From: Greg Kroah-Hartman Date: Tue, 29 Nov 2022 17:01:20 +0000 (+0100) Subject: 6.0-stable patches X-Git-Tag: v5.10.157~65 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=38cfb00252fdfbcd34bcc53190b0c25c33744f56;p=thirdparty%2Fkernel%2Fstable-queue.git 6.0-stable patches added patches: arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch can-gs_usb-remove-dma-allocations.patch cifs-fix-missing-unlock-in-cifs_file_copychunk_range.patch cifs-use-after-free-in-debug-code.patch dma-buf-use-dma_fence_unwrap_for_each-when-importing-fences.patch ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch usb-cdnsp-fix-issue-with-clear-feature-halt-endpoint.patch usb-cdnsp-fix-issue-with-zlp-added-td_size-1.patch usb-dwc3-exynos-fix-remove-function.patch --- diff --git a/queue-6.0/arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch b/queue-6.0/arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch new file mode 100644 index 00000000000..683d566b75e --- /dev/null +++ b/queue-6.0/arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch @@ -0,0 +1,39 @@ +From 91e8b74fe6381e083f8aa55217bb0562785ab398 Mon Sep 17 00:00:00 2001 +From: Jakob Unterwurzacher +Date: Wed, 19 Oct 2022 16:27:27 +0200 +Subject: arm64: dts: rockchip: lower rk3399-puma-haikou SD controller clock frequency + +From: Jakob Unterwurzacher + +commit 91e8b74fe6381e083f8aa55217bb0562785ab398 upstream. + +CRC errors (code -84 EILSEQ) have been observed for some SanDisk +Ultra A1 cards when running at 50MHz. + +Waveform analysis suggest that the level shifters that are used on the +RK3399-Q7 module for voltage translation between 3.0 and 3.3V don't +handle clock rates at or above 48MHz properly. Back off to 40MHz for +some safety margin. + +Cc: stable@vger.kernel.org +Fixes: 60fd9f72ce8a ("arm64: dts: rockchip: add Haikou baseboard with RK3399-Q7 SoM") +Signed-off-by: Jakob Unterwurzacher +Signed-off-by: Quentin Schulz +Link: https://lore.kernel.org/r/20221019-upstream-puma-sd-40mhz-v1-0-754a76421518@theobroma-systems.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts +@@ -207,7 +207,7 @@ + cap-sd-highspeed; + cd-gpios = <&gpio0 RK_PA7 GPIO_ACTIVE_LOW>; + disable-wp; +- max-frequency = <150000000>; ++ max-frequency = <40000000>; + pinctrl-names = "default"; + pinctrl-0 = <&sdmmc_clk &sdmmc_cmd &sdmmc_cd &sdmmc_bus4>; + vmmc-supply = <&vcc3v3_baseboard>; diff --git a/queue-6.0/can-gs_usb-remove-dma-allocations.patch b/queue-6.0/can-gs_usb-remove-dma-allocations.patch new file mode 100644 index 00000000000..8ce42964e0c --- /dev/null +++ b/queue-6.0/can-gs_usb-remove-dma-allocations.patch @@ -0,0 +1,168 @@ +From 62f102c0d1563ff6a31082f5d83b886ad2ff7ca0 Mon Sep 17 00:00:00 2001 +From: Vasanth Sadhasivan +Date: Tue, 20 Sep 2022 11:47:24 -0400 +Subject: can: gs_usb: remove dma allocations + +From: Vasanth Sadhasivan + +commit 62f102c0d1563ff6a31082f5d83b886ad2ff7ca0 upstream. + +DMA allocated buffers are a precious resource. If there is no need for +DMA allocations, then it might be worth to use non-dma allocated +buffers. + +After testing the gs_usb driver with and without DMA allocation, there +does not seem to be a significant change in latency or CPU utilization +either way. Therefore, DMA allocation is not necessary and removed. + +Internal buffers used within urbs were managed and freed manually. +These buffers are no longer needed to be managed by the driver. The +URB_FREE_BUFFER flag, allows for the buffers in question to be +automatically freed. + +Co-developed-by: Rhett Aultman +Signed-off-by: Rhett Aultman +Signed-off-by: Vasanth Sadhasivan +Link: https://lore.kernel.org/all/20220920154724.861093-2-rhett.aultman@samsara.