vt-clear-selection-before-changing-the-font.patch
usb-serial-ftdi_sio-add-omron-cs1w-cif31-device-id.patch
binder-fix-uaf-of-ref-proc-caused-by-race-condition.patch
-usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch
drm-i915-reg-fix-spelling-mistake-unsupport-unsuppor.patch
clk-core-honor-clk_ops_parent_enable-for-clk-gate-op.patch
revert-clk-core-honor-clk_ops_parent_enable-for-clk-.patch
rdma-mlx5-set-local-port-to-one-when-accessing-count.patch
tcp-fix-early-etimedout-after-spurious-non-sack-rto.patch
sch_sfb-also-store-skb-len-before-calling-child-enqu.patch
+usb-dwc3-fix-phy-disable-sequence.patch
+usb-serial-ch341-fix-lost-character-on-lcr-updates.patch
+usb-serial-ch341-fix-disabled-rx-timer-on-older-devices.patch
+usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeup.patch
--- /dev/null
+From foo@baz Sun Sep 11 07:42:40 AM CEST 2022
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 6 Sep 2022 15:49:12 +0200
+Subject: usb: dwc3: fix PHY disable sequence
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold <johan+linaro@kernel.org>, Andrew Halaney <ahalaney@redhat.com>, Matthias Kaehlcke <mka@chromium.org>, Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>, Johan Hovold <johan@kernel.org>
+Message-ID: <20220906134915.19225-2-johan@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit d2ac7bef95c9ead307801ccb6cb6dfbeb14247bf upstream.
+
+Generic PHYs must be powered-off before they can be tore down.
+
+Similarly, suspending legacy PHYs after having powered them off makes no
+sense.
+
+Fix the dwc3_core_exit() (e.g. called during suspend) and open-coded
+dwc3_probe() error-path sequences that got this wrong.
+
+Note that this makes dwc3_core_exit() match the dwc3_core_init() error
+path with respect to powering off the PHYs.
+
+Fixes: 03c1fd622f72 ("usb: dwc3: core: add phy cleanup for probe error handling")
+Fixes: c499ff71ff2a ("usb: dwc3: core: re-factor init and exit paths")
+Cc: stable@vger.kernel.org # 4.8
+Reviewed-by: Andrew Halaney <ahalaney@redhat.com>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20220804151001.23612-2-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ johan: adjust context to 4.19 ]
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -673,15 +673,16 @@ static void dwc3_core_exit(struct dwc3 *
+ {
+ dwc3_event_buffers_cleanup(dwc);
+
++ usb_phy_set_suspend(dwc->usb2_phy, 1);
++ usb_phy_set_suspend(dwc->usb3_phy, 1);
++ phy_power_off(dwc->usb2_generic_phy);
++ phy_power_off(dwc->usb3_generic_phy);
++
+ usb_phy_shutdown(dwc->usb2_phy);
+ usb_phy_shutdown(dwc->usb3_phy);
+ phy_exit(dwc->usb2_generic_phy);
+ phy_exit(dwc->usb3_generic_phy);
+
+- usb_phy_set_suspend(dwc->usb2_phy, 1);
+- usb_phy_set_suspend(dwc->usb3_phy, 1);
+- phy_power_off(dwc->usb2_generic_phy);
+- phy_power_off(dwc->usb3_generic_phy);
+ clk_bulk_disable(dwc->num_clks, dwc->clks);
+ clk_bulk_unprepare(dwc->num_clks, dwc->clks);
+ reset_control_assert(dwc->reset);
+@@ -1509,16 +1510,16 @@ err5:
+ dwc3_debugfs_exit(dwc);
+ dwc3_event_buffers_cleanup(dwc);
+
+- usb_phy_shutdown(dwc->usb2_phy);
+- usb_phy_shutdown(dwc->usb3_phy);
+- phy_exit(dwc->usb2_generic_phy);
+- phy_exit(dwc->usb3_generic_phy);
+-
+ usb_phy_set_suspend(dwc->usb2_phy, 1);
+ usb_phy_set_suspend(dwc->usb3_phy, 1);
+ phy_power_off(dwc->usb2_generic_phy);
+ phy_power_off(dwc->usb3_generic_phy);
+
++ usb_phy_shutdown(dwc->usb2_phy);
++ usb_phy_shutdown(dwc->usb3_phy);
++ phy_exit(dwc->usb2_generic_phy);
++ phy_exit(dwc->usb3_generic_phy);
++
+ dwc3_ulpi_exit(dwc);
+
+ err4:
--- /dev/null
+From foo@baz Sun Sep 11 07:42:40 AM CEST 2022
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 6 Sep 2022 15:49:13 +0200
+Subject: usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold <johan+linaro@kernel.org>, Matthias Kaehlcke <mka@chromium.org>, Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>, Johan Hovold <johan@kernel.org>
+Message-ID: <20220906134915.19225-3-johan@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit a872ab303d5ddd4c965f9cd868677781a33ce35a upstream.
