From: Greg Kroah-Hartman Date: Mon, 22 May 2023 17:46:02 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.3.4~25 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5378eb8d43e0d2775d613c8cba3763f19a6bad13;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch alsa-hda-fix-oops-by-9.1-surround-channel-names.patch alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch alsa-hda-realtek-add-quirk-for-clevo-l140au.patch alsa-hda-realtek-add-quirk-for-hp-elitebook-g10-laptops.patch alsa-hda-realtek-fix-mute-and-micmute-leds-for-yet-another-hp-laptop.patch alsa-usb-audio-add-a-sample-rate-workaround-for-line6-pod-go.patch can-isotp-recvmsg-allow-msg_cmsg_compat-flag.patch can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch can-kvaser_pciefd-empty-srb-buffer-in-probe.patch can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch ceph-force-updating-the-msg-pointer-in-non-split-case.patch ksmbd-allocate-one-more-byte-for-implied-bcc.patch ksmbd-fix-global-out-of-bounds-in-smb2_find_context_vals.patch ksmbd-fix-wrong-username-check-in-session_user.patch ksmbd-smb2-allow-messages-padded-to-8byte-boundary.patch kvm-fix-vcpu_array-races.patch maple_tree-make-maple-state-reusable-after-mas_empty_area.patch mm-fix-zswap-writeback-race-condition.patch revert-usb-gadget-udc-core-invoke-usb_gadget_connect-only-when-started.patch revert-usb-gadget-udc-core-prevent-redundant-calls-to-pullup.patch serial-8250_exar-add-support-for-usr298x-pci-modems.patch serial-add-support-for-advantech-pci-1611u-card.patch serial-qcom-geni-fix-enabling-deactivated-interrupt.patch smb3-close-all-deferred-handles-of-inode-in-case-of-handle-lease-break.patch smb3-drop-reference-to-cfile-before-sending-oplock-break.patch statfs-enforce-statfs-structure-initialization.patch thunderbolt-clear-registers-properly-when-auto-clear-isn-t-in-use.patch usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch usb-dwc3-gadget-improve-dwc3_gadget_suspend-and-dwc3_gadget_resume.patch usb-gadget-u_ether-fix-host-mac-address-case.patch usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch usb-typec-altmodes-displayport-fix-pin_assignment_show.patch usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch vc_screen-reload-load-of-struct-vc_data-pointer-in-vcs_write-to-avoid-uaf.patch wifi-rtw88-use-work-to-update-rate-to-avoid-rcu-warning.patch xhci-fix-incorrect-tracking-of-free-space-on-transfer-rings.patch xhci-pci-only-run-d3cold-avoidance-quirk-for-s2idle.patch --- diff --git a/queue-6.1/alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch b/queue-6.1/alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch new file mode 100644 index 00000000000..7369c52cc9c --- /dev/null +++ b/queue-6.1/alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch @@ -0,0 +1,38 @@ +From dc4f2ccaedddb489a83e7b12ebbdc347272aacc9 Mon Sep 17 00:00:00 2001 +From: Nikhil Mahale +Date: Wed, 17 May 2023 14:37:36 +0530 +Subject: ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table + +From: Nikhil Mahale + +commit dc4f2ccaedddb489a83e7b12ebbdc347272aacc9 upstream. + +These IDs are for AD102, AD103, AD104, AD106, and AD107 gpus with +audio functions that are largely similar to the existing ones. + +Tested audio using gnome-settings, over HDMI, DP-SST and DP-MST +connections on AD106 gpu. + +Signed-off-by: Nikhil Mahale +Cc: +Link: https://lore.kernel.org/r/20230517090736.15088-1-nmahale@nvidia.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_hdmi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -4577,6 +4577,11 @@ HDA_CODEC_ENTRY(0x10de009d, "GPU 9d HDMI + HDA_CODEC_ENTRY(0x10de009e, "GPU 9e HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de009f, "GPU 9f HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de00a0, "GPU a0 HDMI/DP", patch_nvhdmi), ++HDA_CODEC_ENTRY(0x10de00a3, "GPU a3 HDMI/DP", patch_nvhdmi), ++HDA_CODEC_ENTRY(0x10de00a4, "GPU a4 HDMI/DP", patch_nvhdmi), ++HDA_CODEC_ENTRY(0x10de00a5, "GPU a5 HDMI/DP", patch_nvhdmi), ++HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi), ++HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch), + HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI", patch_nvhdmi_2ch), + HDA_CODEC_ENTRY(0x11069f80, "VX900 HDMI/DP", patch_via_hdmi), diff --git a/queue-6.1/alsa-hda-fix-oops-by-9.1-surround-channel-names.patch b/queue-6.1/alsa-hda-fix-oops-by-9.1-surround-channel-names.patch new file mode 100644 index 00000000000..caa748d94be --- /dev/null +++ b/queue-6.1/alsa-hda-fix-oops-by-9.1-surround-channel-names.patch @@ -0,0 +1,57 @@ +From 3b44ec8c5c44790a82f07e90db45643c762878c6 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 16 May 2023 20:44:12 +0200 +Subject: ALSA: hda: Fix Oops by 9.1 surround channel names + +From: Takashi Iwai + +commit 3b44ec8c5c44790a82f07e90db45643c762878c6 upstream. + +get_line_out_pfx() may trigger an Oops by overflowing the static array +with more than 8 channels. This was reported for MacBookPro 12,1 with +Cirrus codec. + +As a workaround, extend for the 9.1 channels and also fix the +potential Oops by unifying the code paths accessing the same array +with the proper size check. + +Reported-by: Olliver Schinagl +Cc: +Link: https://lore.kernel.org/r/64d95eb0-dbdb-cff8-a8b1-988dc22b24cd@schinagl.nl +Link: https://lore.kernel.org/r/20230516184412.24078-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/hda_generic.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -1155,8 +1155,8 @@ static bool path_has_mixer(struct hda_co + return path && path->ctls[ctl_type]; + } + +-static const char * const channel_name[4] = { +- "Front", "Surround", "CLFE", "Side" ++static const char * const channel_name[] = { ++ "Front", "Surround", "CLFE", "Side", "Back", + }; + + /* give some appropriate ctl name prefix for the given line out channel */ +@@ -1182,7 +1182,7 @@ static const char *get_line_out_pfx(stru + + /* multi-io channels */ + if (ch >= cfg->line_outs) +- return channel_name[ch]; ++ goto fixed_name; + + switch (cfg->line_out_type) { + case AUTO_PIN_SPEAKER_OUT: +@@ -1234,6 +1234,7 @@ static const char *get_line_out_pfx(stru + if (cfg->line_outs == 1 && !spec->multi_ios) + return "Line Out"; + ++ fixed_name: + if (ch >= ARRAY_SIZE(channel_name)) { + snd_BUG(); + return "PCM"; diff --git a/queue-6.1/alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch b/queue-6.1/alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch new file mode 100644 index 00000000000..317c7909322 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch @@ -0,0 +1,30 @@ +From 90670ef774a8b6700c38ce1222e6aa263be54d5f Mon Sep 17 00:00:00 2001 +From: Ai Chao +Date: Sat, 6 May 2023 10:26:53 +0800 +Subject: ALSA: hda/realtek: Add a quirk for HP EliteDesk 805 + +From: Ai Chao + +commit 90670ef774a8b6700c38ce1222e6aa263be54d5f upstream. + +Add a quirk for HP EliteDesk 805 to fixup ALC3867 headset MIC no sound. + +Signed-off-by: Ai Chao +Cc: +Link: https://lore.kernel.org/r/20230506022653.2074343-1-aichao@kylinos.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11664,6 +11664,7 @@ static const struct snd_pci_quirk alc662 + SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800), + SND_PCI_QUIRK(0x103c, 0x870c, "HP", ALC897_FIXUP_HP_HSMIC_VERB), + SND_PCI_QUIRK(0x103c, 0x8719, "HP", ALC897_FIXUP_HP_HSMIC_VERB), ++ SND_PCI_QUIRK(0x103c, 0x872b, "HP", ALC897_FIXUP_HP_HSMIC_VERB), + SND_PCI_QUIRK(0x103c, 0x873e, "HP", ALC671_FIXUP_HP_HEADSET_MIC2), + SND_PCI_QUIRK(0x103c, 0x877e, "HP 288 Pro G6", ALC671_FIXUP_HP_HEADSET_MIC2), + SND_PCI_QUIRK(0x103c, 0x885f, "HP 288 Pro G8", ALC671_FIXUP_HP_HEADSET_MIC2), diff --git a/queue-6.1/alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch b/queue-6.1/alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch new file mode 100644 index 00000000000..18762200ae4 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch @@ -0,0 +1,30 @@ +From a4671b7fba59775845ee60cfbdfc4ba64300211b Mon Sep 17 00:00:00 2001 +From: "Luke D. Jones" +Date: Sat, 6 May 2023 11:58:24 +1200 +Subject: ALSA: hda/realtek: Add quirk for 2nd ASUS GU603 + +From: Luke D. Jones + +commit a4671b7fba59775845ee60cfbdfc4ba64300211b upstream. + +Add quirk for GU603 with 0x1c62 variant of codec. + +Signed-off-by: Luke D. Jones +Cc: +Link: https://lore.kernel.org/r/20230505235824.49607-2-luke@ljones.dev +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9522,6 +9522,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1043, 0x1b13, "Asus U41SV", ALC269_FIXUP_INV_DMIC), + SND_PCI_QUIRK(0x1043, 0x1bbd, "ASUS Z550MA", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1c23, "Asus X55U", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), ++ SND_PCI_QUIRK(0x1043, 0x1c62, "ASUS GU603", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x1c92, "ASUS ROG Strix G15", ALC285_FIXUP_ASUS_G533Z_PINS), + SND_PCI_QUIRK(0x1043, 0x1ccd, "ASUS X555UB", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x1d42, "ASUS Zephyrus G14 2022", ALC289_FIXUP_ASUS_GA401), diff --git a/queue-6.1/alsa-hda-realtek-add-quirk-for-clevo-l140au.patch b/queue-6.1/alsa-hda-realtek-add-quirk-for-clevo-l140au.patch new file mode 100644 index 00000000000..488c3a79c62 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-quirk-for-clevo-l140au.patch @@ -0,0 +1,31 @@ +From 0a6b36c5dc3dda0196f4fb65bdb34c38b8d060c3 Mon Sep 17 00:00:00 2001 +From: Jeremy Soller +Date: Fri, 5 May 2023 10:36:51 -0600 +Subject: ALSA: hda/realtek: Add quirk for Clevo L140AU + +From: Jeremy Soller + +commit 0a6b36c5dc3dda0196f4fb65bdb34c38b8d060c3 upstream. + +Fixes headset detection on Clevo L140AU. + +Signed-off-by: Jeremy Soller +Signed-off-by: Tim Crawford +Cc: +Link: https://lore.kernel.org/r/20230505163651.21257-1-tcrawford@system76.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9618,6 +9618,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1558, 0x7716, "Clevo NS50PU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x7717, "Clevo NS70PU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x7718, "Clevo L140PU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x7724, "Clevo L140AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x8228, "Clevo NR40BU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x8520, "Clevo NH50D[CD]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x8521, "Clevo NH77D[CD]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), diff --git a/queue-6.1/alsa-hda-realtek-add-quirk-for-hp-elitebook-g10-laptops.patch b/queue-6.1/alsa-hda-realtek-add-quirk-for-hp-elitebook-g10-laptops.patch new file mode 100644 index 00000000000..80729caa451 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-quirk-for-hp-elitebook-g10-laptops.patch @@ -0,0 +1,54 @@ +From 3e10f6ca76c4d00019badebd235c9d7f0068261e Mon Sep 17 00:00:00 2001 +From: Vitaly Rodionov +Date: Wed, 10 May 2023 15:22:27 +0100 +Subject: ALSA: hda/realtek: Add quirk for HP EliteBook G10 laptops + +From: Vitaly Rodionov + +commit 3e10f6ca76c4d00019badebd235c9d7f0068261e upstream. + +Add support for HP EliteBook 835/845/845W/865 G10 laptops +with CS35L41 amplifiers on I2C/SPI bus connected to Realtek codec. + +Signed-off-by: Vitaly Rodionov +Cc: +Link: https://lore.kernel.org/r/20230510142227.32945-1-vitalyr@opensource.cirrus.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9458,7 +9458,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8aa3, "HP ProBook 450 G9 (MB 8AA1)", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8aa8, "HP EliteBook 640 G9 (MB 8AA6)", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8aab, "HP EliteBook 650 G9 (MB 8AA9)", ALC236_FIXUP_HP_GPIO_LED), +- SND_PCI_QUIRK(0x103c, 0x8abb, "HP ZBook Firefly 14 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8abb, "HP ZBook Firefly 14 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8ad1, "HP EliteBook 840 14 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8ad2, "HP EliteBook 860 16 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b42, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), +@@ -9469,8 +9469,13 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8b47, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b5d, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8b5e, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x8b63, "HP Elite Dragonfly 13.5 inch G4", ALC245_FIXUP_CS35L41_SPI_4_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b65, "HP ProBook 455 15.6 inch G10 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8b66, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x8b70, "HP EliteBook 835 G10", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x103c, 0x8b72, "HP EliteBook 845 G10", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x103c, 0x8b74, "HP EliteBook 845W G10", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x103c, 0x8b77, "HP ElieBook 865 G10", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8b7a, "HP", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b7d, "HP", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b87, "HP", ALC236_FIXUP_HP_GPIO_LED), +@@ -9481,6 +9486,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8b92, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b96, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8bf0, "HP", ALC236_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8c26, "HP HP EliteBook 800G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300), + SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), diff --git a/queue-6.1/alsa-hda-realtek-fix-mute-and-micmute-leds-for-yet-another-hp-laptop.patch b/queue-6.1/alsa-hda-realtek-fix-mute-and-micmute-leds-for-yet-another-hp-laptop.patch new file mode 100644 index 00000000000..ce5f52ffea1 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-fix-mute-and-micmute-leds-for-yet-another-hp-laptop.patch @@ -0,0 +1,31 @@ +From 9dc68a4fe70893b000fb3c92c68b9f72369cf448 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Fri, 12 May 2023 16:34:16 +0800 +Subject: ALSA: hda/realtek: Fix mute and micmute LEDs for yet another HP laptop + +From: Kai-Heng Feng + +commit 9dc68a4fe70893b000fb3c92c68b9f72369cf448 upstream. + +There's yet another laptop that needs the fixup to enable mute and +micmute LEDs. So do it accordingly. + +Signed-off-by: Kai-Heng Feng +Cc: +Link: https://lore.kernel.org/r/20230512083417.157127-1-kai.heng.feng@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9485,6 +9485,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8b8f, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b92, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b96, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x8b97, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8bf0, "HP", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8c26, "HP HP EliteBook 800G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), diff --git a/queue-6.1/alsa-usb-audio-add-a-sample-rate-workaround-for-line6-pod-go.patch b/queue-6.1/alsa-usb-audio-add-a-sample-rate-workaround-for-line6-pod-go.patch new file mode 100644 index 00000000000..2baa9751d17 --- /dev/null +++ b/queue-6.1/alsa-usb-audio-add-a-sample-rate-workaround-for-line6-pod-go.patch @@ -0,0 +1,32 @@ +From 359b4315471181f108723c61612d96e383e56179 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 12 May 2023 09:58:58 +0200 +Subject: ALSA: usb-audio: Add a sample rate workaround for Line6 Pod Go + +From: Takashi Iwai + +commit 359b4315471181f108723c61612d96e383e56179 upstream. + +Line6 Pod Go (0e41:424b) requires the similar workaround for the fixed +48k sample rate like other Line6 models. This patch adds the +corresponding entry to line6_parse_audio_format_rate_quirk(). + +Reported-by: John Humlick +Cc: +Link: https://lore.kernel.org/r/20230512075858.22813-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/format.