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/gs_usb.c | 39 ++++++--------------------------------- + 1 file changed, 6 insertions(+), 33 deletions(-) + +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -268,8 +268,6 @@ struct gs_can { + + struct usb_anchor tx_submitted; + atomic_t active_tx_urbs; +- void *rxbuf[GS_MAX_RX_URBS]; +- dma_addr_t rxbuf_dma[GS_MAX_RX_URBS]; + }; + + /* usb interface struct */ +@@ -587,9 +585,6 @@ static void gs_usb_xmit_callback(struct + + if (urb->status) + netdev_info(netdev, "usb xmit fail %u\n", txc->echo_id); +- +- usb_free_coherent(urb->dev, urb->transfer_buffer_length, +- urb->transfer_buffer, urb->transfer_dma); + } + + static netdev_tx_t gs_can_start_xmit(struct sk_buff *skb, +@@ -618,8 +613,7 @@ static netdev_tx_t gs_can_start_xmit(str + if (!urb) + goto nomem_urb; + +- hf = usb_alloc_coherent(dev->udev, dev->hf_size_tx, GFP_ATOMIC, +- &urb->transfer_dma); ++ hf = kmalloc(dev->hf_size_tx, GFP_ATOMIC); + if (!hf) { + netdev_err(netdev, "No memory left for USB buffer\n"); + goto nomem_hf; +@@ -663,7 +657,7 @@ static netdev_tx_t gs_can_start_xmit(str + hf, dev->hf_size_tx, + gs_usb_xmit_callback, txc); + +- urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; ++ urb->transfer_flags |= URB_FREE_BUFFER; + usb_anchor_urb(urb, &dev->tx_submitted); + + can_put_echo_skb(skb, netdev, idx, 0); +@@ -678,8 +672,6 @@ static netdev_tx_t gs_can_start_xmit(str + gs_free_tx_context(txc); + + usb_unanchor_urb(urb); +- usb_free_coherent(dev->udev, urb->transfer_buffer_length, +- urb->transfer_buffer, urb->transfer_dma); + + if (rc == -ENODEV) { + netif_device_detach(netdev); +@@ -699,8 +691,7 @@ static netdev_tx_t gs_can_start_xmit(str + return NETDEV_TX_OK; + + badidx: +- usb_free_coherent(dev->udev, urb->transfer_buffer_length, +- urb->transfer_buffer, urb->transfer_dma); ++ kfree(hf); + nomem_hf: + usb_free_urb(urb); + +@@ -744,7 +735,6 @@ static int gs_can_open(struct net_device + for (i = 0; i < GS_MAX_RX_URBS; i++) { + struct urb *urb; + u8 *buf; +- dma_addr_t buf_dma; + + /* alloc rx urb */ + urb = usb_alloc_urb(0, GFP_KERNEL); +@@ -752,10 +742,8 @@ static int gs_can_open(struct net_device + return -ENOMEM; + + /* alloc rx buffer */ +- buf = usb_alloc_coherent(dev->udev, +- dev->parent->hf_size_rx, +- GFP_KERNEL, +- &buf_dma); ++ buf = kmalloc(dev->parent->hf_size_rx, ++ GFP_KERNEL); + if (!buf) { + netdev_err(netdev, + "No memory left for USB buffer\n"); +@@ -763,8 +751,6 @@ static int gs_can_open(struct net_device + return -ENOMEM; + } + +- urb->transfer_dma = buf_dma; +- + /* fill, anchor, and submit rx urb */ + usb_fill_bulk_urb(urb, + dev->udev, +@@ -773,7 +759,7 @@ static int gs_can_open(struct net_device + buf, + dev->parent->hf_size_rx, + gs_usb_receive_bulk_callback, parent); +- urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; ++ urb->transfer_flags |= URB_FREE_BUFFER; + + usb_anchor_urb(urb, &parent->rx_submitted); + +@@ -786,17 +772,10 @@ static int gs_can_open(struct net_device + "usb_submit failed (err=%d)\n", rc); + + usb_unanchor_urb(urb); +- usb_free_coherent(dev->udev, +- sizeof(struct gs_host_frame), +- buf, +- buf_dma); + usb_free_urb(urb); + break; + } + +- dev->rxbuf[i] = buf; +- dev->rxbuf_dma[i] = buf_dma; +- + /* Drop reference, + * USB core will take