--- /dev/null
+From 9b0dc7abb5cc43a2dbf90690c3c6011dcadc574d Mon Sep 17 00:00:00 2001
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Date: Tue, 2 Aug 2022 22:36:25 +0900
+Subject: ARM: dts: uniphier: Fix USB interrupts for PXs2 SoC
+
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+
+commit 9b0dc7abb5cc43a2dbf90690c3c6011dcadc574d upstream.
+
+An interrupt for USB device are shared with USB host. Set interrupt-names
+property to common "dwc_usb3" instead of "host" and "peripheral".
+
+Cc: stable@vger.kernel.org
+Fixes: 45be1573ad19 ("ARM: dts: uniphier: Add USB3 controller nodes")
+Reported-by: Ryuta NAKANISHI <nakanishi.ryuta@socionext.com>
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/uniphier-pxs2.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/boot/dts/uniphier-pxs2.dtsi
++++ b/arch/arm/boot/dts/uniphier-pxs2.dtsi
+@@ -597,8 +597,8 @@
+ compatible = "socionext,uniphier-dwc3", "snps,dwc3";
+ status = "disabled";
+ reg = <0x65a00000 0xcd00>;
+- interrupt-names = "host", "peripheral";
+- interrupts = <0 134 4>, <0 135 4>;
++ interrupt-names = "dwc_usb3";
++ interrupts = <0 134 4>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_usb0>, <&pinctrl_usb2>;
+ clock-names = "ref", "bus_early", "suspend";
+@@ -693,8 +693,8 @@
+ compatible = "socionext,uniphier-dwc3", "snps,dwc3";
+ status = "disabled";
+ reg = <0x65c00000 0xcd00>;
+- interrupt-names = "host", "peripheral";
+- interrupts = <0 137 4>, <0 138 4>;
++ interrupt-names = "dwc_usb3";
++ interrupts = <0 137 4>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_usb1>, <&pinctrl_usb3>;
+ clock-names = "ref", "bus_early", "suspend";
--- /dev/null
+From fe17b91a7777df140d0f1433991da67ba658796c Mon Sep 17 00:00:00 2001
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Date: Tue, 2 Aug 2022 22:36:47 +0900
+Subject: arm64: dts: uniphier: Fix USB interrupts for PXs3 SoC
+
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+
+commit fe17b91a7777df140d0f1433991da67ba658796c upstream.
+
+An interrupt for USB device are shared with USB host. Set interrupt-names
+property to common "dwc_usb3" instead of "host" and "peripheral".
+
+Cc: stable@vger.kernel.org
+Fixes: d7b9beb830d7 ("arm64: dts: uniphier: Add USB3 controller nodes")
+Reported-by: Ryuta NAKANISHI <nakanishi.ryuta@socionext.com>
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi
++++ b/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi
+@@ -599,8 +599,8 @@
+ compatible = "socionext,uniphier-dwc3", "snps,dwc3";
+ status = "disabled";
+ reg = <0x65a00000 0xcd00>;
+- interrupt-names = "host", "peripheral";
+- interrupts = <0 134 4>, <0 135 4>;
++ interrupt-names = "dwc_usb3";
++ interrupts = <0 134 4>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_usb0>, <&pinctrl_usb2>;
+ clock-names = "ref", "bus_early", "suspend";
+@@ -701,8 +701,8 @@
+ compatible = "socionext,uniphier-dwc3", "snps,dwc3";
+ status = "disabled";
+ reg = <0x65c00000 0xcd00>;
+- interrupt-names = "host", "peripheral";
+- interrupts = <0 137 4>, <0 138 4>;
++ interrupt-names = "dwc_usb3";
++ interrupts = <0 137 4>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_usb1>, <&pinctrl_usb3>;
+ clock-names = "ref", "bus_early", "suspend";
--- /dev/null
+From 2af89ebacf299b7fba5f3087d35e8a286ec33706 Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Tue, 14 Jun 2022 22:40:24 +0100
+Subject: coresight: Clear the connection field properly
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit 2af89ebacf299b7fba5f3087d35e8a286ec33706 upstream.
+
+coresight devices track their connections (output connections) and
+hold a reference to the fwnode. When a device goes away, we walk through
+the devices on the coresight bus and make sure that the references
+are dropped. This happens both ways:
+ a) For all output connections from the device, drop the reference to
+ the target device via coresight_release_platform_data()
+
+b) Iterate over all the devices on the coresight bus and drop the
+ reference to fwnode if *this* device is the target of the output
+ connection, via coresight_remove_conns()->coresight_remove_match().
+
+However, the coresight_remove_match() doesn't clear the fwnode field,
+after dropping the reference, this causes use-after-free and
+additional refcount drops on the fwnode.
+
+e.g., if we have two devices, A and B, with a connection, A -> B.
+If we remove B first, B would clear the reference on B, from A
+via coresight_remove_match(). But when A is removed, it still has
+a connection with fwnode still pointing to B. Thus it tries to drops
+the reference in coresight_release_platform_data(), raising the bells
+like :
+
+[ 91.990153] ------------[ cut here ]------------
+[ 91.990163] refcount_t: addition on 0; use-after-free.
