From: Greg Kroah-Hartman Date: Mon, 21 Nov 2022 12:03:43 +0000 (+0100) Subject: 6.0-stable patches X-Git-Tag: v4.19.266~28 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=721234514915f8f767511a7300c107d321a2f6eb;p=thirdparty%2Fkernel%2Fstable-queue.git 6.0-stable patches added patches: ceph-avoid-putting-the-realm-twice-when-decoding-snaps-fails.patch dm-bufio-fix-missing-decrement-of-no_sleep_enabled-if-dm_bufio_client_create-failed.patch dm-ioctl-fix-misbehavior-if-list_versions-races-with-module-loading.patch iio-accel-bma400-ensure-vddio-is-enable-defore-reading-the-chip-id.patch iio-adc-at91_adc-fix-possible-memory-leak-in-at91_adc_allocate_trigger.patch iio-adc-mp2629-fix-potential-array-out-of-bound-access.patch iio-adc-mp2629-fix-wrong-comparison-of-channel.patch iio-pressure-ms5611-changed-hardcoded-spi-speed-to-value-limited.patch iio-pressure-ms5611-fixed-value-compensation-bug.patch iio-trigger-sysfs-fix-possible-memory-leak-in-iio_sysfs_trig_init.patch input-iforce-invert-valid-length-check-when-fetching-device-ids.patch io_uring-disallow-self-propelled-ring-polling.patch io_uring-fix-multishot-accept-request-leaks.patch io_uring-fix-multishot-recv-request-leaks.patch io_uring-fix-tw-losing-poll-events.patch maccess-fix-writing-offset-in-case-of-fault-in-strncpy_from_kernel_nofault.patch net-phy-marvell-add-sleep-time-after-enabling-the-loopback-bit.patch nvme-pci-add-nvme_quirk_bogus_nid-for-micron-nitro.patch nvme-pci-add-nvme_quirk_bogus_nid-for-netac-nv7000.patch scsi-zfcp-fix-double-free-of-fsf-request-when-qdio-send-fails.patch serial-8250-fall-back-to-non-dma-rx-if-iir_rdi-occurs.patch serial-8250-flush-dma-rx-on-rlsi.patch serial-8250_lpss-configure-dma-also-w-o-dma-filter.patch serial-8250_lpss-use-16b-dma-burst-with-elkhart-lake.patch slimbus-qcom-ngd-fix-build-error-when-config_slim_qcom_ngd_ctrl-y-config_qcom_rproc_common-m.patch slimbus-stream-correct-presence-rate-frequencies.patch speakup-fix-a-segfault-caused-by-switching-consoles.patch speakup-replace-utils-u_char-with-unsigned-char.patch usb-add-no_lpm-quirk-for-realforce-87u-keyboard.patch usb-bcma-make-gpio-explicitly-optional.patch usb-cdns3-host-fix-endless-superspeed-hub-port-reset.patch usb-chipidea-fix-deadlock-in-ci_otg_del_timer.patch usb-serial-option-add-fibocom-fm160-0x0111-composition.patch usb-serial-option-add-sierra-wireless-em9191.patch usb-serial-option-add-u-blox-lara-l6-modem.patch usb-serial-option-add-u-blox-lara-r6-00b-modem.patch usb-serial-option-remove-old-lara-r6-pid.patch usb-typec-mux-enter-safe-mode-only-when-pins-need-to-be-reconfigured.patch usb-typec-tipd-prevent-uninitialized-event-1-2-in-irq-handler.patch --- diff --git a/queue-6.0/ceph-avoid-putting-the-realm-twice-when-decoding-snaps-fails.patch b/queue-6.0/ceph-avoid-putting-the-realm-twice-when-decoding-snaps-fails.patch new file mode 100644 index 00000000000..f4ec819dff6 --- /dev/null +++ b/queue-6.0/ceph-avoid-putting-the-realm-twice-when-decoding-snaps-fails.patch @@ -0,0 +1,43 @@ +From 51884d153f7ec85e18d607b2467820a90e0f4359 Mon Sep 17 00:00:00 2001 +From: Xiubo Li +Date: Wed, 9 Nov 2022 11:00:39 +0800 +Subject: ceph: avoid putting the realm twice when decoding snaps fails + +From: Xiubo Li + +commit 51884d153f7ec85e18d607b2467820a90e0f4359 upstream. + +When decoding the snaps fails it maybe leaving the 'first_realm' +and 'realm' pointing to the same snaprealm memory. And then it'll +put it twice and could cause random use-after-free, BUG_ON, etc +issues. + +Cc: stable@vger.kernel.org +Link: https://tracker.ceph.com/issues/57686 +Signed-off-by: Xiubo Li +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/snap.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ceph/snap.c ++++ b/fs/ceph/snap.c +@@ -763,7 +763,7 @@ int ceph_update_snap_trace(struct ceph_m + struct ceph_mds_snap_realm *ri; /* encoded */ + __le64 *snaps; /* encoded */ + __le64 *prior_parent_snaps; /* encoded */ +- struct ceph_snap_realm *realm = NULL; ++ struct ceph_snap_realm *realm; + struct ceph_snap_realm *first_realm = NULL; + struct ceph_snap_realm *realm_to_rebuild = NULL; + int rebuild_snapcs; +@@ -774,6 +774,7 @@ int ceph_update_snap_trace(struct ceph_m + + dout("%s deletion=%d\n", __func__, deletion); + more: ++ realm = NULL; + rebuild_snapcs = 0; + ceph_decode_need(&p, e, sizeof(*ri), bad); + ri = p; diff --git a/queue-6.0/dm-bufio-fix-missing-decrement-of-no_sleep_enabled-if-dm_bufio_client_create-failed.patch b/queue-6.0/dm-bufio-fix-missing-decrement-of-no_sleep_enabled-if-dm_bufio_client_create-failed.patch new file mode 100644 index 00000000000..607af956f52 --- /dev/null +++ b/queue-6.0/dm-bufio-fix-missing-decrement-of-no_sleep_enabled-if-dm_bufio_client_create-failed.patch @@ -0,0 +1,40 @@ +From 0dfc1f4ceae86a0d09d880ab87625c86c61ed33c Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng +Date: Fri, 11 Nov 2022 20:10:27 +0800 +Subject: dm bufio: Fix missing decrement of no_sleep_enabled if dm_bufio_client_create failed + +From: Zhihao Cheng + +commit 0dfc1f4ceae86a0d09d880ab87625c86c61ed33c upstream. + +The 'no_sleep_enabled' should be decreased in error handling path +in dm_bufio_client_create() when the DM_BUFIO_CLIENT_NO_SLEEP flag +is set, otherwise static_branch_unlikely() will always return true +even if no dm_bufio_client instances have DM_BUFIO_CLIENT_NO_SLEEP +flag set. + +Cc: stable@vger.kernel.org +Fixes: 3c1c875d0586 ("dm bufio: conditionally enable branching for DM_BUFIO_CLIENT_NO_SLEEP") +Signed-off-by: Zhihao Cheng +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-bufio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c +index 9c5ef818ca36..bb786c39545e 100644 +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -1858,6 +1858,8 @@ struct dm_bufio_client *dm_bufio_client_create(struct block_device *bdev, unsign + dm_io_client_destroy(c->dm_io); + bad_dm_io: + mutex_destroy(&c->lock); ++ if (c->no_sleep) ++ static_branch_dec(&no_sleep_enabled); + kfree(c); + bad_client: + return ERR_PTR(r); +-- +2.38.1 + diff --git a/queue-6.0/dm-ioctl-fix-misbehavior-if-list_versions-races-with-module-loading.patch b/queue-6.0/dm-ioctl-fix-misbehavior-if-list_versions-races-with-module-loading.patch new file mode 100644 index 00000000000..278a38e5d45 --- /dev/null +++ b/queue-6.0/dm-ioctl-fix-misbehavior-if-list_versions-races-with-module-loading.patch @@ -0,0 +1,70 @@ +From 4fe1ec995483737f3d2a14c3fe1d8fe634972979 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 1 Nov 2022 16:53:35 -0400 +Subject: dm ioctl: fix misbehavior if list_versions races with module loading + +From: Mikulas Patocka + +commit 4fe1ec995483737f3d2a14c3fe1d8fe634972979 upstream. + +__list_versions will first estimate the required space using the +"dm_target_iterate(list_version_get_needed, &needed)" call and then will +fill the space using the "dm_target_iterate(list_version_get_info, +&iter_info)" call. Each of these calls locks the targets using the +"down_read(&_lock)" and "up_read(&_lock)" calls, however between the first +and second "dm_target_iterate" there is no lock held and the target +modules can be loaded at this point, so the second "dm_target_iterate" +call may need more space than what was the first "dm_target_iterate" +returned. + +The code tries to handle this overflow (see the beginning of +list_version_get_info), however this handling is incorrect. + +The code sets "param->data_size = param->data_start + needed" and +"iter_info.end = (char *)vers+len" - "needed" is the size returned by the +first dm_target_iterate call; "len" is the size of the buffer allocated by +userspace. + +"len" may be greater than "needed"; in this case, the code will write up +to "len" bytes into the buffer, however param->data_size is set to +"needed", so it may write data past the param->data_size value. The ioctl +interface copies only up to param->data_size into userspace, thus part of +the result will be truncated. + +Fix this bug by setting "iter_info.end = (char *)vers + needed;" - this +guarantees that the second "dm_target_iterate" call will write only up to +the "needed" buffer and it will exit with "DM_BUFFER_FULL_FLAG" if it +overflows the "needed" space - in this case, userspace will allocate a +larger buffer and retry. + +Note that there is also a bug in list_version_get_needed - we need to add +"strlen(tt->name) + 1" to the needed size, not "strlen(tt->name)". + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-ioctl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -655,7 +655,7 @@ static void list_version_get_needed(stru + size_t *needed = needed_param; + + *needed += sizeof(struct dm_target_versions); +- *needed += strlen(tt->name); ++ *needed += strlen(tt->name) + 1; + *needed += ALIGN_MASK; + } + +@@ -720,7 +720,7 @@ static int __list_versions(struct dm_ioc + iter_info.old_vers = NULL; + iter_info.vers = vers; + iter_info.flags = 0; +- iter_info.end = (char *)vers+len; ++ iter_info.end = (char *)vers + needed; + + /* + * Now loop through filling out the names & versions. diff --git a/queue-6.0/iio-accel-bma400-ensure-vddio-is-enable-defore-reading-the-chip-id.patch b/queue-6.0/iio-accel-bma400-ensure-vddio-is-enable-defore-reading-the-chip-id.patch new file mode 100644 index 00000000000..7f3339b09cc --- /dev/null +++ b/queue-6.0/iio-accel-bma400-ensure-vddio-is-enable-defore-reading-the-chip-id.patch @@ -0,0 +1,65 @@ +From 57572cacd36e6d4be7722d7770d23f4430219827 Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sun, 2 Oct 2022 15:41:33 +0100 +Subject: iio: accel: bma400: Ensure VDDIO is enable defore reading the chip ID. + +From: Jonathan Cameron + +commit 57572cacd36e6d4be7722d7770d23f4430219827 upstream. + +The regulator enables were after the check on the chip variant, which was +very unlikely to return a correct value when not powered. +Presumably all the device anyone is testing on have a regulator that +is already powered up when this code runs for reasons beyond the scope +of this driver. Move the read call down a few lines. + +Fixes: 3cf7ded15e40 ("iio: accel: bma400: basic regulator support") +Signed-off-by: Jonathan Cameron +Reviewed-by: Dan Robertson +Cc: +Link: https://lore.kernel.org/r/20221002144133.3771029-1-jic23@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/bma400_core.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/iio/accel/bma400_core.c ++++ b/drivers/iio/accel/bma400_core.c +@@ -737,18 +737,6 @@ static int bma400_init(struct bma400_dat + unsigned int val; + int ret; + +- /* Try to read chip_id register. It must return 0x90. */ +- ret = regmap_read(data->regmap, BMA400_CHIP_ID_REG, &val); +- if (ret) { +- dev_err(data->dev, "Failed to read chip id register\n"); +- return ret; +- } +- +- if (val != BMA400_ID_REG_VAL) { +- dev_err(data->dev, "Chip ID mismatch\n"); +- return -ENODEV; +- } +- + data->regulators[BMA400_VDD_REGULATOR].supply = "vdd"; + data->regulators[BMA400_VDDIO_REGULATOR].supply = "vddio"; + ret = devm_regulator_bulk_get(data->dev, +@@ -774,6 +762,18 @@ static int bma400_init(struct bma400_dat + if (ret) + return ret; + ++ /* Try to read chip_id register. It must return 0x90. */ ++ ret = regmap_read(data->regmap, BMA400_CHIP_ID_REG, &val); ++ if (ret) { ++ dev_err(data->dev, "Failed to read chip id register\n"); ++ return ret; ++ } ++ ++ if (val != BMA400_ID_REG_VAL) { ++ dev_err(data->dev, "Chip ID mismatch\n"); ++ return -ENODEV; ++ } ++ + ret = bma400_get_power_mode(data); + if (ret) { + dev_err(data->dev, "Failed to get the initial power-mode\n"); diff --git a/queue-6.0/iio-adc-at91_adc-fix-possible-memory-leak-in-at91_adc_allocate_trigger.patch b/queue-6.0/iio-adc-at91_adc-fix-possible-memory-leak-in-at91_adc_allocate_trigger.patch new file mode 100644 index 00000000000..3b324bad848 --- /dev/null +++ b/queue-6.0/iio-adc-at91_adc-fix-possible-memory-leak-in-at91_adc_allocate_trigger.patch @@ -0,0 +1,37 @@ +From 65f20301607d07ee279b0804d11a05a62a6c1a1c Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Mon, 24 Oct 2022 16:45:11 +0800 +Subject: iio: adc: at91_adc: fix possible memory leak in at91_adc_allocate_trigger() + +From: Yang Yingliang + +commit 65f20301607d07ee279b0804d11a05a62a6c1a1c upstream. + +If iio_trigger_register() returns error, it should call iio_trigger_free() +to give up the reference that hold in iio_trigger_alloc(), so that it can +call iio_trig_release() to free memory when the refcount hit to 0. + +Fixes: 0e589d5fb317 ("ARM: AT91: IIO: Add AT91 ADC driver.") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221024084511.815096-1-yangyingliang@huawei.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/at91_adc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/iio/adc/at91_adc.c ++++ b/drivers/iio/adc/at91_adc.c +@@ -634,8 +634,10 @@ static struct iio_trigger *at91_adc_allo + trig->ops = &at91_adc_trigger_ops; + + ret = iio_trigger_register(trig); +- if (ret) ++ if (ret) { ++ iio_trigger_free(trig); + return NULL; ++ } + + return trig; + } diff --git a/queue-6.0/iio-adc-mp2629-fix-potential-array-out-of-bound-access.patch b/queue-6.0/iio-adc-mp2629-fix-potential-array-out-of-bound-access.patch new file mode 100644 index 00000000000..e1c4acd49e6 --- /dev/null +++ b/queue-6.0/iio-adc-mp2629-fix-potential-array-out-of-bound-access.patch @@ -0,0 +1,34 @@ +From ca1547ab15f48dc81624183ae17a2fd1bad06dfc Mon Sep 17 00:00:00 2001 +From: Saravanan Sekar +Date: Sat, 29 Oct 2022 11:29:55 +0200 +Subject: iio: adc: mp2629: fix potential array out of bound access + +From: Saravanan Sekar + +commit ca1547ab15f48dc81624183ae17a2fd1bad06dfc upstream. + +Add sentinel at end of maps to avoid potential array out of +bound access in iio core. + +Fixes: 7abd9fb64682 ("iio: adc: mp2629: Add support for mp2629 ADC driver") +Signed-off-by: Saravanan Sekar +Link: https://lore.kernel.org/r/20221029093000.45451-4-sravanhome@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/mp2629_adc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/iio/adc/mp2629_adc.c ++++ b/drivers/iio/adc/mp2629_adc.c +@@ -57,7 +57,8 @@ static struct iio_map mp2629_adc_maps[] + MP2629_MAP(SYSTEM_VOLT, "system-volt"), + MP2629_MAP(INPUT_VOLT, "input-volt"), + MP2629_MAP(BATT_CURRENT, "batt-current"), +- MP2629_MAP(INPUT_CURRENT, "input-current") ++ MP2629_MAP(INPUT_CURRENT, "input-current"), ++ { } + }; + + static int mp2629_read_raw(struct iio_dev *indio_dev, diff --git a/queue-6.0/iio-adc-mp2629-fix-wrong-comparison-of-channel.patch b/queue-6.0/iio-adc-mp2629-fix-wrong-comparison-of-channel.patch new file mode 100644 index 00000000000..07f79067068 --- /dev/null +++ b/queue-6.0/iio-adc-mp2629-fix-wrong-comparison-of-channel.patch @@ -0,0 +1,34 @@ +From 1eb20332a082fa801fb89c347c5e62de916a4001 Mon Sep 17 00:00:00 2001 +From: Saravanan Sekar +Date: Sat, 29 Oct 2022 11:29:53 +0200 +Subject: iio: adc: mp2629: fix wrong comparison of channel + +From: Saravanan Sekar + +commit 1eb20332a082fa801fb89c347c5e62de916a4001 upstream. + +Input voltage channel enum is compared against iio address instead +of the channel. + +Fixes: 7abd9fb64682 ("iio: adc: mp2629: Add support for mp2629 ADC driver") +Signed-off-by: Saravanan Sekar +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221029093000.45451-2-sravanhome@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/mp2629_adc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/mp2629_adc.c ++++ b/drivers/iio/adc/mp2629_adc.c +@@ -74,7 +74,7 @@ static int mp2629_read_raw(struct iio_de + if (ret) + return ret; + +- if (chan->address == MP2629_INPUT_VOLT) ++ if (chan->channel == MP2629_INPUT_VOLT) + rval &= GENMASK(6, 0); + *val = rval; + return IIO_VAL_INT; diff --git a/queue-6.0/iio-pressure-ms5611-changed-hardcoded-spi-speed-to-value-limited.patch b/queue-6.0/iio-pressure-ms5611-changed-hardcoded-spi-speed-to-value-limited.patch new file mode 100644 index 00000000000..0c490e42347 --- /dev/null +++ b/queue-6.0/iio-pressure-ms5611-changed-hardcoded-spi-speed-to-value-limited.patch @@ -0,0 +1,32 @@ +From 741cec30cc52058d1c10d415f3b98319887e4f73 Mon Sep 17 00:00:00 2001 +From: Mitja Spes +Date: Fri, 21 Oct 2022 15:58:21 +0200 +Subject: iio: pressure: ms5611: changed hardcoded SPI speed to value limited + +From: Mitja Spes + +commit 741cec30cc52058d1c10d415f3b98319887e4f73 upstream. + +Don't hardcode the ms5611 SPI speed, limit it instead. + +Signed-off-by: Mitja Spes +Fixes: c0644160a8b5 ("iio: pressure: add support for MS5611 pressure and temperature sensor") +Link: https://lore.kernel.org/r/20221021135827.1444793-3-mitja@lxnav.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/pressure/ms5611_spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/pressure/ms5611_spi.c ++++ b/drivers/iio/pressure/ms5611_spi.c +@@ -91,7 +91,7 @@ static int ms5611_spi_probe(struct spi_d + spi_set_drvdata(spi, indio_dev); + + spi->mode = SPI_MODE_0; +- spi->max_speed_hz = 20000000; ++ spi->max_speed_hz = min(spi->max_speed_hz, 20000000U); + spi->bits_per_word = 8; + ret = spi_setup(spi); + if (ret < 0) diff --git a/queue-6.0/iio-pressure-ms5611-fixed-value-compensation-bug.patch b/queue-6.0/iio-pressure-ms5611-fixed-value-compensation-bug.patch new file mode 100644 index 00000000000..75f5fffea5b --- /dev/null +++ b/queue-6.0/iio-pressure-ms5611-fixed-value-compensation-bug.patch @@ -0,0 +1,166 @@ +From 17f442e7e47579d3881fc4d47354eaef09302e6f Mon Sep 17 00:00:00 2001 +From: Mitja Spes +Date: Fri, 21 Oct 2022 15:58:20 +0200 +Subject: iio: pressure: ms5611: fixed value compensation bug + +From: Mitja Spes + +commit 17f442e7e47579d3881fc4d47354eaef09302e6f upstream. + +When using multiple instances of this driver the compensation PROM was +overwritten by the last initialized sensor. Now each sensor has own PROM +storage. + +Signed-off-by: Mitja Spes +Fixes: 9690d81a02dc ("iio: pressure: ms5611: add support for MS5607 temperature and pressure sensor") +Link: https://lore.kernel.org/r/20221021135827.1444793-2-mitja@lxnav.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/pressure/ms5611.h | 12 ++------ + drivers/iio/pressure/ms5611_core.c | 51 +++++++++++++++++++------------------ + 2 files changed, 31 insertions(+), 32 deletions(-) + +--- a/drivers/iio/pressure/ms5611.h ++++ b/drivers/iio/pressure/ms5611.h +@@ -25,13 +25,6 @@ enum { + MS5607, + }; + +-struct ms5611_chip_info { +- u16 prom[MS5611_PROM_WORDS_NB]; +- +- int (*temp_and_pressure_compensate)(struct ms5611_chip_info *chip_info, +- s32 *temp, s32 *pressure); +-}; +- + /* + * OverSampling Rate descriptor. + * Warning: cmd MUST be kept aligned on a word boundary (see +@@ -50,12 +43,15 @@ struct ms5611_state { + const struct ms5611_osr *pressure_osr; + const struct ms5611_osr *temp_osr; + ++ u16 prom[MS5611_PROM_WORDS_NB]; ++ + int (*reset)(struct ms5611_state *st); + int (*read_prom_word)(struct ms5611_state *st, int index, u16 *word); + int (*read_adc_temp_and_pressure)(struct ms5611_state *st, + s32 *temp, s32 *pressure); + +- struct ms5611_chip_info *chip_info; ++ int (*compensate_temp_and_pressure)(struct ms5611_state *st, s32 *temp, ++ s32 *pressure); + struct regulator *vdd; + }; + +--- a/drivers/iio/pressure/ms5611_core.c ++++ b/drivers/iio/pressure/ms5611_core.c +@@ -85,7 +85,7 @@ static int ms5611_read_prom(struct iio_d + struct ms5611_state *st = iio_priv(indio_dev); + + for (i = 0; i < MS5611_PROM_WORDS_NB; i++) { +- ret = st->read_prom_word(st, i, &st->chip_info->prom[i]); ++ ret = st->read_prom_word(st, i, &st->prom[i]); + if (ret < 0) { + dev_err(&indio_dev->dev, + "failed to read prom at %d\n", i); +@@ -93,7 +93,7 @@ static int ms5611_read_prom(struct iio_d + } + } + +- if (!ms5611_prom_is_valid(st->chip_info->prom, MS5611_PROM_WORDS_NB)) { ++ if (!ms5611_prom_is_valid(st->prom, MS5611_PROM_WORDS_NB)) { + dev_err(&indio_dev->dev, "PROM integrity check failed\n"); + return -ENODEV; + } +@@ -114,21 +114,20 @@ static int ms5611_read_temp_and_pressure + return ret; + } + +- return st->chip_info->temp_and_pressure_compensate(st->chip_info, +- temp, pressure); ++ return st->compensate_temp_and_pressure(st, temp, pressure); + } + +-static int ms5611_temp_and_pressure_compensate(struct ms5611_chip_info *chip_info, ++static int ms5611_temp_and_pressure_compensate(struct ms5611_state *st, + s32 *temp, s32 *pressure) + { + s32 t = *temp, p = *pressure; + s64 off, sens, dt; + +- dt = t - (chip_info->prom[5] << 8); +- off = ((s64)chip_info->prom[2] << 16) + ((chip_info->prom[4] * dt) >> 7); +- sens = ((s64)chip_info->prom[1] << 15) + ((chip_info->prom[3] * dt) >> 8); ++ dt = t - (st->prom[5] << 8); ++ off = ((s64)st->prom[2] << 16) + ((st->prom[4] * dt) >> 7); ++ sens = ((s64)st->prom[1] << 15) + ((st->prom[3] * dt) >> 8); + +- t = 2000 + ((chip_info->prom[6] * dt) >> 23); ++ t = 2000 + ((st->prom[6] * dt) >> 23); + if (t < 2000) { + s64 off2, sens2, t2; + +@@ -154,17 +153,17 @@ static int ms5611_temp_and_pressure_comp + return 0; + } + +-static int ms5607_temp_and_pressure_compensate(struct ms5611_chip_info *chip_info, ++static int ms5607_temp_and_pressure_compensate(struct ms5611_state *st, + s32 *temp, s32 *pressure) + { + s32 t = *temp, p = *pressure; + s64 off, sens, dt; + +- dt = t - (chip_info->prom[5] << 8); +- off = ((s64)chip_info->prom[2] << 17) + ((chip_info->prom[4] * dt) >> 6); +- sens = ((s64)chip_info->prom[1] << 16) + ((chip_info->prom[3] * dt) >> 7); ++ dt = t - (st->prom[5] << 8); ++ off = ((s64)st->prom[2] << 17) + ((st->prom[4] * dt) >> 6); ++ sens = ((s64)st->prom[1] << 16) + ((st->prom[3] * dt) >> 7); + +- t = 2000 + ((chip_info->prom[6] * dt) >> 23); ++ t = 2000 + ((st->prom[6] * dt) >> 23); + if (t < 2000) { + s64 off2, sens2, t2, tmp; + +@@ -342,15 +341,6 @@ static int ms5611_write_raw(struct iio_d + + static const unsigned long ms5611_scan_masks[] = {0x3, 0}; + +-static struct ms5611_chip_info chip_info_tbl[] = { +- [MS5611] = { +- .temp_and_pressure_compensate = ms5611_temp_and_pressure_compensate, +- }, +- [MS5607] = { +- .temp_and_pressure_compensate = ms5607_temp_and_pressure_compensate, +- } +-}; +- + static const struct iio_chan_spec ms5611_channels[] = { + { + .type = IIO_PRESSURE, +@@ -433,7 +423,20 @@ int ms5611_probe(struct iio_dev *indio_d + struct ms5611_state *st = iio_priv(indio_dev); + + mutex_init(&st->lock); +- st->chip_info = &chip_info_tbl[type]; ++ ++ switch (type) { ++ case MS5611: ++ st->compensate_temp_and_pressure = ++ ms5611_temp_and_pressure_compensate; ++ break; ++ case MS5607: ++ st->compensate_temp_and_pressure = ++ ms5607_temp_and_pressure_compensate; ++ break; ++ default: ++ return -EINVAL; ++ } ++ + st->temp_osr = + &ms5611_avail_temp_osr[ARRAY_SIZE(ms5611_avail_temp_osr) - 1]; + st->pressure_osr = diff --git a/queue-6.0/iio-trigger-sysfs-fix-possible-memory-leak-in-iio_sysfs_trig_init.patch b/queue-6.0/iio-trigger-sysfs-fix-possible-memory-leak-in-iio_sysfs_trig_init.patch new file mode 100644 index 00000000000..dc3e28d813e --- /dev/null +++ b/queue-6.0/iio-trigger-sysfs-fix-possible-memory-leak-in-iio_sysfs_trig_init.patch @@ -0,0 +1,55 @@ +From efa17e90e1711bdb084e3954fa44afb6647331c0 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Sat, 22 Oct 2022 15:42:12 +0800 +Subject: iio: trigger: sysfs: fix possible memory leak in iio_sysfs_trig_init() + +From: Yang Yingliang + +commit efa17e90e1711bdb084e3954fa44afb6647331c0 upstream. + +dev_set_name() allocates memory for name, it need be freed +when device_add() fails, call put_device() to give up the +reference that hold in device_initialize(), so that it can +be freed in kobject_cleanup() when the refcount hit to 0. + +Fault injection test can trigger this: + +unreferenced object 0xffff8e8340a7b4c0 (size 32): + comm "modprobe", pid 243, jiffies 4294678145 (age 48.845s) + hex dump (first 32 bytes): + 69 69 6f 5f 73 79 73 66 73 5f 74 72 69 67 67 65 iio_sysfs_trigge + 72 00 a7 40 83 8e ff ff 00 86 13 c4 f6 ee ff ff r..@............ + backtrace: + [<0000000074999de8>] __kmem_cache_alloc_node+0x1e9/0x360 + [<00000000497fd30b>] __kmalloc_node_track_caller+0x44/0x1a0 + [<000000003636c520>] kstrdup+0x2d/0x60 + [<0000000032f84da2>] kobject_set_name_vargs+0x1e/0x90 + [<0000000092efe493>] dev_set_name+0x4e/0x70 + +Fixes: 1f785681a870 ("staging:iio:trigger sysfs userspace trigger rework.") +Signed-off-by: Yang Yingliang +Cc: +Link: https://lore.kernel.org/r/20221022074212.1386424-1-yangyingliang@huawei.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/trigger/iio-trig-sysfs.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/iio/trigger/iio-trig-sysfs.c ++++ b/drivers/iio/trigger/iio-trig-sysfs.c +@@ -203,9 +203,13 @@ static int iio_sysfs_trigger_remove(int + + static int __init iio_sysfs_trig_init(void) + { ++ int ret; + device_initialize(&iio_sysfs_trig_dev); + dev_set_name(&iio_sysfs_trig_dev, "iio_sysfs_trigger"); +- return device_add(&iio_sysfs_trig_dev); ++ ret = device_add(&iio_sysfs_trig_dev); ++ if (ret) ++ put_device(&iio_sysfs_trig_dev); ++ return ret; + } + module_init(iio_sysfs_trig_init); + diff --git a/queue-6.0/input-iforce-invert-valid-length-check-when-fetching-device-ids.patch b/queue-6.0/input-iforce-invert-valid-length-check-when-fetching-device-ids.patch new file mode 100644 index 00000000000..5815d37a916 --- /dev/null +++ b/queue-6.0/input-iforce-invert-valid-length-check-when-fetching-device-ids.patch @@ -0,0 +1,56 @@ +From b8ebf250997c5fb253582f42bfe98673801ebebd Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Mon, 7 Nov 2022 10:21:40 -0800 +Subject: Input: iforce - invert valid length check when fetching device IDs + +From: Tetsuo Handa + +commit b8ebf250997c5fb253582f42bfe98673801ebebd upstream. + +syzbot is reporting uninitialized value at iforce_init_device() [1], for +commit 6ac0aec6b0a6 ("Input: iforce - allow callers supply data buffer +when fetching device IDs") is checking that valid length is shorter than +bytes to read. Since iforce_get_id_packet() stores valid length when +returning 0, the caller needs to check that valid length is longer than or +equals to bytes to read. + +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Fixes: 6ac0aec6b0a6 ("Input: iforce - allow callers supply data buffer when fetching device IDs") +Link: https://lore.kernel.org/r/531fb432-7396-ad37-ecba-3e42e7f56d5c@I-love.SAKURA.ne.jp +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joystick/iforce/iforce-main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/input/joystick/iforce/iforce-main.c ++++ b/drivers/input/joystick/iforce/iforce-main.c +@@ -273,22 +273,22 @@ int iforce_init_device(struct device *pa + * Get device info. + */ + +- if (!iforce_get_id_packet(iforce, 'M', buf, &len) || len < 3) ++ if (!iforce_get_id_packet(iforce, 'M', buf, &len) && len >= 3) + input_dev->id.vendor = get_unaligned_le16(buf + 1); + else + dev_warn(&iforce->dev->dev, "Device does not respond to id packet M\n"); + +- if (!iforce_get_id_packet(iforce, 'P', buf, &len) || len < 3) ++ if (!iforce_get_id_packet(iforce, 'P', buf, &len) && len >= 3) + input_dev->id.product = get_unaligned_le16(buf + 1); + else + dev_warn(&iforce->dev->dev, "Device does not respond to id packet P\n"); + +- if (!iforce_get_id_packet(iforce, 'B', buf, &len) || len < 3) ++ if (!iforce_get_id_packet(iforce, 'B', buf, &len) && len >= 3) + iforce->device_memory.end = get_unaligned_le16(buf + 1); + else + dev_warn(&iforce->dev->dev, "Device does not respond to id packet B\n"); + +- if (!iforce_get_id_packet(iforce, 'N', buf, &len) || len < 2) ++ if (!iforce_get_id_packet(iforce, 'N', buf, &len) && len >= 2) + ff_effects = buf[1]; + else + dev_warn(&iforce->dev->dev, "Device does not respond to id packet N\n"); diff --git a/queue-6.0/io_uring-disallow-self-propelled-ring-polling.patch b/queue-6.0/io_uring-disallow-self-propelled-ring-polling.patch new file mode 100644 index 00000000000..29dbc8d32d6 --- /dev/null +++ b/queue-6.0/io_uring-disallow-self-propelled-ring-polling.patch @@ -0,0 +1,40 @@ +From 7fdbc5f014c3f71bc44673a2d6c5bb2d12d45f25 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Fri, 18 Nov 2022 15:41:41 +0000 +Subject: io_uring: disallow self-propelled ring polling + +From: Pavel Begunkov + +commit 7fdbc5f014c3f71bc44673a2d6c5bb2d12d45f25 upstream. + +When we post a CQE we wake all ring pollers as it normally should be. +However, if a CQE was generated by a multishot poll request targeting +its own ring, it'll wake that request up, which will make it to post +a new CQE, which will wake the request and so on until it exhausts all +CQ entries. + +Don't allow multishot polling io_uring files but downgrade them to +oneshots, which was always stated as a correct behaviour that the +userspace should check for. + +Cc: stable@vger.kernel.org +Fixes: aa43477b04025 ("io_uring: poll rework") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/3124038c0e7474d427538c2d915335ec28c92d21.1668785722.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/poll.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/io_uring/poll.c ++++ b/io_uring/poll.c +@@ -244,6 +244,8 @@ static int io_poll_check_events(struct i + continue; + if (req->apoll_events & EPOLLONESHOT) + return IOU_POLL_DONE; ++ if (io_is_uring_fops(req->file)) ++ return IOU_POLL_DONE; + + /* multishot, just fill a CQE and proceed */ + if (!(req->flags & REQ_F_APOLL_MULTISHOT)) { diff --git a/queue-6.0/io_uring-fix-multishot-accept-request-leaks.patch b/queue-6.0/io_uring-fix-multishot-accept-request-leaks.patch new file mode 100644 index 00000000000..37f7515eee9 --- /dev/null +++ b/queue-6.0/io_uring-fix-multishot-accept-request-leaks.patch @@ -0,0 +1,87 @@ +From 91482864768a874c4290ef93b84a78f4f1dac51b Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Thu, 17 Nov 2022 18:40:16 +0000 +Subject: io_uring: fix multishot accept request leaks + +From: Pavel Begunkov + +commit 91482864768a874c4290ef93b84a78f4f1dac51b upstream. + +Having REQ_F_POLLED set doesn't guarantee that the request is +executed as a multishot from the polling path. Fortunately for us, if +the code thinks it's multishot issue when it's not, it can only ask to +skip completion so leaking the request. Use issue_flags to mark +multipoll issues. + +Cc: stable@vger.kernel.org +Fixes: 390ed29b5e425 ("io_uring: add IORING_ACCEPT_MULTISHOT for accept") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/7700ac57653f2823e30b34dc74da68678c0c5f13.1668710222.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/io_uring.h | 3 +++ + io_uring/io_uring.c | 2 +- + io_uring/io_uring.h | 4 ++-- + io_uring/net.c | 7 ++----- + 4 files changed, 8 insertions(+), 8 deletions(-) + +--- a/include/linux/io_uring.h ++++ b/include/linux/io_uring.h +@@ -15,6 +15,9 @@ enum io_uring_cmd_flags { + IO_URING_F_SQE128 = 4, + IO_URING_F_CQE32 = 8, + IO_URING_F_IOPOLL = 16, ++ ++ /* the request is executed from poll, it should not be freed */ ++ IO_URING_F_MULTISHOT = 32, + }; + + struct io_uring_cmd { +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -1618,7 +1618,7 @@ int io_poll_issue(struct io_kiocb *req, + io_tw_lock(req->ctx, locked); + if (unlikely(req->task->flags & PF_EXITING)) + return -EFAULT; +- return io_issue_sqe(req, IO_URING_F_NONBLOCK); ++ return io_issue_sqe(req, IO_URING_F_NONBLOCK|IO_URING_F_MULTISHOT); + } + + struct io_wq_work *io_wq_free_work(struct io_wq_work *work) +--- a/io_uring/io_uring.h ++++ b/io_uring/io_uring.h +@@ -17,8 +17,8 @@ enum { + IOU_ISSUE_SKIP_COMPLETE = -EIOCBQUEUED, + + /* +- * Intended only when both REQ_F_POLLED and REQ_F_APOLL_MULTISHOT +- * are set to indicate to the poll runner that multishot should be ++ * Intended only when both IO_URING_F_MULTISHOT is passed ++ * to indicate to the poll runner that multishot should be + * removed and the result is set on req->cqe.res. + */ + IOU_STOP_MULTISHOT = -ECANCELED, +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -1168,8 +1168,7 @@ retry: + * return EAGAIN to arm the poll infra since it + * has already been done + */ +- if ((req->flags & IO_APOLL_MULTI_POLLED) == +- IO_APOLL_MULTI_POLLED) ++ if (issue_flags & IO_URING_F_MULTISHOT) + ret = IOU_ISSUE_SKIP_COMPLETE; + return ret; + } +@@ -1194,9 +1193,7 @@ retry: + goto retry; + + io_req_set_res(req, ret, 0); +- if (req->flags & REQ_F_POLLED) +- return IOU_STOP_MULTISHOT; +- return IOU_OK; ++ return (issue_flags & IO_URING_F_MULTISHOT) ? IOU_STOP_MULTISHOT : IOU_OK; + } + + int io_socket_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) diff --git a/queue-6.0/io_uring-fix-multishot-recv-request-leaks.patch b/queue-6.0/io_uring-fix-multishot-recv-request-leaks.patch new file mode 100644 index 00000000000..8997d249ca6 --- /dev/null +++ b/queue-6.0/io_uring-fix-multishot-recv-request-leaks.patch @@ -0,0 +1,92 @@ +From 100d6b17c06ee4c2b42fdddf0fe4ab77c86eb77e Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Thu, 17 Nov 2022 18:40:17 +0000 +Subject: io_uring: fix multishot recv request leaks + +From: Pavel Begunkov + +commit 100d6b17c06ee4c2b42fdddf0fe4ab77c86eb77e upstream. + +Having REQ_F_POLLED set doesn't guarantee that the request is +executed as a multishot from the polling path. Fortunately for us, if +the code thinks it's multishot issue when it's not, it can only ask to +skip completion so leaking the request. Use issue_flags to mark +multipoll issues. + +Cc: stable@vger.kernel.org +Fixes: 1300ebb20286b ("io_uring: multishot recv") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/37762040ba9c52b81b92a2f5ebfd4ee484088951.1668710222.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/net.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -66,8 +66,6 @@ struct io_sr_msg { + struct io_kiocb *notif; + }; + +-#define IO_APOLL_MULTI_POLLED (REQ_F_APOLL_MULTISHOT | REQ_F_POLLED) +- + int io_shutdown_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) + { + struct io_shutdown *shutdown = io_kiocb_to_cmd(req, struct io_shutdown); +@@ -558,7 +556,8 @@ static inline void io_recv_prep_retry(st + * again (for multishot). + */ + static inline bool io_recv_finish(struct io_kiocb *req, int *ret, +- unsigned int cflags, bool mshot_finished) ++ unsigned int cflags, bool mshot_finished, ++ unsigned issue_flags) + { + if (!(req->flags & REQ_F_APOLL_MULTISHOT)) { + io_req_set_res(req, *ret, cflags); +@@ -581,7 +580,7 @@ static inline bool io_recv_finish(struct + + io_req_set_res(req, *ret, cflags); + +- if (req->flags & REQ_F_POLLED) ++ if (issue_flags & IO_URING_F_MULTISHOT) + *ret = IOU_STOP_MULTISHOT; + else + *ret = IOU_OK; +@@ -740,8 +739,7 @@ retry_multishot: + if (ret < min_ret) { + if (ret == -EAGAIN && force_nonblock) { + ret = io_setup_async_msg(req, kmsg, issue_flags); +- if (ret == -EAGAIN && (req->flags & IO_APOLL_MULTI_POLLED) == +- IO_APOLL_MULTI_POLLED) { ++ if (ret == -EAGAIN && (issue_flags & IO_URING_F_MULTISHOT)) { + io_kbuf_recycle(req, issue_flags); + return IOU_ISSUE_SKIP_COMPLETE; + } +@@ -770,7 +768,7 @@ retry_multishot: + if (kmsg->msg.msg_inq) + cflags |= IORING_CQE_F_SOCK_NONEMPTY; + +- if (!io_recv_finish(req, &ret, cflags, mshot_finished)) ++ if (!io_recv_finish(req, &ret, cflags, mshot_finished, issue_flags)) + goto retry_multishot; + + if (mshot_finished) { +@@ -836,7 +834,7 @@ retry_multishot: + ret = sock_recvmsg(sock, &msg, flags); + if (ret < min_ret) { + if (ret == -EAGAIN && force_nonblock) { +- if ((req->flags & IO_APOLL_MULTI_POLLED) == IO_APOLL_MULTI_POLLED) { ++ if (issue_flags & IO_URING_F_MULTISHOT) { + io_kbuf_recycle(req, issue_flags); + return IOU_ISSUE_SKIP_COMPLETE; + } +@@ -869,7 +867,7 @@ out_free: + if (msg.msg_inq) + cflags |= IORING_CQE_F_SOCK_NONEMPTY; + +- if (!io_recv_finish(req, &ret, cflags, ret <= 0)) ++ if (!io_recv_finish(req, &ret, cflags, ret <= 0, issue_flags)) + goto retry_multishot; + + return ret; diff --git a/queue-6.0/io_uring-fix-tw-losing-poll-events.patch b/queue-6.0/io_uring-fix-tw-losing-poll-events.patch new file mode 100644 index 00000000000..60a4f927648 --- /dev/null +++ b/queue-6.0/io_uring-fix-tw-losing-poll-events.patch @@ -0,0 +1,39 @@ +From 539bcb57da2f58886d7d5c17134236b0ec9cd15d Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Thu, 17 Nov 2022 18:40:15 +0000 +Subject: io_uring: fix tw losing poll events + +From: Pavel Begunkov + +commit 539bcb57da2f58886d7d5c17134236b0ec9cd15d upstream. + +We may never try to process a poll wake and its mask if there was +multiple wake ups racing for queueing up a tw. Force +io_poll_check_events() to update the mask by vfs_poll(). + +Cc: stable@vger.kernel.org +Fixes: aa43477b04025 ("io_uring: poll rework") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/00344d60f8b18907171178d7cf598de71d127b0b.1668710222.