care of freeing it + */ +@@ -854,7 +833,6 @@ static int gs_can_close(struct net_devic + int rc; + struct gs_can *dev = netdev_priv(netdev); + struct gs_usb *parent = dev->parent; +- unsigned int i; + + netif_stop_queue(netdev); + +@@ -862,11 +840,6 @@ static int gs_can_close(struct net_devic + parent->active_channels--; + if (!parent->active_channels) { + usb_kill_anchored_urbs(&parent->rx_submitted); +- for (i = 0; i < GS_MAX_RX_URBS; i++) +- usb_free_coherent(dev->udev, +- sizeof(struct gs_host_frame), +- dev->rxbuf[i], +- dev->rxbuf_dma[i]); + } + + /* Stop sending URBs */ diff --git a/queue-6.0/cifs-fix-missing-unlock-in-cifs_file_copychunk_range.patch b/queue-6.0/cifs-fix-missing-unlock-in-cifs_file_copychunk_range.patch new file mode 100644 index 00000000000..198dd24940c --- /dev/null +++ b/queue-6.0/cifs-fix-missing-unlock-in-cifs_file_copychunk_range.patch @@ -0,0 +1,56 @@ +From 502487847743018c93d75b401eac2ea4c4973123 Mon Sep 17 00:00:00 2001 +From: ChenXiaoSong +Date: Sat, 19 Nov 2022 12:51:59 +0800 +Subject: cifs: fix missing unlock in cifs_file_copychunk_range() + +From: ChenXiaoSong + +commit 502487847743018c93d75b401eac2ea4c4973123 upstream. + +xfstests generic/013 and generic/476 reported WARNING as follows: + + WARNING: lock held when returning to user space! + 6.1.0-rc5+ #4 Not tainted + ------------------------------------------------ + fsstress/504233 is leaving the kernel with locks still held! + 2 locks held by fsstress/504233: + #0: ffff888054c38850 (&sb->s_type->i_mutex_key#21){+.+.}-{3:3}, at: + lock_two_nondirectories+0xcf/0xf0 + #1: ffff8880b8fec750 (&sb->s_type->i_mutex_key#21/4){+.+.}-{3:3}, at: + lock_two_nondirectories+0xb7/0xf0 + +This will lead to deadlock and hungtask. + +Fix this by releasing locks when failed to write out on a file range in +cifs_file_copychunk_range(). + +Fixes: 3e3761f1ec7d ("smb3: use filemap_write_and_wait_range instead of filemap_write_and_wait") +Cc: stable@vger.kernel.org # 6.0 +Reviewed-by: Paulo Alcantara (SUSE) +Signed-off-by: ChenXiaoSong +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifsfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/cifs/cifsfs.c ++++ b/fs/cifs/cifsfs.c +@@ -1252,7 +1252,7 @@ ssize_t cifs_file_copychunk_range(unsign + rc = filemap_write_and_wait_range(src_inode->i_mapping, off, + off + len - 1); + if (rc) +- goto out; ++ goto unlock; + + /* should we flush first and last page first */ + truncate_inode_pages(&target_inode->i_data, 0); +@@ -1268,6 +1268,8 @@ ssize_t cifs_file_copychunk_range(unsign + * that target is updated on the server + */ + CIFS_I(target_inode)->time = 0; ++ ++unlock: + /* although unlocking in the reverse order from locking is not + * strictly necessary here it is a little cleaner to be consistent + */ diff --git a/queue-6.0/cifs-use-after-free-in-debug-code.patch b/queue-6.0/cifs-use-after-free-in-debug-code.patch new file mode 100644 index 00000000000..41fd87b6203 --- /dev/null +++ b/queue-6.0/cifs-use-after-free-in-debug-code.patch @@ -0,0 +1,47 @@ +From f391d6ee002ea022c62dc0b09d0578f3ccce81be Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 18 Nov 2022 14:48:00 +0300 +Subject: cifs: Use after free in debug code + +From: Dan Carpenter + +commit f391d6ee002ea022c62dc0b09d0578f3ccce81be upstream. + +This debug code dereferences "old_iface" after it was already freed by +the call to release_iface(). Re-order the debugging to avoid this +issue. + +Fixes: b54034a73baf ("cifs: during reconnect, update interface if necessary") +Cc: stable@vger.kernel.org # 5.19+ +Reviewed-by: Paulo Alcantara (SUSE) +Signed-off-by: Dan Carpenter +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/sess.