--- /dev/null
+From dc27db64bb7d431a853e5dcc5da01718b58bdd29 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 11 Jul 2023 09:35:30 -0600
+Subject: io_uring: ensure IOPOLL locks around deferred work
+
+From: Jens Axboe <axboe@kernel.dk>
+
+No direct upstream commit exists for this issue. It was fixed in
+5.18 as part of a larger rework of the completion side.
+
+io_commit_cqring() writes the CQ ring tail to make it visible, but it
+also kicks off any deferred work we have. A ring setup with IOPOLL
+does not need any locking around the CQ ring updates, as we're always
+under the ctx uring_lock. But if we have deferred work that needs
+processing, then io_queue_deferred() assumes that the completion_lock
+is held, as it is for !IOPOLL.
+
+Add a lockdep assertion to check and document this fact, and have
+io_iopoll_complete() check if we have deferred work and run that
+separately with the appropriate lock grabbed.
+
+Cc: stable@vger.kernel.org # 5.10, 5.15
+Reported-by: dghost david <daviduniverse18@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.c | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -1521,6 +1521,8 @@ static void io_kill_timeout(struct io_ki
+
+ static void io_queue_deferred(struct io_ring_ctx *ctx)
+ {
++ lockdep_assert_held(&ctx->completion_lock);
++
+ while (!list_empty(&ctx->defer_list)) {
+ struct io_defer_entry *de = list_first_entry(&ctx->defer_list,
+ struct io_defer_entry, list);
+@@ -1572,14 +1574,24 @@ static void __io_commit_cqring_flush(str
+ io_queue_deferred(ctx);
+ }
+
+-static inline void io_commit_cqring(struct io_ring_ctx *ctx)
++static inline bool io_commit_needs_flush(struct io_ring_ctx *ctx)
++{
++ return ctx->off_timeout_used || ctx->drain_active;
++}
++
++static inline void __io_commit_cqring(struct io_ring_ctx *ctx)
+ {
+- if (unlikely(ctx->off_timeout_used || ctx->drain_active))
+- __io_commit_cqring_flush(ctx);
+ /* order cqe stores with ring update */
+ smp_store_release(&ctx->rings->cq.tail, ctx->cached_cq_tail);
+ }
+
++static inline void io_commit_cqring(struct io_ring_ctx *ctx)
++{
++ if (unlikely(io_commit_needs_flush(ctx)))
++ __io_commit_cqring_flush(ctx);
++ __io_commit_cqring(ctx);
++}
++
+ static inline bool io_sqring_full(struct io_ring_ctx *ctx)
+ {
+ struct io_rings *r = ctx->rings;
+@@ -2518,7 +2530,12 @@ static void io_iopoll_complete(struct io
+ io_req_free_batch(&rb, req, &ctx->submit_state);
+ }
+
+- io_commit_cqring(ctx);
++ if (io_commit_needs_flush(ctx)) {
++ spin_lock(&ctx->completion_lock);
++ __io_commit_cqring_flush(ctx);
++ spin_unlock(&ctx->completion_lock);
++ }
++ __io_commit_cqring(ctx);
+ io_cqring_ev_posted_iopoll(ctx);
+ io_req_free_batch_finish(ctx, &rb);
+ }
--- /dev/null
+From c0c2fcb1325d0d4f3b322b5ee49385f8eca2560d Mon Sep 17 00:00:00 2001
+From: EJ Hsu <ejh@nvidia.com>
+Date: Fri, 9 Jun 2023 14:29:32 +0800
+Subject: phy: tegra: xusb: Clear the driver reference in usb-phy dev
+
+From: EJ Hsu <ejh@nvidia.com>
+
+commit c0c2fcb1325d0d4f3b322b5ee49385f8eca2560d upstream.
+
+For the dual-role port, it will assign the phy dev to usb-phy dev and
+use the port dev driver as the dev driver of usb-phy.
+
+When we try to destroy the port dev, it will destroy its dev driver
+as well. But we did not remove the reference from usb-phy dev. This
+might cause the use-after-free issue in KASAN.
+
+Fixes: e8f7d2f409a1 ("phy: tegra: xusb: Add usb-phy support")
+Cc: stable@vger.kernel.org
+
+Signed-off-by: EJ Hsu <ejh@nvidia.com>
+Signed-off-by: Haotien Hsu <haotienh@nvidia.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Acked-by: Jon Hunter <jonathanh@nvidia.com>
+Link: https://lore.kernel.org/r/20230609062932.3276509-1-haotienh@nvidia.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/tegra/xusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/phy/tegra/xusb.c
++++ b/drivers/phy/tegra/xusb.c
+@@ -556,6 +556,7 @@ static void tegra_xusb_port_unregister(s
+ usb_role_switch_unregister(port->usb_role_sw);
+ cancel_work_sync(&port->usb_phy_work);
+ usb_remove_phy(&port->usb_phy);
++ port->usb_phy.dev->driver = NULL;
+ }
+
+ if (port->ops->remove)
dax-fix-dax_mapping_release-use-after-free.patch
dax-introduce-alloc_dev_dax_id.patch
hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch
+io_uring-ensure-iopoll-locks-around-deferred-work.patch
+usb-serial-option-add-lara-r6-01b-pids.patch
+usb-dwc3-gadget-propagate-core-init-errors-to-udc-during-pullup.patch
+phy-tegra-xusb-clear-the-driver-reference-in-usb-phy-dev.patch
--- /dev/null
+From c0aabed9cabe057309779a9e26fe86a113d24dad Mon Sep 17 00:00:00 2001
+From: Krishna Kurapati <quic_kriskura@quicinc.com>
+Date: Sun, 18 Jun 2023 17:39:49 +0530
+Subject: usb: dwc3: gadget: Propagate core init errors to UDC during pullup
+
+From: Krishna Kurapati <quic_kriskura@quicinc.com>
+
+commit c0aabed9cabe057309779a9e26fe86a113d24dad upstream.