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/usb/format.c ++++ b/sound/usb/format.c +@@ -423,6 +423,7 @@ static int line6_parse_audio_format_rate + case USB_ID(0x0e41, 0x4248): /* Line6 Helix >= fw 2.82 */ + case USB_ID(0x0e41, 0x4249): /* Line6 Helix Rack >= fw 2.82 */ + case USB_ID(0x0e41, 0x424a): /* Line6 Helix LT >= fw 2.82 */ ++ case USB_ID(0x0e41, 0x424b): /* Line6 Pod Go */ + case USB_ID(0x19f7, 0x0011): /* Rode Rodecaster Pro */ + return set_fixed_rate(fp, 48000, SNDRV_PCM_RATE_48000); + } diff --git a/queue-6.1/can-isotp-recvmsg-allow-msg_cmsg_compat-flag.patch b/queue-6.1/can-isotp-recvmsg-allow-msg_cmsg_compat-flag.patch new file mode 100644 index 00000000000..ec1fb428435 --- /dev/null +++ b/queue-6.1/can-isotp-recvmsg-allow-msg_cmsg_compat-flag.patch @@ -0,0 +1,37 @@ +From db2773d65b02aed319a93efdfb958087771d4e19 Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Thu, 6 Apr 2023 13:08:45 +0200 +Subject: can: isotp: recvmsg(): allow MSG_CMSG_COMPAT flag + +From: Oliver Hartkopp + +commit db2773d65b02aed319a93efdfb958087771d4e19 upstream. + +The control message provided by isotp support MSG_CMSG_COMPAT but +blocked recvmsg() syscalls that have set this flag, i.e. on 32bit user +space on 64 bit kernels. + +Link: https://github.com/hartkopp/can-isotp/issues/59 +Cc: Oleksij Rempel +Suggested-by: Marc Kleine-Budde +Signed-off-by: Oliver Hartkopp +Fixes: 42bf50a1795a ("can: isotp: support MSG_TRUNC flag when reading from socket") +Link: https://lore.kernel.org/20230505110308.81087-2-mkl@pengutronix.de +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/isotp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/can/isotp.c ++++ b/net/can/isotp.c +@@ -1106,7 +1106,7 @@ static int isotp_recvmsg(struct socket * + struct isotp_sock *so = isotp_sk(sk); + int ret = 0; + +- if (flags & ~(MSG_DONTWAIT | MSG_TRUNC | MSG_PEEK)) ++ if (flags & ~(MSG_DONTWAIT | MSG_TRUNC | MSG_PEEK | MSG_CMSG_COMPAT)) + return -EINVAL; + + if (!so->bound) diff --git a/queue-6.1/can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch b/queue-6.1/can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch new file mode 100644 index 00000000000..48a8c37e2f9 --- /dev/null +++ b/queue-6.1/can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch @@ -0,0 +1,39 @@ +From 1db080cbdbab28752bbb1c86d64daf96253a5da1 Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Thu, 6 Apr 2023 13:08:45 +0200 +Subject: can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag + +From: Oliver Hartkopp + +commit 1db080cbdbab28752bbb1c86d64daf96253a5da1 upstream. + +The control message provided by J1939 support MSG_CMSG_COMPAT but +blocked recvmsg() syscalls that have set this flag, i.e. on 32bit user +space on 64 bit kernels. + +Link: https://github.com/hartkopp/can-isotp/issues/59 +Cc: Oleksij Rempel +Suggested-by: Marc Kleine-Budde +Signed-off-by: Oliver Hartkopp +Tested-by: Oleksij Rempel +Acked-by: Oleksij Rempel +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Link: https://lore.kernel.org/20230505110308.81087-3-mkl@pengutronix.de +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/socket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/can/j1939/socket.c ++++ b/net/can/j1939/socket.c +@@ -798,7 +798,7 @@ static int j1939_sk_recvmsg(struct socke + struct j1939_sk_buff_cb *skcb; + int ret = 0; + +- if (flags & ~(MSG_DONTWAIT | MSG_ERRQUEUE)) ++ if (flags & ~(MSG_DONTWAIT | MSG_ERRQUEUE | MSG_CMSG_COMPAT)) + return -EINVAL; + + if (flags & MSG_ERRQUEUE) diff --git a/queue-6.1/can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch b/queue-6.1/can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch new file mode 100644 index 00000000000..b64deedbc57 --- /dev/null +++ b/queue-6.1/can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch @@ -0,0 +1,47 @@ +From 84762d8da89d29ba842317eb842973e628c27391 Mon Sep 17 00:00:00 2001 +From: Jimmy Assarsson +Date: Tue, 16 May 2023 15:43:15 +0200 +Subject: can: kvaser_pciefd: Call request_irq() before enabling interrupts + +From: Jimmy Assarsson + +commit 84762d8da89d29ba842317eb842973e628c27391 upstream. + +Make sure the interrupt handler is registered before enabling interrupts. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Cc: stable@vger.kernel.org +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/r/20230516134318.104279-4-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/kvaser_pciefd.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -1825,6 +1825,11 @@ static int kvaser_pciefd_probe(struct pc + if (err) + goto err_teardown_can_ctrls; + ++ err = request_irq(pcie->pci->irq, kvaser_pciefd_irq_handler, ++ IRQF_SHARED, KVASER_PCIEFD_DRV_NAME, pcie); ++ if (err) ++ goto err_teardown_can_ctrls; ++ + iowrite32(KVASER_PCIEFD_SRB_IRQ_DPD0 | KVASER_PCIEFD_SRB_IRQ_DPD1, + pcie->reg_base + KVASER_PCIEFD_SRB_IRQ_REG); + +@@ -1845,11 +1850,6 @@ static int kvaser_pciefd_probe(struct pc + iowrite32(KVASER_PCIEFD_SRB_CMD_RDB1, + pcie->reg_base + KVASER_PCIEFD_SRB_CMD_REG); + +- err = request_irq(pcie->pci->irq, kvaser_pciefd_irq_handler, +- IRQF_SHARED, KVASER_PCIEFD_DRV_NAME, pcie); +- if (err) +- goto err_teardown_can_ctrls; +- + err = kvaser_pciefd_reg_candev(pcie); + if (err) + goto err_free_irq; diff --git a/queue-6.1/can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch b/queue-6.1/can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch new file mode 100644 index 00000000000..ed07c80d7df --- /dev/null +++ b/queue-6.1/can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch @@ -0,0 +1,33 @@ +From bf7ac55e991ca177f1ac16be51152f1ef291a4df Mon Sep 17 00:00:00 2001 +From: Jimmy Assarsson +Date: Tue, 16 May 2023 15:43:14 +0200 +Subject: can: kvaser_pciefd: Clear listen-only bit if not explicitly requested + +From: Jimmy Assarsson + +commit bf7ac55e991ca177f1ac16be51152f1ef291a4df upstream. + +The listen-only bit was never cleared, causing the controller to +always use listen-only mode, if previously set. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Cc: stable@vger.kernel.org +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/r/20230516134318.104279-3-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/kvaser_pciefd.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -559,6 +559,8 @@ static void kvaser_pciefd_setup_controll + + if (can->can.ctrlmode & CAN_CTRLMODE_LISTENONLY) + mode |= KVASER_PCIEFD_KCAN_MODE_LOM; ++ else ++ mode &= ~KVASER_PCIEFD_KCAN_MODE_LOM; + + mode |= KVASER_PCIEFD_KCAN_MODE_EEN; + mode |= KVASER_PCIEFD_KCAN_MODE_EPEN; diff --git a/queue-6.1/can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch b/queue-6.1/can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch new file mode 100644 index 00000000000..290035c0eb7 --- /dev/null +++ b/queue-6.1/can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch @@ -0,0 +1,32 @@ +From 11164bc39459335ab93c6e99d53b7e4292fba38b Mon Sep 17 00:00:00 2001 +From: Jimmy Assarsson +Date: Tue, 16 May 2023 15:43:18 +0200 +Subject: can: kvaser_pciefd: Disable interrupts in probe error path + +From: Jimmy Assarsson + +commit 11164bc39459335ab93c6e99d53b7e4292fba38b upstream. + +Disable interrupts in error path of probe function. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Cc: stable@vger.kernel.org +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/r/20230516134318.104279-7-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/kvaser_pciefd.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -1861,6 +1861,8 @@ static int kvaser_pciefd_probe(struct pc + return 0; + + err_free_irq: ++ /* Disable PCI interrupts */ ++ iowrite32(0, pcie->reg_base + KVASER_PCIEFD_IEN_REG); + free_irq(pcie->pci->irq, pcie); + + err_teardown_can_ctrls: diff --git a/queue-6.1/can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch b/queue-6.1/can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch new file mode 100644 index 00000000000..26136d96809 --- /dev/null +++ b/queue-6.1/can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch @@ -0,0 +1,93 @@ +From 262d7a52ba27525e3c1203230c9f0524e48bbb34 Mon Sep 17 00:00:00 2001 +From: Jimmy Assarsson +Date: Tue, 16 May 2023 15:43:17 +0200 +Subject: can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt + +From: Jimmy Assarsson + +commit 262d7a52ba27525e3c1203230c9f0524e48bbb34 upstream. + +Under certain circumstances we send two EFLUSH commands, resulting in two +EFLUSH ack packets, while only expecting a single EFLUSH ack. +This can cause the driver Tx flush completion to get out of sync. + +To avoid this problem, don't enable the "Transmit buffer flush done" (TFD) +interrupt and remove the code handling it. +Now we only send EFLUSH command after receiving status packet with +"Init detected" (IDET) bit set. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Cc: stable@vger.kernel.org +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/r/20230516134318.104279-6-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/kvaser_pciefd.c | 21 ++++----------------- + 1 file changed, 4 insertions(+), 17 deletions(-) + +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -531,7 +531,7 @@ static int kvaser_pciefd_set_tx_irq(stru + KVASER_PCIEFD_KCAN_IRQ_TOF | KVASER_PCIEFD_KCAN_IRQ_ABD | + KVASER_PCIEFD_KCAN_IRQ_TAE | KVASER_PCIEFD_KCAN_IRQ_TAL | + KVASER_PCIEFD_KCAN_IRQ_FDIC | KVASER_PCIEFD_KCAN_IRQ_BPP | +- KVASER_PCIEFD_KCAN_IRQ_TAR | KVASER_PCIEFD_KCAN_IRQ_TFD; ++ KVASER_PCIEFD_KCAN_IRQ_TAR; + + iowrite32(msk, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + +@@ -579,7 +579,7 @@ static void kvaser_pciefd_start_controll + + spin_lock_irqsave(&can->lock, irq); + iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG); +- iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD | KVASER_PCIEFD_KCAN_IRQ_TFD, ++ iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD, + can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + + status = ioread32(can->reg_base + KVASER_PCIEFD_KCAN_STAT_REG); +@@ -622,7 +622,7 @@ static int kvaser_pciefd_bus_on(struct k + iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG); + +- iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD | KVASER_PCIEFD_KCAN_IRQ_TFD, ++ iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD, + can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + + mode = ioread32(can->reg_base + KVASER_PCIEFD_KCAN_MODE_REG); +@@ -1015,8 +1015,7 @@ static int kvaser_pciefd_setup_can_ctrls + SET_NETDEV_DEV(netdev, &pcie->pci->dev); + + iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG); +- iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD | +- KVASER_PCIEFD_KCAN_IRQ_TFD, ++ iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD, + can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + + pcie->can[i] = can; +@@ -1443,9 +1442,6 @@ static int kvaser_pciefd_handle_status_p + cmd = KVASER_PCIEFD_KCAN_CMD_AT; + cmd |= ++can->cmd_seq << KVASER_PCIEFD_KCAN_CMD_SEQ_SHIFT; + iowrite32(cmd, can->reg_base + KVASER_PCIEFD_KCAN_CMD_REG); +- +- iowrite32(KVASER_PCIEFD_KCAN_IRQ_TFD, +- can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + } else if (p->header[0] & KVASER_PCIEFD_SPACK_IDET && + p->header[0] & KVASER_PCIEFD_SPACK_IRM && + cmdseq == (p->header[1] & KVASER_PCIEFD_PACKET_SEQ_MSK) && +@@ -1732,15 +1728,6 @@ static int kvaser_pciefd_transmit_irq(st + if (irq & KVASER_PCIEFD_KCAN_IRQ_TOF) + netdev_err(can->can.dev, "Tx FIFO overflow\n"); + +- if (irq & KVASER_PCIEFD_KCAN_IRQ_TFD) { +- u8 count = ioread32(can->reg_base + +- KVASER_PCIEFD_KCAN_TX_NPACKETS_REG) & 0xff; +- +- if (count == 0) +- iowrite32(KVASER_PCIEFD_KCAN_CTRL_EFLUSH, +- can->reg_base + KVASER_PCIEFD_KCAN_CTRL_REG); +- } +- + if (irq & KVASER_PCIEFD_KCAN_IRQ_BPP) + netdev_err(can->can.dev, + "Fail to change bittiming, when not in reset mode\n"); diff --git a/queue-6.1/can-kvaser_pciefd-empty-srb-buffer-in-probe.patch b/queue-6.1/can-kvaser_pciefd-empty-srb-buffer-in-probe.patch new file mode 100644 index 00000000000..15e08e3b997 --- /dev/null +++ b/queue-6.1/can-kvaser_pciefd-empty-srb-buffer-in-probe.patch @@ -0,0 +1,71 @@ +From c589557dd1426f5adf90c7a919d4fde5a3e4ef64 Mon Sep 17 00:00:00 2001 +From: Jimmy Assarsson +Date: Tue, 16 May 2023 15:43:16 +0200 +Subject: can: kvaser_pciefd: Empty SRB buffer in probe + +From: Jimmy Assarsson + +commit c589557dd1426f5adf90c7a919d4fde5a3e4ef64 upstream. + +Empty the "Shared receive buffer" (SRB) in probe, to assure we start in a +known state, and don't process any irrelevant packets. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Cc: stable@vger.kernel.org +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/r/20230516134318.104279-5-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/kvaser_pciefd.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -71,10 +71,12 @@ MODULE_DESCRIPTION("CAN driver for Kvase + #define KVASER_PCIEFD_SYSID_BUILD_REG (KVASER_PCIEFD_SYSID_BASE + 0x14) + /* Shared receive buffer registers */ + #define KVASER_PCIEFD_SRB_BASE 0x1f200 ++#define KVASER_PCIEFD_SRB_FIFO_LAST_REG (KVASER_PCIEFD_SRB_BASE + 0x1f4) + #define KVASER_PCIEFD_SRB_CMD_REG (KVASER_PCIEFD_SRB_BASE + 0x200) + #define KVASER_PCIEFD_SRB_IEN_REG (KVASER_PCIEFD_SRB_BASE + 0x204) + #define KVASER_PCIEFD_SRB_IRQ_REG (KVASER_PCIEFD_SRB_BASE + 0x20c) + #define KVASER_PCIEFD_SRB_STAT_REG (KVASER_PCIEFD_SRB_BASE + 0x210) ++#define KVASER_PCIEFD_SRB_RX_NR_PACKETS_REG (KVASER_PCIEFD_SRB_BASE + 0x214) + #define KVASER_PCIEFD_SRB_CTRL_REG (KVASER_PCIEFD_SRB_BASE + 0x218) + /* EPCS flash controller registers */ + #define KVASER_PCIEFD_SPI_BASE 0x1fc00 +@@ -111,6 +113,9 @@ MODULE_DESCRIPTION("CAN driver for Kvase + /* DMA support */ + #define KVASER_PCIEFD_SRB_STAT_DMA BIT(24) + ++/* SRB current packet level */ ++#define KVASER_PCIEFD_SRB_RX_NR_PACKETS_MASK 0xff ++ + /* DMA Enable */ + #define KVASER_PCIEFD_SRB_CTRL_DMA_ENABLE BIT(0) + +@@ -1059,6 +1064,7 @@ static int kvaser_pciefd_setup_dma(struc + { + int i; + u32 srb_status; ++ u32 srb_packet_count; + dma_addr_t dma_addr[KVASER_PCIEFD_DMA_COUNT]; + + /* Disable the DMA */ +@@ -1086,6 +1092,15 @@ static int kvaser_pciefd_setup_dma(struc + KVASER_PCIEFD_SRB_CMD_RDB1, + pcie->reg_base + KVASER_PCIEFD_SRB_CMD_REG); + ++ /* Empty Rx FIFO */ ++ srb_packet_count = ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_RX_NR_PACKETS_REG) & ++ KVASER_PCIEFD_SRB_RX_NR_PACKETS_MASK; ++ while (srb_packet_count) { ++ /* Drop current packet in FIFO */ ++ ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_FIFO_LAST_REG); ++ srb_packet_count--; ++ } ++ + srb_status = ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_STAT_REG); + if (!(srb_status & KVASER_PCIEFD_SRB_STAT_DI)) { + dev_err(&pcie->pci->dev, "DMA not idle before enabling\n"); diff --git a/queue-6.1/can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch b/queue-6.1/can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch new file mode 100644 index 00000000000..dcd395624b6 --- /dev/null +++ b/queue-6.1/can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch @@ -0,0 +1,33 @@ +From aed0e6ca7dbb8fbea9bc69c9ac663d5533c8c5d8 Mon Sep 17 00:00:00 2001 +From: Jimmy Assarsson +Date: Tue, 16 May 2023 15:43:13 +0200 +Subject: can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop() + +From: Jimmy Assarsson + +commit aed0e6ca7dbb8fbea9bc69c9ac663d5533c8c5d8 upstream. + +Set can.state to CAN_STATE_STOPPED in kvaser_pciefd_stop(). +Without this fix, wrong CAN state was repported after the interface was +brought down. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Cc: stable@vger.kernel.org +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/r/20230516134318.104279-2-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/kvaser_pciefd.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -719,6 +719,7 @@ static int kvaser_pciefd_stop(struct net + iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + del_timer(&can->bec_poll_timer); + } ++ can->can.state = CAN_STATE_STOPPED; + close_candev(netdev); + + return ret; diff --git a/queue-6.1/ceph-force-updating-the-msg-pointer-in-non-split-case.patch b/queue-6.1/ceph-force-updating-the-msg-pointer-in-non-split-case.patch new file mode 100644 index 00000000000..901e25a8f6b --- /dev/null +++ b/queue-6.1/ceph-force-updating-the-msg-pointer-in-non-split-case.patch @@ -0,0 +1,46 @@ +From 4cafd0400bcb6187c0d4ab4d4b0229a89ac4f8c2 Mon Sep 17 00:00:00 2001 +From: Xiubo Li +Date: Thu, 18 May 2023 09:47:23 +0800 +Subject: ceph: force updating the msg pointer in non-split case + +From: Xiubo Li + +commit 4cafd0400bcb6187c0d4ab4d4b0229a89ac4f8c2 upstream. + +When the MClientSnap reqeust's op is not CEPH_SNAP_OP_SPLIT the +request may still contain a list of 'split_realms', and we need +to skip it anyway. Or it will be parsed as a corrupt snaptrace. + +Cc: stable@vger.kernel.org +Link: https://tracker.ceph.com/issues/61200 +Reported-by: Frank Schilder +Signed-off-by: Xiubo Li +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/snap.