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c +index 92e4278ec35d..9e7d9f0baa18 100644 +--- a/fs/cifs/sess.c ++++ b/fs/cifs/sess.c +@@ -302,14 +302,14 @@ cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) + + /* now drop the ref to the current iface */ + if (old_iface && iface) { +- kref_put(&old_iface->refcount, release_iface); + cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n", + &old_iface->sockaddr, + &iface->sockaddr); +- } else if (old_iface) { + kref_put(&old_iface->refcount, release_iface); ++ } else if (old_iface) { + cifs_dbg(FYI, "releasing ref to iface: %pIS\n", + &old_iface->sockaddr); ++ kref_put(&old_iface->refcount, release_iface); + } else { + WARN_ON(!iface); + cifs_dbg(FYI, "adding new iface: %pIS\n", &iface->sockaddr); +-- +2.38.1 + diff --git a/queue-6.0/dma-buf-use-dma_fence_unwrap_for_each-when-importing-fences.patch b/queue-6.0/dma-buf-use-dma_fence_unwrap_for_each-when-importing-fences.patch new file mode 100644 index 00000000000..4cd90617d7e --- /dev/null +++ b/queue-6.0/dma-buf-use-dma_fence_unwrap_for_each-when-importing-fences.patch @@ -0,0 +1,84 @@ +From c19083c72ea72a1c12037bb3d708014632df80e4 Mon Sep 17 00:00:00 2001 +From: Jason Ekstrand +Date: Tue, 2 Aug 2022 16:01:58 -0500 +Subject: dma-buf: Use dma_fence_unwrap_for_each when importing fences +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jason Ekstrand + +commit c19083c72ea72a1c12037bb3d708014632df80e4 upstream. + +Ever since 68129f431faa ("dma-buf: warn about containers in dma_resv object"), +dma_resv_add_shared_fence will warn if you attempt to add a container fence. +While most drivers were fine, fences can also be added to a dma_resv via the +recently added DMA_BUF_IOCTL_IMPORT_SYNC_FILE. Use dma_fence_unwrap_for_each +to add each fence one at a time. + +Fixes: 594740497e99 ("dma-buf: Add an API for importing sync files (v10)") +Signed-off-by: Jason Ekstrand +Reported-by: Sarah Walker +Reviewed-by: Christian König +CC: stable@vger.kernel.org +Link: https://patchwork.freedesktop.org/patch/msgid/20220802210158.4162525-1-jason.ekstrand@collabora.com +Signed-off-by: Christian König +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma-buf/dma-buf.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c +index dd0f83ee505b..e6f36c014c4c 100644 +--- a/drivers/dma-buf/dma-buf.c ++++ b/drivers/dma-buf/dma-buf.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -391,8 +392,10 @@ static long dma_buf_import_sync_file(struct dma_buf *dmabuf, + const void __user *user_data) + { + struct dma_buf_import_sync_file arg; +- struct dma_fence *fence; ++ struct dma_fence *fence, *f; + enum dma_resv_usage usage; ++ struct dma_fence_unwrap iter; ++ unsigned int num_fences; + int ret = 0; + + if (copy_from_user(&arg, user_data, sizeof(arg))) +@@ -411,13 +414,21 @@ static long dma_buf_import_sync_file(struct dma_buf *dmabuf, + usage = (arg.flags & DMA_BUF_SYNC_WRITE) ? DMA_RESV_USAGE_WRITE : + DMA_RESV_USAGE_READ; + +- dma_resv_lock(dmabuf->resv, NULL); ++ num_fences = 0; ++ dma_fence_unwrap_for_each(f, &iter, fence) ++ ++num_fences; + +- ret = dma_resv_reserve_fences(dmabuf->resv, 1); +- if (!ret) +- dma_resv_add_fence(dmabuf->resv, fence, usage); ++ if (num_fences > 0) { ++ dma_resv_lock(dmabuf->resv, NULL); + +- dma_resv_unlock(dmabuf->resv); ++ ret = dma_resv_reserve_fences(dmabuf->resv, num_fences); ++ if (!ret) { ++ dma_fence_unwrap_for_each(f, &iter, fence) ++ dma_resv_add_fence(dmabuf->resv, f, usage); ++ } ++ ++ dma_resv_unlock(dmabuf->resv); ++ } + + dma_fence_put(fence); + +-- +2.38.1 + diff --git a/queue-6.0/ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch b/queue-6.0/ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch new file mode 100644 index 00000000000..f1b0665673d --- /dev/null +++ b/queue-6.0/ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch @@ -0,0 +1,101 @@ +From f6b1a1cf1c3ee430d3f5e47847047ce789a690aa Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Thu, 22 Sep 2022 20:04:34 +0800 +Subject: ext4: fix use-after-free in ext4_ext_shift_extents +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Baokun Li + +commit f6b1a1cf1c3ee430d3f5e47847047ce789a690aa upstream. + +If the starting position of our insert range happens to be in the hole +between the two ext4_extent_idx, because the lblk of the ext4_extent in +the previous ext4_extent_idx is always less than the start, which leads +to the "extent" variable access across the boundary, the following UAF is +triggered: +================================================================== +BUG: KASAN: use-after-free in ext4_ext_shift_extents+0x257/0x790 +Read of size 4 at addr ffff88819807a008 by task fallocate/8010 +CPU: 3 PID: 8010 Comm: fallocate Tainted: G E 5.10.0+ #492 +Call Trace: + dump_stack+0x7d/0xa3 + print_address_description.constprop.0+0x1e/0x220 + kasan_report.cold+0x67/0x7f + ext4_ext_shift_extents+0x257/0x790 + ext4_insert_range+0x5b6/0x700 + ext4_fallocate+0x39e/0x3d0 + vfs_fallocate+0x26f/0x470 + ksys_fallocate+0x3a/0x70 + __x64_sys_fallocate+0x4f/0x60 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +================================================================== + +For right shifts, we can divide them into the following situations: + +1. When the first ee_block of ext4_extent_idx is greater than or equal to + start, make right shifts directly from the first ee_block. + 1) If it is greater than start, we need to continue searching in the + previous ext4_extent_idx. + 2) If it is equal to start, we can exit the loop (iterator=NULL). + +2. When the first ee_block of ext4_extent_idx is less than start, then + traverse from the last extent to find the first extent whose ee_block + is less than start. + 1) If extent is still the last extent after traversal, it means that + the last ee_block of ext4_extent_idx is less than start, that is, + start is located in the hole between idx and (idx+1), so we can + exit the loop directly (break) without right shifts. + 2) Otherwise, make right shifts at the corresponding position of the + found extent, and then exit the loop (iterator=NULL). + +Fixes: 331573febb6a ("ext4: Add support FALLOC_FL_INSERT_RANGE for fallocate") +Cc: stable@vger.kernel.org # v4.2+ +Signed-off-by: Zhihao Cheng +Signed-off-by: Baokun Li +Link: https://lore.kernel.org/r/20220922120434.1294789-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/extents.