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/poll.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/io_uring/poll.c ++++ b/io_uring/poll.c +@@ -226,6 +226,13 @@ static int io_poll_check_events(struct i + return IOU_POLL_DONE; + if (v & IO_POLL_CANCEL_FLAG) + return -ECANCELED; ++ /* ++ * cqe.res contains only events of the first wake up ++ * and all others are be lost. Redo vfs_poll() to get ++ * up to date state. ++ */ ++ if ((v & IO_POLL_REF_MASK) != 1) ++ req->cqe.res = 0; + + /* the mask was stashed in __io_poll_execute */ + if (!req->cqe.res) { diff --git a/queue-6.0/maccess-fix-writing-offset-in-case-of-fault-in-strncpy_from_kernel_nofault.patch b/queue-6.0/maccess-fix-writing-offset-in-case-of-fault-in-strncpy_from_kernel_nofault.patch new file mode 100644 index 00000000000..d4191ec403d --- /dev/null +++ b/queue-6.0/maccess-fix-writing-offset-in-case-of-fault-in-strncpy_from_kernel_nofault.patch @@ -0,0 +1,37 @@ +From 8678ea06852cd1f819b870c773d43df888d15d46 Mon Sep 17 00:00:00 2001 +From: Alban Crequy +Date: Thu, 10 Nov 2022 09:56:13 +0100 +Subject: maccess: Fix writing offset in case of fault in strncpy_from_kernel_nofault() + +From: Alban Crequy + +commit 8678ea06852cd1f819b870c773d43df888d15d46 upstream. + +If a page fault occurs while copying the first byte, this function resets one +byte before dst. +As a consequence, an address could be modified and leaded to kernel crashes if +case the modified address was accessed later. + +Fixes: b58294ead14c ("maccess: allow architectures to provide kernel probing directly") +Signed-off-by: Alban Crequy +Signed-off-by: Andrii Nakryiko +Tested-by: Francis Laniel +Reviewed-by: Andrew Morton +Cc: [5.8] +Link: https://lore.kernel.org/bpf/20221110085614.111213-2-albancrequy@linux.microsoft.com +Signed-off-by: Greg Kroah-Hartman +--- + mm/maccess.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/maccess.c ++++ b/mm/maccess.c +@@ -97,7 +97,7 @@ long strncpy_from_kernel_nofault(char *d + return src - unsafe_addr; + Efault: + pagefault_enable(); +- dst[-1] = '\0'; ++ dst[0] = '\0'; + return -EFAULT; + } + diff --git a/queue-6.0/net-phy-marvell-add-sleep-time-after-enabling-the-loopback-bit.patch b/queue-6.0/net-phy-marvell-add-sleep-time-after-enabling-the-loopback-bit.patch new file mode 100644 index 00000000000..78adafa294c --- /dev/null +++ b/queue-6.0/net-phy-marvell-add-sleep-time-after-enabling-the-loopback-bit.patch @@ -0,0 +1,49 @@ +From 18c532e44939caa17f1fa380f7ac50dbc0718dbb Mon Sep 17 00:00:00 2001 +From: Aminuddin Jamaluddin +Date: Mon, 14 Nov 2022 14:53:02 +0800 +Subject: net: phy: marvell: add sleep time after enabling the loopback bit + +From: Aminuddin Jamaluddin + +commit 18c532e44939caa17f1fa380f7ac50dbc0718dbb upstream. + +Sleep time is added to ensure the phy to be ready after loopback +bit was set. This to prevent the phy loopback test from failing. + +Fixes: 020a45aff119 ("net: phy: marvell: add Marvell specific PHY loopback") +Cc: # 5.15.x +Signed-off-by: Muhammad Husaini Zulkifli +Signed-off-by: Aminuddin Jamaluddin +Link: https://lore.kernel.org/r/20221114065302.10625-1-aminuddin.jamaluddin@intel.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/marvell.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/net/phy/marvell.c ++++ b/drivers/net/phy/marvell.c +@@ -2015,14 +2015,16 @@ static int m88e1510_loopback(struct phy_ + if (err < 0) + return err; + +- /* FIXME: Based on trial and error test, it seem 1G need to have +- * delay between soft reset and loopback enablement. +- */ +- if (phydev->speed == SPEED_1000) +- msleep(1000); ++ err = phy_modify(phydev, MII_BMCR, BMCR_LOOPBACK, ++ BMCR_LOOPBACK); + +- return phy_modify(phydev, MII_BMCR, BMCR_LOOPBACK, +- BMCR_LOOPBACK); ++ if (!err) { ++ /* It takes some time for PHY device to switch ++ * into/out-of loopback mode. ++ */ ++ msleep(1000); ++ } ++ return err; + } else { + err = phy_modify(phydev, MII_BMCR, BMCR_LOOPBACK, 0); + if (err < 0) diff --git a/queue-6.0/nvme-pci-add-nvme_quirk_bogus_nid-for-micron-nitro.patch b/queue-6.0/nvme-pci-add-nvme_quirk_bogus_nid-for-micron-nitro.patch new file mode 100644 index 00000000000..96ff04faa49 --- /dev/null +++ b/queue-6.0/nvme-pci-add-nvme_quirk_bogus_nid-for-micron-nitro.patch @@ -0,0 +1,30 @@ +From d5ceb4d1c50786d21de3d4b06c3f43109ec56dd8 Mon Sep 17 00:00:00 2001 +From: Bean Huo +Date: Mon, 14 Nov 2022 14:48:52 +0100 +Subject: nvme-pci: add NVME_QUIRK_BOGUS_NID for Micron Nitro + +From: Bean Huo + +commit d5ceb4d1c50786d21de3d4b06c3f43109ec56dd8 upstream. + +Added a quirk to fix Micron Nitro NVMe reporting duplicate NGUIDs. + +Cc: +Signed-off-by: Bean Huo +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3488,6 +3488,8 @@ static const struct pci_device_id nvme_i + NVME_QUIRK_IGNORE_DEV_SUBNQN, }, + { PCI_DEVICE(0x1344, 0x5407), /* Micron Technology Inc NVMe SSD */ + .driver_data = NVME_QUIRK_IGNORE_DEV_SUBNQN }, ++ { PCI_DEVICE(0x1344, 0x6001), /* Micron Nitro NVMe */ ++ .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x1c5c, 0x1504), /* SK Hynix PC400 */ + .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, + { PCI_DEVICE(0x1c5c, 0x174a), /* SK Hynix P31 SSD */ diff --git a/queue-6.0/nvme-pci-add-nvme_quirk_bogus_nid-for-netac-nv7000.patch b/queue-6.0/nvme-pci-add-nvme_quirk_bogus_nid-for-netac-nv7000.patch new file mode 100644 index 00000000000..c6ce73b2621 --- /dev/null +++ b/queue-6.0/nvme-pci-add-nvme_quirk_bogus_nid-for-netac-nv7000.patch @@ -0,0 +1,31 @@ +From 8d6e38f636ac063e8062a21e7616f7d9bf0df5d8 Mon Sep 17 00:00:00 2001 +From: Tiago Dias Ferreira +Date: Wed, 16 Nov 2022 00:17:56 -0300 +Subject: nvme-pci: add NVME_QUIRK_BOGUS_NID for Netac NV7000 + +From: Tiago Dias Ferreira + +commit 8d6e38f636ac063e8062a21e7616f7d9bf0df5d8 upstream. + +Added a quirk to fix the Netac NV7000 SSD reporting duplicate NGUIDs. + +Cc: +Signed-off-by: Tiago Dias Ferreira +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3520,6 +3520,8 @@ static const struct pci_device_id nvme_i + .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, + { PCI_DEVICE(0x2646, 0x501E), /* KINGSTON OM3PGP4xxxxQ OS21011 NVMe SSD */ + .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, ++ { PCI_DEVICE(0x1f40, 0x5236), /* Netac Technologies Co. NV7000 NVMe SSD */ ++ .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x1e4B, 0x1001), /* MAXIO MAP1001 */ + .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x1e4B, 0x1002), /* MAXIO MAP1002 */ diff --git a/queue-6.0/scsi-zfcp-fix-double-free-of-fsf-request-when-qdio-send-fails.patch b/queue-6.0/scsi-zfcp-fix-double-free-of-fsf-request-when-qdio-send-fails.patch new file mode 100644 index 00000000000..128ed965b56 --- /dev/null +++ b/queue-6.0/scsi-zfcp-fix-double-free-of-fsf-request-when-qdio-send-fails.patch @@ -0,0 +1,200 @@ +From 0954256e970ecf371b03a6c9af2cf91b9c4085ff Mon Sep 17 00:00:00 2001 +From: Benjamin Block +Date: Wed, 16 Nov 2022 11:50:37 +0100 +Subject: scsi: zfcp: Fix double free of FSF request when qdio send fails + +From: Benjamin Block + +commit 0954256e970ecf371b03a6c9af2cf91b9c4085ff upstream. + +We used to use the wrong type of integer in 'zfcp_fsf_req_send()' to cache +the FSF request ID when sending a new FSF request. This is used in case the +sending fails and we need to remove the request from our internal hash +table again (so we don't keep an invalid reference and use it when we free +the request again). + +In 'zfcp_fsf_req_send()' we used to cache the ID as 'int' (signed and 32 +bit wide), but the rest of the zfcp code (and the firmware specification) +handles the ID as 'unsigned long'/'u64' (unsigned and 64 bit wide [s390x +ELF ABI]). For one this has the obvious problem that when the ID grows +past 32 bit (this can happen reasonably fast) it is truncated to 32 bit +when storing it in the cache variable and so doesn't match the original ID +anymore. The second less obvious problem is that even when the original ID +has not yet grown past 32 bit, as soon as the 32nd bit is set in the +original ID (0x80000000 = 2'147'483'648) we will have a mismatch when we +cast it back to 'unsigned long'. As the cached variable is of a signed +type, the compiler will choose a sign-extending instruction to load the 32 +bit variable into a 64 bit register (e.g.: 'lgf %r11,188(%r15)'). So once +we pass the cached variable into 'zfcp_reqlist_find_rm()' to remove the +request again all the leading zeros will be flipped to ones to extend the +sign and won't match the original ID anymore (this has been observed in +practice). + +If we can't successfully remove the request from the hash table again after +'zfcp_qdio_send()' fails (this happens regularly when zfcp cannot notify +the adapter about new work because the adapter is already gone during +e.g. a ChpID toggle) we will end up with a double free. We unconditionally +free the request in the calling function when 'zfcp_fsf_req_send()' fails, +but because the request is still in the hash table we end up with a stale +memory reference, and once the zfcp adapter is either reset during recovery +or shutdown we end up freeing the same memory twice. + +The resulting stack traces vary depending on the kernel and have no direct +correlation to the place where the bug occurs. Here are three examples that +have been seen in practice: + + list_del corruption. next->prev should be 00000001b9d13800, but was 00000000dead4ead. (next=00000001bd131a00) + ------------[ cut here ]------------ + kernel BUG at lib/list_debug.c:62! + monitor event: 0040 ilc:2 [#1] PREEMPT SMP + Modules linked in: ... + CPU: 9 PID: 1617 Comm: zfcperp0.0.1740 Kdump: loaded + Hardware name: ... + Krnl PSW : 0704d00180000000 00000003cbeea1f8 (__list_del_entry_valid+0x98/0x140) + R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3 + Krnl GPRS: 00000000916d12f1 0000000080000000 000000000000006d 00000003cb665cd6 + 0000000000000001 0000000000000000 0000000000000000 00000000d28d21e8 + 00000000d3844000 00000380099efd28 00000001bd131a00 00000001b9d13800 + 00000000d3290100 0000000000000000 00000003cbeea1f4 00000380099efc70 + Krnl Code: 00000003cbeea1e8: c020004f68a7 larl %r2,00000003cc8d7336 + 00000003cbeea1ee: c0e50027fd65 brasl %r14,00000003cc3e9cb8 + #00000003cbeea1f4: af000000 mc 0,0 + >00000003cbeea1f8: c02000920440 larl %r2,00000003cd12aa78 + 00000003cbeea1fe: c0e500289c25 brasl %r14,00000003cc3fda48 + 00000003cbeea204: b9040043 lgr %r4,%r3 + 00000003cbeea208: b9040051 lgr %r5,%r1 + 00000003cbeea20c: b9040032 lgr %r3,%r2 + Call Trace: + [<00000003cbeea1f8>] __list_del_entry_valid+0x98/0x140 + ([<00000003cbeea1f4>] __list_del_entry_valid+0x94/0x140) + [<000003ff7ff502fe>] zfcp_fsf_req_dismiss_all+0xde/0x150 [zfcp] + [<000003ff7ff49cd0>] zfcp_erp_strategy_do_action+0x160/0x280 [zfcp] + [<000003ff7ff4a22e>] zfcp_erp_strategy+0x21e/0xca0 [zfcp] + [<000003ff7ff4ad34>] zfcp_erp_thread+0x84/0x1a0 [zfcp] + [<00000003cb5eece8>] kthread+0x138/0x150 + [<00000003cb557f3c>] __ret_from_fork+0x3c/0x60 + [<00000003cc4172ea>] ret_from_fork+0xa/0x40 + INFO: lockdep is turned off. + Last Breaking-Event-Address: + [<00000003cc3e9d04>] _printk+0x4c/0x58 + Kernel panic - not syncing: Fatal exception: panic_on_oops + +or: + + Unable to handle kernel pointer dereference in virtual kernel address space + Failing address: 6b6b6b6b6b6b6000 TEID: 6b6b6b6b6b6b6803 + Fault in home space mode while using