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/fs/ceph/snap.c ++++ b/fs/ceph/snap.c +@@ -1111,6 +1111,19 @@ skip_inode: + continue; + adjust_snap_realm_parent(mdsc, child, realm->ino); + } ++ } else { ++ /* ++ * In the non-split case both 'num_split_inos' and ++ * 'num_split_realms' should be 0, making this a no-op. ++ * However the MDS happens to populate 'split_realms' list ++ * in one of the UPDATE op cases by mistake. ++ * ++ * Skip both lists just in case to ensure that 'p' is ++ * positioned at the start of realm info, as expected by ++ * ceph_update_snap_trace(). ++ */ ++ p += sizeof(u64) * num_split_inos; ++ p += sizeof(u64) * num_split_realms; + } + + /* diff --git a/queue-6.1/ksmbd-allocate-one-more-byte-for-implied-bcc.patch b/queue-6.1/ksmbd-allocate-one-more-byte-for-implied-bcc.patch new file mode 100644 index 00000000000..05c4e96fc41 --- /dev/null +++ b/queue-6.1/ksmbd-allocate-one-more-byte-for-implied-bcc.patch @@ -0,0 +1,34 @@ +From 443d61d1fa9faa60ef925513d83742902390100f Mon Sep 17 00:00:00 2001 +From: Chih-Yen Chang +Date: Sat, 6 May 2023 00:03:54 +0900 +Subject: ksmbd: allocate one more byte for implied bcc[0] + +From: Chih-Yen Chang + +commit 443d61d1fa9faa60ef925513d83742902390100f upstream. + +ksmbd_smb2_check_message allows client to return one byte more, so we +need to allocate additional memory in ksmbd_conn_handler_loop to avoid +out-of-bound access. + +Cc: stable@vger.kernel.org +Signed-off-by: Chih-Yen Chang +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/connection.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ksmbd/connection.c ++++ b/fs/ksmbd/connection.c +@@ -353,7 +353,8 @@ int ksmbd_conn_handler_loop(void *p) + break; + + /* 4 for rfc1002 length field */ +- size = pdu_size + 4; ++ /* 1 for implied bcc[0] */ ++ size = pdu_size + 4 + 1; + conn->request_buf = kvmalloc(size, GFP_KERNEL); + if (!conn->request_buf) + break; diff --git a/queue-6.1/ksmbd-fix-global-out-of-bounds-in-smb2_find_context_vals.patch b/queue-6.1/ksmbd-fix-global-out-of-bounds-in-smb2_find_context_vals.patch new file mode 100644 index 00000000000..6e3b294f59a --- /dev/null +++ b/queue-6.1/ksmbd-fix-global-out-of-bounds-in-smb2_find_context_vals.patch @@ -0,0 +1,144 @@ +From 02f76c401d17e409ed45bf7887148fcc22c93c85 Mon Sep 17 00:00:00 2001 +From: Chih-Yen Chang +Date: Sun, 14 May 2023 12:05:05 +0900 +Subject: ksmbd: fix global-out-of-bounds in smb2_find_context_vals + +From: Chih-Yen Chang + +commit 02f76c401d17e409ed45bf7887148fcc22c93c85 upstream. + +Add tag_len argument in smb2_find_context_vals() to avoid out-of-bound +read when create_context's name_len is larger than tag length. + +[ 7.995411] ================================================================== +[ 7.995866] BUG: KASAN: global-out-of-bounds in memcmp+0x83/0xa0 +[ 7.996248] Read of size 8 at addr ffffffff8258d940 by task kworker/0:0/7 +... +[ 7.998191] Call Trace: +[ 7.998358] +[ 7.998503] dump_stack_lvl+0x33/0x50 +[ 7.998743] print_report+0xcc/0x620 +[ 7.999458] kasan_report+0xae/0xe0 +[ 7.999895] kasan_check_range+0x35/0x1b0 +[ 8.000152] memcmp+0x83/0xa0 +[ 8.000347] smb2_find_context_vals+0xf7/0x1e0 +[ 8.000635] smb2_open+0x1df2/0x43a0 +[ 8.006398] handle_ksmbd_work+0x274/0x810 +[ 8.006666] process_one_work+0x419/0x760 +[ 8.006922] worker_thread+0x2a2/0x6f0 +[ 8.007429] kthread+0x160/0x190 +[ 8.007946] ret_from_fork+0x1f/0x30 +[ 8.008181] + +Cc: stable@vger.kernel.org +Signed-off-by: Chih-Yen Chang +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/oplock.c | 5 +++-- + fs/ksmbd/oplock.h | 2 +- + fs/ksmbd/smb2pdu.c | 14 +++++++------- + 3 files changed, 11 insertions(+), 10 deletions(-) + +--- a/fs/ksmbd/oplock.c ++++ b/fs/ksmbd/oplock.c +@@ -1449,11 +1449,12 @@ struct lease_ctx_info *parse_lease_state + * smb2_find_context_vals() - find a particular context info in open request + * @open_req: buffer containing smb2 file open(create) request + * @tag: context name to search for ++ * @tag_len: the length of tag + * + * Return: pointer to requested context, NULL if @str context not found + * or error pointer if name length is invalid. + */ +-struct create_context *smb2_find_context_vals(void *open_req, const char *tag) ++struct create_context *smb2_find_context_vals(void *open_req, const char *tag, int tag_len) + { + struct create_context *cc; + unsigned int next = 0; +@@ -1492,7 +1493,7 @@ struct create_context *smb2_find_context + return ERR_PTR(-EINVAL); + + name = (char *)cc + name_off; +- if (memcmp(name, tag, name_len) == 0) ++ if (name_len == tag_len && !memcmp(name, tag, name_len)) + return cc; + + remain_len -= next; +--- a/fs/ksmbd/oplock.h ++++ b/fs/ksmbd/oplock.h +@@ -118,7 +118,7 @@ void create_durable_v2_rsp_buf(char *cc, + void create_mxac_rsp_buf(char *cc, int maximal_access); + void create_disk_id_rsp_buf(char *cc, __u64 file_id, __u64 vol_id); + void create_posix_rsp_buf(char *cc, struct ksmbd_file *fp); +-struct create_context *smb2_find_context_vals(void *open_req, const char *str); ++struct create_context *smb2_find_context_vals(void *open_req, const char *tag, int tag_len); + struct oplock_info *lookup_lease_in_table(struct ksmbd_conn *conn, + char *lease_key); + int find_same_lease_key(struct ksmbd_session *sess, struct ksmbd_inode *ci, +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -2478,7 +2478,7 @@ static int smb2_create_sd_buffer(struct + return -ENOENT; + + /* Parse SD BUFFER create contexts */ +- context = smb2_find_context_vals(req, SMB2_CREATE_SD_BUFFER); ++ context = smb2_find_context_vals(req, SMB2_CREATE_SD_BUFFER, 4); + if (!context) + return -ENOENT; + else if (IS_ERR(context)) +@@ -2680,7 +2680,7 @@ int smb2_open(struct ksmbd_work *work) + + if (req->CreateContextsOffset) { + /* Parse non-durable handle create contexts */ +- context = smb2_find_context_vals(req, SMB2_CREATE_EA_BUFFER); ++ context = smb2_find_context_vals(req, SMB2_CREATE_EA_BUFFER, 4); + if (IS_ERR(context)) { + rc = PTR_ERR(context); + goto err_out1; +@@ -2700,7 +2700,7 @@ int smb2_open(struct ksmbd_work *work) + } + + context = smb2_find_context_vals(req, +- SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST); ++ SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST, 4); + if (IS_ERR(context)) { + rc = PTR_ERR(context); + goto err_out1; +@@ -2711,7 +2711,7 @@ int smb2_open(struct ksmbd_work *work) + } + + context = smb2_find_context_vals(req, +- SMB2_CREATE_TIMEWARP_REQUEST); ++ SMB2_CREATE_TIMEWARP_REQUEST, 4); + if (IS_ERR(context)) { + rc = PTR_ERR(context); + goto err_out1; +@@ -2723,7 +2723,7 @@ int smb2_open(struct ksmbd_work *work) + + if (tcon->posix_extensions) { + context = smb2_find_context_vals(req, +- SMB2_CREATE_TAG_POSIX); ++ SMB2_CREATE_TAG_POSIX, 16); + if (IS_ERR(context)) { + rc = PTR_ERR(context); + goto err_out1; +@@ -3122,7 +3122,7 @@ int smb2_open(struct ksmbd_work *work) + struct create_alloc_size_req *az_req; + + az_req = (struct create_alloc_size_req *)smb2_find_context_vals(req, +- SMB2_CREATE_ALLOCATION_SIZE); ++ SMB2_CREATE_ALLOCATION_SIZE, 4); + if (IS_ERR(az_req)) { + rc = PTR_ERR(az_req); + goto err_out; +@@ -3149,7 +3149,7 @@ int smb2_open(struct ksmbd_work *work) + err); + } + +- context = smb2_find_context_vals(req, SMB2_CREATE_QUERY_ON_DISK_ID); ++ context = smb2_find_context_vals(req, SMB2_CREATE_QUERY_ON_DISK_ID, 4); + if (IS_ERR(context)) { + rc = PTR_ERR(context); + goto err_out; diff --git a/queue-6.1/ksmbd-fix-wrong-username-check-in-session_user.patch b/queue-6.1/ksmbd-fix-wrong-username-check-in-session_user.patch new file mode 100644 index 00000000000..daa7de7eda0 --- /dev/null +++ b/queue-6.1/ksmbd-fix-wrong-username-check-in-session_user.patch @@ -0,0 +1,63 @@ +From f0a96d1aafd8964e1f9955c830a3e5cb3c60a90f Mon Sep 17 00:00:00 2001 +From: Chih-Yen Chang +Date: Sat, 6 May 2023 00:01:54 +0900 +Subject: ksmbd: fix wrong UserName check in session_user + +From: Chih-Yen Chang + +commit f0a96d1aafd8964e1f9955c830a3e5cb3c60a90f upstream. + +The offset of UserName is related to the address of security +buffer. To ensure the validaty of UserName, we need to compare name_off ++ name_len with secbuf_len instead of auth_msg_len. + +[ 27.096243] ================================================================== +[ 27.096890] BUG: KASAN: slab-out-of-bounds in smb_strndup_from_utf16+0x188/0x350 +[ 27.097609] Read of size 2 at addr ffff888005e3b542 by task kworker/0:0/7 +... +[ 27.099950] Call Trace: +[ 27.100194] +[ 27.100397] dump_stack_lvl+0x33/0x50 +[ 27.100752] print_report+0xcc/0x620 +[ 27.102305] kasan_report+0xae/0xe0 +[ 27.103072] kasan_check_range+0x35/0x1b0 +[ 27.103757] smb_strndup_from_utf16+0x188/0x350 +[ 27.105474] smb2_sess_setup+0xaf8/0x19c0 +[ 27.107935] handle_ksmbd_work+0x274/0x810 +[ 27.108315] process_one_work+0x419/0x760 +[ 27.108689] worker_thread+0x2a2/0x6f0 +[ 27.109385] kthread+0x160/0x190 +[ 27.110129] ret_from_fork+0x1f/0x30 +[ 27.110454] + +Cc: stable@vger.kernel.org +Signed-off-by: Chih-Yen Chang +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2pdu.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -1373,7 +1373,7 @@ static struct ksmbd_user *session_user(s + struct authenticate_message *authblob; + struct ksmbd_user *user; + char *name; +- unsigned int auth_msg_len, name_off, name_len, secbuf_len; ++ unsigned int name_off, name_len, secbuf_len; + + secbuf_len = le16_to_cpu(req->SecurityBufferLength); + if (secbuf_len < sizeof(struct authenticate_message)) { +@@ -1383,9 +1383,8 @@ static struct ksmbd_user *session_user(s + authblob = user_authblob(conn, req); + name_off = le32_to_cpu(authblob->UserName.BufferOffset); + name_len = le16_to_cpu(authblob->UserName.Length); +- auth_msg_len = le16_to_cpu(req->SecurityBufferOffset) + secbuf_len; + +- if (auth_msg_len < (u64)name_off + name_len) ++ if (secbuf_len < (u64)name_off + name_len) + return NULL; + + name = smb_strndup_from_utf16((const char *)authblob + name_off, diff --git a/queue-6.1/ksmbd-smb2-allow-messages-padded-to-8byte-boundary.patch b/queue-6.1/ksmbd-smb2-allow-messages-padded-to-8byte-boundary.patch new file mode 100644 index 00000000000..a5e54cde362 --- /dev/null +++ b/queue-6.1/ksmbd-smb2-allow-messages-padded-to-8byte-boundary.patch @@ -0,0 +1,42 @@ +From e7b8b8ed9960bf699bf4029f482d9e869c094ed6 Mon Sep 17 00:00:00 2001 +From: Gustav Johansson +Date: Sat, 6 May 2023 00:05:07 +0900 +Subject: ksmbd: smb2: Allow messages padded to 8byte boundary + +From: Gustav Johansson + +commit e7b8b8ed9960bf699bf4029f482d9e869c094ed6 upstream. + +clc length is now accepted to <= 8 less than length, +rather than < 8. + +Solve issues on some of Axis's smb clients which send +messages where clc length is 8 bytes less than length. + +The specific client was running kernel 4.19.217 with +smb dialect 3.0.2 on armv7l. + +Cc: stable@vger.kernel.org +Signed-off-by: Gustav Johansson +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2misc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/ksmbd/smb2misc.c ++++ b/fs/ksmbd/smb2misc.c +@@ -416,8 +416,11 @@ int ksmbd_smb2_check_message(struct ksmb + + /* + * Allow a message that padded to 8byte boundary. ++ * Linux 4.19.217 with smb 3.0.2 are sometimes ++ * sending messages where the cls_len is exactly ++ * 8 bytes less than len. + */ +- if (clc_len < len && (len - clc_len) < 8) ++ if (clc_len < len && (len - clc_len) <= 8) + goto validate_credit; + + pr_err_ratelimited( diff --git a/queue-6.1/kvm-fix-vcpu_array-races.patch b/queue-6.1/kvm-fix-vcpu_array-races.patch new file mode 100644 index 00000000000..888c9fd2ad6 --- /dev/null +++ b/queue-6.1/kvm-fix-vcpu_array-races.patch @@ -0,0 +1,105 @@ +From afb2acb2e3a32e4d56f7fbd819769b98ed1b7520 Mon Sep 17 00:00:00 2001 +From: Michal Luczaj +Date: Wed, 10 May 2023 16:04:09 +0200 +Subject: KVM: Fix vcpu_array[0] races + +From: Michal Luczaj + +commit afb2acb2e3a32e4d56f7fbd819769b98ed1b7520 upstream. + +In kvm_vm_ioctl_create_vcpu(), add vcpu to vcpu_array iff it's safe to +access vcpu via kvm_get_vcpu() and kvm_for_each_vcpu(), i.e. when there's +no failure path requiring vcpu removal and destruction. Such order is +important because vcpu_array accessors may end up referencing vcpu at +vcpu_array[0] even before online_vcpus is set to 1. + +When online_vcpus=0, any call to kvm_get_vcpu() goes through +array_index_nospec() and ends with an attempt to xa_load(vcpu_array, 0): + + int num_vcpus = atomic_read(&kvm->online_vcpus); + i = array_index_nospec(i, num_vcpus); + return xa_load(&kvm->vcpu_array, i); + +Similarly, when online_vcpus=0, a kvm_for_each_vcpu() does not iterate over +an "empty" range, but actually [0, ULONG_MAX]: + + xa_for_each_range(&kvm->vcpu_array, idx, vcpup, 0, \ + (atomic_read(&kvm->online_vcpus) - 1)) + +In both cases, such online_vcpus=0 edge case, even if leading to +unnecessary calls to XArray API, should not be an issue; requesting +unpopulated indexes/ranges is handled by xa_load() and xa_for_each_range(). + +However, this means that when the first vCPU is created and inserted in +vcpu_array *and* before online_vcpus is incremented, code calling +kvm_get_vcpu()/kvm_for_each_vcpu() already has access to that first vCPU. + +This should not pose a problem assuming that once a vcpu is stored in +vcpu_array, it will remain there, but that's not the case: +kvm_vm_ioctl_create_vcpu() first inserts to vcpu_array, then requests a +file descriptor. If create_vcpu_fd() fails, newly inserted vcpu is removed +from the vcpu_array, then destroyed: + + vcpu->vcpu_idx = atomic_read(&kvm->online_vcpus); + r = xa_insert(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, GFP_KERNEL_ACCOUNT); + kvm_get_kvm(kvm); + r = create_vcpu_fd(vcpu); + if (r < 0) { + xa_erase(&kvm->vcpu_array, vcpu->vcpu_idx); + kvm_put_kvm_no_destroy(kvm); + goto unlock_vcpu_destroy; + } + atomic_inc(&kvm->online_vcpus); + +This results in a possible race condition when a reference to a vcpu is +acquired (via kvm_get_vcpu() or kvm_for_each_vcpu()) moments before said +vcpu is destroyed. + +Signed-off-by: Michal Luczaj +Message-Id: <20230510140410.1093987-2-mhal@rbox.co> +Cc: stable@vger.kernel.org +Fixes: c5b077549136 ("KVM: Convert the kvm->vcpus array to a xarray", 2021-12-08) +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/kvm_main.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -3947,18 +3947,19 @@ static int kvm_vm_ioctl_create_vcpu(stru + } + + vcpu->vcpu_idx = atomic_read(&kvm->online_vcpus); +- r = xa_insert(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, GFP_KERNEL_ACCOUNT); +- BUG_ON(r == -EBUSY); ++ r = xa_reserve(&kvm->vcpu_array, vcpu->vcpu_idx, GFP_KERNEL_ACCOUNT); + if (r) + goto unlock_vcpu_destroy; + + /* Now it's all set up, let userspace reach it */ + kvm_get_kvm(kvm); + r = create_vcpu_fd(vcpu); +- if (r < 0) { +- xa_erase(&kvm->vcpu_array, vcpu->vcpu_idx); +- kvm_put_kvm_no_destroy(kvm); +- goto unlock_vcpu_destroy; ++ if (r < 0) ++ goto kvm_put_xa_release; ++ ++ if (KVM_BUG_ON(!!xa_store(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, 0), kvm)) { ++ r = -EINVAL; ++ goto kvm_put_xa_release; + } + + /* +@@ -3973,6 +3974,9 @@ static int kvm_vm_ioctl_create_vcpu(stru + kvm_create_vcpu_debugfs(vcpu); + return r; + ++kvm_put_xa_release: ++ kvm_put_kvm_no_destroy(kvm); ++ xa_release(&kvm->vcpu_array, vcpu->vcpu_idx); + unlock_vcpu_destroy: + mutex_unlock(&kvm->lock); + kvm_dirty_ring_free(&vcpu->dirty_ring); diff --git a/queue-6.1/maple_tree-make-maple-state-reusable-after-mas_empty_area.patch b/queue-6.1/maple_tree-make-maple-state-reusable-after-mas_empty_area.patch new file mode 100644 index 00000000000..fdfc16e4fc5 --- /dev/null +++ b/queue-6.1/maple_tree-make-maple-state-reusable-after-mas_empty_area.patch @@ -0,0 +1,55 @@ +From 0257d9908d38c0b1669af4bb1bc4dbca1f273fe6 Mon Sep 17 00:00:00 2001 +From: Peng Zhang +Date: Fri, 5 May 2023 22:58:29 +0800 +Subject: maple_tree: make maple state reusable after mas_empty_area() + +From: Peng Zhang + +commit 0257d9908d38c0b1669af4bb1bc4dbca1f273fe6 upstream. + +Make mas->min and mas->max point to a node range instead of a leaf entry +range. This allows mas to still be usable after mas_empty_area() returns. +Users would get unexpected results from other operations on the maple +state after calling the affected function. + +For example, x86 MAP_32BIT mmap() acts as if there is no suitable gap when +there should be one. + +Link: https://lkml.kernel.org/r/20230505145829.74574-1-zhangpeng.00@bytedance.com +Fixes: 54a611b60590 ("Maple Tree: add new data structure") +Signed-off-by: Peng Zhang +Reported-by: "Edgecombe, Rick P" +Reported-by: Tad +Reported-by: Michael Keyes + Link: https://lore.kernel.org/linux-mm/32f156ba80010fd97dbaf0a0cdfc84366608624d.camel@intel.com/ + Link: https://lore.kernel.org/linux-mm/e6108286ac025c268964a7ead3aab9899f9bc6e9.camel@spotco.us/ +Reviewed-by: Liam R. Howlett +Tested-by: Rick Edgecombe +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/maple_tree.