+[ 91.990212] WARNING: CPU: 0 PID: 461 at lib/refcount.c:25 refcount_warn_saturate+0xa0/0x144
+[ 91.990260] Modules linked in: coresight_funnel coresight_replicator coresight_etm4x(-)
+ crct10dif_ce coresight ip_tables x_tables ipv6 [last unloaded: coresight_cpu_debug]
+[ 91.990398] CPU: 0 PID: 461 Comm: rmmod Tainted: G W T 5.19.0-rc2+ #53
+[ 91.990418] Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb 1 2019
+[ 91.990434] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 91.990454] pc : refcount_warn_saturate+0xa0/0x144
+[ 91.990476] lr : refcount_warn_saturate+0xa0/0x144
+[ 91.990496] sp : ffff80000c843640
+[ 91.990509] x29: ffff80000c843640 x28: ffff800009957c28 x27: ffff80000c8439a8
+[ 91.990560] x26: ffff00097eff1990 x25: ffff8000092b6ad8 x24: ffff00097eff19a8
+[ 91.990610] x23: ffff80000c8439a8 x22: 0000000000000000 x21: ffff80000c8439c2
+[ 91.990659] x20: 0000000000000000 x19: ffff00097eff1a10 x18: ffff80000ab99c40
+[ 91.990708] x17: 0000000000000000 x16: 0000000000000000 x15: ffff80000abf6fa0
+[ 91.990756] x14: 000000000000001d x13: 0a2e656572662d72 x12: 657466612d657375
+[ 91.990805] x11: 203b30206e6f206e x10: 6f69746964646120 x9 : ffff8000081aba28
+[ 91.990854] x8 : 206e6f206e6f6974 x7 : 69646461203a745f x6 : 746e756f63666572
+[ 91.990903] x5 : ffff00097648ec58 x4 : 0000000000000000 x3 : 0000000000000027
+[ 91.990952] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00080260ba00
+[ 91.991000] Call trace:
+[ 91.991012] refcount_warn_saturate+0xa0/0x144
+[ 91.991034] kobject_get+0xac/0xb0
+[ 91.991055] of_node_get+0x2c/0x40
+[ 91.991076] of_fwnode_get+0x40/0x60
+[ 91.991094] fwnode_handle_get+0x3c/0x60
+[ 91.991116] fwnode_get_nth_parent+0xf4/0x110
+[ 91.991137] fwnode_full_name_string+0x48/0xc0
+[ 91.991158] device_node_string+0x41c/0x530
+[ 91.991178] pointer+0x320/0x3ec
+[ 91.991198] vsnprintf+0x23c/0x750
+[ 91.991217] vprintk_store+0x104/0x4b0
+[ 91.991238] vprintk_emit+0x8c/0x360
+[ 91.991257] vprintk_default+0x44/0x50
+[ 91.991276] vprintk+0xcc/0xf0
+[ 91.991295] _printk+0x68/0x90
+[ 91.991315] of_node_release+0x13c/0x14c
+[ 91.991334] kobject_put+0x98/0x114
+[ 91.991354] of_node_put+0x24/0x34
+[ 91.991372] of_fwnode_put+0x40/0x5c
+[ 91.991390] fwnode_handle_put+0x38/0x50
+[ 91.991411] coresight_release_platform_data+0x74/0xb0 [coresight]
+[ 91.991472] coresight_unregister+0x64/0xcc [coresight]
+[ 91.991525] etm4_remove_dev+0x64/0x78 [coresight_etm4x]
+[ 91.991563] etm4_remove_amba+0x1c/0x2c [coresight_etm4x]
+[ 91.991598] amba_remove+0x3c/0x19c
+
+Reproducible by: (Build all coresight components as modules):
+
+ #!/bin/sh
+ while true
+ do
+ for m in tmc stm cpu_debug etm4x replicator funnel
+ do
+ modprobe coresight_${m}
+ done
+
+ for m in tmc stm cpu_debug etm4x replicator funnel
+ do
+ rmmode coresight_${m}
+ done
+ done
+
+Cc: stable@vger.kernel.org
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Cc: Mike Leach <mike.leach@linaro.org>
+Cc: Leo Yan <leo.yan@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Fixes: 37ea1ffddffa ("coresight: Use fwnode handle instead of device names")
+Link: https://lore.kernel.org/r/20220614214024.3005275-1-suzuki.poulose@arm.com
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/hwtracing/coresight/coresight-core.c
++++ b/drivers/hwtracing/coresight/coresight-core.c
+@@ -1382,6 +1382,7 @@ static int coresight_remove_match(struct
+ * platform data.
+ */
+ fwnode_handle_put(conn->child_fwnode);
++ conn->child_fwnode = NULL;
+ /* No need to continue */
+ break;
+ }
--- /dev/null
+From a16ceb13961068f7209e34d7984f8e42d2c06159 Mon Sep 17 00:00:00 2001
+From: Benjamin Segall <bsegall@google.com>
+Date: Wed, 15 Jun 2022 14:24:23 -0700
+Subject: epoll: autoremove wakers even more aggressively
+
+From: Benjamin Segall <bsegall@google.com>
+
+commit a16ceb13961068f7209e34d7984f8e42d2c06159 upstream.
+
+If a process is killed or otherwise exits while having active network
+connections and many threads waiting on epoll_wait, the threads will all
+be woken immediately, but not removed from ep->wq. Then when network
+traffic scans ep->wq in wake_up, every wakeup attempt will fail, and will
+not remove the entries from the list.
+
+This means that the cost of the wakeup attempt is far higher than usual,
+does not decrease, and this also competes with the dying threads trying to
+actually make progress and remove themselves from the wq.