kernel ASCE. + AS:0000000063b10007 R3:0000000000000024 + Oops: 0038 ilc:3 [#1] SMP + Modules linked in: ... + CPU: 10 PID: 0 Comm: swapper/10 Kdump: loaded + Hardware name: ... + Krnl PSW : 0404d00180000000 000003ff7febaf8e (zfcp_fsf_reqid_check+0x86/0x158 [zfcp]) + R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3 + Krnl GPRS: 5a6f1cfa89c49ac3 00000000aff2c4c8 6b6b6b6b6b6b6b6b 00000000000002a8 + 0000000000000000 0000000000000055 0000000000000000 00000000a8515800 + 0700000000000000 00000000a6e14500 00000000aff2c000 000000008003c44c + 000000008093c700 0000000000000010 00000380009ebba8 00000380009ebb48 + Krnl Code: 000003ff7febaf7e: a7f4003d brc 15,000003ff7febaff8 + 000003ff7febaf82: e32020000004 lg %r2,0(%r2) + #000003ff7febaf88: ec2100388064 cgrj %r2,%r1,8,000003ff7febaff8 + >000003ff7febaf8e: e3b020100020 cg %r11,16(%r2) + 000003ff7febaf94: a774fff7 brc 7,000003ff7febaf82 + 000003ff7febaf98: ec280030007c cgij %r2,0,8,000003ff7febaff8 + 000003ff7febaf9e: e31020080004 lg %r1,8(%r2) + 000003ff7febafa4: e33020000004 lg %r3,0(%r2) + Call Trace: + [<000003ff7febaf8e>] zfcp_fsf_reqid_check+0x86/0x158 [zfcp] + [<000003ff7febbdbc>] zfcp_qdio_int_resp+0x6c/0x170 [zfcp] + [<000003ff7febbf90>] zfcp_qdio_irq_tasklet+0xd0/0x108 [zfcp] + [<0000000061d90a04>] tasklet_action_common.constprop.0+0xdc/0x128 + [<000000006292f300>] __do_softirq+0x130/0x3c0 + [<0000000061d906c6>] irq_exit_rcu+0xfe/0x118 + [<000000006291e818>] do_io_irq+0xc8/0x168 + [<000000006292d516>] io_int_handler+0xd6/0x110 + [<000000006292d596>] psw_idle_exit+0x0/0xa + ([<0000000061d3be50>] arch_cpu_idle+0x40/0xd0) + [<000000006292ceea>] default_idle_call+0x52/0xf8 + [<0000000061de4fa4>] do_idle+0xd4/0x168 + [<0000000061de51fe>] cpu_startup_entry+0x36/0x40 + [<0000000061d4faac>] smp_start_secondary+0x12c/0x138 + [<000000006292d88e>] restart_int_handler+0x6e/0x90 + Last Breaking-Event-Address: + [<000003ff7febaf94>] zfcp_fsf_reqid_check+0x8c/0x158 [zfcp] + Kernel panic - not syncing: Fatal exception in interrupt + +or: + + Unable to handle kernel pointer dereference in virtual kernel address space + Failing address: 523b05d3ae76a000 TEID: 523b05d3ae76a803 + Fault in home space mode while using kernel ASCE. + AS:0000000077c40007 R3:0000000000000024 + Oops: 0038 ilc:3 [#1] SMP + Modules linked in: ... + CPU: 3 PID: 453 Comm: kworker/3:1H Kdump: loaded + Hardware name: ... + Workqueue: kblockd blk_mq_run_work_fn + Krnl PSW : 0404d00180000000 0000000076fc0312 (__kmalloc+0xd2/0x398) + R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3 + Krnl GPRS: ffffffffffffffff 523b05d3ae76abf6 0000000000000000 0000000000092a20 + 0000000000000002 00000007e49b5cc0 00000007eda8f000 0000000000092a20 + 00000007eda8f000 00000003b02856b9 00000000000000a8 523b05d3ae76abf6 + 00000007dd662000 00000007eda8f000 0000000076fc02b2 000003e0037637a0 + Krnl Code: 0000000076fc0302: c004000000d4 brcl 0,76fc04aa + 0000000076fc0308: b904001b lgr %r1,%r11 + #0000000076fc030c: e3106020001a algf %r1,32(%r6) + >0000000076fc0312: e31010000082 xg %r1,0(%r1) + 0000000076fc0318: b9040001 lgr %r0,%r1 + 0000000076fc031c: e30061700082 xg %r0,368(%r6) + 0000000076fc0322: ec59000100d9 aghik %r5,%r9,1 + 0000000076fc0328: e34003b80004 lg %r4,952 + Call Trace: + [<0000000076fc0312>] __kmalloc+0xd2/0x398 + [<0000000076f318f2>] mempool_alloc+0x72/0x1f8 + [<000003ff8027c5f8>] zfcp_fsf_req_create.isra.7+0x40/0x268 [zfcp] + [<000003ff8027f1bc>] zfcp_fsf_fcp_cmnd+0xac/0x3f0 [zfcp] + [<000003ff80280f1a>] zfcp_scsi_queuecommand+0x122/0x1d0 [zfcp] + [<000003ff800b4218>] scsi_queue_rq+0x778/0xa10 [scsi_mod] + [<00000000771782a0>] __blk_mq_try_issue_directly+0x130/0x208 + [<000000007717a124>] blk_mq_request_issue_directly+0x4c/0xa8 + [<000003ff801302e2>] dm_mq_queue_rq+0x2ea/0x468 [dm_mod] + [<0000000077178c12>] blk_mq_dispatch_rq_list+0x33a/0x818 + [<000000007717f064>] __blk_mq_do_dispatch_sched+0x284/0x2f0 + [<000000007717f44c>] __blk_mq_sched_dispatch_requests+0x1c4/0x218 + [<000000007717fa7a>] blk_mq_sched_dispatch_requests+0x52/0x90 + [<0000000077176d74>] __blk_mq_run_hw_queue+0x9c/0xc0 + [<0000000076da6d74>] process_one_work+0x274/0x4d0 + [<0000000076da7018>] worker_thread+0x48/0x560 + [<0000000076daef18>] kthread+0x140/0x160 + [<000000007751d144>] ret_from_fork+0x28/0x30 + Last Breaking-Event-Address: + [<0000000076fc0474>] __kmalloc+0x234/0x398 + Kernel panic - not syncing: Fatal exception: panic_on_oops + +To fix this, simply change the type of the cache variable to 'unsigned +long', like the rest of zfcp and also the argument for +'zfcp_reqlist_find_rm()'. This prevents truncation and wrong sign extension +and so can successfully remove the request from the hash table. + +Fixes: e60a6d69f1f8 ("[SCSI] zfcp: Remove function zfcp_reqlist_find_safe") +Cc: #v2.6.34+ +Signed-off-by: Benjamin Block +Link: https://lore.kernel.org/r/979f6e6019d15f91ba56182f1aaf68d61bf37fc6.1668595505.git.bblock@linux.ibm.com +Reviewed-by: Steffen Maier +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/scsi/zfcp_fsf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/s390/scsi/zfcp_fsf.c ++++ b/drivers/s390/scsi/zfcp_fsf.c +@@ -884,7 +884,7 @@ static int zfcp_fsf_req_send(struct zfcp + const bool is_srb = zfcp_fsf_req_is_status_read_buffer(req); + struct zfcp_adapter *adapter = req->adapter; + struct zfcp_qdio *qdio = adapter->qdio; +- int req_id = req->req_id; ++ unsigned long req_id = req->req_id; + + zfcp_reqlist_add(adapter->req_list, req); + diff --git a/queue-6.0/serial-8250-fall-back-to-non-dma-rx-if-iir_rdi-occurs.patch b/queue-6.0/serial-8250-fall-back-to-non-dma-rx-if-iir_rdi-occurs.patch new file mode 100644 index 00000000000..c435c614d74 --- /dev/null +++ b/queue-6.0/serial-8250-fall-back-to-non-dma-rx-if-iir_rdi-occurs.patch @@ -0,0 +1,53 @@ +From a931237cbea256aff13bb403da13a97b2d1605d9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Tue, 8 Nov 2022 14:19:49 +0200 +Subject: serial: 8250: Fall back to non-DMA Rx if IIR_RDI occurs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit a931237cbea256aff13bb403da13a97b2d1605d9 upstream. + +DW UART sometimes triggers IIR_RDI during DMA Rx when IIR_RX_TIMEOUT +should have been triggered instead. Since IIR_RDI has higher priority +than IIR_RX_TIMEOUT, this causes the Rx to hang into interrupt loop. +The problem seems to occur at least with some combinations of +small-sized transfers (I've reproduced the problem on Elkhart Lake PSE +UARTs). + +If there's already an on-going Rx DMA and IIR_RDI triggers, fall +graciously back to non-DMA Rx. That is, behave as if IIR_RX_TIMEOUT had +occurred. + +8250_omap already considers IIR_RDI similar to this change so its +nothing unheard of. + +Fixes: 75df022b5f89 ("serial: 8250_dma: Fix RX handling") +Cc: +Co-developed-by: Srikanth Thokala +Signed-off-by: Srikanth Thokala +Co-developed-by: Aman Kumar +Signed-off-by: Aman Kumar +Signed-off-by: Ilpo Järvinen +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221108121952.5497-2-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_port.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -1892,6 +1892,10 @@ EXPORT_SYMBOL_GPL(serial8250_modem_statu + static bool handle_rx_dma(struct uart_8250_port *up, unsigned int iir) + { + switch (iir & 0x3f) { ++ case UART_IIR_RDI: ++ if (!up->dma->rx_running) ++ break; ++ fallthrough; + case UART_IIR_RX_TIMEOUT: + serial8250_rx_dma_flush(up); + fallthrough; diff --git a/queue-6.0/serial-8250-flush-dma-rx-on-rlsi.patch b/queue-6.0/serial-8250-flush-dma-rx-on-rlsi.patch new file mode 100644 index 00000000000..1e03e69ac2c --- /dev/null +++ b/queue-6.0/serial-8250-flush-dma-rx-on-rlsi.patch @@ -0,0 +1,41 @@ +From 1980860e0c8299316cddaf0992dd9e1258ec9d88 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Tue, 8 Nov 2022 14:19:52 +0200 +Subject: serial: 8250: Flush DMA Rx on RLSI +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit 1980860e0c8299316cddaf0992dd9e1258ec9d88 upstream. + +Returning true from handle_rx_dma() without flushing DMA first creates +a data ordering hazard. If DMA Rx has handled any character at the +point when RLSI occurs, the non-DMA path handles any pending characters +jumping them ahead of those characters that are pending under DMA. + +Fixes: 75df022b5f89 ("serial: 8250_dma: Fix RX handling") +Cc: +Signed-off-by: Ilpo Järvinen +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221108121952.5497-5-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_port.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -1896,10 +1896,9 @@ static bool handle_rx_dma(struct uart_82 + if (!up->dma->rx_running) + break; + fallthrough; ++ case UART_IIR_RLSI: + case UART_IIR_RX_TIMEOUT: + serial8250_rx_dma_flush(up); +- fallthrough; +- case UART_IIR_RLSI: + return true; + } + return up->dma->rx_dma(up); diff --git a/queue-6.0/serial-8250_lpss-configure-dma-also-w-o-dma-filter.patch b/queue-6.0/serial-8250_lpss-configure-dma-also-w-o-dma-filter.patch new file mode 100644 index 00000000000..e672b87bc68 --- /dev/null +++ b/queue-6.0/serial-8250_lpss-configure-dma-also-w-o-dma-filter.patch @@ -0,0 +1,66 @@ +From 1bfcbe5805d0cfc83c3544dcd01e0a282c1f6790 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Tue, 8 Nov 2022 14:19:50 +0200 +Subject: serial: 8250_lpss: Configure DMA also w/o DMA filter +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit 1bfcbe5805d0cfc83c3544dcd01e0a282c1f6790 upstream. + +If the platform doesn't use DMA device filter (as is the case with +Elkhart Lake), whole lpss8250_dma_setup() setup is skipped. This +results in skipping also *_maxburst setup which is undesirable. +Refactor lpss8250_dma_setup() to configure DMA even if filter is not +setup. + +Cc: stable +Signed-off-by: Ilpo Järvinen +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221108121952.5497-3-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_lpss.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/tty/serial/8250/8250_lpss.c ++++ b/drivers/tty/serial/8250/8250_lpss.c +@@ -277,8 +277,13 @@ static int lpss8250_dma_setup(struct lps + struct dw_dma_slave *rx_param, *tx_param; + struct device *dev = port->port.dev; + +- if (!lpss->dma_param.dma_dev) ++ if (!lpss->dma_param.dma_dev) { ++ dma = port->dma; ++ if (dma) ++ goto out_configuration_only; ++ + return 0; ++ } + + rx_param = devm_kzalloc(dev, sizeof(*rx_param), GFP_KERNEL); + if (!rx_param) +@@ -289,16 +294,18 @@ static int lpss8250_dma_setup(struct lps + return -ENOMEM; + + *rx_param = lpss->dma_param; +- dma->rxconf.src_maxburst = lpss->dma_maxburst; +- + *tx_param = lpss->dma_param; +- dma->txconf.dst_maxburst = lpss->dma_maxburst; + + dma->fn = lpss8250_dma_filter; + dma->rx_param = rx_param; + dma->tx_param = tx_param; + + port->dma = dma; ++ ++out_configuration_only: ++ dma->rxconf.src_maxburst = lpss->dma_maxburst; ++ dma->txconf.dst_maxburst = lpss->dma_maxburst; ++ + return 0; + } + diff --git a/queue-6.0/serial-8250_lpss-use-16b-dma-burst-with-elkhart-lake.patch b/queue-6.0/serial-8250_lpss-use-16b-dma-burst-with-elkhart-lake.patch new file mode 100644 index 00000000000..43ee4d1d138 --- /dev/null +++ b/queue-6.0/serial-8250_lpss-use-16b-dma-burst-with-elkhart-lake.patch @@ -0,0 +1,42 @@ +From 7090abd6ad0610a144523ce4ffcb8560909bf2a8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Tue, 8 Nov 2022 14:19:51 +0200 +Subject: serial: 8250_lpss: Use 16B DMA burst with Elkhart Lake +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit 7090abd6ad0610a144523ce4ffcb8560909bf2a8 upstream. + +Configure DMA to use 16B burst size with Elkhart Lake. This makes the +bus use more efficient and works around an issue which occurs with the +previously used 1B. + +The fix was initially developed by Srikanth Thokala and Aman Kumar. +This together with the previous config change is the cleaned up version +of the original fix. + +Fixes: 0a9410b981e9 ("serial: 8250_lpss: Enable DMA on Intel Elkhart Lake") +Cc: # serial: 8250_lpss: Configure DMA also w/o DMA filter +Reported-by: Wentong Wu +Signed-off-by: Ilpo Järvinen +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221108121952.5497-4-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_lpss.