+
+The Qualcomm dwc3 runtime-PM implementation checks the xhci
+platform-device pointer in the wakeup-interrupt handler to determine
+whether the controller is in host mode and if so triggers a resume.
+
+After a role switch in OTG mode the xhci platform-device would have been
+freed and the next wakeup from runtime suspend would access the freed
+memory.
+
+Note that role switching is executed from a freezable workqueue, which
+guarantees that the pointer is stable during suspend.
+
+Also note that runtime PM has been broken since commit 2664deb09306
+("usb: dwc3: qcom: Honor wakeup enabled/disabled state"), which
+incidentally also prevents this issue from being triggered.
+
+Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver")
+Cc: stable@vger.kernel.org # 4.18
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20220804151001.23612-5-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ johan: adjust context for 5.4 ]
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/dwc3-qcom.c | 14 +++++++++++++-
+ drivers/usb/dwc3/host.c | 1 +
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/dwc3-qcom.c
++++ b/drivers/usb/dwc3/dwc3-qcom.c
+@@ -173,6 +173,14 @@ static int dwc3_qcom_register_extcon(str
+ return 0;
+ }
+
++/* Only usable in contexts where the role can not change. */
++static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom)
++{
++ struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3);
++
++ return dwc->xhci;
++}
++
+ static void dwc3_qcom_disable_interrupts(struct dwc3_qcom *qcom)
+ {
+ if (qcom->hs_phy_irq) {
+@@ -280,7 +288,11 @@ static irqreturn_t qcom_dwc3_resume_irq(
+ if (qcom->pm_suspended)
+ return IRQ_HANDLED;
+
+- if (dwc->xhci)
++ /*
++ * This is safe as role switching is done from a freezable workqueue
++ * and the wakeup interrupts are disabled as part of resume.
++ */
++ if (dwc3_qcom_is_host(qcom))
+ pm_runtime_resume(&dwc->xhci->dev);
+
+ return IRQ_HANDLED;
+--- a/drivers/usb/dwc3/host.c
++++ b/drivers/usb/dwc3/host.c
+@@ -142,4 +142,5 @@ void dwc3_host_exit(struct dwc3 *dwc)
+ phy_remove_lookup(dwc->usb3_generic_phy, "usb3-phy",
+ dev_name(dwc->dev));
+ platform_device_unregister(dwc->xhci);
++ dwc->xhci = NULL;
+ }
--- /dev/null
+From foo@baz Sun Sep 11 07:42:40 AM CEST 2022
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 6 Sep 2022 15:49:15 +0200
+Subject: USB: serial: ch341: fix disabled rx timer on older devices
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold <johan@kernel.org>, Jonathan Woithe <jwoithe@just42.net>
+Message-ID: <20220906134915.19225-5-johan@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 41ca302a697b64a3dab4676e01d0d11bb184737d upstream.
+
+At least one older CH341 appears to have the RX timer enable bit
+inverted so that setting it disables the RX timer and prevents the FIFO
+from emptying until it is full.
+
+Only set the RX timer enable bit for devices with version newer than
+0x27 (even though this probably affects all pre-0x30 devices).
+
+Reported-by: Jonathan Woithe <jwoithe@just42.net>
+Tested-by: Jonathan Woithe <jwoithe@just42.net>
+Link: https://lore.kernel.org/r/Ys1iPTfiZRWj2gXs@marvin.atrad.com.au
+Fixes: 4e46c410e050 ("USB: serial: ch341: reinitialize chip on reconfiguration")
+Cc: stable@vger.kernel.org # 4.10
+Signed-off-by: Johan Hovold <johan@kernel.org>
+[ johan: backport to 5.4 ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/ch341.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/ch341.c
++++ b/drivers/usb/serial/ch341.c
+@@ -176,8 +176,12 @@ static int ch341_set_baudrate_lcr(struct
+ /*
+ * CH341A buffers data until a full endpoint-size packet (32 bytes)
+ * has been received unless bit 7 is set.
++ *
++ * At least one device with version 0x27 appears to have this bit
++ * inverted.
+ */
+- a |= BIT(7);
++ if (priv->version > 0x27)
++ a |= BIT(7);
+
+ r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x1312, a);
+ if (r)
--- /dev/null
+From foo@baz Sun Sep 11 07:42:40 AM CEST 2022
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 6 Sep 2022 15:49:14 +0200
+Subject: USB: serial: ch341: fix lost character on LCR updates
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold <johan@kernel.org>, Jonathan Woithe <jwoithe@just42.net>
+Message-ID: <20220906134915.19225-4-johan@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 8e83622ae7ca481c76c8fd9579877f6abae64ca2 upstream.
+
+Disable LCR updates for pre-0x30 devices which use a different (unknown)
+protocol for line control and where the current register write causes
+the next received character to be lost.
+
+Note that updating LCR using the INIT command has no effect on these
+devices either.
+
+Reported-by: Jonathan Woithe <jwoithe@just42.net>
+Tested-by: Jonathan Woithe <jwoithe@just42.net>
+Link: https://lore.kernel.org/r/Ys1iPTfiZRWj2gXs@marvin.atrad.com.au
+Fixes: 4e46c410e050 ("USB: serial: ch341: reinitialize chip on reconfiguration")
+Fixes: 55fa15b5987d ("USB: serial: ch341: fix baud rate and line-control handling")
+Cc: stable@vger.kernel.org # 4.10
+Signed-off-by: Johan Hovold <johan@kernel.org>
+[ johan: adjust context to 4.19 ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/ch341.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/ch341.c
++++ b/drivers/usb/serial/ch341.c
+@@ -96,6 +96,8 @@ struct ch341_private {
+ u8 mcr;
+ u8 msr;
+ u8 lcr;
++
++ u8 version;
+ };
+
+ static void ch341_set_termios(struct tty_struct *tty,
+@@ -181,6 +183,9 @@ static int ch341_set_baudrate_lcr(struct
+ if (r)
+ return r;
+
++ if (priv->version < 0x30)
++ return 0;
++
+ r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x2518, lcr);
+ if (r)
+ return r;
+@@ -232,7 +237,9 @@ static int ch341_configure(struct usb_de
+ r = ch341_control_in(dev, CH341_REQ_READ_VERSION, 0, 0, buffer, size);
+ if (r < 0)
+ goto out;
+- dev_dbg(&dev->dev, "Chip version: 0x%02x\n", buffer[0]);
++
++ priv->version = buffer[0];
++ dev_dbg(&dev->dev, "Chip version: 0x%02x\n", priv->version);
+
+ r = ch341_control_out(dev, CH341_REQ_SERIAL_INIT, 0, 0);
+ if (r < 0)
projects / thirdparty / kernel / stable-queue.git / commitdiff
