shift
+
+From: Ian Ray
+
+commit 6327a930ab7bfa1ab33bcdffd5f5f4b1e7131504 upstream.
+
+Correct the "sub_lsb" shift for the ltc2497 and drop the sub_lsb element
+which is now constant.
+
+An earlier version of the code shifted by 14 but this was a consequence
+of reading three bytes into a __be32 buffer and using be32_to_cpu(), so
+eight extra bits needed to be skipped. Now we use get_unaligned_be24()
+and thus the additional skip is wrong.
+
+Fixes: 2187cfeb3626 ("drivers: iio: adc: ltc2497: LTC2499 support")
+Signed-off-by: Ian Ray
+Link: https://lore.kernel.org/r/20230127125714.44608-1-ian.ray@ge.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/ltc2497.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iio/adc/ltc2497.c b/drivers/iio/adc/ltc2497.c
+index 17370c5eb6fe..ec198c6f13d6 100644
+--- a/drivers/iio/adc/ltc2497.c
++++ b/drivers/iio/adc/ltc2497.c
+@@ -28,7 +28,6 @@ struct ltc2497_driverdata {
+ struct ltc2497core_driverdata common_ddata;
+ struct i2c_client *client;
+ u32 recv_size;
+- u32 sub_lsb;
+ /*
+ * DMA (thus cache coherency maintenance) may require the
+ * transfer buffers to live in their own cache lines.
+@@ -65,10 +64,10 @@ static int ltc2497_result_and_measure(struct ltc2497core_driverdata *ddata,
+ * equivalent to a sign extension.
+ */
+ if (st->recv_size == 3) {
+- *val = (get_unaligned_be24(st->data.d8) >> st->sub_lsb)
++ *val = (get_unaligned_be24(st->data.d8) >> 6)
+ - BIT(ddata->chip_info->resolution + 1);
+ } else {
+- *val = (be32_to_cpu(st->data.d32) >> st->sub_lsb)
++ *val = (be32_to_cpu(st->data.d32) >> 6)
+ - BIT(ddata->chip_info->resolution + 1);
+ }
+
+@@ -122,7 +121,6 @@ static int ltc2497_probe(struct i2c_client *client)
+ st->common_ddata.chip_info = chip_info;
+
+ resolution = chip_info->resolution;
+- st->sub_lsb = 31 - (resolution + 1);
+ st->recv_size = BITS_TO_BYTES(resolution) + 1;
+
+ return ltc2497core_probe(dev, indio_dev);
+--
+2.40.0
+
diff --git a/queue-6.1/dt-bindings-serial-renesas-scif-fix-4th-irq-for-4-irq-scifs.patch b/queue-6.1/dt-bindings-serial-renesas-scif-fix-4th-irq-for-4-irq-scifs.patch
new file mode 100644
index 00000000000..4d39e624ca7
--- /dev/null
+++ b/queue-6.1/dt-bindings-serial-renesas-scif-fix-4th-irq-for-4-irq-scifs.patch
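Review bot: The shift amount is now the bare literal `6` in both branches of `ltc2497_result_and_measure()`, whereas the removed `sub_lsb` field at least named what was being discarded. A single named constant (for instance `#define LTC2497_SUB_LSB 6`, the name being only a suggestion) with a one-line comment on why six bits are dropped would keep the two shifts from drifting apart. The function body starts and ends outside the hunk.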
@@ -0,0 +1,43 @@
+From 7b21f329ae0ab6361c0aebfc094db95821490cd1 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Fri, 17 Mar 2023 10:46:57 +0100
+Subject: dt-bindings: serial: renesas,scif: Fix 4th IRQ for 4-IRQ SCIFs
+
+From: Geert Uytterhoeven
+
+commit 7b21f329ae0ab6361c0aebfc094db95821490cd1 upstream.
+
+The fourth interrupt on SCIF variants with four interrupts (RZ/A1) is
+the Break interrupt, not the Transmit End interrupt (like on SCI(g)).
+Update the description and interrupt name to fix this.
+
+Fixes: 384d00fae8e51f8f ("dt-bindings: serial: sh-sci: Convert to json-schema")
+Cc: stable
+Signed-off-by: Geert Uytterhoeven
+Acked-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/719d1582e0ebbe3d674e3a48fc26295e1475a4c3.1679046394.git.geert+renesas@glider.be
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/serial/renesas,scif.yaml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/Documentation/devicetree/bindings/serial/renesas,scif.yaml
++++ b/Documentation/devicetree/bindings/serial/renesas,scif.yaml
+@@ -91,7 +91,7 @@ properties:
+ - description: Error interrupt
+ - description: Receive buffer full interrupt
+ - description: Transmit buffer empty interrupt
+- - description: Transmit End interrupt
++ - description: Break interrupt
+ - items:
+ - description: Error interrupt
+ - description: Receive buffer full interrupt
+@@ -106,7 +106,7 @@ properties:
+ - const: eri
+ - const: rxi
+ - const: txi
+- - const: tei
++ - const: bri
+ - items:
+ - const: eri
+ - const: rxi
diff --git a/queue-6.1/iio-adc-qcom-spmi-adc5-fix-the-channel-name.patch b/queue-6.1/iio-adc-qcom-spmi-adc5-fix-the-channel-name.patch
new file mode 100644
index 00000000000..ea590c6ceec
--- /dev/null
+++ b/queue-6.1/iio-adc-qcom-spmi-adc5-fix-the-channel-name.patch
@@ -0,0 +1,56 @@
+From 701c875aded880013aacac608832995c4b052257 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko
+Date: Wed, 18 Jan 2023 12:06:23 +0200
+Subject: iio: adc: qcom-spmi-adc5: Fix the channel name
+
+From: Andy Shevchenko
+
+commit 701c875aded880013aacac608832995c4b052257 upstream.
+
+The node name can contain an address part which is unused
+by the driver. Moreover, this string is propagated into
+the userspace label, sysfs filenames *and breaking ABI*.
+
+Cut the address part out before assigning the channel name.
+
+Fixes: 4f47a236a23d ("iio: adc: qcom-spmi-adc5: convert to device properties")
+Reported-by: Marijn Suijten
+Signed-off-by: Andy Shevchenko
+Reviewed-by: Marijn Suijten
+Link: https://lore.kernel.org/r/20230118100623.42255-1-andriy.shevchenko@linux.intel.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/qcom-spmi-adc5.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/qcom-spmi-adc5.c b/drivers/iio/adc/qcom-spmi-adc5.c
+index 821fee60a765..d1b86570768a 100644
+--- a/drivers/iio/adc/qcom-spmi-adc5.c
++++ b/drivers/iio/adc/qcom-spmi-adc5.c
+@@ -626,12 +626,20 @@ static int adc5_get_fw_channel_data(struct adc5_chip *adc,
+ struct fwnode_handle *fwnode,
+ const struct adc5_data *data)
+ {
+- const char *name = fwnode_get_name(fwnode), *channel_name;
++ const char *channel_name;
++ char *name;
+ u32 chan, value, varr[2];
+ u32 sid = 0;
+ int ret;
+ struct device *dev = adc->dev;
+
++ name = devm_kasprintf(dev, GFP_KERNEL, "%pfwP", fwnode);
++ if (!name)
++ return -ENOMEM;
++
++ /* Cut the address part */
++ name[strchrnul(name, '@') - name] = '\0';
++
+ ret = fwnode_property_read_u32(fwnode, "reg", &chan);
+ if (ret) {
+ dev_err(dev, "invalid channel number %s\n", name);
+--
+2.40.0
+
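Review bot: `name[strchrnul(name, '@') - name] = '\0';` computes an index from a pointer only to turn it back into the same pointer; `*strchrnul(name, '@') = '\0';` does the same thing with less to misread. The comment `/* Cut the address part */` could also say why it matters, e.g. `/* Cut the "@address" part: this string becomes the userspace-visible channel label */`, since the commit message is the only place that states the ABI reason. Where `name` is stored after this point is outside the hunk, so whether the device-lifetime `devm_kasprintf()` allocation is the right lifetime for it should be confirmed there.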
diff --git a/queue-6.1/iio-adc-ti-ads7950-set-can_sleep-flag-for-gpio-chip.patch b/queue-6.1/iio-adc-ti-ads7950-set-can_sleep-flag-for-gpio-chip.patch
new file mode 100644
index 00000000000..2aecfc435af
--- /dev/null
+++ b/queue-6.1/iio-adc-ti-ads7950-set-can_sleep-flag-for-gpio-chip.patch
@@ -0,0 +1,37 @@
+From 363c7dc72f79edd55bf1c4380e0fbf7f1bbc2c86 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen
+Date: Sun, 12 Mar 2023 14:09:33 -0700
+Subject: iio: adc: ti-ads7950: Set `can_sleep` flag for GPIO chip
+
+From: Lars-Peter Clausen
+
+commit 363c7dc72f79edd55bf1c4380e0fbf7f1bbc2c86 upstream.
+
+The ads7950 uses a mutex as well as SPI transfers in its GPIO callbacks.
+This means these callbacks can sleep and the `can_sleep` flag should be
+set.
+
+Having the flag set will make sure that warnings are generated when calling
+any of the callbacks from a potentially non-sleeping context.
+
+Fixes: c97dce792dc8 ("iio: adc: ti-ads7950: add GPIO support")
+Signed-off-by: Lars-Peter Clausen
+Acked-by: David Lechner
+Link: https://lore.kernel.org/r/20230312210933.2275376-1-lars@metafoo.de
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/ti-ads7950.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/adc/ti-ads7950.c
++++ b/drivers/iio/adc/ti-ads7950.c
+@@ -634,6 +634,7 @@ static int ti_ads7950_probe(struct spi_d
+ st->chip.label = dev_name(&st->spi->dev);
+ st->chip.parent = &st->spi->dev;
+ st->chip.owner = THIS_MODULE;
++ st->chip.can_sleep = true;
+ st->chip.base = -1;
+ st->chip.ngpio = TI_ADS7950_NUM_GPIOS;
+ st->chip.get_direction = ti_ads7950_get_direction;
diff --git a/queue-6.1/iio-adis16480-select-config_crc32.patch b/queue-6.1/iio-adis16480-select-config_crc32.patch
new file mode 100644
index 00000000000..8c7abcb9bc5
--- /dev/null
+++ b/queue-6.1/iio-adis16480-select-config_crc32.patch
@@ -0,0 +1,40 @@
+From d9b540ee461cca7edca0dd2c2a42625c6b9ffb8f Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Tue, 31 Jan 2023 10:46:11 +0100
+Subject: iio: adis16480: select CONFIG_CRC32
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnd Bergmann
+
+commit d9b540ee461cca7edca0dd2c2a42625c6b9ffb8f upstream.
+
+In rare randconfig builds, the missing CRC32 helper causes
+a link error:
+
+ld.lld: error: undefined symbol: crc32_le
+>>> referenced by usercopy_64.c
+>>> vmlinux.o:(adis16480_trigger_handler)
+
+Fixes: 941f130881fa ("iio: adis16480: support burst read function")
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Nuno Sá
+Link: https://lore.kernel.org/r/20230131094616.130238-1-arnd@kernel.org
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/imu/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/imu/Kconfig
++++ b/drivers/iio/imu/Kconfig
+@@ -47,6 +47,7 @@ config ADIS16480
+ depends on SPI
+ select IIO_ADIS_LIB
+ select IIO_ADIS_LIB_BUFFER if IIO_BUFFER
++ select CRC32
+ help
+ Say yes here to build support for Analog Devices ADIS16375, ADIS16480,
+ ADIS16485, ADIS16488 inertial sensors.
diff --git a/queue-6.1/iio-buffer-correctly-return-bytes-written-in-output-buffers.patch b/queue-6.1/iio-buffer-correctly-return-bytes-written-in-output-buffers.patch
new file mode 100644
index 00000000000..5cc1a768e3a
--- /dev/null
+++ b/queue-6.1/iio-buffer-correctly-return-bytes-written-in-output-buffers.patch
@@ -0,0 +1,39 @@
+From b5184a26a28fac1d708b0bfeeb958a9260c2924c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nuno=20S=C3=A1?=
+Date: Thu, 16 Feb 2023 11:14:50 +0100
+Subject: iio: buffer: correctly return bytes written in output buffers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá
+
+commit b5184a26a28fac1d708b0bfeeb958a9260c2924c upstream.
+
+If for some reason 'rb->access->write()' does not write the full
+requested data and the O_NONBLOCK is set, we would return 'n' to
+userspace which is not really truth. Hence, let's return the number of
+bytes we effectively wrote.
+
+Fixes: 9eeee3b0bf190 ("iio: Add output buffer support")
+Signed-off-by: Nuno Sá
+Reviewed-by: Lars-Peter Clausen
+Link: https://lore.kernel.org/r/20230216101452.591805-2-nuno.sa@analog.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/industrialio-buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -220,7 +220,7 @@ static ssize_t iio_buffer_write(struct f
+ } while (ret == 0);
+ remove_wait_queue(&rb->pollq, &wait);
+
+- return ret < 0 ? ret : n;
++ return ret < 0 ? ret : written;
+ }
+
+ /**
diff --git a/queue-6.1/iio-buffer-make-sure-o_nonblock-is-respected.patch b/queue-6.1/iio-buffer-make-sure-o_nonblock-is-respected.patch
new file mode 100644
index 00000000000..61418dc16a7
--- /dev/null
+++ b/queue-6.1/iio-buffer-make-sure-o_nonblock-is-respected.patch
@@ -0,0 +1,67 @@
+From 3da1814184582ed0faf039275a3f02e6f69944ee Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nuno=20S=C3=A1?=
+Date: Thu, 16 Feb 2023 11:14:51 +0100
+Subject: iio: buffer: make sure O_NONBLOCK is respected
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá
+
+commit 3da1814184582ed0faf039275a3f02e6f69944ee upstream.
+
+For output buffers, there's no guarantee that the buffer won't be full
+in the first iteration of the loop in which case we would block
+independently of userspace passing O_NONBLOCK or not. Fix it by always
+checking the flag before going to sleep.
+
+While at it (and as it's a bit related), refactored the loop so that the
+stop condition is 'written != n', i.e, run the loop until all data has
+been copied into the IIO buffers. This makes the code a bit simpler.
+
+Fixes: 9eeee3b0bf190 ("iio: Add output buffer support")
+Signed-off-by: Nuno Sá
+Reviewed-by: Lars-Peter Clausen
+Link: https://lore.kernel.org/r/20230216101452.591805-3-nuno.sa@analog.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/industrialio-buffer.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -203,21 +203,24 @@ static ssize_t iio_buffer_write(struct f
+ break;
+ }
+
++ if (filp->f_flags & O_NONBLOCK) {
++ if (!written)
++ ret = -EAGAIN;
++ break;
++ }
++
+ wait_woken(&wait, TASK_INTERRUPTIBLE,
+ MAX_SCHEDULE_TIMEOUT);
+ continue;
+ }
+
+ ret = rb->access->write(rb, n - written, buf + written);
+- if (ret == 0 && (filp->f_flags & O_NONBLOCK))
+- ret = -EAGAIN;
++ if (ret < 0)
++ break;
+
+- if (ret > 0) {
+- written += ret;
+- if (written != n && !(filp->f_flags & O_NONBLOCK))
+- continue;
+- }
+- } while (ret == 0);
++ written += ret;
++
++ } while (written != n);
+ remove_wait_queue(&rb->pollq, &wait);
+
+ return ret < 0 ? ret : written;
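Review bot: A zero return from `rb->access->write()` is not handled in the rewritten loop: after `if (ret < 0) break;`, `written` is unchanged and `while (written != n)` re-enters immediately. If a backend can return 0 while the space-available check above still reports room (not determinable from this hunk), the task spins in the kernel with no sleep and no `signal_pending()` test, since that test sits only in the no-space branch. Treating a zero return as a short write, `if (ret <= 0) break;`, would bound the loop and still return `written`; the contract of `access->write()` should be checked first. The body of `iio_buffer_write()` starts before this hunk.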
diff --git a/queue-6.1/iio-dac-cio-dac-fix-max-dac-write-value-check-for-12-bit.patch b/queue-6.1/iio-dac-cio-dac-fix-max-dac-write-value-check-for-12-bit.patch
new file mode 100644
index 00000000000..866ca04f0e2
--- /dev/null
+++ b/queue-6.1/iio-dac-cio-dac-fix-max-dac-write-value-check-for-12-bit.patch
@@ -0,0 +1,38 @@
+From c3701185ee1973845db088d8b0fc443397ab0eb2 Mon Sep 17 00:00:00 2001
+From: William Breathitt Gray
+Date: Fri, 10 Mar 2023 19:22:48 -0500
+Subject: iio: dac: cio-dac: Fix max DAC write value check for 12-bit
+
+From: William Breathitt Gray
+
+commit c3701185ee1973845db088d8b0fc443397ab0eb2 upstream.
+
+The CIO-DAC series of devices only supports DAC values up to 12-bit
+rather than 16-bit. Trying to write a 16-bit value results in only the
+lower 12 bits affecting the DAC output which is not what the user
+expects. Instead, adjust the DAC write value check to reject values
+larger than 12-bit so that they fail explicitly as invalid for the user.
+
+Fixes: 3b8df5fd526e ("iio: Add IIO support for the Measurement Computing CIO-DAC family")
+Cc: stable@vger.kernel.org
+Signed-off-by: William Breathitt Gray
+Link: https://lore.kernel.org/r/20230311002248.8548-1-william.gray@linaro.org
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/dac/cio-dac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/dac/cio-dac.c
++++ b/drivers/iio/dac/cio-dac.c
+@@ -66,8 +66,8 @@ static int cio_dac_write_raw(struct iio_
+ if (mask != IIO_CHAN_INFO_RAW)
+ return -EINVAL;
+
+- /* DAC can only accept up to a 16-bit value */
+- if ((unsigned int)val > 65535)
++ /* DAC can only accept up to a 12-bit value */
++ if ((unsigned int)val > 4095)
+ return -EINVAL;
+
+ priv->chan_out_states[chan->channel] = val;
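Review bot: The bound in `cio_dac_write_raw()` is the bare literal `4095`, and only the comment ties it to the 12-bit width, which is how the previous `65535` went unnoticed. Writing it as `if ((unsigned int)val > GENMASK(11, 0))`, or against a named maximum, would make the width explicit at the comparison. The `(unsigned int)` cast is also what rejects a negative `val`, so the comment could say so: `/* DAC accepts 0..4095 (12-bit); the cast also rejects negative values */`.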
diff --git a/queue-6.1/iio-light-cm32181-unregister-second-i2c-client-if-present.patch b/queue-6.1/iio-light-cm32181-unregister-second-i2c-client-if-present.patch
new file mode 100644
index 00000000000..e7cfa89a181
--- /dev/null
+++ b/queue-6.1/iio-light-cm32181-unregister-second-i2c-client-if-present.patch
@@ -0,0 +1,56 @@
+From 099cc90a5a62e68b2fe3a42da011ab929b98bf73 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng
+Date: Thu, 23 Feb 2023 10:00:59 +0800
+Subject: iio: light: cm32181: Unregister second I2C client if present
+
+From: Kai-Heng Feng
+
+commit 099cc90a5a62e68b2fe3a42da011ab929b98bf73 upstream.
+
+If a second dummy client that talks to the actual I2C address was
+created in probe(), there should be a proper cleanup on driver and
+device removal to avoid leakage.
+
+So unregister the dummy client via another callback.
+
+Reviewed-by: Hans de Goede
+Suggested-by: Hans de Goede
+Fixes: c1e62062ff54 ("iio: light: cm32181: Handle CM3218 ACPI devices with 2 I2C resources")
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2152281
+Signed-off-by: Kai-Heng Feng
+Link: https://lore.kernel.org/r/20230223020059.2013993-1-kai.heng.feng@canonical.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/light/cm32181.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/iio/light/cm32181.c
++++ b/drivers/iio/light/cm32181.c
+@@ -429,6 +429,14 @@ static const struct iio_info cm32181_inf
+ .attrs = &cm32181_attribute_group,
+ };
+
++static void cm32181_unregister_dummy_client(void *data)
++{
++ struct i2c_client *client = data;
++
++ /* Unregister the dummy client */
++ i2c_unregister_device(client);
++}
++
+ static int cm32181_probe(struct i2c_client *client)
+ {
+ struct device *dev = &client->dev;
+@@ -460,6 +468,10 @@ static int cm32181_probe(struct i2c_clie
+ client = i2c_acpi_new_device(dev, 1, &board_info);
+ if (IS_ERR(client))
+ return PTR_ERR(client);
++
++ ret = devm_add_action_or_reset(dev, cm32181_unregister_dummy_client, client);
++ if (ret)
++ return ret;
+ }
+
+ cm32181 = iio_priv(indio_dev);
diff --git a/queue-6.1/ksmbd-do-not-call-kvmalloc-with-__gfp_noretry-__gfp_no_warn.patch b/queue-6.1/ksmbd-do-not-call-kvmalloc-with-__gfp_noretry-__gfp_no_warn.patch
new file mode 100644
index 00000000000..ebd4343eb3e
--- /dev/null
+++ b/queue-6.1/ksmbd-do-not-call-kvmalloc-with-__gfp_noretry-__gfp_no_warn.patch
@@ -0,0 +1,39 @@
+From e416ea62a9166e6075a07a970cc5bf79255d2700 Mon Sep 17 00:00:00 2001
+From: Marios Makassikis
+Date: Thu, 16 Mar 2023 14:40:43 +0100
+Subject: ksmbd: do not call kvmalloc() with __GFP_NORETRY | __GFP_NO_WARN
+
+From: Marios Makassikis
+
+commit e416ea62a9166e6075a07a970cc5bf79255d2700 upstream.
+
+Commit 83dcedd5540d ("ksmbd: fix infinite loop in ksmbd_conn_handler_loop()"),
+changes GFP modifiers passed to kvmalloc(). This cause xfstests generic/551
+test to fail. We limit pdu length size according to connection status and
+maximum number of connections. In the rest, memory allocation of request
+is limited by credit management. so these flags are no longer needed.
+
+Fixes: 83dcedd5540d ("ksmbd: fix infinite loop in ksmbd_conn_handler_loop()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marios Makassikis
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ksmbd/connection.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/fs/ksmbd/connection.c
++++ b/fs/ksmbd/connection.c
+@@ -326,10 +326,7 @@ int ksmbd_conn_handler_loop(void *p)
+
+ /* 4 for rfc1002 length field */
+ size = pdu_size + 4;
+- conn->request_buf = kvmalloc(size,
+- GFP_KERNEL |
+- __GFP_NOWARN |
+- __GFP_NORETRY);
++ conn->request_buf = kvmalloc(size, GFP_KERNEL);
+ if (!conn->request_buf)
+ break;
+
diff --git a/queue-6.1/ksmbd-fix-slab-out-of-bounds-in-init_smb2_rsp_hdr.patch b/queue-6.1/ksmbd-fix-slab-out-of-bounds-in-init_smb2_rsp_hdr.patch
new file mode 100644
index 00000000000..9b4300c332c
--- /dev/null
+++ b/queue-6.1/ksmbd-fix-slab-out-of-bounds-in-init_smb2_rsp_hdr.patch
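Review bot: Nothing in this hunk bounds `size`, which is `pdu_size + 4` and is now passed to `kvmalloc(size, GFP_KERNEL)` without `__GFP_NOWARN` or `__GFP_NORETRY`; the only guard against a peer announcing a very large PDU is the length limit the commit message mentions, and that check is not visible here. A comment at the call naming where `pdu_size` is capped, e.g. `/* pdu_size was bounded by the max-size check above, so a plain GFP_KERNEL allocation is safe */`, would make that dependency explicit for future edits. It is worth confirming that the cap applies to connections that have not yet negotiated or authenticated, because a failed allocation on this path now emits an allocation warning each time. `ksmbd_conn_handler_loop()` continues outside the hunk.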
@@ -0,0 +1,279 @@ +From dc8289f912387c3bcfbc5d2db29c8947fa207c11 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sat, 1 Apr 2023 13:21:04 +0900 +Subject: ksmbd: fix slab-out-of-bounds in init_smb2_rsp_hdr + +From: Namjae Jeon + +commit dc8289f912387c3bcfbc5d2db29c8947fa207c11 upstream. + +When smb1 mount fails, KASAN detect slab-out-of-bounds in +init_smb2_rsp_hdr like the following one. +For smb1 negotiate(56bytes) , init_smb2_rsp_hdr() for smb2 is called. +The issue occurs while handling smb1 negotiate as smb2 server operations. +Add smb server operations for smb1 (get_cmd_val, init_rsp_hdr, +allocate_rsp_buf, check_user_session) to handle smb1 negotiate so that +smb2 server operation does not handle it. + +[ 411.400423] CIFS: VFS: Use of the less secure dialect vers=1.0 is +not recommended unless required for access to very old servers +[ 411.400452] CIFS: Attempting to mount \\192.168.45.139\homes +[ 411.479312] ksmbd: init_smb2_rsp_hdr : 492 +[ 411.479323] ================================================================== +[ 411.479327] BUG: KASAN: slab-out-of-bounds in +init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] +[ 411.479369] Read of size 16 at addr ffff888488ed0734 by task kworker/14:1/199 + +[ 411.479379] CPU: 14 PID: 199 Comm: kworker/14:1 Tainted: G + OE 6.1.21 #3 +[ 411.479386] Hardware name: ASUSTeK COMPUTER INC. Z10PA-D8 +Series/Z10PA-D8 Series, BIOS 3801 08/23/2019 +[ 411.479390] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] +[ 411.479425] Call Trace: +[ 411.479428] +[ 411.479432] dump_stack_lvl+0x49/0x63 +[ 411.479444] print_report+0x171/0x4a8 +[ 411.479452] ? kasan_complete_mode_report_info+0x3c/0x200 +[ 411.479463] ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] +[ 411.479497] kasan_report+0xb4/0x130 +[ 411.479503] ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] +[ 411.479537] kasan_check_range+0x149/0x1e0 +[ 411.479543] memcpy+0x24/0x70 +[ 411.479550] init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] +[ 411.479585] handle_ksmbd_work+0x109/0x760 [ksmbd] +[ 411.479616] ? 
_raw_spin_unlock_irqrestore+0x50/0x50
+[ 411.479624] ? smb3_encrypt_resp+0x340/0x340 [ksmbd]
+[ 411.479656] process_one_work+0x49c/0x790
+[ 411.479667] worker_thread+0x2b1/0x6e0
+[ 411.479674] ? process_one_work+0x790/0x790
+[ 411.479680] kthread+0x177/0x1b0
+[ 411.479686] ? kthread_complete_and_exit+0x30/0x30
+[ 411.479692] ret_from_fork+0x22/0x30
+[ 411.479702]
+
+Fixes: 39b291b86b59 ("ksmbd: return unsupported error on smb1 mount")
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ksmbd/server.c | 5 -
+ fs/ksmbd/smb2pdu.c | 3 -
+ fs/ksmbd/smb_common.c | 138 +++++++++++++++++++++++++++++++++++++++-----------
+ fs/ksmbd/smb_common.h | 2
+ 4 files changed, 111 insertions(+), 37 deletions(-)
+
+--- a/fs/ksmbd/server.c
++++ b/fs/ksmbd/server.c
+@@ -289,10 +289,7 @@ static int queue_ksmbd_work(struct ksmbd
+ work->request_buf = conn->request_buf;
+ conn->request_buf = NULL;
+
+- if (ksmbd_init_smb_server(work)) {
+- ksmbd_free_work_struct(work);
+- return -EINVAL;
+- }
++ ksmbd_init_smb_server(work);
+
+ ksmbd_conn_enqueue_request(work);
+ atomic_inc(&conn->r_count);
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -235,9 +235,6 @@ int init_smb2_neg_rsp(struct ksmbd_work
+ struct smb2_negotiate_rsp *rsp;
+ struct ksmbd_conn *conn = work->conn;
+
+- if (conn->need_neg == false)
+- return -EINVAL;
+-
+ *(__be32 *)work->response_buf =
+ cpu_to_be32(conn->vals->header_size);
+
+--- a/fs/ksmbd/smb_common.c
++++ b/fs/ksmbd/smb_common.c
+@@ -283,20 +283,121 @@ err_out:
+ return BAD_PROT_ID;
+ }
+
+-int ksmbd_init_smb_server(struct ksmbd_work *work)
++#define SMB_COM_NEGOTIATE_EX 0x0
++
++/**
++ * get_smb1_cmd_val() - get smb command value from smb header
++ * @work: smb work containing smb header
++ *
++ * Return: smb command value
++ */
++static u16 get_smb1_cmd_val(struct ksmbd_work *work)
+ {
+- struct ksmbd_conn *conn = work->conn;
++ return SMB_COM_NEGOTIATE_EX;
++}
+
+- if (conn->need_neg == false)
++/**
++ * init_smb1_rsp_hdr() - initialize smb negotiate response header
++ * @work: smb work containing smb request
++ *
++ * Return: 0 on success, otherwise -EINVAL
++ */
++static int init_smb1_rsp_hdr(struct ksmbd_work *work)
++{
++ struct smb_hdr *rsp_hdr = (struct smb_hdr *)work->response_buf;
++ struct smb_hdr *rcv_hdr = (struct smb_hdr *)work->request_buf;
++
++ /*
++ * Remove 4 byte direct TCP header.
++ */
++ *(__be32 *)work->response_buf =
++ cpu_to_be32(sizeof(struct smb_hdr) - 4);
++
++ rsp_hdr->Command = SMB_COM_NEGOTIATE;
++ *(__le32 *)rsp_hdr->Protocol = SMB1_PROTO_NUMBER;
++ rsp_hdr->Flags = SMBFLG_RESPONSE;
++ rsp_hdr->Flags2 = SMBFLG2_UNICODE | SMBFLG2_ERR_STATUS |
++ SMBFLG2_EXT_SEC | SMBFLG2_IS_LONG_NAME;
++ rsp_hdr->Pid = rcv_hdr->Pid;
++ rsp_hdr->Mid = rcv_hdr->Mid;
++ return 0;
++}
++
++/**
++ * smb1_check_user_session() - check for valid session for a user
++ * @work: smb work containing smb request buffer
++ *
++ * Return: 0 on success, otherwise error
++ */
++static int smb1_check_user_session(struct ksmbd_work *work)
++{
++ unsigned int cmd = work->conn->ops->get_cmd_val(work);
++
++ if (cmd == SMB_COM_NEGOTIATE_EX)
+ return 0;
+
+- init_smb3_11_server(conn);
++ return -EINVAL;
++}
++
++/**
++ * smb1_allocate_rsp_buf() - allocate response buffer for a command
++ * @work: smb work containing smb request
++ *
++ * Return: 0 on success, otherwise -ENOMEM
++ */
++static int smb1_allocate_rsp_buf(struct ksmbd_work *work)
++{
++ work->response_buf = kmalloc(MAX_CIFS_SMALL_BUFFER_SIZE,
++ GFP_KERNEL | __GFP_ZERO);
++ work->response_sz = MAX_CIFS_SMALL_BUFFER_SIZE;
++
++ if (!work->response_buf) {
++ pr_err("Failed to allocate %u bytes buffer\n",
++ MAX_CIFS_SMALL_BUFFER_SIZE);
++ return -ENOMEM;
++ }
+
+- if (conn->ops->get_cmd_val(work) != SMB_COM_NEGOTIATE)
+- conn->need_neg = false;
+ return 0;
+ }
+
++static struct smb_version_ops smb1_server_ops = {
++ .get_cmd_val = get_smb1_cmd_val,
++ .init_rsp_hdr = init_smb1_rsp_hdr,
++ .allocate_rsp_buf = smb1_allocate_rsp_buf,
++ .check_user_session = smb1_check_user_session,
++};
++
++static int smb1_negotiate(struct ksmbd_work *work)
++{
++ return ksmbd_smb_negotiate_common(work, SMB_COM_NEGOTIATE);
++}
++
++static struct smb_version_cmds smb1_server_cmds[1] = {
++ [SMB_COM_NEGOTIATE_EX] = { .proc = smb1_negotiate, },
++};
++
++static void init_smb1_server(struct ksmbd_conn *conn)
++{
++ conn->ops = &smb1_server_ops;
++ conn->cmds = smb1_server_cmds;
++ conn->max_cmds = ARRAY_SIZE(smb1_server_cmds);
++}
++
++void ksmbd_init_smb_server(struct ksmbd_work *work)
++{
++ struct ksmbd_conn *conn = work->conn;
++ __le32 proto;
++
++ if (conn->need_neg == false)
++ return;
++
++ proto = *(__le32 *)((struct smb_hdr *)work->request_buf)->Protocol;
++ if (proto == SMB1_PROTO_NUMBER)
++ init_smb1_server(conn);
++ else
++ init_smb3_11_server(conn);
++}
++
+ int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work, int info_level,
+ struct ksmbd_file *dir,
+ struct ksmbd_dir_info *d_info,
+@@ -444,20 +545,10 @@ static int smb_handle_negotiate(struct k
+
+ ksmbd_debug(SMB, "Unsupported SMB1 protocol\n");
+
+- /*
+- * Remove 4 byte direct TCP header, add 2 byte bcc and
+- * 2 byte DialectIndex.
+- */
+- *(__be32 *)work->response_buf =
+- cpu_to_be32(sizeof(struct smb_hdr) - 4 + 2 + 2);
++ /* Add 2 byte bcc and 2 byte DialectIndex.
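Review bot: `ksmbd_init_smb_server()` and `init_smb1_rsp_hdr()` in the smb_common.c hunk cast the client-supplied `work->request_buf` to `struct smb_hdr *` and read `Protocol`, `Pid` and `Mid`, yet nothing in the hunk checks that the received PDU is at least `sizeof(struct smb_hdr)` bytes. If that minimum-size check is done by the receive path it is outside what is shown, so the precondition should be written down at the cast, e.g. `/* caller has verified the PDU holds a full struct smb_hdr */`. Because the function now returns `void`, it also cannot refuse a request whose `Protocol` is `SMB1_PROTO_NUMBER` once `conn->need_neg` is false, and the server.c hunk drops the `-EINVAL` path in `queue_ksmbd_work()` that could have carried such a refusal; keeping the `int` return for that case seems safer. Separately, the kernel-doc for `get_smb1_cmd_val()` says the value is read from the header while the body returns the constant `SMB_COM_NEGOTIATE_EX`, so the comment should say that every SMB1 request is treated as a negotiate.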
*/
++ inc_rfc1001_len(work->response_buf, 4);
+ neg_rsp->hdr.Status.CifsError = STATUS_SUCCESS;
+
+- neg_rsp->hdr.Command = SMB_COM_NEGOTIATE;
+- *(__le32 *)neg_rsp->hdr.Protocol = SMB1_PROTO_NUMBER;
+- neg_rsp->hdr.Flags = SMBFLG_RESPONSE;
+- neg_rsp->hdr.Flags2 = SMBFLG2_UNICODE | SMBFLG2_ERR_STATUS |
+- SMBFLG2_EXT_SEC | SMBFLG2_IS_LONG_NAME;
+-
+ neg_rsp->hdr.WordCount = 1;
+ neg_rsp->DialectIndex = cpu_to_le16(work->conn->dialect);
+ neg_rsp->ByteCount = 0;
+@@ -474,23 +565,12 @@ int ksmbd_smb_negotiate_common(struct ks
+ ksmbd_debug(SMB, "conn->dialect 0x%x\n", conn->dialect);
+
+ if (command == SMB2_NEGOTIATE_HE) {
+- struct smb2_hdr *smb2_hdr = smb2_get_msg(work->request_buf);
+-
+- if (smb2_hdr->ProtocolId != SMB2_PROTO_NUMBER) {
+- ksmbd_debug(SMB, "Downgrade to SMB1 negotiation\n");
+- command = SMB_COM_NEGOTIATE;
+- }
+- }
+-
+- if (command == SMB2_NEGOTIATE_HE) {
+ ret = smb2_handle_negotiate(work);
+- init_smb2_neg_rsp(work);
+ return ret;
+ }
+
+ if (command == SMB_COM_NEGOTIATE) {
+ if (__smb2_negotiate(conn)) {
+- conn->need_neg = true;
+ init_smb3_11_server(conn);
+ init_smb2_neg_rsp(work);
+ ksmbd_debug(SMB, "Upgrade to SMB2 negotiation\n");
+--- a/fs/ksmbd/smb_common.h
++++ b/fs/ksmbd/smb_common.h
+@@ -427,7 +427,7 @@ bool ksmbd_smb_request(struct ksmbd_conn
+
+ int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count);
+
+-int ksmbd_init_smb_server(struct ksmbd_work *work);
++void ksmbd_init_smb_server(struct ksmbd_work *work);
+
+ struct ksmbd_kstat;
+ int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work,
diff --git a/queue-6.1/nilfs2-fix-potential-uaf-of-struct-nilfs_sc_info-in-nilfs_segctor_thread.patch b/queue-6.1/nilfs2-fix-potential-uaf-of-struct-nilfs_sc_info-in-nilfs_segctor_thread.patch
new file mode 100644
index 00000000000..f168066ed1f
--- /dev/null
+++ b/queue-6.1/nilfs2-fix-potential-uaf-of-struct-nilfs_sc_info-in-nilfs_segctor_thread.patch
@@ -0,0 +1,55 @@
+From 6be49d100c22ffea3287a4b19d7639d259888e33 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Tue, 28 Mar 2023 02:53:18 +0900
+Subject: nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread()
+
+From: Ryusuke Konishi
+
+commit 6be49d100c22ffea3287a4b19d7639d259888e33 upstream.
+
+The finalization of nilfs_segctor_thread() can race with
+nilfs_segctor_kill_thread() which terminates that thread, potentially
+causing a use-after-free BUG as KASAN detected.
+
+At the end of nilfs_segctor_thread(), it assigns NULL to "sc_task" member
+of "struct nilfs_sc_info" to indicate the thread has finished, and then
+notifies nilfs_segctor_kill_thread() of this using waitqueue
+"sc_wait_task" on the struct nilfs_sc_info.
+
+However, here, immediately after the NULL assignment to "sc_task", it is
+possible that nilfs_segctor_kill_thread() will detect it and return to
+continue the deallocation, freeing the nilfs_sc_info structure before the
+thread does the notification.
+
+This fixes the issue by protecting the NULL assignment to "sc_task" and
+its notification, with spinlock "sc_state_lock" of the struct
+nilfs_sc_info. Since nilfs_segctor_kill_thread() does a final check to
+see if "sc_task" is NULL with "sc_state_lock" locked, this can eliminate
+the race.
+
+Link: https://lkml.kernel.org/r/20230327175318.8060-1-konishi.ryusuke@gmail.com
+Reported-by: syzbot+b08ebcc22f8f3e6be43a@syzkaller.appspotmail.com
+Link: https://lkml.kernel.org/r/00000000000000660d05f7dfa877@google.com
+Signed-off-by: Ryusuke Konishi
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/segment.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/nilfs2/segment.c
++++ b/fs/nilfs2/segment.c
+@@ -2607,11 +2607,10 @@ static int nilfs_segctor_thread(void *ar
+ goto loop;
+
+ end_thread:
+- spin_unlock(&sci->sc_state_lock);
+-
+ /* end sync. */
+ sci->sc_task = NULL;
+ wake_up(&sci->sc_wait_task); /* for nilfs_segctor_kill_thread() */
++ spin_unlock(&sci->sc_state_lock);
+ return 0;
+ }
+
diff --git a/queue-6.1/nilfs2-fix-sysfs-interface-lifetime.patch b/queue-6.1/nilfs2-fix-sysfs-interface-lifetime.patch
new file mode 100644
index 00000000000..1a07ef2cdde
--- /dev/null
+++ b/queue-6.1/nilfs2-fix-sysfs-interface-lifetime.patch
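Review bot: The ordering at `end_thread:` in fs/nilfs2/segment.c is now the whole fix, but the code carries no comment saying that `spin_unlock(&sci->sc_state_lock)` must stay after `wake_up()`. Per the commit message, `nilfs_segctor_kill_thread()` may free the `nilfs_sc_info` as soon as it sees `sc_task == NULL` under that lock, so a later cleanup that moves the unlock back up would reintroduce the use-after-free. I would add above the assignment: `/* hold sc_state_lock across the NULL store and wake_up(); the waiter may free sci once it observes sc_task == NULL */`. The body of `nilfs_segctor_thread()` starts outside the hunk.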
@@ -0,0 +1,118 @@
+From 42560f9c92cc43dce75dbf06cc0d840dced39b12 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Fri, 31 Mar 2023 05:55:15 +0900
+Subject: nilfs2: fix sysfs interface lifetime
+
+From: Ryusuke Konishi
+
+commit 42560f9c92cc43dce75dbf06cc0d840dced39b12 upstream.
+
+The current nilfs2 sysfs support has issues with the timing of creation
+and deletion of sysfs entries, potentially leading to null pointer
+dereferences, use-after-free, and lockdep warnings.
+
+Some of the sysfs attributes for nilfs2 per-filesystem instance refer to
+metadata file "cpfile", "sufile", or "dat", but
+nilfs_sysfs_create_device_group that creates those attributes is executed
+before the inodes for these metadata files are loaded, and
+nilfs_sysfs_delete_device_group which deletes these sysfs entries is
+called after releasing their metadata file inodes.
+
+Therefore, access to some of these sysfs attributes may occur outside of
+the lifetime of these metadata files, resulting in inode NULL pointer
+dereferences or use-after-free.
+
+In addition, the call to nilfs_sysfs_create_device_group() is made during
+the locking period of the semaphore "ns_sem" of nilfs object, so the
+shrinker call caused by the memory allocation for the sysfs entries, may
+derive lock dependencies "ns_sem" -> (shrinker) -> "locks acquired in
+nilfs_evict_inode()".
+
+Since nilfs2 may acquire "ns_sem" deep in the call stack holding other
+locks via its error handler __nilfs_error(), this causes lockdep to report
+circular locking. This is a false positive and no circular locking
+actually occurs as no inodes exist yet when
+nilfs_sysfs_create_device_group() is called. Fortunately, the lockdep
+warnings can be resolved by simply moving the call to
+nilfs_sysfs_create_device_group() out of "ns_sem".
+
+This fixes these sysfs issues by revising where the device's sysfs
+interface is created/deleted and keeping its lifetime within the lifetime
+of the metadata files above.
+
+Link: https://lkml.kernel.org/r/20230330205515.6167-1-konishi.ryusuke@gmail.com
+Fixes: dd70edbde262 ("nilfs2: integrate sysfs support into driver")
+Signed-off-by: Ryusuke Konishi
+Reported-by: syzbot+979fa7f9c0d086fdc282@syzkaller.appspotmail.com
+ Link: https://lkml.kernel.org/r/0000000000003414b505f7885f7e@google.com
+Reported-by: syzbot+5b7d542076d9bddc3c6a@syzkaller.appspotmail.com
+ Link: https://lkml.kernel.org/r/0000000000006ac86605f5f44eb9@google.com
+Cc: Viacheslav Dubeyko
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/super.c | 2 ++
+ fs/nilfs2/the_nilfs.c | 12 +++++++-----
+ 2 files changed, 9 insertions(+), 5 deletions(-)
+
+--- a/fs/nilfs2/super.c
++++ b/fs/nilfs2/super.c
+@@ -482,6 +482,7 @@ static void nilfs_put_super(struct super
+ up_write(&nilfs->ns_sem);
+ }
+
++ nilfs_sysfs_delete_device_group(nilfs);
+ iput(nilfs->ns_sufile);
+ iput(nilfs->ns_cpfile);
+ iput(nilfs->ns_dat);
+@@ -1105,6 +1106,7 @@ nilfs_fill_super(struct super_block *sb,
+ nilfs_put_root(fsroot);
+
+ failed_unload:
++ nilfs_sysfs_delete_device_group(nilfs);
+ iput(nilfs->ns_sufile);
+ iput(nilfs->ns_cpfile);
+ iput(nilfs->ns_dat);
+--- a/fs/nilfs2/the_nilfs.c
++++ b/fs/nilfs2/the_nilfs.c
+@@ -87,7 +87,6 @@ void destroy_nilfs(struct the_nilfs *nil
+ {
+ might_sleep();
+ if (nilfs_init(nilfs)) {
+- nilfs_sysfs_delete_device_group(nilfs);
+ brelse(nilfs->ns_sbh[0]);
+ brelse(nilfs->ns_sbh[1]);
+ }
+@@ -305,6 +304,10 @@ int load_nilfs(struct the_nilfs *nilfs,
+ goto failed;
+ }
+
++ err = nilfs_sysfs_create_device_group(sb);
++ if (unlikely(err))
++ goto sysfs_error;
++
+ if (valid_fs)
+ goto skip_recovery;
+
+@@ -366,6 +369,9 @@ int load_nilfs(struct the_nilfs *nilfs,
+ goto failed;
+
+ failed_unload:
++ nilfs_sysfs_delete_device_group(nilfs);
++
++ sysfs_error:
+ iput(nilfs->ns_cpfile);
+ iput(nilfs->ns_sufile);
+ iput(nilfs->ns_dat);
+@@ -697,10 +703,6 @@ int init_nilfs(struct the_nilfs *nilfs,
+ if (err)
+ goto failed_sbh;
+
+- err = nilfs_sysfs_create_device_group(sb);
+- if (err)
+- goto failed_sbh;
+-
+ set_nilfs_init(nilfs);
+ err = 0;
+ out:
diff --git a/queue-6.1/serial-8250-prevent-starting-up-dma-rx-on-thri-interrupt.patch b/queue-6.1/serial-8250-prevent-starting-up-dma-rx-on-thri-interrupt.patch
new file mode 100644
index 00000000000..78c71297556
--- /dev/null
+++ b/queue-6.1/serial-8250-prevent-starting-up-dma-rx-on-thri-interrupt.patch
@@ -0,0 +1,78 @@
+From 90b8596ac46043e4a782d9111f5b285251b13756 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?=
+Date: Fri, 17 Mar 2023 12:30:34 +0200
+Subject: serial: 8250: Prevent starting up DMA Rx on THRI interrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen
+
+commit 90b8596ac46043e4a782d9111f5b285251b13756 upstream.
+
+Hans de Goede reported Bluetooth adapters (HCIs) connected over an UART
+connection failed due corrupted Rx payload. The problem was narrowed
+down to DMA Rx starting on UART_IIR_THRI interrupt. The problem occurs
+despite LSR having DR bit set, which is precondition for attempting to
+start DMA Rx in the first place.
+
+From a debug patch:
+[x.807834] 8250irq: iir=cc lsr+saved=60 received=0/15 ier=0f dma_t/rx/err=0/0/0
+[x.808676] 8250irq: iir=c2 lsr+saved=61 received=0/0 ier=0f dma_t/rx/err=0/0/0
+[x.808776] 8250irq: iir=cc lsr+saved=60 received=1/12 ier=0d dma_t/rx/err=0/1/0
+[x.808870] Bluetooth: hci0: Frame reassembly failed (-84)
+
+In the debug snippet, received field indicates 1 byte was transferred
+over DMA and 12 bytes after that with the non-DMA Rx. The sole byte DMA
+handled was corrupted (gets zeroed) which leads to the HCI failure.
+
+This problem became apparent after commit e8ffbb71f783 ("serial: 8250:
+use THRE & __stop_tx also with DMA") changed Tx stop behavior. Tx stop
+is now triggered from a THRI interrupt.
+
+Despite that this problem looks like a HW bug, this fix is not adding
+UART_BUG_xx flag to the driver beucase it seems useful in general to
+avoid starting DMA when there are only a few bytes to transfer.
+Skipping DMA for small transfers avoids the extra overhead DMA incurs.
+
+Thus, don't setup DMA Rx on UART_IIR_THRI but leave it to a subsequent
+interrupt which has Rx a related IIR value.
+
+By returning false from handle_rx_dma(), the DMA vs non-DMA decision is
+postponed until either UART_IIR_RDI (FIFO threshold worth of bytes
+awaiting) or UART_IIR_TIMEOUT (inter-character timeout) triggers at a
+later time which allows better to discern whether the number of bytes
+warrants starting DMA or not.
+
+Reported-by: Hans de Goede
+Tested-by: Hans de Goede
+Fixes: e8ffbb71f783 ("serial: 8250: use THRE & __stop_tx also with DMA")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilpo Järvinen
+Acked-by: Hans de Goede
+Link: https://lore.kernel.org/r/20230317103034.12881-1-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/8250/8250_port.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -1897,6 +1897,17 @@ EXPORT_SYMBOL_GPL(serial8250_modem_statu
+ static bool handle_rx_dma(struct uart_8250_port *up, unsigned int iir)
+ {
+ switch (iir & 0x3f) {
++ case UART_IIR_THRI:
++ /*
++ * Postpone DMA or not decision to IIR_RDI or IIR_RX_TIMEOUT
++ * because it's impossible to do an informed decision about
++ * that with IIR_THRI.
++ *
++ * This also fixes one known DMA Rx corruption issue where
++ * DR is asserted but DMA Rx only gets a corrupted zero byte
++ * (too early DR?).
++ */
++ return false;
+ case UART_IIR_RDI:
+ if (!up->dma->rx_running)
+ break;
diff --git a/queue-6.1/series b/queue-6.1/series
index 9b02fb73434..c22b29b0ab2 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -62,3 +62,28 @@ pci-doe-fix-memory-leak-with-config_debug_objects-y.patch usb-xhci-tegra-fix-sleep-in-atomic-call.patch xhci-free-the-command-allocated-for-setting-lpm-if-we-return-early.patch xhci-also-avoid-the-xhci_zero_64b_regs-quirk-with-a-passthrough-iommu.patch +usb-cdnsp-fixes-error-uninitialized-symbol-len.patch +usb-dwc3-pci-add-support-for-the-intel-meteor-lake-s.patch +usb-serial-cp210x-add-silicon-labs-ifs-usb-datacable-ids.patch +usb-typec-altmodes-displayport-fix-configure-initial-pin-assignment.patch +usb-serial-option-add-telit-fe990-compositions.patch +usb-serial-option-add-quectel-rm500u-cn-modem.patch +drivers-iio-adc-ltc2497-fix-lsb-shift.patch +iio-adis16480-select-config_crc32.patch +iio-adc-qcom-spmi-adc5-fix-the-channel-name.patch +iio-adc-ti-ads7950-set-can_sleep-flag-for-gpio-chip.patch +iio-dac-cio-dac-fix-max-dac-write-value-check-for-12-bit.patch +iio-buffer-correctly-return-bytes-written-in-output-buffers.patch +iio-buffer-make-sure-o_nonblock-is-respected.patch +iio-light-cm32181-unregister-second-i2c-client-if-present.patch +tty-serial-sh-sci-fix-transmit-end-interrupt-handler.patch +tty-serial-sh-sci-fix-rx-on-rz-g2l-sci.patch +tty-serial-fsl_lpuart-avoid-checking-for-transfer-complete-when-uartctrl_sbk-is-asserted-in-lpuart32_tx_empty.patch +nilfs2-fix-potential-uaf-of-struct-nilfs_sc_info-in-nilfs_segctor_thread.patch +nilfs2-fix-sysfs-interface-lifetime.patch +dt-bindings-serial-renesas-scif-fix-4th-irq-for-4-irq-scifs.patch +serial-8250-prevent-starting-up-dma-rx-on-thri-interrupt.patch +ksmbd-do-not-call-kvmalloc-with-__gfp_noretry-__gfp_no_warn.patch +ksmbd-fix-slab-out-of-bounds-in-init_smb2_rsp_hdr.patch +alsa-hda-realtek-add-quirk-for-clevo-x370snw.patch +alsa-hda-realtek-fix-mute-micmute-leds-for-a-hp-probook.patch 
diff --git a/queue-6.1/tty-serial-fsl_lpuart-avoid-checking-for-transfer-complete-when-uartctrl_sbk-is-asserted-in-lpuart32_tx_empty.patch b/queue-6.1/tty-serial-fsl_lpuart-avoid-checking-for-transfer-complete-when-uartctrl_sbk-is-asserted-in-lpuart32_tx_empty.patch
new file mode 100644
index 00000000000..bae9e6fbf7a
--- /dev/null
+++ b/queue-6.1/tty-serial-fsl_lpuart-avoid-checking-for-transfer-complete-when-uartctrl_sbk-is-asserted-in-lpuart32_tx_empty.patch
@@ -0,0 +1,48 @@
+From 9425914f3de6febbd6250395f56c8279676d9c3c Mon Sep 17 00:00:00 2001
+From: Sherry Sun
+Date: Thu, 23 Mar 2023 13:44:15 +0800
+Subject: tty: serial: fsl_lpuart: avoid checking for transfer complete when UARTCTRL_SBK is asserted in lpuart32_tx_empty
+
+From: Sherry Sun
+
+commit 9425914f3de6febbd6250395f56c8279676d9c3c upstream.
+
+According to LPUART RM, Transmission Complete Flag becomes 0 if queuing
+a break character by writing 1 to CTRL[SBK], so here need to avoid
+checking for transmission complete when UARTCTRL_SBK is asserted,
+otherwise the lpuart32_tx_empty may never get TIOCSER_TEMT.
+
+Commit 2411fd94ceaa("tty: serial: fsl_lpuart: skip waiting for
+transmission complete when UARTCTRL_SBK is asserted") only fix it in
+lpuart32_set_termios(), here also fix it in lpuart32_tx_empty().
+
+Fixes: 380c966c093e ("tty: serial: fsl_lpuart: add 32-bit register interface support")
+Cc: stable
+Signed-off-by: Sherry Sun
+Link: https://lore.kernel.org/r/20230323054415.20363-1-sherry.sun@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/fsl_lpuart.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -838,11 +838,17 @@ static unsigned int lpuart32_tx_empty(st
+ struct lpuart_port, port);
+ unsigned long stat = lpuart32_read(port, UARTSTAT);
+ unsigned long sfifo = lpuart32_read(port, UARTFIFO);
++ unsigned long ctrl = lpuart32_read(port, UARTCTRL);
+
+ if (sport->dma_tx_in_progress)
+ return 0;
+
+- if (stat & UARTSTAT_TC && sfifo & UARTFIFO_TXEMPT)
++ /*
++ * LPUART Transmission Complete Flag may never be set while queuing a break
++ * character, so avoid checking for transmission complete when UARTCTRL_SBK
++ * is asserted.
++ */
++ if ((stat & UARTSTAT_TC && sfifo & UARTFIFO_TXEMPT) || ctrl & UARTCTRL_SBK)
+ return TIOCSER_TEMT;
+
+ return 0;
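Review bot: The new condition in `lpuart32_tx_empty()` returns `TIOCSER_TEMT` whenever `UARTCTRL_SBK` is set, which skips the `UARTFIFO_TXEMPT` test as well as the `UARTSTAT_TC` test. The commit message only argues that the TC flag is unreliable while a break is queued, so if data can still sit in the TX FIFO at that point (not determinable from the hunk) callers waiting for the transmitter to drain would be told it is empty too early. If only TC is meant to be bypassed, the test would read `if ((stat & UARTSTAT_TC || ctrl & UARTCTRL_SBK) && sfifo & UARTFIFO_TXEMPT)`. Either way, parenthesising each bit test would make the mixed `&`/`&&`/`||` expression easier to read. The function starts outside the hunk.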
diff --git a/queue-6.1/tty-serial-sh-sci-fix-rx-on-rz-g2l-sci.patch b/queue-6.1/tty-serial-sh-sci-fix-rx-on-rz-g2l-sci.patch
new file mode 100644
index 00000000000..f51760d762b
--- /dev/null
+++ b/queue-6.1/tty-serial-sh-sci-fix-rx-on-rz-g2l-sci.patch
@@ -0,0 +1,33 @@
+From f92ed0cd9328aed918ebb0ebb64d259eccbcc6e7 Mon Sep 17 00:00:00 2001
+From: Biju Das
+Date: Tue, 21 Mar 2023 11:47:50 +0000
+Subject: tty: serial: sh-sci: Fix Rx on RZ/G2L SCI
+
+From: Biju Das
+
+commit f92ed0cd9328aed918ebb0ebb64d259eccbcc6e7 upstream.
+
+SCI IP on RZ/G2L alike SoCs do not need regshift compared to other SCI
+IPs on the SH platform. Currently, it does regshift and configuring Rx
+wrongly. Drop adding regshift for RZ/G2L alike SoCs.
+
+Fixes: dfc80387aefb ("serial: sh-sci: Compute the regshift value for SCI ports")
+Cc: stable@vger.kernel.org
+Signed-off-by: Biju Das
+Link: https://lore.kernel.org/r/20230321114753.75038-3-biju.das.jz@bp.renesas.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/sh-sci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -2940,7 +2940,7 @@ static int sci_init_single(struct platfo
+ port->flags = UPF_FIXED_PORT | UPF_BOOT_AUTOCONF | p->flags;
+ port->fifosize = sci_port->params->fifosize;
+
+- if (port->type == PORT_SCI) {
++ if (port->type == PORT_SCI && !dev->dev.of_node) {
+ if (sci_port->reg_size >= 0x20)
+ port->regshift = 2;
+ else
diff --git a/queue-6.1/tty-serial-sh-sci-fix-transmit-end-interrupt-handler.patch b/queue-6.1/tty-serial-sh-sci-fix-transmit-end-interrupt-handler.patch
new file mode 100644
index 00000000000..ba64b0fd2b6
--- /dev/null
+++ b/queue-6.1/tty-serial-sh-sci-fix-transmit-end-interrupt-handler.patch
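Review bot: In `sci_init_single()` the added `!dev->dev.of_node` test makes every device-tree-probed `PORT_SCI` skip the regshift computation, which is broader than the "RZ/G2L alike SoCs" the commit message names. Whether other DT-described SCI ports rely on the shift cannot be told from the hunk, so the assumption deserves a comment at the condition, for example `/* DT-probed SCI (RZ/G2L and alike) uses unshifted registers; only legacy platform data needs regshift */`. The function body starts and ends outside the hunk.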
@@ -0,0 +1,47 @@
+From b43a18647f03c87e77d50d6fe74904b61b96323e Mon Sep 17 00:00:00 2001
+From: Biju Das
+Date: Fri, 17 Mar 2023 15:04:03 +0000
+Subject: tty: serial: sh-sci: Fix transmit end interrupt handler
+
+From: Biju Das
+
+commit b43a18647f03c87e77d50d6fe74904b61b96323e upstream.
+
+The fourth interrupt on SCI port is transmit end interrupt compared to
+the break interrupt on other port types. So, shuffle the interrupts to fix
+the transmit end interrupt handler.
+
+Fixes: e1d0be616186 ("sh-sci: Add h8300 SCI")
+Cc: stable
+Suggested-by: Geert Uytterhoeven
+Signed-off-by: Biju Das
+Link: https://lore.kernel.org/r/20230317150403.154094-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/sh-sci.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -31,6 +31,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -2867,6 +2868,13 @@ static int sci_init_single(struct platfo
+ sci_port->irqs[i] = platform_get_irq(dev, i);
+ }
+
++ /*
++ * The fourth interrupt on SCI port is transmit end interrupt, so
++ * shuffle the interrupts.
++ */
++ if (p->type == PORT_SCI)
++ swap(sci_port->irqs[SCIx_BRI_IRQ], sci_port->irqs[SCIx_TEI_IRQ]);
++
+ /* The SCI generates several interrupts. They can be muxed together or
+ * connected to different interrupt lines. In the muxed case only one
+ * interrupt resource is specified as there is only one interrupt ID.
diff --git a/queue-6.1/usb-cdnsp-fixes-error-uninitialized-symbol-len.patch b/queue-6.1/usb-cdnsp-fixes-error-uninitialized-symbol-len.patch
new file mode 100644
index 00000000000..530d6d49b3a
--- /dev/null
+++ b/queue-6.1/usb-cdnsp-fixes-error-uninitialized-symbol-len.patch
@@ -0,0 +1,43 @@
+From 1edf48991a783d00a3a18dc0d27c88139e4030a2 Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak
+Date: Fri, 31 Mar 2023 05:06:00 -0400
+Subject: usb: cdnsp: Fixes error: uninitialized symbol 'len'
+
+From: Pawel Laszczak
+
+commit 1edf48991a783d00a3a18dc0d27c88139e4030a2 upstream.
+
+The patch 5bc38d33a5a1: "usb: cdnsp: Fixes issue with redundant
+Status Stage" leads to the following Smatch static checker warning:
+
+ drivers/usb/cdns3/cdnsp-ep0.c:470 cdnsp_setup_analyze()
+ error: uninitialized symbol 'len'.
+
+cc:
+Fixes: 5bc38d33a5a1 ("usb: cdnsp: Fixes issue with redundant Status Stage")
+Signed-off-by: Pawel Laszczak
+Link: https://lore.kernel.org/r/20230331090600.454674-1-pawell@cadence.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/cdns3/cdnsp-ep0.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/usb/cdns3/cdnsp-ep0.c
++++ b/drivers/usb/cdns3/cdnsp-ep0.c
+@@ -414,7 +414,7 @@ static int cdnsp_ep0_std_request(struct
+ void cdnsp_setup_analyze(struct cdnsp_device *pdev)
+ {
+ struct usb_ctrlrequest *ctrl = &pdev->setup;
+- int ret = 0;
++ int ret = -EINVAL;
+ u16 len;
+
+ trace_cdnsp_ctrl_req(ctrl);
+@@ -424,7 +424,6 @@ void cdnsp_setup_analyze(struct cdnsp_de
+
+ if (pdev->gadget.state == USB_STATE_NOTATTACHED) {
+ dev_err(pdev->dev, "ERR: Setup detected in unattached state\n");
+- ret = -EINVAL;
+ goto out;
+ }
+
diff --git a/queue-6.1/usb-dwc3-pci-add-support-for-the-intel-meteor-lake-s.patch b/queue-6.1/usb-dwc3-pci-add-support-for-the-intel-meteor-lake-s.patch
new file mode 100644
index 00000000000..489d7aaec64
--- /dev/null
+++ b/queue-6.1/usb-dwc3-pci-add-support-for-the-intel-meteor-lake-s.patch
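Review bot: The Smatch warning quoted in the commit message is about `len`, but the first hunk of cdnsp-ep0.c changes only the initial value of `ret`; `u16 len;` is still declared without a value. That is safe only as long as every path reaching `out:` with `len` unset also has `ret` negative and the code at `out:` (outside both hunks) checks `ret` before it reads `len`. Initialising it as well, `u16 len = 0;`, would keep a future early `goto out` from reading an indeterminate stack value in the control-request path. `cdnsp_setup_analyze()` continues past the end of the second hunk.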
@@ -0,0 +1,40 @@
+From ec799c8a92e0be91e0940cc739a27f483242df65 Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus
+Date: Thu, 30 Mar 2023 18:02:24 +0300
+Subject: usb: dwc3: pci: add support for the Intel Meteor Lake-S
+
+From: Heikki Krogerus
+
+commit ec799c8a92e0be91e0940cc739a27f483242df65 upstream.
+
+This patch adds the necessary PCI ID for Intel Meteor Lake-S
+devices.
+
+Signed-off-by: Heikki Krogerus
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230330150224.89316-1-heikki.krogerus@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/dwc3-pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -49,6 +49,7 @@
+ #define PCI_DEVICE_ID_INTEL_RPLS 0x7a61
+ #define PCI_DEVICE_ID_INTEL_MTLM 0x7eb1
+ #define PCI_DEVICE_ID_INTEL_MTLP 0x7ec1
++#define PCI_DEVICE_ID_INTEL_MTLS 0x7f6f
+ #define PCI_DEVICE_ID_INTEL_MTL 0x7e7e
+ #define PCI_DEVICE_ID_INTEL_TGL 0x9a15
+ #define PCI_DEVICE_ID_AMD_MR 0x163a
+@@ -474,6 +475,9 @@ static const struct pci_device_id dwc3_p
+ { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_MTLP),
+ (kernel_ulong_t) &dwc3_pci_intel_swnode, },
+
++ { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_MTLS),
++ (kernel_ulong_t) &dwc3_pci_intel_swnode, },
++
+ { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_MTL),
+ (kernel_ulong_t) &dwc3_pci_intel_swnode, },
+
diff --git a/queue-6.1/usb-serial-cp210x-add-silicon-labs-ifs-usb-datacable-ids.patch b/queue-6.1/usb-serial-cp210x-add-silicon-labs-ifs-usb-datacable-ids.patch
new file mode 100644
index 00000000000..c592e670504
--- /dev/null
+++ b/queue-6.1/usb-serial-cp210x-add-silicon-labs-ifs-usb-datacable-ids.patch
@@ -0,0 +1,31 @@
+From 71f8afa2b66e356f435b6141b4a9ccf953e18356 Mon Sep 17 00:00:00 2001
+From: Kees Jan Koster
+Date: Sat, 18 Feb 2023 15:18:30 +0100
+Subject: USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs
+
+From: Kees Jan Koster
+
+commit 71f8afa2b66e356f435b6141b4a9ccf953e18356 upstream.
+
+The Silicon Labs IFS-USB-DATACABLE is used in conjunction with for example
+the Quint UPSes. It is used to enable Modbus communication with the UPS to
+query configuration, power and battery status.
+
+Signed-off-by: Kees Jan Koster
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -120,6 +120,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x10C4, 0x826B) }, /* Cygnal Integrated Products, Inc., Fasttrax GPS demonstration module */
+ { USB_DEVICE(0x10C4, 0x8281) }, /* Nanotec Plug & Drive */
+ { USB_DEVICE(0x10C4, 0x8293) }, /* Telegesis ETRX2USB */
++ { USB_DEVICE(0x10C4, 0x82AA) }, /* Silicon Labs IFS-USB-DATACABLE used with Quint UPS */
+ { USB_DEVICE(0x10C4, 0x82EF) }, /* CESINEL FALCO 6105 AC Power Supply */
+ { USB_DEVICE(0x10C4, 0x82F1) }, /* CESINEL MEDCAL EFD Earth Fault Detector */
+ { USB_DEVICE(0x10C4, 0x82F2) }, /* CESINEL MEDCAL ST Network Analyzer */
diff --git a/queue-6.1/usb-serial-option-add-quectel-rm500u-cn-modem.patch b/queue-6.1/usb-serial-option-add-quectel-rm500u-cn-modem.patch
new file mode 100644
index 00000000000..06c97666389
--- /dev/null
+++ b/queue-6.1/usb-serial-option-add-quectel-rm500u-cn-modem.patch
@@ -0,0 +1,132 @@
+From 7708a3858e69db91a8b69487994f33b96d20192a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?=
+Date: Tue, 28 Mar 2023 20:41:31 +0200
+Subject: USB: serial: option: add Quectel RM500U-CN modem
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bjørn Mork
+
+commit 7708a3858e69db91a8b69487994f33b96d20192a upstream.
+
+This modem supports several modes with a class network function
+and a number of serial functions, all using ff/00/00
+
+The device ID is the same in all modes.
+
+RNDIS mode
+----------
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
+D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2c7c ProdID=0900 Rev= 4.04
+S: Manufacturer=Quectel
+S: Product=RM500U-CN
+S: SerialNumber=0123456789ABCDEF
+C:* #Ifs= 7 Cfg#= 1 Atr=c0 MxPwr=500mA
+A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03
+I:* If#= 0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host
+E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+ECM mode
+--------
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
+D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2c7c ProdID=0900 Rev= 4.04
+S: Manufacturer=Quectel
+S: Product=RM500U-CN
+S: SerialNumber=0123456789ABCDEF
+C:* #Ifs= 7 Cfg#= 1 Atr=c0 MxPwr=500mA
+A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=06 Prot=00
+I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=06 Prot=00 Driver=cdc_ether
+E: Ad=82(I) Atr=03(Int.) MxPS= 16 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
+I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+NCM mode
+--------
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 5 Spd=480 MxCh= 0
+D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2c7c ProdID=0900 Rev= 4.04
+S: Manufacturer=Quectel
+S: Product=RM500U-CN
+S: SerialNumber=0123456789ABCDEF
+C:* #Ifs= 7 Cfg#= 1 Atr=c0 MxPwr=500mA
+A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0d Prot=00
+I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0d Prot=00 Driver=cdc_ncm
+E: Ad=82(I) Atr=03(Int.) MxPS= 16 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=01 Driver=cdc_ncm
+I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=01 Driver=cdc_ncm
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Reported-by: Andrew Green
+Cc: stable@vger.kernel.org
+Signed-off-by: Bjørn Mork
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1198,6 +1198,8 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM520N, 0xff, 0xff, 0x30) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM520N, 0xff, 0, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM520N, 0xff, 0, 0) },
++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, 0x0900, 0xff, 0, 0), /* RM500U-CN */
++ .driver_info = ZLP },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200U, 0xff, 0, 0) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200S_CN, 0xff, 0, 0) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200T, 0xff, 0, 0) },
diff --git a/queue-6.1/usb-serial-option-add-telit-fe990-compositions.patch b/queue-6.1/usb-serial-option-add-telit-fe990-compositions.patch
new file mode 100644
index 00000000000..3d952ec4d59
--- /dev/null
+++ b/queue-6.1/usb-serial-option-add-telit-fe990-compositions.patch
@@ -0,0 +1,42 @@
+From 773e8e7d07b753474b2ccd605ff092faaa9e65b9 Mon Sep 17 00:00:00 2001
+From: Enrico Sau
+Date: Tue, 14 Mar 2023 10:00:59 +0100
+Subject: USB: serial: option: add Telit FE990 compositions
+
+From: Enrico Sau
+
+commit 773e8e7d07b753474b2ccd605ff092faaa9e65b9 upstream.
+
+Add the following Telit FE990 compositions:
+
+0x1080: tty, adb, rmnet, tty, tty, tty, tty
+0x1081: tty, adb, mbim, tty, tty, tty, tty
+0x1082: rndis, tty, adb, tty, tty, tty, tty
+0x1083: tty, adb, ecm, tty, tty, tty, tty
+
+Signed-off-by: Enrico Sau
+Link: https://lore.kernel.org/r/20230314090059.77876-1-enrico.sau@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/option.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1300,6 +1300,14 @@ static const struct usb_device_id option
+ .driver_info = NCTRL(0) | RSVD(1) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1075, 0xff), /* Telit FN990 (PCIe) */
+ .driver_info = RSVD(0) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1080, 0xff), /* Telit FE990 (rmnet) */
++ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1081, 0xff), /* Telit FE990 (MBIM) */
++ .driver_info = NCTRL(0) | RSVD(1) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1082, 0xff), /* Telit FE990 (RNDIS) */
++ .driver_info = NCTRL(2) | RSVD(3) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1083, 0xff), /* Telit FE990 (ECM) */
++ .driver_info = NCTRL(0) | RSVD(1) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910),
+ .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM),
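Review bot: The interface indices in the four new FE990 `driver_info` masks can only be checked against the composition list in the commit message, because the table comments name the network function but not the interface order. The `RSVD()` bits are what keep this serial driver off the adb and rmnet interfaces, so a wrong index would bind a tty to an interface meant for another driver. For the one entry whose indices are shifted I would extend the comment to something like `/* Telit FE990 (RNDIS): tty on 2, adb on 3 */`, assuming that is what `NCTRL(2) | RSVD(3)` and the listed order imply. The device table starts and ends outside this hunk.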
diff --git a/queue-6.1/usb-typec-altmodes-displayport-fix-configure-initial-pin-assignment.patch b/queue-6.1/usb-typec-altmodes-displayport-fix-configure-initial-pin-assignment.patch
new file mode 100644
index 00000000000..24f7a5676aa
--- /dev/null
+++ b/queue-6.1/usb-typec-altmodes-displayport-fix-configure-initial-pin-assignment.patch
@@ -0,0 +1,45 @@
+From eddebe39602efe631b83ff8d03f26eba12cfd760 Mon Sep 17 00:00:00 2001
+From: RD Babiera
+Date: Wed, 29 Mar 2023 21:51:59 +0000
+Subject: usb: typec: altmodes/displayport: Fix configure initial pin assignment
+
+From: RD Babiera
+
+commit eddebe39602efe631b83ff8d03f26eba12cfd760 upstream.
+
+While determining the initial pin assignment to be sent in the configure
+message, using the DP_PIN_ASSIGN_DP_ONLY_MASK mask causes the DFP_U to
+send both Pin Assignment C and E when both are supported by the DFP_U and
+UFP_U. The spec (Table 5-7 DFP_U Pin Assignment Selection Mandates,
+VESA DisplayPort Alt Mode Standard v2.0) indicates that the DFP_U never
+selects Pin Assignment E when Pin Assignment C is offered.
+
+Update the DP_PIN_ASSIGN_DP_ONLY_MASK conditional to intially select only
+Pin Assignment C if it is available.
+
+Fixes: 0e3bb7d6894d ("usb: typec: Add driver for DisplayPort alternate mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: RD Babiera
+Reviewed-by: Heikki Krogerus
+Link: https://lore.kernel.org/r/20230329215159.2046932-1-rdbabiera@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/altmodes/displayport.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/altmodes/displayport.c
++++ b/drivers/usb/typec/altmodes/displayport.c
+@@ -112,8 +112,12 @@ static int dp_altmode_configure(struct d
+ if (dp->data.status & DP_STATUS_PREFER_MULTI_FUNC &&
+ pin_assign & DP_PIN_ASSIGN_MULTI_FUNC_MASK)
+ pin_assign &= DP_PIN_ASSIGN_MULTI_FUNC_MASK;
+- else if (pin_assign & DP_PIN_ASSIGN_DP_ONLY_MASK)
++ else if (pin_assign & DP_PIN_ASSIGN_DP_ONLY_MASK) {
+ pin_assign &= DP_PIN_ASSIGN_DP_ONLY_MASK;
++ /* Default to pin assign C if available */
++ if (pin_assign & BIT(DP_PIN_ASSIGN_C))
++ pin_assign = BIT(DP_PIN_ASSIGN_C);
++ }
+
+ if (!pin_assign)
+ return -EINVAL;
-- 2.47.2
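Review bot: The added block narrows the selection to a single bit only when Pin Assignment C is in the intersection, so the multi-function branch directly above it, and the DP-only case without C, still pass `pin_assign` on as masked. That value may hold more than one bit if those masks cover several assignments; their definitions are not in this hunk. If the configure message must carry exactly one assignment, as the commit message's reading of the spec suggests, the same single-bit choice is worth applying there, or at least marking with `/* TODO: may leave several assignments set; pick one as for C */`. Separately, the `else if` arm is now braced while the first `if` arm is not; kernel style braces every arm once one of them needs braces. `dp_altmode_configure()` begins before and continues after the hunk.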