From: Greg Kroah-Hartman Date: Mon, 19 Dec 2022 15:23:30 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v5.10.161~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e1933d6452e991c0dc7c3b3deb910d75c535683;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: cifs-fix-oops-during-encryption.patch igb-initialize-mailbox-message-for-vf-reset.patch keys-encrypted-fix-key-instantiation-with-user-provided-data.patch staging-r8188eu-fix-led-register-settings.patch usb-dwc3-pci-update-pcie-device-id-for-usb3-controller-on-cpu-sub-system-for-raptor-lake.patch usb-typec-ucsi-resume-in-separate-work.patch usb-ulpi-defer-ulpi_register-on-ulpi_read_id-timeout.patch xhci-apply-xhci_reset_to_default-quirk-to-adl-n.patch --- diff --git a/queue-6.1/cifs-fix-oops-during-encryption.patch b/queue-6.1/cifs-fix-oops-during-encryption.patch new file mode 100644 index 00000000000..22bb60dac5e --- /dev/null +++ b/queue-6.1/cifs-fix-oops-during-encryption.patch @@ -0,0 +1,391 @@ +From f7f291e14dde32a07b1f0aa06921d28f875a7b54 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Sun, 11 Dec 2022 18:18:55 -0300 +Subject: cifs: fix oops during encryption + +From: Paulo Alcantara + +commit f7f291e14dde32a07b1f0aa06921d28f875a7b54 upstream. + +When running xfstests against Azure the following oops occurred on an +arm64 system + + Unable to handle kernel write to read-only memory at virtual address + ffff0001221cf000 + Mem abort info: + ESR = 0x9600004f + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x0f: level 3 permission fault + Data abort info: + ISV = 0, ISS = 0x0000004f + CM = 0, WnR = 1 + swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000294f3000 + [ffff0001221cf000] pgd=18000001ffff8003, p4d=18000001ffff8003, + pud=18000001ff82e003, pmd=18000001ff71d003, pte=00600001221cf787 + Internal error: Oops: 9600004f [#1] PREEMPT SMP + ... + pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--) + pc : __memcpy+0x40/0x230 + lr : scatterwalk_copychunks+0xe0/0x200 + sp : ffff800014e92de0 + x29: ffff800014e92de0 x28: ffff000114f9de80 x27: 0000000000000008 + x26: 0000000000000008 x25: ffff800014e92e78 x24: 0000000000000008 + x23: 0000000000000001 x22: 0000040000000000 x21: ffff000000000000 + x20: 0000000000000001 x19: ffff0001037c4488 x18: 0000000000000014 + x17: 235e1c0d6efa9661 x16: a435f9576b6edd6c x15: 0000000000000058 + x14: 0000000000000001 x13: 0000000000000008 x12: ffff000114f2e590 + x11: ffffffffffffffff x10: 0000040000000000 x9 : ffff8000105c3580 + x8 : 2e9413b10000001a x7 : 534b4410fb86b005 x6 : 534b4410fb86b005 + x5 : ffff0001221cf008 x4 : ffff0001037c4490 x3 : 0000000000000001 + x2 : 0000000000000008 x1 : ffff0001037c4488 x0 : ffff0001221cf000 + Call trace: + __memcpy+0x40/0x230 + scatterwalk_map_and_copy+0x98/0x100 + crypto_ccm_encrypt+0x150/0x180 + crypto_aead_encrypt+0x2c/0x40 + crypt_message+0x750/0x880 + smb3_init_transform_rq+0x298/0x340 + smb_send_rqst.part.11+0xd8/0x180 + smb_send_rqst+0x3c/0x100 + compound_send_recv+0x534/0xbc0 + smb2_query_info_compound+0x32c/0x440 + smb2_set_ea+0x438/0x4c0 + cifs_xattr_set+0x5d4/0x7c0 + +This is because in scatterwalk_copychunks(), we attempted to write to +a buffer (@sign) that was allocated in the stack (vmalloc area) by +crypt_message() and thus accessing its remaining 8 (x2) bytes ended up +crossing a page boundary. + +To simply fix it, we could just pass @sign kmalloc'd from +crypt_message() and then we're done. Luckily, we don't seem to pass +any other vmalloc'd buffers in smb_rqst::rq_iov... + +Instead, let's map the correct pages and offsets from vmalloc buffers +as well in cifs_sg_set_buf() and then avoiding such oopses. + +Signed-off-by: Paulo Alcantara (SUSE) +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifsglob.h | 68 ++++++++++++++++++++++++ + fs/cifs/cifsproto.h | 4 - + fs/cifs/misc.c | 4 - + fs/cifs/smb2ops.c | 143 ++++++++++++++++++++++++---------------------------- + 4 files changed, 140 