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -5183,6 +5183,7 @@ ext4_ext_shift_extents(struct inode *ino + * and it is decreased till we reach start. + */ + again: ++ ret = 0; + if (SHIFT == SHIFT_LEFT) + iterator = &start; + else +@@ -5226,14 +5227,21 @@ again: + ext4_ext_get_actual_len(extent); + } else { + extent = EXT_FIRST_EXTENT(path[depth].p_hdr); +- if (le32_to_cpu(extent->ee_block) > 0) ++ if (le32_to_cpu(extent->ee_block) > start) + *iterator = le32_to_cpu(extent->ee_block) - 1; +- else +- /* Beginning is reached, end of the loop */ ++ else if (le32_to_cpu(extent->ee_block) == start) + iterator = NULL; +- /* Update path extent in case we need to stop */ +- while (le32_to_cpu(extent->ee_block) < start) ++ else { ++ extent = EXT_LAST_EXTENT(path[depth].p_hdr); ++ while (le32_to_cpu(extent->ee_block) >= start) ++ extent--; ++ ++ if (extent == EXT_LAST_EXTENT(path[depth].p_hdr)) ++ break; ++ + extent++; ++ iterator = NULL; ++ } + path[depth].p_ext = extent; + } + ret = ext4_ext_shift_path_extents(path, shift, inode, diff --git a/queue-6.0/kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch b/queue-6.0/kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch new file mode 100644 index 00000000000..7f88290c213 --- /dev/null +++ b/queue-6.0/kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch @@ -0,0 +1,44 @@ +From 50c697215a8cc22f0e58c88f06f2716c05a26e85 Mon Sep 17 00:00:00 2001 +From: Sam James +Date: Wed, 16 Nov 2022 18:26:34 +0000 +Subject: kbuild: fix -Wimplicit-function-declaration in license_is_gpl_compatible + +From: Sam James + +commit 50c697215a8cc22f0e58c88f06f2716c05a26e85 upstream. + +Add missing include for strcmp. + +Clang 16 makes -Wimplicit-function-declaration an error by default. +Unfortunately, out of tree modules may use this in configure scripts, +which means failure might cause silent miscompilation or misconfiguration. + +For more information, see LWN.net [0] or LLVM's Discourse [1], gentoo-dev@ [2], +or the (new) c-std-porting mailing list [3]. + +[0] https://lwn.net/Articles/913505/ +[1] https://discourse.llvm.org/t/configure-script-breakage-with-the-new-werror-implicit-function-declaration/65213 +[2] https://archives.gentoo.org/gentoo-dev/message/dd9f2d3082b8b6f8dfbccb0639e6e240 +[3] hosted at lists.linux.dev. + +[akpm@linux-foundation.org: remember "linux/"] +Link: https://lkml.kernel.org/r/20221116182634.2823136-1-sam@gentoo.org +Signed-off-by: Sam James +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/license.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/linux/license.h ++++ b/include/linux/license.h +@@ -2,6 +2,8 @@ + #ifndef __LICENSE_H + #define __LICENSE_H + ++#include ++ + static inline int license_is_gpl_compatible(const char *license) + { + return (strcmp(license, "GPL") == 0 diff --git a/queue-6.0/series b/queue-6.0/series index bbbf3a90de9..8315de05453 100644 --- a/queue-6.0/series +++ b/queue-6.0/series @@ -158,6 +158,16 @@ s390-crashdump-fix-tod-programmable-field-size.patch io_uring-filetable-fix-file-reference-underflow.patch io_uring-poll-fix-poll_refs-race-with-cancelation.patch lib-vdso-use-grep-e-instead-of-egrep.patch +can-gs_usb-remove-dma-allocations.patch +usb-dwc3-exynos-fix-remove-function.patch +usb-cdnsp-fix-issue-with-clear-feature-halt-endpoint.patch +usb-cdnsp-fix-issue-with-zlp-added-td_size-1.patch +dma-buf-use-dma_fence_unwrap_for_each-when-importing-fences.patch +cifs-fix-missing-unlock-in-cifs_file_copychunk_range.patch +cifs-use-after-free-in-debug-code.patch +ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch +arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch +kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch init-kconfig-fix-cc_has_asm_goto_tied_output-test-wi.patch nfsd-fix-reads-with-a-non-zero-offset-that-don-t-end.patch nios2-add-force-for-vmlinuz.gz.patch