From: Greg Kroah-Hartman Date: Sun, 11 Sep 2022 05:45:15 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.19.9~32 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2d9279f15db34fb10b4c900690c3baf189ee60e6;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: usb-dwc3-fix-phy-disable-sequence.patch usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeup.patch usb-serial-ch341-fix-disabled-rx-timer-on-older-devices.patch usb-serial-ch341-fix-lost-character-on-lcr-updates.patch --- diff --git a/queue-4.19/series b/queue-4.19/series index 11bec1cc293..e776491f046 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -22,7 +22,6 @@ staging-rtl8712-fix-use-after-free-bugs.patch vt-clear-selection-before-changing-the-font.patch usb-serial-ftdi_sio-add-omron-cs1w-cif31-device-id.patch binder-fix-uaf-of-ref-proc-caused-by-race-condition.patch -usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch drm-i915-reg-fix-spelling-mistake-unsupport-unsuppor.patch clk-core-honor-clk_ops_parent_enable-for-clk-gate-op.patch revert-clk-core-honor-clk_ops_parent_enable-for-clk-.patch @@ -71,3 +70,7 @@ ipv6-sr-fix-out-of-bounds-read-when-setting-hmac-dat.patch rdma-mlx5-set-local-port-to-one-when-accessing-count.patch tcp-fix-early-etimedout-after-spurious-non-sack-rto.patch sch_sfb-also-store-skb-len-before-calling-child-enqu.patch +usb-dwc3-fix-phy-disable-sequence.patch +usb-serial-ch341-fix-lost-character-on-lcr-updates.patch +usb-serial-ch341-fix-disabled-rx-timer-on-older-devices.patch +usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeup.patch diff --git a/queue-4.19/usb-dwc3-fix-phy-disable-sequence.patch b/queue-4.19/usb-dwc3-fix-phy-disable-sequence.patch new file mode 100644 index 00000000000..4f27a00fa51 --- /dev/null +++ b/queue-4.19/usb-dwc3-fix-phy-disable-sequence.patch @@ -0,0 +1,87 @@ +From foo@baz Sun Sep 11 07:42:40 AM CEST 2022 +From: Johan Hovold +Date: Tue, 6 Sep 2022 15:49:12 +0200 +Subject: usb: dwc3: fix PHY disable sequence +To: Greg Kroah-Hartman +Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , Andrew Halaney , Matthias Kaehlcke , Manivannan Sadhasivam , Johan Hovold +Message-ID: <20220906134915.19225-2-johan@kernel.org> + +From: Johan Hovold + +From: Johan Hovold + +commit d2ac7bef95c9ead307801ccb6cb6dfbeb14247bf upstream. + +Generic PHYs must be powered-off before they can be tore down. + +Similarly, suspending legacy PHYs after having powered them off makes no +sense. + +Fix the dwc3_core_exit() (e.g. called during suspend) and open-coded +dwc3_probe() error-path sequences that got this wrong. + +Note that this makes dwc3_core_exit() match the dwc3_core_init() error +path with respect to powering off the PHYs. + +Fixes: 03c1fd622f72 ("usb: dwc3: core: add phy cleanup for probe error handling") +Fixes: c499ff71ff2a ("usb: dwc3: core: re-factor init and exit paths") +Cc: stable@vger.kernel.org # 4.8 +Reviewed-by: Andrew Halaney +Reviewed-by: Matthias Kaehlcke +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220804151001.23612-2-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +[ johan: adjust context to 4.19 ] +Signed-off-by: Johan Hovold +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -673,15 +673,16 @@ static void dwc3_core_exit(struct dwc3 * + { + dwc3_event_buffers_cleanup(dwc); + ++ usb_phy_set_suspend(dwc->usb2_phy, 1); ++ usb_phy_set_suspend(dwc->usb3_phy, 1); ++ phy_power_off(dwc->usb2_generic_phy); ++ phy_power_off(dwc->usb3_generic_phy); ++ + usb_phy_shutdown(dwc->usb2_phy); + usb_phy_shutdown(dwc->usb3_phy); + phy_exit(dwc->usb2_generic_phy); + phy_exit(dwc->usb3_generic_phy); + +- usb_phy_set_suspend(dwc->usb2_phy, 1); +- usb_phy_set_suspend(dwc->usb3_phy, 1); +- phy_power_off(dwc->usb2_generic_phy); +- phy_power_off(dwc->usb3_generic_phy); + clk_bulk_disable(dwc->num_clks, dwc->clks); + clk_bulk_unprepare(dwc->num_clks, dwc->clks); + reset_control_assert(dwc->reset); +@@ -1509,16 +1510,16 @@ err5: + dwc3_debugfs_exit(dwc); + dwc3_event_buffers_cleanup(dwc); + +- usb_phy_shutdown(dwc->usb2_phy); +- usb_phy_shutdown(dwc->usb3_phy); +- phy_exit(dwc->usb2_generic_phy); +- phy_exit(dwc->usb3_generic_phy); +- + usb_phy_set_suspend(dwc->usb2_phy, 1); + usb_phy_set_suspend(dwc->usb3_phy, 1); + phy_power_off(dwc->usb2_generic_phy); + phy_power_off(dwc->usb3_generic_phy); + ++ usb_phy_shutdown(dwc->usb2_phy); ++ usb_phy_shutdown(dwc->usb3_phy); ++ phy_exit(dwc->usb2_generic_phy); ++ phy_exit(dwc->usb3_generic_phy); ++ + dwc3_ulpi_exit(dwc); + + err4: diff --git a/queue-4.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeup.patch b/queue-4.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeup.patch new file mode 100644 index 00000000000..073b2e83bac --- /dev/null +++ b/queue-4.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeup.patch @@ -0,0 +1,83 @@ +From foo@baz Sun Sep 11 07:42:40 AM CEST 2022 +From: Johan Hovold +Date: Tue, 6 Sep 2022 15:49:13 +0200 +Subject: usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup +To: Greg Kroah-Hartman +Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , Matthias Kaehlcke , Manivannan Sadhasivam , Johan Hovold +Message-ID: <20220906134915.19225-3-johan@kernel.org> + +From: Johan Hovold + +From: Johan Hovold + +commit a872ab303d5ddd4c965f9cd868677781a33ce35a upstream. + +The Qualcomm dwc3 runtime-PM implementation checks the xhci +platform-device pointer in the wakeup-interrupt handler to determine +whether the controller is in host mode and if so triggers a resume. + +After a role switch in OTG mode the xhci platform-device would have been +freed and the next wakeup from runtime suspend would access the freed +memory. + +Note that role switching is executed from a freezable workqueue, which +guarantees that the pointer is stable during suspend. + +Also note that runtime PM has been broken since commit 2664deb09306 +("usb: dwc3: qcom: Honor wakeup enabled/disabled state"), which +incidentally also prevents this issue from being triggered. + +Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver") +Cc: stable@vger.kernel.org # 4.18 +Reviewed-by: Matthias Kaehlcke +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220804151001.23612-5-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +[ johan: adjust context for 5.4 ] +Signed-off-by: Johan Hovold +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-qcom.c | 14 +++++++++++++- + drivers/usb/dwc3/host.c | 1 + + 2 files changed, 14 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -173,6 +173,14 @@ static int dwc3_qcom_register_extcon(str + return 0; + } + ++/* Only usable in contexts where the role can not change. */ ++static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom) ++{ ++ struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); ++ ++ return dwc->xhci; ++} ++ + static void dwc3_qcom_disable_interrupts(struct dwc3_qcom *qcom) + { + if (qcom->hs_phy_irq) { +@@ -280,7 +288,11 @@ static irqreturn_t qcom_dwc3_resume_irq( + if (qcom->pm_suspended) + return IRQ_HANDLED; + +- if (dwc->xhci) ++ /* ++ * This is safe as role switching is done from a freezable workqueue ++ * and the wakeup interrupts are disabled as part of resume. ++ */ ++ if (dwc3_qcom_is_host(qcom)) + pm_runtime_resume(&dwc->xhci->dev); + + return IRQ_HANDLED; +--- a/drivers/usb/dwc3/host.c ++++ b/drivers/usb/dwc3/host.c +@@ -142,4 +142,5 @@ void dwc3_host_exit(struct dwc3 *dwc) + phy_remove_lookup(dwc->usb3_generic_phy, "usb3-phy", + dev_name(dwc->dev)); + platform_device_unregister(dwc->xhci); ++ dwc->xhci = NULL; + } diff --git a/queue-4.19/usb-serial-ch341-fix-disabled-rx-timer-on-older-devices.patch b/queue-4.19/usb-serial-ch341-fix-disabled-rx-timer-on-older-devices.patch new file mode 100644 index 00000000000..13f23c6dd0d --- /dev/null +++ b/queue-4.19/usb-serial-ch341-fix-disabled-rx-timer-on-older-devices.patch @@ -0,0 +1,48 @@ +From foo@baz Sun Sep 11 07:42:40 AM CEST 2022 +From: Johan Hovold +Date: Tue, 6 Sep 2022 15:49:15 +0200 +Subject: USB: serial: ch341: fix disabled rx timer on older devices +To: Greg Kroah-Hartman +Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , Jonathan Woithe +Message-ID: <20220906134915.19225-5-johan@kernel.org> + +From: Johan Hovold + +commit 41ca302a697b64a3dab4676e01d0d11bb184737d upstream. + +At least one older CH341 appears to have the RX timer enable bit +inverted so that setting it disables the RX timer and prevents the FIFO +from emptying until it is full. + +Only set the RX timer enable bit for devices with version newer than +0x27 (even though this probably affects all pre-0x30 devices). + +Reported-by: Jonathan Woithe +Tested-by: Jonathan Woithe +Link: https://lore.kernel.org/r/Ys1iPTfiZRWj2gXs@marvin.atrad.com.au +Fixes: 4e46c410e050 ("USB: serial: ch341: reinitialize chip on reconfiguration") +Cc: stable@vger.kernel.org # 4.10 +Signed-off-by: Johan Hovold +[ johan: backport to 5.4 ] +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/ch341.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/ch341.c ++++ b/drivers/usb/serial/ch341.c +@@ -176,8 +176,12 @@ static int ch341_set_baudrate_lcr(struct + /* + * CH341A buffers data until a full endpoint-size packet (32 bytes) + * has been received unless bit 7 is set. ++ * ++ * At least one device with version 0x27 appears to have this bit ++ * inverted. + */ +- a |= BIT(7); ++ if (priv->version > 0x27) ++ a |= BIT(7); + + r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x1312, a); + if (r) diff --git a/queue-4.19/usb-serial-ch341-fix-lost-character-on-lcr-updates.patch b/queue-4.19/usb-serial-ch341-fix-lost-character-on-lcr-updates.patch new file mode 100644 index 00000000000..a4c92b838fb --- /dev/null +++ b/queue-4.19/usb-serial-ch341-fix-lost-character-on-lcr-updates.patch @@ -0,0 +1,65 @@ +From foo@baz Sun Sep 11 07:42:40 AM CEST 2022 +From: Johan Hovold +Date: Tue, 6 Sep 2022 15:49:14 +0200 +Subject: USB: serial: ch341: fix lost character on LCR updates +To: Greg Kroah-Hartman +Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , Jonathan Woithe +Message-ID: <20220906134915.19225-4-johan@kernel.org> + +From: Johan Hovold + +commit 8e83622ae7ca481c76c8fd9579877f6abae64ca2 upstream. + +Disable LCR updates for pre-0x30 devices which use a different (unknown) +protocol for line control and where the current register write causes +the next received character to be lost. + +Note that updating LCR using the INIT command has no effect on these +devices either. + +Reported-by: Jonathan Woithe +Tested-by: Jonathan Woithe +Link: https://lore.kernel.org/r/Ys1iPTfiZRWj2gXs@marvin.atrad.com.au +Fixes: 4e46c410e050 ("USB: serial: ch341: reinitialize chip on reconfiguration") +Fixes: 55fa15b5987d ("USB: serial: ch341: fix baud rate and line-control handling") +Cc: stable@vger.kernel.org # 4.10 +Signed-off-by: Johan Hovold +[ johan: adjust context to 4.19 ] +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/ch341.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/ch341.c ++++ b/drivers/usb/serial/ch341.c +@@ -96,6 +96,8 @@ struct ch341_private { + u8 mcr; + u8 msr; + u8 lcr; ++ ++ u8 version; + }; + + static void ch341_set_termios(struct tty_struct *tty, +@@ -181,6 +183,9 @@ static int ch341_set_baudrate_lcr(struct + if (r) + return r; + ++ if (priv->version < 0x30) ++ return 0; ++ + r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x2518, lcr); + if (r) + return r; +@@ -232,7 +237,9 @@ static int ch341_configure(struct usb_de + r = ch341_control_in(dev, CH341_REQ_READ_VERSION, 0, 0, buffer, size); + if (r < 0) + goto out; +- dev_dbg(&dev->dev, "Chip version: 0x%02x\n", buffer[0]); ++ ++ priv->version = buffer[0]; ++ dev_dbg(&dev->dev, "Chip version: 0x%02x\n", priv->version); + + r = ch341_control_out(dev, CH341_REQ_SERIAL_INIT, 0, 0); + if (r < 0)