+
+Handle this by removing visited epoll wq entries unconditionally, rather
+than only when the wakeup succeeds - the structure of ep_poll means that
+the only potential loss is the timed_out->eavail heuristic, which now can
+race and result in a redundant ep_send_events attempt. (But only when
+incoming data and a timeout actually race, not on every timeout)
+
+Shakeel added:
+
+: We are seeing this issue in production with real workloads and it has
+: caused hard lockups. Particularly network heavy workloads with a lot
+: of threads in epoll_wait() can easily trigger this issue if they get
+: killed (oom-killed in our case).
+
+Link: https://lkml.kernel.org/r/xm26fsjotqda.fsf@google.com
+Signed-off-by: Ben Segall <bsegall@google.com>
+Tested-by: Shakeel Butt <shakeelb@google.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Shakeel Butt <shakeelb@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Roman Penyaev <rpenyaev@suse.de>
+Cc: Jason Baron <jbaron@akamai.com>
+Cc: Khazhismel Kumykov <khazhy@google.com>
+Cc: Heiher <r@hev.cc>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/eventpoll.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -1804,6 +1804,21 @@ static inline struct timespec64 ep_set_m
+ return timespec64_add_safe(now, ts);
+ }
+
++/*
++ * autoremove_wake_function, but remove even on failure to wake up, because we
++ * know that default_wake_function/ttwu will only fail if the thread is already
++ * woken, and in that case the ep_poll loop will remove the entry anyways, not
++ * try to reuse it.
++ */
++static int ep_autoremove_wake_function(struct wait_queue_entry *wq_entry,
++ unsigned int mode, int sync, void *key)
++{
++ int ret = default_wake_function(wq_entry, mode, sync, key);
++
++ list_del_init(&wq_entry->entry);
++ return ret;
++}
++
+ /**
+ * ep_poll - Retrieves ready events, and delivers them to the caller supplied
+ * event buffer.
+@@ -1881,8 +1896,15 @@ fetch_events:
+ * normal wakeup path no need to call __remove_wait_queue()
+ * explicitly, thus ep->lock is not taken, which halts the
+ * event delivery.
++ *
++ * In fact, we now use an even more aggressive function that
++ * unconditionally removes, because we don't reuse the wait
++ * entry between loop iterations. This lets us also avoid the
++ * performance issue if a process is killed, causing all of its
++ * threads to wake up without being removed normally.
+ */
+ init_wait(&wait);
++ wait.func = ep_autoremove_wake_function;
+
+ write_lock_irq(&ep->lock);
+ /*
--- /dev/null
+From 5dc33592e95534dc8455ce3e9baaaf3dae0fff82 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Mon, 5 Apr 2021 20:33:57 +0900
+Subject: lockdep: Allow tuning tracing capacity constants.
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 5dc33592e95534dc8455ce3e9baaaf3dae0fff82 upstream.
+
+Since syzkaller continues various test cases until the kernel crashes,
+syzkaller tends to examine more locking dependencies than normal systems.
+As a result, syzbot is reporting that the fuzz testing was terminated
+due to hitting upper limits lockdep can track [1] [2] [3]. Since analysis
+via /proc/lockdep* did not show any obvious culprit [4] [5], we have no
+choice but allow tuning tracing capacity constants.
+
+[1] https://syzkaller.appspot.com/bug?id=3d97ba93fb3566000c1c59691ea427370d33ea1b
+[2] https://syzkaller.appspot.com/bug?id=381cb436fe60dc03d7fd2a092b46d7f09542a72a
+[3] https://syzkaller.appspot.com/bug?id=a588183ac34c1437fc0785e8f220e88282e5a29f
+[4] https://lkml.kernel.org/r/4b8f7a57-fa20-47bd-48a0-ae35d860f233@i-love.sakura.ne.jp
+[5] https://lkml.kernel.org/r/1c351187-253b-2d49-acaf-4563c63ae7d2@i-love.sakura.ne.jp
+
+References: https://lkml.kernel.org/r/1595640639-9310-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Acked-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/locking/lockdep.c | 2 -
+ kernel/locking/lockdep_internals.h | 8 +++----
+ lib/Kconfig.debug | 40 +++++++++++++++++++++++++++++++++++++
+ 3 files changed, 45 insertions(+), 5 deletions(-)
+
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -1397,7 +1397,7 @@ static int add_lock_to_list(struct lock_
+ /*
+ * For good efficiency of modular, we use power of 2
+ */
+-#define MAX_CIRCULAR_QUEUE_SIZE 4096UL
++#define MAX_CIRCULAR_QUEUE_SIZE (1UL << CONFIG_LOCKDEP_CIRCULAR_QUEUE_BITS)
+ #define CQ_MASK (MAX_CIRCULAR_QUEUE_SIZE-1)
+
+ /*
+--- a/kernel/locking/lockdep_internals.h
++++ b/kernel/locking/lockdep_internals.h
+@@ -99,16 +99,16 @@ static const unsigned long LOCKF_USED_IN
+ #define MAX_STACK_TRACE_ENTRIES 262144UL
+ #define STACK_TRACE_HASH_SIZE 8192
+ #else
+-#define MAX_LOCKDEP_ENTRIES 32768UL
++#define MAX_LOCKDEP_ENTRIES (1UL << CONFIG_LOCKDEP_BITS)
+
+-#define MAX_LOCKDEP_CHAINS_BITS 16
++#define MAX_LOCKDEP_CHAINS_BITS CONFIG_LOCKDEP_CHAINS_BITS
+
+ /*
+ * Stack-trace: tightly packed array of stack backtrace
+ * addresses. Protected by the hash_lock.