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/tty/serial/8250/8250_lpss.c ++++ b/drivers/tty/serial/8250/8250_lpss.c +@@ -174,6 +174,8 @@ static int ehl_serial_setup(struct lpss8 + */ + up->dma = dma; + ++ lpss->dma_maxburst = 16; ++ + port->set_termios = dw8250_do_set_termios; + + return 0; diff --git a/queue-6.0/series b/queue-6.0/series index 5fd70fe0575..3925e0f5c78 100644 --- a/queue-6.0/series +++ b/queue-6.0/series @@ -224,3 +224,42 @@ alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch revert-usb-dwc3-disable-usb-core-phy-management.patch usb-dwc3-do-not-get-extcon-device-when-usb-role-switch-is-used.patch io_uring-update-res-mask-in-io_poll_check_events.patch +nvme-pci-add-nvme_quirk_bogus_nid-for-micron-nitro.patch +nvme-pci-add-nvme_quirk_bogus_nid-for-netac-nv7000.patch +slimbus-qcom-ngd-fix-build-error-when-config_slim_qcom_ngd_ctrl-y-config_qcom_rproc_common-m.patch +slimbus-stream-correct-presence-rate-frequencies.patch +speakup-fix-a-segfault-caused-by-switching-consoles.patch +speakup-replace-utils-u_char-with-unsigned-char.patch +usb-bcma-make-gpio-explicitly-optional.patch +usb-serial-option-add-sierra-wireless-em9191.patch +usb-serial-option-remove-old-lara-r6-pid.patch +usb-serial-option-add-u-blox-lara-r6-00b-modem.patch +usb-serial-option-add-u-blox-lara-l6-modem.patch +usb-serial-option-add-fibocom-fm160-0x0111-composition.patch +usb-add-no_lpm-quirk-for-realforce-87u-keyboard.patch +usb-chipidea-fix-deadlock-in-ci_otg_del_timer.patch +usb-cdns3-host-fix-endless-superspeed-hub-port-reset.patch +usb-typec-mux-enter-safe-mode-only-when-pins-need-to-be-reconfigured.patch +usb-typec-tipd-prevent-uninitialized-event-1-2-in-irq-handler.patch +iio-accel-bma400-ensure-vddio-is-enable-defore-reading-the-chip-id.patch +iio-adc-at91_adc-fix-possible-memory-leak-in-at91_adc_allocate_trigger.patch +iio-trigger-sysfs-fix-possible-memory-leak-in-iio_sysfs_trig_init.patch +iio-adc-mp2629-fix-wrong-comparison-of-channel.patch +iio-adc-mp2629-fix-potential-array-out-of-bound-access.patch +iio-pressure-ms5611-fixed-value-compensation-bug.patch +iio-pressure-ms5611-changed-hardcoded-spi-speed-to-value-limited.patch +dm-bufio-fix-missing-decrement-of-no_sleep_enabled-if-dm_bufio_client_create-failed.patch +dm-ioctl-fix-misbehavior-if-list_versions-races-with-module-loading.patch +serial-8250-fall-back-to-non-dma-rx-if-iir_rdi-occurs.patch +serial-8250-flush-dma-rx-on-rlsi.patch +serial-8250_lpss-configure-dma-also-w-o-dma-filter.patch +serial-8250_lpss-use-16b-dma-burst-with-elkhart-lake.patch +io_uring-fix-tw-losing-poll-events.patch +io_uring-fix-multishot-accept-request-leaks.patch +io_uring-fix-multishot-recv-request-leaks.patch +io_uring-disallow-self-propelled-ring-polling.patch +ceph-avoid-putting-the-realm-twice-when-decoding-snaps-fails.patch +input-iforce-invert-valid-length-check-when-fetching-device-ids.patch +maccess-fix-writing-offset-in-case-of-fault-in-strncpy_from_kernel_nofault.patch +net-phy-marvell-add-sleep-time-after-enabling-the-loopback-bit.patch +scsi-zfcp-fix-double-free-of-fsf-request-when-qdio-send-fails.patch diff --git a/queue-6.0/slimbus-qcom-ngd-fix-build-error-when-config_slim_qcom_ngd_ctrl-y-config_qcom_rproc_common-m.patch b/queue-6.0/slimbus-qcom-ngd-fix-build-error-when-config_slim_qcom_ngd_ctrl-y-config_qcom_rproc_common-m.patch new file mode 100644 index 00000000000..6276f7c7134 --- /dev/null +++ b/queue-6.0/slimbus-qcom-ngd-fix-build-error-when-config_slim_qcom_ngd_ctrl-y-config_qcom_rproc_common-m.patch @@ -0,0 +1,41 @@ +From e54fad8044db18cc400df8d01bfb86cada08b7cb Mon Sep 17 00:00:00 2001 +From: Zheng Bin +Date: Thu, 27 Oct 2022 17:59:04 +0800 +Subject: slimbus: qcom-ngd: Fix build error when CONFIG_SLIM_QCOM_NGD_CTRL=y && CONFIG_QCOM_RPROC_COMMON=m + +From: Zheng Bin + +commit e54fad8044db18cc400df8d01bfb86cada08b7cb upstream. + +If CONFIG_SLIM_QCOM_NGD_CTRL=y, CONFIG_QCOM_RPROC_COMMON=m, COMPILE_TEST=y, +bulding fails: + +drivers/slimbus/qcom-ngd-ctrl.o: In function `qcom_slim_ngd_ctrl_probe': +qcom-ngd-ctrl.c:(.text+0x330): undefined reference to `qcom_register_ssr_notifier' +qcom-ngd-ctrl.c:(.text+0x5fc): undefined reference to `qcom_unregister_ssr_notifier' +drivers/slimbus/qcom-ngd-ctrl.o: In function `qcom_slim_ngd_remove': +qcom-ngd-ctrl.c:(.text+0x90c): undefined reference to `qcom_unregister_ssr_notifier' + +Make SLIM_QCOM_NGD_CTRL depends on QCOM_RPROC_COMMON || (COMPILE_TEST && !QCOM_RPROC_COMMON) to fix this. + +Fixes: e291691c6977 ("slimbus: qcom-ngd-ctrl: allow compile testing without QCOM_RPROC_COMMON") +Cc: stable +Signed-off-by: Zheng Bin +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20221027095904.3388959-1-zhengbin13@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/slimbus/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/slimbus/Kconfig ++++ b/drivers/slimbus/Kconfig +@@ -23,7 +23,7 @@ config SLIM_QCOM_CTRL + config SLIM_QCOM_NGD_CTRL + tristate "Qualcomm SLIMbus Satellite Non-Generic Device Component" + depends on HAS_IOMEM && DMA_ENGINE && NET && QCOM_RPROC_COMMON +- depends on ARCH_QCOM || COMPILE_TEST ++ depends on ARCH_QCOM || (COMPILE_TEST && !QCOM_RPROC_COMMON) + select QCOM_QMI_HELPERS + select QCOM_PDR_HELPERS + help diff --git a/queue-6.0/slimbus-stream-correct-presence-rate-frequencies.patch b/queue-6.0/slimbus-stream-correct-presence-rate-frequencies.patch new file mode 100644 index 00000000000..a43d3b24258 --- /dev/null +++ b/queue-6.0/slimbus-stream-correct-presence-rate-frequencies.patch @@ -0,0 +1,38 @@ +From b9c1939627f8185dec8ba6d741e9573a4c7a5834 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 29 Sep 2022 18:52:02 +0200 +Subject: slimbus: stream: correct presence rate frequencies + +From: Krzysztof Kozlowski + +commit b9c1939627f8185dec8ba6d741e9573a4c7a5834 upstream. + +Correct few frequencies in presence rate table - multiplied by 10 +(110250 instead of 11025 Hz). + +Fixes: abb9c9b8b51b ("slimbus: stream: add stream support") +Cc: +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220929165202.410937-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/slimbus/stream.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/slimbus/stream.c ++++ b/drivers/slimbus/stream.c +@@ -67,10 +67,10 @@ static const int slim_presence_rate_tabl + 384000, + 768000, + 0, /* Reserved */ +- 110250, +- 220500, +- 441000, +- 882000, ++ 11025, ++ 22050, ++ 44100, ++ 88200, + 176400, + 352800, + 705600, diff --git a/queue-6.0/speakup-fix-a-segfault-caused-by-switching-consoles.patch b/queue-6.0/speakup-fix-a-segfault-caused-by-switching-consoles.patch new file mode 100644 index 00000000000..a6076a2b11e --- /dev/null +++ b/queue-6.0/speakup-fix-a-segfault-caused-by-switching-consoles.patch @@ -0,0 +1,61 @@ +From 0fc801f8018000c8e64a275a20cb1da7c54e46df Mon Sep 17 00:00:00 2001 +From: Mushahid Hussain +Date: Mon, 10 Oct 2022 21:57:20 +0500 +Subject: speakup: fix a segfault caused by switching consoles + +From: Mushahid Hussain + +commit 0fc801f8018000c8e64a275a20cb1da7c54e46df upstream. + +This patch fixes a segfault by adding a null check on synth in +speakup_con_update(). The segfault can be reproduced as follows: + + - Login into a text console + + - Load speakup and speakup_soft modules + + - Remove speakup_soft + + - Switch to a graphics console + +This is caused by lack of a null check on `synth` in +speakup_con_update(). + +Here's the sequence that causes the segfault: + + - When we remove the speakup_soft, synth_release() sets the synth + to null. + + - After that, when we change the virtual console to graphics + console, vt_notifier_call() is fired, which then calls + speakup_con_update(). + + - Inside speakup_con_update() there's no null check on synth, + so it calls synth_printf(). + + - Inside synth_printf(), synth_buffer_add() and synth_start(), + both access synth, when it is null and causing a segfault. + +Therefore adding a null check on synth solves the issue. + +Fixes: 2610df41489f ("staging: speakup: Add pause command used on switching to graphical mode") +Cc: stable +Signed-off-by: Mushahid Hussain +Signed-off-by: Samuel Thibault +Link: https://lore.kernel.org/r/20221010165720.397042-1-mushi.shar@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accessibility/speakup/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/accessibility/speakup/main.c ++++ b/drivers/accessibility/speakup/main.c +@@ -1778,7 +1778,7 @@ static void speakup_con_update(struct vc + { + unsigned long flags; + +- if (!speakup_console[vc->vc_num] || spk_parked) ++ if (!speakup_console[vc->vc_num] || spk_parked || !synth) + return; + if (!spin_trylock_irqsave(&speakup_info.spinlock, flags)) + /* Speakup output, discard */ diff --git a/queue-6.0/speakup-replace-utils-u_char-with-unsigned-char.patch b/queue-6.0/speakup-replace-utils-u_char-with-unsigned-char.patch new file mode 100644 index 00000000000..11864984173 --- /dev/null +++ b/queue-6.0/speakup-replace-utils-u_char-with-unsigned-char.patch @@ -0,0 +1,41 @@ +From 92ca969ff8815f3feef2645199bd39bf594e5eeb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?= + +Date: Mon, 17 Oct 2022 15:09:36 +0700 +Subject: speakup: replace utils' u_char with unsigned char +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Đoàn Trần Công Danh + +commit 92ca969ff8815f3feef2645199bd39bf594e5eeb upstream. + +drivers/accessibility/speakup/utils.h will be used to compile host tool +to generate metadata. + +"u_char" is a non-standard type, which is defined to "unsigned char" +on glibc but not defined by some libc, e.g. musl. + +Let's replace "u_char" with "unsigned char" + +Signed-off-by: Đoàn Trần Công Danh +Reviewed-by: Samuel Thibault +Cc: stable +Link: https://lore.kernel.org/r/b75743026aaee2d81efe3d7f2e8fa47f7d0b8ea7.1665736571.git.congdanhqx@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accessibility/speakup/utils.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/accessibility/speakup/utils.h ++++ b/drivers/accessibility/speakup/utils.h +@@ -54,7 +54,7 @@ static inline int oops(const char *msg, + + static inline struct st_key *hash_name(char *name) + { +- u_char *pn = (u_char *)name; ++ unsigned char *pn = (unsigned char *)name; + int hash = 0; + + while (*pn) { diff --git a/queue-6.0/usb-add-no_lpm-quirk-for-realforce-87u-keyboard.patch b/queue-6.0/usb-add-no_lpm-quirk-for-realforce-87u-keyboard.patch new file mode 100644 index 00000000000..b039f361698 --- /dev/null +++ b/queue-6.0/usb-add-no_lpm-quirk-for-realforce-87u-keyboard.patch @@ -0,0 +1,50 @@ +From 181135bb20dcb184edd89817831b888eb8132741 Mon Sep 17 00:00:00 2001 +From: Nicolas Dumazet +Date: Wed, 9 Nov 2022 13:29:46 +0100 +Subject: usb: add NO_LPM quirk for Realforce 87U Keyboard + +From: Nicolas Dumazet + +commit 181135bb20dcb184edd89817831b888eb8132741 upstream. + +Before adding this quirk, this (mechanical keyboard) device would not be +recognized, logging: + + new full-speed USB device number 56 using xhci_hcd + unable to read config index 0 descriptor/start: -32 + chopping to 0 config(s) + +It would take dozens of plugging/unpuggling cycles for the keyboard to +be recognized. Keyboard seems to simply work after applying this quirk. + +This issue had been reported by users in two places already ([1], [2]) +but nobody tried upstreaming a patch yet. After testing I believe their +suggested fix (DELAY_INIT + NO_LPM + DEVICE_QUALIFIER) was probably a +little overkill. I assume this particular combination was tested because +it had been previously suggested in [3], but only NO_LPM seems +sufficient for this device. + +[1]: https://qiita.com/float168/items/fed43d540c8e2201b543 +[2]: https://blog.kostic.dev/posts/making-the-realforce-87ub-work-with-usb30-on-Ubuntu/ +[3]: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1678477 + +Cc: stable@vger.kernel.org +Signed-off-by: Nicolas Dumazet +Link: https://lore.kernel.org/r/20221109122946.706036-1-ndumazet@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -362,6 +362,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x0781, 0x5583), .driver_info = USB_QUIRK_NO_LPM }, + { USB_DEVICE(0x0781, 0x5591), .driver_info = USB_QUIRK_NO_LPM }, + ++ /* Realforce 87U Keyboard */ ++ { USB_DEVICE(0x0853, 0x011b), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* M-Systems Flash Disk Pioneers */ + { USB_DEVICE(0x08ec, 0x1000), .driver_info = USB_QUIRK_RESET_RESUME }, + diff --git a/queue-6.0/usb-bcma-make-gpio-explicitly-optional.patch b/queue-6.0/usb-bcma-make-gpio-explicitly-optional.patch new file mode 100644 index 00000000000..d74c9353833 --- /dev/null +++ b/queue-6.0/usb-bcma-make-gpio-explicitly-optional.patch @@ -0,0 +1,65 @@ +From cd136706b4f925aa5d316642543babac90d45910 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Mon, 7 Nov 2022 10:07:53 +0100 +Subject: USB: bcma: Make GPIO explicitly optional +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Walleij + +commit cd136706b4f925aa5d316642543babac90d45910 upstream. + +What the code does is to not check the return value from +devm_gpiod_get() and then avoid using an erroneous GPIO descriptor +with IS_ERR_OR_NULL(). + +This will miss real errors from the GPIO core that should not be +ignored, such as probe deferral. + +Instead request the GPIO as explicitly optional, which means that +if it doesn't exist, the descriptor returned will be NULL. + +Then we can add error handling and also avoid just doing this on +the device tree path, and simplify the site where the optional +GPIO descriptor is used. + +There were some problems with cleaning up this GPIO descriptor +use in the past, but this is the proper way to deal with it. + +Cc: Rafał Miłecki +Cc: Chuhong Yuan +Signed-off-by: Linus Walleij +Cc: stable +Link: https://lore.kernel.org/r/20221107090753.1404679-1-linus.walleij@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/bcma-hcd.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/usb/host/bcma-hcd.c ++++ b/drivers/usb/host/bcma-hcd.c +@@ -285,7 +285,7 @@ static void bcma_hci_platform_power_gpio + { + struct bcma_hcd_device *usb_dev = bcma_get_drvdata(dev); + +- if (IS_ERR_OR_NULL(usb_dev->gpio_desc)) ++ if (!usb_dev->gpio_desc) + return; + + gpiod_set_value(usb_dev->gpio_desc, val); +@@ -406,9 +406,11 @@ static int bcma_hcd_probe(struct bcma_de + return -ENOMEM; + usb_dev->core = core; + +- if (core->dev.of_node) +- usb_dev->gpio_desc = devm_gpiod_get(&core->dev, "vcc", +- GPIOD_OUT_HIGH); ++ usb_dev->gpio_desc = devm_gpiod_get_optional(&core->dev, "vcc", ++ GPIOD_OUT_HIGH); ++ if (IS_ERR(usb_dev->gpio_desc)) ++ return dev_err_probe(&core->dev, PTR_ERR(usb_dev->gpio_desc), ++ "error obtaining VCC GPIO"); + + switch (core->id.id) { + case BCMA_CORE_USB20_HOST: diff --git a/queue-6.0/usb-cdns3-host-fix-endless-superspeed-hub-port-reset.patch b/queue-6.0/usb-cdns3-host-fix-endless-superspeed-hub-port-reset.patch new file mode 100644 index 00000000000..44af40eda83 --- /dev/null +++ b/queue-6.0/usb-cdns3-host-fix-endless-superspeed-hub-port-reset.patch @@ -0,0 +1,131 @@ +From 9d5333c931347005352d5b8beaa43528c94cfc9c Mon Sep 17 00:00:00 2001 +From: Li Jun +Date: Wed, 26 Oct 2022 15:07:49 -0400 +Subject: usb: cdns3: host: fix endless superspeed hub port reset + +From: Li Jun + +commit 9d5333c931347005352d5b8beaa43528c94cfc9c upstream. + +When usb 3.0 hub connect with one USB 2.0 device and NO USB 3.0 device, +some usb hub reports endless port reset message. + +[ 190.324169] usb 2-1: new SuperSpeed USB device number 88 using xhci-hcd +[ 190.352834] hub 2-1:1.0: USB hub found +[ 190.356995] hub 2-1:1.0: 4 ports detected +[ 190.700056] usb 2-1: USB disconnect, device number 88 +[ 192.472139] usb 2-1: new SuperSpeed USB device number 89 using xhci-hcd +[ 192.500820] hub 2-1:1.0: USB hub found +[ 192.504977] hub 2-1:1.0: 4 ports detected +[ 192.852066] usb 2-1: USB disconnect, device number 89 + +The reason is the runtime pm state of USB2.0 port is active and +USB 3.0 port is suspend, so parent device is active state. + + cat /sys/bus/platform/devices/5b110000.usb/5b130000.usb/xhci-hcd.1.auto/usb2/power/runtime_status + + suspended + + cat /sys/bus/platform/devices/5b110000.usb/5b130000.usb/xhci-hcd.1.auto/usb1/power/runtime_status + + active + + cat /sys/bus/platform/devices/5b110000.usb/5b130000.usb/xhci-hcd.1.auto/power/runtime_status + + active + + cat /sys/bus/platform/devices/5b110000.usb/5b130000.usb/power/runtime_status + + active + +So xhci_cdns3_suspend_quirk() have not called. U3 configure is not applied. + +move U3 configure into host start. Reinit again in resume function in case +controller power lost during suspend. + +Cc: stable@vger.kernel.org 5.10 +Signed-off-by: Li Jun +Signed-off-by: Frank Li +Reviewed-by: Peter Chen +Acked-by: Alexander Stein +Link: https://lore.kernel.org/r/20221026190749.2280367-1-Frank.Li@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/host.c | 56 +++++++++++++++++++++++------------------------ + 1 file changed, 28 insertions(+), 28 deletions(-) + +--- a/drivers/usb/cdns3/host.c ++++ b/drivers/usb/cdns3/host.c +@@ -24,11 +24,37 @@ + #define CFG_RXDET_P3_EN BIT(15) + #define LPM_2_STB_SWITCH_EN BIT(25) + +-static int xhci_cdns3_suspend_quirk(struct usb_hcd *hcd); ++static void xhci_cdns3_plat_start(struct usb_hcd *hcd) ++{ ++ struct xhci_hcd *xhci = hcd_to_xhci(hcd); ++ u32 value; ++ ++ /* set usbcmd.EU3S */ ++ value = readl(&xhci->op_regs->command); ++ value |= CMD_PM_INDEX; ++ writel(value, &xhci->op_regs->command); ++ ++ if (hcd->regs) { ++ value = readl(hcd->regs + XECP_AUX_CTRL_REG1); ++ value |= CFG_RXDET_P3_EN; ++ writel(value, hcd->regs + XECP_AUX_CTRL_REG1); ++ ++ value = readl(hcd->regs + XECP_PORT_CAP_REG); ++ value |= LPM_2_STB_SWITCH_EN; ++ writel(value, hcd->regs + XECP_PORT_CAP_REG); ++ } ++} ++ ++static int xhci_cdns3_resume_quirk(struct usb_hcd *hcd) ++{ ++ xhci_cdns3_plat_start(hcd); ++ return 0; ++} + + static const struct xhci_plat_priv xhci_plat_cdns3_xhci = { + .quirks = XHCI_SKIP_PHY_INIT | XHCI_AVOID_BEI, +- .suspend_quirk = xhci_cdns3_suspend_quirk, ++ .plat_start = xhci_cdns3_plat_start, ++ .resume_quirk = xhci_cdns3_resume_quirk, + }; + + static int __cdns_host_init(struct cdns *cdns) +@@ -90,32 +116,6 @@ err1: + return ret; + } + +-static int xhci_cdns3_suspend_quirk(struct usb_hcd *hcd) +-{ +- struct xhci_hcd *xhci = hcd_to_xhci(hcd); +- u32 value; +- +- if (pm_runtime_status_suspended(hcd->self.controller)) +- return 0; +- +- /* set usbcmd.EU3S */ +- value = readl(&xhci->op_regs->command); +- value |= CMD_PM_INDEX; +- writel(value, &xhci->op_regs->command); +- +- if (hcd->regs) { +- value = readl(hcd->regs + XECP_AUX_CTRL_REG1); +- value |= CFG_RXDET_P3_EN; +- writel(value, hcd->regs + XECP_AUX_CTRL_REG1); +- +- value = readl(hcd->regs + XECP_PORT_CAP_REG); +- value |= LPM_2_STB_SWITCH_EN; +- writel(value, hcd->regs + XECP_PORT_CAP_REG); +- } +- +- return 0; +-} +- + static void cdns_host_exit(struct cdns *cdns) + { + kfree(cdns->xhci_plat_data); diff --git a/queue-6.0/usb-chipidea-fix-deadlock-in-ci_otg_del_timer.patch b/queue-6.0/usb-chipidea-fix-deadlock-in-ci_otg_del_timer.patch new file mode 100644 index 00000000000..f15216f44c7 --- /dev/null +++ b/queue-6.0/usb-chipidea-fix-deadlock-in-ci_otg_del_timer.patch @@ -0,0 +1,56 @@ +From 7a58b8d6021426b796eebfae80983374d9a80a75 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Sun, 18 Sep 2022 11:33:12 +0800 +Subject: usb: chipidea: fix deadlock in ci_otg_del_timer + +From: Duoming Zhou + +commit 7a58b8d6021426b796eebfae80983374d9a80a75 upstream. + +There is a deadlock in ci_otg_del_timer(), the process is +shown below: + + (thread 1) | (thread 2) +ci_otg_del_timer() | ci_otg_hrtimer_func() + ... | + spin_lock_irqsave() //(1) | ... + ... | + hrtimer_cancel() | spin_lock_irqsave() //(2) + (block forever) + +We hold ci->lock in position (1) and use hrtimer_cancel() to +wait ci_otg_hrtimer_func() to stop, but ci_otg_hrtimer_func() +also need ci->lock in position (2). As a result, the +hrtimer_cancel() in ci_otg_del_timer() will be blocked forever. + +This patch extracts hrtimer_cancel() from the protection of +spin_lock_irqsave() in order that the ci_otg_hrtimer_func() +could obtain the ci->lock. + +What`s more, there will be no race happen. Because the +"next_timer" is always under the protection of +spin_lock_irqsave() and we only check whether "next_timer" +equals to NUM_OTG_FSM_TIMERS in the following code. + +Fixes: 3a316ec4c91c ("usb: chipidea: use hrtimer for otg fsm timers") +Cc: stable +Signed-off-by: Duoming Zhou +Link: https://lore.kernel.org/r/20220918033312.94348-1-duoming@zju.edu.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/otg_fsm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/chipidea/otg_fsm.c ++++ b/drivers/usb/chipidea/otg_fsm.c +@@ -256,8 +256,10 @@ static void ci_otg_del_timer(struct ci_h + ci->enabled_otg_timer_bits &= ~(1 << t); + if (ci->next_otg_timer == t) { + if (ci->enabled_otg_timer_bits == 0) { ++ spin_unlock_irqrestore(&ci->lock, flags); + /* No enabled timers after delete it */ + hrtimer_cancel(&ci->otg_fsm_hrtimer); ++ spin_lock_irqsave(&ci->lock, flags); + ci->next_otg_timer = NUM_OTG_FSM_TIMERS; + } else { + /* Find the next timer */ diff --git a/queue-6.0/usb-serial-option-add-fibocom-fm160-0x0111-composition.patch b/queue-6.0/usb-serial-option-add-fibocom-fm160-0x0111-composition.patch new file mode 100644 index 00000000000..806032da675 --- /dev/null +++ b/queue-6.0/usb-serial-option-add-fibocom-fm160-0x0111-composition.patch @@ -0,0 +1,57 @@ +From 148f4b32b4504d8a32cf82049b7b9499a4b299ab Mon Sep 17 00:00:00 2001 +From: Reinhard Speyerer +Date: Wed, 9 Nov 2022 22:24:15 +0100 +Subject: USB: serial: option: add Fibocom FM160 0x0111 composition + +From: Reinhard Speyerer + +commit 148f4b32b4504d8a32cf82049b7b9499a4b299ab upstream. + +Add support for the following Fibocom FM160 composition: + +0x0111: MBIM + MODEM + DIAG + AT + +T: Bus=01 Lev=02 Prnt=125 Port=01 Cnt=02 Dev#= 93 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2cb7 ProdID=0111 Rev= 5.04 +S: Manufacturer=Fibocom +S: Product=Fibocom FM160 Modem_SN:12345678 +S: SerialNumber=12345678 +C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00 +I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Reinhard Speyerer +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -2179,6 +2179,7 @@ static const struct usb_device_id option + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x010a, 0xff) }, /* Fibocom MA510 (ECM mode) */ + { USB_DEVICE_AND_INTERFACE_INFO(0x2cb7, 0x010b, 0xff, 0xff, 0x30) }, /* Fibocom FG150 Diag */ + { USB_DEVICE_AND_INTERFACE_INFO(0x2cb7, 0x010b, 0xff, 0, 0) }, /* Fibocom FG150 AT */ ++ { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0111, 0xff) }, /* Fibocom FM160 (MBIM mode) */ + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x01a0, 0xff) }, /* Fibocom NL668-AM/NL652-EU (laptop MBIM) */ + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x01a2, 0xff) }, /* Fibocom FM101-GL (laptop MBIM) */ + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x01a4, 0xff), /* Fibocom FM101-GL (laptop MBIM) */ diff --git a/queue-6.0/usb-serial-option-add-sierra-wireless-em9191.patch b/queue-6.0/usb-serial-option-add-sierra-wireless-em9191.patch new file mode 100644 index 00000000000..45f65f9760e --- /dev/null +++ b/queue-6.0/usb-serial-option-add-sierra-wireless-em9191.patch @@ -0,0 +1,58 @@ +From df3414b0a245f43476061fddd78cee7d6cff797f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Monin?