From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 17 Jun 2024 09:13:06 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v6.1.95~131
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=43f3536cf6868afeb567d55515047529539fb835;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	mei-me-release-irq-in-mei_me_pci_resume-error-path.patch
	usb-class-cdc-wdm-fix-cpu-lockup-caused-by-excessive-log-messages.patch
	usb-typec-tcpm-ignore-received-hard-reset-in-toggling-state.patch
---

diff --git a/queue-5.15/mei-me-release-irq-in-mei_me_pci_resume-error-path.patch b/queue-5.15/mei-me-release-irq-in-mei_me_pci_resume-error-path.patch
new file mode 100644
index 00000000000..ad465ed2c21
--- /dev/null
+++ b/queue-5.15/mei-me-release-irq-in-mei_me_pci_resume-error-path.patch
@@ -0,0 +1,35 @@
+From 283cb234ef95d94c61f59e1cd070cd9499b51292 Mon Sep 17 00:00:00 2001
+From: Tomas Winkler <tomas.winkler@intel.com>
+Date: Tue, 4 Jun 2024 12:07:28 +0300
+Subject: mei: me: release irq in mei_me_pci_resume error path
+
+From: Tomas Winkler <tomas.winkler@intel.com>
+
+commit 283cb234ef95d94c61f59e1cd070cd9499b51292 upstream.
+
+The mei_me_pci_resume doesn't release irq on the error path,
+in case mei_start() fails.
+
+Cc: <stable@kernel.org>
+Fixes: 33ec08263147 ("mei: revamp mei reset state machine")
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Link: https://lore.kernel.org/r/20240604090728.1027307-1-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/pci-me.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -400,8 +400,10 @@ static int mei_me_pci_resume(struct devi
+ 	}
+ 
+ 	err = mei_restart(dev);
+-	if (err)
++	if (err) {
++		free_irq(pdev->irq, dev);
+ 		return err;
++	}
+ 
+ 	/* Start timer if stopped in suspend */
+ 	schedule_delayed_work(&dev->timer_work, HZ);
diff --git a/queue-5.15/series b/queue-5.15/series
index eac553070fe..74588bf9225 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -84,3 +84,6 @@ btrfs-fix-leak-of-qgroup-extent-records-after-transa.patch
 nilfs2-remove-check-for-pageerror.patch
 nilfs2-return-the-mapped-address-from-nilfs_get_page.patch
 nilfs2-fix-nilfs_empty_dir-misjudgment-and-long-loop.patch
+usb-class-cdc-wdm-fix-cpu-lockup-caused-by-excessive-log-messages.patch
+usb-typec-tcpm-ignore-received-hard-reset-in-toggling-state.patch
+mei-me-release-irq-in-mei_me_pci_resume-error-path.patch
diff --git a/queue-5.15/usb-class-cdc-wdm-fix-cpu-lockup-caused-by-excessive-log-messages.patch b/queue-5.15/usb-class-cdc-wdm-fix-cpu-lockup-caused-by-excessive-log-messages.patch
new file mode 100644
index 00000000000..8558bedaa3d
--- /dev/null
+++ b/queue-5.15/usb-class-cdc-wdm-fix-cpu-lockup-caused-by-excessive-log-messages.patch
@@ -0,0 +1,78 @@
+From 22f00812862564b314784167a89f27b444f82a46 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Thu, 13 Jun 2024 21:30:43 -0400
+Subject: USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 22f00812862564b314784167a89f27b444f82a46 upstream.
+
+The syzbot fuzzer found that the interrupt-URB completion callback in
+the cdc-wdm driver was taking too long, and the driver's immediate
+resubmission of interrupt URBs with -EPROTO status combined with the
+dummy-hcd emulation to cause a CPU lockup:
+
+cdc_wdm 1-1:1.0: nonzero urb status received: -71
+cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes
+watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]
+CPU#0 Utilization every 4s during lockup:
+	#1:  98% system,	  0% softirq,	  3% hardirq,	  0% idle
+	#2:  98% system,	  0% softirq,	  3% hardirq,	  0% idle
+	#3:  98% system,	  0% softirq,	  3% hardirq,	  0% idle
+	#4:  98% system,	  0% softirq,	  3% hardirq,	  0% idle
+	#5:  98% system,	  1% softirq,	  3% hardirq,	  0% idle
+Modules linked in:
+irq event stamp: 73096
+hardirqs last  enabled at (73095): [<ffff80008037bc00>] console_emit_next_record kernel/printk/printk.c:2935 [inline]
+hardirqs last  enabled at (73095): [<ffff80008037bc00>] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994
+hardirqs last disabled at (73096): [<ffff80008af10b00>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
+hardirqs last disabled at (73096): [<ffff80008af10b00>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
+softirqs last  enabled at (73048): [<ffff8000801ea530>] softirq_handle_end kernel/softirq.c:400 [inline]
+softirqs last  enabled at (73048): [<ffff8000801ea530>] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582
+softirqs last disabled at (73043): [<ffff800080020de8>] __do_softirq+0x14/0x20 kernel/softirq.c:588
+CPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G        W          6.10.0-rc2-syzkaller-g8867bbd4a056 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
+
+Testing showed that the problem did not occur if the two error
+messages -- the first two lines above -- were removed; apparently adding
+material to the kernel log takes a surprisingly large amount of time.