insertions(+), 79 deletions(-) + +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -13,6 +13,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -2137,4 +2139,70 @@ static inline void move_cifs_info_to_smb + dst->FileNameLength = src->FileNameLength; + } + ++static inline unsigned int cifs_get_num_sgs(const struct smb_rqst *rqst, ++ int num_rqst, ++ const u8 *sig) ++{ ++ unsigned int len, skip; ++ unsigned int nents = 0; ++ unsigned long addr; ++ int i, j; ++ ++ /* Assumes the first rqst has a transform header as the first iov. ++ * I.e. ++ * rqst[0].rq_iov[0] is transform header ++ * rqst[0].rq_iov[1+] data to be encrypted/decrypted ++ * rqst[1+].rq_iov[0+] data to be encrypted/decrypted ++ */ ++ for (i = 0; i < num_rqst; i++) { ++ /* ++ * The first rqst has a transform header where the ++ * first 20 bytes are not part of the encrypted blob. ++ */ ++ for (j = 0; j < rqst[i].rq_nvec; j++) { ++ struct kvec *iov = &rqst[i].rq_iov[j]; ++ ++ skip = (i == 0) && (j == 0) ? 20 : 0; ++ addr = (unsigned long)iov->iov_base + skip; ++ if (unlikely(is_vmalloc_addr((void *)addr))) { ++ len = iov->iov_len - skip; ++ nents += DIV_ROUND_UP(offset_in_page(addr) + len, ++ PAGE_SIZE); ++ } else { ++ nents++; ++ } ++ } ++ nents += rqst[i].rq_npages; ++ } ++ nents += DIV_ROUND_UP(offset_in_page(sig) + SMB2_SIGNATURE_SIZE, PAGE_SIZE); ++ return nents; ++} ++ ++/* We can not use the normal sg_set_buf() as we will sometimes pass a ++ * stack object as buf. ++ */ ++static inline struct scatterlist *cifs_sg_set_buf(struct scatterlist *sg, ++ const void *buf, ++ unsigned int buflen) ++{ ++ unsigned long addr = (unsigned long)buf; ++ unsigned int off = offset_in_page(addr); ++ ++ addr &= PAGE_MASK; ++ if (unlikely(is_vmalloc_addr((void *)addr))) { ++ do { ++ unsigned int len = min_t(unsigned int, buflen, PAGE_SIZE - off); ++ ++ sg_set_page(sg++, vmalloc_to_page((void *)addr), len, off); ++ ++ off = 0; ++ addr += PAGE_SIZE; ++ buflen -= len; ++ } while (buflen); ++ } else { ++ sg_set_page(sg++, virt_to_page(addr), buflen, off); ++ } ++ return sg; ++} ++ + #endif /* _CIFS_GLOB_H */ +--- a/fs/cifs/cifsproto.h ++++ b/fs/cifs/cifsproto.h +@@ -600,8 +600,8 @@ int setup_aio_ctx_iter(struct cifs_aio_c + int cifs_alloc_hash(const char *name, struct shash_desc **sdesc); + void cifs_free_hash(struct shash_desc **sdesc); + +-extern void rqst_page_get_length(struct smb_rqst *rqst, unsigned int page, +- unsigned int *len, unsigned int *offset); ++void rqst_page_get_length(const struct smb_rqst *rqst, unsigned int page, ++ unsigned int *len, unsigned int *offset); + struct cifs_chan * + cifs_ses_find_chan(struct cifs_ses *ses, struct TCP_Server_Info *server); + int cifs_try_adding_channels(struct cifs_sb_info *cifs_sb, struct cifs_ses *ses); +--- a/fs/cifs/misc.c ++++ b/fs/cifs/misc.c +@@ -1136,8 +1136,8 @@ cifs_free_hash(struct shash_desc **sdesc + * @len: Where to store the length for this page: + * @offset: Where to store the offset for this page + */ +-void rqst_page_get_length(struct smb_rqst *rqst, unsigned int page, +- unsigned int *len, unsigned int *offset) ++void rqst_page_get_length(const struct smb_rqst *rqst, unsigned int page, ++ unsigned int *len, unsigned int *offset) + { + *len = rqst->rq_pagesz; + *offset = (page == 0) ? rqst->rq_offset : 0; +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -4204,69 +4204,82 @@ fill_transform_hdr(struct smb2_transform + memcpy(&tr_hdr->SessionId, &shdr->SessionId, 8); + } + +-/* We can not use the normal sg_set_buf() as we will sometimes pass a +- * stack object as buf. +- */ +-static inline void smb2_sg_set_buf(struct scatterlist *sg, const void *buf, +- unsigned int buflen) ++static void *smb2_aead_req_alloc(struct crypto_aead *tfm, const struct smb_rqst *rqst, ++ int num_rqst, const u8 *sig, u8 **iv, ++ struct aead_request **req, struct scatterlist **sgl, ++ unsigned int *num_sgs) + { +- void *addr; +- /* +- * VMAP_STACK (at least) puts stack into the vmalloc address space +- */ +- if (is_vmalloc_addr(buf)) +- addr = vmalloc_to_page(buf); +- else +- addr = virt_to_page(buf); +- sg_set_page(sg, addr, buflen, offset_in_page(buf)); ++ unsigned int req_size = sizeof(**req) + crypto_aead_reqsize(tfm); ++ unsigned int iv_size = crypto_aead_ivsize(tfm); ++ unsigned int len; ++ u8 *p; ++ ++ *num_sgs = cifs_get_num_sgs(rqst, num_rqst, sig); ++ ++ len = iv_size; ++ len += crypto_aead_alignmask(tfm) & ~(crypto_tfm_ctx_alignment() - 1); ++ len = ALIGN(len, crypto_tfm_ctx_alignment()); ++ len += req_size; ++ len = ALIGN(len, __alignof__(struct scatterlist)); ++ len += *num_sgs * sizeof(**sgl); ++ ++ p = kmalloc(len, GFP_ATOMIC); ++ if (!p) ++ return NULL; ++ ++ *iv = (u8 *)PTR_ALIGN(p, crypto_aead_alignmask(tfm) + 1); ++ *req = (struct aead_request *)PTR_ALIGN(*iv + iv_size, ++ crypto_tfm_ctx_alignment()); ++ *sgl = (struct scatterlist *)PTR_ALIGN((u8 *)*req + req_size, ++ __alignof__(struct scatterlist)); ++ return p; + } + +-/* Assumes the first rqst has a transform header as the first iov. +- * I.e. +- * rqst[0].rq_iov[0] is transform header +- * rqst[0].rq_iov[1+] data to be encrypted/decrypted +- * rqst[1+].rq_iov[0+] data to be encrypted/decrypted +- */ +-static struct scatterlist * +-init_sg(int num_rqst, struct smb_rqst *rqst, u8 *sign) ++static void *smb2_get_aead_req(struct crypto_aead *tfm, const struct smb_rqst *rqst, ++ int num_rqst, const u8 *sig, u8 **iv, ++ struct aead_request **req, struct scatterlist **sgl) + { +- unsigned int sg_len; ++ unsigned int off, len, skip; + struct scatterlist *sg; +- unsigned int i; +- unsigned int j; +- unsigned int idx = 0; +- int skip; +- +- sg_len = 1; +- for (i = 0; i < num_rqst; i++) +- sg_len += rqst[i].rq_nvec + rqst[i].rq_npages; ++ unsigned int num_sgs; ++ unsigned long addr; ++ int i, j; ++ void *p; + +- sg = kmalloc_array(sg_len, sizeof(struct scatterlist), GFP_KERNEL); +- if (!sg) ++ p = smb2_aead_req_alloc(tfm, rqst, num_rqst, sig, iv, req, sgl, &num_sgs); ++ if (!p) + return NULL; + +- sg_init_table(sg, sg_len); ++ sg_init_table(*sgl, num_sgs); ++ sg = *sgl; ++ ++ /* Assumes the first rqst has a transform header as the first iov. ++ * I.e. ++ * rqst[0].rq_iov[0] is transform header ++ * rqst[0].rq_iov[1+] data to be encrypted/decrypted ++ * rqst[1+].rq_iov[0+] data to be encrypted/decrypted ++ */ + for (i = 0; i < num_rqst; i++) { ++ /* ++ * The first rqst has a transform header where the ++ * first 20 bytes are not part of the encrypted blob. ++ */ + for (j = 0; j < rqst[i].rq_nvec; j++) { +- /* +- * The first rqst has a transform header where the +- * first 20 bytes are not part of the encrypted blob +- */ +- skip = (i == 0) && (j == 0) ? 20 : 0; +- smb2_sg_set_buf(&sg[idx++], +- rqst[i].rq_iov[j].iov_base + skip, +- rqst[i].rq_iov[j].iov_len - skip); +- } ++ struct kvec *iov = &rqst[i].rq_iov[j]; + ++ skip = (i == 0) && (j == 0) ? 20 : 0; ++ addr = (unsigned long)iov->iov_base + skip; ++ len = iov->iov_len - skip; ++ sg = cifs_sg_set_buf(sg, (void *)addr, len); ++ } + for (j = 0; j < rqst[i].rq_npages; j++) { +- unsigned int len, offset; +- +- rqst_page_get_length(&rqst[i], j, &len, &offset); +- sg_set_page(&sg[idx++], rqst[i].rq_pages[j], len, offset); ++ rqst_page_get_length(&rqst[i], j, &len, &off); ++ sg_set_page(sg++, rqst[i].rq_pages[j], len, off); + } + } +- smb2_sg_set_buf(&sg[idx], sign, SMB2_SIGNATURE_SIZE); +- return sg; ++ cifs_sg_set_buf(sg, sig, SMB2_SIGNATURE_SIZE); ++ ++ return p; + } + + static int +@@ -4314,11 +4327,11 @@ crypt_message(struct TCP_Server_Info *se + u8 sign[SMB2_SIGNATURE_SIZE] = {}; + u8 key[SMB3_ENC_DEC_KEY_SIZE]; + struct aead_request *req; +- char *iv; +- unsigned int iv_len; ++ u8 *iv; + DECLARE_CRYPTO_WAIT(wait); + struct crypto_aead *tfm; + unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize); ++ void *creq; + + rc = smb2_get_enc_key(server, le64_to_cpu(tr_hdr->SessionId), enc, key); + if (rc) { +@@ -4352,32 +4365,15 @@ crypt_message(struct TCP_Server_Info *se + return rc; + } + +- req = aead_request_alloc(tfm, GFP_KERNEL); +- if (!req) { +- cifs_server_dbg(VFS, "%s: Failed to alloc aead request\n", __func__); ++ creq = smb2_get_aead_req(tfm, rqst, num_rqst, sign, &iv, &req, &sg); ++ if (unlikely(!creq)) + return -ENOMEM; +- } + + if (!enc) { + memcpy(sign, &tr_hdr->Signature, SMB2_SIGNATURE_SIZE); + crypt_len += SMB2_SIGNATURE_SIZE; + } + +- sg = init_sg(num_rqst, rqst, sign); +- if (!sg) { +- cifs_server_dbg(VFS, "%s: Failed to init sg\n", __func__); +- rc = -ENOMEM; +- goto free_req; +- } +- +- iv_len = crypto_aead_ivsize(tfm); +- iv = kzalloc(iv_len, GFP_KERNEL); +- if (!iv) { +- cifs_server_dbg(VFS, "%s: Failed to alloc iv\n", __func__); +- rc = -ENOMEM; +- goto free_sg; +- } +- + if ((server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) || + (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM)) + memcpy(iv, (char *)tr_hdr->Nonce, SMB3_AES_GCM_NONCE); +@@ -4386,6 +4382,7 @@ crypt_message(struct TCP_Server_Info *se + memcpy(iv + 1, (char *)tr_hdr->Nonce, SMB3_AES_CCM_NONCE); + } + ++ aead_request_set_tfm(req, tfm); + aead_request_set_crypt(req, sg, sg, crypt_len, iv); + aead_request_set_ad(req, assoc_data_len); + +@@ -4398,11 +4395,7 @@ crypt_message(struct TCP_Server_Info *se + if (!rc && enc) + memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE); + +- kfree_sensitive(iv); +-free_sg: +- kfree_sensitive(sg); +-free_req: +- kfree_sensitive(req); ++ kfree_sensitive(creq); + return rc; + } + diff --git a/queue-6.1/igb-initialize-mailbox-message-for-vf-reset.patch b/queue-6.1/igb-initialize-mailbox-message-for-vf-reset.patch new file mode 100644 index 00000000000..d2bbfa5a463 --- /dev/null +++ b/queue-6.1/igb-initialize-mailbox-message-for-vf-reset.patch @@ -0,0 +1,38 @@ +From de5dc44370fbd6b46bd7f1a1e00369be54a041c8 Mon Sep 17 00:00:00 2001 +From: Tony Nguyen +Date: Mon, 12 Dec 2022 11:00:31 -0800 +Subject: igb: Initialize mailbox message for VF reset + +From: Tony Nguyen + +commit de5dc44370fbd6b46bd7f1a1e00369be54a041c8 upstream. + +When a MAC address is not assigned to the VF, that portion of the message +sent to the VF is not set. The memory, however, is allocated from the +stack meaning that information may be leaked to the VM. Initialize the +message buffer to 0 so that no information is passed to the VM in this +case. + +Fixes: 6ddbc4cf1f4d ("igb: Indicate failure on vf reset for empty mac address") +Reported-by: Akihiko Odaki +Signed-off-by: Tony Nguyen +Reviewed-by: Akihiko Odaki +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20221212190031.3983342-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/igb/igb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -7521,7 +7521,7 @@ static void igb_vf_reset_msg(struct igb_ + { + struct e1000_hw *hw = &adapter->hw; + unsigned char *vf_mac = adapter->vf_data[vf].vf_mac_addresses; +- u32 reg, msgbuf[3]; ++ u32 reg, msgbuf[3] = {}; + u8 *addr = (u8 *)(&msgbuf[1]); + + /* process all the same items cleared in a function level reset */ diff --git a/queue-6.1/keys-encrypted-fix-key-instantiation-with-user-provided-data.patch b/queue-6.1/keys-encrypted-fix-key-instantiation-with-user-provided-data.patch new file mode 100644 index 00000000000..0397d429117 --- /dev/null +++ b/queue-6.1/keys-encrypted-fix-key-instantiation-with-user-provided-data.patch @@ -0,0 +1,82 @@ +From 5adedd42245af0860ebda8fe0949f24f5204c1b1 Mon Sep 17 00:00:00 2001 +From: Nikolaus Voss +Date: Wed, 19 Oct 2022 18:38:20 +0200 +Subject: KEYS: encrypted: fix key instantiation with user-provided data + +From: Nikolaus Voss + +commit 5adedd42245af0860ebda8fe0949f24f5204c1b1 upstream. + +Commit cd3bc044af48 ("KEYS: encrypted: Instantiate key with +user-provided decrypted data") added key instantiation with user +provided decrypted data. The user data is hex-ascii-encoded but was +just memcpy'ed to the binary buffer. Fix this to use hex2bin instead. + +Old keys created from user provided decrypted data saved with "keyctl +pipe" are still valid, however if the key is recreated from decrypted +data the old key must be converted to the correct format. This can be +done with a small shell script, e.g.: + +BROKENKEY=abcdefABCDEF1234567890aaaaaaaaaa +NEWKEY=$(echo -ne $BROKENKEY | xxd -p -c32) +keyctl add user masterkey "$(cat masterkey.bin)" @u +keyctl add encrypted testkey "new user:masterkey 32 $NEWKEY" @u + +However, NEWKEY is still broken: If for BROKENKEY 32 bytes were +specified, a brute force attacker knowing the key properties would only +need to try at most 2^(16*8) keys, as if the key was only 16 bytes long. + +The security issue is a result of the combination of limiting the input +range to hex-ascii and using memcpy() instead of hex2bin(). It could +have been fixed either by allowing binary input or using hex2bin() (and +doubling the ascii input key length). This patch implements the latter. + +The corresponding test for the Linux Test Project ltp has also been +fixed (see link below). + +Fixes: cd3bc044af48 ("KEYS: encrypted: Instantiate key with user-provided decrypted data") +Cc: stable@kernel.org +Link: https://lore.kernel.org/ltp/20221006081709.92303897@mail.steuer-voss.de/ +Reviewed-by: Mimi Zohar +Signed-off-by: Nikolaus Voss +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/security/keys/trusted-encrypted.rst | 3 ++- + security/keys/encrypted-keys/encrypted.c | 6 +++--- + 2 files changed, 5 insertions(+), 4 deletions(-) + +--- a/Documentation/security/keys/trusted-encrypted.rst ++++ b/Documentation/security/keys/trusted-encrypted.rst +@@ -350,7 +350,8 @@ Load an encrypted key "evm" from saved b + + Instantiate an encrypted key "evm" using user-provided decrypted data:: + +- $ keyctl add encrypted evm "new default user:kmk 32 `cat evm_decrypted_data.blob`" @u ++ $ evmkey=$(dd if=/dev/urandom bs=1 count=32 | xxd -c32 -p) ++ $ keyctl add encrypted evm "new default user:kmk 32 $evmkey" @u + 794890253 + + $ keyctl print 794890253 +--- a/security/keys/encrypted-keys/encrypted.c ++++ b/security/keys/encrypted-keys/encrypted.c +@@ -627,7 +627,7 @@ static struct encrypted_key_payload *enc + pr_err("encrypted key: instantiation of keys using provided decrypted data is disabled since CONFIG_USER_DECRYPTED_DATA is set to false\n"); + return ERR_PTR(-EINVAL); + } +- if (strlen(decrypted_data) != decrypted_datalen) { ++ if (strlen(decrypted_data) != decrypted_datalen * 2) { + pr_err("encrypted key: decrypted data provided does not match decrypted data length provided\n"); + return ERR_PTR(-EINVAL); + } +@@ -791,8 +791,8 @@ static int encrypted_init(struct encrypt + ret = encrypted_key_decrypt(epayload, format, hex_encoded_iv); + } else if (decrypted_data) { + get_random_bytes(epayload->iv, ivsize); +- memcpy(epayload->decrypted_data, decrypted_data, +- epayload->decrypted_datalen); ++ ret = hex2bin(epayload->decrypted_data, decrypted_data, ++ epayload->decrypted_datalen); + } else { + get_random_bytes(epayload->iv, ivsize); + get_random_bytes(epayload->decrypted_data, epayload->decrypted_datalen); diff --git a/queue-6.1/series b/queue-6.1/series index b6ac1bd3b12..7e50e23ebea 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -15,3 +15,11 @@ usb-serial-cp210x-add-kamstrup-rf-sniffer-pids.patch usb-serial-f81232-fix-division-by-zero-on-line-speed-change.patch usb-serial-f81534-fix-division-by-zero-on-line-speed-change.patch alsa-hda-realtek-fix-mute-micmute-leds-for-a-hp-probook.patch +xhci-apply-xhci_reset_to_default-quirk-to-adl-n.patch +staging-r8188eu-fix-led-register-settings.patch +igb-initialize-mailbox-message-for-vf-reset.patch +usb-typec-ucsi-resume-in-separate-work.patch +usb-dwc3-pci-update-pcie-device-id-for-usb3-controller-on-cpu-sub-system-for-raptor-lake.patch +cifs-fix-oops-during-encryption.patch +keys-encrypted-fix-key-instantiation-with-user-provided-data.patch +usb-ulpi-defer-ulpi_register-on-ulpi_read_id-timeout.patch diff --git a/queue-6.1/staging-r8188eu-fix-led-register-settings.patch b/queue-6.1/staging-r8188eu-fix-led-register-settings.patch new file mode 100644 index 00000000000..220b3ab7d4f --- /dev/null +++ b/queue-6.1/staging-r8188eu-fix-led-register-settings.patch @@ -0,0 +1,81 @@ +From 12c6223fc1804fd9295dc50d358294539b4a4184 Mon Sep 17 00:00:00 2001 +From: Martin Kaiser +Date: Sat, 15 Oct 2022 17:11:06 +0200 +Subject: staging: r8188eu: fix led register settings + +From: Martin Kaiser + +commit 12c6223fc1804fd9295dc50d358294539b4a4184 upstream. + +Using an InterTech DMG-02 dongle, the led remains on when the system goes +into standby mode. After wakeup, it's no longer possible to control the +led. + +It turned out that the register settings to enable or disable the led were +not correct. They worked for some dongles like the Edimax V2 but not for +others like the InterTech DMG-02. + +This patch fixes the register settings. Bit 3 in the led_cfg2 register +controls the led status, bit 5 must always be set to be able to control +the led, bit 6 has no influence on the led. Setting the mac_pinmux_cfg +register is not necessary. + +These settings were tested with Edimax V2 and InterTech DMG-02. + +Cc: stable@vger.kernel.org +Fixes: 8cd574e6af54 ("staging: r8188eu: introduce new hal dir for RTL8188eu driver") +Suggested-by: Michael Straube +Signed-off-by: Martin Kaiser +Tested-by: Michael Straube # InterTech DMG-02, +Tested-by: Philipp Hortmann # Edimax N150 +Link: https://lore.kernel.org/r/20221015151115.232095-2-martin@kaiser.cx +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/r8188eu/core/rtw_led.c | 25 ++----------------------- + 1 file changed, 2 insertions(+), 23 deletions(-) + +--- a/drivers/staging/r8188eu/core/rtw_led.c ++++ b/drivers/staging/r8188eu/core/rtw_led.c +@@ -32,40 +32,19 @@ static void ResetLedStatus(struct led_pr + + static void SwLedOn(struct adapter *padapter, struct led_priv *pLed) + { +- u8 LedCfg; +- int res; +- + if (padapter->bDriverStopped) + return; + +- res = rtw_read8(padapter, REG_LEDCFG2, &LedCfg); +- if (res) +- return; +- +- rtw_write8(padapter, REG_LEDCFG2, (LedCfg & 0xf0) | BIT(5) | BIT(6)); /* SW control led0 on. */ ++ rtw_write8(padapter, REG_LEDCFG2, BIT(5)); /* SW control led0 on. */ + pLed->bLedOn = true; + } + + static void SwLedOff(struct adapter *padapter, struct led_priv *pLed) + { +- u8 LedCfg; +- int res; +- + if (padapter->bDriverStopped) + goto exit; + +- res = rtw_read8(padapter, REG_LEDCFG2, &LedCfg);/* 0x4E */ +- if (res) +- goto exit; +- +- LedCfg &= 0x90; /* Set to software control. */ +- rtw_write8(padapter, REG_LEDCFG2, (LedCfg | BIT(3))); +- res = rtw_read8(padapter, REG_MAC_PINMUX_CFG, &LedCfg); +- if (res) +- goto exit; +- +- LedCfg &= 0xFE; +- rtw_write8(padapter, REG_MAC_PINMUX_CFG, LedCfg); ++ rtw_write8(padapter, REG_LEDCFG2, BIT(5) | BIT(3)); + exit: + pLed->bLedOn = false; + } diff --git a/queue-6.1/usb-dwc3-pci-update-pcie-device-id-for-usb3-controller-on-cpu-sub-system-for-raptor-lake.patch b/queue-6.1/usb-dwc3-pci-update-pcie-device-id-for-usb3-controller-on-cpu-sub-system-for-raptor-lake.patch new file mode 100644 index 00000000000..5eeb4a37dd0 --- /dev/null +++ b/queue-6.1/usb-dwc3-pci-update-pcie-device-id-for-usb3-controller-on-cpu-sub-system-for-raptor-lake.patch @@ -0,0 +1,33 @@ +From f05f80f217bf52443a2582bca19fd78188333f25 Mon Sep 17 00:00:00 2001 +From: Shruthi Sanil +Date: Fri, 25 Nov 2022 16:23:27 +0530 +Subject: usb: dwc3: pci: Update PCIe device ID for USB3 controller on CPU sub-system for Raptor Lake + +From: Shruthi Sanil + +commit f05f80f217bf52443a2582bca19fd78188333f25 upstream. + +The device ID 0xa70e is defined for the USB3 device controller in the CPU +sub-system of Raptor Lake platform. Hence updating the ID accordingly. + +Fixes: bad0d1d726ac ("usb: dwc3: pci: Add support for Intel Raptor Lake") +Cc: stable +Reviewed-by: Heikki Krogerus +Signed-off-by: Shruthi Sanil +Link: https://lore.kernel.org/r/20221125105327.27945-1-shruthi.sanil@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -45,7 +45,7 @@ + #define PCI_DEVICE_ID_INTEL_ADLN 0x465e + #define PCI_DEVICE_ID_INTEL_ADLN_PCH 0x54ee + #define PCI_DEVICE_ID_INTEL_ADLS 0x7ae1 +-#define PCI_DEVICE_ID_INTEL_RPL 0x460e ++#define PCI_DEVICE_ID_INTEL_RPL 0xa70e + #define PCI_DEVICE_ID_INTEL_RPLS 0x7a61 + #define PCI_DEVICE_ID_INTEL_MTLP 0x7ec1 + #define PCI_DEVICE_ID_INTEL_MTL 0x7e7e diff --git a/queue-6.1/usb-typec-ucsi-resume-in-separate-work.patch b/queue-6.1/usb-typec-ucsi-resume-in-separate-work.patch new file mode 100644 index 00000000000..81e35e65f02 --- /dev/null +++ b/queue-6.1/usb-typec-ucsi-resume-in-separate-work.patch @@ -0,0 +1,96 @@ +From e0dced9c7d4763fd97c86a13902d135f03cc42eb Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Wed, 23 Nov 2022 11:30:21 +0200 +Subject: usb: typec: ucsi: Resume in separate work + +From: Heikki Krogerus + +commit e0dced9c7d4763fd97c86a13902d135f03cc42eb upstream. + +It can take more than one second to check each connector +when the system is resumed. So if you have, say, eight +connectors, it may take eight seconds for ucsi_resume() to +finish. That's a bit too much. + +This will modify ucsi_resume() so that it schedules a work +where the interface is actually resumed instead of checking +the connectors directly. The connections will also be +checked in separate tasks which are queued for each connector +separately. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216706 +Fixes: 99f6d4361113 ("usb: typec: ucsi: Check the connection on resume") +Cc: +Reported-by: Todd Brandt +Signed-off-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20221123093021.25981-1-heikki.krogerus@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi.c | 17 +++++++++++++---- + drivers/usb/typec/ucsi/ucsi.h | 1 + + 2 files changed, 14 insertions(+), 4 deletions(-) + +--- a/drivers/usb/typec/ucsi/ucsi.c ++++ b/drivers/usb/typec/ucsi/ucsi.c +@@ -1270,8 +1270,9 @@ err: + return ret; + } + +-int ucsi_resume(struct ucsi *ucsi) ++static void ucsi_resume_work(struct work_struct *work) + { ++ struct ucsi *ucsi = container_of(work, struct ucsi, resume_work); + struct ucsi_connector *con; + u64 command; + int ret; +@@ -1279,15 +1280,21 @@ int ucsi_resume(struct ucsi *ucsi) + /* Restore UCSI notification enable mask after system resume */ + command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy; + ret = ucsi_send_command(ucsi, command, NULL, 0); +- if (ret < 0) +- return ret; ++ if (ret < 0) { ++ dev_err(ucsi->dev, "failed to re-enable notifications (%d)\n", ret); ++ return; ++ } + + for (con = ucsi->connector; con->port; con++) { + mutex_lock(&con->lock); +- ucsi_check_connection(con); ++ ucsi_partner_task(con, ucsi_check_connection, 1, 0); + mutex_unlock(&con->lock); + } ++} + ++int ucsi_resume(struct ucsi *ucsi) ++{ ++ queue_work(system_long_wq, &ucsi->resume_work); + return 0; + } + EXPORT_SYMBOL_GPL(ucsi_resume); +@@ -1347,6 +1354,7 @@ struct ucsi *ucsi_create(struct device * + if (!ucsi) + return ERR_PTR(-ENOMEM); + ++ INIT_WORK(&ucsi->resume_work, ucsi_resume_work); + INIT_DELAYED_WORK(&ucsi->work, ucsi_init_work); + mutex_init(&ucsi->ppm_lock); + ucsi->dev = dev; +@@ -1401,6 +1409,7 @@ void ucsi_unregister(struct ucsi *ucsi) + + /* Make sure that we are not in the middle of driver initialization */ + cancel_delayed_work_sync(&ucsi->work); ++ cancel_work_sync(&ucsi->resume_work); + + /* Disable notifications */ + ucsi->ops->async_write(ucsi, UCSI_CONTROL, &cmd, sizeof(cmd)); +--- a/drivers/usb/typec/ucsi/ucsi.h ++++ b/drivers/usb/typec/ucsi/ucsi.h +@@ -287,6 +287,7 @@ struct ucsi { + struct ucsi_capability cap; + struct ucsi_connector *connector; + ++ struct work_struct resume_work; + struct delayed_work work; + int work_count; + #define UCSI_ROLE_SWITCH_RETRY_PER_HZ 10 diff --git