+ */
+-#define MAX_STACK_TRACE_ENTRIES 524288UL
+-#define STACK_TRACE_HASH_SIZE 16384
++#define MAX_STACK_TRACE_ENTRIES (1UL << CONFIG_LOCKDEP_STACK_TRACE_BITS)
++#define STACK_TRACE_HASH_SIZE (1 << CONFIG_LOCKDEP_STACK_TRACE_HASH_BITS)
+ #endif
+
+ /*
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1307,6 +1307,46 @@ config LOCKDEP
+ config LOCKDEP_SMALL
+ bool
+
++config LOCKDEP_BITS
++ int "Bitsize for MAX_LOCKDEP_ENTRIES"
++ depends on LOCKDEP && !LOCKDEP_SMALL
++ range 10 30
++ default 15
++ help
++ Try increasing this value if you hit "BUG: MAX_LOCKDEP_ENTRIES too low!" message.
++
++config LOCKDEP_CHAINS_BITS
++ int "Bitsize for MAX_LOCKDEP_CHAINS"
++ depends on LOCKDEP && !LOCKDEP_SMALL
++ range 10 30
++ default 16
++ help
++ Try increasing this value if you hit "BUG: MAX_LOCKDEP_CHAINS too low!" message.
++
++config LOCKDEP_STACK_TRACE_BITS
++ int "Bitsize for MAX_STACK_TRACE_ENTRIES"
++ depends on LOCKDEP && !LOCKDEP_SMALL
++ range 10 30
++ default 19
++ help
++ Try increasing this value if you hit "BUG: MAX_STACK_TRACE_ENTRIES too low!" message.
++
++config LOCKDEP_STACK_TRACE_HASH_BITS
++ int "Bitsize for STACK_TRACE_HASH_SIZE"
++ depends on LOCKDEP && !LOCKDEP_SMALL
++ range 10 30
++ default 14
++ help
++ Try increasing this value if you need large MAX_STACK_TRACE_ENTRIES.
++
++config LOCKDEP_CIRCULAR_QUEUE_BITS
++ int "Bitsize for elements in circular_queue struct"
++ depends on LOCKDEP
++ range 10 30
++ default 12
++ help
++ Try increasing this value if you hit "lockdep bfs error:-1" warning due to __cq_enqueue() failure.
++
+ config DEBUG_LOCKDEP
+ bool "Lock dependency engine debugging"
+ depends on DEBUG_KERNEL && LOCKDEP
--- /dev/null
+From 95f466d22364a33d183509629d0879885b4f547e Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 9 Aug 2022 14:01:47 -0300
+Subject: netfilter: nf_tables: do not allow CHAIN_ID to refer to another table
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+commit 95f466d22364a33d183509629d0879885b4f547e upstream.
+
+When doing lookups for chains on the same batch by using its ID, a chain
+from a different table can be used. If a rule is added to a table but
+refers to a chain in a different table, it will be linked to the chain in
+table2, but would have expressions referring to objects in table1.
+
+Then, when table1 is removed, the rule will not be removed as its linked to
+a chain in table2. When expressions in the rule are processed or removed,
+that will lead to a use-after-free.
+
+When looking for chains by ID, use the table that was used for the lookup
+by name, and only return chains belonging to that same table.
+
+Fixes: 837830a4b439 ("netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2265,6 +2265,7 @@ err:
+ }
+
+ static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
++ const struct nft_table *table,
+ const struct nlattr *nla)
+ {
+ u32 id = ntohl(nla_get_be32(nla));
+@@ -2274,6 +2275,7 @@ static struct nft_chain *nft_chain_looku
+ struct nft_chain *chain = trans->ctx.chain;
+
+ if (trans->msg_type == NFT_MSG_NEWCHAIN &&
++ chain->table == table &&
+ id == nft_trans_chain_id(trans))
+ return chain;
+ }
+@@ -3199,7 +3201,7 @@ static int nf_tables_newrule(struct net
+ return -EOPNOTSUPP;
+
+ } else if (nla[NFTA_RULE_CHAIN_ID]) {
+- chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]);
++ chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID]);
+ if (IS_ERR(chain)) {
+ NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
+ return PTR_ERR(chain);
+@@ -8671,7 +8673,7 @@ static int nft_verdict_init(const struct
+ tb[NFTA_VERDICT_CHAIN],
+ genmask);
+ } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
+- chain = nft_chain_lookup_byid(ctx->net,
++ chain = nft_chain_lookup_byid(ctx->net, ctx->table,
+ tb[NFTA_VERDICT_CHAIN_ID]);
+ if (IS_ERR(chain))
+ return PTR_ERR(chain);
--- /dev/null
+From 36d5b2913219ac853908b0f1c664345e04313856 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 9 Aug 2022 14:01:48 -0300
+Subject: netfilter: nf_tables: do not allow RULE_ID to refer to another chain
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+commit 36d5b2913219ac853908b0f1c664345e04313856 upstream.
+
+When doing lookups for rules on the same batch by using its ID, a rule from
+a different chain can be used. If a rule is added to a chain but tries to
+be positioned next to a rule from a different chain, it will be linked to
+chain2, but the use counter on chain1 would be the one to be incremented.
+
+When looking for rules by ID, use the chain that was used for the lookup by
+name. The chain used in the context copied to the transaction needs to
+match that same chain. That way, struct nft_rule does not need to get
+enlarged with another member.