+
+In scenarios where pullup relies on resume (get sync) to initialize
+the controller and set the run stop bit, then core_init is followed by
+gadget_resume which will eventually set run stop bit.
+
+But in cases where the core_init fails, the return value is not sent
+back to udc appropriately. So according to UDC the controller has
+started but in reality we never set the run stop bit.
+
+On systems like Android, there are uevents sent to HAL depending on
+whether the configfs_bind / configfs_disconnect were invoked. In the
+above mentioned scnenario, if the core init fails, the run stop won't
+be set and the cable plug-out won't result in generation of any
+disconnect event and userspace would never get any uevent regarding
+cable plug out and we never call pullup(0) again. Furthermore none of
+the next Plug-In/Plug-Out's would be known to configfs.
+
+Return back the appropriate result to UDC to let the userspace/
+configfs know that the pullup failed so they can take appropriate
+action.
+
+Fixes: 77adb8bdf422 ("usb: dwc3: gadget: Allow runtime suspend if UDC unbinded")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Message-ID: <20230618120949.14868-1-quic_kriskura@quicinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/gadget.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2215,7 +2215,9 @@ static int dwc3_gadget_pullup(struct usb
+ ret = pm_runtime_get_sync(dwc->dev);
+ if (!ret || ret < 0) {
+ pm_runtime_put(dwc->dev);
+- return 0;
++ if (ret < 0)
++ pm_runtime_set_suspended(dwc->dev);
++ return ret;
+ }
+
+ if (dwc->pullups_connected == is_on) {
--- /dev/null
+From ffa5f7a3bf28c1306eef85d4056539c2d4b8eb09 Mon Sep 17 00:00:00 2001
+From: Davide Tronchin <davide.tronchin.94@gmail.com>
+Date: Thu, 22 Jun 2023 11:29:21 +0200
+Subject: USB: serial: option: add LARA-R6 01B PIDs
+
+From: Davide Tronchin <davide.tronchin.94@gmail.com>
+
+commit ffa5f7a3bf28c1306eef85d4056539c2d4b8eb09 upstream.
+
+The new LARA-R6 product variant identified by the "01B" string can be
+configured (by AT interface) in three different USB modes:
+
+* Default mode (Vendor ID: 0x1546 Product ID: 0x1311) with 4 serial
+interfaces
+
+* RmNet mode (Vendor ID: 0x1546 Product ID: 0x1312) with 4 serial
+interfaces and 1 RmNet virtual network interface
+
+* CDC-ECM mode (Vendor ID: 0x1546 Product ID: 0x1313) with 4 serial
+interface and 1 CDC-ECM virtual network interface
+The first 4 interfaces of all the 3 USB configurations (default, RmNet,
+CDC-ECM) are the same.
+
+In default mode LARA-R6 01B exposes the following interfaces:
+If 0: Diagnostic
+If 1: AT parser
+If 2: AT parser
+If 3: AT parser/alternative functions
+
+In RmNet mode LARA-R6 01B exposes the following interfaces:
+If 0: Diagnostic
+If 1: AT parser
+If 2: AT parser
+If 3: AT parser/alternative functions
+If 4: RMNET interface
+
+In CDC-ECM mode LARA-R6 01B exposes the following interfaces:
+If 0: Diagnostic
+If 1: AT parser
+If 2: AT parser
+If 3: AT parser/alternative functions
+If 4: CDC-ECM interface
+
+Signed-off-by: Davide Tronchin <davide.tronchin.94@gmail.com>
+Link: https://lore.kernel.org/r/20230622092921.12651-1-davide.tronchin.94@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1151,6 +1151,10 @@ static const struct usb_device_id option
+ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x90fa),
+ .driver_info = RSVD(3) },
+ /* u-blox products */
++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1311) }, /* u-blox LARA-R6 01B */
++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1312), /* u-blox LARA-R6 01B (RMNET) */
++ .driver_info = RSVD(4) },
++ { USB_DEVICE_INTERFACE_CLASS(UBLOX_VENDOR_ID, 0x1313, 0xff) }, /* u-blox LARA-R6 01B (ECM) */
+ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1341) }, /* u-blox LARA-L6 */
+ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1342), /* u-blox LARA-L6 (RMNET) */
+ .driver_info = RSVD(4) },
projects / thirdparty / kernel / stable-queue.git / commitdiff
