From: Greg Kroah-Hartman Date: Mon, 18 Oct 2021 10:02:29 +0000 (+0200) Subject: 5.14-stable patches X-Git-Tag: v4.14.252~26 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=58386e59776cfe152fa62439cba350812c6f279b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.14-stable patches added patches: cb710-avoid-null-pointer-subtraction.patch edac-armada-xp-fix-output-of-uncorrectable-error-counter.patch efi-change-down_interruptible-in-virt_efi_reset_system-to-down_trylock.patch efi-cper-use-stack-buffer-for-error-record-decoding.patch input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch mei-hbm-drop-hbm-responses-on-early-shutdown.patch mei-me-add-ice-lake-n-device-id.patch misc-fastrpc-add-missing-lock-before-accessing-find_vma.patch nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch revert-virtio-blk-add-validation-for-block-size-in-config-space.patch usb-musb-dsps-fix-the-probe-error-path.patch usb-serial-option-add-prod.-id-for-quectel-eg91.patch usb-serial-option-add-quectel-ec200s-cn-module-support.patch usb-serial-option-add-telit-le910cx-composition-0x1204.patch usb-serial-qcserial-add-em9191-qdl-support.patch usb-xhci-dbc-fix-tty-registration-race.patch virtio-blk-remove-unneeded-likely-statements.patch virtio-write-back-f_version_1-before-validate.patch xhci-add-quirk-for-host-controllers-that-don-t-update-endpoint-dcs.patch xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch xhci-fix-command-ring-pointer-corruption-while-aborting-a-command.patch xhci-guard-accesses-to-ep_state-in-xhci_endpoint_reset.patch --- diff --git a/queue-5.14/cb710-avoid-null-pointer-subtraction.patch b/queue-5.14/cb710-avoid-null-pointer-subtraction.patch new file mode 100644 index 00000000000..d10fa1d6b28 --- /dev/null +++ b/queue-5.14/cb710-avoid-null-pointer-subtraction.patch @@ -0,0 +1,37 @@ +From 42641042c10c757fe10cc09088cf3f436cec5007 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 27 Sep 2021 14:13:57 +0200 +Subject: cb710: avoid NULL pointer subtraction + +From: Arnd Bergmann + +commit 42641042c10c757fe10cc09088cf3f436cec5007 upstream. + +clang-14 complains about an unusual way of converting a pointer to +an integer: + +drivers/misc/cb710/sgbuf2.c:50:15: error: performing pointer subtraction with a null pointer has undefined behavior [-Werror,-Wnull-pointer-subtraction] + return ((ptr - NULL) & 3) != 0; + +Replace this with a normal cast to uintptr_t. + +Fixes: 5f5bac8272be ("mmc: Driver for CB710/720 memory card reader (MMC part)") +Cc: stable +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20210927121408.939246-1-arnd@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/cb710/sgbuf2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/cb710/sgbuf2.c ++++ b/drivers/misc/cb710/sgbuf2.c +@@ -47,7 +47,7 @@ static inline bool needs_unaligned_copy( + #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS + return false; + #else +- return ((ptr - NULL) & 3) != 0; ++ return ((uintptr_t)ptr & 3) != 0; + #endif + } + diff --git a/queue-5.14/edac-armada-xp-fix-output-of-uncorrectable-error-counter.patch b/queue-5.14/edac-armada-xp-fix-output-of-uncorrectable-error-counter.patch new file mode 100644 index 00000000000..45cb6b484f0 --- /dev/null +++ b/queue-5.14/edac-armada-xp-fix-output-of-uncorrectable-error-counter.patch @@ -0,0 +1,39 @@ +From d9b7748ffc45250b4d7bcf22404383229bc495f5 Mon Sep 17 00:00:00 2001 +From: Hans Potsch +Date: Wed, 6 Oct 2021 14:13:32 +0200 +Subject: EDAC/armada-xp: Fix output of uncorrectable error counter + +From: Hans Potsch + +commit d9b7748ffc45250b4d7bcf22404383229bc495f5 upstream. + +The number of correctable errors is displayed as uncorrectable +errors because the "SBE" error count is passed to both calls of +edac_mc_handle_error(). + +Pass the correct uncorrectable error count to the second +edac_mc_handle_error() call when logging uncorrectable errors. + + [ bp: Massage commit message. ] + +Fixes: 7f6998a41257 ("ARM: 8888/1: EDAC: Add driver for the Marvell Armada XP SDRAM and L2 cache ECC") +Signed-off-by: Hans Potsch +Signed-off-by: Borislav Petkov +Cc: +Link: https://lkml.kernel.org/r/20211006121332.58788-1-hans.potsch@nokia.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/armada_xp_edac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/edac/armada_xp_edac.c ++++ b/drivers/edac/armada_xp_edac.c +@@ -178,7 +178,7 @@ static void axp_mc_check(struct mem_ctl_ + "details unavailable (multiple errors)"); + if (cnt_dbe) + edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci, +- cnt_sbe, /* error count */ ++ cnt_dbe, /* error count */ + 0, 0, 0, /* pfn, offset, syndrome */ + -1, -1, -1, /* top, mid, low layer */ + mci->ctl_name, diff --git a/queue-5.14/efi-change-down_interruptible-in-virt_efi_reset_system-to-down_trylock.patch b/queue-5.14/efi-change-down_interruptible-in-virt_efi_reset_system-to-down_trylock.patch new file mode 100644 index 00000000000..d9ec1d88222 --- /dev/null +++ b/queue-5.14/efi-change-down_interruptible-in-virt_efi_reset_system-to-down_trylock.patch @@ -0,0 +1,67 @@ +From 38fa3206bf441911258e5001ac8b6738693f8d82 Mon Sep 17 00:00:00 2001 +From: Zhang Jianhua +Date: Thu, 23 Sep 2021 10:53:40 +0800 +Subject: efi: Change down_interruptible() in virt_efi_reset_system() to down_trylock() + +From: Zhang Jianhua + +commit 38fa3206bf441911258e5001ac8b6738693f8d82 upstream. + +While reboot the system by sysrq, the following bug will be occur. + +BUG: sleeping function called from invalid context at kernel/locking/semaphore.c:90 +in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 10052, name: rc.shutdown +CPU: 3 PID: 10052 Comm: rc.shutdown Tainted: G W O 5.10.0 #1 +Call trace: + dump_backtrace+0x0/0x1c8 + show_stack+0x18/0x28 + dump_stack+0xd0/0x110 + ___might_sleep+0x14c/0x160 + __might_sleep+0x74/0x88 + down_interruptible+0x40/0x118 + virt_efi_reset_system+0x3c/0xd0 + efi_reboot+0xd4/0x11c + machine_restart+0x60/0x9c + emergency_restart+0x1c/0x2c + sysrq_handle_reboot+0x1c/0x2c + __handle_sysrq+0xd0/0x194 + write_sysrq_trigger+0xbc/0xe4 + proc_reg_write+0xd4/0xf0 + vfs_write+0xa8/0x148 + ksys_write+0x6c/0xd8 + __arm64_sys_write+0x18/0x28 + el0_svc_common.constprop.3+0xe4/0x16c + do_el0_svc+0x1c/0x2c + el0_svc+0x20/0x30 + el0_sync_handler+0x80/0x17c + el0_sync+0x158/0x180 + +The reason for this problem is that irq has been disabled in +machine_restart() and then it calls down_interruptible() in +virt_efi_reset_system(), which would occur sleep in irq context, +it is dangerous! Commit 99409b935c9a("locking/semaphore: Add +might_sleep() to down_*() family") add might_sleep() in +down_interruptible(), so the bug info is here. down_trylock() +can solve this problem, cause there is no might_sleep. + +-------- + +Cc: +Signed-off-by: Zhang Jianhua +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/runtime-wrappers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firmware/efi/runtime-wrappers.c ++++ b/drivers/firmware/efi/runtime-wrappers.c +@@ -414,7 +414,7 @@ static void virt_efi_reset_system(int re + unsigned long data_size, + efi_char16_t *data) + { +- if (down_interruptible(&efi_runtime_lock)) { ++ if (down_trylock(&efi_runtime_lock)) { + pr_warn("failed to invoke the reset_system() runtime service:\n" + "could not get exclusive access to the firmware\n"); + return; diff --git a/queue-5.14/efi-cper-use-stack-buffer-for-error-record-decoding.patch b/queue-5.14/efi-cper-use-stack-buffer-for-error-record-decoding.patch new file mode 100644 index 00000000000..27aee7e078b --- /dev/null +++ b/queue-5.14/efi-cper-use-stack-buffer-for-error-record-decoding.patch @@ -0,0 +1,50 @@ +From b3a72ca80351917cc23f9e24c35f3c3979d3c121 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 1 Sep 2021 08:33:19 +0200 +Subject: efi/cper: use stack buffer for error record decoding + +From: Ard Biesheuvel + +commit b3a72ca80351917cc23f9e24c35f3c3979d3c121 upstream. + +Joe reports that using a statically allocated buffer for converting CPER +error records into human readable text is probably a bad idea. Even +though we are not aware of any actual issues, a stack buffer is clearly +a better choice here anyway, so let's move the buffer into the stack +frames of the two functions that refer to it. + +Cc: +Reported-by: Joe Perches +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/cper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/firmware/efi/cper.c ++++ b/drivers/firmware/efi/cper.c +@@ -25,8 +25,6 @@ + #include + #include + +-static char rcd_decode_str[CPER_REC_LEN]; +- + /* + * CPER record ID need to be unique even after reboot, because record + * ID is used as index for ERST storage, while CPER records from +@@ -313,6 +311,7 @@ const char *cper_mem_err_unpack(struct t + struct cper_mem_err_compact *cmem) + { + const char *ret = trace_seq_buffer_ptr(p); ++ char rcd_decode_str[CPER_REC_LEN]; + + if (cper_mem_err_location(cmem, rcd_decode_str)) + trace_seq_printf(p, "%s", rcd_decode_str); +@@ -327,6 +326,7 @@ static void cper_print_mem(const char *p + int len) + { + struct cper_mem_err_compact cmem; ++ char rcd_decode_str[CPER_REC_LEN]; + + /* Don't trust UEFI 2.1/2.2 structure with bad validation bits */ + if (len == sizeof(struct cper_sec_mem_err_old) && diff --git a/queue-5.14/input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch b/queue-5.14/input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch new file mode 100644 index 00000000000..d720c363bc1 --- /dev/null +++ b/queue-5.14/input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch @@ -0,0 +1,39 @@ +From 3378a07daa6cdd11e042797454c706d1c69f9ca6 Mon Sep 17 00:00:00 2001 +From: Michael Cullen +Date: Fri, 15 Oct 2021 13:17:50 -0700 +Subject: Input: xpad - add support for another USB ID of Nacon GC-100 + +From: Michael Cullen + +commit 3378a07daa6cdd11e042797454c706d1c69f9ca6 upstream. + +The Nacon GX100XF is already mapped, but it seems there is a Nacon +GC-100 (identified as NC5136Wht PCGC-100WHITE though I believe other +colours exist) with a different USB ID when in XInput mode. + +Signed-off-by: Michael Cullen +Link: https://lore.kernel.org/r/20211015192051.5196-1-michael@michaelcullen.name +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joystick/xpad.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -334,6 +334,7 @@ static const struct xpad_device { + { 0x24c6, 0x5b03, "Thrustmaster Ferrari 458 Racing Wheel", 0, XTYPE_XBOX360 }, + { 0x24c6, 0x5d04, "Razer Sabertooth", 0, XTYPE_XBOX360 }, + { 0x24c6, 0xfafe, "Rock Candy Gamepad for Xbox 360", 0, XTYPE_XBOX360 }, ++ { 0x3285, 0x0607, "Nacon GC-100", 0, XTYPE_XBOX360 }, + { 0x3767, 0x0101, "Fanatec Speedster 3 Forceshock Wheel", 0, XTYPE_XBOX }, + { 0xffff, 0xffff, "Chinese-made Xbox Controller", 0, XTYPE_XBOX }, + { 0x0000, 0x0000, "Generic X-Box pad", 0, XTYPE_UNKNOWN } +@@ -451,6 +452,7 @@ static const struct usb_device_id xpad_t + XPAD_XBOXONE_VENDOR(0x24c6), /* PowerA Controllers */ + XPAD_XBOXONE_VENDOR(0x2e24), /* Hyperkin Duke X-Box One pad */ + XPAD_XBOX360_VENDOR(0x2f24), /* GameSir Controllers */ ++ XPAD_XBOX360_VENDOR(0x3285), /* Nacon GC-100 */ + { } + }; + diff --git a/queue-5.14/mei-hbm-drop-hbm-responses-on-early-shutdown.patch b/queue-5.14/mei-hbm-drop-hbm-responses-on-early-shutdown.patch new file mode 100644 index 00000000000..2e669117ea2 --- /dev/null +++ b/queue-5.14/mei-hbm-drop-hbm-responses-on-early-shutdown.patch @@ -0,0 +1,69 @@ +From 6d7163f2c49fda5658e43105a96b555c89a4548d Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Wed, 13 Oct 2021 10:45:52 +0300 +Subject: mei: hbm: drop hbm responses on early shutdown + +From: Alexander Usyskin + +commit 6d7163f2c49fda5658e43105a96b555c89a4548d upstream. + +Drop HBM responses also in the early shutdown phase where +the usual traffic is allowed. +Extend the rule that drop HBM responses received during the shutdown phase +by also in MEI_DEV_POWERING_DOWN state. +This resolves the stall if the driver is stopping in the middle +of the link init or link reset. + +Fixes: da3eb47c90d4 ("mei: hbm: drop hbm responses on shutdown") +Fixes: 36edb1407c3c ("mei: allow clients on bus to communicate in remove callback") +Cc: # v5.12+ +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Link: https://lore.kernel.org/r/20211013074552.2278419-1-tomas.winkler@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mei/hbm.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/misc/mei/hbm.c ++++ b/drivers/misc/mei/hbm.c +@@ -1298,7 +1298,8 @@ int mei_hbm_dispatch(struct mei_device * + + if (dev->dev_state != MEI_DEV_INIT_CLIENTS || + dev->hbm_state != MEI_HBM_STARTING) { +- if (dev->dev_state == MEI_DEV_POWER_DOWN) { ++ if (dev->dev_state == MEI_DEV_POWER_DOWN || ++ dev->dev_state == MEI_DEV_POWERING_DOWN) { + dev_dbg(dev->dev, "hbm: start: on shutdown, ignoring\n"); + return 0; + } +@@ -1381,7 +1382,8 @@ int mei_hbm_dispatch(struct mei_device * + + if (dev->dev_state != MEI_DEV_INIT_CLIENTS || + dev->hbm_state != MEI_HBM_DR_SETUP) { +- if (dev->dev_state == MEI_DEV_POWER_DOWN) { ++ if (dev->dev_state == MEI_DEV_POWER_DOWN || ++ dev->dev_state == MEI_DEV_POWERING_DOWN) { + dev_dbg(dev->dev, "hbm: dma setup response: on shutdown, ignoring\n"); + return 0; + } +@@ -1448,7 +1450,8 @@ int mei_hbm_dispatch(struct mei_device * + + if (dev->dev_state != MEI_DEV_INIT_CLIENTS || + dev->hbm_state != MEI_HBM_CLIENT_PROPERTIES) { +- if (dev->dev_state == MEI_DEV_POWER_DOWN) { ++ if (dev->dev_state == MEI_DEV_POWER_DOWN || ++ dev->dev_state == MEI_DEV_POWERING_DOWN) { + dev_dbg(dev->dev, "hbm: properties response: on shutdown, ignoring\n"); + return 0; + } +@@ -1490,7 +1493,8 @@ int mei_hbm_dispatch(struct mei_device * + + if (dev->dev_state != MEI_DEV_INIT_CLIENTS || + dev->hbm_state != MEI_HBM_ENUM_CLIENTS) { +- if (dev->dev_state == MEI_DEV_POWER_DOWN) { ++ if (dev->dev_state == MEI_DEV_POWER_DOWN || ++ dev->dev_state == MEI_DEV_POWERING_DOWN) { + dev_dbg(dev->dev, "hbm: enumeration response: on shutdown, ignoring\n"); + return 0; + } diff --git a/queue-5.14/mei-me-add-ice-lake-n-device-id.patch b/queue-5.14/mei-me-add-ice-lake-n-device-id.patch new file mode 100644 index 00000000000..2684d861dc5 --- /dev/null +++ b/queue-5.14/mei-me-add-ice-lake-n-device-id.patch @@ -0,0 +1,44 @@ +From 75c10c5e7a715550afdd51ef8cfd1d975f48f9e1 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Fri, 1 Oct 2021 20:36:44 +0300 +Subject: mei: me: add Ice Lake-N device id. + +From: Andy Shevchenko + +commit 75c10c5e7a715550afdd51ef8cfd1d975f48f9e1 upstream. + +Add Ice Lake-N device ID. + +The device can be found on MacBookPro16,2 [1]. + +[1]: https://linux-hardware.org/?probe=f1c5cf0c43 + +Signed-off-by: Andy Shevchenko +Cc: stable +Link: https://lore.kernel.org/r/20211001173644.16068-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mei/hw-me-regs.h | 1 + + drivers/misc/mei/pci-me.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/misc/mei/hw-me-regs.h ++++ b/drivers/misc/mei/hw-me-regs.h +@@ -92,6 +92,7 @@ + #define MEI_DEV_ID_CDF 0x18D3 /* Cedar Fork */ + + #define MEI_DEV_ID_ICP_LP 0x34E0 /* Ice Lake Point LP */ ++#define MEI_DEV_ID_ICP_N 0x38E0 /* Ice Lake Point N */ + + #define MEI_DEV_ID_JSP_N 0x4DE0 /* Jasper Lake Point N */ + +--- a/drivers/misc/mei/pci-me.c ++++ b/drivers/misc/mei/pci-me.c +@@ -96,6 +96,7 @@ static const struct pci_device_id mei_me + {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_H_3, MEI_ME_PCH8_ITOUCH_CFG)}, + + {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)}, ++ {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_N, MEI_ME_PCH12_CFG)}, + + {MEI_PCI_DEVICE(MEI_DEV_ID_TGP_LP, MEI_ME_PCH15_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_TGP_H, MEI_ME_PCH15_SPS_CFG)}, diff --git a/queue-5.14/misc-fastrpc-add-missing-lock-before-accessing-find_vma.patch b/queue-5.14/misc-fastrpc-add-missing-lock-before-accessing-find_vma.patch new file mode 100644 index 00000000000..d1b80829932 --- /dev/null +++ b/queue-5.14/misc-fastrpc-add-missing-lock-before-accessing-find_vma.patch @@ -0,0 +1,61 @@ +From f9a470db2736b01538ad193c316eb3f26be37d58 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Wed, 22 Sep 2021 16:43:26 +0100 +Subject: misc: fastrpc: Add missing lock before accessing find_vma() + +From: Srinivas Kandagatla + +commit f9a470db2736b01538ad193c316eb3f26be37d58 upstream. + +fastrpc driver is using find_vma() without any protection, as a +result we see below warning due to recent patch 5b78ed24e8ec +("mm/pagemap: add mmap_assert_locked() annotations to find_vma*()") +which added mmap_assert_locked() in find_vma() function. + +This bug went un-noticed in previous versions. Fix this issue by adding +required protection while calling find_vma(). + +CPU: 0 PID: 209746 Comm: benchmark_model Not tainted 5.15.0-rc2-00445-ge14fe2bf817a-dirty #969 +Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) +pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : find_vma+0x64/0xd0 +lr : find_vma+0x60/0xd0 +sp : ffff8000158ebc40 +... + +Call trace: + find_vma+0x64/0xd0 + fastrpc_internal_invoke+0x570/0xda8 + fastrpc_device_ioctl+0x3e0/0x928 + __arm64_sys_ioctl+0xac/0xf0 + invoke_syscall+0x44/0x100 + el0_svc_common.constprop.3+0x70/0xf8 + do_el0_svc+0x24/0x88 + el0_svc+0x3c/0x138 + el0t_64_sync_handler+0x90/0xb8 + el0t_64_sync+0x180/0x184 + +Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP") +Cc: stable@vger.kernel.org +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20210922154326.8927-1-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -814,10 +814,12 @@ static int fastrpc_get_args(u32 kernel, + rpra[i].pv = (u64) ctx->args[i].ptr; + pages[i].addr = ctx->maps[i]->phys; + ++ mmap_read_lock(current->mm); + vma = find_vma(current->mm, ctx->args[i].ptr); + if (vma) + pages[i].addr += ctx->args[i].ptr - + vma->vm_start; ++ mmap_read_unlock(current->mm); + + pg_start = (ctx->args[i].ptr & PAGE_MASK) >> PAGE_SHIFT; + pg_end = ((ctx->args[i].ptr + len - 1) & PAGE_MASK) >> diff --git a/queue-5.14/nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch b/queue-5.14/nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch new file mode 100644 index 00000000000..89ea5e099cd --- /dev/null +++ b/queue-5.14/nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch @@ -0,0 +1,85 @@ +From 5d388fa01fa6eb310ac023a363a6cb216d9d8fe9 Mon Sep 17 00:00:00 2001 +From: Stephen Boyd +Date: Wed, 13 Oct 2021 13:45:11 +0100 +Subject: nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells + +From: Stephen Boyd + +commit 5d388fa01fa6eb310ac023a363a6cb216d9d8fe9 upstream. + +If a cell has 'nbits' equal to a multiple of BITS_PER_BYTE the logic + + *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0); + +will become undefined behavior because nbits modulo BITS_PER_BYTE is 0, and we +subtract one from that making a large number that is then shifted more than the +number of bits that fit into an unsigned long. + +UBSAN reports this problem: + + UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8 + shift exponent 64 is too large for 64-bit type 'unsigned long' + CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9 + Hardware name: Google Lazor (rev3+) with KB Backlight (DT) + Workqueue: events_unbound deferred_probe_work_func + Call trace: + dump_backtrace+0x0/0x170 + show_stack+0x24/0x30 + dump_stack_lvl+0x64/0x7c + dump_stack+0x18/0x38 + ubsan_epilogue+0x10/0x54 + __ubsan_handle_shift_out_of_bounds+0x180/0x194 + __nvmem_cell_read+0x1ec/0x21c + nvmem_cell_read+0x58/0x94 + nvmem_cell_read_variable_common+0x4c/0xb0 + nvmem_cell_read_variable_le_u32+0x40/0x100 + a6xx_gpu_init+0x170/0x2f4 + adreno_bind+0x174/0x284 + component_bind_all+0xf0/0x264 + msm_drm_bind+0x1d8/0x7a0 + try_to_bring_up_master+0x164/0x1ac + __component_add+0xbc/0x13c + component_add+0x20/0x2c + dp_display_probe+0x340/0x384 + platform_probe+0xc0/0x100 + really_probe+0x110/0x304 + __driver_probe_device+0xb8/0x120 + driver_probe_device+0x4c/0xfc + __device_attach_driver+0xb0/0x128 + bus_for_each_drv+0x90/0xdc + __device_attach+0xc8/0x174 + device_initial_probe+0x20/0x2c + bus_probe_device+0x40/0xa4 + deferred_probe_work_func+0x7c/0xb8 + process_one_work+0x128/0x21c + process_scheduled_works+0x40/0x54 + worker_thread+0x1ec/0x2a8 + kthread+0x138/0x158 + ret_from_fork+0x10/0x20 + +Fix it by making sure there are any bits to mask out. + +Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers") +Cc: Douglas Anderson +Cc: stable@vger.kernel.org +Signed-off-by: Stephen Boyd +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20211013124511.18726-1-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvmem/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/nvmem/core.c ++++ b/drivers/nvmem/core.c +@@ -1383,7 +1383,8 @@ static void nvmem_shift_read_buffer_in_p + *p-- = 0; + + /* clear msb bits if any leftover in the last byte */ +- *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0); ++ if (cell->nbits % BITS_PER_BYTE) ++ *p &= GENMASK((cell->nbits % BITS_PER_BYTE) - 1, 0); + } + + static int __nvmem_cell_read(struct nvmem_device *nvmem, diff --git a/queue-5.14/revert-virtio-blk-add-validation-for-block-size-in-config-space.patch b/queue-5.14/revert-virtio-blk-add-validation-for-block-size-in-config-space.patch new file mode 100644 index 00000000000..94d795c4f2a --- /dev/null +++ b/queue-5.14/revert-virtio-blk-add-validation-for-block-size-in-config-space.patch @@ -0,0 +1,113 @@ +From ff63198850f33eab54b2da6905380fd4d4fc0739 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Mon, 4 Oct 2021 11:31:00 -0400 +Subject: Revert "virtio-blk: Add validation for block size in config space" + +From: Michael S. Tsirkin + +commit ff63198850f33eab54b2da6905380fd4d4fc0739 upstream. + +It turns out that access to config space before completing the feature +negotiation is broken for big endian guests at least with QEMU hosts up +to 6.1 inclusive. This affects any device that accesses config space in +the validate callback: at the moment that is virtio-net with +VIRTIO_NET_F_MTU but since 82e89ea077b9 ("virtio-blk: Add validation for +block size in config space") that also started affecting virtio-blk with +VIRTIO_BLK_F_BLK_SIZE. Further, unlike VIRTIO_NET_F_MTU which is off by +default on QEMU, VIRTIO_BLK_F_BLK_SIZE is on by default, which resulted +in lots of people not being able to boot VMs on BE. + +The spec is very clear that what we are doing is legal so QEMU needs to +be fixed, but given it's been broken for so many years and no one +noticed, we need to give QEMU a bit more time before applying this. + +Further, this patch is incomplete (does not check blk size is a power +of two) and it duplicates the logic from nbd. + +Revert for now, and we'll reapply a cleaner logic in the next release. + +Cc: stable@vger.kernel.org +Fixes: 82e89ea077b9 ("virtio-blk: Add validation for block size in config space") +Cc: Xie Yongji +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/virtio_blk.c | 39 ++++++--------------------------------- + 1 file changed, 6 insertions(+), 33 deletions(-) + +--- a/drivers/block/virtio_blk.c ++++ b/drivers/block/virtio_blk.c +@@ -692,28 +692,6 @@ static const struct blk_mq_ops virtio_mq + static unsigned int virtblk_queue_depth; + module_param_named(queue_depth, virtblk_queue_depth, uint, 0444); + +-static int virtblk_validate(struct virtio_device *vdev) +-{ +- u32 blk_size; +- +- if (!vdev->config->get) { +- dev_err(&vdev->dev, "%s failure: config access disabled\n", +- __func__); +- return -EINVAL; +- } +- +- if (!virtio_has_feature(vdev, VIRTIO_BLK_F_BLK_SIZE)) +- return 0; +- +- blk_size = virtio_cread32(vdev, +- offsetof(struct virtio_blk_config, blk_size)); +- +- if (blk_size < SECTOR_SIZE || blk_size > PAGE_SIZE) +- __virtio_clear_bit(vdev, VIRTIO_BLK_F_BLK_SIZE); +- +- return 0; +-} +- + static int virtblk_probe(struct virtio_device *vdev) + { + struct virtio_blk *vblk; +@@ -725,6 +703,12 @@ static int virtblk_probe(struct virtio_d + u8 physical_block_exp, alignment_offset; + unsigned int queue_depth; + ++ if (!vdev->config->get) { ++ dev_err(&vdev->dev, "%s failure: config access disabled\n", ++ __func__); ++ return -EINVAL; ++ } ++ + err = ida_simple_get(&vd_index_ida, 0, minor_to_index(1 << MINORBITS), + GFP_KERNEL); + if (err < 0) +@@ -839,14 +823,6 @@ static int virtblk_probe(struct virtio_d + else + blk_size = queue_logical_block_size(q); + +- if (blk_size < SECTOR_SIZE || blk_size > PAGE_SIZE) { +- dev_err(&vdev->dev, +- "block size is changed unexpectedly, now is %u\n", +- blk_size); +- err = -EINVAL; +- goto err_cleanup_disk; +- } +- + /* Use topology information if available */ + err = virtio_cread_feature(vdev, VIRTIO_BLK_F_TOPOLOGY, + struct virtio_blk_config, physical_block_exp, +@@ -905,8 +881,6 @@ static int virtblk_probe(struct virtio_d + device_add_disk(&vdev->dev, vblk->disk, virtblk_attr_groups); + return 0; + +-err_cleanup_disk: +- blk_cleanup_disk(vblk->disk); + out_free_tags: + blk_mq_free_tag_set(&vblk->tag_set); + out_free_vq: +@@ -1009,7 +983,6 @@ static struct virtio_driver virtio_blk = + .driver.name = KBUILD_MODNAME, + .driver.owner = THIS_MODULE, + .id_table = id_table, +- .validate = virtblk_validate, + .probe = virtblk_probe, + .remove = virtblk_remove, + .config_changed = virtblk_config_changed, diff --git a/queue-5.14/series b/queue-5.14/series index c52aec43eaf..12f146fe9e0 100644 --- a/queue-5.14/series +++ b/queue-5.14/series @@ -35,3 +35,25 @@ btrfs-update-refs-for-any-root-except-tree-log-roots.patch btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch module-fix-clang-cfi-with-module_unload-n.patch x86-resctrl-free-the-ctrlval-arrays-when-domain_setup_mon_state-fails.patch +mei-me-add-ice-lake-n-device-id.patch +mei-hbm-drop-hbm-responses-on-early-shutdown.patch +usb-xhci-dbc-fix-tty-registration-race.patch +xhci-guard-accesses-to-ep_state-in-xhci_endpoint_reset.patch +xhci-add-quirk-for-host-controllers-that-don-t-update-endpoint-dcs.patch +xhci-fix-command-ring-pointer-corruption-while-aborting-a-command.patch +xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch +cb710-avoid-null-pointer-subtraction.patch +efi-cper-use-stack-buffer-for-error-record-decoding.patch +efi-change-down_interruptible-in-virt_efi_reset_system-to-down_trylock.patch +usb-musb-dsps-fix-the-probe-error-path.patch +input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch +usb-serial-qcserial-add-em9191-qdl-support.patch +usb-serial-option-add-quectel-ec200s-cn-module-support.patch +usb-serial-option-add-telit-le910cx-composition-0x1204.patch +usb-serial-option-add-prod.-id-for-quectel-eg91.patch +misc-fastrpc-add-missing-lock-before-accessing-find_vma.patch +virtio-write-back-f_version_1-before-validate.patch +edac-armada-xp-fix-output-of-uncorrectable-error-counter.patch +nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch +virtio-blk-remove-unneeded-likely-statements.patch +revert-virtio-blk-add-validation-for-block-size-in-config-space.patch diff --git a/queue-5.14/usb-musb-dsps-fix-the-probe-error-path.patch b/queue-5.14/usb-musb-dsps-fix-the-probe-error-path.patch new file mode 100644 index 00000000000..97330ec2355 --- /dev/null +++ b/queue-5.14/usb-musb-dsps-fix-the-probe-error-path.patch @@ -0,0 +1,65 @@ +From c2115b2b16421d93d4993f3fe4c520e91d6fe801 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Wed, 6 Oct 2021 00:16:31 +0200 +Subject: usb: musb: dsps: Fix the probe error path + +From: Miquel Raynal + +commit c2115b2b16421d93d4993f3fe4c520e91d6fe801 upstream. + +Commit 7c75bde329d7 ("usb: musb: musb_dsps: request_irq() after +initializing musb") has inverted the calls to +dsps_setup_optional_vbus_irq() and dsps_create_musb_pdev() without +updating correctly the error path. dsps_create_musb_pdev() allocates and +registers a new platform device which must be unregistered and freed +with platform_device_unregister(), and this is missing upon +dsps_setup_optional_vbus_irq() error. + +While on the master branch it seems not to trigger any issue, I observed +a kernel crash because of a NULL pointer dereference with a v5.10.70 +stable kernel where the patch mentioned above was backported. With this +kernel version, -EPROBE_DEFER is returned the first time +dsps_setup_optional_vbus_irq() is called which triggers the probe to +error out without unregistering the platform device. Unfortunately, on +the Beagle Bone Black Wireless, the platform device still living in the +system is being used by the USB Ethernet gadget driver, which during the +boot phase triggers the crash. + +My limited knowledge of the musb world prevents me to revert this commit +which was sent to silence a robot warning which, as far as I understand, +does not make sense. The goal of this patch was to prevent an IRQ to +fire before the platform device being registered. I think this cannot +ever happen due to the fact that enabling the interrupts is done by the +->enable() callback of the platform musb device, and this platform +device must be already registered in order for the core or any other +user to use this callback. + +Hence, I decided to fix the error path, which might prevent future +errors on mainline kernels while also fixing older ones. + +Fixes: 7c75bde329d7 ("usb: musb: musb_dsps: request_irq() after initializing musb") +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/r/20211005221631.1529448-1-miquel.raynal@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/musb/musb_dsps.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/musb/musb_dsps.c ++++ b/drivers/usb/musb/musb_dsps.c +@@ -899,11 +899,13 @@ static int dsps_probe(struct platform_de + if (usb_get_dr_mode(&pdev->dev) == USB_DR_MODE_PERIPHERAL) { + ret = dsps_setup_optional_vbus_irq(pdev, glue); + if (ret) +- goto err; ++ goto unregister_pdev; + } + + return 0; + ++unregister_pdev: ++ platform_device_unregister(glue->musb); + err: + pm_runtime_disable(&pdev->dev); + iounmap(glue->usbss_base); diff --git a/queue-5.14/usb-serial-option-add-prod.-id-for-quectel-eg91.patch b/queue-5.14/usb-serial-option-add-prod.-id-for-quectel-eg91.patch new file mode 100644 index 00000000000..c35f870bee4 --- /dev/null +++ b/queue-5.14/usb-serial-option-add-prod.-id-for-quectel-eg91.patch @@ -0,0 +1,62 @@ +From c184accc4a42c7872dc8e8d0fc97a740dc61fe24 Mon Sep 17 00:00:00 2001 +From: Tomaz Solc +Date: Wed, 6 Oct 2021 14:57:50 +0200 +Subject: USB: serial: option: add prod. id for Quectel EG91 + +From: Tomaz Solc + +commit c184accc4a42c7872dc8e8d0fc97a740dc61fe24 upstream. + +Adding support for Quectel EG91 LTE module. + +The interface layout is same as for EG95. + +usb-devices output: +T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=2c7c ProdID=0191 Rev=03.18 +S: Manufacturer=Android +S: Product=Android +C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +I: If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan + +Interfaces: + +0: Diag +1: GNSS +2: AT-command interface/modem +3: Modem +4: QMI + +Signed-off-by: Tomaz Solc +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -246,6 +246,7 @@ static void option_instat_callback(struc + /* These Quectel products use Quectel's vendor ID */ + #define QUECTEL_PRODUCT_EC21 0x0121 + #define QUECTEL_PRODUCT_EC25 0x0125 ++#define QUECTEL_PRODUCT_EG91 0x0191 + #define QUECTEL_PRODUCT_EG95 0x0195 + #define QUECTEL_PRODUCT_BG96 0x0296 + #define QUECTEL_PRODUCT_EP06 0x0306 +@@ -1112,6 +1113,9 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25, 0xff, 0xff, 0xff), + .driver_info = NUMEP2 }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25, 0xff, 0, 0) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG91, 0xff, 0xff, 0xff), ++ .driver_info = NUMEP2 }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG91, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG95, 0xff, 0xff, 0xff), + .driver_info = NUMEP2 }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG95, 0xff, 0, 0) }, diff --git a/queue-5.14/usb-serial-option-add-quectel-ec200s-cn-module-support.patch b/queue-5.14/usb-serial-option-add-quectel-ec200s-cn-module-support.patch new file mode 100644 index 00000000000..01643bd0332 --- /dev/null +++ b/queue-5.14/usb-serial-option-add-quectel-ec200s-cn-module-support.patch @@ -0,0 +1,52 @@ +From 2263eb7370060bdb0013bc14e1a7c9bf33617a55 Mon Sep 17 00:00:00 2001 +From: Yu-Tung Chang +Date: Thu, 30 Sep 2021 10:11:12 +0800 +Subject: USB: serial: option: add Quectel EC200S-CN module support + +From: Yu-Tung Chang + +commit 2263eb7370060bdb0013bc14e1a7c9bf33617a55 upstream. + +Add usb product id of the Quectel EC200S-CN module. + +usb-devices output for 0x6002: +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=2c7c ProdID=6002 Rev=03.18 +S: Manufacturer=Android +S: Product=Android +S: SerialNumber=0000 +C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether +I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether +I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) + +Signed-off-by: Yu-Tung Chang +Link: https://lore.kernel.org/r/20210930021112.330396-1-mtwget@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -251,6 +251,7 @@ static void option_instat_callback(struc + #define QUECTEL_PRODUCT_EP06 0x0306 + #define QUECTEL_PRODUCT_EM12 0x0512 + #define QUECTEL_PRODUCT_RM500Q 0x0800 ++#define QUECTEL_PRODUCT_EC200S_CN 0x6002 + #define QUECTEL_PRODUCT_EC200T 0x6026 + + #define CMOTECH_VENDOR_ID 0x16d8 +@@ -1128,6 +1129,7 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0xff, 0x10), + .driver_info = ZLP }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200S_CN, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200T, 0xff, 0, 0) }, + + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) }, diff --git a/queue-5.14/usb-serial-option-add-telit-le910cx-composition-0x1204.patch b/queue-5.14/usb-serial-option-add-telit-le910cx-composition-0x1204.patch new file mode 100644 index 00000000000..142085857c7 --- /dev/null +++ b/queue-5.14/usb-serial-option-add-telit-le910cx-composition-0x1204.patch @@ -0,0 +1,33 @@ +From f5a8a07edafed8bede17a95ef8940fe3a57a77d5 Mon Sep 17 00:00:00 2001 +From: Daniele Palmas +Date: Mon, 4 Oct 2021 12:56:55 +0200 +Subject: USB: serial: option: add Telit LE910Cx composition 0x1204 + +From: Daniele Palmas + +commit f5a8a07edafed8bede17a95ef8940fe3a57a77d5 upstream. + +Add the following Telit LE910Cx composition: + +0x1204: tty, adb, mbim, tty, tty, tty, tty + +Signed-off-by: Daniele Palmas +Link: https://lore.kernel.org/r/20211004105655.8515-1-dnlplm@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1229,6 +1229,8 @@ static const struct usb_device_id option + .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1203, 0xff), /* Telit LE910Cx (RNDIS) */ + .driver_info = NCTRL(2) | RSVD(3) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1204, 0xff), /* Telit LE910Cx (MBIM) */ ++ .driver_info = NCTRL(0) | RSVD(1) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4), + .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920), diff --git a/queue-5.14/usb-serial-qcserial-add-em9191-qdl-support.patch b/queue-5.14/usb-serial-qcserial-add-em9191-qdl-support.patch new file mode 100644 index 00000000000..e6b1001e166 --- /dev/null +++ b/queue-5.14/usb-serial-qcserial-add-em9191-qdl-support.patch @@ -0,0 +1,40 @@ +From 11c52d250b34a0862edc29db03fbec23b30db6da Mon Sep 17 00:00:00 2001 +From: Aleksander Morgado +Date: Thu, 7 Oct 2021 14:25:01 +0200 +Subject: USB: serial: qcserial: add EM9191 QDL support + +From: Aleksander Morgado + +commit 11c52d250b34a0862edc29db03fbec23b30db6da upstream. + +When the module boots into QDL download mode it exposes the 1199:90d2 +ids, which can be mapped to the qcserial driver, and used to run +firmware upgrades (e.g. with the qmi-firmware-update program). + + T: Bus=01 Lev=03 Prnt=08 Port=03 Cnt=01 Dev#= 10 Spd=480 MxCh= 0 + D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 + P: Vendor=1199 ProdID=90d2 Rev=00.00 + S: Manufacturer=Sierra Wireless, Incorporated + S: Product=Sierra Wireless EM9191 + S: SerialNumber=8W0382004102A109 + C: #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=2mA + I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=10 Driver=qcserial + +Signed-off-by: Aleksander Morgado +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/qcserial.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -165,6 +165,7 @@ static const struct usb_device_id id_tab + {DEVICE_SWI(0x1199, 0x907b)}, /* Sierra Wireless EM74xx */ + {DEVICE_SWI(0x1199, 0x9090)}, /* Sierra Wireless EM7565 QDL */ + {DEVICE_SWI(0x1199, 0x9091)}, /* Sierra Wireless EM7565 */ ++ {DEVICE_SWI(0x1199, 0x90d2)}, /* Sierra Wireless EM9191 QDL */ + {DEVICE_SWI(0x413c, 0x81a2)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */ + {DEVICE_SWI(0x413c, 0x81a3)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */ + {DEVICE_SWI(0x413c, 0x81a4)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */ diff --git a/queue-5.14/usb-xhci-dbc-fix-tty-registration-race.patch b/queue-5.14/usb-xhci-dbc-fix-tty-registration-race.patch new file mode 100644 index 00000000000..ca20cf283e8 --- /dev/null +++ b/queue-5.14/usb-xhci-dbc-fix-tty-registration-race.patch @@ -0,0 +1,80 @@ +From 880de403777376e50bdf60def359fa50a722006f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 8 Oct 2021 12:25:45 +0300 +Subject: USB: xhci: dbc: fix tty registration race + +From: Johan Hovold + +commit 880de403777376e50bdf60def359fa50a722006f upstream. + +Make sure to allocate resources before registering the tty device to +avoid having a racing open() and write() fail to enable rx or +dereference a NULL pointer when accessing the uninitialised fifo. + +Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver") +Cc: stable@vger.kernel.org # 4.16 +Cc: Lu Baolu +Signed-off-by: Johan Hovold +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20211008092547.3996295-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-dbgtty.c | 28 +++++++++++++--------------- + 1 file changed, 13 insertions(+), 15 deletions(-) + +--- a/drivers/usb/host/xhci-dbgtty.c ++++ b/drivers/usb/host/xhci-dbgtty.c +@@ -408,40 +408,38 @@ static int xhci_dbc_tty_register_device( + return -EBUSY; + + xhci_dbc_tty_init_port(dbc, port); +- tty_dev = tty_port_register_device(&port->port, +- dbc_tty_driver, 0, NULL); +- if (IS_ERR(tty_dev)) { +- ret = PTR_ERR(tty_dev); +- goto register_fail; +- } + + ret = kfifo_alloc(&port->write_fifo, DBC_WRITE_BUF_SIZE, GFP_KERNEL); + if (ret) +- goto buf_alloc_fail; ++ goto err_exit_port; + + ret = xhci_dbc_alloc_requests(dbc, BULK_IN, &port->read_pool, + dbc_read_complete); + if (ret) +- goto request_fail; ++ goto err_free_fifo; + + ret = xhci_dbc_alloc_requests(dbc, BULK_OUT, &port->write_pool, + dbc_write_complete); + if (ret) +- goto request_fail; ++ goto err_free_requests; ++ ++ tty_dev = tty_port_register_device(&port->port, ++ dbc_tty_driver, 0, NULL); ++ if (IS_ERR(tty_dev)) { ++ ret = PTR_ERR(tty_dev); ++ goto err_free_requests; ++ } + + port->registered = true; + + return 0; + +-request_fail: ++err_free_requests: + xhci_dbc_free_requests(&port->read_pool); + xhci_dbc_free_requests(&port->write_pool); ++err_free_fifo: + kfifo_free(&port->write_fifo); +- +-buf_alloc_fail: +- tty_unregister_device(dbc_tty_driver, 0); +- +-register_fail: ++err_exit_port: + xhci_dbc_tty_exit_port(port); + + dev_err(dbc->dev, "can't register tty port, err %d\n", ret); diff --git a/queue-5.14/virtio-blk-remove-unneeded-likely-statements.patch b/queue-5.14/virtio-blk-remove-unneeded-likely-statements.patch new file mode 100644 index 00000000000..f075d69a9d6 --- /dev/null +++ b/queue-5.14/virtio-blk-remove-unneeded-likely-statements.patch @@ -0,0 +1,45 @@ +From 6105d1fe6f4c24ce8c13e2e6568b16b76e04983d Mon Sep 17 00:00:00 2001 +From: Max Gurtovoy +Date: Sun, 5 Sep 2021 11:57:17 +0300 +Subject: virtio-blk: remove unneeded "likely" statements + +From: Max Gurtovoy + +commit 6105d1fe6f4c24ce8c13e2e6568b16b76e04983d upstream. + +Usually we use "likely/unlikely" to optimize the fast path. Remove +redundant "likely/unlikely" statements in the control path to simplify +the code and make it easier to read. + +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Max Gurtovoy +Link: https://lore.kernel.org/r/20210905085717.7427-1-mgurtovoy@nvidia.com +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Christoph Hellwig +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/virtio_blk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/block/virtio_blk.c ++++ b/drivers/block/virtio_blk.c +@@ -765,7 +765,7 @@ static int virtblk_probe(struct virtio_d + goto out_free_vblk; + + /* Default queue sizing is to fill the ring. */ +- if (likely(!virtblk_queue_depth)) { ++ if (!virtblk_queue_depth) { + queue_depth = vblk->vqs[0].vq->num_free; + /* ... but without indirect descs, we use 2 descs per req */ + if (!virtio_has_feature(vdev, VIRTIO_RING_F_INDIRECT_DESC)) +@@ -839,7 +839,7 @@ static int virtblk_probe(struct virtio_d + else + blk_size = queue_logical_block_size(q); + +- if (unlikely(blk_size < SECTOR_SIZE || blk_size > PAGE_SIZE)) { ++ if (blk_size < SECTOR_SIZE || blk_size > PAGE_SIZE) { + dev_err(&vdev->dev, + "block size is changed unexpectedly, now is %u\n", + blk_size); diff --git a/queue-5.14/virtio-write-back-f_version_1-before-validate.patch b/queue-5.14/virtio-write-back-f_version_1-before-validate.patch new file mode 100644 index 00000000000..1cd760017e9 --- /dev/null +++ b/queue-5.14/virtio-write-back-f_version_1-before-validate.patch @@ -0,0 +1,80 @@ +From 2f9a174f918e29608564c7a4e8329893ab604fb4 Mon Sep 17 00:00:00 2001 +From: Halil Pasic +Date: Mon, 11 Oct 2021 07:39:21 +0200 +Subject: virtio: write back F_VERSION_1 before validate + +From: Halil Pasic + +commit 2f9a174f918e29608564c7a4e8329893ab604fb4 upstream. + +The virtio specification virtio-v1.1-cs01 states: "Transitional devices +MUST detect Legacy drivers by detecting that VIRTIO_F_VERSION_1 has not +been acknowledged by the driver." This is exactly what QEMU as of 6.1 +has done relying solely on VIRTIO_F_VERSION_1 for detecting that. + +However, the specification also says: "... the driver MAY read (but MUST +NOT write) the device-specific configuration fields to check that it can +support the device ..." before setting FEATURES_OK. + +In that case, any transitional device relying solely on +VIRTIO_F_VERSION_1 for detecting legacy drivers will return data in +legacy format. In particular, this implies that it is in big endian +format for big endian guests. This naturally confuses the driver which +expects little endian in the modern mode. + +It is probably a good idea to amend the spec to clarify that +VIRTIO_F_VERSION_1 can only be relied on after the feature negotiation +is complete. Before validate callback existed, config space was only +read after FEATURES_OK. However, we already have two regressions, so +let's address this here as well. + +The regressions affect the VIRTIO_NET_F_MTU feature of virtio-net and +the VIRTIO_BLK_F_BLK_SIZE feature of virtio-blk for BE guests when +virtio 1.0 is used on both sides. The latter renders virtio-blk unusable +with DASD backing, because things simply don't work with the default. +See Fixes tags for relevant commits. + +For QEMU, we can work around the issue by writing out the feature bits +with VIRTIO_F_VERSION_1 bit set. We (ab)use the finalize_features +config op for this. This isn't enough to address all vhost devices since +these do not get the features until FEATURES_OK, however it looks like +the affected devices actually never handled the endianness for legacy +mode correctly, so at least that's not a regression. + +No devices except virtio net and virtio blk seem to be affected. + +Long term the right thing to do is to fix the hypervisors. + +Cc: #v4.11 +Signed-off-by: Halil Pasic +Fixes: 82e89ea077b9 ("virtio-blk: Add validation for block size in config space") +Fixes: fe36cbe0671e ("virtio_net: clear MTU when out of range") +Reported-by: markver@us.ibm.com +Reviewed-by: Cornelia Huck +Link: https://lore.kernel.org/r/20211011053921.1198936-1-pasic@linux.ibm.com +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/virtio/virtio.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/virtio/virtio.c ++++ b/drivers/virtio/virtio.c +@@ -238,6 +238,17 @@ static int virtio_dev_probe(struct devic + driver_features_legacy = driver_features; + } + ++ /* ++ * Some devices detect legacy solely via F_VERSION_1. Write ++ * F_VERSION_1 to force LE config space accesses before FEATURES_OK for ++ * these when needed. ++ */ ++ if (drv->validate && !virtio_legacy_is_little_endian() ++ && device_features & BIT_ULL(VIRTIO_F_VERSION_1)) { ++ dev->features = BIT_ULL(VIRTIO_F_VERSION_1); ++ dev->config->finalize_features(dev); ++ } ++ + if (device_features & (1ULL << VIRTIO_F_VERSION_1)) + dev->features = driver_features & device_features; + else diff --git a/queue-5.14/xhci-add-quirk-for-host-controllers-that-don-t-update-endpoint-dcs.patch b/queue-5.14/xhci-add-quirk-for-host-controllers-that-don-t-update-endpoint-dcs.patch new file mode 100644 index 00000000000..1590cb791c7 --- /dev/null +++ b/queue-5.14/xhci-add-quirk-for-host-controllers-that-don-t-update-endpoint-dcs.patch @@ -0,0 +1,102 @@ +From 5255660b208aebfdb71d574f3952cf48392f4306 Mon Sep 17 00:00:00 2001 +From: Jonathan Bell +Date: Fri, 8 Oct 2021 12:25:44 +0300 +Subject: xhci: add quirk for host controllers that don't update endpoint DCS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Bell + +commit 5255660b208aebfdb71d574f3952cf48392f4306 upstream. + +Seen on a VLI VL805 PCIe to USB controller. For non-stream endpoints +at least, if the xHC halts on a particular TRB due to an error then +the DCS field in the Out Endpoint Context maintained by the hardware +is not updated with the current cycle state. + +Using the quirk XHCI_EP_CTX_BROKEN_DCS and instead fetch the DCS bit +from the TRB that the xHC stopped on. + +[ bjorn: rebased to v5.14-rc2 ] + +Link: https://github.com/raspberrypi/linux/issues/3060 +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Bell +Signed-off-by: Bjørn Mork +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20211008092547.3996295-3-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-pci.c | 4 +++- + drivers/usb/host/xhci-ring.c | 25 ++++++++++++++++++++++++- + drivers/usb/host/xhci.h | 1 + + 3 files changed, 28 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -279,8 +279,10 @@ static void xhci_pci_quirks(struct devic + pdev->device == 0x3432) + xhci->quirks |= XHCI_BROKEN_STREAMS; + +- if (pdev->vendor == PCI_VENDOR_ID_VIA && pdev->device == 0x3483) ++ if (pdev->vendor == PCI_VENDOR_ID_VIA && pdev->device == 0x3483) { + xhci->quirks |= XHCI_LPM_SUPPORT; ++ xhci->quirks |= XHCI_EP_CTX_BROKEN_DCS; ++ } + + if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && + pdev->device == PCI_DEVICE_ID_ASMEDIA_1042_XHCI) +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -559,8 +559,11 @@ static int xhci_move_dequeue_past_td(str + struct xhci_ring *ep_ring; + struct xhci_command *cmd; + struct xhci_segment *new_seg; ++ struct xhci_segment *halted_seg = NULL; + union xhci_trb *new_deq; + int new_cycle; ++ union xhci_trb *halted_trb; ++ int index = 0; + dma_addr_t addr; + u64 hw_dequeue; + bool cycle_found = false; +@@ -598,7 +601,27 @@ static int xhci_move_dequeue_past_td(str + hw_dequeue = xhci_get_hw_deq(xhci, dev, ep_index, stream_id); + new_seg = ep_ring->deq_seg; + new_deq = ep_ring->dequeue; +- new_cycle = hw_dequeue & 0x1; ++ ++ /* ++ * Quirk: xHC write-back of the DCS field in the hardware dequeue ++ * pointer is wrong - use the cycle state of the TRB pointed to by ++ * the dequeue pointer. ++ */ ++ if (xhci->quirks & XHCI_EP_CTX_BROKEN_DCS && ++ !(ep->ep_state & EP_HAS_STREAMS)) ++ halted_seg = trb_in_td(xhci, td->start_seg, ++ td->first_trb, td->last_trb, ++ hw_dequeue & ~0xf, false); ++ if (halted_seg) { ++ index = ((dma_addr_t)(hw_dequeue & ~0xf) - halted_seg->dma) / ++ sizeof(*halted_trb); ++ halted_trb = &halted_seg->trbs[index]; ++ new_cycle = halted_trb->generic.field[3] & 0x1; ++ xhci_dbg(xhci, "Endpoint DCS = %d TRB index = %d cycle = %d\n", ++ (u8)(hw_dequeue & 0x1), index, new_cycle); ++ } else { ++ new_cycle = hw_dequeue & 0x1; ++ } + + /* + * We want to find the pointer, segment and cycle state of the new trb +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1899,6 +1899,7 @@ struct xhci_hcd { + #define XHCI_SG_TRB_CACHE_SIZE_QUIRK BIT_ULL(39) + #define XHCI_NO_SOFT_RETRY BIT_ULL(40) + #define XHCI_BROKEN_D3COLD BIT_ULL(41) ++#define XHCI_EP_CTX_BROKEN_DCS BIT_ULL(42) + + unsigned int num_active_eps; + unsigned int limit_active_eps; diff --git a/queue-5.14/xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch b/queue-5.14/xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch new file mode 100644 index 00000000000..03ff05e82c8 --- /dev/null +++ b/queue-5.14/xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch @@ -0,0 +1,43 @@ +From ea0f69d8211963c4b2cc1998b86779a500adb502 Mon Sep 17 00:00:00 2001 +From: Nikolay Martynov +Date: Fri, 8 Oct 2021 12:25:47 +0300 +Subject: xhci: Enable trust tx length quirk for Fresco FL11 USB controller + +From: Nikolay Martynov + +commit ea0f69d8211963c4b2cc1998b86779a500adb502 upstream. + +Tested on SD5200T TB3 dock which has Fresco Logic FL1100 USB 3.0 Host +Controller. +Before this patch streaming video from USB cam made mouse and keyboard +connected to the same USB bus unusable. Also video was jerky. +With this patch streaming video doesn't have any effect on other +periferals and video is smooth. + +Cc: stable@vger.kernel.org +Signed-off-by: Nikolay Martynov +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20211008092547.3996295-6-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -30,6 +30,7 @@ + #define PCI_VENDOR_ID_FRESCO_LOGIC 0x1b73 + #define PCI_DEVICE_ID_FRESCO_LOGIC_PDK 0x1000 + #define PCI_DEVICE_ID_FRESCO_LOGIC_FL1009 0x1009 ++#define PCI_DEVICE_ID_FRESCO_LOGIC_FL1100 0x1100 + #define PCI_DEVICE_ID_FRESCO_LOGIC_FL1400 0x1400 + + #define PCI_VENDOR_ID_ETRON 0x1b6f +@@ -113,6 +114,7 @@ static void xhci_pci_quirks(struct devic + /* Look for vendor-specific quirks */ + if (pdev->vendor == PCI_VENDOR_ID_FRESCO_LOGIC && + (pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_PDK || ++ pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1100 || + pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1400)) { + if (pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_PDK && + pdev->revision == 0x0) { diff --git a/queue-5.14/xhci-fix-command-ring-pointer-corruption-while-aborting-a-command.patch b/queue-5.14/xhci-fix-command-ring-pointer-corruption-while-aborting-a-command.patch new file mode 100644 index 00000000000..74c90e683b4 --- /dev/null +++ b/queue-5.14/xhci-fix-command-ring-pointer-corruption-while-aborting-a-command.patch @@ -0,0 +1,60 @@ +From ff0e50d3564f33b7f4b35cadeabd951d66cfc570 Mon Sep 17 00:00:00 2001 +From: Pavankumar Kondeti +Date: Fri, 8 Oct 2021 12:25:46 +0300 +Subject: xhci: Fix command ring pointer corruption while aborting a command + +From: Pavankumar Kondeti + +commit ff0e50d3564f33b7f4b35cadeabd951d66cfc570 upstream. + +The command ring pointer is located at [6:63] bits of the command +ring control register (CRCR). All the control bits like command stop, +abort are located at [0:3] bits. While aborting a command, we read the +CRCR and set the abort bit and write to the CRCR. The read will always +give command ring pointer as all zeros. So we essentially write only +the control bits. Since we split the 64 bit write into two 32 bit writes, +there is a possibility of xHC command ring stopped before the upper +dword (all zeros) is written. If that happens, xHC updates the upper +dword of its internal command ring pointer with all zeros. Next time, +when the command ring is restarted, we see xHC memory access failures. +Fix this issue by only writing to the lower dword of CRCR where all +control bits are located. + +Cc: stable@vger.kernel.org +Signed-off-by: Pavankumar Kondeti +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20211008092547.3996295-5-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-ring.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -366,16 +366,22 @@ static void xhci_handle_stopped_cmd_ring + /* Must be called with xhci->lock held, releases and aquires lock back */ + static int xhci_abort_cmd_ring(struct xhci_hcd *xhci, unsigned long flags) + { +- u64 temp_64; ++ u32 temp_32; + int ret; + + xhci_dbg(xhci, "Abort command ring\n"); + + reinit_completion(&xhci->cmd_ring_stop_completion); + +- temp_64 = xhci_read_64(xhci, &xhci->op_regs->cmd_ring); +- xhci_write_64(xhci, temp_64 | CMD_RING_ABORT, +- &xhci->op_regs->cmd_ring); ++ /* ++ * The control bits like command stop, abort are located in lower ++ * dword of the command ring control register. Limit the write ++ * to the lower dword to avoid corrupting the command ring pointer ++ * in case if the command ring is stopped by the time upper dword ++ * is written. ++ */ ++ temp_32 = readl(&xhci->op_regs->cmd_ring); ++ writel(temp_32 | CMD_RING_ABORT, &xhci->op_regs->cmd_ring); + + /* Section 4.6.1.2 of xHCI 1.0 spec says software should also time the + * completion of the Command Abort operation. If CRR is not negated in 5 diff --git a/queue-5.14/xhci-guard-accesses-to-ep_state-in-xhci_endpoint_reset.patch b/queue-5.14/xhci-guard-accesses-to-ep_state-in-xhci_endpoint_reset.patch new file mode 100644 index 00000000000..659b26fce1b --- /dev/null +++ b/queue-5.14/xhci-guard-accesses-to-ep_state-in-xhci_endpoint_reset.patch @@ -0,0 +1,51 @@ +From a01ba2a3378be85538e0183ae5367c1bc1d5aaf3 Mon Sep 17 00:00:00 2001 +From: Jonathan Bell +Date: Fri, 8 Oct 2021 12:25:43 +0300 +Subject: xhci: guard accesses to ep_state in xhci_endpoint_reset() + +From: Jonathan Bell + +commit a01ba2a3378be85538e0183ae5367c1bc1d5aaf3 upstream. + +See https://github.com/raspberrypi/linux/issues/3981 + +Two read-modify-write cycles on ep->ep_state are not guarded by +xhci->lock. Fix these. + +Fixes: f5249461b504 ("xhci: Clear the host side toggle manually when endpoint is soft reset") +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Bell +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20211008092547.3996295-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -3212,10 +3212,13 @@ static void xhci_endpoint_reset(struct u + return; + + /* Bail out if toggle is already being cleared by a endpoint reset */ ++ spin_lock_irqsave(&xhci->lock, flags); + if (ep->ep_state & EP_HARD_CLEAR_TOGGLE) { + ep->ep_state &= ~EP_HARD_CLEAR_TOGGLE; ++ spin_unlock_irqrestore(&xhci->lock, flags); + return; + } ++ spin_unlock_irqrestore(&xhci->lock, flags); + /* Only interrupt and bulk ep's use data toggle, USB2 spec 5.5.4-> */ + if (usb_endpoint_xfer_control(&host_ep->desc) || + usb_endpoint_xfer_isoc(&host_ep->desc)) +@@ -3301,8 +3304,10 @@ static void xhci_endpoint_reset(struct u + xhci_free_command(xhci, cfg_cmd); + cleanup: + xhci_free_command(xhci, stop_cmd); ++ spin_lock_irqsave(&xhci->lock, flags); + if (ep->ep_state & EP_SOFT_CLEAR_TOGGLE) + ep->ep_state &= ~EP_SOFT_CLEAR_TOGGLE; ++ spin_unlock_irqrestore(&xhci->lock, flags); + } + + static int xhci_check_streams_endpoint(struct xhci_hcd *xhci,