From: Greg Kroah-Hartman Date: Sun, 15 Dec 2024 08:26:54 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v5.4.288~68 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1d60f2e9cd896a43992863f2ce1cf0228149c2fd;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: alsa-usb-audio-add-implicit-feedback-quirk-for-yamaha-thr5.patch ata-sata_highbank-fix-of-node-reference-leak-in-highbank_initialize_phys.patch blk-cgroup-fix-uaf-in-blkcg_unpin_online.patch bpf-fix-uaf-via-mismatching-bpf_prog-attachment-rcu-flavors.patch ksmbd-fix-racy-issue-from-session-lookup-and-expire.patch perf-x86-intel-ds-unconditionally-drain-pebs-ds-when-changing-pebs_data_cfg.patch riscv-fix-ipis-usage-in-kfence_protect_page.patch riscv-fix-wrong-usage-of-__pa-on-a-fixmap-address.patch scsi-ufs-core-update-compl_time_stamp_local_clock-after-completing-a-cqe.patch series splice-do-not-checksum-af_unix-sockets.patch tcp-check-space-before-adding-mptcp-syn-options.patch usb-dwc2-fix-hcd-port-connection-race.patch usb-dwc2-fix-hcd-resume.patch usb-dwc2-hcd-fix-getportstatus-setportfeature.patch usb-host-max3421-hcd-correctly-abort-a-usb-request.patch --- diff --git a/queue-6.6/alsa-usb-audio-add-implicit-feedback-quirk-for-yamaha-thr5.patch b/queue-6.6/alsa-usb-audio-add-implicit-feedback-quirk-for-yamaha-thr5.patch new file mode 100644 index 00000000000..ea57e8319d8 --- /dev/null +++ b/queue-6.6/alsa-usb-audio-add-implicit-feedback-quirk-for-yamaha-thr5.patch @@ -0,0 +1,33 @@ +From 82fdcf9b518b205da040046fbe7747fb3fd18657 Mon Sep 17 00:00:00 2001 +From: Jaakko Salo +Date: Fri, 6 Dec 2024 18:44:48 +0200 +Subject: ALSA: usb-audio: Add implicit feedback quirk for Yamaha THR5 + +From: Jaakko Salo + +commit 82fdcf9b518b205da040046fbe7747fb3fd18657 upstream. + +Use implicit feedback from the capture endpoint to fix popping +sounds during playback. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219567 +Signed-off-by: Jaakko Salo +Cc: +Link: https://patch.msgid.link/20241206164448.8136-1-jaakkos@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -2067,6 +2067,8 @@ static const struct usb_audio_quirk_flag + QUIRK_FLAG_CTL_MSG_DELAY_1M | QUIRK_FLAG_MIC_RES_384), + DEVICE_FLG(0x046d, 0x09a4, /* Logitech QuickCam E 3500 */ + QUIRK_FLAG_CTL_MSG_DELAY_1M | QUIRK_FLAG_IGNORE_CTL_ERROR), ++ DEVICE_FLG(0x0499, 0x1506, /* Yamaha THR5 */ ++ QUIRK_FLAG_GENERIC_IMPLICIT_FB), + DEVICE_FLG(0x0499, 0x1509, /* Steinberg UR22 */ + QUIRK_FLAG_GENERIC_IMPLICIT_FB), + DEVICE_FLG(0x0499, 0x3108, /* Yamaha YIT-W12TX */ diff --git a/queue-6.6/ata-sata_highbank-fix-of-node-reference-leak-in-highbank_initialize_phys.patch b/queue-6.6/ata-sata_highbank-fix-of-node-reference-leak-in-highbank_initialize_phys.patch new file mode 100644 index 00000000000..fc727385f01 --- /dev/null +++ b/queue-6.6/ata-sata_highbank-fix-of-node-reference-leak-in-highbank_initialize_phys.patch @@ -0,0 +1,30 @@ +From 676fe1f6f74db988191dab5df3bf256908177072 Mon Sep 17 00:00:00 2001 +From: Joe Hattori +Date: Thu, 5 Dec 2024 19:30:14 +0900 +Subject: ata: sata_highbank: fix OF node reference leak in highbank_initialize_phys() + +From: Joe Hattori + +commit 676fe1f6f74db988191dab5df3bf256908177072 upstream. + +The OF node reference obtained by of_parse_phandle_with_args() is not +released on early return. Add a of_node_put() call before returning. + +Fixes: 8996b89d6bc9 ("ata: add platform driver for Calxeda AHCI controller") +Signed-off-by: Joe Hattori +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/sata_highbank.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/ata/sata_highbank.c ++++ b/drivers/ata/sata_highbank.c +@@ -348,6 +348,7 @@ static int highbank_initialize_phys(stru + phy_nodes[phy] = phy_data.np; + cphy_base[phy] = of_iomap(phy_nodes[phy], 0); + if (cphy_base[phy] == NULL) { ++ of_node_put(phy_data.np); + return 0; + } + phy_count += 1; diff --git a/queue-6.6/blk-cgroup-fix-uaf-in-blkcg_unpin_online.patch b/queue-6.6/blk-cgroup-fix-uaf-in-blkcg_unpin_online.patch new file mode 100644 index 00000000000..f586c0d2c67 --- /dev/null +++ b/queue-6.6/blk-cgroup-fix-uaf-in-blkcg_unpin_online.patch @@ -0,0 +1,82 @@ +From 86e6ca55b83c575ab0f2e105cf08f98e58d3d7af Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Fri, 6 Dec 2024 07:59:51 -1000 +Subject: blk-cgroup: Fix UAF in blkcg_unpin_online() + +From: Tejun Heo + +commit 86e6ca55b83c575ab0f2e105cf08f98e58d3d7af upstream. + +blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To +walk up, it uses blkcg_parent(blkcg) but it was calling that after +blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the +following UAF: + + ================================================================== + BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270 + Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117 + + CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022 + Workqueue: cgwb_release cgwb_release_workfn + Call Trace: + + dump_stack_lvl+0x27/0x80 + print_report+0x151/0x710 + kasan_report+0xc0/0x100 + blkcg_unpin_online+0x15a/0x270 + cgwb_release_workfn+0x194/0x480 + process_scheduled_works+0x71b/0xe20 + worker_thread+0x82a/0xbd0 + kthread+0x242/0x2c0 + ret_from_fork+0x33/0x70 + ret_from_fork_asm+0x1a/0x30 + + ... + Freed by task 1944: + kasan_save_track+0x2b/0x70 + kasan_save_free_info+0x3c/0x50 + __kasan_slab_free+0x33/0x50 + kfree+0x10c/0x330 + css_free_rwork_fn+0xe6/0xb30 + process_scheduled_works+0x71b/0xe20 + worker_thread+0x82a/0xbd0 + kthread+0x242/0x2c0 + ret_from_fork+0x33/0x70 + ret_from_fork_asm+0x1a/0x30 + +Note that the UAF is not easy to trigger as the free path is indirected +behind a couple RCU grace periods and a work item execution. I could only +trigger it with artifical msleep() injected in blkcg_unpin_online(). + +Fix it by reading the parent pointer before destroying the blkcg's blkg's. + +Signed-off-by: Tejun Heo +Reported-by: Abagail ren +Suggested-by: Linus Torvalds +Fixes: 4308a434e5e0 ("blkcg: don't offline parent blkcg first") +Cc: stable@vger.kernel.org # v5.7+ +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-cgroup.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -1325,10 +1325,14 @@ void blkcg_unpin_online(struct cgroup_su + struct blkcg *blkcg = css_to_blkcg(blkcg_css); + + do { ++ struct blkcg *parent; ++ + if (!refcount_dec_and_test(&blkcg->online_pin)) + break; ++ ++ parent = blkcg_parent(blkcg); + blkcg_destroy_blkgs(blkcg); +- blkcg = blkcg_parent(blkcg); ++ blkcg = parent; + } while (blkcg); + } + diff --git a/queue-6.6/bpf-fix-uaf-via-mismatching-bpf_prog-attachment-rcu-flavors.patch b/queue-6.6/bpf-fix-uaf-via-mismatching-bpf_prog-attachment-rcu-flavors.patch new file mode 100644 index 00000000000..12e3516918c --- /dev/null +++ b/queue-6.6/bpf-fix-uaf-via-mismatching-bpf_prog-attachment-rcu-flavors.patch @@ -0,0 +1,46 @@ +From ef1b808e3b7c98612feceedf985c2fbbeb28f956 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Tue, 10 Dec 2024 17:32:13 +0100 +Subject: bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors + +From: Jann Horn + +commit ef1b808e3b7c98612feceedf985c2fbbeb28f956 upstream. + +Uprobes always use bpf_prog_run_array_uprobe() under tasks-trace-RCU +protection. But it is possible to attach a non-sleepable BPF program to a +uprobe, and non-sleepable BPF programs are freed via normal RCU (see +__bpf_prog_put_noref()). This leads to UAF of the bpf_prog because a normal +RCU grace period does not imply a tasks-trace-RCU grace period. + +Fix it by explicitly waiting for a tasks-trace-RCU grace period after +removing the attachment of a bpf_prog to a perf_event. + +Fixes: 8c7dcb84e3b7 ("bpf: implement sleepable uprobes by chaining gps") +Suggested-by: Andrii Nakryiko +Suggested-by: Alexei Starovoitov +Signed-off-by: Jann Horn +Signed-off-by: Andrii Nakryiko +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/bpf/20241210-bpf-fix-actual-uprobe-uaf-v1-1-19439849dd44@google.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/bpf_trace.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -2224,6 +2224,13 @@ void perf_event_detach_bpf_prog(struct p + bpf_prog_array_free_sleepable(old_array); + } + ++ /* ++ * It could be that the bpf_prog is not sleepable (and will be freed ++ * via normal RCU), but is called from a point that supports sleepable ++ * programs and uses tasks-trace-RCU. ++ */ ++ synchronize_rcu_tasks_trace(); ++ + bpf_prog_put(event->prog); + event->prog = NULL; + diff --git a/queue-6.6/ksmbd-fix-racy-issue-from-session-lookup-and-expire.patch b/queue-6.6/ksmbd-fix-racy-issue-from-session-lookup-and-expire.patch new file mode 100644 index 00000000000..76a4748ee88 --- /dev/null +++ b/queue-6.6/ksmbd-fix-racy-issue-from-session-lookup-and-expire.patch @@ -0,0 +1,196 @@ +From b95629435b84b9ecc0c765995204a4d8a913ed52 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Thu, 5 Dec 2024 21:38:47 +0900 +Subject: ksmbd: fix racy issue from session lookup and expire + +From: Namjae Jeon + +commit b95629435b84b9ecc0c765995204a4d8a913ed52 upstream. + +Increment the session reference count within the lock for lookup to avoid +racy issue with session expire. + +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-25737 +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/auth.c | 2 ++ + fs/smb/server/mgmt/user_session.c | 6 +++++- + fs/smb/server/server.c | 4 ++-- + fs/smb/server/smb2pdu.c | 27 ++++++++++++++------------- + 4 files changed, 23 insertions(+), 16 deletions(-) + +--- a/fs/smb/server/auth.c ++++ b/fs/smb/server/auth.c +@@ -1012,6 +1012,8 @@ static int ksmbd_get_encryption_key(stru + + ses_enc_key = enc ? sess->smb3encryptionkey : + sess->smb3decryptionkey; ++ if (enc) ++ ksmbd_user_session_get(sess); + memcpy(key, ses_enc_key, SMB3_ENC_DEC_KEY_SIZE); + + return 0; +--- a/fs/smb/server/mgmt/user_session.c ++++ b/fs/smb/server/mgmt/user_session.c +@@ -262,8 +262,10 @@ struct ksmbd_session *ksmbd_session_look + + down_read(&conn->session_lock); + sess = xa_load(&conn->sessions, id); +- if (sess) ++ if (sess) { + sess->last_active = jiffies; ++ ksmbd_user_session_get(sess); ++ } + up_read(&conn->session_lock); + return sess; + } +@@ -274,6 +276,8 @@ struct ksmbd_session *ksmbd_session_look + + down_read(&sessions_table_lock); + sess = __session_lookup(id); ++ if (sess) ++ ksmbd_user_session_get(sess); + up_read(&sessions_table_lock); + + return sess; +--- a/fs/smb/server/server.c ++++ b/fs/smb/server/server.c +@@ -241,14 +241,14 @@ send: + if (work->tcon) + ksmbd_tree_connect_put(work->tcon); + smb3_preauth_hash_rsp(work); +- if (work->sess) +- ksmbd_user_session_put(work->sess); + if (work->sess && work->sess->enc && work->encrypted && + conn->ops->encrypt_resp) { + rc = conn->ops->encrypt_resp(work); + if (rc < 0) + conn->ops->set_rsp_status(work, STATUS_DATA_ERROR); + } ++ if (work->sess) ++ ksmbd_user_session_put(work->sess); + + ksmbd_conn_write(work); + } +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -67,8 +67,10 @@ static inline bool check_session_id(stru + return false; + + sess = ksmbd_session_lookup_all(conn, id); +- if (sess) ++ if (sess) { ++ ksmbd_user_session_put(sess); + return true; ++ } + pr_err("Invalid user session id: %llu\n", id); + return false; + } +@@ -605,10 +607,8 @@ int smb2_check_user_session(struct ksmbd + + /* Check for validity of user session */ + work->sess = ksmbd_session_lookup_all(conn, sess_id); +- if (work->sess) { +- ksmbd_user_session_get(work->sess); ++ if (work->sess) + return 1; +- } + ksmbd_debug(SMB, "Invalid user session, Uid %llu\n", sess_id); + return -ENOENT; + } +@@ -1704,29 +1704,35 @@ int smb2_sess_setup(struct ksmbd_work *w + + if (conn->dialect != sess->dialect) { + rc = -EINVAL; ++ ksmbd_user_session_put(sess); + goto out_err; + } + + if (!(req->hdr.Flags & SMB2_FLAGS_SIGNED)) { + rc = -EINVAL; ++ ksmbd_user_session_put(sess); + goto out_err; + } + + if (strncmp(conn->ClientGUID, sess->ClientGUID, + SMB2_CLIENT_GUID_SIZE)) { + rc = -ENOENT; ++ ksmbd_user_session_put(sess); + goto out_err; + } + + if (sess->state == SMB2_SESSION_IN_PROGRESS) { + rc = -EACCES; ++ ksmbd_user_session_put(sess); + goto out_err; + } + + if (sess->state == SMB2_SESSION_EXPIRED) { + rc = -EFAULT; ++ ksmbd_user_session_put(sess); + goto out_err; + } ++ ksmbd_user_session_put(sess); + + if (ksmbd_conn_need_reconnect(conn)) { + rc = -EFAULT; +@@ -1734,7 +1740,8 @@ int smb2_sess_setup(struct ksmbd_work *w + goto out_err; + } + +- if (ksmbd_session_lookup(conn, sess_id)) { ++ sess = ksmbd_session_lookup(conn, sess_id); ++ if (!sess) { + rc = -EACCES; + goto out_err; + } +@@ -1745,7 +1752,6 @@ int smb2_sess_setup(struct ksmbd_work *w + } + + conn->binding = true; +- ksmbd_user_session_get(sess); + } else if ((conn->dialect < SMB30_PROT_ID || + server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL) && + (req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) { +@@ -1772,7 +1778,6 @@ int smb2_sess_setup(struct ksmbd_work *w + } + + conn->binding = false; +- ksmbd_user_session_get(sess); + } + work->sess = sess; + +@@ -2196,9 +2201,9 @@ err_out: + int smb2_session_logoff(struct ksmbd_work *work) + { + struct ksmbd_conn *conn = work->conn; ++ struct ksmbd_session *sess = work->sess; + struct smb2_logoff_req *req; + struct smb2_logoff_rsp *rsp; +- struct ksmbd_session *sess; + u64 sess_id; + int err; + +@@ -2220,11 +2225,6 @@ int smb2_session_logoff(struct ksmbd_wor + ksmbd_close_session_fds(work); + ksmbd_conn_wait_idle(conn); + +- /* +- * Re-lookup session to validate if session is deleted +- * while waiting request complete +- */ +- sess = ksmbd_session_lookup_all(conn, sess_id); + if (ksmbd_tree_conn_session_logoff(sess)) { + ksmbd_debug(SMB, "Invalid tid %d\n", req->hdr.Id.SyncId.TreeId); + rsp->hdr.Status = STATUS_NETWORK_NAME_DELETED; +@@ -8964,6 +8964,7 @@ int smb3_decrypt_req(struct ksmbd_work * + le64_to_cpu(tr_hdr->SessionId)); + return -ECONNABORTED; + } ++ ksmbd_user_session_put(sess); + + iov[0].iov_base = buf; + iov[0].iov_len = sizeof(struct smb2_transform_hdr) + 4; diff --git a/queue-6.6/perf-x86-intel-ds-unconditionally-drain-pebs-ds-when-changing-pebs_data_cfg.patch b/queue-6.6/perf-x86-intel-ds-unconditionally-drain-pebs-ds-when-changing-pebs_data_cfg.patch new file mode 100644 index 00000000000..1916ad99ab5 --- /dev/null +++ b/queue-6.6/perf-x86-intel-ds-unconditionally-drain-pebs-ds-when-changing-pebs_data_cfg.patch @@ -0,0 +1,65 @@ +From 9f3de72a0c37005f897d69e4bdd59c25b8898447 Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Tue, 19 Nov 2024 05:55:01 -0800 +Subject: perf/x86/intel/ds: Unconditionally drain PEBS DS when changing PEBS_DATA_CFG + +From: Kan Liang + +commit 9f3de72a0c37005f897d69e4bdd59c25b8898447 upstream. + +The PEBS kernel warnings can still be observed with the below case. + +when the below commands are running in parallel for a while. + + while true; + do + perf record --no-buildid -a --intr-regs=AX \ + -e cpu/event=0xd0,umask=0x81/pp \ + -c 10003 -o /dev/null ./triad; + done & + + while true; + do + perf record -e 'cpu/mem-loads,ldlat=3/uP' -W -d -- ./dtlb + done + +The commit b752ea0c28e3 ("perf/x86/intel/ds: Flush PEBS DS when changing +PEBS_DATA_CFG") intends to flush the entire PEBS buffer before the +hardware is reprogrammed. However, it fails in the above case. + +The first perf command utilizes the large PEBS, while the second perf +command only utilizes a single PEBS. When the second perf event is +added, only the n_pebs++. The intel_pmu_pebs_enable() is invoked after +intel_pmu_pebs_add(). So the cpuc->n_pebs == cpuc->n_large_pebs check in +the intel_pmu_drain_large_pebs() fails. The PEBS DS is not flushed. +The new PEBS event should not be taken into account when flushing the +existing PEBS DS. + +The check is unnecessary here. Before the hardware is reprogrammed, all +the stale records must be drained unconditionally. + +For single PEBS or PEBS-vi-pt, the DS must be empty. The drain_pebs() +can handle the empty case. There is no harm to unconditionally drain the +PEBS DS. + +Fixes: b752ea0c28e3 ("perf/x86/intel/ds: Flush PEBS DS when changing PEBS_DATA_CFG") +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20241119135504.1463839-2-kan.liang@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/ds.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -1354,7 +1354,7 @@ void intel_pmu_pebs_enable(struct perf_e + * hence we need to drain when changing said + * size. + */ +- intel_pmu_drain_large_pebs(cpuc); ++ intel_pmu_drain_pebs_buffer(); + adaptive_pebs_record_size_update(); + wrmsrl(MSR_PEBS_DATA_CFG, pebs_data_cfg); + cpuc->active_pebs_data_cfg = pebs_data_cfg; diff --git a/queue-6.6/riscv-fix-ipis-usage-in-kfence_protect_page.patch b/queue-6.6/riscv-fix-ipis-usage-in-kfence_protect_page.patch new file mode 100644 index 00000000000..2757bc27539 --- /dev/null +++ b/queue-6.6/riscv-fix-ipis-usage-in-kfence_protect_page.patch @@ -0,0 +1,81 @@ +From b3431a8bb336cece8adc452437befa7d4534b2fd Mon Sep 17 00:00:00 2001 +From: Alexandre Ghiti +Date: Mon, 9 Dec 2024 08:41:25 +0100 +Subject: riscv: Fix IPIs usage in kfence_protect_page() + +From: Alexandre Ghiti + +commit b3431a8bb336cece8adc452437befa7d4534b2fd upstream. + +flush_tlb_kernel_range() may use IPIs to flush the TLBs of all the +cores, which triggers the following warning when the irqs are disabled: + +[ 3.455330] WARNING: CPU: 1 PID: 0 at kernel/smp.c:815 smp_call_function_many_cond+0x452/0x520 +[ 3.456647] Modules linked in: +[ 3.457218] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.12.0-rc7-00010-g91d3de7240b8 #1 +[ 3.457416] Hardware name: QEMU QEMU Virtual Machine, BIOS +[ 3.457633] epc : smp_call_function_many_cond+0x452/0x520 +[ 3.457736] ra : on_each_cpu_cond_mask+0x1e/0x30 +[ 3.457786] epc : ffffffff800b669a ra : ffffffff800b67c2 sp : ff2000000000bb50 +[ 3.457824] gp : ffffffff815212b8 tp : ff6000008014f080 t0 : 000000000000003f +[ 3.457859] t1 : ffffffff815221e0 t2 : 000000000000000f s0 : ff2000000000bc10 +[ 3.457920] s1 : 0000000000000040 a0 : ffffffff815221e0 a1 : 0000000000000001 +[ 3.457953] a2 : 0000000000010000 a3 : 0000000000000003 a4 : 0000000000000000 +[ 3.458006] a5 : 0000000000000000 a6 : ffffffffffffffff a7 : 0000000000000000 +[ 3.458042] s2 : ffffffff815223be s3 : 00fffffffffff000 s4 : ff600001ffe38fc0 +[ 3.458076] s5 : ff600001ff950d00 s6 : 0000000200000120 s7 : 0000000000000001 +[ 3.458109] s8 : 0000000000000001 s9 : ff60000080841ef0 s10: 0000000000000001 +[ 3.458141] s11: ffffffff81524812 t3 : 0000000000000001 t4 : ff60000080092bc0 +[ 3.458172] t5 : 0000000000000000 t6 : ff200000000236d0 +[ 3.458203] status: 0000000200000100 badaddr: ffffffff800b669a cause: 0000000000000003 +[ 3.458373] [] smp_call_function_many_cond+0x452/0x520 +[ 3.458593] [] on_each_cpu_cond_mask+0x1e/0x30 +[ 3.458625] [] __flush_tlb_range+0x118/0x1ca +[ 3.458656] [] flush_tlb_kernel_range+0x1e/0x26 +[ 3.458683] [] kfence_protect+0xc0/0xce +[ 3.458717] [] kfence_guarded_free+0xc6/0x1c0 +[ 3.458742] [] __kfence_free+0x62/0xc6 +[ 3.458764] [] kfree+0x106/0x32c +[ 3.458786] [] detach_buf_split+0x188/0x1a8 +[ 3.458816] [] virtqueue_get_buf_ctx+0xb6/0x1f6 +[ 3.458839] [] virtqueue_get_buf+0xe/0x16 +[ 3.458880] [] virtblk_done+0x5c/0xe2 +[ 3.458908] [] vring_interrupt+0x6a/0x74 +[ 3.458930] [] __handle_irq_event_percpu+0x7c/0xe2 +[ 3.458956] [] handle_irq_event+0x3c/0x86 +[ 3.458978] [] handle_simple_irq+0x9e/0xbe +[ 3.459004] [] generic_handle_domain_irq+0x1c/0x2a +[ 3.459027] [] imsic_handle_irq+0xba/0x120 +[ 3.459056] [] generic_handle_domain_irq+0x1c/0x2a +[ 3.459080] [] riscv_intc_aia_irq+0x24/0x34 +[ 3.459103] [] handle_riscv_irq+0x2e/0x4c +[ 3.459133] [] call_on_irq_stack+0x32/0x40 + +So only flush the local TLB and let the lazy kfence page fault handling +deal with the faults which could happen when a core has an old protected +pte version cached in its TLB. That leads to potential inaccuracies which +can be tolerated when using kfence. + +Fixes: 47513f243b45 ("riscv: Enable KFENCE for riscv64") +Signed-off-by: Alexandre Ghiti +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20241209074125.52322-1-alexghiti@rivosinc.