+
+In any case, the best approach for preventing these lockups and to
+avoid spamming the log with thousands of error messages per second is
+to ratelimit the two dev_err() calls.  Therefore we replace them with
+dev_err_ratelimited().
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Suggested-by: Greg KH <gregkh@linuxfoundation.org>
+Reported-and-tested-by: syzbot+5f996b83575ef4058638@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-usb/00000000000073d54b061a6a1c65@google.com/
+Reported-and-tested-by: syzbot+1b2abad17596ad03dcff@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-usb/000000000000f45085061aa9b37e@google.com/
+Fixes: 9908a32e94de ("USB: remove err() macro from usb class drivers")
+Link: https://lore.kernel.org/linux-usb/40dfa45b-5f21-4eef-a8c1-51a2f320e267@rowland.harvard.edu/
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/29855215-52f5-4385-b058-91f42c2bee18@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-wdm.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -266,14 +266,14 @@ static void wdm_int_callback(struct urb
+ 			dev_err(&desc->intf->dev, "Stall on int endpoint\n");
+ 			goto sw; /* halt is cleared in work */
+ 		default:
+-			dev_err(&desc->intf->dev,
++			dev_err_ratelimited(&desc->intf->dev,
+ 				"nonzero urb status received: %d\n", status);
+ 			break;
+ 		}
+ 	}
+ 
+ 	if (urb->actual_length < sizeof(struct usb_cdc_notification)) {
+-		dev_err(&desc->intf->dev, "wdm_int_callback - %d bytes\n",
++		dev_err_ratelimited(&desc->intf->dev, "wdm_int_callback - %d bytes\n",
+ 			urb->actual_length);
+ 		goto exit;
+ 	}
diff --git a/queue-5.15/usb-typec-tcpm-ignore-received-hard-reset-in-toggling-state.patch b/queue-5.15/usb-typec-tcpm-ignore-received-hard-reset-in-toggling-state.patch
new file mode 100644
index 00000000000..5ae08bd117a
--- /dev/null
+++ b/queue-5.15/usb-typec-tcpm-ignore-received-hard-reset-in-toggling-state.patch
@@ -0,0 +1,54 @@
+From fc8fb9eea94d8f476e15f3a4a7addeb16b3b99d6 Mon Sep 17 00:00:00 2001
+From: Kyle Tso <kyletso@google.com>
+Date: Mon, 20 May 2024 23:48:58 +0800
+Subject: usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state
+
+From: Kyle Tso <kyletso@google.com>
+
+commit fc8fb9eea94d8f476e15f3a4a7addeb16b3b99d6 upstream.
+
+Similar to what fixed in Commit a6fe37f428c1 ("usb: typec: tcpm: Skip
+hard reset when in error recovery"), the handling of the received Hard
+Reset has to be skipped during TOGGLING state.
+
+[ 4086.021288] VBUS off
+[ 4086.021295] pending state change SNK_READY -> SNK_UNATTACHED @ 650 ms [rev2 NONE_AMS]
+[ 4086.022113] VBUS VSAFE0V
+[ 4086.022117] state change SNK_READY -> SNK_UNATTACHED [rev2 NONE_AMS]
+[ 4086.022447] VBUS off
+[ 4086.022450] state change SNK_UNATTACHED -> SNK_UNATTACHED [rev2 NONE_AMS]
+[ 4086.023060] VBUS VSAFE0V
+[ 4086.023064] state change SNK_UNATTACHED -> SNK_UNATTACHED [rev2 NONE_AMS]
+[ 4086.023070] disable BIST MODE TESTDATA
+[ 4086.023766] disable vbus discharge ret:0
+[ 4086.023911] Setting usb_comm capable false
+[ 4086.028874] Setting voltage/current limit 0 mV 0 mA
+[ 4086.028888] polarity 0
+[ 4086.030305] Requesting mux state 0, usb-role 0, orientation 0
+[ 4086.033539] Start toggling
+[ 4086.038496] state change SNK_UNATTACHED -> TOGGLING [rev2 NONE_AMS]
+
+// This Hard Reset is unexpected
+[ 4086.038499] Received hard reset
+[ 4086.038501] state change TOGGLING -> HARD_RESET_START [rev2 HARD_RESET]
+
+Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kyle Tso <kyletso@google.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20240520154858.1072347-1-kyletso@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/tcpm.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -5351,6 +5351,7 @@ static void _tcpm_pd_hard_reset(struct t
+ 		port->tcpc->set_bist_data(port->tcpc, false);
+ 
+ 	switch (port->state) {
++	case TOGGLING:
+ 	case ERROR_RECOVERY:
+ 	case PORT_RESET:
+ 	case PORT_RESET_WAIT_OFF: