6.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 17 Jun 2024 09:13:39 +0000 (11:13 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 17 Jun 2024 09:13:39 +0000 (11:13 +0200)
added patches:
kcov-usb-disable-interrupts-in-kcov_remote_start_usb_softirq.patch
landlock-fix-d_parent-walk.patch
mei-me-release-irq-in-mei_me_pci_resume-error-path.patch
mei-vsc-don-t-stop-restart-mei-device-during-system-suspend-resume.patch
serial-8250_pxa-configure-tx_loadsz-to-match-fifo-irq-level.patch
serial-port-don-t-block-system-suspend-even-if-bytes-are-left-to-xmit.patch
tty-n_tty-fix-buffer-offsets-when-lookahead-is-used.patch
usb-class-cdc-wdm-fix-cpu-lockup-caused-by-excessive-log-messages.patch
usb-typec-tcpm-fix-use-after-free-case-in-tcpm_register_source_caps.patch
usb-typec-tcpm-ignore-received-hard-reset-in-toggling-state.patch
usb-xen-hcd-traverse-host-when-config_usb_xen_hcd-is-selected.patch

12 files changed:
queue-6.9/kcov-usb-disable-interrupts-in-kcov_remote_start_usb_softirq.patch [new file with mode: 0644]
queue-6.9/landlock-fix-d_parent-walk.patch [new file with mode: 0644]
queue-6.9/mei-me-release-irq-in-mei_me_pci_resume-error-path.patch [new file with mode: 0644]
queue-6.9/mei-vsc-don-t-stop-restart-mei-device-during-system-suspend-resume.patch [new file with mode: 0644]
queue-6.9/serial-8250_pxa-configure-tx_loadsz-to-match-fifo-irq-level.patch [new file with mode: 0644]
queue-6.9/serial-port-don-t-block-system-suspend-even-if-bytes-are-left-to-xmit.patch [new file with mode: 0644]
queue-6.9/series
queue-6.9/tty-n_tty-fix-buffer-offsets-when-lookahead-is-used.patch [new file with mode: 0644]
queue-6.9/usb-class-cdc-wdm-fix-cpu-lockup-caused-by-excessive-log-messages.patch [new file with mode: 0644]
queue-6.9/usb-typec-tcpm-fix-use-after-free-case-in-tcpm_register_source_caps.patch [new file with mode: 0644]
queue-6.9/usb-typec-tcpm-ignore-received-hard-reset-in-toggling-state.patch [new file with mode: 0644]
queue-6.9/usb-xen-hcd-traverse-host-when-config_usb_xen_hcd-is-selected.patch [new file with mode: 0644]

diff --git a/queue-6.9/kcov-usb-disable-interrupts-in-kcov_remote_start_usb_softirq.patch b/queue-6.9/kcov-usb-disable-interrupts-in-kcov_remote_start_usb_softirq.patch
new file mode 100644 (file)
index 0000000..615fe50
--- /dev/null
@@ -0,0 +1,141 @@
+From f85d39dd7ed89ffdd622bc1de247ffba8d961504 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@gmail.com>
+Date: Mon, 27 May 2024 19:35:38 +0200
+Subject: kcov, usb: disable interrupts in kcov_remote_start_usb_softirq
+
+From: Andrey Konovalov <andreyknvl@gmail.com>
+
+commit f85d39dd7ed89ffdd622bc1de247ffba8d961504 upstream.
+
+After commit 8fea0c8fda30 ("usb: core: hcd: Convert from tasklet to BH
+workqueue"), usb_giveback_urb_bh() runs in the BH workqueue with
+interrupts enabled.
+
+Thus, the remote coverage collection section in usb_giveback_urb_bh()->
+__usb_hcd_giveback_urb() might be interrupted, and the interrupt handler
+might invoke __usb_hcd_giveback_urb() again.
+
+This breaks KCOV, as it does not support nested remote coverage collection
+sections within the same context (neither in task nor in softirq).
+
+Update kcov_remote_start/stop_usb_softirq() to disable interrupts for the
+duration of the coverage collection section to avoid nested sections in
+the softirq context (in addition to such in the task context, which are
+already handled).
+
+Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Closes: https://lore.kernel.org/linux-usb/0f4d1964-7397-485b-bc48-11c01e2fcbca@I-love.SAKURA.ne.jp/
+Closes: https://syzkaller.appspot.com/bug?extid=0438378d6f157baae1a2
+Suggested-by: Alan Stern <stern@rowland.harvard.edu>
+Fixes: 8fea0c8fda30 ("usb: core: hcd: Convert from tasklet to BH workqueue")
+Cc: stable@vger.kernel.org
+Acked-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
+Link: https://lore.kernel.org/r/20240527173538.4989-1-andrey.konovalov@linux.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/hcd.c |   12 +++++++-----
+ include/linux/kcov.h   |   47 ++++++++++++++++++++++++++++++++++++++---------
+ 2 files changed, 45 insertions(+), 14 deletions(-)
+
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -1623,6 +1623,7 @@ static void __usb_hcd_giveback_urb(struc
+       struct usb_hcd *hcd = bus_to_hcd(urb->dev->bus);
+       struct usb_anchor *anchor = urb->anchor;
+       int status = urb->unlinked;
++      unsigned long flags;
+       urb->hcpriv = NULL;
+       if (unlikely((urb->transfer_flags & URB_SHORT_NOT_OK) &&
+@@ -1640,13 +1641,14 @@ static void __usb_hcd_giveback_urb(struc
+       /* pass ownership to the completion handler */
+       urb->status = status;
+       /*
+-       * This function can be called in task context inside another remote
+-       * coverage collection section, but kcov doesn't support that kind of
+-       * recursion yet. Only collect coverage in softirq context for now.
++       * Only collect coverage in the softirq context and disable interrupts
++       * to avoid scenarios with nested remote coverage collection sections
++       * that KCOV does not support.
++       * See the comment next to kcov_remote_start_usb_softirq() for details.
+        */
+-      kcov_remote_start_usb_softirq((u64)urb->dev->bus->busnum);
++      flags = kcov_remote_start_usb_softirq((u64)urb->dev->bus->busnum);
+       urb->complete(urb);
+-      kcov_remote_stop_softirq();
++      kcov_remote_stop_softirq(flags);
+       usb_anchor_resume_wakeups(anchor);
+       atomic_dec(&urb->use_count);
+--- a/include/linux/kcov.h
++++ b/include/linux/kcov.h
+@@ -55,21 +55,47 @@ static inline void kcov_remote_start_usb
+ /*
+  * The softirq flavor of kcov_remote_*() functions is introduced as a temporary
+- * work around for kcov's lack of nested remote coverage sections support in
+- * task context. Adding support for nested sections is tracked in:
+- * https://bugzilla.kernel.org/show_bug.cgi?id=210337
++ * workaround for KCOV's lack of nested remote coverage sections support.
++ *
++ * Adding support is tracked in https://bugzilla.kernel.org/show_bug.cgi?id=210337.
++ *
++ * kcov_remote_start_usb_softirq():
++ *
++ * 1. Only collects coverage when called in the softirq context. This allows
++ *    avoiding nested remote coverage collection sections in the task context.
++ *    For example, USB/IP calls usb_hcd_giveback_urb() in the task context
++ *    within an existing remote coverage collection section. Thus, KCOV should
++ *    not attempt to start collecting coverage within the coverage collection
++ *    section in __usb_hcd_giveback_urb() in this case.
++ *
++ * 2. Disables interrupts for the duration of the coverage collection section.
++ *    This allows avoiding nested remote coverage collection sections in the
++ *    softirq context (a softirq might occur during the execution of a work in
++ *    the BH workqueue, which runs with in_serving_softirq() > 0).
++ *    For example, usb_giveback_urb_bh() runs in the BH workqueue with
++ *    interrupts enabled, so __usb_hcd_giveback_urb() might be interrupted in
++ *    the middle of its remote coverage collection section, and the interrupt
++ *    handler might invoke __usb_hcd_giveback_urb() again.
+  */
+-static inline void kcov_remote_start_usb_softirq(u64 id)
++static inline unsigned long kcov_remote_start_usb_softirq(u64 id)
+ {
+-      if (in_serving_softirq())
++      unsigned long flags = 0;
++
++      if (in_serving_softirq()) {
++              local_irq_save(flags);
+               kcov_remote_start_usb(id);
++      }
++
++      return flags;
+ }
+-static inline void kcov_remote_stop_softirq(void)
++static inline void kcov_remote_stop_softirq(unsigned long flags)
+ {
+-      if (in_serving_softirq())
++      if (in_serving_softirq()) {
+               kcov_remote_stop();
++              local_irq_restore(flags);
++      }
+ }
+ #ifdef CONFIG_64BIT
+@@ -103,8 +129,11 @@ static inline u64 kcov_common_handle(voi
+ }
+ static inline void kcov_remote_start_common(u64 id) {}
+ static inline void kcov_remote_start_usb(u64 id) {}
+-static inline void kcov_remote_start_usb_softirq(u64 id) {}
+-static inline void kcov_remote_stop_softirq(void) {}
++static inline unsigned long kcov_remote_start_usb_softirq(u64 id)
++{
++      return 0;
++}
++static inline void kcov_remote_stop_softirq(unsigned long flags) {}
+ #endif /* CONFIG_KCOV */
+ #endif /* _LINUX_KCOV_H */
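Review bot: kcov_remote_stop_softirq() in include/linux/kcov.h restores interrupts only if in_serving_softirq() is true again at stop time, so the pairing with kcov_remote_start_usb_softirq() depends on both calls seeing the same context, and the new header comment does not state that contract. I would add a line to the comment block, `* kcov_remote_stop_softirq() must run in the same context as the matching start and be given the flags it returned.` It is also worth recording next to the hcd.c call that `urb->complete(urb)` now runs with interrupts disabled in softirq context on CONFIG_KCOV kernels only (the !CONFIG_KCOV stubs do nothing), so completion handlers see a different IRQ state in fuzzing builds than in production builds. __usb_hcd_giveback_urb() starts and ends outside the hunks shown.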
diff --git a/queue-6.9/landlock-fix-d_parent-walk.patch b/queue-6.9/landlock-fix-d_parent-walk.patch
new file mode 100644 (file)
index 0000000..0d7bc64
--- /dev/null
@@ -0,0 +1,64 @@
+From 88da52ccd66e65f2e63a6c35c9dff55d448ef4dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
+Date: Thu, 16 May 2024 20:19:34 +0200
+Subject: landlock: Fix d_parent walk
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün <mic@digikod.net>
+
+commit 88da52ccd66e65f2e63a6c35c9dff55d448ef4dc upstream.
+
+The WARN_ON_ONCE() in collect_domain_accesses() can be triggered when
+trying to link a root mount point.  This cannot work in practice because
+this directory is mounted, but the VFS check is done after the call to
+security_path_link().
+
+Do not use source directory's d_parent when the source directory is the
+mount point.
+
+Cc: Günther Noack <gnoack@google.com>
+Cc: Paul Moore <paul@paul-moore.com>
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+bf4903dc7e12b18ebc87@syzkaller.appspotmail.com
+Fixes: b91c3e4ea756 ("landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER")
+Closes: https://lore.kernel.org/r/000000000000553d3f0618198200@google.com
+Link: https://lore.kernel.org/r/20240516181935.1645983-2-mic@digikod.net
+[mic: Fix commit message]
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/landlock/fs.c |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/security/landlock/fs.c
++++ b/security/landlock/fs.c
+@@ -950,6 +950,7 @@ static int current_check_refer_path(stru
+       bool allow_parent1, allow_parent2;
+       access_mask_t access_request_parent1, access_request_parent2;
+       struct path mnt_dir;
++      struct dentry *old_parent;
+       layer_mask_t layer_masks_parent1[LANDLOCK_NUM_ACCESS_FS] = {},
+                    layer_masks_parent2[LANDLOCK_NUM_ACCESS_FS] = {};
+@@ -997,9 +998,17 @@ static int current_check_refer_path(stru
+       mnt_dir.mnt = new_dir->mnt;
+       mnt_dir.dentry = new_dir->mnt->mnt_root;
++      /*
++       * old_dentry may be the root of the common mount point and
++       * !IS_ROOT(old_dentry) at the same time (e.g. with open_tree() and
++       * OPEN_TREE_CLONE).  We do not need to call dget(old_parent) because
++       * we keep a reference to old_dentry.
++       */
++      old_parent = (old_dentry == mnt_dir.dentry) ? old_dentry :
++                                                    old_dentry->d_parent;
++
+       /* new_dir->dentry is equal to new_dentry->d_parent */
+-      allow_parent1 = collect_domain_accesses(dom, mnt_dir.dentry,
+-                                              old_dentry->d_parent,
++      allow_parent1 = collect_domain_accesses(dom, mnt_dir.dentry, old_parent,
+                                               &layer_masks_parent1);
+       allow_parent2 = collect_domain_accesses(
+               dom, mnt_dir.dentry, new_dir->dentry, &layer_masks_parent2);
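Review bot: The new comment in current_check_refer_path() explains how old_dentry can be the mount root and why no dget() is needed, but not why using old_dentry itself as the starting point is an acceptable input to the access check. The commit message has the missing piece, and I would carry it into the comment: `* The VFS refuses to link a mount root, but only after security_path_link() has run.` The equality test uses mnt_dir.dentry, which is derived from new_dir->mnt, so it appears to rely on old_dentry living on the same mount; that guarantee is not visible in this hunk and should be confirmed. No regression test for the open_tree()/OPEN_TREE_CLONE case is part of this patch as shown.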
diff --git a/queue-6.9/mei-me-release-irq-in-mei_me_pci_resume-error-path.patch b/queue-6.9/mei-me-release-irq-in-mei_me_pci_resume-error-path.patch
new file mode 100644 (file)
index 0000000..64f4918
--- /dev/null
@@ -0,0 +1,35 @@
+From 283cb234ef95d94c61f59e1cd070cd9499b51292 Mon Sep 17 00:00:00 2001
+From: Tomas Winkler <tomas.winkler@intel.com>
+Date: Tue, 4 Jun 2024 12:07:28 +0300
+Subject: mei: me: release irq in mei_me_pci_resume error path
+
+From: Tomas Winkler <tomas.winkler@intel.com>
+
+commit 283cb234ef95d94c61f59e1cd070cd9499b51292 upstream.
+
+The mei_me_pci_resume doesn't release irq on the error path,
+in case mei_start() fails.
+
+Cc: <stable@kernel.org>
+Fixes: 33ec08263147 ("mei: revamp mei reset state machine")
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Link: https://lore.kernel.org/r/20240604090728.1027307-1-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/pci-me.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -385,8 +385,10 @@ static int mei_me_pci_resume(struct devi
+       }
+       err = mei_restart(dev);
+-      if (err)
++      if (err) {
++              free_irq(pdev->irq, dev);
+               return err;
++      }
+       /* Start timer if stopped in suspend */
+       schedule_delayed_work(&dev->timer_work, HZ);
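Review bot: The added `free_irq(pdev->irq, dev)` on the mei_restart() failure path of mei_me_pci_resume() releases only the IRQ; anything else the resume path set up before this point (for example MSI, if it is enabled earlier in the function, which this hunk does not show) is still left in place on this return. It would also be worth confirming that a suspend following a failed resume cannot reach free_irq() a second time for the same IRQ. A wording point for the changelog: it says mei_start() fails, while the call guarded in the hunk is mei_restart(). The function starts and ends outside the hunk.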
diff --git a/queue-6.9/mei-vsc-don-t-stop-restart-mei-device-during-system-suspend-resume.patch b/queue-6.9/mei-vsc-don-t-stop-restart-mei-device-during-system-suspend-resume.patch
new file mode 100644 (file)
index 0000000..5f47de7
--- /dev/null
@@ -0,0 +1,92 @@
+From 9b5e045029d8bded4c6979874ed3abc347c1415c Mon Sep 17 00:00:00 2001
+From: Wentong Wu <wentong.wu@intel.com>
+Date: Mon, 27 May 2024 20:38:35 +0800
+Subject: mei: vsc: Don't stop/restart mei device during system suspend/resume
+
+From: Wentong Wu <wentong.wu@intel.com>
+
+commit 9b5e045029d8bded4c6979874ed3abc347c1415c upstream.
+
+The dynamically created mei client device (mei csi) is used as one V4L2
+sub device of the whole video pipeline, and the V4L2 connection graph is
+built by software node. The mei_stop() and mei_restart() will delete the
+old mei csi client device and create a new mei client device, which will
+cause the software node information saved in old mei csi device lost and
+the whole video pipeline will be broken.
+
+Removing mei_stop()/mei_restart() during system suspend/resume can fix
+the issue above and won't impact hardware actual power saving logic.
+
+Fixes: f6085a96c973 ("mei: vsc: Unregister interrupt handler for system suspend")
+Cc: stable@vger.kernel.org # for 6.8+
+Reported-by: Hao Yao <hao.yao@intel.com>
+Signed-off-by: Wentong Wu <wentong.wu@intel.com>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Tested-by: Jason Chen <jason.z.chen@intel.com>
+Tested-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Acked-by: Tomas Winkler <tomas.winkler@intel.com>
+Link: https://lore.kernel.org/r/20240527123835.522384-1-wentong.wu@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/platform-vsc.c |   39 +++++++++++++++------------------------
+ 1 file changed, 15 insertions(+), 24 deletions(-)
+
+--- a/drivers/misc/mei/platform-vsc.c
++++ b/drivers/misc/mei/platform-vsc.c
+@@ -399,41 +399,32 @@ static void mei_vsc_remove(struct platfo
+ static int mei_vsc_suspend(struct device *dev)
+ {
+-      struct mei_device *mei_dev = dev_get_drvdata(dev);
+-      struct mei_vsc_hw *hw = mei_dev_to_vsc_hw(mei_dev);
++      struct mei_device *mei_dev;
++      int ret = 0;
+-      mei_stop(mei_dev);
++      mei_dev = dev_get_drvdata(dev);
++      if (!mei_dev)
++              return -ENODEV;
+-      mei_disable_interrupts(mei_dev);
++      mutex_lock(&mei_dev->device_lock);
+-      vsc_tp_free_irq(hw->tp);
++      if (!mei_write_is_idle(mei_dev))
++              ret = -EAGAIN;
+-      return 0;
++      mutex_unlock(&mei_dev->device_lock);
++
++      return ret;
+ }
+ static int mei_vsc_resume(struct device *dev)
+ {
+-      struct mei_device *mei_dev = dev_get_drvdata(dev);
+-      struct mei_vsc_hw *hw = mei_dev_to_vsc_hw(mei_dev);
+-      int ret;
+-
+-      ret = vsc_tp_request_irq(hw->tp);
+-      if (ret)
+-              return ret;
+-
+-      ret = mei_restart(mei_dev);
+-      if (ret)
+-              goto err_free;
++      struct mei_device *mei_dev;
+-      /* start timer if stopped in suspend */
+-      schedule_delayed_work(&mei_dev->timer_work, HZ);
++      mei_dev = dev_get_drvdata(dev);
++      if (!mei_dev)
++              return -ENODEV;
+       return 0;
+-
+-err_free:
+-      vsc_tp_free_irq(hw->tp);
+-
+-      return ret;
+ }
+ static DEFINE_SIMPLE_DEV_PM_OPS(mei_vsc_pm_ops, mei_vsc_suspend, mei_vsc_resume);
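Review bot: mei_vsc_suspend() no longer calls mei_disable_interrupts() or vsc_tp_free_irq(), and neither the new code nor the changelog says what now keeps the interrupt handler quiet across system suspend, which is what the commit named in Fixes: unregistered it for. If that is handled elsewhere, a comment at the top of the function would stop the next reader from reintroducing the teardown, e.g. `/* Keep the mei client devices and the IRQ across suspend; only refuse to suspend while a write is in flight. */`. The new `ret = -EAGAIN` when mei_write_is_idle() is false aborts the whole system suspend, so it should be stated that this is intended. mei_vsc_resume() is reduced to a drvdata NULL check, which also deserves a one-line comment saying that nothing needs restoring.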
diff --git a/queue-6.9/serial-8250_pxa-configure-tx_loadsz-to-match-fifo-irq-level.patch b/queue-6.9/serial-8250_pxa-configure-tx_loadsz-to-match-fifo-irq-level.patch
new file mode 100644 (file)
index 0000000..83c7484
--- /dev/null
@@ -0,0 +1,35 @@
+From 5208e7ced520a813b4f4774451fbac4e517e78b2 Mon Sep 17 00:00:00 2001
+From: Doug Brown <doug@schmorgal.com>
+Date: Sun, 19 May 2024 12:19:30 -0700
+Subject: serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level
+
+From: Doug Brown <doug@schmorgal.com>
+
+commit 5208e7ced520a813b4f4774451fbac4e517e78b2 upstream.
+
+The FIFO is 64 bytes, but the FCR is configured to fire the TX interrupt
+when the FIFO is half empty (bit 3 = 0). Thus, we should only write 32
+bytes when a TX interrupt occurs.
+
+This fixes a problem observed on the PXA168 that dropped a bunch of TX
+bytes during large transmissions.
+
+Fixes: ab28f51c77cd ("serial: rewrite pxa2xx-uart to use 8250_core")
+Signed-off-by: Doug Brown <doug@schmorgal.com>
+Link: https://lore.kernel.org/r/20240519191929.122202-1-doug@schmorgal.com
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_pxa.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/serial/8250/8250_pxa.c
++++ b/drivers/tty/serial/8250/8250_pxa.c
+@@ -125,6 +125,7 @@ static int serial_pxa_probe(struct platf
+       uart.port.iotype = UPIO_MEM32;
+       uart.port.regshift = 2;
+       uart.port.fifosize = 64;
++      uart.tx_loadsz = 32;
+       uart.dl_write = serial_pxa_dl_write;
+       ret = serial8250_register_8250_port(&uart);
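Review bot: `uart.tx_loadsz = 32;` in serial_pxa_probe() is a bare number whose relation to `uart.port.fifosize = 64` and the FCR trigger level is explained only in the changelog. A trailing comment keeps the two values from drifting apart if the trigger level is ever changed: `uart.tx_loadsz = 32; /* TX IRQ fires at half-empty FIFO (FCR bit 3 = 0) */`. The probe function continues outside the hunk.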
diff --git a/queue-6.9/serial-port-don-t-block-system-suspend-even-if-bytes-are-left-to-xmit.patch b/queue-6.9/serial-port-don-t-block-system-suspend-even-if-bytes-are-left-to-xmit.patch
new file mode 100644 (file)
index 0000000..5867288
--- /dev/null
@@ -0,0 +1,67 @@
+From ca84cd379b45e9b1775b9e026f069a3a886b409d Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Fri, 31 May 2024 08:09:18 -0700
+Subject: serial: port: Don't block system suspend even if bytes are left to xmit
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit ca84cd379b45e9b1775b9e026f069a3a886b409d upstream.
+
+Recently, suspend testing on sc7180-trogdor based devices has started
+to sometimes fail with messages like this:
+
+  port a88000.serial:0.0: PM: calling pm_runtime_force_suspend+0x0/0xf8 @ 28934, parent: a88000.serial:0
+  port a88000.serial:0.0: PM: dpm_run_callback(): pm_runtime_force_suspend+0x0/0xf8 returns -16
+  port a88000.serial:0.0: PM: pm_runtime_force_suspend+0x0/0xf8 returned -16 after 33 usecs
+  port a88000.serial:0.0: PM: failed to suspend: error -16
+
+I could reproduce these problems by logging in via an agetty on the
+debug serial port (which was _not_ used for kernel console) and
+running:
+  cat /var/log/messages
+...and then (via an SSH session) forcing a few suspend/resume cycles.
+
+Tracing through the code and doing some printf()-based debugging shows
+that the -16 (-EBUSY) comes from the recently added
+serial_port_runtime_suspend().
+
+The idea of the serial_port_runtime_suspend() function is to prevent
+the port from being _runtime_ suspended if it still has bytes left to
+transmit. Having bytes left to transmit isn't a reason to block
+_system_ suspend, though. If a serdev device in the kernel needs to
+block system suspend it should block its own suspend and it can use
+serdev_device_wait_until_sent() to ensure bytes are sent.
+
+The DEFINE_RUNTIME_DEV_PM_OPS() used by the serial_port code means
+that the system suspend function will be pm_runtime_force_suspend().
+In pm_runtime_force_suspend() we can see that before calling the
+runtime suspend function we'll call pm_runtime_disable(). This should
+be a reliable way to detect that we're called from system suspend and
+that we shouldn't look for busyness.
+
+Fixes: 43066e32227e ("serial: port: Don't suspend if the port is still busy")
+Cc: stable@vger.kernel.org
+Reviewed-by: Tony Lindgren <tony.lindgren@linux.intel.com>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20240531080914.v3.1.I2395e66cf70c6e67d774c56943825c289b9c13e4@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/serial_port.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/tty/serial/serial_port.c
++++ b/drivers/tty/serial/serial_port.c
+@@ -63,6 +63,13 @@ static int serial_port_runtime_suspend(s
+       if (port->flags & UPF_DEAD)
+               return 0;
++      /*
++       * Nothing to do on pm_runtime_force_suspend(), see
++       * DEFINE_RUNTIME_DEV_PM_OPS.
++       */
++      if (!pm_runtime_enabled(dev))
++              return 0;
++
+       uart_port_lock_irqsave(port, &flags);
+       if (!port_dev->tx_enabled) {
+               uart_port_unlock_irqrestore(port, flags);
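Review bot: The new early return in serial_port_runtime_suspend() treats `!pm_runtime_enabled(dev)` as meaning "called from pm_runtime_force_suspend()", and the comment does not say why that inference holds. I would spell it out in the comment: `* pm_runtime_force_suspend() calls pm_runtime_disable() before invoking this callback, so runtime PM being disabled here means system suspend.` It also deserves a line saying that bytes still queued for transmit are deliberately not waited for on this path, since the changelog moves that responsibility to the serdev driver. The function body continues outside the hunk.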
index 8127b2498728733e34ac739f0832bf7131aa8bed..a37fdf85a6b7d0ad328f6b054e85a8c4231a02bc 100644 (file)
@@ -82,3 +82,14 @@ eventfs-update-all-the-eventfs_inodes-from-the-event.patch
 .editorconfig-remove-trim_trailing_whitespace-option.patch
 io_uring-rsrc-don-t-lock-while-task_running.patch
 io_uring-fix-cancellation-overwriting-req-flags.patch
+usb-class-cdc-wdm-fix-cpu-lockup-caused-by-excessive-log-messages.patch
+kcov-usb-disable-interrupts-in-kcov_remote_start_usb_softirq.patch
+usb-xen-hcd-traverse-host-when-config_usb_xen_hcd-is-selected.patch
+usb-typec-tcpm-fix-use-after-free-case-in-tcpm_register_source_caps.patch
+usb-typec-tcpm-ignore-received-hard-reset-in-toggling-state.patch
+mei-me-release-irq-in-mei_me_pci_resume-error-path.patch
+mei-vsc-don-t-stop-restart-mei-device-during-system-suspend-resume.patch
+tty-n_tty-fix-buffer-offsets-when-lookahead-is-used.patch
+serial-8250_pxa-configure-tx_loadsz-to-match-fifo-irq-level.patch
+serial-port-don-t-block-system-suspend-even-if-bytes-are-left-to-xmit.patch
+landlock-fix-d_parent-walk.patch
diff --git a/queue-6.9/tty-n_tty-fix-buffer-offsets-when-lookahead-is-used.patch b/queue-6.9/tty-n_tty-fix-buffer-offsets-when-lookahead-is-used.patch
new file mode 100644 (file)
index 0000000..5440611
--- /dev/null
@@ -0,0 +1,67 @@
+From b19ab7ee2c4c1ec5f27c18413c3ab63907f7d55c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= <ilpo.jarvinen@linux.intel.com>
+Date: Tue, 14 May 2024 17:04:29 +0300
+Subject: tty: n_tty: Fix buffer offsets when lookahead is used
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+commit b19ab7ee2c4c1ec5f27c18413c3ab63907f7d55c upstream.
+
+When lookahead has "consumed" some characters (la_count > 0),
+n_tty_receive_buf_standard() and n_tty_receive_buf_closing() for
+characters beyond the la_count are given wrong cp/fp offsets which
+leads to duplicating and losing some characters.
+
+If la_count > 0, correct buffer pointers and make count consistent too
+(the latter is not strictly necessary to fix the issue but seems more
+logical to adjust all variables immediately to keep state consistent).
+
+Reported-by: Vadym Krevs <vkrevs@yahoo.com>
+Fixes: 6bb6fa6908eb ("tty: Implement lookahead to process XON/XOFF timely")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218834
+Tested-by: Vadym Krevs <vkrevs@yahoo.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20240514140429.12087-1-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_tty.c |   22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/n_tty.c
++++ b/drivers/tty/n_tty.c
+@@ -1619,15 +1619,25 @@ static void __receive_buf(struct tty_str
+       else if (ldata->raw || (L_EXTPROC(tty) && !preops))
+               n_tty_receive_buf_raw(tty, cp, fp, count);
+       else if (tty->closing && !L_EXTPROC(tty)) {
+-              if (la_count > 0)
++              if (la_count > 0) {
+                       n_tty_receive_buf_closing(tty, cp, fp, la_count, true);
+-              if (count > la_count)
+-                      n_tty_receive_buf_closing(tty, cp, fp, count - la_count, false);
++                      cp += la_count;
++                      if (fp)
++                              fp += la_count;
++                      count -= la_count;
++              }
++              if (count > 0)
++                      n_tty_receive_buf_closing(tty, cp, fp, count, false);
+       } else {
+-              if (la_count > 0)
++              if (la_count > 0) {
+                       n_tty_receive_buf_standard(tty, cp, fp, la_count, true);
+-              if (count > la_count)
+-                      n_tty_receive_buf_standard(tty, cp, fp, count - la_count, false);
++                      cp += la_count;
++                      if (fp)
++                              fp += la_count;
++                      count -= la_count;
++              }
++              if (count > 0)
++                      n_tty_receive_buf_standard(tty, cp, fp, count, false);
+               flush_echoes(tty);
+               if (tty->ops->flush_chars)
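Review bot: Both rewritten branches in __receive_buf() now execute `cp += la_count` and `count -= la_count` unconditionally, which is only safe if la_count can never exceed count. The old `count > la_count` test tolerated that case, whereas the new code would advance cp (and fp) past the data and, if count is unsigned, wrap. The clamp is presumably applied where la_count is computed, which is outside this hunk; please confirm, and state the invariant at the first adjustment, e.g. `/* la_count <= count, clamped above */`. As a style point, the same five-line adjustment is duplicated in the closing and standard branches and could be done once before the branch that needs it.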
diff --git a/queue-6.9/usb-class-cdc-wdm-fix-cpu-lockup-caused-by-excessive-log-messages.patch b/queue-6.9/usb-class-cdc-wdm-fix-cpu-lockup-caused-by-excessive-log-messages.patch
new file mode 100644 (file)
index 0000000..8558bed
--- /dev/null
@@ -0,0 +1,78 @@
+From 22f00812862564b314784167a89f27b444f82a46 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Thu, 13 Jun 2024 21:30:43 -0400
+Subject: USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 22f00812862564b314784167a89f27b444f82a46 upstream.
+
+The syzbot fuzzer found that the interrupt-URB completion callback in
+the cdc-wdm driver was taking too long, and the driver's immediate
+resubmission of interrupt URBs with -EPROTO status combined with the
+dummy-hcd emulation to cause a CPU lockup:
+
+cdc_wdm 1-1:1.0: nonzero urb status received: -71
+cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes
+watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]
+CPU#0 Utilization every 4s during lockup:
+       #1:  98% system,          0% softirq,     3% hardirq,     0% idle
+       #2:  98% system,          0% softirq,     3% hardirq,     0% idle
+       #3:  98% system,          0% softirq,     3% hardirq,     0% idle
+       #4:  98% system,          0% softirq,     3% hardirq,     0% idle
+       #5:  98% system,          1% softirq,     3% hardirq,     0% idle
+Modules linked in:
+irq event stamp: 73096
+hardirqs last  enabled at (73095): [<ffff80008037bc00>] console_emit_next_record kernel/printk/printk.c:2935 [inline]
+hardirqs last  enabled at (73095): [<ffff80008037bc00>] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994
+hardirqs last disabled at (73096): [<ffff80008af10b00>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
+hardirqs last disabled at (73096): [<ffff80008af10b00>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
+softirqs last  enabled at (73048): [<ffff8000801ea530>] softirq_handle_end kernel/softirq.c:400 [inline]
+softirqs last  enabled at (73048): [<ffff8000801ea530>] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582
+softirqs last disabled at (73043): [<ffff800080020de8>] __do_softirq+0x14/0x20 kernel/softirq.c:588
+CPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G        W          6.10.0-rc2-syzkaller-g8867bbd4a056 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
+
+Testing showed that the problem did not occur if the two error
+messages -- the first two lines above -- were removed; apparently adding
+material to the kernel log takes a surprisingly large amount of time.
+
+In any case, the best approach for preventing these lockups and to
+avoid spamming the log with thousands of error messages per second is
+to ratelimit the two dev_err() calls.  Therefore we replace them with
+dev_err_ratelimited().
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Suggested-by: Greg KH <gregkh@linuxfoundation.org>
+Reported-and-tested-by: syzbot+5f996b83575ef4058638@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-usb/00000000000073d54b061a6a1c65@google.com/
+Reported-and-tested-by: syzbot+1b2abad17596ad03dcff@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-usb/000000000000f45085061aa9b37e@google.com/
+Fixes: 9908a32e94de ("USB: remove err() macro from usb class drivers")
+Link: https://lore.kernel.org/linux-usb/40dfa45b-5f21-4eef-a8c1-51a2f320e267@rowland.harvard.edu/
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/29855215-52f5-4385-b058-91f42c2bee18@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-wdm.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -266,14 +266,14 @@ static void wdm_int_callback(struct urb
+                       dev_err(&desc->intf->dev, "Stall on int endpoint\n");
+                       goto sw; /* halt is cleared in work */
+               default:
+-                      dev_err(&desc->intf->dev,
++                      dev_err_ratelimited(&desc->intf->dev,
+                               "nonzero urb status received: %d\n", status);
+                       break;
+               }
+       }
+       if (urb->actual_length < sizeof(struct usb_cdc_notification)) {
+-              dev_err(&desc->intf->dev, "wdm_int_callback - %d bytes\n",
++              dev_err_ratelimited(&desc->intf->dev, "wdm_int_callback - %d bytes\n",
+                       urb->actual_length);
+               goto exit;
+       }
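Review bot: The `dev_err(&desc->intf->dev, "Stall on int endpoint\n")` call kept as context at the top of this hunk in wdm_int_callback() stays unthrottled, while the two messages below it are switched to dev_err_ratelimited(). All three are driven by URB status that the attached device controls, so if the stall path can also be hit repeatedly it should get the same treatment; it leaves through `goto sw` rather than the immediate-resubmit path, so the rate may be lower, but the hunk does not show that. As a style point, the continuation lines of the two converted calls are no longer aligned with the opening parenthesis after the rename.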
diff --git a/queue-6.9/usb-typec-tcpm-fix-use-after-free-case-in-tcpm_register_source_caps.patch b/queue-6.9/usb-typec-tcpm-fix-use-after-free-case-in-tcpm_register_source_caps.patch
new file mode 100644 (file)
index 0000000..cff5a5f
--- /dev/null
@@ -0,0 +1,48 @@
+From e7e921918d905544500ca7a95889f898121ba886 Mon Sep 17 00:00:00 2001
+From: Amit Sunil Dhamne <amitsd@google.com>
+Date: Tue, 14 May 2024 15:01:31 -0700
+Subject: usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps
+
+From: Amit Sunil Dhamne <amitsd@google.com>
+
+commit e7e921918d905544500ca7a95889f898121ba886 upstream.
+
+There could be a potential use-after-free case in
+tcpm_register_source_caps(). This could happen when:
+ * new (say invalid) source caps are advertised
+ * the existing source caps are unregistered
+ * tcpm_register_source_caps() returns with an error as
+   usb_power_delivery_register_capabilities() fails
+
+This causes port->partner_source_caps to hold on to the now freed source
+caps.
+
+Reset port->partner_source_caps value to NULL after unregistering
+existing source caps.
+
+Fixes: 230ecdf71a64 ("usb: typec: tcpm: unregister existing source caps before re-registration")
+Cc: stable@vger.kernel.org
+Signed-off-by: Amit Sunil Dhamne <amitsd@google.com>
+Reviewed-by: Ondrej Jirman <megi@xff.cz>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20240514220134.2143181-1-amitsd@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/tcpm.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -3014,8 +3014,10 @@ static int tcpm_register_source_caps(str
+       memcpy(caps.pdo, port->source_caps, sizeof(u32) * port->nr_source_caps);
+       caps.role = TYPEC_SOURCE;
+-      if (cap)
++      if (cap) {
+               usb_power_delivery_unregister_capabilities(cap);
++              port->partner_source_caps = NULL;
++      }
+       cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps);
+       if (IS_ERR(cap))
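Review bot: The added `port->partner_source_caps = NULL;` in tcpm_register_source_caps() has no comment, and its purpose is not obvious from the code, because it only matters when the registration call just below fails and the function returns early. I would put `/* do not leave a dangling pointer if re-registration fails */` above it. Readers of port->partner_source_caps will now see NULL between the unregister and a successful re-register, so it is worth confirming they are serialized with this function; the locking is not visible in the hunk. If the sink-capabilities path uses the same unregister-then-register sequence, it would need the same reset.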
diff --git a/queue-6.9/usb-typec-tcpm-ignore-received-hard-reset-in-toggling-state.patch b/queue-6.9/usb-typec-tcpm-ignore-received-hard-reset-in-toggling-state.patch
new file mode 100644 (file)
index 0000000..732f7e5
--- /dev/null
@@ -0,0 +1,54 @@
+From fc8fb9eea94d8f476e15f3a4a7addeb16b3b99d6 Mon Sep 17 00:00:00 2001
+From: Kyle Tso <kyletso@google.com>
+Date: Mon, 20 May 2024 23:48:58 +0800
+Subject: usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state
+
+From: Kyle Tso <kyletso@google.com>
+
+commit fc8fb9eea94d8f476e15f3a4a7addeb16b3b99d6 upstream.
+
+Similar to what fixed in Commit a6fe37f428c1 ("usb: typec: tcpm: Skip
+hard reset when in error recovery"), the handling of the received Hard
+Reset has to be skipped during TOGGLING state.
+
+[ 4086.021288] VBUS off
+[ 4086.021295] pending state change SNK_READY -> SNK_UNATTACHED @ 650 ms [rev2 NONE_AMS]
+[ 4086.022113] VBUS VSAFE0V
+[ 4086.022117] state change SNK_READY -> SNK_UNATTACHED [rev2 NONE_AMS]
+[ 4086.022447] VBUS off
+[ 4086.022450] state change SNK_UNATTACHED -> SNK_UNATTACHED [rev2 NONE_AMS]
+[ 4086.023060] VBUS VSAFE0V
+[ 4086.023064] state change SNK_UNATTACHED -> SNK_UNATTACHED [rev2 NONE_AMS]
+[ 4086.023070] disable BIST MODE TESTDATA
+[ 4086.023766] disable vbus discharge ret:0
+[ 4086.023911] Setting usb_comm capable false
+[ 4086.028874] Setting voltage/current limit 0 mV 0 mA
+[ 4086.028888] polarity 0
+[ 4086.030305] Requesting mux state 0, usb-role 0, orientation 0
+[ 4086.033539] Start toggling
+[ 4086.038496] state change SNK_UNATTACHED -> TOGGLING [rev2 NONE_AMS]
+
+// This Hard Reset is unexpected
+[ 4086.038499] Received hard reset
+[ 4086.038501] state change TOGGLING -> HARD_RESET_START [rev2 HARD_RESET]
+
+Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kyle Tso <kyletso@google.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20240520154858.1072347-1-kyletso@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/tcpm.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -6174,6 +6174,7 @@ static void _tcpm_pd_hard_reset(struct t
+               port->tcpc->set_bist_data(port->tcpc, false);
+       switch (port->state) {
++      case TOGGLING:
+       case ERROR_RECOVERY:
+       case PORT_RESET:
+       case PORT_RESET_WAIT_OFF:
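Review bot: The new `case TOGGLING:` label in `_tcpm_pd_hard_reset()` joins the states that skip Hard Reset handling without a comment saying why, so the reason is recorded only in the commit message and its log excerpt. A one-line comment above the label would keep it with the code, for example `/* A Hard Reset received while the port is toggling is unexpected; ignore it */`. The switch body and the rest of the function lie outside the hunk, so it cannot be seen from here whether the neighbouring cases are documented. It also cannot be seen whether the other unattached states that precede TOGGLING in the log (such as SNK_UNATTACHED) are already covered; that is worth confirming against the full list.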
diff --git a/queue-6.9/usb-xen-hcd-traverse-host-when-config_usb_xen_hcd-is-selected.patch b/queue-6.9/usb-xen-hcd-traverse-host-when-config_usb_xen_hcd-is-selected.patch
new file mode 100644 (file)
index 0000000..0ceca95
--- /dev/null
@@ -0,0 +1,33 @@
+From 8475ffcfb381a77075562207ce08552414a80326 Mon Sep 17 00:00:00 2001
+From: John Ernberg <john.ernberg@actia.se>
+Date: Fri, 17 May 2024 11:43:52 +0000
+Subject: USB: xen-hcd: Traverse host/ when CONFIG_USB_XEN_HCD is selected
+
+From: John Ernberg <john.ernberg@actia.se>
+
+commit 8475ffcfb381a77075562207ce08552414a80326 upstream.
+
+If no other USB HCDs are selected when compiling a small pure virutal
+machine, the Xen HCD driver cannot be built.
+
+Fix it by traversing down host/ if CONFIG_USB_XEN_HCD is selected.
+
+Fixes: 494ed3997d75 ("usb: Introduce Xen pvUSB frontend (xen hcd)")
+Cc: stable@vger.kernel.org # v5.17+
+Signed-off-by: John Ernberg <john.ernberg@actia.se>
+Link: https://lore.kernel.org/r/20240517114345.1190755-1-john.ernberg@actia.se
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/Makefile |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/Makefile
++++ b/drivers/usb/Makefile
+@@ -35,6 +35,7 @@ obj-$(CONFIG_USB_R8A66597_HCD)       += host/
+ obj-$(CONFIG_USB_FSL_USB2)    += host/
+ obj-$(CONFIG_USB_FOTG210_HCD) += host/
+ obj-$(CONFIG_USB_MAX3421_HCD) += host/
++obj-$(CONFIG_USB_XEN_HCD)     += host/
+ obj-$(CONFIG_USB_C67X00_HCD)  += c67x00/