= +Date: Thu, 13 Oct 2022 16:26:48 +0200 +Subject: USB: serial: option: add Sierra Wireless EM9191 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benoît Monin + +commit df3414b0a245f43476061fddd78cee7d6cff797f upstream. + +Add support for the AT and diag ports, similar to other qualcomm SDX55 +modems. In QDL mode, the modem uses a different device ID and support +is provided by qcserial in commit 11c52d250b34 ("USB: serial: qcserial: +add EM9191 QDL support"). + +T: Bus=08 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 3 Spd=5000 MxCh= 0 +D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 +P: Vendor=1199 ProdID=90d3 Rev=00.06 +S: Manufacturer=Sierra Wireless, Incorporated +S: Product=Sierra Wireless EM9191 +S: SerialNumber=xxxxxxxxxxxxxxxx +C: #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=896mA +I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none) + +Signed-off-by: Benoît Monin +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -581,6 +581,9 @@ static void option_instat_callback(struc + #define OPPO_VENDOR_ID 0x22d9 + #define OPPO_PRODUCT_R11 0x276c + ++/* Sierra Wireless products */ ++#define SIERRA_VENDOR_ID 0x1199 ++#define SIERRA_PRODUCT_EM9191 0x90d3 + + /* Device flags */ + +@@ -2176,6 +2179,8 @@ static const struct usb_device_id option + { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1405, 0xff) }, /* GosunCn GM500 MBIM */ + { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1406, 0xff) }, /* GosunCn GM500 ECM/NCM */ + { USB_DEVICE_AND_INTERFACE_INFO(OPPO_VENDOR_ID, OPPO_PRODUCT_R11, 0xff, 0xff, 0x30) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0xff, 0x30) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0, 0) }, + { } /* Terminating entry */ + }; + MODULE_DEVICE_TABLE(usb, option_ids); diff --git a/queue-6.0/usb-serial-option-add-u-blox-lara-l6-modem.patch b/queue-6.0/usb-serial-option-add-u-blox-lara-l6-modem.patch new file mode 100644 index 00000000000..0d930af4907 --- /dev/null +++ b/queue-6.0/usb-serial-option-add-u-blox-lara-l6-modem.patch @@ -0,0 +1,73 @@ +From c1547f12df8b8e9ca2686accee43213ecd117efe Mon Sep 17 00:00:00 2001 +From: Davide Tronchin +Date: Wed, 16 Nov 2022 16:59:50 +0100 +Subject: USB: serial: option: add u-blox LARA-L6 modem + +From: Davide Tronchin + +commit c1547f12df8b8e9ca2686accee43213ecd117efe upstream. + +Add LARA-L6 PIDs for three different USB compositions. + +LARA-L6 module can be configured (by AT interface) in three different +USB modes: +* Default mode (Vendor ID: 0x1546 Product ID: 0x1341) with 4 serial +interfaces +* RmNet mode (Vendor ID: 0x1546 Product ID: 0x1342) with 4 serial +interfaces and 1 RmNet virtual network interface +* CDC-ECM mode (Vendor ID: 0x1546 Product ID: 0x1343) with 4 serial +interface and 1 CDC-ECM virtual network interface + +In default mode LARA-L6 exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions + +In RmNet mode LARA-L6 exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parset/alternative functions +If 4: RMNET interface + +In CDC-ECM mode LARA-L6 exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parset/alternative functions +If 4: CDC-ECM interface + +Signed-off-by: Davide Tronchin +[ johan: drop PID defines in favour of comments ] +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -162,6 +162,8 @@ static void option_instat_callback(struc + #define NOVATELWIRELESS_PRODUCT_G2 0xA010 + #define NOVATELWIRELESS_PRODUCT_MC551 0xB001 + ++#define UBLOX_VENDOR_ID 0x1546 ++ + /* AMOI PRODUCTS */ + #define AMOI_VENDOR_ID 0x1614 + #define AMOI_PRODUCT_H01 0x0800 +@@ -1130,6 +1132,12 @@ static const struct usb_device_id option + .driver_info = RSVD(4) }, + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x90fa), + .driver_info = RSVD(3) }, ++ /* u-blox products */ ++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1341) }, /* u-blox LARA-L6 */ ++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1342), /* u-blox LARA-L6 (RMNET) */ ++ .driver_info = RSVD(4) }, ++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1343), /* u-blox LARA-L6 (ECM) */ ++ .driver_info = RSVD(4) }, + /* Quectel products using Quectel vendor ID */ + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21, 0xff, 0xff, 0xff), + .driver_info = NUMEP2 }, diff --git a/queue-6.0/usb-serial-option-add-u-blox-lara-r6-00b-modem.patch b/queue-6.0/usb-serial-option-add-u-blox-lara-r6-00b-modem.patch new file mode 100644 index 00000000000..56524c9253a --- /dev/null +++ b/queue-6.0/usb-serial-option-add-u-blox-lara-r6-00b-modem.patch @@ -0,0 +1,38 @@ +From d9e37a5c4d80ea25a7171ab8557a449115554e76 Mon Sep 17 00:00:00 2001 +From: Davide Tronchin +Date: Wed, 16 Nov 2022 16:59:49 +0100 +Subject: USB: serial: option: add u-blox LARA-R6 00B modem + +From: Davide Tronchin + +commit d9e37a5c4d80ea25a7171ab8557a449115554e76 upstream. + +The official LARA-R6 (00B) modem uses 0x908b PID. LARA-R6 00B does not +implement a QMI interface on port 4, the reservation (RSVD(4)) has been +added to meet other companies that implement QMI on that interface. + +LARA-R6 00B USB composition exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions + +Signed-off-by: Davide Tronchin +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1126,6 +1126,8 @@ static const struct usb_device_id option + /* u-blox products using Qualcomm vendor ID */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, UBLOX_PRODUCT_R410M), + .driver_info = RSVD(1) | RSVD(3) }, ++ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x908b), /* u-blox LARA-R6 00B */ ++ .driver_info = RSVD(4) }, + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x90fa), + .driver_info = RSVD(3) }, + /* Quectel products using Quectel vendor ID */ diff --git a/queue-6.0/usb-serial-option-remove-old-lara-r6-pid.patch b/queue-6.0/usb-serial-option-remove-old-lara-r6-pid.patch new file mode 100644 index 00000000000..008ccba30c7 --- /dev/null +++ b/queue-6.0/usb-serial-option-remove-old-lara-r6-pid.patch @@ -0,0 +1,45 @@ +From 2ec106b96afc19698ff934323b633c0729d4c7f8 Mon Sep 17 00:00:00 2001 +From: Davide Tronchin +Date: Wed, 16 Nov 2022 16:59:48 +0100 +Subject: USB: serial: option: remove old LARA-R6 PID + +From: Davide Tronchin + +commit 2ec106b96afc19698ff934323b633c0729d4c7f8 upstream. + +Remove the UBLOX_PRODUCT_R6XX 0x90fa association since LARA-R6 00B final +product uses a new USB composition with different PID. 0x90fa PID used +only by LARA-R6 internal prototypes. + +Move 0x90fa PID directly in the option_ids array since used by other +Qualcomm based modem vendors as pointed out in: + + https://lore.kernel.org/all/6572c4e6-d8bc-b8d3-4396-d879e4e76338@gmail.com + +Signed-off-by: Davide Tronchin +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -240,7 +240,6 @@ static void option_instat_callback(struc + #define QUECTEL_PRODUCT_UC15 0x9090 + /* These u-blox products use Qualcomm's vendor ID */ + #define UBLOX_PRODUCT_R410M 0x90b2 +-#define UBLOX_PRODUCT_R6XX 0x90fa + /* These Yuga products use Qualcomm's vendor ID */ + #define YUGA_PRODUCT_CLM920_NC5 0x9625 + +@@ -1127,7 +1126,7 @@ static const struct usb_device_id option + /* u-blox products using Qualcomm vendor ID */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, UBLOX_PRODUCT_R410M), + .driver_info = RSVD(1) | RSVD(3) }, +- { USB_DEVICE(QUALCOMM_VENDOR_ID, UBLOX_PRODUCT_R6XX), ++ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x90fa), + .driver_info = RSVD(3) }, + /* Quectel products using Quectel vendor ID */ + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21, 0xff, 0xff, 0xff), diff --git a/queue-6.0/usb-typec-mux-enter-safe-mode-only-when-pins-need-to-be-reconfigured.patch b/queue-6.0/usb-typec-mux-enter-safe-mode-only-when-pins-need-to-be-reconfigured.patch new file mode 100644 index 00000000000..ea3b2048717 --- /dev/null +++ b/queue-6.0/usb-typec-mux-enter-safe-mode-only-when-pins-need-to-be-reconfigured.patch @@ -0,0 +1,72 @@ +From 40bf8f162d0f95e0716e479d7db41443d931765c Mon Sep 17 00:00:00 2001 +From: Rajat Khandelwal +Date: Mon, 24 Oct 2022 22:46:11 +0530 +Subject: usb: typec: mux: Enter safe mode only when pins need to be reconfigured + +From: Rajat Khandelwal + +commit 40bf8f162d0f95e0716e479d7db41443d931765c upstream. + +There is no point to enter safe mode during DP/TBT configuration +if the DP/TBT was already configured in mux. This is because safe +mode is only applicable when there is a need to reconfigure the +pins in order to avoid damage within/to port partner. + +In some chrome systems, IOM/mux is already configured before OS +comes up. Thus, when driver is probed, it blindly enters safe +mode due to PD negotiations but only after gfx driver lowers +dp_phy_ownership, will the IOM complete safe mode and send an +ack to PMC. +Since, that never happens, we see IPC timeout. + +Hence, allow safe mode only when pin reconfiguration is not +required, which makes sense. + +Fixes: 43d596e32276 ("usb: typec: intel_pmc_mux: Check the port status before connect") +Cc: stable +Signed-off-by: Rajat Khandelwal +Signed-off-by: Lee Shawn C +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20221024171611.181468-1-rajat.khandelwal@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/mux/intel_pmc_mux.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/usb/typec/mux/intel_pmc_mux.c ++++ b/drivers/usb/typec/mux/intel_pmc_mux.c +@@ -369,13 +369,24 @@ pmc_usb_mux_usb4(struct pmc_usb_port *po + return pmc_usb_command(port, (void *)&req, sizeof(req)); + } + +-static int pmc_usb_mux_safe_state(struct pmc_usb_port *port) ++static int pmc_usb_mux_safe_state(struct pmc_usb_port *port, ++ struct typec_mux_state *state) + { + u8 msg; + + if (IOM_PORT_ACTIVITY_IS(port->iom_status, SAFE_MODE)) + return 0; + ++ if ((IOM_PORT_ACTIVITY_IS(port->iom_status, DP) || ++ IOM_PORT_ACTIVITY_IS(port->iom_status, DP_MFD)) && ++ state->alt && state->alt->svid == USB_TYPEC_DP_SID) ++ return 0; ++ ++ if ((IOM_PORT_ACTIVITY_IS(port->iom_status, TBT) || ++ IOM_PORT_ACTIVITY_IS(port->iom_status, ALT_MODE_TBT_USB)) && ++ state->alt && state->alt->svid == USB_TYPEC_TBT_SID) ++ return 0; ++ + msg = PMC_USB_SAFE_MODE; + msg |= port->usb3_port << PMC_USB_MSG_USB3_PORT_SHIFT; + +@@ -443,7 +454,7 @@ pmc_usb_mux_set(struct typec_mux_dev *mu + return 0; + + if (state->mode == TYPEC_STATE_SAFE) +- return pmc_usb_mux_safe_state(port); ++ return pmc_usb_mux_safe_state(port, state); + if (state->mode == TYPEC_STATE_USB) + return pmc_usb_connect(port, port->role); + diff --git a/queue-6.0/usb-typec-tipd-prevent-uninitialized-event-1-2-in-irq-handler.patch b/queue-6.0/usb-typec-tipd-prevent-uninitialized-event-1-2-in-irq-handler.patch new file mode 100644 index 00000000000..32b8ac296ef --- /dev/null +++ b/queue-6.0/usb-typec-tipd-prevent-uninitialized-event-1-2-in-irq-handler.patch @@ -0,0 +1,51 @@ +From 6d8fc203b28ff8f6115fbe5eaf584de8b824f4fa Mon Sep 17 00:00:00 2001 +From: Sven Peter +Date: Wed, 2 Nov 2022 17:15:42 +0100 +Subject: usb: typec: tipd: Prevent uninitialized event{1,2} in IRQ handler +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sven Peter + +commit 6d8fc203b28ff8f6115fbe5eaf584de8b824f4fa upstream. + +If reading TPS_REG_INT_EVENT1/2 fails in the interrupt handler event1 +and event2 may be uninitialized when they are used to determine +IRQ_HANDLED vs. IRQ_NONE in the error path. + +Fixes: c7260e29dd20 ("usb: typec: tipd: Add short-circuit for no irqs") +Fixes: 45188f27b3d0 ("usb: typec: tipd: Add support for Apple CD321X") +Cc: stable +Signed-off-by: Sven Peter +Reviewed-by: Eric Curtin +Reviewed-by: Heikki Krogerus +Reviewed-by: Guido Günther +Link: https://lore.kernel.org/r/20221102161542.30669-1-sven@svenpeter.dev +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tipd/core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/usb/typec/tipd/core.c ++++ b/drivers/usb/typec/tipd/core.c +@@ -474,7 +474,7 @@ static void tps6598x_handle_plug_event(s + static irqreturn_t cd321x_interrupt(int irq, void *data) + { + struct tps6598x *tps = data; +- u64 event; ++ u64 event = 0; + u32 status; + int ret; + +@@ -519,8 +519,8 @@ err_unlock: + static irqreturn_t tps6598x_interrupt(int irq, void *data) + { + struct tps6598x *tps = data; +- u64 event1; +- u64 event2; ++ u64 event1 = 0; ++ u64 event2 = 0; + u32 status; + int ret; +