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +--- a/lib/maple_tree.c ++++ b/lib/maple_tree.c +@@ -5338,15 +5338,9 @@ int mas_empty_area(struct ma_state *mas, + + mt = mte_node_type(mas->node); + pivots = ma_pivots(mas_mn(mas), mt); +- if (offset) +- mas->min = pivots[offset - 1] + 1; +- +- if (offset < mt_pivots[mt]) +- mas->max = pivots[offset]; +- +- if (mas->index < mas->min) +- mas->index = mas->min; +- ++ min = mas_safe_min(mas, pivots, offset); ++ if (mas->index < min) ++ mas->index = min; + mas->last = mas->index + size - 1; + return 0; + } diff --git a/queue-6.1/mm-fix-zswap-writeback-race-condition.patch b/queue-6.1/mm-fix-zswap-writeback-race-condition.patch new file mode 100644 index 00000000000..f37cf5b609b --- /dev/null +++ b/queue-6.1/mm-fix-zswap-writeback-race-condition.patch @@ -0,0 +1,92 @@ +From 04fc7816089c5a32c29a04ec94b998e219dfb946 Mon Sep 17 00:00:00 2001 +From: Domenico Cerasuolo +Date: Wed, 3 May 2023 17:12:00 +0200 +Subject: mm: fix zswap writeback race condition + +From: Domenico Cerasuolo + +commit 04fc7816089c5a32c29a04ec94b998e219dfb946 upstream. + +The zswap writeback mechanism can cause a race condition resulting in +memory corruption, where a swapped out page gets swapped in with data that +was written to a different page. + +The race unfolds like this: +1. a page with data A and swap offset X is stored in zswap +2. page A is removed off the LRU by zpool driver for writeback in + zswap-shrink work, data for A is mapped by zpool driver +3. user space program faults and invalidates page entry A, offset X is + considered free +4. kswapd stores page B at offset X in zswap (zswap could also be + full, if so, page B would then be IOed to X, then skip step 5.) +5. entry A is replaced by B in tree->rbroot, this doesn't affect the + local reference held by zswap-shrink work +6. zswap-shrink work writes back A at X, and frees zswap entry A +7. swapin of slot X brings A in memory instead of B + +The fix: +Once the swap page cache has been allocated (case ZSWAP_SWAPCACHE_NEW), +zswap-shrink work just checks that the local zswap_entry reference is +still the same as the one in the tree. If it's not the same it means that +it's either been invalidated or replaced, in both cases the writeback is +aborted because the local entry contains stale data. + +Reproducer: +I originally found this by running `stress` overnight to validate my work +on the zswap writeback mechanism, it manifested after hours on my test +machine. The key to make it happen is having zswap writebacks, so +whatever setup pumps /sys/kernel/debug/zswap/written_back_pages should do +the trick. + +In order to reproduce this faster on a vm, I setup a system with ~100M of +available memory and a 500M swap file, then running `stress --vm 1 +--vm-bytes 300000000 --vm-stride 4000` makes it happen in matter of tens +of minutes. One can speed things up even more by swinging +/sys/module/zswap/parameters/max_pool_percent up and down between, say, 20 +and 1; this makes it reproduce in tens of seconds. It's crucial to set +`--vm-stride` to something other than 4096 otherwise `stress` won't +realize that memory has been corrupted because all pages would have the +same data. + +Link: https://lkml.kernel.org/r/20230503151200.19707-1-cerasuolodomenico@gmail.com +Signed-off-by: Domenico Cerasuolo +Acked-by: Johannes Weiner +Reviewed-by: Chris Li (Google) +Cc: Dan Streetman +Cc: Johannes Weiner +Cc: Minchan Kim +Cc: Nitin Gupta +Cc: Seth Jennings +Cc: Vitaly Wool +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/zswap.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/mm/zswap.c ++++ b/mm/zswap.c +@@ -1002,6 +1002,22 @@ static int zswap_writeback_entry(struct + goto fail; + + case ZSWAP_SWAPCACHE_NEW: /* page is locked */ ++ /* ++ * Having a local reference to the zswap entry doesn't exclude ++ * swapping from invalidating and recycling the swap slot. Once ++ * the swapcache is secured against concurrent swapping to and ++ * from the slot, recheck that the entry is still current before ++ * writing. ++ */ ++ spin_lock(&tree->lock); ++ if (zswap_rb_search(&tree->rbroot, entry->offset) != entry) { ++ spin_unlock(&tree->lock); ++ delete_from_swap_cache(page_folio(page)); ++ ret = -ENOMEM; ++ goto fail; ++ } ++ spin_unlock(&tree->lock); ++ + /* decompress */ + acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx); + dlen = PAGE_SIZE; diff --git a/queue-6.1/revert-usb-gadget-udc-core-invoke-usb_gadget_connect-only-when-started.patch b/queue-6.1/revert-usb-gadget-udc-core-invoke-usb_gadget_connect-only-when-started.patch new file mode 100644 index 00000000000..5ce6efdcdc4 --- /dev/null +++ b/queue-6.1/revert-usb-gadget-udc-core-invoke-usb_gadget_connect-only-when-started.patch @@ -0,0 +1,351 @@ +From f22e9b67f19ccc73de1ae04375d4b30684e261f8 Mon Sep 17 00:00:00 2001 +From: Francesco Dolcini +Date: Fri, 12 May 2023 15:14:35 +0200 +Subject: Revert "usb: gadget: udc: core: Invoke usb_gadget_connect only when started" + +From: Francesco Dolcini + +commit f22e9b67f19ccc73de1ae04375d4b30684e261f8 upstream. + +This reverts commit 0db213ea8eed5534a5169e807f28103cbc9d23df. + +It introduces an issues with configuring the USB gadget hangs forever +on multiple Qualcomm and NXP i.MX SoC at least. + +Cc: stable@vger.kernel.org +Fixes: 0db213ea8eed ("usb: gadget: udc: core: Invoke usb_gadget_connect only when started") +Reported-by: Stephan Gerhold +Reported-by: Francesco Dolcini +Link: https://lore.kernel.org/all/ZF4BvgsOyoKxdPFF@francesco-nb.int.toradex.com/ +Signed-off-by: Francesco Dolcini +Link: https://lore.kernel.org/r/20230512131435.205464-3-francesco@dolcini.it +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/core.c | 148 ++++++++++++------------------------------ + 1 file changed, 44 insertions(+), 104 deletions(-) + +--- a/drivers/usb/gadget/udc/core.c ++++ b/drivers/usb/gadget/udc/core.c +@@ -37,10 +37,6 @@ static struct bus_type gadget_bus_type; + * @vbus: for udcs who care about vbus status, this value is real vbus status; + * for udcs who do not care about vbus status, this value is always true + * @started: the UDC's started state. True if the UDC had started. +- * @connect_lock: protects udc->vbus, udc->started, gadget->connect, gadget->deactivate related +- * functions. usb_gadget_connect_locked, usb_gadget_disconnect_locked, +- * usb_udc_connect_control_locked, usb_gadget_udc_start_locked, usb_gadget_udc_stop_locked are +- * called with this lock held. + * + * This represents the internal data structure which is used by the UDC-class + * to hold information about udc driver and gadget together. +@@ -52,7 +48,6 @@ struct usb_udc { + struct list_head list; + bool vbus; + bool started; +- struct mutex connect_lock; + }; + + static struct class *udc_class; +@@ -665,9 +660,17 @@ out: + } + EXPORT_SYMBOL_GPL(usb_gadget_vbus_disconnect); + +-/* Internal version of usb_gadget_connect needs to be called with connect_lock held. */ +-static int usb_gadget_connect_locked(struct usb_gadget *gadget) +- __must_hold(&gadget->udc->connect_lock) ++/** ++ * usb_gadget_connect - software-controlled connect to USB host ++ * @gadget:the peripheral being connected ++ * ++ * Enables the D+ (or potentially D-) pullup. The host will start ++ * enumerating this gadget when the pullup is active and a VBUS session ++ * is active (the link is powered). ++ * ++ * Returns zero on success, else negative errno. ++ */ ++int usb_gadget_connect(struct usb_gadget *gadget) + { + int ret = 0; + +@@ -676,12 +679,10 @@ static int usb_gadget_connect_locked(str + goto out; + } + +- if (gadget->deactivated || !gadget->udc->started) { ++ if (gadget->deactivated) { + /* + * If gadget is deactivated we only save new state. + * Gadget will be connected automatically after activation. +- * +- * udc first needs to be started before gadget can be pulled up. + */ + gadget->connected = true; + goto out; +@@ -696,32 +697,22 @@ out: + + return ret; + } ++EXPORT_SYMBOL_GPL(usb_gadget_connect); + + /** +- * usb_gadget_connect - software-controlled connect to USB host +- * @gadget:the peripheral being connected ++ * usb_gadget_disconnect - software-controlled disconnect from USB host ++ * @gadget:the peripheral being disconnected + * +- * Enables the D+ (or potentially D-) pullup. The host will start +- * enumerating this gadget when the pullup is active and a VBUS session +- * is active (the link is powered). ++ * Disables the D+ (or potentially D-) pullup, which the host may see ++ * as a disconnect (when a VBUS session is active). Not all systems ++ * support software pullup controls. ++ * ++ * Following a successful disconnect, invoke the ->disconnect() callback ++ * for the current gadget driver so that UDC drivers don't need to. + * + * Returns zero on success, else negative errno. + */ +-int usb_gadget_connect(struct usb_gadget *gadget) +-{ +- int ret; +- +- mutex_lock(&gadget->udc->connect_lock); +- ret = usb_gadget_connect_locked(gadget); +- mutex_unlock(&gadget->udc->connect_lock); +- +- return ret; +-} +-EXPORT_SYMBOL_GPL(usb_gadget_connect); +- +-/* Internal version of usb_gadget_disconnect needs to be called with connect_lock held. */ +-static int usb_gadget_disconnect_locked(struct usb_gadget *gadget) +- __must_hold(&gadget->udc->connect_lock) ++int usb_gadget_disconnect(struct usb_gadget *gadget) + { + int ret = 0; + +@@ -733,12 +724,10 @@ static int usb_gadget_disconnect_locked( + if (!gadget->connected) + goto out; + +- if (gadget->deactivated || !gadget->udc->started) { ++ if (gadget->deactivated) { + /* + * If gadget is deactivated we only save new state. + * Gadget will stay disconnected after activation. +- * +- * udc should have been started before gadget being pulled down. + */ + gadget->connected = false; + goto out; +@@ -758,30 +747,6 @@ out: + + return ret; + } +- +-/** +- * usb_gadget_disconnect - software-controlled disconnect from USB host +- * @gadget:the peripheral being disconnected +- * +- * Disables the D+ (or potentially D-) pullup, which the host may see +- * as a disconnect (when a VBUS session is active). Not all systems +- * support software pullup controls. +- * +- * Following a successful disconnect, invoke the ->disconnect() callback +- * for the current gadget driver so that UDC drivers don't need to. +- * +- * Returns zero on success, else negative errno. +- */ +-int usb_gadget_disconnect(struct usb_gadget *gadget) +-{ +- int ret; +- +- mutex_lock(&gadget->udc->connect_lock); +- ret = usb_gadget_disconnect_locked(gadget); +- mutex_unlock(&gadget->udc->connect_lock); +- +- return ret; +-} + EXPORT_SYMBOL_GPL(usb_gadget_disconnect); + + /** +@@ -802,11 +767,10 @@ int usb_gadget_deactivate(struct usb_gad + if (gadget->deactivated) + goto out; + +- mutex_lock(&gadget->udc->connect_lock); + if (gadget->connected) { +- ret = usb_gadget_disconnect_locked(gadget); ++ ret = usb_gadget_disconnect(gadget); + if (ret) +- goto unlock; ++ goto out; + + /* + * If gadget was being connected before deactivation, we want +@@ -816,8 +780,6 @@ int usb_gadget_deactivate(struct usb_gad + } + gadget->deactivated = true; + +-unlock: +- mutex_unlock(&gadget->udc->connect_lock); + out: + trace_usb_gadget_deactivate(gadget, ret); + +@@ -841,7 +803,6 @@ int usb_gadget_activate(struct usb_gadge + if (!gadget->deactivated) + goto out; + +- mutex_lock(&gadget->udc->connect_lock); + gadget->deactivated = false; + + /* +@@ -849,8 +810,7 @@ int usb_gadget_activate(struct usb_gadge + * while it was being deactivated, we call usb_gadget_connect(). + */ + if (gadget->connected) +- ret = usb_gadget_connect_locked(gadget); +- mutex_unlock(&gadget->udc->connect_lock); ++ ret = usb_gadget_connect(gadget); + + out: + trace_usb_gadget_activate(gadget, ret); +@@ -1091,13 +1051,12 @@ EXPORT_SYMBOL_GPL(usb_gadget_set_state); + + /* ------------------------------------------------------------------------- */ + +-/* Acquire connect_lock before calling this function. */ +-static void usb_udc_connect_control_locked(struct usb_udc *udc) __must_hold(&udc->connect_lock) ++static void usb_udc_connect_control(struct usb_udc *udc) + { +- if (udc->vbus && udc->started) +- usb_gadget_connect_locked(udc->gadget); ++ if (udc->vbus) ++ usb_gadget_connect(udc->gadget); + else +- usb_gadget_disconnect_locked(udc->gadget); ++ usb_gadget_disconnect(udc->gadget); + } + + /** +@@ -1113,12 +1072,10 @@ void usb_udc_vbus_handler(struct usb_gad + { + struct usb_udc *udc = gadget->udc; + +- mutex_lock(&udc->connect_lock); + if (udc) { + udc->vbus = status; +- usb_udc_connect_control_locked(udc); ++ usb_udc_connect_control(udc); + } +- mutex_unlock(&udc->connect_lock); + } + EXPORT_SYMBOL_GPL(usb_udc_vbus_handler); + +@@ -1140,7 +1097,7 @@ void usb_gadget_udc_reset(struct usb_gad + EXPORT_SYMBOL_GPL(usb_gadget_udc_reset); + + /** +- * usb_gadget_udc_start_locked - tells usb device controller to start up ++ * usb_gadget_udc_start - tells usb device controller to start up + * @udc: The UDC to be started + * + * This call is issued by the UDC Class driver when it's about +@@ -1151,11 +1108,8 @@ EXPORT_SYMBOL_GPL(usb_gadget_udc_reset); + * necessary to have it powered on. + * + * Returns zero on success, else negative errno. +- * +- * Caller should acquire connect_lock before invoking this function. + */ +-static inline int usb_gadget_udc_start_locked(struct usb_udc *udc) +- __must_hold(&udc->connect_lock) ++static inline int usb_gadget_udc_start(struct usb_udc *udc) + { + int ret; + +@@ -1172,7 +1126,7 @@ static inline int usb_gadget_udc_start_l + } + + /** +- * usb_gadget_udc_stop_locked - tells usb device controller we don't need it anymore ++ * usb_gadget_udc_stop - tells usb device controller we don't need it anymore + * @udc: The UDC to be stopped + * + * This call is issued by the UDC Class driver after calling +@@ -1181,11 +1135,8 @@ static inline int usb_gadget_udc_start_l + * The details are implementation specific, but it can go as + * far as powering off UDC completely and disable its data + * line pullups. +- * +- * Caller should acquire connect lock before invoking this function. + */ +-static inline void usb_gadget_udc_stop_locked(struct usb_udc *udc) +- __must_hold(&udc->connect_lock) ++static inline void usb_gadget_udc_stop(struct usb_udc *udc) + { + if (!udc->started) { + dev_err(&udc->dev, "UDC had already stopped\n"); +@@ -1344,7 +1295,6 @@ int usb_add_gadget(struct usb_gadget *ga + + udc->gadget = gadget; + gadget->udc = udc; +- mutex_init(&udc->connect_lock); + + udc->started = false; + +@@ -1546,15 +1496,11 @@ static int gadget_bind_driver(struct dev + if (ret) + goto err_bind; + +- mutex_lock(&udc->connect_lock); +- ret = usb_gadget_udc_start_locked(udc); +- if (ret) { +- mutex_unlock(&udc->connect_lock); ++ ret = usb_gadget_udc_start(udc); ++ if (ret) + goto err_start; +- } + usb_gadget_enable_async_callbacks(udc); +- usb_udc_connect_control_locked(udc); +- mutex_unlock(&udc->connect_lock); ++ usb_udc_connect_control(udc); + + kobject_uevent(&udc->dev.kobj, KOBJ_CHANGE); + return 0; +@@ -1585,14 +1531,12 @@ static void gadget_unbind_driver(struct + + kobject_uevent(&udc->dev.kobj, KOBJ_CHANGE); + +- mutex_lock(&udc->connect_lock); +- usb_gadget_disconnect_locked(gadget); ++ usb_gadget_disconnect(gadget); + usb_gadget_disable_async_callbacks(udc); + if (gadget->irq) + synchronize_irq(gadget->irq); + udc->driver->unbind(gadget); +- usb_gadget_udc_stop_locked(udc); +- mutex_unlock(&udc->connect_lock); ++ usb_gadget_udc_stop(udc); + + mutex_lock(&udc_lock); + driver->is_bound = false; +@@ -1678,15 +1622,11 @@ static ssize_t soft_connect_store(struct + } + + if (sysfs_streq(buf, "connect")) { +- mutex_lock(&udc->connect_lock); +- usb_gadget_udc_start_locked(udc); +- usb_gadget_connect_locked(udc->gadget); +- mutex_unlock(&udc->connect_lock); ++ usb_gadget_udc_start(udc); ++ usb_gadget_connect(udc->gadget); + } else if (sysfs_streq(buf, "disconnect")) { +- mutex_lock(&udc->connect_lock); +- usb_gadget_disconnect_locked(udc->gadget); +- usb_gadget_udc_stop_locked(udc); +- mutex_unlock(&udc->connect_lock); ++ usb_gadget_disconnect(udc->gadget); ++ usb_gadget_udc_stop(udc); + } else { + dev_err(dev, "unsupported command '%s'\n", buf); + ret = -EINVAL; diff --git a/queue-6.1/revert-usb-gadget-udc-core-prevent-redundant-calls-to-pullup.patch b/queue-6.1/revert-usb-gadget-udc-core-prevent-redundant-calls-to-pullup.patch new file mode 100644 index 00000000000..97ee8ab478a --- /dev/null +++ b/queue-6.1/revert-usb-gadget-udc-core-prevent-redundant-calls-to-pullup.patch @@ -0,0 +1,38 @@ +From 5e1617210aede9f1b91bb9819c93097b6da481f9 Mon Sep 17 00:00:00 2001 +From: Francesco Dolcini +Date: Fri, 12 May 2023 15:14:34 +0200 +Subject: Revert "usb: gadget: udc: core: Prevent redundant calls to pullup" + +From: Francesco Dolcini + +commit 5e1617210aede9f1b91bb9819c93097b6da481f9 upstream. + +This reverts commit a3afbf5cc887fc3401f012fe629810998ed61859. + +This depends on commit 0db213ea8eed ("usb: gadget: udc: core: Invoke +usb_gadget_connect only when started") that introduces a regression, +revert it till the issue is fixed. + +Cc: stable@vger.kernel.org +Reported-by: Stephan Gerhold +Reported-by: Francesco Dolcini +Link: https://lore.kernel.org/all/ZF4BvgsOyoKxdPFF@francesco-nb.int.toradex.com/ +Signed-off-by: Francesco Dolcini +Link: https://lore.kernel.org/r/20230512131435.205464-2-francesco@dolcini.it +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/core.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/usb/gadget/udc/core.c ++++ b/drivers/usb/gadget/udc/core.c +@@ -676,9 +676,6 @@ static int usb_gadget_connect_locked(str + goto out; + } + +- if (gadget->connected) +- goto out; +- + if (gadget->deactivated || !gadget->udc->started) { + /* + * If gadget is deactivated we only save new state. diff --git a/queue-6.1/serial-8250_exar-add-support-for-usr298x-pci-modems.patch b/queue-6.1/serial-8250_exar-add-support-for-usr298x-pci-modems.patch new file mode 100644 index 00000000000..f636a0fab24 --- /dev/null +++ b/queue-6.1/serial-8250_exar-add-support-for-usr298x-pci-modems.patch @@ -0,0 +1,73 @@ +From 95d698869b404772cc8b72560df71548491c10bc Mon Sep 17 00:00:00 2001 +From: Andrew Davis +Date: Thu, 20 Apr 2023 11:02:09 -0500 +Subject: serial: 8250_exar: Add support for USR298x PCI Modems + +From: Andrew Davis + +commit 95d698869b404772cc8b72560df71548491c10bc upstream. + +Possibly the last PCI controller-based (i.e. not a soft/winmodem) +dial-up modem one can still buy. + +Looks to have a stock XR17C154 PCI UART chip for communication, but for +some reason when provisioning the PCI IDs they swapped the vendor and +subvendor IDs. Otherwise this card would have worked out of the box. + +Searching online, some folks seem to not have this issue and others do, +so it is possible only some batches of cards have this error. + +Create a new macro to handle the switched IDs and add support here. + +Signed-off-by: Andrew Davis +Cc: stable +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230420160209.28221-1-afd@ti.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_exar.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/drivers/tty/serial/8250/8250_exar.c ++++ b/drivers/tty/serial/8250/8250_exar.c +@@ -40,9 +40,13 @@ + #define PCI_DEVICE_ID_COMMTECH_4224PCIE 0x0020 + #define PCI_DEVICE_ID_COMMTECH_4228PCIE 0x0021 + #define PCI_DEVICE_ID_COMMTECH_4222PCIE 0x0022 ++ + #define PCI_DEVICE_ID_EXAR_XR17V4358 0x4358 + #define PCI_DEVICE_ID_EXAR_XR17V8358 0x8358 + ++#define PCI_SUBDEVICE_ID_USR_2980 0x0128 ++#define PCI_SUBDEVICE_ID_USR_2981 0x0129 ++ + #define PCI_DEVICE_ID_SEALEVEL_710xC 0x1001 + #define PCI_DEVICE_ID_SEALEVEL_720xC 0x1002 + #define PCI_DEVICE_ID_SEALEVEL_740xC 0x1004 +@@ -829,6 +833,15 @@ static const struct exar8250_board pbn_e + (kernel_ulong_t)&bd \ + } + ++#define USR_DEVICE(devid, sdevid, bd) { \ ++ PCI_DEVICE_SUB( \ ++ PCI_VENDOR_ID_USR, \ ++ PCI_DEVICE_ID_EXAR_##devid, \ ++ PCI_VENDOR_ID_EXAR, \ ++ PCI_SUBDEVICE_ID_USR_##sdevid), 0, 0, \ ++ (kernel_ulong_t)&bd \ ++ } ++ + static const struct pci_device_id exar_pci_tbl[] = { + EXAR_DEVICE(ACCESSIO, COM_2S, pbn_exar_XR17C15x), + EXAR_DEVICE(ACCESSIO, COM_4S, pbn_exar_XR17C15x), +@@ -853,6 +866,10 @@ static const struct pci_device_id exar_p + + IBM_DEVICE(XR17C152, SATURN_SERIAL_ONE_PORT, pbn_exar_ibm_saturn), + ++ /* USRobotics USR298x-OEM PCI Modems */ ++ USR_DEVICE(XR17C152, 2980, pbn_exar_XR17C15x), ++ USR_DEVICE(XR17C152, 2981, pbn_exar_XR17C15x), ++ + /* Exar Corp. XR17C15[248] Dual/Quad/Octal UART */ + EXAR_DEVICE(EXAR, XR17C152, pbn_exar_XR17C15x), + EXAR_DEVICE(EXAR, XR17C154, pbn_exar_XR17C15x), diff --git a/queue-6.1/serial-add-support-for-advantech-pci-1611u-card.patch b/queue-6.1/serial-add-support-for-advantech-pci-1611u-card.patch new file mode 100644 index 00000000000..ebf6a9eebe5 --- /dev/null +++ b/queue-6.1/serial-add-support-for-advantech-pci-1611u-card.patch @@ -0,0 +1,48 @@ +From d2b00516de0e1d696724247098f6733a6ea53908 Mon Sep 17 00:00:00 2001 +From: Vitaliy Tomin +Date: Sun, 23 Apr 2023 11:45:12 +0800 +Subject: serial: Add support for Advantech PCI-1611U card + +From: Vitaliy Tomin + +commit d2b00516de0e1d696724247098f6733a6ea53908 upstream. + +Add support for Advantech PCI-1611U card + +Advantech provides opensource drivers for this and many others card +based on legacy copy of 8250_pci driver called adv950 + +https://www.advantech.com/emt/support/details/driver?id=1-TDOIMJ + +It is hard to maintain to run as out of tree module on newer kernels. +Just adding PCI ID to kernel 8250_pci works perfect. + +Signed-off-by: Vitaliy Tomin +Cc: stable +Link: https://lore.kernel.org/r/20230423034512.2671157-1-tomin@iszf.irk.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -1940,6 +1940,8 @@ pci_moxa_setup(struct serial_private *pr + #define PCI_SUBDEVICE_ID_SIIG_DUAL_30 0x2530 + #define PCI_VENDOR_ID_ADVANTECH 0x13fe + #define PCI_DEVICE_ID_INTEL_CE4100_UART 0x2e66 ++#define PCI_DEVICE_ID_ADVANTECH_PCI1600 0x1600 ++#define PCI_DEVICE_ID_ADVANTECH_PCI1600_1611 0x1611 + #define PCI_DEVICE_ID_ADVANTECH_PCI3620 0x3620 + #define PCI_DEVICE_ID_ADVANTECH_PCI3618 0x3618 + #define PCI_DEVICE_ID_ADVANTECH_PCIf618 0xf618 +@@ -4105,6 +4107,9 @@ static SIMPLE_DEV_PM_OPS(pciserial_pm_op + pciserial_resume_one); + + static const struct pci_device_id serial_pci_tbl[] = { ++ { PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI1600, ++ PCI_DEVICE_ID_ADVANTECH_PCI1600_1611, PCI_ANY_ID, 0, 0, ++ pbn_b0_4_921600 }, + /* Advantech use PCI_DEVICE_ID_ADVANTECH_PCI3620 (0x3620) as 'PCI_SUBVENDOR_ID' */ + { PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI3620, + PCI_DEVICE_ID_ADVANTECH_PCI3620, 0x0001, 0, 0, diff --git a/queue-6.1/serial-qcom-geni-fix-enabling-deactivated-interrupt.patch b/queue-6.1/serial-qcom-geni-fix-enabling-deactivated-interrupt.patch new file mode 100644 index 00000000000..469553c9e36 --- /dev/null +++ b/queue-6.1/serial-qcom-geni-fix-enabling-deactivated-interrupt.patch @@ -0,0 +1,84 @@ +From 5f949f140f73696f64acb89a1f16ff9153d017e0 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 5 May 2023 17:23:01 +0200 +Subject: serial: qcom-geni: fix enabling deactivated interrupt + +From: Krzysztof Kozlowski + +commit 5f949f140f73696f64acb89a1f16ff9153d017e0 upstream. + +The driver have a race, experienced only with PREEMPT_RT patchset: + +CPU0 | CPU1 +================================================================== +qcom_geni_serial_probe | + uart_add_one_port | + | serdev_drv_probe + | qca_serdev_probe + | serdev_device_open + | uart_open + | uart_startup + | qcom_geni_serial_startup + | enable_irq + | __irq_startup + | WARN_ON() + | IRQ not activated + request_threaded_irq | + irq_domain_activate_irq | + +The warning: + + 894000.serial: ttyHS1 at MMIO 0x894000 (irq = 144, base_baud = 0) is a MSM + serial serial0: tty port ttyHS1 registered + WARNING: CPU: 7 PID: 107 at kernel/irq/chip.c:241 __irq_startup+0x78/0xd8 + ... + qcom_geni_serial 894000.serial: serial engine reports 0 RX bytes in! + +Adding UART port triggers probe of child serial devices - serdev and +eventually Qualcomm Bluetooth hci_qca driver. This opens UART port +which enables the interrupt before it got activated in +request_threaded_irq(). The issue originates in commit f3974413cf02 +("tty: serial: qcom_geni_serial: Wakeup IRQ cleanup") and discussion on +mailing list [1]. However the above commit does not explain why the +uart_add_one_port() is moved above requesting interrupt. + +[1] https://lore.kernel.org/all/5d9f3dfa.1c69fb81.84c4b.30bf@mx.google.com/ + +Fixes: f3974413cf02 ("tty: serial: qcom_geni_serial: Wakeup IRQ cleanup") +Cc: +Cc: Stephen Boyd +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Stephen Boyd +Link: https://lore.kernel.org/r/20230505152301.2181270-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/qcom_geni_serial.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/tty/serial/qcom_geni_serial.c ++++ b/drivers/tty/serial/qcom_geni_serial.c +@@ -1483,19 +1483,18 @@ static int qcom_geni_serial_probe(struct + platform_set_drvdata(pdev, port); + port->handle_rx = console ? handle_rx_console : handle_rx_uart; + +- ret = uart_add_one_port(drv, uport); +- if (ret) +- return ret; +- + irq_set_status_flags(uport->irq, IRQ_NOAUTOEN); + ret = devm_request_irq(uport->dev, uport->irq, qcom_geni_serial_isr, + IRQF_TRIGGER_HIGH, port->name, uport); + if (ret) { + dev_err(uport->dev, "Failed to get IRQ ret %d\n", ret); +- uart_remove_one_port(drv, uport); + return ret; + } + ++ ret = uart_add_one_port(drv, uport); ++ if (ret) ++ return ret; ++ + /* + * Set pm_runtime status as ACTIVE so that wakeup_irq gets + * enabled/disabled from dev_pm_arm_wake_irq during system diff --git a/queue-6.1/series b/queue-6.1/series index 0c75ca8ca58..7c15cdd58cf 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -223,3 +223,47 @@ net-selftests-fix-optstring.patch netfilter-nf_tables-fix-nft_trans-type-confusion.patch netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch bridge-always-declare-tunnel-functions.patch +alsa-usb-audio-add-a-sample-rate-workaround-for-line6-pod-go.patch +usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch +usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch +usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch +usb-dwc3-gadget-improve-dwc3_gadget_suspend-and-dwc3_gadget_resume.patch +usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch +usb-gadget-u_ether-fix-host-mac-address-case.patch +usb-typec-altmodes-displayport-fix-pin_assignment_show.patch +revert-usb-gadget-udc-core-prevent-redundant-calls-to-pullup.patch +revert-usb-gadget-udc-core-invoke-usb_gadget_connect-only-when-started.patch +xhci-pci-only-run-d3cold-avoidance-quirk-for-s2idle.patch +xhci-fix-incorrect-tracking-of-free-space-on-transfer-rings.patch +alsa-hda-fix-oops-by-9.1-surround-channel-names.patch +alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch +alsa-hda-realtek-add-quirk-for-clevo-l140au.patch +alsa-hda-realtek-add-a-quirk-for-hp-elitedesk-805.patch +alsa-hda-realtek-add-quirk-for-2nd-asus-gu603.patch +alsa-hda-realtek-add-quirk-for-hp-elitebook-g10-laptops.patch +alsa-hda-realtek-fix-mute-and-micmute-leds-for-yet-another-hp-laptop.patch +can-j1939-recvmsg-allow-msg_cmsg_compat-flag.patch +can-isotp-recvmsg-allow-msg_cmsg_compat-flag.patch +can-kvaser_pciefd-set-can_state_stopped-in-kvaser_pciefd_stop.patch +can-kvaser_pciefd-call-request_irq-before-enabling-interrupts.patch +can-kvaser_pciefd-empty-srb-buffer-in-probe.patch +can-kvaser_pciefd-clear-listen-only-bit-if-not-explicitly-requested.patch +can-kvaser_pciefd-do-not-send-eflush-command-on-tfd-interrupt.patch +can-kvaser_pciefd-disable-interrupts-in-probe-error-path.patch +wifi-rtw88-use-work-to-update-rate-to-avoid-rcu-warning.patch +smb3-close-all-deferred-handles-of-inode-in-case-of-handle-lease-break.patch +smb3-drop-reference-to-cfile-before-sending-oplock-break.patch +ksmbd-smb2-allow-messages-padded-to-8byte-boundary.patch +ksmbd-allocate-one-more-byte-for-implied-bcc.patch +ksmbd-fix-wrong-username-check-in-session_user.patch +ksmbd-fix-global-out-of-bounds-in-smb2_find_context_vals.patch +kvm-fix-vcpu_array-races.patch +statfs-enforce-statfs-structure-initialization.patch +maple_tree-make-maple-state-reusable-after-mas_empty_area.patch +mm-fix-zswap-writeback-race-condition.patch +serial-add-support-for-advantech-pci-1611u-card.patch +serial-8250_exar-add-support-for-usr298x-pci-modems.patch +serial-qcom-geni-fix-enabling-deactivated-interrupt.patch +thunderbolt-clear-registers-properly-when-auto-clear-isn-t-in-use.patch +vc_screen-reload-load-of-struct-vc_data-pointer-in-vcs_write-to-avoid-uaf.patch +ceph-force-updating-the-msg-pointer-in-non-split-case.patch diff --git a/queue-6.1/smb3-close-all-deferred-handles-of-inode-in-case-of-handle-lease-break.patch b/queue-6.1/smb3-close-all-deferred-handles-of-inode-in-case-of-handle-lease-break.patch new file mode 100644 index 00000000000..6ecc29afa93 --- /dev/null +++ b/queue-6.1/smb3-close-all-deferred-handles-of-inode-in-case-of-handle-lease-break.patch @@ -0,0 +1,63 @@ +From 47592fa8eb03742048b096b4696ec133384c45eb Mon Sep 17 00:00:00 2001 +From: Bharath SM +Date: Wed, 3 May 2023 14:38:35 +0000 +Subject: SMB3: Close all deferred handles of inode in case of handle lease break + +From: Bharath SM + +commit 47592fa8eb03742048b096b4696ec133384c45eb upstream. + +Oplock break may occur for different file handle than the deferred +handle. Check for inode deferred closes list, if it's not empty then +close all the deferred handles of inode because we should not cache +handles if we dont have handle lease. + +Eg: If openfilelist has one deferred file handle and another open file +handle from app for a same file, then on a lease break we choose the +first handle in openfile list. The first handle in list can be deferred +handle or actual open file handle from app. In case if it is actual open +handle then today, we don't close deferred handles if we lose handle lease +on a file. Problem with this is, later if app decides to close the existing +open handle then we still be caching deferred handles until deferred close +timeout. Leaving open handle may result in sharing violation when windows +client tries to open a file with limited file share access. + +So we should check for deferred list of inode and walk through the list of +deferred files in inode and close all deferred files. + +Fixes: 9e31678fb403 ("SMB3: fix lease break timeout when multiple deferred close handles for the same file.") +Cc: stable@kernel.org +Signed-off-by: Bharath SM +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/file.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -5087,8 +5087,6 @@ void cifs_oplock_break(struct work_struc + struct TCP_Server_Info *server = tcon->ses->server; + int rc = 0; + bool purge_cache = false; +- struct cifs_deferred_close *dclose; +- bool is_deferred = false; + + wait_on_bit(&cinode->flags, CIFS_INODE_PENDING_WRITERS, + TASK_UNINTERRUPTIBLE); +@@ -5129,14 +5127,9 @@ oplock_break_ack: + * file handles but cached, then schedule deferred close immediately. + * So, new open will not use cached handle. + */ +- spin_lock(&CIFS_I(inode)->deferred_lock); +- is_deferred = cifs_is_deferred_close(cfile, &dclose); +- spin_unlock(&CIFS_I(inode)->deferred_lock); + +- if (!CIFS_CACHE_HANDLE(cinode) && is_deferred && +- cfile->deferred_close_scheduled && delayed_work_pending(&cfile->deferred)) { ++ if (!CIFS_CACHE_HANDLE(cinode) && !list_empty(&cinode->deferred_closes)) + cifs_close_deferred_file(cinode); +- } + + /* + * releasing stale oplock after recent reconnect of smb session using diff --git a/queue-6.1/smb3-drop-reference-to-cfile-before-sending-oplock-break.patch b/queue-6.1/smb3-drop-reference-to-cfile-before-sending-oplock-break.patch new file mode 100644 index 00000000000..32bfb3256f7 --- /dev/null +++ b/queue-6.1/smb3-drop-reference-to-cfile-before-sending-oplock-break.patch @@ -0,0 +1,128 @@ +From 59a556aebc43dded08535fe97d94ca3f657915e4 Mon Sep 17 00:00:00 2001 +From: Bharath SM +Date: Mon, 15 May 2023 21:25:12 +0000 +Subject: SMB3: drop reference to cfile before sending oplock break + +From: Bharath SM + +commit 59a556aebc43dded08535fe97d94ca3f657915e4 upstream. + +In cifs_oplock_break function we drop reference to a cfile at +the end of function, due to which close command goes on wire +after lease break acknowledgment even if file is already closed +by application but we had deferred the handle close. +If other client with limited file shareaccess waiting on lease +break ack proceeds operation on that file as soon as first client +sends ack, then we may encounter status sharing violation error +because of open handle. +Solution is to put reference to cfile(send close on wire if last ref) +and then send oplock acknowledgment to server. + +Fixes: 9e31678fb403 ("SMB3: fix lease break timeout when multiple deferred close handles for the same file.") +Cc: stable@kernel.org +Signed-off-by: Bharath SM +Reviewed-by: Shyam Prasad N +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifsglob.h | 4 ++-- + fs/cifs/file.c | 17 ++++++++++++----- + fs/cifs/smb1ops.c | 9 ++++----- + fs/cifs/smb2ops.c | 7 +++---- + 4 files changed, 21 insertions(+), 16 deletions(-) + +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -428,8 +428,8 @@ struct smb_version_operations { + /* check for STATUS_NETWORK_SESSION_EXPIRED */ + bool (*is_session_expired)(char *); + /* send oplock break response */ +- int (*oplock_response)(struct cifs_tcon *, struct cifs_fid *, +- struct cifsInodeInfo *); ++ int (*oplock_response)(struct cifs_tcon *tcon, __u64 persistent_fid, __u64 volatile_fid, ++ __u16 net_fid, struct cifsInodeInfo *cifs_inode); + /* query remote filesystem */ + int (*queryfs)(const unsigned int, struct cifs_tcon *, + struct cifs_sb_info *, struct kstatfs *); +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -5086,7 +5086,9 @@ void cifs_oplock_break(struct work_struc + struct cifs_tcon *tcon = tlink_tcon(cfile->tlink); + struct TCP_Server_Info *server = tcon->ses->server; + int rc = 0; +- bool purge_cache = false; ++ bool purge_cache = false, oplock_break_cancelled; ++ __u64 persistent_fid, volatile_fid; ++ __u16 net_fid; + + wait_on_bit(&cinode->flags, CIFS_INODE_PENDING_WRITERS, + TASK_UNINTERRUPTIBLE); +@@ -5131,19 +5133,24 @@ oplock_break_ack: + if (!CIFS_CACHE_HANDLE(cinode) && !list_empty(&cinode->deferred_closes)) + cifs_close_deferred_file(cinode); + ++ persistent_fid = cfile->fid.persistent_fid; ++ volatile_fid = cfile->fid.volatile_fid; ++ net_fid = cfile->fid.netfid; ++ oplock_break_cancelled = cfile->oplock_break_cancelled; ++ ++ _cifsFileInfo_put(cfile, false /* do not wait for ourself */, false); + /* + * releasing stale oplock after recent reconnect of smb session using + * a now incorrect file handle is not a data integrity issue but do + * not bother sending an oplock release if session to server still is + * disconnected since oplock already released by the server + */ +- if (!cfile->oplock_break_cancelled) { +- rc = tcon->ses->server->ops->oplock_response(tcon, &cfile->fid, +- cinode); ++ if (!oplock_break_cancelled) { ++ rc = tcon->ses->server->ops->oplock_response(tcon, persistent_fid, ++ volatile_fid, net_fid, cinode); + cifs_dbg(FYI, "Oplock release rc = %d\n", rc); + } + +- _cifsFileInfo_put(cfile, false /* do not wait for ourself */, false); + cifs_done_oplock_break(cinode); + } + +--- a/fs/cifs/smb1ops.c ++++ b/fs/cifs/smb1ops.c +@@ -897,12 +897,11 @@ cifs_close_dir(const unsigned int xid, s + } + + static int +-cifs_oplock_response(struct cifs_tcon *tcon, struct cifs_fid *fid, +- struct cifsInodeInfo *cinode) ++cifs_oplock_response(struct cifs_tcon *tcon, __u64 persistent_fid, ++ __u64 volatile_fid, __u16 net_fid, struct cifsInodeInfo *cinode) + { +- return CIFSSMBLock(0, tcon, fid->netfid, current->tgid, 0, 0, 0, 0, +- LOCKING_ANDX_OPLOCK_RELEASE, false, +- CIFS_CACHE_READ(cinode) ? 1 : 0); ++ return CIFSSMBLock(0, tcon, net_fid, current->tgid, 0, 0, 0, 0, ++ LOCKING_ANDX_OPLOCK_RELEASE, false, CIFS_CACHE_READ(cinode) ? 1 : 0); + } + + static int +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -2383,15 +2383,14 @@ smb2_is_network_name_deleted(char *buf, + } + + static int +-smb2_oplock_response(struct cifs_tcon *tcon, struct cifs_fid *fid, +- struct cifsInodeInfo *cinode) ++smb2_oplock_response(struct cifs_tcon *tcon, __u64 persistent_fid, ++ __u64 volatile_fid, __u16 net_fid, struct cifsInodeInfo *cinode) + { + if (tcon->ses->server->capabilities & SMB2_GLOBAL_CAP_LEASING) + return SMB2_lease_break(0, tcon, cinode->lease_key, + smb2_get_lease_state(cinode)); + +- return SMB2_oplock_break(0, tcon, fid->persistent_fid, +- fid->volatile_fid, ++ return SMB2_oplock_break(0, tcon, persistent_fid, volatile_fid, + CIFS_CACHE_READ(cinode) ? 1 : 0); + } + diff --git a/queue-6.1/statfs-enforce-statfs-structure-initialization.patch b/queue-6.1/statfs-enforce-statfs-structure-initialization.patch new file mode 100644 index 00000000000..dd2b4ea0ffb --- /dev/null +++ b/queue-6.1/statfs-enforce-statfs-structure-initialization.patch @@ -0,0 +1,62 @@ +From ed40866ec7d328b3dfb70db7e2011640a16202c3 Mon Sep 17 00:00:00 2001 +From: Ilya Leoshkevich +Date: Thu, 4 May 2023 16:40:20 +0200 +Subject: statfs: enforce statfs[64] structure initialization + +From: Ilya Leoshkevich + +commit ed40866ec7d328b3dfb70db7e2011640a16202c3 upstream. + +s390's struct statfs and struct statfs64 contain padding, which +field-by-field copying does not set. Initialize the respective structs +with zeros before filling them and copying them to userspace, like it's +already done for the compat versions of these structs. + +Found by KMSAN. + +[agordeev@linux.ibm.com: fixed typo in patch description] +Acked-by: Heiko Carstens +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Ilya Leoshkevich +Reviewed-by: Andrew Morton +Link: https://lore.kernel.org/r/20230504144021.808932-2-iii@linux.ibm.com +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +--- + fs/statfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/statfs.c ++++ b/fs/statfs.c +@@ -130,6 +130,7 @@ static int do_statfs_native(struct kstat + if (sizeof(buf) == sizeof(*st)) + memcpy(&buf, st, sizeof(*st)); + else { ++ memset(&buf, 0, sizeof(buf)); + if (sizeof buf.f_blocks == 4) { + if ((st->f_blocks | st->f_bfree | st->f_bavail | + st->f_bsize | st->f_frsize) & +@@ -158,7 +159,6 @@ static int do_statfs_native(struct kstat + buf.f_namelen = st->f_namelen; + buf.f_frsize = st->f_frsize; + buf.f_flags = st->f_flags; +- memset(buf.f_spare, 0, sizeof(buf.f_spare)); + } + if (copy_to_user(p, &buf, sizeof(buf))) + return -EFAULT; +@@ -171,6 +171,7 @@ static int do_statfs64(struct kstatfs *s + if (sizeof(buf) == sizeof(*st)) + memcpy(&buf, st, sizeof(*st)); + else { ++ memset(&buf, 0, sizeof(buf)); + buf.f_type = st->f_type; + buf.f_bsize = st->f_bsize; + buf.f_blocks = st->f_blocks; +@@ -182,7 +183,6 @@ static int do_statfs64(struct kstatfs *s + buf.f_namelen = st->f_namelen; + buf.f_frsize = st->f_frsize; + buf.f_flags = st->f_flags; +- memset(buf.f_spare, 0, sizeof(buf.f_spare)); + } + if (copy_to_user(p, &buf, sizeof(buf))) + return -EFAULT; diff --git a/queue-6.1/thunderbolt-clear-registers-properly-when-auto-clear-isn-t-in-use.patch b/queue-6.1/thunderbolt-clear-registers-properly-when-auto-clear-isn-t-in-use.patch new file mode 100644 index 00000000000..b590552df22 --- /dev/null +++ b/queue-6.1/thunderbolt-clear-registers-properly-when-auto-clear-isn-t-in-use.patch @@ -0,0 +1,101 @@ +From c4af8e3fecd03b0aedcd38145955605cfebe7e3a Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Mon, 24 Apr 2023 14:55:54 -0500 +Subject: thunderbolt: Clear registers properly when auto clear isn't in use + +From: Mario Limonciello + +commit c4af8e3fecd03b0aedcd38145955605cfebe7e3a upstream. + +When `QUIRK_AUTO_CLEAR_INT` isn't set, interrupt masking should be +cleared by writing to Interrupt Mask Clear (IMR) and interrupt +status should be cleared properly at shutdown/init. + +This fixes an error where interrupts are left enabled during resume +from hibernation with `CONFIG_USB4=y`. + +Fixes: 468c49f44759 ("thunderbolt: Disable interrupt auto clear for rings") +Cc: stable@vger.kernel.org # v6.3 +Reported-by: Takashi Iwai +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217343 +Signed-off-by: Mario Limonciello +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/nhi.c | 29 ++++++++++++++++++++++++----- + drivers/thunderbolt/nhi_regs.h | 2 ++ + 2 files changed, 26 insertions(+), 5 deletions(-) + +--- a/drivers/thunderbolt/nhi.c ++++ b/drivers/thunderbolt/nhi.c +@@ -54,6 +54,21 @@ static int ring_interrupt_index(const st + return bit; + } + ++static void nhi_mask_interrupt(struct tb_nhi *nhi, int mask, int ring) ++{ ++ if (nhi->quirks & QUIRK_AUTO_CLEAR_INT) ++ return; ++ iowrite32(mask, nhi->iobase + REG_RING_INTERRUPT_MASK_CLEAR_BASE + ring); ++} ++ ++static void nhi_clear_interrupt(struct tb_nhi *nhi, int ring) ++{ ++ if (nhi->quirks & QUIRK_AUTO_CLEAR_INT) ++ ioread32(nhi->iobase + REG_RING_NOTIFY_BASE + ring); ++ else ++ iowrite32(~0, nhi->iobase + REG_RING_INT_CLEAR + ring); ++} ++ + /* + * ring_interrupt_active() - activate/deactivate interrupts for a single ring + * +@@ -61,8 +76,8 @@ static int ring_interrupt_index(const st + */ + static void ring_interrupt_active(struct tb_ring *ring, bool active) + { +- int reg = REG_RING_INTERRUPT_BASE + +- ring_interrupt_index(ring) / 32 * 4; ++ int index = ring_interrupt_index(ring) / 32 * 4; ++ int reg = REG_RING_INTERRUPT_BASE + index; + int interrupt_bit = ring_interrupt_index(ring) & 31; + int mask = 1 << interrupt_bit; + u32 old, new; +@@ -123,7 +138,11 @@ static void ring_interrupt_active(struct + "interrupt for %s %d is already %s\n", + RING_TYPE(ring), ring->hop, + active ? "enabled" : "disabled"); +- iowrite32(new, ring->nhi->iobase + reg); ++ ++ if (active) ++ iowrite32(new, ring->nhi->iobase + reg); ++ else ++ nhi_mask_interrupt(ring->nhi, mask, index); + } + + /* +@@ -136,11 +155,11 @@ static void nhi_disable_interrupts(struc + int i = 0; + /* disable interrupts */ + for (i = 0; i < RING_INTERRUPT_REG_COUNT(nhi); i++) +- iowrite32(0, nhi->iobase + REG_RING_INTERRUPT_BASE + 4 * i); ++ nhi_mask_interrupt(nhi, ~0, 4 * i); + + /* clear interrupt status bits */ + for (i = 0; i < RING_NOTIFY_REG_COUNT(nhi); i++) +- ioread32(nhi->iobase + REG_RING_NOTIFY_BASE + 4 * i); ++ nhi_clear_interrupt(nhi, 4 * i); + } + + /* ring helper methods */ +--- a/drivers/thunderbolt/nhi_regs.h ++++ b/drivers/thunderbolt/nhi_regs.h +@@ -93,6 +93,8 @@ struct ring_desc { + #define REG_RING_INTERRUPT_BASE 0x38200 + #define RING_INTERRUPT_REG_COUNT(nhi) ((31 + 2 * nhi->hop_count) / 32) + ++#define REG_RING_INTERRUPT_MASK_CLEAR_BASE 0x38208 ++ + #define REG_INT_THROTTLING_RATE 0x38c00 + + /* Interrupt Vector Allocation */ diff --git a/queue-6.1/usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch b/queue-6.1/usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch new file mode 100644 index 00000000000..13adfe20539 --- /dev/null +++ b/queue-6.1/usb-dwc3-debugfs-resume-dwc3-before-accessing-registers.patch @@ -0,0 +1,379 @@ +From 614ce6a2ea50068b45339257891e51e639ac9001 Mon Sep 17 00:00:00 2001 +From: Udipto Goswami +Date: Tue, 9 May 2023 20:18:36 +0530 +Subject: usb: dwc3: debugfs: Resume dwc3 before accessing registers + +From: Udipto Goswami + +commit 614ce6a2ea50068b45339257891e51e639ac9001 upstream. + +When the dwc3 device is runtime suspended, various required clocks are in +disabled state and it is not guaranteed that access to any registers would +work. Depending on the SoC glue, a register read could be as benign as +returning 0 or be fatal enough to hang the system. + +In order to prevent such scenarios of fatal errors, make sure to resume +dwc3 then allow the function to proceed. + +Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") +Cc: stable@vger.kernel.org #3.2: 30332eeefec8: debugfs: regset32: Add Runtime PM support +Signed-off-by: Udipto Goswami +Reviewed-by: Johan Hovold +Tested-by: Johan Hovold +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20230509144836.6803-1-quic_ugoswami@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/debugfs.c | 109 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 109 insertions(+) + +--- a/drivers/usb/dwc3/debugfs.c ++++ b/drivers/usb/dwc3/debugfs.c +@@ -327,6 +327,11 @@ static int dwc3_lsp_show(struct seq_file + unsigned int current_mode; + unsigned long flags; + u32 reg; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + reg = dwc3_readl(dwc->regs, DWC3_GSTS); +@@ -345,6 +350,8 @@ static int dwc3_lsp_show(struct seq_file + } + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -390,6 +397,11 @@ static int dwc3_mode_show(struct seq_fil + struct dwc3 *dwc = s->private; + unsigned long flags; + u32 reg; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + reg = dwc3_readl(dwc->regs, DWC3_GCTL); +@@ -409,6 +421,8 @@ static int dwc3_mode_show(struct seq_fil + seq_printf(s, "UNKNOWN %08x\n", DWC3_GCTL_PRTCAP(reg)); + } + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -458,6 +472,11 @@ static int dwc3_testmode_show(struct seq + struct dwc3 *dwc = s->private; + unsigned long flags; + u32 reg; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + reg = dwc3_readl(dwc->regs, DWC3_DCTL); +@@ -488,6 +507,8 @@ static int dwc3_testmode_show(struct seq + seq_printf(s, "UNKNOWN %d\n", reg); + } + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -504,6 +525,7 @@ static ssize_t dwc3_testmode_write(struc + unsigned long flags; + u32 testmode = 0; + char buf[32]; ++ int ret; + + if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count))) + return -EFAULT; +@@ -521,10 +543,16 @@ static ssize_t dwc3_testmode_write(struc + else + testmode = 0; + ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; ++ + spin_lock_irqsave(&dwc->lock, flags); + dwc3_gadget_set_test_mode(dwc, testmode); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return count; + } + +@@ -543,12 +571,18 @@ static int dwc3_link_state_show(struct s + enum dwc3_link_state state; + u32 reg; + u8 speed; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + reg = dwc3_readl(dwc->regs, DWC3_GSTS); + if (DWC3_GSTS_CURMOD(reg) != DWC3_GSTS_CURMOD_DEVICE) { + seq_puts(s, "Not available\n"); + spin_unlock_irqrestore(&dwc->lock, flags); ++ pm_runtime_put_sync(dwc->dev); + return 0; + } + +@@ -561,6 +595,8 @@ static int dwc3_link_state_show(struct s + dwc3_gadget_hs_link_string(state)); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -579,6 +615,7 @@ static ssize_t dwc3_link_state_write(str + char buf[32]; + u32 reg; + u8 speed; ++ int ret; + + if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count))) + return -EFAULT; +@@ -598,10 +635,15 @@ static ssize_t dwc3_link_state_write(str + else + return -EINVAL; + ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; ++ + spin_lock_irqsave(&dwc->lock, flags); + reg = dwc3_readl(dwc->regs, DWC3_GSTS); + if (DWC3_GSTS_CURMOD(reg) != DWC3_GSTS_CURMOD_DEVICE) { + spin_unlock_irqrestore(&dwc->lock, flags); ++ pm_runtime_put_sync(dwc->dev); + return -EINVAL; + } + +@@ -611,12 +653,15 @@ static ssize_t dwc3_link_state_write(str + if (speed < DWC3_DSTS_SUPERSPEED && + state != DWC3_LINK_STATE_RECOV) { + spin_unlock_irqrestore(&dwc->lock, flags); ++ pm_runtime_put_sync(dwc->dev); + return -EINVAL; + } + + dwc3_gadget_set_link_state(dwc, state); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return count; + } + +@@ -640,6 +685,11 @@ static int dwc3_tx_fifo_size_show(struct + unsigned long flags; + u32 mdwidth; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_TXFIFO); +@@ -652,6 +702,8 @@ static int dwc3_tx_fifo_size_show(struct + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -662,6 +714,11 @@ static int dwc3_rx_fifo_size_show(struct + unsigned long flags; + u32 mdwidth; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_RXFIFO); +@@ -674,6 +731,8 @@ static int dwc3_rx_fifo_size_show(struct + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -683,12 +742,19 @@ static int dwc3_tx_request_queue_show(st + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_TXREQQ); + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -698,12 +764,19 @@ static int dwc3_rx_request_queue_show(st + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_RXREQQ); + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -713,12 +786,19 @@ static int dwc3_rx_info_queue_show(struc + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_RXINFOQ); + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -728,12 +808,19 @@ static int dwc3_descriptor_fetch_queue_s + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_DESCFETCHQ); + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -743,12 +830,19 @@ static int dwc3_event_queue_show(struct + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_EVENTQ); + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -793,6 +887,11 @@ static int dwc3_trb_ring_show(struct seq + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + int i; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + if (dep->number <= 1) { +@@ -822,6 +921,8 @@ static int dwc3_trb_ring_show(struct seq + out: + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -834,6 +935,11 @@ static int dwc3_ep_info_register_show(st + u32 lower_32_bits; + u32 upper_32_bits; + u32 reg; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + reg = DWC3_GDBGLSPMUX_EPSELECT(dep->number); +@@ -846,6 +952,8 @@ static int dwc3_ep_info_register_show(st + seq_printf(s, "0x%016llx\n", ep_info); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -905,6 +1013,7 @@ void dwc3_debugfs_init(struct dwc3 *dwc) + dwc->regset->regs = dwc3_regs; + dwc->regset->nregs = ARRAY_SIZE(dwc3_regs); + dwc->regset->base = dwc->regs - DWC3_GLOBALS_REGS_START; ++ dwc->regset->dev = dwc->dev; + + root = debugfs_create_dir(dev_name(dwc->dev), usb_debug_root); + dwc->debug_root = root; diff --git a/queue-6.1/usb-dwc3-gadget-improve-dwc3_gadget_suspend-and-dwc3_gadget_resume.patch b/queue-6.1/usb-dwc3-gadget-improve-dwc3_gadget_suspend-and-dwc3_gadget_resume.patch new file mode 100644 index 00000000000..62c3c6ebf24 --- /dev/null +++ b/queue-6.1/usb-dwc3-gadget-improve-dwc3_gadget_suspend-and-dwc3_gadget_resume.patch @@ -0,0 +1,137 @@ +From c8540870af4ce6ddeb27a7bb5498b75fb29b643c Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Wed, 3 May 2023 14:00:48 +0300 +Subject: usb: dwc3: gadget: Improve dwc3_gadget_suspend() and dwc3_gadget_resume() + +From: Roger Quadros + +commit c8540870af4ce6ddeb27a7bb5498b75fb29b643c upstream. + +Prevent -ETIMEDOUT error on .suspend(). +e.g. If gadget driver is loaded and we are connected to a USB host, +all transfers must be stopped before stopping the controller else +we will not get a clean stop i.e. dwc3_gadget_run_stop() will take +several seconds to complete and will return -ETIMEDOUT. + +Handle error cases properly in dwc3_gadget_suspend(). +Simplify dwc3_gadget_resume() by using the introduced helper function. + +Fixes: 9f8a67b65a49 ("usb: dwc3: gadget: fix gadget suspend/resume") +Cc: stable@vger.kernel.org +Suggested-by: Thinh Nguyen +Signed-off-by: Roger Quadros +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20230503110048.30617-1-rogerq@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 67 +++++++++++++++++++++++----------------------- + 1 file changed, 34 insertions(+), 33 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2587,6 +2587,21 @@ static int dwc3_gadget_soft_disconnect(s + return ret; + } + ++static int dwc3_gadget_soft_connect(struct dwc3 *dwc) ++{ ++ /* ++ * In the Synopsys DWC_usb31 1.90a programming guide section ++ * 4.1.9, it specifies that for a reconnect after a ++ * device-initiated disconnect requires a core soft reset ++ * (DCTL.CSftRst) before enabling the run/stop bit. ++ */ ++ dwc3_core_soft_reset(dwc); ++ ++ dwc3_event_buffers_setup(dwc); ++ __dwc3_gadget_start(dwc); ++ return dwc3_gadget_run_stop(dwc, true); ++} ++ + static int dwc3_gadget_pullup(struct usb_gadget *g, int is_on) + { + struct dwc3 *dwc = gadget_to_dwc(g); +@@ -2625,21 +2640,10 @@ static int dwc3_gadget_pullup(struct usb + + synchronize_irq(dwc->irq_gadget); + +- if (!is_on) { ++ if (!is_on) + ret = dwc3_gadget_soft_disconnect(dwc); +- } else { +- /* +- * In the Synopsys DWC_usb31 1.90a programming guide section +- * 4.1.9, it specifies that for a reconnect after a +- * device-initiated disconnect requires a core soft reset +- * (DCTL.CSftRst) before enabling the run/stop bit. +- */ +- dwc3_core_soft_reset(dwc); +- +- dwc3_event_buffers_setup(dwc); +- __dwc3_gadget_start(dwc); +- ret = dwc3_gadget_run_stop(dwc, true); +- } ++ else ++ ret = dwc3_gadget_soft_connect(dwc); + + pm_runtime_put(dwc->dev); + +@@ -4555,42 +4559,39 @@ void dwc3_gadget_exit(struct dwc3 *dwc) + int dwc3_gadget_suspend(struct dwc3 *dwc) + { + unsigned long flags; ++ int ret; + + if (!dwc->gadget_driver) + return 0; + +- dwc3_gadget_run_stop(dwc, false); ++ ret = dwc3_gadget_soft_disconnect(dwc); ++ if (ret) ++ goto err; + + spin_lock_irqsave(&dwc->lock, flags); + dwc3_disconnect_gadget(dwc); +- __dwc3_gadget_stop(dwc); + spin_unlock_irqrestore(&dwc->lock, flags); + + return 0; ++ ++err: ++ /* ++ * Attempt to reset the controller's state. Likely no ++ * communication can be established until the host ++ * performs a port reset. ++ */ ++ if (dwc->softconnect) ++ dwc3_gadget_soft_connect(dwc); ++ ++ return ret; + } + + int dwc3_gadget_resume(struct dwc3 *dwc) + { +- int ret; +- + if (!dwc->gadget_driver || !dwc->softconnect) + return 0; + +- ret = __dwc3_gadget_start(dwc); +- if (ret < 0) +- goto err0; +- +- ret = dwc3_gadget_run_stop(dwc, true); +- if (ret < 0) +- goto err1; +- +- return 0; +- +-err1: +- __dwc3_gadget_stop(dwc); +- +-err0: +- return ret; ++ return dwc3_gadget_soft_connect(dwc); + } + + void dwc3_gadget_process_pending_events(struct dwc3 *dwc) diff --git a/queue-6.1/usb-gadget-u_ether-fix-host-mac-address-case.patch b/queue-6.1/usb-gadget-u_ether-fix-host-mac-address-case.patch new file mode 100644 index 00000000000..bd1602cbcf2 --- /dev/null +++ b/queue-6.1/usb-gadget-u_ether-fix-host-mac-address-case.patch @@ -0,0 +1,58 @@ +From 3c0f4f09c063e143822393d99cb2b19a85451c07 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Konrad=20Gr=C3=A4fe?= +Date: Fri, 5 May 2023 16:36:40 +0200 +Subject: usb: gadget: u_ether: Fix host MAC address case +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Konrad Gräfe + +commit 3c0f4f09c063e143822393d99cb2b19a85451c07 upstream. + +The CDC-ECM specification [1] requires to send the host MAC address as +an uppercase hexadecimal string in chapter "5.4 Ethernet Networking +Functional Descriptor": + The Unicode character is chosen from the set of values 30h through + 39h and 41h through 46h (0-9 and A-F). + +However, snprintf(.., "%pm", ..) generates a lowercase MAC address +string. While most host drivers are tolerant to this, UsbNcm.sys on +Windows 10 is not. Instead it uses a different MAC address with all +bytes set to zero including and after the first byte containing a +lowercase letter. On Windows 11 Microsoft fixed it, but apparently they +did not backport the fix. + +This change fixes the issue by upper-casing the MAC to comply with the +specification. + +[1]: https://www.usb.org/document-library/class-definitions-communication-devices-12, file ECM120.pdf + +Fixes: bcd4a1c40bee ("usb: gadget: u_ether: construct with default values and add setters/getters") +Cc: stable@vger.kernel.org +Signed-off-by: Konrad Gräfe +Link: https://lore.kernel.org/r/20230505143640.443014-1-k.graefe@gateware.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/u_ether.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/gadget/function/u_ether.c ++++ b/drivers/usb/gadget/function/u_ether.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + #include "u_ether.h" + +@@ -978,6 +979,8 @@ int gether_get_host_addr_cdc(struct net_ + dev = netdev_priv(net); + snprintf(host_addr, len, "%pm", dev->host_mac); + ++ string_upper(host_addr, host_addr); ++ + return strlen(host_addr); + } + EXPORT_SYMBOL_GPL(gether_get_host_addr_cdc); diff --git a/queue-6.1/usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch b/queue-6.1/usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch new file mode 100644 index 00000000000..125ea91f380 --- /dev/null +++ b/queue-6.1/usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch @@ -0,0 +1,108 @@ +From a398d5eac6984316e71474e25b975688f282379b Mon Sep 17 00:00:00 2001 +From: Maxime Bizon +Date: Fri, 5 May 2023 13:47:59 +0200 +Subject: usb-storage: fix deadlock when a scsi command timeouts more than once + +From: Maxime Bizon + +commit a398d5eac6984316e71474e25b975688f282379b upstream. + +With faulty usb-storage devices, read/write can timeout, in that case +the SCSI layer will abort and re-issue the command. USB storage has no +internal timeout, it relies on SCSI layer aborting commands via +.eh_abort_handler() for non those responsive devices. + +After two consecutive timeouts of the same command, SCSI layer calls +.eh_device_reset_handler(), without calling .eh_abort_handler() first. + +With usb-storage, this causes a deadlock: + + -> .eh_device_reset_handler + -> device_reset + -> mutex_lock(&(us->dev_mutex)); + +mutex already by usb_stor_control_thread(), which is waiting for +command completion: + + -> usb_stor_control_thread (mutex taken here) + -> usb_stor_invoke_transport + -> usb_stor_Bulk_transport + -> usb_stor_bulk_srb + -> usb_stor_bulk_transfer_sglist + -> usb_sg_wait + +Make sure we cancel any pending command in .eh_device_reset_handler() +to avoid this. + +Signed-off-by: Maxime Bizon +Cc: linux-usb@vger.kernel.org +Cc: stable +Link: https://lore.kernel.org/all/ZEllnjMKT8ulZbJh@sakura/ +Reviewed-by: Alan Stern +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20230505114759.1189741-1-mbizon@freebox.fr +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/scsiglue.c | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +--- a/drivers/usb/storage/scsiglue.c ++++ b/drivers/usb/storage/scsiglue.c +@@ -406,22 +406,25 @@ static DEF_SCSI_QCMD(queuecommand) + ***********************************************************************/ + + /* Command timeout and abort */ +-static int command_abort(struct scsi_cmnd *srb) ++static int command_abort_matching(struct us_data *us, struct scsi_cmnd *srb_match) + { +- struct us_data *us = host_to_us(srb->device->host); +- +- usb_stor_dbg(us, "%s called\n", __func__); +- + /* + * us->srb together with the TIMED_OUT, RESETTING, and ABORTING + * bits are protected by the host lock. + */ + scsi_lock(us_to_host(us)); + +- /* Is this command still active? */ +- if (us->srb != srb) { ++ /* is there any active pending command to abort ? */ ++ if (!us->srb) { + scsi_unlock(us_to_host(us)); + usb_stor_dbg(us, "-- nothing to abort\n"); ++ return SUCCESS; ++ } ++ ++ /* Does the command match the passed srb if any ? */ ++ if (srb_match && us->srb != srb_match) { ++ scsi_unlock(us_to_host(us)); ++ usb_stor_dbg(us, "-- pending command mismatch\n"); + return FAILED; + } + +@@ -444,6 +447,14 @@ static int command_abort(struct scsi_cmn + return SUCCESS; + } + ++static int command_abort(struct scsi_cmnd *srb) ++{ ++ struct us_data *us = host_to_us(srb->device->host); ++ ++ usb_stor_dbg(us, "%s called\n", __func__); ++ return command_abort_matching(us, srb); ++} ++ + /* + * This invokes the transport reset mechanism to reset the state of the + * device +@@ -455,6 +466,9 @@ static int device_reset(struct scsi_cmnd + + usb_stor_dbg(us, "%s called\n", __func__); + ++ /* abort any pending command before reset */ ++ command_abort_matching(us, NULL); ++ + /* lock the device pointers and do the reset */ + mutex_lock(&(us->dev_mutex)); + result = us->transport_reset(us); diff --git a/queue-6.1/usb-typec-altmodes-displayport-fix-pin_assignment_show.patch b/queue-6.1/usb-typec-altmodes-displayport-fix-pin_assignment_show.patch new file mode 100644 index 00000000000..6fb8f0a2478 --- /dev/null +++ b/queue-6.1/usb-typec-altmodes-displayport-fix-pin_assignment_show.patch @@ -0,0 +1,53 @@ +From d8f28269dd4bf9b55c3fb376ae31512730a96fce Mon Sep 17 00:00:00 2001 +From: Badhri Jagan Sridharan +Date: Mon, 8 May 2023 21:44:43 +0000 +Subject: usb: typec: altmodes/displayport: fix pin_assignment_show + +From: Badhri Jagan Sridharan + +commit d8f28269dd4bf9b55c3fb376ae31512730a96fce upstream. + +This patch fixes negative indexing of buf array in pin_assignment_show +when get_current_pin_assignments returns 0 i.e. no compatible pin +assignments are found. + +BUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c +... +Call trace: +dump_backtrace+0x110/0x204 +dump_stack_lvl+0x84/0xbc +print_report+0x358/0x974 +kasan_report+0x9c/0xfc +__do_kernel_fault+0xd4/0x2d4 +do_bad_area+0x48/0x168 +do_tag_check_fault+0x24/0x38 +do_mem_abort+0x6c/0x14c +el1_abort+0x44/0x68 +el1h_64_sync_handler+0x64/0xa4 +el1h_64_sync+0x78/0x7c +pin_assignment_show+0x26c/0x33c +dev_attr_show+0x50/0xc0 + +Fixes: 0e3bb7d6894d ("usb: typec: Add driver for DisplayPort alternate mode") +Cc: stable@vger.kernel.org +Signed-off-by: Badhri Jagan Sridharan +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20230508214443.893436-1-badhri@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/altmodes/displayport.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/typec/altmodes/displayport.c ++++ b/drivers/usb/typec/altmodes/displayport.c +@@ -513,6 +513,10 @@ static ssize_t pin_assignment_show(struc + + mutex_unlock(&dp->lock); + ++ /* get_current_pin_assignments can return 0 when no matching pin assignments are found */ ++ if (len == 0) ++ len++; ++ + buf[len - 1] = '\n'; + return len; + } diff --git a/queue-6.1/usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch b/queue-6.1/usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch new file mode 100644 index 00000000000..9088bc78a18 --- /dev/null +++ b/queue-6.1/usb-uhci-adjust-zhaoxin-uhci-controllers-overcurrent-bit-value.patch @@ -0,0 +1,44 @@ +From dddb342b5b9e482bb213aecc08cbdb201ea4f8da Mon Sep 17 00:00:00 2001 +From: Weitao Wang +Date: Sun, 23 Apr 2023 18:59:52 +0800 +Subject: USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value + +From: Weitao Wang + +commit dddb342b5b9e482bb213aecc08cbdb201ea4f8da upstream. + +OverCurrent condition is not standardized in the UHCI spec. +Zhaoxin UHCI controllers report OverCurrent bit active off. +In order to handle OverCurrent condition correctly, the uhci-hcd +driver needs to be told to expect the active-off behavior. + +Suggested-by: Alan Stern +Cc: stable@vger.kernel.org +Signed-off-by: Weitao Wang +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20230423105952.4526-1-WeitaoWang-oc@zhaoxin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/uhci-pci.