+
+Fixes: 1a94e38d254b ("netfilter: nf_tables: add NFTA_RULE_ID attribute")
+Fixes: 75dd48e2e420 ("netfilter: nf_tables: Support RULE_ID reference in new rule")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3156,6 +3156,7 @@ static int nft_table_validate(struct net
+ }
+
+ static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
++ const struct nft_chain *chain,
+ const struct nlattr *nla);
+
+ #define NFT_RULE_MAXEXPRS 128
+@@ -3243,7 +3244,7 @@ static int nf_tables_newrule(struct net
+ return PTR_ERR(old_rule);
+ }
+ } else if (nla[NFTA_RULE_POSITION_ID]) {
+- old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
++ old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
+ if (IS_ERR(old_rule)) {
+ NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
+ return PTR_ERR(old_rule);
+@@ -3382,6 +3383,7 @@ err1:
+ }
+
+ static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
++ const struct nft_chain *chain,
+ const struct nlattr *nla)
+ {
+ u32 id = ntohl(nla_get_be32(nla));
+@@ -3391,6 +3393,7 @@ static struct nft_rule *nft_rule_lookup_
+ struct nft_rule *rule = nft_trans_rule(trans);
+
+ if (trans->msg_type == NFT_MSG_NEWRULE &&
++ trans->ctx.chain == chain &&
+ id == nft_trans_rule_id(trans))
+ return rule;
+ }
+@@ -3439,7 +3442,7 @@ static int nf_tables_delrule(struct net
+
+ err = nft_delrule(&ctx, rule);
+ } else if (nla[NFTA_RULE_ID]) {
+- rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
++ rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
+ if (IS_ERR(rule)) {
+ NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
+ return PTR_ERR(rule);
--- /dev/null
+From 470ee20e069a6d05ae549f7d0ef2bdbcee6a81b2 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 9 Aug 2022 14:01:46 -0300
+Subject: netfilter: nf_tables: do not allow SET_ID to refer to another table
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+commit 470ee20e069a6d05ae549f7d0ef2bdbcee6a81b2 upstream.
+
+When doing lookups for sets on the same batch by using its ID, a set from a
+different table can be used.
+
+Then, when the table is removed, a reference to the set may be kept after
+the set is freed, leading to a potential use-after-free.
+
+When looking for sets by ID, use the table that was used for the lookup by
+name, and only return sets belonging to that same table.
+
+This fixes CVE-2022-2586, also reported as ZDI-CAN-17470.
+
+Reported-by: Team Orca of Sea Security (@seasecresponse)
+Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3638,6 +3638,7 @@ static struct nft_set *nft_set_lookup_by
+ }
+
+ static struct nft_set *nft_set_lookup_byid(const struct net *net,
++ const struct nft_table *table,
+ const struct nlattr *nla, u8 genmask)
+ {
+ struct nft_trans *trans;
+@@ -3648,6 +3649,7 @@ static struct nft_set *nft_set_lookup_by
+ struct nft_set *set = nft_trans_set(trans);
+
+ if (id == nft_trans_set_id(trans) &&
++ set->table == table &&
+ nft_active_genmask(set, genmask))
+ return set;
+ }
+@@ -3668,7 +3670,7 @@ struct nft_set *nft_set_lookup_global(co
+ if (!nla_set_id)
+ return set;
+
+- set = nft_set_lookup_byid(net, nla_set_id, genmask);
++ set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
+ }
+ return set;
+ }
--- /dev/null
+From 580077855a40741cf511766129702d97ff02f4d9 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 9 Aug 2022 18:34:02 +0200
+Subject: netfilter: nf_tables: fix null deref due to zeroed list head
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 580077855a40741cf511766129702d97ff02f4d9 upstream.
+
+In nf_tables_updtable, if nf_tables_table_enable returns an error,
+nft_trans_destroy is called to free the transaction object.
+
+nft_trans_destroy() calls list_del(), but the transaction was never
+placed on a list -- the list head is all zeroes, this results in
+a null dereference:
+
+BUG: KASAN: null-ptr-deref in nft_trans_destroy+0x26/0x59
+Call Trace:
+ nft_trans_destroy+0x26/0x59
+ nf_tables_newtable+0x4bc/0x9bc
+ [..]
+
+Its sane to assume that nft_trans_destroy() can be called
+on the transaction object returned by nft_trans_alloc(), so
+make sure the list head is initialised.
+
+Fixes: 55dd6f93076b ("netfilter: nf_tables: use new transaction infrastructure to handle table")
+Reported-by: mingi cho <mgcho.minic@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -114,6 +114,7 @@ static struct nft_trans *nft_trans_alloc
+ if (trans == NULL)
+ return NULL;
+
++ INIT_LIST_HEAD(&trans->list);
+ trans->msg_type = msg_type;
+ trans->ctx = *ctx;
+
powerpc-ptdump-fix-display-of-rw-pages-on-fsl_book3e.patch
powerpc-powernv-avoid-crashing-if-rng-is-null.patch
mips-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch
+coresight-clear-the-connection-field-properly.patch
+usb-typec-ucsi-acknowledge-the-get_error_status-command-completion.patch
+usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch
+arm-dts-uniphier-fix-usb-interrupts-for-pxs2-soc.patch
+arm64-dts-uniphier-fix-usb-interrupts-for-pxs3-soc.patch
+usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
+usb-dwc3-gadget-refactor-dwc3_repare_one_trb.patch
+usb-dwc3-gadget-fix-high-speed-multiplier-setting.patch
+lockdep-allow-tuning-tracing-capacity-constants.patch
+netfilter-nf_tables-do-not-allow-set_id-to-refer-to-another-table.patch
+netfilter-nf_tables-do-not-allow-chain_id-to-refer-to-another-table.patch
+netfilter-nf_tables-do-not-allow-rule_id-to-refer-to-another-chain.patch
+netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch
+epoll-autoremove-wakers-even-more-aggressively.patch
--- /dev/null
+From 8affe37c525d800a2628c4ecfaed13b77dc5634a Mon Sep 17 00:00:00 2001
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Date: Mon, 4 Jul 2022 16:18:12 +0200
+Subject: usb: dwc3: gadget: fix high speed multiplier setting
+
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+
+commit 8affe37c525d800a2628c4ecfaed13b77dc5634a upstream.