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/kfence.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/riscv/include/asm/kfence.h ++++ b/arch/riscv/include/asm/kfence.h +@@ -22,7 +22,9 @@ static inline bool kfence_protect_page(u + else + set_pte(pte, __pte(pte_val(ptep_get(pte)) | _PAGE_PRESENT)); + +- flush_tlb_kernel_range(addr, addr + PAGE_SIZE); ++ preempt_disable(); ++ local_flush_tlb_kernel_range(addr, addr + PAGE_SIZE); ++ preempt_enable(); + + return true; + } diff --git a/queue-6.6/riscv-fix-wrong-usage-of-__pa-on-a-fixmap-address.patch b/queue-6.6/riscv-fix-wrong-usage-of-__pa-on-a-fixmap-address.patch new file mode 100644 index 00000000000..18caa9c0ca5 --- /dev/null +++ b/queue-6.6/riscv-fix-wrong-usage-of-__pa-on-a-fixmap-address.patch @@ -0,0 +1,33 @@ +From c796e187201242992d6d292bfeff41aadfdf3f29 Mon Sep 17 00:00:00 2001 +From: Alexandre Ghiti +Date: Mon, 9 Dec 2024 08:45:08 +0100 +Subject: riscv: Fix wrong usage of __pa() on a fixmap address + +From: Alexandre Ghiti + +commit c796e187201242992d6d292bfeff41aadfdf3f29 upstream. + +riscv uses fixmap addresses to map the dtb so we can't use __pa() which +is reserved for linear mapping addresses. + +Fixes: b2473a359763 ("of/fdt: add dt_phys arg to early_init_dt_scan and early_init_dt_verify") +Signed-off-by: Alexandre Ghiti +Link: https://lore.kernel.org/r/20241209074508.53037-1-alexghiti@rivosinc.com +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/setup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/riscv/kernel/setup.c ++++ b/arch/riscv/kernel/setup.c +@@ -246,7 +246,7 @@ static void __init init_resources(void) + static void __init parse_dtb(void) + { + /* Early scan of device tree from init memory */ +- if (early_init_dt_scan(dtb_early_va, __pa(dtb_early_va))) { ++ if (early_init_dt_scan(dtb_early_va, dtb_early_pa)) { + const char *name = of_flat_dt_get_machine_name(); + + if (name) { diff --git a/queue-6.6/scsi-ufs-core-update-compl_time_stamp_local_clock-after-completing-a-cqe.patch b/queue-6.6/scsi-ufs-core-update-compl_time_stamp_local_clock-after-completing-a-cqe.patch new file mode 100644 index 00000000000..79060818a1b --- /dev/null +++ b/queue-6.6/scsi-ufs-core-update-compl_time_stamp_local_clock-after-completing-a-cqe.patch @@ -0,0 +1,42 @@ +From f103396ae31851d00b561ff9f8a32a441953ff8b Mon Sep 17 00:00:00 2001 +From: liuderong +Date: Fri, 6 Dec 2024 15:29:42 +0800 +Subject: scsi: ufs: core: Update compl_time_stamp_local_clock after completing a cqe + +From: liuderong + +commit f103396ae31851d00b561ff9f8a32a441953ff8b upstream. + +lrbp->compl_time_stamp_local_clock is set to zero after sending a sqe +but it is not updated after completing a cqe. Thus the printed +information in ufshcd_print_tr() will always be zero. + +Update lrbp->cmpl_time_stamp_local_clock after completing a cqe. + +Log sample: + +ufshcd-qcom 1d84000.ufshc: UPIU[8] - issue time 8750227249 us +ufshcd-qcom 1d84000.ufshc: UPIU[8] - complete time 0 us + +Fixes: c30d8d010b5e ("scsi: ufs: core: Prepare for completion in MCQ") +Reviewed-by: Bean Huo +Reviewed-by: Peter Wang +Signed-off-by: liuderong +Link: https://lore.kernel.org/r/1733470182-220841-1-git-send-email-liuderong@oppo.com +Reviewed-by: Avri Altman +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -5439,6 +5439,7 @@ void ufshcd_compl_one_cqe(struct ufs_hba + + lrbp = &hba->lrb[task_tag]; + lrbp->compl_time_stamp = ktime_get(); ++ lrbp->compl_time_stamp_local_clock = local_clock(); + cmd = lrbp->cmd; + if (cmd) { + if (unlikely(ufshcd_should_inform_monitor(hba, lrbp))) diff --git a/queue-6.6/series b/queue-6.6/series new file mode 100644 index 00000000000..6900204eb76 --- /dev/null +++ b/queue-6.6/series @@ -0,0 +1,15 @@ +bpf-fix-uaf-via-mismatching-bpf_prog-attachment-rcu-flavors.patch +perf-x86-intel-ds-unconditionally-drain-pebs-ds-when-changing-pebs_data_cfg.patch +ksmbd-fix-racy-issue-from-session-lookup-and-expire.patch +splice-do-not-checksum-af_unix-sockets.patch +tcp-check-space-before-adding-mptcp-syn-options.patch +riscv-fix-wrong-usage-of-__pa-on-a-fixmap-address.patch +blk-cgroup-fix-uaf-in-blkcg_unpin_online.patch +alsa-usb-audio-add-implicit-feedback-quirk-for-yamaha-thr5.patch +riscv-fix-ipis-usage-in-kfence_protect_page.patch +usb-host-max3421-hcd-correctly-abort-a-usb-request.patch +ata-sata_highbank-fix-of-node-reference-leak-in-highbank_initialize_phys.patch +usb-dwc2-fix-hcd-resume.patch +usb-dwc2-hcd-fix-getportstatus-setportfeature.patch +usb-dwc2-fix-hcd-port-connection-race.patch +scsi-ufs-core-update-compl_time_stamp_local_clock-after-completing-a-cqe.patch diff --git a/queue-6.6/splice-do-not-checksum-af_unix-sockets.patch b/queue-6.6/splice-do-not-checksum-af_unix-sockets.patch new file mode 100644 index 00000000000..1350f81d72f --- /dev/null +++ b/queue-6.6/splice-do-not-checksum-af_unix-sockets.patch @@ -0,0 +1,44 @@ +From 6bd8614fc2d076fc21b7488c9f279853960964e2 Mon Sep 17 00:00:00 2001 +From: Frederik Deweerdt +Date: Mon, 9 Dec 2024 21:06:48 -0800 +Subject: splice: do not checksum AF_UNIX sockets + +From: Frederik Deweerdt + +commit 6bd8614fc2d076fc21b7488c9f279853960964e2 upstream. + +When `skb_splice_from_iter` was introduced, it inadvertently added +checksumming for AF_UNIX sockets. This resulted in significant +slowdowns, for example when using sendfile over unix sockets. + +Using the test code in [1] in my test setup (2G single core qemu), +the client receives a 1000M file in: +- without the patch: 1482ms (+/- 36ms) +- with the patch: 652.5ms (+/- 22.9ms) + +This commit addresses the issue by marking checksumming as unnecessary in +`unix_stream_sendmsg` + +Cc: stable@vger.kernel.org +Signed-off-by: Frederik Deweerdt +Fixes: 2e910b95329c ("net: Add a function to splice pages into an skbuff for MSG_SPLICE_PAGES") +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Reviewed-by: Joe Damato +Link: https://patch.msgid.link/Z1fMaHkRf8cfubuE@xiberoa +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/unix/af_unix.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2219,6 +2219,7 @@ static int unix_stream_sendmsg(struct so + fds_sent = true; + + if (unlikely(msg->msg_flags & MSG_SPLICE_PAGES)) { ++ skb->ip_summed = CHECKSUM_UNNECESSARY; + err = skb_splice_from_iter(skb, &msg->msg_iter, size, + sk->sk_allocation); + if (err < 0) { diff --git a/queue-6.6/tcp-check-space-before-adding-mptcp-syn-options.patch b/queue-6.6/tcp-check-space-before-adding-mptcp-syn-options.patch new file mode 100644 index 00000000000..12a9bb11cdf --- /dev/null +++ b/queue-6.6/tcp-check-space-before-adding-mptcp-syn-options.patch @@ -0,0 +1,44 @@ +From 06d64ab46f19ac12f59a1d2aa8cd196b2e4edb5b Mon Sep 17 00:00:00 2001 +From: MoYuanhao +Date: Mon, 9 Dec 2024 13:28:14 +0100 +Subject: tcp: check space before adding MPTCP SYN options + +From: MoYuanhao + +commit 06d64ab46f19ac12f59a1d2aa8cd196b2e4edb5b upstream. + +Ensure there is enough space before adding MPTCP options in +tcp_syn_options(). + +Without this check, 'remaining' could underflow, and causes issues. If +there is not enough space, MPTCP should not be used. + +Signed-off-by: MoYuanhao +Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections") +Cc: stable@vger.kernel.org +Acked-by: Matthieu Baerts (NGI0) +[ Matt: Add Fixes, cc Stable, update Description ] +Signed-off-by: Matthieu Baerts (NGI0) +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241209-net-mptcp-check-space-syn-v1-1-2da992bb6f74@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_output.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -837,8 +837,10 @@ static unsigned int tcp_syn_options(stru + unsigned int size; + + if (mptcp_syn_options(sk, skb, &size, &opts->mptcp)) { +- opts->options |= OPTION_MPTCP; +- remaining -= size; ++ if (remaining >= size) { ++ opts->options |= OPTION_MPTCP; ++ remaining -= size; ++ } + } + } + diff --git a/queue-6.6/usb-dwc2-fix-hcd-port-connection-race.patch b/queue-6.6/usb-dwc2-fix-hcd-port-connection-race.patch new file mode 100644 index 00000000000..c01e9e28c70 --- /dev/null +++ b/queue-6.6/usb-dwc2-fix-hcd-port-connection-race.patch @@ -0,0 +1,68 @@ +From 1cf1bd88f129f3bd647fead4dca270a5894274bb Mon Sep 17 00:00:00 2001 +From: Stefan Wahren +Date: Mon, 2 Dec 2024 01:16:31 +0100 +Subject: usb: dwc2: Fix HCD port connection race + +From: Stefan Wahren + +commit 1cf1bd88f129f3bd647fead4dca270a5894274bb upstream. + +On Raspberry Pis without onboard USB hub frequent device reconnects +can trigger a interrupt storm after DWC2 entered host clock gating. +This is caused by a race between _dwc2_hcd_suspend() and the port +interrupt, which sets port_connect_status. The issue occurs if +port_connect_status is still 1, but there is no connection anymore: + +usb 1-1: USB disconnect, device number 25 +dwc2 3f980000.usb: _dwc2_hcd_suspend: port_connect_status: 1 +dwc2 3f980000.usb: Entering host clock gating. +Disabling IRQ #66 +irq 66: nobody cared (try booting with the "irqpoll" option) +CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-gc1bb81b13202-dirty #322 +Hardware name: BCM2835 +Call trace: + unwind_backtrace from show_stack+0x10/0x14 + show_stack from dump_stack_lvl+0x50/0x64 + dump_stack_lvl from __report_bad_irq+0x38/0xc0 + __report_bad_irq from note_interrupt+0x2ac/0x2f4 + note_interrupt from handle_irq_event+0x88/0x8c + handle_irq_event from handle_level_irq+0xb4/0x1ac + handle_level_irq from generic_handle_domain_irq+0x24/0x34 + generic_handle_domain_irq from bcm2836_chained_handle_irq+0x24/0x28 + bcm2836_chained_handle_irq from generic_handle_domain_irq+0x24/0x34 + generic_handle_domain_irq from generic_handle_arch_irq+0x34/0x44 + generic_handle_arch_irq from __irq_svc+0x88/0xb0 + Exception stack(0xc1d01f20 to 0xc1d01f68) + 1f20: 0004ef3c 00000001 00000000 00000000 c1d09780 c1f6bb5c c1d04e54 c1c60ca8 + 1f40: c1d04e94 00000000 00000000 c1d092a8 c1f6af20 c1d01f70 c1211b98 c1212f40 + 1f60: 60000013 ffffffff + __irq_svc from default_idle_call+0x1c/0xb0 + default_idle_call from do_idle+0x21c/0x284 + do_idle from cpu_startup_entry+0x28/0x2c + cpu_startup_entry from kernel_init+0x0/0x12c +handlers: + [] dwc2_handle_common_intr + [<58bf98a3>] usb_hcd_irq +Disabling IRQ #66 + +So avoid this by reading the connection status directly. + +Fixes: 113f86d0c302 ("usb: dwc2: Update partial power down entering by system suspend") +Signed-off-by: Stefan Wahren +Link: https://lore.kernel.org/r/20241202001631.75473-4-wahrenst@gmx.net +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/hcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/dwc2/hcd.c ++++ b/drivers/usb/dwc2/hcd.c +@@ -4345,7 +4345,7 @@ static int _dwc2_hcd_suspend(struct usb_ + if (hsotg->bus_suspended) + goto skip_power_saving; + +- if (hsotg->flags.b.port_connect_status == 0) ++ if (!(dwc2_read_hprt0(hsotg) & HPRT0_CONNSTS)) + goto skip_power_saving; + + switch (hsotg->params.power_down) { diff --git a/queue-6.6/usb-dwc2-fix-hcd-resume.patch b/queue-6.6/usb-dwc2-fix-hcd-resume.patch new file mode 100644 index 00000000000..b76ea76496d --- /dev/null +++ b/queue-6.6/usb-dwc2-fix-hcd-resume.patch @@ -0,0 +1,66 @@ +From 336f72d3cbf5cc17df2947bbbd2ba6e2509f17e8 Mon Sep 17 00:00:00 2001 +From: Stefan Wahren +Date: Mon, 2 Dec 2024 01:16:29 +0100 +Subject: usb: dwc2: Fix HCD resume + +From: Stefan Wahren + +commit 336f72d3cbf5cc17df2947bbbd2ba6e2509f17e8 upstream. + +The Raspberry Pi can suffer on interrupt storms on HCD resume. The dwc2 +driver sometimes misses to enable HCD_FLAG_HW_ACCESSIBLE before re-enabling +the interrupts. This causes a situation where both handler ignore a incoming +port interrupt and force the upper layers to disable the dwc2 interrupt +line. This leaves the USB interface in a unusable state: + +irq 66: nobody cared (try booting with the "irqpoll" option) +CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 6.10.0-rc3 +Hardware name: BCM2835 +Call trace: +unwind_backtrace from show_stack+0x10/0x14 +show_stack from dump_stack_lvl+0x50/0x64 +dump_stack_lvl from __report_bad_irq+0x38/0xc0 +__report_bad_irq from note_interrupt+0x2ac/0x2f4 +note_interrupt from handle_irq_event+0x88/0x8c +handle_irq_event from handle_level_irq+0xb4/0x1ac +handle_level_irq from generic_handle_domain_irq+0x24/0x34 +generic_handle_domain_irq from bcm2836_chained_handle_irq+0x24/0x28 +bcm2836_chained_handle_irq from generic_handle_domain_irq+0x24/0x34 +generic_handle_domain_irq from generic_handle_arch_irq+0x34/0x44 +generic_handle_arch_irq from __irq_svc+0x88/0xb0 +Exception stack(0xc1b01f20 to 0xc1b01f68) +1f20: 0005c0d4 00000001 00000000 00000000 c1b09780 c1d6b32c c1b04e54 c1a5eae8 +1f40: c1b04e90 00000000 00000000 00000000 c1d6a8a0 c1b01f70 c11d2da8 c11d4160 +1f60: 60000013 ffffffff +__irq_svc from default_idle_call+0x1c/0xb0 +default_idle_call from do_idle+0x21c/0x284 +do_idle from cpu_startup_entry+0x28/0x2c +cpu_startup_entry from kernel_init+0x0/0x12c +handlers: +[] dwc2_handle_common_intr +[<75cd278b>] usb_hcd_irq +Disabling IRQ #66 + +So enable the HCD_FLAG_HW_ACCESSIBLE flag in case there is a port +connection. + +Fixes: c74c26f6e398 ("usb: dwc2: Fix partial power down exiting by system resume") +Closes: https://lore.kernel.org/linux-usb/3fd0c2fb-4752-45b3-94eb-42352703e1fd@gmx.net/T/ +Link: https://lore.kernel.org/all/5e8cbce0-3260-2971-484f-fc73a3b2bd28@synopsys.com/ +Signed-off-by: Stefan Wahren +Link: https://lore.kernel.org/r/20241202001631.75473-2-wahrenst@gmx.net +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/hcd.