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/usb/host/uhci-pci.c ++++ b/drivers/usb/host/uhci-pci.c +@@ -119,11 +119,13 @@ static int uhci_pci_init(struct usb_hcd + + uhci->rh_numports = uhci_count_ports(hcd); + +- /* Intel controllers report the OverCurrent bit active on. +- * VIA controllers report it active off, so we'll adjust the +- * bit value. (It's not standardized in the UHCI spec.) ++ /* ++ * Intel controllers report the OverCurrent bit active on. VIA ++ * and ZHAOXIN controllers report it active off, so we'll adjust ++ * the bit value. (It's not standardized in the UHCI spec.) + */ +- if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_VIA) ++ if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_VIA || ++ to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_ZHAOXIN) + uhci->oc_low = 1; + + /* HP's server management chip requires a longer port reset delay. */ diff --git a/queue-6.1/usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch b/queue-6.1/usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch new file mode 100644 index 00000000000..2764c7e72bd --- /dev/null +++ b/queue-6.1/usb-usbtmc-fix-direction-for-0-length-ioctl-control-messages.patch @@ -0,0 +1,64 @@ +From 94d25e9128988c6a1fc9070f6e98215a95795bd8 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 1 May 2023 14:22:35 -0400 +Subject: USB: usbtmc: Fix direction for 0-length ioctl control messages + +From: Alan Stern + +commit 94d25e9128988c6a1fc9070f6e98215a95795bd8 upstream. + +The syzbot fuzzer found a problem in the usbtmc driver: When a user +submits an ioctl for a 0-length control transfer, the driver does not +check that the direction is set to OUT: + +------------[ cut here ]------------ +usb 3-1: BOGUS control dir, pipe 80000b80 doesn't match bRequestType fd +WARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 +Modules linked in: +CPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 +RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 +Code: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb <0f> 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41 +RSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000 +RDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001 +RBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528 +R13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100 +FS: 0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58 + usb_internal_control_msg drivers/usb/core/message.c:102 [inline] + usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153 + usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline] + usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097 + +To fix this, we must override the direction in the bRequestType field +of the control request structure when the length is 0. + +Reported-and-tested-by: syzbot+ce77725b89b7bd52425c@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/linux-usb/000000000000716a3705f9adb8ee@google.com/ +CC: +Link: https://lore.kernel.org/r/ede1ee02-b718-49e7-a44c-51339fec706b@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/usbtmc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/class/usbtmc.c ++++ b/drivers/usb/class/usbtmc.c +@@ -1928,6 +1928,8 @@ static int usbtmc_ioctl_request(struct u + + if (request.req.wLength > USBTMC_BUFSIZE) + return -EMSGSIZE; ++ if (request.req.wLength == 0) /* Length-0 requests are never IN */ ++ request.req.bRequestType &= ~USB_DIR_IN; + + is_in = request.req.bRequestType & USB_DIR_IN; + diff --git a/queue-6.1/vc_screen-reload-load-of-struct-vc_data-pointer-in-vcs_write-to-avoid-uaf.patch b/queue-6.1/vc_screen-reload-load-of-struct-vc_data-pointer-in-vcs_write-to-avoid-uaf.patch new file mode 100644 index 00000000000..5d470591365 --- /dev/null +++ b/queue-6.1/vc_screen-reload-load-of-struct-vc_data-pointer-in-vcs_write-to-avoid-uaf.patch @@ -0,0 +1,113 @@ +From 8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357 Mon Sep 17 00:00:00 2001 +From: George Kennedy +Date: Fri, 12 May 2023 06:08:48 -0500 +Subject: vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: George Kennedy + +commit 8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357 upstream. + +After a call to console_unlock() in vcs_write() the vc_data struct can be +freed by vc_port_destruct(). Because of that, the struct vc_data pointer +must be reloaded in the while loop in vcs_write() after console_lock() to +avoid a UAF when vcs_size() is called. + +Syzkaller reported a UAF in vcs_size(). + +BUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215) +Read of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119 + +Call Trace: + +__asan_report_load4_noabort (mm/kasan/report_generic.c:380) +vcs_size (drivers/tty/vt/vc_screen.c:215) +vcs_write (drivers/tty/vt/vc_screen.c:664) +vfs_write (fs/read_write.c:582 fs/read_write.c:564) +... + + +Allocated by task 1213: +kmalloc_trace (mm/slab_common.c:1064) +vc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680 + drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058) +con_install (drivers/tty/vt/vt.c:3334) +tty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415 + drivers/tty/tty_io.c:1392) +tty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128) +chrdev_open (fs/char_dev.c:415) +do_dentry_open (fs/open.c:921) +vfs_open (fs/open.c:1052) +... + +Freed by task 4116: +kfree (mm/slab_common.c:1016) +vc_port_destruct (drivers/tty/vt/vt.c:1044) +tty_port_destructor (drivers/tty/tty_port.c:296) +tty_port_put (drivers/tty/tty_port.c:312) +vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2)) +vt_ioctl (drivers/tty/vt/vt_ioctl.c:903) +tty_ioctl (drivers/tty/tty_io.c:2778) +... + +The buggy address belongs to the object at ffff8880beab8800 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 424 bytes inside of + freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00) + +The buggy address belongs to the physical page: +page:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000 + index:0x0 pfn:0xbeab8 +head:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0 + pincount:0 +flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) +page_type: 0xffffffff() +raw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002 +raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== +Disabling lock debugging due to kernel taint + +Fixes: ac751efa6a0d ("console: rename acquire/release_console_sem() to console_lock/unlock()") +Cc: stable +Reported-by: syzkaller +Signed-off-by: George Kennedy +Reviewed-by: Thomas Weißschuh +Link: https://lore.kernel.org/r/1683889728-10411-1-git-send-email-george.kennedy@oracle.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/vt/vc_screen.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/tty/vt/vc_screen.c ++++ b/drivers/tty/vt/vc_screen.c +@@ -656,10 +656,17 @@ vcs_write(struct file *file, const char + } + } + +- /* The vcs_size might have changed while we slept to grab +- * the user buffer, so recheck. ++ /* The vc might have been freed or vcs_size might have changed ++ * while we slept to grab the user buffer, so recheck. + * Return data written up to now on failure. + */ ++ vc = vcs_vc(inode, &viewed); ++ if (!vc) { ++ if (written) ++ break; ++ ret = -ENXIO; ++ goto unlock_out; ++ } + size = vcs_size(vc, attr, false); + if (size < 0) { + if (written) diff --git a/queue-6.1/wifi-rtw88-use-work-to-update-rate-to-avoid-rcu-warning.patch b/queue-6.1/wifi-rtw88-use-work-to-update-rate-to-avoid-rcu-warning.patch new file mode 100644 index 00000000000..5429286d123 --- /dev/null +++ b/queue-6.1/wifi-rtw88-use-work-to-update-rate-to-avoid-rcu-warning.patch @@ -0,0 +1,136 @@ +From bcafcb959a57a6890e900199690c5fc47da1a304 Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Mon, 8 May 2023 16:54:29 +0800 +Subject: wifi: rtw88: use work to update rate to avoid RCU warning + +From: Ping-Ke Shih + +commit bcafcb959a57a6890e900199690c5fc47da1a304 upstream. + +The ieee80211_ops::sta_rc_update must be atomic, because +ieee80211_chan_bw_change() holds rcu_read lock while calling +drv_sta_rc_update(), so create a work to do original things. + + Voluntary context switch within RCU read-side critical section! + WARNING: CPU: 0 PID: 4621 at kernel/rcu/tree_plugin.h:318 + rcu_note_context_switch+0x571/0x5d0 + CPU: 0 PID: 4621 Comm: kworker/u16:2 Tainted: G W OE + Workqueue: phy3 ieee80211_chswitch_work [mac80211] + RIP: 0010:rcu_note_context_switch+0x571/0x5d0 + Call Trace: + + __schedule+0xb0/0x1460 + ? __mod_timer+0x116/0x360 + schedule+0x5a/0xc0 + schedule_timeout+0x87/0x150 + ? trace_raw_output_tick_stop+0x60/0x60 + wait_for_completion_timeout+0x7b/0x140 + usb_start_wait_urb+0x82/0x160 [usbcore + usb_control_msg+0xe3/0x140 [usbcore + rtw_usb_read+0x88/0xe0 [rtw_usb + rtw_usb_read8+0xf/0x10 [rtw_usb + rtw_fw_send_h2c_command+0xa0/0x170 [rtw_core + rtw_fw_send_ra_info+0xc9/0xf0 [rtw_core + drv_sta_rc_update+0x7c/0x160 [mac80211 + ieee80211_chan_bw_change+0xfb/0x110 [mac80211 + ieee80211_change_chanctx+0x38/0x130 [mac80211 + ieee80211_vif_use_reserved_switch+0x34e/0x900 [mac80211 + ieee80211_link_use_reserved_context+0x88/0xe0 [mac80211 + ieee80211_chswitch_work+0x95/0x170 [mac80211 + process_one_work+0x201/0x410 + worker_thread+0x4a/0x3b0 + ? process_one_work+0x410/0x410 + kthread+0xe1/0x110 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x1f/0x30 + + +Cc: stable@vger.kernel.org +Fixes: c1edc86472fc ("rtw88: add ieee80211:sta_rc_update ops") +Reported-by: Larry Finger +Link: https://lore.kernel.org/linux-wireless/f1e31e8e-f84e-3791-50fb-663a83c5c6e9@lwfinger.net/T/#t +Signed-off-by: Ping-Ke Shih +Tested-by: Larry Finger +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230508085429.46653-1-pkshih@realtek.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtw88/mac80211.c | 2 +- + drivers/net/wireless/realtek/rtw88/main.c | 15 +++++++++++++++ + drivers/net/wireless/realtek/rtw88/main.h | 3 +++ + 3 files changed, 19 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/realtek/rtw88/mac80211.c ++++ b/drivers/net/wireless/realtek/rtw88/mac80211.c +@@ -891,7 +891,7 @@ static void rtw_ops_sta_rc_update(struct + struct rtw_sta_info *si = (struct rtw_sta_info *)sta->drv_priv; + + if (changed & IEEE80211_RC_BW_CHANGED) +- rtw_update_sta_info(rtwdev, si, true); ++ ieee80211_queue_work(rtwdev->hw, &si->rc_work); + } + + const struct ieee80211_ops rtw_ops = { +--- a/drivers/net/wireless/realtek/rtw88/main.c ++++ b/drivers/net/wireless/realtek/rtw88/main.c +@@ -296,6 +296,17 @@ static u8 rtw_acquire_macid(struct rtw_d + return mac_id; + } + ++static void rtw_sta_rc_work(struct work_struct *work) ++{ ++ struct rtw_sta_info *si = container_of(work, struct rtw_sta_info, ++ rc_work); ++ struct rtw_dev *rtwdev = si->rtwdev; ++ ++ mutex_lock(&rtwdev->mutex); ++ rtw_update_sta_info(rtwdev, si, true); ++ mutex_unlock(&rtwdev->mutex); ++} ++ + int rtw_sta_add(struct rtw_dev *rtwdev, struct ieee80211_sta *sta, + struct ieee80211_vif *vif) + { +@@ -306,12 +317,14 @@ int rtw_sta_add(struct rtw_dev *rtwdev, + if (si->mac_id >= RTW_MAX_MAC_ID_NUM) + return -ENOSPC; + ++ si->rtwdev = rtwdev; + si->sta = sta; + si->vif = vif; + si->init_ra_lv = 1; + ewma_rssi_init(&si->avg_rssi); + for (i = 0; i < ARRAY_SIZE(sta->txq); i++) + rtw_txq_init(rtwdev, sta->txq[i]); ++ INIT_WORK(&si->rc_work, rtw_sta_rc_work); + + rtw_update_sta_info(rtwdev, si, true); + rtw_fw_media_status_report(rtwdev, si->mac_id, true); +@@ -330,6 +343,8 @@ void rtw_sta_remove(struct rtw_dev *rtwd + struct rtw_sta_info *si = (struct rtw_sta_info *)sta->drv_priv; + int i; + ++ cancel_work_sync(&si->rc_work); ++ + rtw_release_macid(rtwdev, si->mac_id); + if (fw_exist) + rtw_fw_media_status_report(rtwdev, si->mac_id, false); +--- a/drivers/net/wireless/realtek/rtw88/main.h ++++ b/drivers/net/wireless/realtek/rtw88/main.h +@@ -734,6 +734,7 @@ struct rtw_txq { + DECLARE_EWMA(rssi, 10, 16); + + struct rtw_sta_info { ++ struct rtw_dev *rtwdev; + struct ieee80211_sta *sta; + struct ieee80211_vif *vif; + +@@ -758,6 +759,8 @@ struct rtw_sta_info { + + bool use_cfg_mask; + struct cfg80211_bitrate_mask *mask; ++ ++ struct work_struct rc_work; + }; + + enum rtw_bfee_role { diff --git a/queue-6.1/xhci-fix-incorrect-tracking-of-free-space-on-transfer-rings.patch b/queue-6.1/xhci-fix-incorrect-tracking-of-free-space-on-transfer-rings.patch new file mode 100644 index 00000000000..b94c12a3a3d --- /dev/null +++ b/queue-6.1/xhci-fix-incorrect-tracking-of-free-space-on-transfer-rings.patch @@ -0,0 +1,90 @@ +From fe82f16aafdaf8002281d3b9524291d4a4a28460 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Mon, 15 May 2023 16:40:59 +0300 +Subject: xhci: Fix incorrect tracking of free space on transfer rings + +From: Mathias Nyman + +commit fe82f16aafdaf8002281d3b9524291d4a4a28460 upstream. + +This incorrect tracking caused unnecessary ring expansion in some +usecases which over days of use consume a lot of memory. + +xhci driver tries to keep track of free transfer blocks (TRBs) on the +ring buffer, but failed to add back some cancelled transfers that were +turned into no-op operations instead of just moving past them. + +This can happen if there are several queued pending transfers which +then are cancelled in reverse order. + +Solve this by counting the numer of steps we move the dequeue pointer +once we complete a transfer, and add it to the number of free trbs +instead of just adding the trb number of the current transfer. +This way we ensure we count the no-op trbs on the way as well. + +Fixes: 55f6153d8cc8 ("xhci: remove extra loop in interrupt context") +Cc: stable@vger.kernel.org +Reported-by: Miller Hunter +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217242 +Tested-by: Miller Hunter +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20230515134059.161110-3-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-ring.c | 29 ++++++++++++++++++++++++++++- + 1 file changed, 28 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -276,6 +276,26 @@ static void inc_enq(struct xhci_hcd *xhc + trace_xhci_inc_enq(ring); + } + ++static int xhci_num_trbs_to(struct xhci_segment *start_seg, union xhci_trb *start, ++ struct xhci_segment *end_seg, union xhci_trb *end, ++ unsigned int num_segs) ++{ ++ union xhci_trb *last_on_seg; ++ int num = 0; ++ int i = 0; ++ ++ do { ++ if (start_seg == end_seg && end >= start) ++ return num + (end - start); ++ last_on_seg = &start_seg->trbs[TRBS_PER_SEGMENT - 1]; ++ num += last_on_seg - start; ++ start_seg = start_seg->next; ++ start = start_seg->trbs; ++ } while (i++ <= num_segs); ++ ++ return -EINVAL; ++} ++ + /* + * Check to see if there's room to enqueue num_trbs on the ring and make sure + * enqueue pointer will not advance into dequeue segment. See rules above. +@@ -2141,6 +2161,7 @@ static int finish_td(struct xhci_hcd *xh + u32 trb_comp_code) + { + struct xhci_ep_ctx *ep_ctx; ++ int trbs_freed; + + ep_ctx = xhci_get_ep_ctx(xhci, ep->vdev->out_ctx, ep->ep_index); + +@@ -2212,9 +2233,15 @@ static int finish_td(struct xhci_hcd *xh + } + + /* Update ring dequeue pointer */ ++ trbs_freed = xhci_num_trbs_to(ep_ring->deq_seg, ep_ring->dequeue, ++ td->last_trb_seg, td->last_trb, ++ ep_ring->num_segs); ++ if (trbs_freed < 0) ++ xhci_dbg(xhci, "Failed to count freed trbs at TD finish\n"); ++ else ++ ep_ring->num_trbs_free += trbs_freed; + ep_ring->dequeue = td->last_trb; + ep_ring->deq_seg = td->last_trb_seg; +- ep_ring->num_trbs_free += td->num_trbs - 1; + inc_deq(xhci, ep_ring); + + return xhci_td_cleanup(xhci, td, ep_ring, td->status); diff --git a/queue-6.1/xhci-pci-only-run-d3cold-avoidance-quirk-for-s2idle.patch b/queue-6.1/xhci-pci-only-run-d3cold-avoidance-quirk-for-s2idle.patch new file mode 100644 index 00000000000..8e151e61c49 --- /dev/null +++ b/queue-6.1/xhci-pci-only-run-d3cold-avoidance-quirk-for-s2idle.patch @@ -0,0 +1,77 @@ +From 2a821fc3136d5d99dcb9de152be8a052ca27d870 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Mon, 15 May 2023 16:40:58 +0300 +Subject: xhci-pci: Only run d3cold avoidance quirk for s2idle + +From: Mario Limonciello + +commit 2a821fc3136d5d99dcb9de152be8a052ca27d870 upstream. + +Donghun reports that a notebook that has an AMD Ryzen 5700U but supports +S3 has problems with USB after resuming from suspend. The issue was +bisected down to commit d1658268e439 ("usb: pci-quirks: disable D3cold on +xhci suspend for s2idle on AMD Renoir"). + +As this issue only happens on S3, narrow the broken D3cold quirk to only +run in s2idle. + +Fixes: d1658268e439 ("usb: pci-quirks: disable D3cold on xhci suspend for s2idle on AMD Renoir") +Reported-and-tested-by: Donghun Yoon +Cc: stable@vger.kernel.org +Signed-off-by: Mario Limonciello +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20230515134059.161110-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-pci.c | 12 ++++++++++-- + drivers/usb/host/xhci.h | 2 +- + 2 files changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + + #include "xhci.h" + #include "xhci-trace.h" +@@ -194,7 +195,7 @@ static void xhci_pci_quirks(struct devic + + if (pdev->vendor == PCI_VENDOR_ID_AMD && + pdev->device == PCI_DEVICE_ID_AMD_RENOIR_XHCI) +- xhci->quirks |= XHCI_BROKEN_D3COLD; ++ xhci->quirks |= XHCI_BROKEN_D3COLD_S2I; + + if (pdev->vendor == PCI_VENDOR_ID_INTEL) { + xhci->quirks |= XHCI_LPM_SUPPORT; +@@ -609,9 +610,16 @@ static int xhci_pci_suspend(struct usb_h + * Systems with the TI redriver that loses port status change events + * need to have the registers polled during D3, so avoid D3cold. + */ +- if (xhci->quirks & (XHCI_COMP_MODE_QUIRK | XHCI_BROKEN_D3COLD)) ++ if (xhci->quirks & XHCI_COMP_MODE_QUIRK) + pci_d3cold_disable(pdev); + ++#ifdef CONFIG_SUSPEND ++ /* d3cold is broken, but only when s2idle is used */ ++ if (pm_suspend_target_state == PM_SUSPEND_TO_IDLE && ++ xhci->quirks & (XHCI_BROKEN_D3COLD_S2I)) ++ pci_d3cold_disable(pdev); ++#endif ++ + if (xhci->quirks & XHCI_PME_STUCK_QUIRK) + xhci_pme_quirk(hcd); + +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1895,7 +1895,7 @@ struct xhci_hcd { + #define XHCI_DISABLE_SPARSE BIT_ULL(38) + #define XHCI_SG_TRB_CACHE_SIZE_QUIRK BIT_ULL(39) + #define XHCI_NO_SOFT_RETRY BIT_ULL(40) +-#define XHCI_BROKEN_D3COLD BIT_ULL(41) ++#define XHCI_BROKEN_D3COLD_S2I BIT_ULL(41) + #define XHCI_EP_CTX_BROKEN_DCS BIT_ULL(42) + #define XHCI_SUSPEND_RESUME_CLKS BIT_ULL(43) + #define XHCI_RESET_TO_DEFAULT BIT_ULL(44)