+
+For High-Speed Transfers the prepare_one_trb function is calculating the
+multiplier setting for the trb based on the length parameter of the trb
+currently prepared. This assumption is wrong. For trbs with a sg list,
+the length of the actual request has to be taken instead.
+
+Fixes: 40d829fb2ec6 ("usb: dwc3: gadget: Correct ISOC DATA PIDs for short packets")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Link: https://lore.kernel.org/r/20220704141812.1532306-3-m.grzeschik@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/gadget.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1052,10 +1052,10 @@ static void dwc3_prepare_one_trb(struct
+ unsigned int mult = 2;
+ unsigned int maxp = usb_endpoint_maxp(ep->desc);
+
+- if (trb_length <= (2 * maxp))
++ if (req->request.length <= (2 * maxp))
+ mult--;
+
+- if (trb_length <= maxp)
++ if (req->request.length <= maxp)
+ mult--;
+
+ trb->size |= DWC3_TRB_SIZE_PCM1(mult);
--- /dev/null
+From 23385cec5f354794dadced7f28c31da7ae3eb54c Mon Sep 17 00:00:00 2001
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Date: Mon, 4 Jul 2022 16:18:11 +0200
+Subject: usb: dwc3: gadget: refactor dwc3_repare_one_trb
+
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+
+commit 23385cec5f354794dadced7f28c31da7ae3eb54c upstream.
+
+The function __dwc3_prepare_one_trb has many parameters. Since it is
+only used in dwc3_prepare_one_trb there is no point in keeping the
+function. We merge both functions and get rid of the big list of
+parameters.
+
+Fixes: 40d829fb2ec6 ("usb: dwc3: gadget: Correct ISOC DATA PIDs for short packets")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Link: https://lore.kernel.org/r/20220704141812.1532306-2-m.grzeschik@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/gadget.c | 92 ++++++++++++++++++++--------------------------
+ 1 file changed, 40 insertions(+), 52 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -970,17 +970,49 @@ static u32 dwc3_calc_trbs_left(struct dw
+ return trbs_left;
+ }
+
+-static void __dwc3_prepare_one_trb(struct dwc3_ep *dep, struct dwc3_trb *trb,
+- dma_addr_t dma, unsigned int length, unsigned int chain,
+- unsigned int node, unsigned int stream_id,
+- unsigned int short_not_ok, unsigned int no_interrupt,
+- unsigned int is_last, bool must_interrupt)
++/**
++ * dwc3_prepare_one_trb - setup one TRB from one request
++ * @dep: endpoint for which this request is prepared
++ * @req: dwc3_request pointer
++ * @trb_length: buffer size of the TRB
++ * @chain: should this TRB be chained to the next?
++ * @node: only for isochronous endpoints. First TRB needs different type.
++ * @use_bounce_buffer: set to use bounce buffer
++ * @must_interrupt: set to interrupt on TRB completion
++ */
++static void dwc3_prepare_one_trb(struct dwc3_ep *dep,
++ struct dwc3_request *req, unsigned int trb_length,
++ unsigned int chain, unsigned int node, bool use_bounce_buffer,
++ bool must_interrupt)
+ {
++ struct dwc3_trb *trb;
++ dma_addr_t dma;
++ unsigned int stream_id = req->request.stream_id;
++ unsigned int short_not_ok = req->request.short_not_ok;
++ unsigned int no_interrupt = req->request.no_interrupt;
++ unsigned int is_last = req->request.is_last;
+ struct dwc3 *dwc = dep->dwc;
+ struct usb_gadget *gadget = dwc->gadget;
+ enum usb_device_speed speed = gadget->speed;
+
+- trb->size = DWC3_TRB_SIZE_LENGTH(length);
++ if (use_bounce_buffer)
++ dma = dep->dwc->bounce_addr;
++ else if (req->request.num_sgs > 0)
++ dma = sg_dma_address(req->start_sg);
++ else
++ dma = req->request.dma;
++
++ trb = &dep->trb_pool[dep->trb_enqueue];
++
++ if (!req->trb) {
++ dwc3_gadget_move_started_request(req);
++ req->trb = trb;
++ req->trb_dma = dwc3_trb_dma_offset(dep, trb);
++ }
++
++ req->num_trbs++;
++
++ trb->size = DWC3_TRB_SIZE_LENGTH(trb_length);
+ trb->bpl = lower_32_bits(dma);
+ trb->bph = upper_32_bits(dma);
+
+@@ -1020,10 +1052,10 @@ static void __dwc3_prepare_one_trb(struc
+ unsigned int mult = 2;
+ unsigned int maxp = usb_endpoint_maxp(ep->desc);
+
+- if (length <= (2 * maxp))
++ if (trb_length <= (2 * maxp))
+ mult--;
+
+- if (length <= maxp)
++ if (trb_length <= maxp)
+ mult--;
+
+ trb->size |= DWC3_TRB_SIZE_PCM1(mult);
+@@ -1092,50 +1124,6 @@ static void __dwc3_prepare_one_trb(struc
+ trace_dwc3_prepare_trb(dep, trb);
+ }
+
+-/**
+- * dwc3_prepare_one_trb - setup one TRB from one request
+- * @dep: endpoint for which this request is prepared
+- * @req: dwc3_request pointer
+- * @trb_length: buffer size of the TRB
+- * @chain: should this TRB be chained to the next?
+- * @node: only for isochronous endpoints. First TRB needs different type.
+- * @use_bounce_buffer: set to use bounce buffer
+- * @must_interrupt: set to interrupt on TRB completion
+- */
+-static void dwc3_prepare_one_trb(struct dwc3_ep *dep,
+- struct dwc3_request *req, unsigned int trb_length,
+- unsigned int chain, unsigned int node, bool use_bounce_buffer,
+- bool must_interrupt)
+-{
+- struct dwc3_trb *trb;
+- dma_addr_t dma;
+- unsigned int stream_id = req->request.stream_id;
+- unsigned int short_not_ok = req->request.short_not_ok;
+- unsigned int no_interrupt = req->request.no_interrupt;
+- unsigned int is_last = req->request.is_last;
+-
+- if (use_bounce_buffer)
+- dma = dep->dwc->bounce_addr;
+- else if (req->request.num_sgs > 0)
+- dma = sg_dma_address(req->start_sg);
+- else
+- dma = req->request.dma;
+-
+- trb = &dep->trb_pool[dep->trb_enqueue];
+-
+- if (!req->trb) {
+- dwc3_gadget_move_started_request(req);
+- req->trb = trb;
+- req->trb_dma = dwc3_trb_dma_offset(dep, trb);
+- }
+-
+- req->num_trbs++;
+-
+- __dwc3_prepare_one_trb(dep, trb, dma, trb_length, chain, node,
+- stream_id, short_not_ok, no_interrupt, is_last,
+- must_interrupt);
+-}
+-
+ static bool dwc3_needs_extra_trb(struct dwc3_ep *dep, struct dwc3_request *req)
+ {
+ unsigned int maxp = usb_endpoint_maxp(dep->endpoint.desc);
--- /dev/null
+From 2191c00855b03aa59c20e698be713d952d51fc18 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Thu, 21 Jul 2022 11:07:10 -0400
+Subject: USB: gadget: Fix use-after-free Read in usb_udc_uevent()
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 2191c00855b03aa59c20e698be713d952d51fc18 upstream.
+
+The syzbot fuzzer found a race between uevent callbacks and gadget
+driver unregistration that can cause a use-after-free bug:
+
+---------------------------------------------------------------
+BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130
+drivers/usb/gadget/udc/core.c:1732
+Read of size 8 at addr ffff888078ce2050 by task udevd/2968
+
+CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
+06/29/2022
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:317 [inline]
+ print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
+ kasan_report+0xbe/0x1f0 mm/kasan/report.c:495
+ usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732
+ dev_uevent+0x290/0x770 drivers/base/core.c:2424
+---------------------------------------------------------------
+
+The bug occurs because usb_udc_uevent() dereferences udc->driver but
+does so without acquiring the udc_lock mutex, which protects this
+field. If the gadget driver is unbound from the udc concurrently with
+uevent processing, the driver structure may be accessed after it has
+been deallocated.
+
+To prevent the race, we make sure that the routine holds the mutex
+around the racing accesses.
+
+Link: <https://lore.kernel.org/all/0000000000004de90405a719c951@google.com>
+CC: stable@vger.kernel.org # fc274c1e9973
+Reported-and-tested-by: syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/YtlrnhHyrHsSky9m@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/core.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/gadget/udc/core.c
++++ b/drivers/usb/gadget/udc/core.c
+@@ -1647,13 +1647,14 @@ static int usb_udc_uevent(struct device
+ return ret;
+ }
+
+- if (udc->driver) {
++ mutex_lock(&udc_lock);
++ if (udc->driver)
+ ret = add_uevent_var(env, "USB_UDC_DRIVER=%s",
+ udc->driver->function);
+- if (ret) {
+- dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n");
+- return ret;
+- }
++ mutex_unlock(&udc_lock);
++ if (ret) {
++ dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n");
++ return ret;
+ }
+
+ return 0;
--- /dev/null
+From 26c6c2f8a907c9e3a2f24990552a4d77235791e6 Mon Sep 17 00:00:00 2001
+From: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
+Date: Tue, 26 Jul 2022 15:49:18 +0800
+Subject: USB: HCD: Fix URB giveback issue in tasklet function
+
+From: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
+
+commit 26c6c2f8a907c9e3a2f24990552a4d77235791e6 upstream.
+
+Usb core introduce the mechanism of giveback of URB in tasklet context to
+reduce hardware interrupt handling time. On some test situation(such as
+FIO with 4KB block size), when tasklet callback function called to
+giveback URB, interrupt handler add URB node to the bh->head list also.
+If check bh->head list again after finish all URB giveback of local_list,
+then it may introduce a "dynamic balance" between giveback URB and add URB
+to bh->head list. This tasklet callback function may not exit for a long
+time, which will cause other tasklet function calls to be delayed. Some
+real-time applications(such as KB and Mouse) will see noticeable lag.
+
+In order to prevent the tasklet function from occupying the cpu for a long
+time at a time, new URBS will not be added to the local_list even though
+the bh->head list is not empty. But also need to ensure the left URB
+giveback to be processed in time, so add a member high_prio for structure
+giveback_urb_bh to prioritize tasklet and schelule this tasklet again if
+bh->head list is not empty.