a/queue-6.1/usb-ulpi-defer-ulpi_register-on-ulpi_read_id-timeout.patch b/queue-6.1/usb-ulpi-defer-ulpi_register-on-ulpi_read_id-timeout.patch new file mode 100644 index 00000000000..8e85b8e3f06 --- /dev/null +++ b/queue-6.1/usb-ulpi-defer-ulpi_register-on-ulpi_read_id-timeout.patch @@ -0,0 +1,43 @@ +From 8a7b31d545d3a15f0e6f5984ae16f0ca4fd76aac Mon Sep 17 00:00:00 2001 +From: Ferry Toth +Date: Mon, 5 Dec 2022 21:15:26 +0100 +Subject: usb: ulpi: defer ulpi_register on ulpi_read_id timeout + +From: Ferry Toth + +commit 8a7b31d545d3a15f0e6f5984ae16f0ca4fd76aac upstream. + +Since commit 0f0101719138 ("usb: dwc3: Don't switch OTG -> peripheral +if extcon is present") Dual Role support on Intel Merrifield platform +broke due to rearranging the call to dwc3_get_extcon(). + +It appears to be caused by ulpi_read_id() on the first test write failing +with -ETIMEDOUT. Currently ulpi_read_id() expects to discover the phy via +DT when the test write fails and returns 0 in that case, even if DT does not +provide the phy. As a result usb probe completes without phy. + +Make ulpi_read_id() return -ETIMEDOUT to its user if the first test write +fails. The user should then handle it appropriately. A follow up patch +will make dwc3_core_init() set -EPROBE_DEFER in this case and bail out. + +Fixes: ef6a7bcfb01c ("usb: ulpi: Support device discovery via DT") +Cc: stable@vger.kernel.org +Acked-by: Heikki Krogerus +Signed-off-by: Ferry Toth +Link: https://lore.kernel.org/r/20221205201527.13525-2-ftoth@exalondelft.nl +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/common/ulpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/common/ulpi.c ++++ b/drivers/usb/common/ulpi.c +@@ -207,7 +207,7 @@ static int ulpi_read_id(struct ulpi *ulp + /* Test the interface */ + ret = ulpi_write(ulpi, ULPI_SCRATCH, 0xaa); + if (ret < 0) +- goto err; ++ return ret; + + ret = ulpi_read(ulpi, ULPI_SCRATCH); + if (ret < 0) diff --git a/queue-6.1/xhci-apply-xhci_reset_to_default-quirk-to-adl-n.patch b/queue-6.1/xhci-apply-xhci_reset_to_default-quirk-to-adl-n.patch new file mode 100644 index 00000000000..9b0180c3c22 --- /dev/null +++ b/queue-6.1/xhci-apply-xhci_reset_to_default-quirk-to-adl-n.patch @@ -0,0 +1,48 @@ +From fed70b61ef2c0aed54456db3d485b215f6cc3209 Mon Sep 17 00:00:00 2001 +From: Reka Norman +Date: Wed, 30 Nov 2022 11:19:40 +0200 +Subject: xhci: Apply XHCI_RESET_TO_DEFAULT quirk to ADL-N + +From: Reka Norman + +commit fed70b61ef2c0aed54456db3d485b215f6cc3209 upstream. + +ADL-N systems have the same issue as ADL-P, where a large boot firmware +delay is seen if USB ports are left in U3 at shutdown. So apply the +XHCI_RESET_TO_DEFAULT quirk to ADL-N as well. + +This patch depends on commit 34cd2db408d5 ("xhci: Add quirk to reset +host back to default state at shutdown"). + +The issue it fixes is a ~20s boot time delay when booting from S5. It +affects ADL-N devices, and ADL-N support was added starting from v5.16. + +Cc: stable@vger.kernel.org +Signed-off-by: Reka Norman +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20221130091944.2171610-3-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-pci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -59,6 +59,7 @@ + #define PCI_DEVICE_ID_INTEL_TIGER_LAKE_XHCI 0x9a13 + #define PCI_DEVICE_ID_INTEL_MAPLE_RIDGE_XHCI 0x1138 + #define PCI_DEVICE_ID_INTEL_ALDER_LAKE_PCH_XHCI 0x51ed ++#define PCI_DEVICE_ID_INTEL_ALDER_LAKE_N_PCH_XHCI 0x54ed + + #define PCI_DEVICE_ID_AMD_RENOIR_XHCI 0x1639 + #define PCI_DEVICE_ID_AMD_PROMONTORYA_4 0x43b9 +@@ -246,7 +247,8 @@ static void xhci_pci_quirks(struct devic + xhci->quirks |= XHCI_MISSING_CAS; + + if (pdev->vendor == PCI_VENDOR_ID_INTEL && +- pdev->device == PCI_DEVICE_ID_INTEL_ALDER_LAKE_PCH_XHCI) ++ (pdev->device == PCI_DEVICE_ID_INTEL_ALDER_LAKE_PCH_XHCI || ++ pdev->device == PCI_DEVICE_ID_INTEL_ALDER_LAKE_N_PCH_XHCI)) + xhci->quirks |= XHCI_RESET_TO_DEFAULT; + + if (pdev->vendor == PCI_VENDOR_ID_INTEL &&