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/dwc2/hcd.c ++++ b/drivers/usb/dwc2/hcd.c +@@ -4431,6 +4431,7 @@ static int _dwc2_hcd_resume(struct usb_h + * Power Down mode. + */ + if (hprt0 & HPRT0_CONNSTS) { ++ set_bit(HCD_FLAG_HW_ACCESSIBLE, &hcd->flags); + hsotg->lx_state = DWC2_L0; + goto unlock; + } diff --git a/queue-6.6/usb-dwc2-hcd-fix-getportstatus-setportfeature.patch b/queue-6.6/usb-dwc2-hcd-fix-getportstatus-setportfeature.patch new file mode 100644 index 00000000000..bcd1ed5c838 --- /dev/null +++ b/queue-6.6/usb-dwc2-hcd-fix-getportstatus-setportfeature.patch @@ -0,0 +1,66 @@ +From a8d3e4a734599c7d0f6735f8db8a812e503395dd Mon Sep 17 00:00:00 2001 +From: Stefan Wahren +Date: Mon, 2 Dec 2024 01:16:30 +0100 +Subject: usb: dwc2: hcd: Fix GetPortStatus & SetPortFeature + +From: Stefan Wahren + +commit a8d3e4a734599c7d0f6735f8db8a812e503395dd upstream. + +On Rasperry Pis without onboard USB hub the power cycle during +power connect init only disable the port but never enabled it again: + + usb usb1-port1: attempt power cycle + +The port relevant part in dwc2_hcd_hub_control() is skipped in case +port_connect_status = 0 under the assumption the core is or will be soon +in device mode. But this assumption is wrong, because after ClearPortFeature +USB_PORT_FEAT_POWER the port_connect_status will also be 0 and +SetPortFeature (incl. USB_PORT_FEAT_POWER) will be a no-op. + +Fix the behavior of dwc2_hcd_hub_control() by replacing the +port_connect_status check with dwc2_is_device_mode(). + +Link: https://github.com/raspberrypi/linux/issues/6247 +Fixes: 7359d482eb4d ("staging: HCD files for the DWC2 driver") +Signed-off-by: Stefan Wahren +Link: https://lore.kernel.org/r/20241202001631.75473-3-wahrenst@gmx.net +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/hcd.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +--- a/drivers/usb/dwc2/hcd.c ++++ b/drivers/usb/dwc2/hcd.c +@@ -3546,11 +3546,9 @@ static int dwc2_hcd_hub_control(struct d + port_status |= USB_PORT_STAT_C_OVERCURRENT << 16; + } + +- if (!hsotg->flags.b.port_connect_status) { ++ if (dwc2_is_device_mode(hsotg)) { + /* +- * The port is disconnected, which means the core is +- * either in device mode or it soon will be. Just +- * return 0's for the remainder of the port status ++ * Just return 0's for the remainder of the port status + * since the port register can't be read if the core + * is in device mode. + */ +@@ -3620,13 +3618,11 @@ static int dwc2_hcd_hub_control(struct d + if (wvalue != USB_PORT_FEAT_TEST && (!windex || windex > 1)) + goto error; + +- if (!hsotg->flags.b.port_connect_status) { ++ if (dwc2_is_device_mode(hsotg)) { + /* +- * The port is disconnected, which means the core is +- * either in device mode or it soon will be. Just +- * return without doing anything since the port +- * register can't be written if the core is in device +- * mode. ++ * Just return 0's for the remainder of the port status ++ * since the port register can't be read if the core ++ * is in device mode. + */ + break; + } diff --git a/queue-6.6/usb-host-max3421-hcd-correctly-abort-a-usb-request.patch b/queue-6.6/usb-host-max3421-hcd-correctly-abort-a-usb-request.patch new file mode 100644 index 00000000000..1b70d3037db --- /dev/null +++ b/queue-6.6/usb-host-max3421-hcd-correctly-abort-a-usb-request.patch @@ -0,0 +1,50 @@ +From 0d2ada05227881f3d0722ca2364e3f7a860a301f Mon Sep 17 00:00:00 2001 +From: Mark Tomlinson +Date: Mon, 25 Nov 2024 11:14:30 +1300 +Subject: usb: host: max3421-hcd: Correctly abort a USB request. + +From: Mark Tomlinson + +commit 0d2ada05227881f3d0722ca2364e3f7a860a301f upstream. + +If the current USB request was aborted, the spi thread would not respond +to any further requests. This is because the "curr_urb" pointer would +not become NULL, so no further requests would be taken off the queue. +The solution here is to set the "urb_done" flag, as this will cause the +correct handling of the URB. Also clear interrupts that should only be +expected if an URB is in progress. + +Fixes: 2d53139f3162 ("Add support for using a MAX3421E chip as a host driver.") +Cc: stable +Signed-off-by: Mark Tomlinson +Link: https://lore.kernel.org/r/20241124221430.1106080-1-mark.tomlinson@alliedtelesis.co.nz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/max3421-hcd.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/usb/host/max3421-hcd.c ++++ b/drivers/usb/host/max3421-hcd.c +@@ -779,11 +779,17 @@ max3421_check_unlink(struct usb_hcd *hcd + retval = 1; + dev_dbg(&spi->dev, "%s: URB %p unlinked=%d", + __func__, urb, urb->unlinked); +- usb_hcd_unlink_urb_from_ep(hcd, urb); +- spin_unlock_irqrestore(&max3421_hcd->lock, +- flags); +- usb_hcd_giveback_urb(hcd, urb, 0); +- spin_lock_irqsave(&max3421_hcd->lock, flags); ++ if (urb == max3421_hcd->curr_urb) { ++ max3421_hcd->urb_done = 1; ++ max3421_hcd->hien &= ~(BIT(MAX3421_HI_HXFRDN_BIT) | ++ BIT(MAX3421_HI_RCVDAV_BIT)); ++ } else { ++ usb_hcd_unlink_urb_from_ep(hcd, urb); ++ spin_unlock_irqrestore(&max3421_hcd->lock, ++ flags); ++ usb_hcd_giveback_urb(hcd, urb, 0); ++ spin_lock_irqsave(&max3421_hcd->lock, flags); ++ } + } + } + }