+
+At the same time, we are able to prioritize tasklet through structure
+member high_prio. So, replace the local high_prio_bh variable with this
+structure member in usb_hcd_giveback_urb.
+
+Fixes: 94dfd7edfd5c ("USB: HCD: support giveback of URB in tasklet context")
+Cc: stable <stable@kernel.org>
+Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
+Link: https://lore.kernel.org/r/20220726074918.5114-1-WeitaoWang-oc@zhaoxin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/hcd.c | 26 +++++++++++++++-----------
+ include/linux/usb/hcd.h | 1 +
+ 2 files changed, 16 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -1692,7 +1692,6 @@ static void usb_giveback_urb_bh(struct t
+
+ spin_lock_irq(&bh->lock);
+ bh->running = true;
+- restart:
+ list_replace_init(&bh->head, &local_list);
+ spin_unlock_irq(&bh->lock);
+
+@@ -1706,10 +1705,17 @@ static void usb_giveback_urb_bh(struct t
+ bh->completing_ep = NULL;
+ }
+
+- /* check if there are new URBs to giveback */
++ /*
++ * giveback new URBs next time to prevent this function
++ * from not exiting for a long time.
++ */
+ spin_lock_irq(&bh->lock);
+- if (!list_empty(&bh->head))
+- goto restart;
++ if (!list_empty(&bh->head)) {
++ if (bh->high_prio)
++ tasklet_hi_schedule(&bh->bh);
++ else
++ tasklet_schedule(&bh->bh);
++ }
+ bh->running = false;
+ spin_unlock_irq(&bh->lock);
+ }
+@@ -1734,7 +1740,7 @@ static void usb_giveback_urb_bh(struct t
+ void usb_hcd_giveback_urb(struct usb_hcd *hcd, struct urb *urb, int status)
+ {
+ struct giveback_urb_bh *bh;
+- bool running, high_prio_bh;
++ bool running;
+
+ /* pass status to tasklet via unlinked */
+ if (likely(!urb->unlinked))
+@@ -1745,13 +1751,10 @@ void usb_hcd_giveback_urb(struct usb_hcd
+ return;
+ }
+
+- if (usb_pipeisoc(urb->pipe) || usb_pipeint(urb->pipe)) {
++ if (usb_pipeisoc(urb->pipe) || usb_pipeint(urb->pipe))
+ bh = &hcd->high_prio_bh;
+- high_prio_bh = true;
+- } else {
++ else
+ bh = &hcd->low_prio_bh;
+- high_prio_bh = false;
+- }
+
+ spin_lock(&bh->lock);
+ list_add_tail(&urb->urb_list, &bh->head);
+@@ -1760,7 +1763,7 @@ void usb_hcd_giveback_urb(struct usb_hcd
+
+ if (running)
+ ;
+- else if (high_prio_bh)
++ else if (bh->high_prio)
+ tasklet_hi_schedule(&bh->bh);
+ else
+ tasklet_schedule(&bh->bh);
+@@ -2800,6 +2803,7 @@ int usb_add_hcd(struct usb_hcd *hcd,
+
+ /* initialize tasklets */
+ init_giveback_urb_bh(&hcd->high_prio_bh);
++ hcd->high_prio_bh.high_prio = true;
+ init_giveback_urb_bh(&hcd->low_prio_bh);
+
+ /* enable irqs just before we start the controller,
+--- a/include/linux/usb/hcd.h
++++ b/include/linux/usb/hcd.h
+@@ -66,6 +66,7 @@
+
+ struct giveback_urb_bh {
+ bool running;
++ bool high_prio;
+ spinlock_t lock;
+ struct list_head head;
+ struct tasklet_struct bh;
--- /dev/null
+From a7dc438b5e446afcd1b3b6651da28271400722f2 Mon Sep 17 00:00:00 2001
+From: Linyu Yuan <quic_linyyuan@quicinc.com>
+Date: Tue, 26 Jul 2022 14:45:49 +0800
+Subject: usb: typec: ucsi: Acknowledge the GET_ERROR_STATUS command completion
+
+From: Linyu Yuan <quic_linyyuan@quicinc.com>
+
+commit a7dc438b5e446afcd1b3b6651da28271400722f2 upstream.
+
+We found PPM will not send any notification after it report error status
+and OPM issue GET_ERROR_STATUS command to read the details about error.
+
+According UCSI spec, PPM may clear the Error Status Data after the OPM
+has acknowledged the command completion.
+
+This change add operation to acknowledge the command completion from PPM.
+
+Fixes: bdc62f2bae8f (usb: typec: ucsi: Simplified registration and I/O API)
+Cc: <stable@vger.kernel.org> # 5.10
+Signed-off-by: Jack Pham <quic_jackp@quicinc.com>
+Signed-off-by: Linyu Yuan <quic_linyyuan@quicinc.com>
+Link: https://lore.kernel.org/r/1658817949-4632-1-git-send-email-quic_linyyuan@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/ucsi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/typec/ucsi/ucsi.c
++++ b/drivers/usb/typec/ucsi/ucsi.c
+@@ -76,6 +76,10 @@ static int ucsi_read_error(struct ucsi *
+ if (ret)
+ return ret;
+
++ ret = ucsi_acknowledge_command(ucsi);
++ if (ret)
++ return ret;
++
+ switch (error) {
+ case UCSI_ERROR_INCOMPATIBLE_PARTNER:
+ return -EOPNOTSUPP;
projects / thirdparty / kernel / stable-queue.git / commitdiff