diff --git a/queue-6.0/usb-cdnsp-fix-issue-with-clear-feature-halt-endpoint.patch b/queue-6.0/usb-cdnsp-fix-issue-with-clear-feature-halt-endpoint.patch new file mode 100644 index 00000000000..2163aa24396 --- /dev/null +++ b/queue-6.0/usb-cdnsp-fix-issue-with-clear-feature-halt-endpoint.patch @@ -0,0 +1,66 @@ +From b25264f22b498dff3fa5c70c9bea840e83fff0d1 Mon Sep 17 00:00:00 2001 +From: Pawel Laszczak +Date: Thu, 10 Nov 2022 01:30:05 -0500 +Subject: usb: cdnsp: Fix issue with Clear Feature Halt Endpoint + +From: Pawel Laszczak + +commit b25264f22b498dff3fa5c70c9bea840e83fff0d1 upstream. + +During handling Clear Halt Endpoint Feature request, driver invokes +Reset Endpoint command. Because this command has some issue with +transition endpoint from Running to Idle state the driver must +stop the endpoint by using Stop Endpoint command. + +cc: +Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") +Reviewed-by: Peter Chen +Signed-off-by: Pawel Laszczak +Link: https://lore.kernel.org/r/20221110063005.370656-1-pawell@cadence.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/cdnsp-gadget.c | 12 ++++-------- + drivers/usb/cdns3/cdnsp-ring.c | 3 ++- + 2 files changed, 6 insertions(+), 9 deletions(-) + +--- a/drivers/usb/cdns3/cdnsp-gadget.c ++++ b/drivers/usb/cdns3/cdnsp-gadget.c +@@ -600,11 +600,11 @@ int cdnsp_halt_endpoint(struct cdnsp_dev + + trace_cdnsp_ep_halt(value ? "Set" : "Clear"); + +- if (value) { +- ret = cdnsp_cmd_stop_ep(pdev, pep); +- if (ret) +- return ret; ++ ret = cdnsp_cmd_stop_ep(pdev, pep); ++ if (ret) ++ return ret; + ++ if (value) { + if (GET_EP_CTX_STATE(pep->out_ctx) == EP_STATE_STOPPED) { + cdnsp_queue_halt_endpoint(pdev, pep->idx); + cdnsp_ring_cmd_db(pdev); +@@ -613,10 +613,6 @@ int cdnsp_halt_endpoint(struct cdnsp_dev + + pep->ep_state |= EP_HALTED; + } else { +- /* +- * In device mode driver can call reset endpoint command +- * from any endpoint state. +- */ + cdnsp_queue_reset_ep(pdev, pep->idx); + cdnsp_ring_cmd_db(pdev); + ret = cdnsp_wait_for_cmd_compl(pdev); +--- a/drivers/usb/cdns3/cdnsp-ring.c ++++ b/drivers/usb/cdns3/cdnsp-ring.c +@@ -2076,7 +2076,8 @@ int cdnsp_cmd_stop_ep(struct cdnsp_devic + u32 ep_state = GET_EP_CTX_STATE(pep->out_ctx); + int ret = 0; + +- if (ep_state == EP_STATE_STOPPED || ep_state == EP_STATE_DISABLED) { ++ if (ep_state == EP_STATE_STOPPED || ep_state == EP_STATE_DISABLED || ++ ep_state == EP_STATE_HALTED) { + trace_cdnsp_ep_stopped_or_disabled(pep->out_ctx); + goto ep_stopped; + } diff --git a/queue-6.0/usb-cdnsp-fix-issue-with-zlp-added-td_size-1.patch b/queue-6.0/usb-cdnsp-fix-issue-with-zlp-added-td_size-1.patch new file mode 100644 index 00000000000..83820c65766 --- /dev/null +++ b/queue-6.0/usb-cdnsp-fix-issue-with-zlp-added-td_size-1.patch @@ -0,0 +1,70 @@ +From 7a21b27aafa3edead79ed97e6f22236be6b9f447 Mon Sep 17 00:00:00 2001 +From: Pawel Laszczak +Date: Tue, 15 Nov 2022 04:22:18 -0500 +Subject: usb: cdnsp: fix issue with ZLP - added TD_SIZE = 1 + +From: Pawel Laszczak + +commit 7a21b27aafa3edead79ed97e6f22236be6b9f447 upstream. + +Patch modifies the TD_SIZE in TRB before ZLP TRB. +The TD_SIZE in TRB before ZLP TRB must be set to 1 to force +processing ZLP TRB by controller. + +cc: +Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") +Signed-off-by: Pawel Laszczak +Reviewed-by: Peter Chen +Link: https://lore.kernel.org/r/20221115092218.421267-1-pawell@cadence.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/cdnsp-ring.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/usb/cdns3/cdnsp-ring.c ++++ b/drivers/usb/cdns3/cdnsp-ring.c +@@ -1763,10 +1763,15 @@ static u32 cdnsp_td_remainder(struct cdn + int trb_buff_len, + unsigned int td_total_len, + struct cdnsp_request *preq, +- bool more_trbs_coming) ++ bool more_trbs_coming, ++ bool zlp) + { + u32 maxp, total_packet_count; + ++ /* Before ZLP driver needs set TD_SIZE = 1. */ ++ if (zlp) ++ return 1; ++ + /* One TRB with a zero-length data packet. */ + if (!more_trbs_coming || (transferred == 0 && trb_buff_len == 0) || + trb_buff_len == td_total_len) +@@ -1960,7 +1965,8 @@ int cdnsp_queue_bulk_tx(struct cdnsp_dev + /* Set the TRB length, TD size, and interrupter fields. */ + remainder = cdnsp_td_remainder(pdev, enqd_len, trb_buff_len, + full_len, preq, +- more_trbs_coming); ++ more_trbs_coming, ++ zero_len_trb); + + length_field = TRB_LEN(trb_buff_len) | TRB_TD_SIZE(remainder) | + TRB_INTR_TARGET(0); +@@ -2025,7 +2031,7 @@ int cdnsp_queue_ctrl_tx(struct cdnsp_dev + + if (preq->request.length > 0) { + remainder = cdnsp_td_remainder(pdev, 0, preq->request.length, +- preq->request.length, preq, 1); ++ preq->request.length, preq, 1, 0); + + length_field = TRB_LEN(preq->request.length) | + TRB_TD_SIZE(remainder) | TRB_INTR_TARGET(0); +@@ -2226,7 +2232,7 @@ static int cdnsp_queue_isoc_tx(struct cd + /* Set the TRB length, TD size, & interrupter fields. */ + remainder = cdnsp_td_remainder(pdev, running_total, + trb_buff_len, td_len, preq, +- more_trbs_coming); ++ more_trbs_coming, 0); + + length_field = TRB_LEN(trb_buff_len) | TRB_INTR_TARGET(0); + diff --git a/queue-6.0/usb-dwc3-exynos-fix-remove-function.patch b/queue-6.0/usb-dwc3-exynos-fix-remove-function.patch new file mode 100644 index 00000000000..5f2c8b0caaa --- /dev/null +++ b/queue-6.0/usb-dwc3-exynos-fix-remove-function.patch @@ -0,0 +1,51 @@ +From e0481e5b3cc12ea7ccf4552d41518c89d3509004 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Thu, 10 Nov 2022 16:41:31 +0100 +Subject: usb: dwc3: exynos: Fix remove() function + +From: Marek Szyprowski + +commit e0481e5b3cc12ea7ccf4552d41518c89d3509004 upstream. + +The core DWC3 device node was not properly removed by the custom +dwc3_exynos_remove_child() function. Replace it with generic +of_platform_depopulate() which does that job right. + +Fixes: adcf20dcd262 ("usb: dwc3: exynos: Use of_platform API to create dwc3 core pdev") +Signed-off-by: Marek Szyprowski +Acked-by: Thinh Nguyen +Cc: stable@vger.kernel.org +Reviewed-by: Sam Protsenko +Link: https://lore.kernel.org/r/20221110154131.2577-1-m.szyprowski@samsung.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-exynos.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +--- a/drivers/usb/dwc3/dwc3-exynos.c ++++ b/drivers/usb/dwc3/dwc3-exynos.c +@@ -37,15 +37,6 @@ struct dwc3_exynos { + struct regulator *vdd10; + }; + +-static int dwc3_exynos_remove_child(struct device *dev, void *unused) +-{ +- struct platform_device *pdev = to_platform_device(dev); +- +- platform_device_unregister(pdev); +- +- return 0; +-} +- + static int dwc3_exynos_probe(struct platform_device *pdev) + { + struct dwc3_exynos *exynos; +@@ -142,7 +133,7 @@ static int dwc3_exynos_remove(struct pla + struct dwc3_exynos *exynos = platform_get_drvdata(pdev); + int i; + +- device_for_each_child(&pdev->dev, NULL, dwc3_exynos_remove_child); ++ of_platform_depopulate(&pdev->dev); + + for (i = exynos->num_clks - 1; i >= 0; i--) + clk_disable_unprepare(exynos->clks[i]);