From: Greg Kroah-Hartman Date: Tue, 1 Oct 2024 10:52:18 +0000 (+0200) Subject: 6.11-stable patches X-Git-Tag: v6.6.54~76 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3433c7f4b3f1a2b350fede7b1e541fd1c34ed5ca;p=thirdparty%2Fkernel%2Fstable-queue.git 6.11-stable patches added patches: arm64-dts-mediatek-mt8195-cherry-mark-usb-3.0-on-xhci1-as-disabled.patch arm64-dts-mediatek-mt8395-nio-12l-mark-usb-3.0-on-xhci1-as-disabled.patch ata-libata-scsi-fix-ata_msense_control-cdl-page-reporting.patch bus-integrator-lm-fix-of-node-leak-in-probe.patch bus-mhi-host-pci_generic-fix-the-name-for-the-telit-fe990a.patch bus-mhi-host-pci_generic-update-edl-firmware-path-for-foxconn-modems.patch can-esd_usb-remove-can_ctrlmode_3_samples-for-can-usb-3-fd.patch crypto-ccp-properly-unregister-dev-sev-on-sev-platform_status-failure.patch crypto-qcom-rng-fix-support-for-acpi-based-systems.patch firmware_loader-block-path-traversal.patch keys-prevent-null-pointer-dereference-in-find_asymmetric_key.patch ksmbd-allow-write-with-file_append_data.patch ksmbd-handle-caseless-file-creation.patch ksmbd-make-__dir_empty-compatible-with-posix.patch objtool-handle-frame-pointer-related-instructions.patch powerpc-atomic-use-yz-constraints-for-ds-form-instructions.patch pps-add-an-error-check-in-parport_attach.patch scsi-lpfc-restrict-support-for-32-byte-cdbs-to-specific-hbas.patch scsi-mac_scsi-disallow-bus-errors-during-pdma-send.patch scsi-mac_scsi-refactor-polling-loop.patch scsi-mac_scsi-revise-printk-kern_debug-...-messages.patch scsi-sd-fix-off-by-one-error-in-sd_read_block_characteristics.patch scsi-ufs-qcom-update-mode_max-cfg_bw-value.patch serial-don-t-use-uninitialized-value-in-uart_poll_init.patch serial-qcom-geni-fix-false-console-tx-restart.patch serial-qcom-geni-fix-fifo-polling-timeout.patch tty-rp2-fix-reset-with-non-forgiving-pcie-host-bridges.patch usb-appledisplay-close-race-between-probe-and-completion-handler.patch 
usb-cdnsp-fix-incorrect-usb_request-status.patch usb-class-cdc-acm-fix-race-between-get_serial-and-set_serial.patch usb-dwc2-drd-fix-clock-gating-on-usb-role-switch.patch usb-gadget-dummy_hcd-execute-hrtimer-callback-in-softirq-context.patch usb-misc-cypress_cy7c63-check-for-short-transfer.patch usb-misc-yurex-fix-race-between-read-and-write.patch usb-xhci-add-xhci_reset_on_resume-quirk-for-phytium-xhci-host.patch usb-xhci-fix-loss-of-data-on-cadence-xhc.patch usbnet-fix-cyclical-race-on-disconnect-with-work-queue.patch wifi-rtw88-fix-usb-sdio-devices-not-transmitting-beacons.patch x86-tdx-fix-in-kernel-mmio-check.patch xhci-set-quirky-xhc-pci-hosts-to-d3-_after_-stopping-and-freeing-them.patch --- diff --git a/queue-6.11/arm64-dts-mediatek-mt8195-cherry-mark-usb-3.0-on-xhci1-as-disabled.patch b/queue-6.11/arm64-dts-mediatek-mt8195-cherry-mark-usb-3.0-on-xhci1-as-disabled.patch new file mode 100644 index 00000000000..e962bccd693 --- /dev/null +++ b/queue-6.11/arm64-dts-mediatek-mt8195-cherry-mark-usb-3.0-on-xhci1-as-disabled.patch 
@@ -0,0 +1,41 @@ +From 09d385679487c58f0859c1ad4f404ba3df2f8830 Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Wed, 31 Jul 2024 11:44:08 +0800 +Subject: arm64: dts: mediatek: mt8195-cherry: Mark USB 3.0 on xhci1 as disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen-Yu Tsai + +commit 09d385679487c58f0859c1ad4f404ba3df2f8830 upstream. + +USB 3.0 on xhci1 is not used, as the controller shares the same PHY as +pcie1. The latter is enabled to support the M.2 PCIe WLAN card on this +design. + +Mark USB 3.0 as disabled on this controller using the +"mediatek,u3p-dis-msk" property. + +Reported-by: Nícolas F. R. A. Prado #KernelCI +Closes: https://lore.kernel.org/all/9fce9838-ef87-4d1b-b3df-63e1ddb0ec51@notapiano/ +Fixes: b6267a396e1c ("arm64: dts: mediatek: cherry: Enable T-PHYs and USB XHCI controllers") +Cc: stable@vger.kernel.org +Signed-off-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20240731034411.371178-2-wenst@chromium.org +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/mediatek/mt8195-cherry.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/boot/dts/mediatek/mt8195-cherry.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8195-cherry.dtsi +@@ -1404,6 +1404,7 @@ + rx-fifo-depth = <3072>; + vusb33-supply = <&mt6359_vusb_ldo_reg>; + vbus-supply = <&usb_vbus>; ++ mediatek,u3p-dis-msk = <1>; + }; + + &xhci2 { diff --git a/queue-6.11/arm64-dts-mediatek-mt8395-nio-12l-mark-usb-3.0-on-xhci1-as-disabled.patch b/queue-6.11/arm64-dts-mediatek-mt8395-nio-12l-mark-usb-3.0-on-xhci1-as-disabled.patch new file mode 100644 index 00000000000..526ae146068 --- /dev/null +++ b/queue-6.11/arm64-dts-mediatek-mt8395-nio-12l-mark-usb-3.0-on-xhci1-as-disabled.patch 
@@ -0,0 +1,36 @@ +From be985531a5dd9ca50fc9f3f85b8adeb2a4a75a58 Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Wed, 31 Jul 2024 11:44:09 +0800 +Subject: arm64: dts: mediatek: mt8395-nio-12l: Mark USB 3.0 on xhci1 as disabled + +From: Chen-Yu Tsai + +commit be985531a5dd9ca50fc9f3f85b8adeb2a4a75a58 upstream. + +USB 3.0 on xhci1 is not used, as the controller shares the same PHY as +pcie1. The latter is enabled to support the M.2 PCIe WLAN card on this +design. + +Mark USB 3.0 as disabled on this controller using the +"mediatek,u3p-dis-msk" property. + +Fixes: 96564b1e2ea4 ("arm64: dts: mediatek: Introduce the MT8395 Radxa NIO 12L board") +Cc: stable@vger.kernel.org +Signed-off-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20240731034411.371178-3-wenst@chromium.org +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/mediatek/mt8395-radxa-nio-12l.dts | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/boot/dts/mediatek/mt8395-radxa-nio-12l.dts ++++ b/arch/arm64/boot/dts/mediatek/mt8395-radxa-nio-12l.dts +@@ -898,6 +898,7 @@ + usb2-lpm-disable; + vusb33-supply = <&mt6359_vusb_ldo_reg>; + vbus-supply = <&vsys>; ++ mediatek,u3p-dis-msk = <1>; + status = "okay"; + }; + diff --git a/queue-6.11/ata-libata-scsi-fix-ata_msense_control-cdl-page-reporting.patch b/queue-6.11/ata-libata-scsi-fix-ata_msense_control-cdl-page-reporting.patch new file mode 100644 index 00000000000..c4ae184778c --- /dev/null +++ b/queue-6.11/ata-libata-scsi-fix-ata_msense_control-cdl-page-reporting.patch 
@@ -0,0 +1,35 @@ +From 0e9a2990a93f27daa643b6fa73cfa47b128947a7 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Mon, 23 Sep 2024 18:14:36 +0900 +Subject: ata: libata-scsi: Fix ata_msense_control() CDL page reporting + +From: Damien Le Moal + +commit 0e9a2990a93f27daa643b6fa73cfa47b128947a7 upstream. + +When the user requests the ALL_SUB_MPAGES mode sense page, +ata_msense_control() adds the CDL_T2A_SUB_MPAGE twice instead of adding +the CDL_T2A_SUB_MPAGE and CDL_T2B_SUB_MPAGE pages information. Correct +the second call to ata_msense_control_spgt2() to report the +CDL_T2B_SUB_MPAGE page. + +Fixes: 673b2fe6ff1d ("scsi: ata: libata-scsi: Add support for CDL pages mode sense") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-scsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -2356,7 +2356,7 @@ static unsigned int ata_msense_control(s + case ALL_SUB_MPAGES: + n = ata_msense_control_spg0(dev, buf, changeable); + n += ata_msense_control_spgt2(dev, buf + n, CDL_T2A_SUB_MPAGE); +- n += ata_msense_control_spgt2(dev, buf + n, CDL_T2A_SUB_MPAGE); ++ n += ata_msense_control_spgt2(dev, buf + n, CDL_T2B_SUB_MPAGE); + n += ata_msense_control_ata_feature(dev, buf + n); + return n; + default: diff --git a/queue-6.11/bus-integrator-lm-fix-of-node-leak-in-probe.patch b/queue-6.11/bus-integrator-lm-fix-of-node-leak-in-probe.patch new file mode 100644 index 00000000000..347e8c72def --- /dev/null +++ b/queue-6.11/bus-integrator-lm-fix-of-node-leak-in-probe.patch 
@@ -0,0 +1,33 @@ +From 15a62b81175885b5adfcaf49870466e3603f06c7 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 26 Aug 2024 07:49:34 +0200 +Subject: bus: integrator-lm: fix OF node leak in probe() + +From: Krzysztof Kozlowski + +commit 15a62b81175885b5adfcaf49870466e3603f06c7 upstream. + +Driver code is leaking OF node reference from of_find_matching_node() in +probe(). + +Fixes: ccea5e8a5918 ("bus: Add driver for Integrator/AP logic modules") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Acked-by: Liviu Dudau +Link: https://lore.kernel.org/20240826054934.10724-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/arm-integrator-lm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/bus/arm-integrator-lm.c ++++ b/drivers/bus/arm-integrator-lm.c +@@ -85,6 +85,7 @@ static int integrator_ap_lm_probe(struct + return -ENODEV; + } + map = syscon_node_to_regmap(syscon); ++ of_node_put(syscon); + if (IS_ERR(map)) { + dev_err(dev, + "could not find Integrator/AP system controller\n"); diff --git a/queue-6.11/bus-mhi-host-pci_generic-fix-the-name-for-the-telit-fe990a.patch b/queue-6.11/bus-mhi-host-pci_generic-fix-the-name-for-the-telit-fe990a.patch new file mode 100644 index 00000000000..05f557c0818 --- /dev/null +++ b/queue-6.11/bus-mhi-host-pci_generic-fix-the-name-for-the-telit-fe990a.patch 
@@ -0,0 +1,53 @@ +From bfc5ca0fd1ea7aceae0b682fa4bd8079c52f96c8 Mon Sep 17 00:00:00 2001 +From: Fabio Porcedda +Date: Tue, 20 Aug 2024 10:04:39 +0200 +Subject: bus: mhi: host: pci_generic: Fix the name for the Telit FE990A + +From: Fabio Porcedda + +commit bfc5ca0fd1ea7aceae0b682fa4bd8079c52f96c8 upstream. + +Add a mhi_pci_dev_info struct specific for the Telit FE990A modem in +order to use the correct product name. + +Cc: stable@vger.kernel.org # 6.1+ +Fixes: 0724869ede9c ("bus: mhi: host: pci_generic: add support for Telit FE990 modem") +Signed-off-by: Fabio Porcedda +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20240820080439.837666-1-fabio.porcedda@gmail.com +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/mhi/host/pci_generic.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/bus/mhi/host/pci_generic.c ++++ b/drivers/bus/mhi/host/pci_generic.c +@@ -677,6 +677,15 @@ static const struct mhi_pci_dev_info mhi + .mru_default = 32768, + }; + ++static const struct mhi_pci_dev_info mhi_telit_fe990a_info = { ++ .name = "telit-fe990a", ++ .config = &modem_telit_fn990_config, ++ .bar_num = MHI_PCI_DEFAULT_BAR_NUM, ++ .dma_data_width = 32, ++ .sideband_wake = false, ++ .mru_default = 32768, ++}; ++ + /* Keep the list sorted based on the PID. 
New VID should be added as the last entry */ + static const struct pci_device_id mhi_pci_id_table[] = { + { PCI_DEVICE(PCI_VENDOR_ID_QCOM, 0x0304), +@@ -694,9 +703,9 @@ static const struct pci_device_id mhi_pc + /* Telit FN990 */ + { PCI_DEVICE_SUB(PCI_VENDOR_ID_QCOM, 0x0308, 0x1c5d, 0x2010), + .driver_data = (kernel_ulong_t) &mhi_telit_fn990_info }, +- /* Telit FE990 */ ++ /* Telit FE990A */ + { PCI_DEVICE_SUB(PCI_VENDOR_ID_QCOM, 0x0308, 0x1c5d, 0x2015), +- .driver_data = (kernel_ulong_t) &mhi_telit_fn990_info }, ++ .driver_data = (kernel_ulong_t) &mhi_telit_fe990a_info }, + { PCI_DEVICE(PCI_VENDOR_ID_QCOM, 0x0308), + .driver_data = (kernel_ulong_t) &mhi_qcom_sdx65_info }, + { PCI_DEVICE(PCI_VENDOR_ID_QCOM, 0x0309), diff --git a/queue-6.11/bus-mhi-host-pci_generic-update-edl-firmware-path-for-foxconn-modems.patch b/queue-6.11/bus-mhi-host-pci_generic-update-edl-firmware-path-for-foxconn-modems.patch new file mode 100644 index 00000000000..aa992ec6485 --- /dev/null +++ b/queue-6.11/bus-mhi-host-pci_generic-update-edl-firmware-path-for-foxconn-modems.patch 
@@ -0,0 +1,78 @@ +From a7bc66fe8093b48e86386cf73dd601feaaa7949c Mon Sep 17 00:00:00 2001 +From: Slark Xiao +Date: Thu, 25 Jul 2024 10:29:40 +0800 +Subject: bus: mhi: host: pci_generic: Update EDL firmware path for Foxconn modems + +From: Slark Xiao + +commit a7bc66fe8093b48e86386cf73dd601feaaa7949c upstream. + +Foxconn uses a unique firmware for their MHI based modems. So the generic +firmware from Qcom won't work. Hence, update the EDL firmware path to +include the 'foxconn' subdirectory based on the modem SoC so that the +Foxconn specific firmware could be used. + +Respective firmware will be upstreamed to linux-firmware repo. + +Cc: stable@vger.kernel.org # 6.11 +Fixes: bf30a75e6e00 ("bus: mhi: host: Add support for Foxconn SDX72 modems") +Signed-off-by: Slark Xiao +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20240725022941.65948-1-slark_xiao@163.com +[mani: Reworded the subject and description] +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/mhi/host/pci_generic.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +--- a/drivers/bus/mhi/host/pci_generic.c ++++ b/drivers/bus/mhi/host/pci_generic.c +@@ -433,8 +433,7 @@ static const struct mhi_controller_confi + + static const struct mhi_pci_dev_info mhi_foxconn_sdx55_info = { + .name = "foxconn-sdx55", +- .fw = "qcom/sdx55m/sbl1.mbn", +- .edl = "qcom/sdx55m/edl.mbn", ++ .edl = "qcom/sdx55m/foxconn/prog_firehose_sdx55.mbn", + .config = &modem_foxconn_sdx55_config, + .bar_num = MHI_PCI_DEFAULT_BAR_NUM, + .dma_data_width = 32, +@@ -444,8 +443,7 @@ static const struct mhi_pci_dev_info mhi + + static const struct mhi_pci_dev_info mhi_foxconn_t99w175_info = { + .name = "foxconn-t99w175", +- .fw = "qcom/sdx55m/sbl1.mbn", +- .edl = "qcom/sdx55m/edl.mbn", ++ .edl = "qcom/sdx55m/foxconn/prog_firehose_sdx55.mbn", + .config = &modem_foxconn_sdx55_config, + .bar_num = MHI_PCI_DEFAULT_BAR_NUM, + .dma_data_width = 32, +@@ -455,8 +453,7 @@ 
static const struct mhi_pci_dev_info mhi + + static const struct mhi_pci_dev_info mhi_foxconn_dw5930e_info = { + .name = "foxconn-dw5930e", +- .fw = "qcom/sdx55m/sbl1.mbn", +- .edl = "qcom/sdx55m/edl.mbn", ++ .edl = "qcom/sdx55m/foxconn/prog_firehose_sdx55.mbn", + .config = &modem_foxconn_sdx55_config, + .bar_num = MHI_PCI_DEFAULT_BAR_NUM, + .dma_data_width = 32, +@@ -502,7 +499,7 @@ static const struct mhi_pci_dev_info mhi + + static const struct mhi_pci_dev_info mhi_foxconn_t99w515_info = { + .name = "foxconn-t99w515", +- .edl = "fox/sdx72m/edl.mbn", ++ .edl = "qcom/sdx72m/foxconn/edl.mbn", + .edl_trigger = true, + .config = &modem_foxconn_sdx72_config, + .bar_num = MHI_PCI_DEFAULT_BAR_NUM, +@@ -513,7 +510,7 @@ static const struct mhi_pci_dev_info mhi + + static const struct mhi_pci_dev_info mhi_foxconn_dw5934e_info = { + .name = "foxconn-dw5934e", +- .edl = "fox/sdx72m/edl.mbn", ++ .edl = "qcom/sdx72m/foxconn/edl.mbn", + .edl_trigger = true, + .config = &modem_foxconn_sdx72_config, + .bar_num = MHI_PCI_DEFAULT_BAR_NUM, diff --git a/queue-6.11/can-esd_usb-remove-can_ctrlmode_3_samples-for-can-usb-3-fd.patch b/queue-6.11/can-esd_usb-remove-can_ctrlmode_3_samples-for-can-usb-3-fd.patch new file mode 100644 index 00000000000..6b0fb2276ea --- /dev/null +++ b/queue-6.11/can-esd_usb-remove-can_ctrlmode_3_samples-for-can-usb-3-fd.patch 
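Review bot: The three SDX55 entries (`mhi_foxconn_sdx55_info`, `mhi_foxconn_t99w175_info`, `mhi_foxconn_dw5930e_info`) lose their `.fw = "qcom/sdx55m/sbl1.mbn"` line as well as getting a new `.edl` path, but the description only explains the EDL change. Please say why `.fw` is dropped, since that matters to anyone auditing which firmware images these modems may load. The description also says the Foxconn images are still to be upstreamed to linux-firmware, so on a stable kernel the new paths may not resolve until the firmware package catches up. A comment above the entries would record that dependency, for example `/* Foxconn-specific EDL programmer; needs a linux-firmware that ships qcom/sdx55m/foxconn/ */`.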
@@ -0,0 +1,59 @@ +From 75b3189540578f96b4996e4849b6649998f49455 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stefan=20M=C3=A4tje?= +Date: Thu, 5 Sep 2024 00:27:40 +0200 +Subject: can: esd_usb: Remove CAN_CTRLMODE_3_SAMPLES for CAN-USB/3-FD +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stefan Mätje + +commit 75b3189540578f96b4996e4849b6649998f49455 upstream. + +Remove the CAN_CTRLMODE_3_SAMPLES announcement for CAN-USB/3-FD devices +because these devices don't support it. + +The hardware has a Microchip SAM E70 microcontroller that uses a Bosch +MCAN IP core as CAN FD controller. But this MCAN core doesn't support +triple sampling. + +Fixes: 80662d943075 ("can: esd_usb: Add support for esd CAN-USB/3") +Cc: stable@vger.kernel.org +Signed-off-by: Stefan Mätje +Reviewed-by: Vincent Mailhol +Link: https://patch.msgid.link/20240904222740.2985864-2-stefan.maetje@esd.eu +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/esd_usb.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/net/can/usb/esd_usb.c ++++ b/drivers/net/can/usb/esd_usb.c +@@ -3,7 +3,7 @@ + * CAN driver for esd electronics gmbh CAN-USB/2, CAN-USB/3 and CAN-USB/Micro + * + * Copyright (C) 2010-2012 esd electronic system design gmbh, Matthias Fuchs +- * Copyright (C) 2022-2023 esd electronics gmbh, Frank Jungclaus ++ * Copyright (C) 2022-2024 esd electronics gmbh, Frank Jungclaus + */ + + #include +@@ -1116,9 +1116,6 @@ static int esd_usb_3_set_bittiming(struc + if (priv->can.ctrlmode & CAN_CTRLMODE_LISTENONLY) + flags |= ESD_USB_3_BAUDRATE_FLAG_LOM; + +- if (priv->can.ctrlmode & CAN_CTRLMODE_3_SAMPLES) +- flags |= ESD_USB_3_BAUDRATE_FLAG_TRS; +- + baud_x->nom.brp = cpu_to_le16(nom_bt->brp & (nom_btc->brp_max - 1)); + baud_x->nom.sjw = cpu_to_le16(nom_bt->sjw & (nom_btc->sjw_max - 1)); + baud_x->nom.tseg1 = cpu_to_le16((nom_bt->prop_seg + nom_bt->phase_seg1) +@@ -1219,7 +1216,6 @@ static 
int esd_usb_probe_one_net(struct + switch (le16_to_cpu(dev->udev->descriptor.idProduct)) { + case ESD_USB_CANUSB3_PRODUCT_ID: + priv->can.clock.freq = ESD_USB_3_CAN_CLOCK; +- priv->can.ctrlmode_supported |= CAN_CTRLMODE_3_SAMPLES; + priv->can.ctrlmode_supported |= CAN_CTRLMODE_FD; + priv->can.bittiming_const = &esd_usb_3_nom_bittiming_const; + priv->can.data_bittiming_const = &esd_usb_3_data_bittiming_const; diff --git a/queue-6.11/crypto-ccp-properly-unregister-dev-sev-on-sev-platform_status-failure.patch b/queue-6.11/crypto-ccp-properly-unregister-dev-sev-on-sev-platform_status-failure.patch new file mode 100644 index 00000000000..a4464d41167 --- /dev/null +++ b/queue-6.11/crypto-ccp-properly-unregister-dev-sev-on-sev-platform_status-failure.patch 
@@ -0,0 +1,80 @@ +From ce3d2d6b150ba8528f3218ebf0cee2c2c572662d Mon Sep 17 00:00:00 2001 +From: Pavan Kumar Paluri +Date: Thu, 15 Aug 2024 07:25:00 -0500 +Subject: crypto: ccp - Properly unregister /dev/sev on sev PLATFORM_STATUS failure + +From: Pavan Kumar Paluri + +commit ce3d2d6b150ba8528f3218ebf0cee2c2c572662d upstream. + +In case of sev PLATFORM_STATUS failure, sev_get_api_version() fails +resulting in sev_data field of psp_master nulled out. This later becomes +a problem when unloading the ccp module because the device has not been +unregistered (via misc_deregister()) before clearing the sev_data field +of psp_master. As a result, on reloading the ccp module, a duplicate +device issue is encountered as can be seen from the dmesg log below. + +on reloading ccp module via modprobe ccp + +Call Trace: + + dump_stack_lvl+0xd7/0xf0 + dump_stack+0x10/0x20 + sysfs_warn_dup+0x5c/0x70 + sysfs_create_dir_ns+0xbc/0xd + kobject_add_internal+0xb1/0x2f0 + kobject_add+0x7a/0xe0 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? get_device_parent+0xd4/0x1e0 + ? __pfx_klist_children_get+0x10/0x10 + device_add+0x121/0x870 + ? srso_alias_return_thunk+0x5/0xfbef5 + device_create_groups_vargs+0xdc/0x100 + device_create_with_groups+0x3f/0x60 + misc_register+0x13b/0x1c0 + sev_dev_init+0x1d4/0x290 [ccp] + psp_dev_init+0x136/0x300 [ccp] + sp_init+0x6f/0x80 [ccp] + sp_pci_probe+0x2a6/0x310 [ccp] + ? srso_alias_return_thunk+0x5/0xfbef5 + local_pci_probe+0x4b/0xb0 + work_for_cpu_fn+0x1a/0x30 + process_one_work+0x203/0x600 + worker_thread+0x19e/0x350 + ? __pfx_worker_thread+0x10/0x10 + kthread+0xeb/0x120 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x3c/0x60 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1a/0x30 + + kobject: kobject_add_internal failed for sev with -EEXIST, don't try to register things with the same name in the same directory. 
+ ccp 0000:22:00.1: sev initialization failed + ccp 0000:22:00.1: psp initialization failed + ccp 0000:a2:00.1: no command queues available + ccp 0000:a2:00.1: psp enabled + +Address this issue by unregistering the /dev/sev before clearing out +sev_data in case of PLATFORM_STATUS failure. + +Fixes: 200664d5237f ("crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support") +Cc: stable@vger.kernel.org +Signed-off-by: Pavan Kumar Paluri +Acked-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/ccp/sev-dev.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/crypto/ccp/sev-dev.c ++++ b/drivers/crypto/ccp/sev-dev.c +@@ -2421,6 +2421,8 @@ void sev_pci_init(void) + return; + + err: ++ sev_dev_destroy(psp_master); ++ + psp_master->sev_data = NULL; + } + diff --git a/queue-6.11/crypto-qcom-rng-fix-support-for-acpi-based-systems.patch b/queue-6.11/crypto-qcom-rng-fix-support-for-acpi-based-systems.patch new file mode 100644 index 00000000000..94e55e90c1c --- /dev/null +++ b/queue-6.11/crypto-qcom-rng-fix-support-for-acpi-based-systems.patch 
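Review bot: The `err:` path in sev_pci_init() now depends on statement order, because `sev_dev_destroy(psp_master)` has to run before `psp_master->sev_data = NULL`, and nothing in the code says so. Per the description, the misc device stayed registered precisely because sev_data was cleared first, so a later reorder would quietly bring back the duplicate /dev/sev registration on module reload. I would add `/* Unregister /dev/sev while sev_data is still set; clearing it first leaves the misc device registered. */` above the call. sev_dev_destroy() itself is outside the hunk, so whether it tolerates every partially initialised state that can reach `err:` should be confirmed there.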
@@ -0,0 +1,54 @@ +From 3e87031a6ce68f13722155497cd511a00b56a2ae Mon Sep 17 00:00:00 2001 +From: Brian Masney +Date: Thu, 5 Sep 2024 20:25:20 -0400 +Subject: crypto: qcom-rng - fix support for ACPI-based systems +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Brian Masney + +commit 3e87031a6ce68f13722155497cd511a00b56a2ae upstream. + +The qcom-rng driver supports both ACPI and device tree-based systems. +ACPI support was broken when the hw_random interface support was added. +Let's go ahead and fix this by adding the appropriate driver data to the +ACPI match table, and change the of_device_get_match_data() call to +device_get_match_data() so that it will also work on ACPI-based systems. + +This fix was boot tested on a Qualcomm Amberwing server (ACPI based) and +on a Qualcomm SA8775p Automotive Development Board (DT based). I also +verified that qcom-rng shows up in /proc/crypto on both systems. + +Fixes: f29cd5bb64c2 ("crypto: qcom-rng - Add hw_random interface support") +Reported-by: Ernesto A. 
Fernández +Closes: https://lore.kernel.org/linux-arm-msm/20240828184019.GA21181@eaf/ +Cc: stable@vger.kernel.org +Signed-off-by: Brian Masney +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/qcom-rng.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/qcom-rng.c ++++ b/drivers/crypto/qcom-rng.c +@@ -196,7 +196,7 @@ static int qcom_rng_probe(struct platfor + if (IS_ERR(rng->clk)) + return PTR_ERR(rng->clk); + +- rng->of_data = (struct qcom_rng_of_data *)of_device_get_match_data(&pdev->dev); ++ rng->of_data = (struct qcom_rng_of_data *)device_get_match_data(&pdev->dev); + + qcom_rng_dev = rng; + ret = crypto_register_rng(&qcom_rng_alg); +@@ -247,7 +247,7 @@ static struct qcom_rng_of_data qcom_trng + }; + + static const struct acpi_device_id __maybe_unused qcom_rng_acpi_match[] = { +- { .id = "QCOM8160", .driver_data = 1 }, ++ { .id = "QCOM8160", .driver_data = (kernel_ulong_t)&qcom_prng_ee_of_data }, + {} + }; + MODULE_DEVICE_TABLE(acpi, qcom_rng_acpi_match); diff --git a/queue-6.11/firmware_loader-block-path-traversal.patch b/queue-6.11/firmware_loader-block-path-traversal.patch new file mode 100644 index 00000000000..64d173cc97f --- /dev/null +++ b/queue-6.11/firmware_loader-block-path-traversal.patch 
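Review bot: The result of `device_get_match_data(&pdev->dev)` is stored in `rng->of_data` in qcom_rng_probe() without a NULL check, and the cast to `struct qcom_rng_of_data *` hides the constness of what the helper returns. If probe can run for a device with no match data and later code dereferences `rng->of_data` (that code is outside the hunk), the result is a NULL dereference at probe time. Adding `if (!rng->of_data) return -ENODEV;` right after the assignment would close it. The ACPI entry now stores `&qcom_prng_ee_of_data` where it used to store `1`, so `qcom_rng_acpi_match` deserves a comment such as `/* driver_data is a struct qcom_rng_of_data pointer, never a plain flag */`.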
@@ -0,0 +1,106 @@ +From f0e5311aa8022107d63c54e2f03684ec097d1394 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 28 Aug 2024 01:45:48 +0200 +Subject: firmware_loader: Block path traversal + +From: Jann Horn + +commit f0e5311aa8022107d63c54e2f03684ec097d1394 upstream. + +Most firmware names are hardcoded strings, or are constructed from fairly +constrained format strings where the dynamic parts are just some hex +numbers or such. + +However, there are a couple codepaths in the kernel where firmware file +names contain string components that are passed through from a device or +semi-privileged userspace; the ones I could find (not counting interfaces +that require root privileges) are: + + - lpfc_sli4_request_firmware_update() seems to construct the firmware + filename from "ModelName", a string that was previously parsed out of + some descriptor ("Vital Product Data") in lpfc_fill_vpd() + - nfp_net_fw_find() seems to construct a firmware filename from a model + name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I + think parses some descriptor that was read from the device. + (But this case likely isn't exploitable because the format string looks + like "netronome/nic_%s", and there shouldn't be any *folders* starting + with "netronome/nic_". The previous case was different because there, + the "%s" is *at the start* of the format string.) + - module_flash_fw_schedule() is reachable from the + ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as + GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is + enough to pass the privilege check), and takes a userspace-provided + firmware name. + (But I think to reach this case, you need to have CAP_NET_ADMIN over a + network namespace that a special kind of ethernet device is mapped into, + so I think this is not a viable attack path in practice.) + +Fix it by rejecting any firmware names containing ".." path components. 
+ +For what it's worth, I went looking and haven't found any USB device +drivers that use the firmware loader dangerously. + +Cc: stable@vger.kernel.org +Reviewed-by: Danilo Krummrich +Fixes: abb139e75c2c ("firmware: teach the kernel to load firmware files directly from the filesystem") +Signed-off-by: Jann Horn +Acked-by: Luis Chamberlain +Link: https://lore.kernel.org/r/20240828-firmware-traversal-v3-1-c76529c63b5f@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/firmware_loader/main.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +--- a/drivers/base/firmware_loader/main.c ++++ b/drivers/base/firmware_loader/main.c +@@ -849,6 +849,26 @@ static void fw_log_firmware_info(const s + {} + #endif + ++/* ++ * Reject firmware file names with ".." path components. ++ * There are drivers that construct firmware file names from device-supplied ++ * strings, and we don't want some device to be able to tell us "I would like to ++ * be sent my firmware from ../../../etc/shadow, please". ++ * ++ * Search for ".." surrounded by either '/' or start/end of string. ++ * ++ * This intentionally only looks at the firmware name, not at the firmware base ++ * directory or at symlink contents. ++ */ ++static bool name_contains_dotdot(const char *name) ++{ ++ size_t name_len = strlen(name); ++ ++ return strcmp(name, "..") == 0 || strncmp(name, "../", 3) == 0 || ++ strstr(name, "/../") != NULL || ++ (name_len >= 3 && strcmp(name+name_len-3, "/..") == 0); ++} ++ + /* called from request_firmware() and request_firmware_work_func() */ + static int + _request_firmware(const struct firmware **firmware_p, const char *name, +@@ -869,6 +889,14 @@ _request_firmware(const struct firmware + goto out; + } + ++ if (name_contains_dotdot(name)) { ++ dev_warn(device, ++ "Firmware load for '%s' refused, path contains '..' 
component\n", ++ name); ++ ret = -EINVAL; ++ goto out; ++ } ++ + ret = _request_firmware_prepare(&fw, name, device, buf, size, + offset, opt_flags); + if (ret <= 0) /* error or already assigned */ +@@ -946,6 +974,8 @@ out: + * @name will be used as $FIRMWARE in the uevent environment and + * should be distinctive enough not to be confused with any other + * firmware image for this or any other device. ++ * It must not contain any ".." path components - "foo/bar..bin" is ++ * allowed, but "foo/../bar.bin" is not. + * + * Caller must hold the reference count of @device. + * diff --git a/queue-6.11/keys-prevent-null-pointer-dereference-in-find_asymmetric_key.patch b/queue-6.11/keys-prevent-null-pointer-dereference-in-find_asymmetric_key.patch new file mode 100644 index 00000000000..b099c42ad00 --- /dev/null +++ b/queue-6.11/keys-prevent-null-pointer-dereference-in-find_asymmetric_key.patch 
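Review bot: The new `dev_warn()` in _request_firmware() is not rate limited, yet it prints a name that, per the description, can come from a device or from semi-privileged userspace. A caller that keeps submitting names with a `..` component can flood the kernel log, so I would use `dev_warn_ratelimited(device, ...)` with the same format string and arguments. The refusal message is also the only trace of a blocked traversal attempt, so its wording is worth keeping stable for log-based detection. The kernel-doc hunk states the new restriction on @name but not the resulting `-EINVAL`; a line for that return value would complete it. The body of _request_firmware() and the kernel-doc block both continue outside the hunks.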
@@ -0,0 +1,55 @@ +From 70fd1966c93bf3bfe3fe6d753eb3d83a76597eef Mon Sep 17 00:00:00 2001 +From: Roman Smirnov +Date: Tue, 17 Sep 2024 18:54:53 +0300 +Subject: KEYS: prevent NULL pointer dereference in find_asymmetric_key() + +From: Roman Smirnov + +commit 70fd1966c93bf3bfe3fe6d753eb3d83a76597eef upstream. + +In find_asymmetric_key(), if all NULLs are passed in the id_{0,1,2} +arguments, the kernel will first emit WARN but then have an oops +because id_2 gets dereferenced anyway. + +Add the missing id_2 check and move WARN_ON() to the final else branch +to avoid duplicate NULL checks. + +Found by Linux Verification Center (linuxtesting.org) with Svace static +analysis tool. + +Cc: stable@vger.kernel.org # v5.17+ +Fixes: 7d30198ee24f ("keys: X.509 public key issuer lookup without AKID") +Suggested-by: Sergey Shtylyov +Signed-off-by: Roman Smirnov +Reviewed-by: Sergey Shtylyov +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + crypto/asymmetric_keys/asymmetric_type.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/crypto/asymmetric_keys/asymmetric_type.c ++++ b/crypto/asymmetric_keys/asymmetric_type.c +@@ -60,17 +60,18 @@ struct key *find_asymmetric_key(struct k + char *req, *p; + int len; + +- WARN_ON(!id_0 && !id_1 && !id_2); +- + if (id_0) { + lookup = id_0->data; + len = id_0->len; + } else if (id_1) { + lookup = id_1->data; + len = id_1->len; +- } else { ++ } else if (id_2) { + lookup = id_2->data; + len = id_2->len; ++ } else { ++ WARN_ON(1); ++ return ERR_PTR(-EINVAL); + } + + /* Construct an identifier "id:". */ diff --git a/queue-6.11/ksmbd-allow-write-with-file_append_data.patch b/queue-6.11/ksmbd-allow-write-with-file_append_data.patch new file mode 100644 index 00000000000..08817306278 --- /dev/null +++ b/queue-6.11/ksmbd-allow-write-with-file_append_data.patch 
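Review bot: The final `else` branch in find_asymmetric_key() uses `WARN_ON(1)`, which fires on every call that passes all three ids as NULL. If any caller can reach it with ids derived from parsed certificate or signature data (callers are not visible here), each such call logs a backtrace, and a system running with panic_on_warn set goes down. `WARN_ON_ONCE(1);` keeps the diagnostic without that exposure. The function's kernel-doc is outside the hunk and should gain a line for the new `ERR_PTR(-EINVAL)` return.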
@@ -0,0 +1,36 @@ +From 2fb9b5dc80cabcee636a6ccd020740dd925b4580 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Tue, 3 Sep 2024 20:26:33 +0900 +Subject: ksmbd: allow write with FILE_APPEND_DATA + +From: Namjae Jeon + +commit 2fb9b5dc80cabcee636a6ccd020740dd925b4580 upstream. + +Windows client write with FILE_APPEND_DATA when using git. +ksmbd should allow write it with this flags. + +Z:\test>git commit -m "test" +fatal: cannot update the ref 'HEAD': unable to append to + '.git/logs/HEAD': Bad file descriptor + +Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers") +Cc: stable@vger.kernel.org # v5.15+ +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/vfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/smb/server/vfs.c ++++ b/fs/smb/server/vfs.c +@@ -496,7 +496,7 @@ int ksmbd_vfs_write(struct ksmbd_work *w + int err = 0; + + if (work->conn->connection_type) { +- if (!(fp->daccess & FILE_WRITE_DATA_LE)) { ++ if (!(fp->daccess & (FILE_WRITE_DATA_LE | FILE_APPEND_DATA_LE))) { + pr_err("no right to write(%pD)\n", fp->filp); + err = -EACCES; + goto out; diff --git a/queue-6.11/ksmbd-handle-caseless-file-creation.patch b/queue-6.11/ksmbd-handle-caseless-file-creation.patch new file mode 100644 index 00000000000..f248fc1ae0b --- /dev/null +++ b/queue-6.11/ksmbd-handle-caseless-file-creation.patch 
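Review bot: With `FILE_WRITE_DATA_LE | FILE_APPEND_DATA_LE` in the mask, a handle that was granted only append access now passes the check in ksmbd_vfs_write(), and nothing in the visible lines ties such a write to end-of-file. If the rest of the function (outside the hunk) writes at the client-supplied offset, an append-only handle can overwrite existing data, which is broader than the access the client was granted. I would reject writes that start before the current file size when `FILE_WRITE_DATA_LE` is absent. Failing that, record the gap with a comment such as `/* FILE_APPEND_DATA alone is accepted here; the write offset is not restricted to EOF */`.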
@@ -0,0 +1,63 @@ +From c5a709f08d40b1a082e44ffcde1aea4d2822ddd5 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sun, 8 Sep 2024 15:23:48 +0900 +Subject: ksmbd: handle caseless file creation + +From: Namjae Jeon + +commit c5a709f08d40b1a082e44ffcde1aea4d2822ddd5 upstream. + +Ray Zhang reported ksmbd can not create file if parent filename is +caseless. + +Y:\>mkdir A +Y:\>echo 123 >a\b.txt +The system cannot find the path specified. +Y:\>echo 123 >A\b.txt + +This patch convert name obtained by caseless lookup to parent name. + +Cc: stable@vger.kernel.org # v5.15+ +Reported-by: Ray Zhang +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/vfs.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/fs/smb/server/vfs.c ++++ b/fs/smb/server/vfs.c +@@ -1167,7 +1167,7 @@ static bool __caseless_lookup(struct dir + if (cmp < 0) + cmp = strncasecmp((char *)buf->private, name, namlen); + if (!cmp) { +- memcpy((char *)buf->private, name, namlen); ++ memcpy((char *)buf->private, name, buf->used); + buf->dirent_count = 1; + return false; + } +@@ -1235,10 +1235,7 @@ int ksmbd_vfs_kern_path_locked(struct ks + char *filepath; + size_t path_len, remain_len; + +- filepath = kstrdup(name, GFP_KERNEL); +- if (!filepath) +- return -ENOMEM; +- ++ filepath = name; + path_len = strlen(filepath); + remain_len = path_len; + +@@ -1281,10 +1278,9 @@ int ksmbd_vfs_kern_path_locked(struct ks + err = -EINVAL; + out2: + path_put(parent_path); +-out1: +- kfree(filepath); + } + ++out1: + if (!err) { + err = mnt_want_write(parent_path->mnt); + if (err) { diff --git a/queue-6.11/ksmbd-make-__dir_empty-compatible-with-posix.patch b/queue-6.11/ksmbd-make-__dir_empty-compatible-with-posix.patch new file mode 100644 index 00000000000..4d0dd93b1bd --- /dev/null +++ b/queue-6.11/ksmbd-make-__dir_empty-compatible-with-posix.patch 
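Review bot: In __caseless_lookup() the copy length changes from `namlen` to `buf->used` while the source is still the directory entry `name`, whose length is `namlen`. Unless a check above the hunk guarantees `buf->used == namlen`, the `memcpy()` reads past the entry name when `buf->used` is larger. A comment such as `/* buf->used == namlen is checked above, so this only rewrites the case */`, or going back to `namlen`, would make the bound explicit. In ksmbd_vfs_kern_path_locked(), `filepath = name;` means the lookup now rewrites the caller's string in place instead of a kstrdup() copy, so the function comment should say that `name` must be writable and is modified on a caseless match. Both function bodies continue outside the hunks.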
@@ -0,0 +1,48 @@ +From ca4974ca954561e79f8871d220bb08f14f64f57c Mon Sep 17 00:00:00 2001 +From: Hobin Woo +Date: Wed, 4 Sep 2024 13:36:35 +0900 +Subject: ksmbd: make __dir_empty() compatible with POSIX + +From: Hobin Woo + +commit ca4974ca954561e79f8871d220bb08f14f64f57c upstream. + +Some file systems may not provide dot (.) and dot-dot (..) as they are +optional in POSIX. ksmbd can misjudge emptiness of a directory in those +file systems, since it assumes there are always at least two entries: +dot and dot-dot. +Just don't count dot and dot-dot. + +Cc: stable@vger.kernel.org # v6.1+ +Signed-off-by: Hobin Woo +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/vfs.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/fs/smb/server/vfs.c ++++ b/fs/smb/server/vfs.c +@@ -1115,9 +1115,10 @@ static bool __dir_empty(struct dir_conte + struct ksmbd_readdir_data *buf; + + buf = container_of(ctx, struct ksmbd_readdir_data, ctx); +- buf->dirent_count++; ++ if (!is_dot_dotdot(name, namlen)) ++ buf->dirent_count++; + +- return buf->dirent_count <= 2; ++ return !buf->dirent_count; + } + + /** +@@ -1137,7 +1138,7 @@ int ksmbd_vfs_empty_dir(struct ksmbd_fil + readdir_data.dirent_count = 0; + + err = iterate_dir(fp->filp, &readdir_data.ctx); +- if (readdir_data.dirent_count > 2) ++ if (readdir_data.dirent_count) + err = -ENOTEMPTY; + else + err = 0; diff --git a/queue-6.11/objtool-handle-frame-pointer-related-instructions.patch b/queue-6.11/objtool-handle-frame-pointer-related-instructions.patch new file mode 100644 index 00000000000..ea29848e91e --- /dev/null +++ b/queue-6.11/objtool-handle-frame-pointer-related-instructions.patch 
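Review bot: ksmbd_vfs_empty_dir() still discards the return value of iterate_dir(): with `else err = 0;` a directory read that failed before delivering any entry is reported as an empty directory. An emptiness check typically gates directory removal, so a read error should not be treated as "empty". Assuming iterate_dir() returns 0 on success, dropping the `else err = 0;` branch and keeping only `if (readdir_data.dirent_count) err = -ENOTEMPTY;` would propagate the negative errno. The function continues outside the hunk.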
@@ -0,0 +1,162 @@ +From da5b2ad1c2f18834cb1ce429e2e5a5cf5cbdf21b Mon Sep 17 00:00:00 2001 +From: Tiezhu Yang +Date: Tue, 17 Sep 2024 22:23:09 +0800 +Subject: objtool: Handle frame pointer related instructions + +From: Tiezhu Yang + +commit da5b2ad1c2f18834cb1ce429e2e5a5cf5cbdf21b upstream. + +After commit a0f7085f6a63 ("LoongArch: Add RANDOMIZE_KSTACK_OFFSET +support"), there are three new instructions "addi.d $fp, $sp, 32", +"sub.d $sp, $sp, $t0" and "addi.d $sp, $fp, -32" for the secondary +stack in do_syscall(), then there is a objtool warning "return with +modified stack frame" and no handle_syscall() which is the previous +frame of do_syscall() in the call trace when executing the command +"echo l > /proc/sysrq-trigger". + +objdump shows something like this: + +0000000000000000 : + 0: 02ff8063 addi.d $sp, $sp, -32 + 4: 29c04076 st.d $fp, $sp, 16 + 8: 29c02077 st.d $s0, $sp, 8 + c: 29c06061 st.d $ra, $sp, 24 + 10: 02c08076 addi.d $fp, $sp, 32 + ... + 74: 0011b063 sub.d $sp, $sp, $t0 + ... + a8: 4c000181 jirl $ra, $t0, 0 + ... + dc: 02ff82c3 addi.d $sp, $fp, -32 + e0: 28c06061 ld.d $ra, $sp, 24 + e4: 28c04076 ld.d $fp, $sp, 16 + e8: 28c02077 ld.d $s0, $sp, 8 + ec: 02c08063 addi.d $sp, $sp, 32 + f0: 4c000020 jirl $zero, $ra, 0 + +The instruction "sub.d $sp, $sp, $t0" changes the stack bottom and the +new stack size is a random value, in order to find the return address of +do_syscall() which is stored in the original stack frame after executing +"jirl $ra, $t0, 0", it should use fp which points to the original stack +top. + +At the beginning, the thought is tended to decode the secondary stack +instruction "sub.d $sp, $sp, $t0" and set it as a label, then check this +label for the two frame pointer instructions to change the cfa base and +cfa offset during the period of secondary stack in update_cfi_state(). 
+This is valid for GCC but invalid for Clang due to there are different +secondary stack instructions for ClangBuiltLinux on LoongArch, something +like this: + +0000000000000000 : + ... + 88: 00119064 sub.d $a0, $sp, $a0 + 8c: 00150083 or $sp, $a0, $zero + ... + +Actually, it equals to a single instruction "sub.d $sp, $sp, $a0", but +there is no proper condition to check it as a label like GCC, and so the +beginning thought is not a good way. + +Essentially, there are two special frame pointer instructions which are +"addi.d $fp, $sp, imm" and "addi.d $sp, $fp, imm", the first one points +fp to the original stack top and the second one restores the original +stack bottom from fp. + +Based on the above analysis, in order to avoid adding an arch-specific +update_cfi_state(), we just add a member "frame_pointer" in the "struct +symbol" as a label to avoid affecting the current normal case, then set +it as true only if there is "addi.d $sp, $fp, imm". The last is to check +this label for the two frame pointer instructions to change the cfa base +and cfa offset in update_cfi_state(). + +Tested with the following two configs: +(1) CONFIG_RANDOMIZE_KSTACK_OFFSET=y && + CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=n +(2) CONFIG_RANDOMIZE_KSTACK_OFFSET=y && + CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y + +By the way, there is no effect for x86 with this patch, tested on the +x86 machine with Fedora 40 system. 
+ +Cc: stable@vger.kernel.org # 6.9+ +Signed-off-by: Tiezhu Yang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + tools/objtool/arch/loongarch/decode.c | 11 ++++++++++- + tools/objtool/check.c | 23 ++++++++++++++++++++--- + tools/objtool/include/objtool/elf.h | 1 + + 3 files changed, 31 insertions(+), 4 deletions(-) + +--- a/tools/objtool/arch/loongarch/decode.c ++++ b/tools/objtool/arch/loongarch/decode.c +@@ -122,7 +122,7 @@ static bool decode_insn_reg2i12_fomat(un + switch (inst.reg2i12_format.opcode) { + case addid_op: + if ((inst.reg2i12_format.rd == CFI_SP) || (inst.reg2i12_format.rj == CFI_SP)) { +- /* addi.d sp,sp,si12 or addi.d fp,sp,si12 */ ++ /* addi.d sp,sp,si12 or addi.d fp,sp,si12 or addi.d sp,fp,si12 */ + insn->immediate = sign_extend64(inst.reg2i12_format.immediate, 11); + ADD_OP(op) { + op->src.type = OP_SRC_ADD; +@@ -132,6 +132,15 @@ static bool decode_insn_reg2i12_fomat(un + op->dest.reg = inst.reg2i12_format.rd; + } + } ++ if ((inst.reg2i12_format.rd == CFI_SP) && (inst.reg2i12_format.rj == CFI_FP)) { ++ /* addi.d sp,fp,si12 */ ++ struct symbol *func = find_func_containing(insn->sec, insn->offset); ++ ++ if (!func) ++ return false; ++ ++ func->frame_pointer = true; ++ } + break; + case ldd_op: + if (inst.reg2i12_format.rj == CFI_SP) { +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -2993,10 +2993,27 @@ static int update_cfi_state(struct instr + break; + } + +- if (op->dest.reg == CFI_SP && op->src.reg == CFI_BP) { ++ if (op->dest.reg == CFI_BP && op->src.reg == CFI_SP && ++ insn->sym->frame_pointer) { ++ /* addi.d fp,sp,imm on LoongArch */ ++ if (cfa->base == CFI_SP && cfa->offset == op->src.offset) { ++ cfa->base = CFI_BP; ++ cfa->offset = 0; ++ } ++ break; ++ } + +- /* lea disp(%rbp), %rsp */ +- cfi->stack_size = -(op->src.offset + regs[CFI_BP].offset); ++ if (op->dest.reg == CFI_SP && op->src.reg == CFI_BP) { ++ /* addi.d sp,fp,imm on LoongArch */ ++ if (cfa->base == CFI_BP && cfa->offset == 0) { ++ if 
(insn->sym->frame_pointer) { ++ cfa->base = CFI_SP; ++ cfa->offset = -op->src.offset; ++ } ++ } else { ++ /* lea disp(%rbp), %rsp */ ++ cfi->stack_size = -(op->src.offset + regs[CFI_BP].offset); ++ } + break; + } + +--- a/tools/objtool/include/objtool/elf.h ++++ b/tools/objtool/include/objtool/elf.h +@@ -68,6 +68,7 @@ struct symbol { + u8 warned : 1; + u8 embedded_insn : 1; + u8 local_label : 1; ++ u8 frame_pointer : 1; + struct list_head pv_target; + struct reloc *relocs; + }; diff --git a/queue-6.11/powerpc-atomic-use-yz-constraints-for-ds-form-instructions.patch b/queue-6.11/powerpc-atomic-use-yz-constraints-for-ds-form-instructions.patch new file mode 100644 index 00000000000..12f40586238 --- /dev/null +++ b/queue-6.11/powerpc-atomic-use-yz-constraints-for-ds-form-instructions.patch 
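Review bot: Both new branches in update_cfi_state() read `insn->sym->frame_pointer` without checking `insn->sym`, and they sit on the register-move path that the x86 `lea disp(%rbp), %rsp` case shares. If an instruction outside any symbol can reach this code, objtool would dereference NULL; `insn->sym && insn->sym->frame_pointer` keeps the previous behaviour in that case. Whether `insn->sym` is guaranteed non-NULL here is not visible, since the function starts and ends outside the hunk. In decode.c, the `return false` for a missing function comes after the ADD_OP block has already run, which deserves a comment on the intended outcome.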
@@ -0,0 +1,112 @@ +From 39190ac7cff1fd15135fa8e658030d9646fdb5f2 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Mon, 16 Sep 2024 22:05:10 +1000 +Subject: powerpc/atomic: Use YZ constraints for DS-form instructions + +From: Michael Ellerman + +commit 39190ac7cff1fd15135fa8e658030d9646fdb5f2 upstream. + +The 'ld' and 'std' instructions require a 4-byte aligned displacement +because they are DS-form instructions. But the "m" asm constraint +doesn't enforce that. + +That can lead to build errors if the compiler chooses a non-aligned +displacement, as seen with GCC 14: + + /tmp/ccuSzwiR.s: Assembler messages: + /tmp/ccuSzwiR.s:2579: Error: operand out of domain (39 is not a multiple of 4) + make[5]: *** [scripts/Makefile.build:229: net/core/page_pool.o] Error 1 + +Dumping the generated assembler shows: + + ld 8,39(8) # MEM[(const struct atomic64_t *)_29].counter, t + +Use the YZ constraints to tell the compiler either to generate a DS-form +displacement, or use an X-form instruction, either of which prevents the +build error. + +See commit 2d43cc701b96 ("powerpc/uaccess: Fix build errors seen with +GCC 13/14") for more details on the constraint letters. 
+ +Fixes: 9f0cbea0d8cc ("[POWERPC] Implement atomic{, 64}_{read, write}() without volatile") +Cc: stable@vger.kernel.org # v2.6.24+ +Reported-by: Stephen Rothwell +Closes: https://lore.kernel.org/all/20240913125302.0a06b4c7@canb.auug.org.au +Tested-by: Mina Almasry +Reviewed-by: Segher Boessenkool +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240916120510.2017749-1-mpe@ellerman.id.au +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/asm-compat.h | 6 ++++++ + arch/powerpc/include/asm/atomic.h | 5 +++-- + arch/powerpc/include/asm/uaccess.h | 7 +------ + 3 files changed, 10 insertions(+), 8 deletions(-) + +--- a/arch/powerpc/include/asm/asm-compat.h ++++ b/arch/powerpc/include/asm/asm-compat.h +@@ -39,6 +39,12 @@ + #define STDX_BE stringify_in_c(stdbrx) + #endif + ++#ifdef CONFIG_CC_IS_CLANG ++#define DS_FORM_CONSTRAINT "Z<>" ++#else ++#define DS_FORM_CONSTRAINT "YZ<>" ++#endif ++ + #else /* 32-bit */ + + /* operations for longs and pointers */ +--- a/arch/powerpc/include/asm/atomic.h ++++ b/arch/powerpc/include/asm/atomic.h +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + + /* + * Since *_return_relaxed and {cmp}xchg_relaxed are implemented with +@@ -197,7 +198,7 @@ static __inline__ s64 arch_atomic64_read + if (IS_ENABLED(CONFIG_PPC_KERNEL_PREFIXED)) + __asm__ __volatile__("ld %0,0(%1)" : "=r"(t) : "b"(&v->counter)); + else +- __asm__ __volatile__("ld%U1%X1 %0,%1" : "=r"(t) : "m<>"(v->counter)); ++ __asm__ __volatile__("ld%U1%X1 %0,%1" : "=r"(t) : DS_FORM_CONSTRAINT (v->counter)); + + return t; + } +@@ -208,7 +209,7 @@ static __inline__ void arch_atomic64_set + if (IS_ENABLED(CONFIG_PPC_KERNEL_PREFIXED)) + __asm__ __volatile__("std %1,0(%2)" : "=m"(v->counter) : "r"(i), "b"(&v->counter)); + else +- __asm__ __volatile__("std%U0%X0 %1,%0" : "=m<>"(v->counter) : "r"(i)); ++ __asm__ __volatile__("std%U0%X0 %1,%0" : "=" DS_FORM_CONSTRAINT (v->counter) : "r"(i)); + } + + #define ATOMIC64_OP(op, asm_op) \ +--- 
a/arch/powerpc/include/asm/uaccess.h ++++ b/arch/powerpc/include/asm/uaccess.h +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + + #ifdef __powerpc64__ + /* We use TASK_SIZE_USER64 as TASK_SIZE is not constant */ +@@ -92,12 +93,6 @@ __pu_failed: \ + : label) + #endif + +-#ifdef CONFIG_CC_IS_CLANG +-#define DS_FORM_CONSTRAINT "Z<>" +-#else +-#define DS_FORM_CONSTRAINT "YZ<>" +-#endif +- + #ifdef __powerpc64__ + #ifdef CONFIG_PPC_KERNEL_PREFIXED + #define __put_user_asm2_goto(x, ptr, label) \ diff --git a/queue-6.11/pps-add-an-error-check-in-parport_attach.patch b/queue-6.11/pps-add-an-error-check-in-parport_attach.patch new file mode 100644 index 00000000000..84ebacf52ab --- /dev/null +++ b/queue-6.11/pps-add-an-error-check-in-parport_attach.patch 
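Review bot: DS_FORM_CONSTRAINT is moved into asm-compat.h without a comment and inside the 64-bit branch only (the `#else /* 32-bit */` follows directly), so a future 32-bit user gets an undefined-macro build error with no hint why. A short comment above the `#ifdef CONFIG_CC_IS_CLANG` would help, e.g. `/* Memory constraint for DS-form ld/std: displacement must be a multiple of 4; 64-bit only */`. The two users in atomic.h are the atomic64 accessors, whose enclosing guards are outside the hunk.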
@@ -0,0 +1,59 @@ +From 62c5a01a5711c8e4be8ae7b6f0db663094615d48 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Wed, 28 Aug 2024 21:18:14 +0800 +Subject: pps: add an error check in parport_attach + +From: Ma Ke + +commit 62c5a01a5711c8e4be8ae7b6f0db663094615d48 upstream. + +In parport_attach, the return value of ida_alloc is unchecked, witch leads +to the use of an invalid index value. + +To address this issue, index should be checked. When the index value is +abnormal, the device should be freed. + +Found by code review, compile tested only. + +Cc: stable@vger.kernel.org +Fixes: fb56d97df70e ("pps: client: use new parport device model") +Signed-off-by: Ma Ke +Acked-by: Rodolfo Giometti +Link: https://lore.kernel.org/r/20240828131814.3034338-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pps/clients/pps_parport.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/pps/clients/pps_parport.c ++++ b/drivers/pps/clients/pps_parport.c +@@ -149,6 +149,9 @@ static void parport_attach(struct parpor + } + + index = ida_alloc(&pps_client_index, GFP_KERNEL); ++ if (index < 0) ++ goto err_free_device; ++ + memset(&pps_client_cb, 0, sizeof(pps_client_cb)); + pps_client_cb.private = device; + pps_client_cb.irq_func = parport_irq; +@@ -159,7 +162,7 @@ static void parport_attach(struct parpor + index); + if (!device->pardev) { + pr_err("couldn't register with %s\n", port->name); +- goto err_free; ++ goto err_free_ida; + } + + if (parport_claim_or_block(device->pardev) < 0) { +@@ -187,8 +190,9 @@ err_release_dev: + parport_release(device->pardev); + err_unregister_dev: + parport_unregister_device(device->pardev); +-err_free: ++err_free_ida: + ida_free(&pps_client_index, index); ++err_free_device: + kfree(device); + } + 
diff --git a/queue-6.11/scsi-lpfc-restrict-support-for-32-byte-cdbs-to-specific-hbas.patch b/queue-6.11/scsi-lpfc-restrict-support-for-32-byte-cdbs-to-specific-hbas.patch new file mode 100644 index 00000000000..24755d1d2ae --- /dev/null +++ b/queue-6.11/scsi-lpfc-restrict-support-for-32-byte-cdbs-to-specific-hbas.patch 
@@ -0,0 +1,103 @@ +From 05ab4e7846f1103377133c00295a9a910cc6dfc2 Mon Sep 17 00:00:00 2001 +From: Justin Tee +Date: Thu, 12 Sep 2024 16:24:42 -0700 +Subject: scsi: lpfc: Restrict support for 32 byte CDBs to specific HBAs + +From: Justin Tee + +commit 05ab4e7846f1103377133c00295a9a910cc6dfc2 upstream. + +An older generation of HBAs are failing FCP discovery due to usage of an +outdated field in FCP command WQEs. + +Fix by checking the SLI Interface Type register for applicable support of +32 Byte CDB commands, and restore a setting for a WQE path using normal 16 +byte CDBs. + +Fixes: af20bb73ac25 ("scsi: lpfc: Add support for 32 byte CDBs") +Cc: stable@vger.kernel.org # v6.10+ +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20240912232447.45607-4-justintee8345@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_hw4.h | 3 +++ + drivers/scsi/lpfc/lpfc_init.c | 21 ++++++++++++++++++--- + drivers/scsi/lpfc/lpfc_scsi.c | 2 +- + 3 files changed, 22 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_hw4.h ++++ b/drivers/scsi/lpfc/lpfc_hw4.h +@@ -4847,6 +4847,7 @@ struct fcp_iwrite64_wqe { + #define cmd_buff_len_SHIFT 16 + #define cmd_buff_len_MASK 0x00000ffff + #define cmd_buff_len_WORD word3 ++/* Note: payload_offset_len field depends on ASIC support */ + #define payload_offset_len_SHIFT 0 + #define payload_offset_len_MASK 0x0000ffff + #define payload_offset_len_WORD word3 +@@ -4863,6 +4864,7 @@ struct fcp_iread64_wqe { + #define cmd_buff_len_SHIFT 16 + #define cmd_buff_len_MASK 0x00000ffff + #define cmd_buff_len_WORD word3 ++/* Note: payload_offset_len field depends on ASIC support */ + #define payload_offset_len_SHIFT 0 + #define payload_offset_len_MASK 0x0000ffff + #define payload_offset_len_WORD word3 +@@ -4879,6 +4881,7 @@ struct fcp_icmnd64_wqe { + #define cmd_buff_len_SHIFT 16 + #define cmd_buff_len_MASK 0x00000ffff + #define cmd_buff_len_WORD word3 ++/* Note: payload_offset_len field 
depends on ASIC support */ + #define payload_offset_len_SHIFT 0 + #define payload_offset_len_MASK 0x0000ffff + #define payload_offset_len_WORD word3 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -4699,6 +4699,7 @@ lpfc_create_port(struct lpfc_hba *phba, + uint64_t wwn; + bool use_no_reset_hba = false; + int rc; ++ u8 if_type; + + if (lpfc_no_hba_reset_cnt) { + if (phba->sli_rev < LPFC_SLI_REV4 && +@@ -4773,10 +4774,24 @@ lpfc_create_port(struct lpfc_hba *phba, + shost->max_id = LPFC_MAX_TARGET; + shost->max_lun = vport->cfg_max_luns; + shost->this_id = -1; +- if (phba->sli_rev == LPFC_SLI_REV4) +- shost->max_cmd_len = LPFC_FCP_CDB_LEN_32; +- else ++ ++ /* Set max_cmd_len applicable to ASIC support */ ++ if (phba->sli_rev == LPFC_SLI_REV4) { ++ if_type = bf_get(lpfc_sli_intf_if_type, ++ &phba->sli4_hba.sli_intf); ++ switch (if_type) { ++ case LPFC_SLI_INTF_IF_TYPE_2: ++ fallthrough; ++ case LPFC_SLI_INTF_IF_TYPE_6: ++ shost->max_cmd_len = LPFC_FCP_CDB_LEN_32; ++ break; ++ default: ++ shost->max_cmd_len = LPFC_FCP_CDB_LEN; ++ break; ++ } ++ } else { + shost->max_cmd_len = LPFC_FCP_CDB_LEN; ++ } + + if (phba->sli_rev == LPFC_SLI_REV4) { + if (!phba->cfg_fcp_mq_threshold || +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -4760,7 +4760,7 @@ static int lpfc_scsi_prep_cmnd_buf_s4(st + + /* Word 3 */ + bf_set(payload_offset_len, &wqe->fcp_icmd, +- sizeof(struct fcp_cmnd32) + sizeof(struct fcp_rsp)); ++ sizeof(struct fcp_cmnd) + sizeof(struct fcp_rsp)); + + /* Word 6 */ + bf_set(wqe_ctxt_tag, &wqe->generic.wqe_com, diff --git a/queue-6.11/scsi-mac_scsi-disallow-bus-errors-during-pdma-send.patch b/queue-6.11/scsi-mac_scsi-disallow-bus-errors-during-pdma-send.patch new file mode 100644 index 00000000000..c971f962d36 --- /dev/null +++ b/queue-6.11/scsi-mac_scsi-disallow-bus-errors-during-pdma-send.patch 
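Review bot: In lpfc_scsi_prep_cmnd_buf_s4() `payload_offset_len` is now always computed from `sizeof(struct fcp_cmnd)`, while lpfc_create_port() still advertises LPFC_FCP_CDB_LEN_32 on IF_TYPE_2 and IF_TYPE_6 adapters. The hunk does not show where the 32-byte CDB case substitutes the `struct fcp_cmnd32` size, so it cannot be checked here that the offset matches the command buffer on those adapters. A comment on this line naming the place that overrides it for commands longer than LPFC_FCP_CDB_LEN would make the dependency reviewable. As a style point, the `fallthrough;` between the two adjacent `case` labels in lpfc_create_port() is unnecessary, since stacked labels need no annotation.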
@@ -0,0 +1,143 @@ +From 5551bc30e4a69ad86d0d008e2f56cd59b6583476 Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Wed, 7 Aug 2024 13:36:28 +1000 +Subject: scsi: mac_scsi: Disallow bus errors during PDMA send + +From: Finn Thain + +commit 5551bc30e4a69ad86d0d008e2f56cd59b6583476 upstream. + +SD cards can produce write latency spikes on the order of a hundred +milliseconds. If the target firmware does not hide that latency during DATA +IN and OUT phases it can cause the PDMA circuitry to raise a processor bus +fault which in turn leads to an unreliable byte count and a DMA overrun. + +The Last Byte Sent flag is used to detect the overrun but this mechanism is +unreliable on some systems. Instead, set a DID_ERROR result whenever there +is a bus fault during a PDMA send, unless the cause was a phase mismatch. + +Cc: stable@vger.kernel.org # 5.15+ +Reported-and-tested-by: Stan Johnson +Fixes: 7c1f3e3447a1 ("scsi: mac_scsi: Treat Last Byte Sent time-out as failure") +Signed-off-by: Finn Thain +Link: https://lore.kernel.org/r/cc38df687ace2c4ffc375a683b2502fc476b600d.1723001788.git.fthain@linux-m68k.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mac_scsi.c | 44 +++++++++++++++++++------------------------- + 1 file changed, 19 insertions(+), 25 deletions(-) + +--- a/drivers/scsi/mac_scsi.c ++++ b/drivers/scsi/mac_scsi.c +@@ -102,11 +102,15 @@ __setup("mac5380=", mac_scsi_setup); + * Linux SCSI drivers lack knowledge of the timing behaviour of SCSI targets + * so bus errors are unavoidable. + * +- * If a MOVE.B instruction faults, we assume that zero bytes were transferred +- * and simply retry. That assumption probably depends on target behaviour but +- * seems to hold up okay. The NOP provides synchronization: without it the +- * fault can sometimes occur after the program counter has moved past the +- * offending instruction. Post-increment addressing can't be used. 
++ * If a MOVE.B instruction faults during a receive operation, we assume the ++ * target sent nothing and try again. That assumption probably depends on ++ * target firmware but it seems to hold up okay. If a fault happens during a ++ * send operation, the target may or may not have seen /ACK and got the byte. ++ * It's uncertain so the whole SCSI command gets retried. ++ * ++ * The NOP is needed for synchronization because the fault address in the ++ * exception stack frame may or may not be the instruction that actually ++ * caused the bus error. Post-increment addressing can't be used. + */ + + #define MOVE_BYTE(operands) \ +@@ -243,22 +247,21 @@ static inline int mac_pdma_send(unsigned + if (n >= 1) { + MOVE_BYTE("%0@,%3@"); + if (result) +- goto out; ++ return -1; + } + if (n >= 1 && ((unsigned long)addr & 1)) { + MOVE_BYTE("%0@,%3@"); + if (result) +- goto out; ++ return -2; + } + while (n >= 32) + MOVE_16_WORDS("%0@+,%3@"); + while (n >= 2) + MOVE_WORD("%0@+,%3@"); + if (result) +- return start - addr; /* Negated to indicate uncertain length */ ++ return start - addr - 1; /* Negated to indicate uncertain length */ + if (n == 1) + MOVE_BYTE("%0@,%3@"); +-out: + return addr - start; + } + +@@ -307,7 +310,6 @@ static inline int macscsi_pread(struct N + { + u8 __iomem *s = hostdata->pdma_io + (INPUT_DATA_REG << 4); + unsigned char *d = dst; +- int result = 0; + + hostdata->pdma_residual = len; + +@@ -343,11 +345,12 @@ static inline int macscsi_pread(struct N + if (bytes == 0) + continue; + +- result = -1; ++ if (macscsi_wait_for_drq(hostdata) <= 0) ++ set_host_byte(hostdata->connected, DID_ERROR); + break; + } + +- return result; ++ return 0; + } + + static inline int macscsi_pwrite(struct NCR5380_hostdata *hostdata, +@@ -355,7 +358,6 @@ static inline int macscsi_pwrite(struct + { + unsigned char *s = src; + u8 __iomem *d = hostdata->pdma_io + (OUTPUT_DATA_REG << 4); +- int result = 0; + + hostdata->pdma_residual = len; + +@@ -377,17 +379,8 @@ static inline int 
macscsi_pwrite(struct + hostdata->pdma_residual -= bytes; + } + +- if (hostdata->pdma_residual == 0) { +- if (NCR5380_poll_politely(hostdata, TARGET_COMMAND_REG, +- TCR_LAST_BYTE_SENT, +- TCR_LAST_BYTE_SENT, +- 0) < 0) { +- scmd_printk(KERN_ERR, hostdata->connected, +- "%s: Last Byte Sent timeout\n", __func__); +- result = -1; +- } ++ if (hostdata->pdma_residual == 0) + break; +- } + + if (bytes > 0) + continue; +@@ -400,11 +393,12 @@ static inline int macscsi_pwrite(struct + if (bytes == 0) + continue; + +- result = -1; ++ if (macscsi_wait_for_drq(hostdata) <= 0) ++ set_host_byte(hostdata->connected, DID_ERROR); + break; + } + +- return result; ++ return 0; + } + + static int macscsi_dma_xfer_len(struct NCR5380_hostdata *hostdata, diff --git a/queue-6.11/scsi-mac_scsi-refactor-polling-loop.patch b/queue-6.11/scsi-mac_scsi-refactor-polling-loop.patch new file mode 100644 index 00000000000..05fc4d03a76 --- /dev/null +++ b/queue-6.11/scsi-mac_scsi-refactor-polling-loop.patch 
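Review bot: mac_pdma_send() now has three failure returns (`-1`, `-2`, `start - addr - 1`) whose encoding is undocumented, and the retained comment "Negated to indicate uncertain length" no longer describes the value. As written the results appear to follow -(bytes sent + 1), so a fault never yields zero; say so above the function, e.g. `/* Returns bytes sent, or -(bytes sent + 1) if a bus fault made the count uncertain */`. macscsi_pread() and macscsi_pwrite() now always return 0 and report failure only through `set_host_byte(hostdata->connected, DID_ERROR)`, so their comments should tell callers not to rely on the return value. All three functions start outside the hunks.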
@@ -0,0 +1,180 @@ +From 5545c3165cbc98615fe65a44f41167cbb557e410 Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Wed, 7 Aug 2024 13:36:28 +1000 +Subject: scsi: mac_scsi: Refactor polling loop + +From: Finn Thain + +commit 5545c3165cbc98615fe65a44f41167cbb557e410 upstream. + +Before the error handling can be revised, some preparation is needed. +Refactor the polling loop with a new function, macscsi_wait_for_drq(). +This function will gain more call sites in the next patch. + +Cc: stable@vger.kernel.org # 5.15+ +Tested-by: Stan Johnson +Signed-off-by: Finn Thain +Link: https://lore.kernel.org/r/6a5ffabb4290c0d138c6d285fda8fa3902e926f0.1723001788.git.fthain@linux-m68k.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mac_scsi.c | 80 +++++++++++++++++++++++++----------------------- + 1 file changed, 42 insertions(+), 38 deletions(-) + +--- a/drivers/scsi/mac_scsi.c ++++ b/drivers/scsi/mac_scsi.c +@@ -208,8 +208,6 @@ __setup("mac5380=", mac_scsi_setup); + ".previous \n" \ + : "+a" (addr), "+r" (n), "+r" (result) : "a" (io)) + +-#define MAC_PDMA_DELAY 32 +- + static inline int mac_pdma_recv(void __iomem *io, unsigned char *start, int n) + { + unsigned char *addr = start; +@@ -274,6 +272,36 @@ static inline void write_ctrl_reg(struct + out_be32(hostdata->io + (CTRL_REG << 4), value); + } + ++static inline int macscsi_wait_for_drq(struct NCR5380_hostdata *hostdata) ++{ ++ unsigned int n = 1; /* effectively multiplies NCR5380_REG_POLL_TIME */ ++ unsigned char basr; ++ ++again: ++ basr = NCR5380_read(BUS_AND_STATUS_REG); ++ ++ if (!(basr & BASR_PHASE_MATCH)) ++ return 1; ++ ++ if (basr & BASR_IRQ) ++ return -1; ++ ++ if (basr & BASR_DRQ) ++ return 0; ++ ++ if (n-- == 0) { ++ NCR5380_dprint(NDEBUG_PSEUDO_DMA, hostdata->host); ++ dsprintk(NDEBUG_PSEUDO_DMA, hostdata->host, ++ "%s: DRQ timeout\n", __func__); ++ return -1; ++ } ++ ++ NCR5380_poll_politely2(hostdata, ++ BUS_AND_STATUS_REG, BASR_DRQ, BASR_DRQ, ++ BUS_AND_STATUS_REG, 
BASR_PHASE_MATCH, 0, 0); ++ goto again; ++} ++ + static inline int macscsi_pread(struct NCR5380_hostdata *hostdata, + unsigned char *dst, int len) + { +@@ -283,9 +311,7 @@ static inline int macscsi_pread(struct N + + hostdata->pdma_residual = len; + +- while (!NCR5380_poll_politely(hostdata, BUS_AND_STATUS_REG, +- BASR_DRQ | BASR_PHASE_MATCH, +- BASR_DRQ | BASR_PHASE_MATCH, 0)) { ++ while (macscsi_wait_for_drq(hostdata) == 0) { + int bytes, chunk_bytes; + + if (macintosh_config->ident == MAC_MODEL_IIFX) +@@ -295,19 +321,16 @@ static inline int macscsi_pread(struct N + chunk_bytes = min(hostdata->pdma_residual, 512); + bytes = mac_pdma_recv(s, d, chunk_bytes); + ++ if (macintosh_config->ident == MAC_MODEL_IIFX) ++ write_ctrl_reg(hostdata, CTRL_INTERRUPTS_ENABLE); ++ + if (bytes > 0) { + d += bytes; + hostdata->pdma_residual -= bytes; + } + + if (hostdata->pdma_residual == 0) +- goto out; +- +- if (!(NCR5380_read(BUS_AND_STATUS_REG) & BASR_PHASE_MATCH)) +- goto out; +- +- if (bytes == 0) +- udelay(MAC_PDMA_DELAY); ++ break; + + if (bytes > 0) + continue; +@@ -321,16 +344,9 @@ static inline int macscsi_pread(struct N + continue; + + result = -1; +- goto out; ++ break; + } + +- scmd_printk(KERN_ERR, hostdata->connected, +- "%s: phase mismatch or !DRQ\n", __func__); +- NCR5380_dprint(NDEBUG_PSEUDO_DMA, hostdata->host); +- result = -1; +-out: +- if (macintosh_config->ident == MAC_MODEL_IIFX) +- write_ctrl_reg(hostdata, CTRL_INTERRUPTS_ENABLE); + return result; + } + +@@ -343,9 +359,7 @@ static inline int macscsi_pwrite(struct + + hostdata->pdma_residual = len; + +- while (!NCR5380_poll_politely(hostdata, BUS_AND_STATUS_REG, +- BASR_DRQ | BASR_PHASE_MATCH, +- BASR_DRQ | BASR_PHASE_MATCH, 0)) { ++ while (macscsi_wait_for_drq(hostdata) == 0) { + int bytes, chunk_bytes; + + if (macintosh_config->ident == MAC_MODEL_IIFX) +@@ -355,6 +369,9 @@ static inline int macscsi_pwrite(struct + chunk_bytes = min(hostdata->pdma_residual, 512); + bytes = mac_pdma_send(s, d, chunk_bytes); + 
++ if (macintosh_config->ident == MAC_MODEL_IIFX) ++ write_ctrl_reg(hostdata, CTRL_INTERRUPTS_ENABLE); ++ + if (bytes > 0) { + s += bytes; + hostdata->pdma_residual -= bytes; +@@ -369,15 +386,9 @@ static inline int macscsi_pwrite(struct + "%s: Last Byte Sent timeout\n", __func__); + result = -1; + } +- goto out; ++ break; + } + +- if (!(NCR5380_read(BUS_AND_STATUS_REG) & BASR_PHASE_MATCH)) +- goto out; +- +- if (bytes == 0) +- udelay(MAC_PDMA_DELAY); +- + if (bytes > 0) + continue; + +@@ -390,16 +401,9 @@ static inline int macscsi_pwrite(struct + continue; + + result = -1; +- goto out; ++ break; + } + +- scmd_printk(KERN_ERR, hostdata->connected, +- "%s: phase mismatch or !DRQ\n", __func__); +- NCR5380_dprint(NDEBUG_PSEUDO_DMA, hostdata->host); +- result = -1; +-out: +- if (macintosh_config->ident == MAC_MODEL_IIFX) +- write_ctrl_reg(hostdata, CTRL_INTERRUPTS_ENABLE); + return result; + } + diff --git a/queue-6.11/scsi-mac_scsi-revise-printk-kern_debug-...-messages.patch b/queue-6.11/scsi-mac_scsi-revise-printk-kern_debug-...-messages.patch new file mode 100644 index 00000000000..a0b8e2ca244 --- /dev/null +++ b/queue-6.11/scsi-mac_scsi-revise-printk-kern_debug-...-messages.patch 
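Review bot: macscsi_wait_for_drq() is added without a comment on its three-way result, which the callers in this patch compare with `== 0`. From the body it returns 1 when BASR_PHASE_MATCH is clear, 0 when BASR_DRQ is set, and -1 on BASR_IRQ or once the retry count is exhausted. A kernel-doc block stating that, and noting that the result of NCR5380_poll_politely2() is ignored because the register is re-read at `again:`, would prevent misuse at later call sites. The `goto again` loop with `n-- == 0` would also read more plainly as a bounded `for` loop.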
@@ -0,0 +1,124 @@ +From 5ec4f820cb9766e4583df947150a6febce8da794 Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Wed, 7 Aug 2024 13:36:28 +1000 +Subject: scsi: mac_scsi: Revise printk(KERN_DEBUG ...) messages + +From: Finn Thain + +commit 5ec4f820cb9766e4583df947150a6febce8da794 upstream. + +After a bus fault, capture and log the chip registers immediately, if the +NDEBUG_PSEUDO_DMA macro is defined. Remove some printk(KERN_DEBUG ...) +messages that aren't needed any more. Don't skip the debug message when +bytes == 0. Show all of the byte counters in the debug messages. + +Cc: stable@vger.kernel.org # 5.15+ +Tested-by: Stan Johnson +Signed-off-by: Finn Thain +Link: https://lore.kernel.org/r/7573c79f4e488fc00af2b8a191e257ca945e0409.1723001788.git.fthain@linux-m68k.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mac_scsi.c | 42 ++++++++++++++++++++++-------------------- + 1 file changed, 22 insertions(+), 20 deletions(-) + +--- a/drivers/scsi/mac_scsi.c ++++ b/drivers/scsi/mac_scsi.c +@@ -286,13 +286,14 @@ static inline int macscsi_pread(struct N + while (!NCR5380_poll_politely(hostdata, BUS_AND_STATUS_REG, + BASR_DRQ | BASR_PHASE_MATCH, + BASR_DRQ | BASR_PHASE_MATCH, 0)) { +- int bytes; ++ int bytes, chunk_bytes; + + if (macintosh_config->ident == MAC_MODEL_IIFX) + write_ctrl_reg(hostdata, CTRL_HANDSHAKE_MODE | + CTRL_INTERRUPTS_ENABLE); + +- bytes = mac_pdma_recv(s, d, min(hostdata->pdma_residual, 512)); ++ chunk_bytes = min(hostdata->pdma_residual, 512); ++ bytes = mac_pdma_recv(s, d, chunk_bytes); + + if (bytes > 0) { + d += bytes; +@@ -302,23 +303,23 @@ static inline int macscsi_pread(struct N + if (hostdata->pdma_residual == 0) + goto out; + +- if (NCR5380_poll_politely2(hostdata, STATUS_REG, SR_REQ, SR_REQ, +- BUS_AND_STATUS_REG, BASR_ACK, +- BASR_ACK, 0) < 0) +- scmd_printk(KERN_DEBUG, hostdata->connected, +- "%s: !REQ and !ACK\n", __func__); + if (!(NCR5380_read(BUS_AND_STATUS_REG) & BASR_PHASE_MATCH)) + goto 
out; + + if (bytes == 0) + udelay(MAC_PDMA_DELAY); + +- if (bytes >= 0) ++ if (bytes > 0) + continue; + +- dsprintk(NDEBUG_PSEUDO_DMA, hostdata->host, +- "%s: bus error (%d/%d)\n", __func__, d - dst, len); + NCR5380_dprint(NDEBUG_PSEUDO_DMA, hostdata->host); ++ dsprintk(NDEBUG_PSEUDO_DMA, hostdata->host, ++ "%s: bus error [%d/%d] (%d/%d)\n", ++ __func__, d - dst, len, bytes, chunk_bytes); ++ ++ if (bytes == 0) ++ continue; ++ + result = -1; + goto out; + } +@@ -345,13 +346,14 @@ static inline int macscsi_pwrite(struct + while (!NCR5380_poll_politely(hostdata, BUS_AND_STATUS_REG, + BASR_DRQ | BASR_PHASE_MATCH, + BASR_DRQ | BASR_PHASE_MATCH, 0)) { +- int bytes; ++ int bytes, chunk_bytes; + + if (macintosh_config->ident == MAC_MODEL_IIFX) + write_ctrl_reg(hostdata, CTRL_HANDSHAKE_MODE | + CTRL_INTERRUPTS_ENABLE); + +- bytes = mac_pdma_send(s, d, min(hostdata->pdma_residual, 512)); ++ chunk_bytes = min(hostdata->pdma_residual, 512); ++ bytes = mac_pdma_send(s, d, chunk_bytes); + + if (bytes > 0) { + s += bytes; +@@ -370,23 +372,23 @@ static inline int macscsi_pwrite(struct + goto out; + } + +- if (NCR5380_poll_politely2(hostdata, STATUS_REG, SR_REQ, SR_REQ, +- BUS_AND_STATUS_REG, BASR_ACK, +- BASR_ACK, 0) < 0) +- scmd_printk(KERN_DEBUG, hostdata->connected, +- "%s: !REQ and !ACK\n", __func__); + if (!(NCR5380_read(BUS_AND_STATUS_REG) & BASR_PHASE_MATCH)) + goto out; + + if (bytes == 0) + udelay(MAC_PDMA_DELAY); + +- if (bytes >= 0) ++ if (bytes > 0) + continue; + +- dsprintk(NDEBUG_PSEUDO_DMA, hostdata->host, +- "%s: bus error (%d/%d)\n", __func__, s - src, len); + NCR5380_dprint(NDEBUG_PSEUDO_DMA, hostdata->host); ++ dsprintk(NDEBUG_PSEUDO_DMA, hostdata->host, ++ "%s: bus error [%d/%d] (%d/%d)\n", ++ __func__, s - src, len, bytes, chunk_bytes); ++ ++ if (bytes == 0) ++ continue; ++ + result = -1; + goto out; + } 
diff --git a/queue-6.11/scsi-sd-fix-off-by-one-error-in-sd_read_block_characteristics.patch b/queue-6.11/scsi-sd-fix-off-by-one-error-in-sd_read_block_characteristics.patch new file mode 100644 index 00000000000..140361a8ccd --- /dev/null +++ b/queue-6.11/scsi-sd-fix-off-by-one-error-in-sd_read_block_characteristics.patch @@ -0,0 +1,34 @@ +From f81eaf08385ddd474a2f41595a7757502870c0eb Mon Sep 17 00:00:00 2001 +From: Martin Wilck +Date: Thu, 12 Sep 2024 15:43:08 +0200 +Subject: scsi: sd: Fix off-by-one error in sd_read_block_characteristics() + +From: Martin Wilck + +commit f81eaf08385ddd474a2f41595a7757502870c0eb upstream. + +Ff the device returns page 0xb1 with length 8 (happens with qemu v2.x, for +example), sd_read_block_characteristics() may attempt an out-of-bounds +memory access when accessing the zoned field at offset 8. + +Fixes: 7fb019c46eee ("scsi: sd: Switch to using scsi_device VPD pages") +Cc: stable@vger.kernel.org +Signed-off-by: Martin Wilck +Link: https://lore.kernel.org/r/20240912134308.282824-1-mwilck@suse.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -3404,7 +3404,7 @@ static void sd_read_block_characteristic + rcu_read_lock(); + vpd = rcu_dereference(sdkp->device->vpd_pgb1); + +- if (!vpd || vpd->len < 8) { ++ if (!vpd || vpd->len <= 8) { + rcu_read_unlock(); + return; + } diff --git a/queue-6.11/scsi-ufs-qcom-update-mode_max-cfg_bw-value.patch b/queue-6.11/scsi-ufs-qcom-update-mode_max-cfg_bw-value.patch new file mode 100644 index 00000000000..7fe0f8c8bac --- /dev/null +++ b/queue-6.11/scsi-ufs-qcom-update-mode_max-cfg_bw-value.patch 
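Review bot: The bound in sd_read_block_characteristics() is a bare `8` with no visible link to the highest offset the function reads; per the commit message that is the zoned field at offset 8, so at least 9 bytes are required. Tie the check to the access with a comment, e.g. `/* zoned field is read at offset 8, so len must exceed 8 */`, so a later read at a higher offset prompts a bound update. The function continues outside the hunk, so any further offsets it reads are not visible here.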
@@ -0,0 +1,37 @@ +From 0c40f079f1c808e7e480c795a79009f200366eb1 Mon Sep 17 00:00:00 2001 +From: Manish Pandey +Date: Tue, 3 Sep 2024 12:07:09 +0530 +Subject: scsi: ufs: qcom: Update MODE_MAX cfg_bw value + +From: Manish Pandey + +commit 0c40f079f1c808e7e480c795a79009f200366eb1 upstream. + +Commit 8db8f6ce556a ("scsi: ufs: qcom: Add missing interconnect bandwidth +values for Gear 5") updated the ufs_qcom_bw_table for Gear 5. However, it +missed updating the cfg_bw value for the max mode. + +Hence update the cfg_bw value for the max mode for UFS 4.x devices. + +Fixes: 8db8f6ce556a ("scsi: ufs: qcom: Add missing interconnect bandwidth values for Gear 5") +Cc: stable@vger.kernel.org +Signed-off-by: Manish Pandey +Link: https://lore.kernel.org/r/20240903063709.4335-1-quic_mapa@quicinc.com +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/host/ufs-qcom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ufs/host/ufs-qcom.c ++++ b/drivers/ufs/host/ufs-qcom.c +@@ -93,7 +93,7 @@ static const struct __ufs_qcom_bw_table + [MODE_HS_RB][UFS_HS_G3][UFS_LANE_2] = { 1492582, 204800 }, + [MODE_HS_RB][UFS_HS_G4][UFS_LANE_2] = { 2915200, 409600 }, + [MODE_HS_RB][UFS_HS_G5][UFS_LANE_2] = { 5836800, 819200 }, +- [MODE_MAX][0][0] = { 7643136, 307200 }, ++ [MODE_MAX][0][0] = { 7643136, 819200 }, + }; + + static void ufs_qcom_get_default_testbus_cfg(struct ufs_qcom_host *host); diff --git a/queue-6.11/serial-don-t-use-uninitialized-value-in-uart_poll_init.patch b/queue-6.11/serial-don-t-use-uninitialized-value-in-uart_poll_init.patch new file mode 100644 index 00000000000..cb2fa8811bd --- /dev/null +++ b/queue-6.11/serial-don-t-use-uninitialized-value-in-uart_poll_init.patch 
@@ -0,0 +1,67 @@ +From d0009a32c9e4e083358092f3c97e3c6e803a8930 Mon Sep 17 00:00:00 2001 +From: "Jiri Slaby (SUSE)" +Date: Mon, 5 Aug 2024 12:20:36 +0200 +Subject: serial: don't use uninitialized value in uart_poll_init() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jiri Slaby (SUSE) + +commit d0009a32c9e4e083358092f3c97e3c6e803a8930 upstream. + +Coverity reports (as CID 1536978) that uart_poll_init() passes +uninitialized pm_state to uart_change_pm(). It is in case the first 'if' +takes the true branch (does "goto out;"). + +Fix this and simplify the function by simple guard(mutex). The code +needs no labels after this at all. And it is pretty clear that the code +has not fiddled with pm_state at that point. + +Signed-off-by: Jiri Slaby (SUSE) +Fixes: 5e227ef2aa38 (serial: uart_poll_init() should power on the UART) +Cc: stable@vger.kernel.org +Cc: Douglas Anderson +Cc: Greg Kroah-Hartman +Reviewed-by: Ilpo Järvinen +Reviewed-by: Douglas Anderson +Link: https://lore.kernel.org/r/20240805102046.307511-4-jirislaby@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/serial_core.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -2696,14 +2696,13 @@ static int uart_poll_init(struct tty_dri + int ret = 0; + + tport = &state->port; +- mutex_lock(&tport->mutex); ++ ++ guard(mutex)(&tport->mutex); + + port = uart_port_check(state); + if (!port || port->type == PORT_UNKNOWN || +- !(port->ops->poll_get_char && port->ops->poll_put_char)) { +- ret = -1; +- goto out; +- } ++ !(port->ops->poll_get_char && port->ops->poll_put_char)) ++ return -1; + + pm_state = state->pm_state; + uart_change_pm(state, UART_PM_STATE_ON); +@@ -2723,10 +2722,10 @@ static int uart_poll_init(struct tty_dri + ret = uart_set_options(port, NULL, baud, parity, bits, flow); + console_list_unlock(); + } +-out: ++ + if (ret) + 
uart_change_pm(state, pm_state); +- mutex_unlock(&tport->mutex); ++ + return ret; + } + diff --git a/queue-6.11/serial-qcom-geni-fix-false-console-tx-restart.patch b/queue-6.11/serial-qcom-geni-fix-false-console-tx-restart.patch new file mode 100644 index 00000000000..58a656b6be7 --- /dev/null +++ b/queue-6.11/serial-qcom-geni-fix-false-console-tx-restart.patch 
@@ -0,0 +1,94 @@ +From f97cdbbf187fefcf1fe19689cd9fdca11fe9c3eb Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 6 Sep 2024 15:13:30 +0200 +Subject: serial: qcom-geni: fix false console tx restart +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Johan Hovold + +commit f97cdbbf187fefcf1fe19689cd9fdca11fe9c3eb upstream. + +Commit 663abb1a7a7f ("tty: serial: qcom_geni_serial: Fix UART hang") +addressed an issue with stalled tx after the console code interrupted +the last bytes of a tx command by reenabling the watermark interrupt if +there is data in write buffer. This can however break software flow +control by re-enabling tx after the user has stopped it. + +Address the original issue by not clearing the CMD_DONE flag after +polling for command completion. This allows the interrupt handler to +start another transfer when the CMD_DONE interrupt has not been disabled +due to flow control. + +Fixes: c4f528795d1a ("tty: serial: msm_geni_serial: Add serial driver support for GENI based QUP") +Fixes: 663abb1a7a7f ("tty: serial: qcom_geni_serial: Fix UART hang") +Cc: stable@vger.kernel.org # 4.17 +Reviewed-by: Douglas Anderson +Tested-by: Nícolas F. R. A. 
Prado +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20240906131336.23625-3-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/qcom_geni_serial.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +--- a/drivers/tty/serial/qcom_geni_serial.c ++++ b/drivers/tty/serial/qcom_geni_serial.c +@@ -306,18 +306,16 @@ static void qcom_geni_serial_setup_tx(st + static void qcom_geni_serial_poll_tx_done(struct uart_port *uport) + { + int done; +- u32 irq_clear = M_CMD_DONE_EN; + + done = qcom_geni_serial_poll_bit(uport, SE_GENI_M_IRQ_STATUS, + M_CMD_DONE_EN, true); + if (!done) { + writel(M_GENI_CMD_ABORT, uport->membase + + SE_GENI_M_CMD_CTRL_REG); +- irq_clear |= M_CMD_ABORT_EN; + qcom_geni_serial_poll_bit(uport, SE_GENI_M_IRQ_STATUS, + M_CMD_ABORT_EN, true); ++ writel(M_CMD_ABORT_EN, uport->membase + SE_GENI_M_IRQ_CLEAR); + } +- writel(irq_clear, uport->membase + SE_GENI_M_IRQ_CLEAR); + } + + static void qcom_geni_serial_abort_rx(struct uart_port *uport) +@@ -378,6 +376,7 @@ static void qcom_geni_serial_poll_put_ch + unsigned char c) + { + writel(DEF_TX_WM, uport->membase + SE_GENI_TX_WATERMARK_REG); ++ writel(M_CMD_DONE_EN, uport->membase + SE_GENI_M_IRQ_CLEAR); + qcom_geni_serial_setup_tx(uport, 1); + WARN_ON(!qcom_geni_serial_poll_bit(uport, SE_GENI_M_IRQ_STATUS, + M_TX_FIFO_WATERMARK_EN, true)); +@@ -422,6 +421,7 @@ __qcom_geni_serial_console_write(struct + } + + writel(DEF_TX_WM, uport->membase + SE_GENI_TX_WATERMARK_REG); ++ writel(M_CMD_DONE_EN, uport->membase + SE_GENI_M_IRQ_CLEAR); + qcom_geni_serial_setup_tx(uport, bytes_to_send); + for (i = 0; i < count; ) { + size_t chars_to_write = 0; +@@ -463,7 +463,6 @@ static void qcom_geni_serial_console_wri + bool locked = true; + unsigned long flags; + u32 geni_status; +- u32 irq_en; + + WARN_ON(co->index < 0 || co->index >= GENI_UART_CONS_PORTS); + +@@ -495,12 +494,6 @@ static void qcom_geni_serial_console_wri + * has been sent, in which case we need 
to look for done first. + */ + qcom_geni_serial_poll_tx_done(uport); +- +- if (!kfifo_is_empty(&uport->state->port.xmit_fifo)) { +- irq_en = readl(uport->membase + SE_GENI_M_IRQ_EN); +- writel(irq_en | M_TX_FIFO_WATERMARK_EN, +- uport->membase + SE_GENI_M_IRQ_EN); +- } + } + + __qcom_geni_serial_console_write(uport, s, count); diff --git a/queue-6.11/serial-qcom-geni-fix-fifo-polling-timeout.patch b/queue-6.11/serial-qcom-geni-fix-fifo-polling-timeout.patch new file mode 100644 index 00000000000..d97df7c39dd --- /dev/null +++ b/queue-6.11/serial-qcom-geni-fix-fifo-polling-timeout.patch 
@@ -0,0 +1,119 @@ +From c80ee36ac8f9e9c27d8e097a2eaaf198e7534c83 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 6 Sep 2024 15:13:29 +0200 +Subject: serial: qcom-geni: fix fifo polling timeout +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Johan Hovold + +commit c80ee36ac8f9e9c27d8e097a2eaaf198e7534c83 upstream. + +The qcom_geni_serial_poll_bit() can be used to wait for events like +command completion and is supposed to wait for the time it takes to +clear a full fifo before timing out. + +As noted by Doug, the current implementation does not account for start, +stop and parity bits when determining the timeout. The helper also does +not currently account for the shift register and the two-word +intermediate transfer register. + +A too short timeout can specifically lead to lost characters when +waiting for a transfer to complete as the transfer is cancelled on +timeout. + +Instead of determining the poll timeout on every call, store the fifo +timeout when updating it in set_termios() and make sure to take the +shift and intermediate registers into account. Note that serial core has +already added a 20 ms margin to the fifo timeout. + +Also note that the current uart_fifo_timeout() interface does +unnecessary calculations on every call and did not exist in earlier +kernels so only store its result once. This facilitates backports too as +earlier kernels can derive the timeout from uport->timeout, which has +since been removed. + +Fixes: c4f528795d1a ("tty: serial: msm_geni_serial: Add serial driver support for GENI based QUP") +Cc: stable@vger.kernel.org # 4.17 +Reported-by: Douglas Anderson +Tested-by: Nícolas F. R. A. 
Prado +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20240906131336.23625-2-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/qcom_geni_serial.c | 31 +++++++++++++++++-------------- + 1 file changed, 17 insertions(+), 14 deletions(-) + +--- a/drivers/tty/serial/qcom_geni_serial.c ++++ b/drivers/tty/serial/qcom_geni_serial.c +@@ -124,7 +124,7 @@ struct qcom_geni_serial_port { + dma_addr_t tx_dma_addr; + dma_addr_t rx_dma_addr; + bool setup; +- unsigned int baud; ++ unsigned long poll_timeout_us; + unsigned long clk_rate; + void *rx_buf; + u32 loopback; +@@ -270,22 +270,13 @@ static bool qcom_geni_serial_poll_bit(st + { + u32 reg; + struct qcom_geni_serial_port *port; +- unsigned int baud; +- unsigned int fifo_bits; + unsigned long timeout_us = 20000; + struct qcom_geni_private_data *private_data = uport->private_data; + + if (private_data->drv) { + port = to_dev_port(uport); +- baud = port->baud; +- if (!baud) +- baud = 115200; +- fifo_bits = port->tx_fifo_depth * port->tx_fifo_width; +- /* +- * Total polling iterations based on FIFO worth of bytes to be +- * sent at current baud. Add a little fluff to the wait. 
+- */ +- timeout_us = ((fifo_bits * USEC_PER_SEC) / baud) + 500; ++ if (port->poll_timeout_us) ++ timeout_us = port->poll_timeout_us; + } + + /* +@@ -1244,11 +1235,11 @@ static void qcom_geni_serial_set_termios + unsigned long clk_rate; + u32 ver, sampling_rate; + unsigned int avg_bw_core; ++ unsigned long timeout; + + qcom_geni_serial_stop_rx(uport); + /* baud rate */ + baud = uart_get_baud_rate(uport, termios, old, 300, 4000000); +- port->baud = baud; + + sampling_rate = UART_OVERSAMPLING; + /* Sampling rate is halved for IP versions >= 2.5 */ +@@ -1326,9 +1317,21 @@ static void qcom_geni_serial_set_termios + else + tx_trans_cfg |= UART_CTS_MASK; + +- if (baud) ++ if (baud) { + uart_update_timeout(uport, termios->c_cflag, baud); + ++ /* ++ * Make sure that qcom_geni_serial_poll_bitfield() waits for ++ * the FIFO, two-word intermediate transfer register and shift ++ * register to clear. ++ * ++ * Note that uart_fifo_timeout() also adds a 20 ms margin. ++ */ ++ timeout = jiffies_to_usecs(uart_fifo_timeout(uport)); ++ timeout += 3 * timeout / port->tx_fifo_depth; ++ WRITE_ONCE(port->poll_timeout_us, timeout); ++ } ++ + if (!uart_console(uport)) + writel(port->loopback, + uport->membase + SE_UART_LOOPBACK_CFG); diff --git a/queue-6.11/series b/queue-6.11/series index ab28e24f837..2851344d09e 100644 --- a/queue-6.11/series +++ b/queue-6.11/series 
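Review bot: The reader side in qcom_geni_serial_poll_bit() loads `port->poll_timeout_us` twice with plain accesses, while set_termios() publishes it with `WRITE_ONCE()`, so the value tested and the value used are not guaranteed to be the same load. A single annotated read would pair with the writer, e.g. `timeout_us = READ_ONCE(port->poll_timeout_us) ?: timeout_us;`. In set_termios() the expression `3 * timeout / port->tx_fifo_depth` divides by a field the hunk does not show being non-zero at that point, which is worth confirming. The added comment also names `qcom_geni_serial_poll_bitfield()`, whereas the helper changed in this patch is `qcom_geni_serial_poll_bit()`.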
@@ -572,3 +572,43 @@ drm-amd-display-enable-dml2-override_det_buffer_size_kbytes.patch drm-amd-display-skip-to-enable-dsc-if-it-has-been-off.patch drm-amd-display-fix-underflow-when-setting-underscan-on-dcn401.patch drm-amd-display-update-ips-default-mode-for-dcn35-dcn351.patch +objtool-handle-frame-pointer-related-instructions.patch +x86-tdx-fix-in-kernel-mmio-check.patch +keys-prevent-null-pointer-dereference-in-find_asymmetric_key.patch +powerpc-atomic-use-yz-constraints-for-ds-form-instructions.patch +ksmbd-make-__dir_empty-compatible-with-posix.patch +ksmbd-allow-write-with-file_append_data.patch +ksmbd-handle-caseless-file-creation.patch +ata-libata-scsi-fix-ata_msense_control-cdl-page-reporting.patch +scsi-sd-fix-off-by-one-error-in-sd_read_block_characteristics.patch +scsi-ufs-qcom-update-mode_max-cfg_bw-value.patch +scsi-lpfc-restrict-support-for-32-byte-cdbs-to-specific-hbas.patch +scsi-mac_scsi-revise-printk-kern_debug-...-messages.patch +scsi-mac_scsi-refactor-polling-loop.patch +scsi-mac_scsi-disallow-bus-errors-during-pdma-send.patch +can-esd_usb-remove-can_ctrlmode_3_samples-for-can-usb-3-fd.patch +wifi-rtw88-fix-usb-sdio-devices-not-transmitting-beacons.patch +usbnet-fix-cyclical-race-on-disconnect-with-work-queue.patch +arm64-dts-mediatek-mt8195-cherry-mark-usb-3.0-on-xhci1-as-disabled.patch +arm64-dts-mediatek-mt8395-nio-12l-mark-usb-3.0-on-xhci1-as-disabled.patch +usb-appledisplay-close-race-between-probe-and-completion-handler.patch +usb-misc-cypress_cy7c63-check-for-short-transfer.patch +usb-class-cdc-acm-fix-race-between-get_serial-and-set_serial.patch +usb-misc-yurex-fix-race-between-read-and-write.patch +usb-xhci-fix-loss-of-data-on-cadence-xhc.patch +usb-cdnsp-fix-incorrect-usb_request-status.patch +usb-xhci-add-xhci_reset_on_resume-quirk-for-phytium-xhci-host.patch +usb-gadget-dummy_hcd-execute-hrtimer-callback-in-softirq-context.patch +usb-dwc2-drd-fix-clock-gating-on-usb-role-switch.patch 
+bus-integrator-lm-fix-of-node-leak-in-probe.patch +bus-mhi-host-pci_generic-update-edl-firmware-path-for-foxconn-modems.patch +bus-mhi-host-pci_generic-fix-the-name-for-the-telit-fe990a.patch +firmware_loader-block-path-traversal.patch +tty-rp2-fix-reset-with-non-forgiving-pcie-host-bridges.patch +pps-add-an-error-check-in-parport_attach.patch +serial-don-t-use-uninitialized-value-in-uart_poll_init.patch +xhci-set-quirky-xhc-pci-hosts-to-d3-_after_-stopping-and-freeing-them.patch +serial-qcom-geni-fix-fifo-polling-timeout.patch +serial-qcom-geni-fix-false-console-tx-restart.patch +crypto-qcom-rng-fix-support-for-acpi-based-systems.patch +crypto-ccp-properly-unregister-dev-sev-on-sev-platform_status-failure.patch diff --git a/queue-6.11/tty-rp2-fix-reset-with-non-forgiving-pcie-host-bridges.patch b/queue-6.11/tty-rp2-fix-reset-with-non-forgiving-pcie-host-bridges.patch new file mode 100644 index 00000000000..0fac5b8f954 --- /dev/null +++ b/queue-6.11/tty-rp2-fix-reset-with-non-forgiving-pcie-host-bridges.patch 
@@ -0,0 +1,44 @@
+From f16dd10ba342c429b1e36ada545fb36d4d1f0e63 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli
+Date: Fri, 6 Sep 2024 15:54:33 -0700
+Subject: tty: rp2: Fix reset with non forgiving PCIe host bridges
+
+From: Florian Fainelli
+
+commit f16dd10ba342c429b1e36ada545fb36d4d1f0e63 upstream.
+
+The write to RP2_GLOBAL_CMD followed by an immediate read of
+RP2_GLOBAL_CMD in rp2_reset_asic() is intented to flush out the write,
+however by then the device is already in reset and cannot respond to a
+memory cycle access.
+
+On platforms such as the Raspberry Pi 4 and others using the
+pcie-brcmstb.c driver, any memory access to a device that cannot respond
+is met with a fatal system error, rather than being substituted with all
+1s as is usually the case on PC platforms.
+
+Swapping the delay and the read ensures that the device has finished
+resetting before we attempt to read from it.
+
+Fixes: 7d9f49afa451 ("serial: rp2: New driver for Comtrol RocketPort 2 cards")
+Cc: stable
+Suggested-by: Jim Quinlan
+Signed-off-by: Florian Fainelli
+Link: https://lore.kernel.org/r/20240906225435.707837-1-florian.fainelli@broadcom.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/rp2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/rp2.c
++++ b/drivers/tty/serial/rp2.c
+@@ -577,8 +577,8 @@ static void rp2_reset_asic(struct rp2_ca
+ u32 clk_cfg;
+
+ writew(1, base + RP2_GLOBAL_CMD);
+- readw(base + RP2_GLOBAL_CMD);
+ msleep(100);
++ readw(base + RP2_GLOBAL_CMD);
+ writel(0, base + RP2_CLK_PRESCALER);
+
+ /* TDM clock configuration */
diff --git a/queue-6.11/usb-appledisplay-close-race-between-probe-and-completion-handler.patch b/queue-6.11/usb-appledisplay-close-race-between-probe-and-completion-handler.patch
new file mode 100644
index 00000000000..ba0fa1c5058
--- /dev/null
+++ b/queue-6.11/usb-appledisplay-close-race-between-probe-and-completion-handler.patch
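Review bot: Nothing in rp2_reset_asic() records why the read-back now follows `msleep(100)` instead of the write, so a later cleanup could move it back to the usual write-then-read flush order and reintroduce the fatal access on strict host bridges. A short comment above the sleep would pin the ordering, e.g. `/* the ASIC cannot answer MMIO while in reset: read back only after the delay */`. With the read moved, the `writew()` is no longer flushed before the delay starts, so the 100 ms is counted from when the write was issued rather than from when it reached the device; that is presumably acceptable, but worth stating in the same comment. The function continues past the end of the hunk.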
@@ -0,0 +1,66 @@
+From 8265d06b7794493d82c5c21a12d7ba43eccc30cb Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 12 Sep 2024 14:32:59 +0200
+Subject: USB: appledisplay: close race between probe and completion handler
+
+From: Oliver Neukum
+
+commit 8265d06b7794493d82c5c21a12d7ba43eccc30cb upstream.
+
+There is a small window during probing when IO is running
+but the backlight is not registered. Processing events
+during that time will crash. The completion handler
+needs to check for a backlight before scheduling work.
+
+The bug is as old as the driver.
+
+Signed-off-by: Oliver Neukum
+CC: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240912123317.1026049-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/misc/appledisplay.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/misc/appledisplay.c
++++ b/drivers/usb/misc/appledisplay.c
+@@ -107,7 +107,12 @@ static void appledisplay_complete(struct
+ case ACD_BTN_BRIGHT_UP:
+ case ACD_BTN_BRIGHT_DOWN:
+ pdata->button_pressed = 1;
+- schedule_delayed_work(&pdata->work, 0);
++ /*
++ * there is a window during which no device
++ * is registered
++ */
++ if (pdata->bd )
++ schedule_delayed_work(&pdata->work, 0);
+ break;
+ case ACD_BTN_NONE:
+ default:
+@@ -202,6 +207,7 @@ static int appledisplay_probe(struct usb
+ const struct usb_device_id *id)
+ {
+ struct backlight_properties props;
++ struct backlight_device *backlight;
+ struct appledisplay *pdata;
+ struct usb_device *udev = interface_to_usbdev(iface);
+ struct usb_endpoint_descriptor *endpoint;
+@@ -272,13 +278,14 @@ static int appledisplay_probe(struct usb
+ memset(&props, 0, sizeof(struct backlight_properties));
+ props.type = BACKLIGHT_RAW;
+ props.max_brightness = 0xff;
+- pdata->bd = backlight_device_register(bl_name, NULL, pdata,
++ backlight = backlight_device_register(bl_name, NULL, pdata,
+ &appledisplay_bl_data, &props);
+- if (IS_ERR(pdata->bd)) {
++ if
(IS_ERR(backlight)) {
+ dev_err(&iface->dev, "Backlight registration failed\n");
+- retval = PTR_ERR(pdata->bd);
++ retval = PTR_ERR(backlight);
+ goto error;
+ }
++ pdata->bd = backlight;
+
+ /* Try to get brightness */
+ brightness = appledisplay_bl_get_brightness(pdata->bd);
diff --git a/queue-6.11/usb-cdnsp-fix-incorrect-usb_request-status.patch b/queue-6.11/usb-cdnsp-fix-incorrect-usb_request-status.patch
new file mode 100644
index 00000000000..5dc6d66426c
--- /dev/null
+++ b/queue-6.11/usb-cdnsp-fix-incorrect-usb_request-status.patch
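Review bot: The pointer that closes the race is shared between probe and the URB completion handler with plain accesses: appledisplay_complete() tests `pdata->bd` and appledisplay_probe() stores `pdata->bd = backlight` with no annotation or ordering, so the compiler is free to reload or reorder around them. Marking both sides makes the intent explicit, e.g. `if (READ_ONCE(pdata->bd))` in the handler and `WRITE_ONCE(pdata->bd, backlight);` in probe, or a release/acquire pair if the worker depends on state set up before the store. The check also assumes `pdata->bd` starts out NULL, which depends on how `pdata` is allocated outside these hunks. Separately, `if (pdata->bd )` has a stray space before the closing parenthesis.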
@@ -0,0 +1,54 @@
+From 1702bec4477cc7d31adb4a760d14d33fac928b7a Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak
+Date: Fri, 6 Sep 2024 06:48:54 +0000
+Subject: usb: cdnsp: Fix incorrect usb_request status
+
+From: Pawel Laszczak
+
+commit 1702bec4477cc7d31adb4a760d14d33fac928b7a upstream.
+
+Fix changes incorrect usb_request->status returned during disabling
+endpoints. Before fix the status returned during dequeuing requests
+while disabling endpoint was ECONNRESET.
+Patch change it to ESHUTDOWN.
+
+Patch fixes issue detected during testing UVC gadget.
+During stopping streaming the class starts dequeuing usb requests and
+controller driver returns the -ECONNRESET status. After completion
+requests the class or application "uvc-gadget" try to queue this
+request again. Changing this status to ESHUTDOWN cause that UVC assumes
+that endpoint is disabled, or device is disconnected and stops
+re-queuing usb requests.
+
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+cc: stable@vger.kernel.org
+Signed-off-by: Pawel Laszczak
+Reviewed-by: Peter Chen
+Link: https://lore.kernel.org/r/PH7PR07MB9538E8CA7A2096AAF6A3718FDD9E2@PH7PR07MB9538.namprd07.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/cdns3/cdnsp-ring.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/cdns3/cdnsp-ring.c
++++ b/drivers/usb/cdns3/cdnsp-ring.c
+@@ -718,7 +718,8 @@ int cdnsp_remove_request(struct cdnsp_de
+ seg = cdnsp_trb_in_td(pdev, cur_td->start_seg, cur_td->first_trb,
+ cur_td->last_trb, hw_deq);
+
+- if (seg && (pep->ep_state & EP_ENABLED))
++ if (seg && (pep->ep_state & EP_ENABLED) &&
++ !(pep->ep_state & EP_DIS_IN_RROGRESS))
+ cdnsp_find_new_dequeue_state(pdev, pep, preq->request.stream_id,
+ cur_td, &deq_state);
+ else
+@@ -736,7 +737,8 @@ int cdnsp_remove_request(struct cdnsp_de
+ * During disconnecting all endpoint will be disabled so we don't
+ * have to worry about updating dequeue pointer.
+ */
+- if (pdev->cdnsp_state & CDNSP_STATE_DISCONNECT_PENDING) {
++ if (pdev->cdnsp_state & CDNSP_STATE_DISCONNECT_PENDING ||
++ pep->ep_state & EP_DIS_IN_RROGRESS) {
+ status = -ESHUTDOWN;
+ ret = cdnsp_cmd_set_deq(pdev, pep, &deq_state);
+ }
diff --git a/queue-6.11/usb-class-cdc-acm-fix-race-between-get_serial-and-set_serial.patch b/queue-6.11/usb-class-cdc-acm-fix-race-between-get_serial-and-set_serial.patch
new file mode 100644
index 00000000000..ec4dc235de6
--- /dev/null
+++ b/queue-6.11/usb-class-cdc-acm-fix-race-between-get_serial-and-set_serial.patch
@@ -0,0 +1,41 @@
+From b41c1fa155ba56d125885b0191aabaf3c508d0a3 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 12 Sep 2024 16:19:06 +0200
+Subject: USB: class: CDC-ACM: fix race between get_serial and set_serial
+
+From: Oliver Neukum
+
+commit b41c1fa155ba56d125885b0191aabaf3c508d0a3 upstream.
+
+TIOCGSERIAL is an ioctl. Thus it must be atomic. It returns
+two values. Racing with set_serial it can return an inconsistent
+result. The mutex must be taken.
+
+In terms of logic the bug is as old as the driver. In terms of
+code it goes back to the conversion to the get_serial and
+set_serial methods.
+
+Signed-off-by: Oliver Neukum
+Cc: stable
+Fixes: 99f75a1fcd865 ("cdc-acm: switch to ->[sg]et_serial()")
+Link: https://lore.kernel.org/r/20240912141916.1044393-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/class/cdc-acm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -962,10 +962,12 @@ static int get_serial_info(struct tty_st
+ struct acm *acm = tty->driver_data;
+
+ ss->line = acm->minor;
++ mutex_lock(&acm->port.mutex);
+ ss->close_delay = jiffies_to_msecs(acm->port.close_delay) / 10;
+ ss->closing_wait = acm->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ?
+ ASYNC_CLOSING_WAIT_NONE :
+ jiffies_to_msecs(acm->port.closing_wait) / 10;
++ mutex_unlock(&acm->port.mutex);
+ return 0;
+ }
+
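Review bot: On the new `EP_DIS_IN_RROGRESS` path in cdnsp_remove_request() the first hunk skips `cdnsp_find_new_dequeue_state()`, yet the second hunk still passes `&deq_state` to `cdnsp_cmd_set_deq()`; the hunks do not show `deq_state` being initialised or the callee tolerating an unset state, so that should be confirmed. The comment kept above the second condition speaks only of disconnecting and no longer describes the endpoint-disable case the condition now covers; something like `/* Also taken while the endpoint is being disabled, so the request completes with -ESHUTDOWN. */` would fix that. The second condition also mixes `&` and `||` without parentheses, unlike the first; `if ((pdev->cdnsp_state & CDNSP_STATE_DISCONNECT_PENDING) ||` and `(pep->ep_state & EP_DIS_IN_RROGRESS)) {` would read more safely. The function body extends beyond both hunks.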
diff --git a/queue-6.11/usb-dwc2-drd-fix-clock-gating-on-usb-role-switch.patch b/queue-6.11/usb-dwc2-drd-fix-clock-gating-on-usb-role-switch.patch new file mode 100644 index 00000000000..2bd5decfc50 --- /dev/null +++ b/queue-6.11/usb-dwc2-drd-fix-clock-gating-on-usb-role-switch.patch 
@@ -0,0 +1,45 @@ +From 2c6b6afa59e78bebcb65bbc8a76b3459f139547c Mon Sep 17 00:00:00 2001 +From: Tomas Marek +Date: Fri, 6 Sep 2024 07:50:25 +0200 +Subject: usb: dwc2: drd: fix clock gating on USB role switch + +From: Tomas Marek + +commit 2c6b6afa59e78bebcb65bbc8a76b3459f139547c upstream. + +The dwc2_handle_usb_suspend_intr() function disables gadget clocks in USB +peripheral mode when no other power-down mode is available (introduced by +commit 0112b7ce68ea ("usb: dwc2: Update dwc2_handle_usb_suspend_intr function.")). +However, the dwc2_drd_role_sw_set() USB role update handler attempts to +read DWC2 registers if the USB role has changed while the USB is in suspend +mode (when the clocks are gated). This causes the system to hang. + +Release the gadget clocks before handling the USB role update. + +Fixes: 0112b7ce68ea ("usb: dwc2: Update dwc2_handle_usb_suspend_intr function.") +Cc: stable@vger.kernel.org +Signed-off-by: Tomas Marek +Link: https://lore.kernel.org/r/20240906055025.25057-1-tomas.marek@elrest.cz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/drd.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/usb/dwc2/drd.c ++++ b/drivers/usb/dwc2/drd.c +@@ -127,6 +127,15 @@ static int dwc2_drd_role_sw_set(struct u + role = USB_ROLE_DEVICE; + } + ++ if ((IS_ENABLED(CONFIG_USB_DWC2_PERIPHERAL) || ++ IS_ENABLED(CONFIG_USB_DWC2_DUAL_ROLE)) && ++ dwc2_is_device_mode(hsotg) && ++ hsotg->lx_state == DWC2_L2 && ++ hsotg->params.power_down == DWC2_POWER_DOWN_PARAM_NONE && ++ hsotg->bus_suspended && ++ !hsotg->params.no_clock_gating) ++ dwc2_gadget_exit_clock_gating(hsotg, 0); ++ + if (role == USB_ROLE_HOST) { + already = dwc2_ovr_avalid(hsotg, true); + } else if (role == USB_ROLE_DEVICE) { diff --git a/queue-6.11/usb-gadget-dummy_hcd-execute-hrtimer-callback-in-softirq-context.patch b/queue-6.11/usb-gadget-dummy_hcd-execute-hrtimer-callback-in-softirq-context.patch new file mode 100644 index 00000000000..ad0c884ed35 --- /dev/null 
+++ b/queue-6.11/usb-gadget-dummy_hcd-execute-hrtimer-callback-in-softirq-context.patch 
@@ -0,0 +1,112 @@ +From 9313d139aa25e572d860f6f673b73a20f32d7f93 Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov +Date: Wed, 4 Sep 2024 03:30:51 +0200 +Subject: usb: gadget: dummy_hcd: execute hrtimer callback in softirq context + +From: Andrey Konovalov + +commit 9313d139aa25e572d860f6f673b73a20f32d7f93 upstream. + +Commit a7f3813e589f ("usb: gadget: dummy_hcd: Switch to hrtimer transfer +scheduler") switched dummy_hcd to use hrtimer and made the timer's +callback be executed in the hardirq context. + +With that change, __usb_hcd_giveback_urb now gets executed in the hardirq +context, which causes problems for KCOV and KMSAN. + +One problem is that KCOV now is unable to collect coverage from +the USB code that gets executed from the dummy_hcd's timer callback, +as KCOV cannot collect coverage in the hardirq context. + +Another problem is that the dummy_hcd hrtimer might get triggered in the +middle of a softirq with KCOV remote coverage collection enabled, and that +causes a WARNING in KCOV, as reported by syzbot. (I sent a separate patch +to shut down this WARNING, but that doesn't fix the other two issues.) + +Finally, KMSAN appears to ignore tracking memory copying operations +that happen in the hardirq context, which causes false positive +kernel-infoleaks, as reported by syzbot. + +Change the hrtimer in dummy_hcd to execute the callback in the softirq +context. 
+ +Reported-by: syzbot+2388cdaeb6b10f0c13ac@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=2388cdaeb6b10f0c13ac +Reported-by: syzbot+17ca2339e34a1d863aad@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=17ca2339e34a1d863aad +Reported-by: syzbot+c793a7eca38803212c61@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=c793a7eca38803212c61 +Reported-by: syzbot+1e6e0b916b211bee1bd6@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=1e6e0b916b211bee1bd6 +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202406141323.413a90d2-lkp@intel.com +Fixes: a7f3813e589f ("usb: gadget: dummy_hcd: Switch to hrtimer transfer scheduler") +Cc: stable@vger.kernel.org +Acked-by: Marcello Sylvester Bauer +Signed-off-by: Andrey Konovalov +Reported-by: syzbot+edd9fe0d3a65b14588d5@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=edd9fe0d3a65b14588d5 +Link: https://lore.kernel.org/r/20240904013051.4409-1-andrey.konovalov@linux.dev +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/dummy_hcd.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/usb/gadget/udc/dummy_hcd.c ++++ b/drivers/usb/gadget/udc/dummy_hcd.c +@@ -1304,7 +1304,8 @@ static int dummy_urb_enqueue( + + /* kick the scheduler, it'll do the rest */ + if (!hrtimer_active(&dum_hcd->timer)) +- hrtimer_start(&dum_hcd->timer, ns_to_ktime(DUMMY_TIMER_INT_NSECS), HRTIMER_MODE_REL); ++ hrtimer_start(&dum_hcd->timer, ns_to_ktime(DUMMY_TIMER_INT_NSECS), ++ HRTIMER_MODE_REL_SOFT); + + done: + spin_unlock_irqrestore(&dum_hcd->dum->lock, flags); +@@ -1325,7 +1326,7 @@ static int dummy_urb_dequeue(struct usb_ + rc = usb_hcd_check_unlink_urb(hcd, urb, status); + if (!rc && dum_hcd->rh_state != DUMMY_RH_RUNNING && + !list_empty(&dum_hcd->urbp_list)) +- hrtimer_start(&dum_hcd->timer, ns_to_ktime(0), HRTIMER_MODE_REL); ++ hrtimer_start(&dum_hcd->timer, 
ns_to_ktime(0), HRTIMER_MODE_REL_SOFT); + + spin_unlock_irqrestore(&dum_hcd->dum->lock, flags); + return rc; +@@ -1995,7 +1996,8 @@ return_urb: + dum_hcd->udev = NULL; + } else if (dum_hcd->rh_state == DUMMY_RH_RUNNING) { + /* want a 1 msec delay here */ +- hrtimer_start(&dum_hcd->timer, ns_to_ktime(DUMMY_TIMER_INT_NSECS), HRTIMER_MODE_REL); ++ hrtimer_start(&dum_hcd->timer, ns_to_ktime(DUMMY_TIMER_INT_NSECS), ++ HRTIMER_MODE_REL_SOFT); + } + + spin_unlock_irqrestore(&dum->lock, flags); +@@ -2389,7 +2391,7 @@ static int dummy_bus_resume(struct usb_h + dum_hcd->rh_state = DUMMY_RH_RUNNING; + set_link_state(dum_hcd); + if (!list_empty(&dum_hcd->urbp_list)) +- hrtimer_start(&dum_hcd->timer, ns_to_ktime(0), HRTIMER_MODE_REL); ++ hrtimer_start(&dum_hcd->timer, ns_to_ktime(0), HRTIMER_MODE_REL_SOFT); + hcd->state = HC_STATE_RUNNING; + } + spin_unlock_irq(&dum_hcd->dum->lock); +@@ -2467,7 +2469,7 @@ static DEVICE_ATTR_RO(urbs); + + static int dummy_start_ss(struct dummy_hcd *dum_hcd) + { +- hrtimer_init(&dum_hcd->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL); ++ hrtimer_init(&dum_hcd->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL_SOFT); + dum_hcd->timer.function = dummy_timer; + dum_hcd->rh_state = DUMMY_RH_RUNNING; + dum_hcd->stream_en_ep = 0; +@@ -2497,7 +2499,7 @@ static int dummy_start(struct usb_hcd *h + return dummy_start_ss(dum_hcd); + + spin_lock_init(&dum_hcd->dum->lock); +- hrtimer_init(&dum_hcd->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL); ++ hrtimer_init(&dum_hcd->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL_SOFT); + dum_hcd->timer.function = dummy_timer; + dum_hcd->rh_state = DUMMY_RH_RUNNING; + diff --git a/queue-6.11/usb-misc-cypress_cy7c63-check-for-short-transfer.patch b/queue-6.11/usb-misc-cypress_cy7c63-check-for-short-transfer.patch new file mode 100644 index 00000000000..5a3754bcb5f --- /dev/null +++ b/queue-6.11/usb-misc-cypress_cy7c63-check-for-short-transfer.patch 
@@ -0,0 +1,42 @@
+From 49cd2f4d747eeb3050b76245a7f72aa99dbd3310 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 12 Sep 2024 14:54:43 +0200
+Subject: USB: misc: cypress_cy7c63: check for short transfer
+
+From: Oliver Neukum
+
+commit 49cd2f4d747eeb3050b76245a7f72aa99dbd3310 upstream.
+
+As we process the second byte of a control transfer, transfers
+of less than 2 bytes must be discarded.
+
+This bug is as old as the driver.
+
+SIgned-off-by: Oliver Neukum
+CC: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240912125449.1030536-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/misc/cypress_cy7c63.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/misc/cypress_cy7c63.c
++++ b/drivers/usb/misc/cypress_cy7c63.c
+@@ -88,6 +88,9 @@ static int vendor_command(struct cypress
+ USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_OTHER,
+ address, data, iobuf, CYPRESS_MAX_REQSIZE,
+ USB_CTRL_GET_TIMEOUT);
++ /* we must not process garbage */
++ if (retval < 2)
++ goto err_buf;
+
+ /* store returned data (more READs to be added) */
+ switch (request) {
+@@ -107,6 +110,7 @@ static int vendor_command(struct cypress
+ break;
+ }
+
++err_buf:
+ kfree(iobuf);
+ error:
+ return retval;
diff --git a/queue-6.11/usb-misc-yurex-fix-race-between-read-and-write.patch b/queue-6.11/usb-misc-yurex-fix-race-between-read-and-write.patch
new file mode 100644
index 00000000000..a9389a199e8
--- /dev/null
+++ b/queue-6.11/usb-misc-yurex-fix-race-between-read-and-write.patch
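Review bot: A short transfer still leaves vendor_command() returning a non-negative value: when `retval` is 0 or 1 the new check jumps to `err_buf`, and the `error:` label returns `retval` unchanged, so a caller that only tests for a negative result cannot tell that nothing was stored. Turning the short read into an error before the jump makes the failure visible, e.g. `if (retval >= 0 && retval < 2) retval = -EIO;` placed just ahead of the added `if (retval < 2)`. How the callers interpret the return value is outside the hunk, so this should be confirmed against them.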
@@ -0,0 +1,57 @@
+From 93907620b308609c72ba4b95b09a6aa2658bb553 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 12 Sep 2024 15:21:22 +0200
+Subject: USB: misc: yurex: fix race between read and write
+
+From: Oliver Neukum
+
+commit 93907620b308609c72ba4b95b09a6aa2658bb553 upstream.
+
+The write code path touches the bbu member in a non atomic manner
+without taking the spinlock. Fix it.
+
+The bug is as old as the driver.
+
+Signed-off-by: Oliver Neukum
+CC: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240912132126.1034743-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/misc/yurex.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/misc/yurex.c
++++ b/drivers/usb/misc/yurex.c
+@@ -404,7 +404,6 @@ static ssize_t yurex_read(struct file *f
+ struct usb_yurex *dev;
+ int len = 0;
+ char in_buffer[MAX_S64_STRLEN];
+- unsigned long flags;
+
+ dev = file->private_data;
+
+@@ -419,9 +418,9 @@ static ssize_t yurex_read(struct file *f
+ return -EIO;
+ }
+
+- spin_lock_irqsave(&dev->lock, flags);
++ spin_lock_irq(&dev->lock);
+ scnprintf(in_buffer, MAX_S64_STRLEN, "%lld\n", dev->bbu);
+- spin_unlock_irqrestore(&dev->lock, flags);
++ spin_unlock_irq(&dev->lock);
+ mutex_unlock(&dev->io_mutex);
+
+ return simple_read_from_buffer(buffer, count, ppos, in_buffer, len);
+@@ -511,8 +510,11 @@ static ssize_t yurex_write(struct file *
+ __func__, retval);
+ goto error;
+ }
+- if (set && timeout)
++ if (set && timeout) {
++ spin_lock_irq(&dev->lock);
+ dev->bbu = c2;
++ spin_unlock_irq(&dev->lock);
++ }
+ return timeout ? count : -EIO;
+
+ error:
diff --git a/queue-6.11/usb-xhci-add-xhci_reset_on_resume-quirk-for-phytium-xhci-host.patch b/queue-6.11/usb-xhci-add-xhci_reset_on_resume-quirk-for-phytium-xhci-host.patch
new file mode 100644
index 00000000000..bc39e07138b
--- /dev/null
+++ b/queue-6.11/usb-xhci-add-xhci_reset_on_resume-quirk-for-phytium-xhci-host.patch
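Review bot: In yurex_read() of the yurex.c patch, the context lines show `int len = 0;` and a `scnprintf(in_buffer, ...)` call whose return value is discarded, yet `len` is what gets passed to simple_read_from_buffer(). Unless `len` is assigned in the few lines between the first two hunks, which are not visible here, every read returns zero bytes and the snapshot of `dev->bbu` taken under the lock never reaches userspace. Storing the length fixes it: `len = scnprintf(in_buffer, MAX_S64_STRLEN, "%lld\n", dev->bbu);`. This predates the commit, but it sits inside the critical section the patch rewrites.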
@@ -0,0 +1,54 @@
+From 118ecef16cc221a23f96617016f7a205b070109f Mon Sep 17 00:00:00 2001
+From: WangYuli
+Date: Thu, 5 Sep 2024 12:09:16 +0800
+Subject: usb: xHCI: add XHCI_RESET_ON_RESUME quirk for Phytium xHCI host
+
+From: WangYuli
+
+commit 118ecef16cc221a23f96617016f7a205b070109f upstream.
+
+The resume operation of Phytium Px210 xHCI host would failed
+to restore state. Use the XHCI_RESET_ON_RESUME quirk to skip
+it and reset the controller after resume.
+
+Co-developed-by: Chen Baozi
+Signed-off-by: Chen Baozi
+Co-developed-by: Wang Zhimin
+Signed-off-by: Wang Zhimin
+Co-developed-by: Chen Zhenhua
+Signed-off-by: Chen Zhenhua
+Co-developed-by: Wang Yinfeng
+Signed-off-by: Wang Yinfeng
+Co-developed-by: Jiakun Shuai
+Signed-off-by: Jiakun Shuai
+Signed-off-by: WangYuli
+Link: https://lore.kernel.org/r/2C1FDC3BB34715BE+20240905040916.63199-1-wangyuli@uniontech.com
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-pci.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -55,6 +55,9 @@
+ #define PCI_DEVICE_ID_INTEL_ALDER_LAKE_PCH_XHCI 0x51ed
+ #define PCI_DEVICE_ID_INTEL_ALDER_LAKE_N_PCH_XHCI 0x54ed
+
++#define PCI_VENDOR_ID_PHYTIUM 0x1db7
++#define PCI_DEVICE_ID_PHYTIUM_XHCI 0xdc27
++
+ /* Thunderbolt */
+ #define PCI_DEVICE_ID_INTEL_MAPLE_RIDGE_XHCI 0x1138
+ #define PCI_DEVICE_ID_INTEL_ALPINE_RIDGE_2C_XHCI 0x15b5
+@@ -419,6 +422,10 @@ static void xhci_pci_quirks(struct devic
+ if (pdev->vendor == PCI_VENDOR_ID_VIA)
+ xhci->quirks |= XHCI_RESET_ON_RESUME;
+
++ if (pdev->vendor == PCI_VENDOR_ID_PHYTIUM &&
++ pdev->device == PCI_DEVICE_ID_PHYTIUM_XHCI)
++ xhci->quirks |= XHCI_RESET_ON_RESUME;
++
+ /* See https://bugzilla.kernel.org/show_bug.cgi?id=79511 */
+ if (pdev->vendor == PCI_VENDOR_ID_VIA &&
+ pdev->device == 0x3432)
diff --git a/queue-6.11/usb-xhci-fix-loss-of-data-on-cadence-xhc.patch b/queue-6.11/usb-xhci-fix-loss-of-data-on-cadence-xhc.patch
new file mode 100644
index 00000000000..03abbba9ebd
--- /dev/null
+++ b/queue-6.11/usb-xhci-fix-loss-of-data-on-cadence-xhc.patch
@@ -0,0 +1,105 @@
+From e5fa8db0be3e8757e8641600c518425a4589b85c Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak
+Date: Thu, 5 Sep 2024 07:03:28 +0000
+Subject: usb: xhci: fix loss of data on Cadence xHC
+
+From: Pawel Laszczak
+
+commit e5fa8db0be3e8757e8641600c518425a4589b85c upstream.
+
+Streams should flush their TRB cache, re-read TRBs, and start executing
+TRBs from the beginning of the new dequeue pointer after a 'Set TR Dequeue
+Pointer' command.
+
+Cadence controllers may fail to start from the beginning of the dequeue
+TRB as it doesn't clear the Opaque 'RsvdO' field of the stream context
+during 'Set TR Dequeue' command. This stream context area is where xHC
+stores information about the last partially executed TD when a stream
+is stopped. xHC uses this information to resume the transfer where it left
+mid TD, when the stream is restarted.
+
+Patch fixes this by clearing out all RsvdO fields before initializing new
+Stream transfer using a 'Set TR Dequeue Pointer' command.
+
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+cc: stable@vger.kernel.org
+Signed-off-by: Pawel Laszczak
+Reviewed-by: Peter Chen
+Link: https://lore.kernel.org/r/PH7PR07MB95386A40146E3EC64086F409DD9D2@PH7PR07MB9538.namprd07.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/cdns3/host.c | 4 +++-
+ drivers/usb/host/xhci-pci.c | 7 +++++++
+ drivers/usb/host/xhci-ring.c | 14 ++++++++++++++
+ drivers/usb/host/xhci.h | 1 +
+ 4 files changed, 25 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/cdns3/host.c
++++ b/drivers/usb/cdns3/host.c
+@@ -62,7 +62,9 @@ static const struct xhci_plat_priv xhci_
+ .resume_quirk = xhci_cdns3_resume_quirk,
+ };
+
+-static const struct xhci_plat_priv xhci_plat_cdnsp_xhci;
++static const struct xhci_plat_priv xhci_plat_cdnsp_xhci = {
++ .quirks = XHCI_CDNS_SCTX_QUIRK,
++};
+
+ static int __cdns_host_init(struct cdns *cdns)
+ {
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -78,6 +78,9 @@
+ #define PCI_DEVICE_ID_ASMEDIA_2142_XHCI 0x2142
+ #define PCI_DEVICE_ID_ASMEDIA_3242_XHCI 0x3242
+
++#define PCI_DEVICE_ID_CADENCE 0x17CD
++#define PCI_DEVICE_ID_CADENCE_SSP 0x0200
++
+ static const char hcd_name[] = "xhci_hcd";
+
+ static struct hc_driver __read_mostly xhci_pci_hc_driver;
+@@ -473,6 +476,10 @@ static void xhci_pci_quirks(struct devic
+ xhci->quirks |= XHCI_ZHAOXIN_TRB_FETCH;
+ }
+
++ if (pdev->vendor == PCI_DEVICE_ID_CADENCE &&
++ pdev->device == PCI_DEVICE_ID_CADENCE_SSP)
++ xhci->quirks |= XHCI_CDNS_SCTX_QUIRK;
++
+ /* xHC spec requires PCI devices to support D3hot and D3cold */
+ if (xhci->hci_version >= 0x120)
+ xhci->quirks |= XHCI_DEFAULT_PM_RUNTIME_ALLOW;
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1399,6 +1399,20 @@ static void xhci_handle_cmd_set_deq(stru
+ struct xhci_stream_ctx *ctx =
+ &ep->stream_info->stream_ctx_array[stream_id];
+ deq = le64_to_cpu(ctx->stream_ring) & SCTX_DEQ_MASK;
++
++ /*
++ * Cadence xHCI controllers store some endpoint state
++ * information within Rsvd0 fields of Stream Endpoint
++ * context. This field is not cleared during Set TR
++ * Dequeue Pointer command which causes XDMA to skip
++ * over transfer ring and leads to data loss on stream
++ * pipe.
++ * To fix this issue driver must clear Rsvd0 field.
++ */
++ if (xhci->quirks & XHCI_CDNS_SCTX_QUIRK) {
++ ctx->reserved[0] = 0;
++ ctx->reserved[1] = 0;
++ }
+ } else {
+ deq = le64_to_cpu(ep_ctx->deq) & ~EP_CTX_CYCLE_MASK;
+ }
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1628,6 +1628,7 @@ struct xhci_hcd {
+ #define XHCI_ZHAOXIN_TRB_FETCH BIT_ULL(45)
+ #define XHCI_ZHAOXIN_HOST BIT_ULL(46)
+ #define XHCI_WRITE_64_HI_LO BIT_ULL(47)
++#define XHCI_CDNS_SCTX_QUIRK BIT_ULL(48)
+
+ unsigned int num_active_eps;
+ unsigned int limit_active_eps;
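Review bot: `#define PCI_DEVICE_ID_CADENCE 0x17CD` in the xhci-pci.c hunk of the Cadence patch is compared against `pdev->vendor`, so it is a vendor ID carrying a device-ID name. The comparison itself matches the right field, but the name invites a later `pdev->device == PCI_DEVICE_ID_CADENCE` mistake in a function that gates hardware workarounds. Renaming it to `PCI_VENDOR_ID_CADENCE` and testing `pdev->vendor == PCI_VENDOR_ID_CADENCE` would match the `PCI_VENDOR_ID_*` names used by the other checks in xhci_pci_quirks(). That function starts and ends outside the hunk.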
diff --git a/queue-6.11/usbnet-fix-cyclical-race-on-disconnect-with-work-queue.patch b/queue-6.11/usbnet-fix-cyclical-race-on-disconnect-with-work-queue.patch
new file mode 100644
index 00000000000..be2e8d3d0e5
--- /dev/null
+++ b/queue-6.11/usbnet-fix-cyclical-race-on-disconnect-with-work-queue.patch
@@ -0,0 +1,140 @@
+From 04e906839a053f092ef53f4fb2d610983412b904 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 19 Sep 2024 14:33:42 +0200
+Subject: usbnet: fix cyclical race on disconnect with work queue
+
+From: Oliver Neukum
+
+commit 04e906839a053f092ef53f4fb2d610983412b904 upstream.
+
+The work can submit URBs and the URBs can schedule the work.
+This cycle needs to be broken, when a device is to be stopped.
+Use a flag to do so.
+This is a design issue as old as the driver.
+
+Signed-off-by: Oliver Neukum
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+CC: stable@vger.kernel.org
+Link: https://patch.msgid.link/20240919123525.688065-1-oneukum@suse.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/usbnet.c | 37 ++++++++++++++++++++++++++++---------
+ include/linux/usb/usbnet.h | 15 +++++++++++++++
+ 2 files changed, 43 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -464,10 +464,15 @@ static enum skb_state defer_bh(struct us
+ void usbnet_defer_kevent (struct usbnet *dev, int work)
+ {
+ set_bit (work, &dev->flags);
+- if (!schedule_work (&dev->kevent))
+- netdev_dbg(dev->net, "kevent %s may have been dropped\n", usbnet_event_names[work]);
+- else
+- netdev_dbg(dev->net, "kevent %s scheduled\n", usbnet_event_names[work]);
++ if (!usbnet_going_away(dev)) {
++ if (!schedule_work(&dev->kevent))
++ netdev_dbg(dev->net,
++ "kevent %s may have been dropped\n",
++ usbnet_event_names[work]);
++ else
++ netdev_dbg(dev->net,
++ "kevent %s scheduled\n", usbnet_event_names[work]);
++ }
+ }
+ EXPORT_SYMBOL_GPL(usbnet_defer_kevent);
+
+@@ -535,7 +540,8 @@ static int rx_submit (struct usbnet *dev
+ tasklet_schedule (&dev->bh);
+ break;
+ case 0:
+- __usbnet_queue_skb(&dev->rxq, skb, rx_start);
++ if (!usbnet_going_away(dev))
++ __usbnet_queue_skb(&dev->rxq, skb, rx_start);
+ }
+ } else {
+ netif_dbg(dev, ifdown, dev->net, "rx: stopped\n");
+@@ -843,9 +849,18 @@ int usbnet_stop
(struct net_device *net)
+
+ /* deferred work (timer, softirq, task) must also stop */
+ dev->flags = 0;
+- del_timer_sync (&dev->delay);
+- tasklet_kill (&dev->bh);
++ del_timer_sync(&dev->delay);
++ tasklet_kill(&dev->bh);
+ cancel_work_sync(&dev->kevent);
++
++ /* We have cyclic dependencies. Those calls are needed
++ * to break a cycle. We cannot fall into the gaps because
++ * we have a flag
++ */
++ tasklet_kill(&dev->bh);
++ del_timer_sync(&dev->delay);
++ cancel_work_sync(&dev->kevent);
++
+ if (!pm)
+ usb_autopm_put_interface(dev->intf);
+
+@@ -1171,7 +1186,8 @@ fail_halt:
+ status);
+ } else {
+ clear_bit (EVENT_RX_HALT, &dev->flags);
+- tasklet_schedule (&dev->bh);
++ if (!usbnet_going_away(dev))
++ tasklet_schedule(&dev->bh);
+ }
+ }
+
+@@ -1196,7 +1212,8 @@ fail_halt:
+ usb_autopm_put_interface(dev->intf);
+ fail_lowmem:
+ if (resched)
+- tasklet_schedule (&dev->bh);
++ if (!usbnet_going_away(dev))
++ tasklet_schedule(&dev->bh);
+ }
+ }
+
+@@ -1559,6 +1576,7 @@ static void usbnet_bh (struct timer_list
+ } else if (netif_running (dev->net) &&
+ netif_device_present (dev->net) &&
+ netif_carrier_ok(dev->net) &&
++ !usbnet_going_away(dev) &&
+ !timer_pending(&dev->delay) &&
+ !test_bit(EVENT_RX_PAUSED, &dev->flags) &&
+ !test_bit(EVENT_RX_HALT, &dev->flags)) {
+@@ -1606,6 +1624,7 @@ void usbnet_disconnect (struct usb_inter
+ usb_set_intfdata(intf, NULL);
+ if (!dev)
+ return;
++ usbnet_mark_going_away(dev);
+
+ xdev = interface_to_usbdev (intf);
+
+--- a/include/linux/usb/usbnet.h
++++ b/include/linux/usb/usbnet.h
+@@ -76,8 +76,23 @@ struct usbnet {
+ # define EVENT_LINK_CHANGE 11
+ # define EVENT_SET_RX_MODE 12
+ # define EVENT_NO_IP_ALIGN 13
++/* This one is special, as it indicates that the device is going away
++ * there are cyclic dependencies between tasklet, timer and bh
++ * that must be broken
++ */
++# define EVENT_UNPLUG 31
+ };
+
++static inline bool usbnet_going_away(struct usbnet *ubn)
++{
++ return test_bit(EVENT_UNPLUG, &ubn->flags);
++}
++
++static inline void usbnet_mark_going_away(struct usbnet *ubn)
++{
++ set_bit(EVENT_UNPLUG, &ubn->flags);
++}
++
+ static inline struct usb_driver *driver_of(struct usb_interface *intf)
+ {
+ return to_usb_driver(intf->dev.driver);
diff --git a/queue-6.11/wifi-rtw88-fix-usb-sdio-devices-not-transmitting-beacons.patch b/queue-6.11/wifi-rtw88-fix-usb-sdio-devices-not-transmitting-beacons.patch
new file mode 100644
index 00000000000..01194766e92
--- /dev/null
+++ b/queue-6.11/wifi-rtw88-fix-usb-sdio-devices-not-transmitting-beacons.patch
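Review bot: In the usbnet.c patch, usbnet_stop() still does `dev->flags = 0;` just before the timer, tasklet and work are cancelled, and that plain store also clears bit 31, the EVENT_UNPLUG flag the added comment ("we have a flag") relies on. If usbnet_stop() runs after usbnet_mark_going_away() on the disconnect path (the call chain is outside these hunks, so this is inferred), the guards added in usbnet_defer_kevent(), rx_submit() and usbnet_bh() stop seeing the flag while the cycle is being broken. Keeping the bit across the reset would close that window, e.g. `dev->flags &= BIT(EVENT_UNPLUG);` in place of the zero store, or else a comment stating why clearing it here is safe. usbnet_stop() starts and ends outside the hunk.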
@@ -0,0 +1,55 @@
+From faa2e484b393c56bc1243dca6676a70bc485f775 Mon Sep 17 00:00:00 2001
+From: Bitterblue Smith
+Date: Wed, 21 Aug 2024 16:11:03 +0300
+Subject: wifi: rtw88: Fix USB/SDIO devices not transmitting beacons
+
+From: Bitterblue Smith
+
+commit faa2e484b393c56bc1243dca6676a70bc485f775 upstream.
+
+All USB devices supported by rtw88 have the same problem: they don't
+transmit beacons in AP mode. (Some?) SDIO devices are also affected.
+The cause appears to be clearing BIT_EN_BCNQ_DL of REG_FWHW_TXQ_CTRL
+before uploading the beacon reserved page, so don't clear the bit for
+USB and SDIO devices.
+
+Tested with RTL8811CU and RTL8723DU.
+
+Cc: # 6.6.x
+Signed-off-by: Bitterblue Smith
+Signed-off-by: Ping-Ke Shih
+Link: https://patch.msgid.link/49de73b5-698f-4865-ab63-100e28dfc4a1@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/realtek/rtw88/fw.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtw88/fw.c
++++ b/drivers/net/wireless/realtek/rtw88/fw.c
+@@ -1468,10 +1468,12 @@ int rtw_fw_write_data_rsvd_page(struct r
+ val |= BIT_ENSWBCN >> 8;
+ rtw_write8(rtwdev, REG_CR + 1, val);
+
+- val = rtw_read8(rtwdev, REG_FWHW_TXQ_CTRL + 2);
+- bckp[1] = val;
+- val &= ~(BIT_EN_BCNQ_DL >> 16);
+- rtw_write8(rtwdev, REG_FWHW_TXQ_CTRL + 2, val);
++ if (rtw_hci_type(rtwdev) == RTW_HCI_TYPE_PCIE) {
++ val = rtw_read8(rtwdev, REG_FWHW_TXQ_CTRL + 2);
++ bckp[1] = val;
++ val &= ~(BIT_EN_BCNQ_DL >> 16);
++ rtw_write8(rtwdev, REG_FWHW_TXQ_CTRL + 2, val);
++ }
+
+ ret = rtw_hci_write_data_rsvd_page(rtwdev, buf, size);
+ if (ret) {
+@@ -1496,7 +1498,8 @@ restore:
+ rsvd_pg_head = rtwdev->fifo.rsvd_boundary;
+ rtw_write16(rtwdev, REG_FIFOPAGE_CTRL_2,
+ rsvd_pg_head | BIT_BCN_VALID_V1);
+- rtw_write8(rtwdev, REG_FWHW_TXQ_CTRL + 2, bckp[1]);
++ if (rtw_hci_type(rtwdev) == RTW_HCI_TYPE_PCIE)
++ rtw_write8(rtwdev, REG_FWHW_TXQ_CTRL + 2, bckp[1]);
+ rtw_write8(rtwdev, REG_CR + 1, bckp[0]);
+
+ return
ret;
diff --git a/queue-6.11/x86-tdx-fix-in-kernel-mmio-check.patch b/queue-6.11/x86-tdx-fix-in-kernel-mmio-check.patch
new file mode 100644
index 00000000000..512fde1efc8
--- /dev/null
+++ b/queue-6.11/x86-tdx-fix-in-kernel-mmio-check.patch
@@ -0,0 +1,55 @@
+From d4fc4d01471528da8a9797a065982e05090e1d81 Mon Sep 17 00:00:00 2001
+From: "Alexey Gladkov (Intel)"
+Date: Fri, 13 Sep 2024 19:05:56 +0200
+Subject: x86/tdx: Fix "in-kernel MMIO" check
+
+From: Alexey Gladkov (Intel)
+
+commit d4fc4d01471528da8a9797a065982e05090e1d81 upstream.
+
+TDX only supports kernel-initiated MMIO operations. The handle_mmio()
+function checks if the #VE exception occurred in the kernel and rejects
+the operation if it did not.
+
+However, userspace can deceive the kernel into performing MMIO on its
+behalf. For example, if userspace can point a syscall to an MMIO address,
+syscall does get_user() or put_user() on it, triggering MMIO #VE. The
+kernel will treat the #VE as in-kernel MMIO.
+
+Ensure that the target MMIO address is within the kernel before decoding
+instruction.
+
+Fixes: 31d58c4e557d ("x86/tdx: Handle in-kernel MMIO")
+Signed-off-by: Alexey Gladkov (Intel)
+Signed-off-by: Dave Hansen
+Reviewed-by: Kirill A. Shutemov
+Acked-by: Dave Hansen
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/565a804b80387970460a4ebc67c88d1380f61ad1.1726237595.git.legion%40kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/coco/tdx/tdx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/x86/coco/tdx/tdx.c
++++ b/arch/x86/coco/tdx/tdx.c
+@@ -16,6 +16,7 @@
+ #include
+ #include
+ #include
++#include
+
+ /* MMIO direction */
+ #define EPT_READ 0
+@@ -433,6 +434,11 @@ static int handle_mmio(struct pt_regs *r
+ return -EINVAL;
+ }
+
++ if (!fault_in_kernel_space(ve->gla)) {
++ WARN_ONCE(1, "Access to userspace address is not supported");
++ return -EINVAL;
++ }
++
+ /*
+ * Reject EPT violation #VEs that split pages.
+ *
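Review bot: In the rtw88 fw.c patch, `bckp[1]` in rtw_fw_write_data_rsvd_page() is now written only inside the first `rtw_hci_type(rtwdev) == RTW_HCI_TYPE_PCIE` branch and read only under the second one at `restore:`, so correctness depends on the two conditions staying identical. Evaluating the condition once, e.g. `bool is_pcie = rtw_hci_type(rtwdev) == RTW_HCI_TYPE_PCIE;`, and testing `is_pcie` in both places would keep a later edit from writing an unset byte back into REG_FWHW_TXQ_CTRL. The declaration of `bckp` and the start of the function are outside the hunks, so whether the array is zero-initialised cannot be seen here.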
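Review bot: The new `WARN_ONCE(1, "Access to userspace address is not supported");` in handle_mmio() of the tdx.c patch sits on a path the commit message itself describes as reachable from userspace, via a syscall pointed at an MMIO address. On a guest booted with panic_on_warn that lets an unprivileged request bring the guest down, and WARN output is normally reserved for kernel bugs rather than rejected input. A once-only log line keeps the diagnostic without that side effect: `pr_warn_once("Access to userspace address is not supported\n");`. The `return -EINVAL;` that follows stays as it is; handle_mmio() continues outside the hunk.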
diff --git a/queue-6.11/xhci-set-quirky-xhc-pci-hosts-to-d3-_after_-stopping-and-freeing-them.patch b/queue-6.11/xhci-set-quirky-xhc-pci-hosts-to-d3-_after_-stopping-and-freeing-them.patch
new file mode 100644
index 00000000000..99707ffe86f
--- /dev/null
+++ b/queue-6.11/xhci-set-quirky-xhc-pci-hosts-to-d3-_after_-stopping-and-freeing-them.patch
@@ -0,0 +1,53 @@
+From f81dfa3b57c624c56f2bff171c431bc7f5b558f2 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Thu, 5 Sep 2024 17:32:59 +0300
+Subject: xhci: Set quirky xHC PCI hosts to D3 _after_ stopping and freeing them.
+
+From: Mathias Nyman
+
+commit f81dfa3b57c624c56f2bff171c431bc7f5b558f2 upstream.
+
+PCI xHC host should be stopped and xhci driver memory freed before putting
+host to PCI D3 state during PCI remove callback.
+
+Hosts with XHCI_SPURIOUS_WAKEUP quirk did this the wrong way around
+and set the host to D3 before calling usb_hcd_pci_remove(dev), which will
+access the host to stop it, and then free xhci.
+
+Fixes: f1f6d9a8b540 ("xhci: don't dereference a xhci member after removing xhci")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20240905143300.1959279-12-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-pci.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -669,8 +669,10 @@ put_runtime_pm:
+ static void xhci_pci_remove(struct pci_dev *dev)
+ {
+ struct xhci_hcd *xhci;
++ bool set_power_d3;
+
+ xhci = hcd_to_xhci(pci_get_drvdata(dev));
++ set_power_d3 = xhci->quirks & XHCI_SPURIOUS_WAKEUP;
+
+ xhci->xhc_state |= XHCI_STATE_REMOVING;
+
+@@ -683,11 +685,11 @@ static void xhci_pci_remove(struct pci_d
+ xhci->shared_hcd = NULL;
+ }
+
++ usb_hcd_pci_remove(dev);
++
+ /* Workaround for spurious wakeups at shutdown with HSW */
+- if (xhci->quirks & XHCI_SPURIOUS_WAKEUP)
++ if (set_power_d3)
+ pci_set_power_state(dev, PCI_D3hot);
+-
+- usb_hcd_pci_remove(dev);
+ }
+
+ /*
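Review bot: The code in xhci_pci_remove() does not say why `set_power_d3` is sampled at the top of the function instead of testing `xhci->quirks` at the point of use. Per the commit message, usb_hcd_pci_remove() frees xhci, so the quirk must be read before that call; without a comment a later cleanup could fold the test back into the `if` and reintroduce a read of freed memory. A one-line comment on the assignment would record the constraint, e.g. `/* xhci is freed by usb_hcd_pci_remove(); read the quirk first */`.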