From: Greg Kroah-Hartman Date: Mon, 13 Jan 2025 10:29:24 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v6.1.125~33 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7208578a593bb7f5724c0e4085c5e697380f988d;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: misc-microchip-pci1xxxx-resolve-kernel-panic-during-gpio-irq-handling.patch misc-microchip-pci1xxxx-resolve-return-code-mismatch-during-gpio-set-config.patch serial-stm32-use-port-lock-wrappers-for-break-control.patch topology-keep-the-cpumask-unchanged-when-printing-cpumap.patch tty-serial-8250-fix-another-runtime-pm-usage-counter-underflow.patch usb-chipidea-ci_hdrc_imx-decrement-device-s-refcount-in-.remove-and-in-the-error-path-of-.probe.patch usb-core-disable-lpm-only-for-non-suspended-ports.patch usb-dwc3-am62-disable-autosuspend-during-remove.patch usb-fix-reference-leak-in-usb_new_device.patch usb-gadget-configfs-ignore-trailing-lf-for-user-strings-to-cdev.patch usb-gadget-f_fs-remove-warn_on-in-functionfs_bind.patch usb-gadget-f_uac2-fix-incorrect-setting-of-bnumendpoints.patch usb-gadget-midi2-reverse-select-at-the-right-place.patch usb-gadget-u_serial-disable-ep-before-setting-port-to-null-to-fix-the-crash-caused-by-port-being-null.patch usb-host-xhci-plat-set-skip_phy_initialization-if-software-node-has-xhci_skip_phy_init-property.patch usb-typec-fix-pm-usage-counter-imbalance-in-ucsi_ccg_sync_control.patch usb-typec-tcpci-fix-null-pointer-issue-on-shared-irq-case.patch usb-typec-tcpm-tcpci_maxim-fix-error-code-in-max_contaminant_read_resistance_kohm.patch usb-usblp-return-error-when-setting-unsupported-protocol.patch x86-fpu-ensure-shadow-stack-is-active-before-getting-registers.patch --- diff --git a/queue-6.12/misc-microchip-pci1xxxx-resolve-kernel-panic-during-gpio-irq-handling.patch b/queue-6.12/misc-microchip-pci1xxxx-resolve-kernel-panic-during-gpio-irq-handling.patch new file mode 100644 index 00000000000..824774023d6 --- /dev/null 
+++ b/queue-6.12/misc-microchip-pci1xxxx-resolve-kernel-panic-during-gpio-irq-handling.patch @@ -0,0 +1,33 @@ +From 194f9f94a5169547d682e9bbcc5ae6d18a564735 Mon Sep 17 00:00:00 2001 +From: Rengarajan S +Date: Thu, 5 Dec 2024 19:06:25 +0530 +Subject: misc: microchip: pci1xxxx: Resolve kernel panic during GPIO IRQ handling + +From: Rengarajan S + +commit 194f9f94a5169547d682e9bbcc5ae6d18a564735 upstream. + +Resolve kernel panic caused by improper handling of IRQs while +accessing GPIO values. This is done by replacing generic_handle_irq with +handle_nested_irq. + +Fixes: 1f4d8ae231f4 ("misc: microchip: pci1xxxx: Add gpio irq handler and irq helper functions irq_ack, irq_mask, irq_unmask and irq_set_type of irq_chip.") +Cc: stable +Signed-off-by: Rengarajan S +Link: https://lore.kernel.org/r/20241205133626.1483499-2-rengarajan.s@microchip.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c ++++ b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c +@@ -277,7 +277,7 @@ static irqreturn_t pci1xxxx_gpio_irq_han + writel(BIT(bit), priv->reg_base + INTR_STATUS_OFFSET(gpiobank)); + spin_unlock_irqrestore(&priv->lock, flags); + irq = irq_find_mapping(gc->irq.domain, (bit + (gpiobank * 32))); +- generic_handle_irq(irq); ++ handle_nested_irq(irq); + } + } + spin_lock_irqsave(&priv->lock, flags); diff --git a/queue-6.12/misc-microchip-pci1xxxx-resolve-return-code-mismatch-during-gpio-set-config.patch b/queue-6.12/misc-microchip-pci1xxxx-resolve-return-code-mismatch-during-gpio-set-config.patch new file mode 100644 index 00000000000..e8b03141069 --- /dev/null +++ b/queue-6.12/misc-microchip-pci1xxxx-resolve-return-code-mismatch-during-gpio-set-config.patch 
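Review bot: The result of `irq_find_mapping()` goes straight into `handle_nested_irq(irq)` on the changed line of pci1xxxx_gpio_irq_handler, and irq_find_mapping() returns 0 when the hardware line has no mapping. handle_nested_irq() does not appear to reject an invalid number the way generic_handle_irq() reports one, so a status bit for an unmapped line should be skipped first: `if (irq) handle_nested_irq(irq);`. handle_nested_irq() must also run in thread context; the call that registers this handler is outside the hunk, so confirm it is requested as a threaded handler. The function body starts and ends outside the hunk.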
@@ -0,0 +1,34 @@ +From c7a5378a0f707686de3ddb489f1653c523bb7dcc Mon Sep 17 00:00:00 2001 +From: Rengarajan S +Date: Thu, 5 Dec 2024 19:06:26 +0530 +Subject: misc: microchip: pci1xxxx: Resolve return code mismatch during GPIO set config + +From: Rengarajan S + +commit c7a5378a0f707686de3ddb489f1653c523bb7dcc upstream. + +Driver returns -EOPNOTSUPPORTED on unsupported parameters case in set +config. Upper level driver checks for -ENOTSUPP. Because of the return +code mismatch, the ioctls from userspace fail. Resolve the issue by +passing -ENOTSUPP during unsupported case. + +Fixes: 7d3e4d807df2 ("misc: microchip: pci1xxxx: load gpio driver for the gpio controller auxiliary device enumerated by the auxiliary bus driver.") +Cc: stable +Signed-off-by: Rengarajan S +Link: https://lore.kernel.org/r/20241205133626.1483499-3-rengarajan.s@microchip.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c ++++ b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c +@@ -148,7 +148,7 @@ static int pci1xxxx_gpio_set_config(stru + pci1xxx_assign_bit(priv->reg_base, OPENDRAIN_OFFSET(offset), (offset % 32), true); + break; + default: +- ret = -EOPNOTSUPP; ++ ret = -ENOTSUPP; + break; + } + spin_unlock_irqrestore(&priv->lock, flags); diff --git a/queue-6.12/serial-stm32-use-port-lock-wrappers-for-break-control.patch b/queue-6.12/serial-stm32-use-port-lock-wrappers-for-break-control.patch new file mode 100644 index 00000000000..1a98e125b21 --- /dev/null +++ b/queue-6.12/serial-stm32-use-port-lock-wrappers-for-break-control.patch 
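Review bot: The `default:` branch of pci1xxxx_gpio_set_config now returns `-ENOTSUPP`, a kernel-internal code with no userspace errno, and nothing at the site says why it was preferred over `-EOPNOTSUPP`. A comment such as `/* the upper layer checks for -ENOTSUPP from ->set_config(); do not change this to -EOPNOTSUPP */` would stop a later cleanup from reintroducing the ioctl failure the commit message describes. Whether any caller can pass this value back to userspace unchanged is not visible from the hunk and is worth confirming.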
@@ -0,0 +1,43 @@ +From 0cfc36ea51684b5932cd3951ded523777d807af2 Mon Sep 17 00:00:00 2001 +From: Ben Wolsieffer +Date: Mon, 16 Dec 2024 09:53:23 -0500 +Subject: serial: stm32: use port lock wrappers for break control + +From: Ben Wolsieffer + +commit 0cfc36ea51684b5932cd3951ded523777d807af2 upstream. + +Commit 30e945861f3b ("serial: stm32: add support for break control") +added another usage of the port lock, but was merged on the same day as +c5d06662551c ("serial: stm32: Use port lock wrappers"), therefore the +latter did not update this usage to use the port lock wrappers. + +Fixes: c5d06662551c ("serial: stm32: Use port lock wrappers") +Cc: stable +Signed-off-by: Ben Wolsieffer +Reviewed-by: John Ogness +Link: https://lore.kernel.org/r/20241216145323.111612-1-ben.wolsieffer@hefring.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/stm32-usart.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/stm32-usart.c ++++ b/drivers/tty/serial/stm32-usart.c +@@ -1051,14 +1051,14 @@ static void stm32_usart_break_ctl(struct + const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs; + unsigned long flags; + +- spin_lock_irqsave(&port->lock, flags); ++ uart_port_lock_irqsave(port, &flags); + + if (break_state) + stm32_usart_set_bits(port, ofs->rqr, USART_RQR_SBKRQ); + else + stm32_usart_clr_bits(port, ofs->rqr, USART_RQR_SBKRQ); + +- spin_unlock_irqrestore(&port->lock, flags); ++ uart_port_unlock_irqrestore(port, flags); + } + + static int stm32_usart_startup(struct uart_port *port) diff --git a/queue-6.12/series b/queue-6.12/series index 874b4d36692..403d036dbc2 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
@@ -134,3 +134,23 @@ staging-iio-ad9832-correct-phase-range-check.patch
 usb-storage-add-max-sectors-quirk-for-nokia-208.patch
 usb-serial-cp210x-add-phoenix-contact-ups-device.patch
 usb-dwc3-gadget-fix-writing-nyet-threshold.patch
+topology-keep-the-cpumask-unchanged-when-printing-cpumap.patch
+misc-microchip-pci1xxxx-resolve-kernel-panic-during-gpio-irq-handling.patch
+misc-microchip-pci1xxxx-resolve-return-code-mismatch-during-gpio-set-config.patch
+tty-serial-8250-fix-another-runtime-pm-usage-counter-underflow.patch
+serial-stm32-use-port-lock-wrappers-for-break-control.patch
+usb-gadget-u_serial-disable-ep-before-setting-port-to-null-to-fix-the-crash-caused-by-port-being-null.patch
+x86-fpu-ensure-shadow-stack-is-active-before-getting-registers.patch
+usb-dwc3-am62-disable-autosuspend-during-remove.patch
+usb-usblp-return-error-when-setting-unsupported-protocol.patch
+usb-core-disable-lpm-only-for-non-suspended-ports.patch
+usb-fix-reference-leak-in-usb_new_device.patch
+usb-gadget-midi2-reverse-select-at-the-right-place.patch
+usb-chipidea-ci_hdrc_imx-decrement-device-s-refcount-in-.remove-and-in-the-error-path-of-.probe.patch
+usb-typec-tcpci-fix-null-pointer-issue-on-shared-irq-case.patch
+usb-gadget-f_uac2-fix-incorrect-setting-of-bnumendpoints.patch
+usb-typec-tcpm-tcpci_maxim-fix-error-code-in-max_contaminant_read_resistance_kohm.patch
+usb-gadget-f_fs-remove-warn_on-in-functionfs_bind.patch
+usb-gadget-configfs-ignore-trailing-lf-for-user-strings-to-cdev.patch
+usb-host-xhci-plat-set-skip_phy_initialization-if-software-node-has-xhci_skip_phy_init-property.patch
+usb-typec-fix-pm-usage-counter-imbalance-in-ucsi_ccg_sync_control.patch
diff --git a/queue-6.12/topology-keep-the-cpumask-unchanged-when-printing-cpumap.patch b/queue-6.12/topology-keep-the-cpumask-unchanged-when-printing-cpumap.patch
new file mode 100644
index 00000000000..441b076e3e0
--- /dev/null
+++ b/queue-6.12/topology-keep-the-cpumask-unchanged-when-printing-cpumap.patch
@@ -0,0 +1,100 @@ +From cbd399f78e23ad4492c174fc5e6b3676dba74a52 Mon Sep 17 00:00:00 2001 +From: Li Huafei +Date: Thu, 14 Nov 2024 19:01:41 +0800 +Subject: topology: Keep the cpumask unchanged when printing cpumap + +From: Li Huafei + +commit cbd399f78e23ad4492c174fc5e6b3676dba74a52 upstream. + +During fuzz testing, the following warning was discovered: + + different return values (15 and 11) from vsnprintf("%*pbl + ", ...) + + test:keyward is WARNING in kvasprintf + WARNING: CPU: 55 PID: 1168477 at lib/kasprintf.c:30 kvasprintf+0x121/0x130 + Call Trace: + kvasprintf+0x121/0x130 + kasprintf+0xa6/0xe0 + bitmap_print_to_buf+0x89/0x100 + core_siblings_list_read+0x7e/0xb0 + kernfs_file_read_iter+0x15b/0x270 + new_sync_read+0x153/0x260 + vfs_read+0x215/0x290 + ksys_read+0xb9/0x160 + do_syscall_64+0x56/0x100 + entry_SYSCALL_64_after_hwframe+0x78/0xe2 + +The call trace shows that kvasprintf() reported this warning during the +printing of core_siblings_list. kvasprintf() has several steps: + + (1) First, calculate the length of the resulting formatted string. + + (2) Allocate a buffer based on the returned length. + + (3) Then, perform the actual string formatting. + + (4) Check whether the lengths of the formatted strings returned in + steps (1) and (2) are consistent. + +If the core_cpumask is modified between steps (1) and (3), the lengths +obtained in these two steps may not match. Indeed our test includes cpu +hotplugging, which should modify core_cpumask while printing. + +To fix this issue, cache the cpumask into a temporary variable before +calling cpumap_print_{list, cpumask}_to_buf(), to keep it unchanged +during the printing process. 
+ +Fixes: bb9ec13d156e ("topology: use bin_attribute to break the size limitation of cpumap ABI") +Cc: stable +Signed-off-by: Li Huafei +Reviewed-by: Jonathan Cameron +Link: https://lore.kernel.org/r/20241114110141.94725-1-lihuafei1@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/topology.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +--- a/drivers/base/topology.c ++++ b/drivers/base/topology.c +@@ -27,9 +27,17 @@ static ssize_t name##_read(struct file * + loff_t off, size_t count) \ + { \ + struct device *dev = kobj_to_dev(kobj); \ ++ cpumask_var_t mask; \ ++ ssize_t n; \ + \ +- return cpumap_print_bitmask_to_buf(buf, topology_##mask(dev->id), \ +- off, count); \ ++ if (!alloc_cpumask_var(&mask, GFP_KERNEL)) \ ++ return -ENOMEM; \ ++ \ ++ cpumask_copy(mask, topology_##mask(dev->id)); \ ++ n = cpumap_print_bitmask_to_buf(buf, mask, off, count); \ ++ free_cpumask_var(mask); \ ++ \ ++ return n; \ + } \ + \ + static ssize_t name##_list_read(struct file *file, struct kobject *kobj, \ +@@ -37,9 +45,17 @@ static ssize_t name##_list_read(struct f + loff_t off, size_t count) \ + { \ + struct device *dev = kobj_to_dev(kobj); \ ++ cpumask_var_t mask; \ ++ ssize_t n; \ ++ \ ++ if (!alloc_cpumask_var(&mask, GFP_KERNEL)) \ ++ return -ENOMEM; \ ++ \ ++ cpumask_copy(mask, topology_##mask(dev->id)); \ ++ n = cpumap_print_list_to_buf(buf, mask, off, count); \ ++ free_cpumask_var(mask); \ + \ +- return cpumap_print_list_to_buf(buf, topology_##mask(dev->id), \ +- off, count); \ ++ return n; \ + } + + define_id_show_func(physical_package_id, "%d"); diff --git a/queue-6.12/tty-serial-8250-fix-another-runtime-pm-usage-counter-underflow.patch b/queue-6.12/tty-serial-8250-fix-another-runtime-pm-usage-counter-underflow.patch new file mode 100644 index 00000000000..a4d276c002f --- /dev/null +++ b/queue-6.12/tty-serial-8250-fix-another-runtime-pm-usage-counter-underflow.patch 
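Review bot: Neither `name##_read` nor `name##_list_read` says why the mask is copied before printing, so the per-read allocation looks like removable overhead to the next maintainer. A line inside each macro body such as `/* Snapshot the mask: CPU hotplug can change it between the sizing and formatting passes of the printer */ \` would record the reason given in the commit message. The copy itself does not appear to be serialized against hotplug, so the snapshot may capture an in-progress update; it is only guaranteed stable for the duration of the print, which is worth stating in the same comment. The two bodies now differ only in which print helper they call and could share one static helper.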
@@ -0,0 +1,44 @@ +From ed2761958ad77e54791802b07095786150eab844 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Tue, 10 Dec 2024 19:01:20 +0200 +Subject: tty: serial: 8250: Fix another runtime PM usage counter underflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit ed2761958ad77e54791802b07095786150eab844 upstream. + +The commit f9b11229b79c ("serial: 8250: Fix PM usage_count for console +handover") fixed one runtime PM usage counter balance problem that +occurs because .dev is not set during univ8250 setup preventing call to +pm_runtime_get_sync(). Later, univ8250_console_exit() will trigger the +runtime PM usage counter underflow as .dev is already set at that time. + +Call pm_runtime_get_sync() to balance the RPM usage counter also in +serial8250_register_8250_port() before trying to add the port. + +Reported-by: Borislav Petkov (AMD) +Fixes: bedb404e91bb ("serial: 8250_port: Don't use power management for kernel console") +Cc: stable +Tested-by: Borislav Petkov (AMD) +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20241210170120.2231-1-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/tty/serial/8250/8250_core.c ++++ b/drivers/tty/serial/8250/8250_core.c +@@ -812,6 +812,9 @@ int serial8250_register_8250_port(const + uart->dl_write = up->dl_write; + + if (uart->port.type != PORT_8250_CIR) { ++ if (uart_console_registered(&uart->port)) ++ pm_runtime_get_sync(uart->port.dev); ++ + if (serial8250_isa_config != NULL) + serial8250_isa_config(0, &uart->port, + &uart->capabilities); 
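Review bot: The return value of `pm_runtime_get_sync(uart->port.dev)` is discarded in the block added to serial8250_register_8250_port. pm_runtime_get_sync() raises the usage counter even when the resume fails, so ignoring the result fits the goal of balancing the counter, but the code should say so: `/* taken only to balance the later put; a resume failure is not fatal here */`. The assignment of `uart->port.dev` is outside the hunk; if it can still be NULL when a console is registered, this call would dereference it, so confirm it is set before this point. The function body starts and ends outside the hunk.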
diff --git a/queue-6.12/usb-chipidea-ci_hdrc_imx-decrement-device-s-refcount-in-.remove-and-in-the-error-path-of-.probe.patch b/queue-6.12/usb-chipidea-ci_hdrc_imx-decrement-device-s-refcount-in-.remove-and-in-the-error-path-of-.probe.patch new file mode 100644 index 00000000000..3cc2a77070e --- /dev/null +++ b/queue-6.12/usb-chipidea-ci_hdrc_imx-decrement-device-s-refcount-in-.remove-and-in-the-error-path-of-.probe.patch 
@@ -0,0 +1,108 @@ +From 74adad500346fb07d69af2c79acbff4adb061134 Mon Sep 17 00:00:00 2001 +From: Joe Hattori +Date: Mon, 16 Dec 2024 10:55:39 +0900 +Subject: usb: chipidea: ci_hdrc_imx: decrement device's refcount in .remove() and in the error path of .probe() + +From: Joe Hattori + +commit 74adad500346fb07d69af2c79acbff4adb061134 upstream. + +Current implementation of ci_hdrc_imx_driver does not decrement the +refcount of the device obtained in usbmisc_get_init_data(). Add a +put_device() call in .remove() and in .probe() before returning an +error. + +This bug was found by an experimental static analysis tool that I am +developing. + +Cc: stable +Fixes: f40017e0f332 ("chipidea: usbmisc_imx: Add USB support for VF610 SoCs") +Signed-off-by: Joe Hattori +Acked-by: Peter Chen +Link: https://lore.kernel.org/r/20241216015539.352579-1-joe@pf.is.s.u-tokyo.ac.jp +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/ci_hdrc_imx.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +--- a/drivers/usb/chipidea/ci_hdrc_imx.c ++++ b/drivers/usb/chipidea/ci_hdrc_imx.c +@@ -370,25 +370,29 @@ static int ci_hdrc_imx_probe(struct plat + data->pinctrl = devm_pinctrl_get(dev); + if (PTR_ERR(data->pinctrl) == -ENODEV) + data->pinctrl = NULL; +- else if (IS_ERR(data->pinctrl)) +- return dev_err_probe(dev, PTR_ERR(data->pinctrl), ++ else if (IS_ERR(data->pinctrl)) { ++ ret = dev_err_probe(dev, PTR_ERR(data->pinctrl), + "pinctrl get failed\n"); ++ goto err_put; ++ } + + data->hsic_pad_regulator = + devm_regulator_get_optional(dev, "hsic"); + if (PTR_ERR(data->hsic_pad_regulator) == -ENODEV) { + /* no pad regulator is needed */ + data->hsic_pad_regulator = NULL; +- } else if (IS_ERR(data->hsic_pad_regulator)) +- return dev_err_probe(dev, PTR_ERR(data->hsic_pad_regulator), ++ } else if (IS_ERR(data->hsic_pad_regulator)) { ++ ret = dev_err_probe(dev, PTR_ERR(data->hsic_pad_regulator), + "Get HSIC pad regulator error\n"); ++ goto err_put; ++ } + + if 
(data->hsic_pad_regulator) { + ret = regulator_enable(data->hsic_pad_regulator); + if (ret) { + dev_err(dev, + "Failed to enable HSIC pad regulator\n"); +- return ret; ++ goto err_put; + } + } + } +@@ -402,13 +406,14 @@ static int ci_hdrc_imx_probe(struct plat + dev_err(dev, + "pinctrl_hsic_idle lookup failed, err=%ld\n", + PTR_ERR(pinctrl_hsic_idle)); +- return PTR_ERR(pinctrl_hsic_idle); ++ ret = PTR_ERR(pinctrl_hsic_idle); ++ goto err_put; + } + + ret = pinctrl_select_state(data->pinctrl, pinctrl_hsic_idle); + if (ret) { + dev_err(dev, "hsic_idle select failed, err=%d\n", ret); +- return ret; ++ goto err_put; + } + + data->pinctrl_hsic_active = pinctrl_lookup_state(data->pinctrl, +@@ -417,7 +422,8 @@ static int ci_hdrc_imx_probe(struct plat + dev_err(dev, + "pinctrl_hsic_active lookup failed, err=%ld\n", + PTR_ERR(data->pinctrl_hsic_active)); +- return PTR_ERR(data->pinctrl_hsic_active); ++ ret = PTR_ERR(data->pinctrl_hsic_active); ++ goto err_put; + } + } + +@@ -527,6 +533,8 @@ disable_hsic_regulator: + if (pdata.flags & CI_HDRC_PMQOS) + cpu_latency_qos_remove_request(&data->pm_qos_req); + data->ci_pdev = NULL; ++err_put: ++ put_device(data->usbmisc_data->dev); + return ret; + } + +@@ -551,6 +559,7 @@ static void ci_hdrc_imx_remove(struct pl + if (data->hsic_pad_regulator) + regulator_disable(data->hsic_pad_regulator); + } ++ put_device(data->usbmisc_data->dev); + } + + static void ci_hdrc_imx_shutdown(struct platform_device *pdev) diff --git a/queue-6.12/usb-core-disable-lpm-only-for-non-suspended-ports.patch b/queue-6.12/usb-core-disable-lpm-only-for-non-suspended-ports.patch new file mode 100644 index 00000000000..39460a94061 --- /dev/null +++ b/queue-6.12/usb-core-disable-lpm-only-for-non-suspended-ports.patch 
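Review bot: `put_device(data->usbmisc_data->dev)` at the new `err_put:` label and at the end of ci_hdrc_imx_remove dereferences `data->usbmisc_data` without a NULL check. The assignment is outside these hunks, so this is inferred: if the usbmisc lookup may legitimately yield NULL (for example when the property is optional), both sites would fault on a board without it. Guard both: `if (data->usbmisc_data) put_device(data->usbmisc_data->dev);`. Error returns earlier in ci_hdrc_imx_probe that sit between taking the reference and the first hunk are not shown and should be checked for direct `return` statements that still skip `err_put`.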
@@ -0,0 +1,52 @@ +From 59bfeaf5454b7e764288d84802577f4a99bf0819 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Fri, 6 Dec 2024 15:48:17 +0800 +Subject: USB: core: Disable LPM only for non-suspended ports + +From: Kai-Heng Feng + +commit 59bfeaf5454b7e764288d84802577f4a99bf0819 upstream. + +There's USB error when tegra board is shutting down: +[ 180.919315] usb 2-3: Failed to set U1 timeout to 0x0,error code -113 +[ 180.919995] usb 2-3: Failed to set U1 timeout to 0xa,error code -113 +[ 180.920512] usb 2-3: Failed to set U2 timeout to 0x4,error code -113 +[ 186.157172] tegra-xusb 3610000.usb: xHCI host controller not responding, assume dead +[ 186.157858] tegra-xusb 3610000.usb: HC died; cleaning up +[ 186.317280] tegra-xusb 3610000.usb: Timeout while waiting for evaluate context command + +The issue is caused by disabling LPM on already suspended ports. + +For USB2 LPM, the LPM is already disabled during port suspend. For USB3 +LPM, port won't transit to U1/U2 when it's already suspended in U3, +hence disabling LPM is only needed for ports that are not suspended. + +Cc: Wayne Chang +Cc: stable +Fixes: d920a2ed8620 ("usb: Disable USB3 LPM at shutdown") +Signed-off-by: Kai-Heng Feng +Acked-by: Alan Stern +Tested-by: Jon Hunter +Link: https://lore.kernel.org/r/20241206074817.89189-1-kaihengf@nvidia.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/port.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/usb/core/port.c ++++ b/drivers/usb/core/port.c +@@ -452,10 +452,11 @@ static int usb_port_runtime_suspend(stru + static void usb_port_shutdown(struct device *dev) + { + struct usb_port *port_dev = to_usb_port(dev); ++ struct usb_device *udev = port_dev->child; + +- if (port_dev->child) { +- usb_disable_usb2_hardware_lpm(port_dev->child); +- usb_unlocked_disable_lpm(port_dev->child); ++ if (udev && !udev->port_is_suspended) { ++ usb_disable_usb2_hardware_lpm(udev); ++ usb_unlocked_disable_lpm(udev); + } + } + 
diff --git a/queue-6.12/usb-dwc3-am62-disable-autosuspend-during-remove.patch b/queue-6.12/usb-dwc3-am62-disable-autosuspend-during-remove.patch new file mode 100644 index 00000000000..ce9c625e9e7 --- /dev/null +++ b/queue-6.12/usb-dwc3-am62-disable-autosuspend-during-remove.patch @@ -0,0 +1,35 @@ +From 625e70ccb7bbbb2cc912e23c63390946170c085c Mon Sep 17 00:00:00 2001 +From: Prashanth K +Date: Mon, 9 Dec 2024 16:27:28 +0530 +Subject: usb: dwc3-am62: Disable autosuspend during remove + +From: Prashanth K + +commit 625e70ccb7bbbb2cc912e23c63390946170c085c upstream. + +Runtime PM documentation (Section 5) mentions, during remove() +callbacks, drivers should undo the runtime PM changes done in +probe(). Usually this means calling pm_runtime_disable(), +pm_runtime_dont_use_autosuspend() etc. Hence add missing +function to disable autosuspend on dwc3-am62 driver unbind. + +Fixes: e8784c0aec03 ("drivers: usb: dwc3: Add AM62 USB wrapper driver") +Cc: stable +Signed-off-by: Prashanth K +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20241209105728.3216872-1-quic_prashk@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-am62.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/dwc3/dwc3-am62.c ++++ b/drivers/usb/dwc3/dwc3-am62.c +@@ -309,6 +309,7 @@ static void dwc3_ti_remove(struct platfo + + pm_runtime_put_sync(dev); + pm_runtime_disable(dev); ++ pm_runtime_dont_use_autosuspend(dev); + pm_runtime_set_suspended(dev); + } + diff --git a/queue-6.12/usb-fix-reference-leak-in-usb_new_device.patch b/queue-6.12/usb-fix-reference-leak-in-usb_new_device.patch new file mode 100644 index 00000000000..329dfadb405 --- /dev/null +++ b/queue-6.12/usb-fix-reference-leak-in-usb_new_device.patch 
@@ -0,0 +1,54 @@ +From 0df11fa8cee5a9cf8753d4e2672bb3667138c652 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Wed, 18 Dec 2024 15:13:46 +0800 +Subject: usb: fix reference leak in usb_new_device() + +From: Ma Ke + +commit 0df11fa8cee5a9cf8753d4e2672bb3667138c652 upstream. + +When device_add(&udev->dev) succeeds and a later call fails, +usb_new_device() does not properly call device_del(). As comment of +device_add() says, 'if device_add() succeeds, you should call +device_del() when you want to get rid of it. If device_add() has not +succeeded, use only put_device() to drop the reference count'. + +Found by code review. + +Cc: stable +Fixes: 9f8b17e643fe ("USB: make usbdevices export their device nodes instead of using a separate class") +Signed-off-by: Ma Ke +Reviewed-by: Alan Stern +Link: https://lore.kernel.org/r/20241218071346.2973980-1-make_ruc2021@163.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hub.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -2663,13 +2663,13 @@ int usb_new_device(struct usb_device *ud + err = sysfs_create_link(&udev->dev.kobj, + &port_dev->dev.kobj, "port"); + if (err) +- goto fail; ++ goto out_del_dev; + + err = sysfs_create_link(&port_dev->dev.kobj, + &udev->dev.kobj, "device"); + if (err) { + sysfs_remove_link(&udev->dev.kobj, "port"); +- goto fail; ++ goto out_del_dev; + } + + if (!test_and_set_bit(port1, hub->child_usage_bits)) +@@ -2683,6 +2683,8 @@ int usb_new_device(struct usb_device *ud + pm_runtime_put_sync_autosuspend(&udev->dev); + return err; + ++out_del_dev: ++ device_del(&udev->dev); + fail: + usb_set_device_state(udev, USB_STATE_NOTATTACHED); + pm_runtime_disable(&udev->dev); diff --git a/queue-6.12/usb-gadget-configfs-ignore-trailing-lf-for-user-strings-to-cdev.patch b/queue-6.12/usb-gadget-configfs-ignore-trailing-lf-for-user-strings-to-cdev.patch new file mode 100644 index 00000000000..d3fbecc75e5 --- /dev/null 
+++ b/queue-6.12/usb-gadget-configfs-ignore-trailing-lf-for-user-strings-to-cdev.patch @@ -0,0 +1,54 @@ +From 9466545720e231fc02acd69b5f4e9138e09a26f6 Mon Sep 17 00:00:00 2001 +From: Ingo Rohloff +Date: Thu, 12 Dec 2024 16:41:14 +0100 +Subject: usb: gadget: configfs: Ignore trailing LF for user strings to cdev + +From: Ingo Rohloff + +commit 9466545720e231fc02acd69b5f4e9138e09a26f6 upstream. + +Since commit c033563220e0f7a8 +("usb: gadget: configfs: Attach arbitrary strings to cdev") +a user can provide extra string descriptors to a USB gadget via configfs. + +For "manufacturer", "product", "serialnumber", setting the string via +configfs ignores a trailing LF. + +For the arbitrary strings the LF was not ignored. + +This patch ignores a trailing LF to make this consistent with the existing +behavior for "manufacturer", ... string descriptors. + +Fixes: c033563220e0 ("usb: gadget: configfs: Attach arbitrary strings to cdev") +Cc: stable +Signed-off-by: Ingo Rohloff +Link: https://lore.kernel.org/r/20241212154114.29295-1-ingo.rohloff@lauterbach.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/configfs.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c +index 6499a88d346c..fba2a56dae97 100644 +--- a/drivers/usb/gadget/configfs.c ++++ b/drivers/usb/gadget/configfs.c +@@ -827,11 +827,15 @@ static ssize_t gadget_string_s_store(struct config_item *item, const char *page, + { + struct gadget_string *string = to_gadget_string(item); + int size = min(sizeof(string->string), len + 1); ++ ssize_t cpy_len; + + if (len > USB_MAX_STRING_LEN) + return -EINVAL; + +- return strscpy(string->string, page, size); ++ cpy_len = strscpy(string->string, page, size); ++ if (cpy_len > 0 && string->string[cpy_len - 1] == '\n') ++ string->string[cpy_len - 1] = 0; ++ return len; + } + CONFIGFS_ATTR(gadget_string_, s); + +-- +2.48.0 + 
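Review bot: gadget_string_s_store now returns `len` unconditionally, so a negative result from `strscpy()` (it returns -E2BIG on truncation) is dropped and the write reports success even though the stored string was cut short; before this change the error was propagated. Add `if (cpy_len < 0) return cpy_len;` ahead of the trailing-LF check. Whether truncation is reachable depends on `sizeof(string->string)` relative to `USB_MAX_STRING_LEN`, which is declared outside the hunk. Separately, `size` is derived from the user-supplied `len` and narrowed to `int` before the `len > USB_MAX_STRING_LEN` test; doing the bound check first would make the validation order obvious.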
diff --git a/queue-6.12/usb-gadget-f_fs-remove-warn_on-in-functionfs_bind.patch b/queue-6.12/usb-gadget-f_fs-remove-warn_on-in-functionfs_bind.patch new file mode 100644 index 00000000000..5e2068eb236 --- /dev/null +++ b/queue-6.12/usb-gadget-f_fs-remove-warn_on-in-functionfs_bind.patch 
@@ -0,0 +1,75 @@ +From dfc51e48bca475bbee984e90f33fdc537ce09699 Mon Sep 17 00:00:00 2001 +From: Akash M +Date: Thu, 19 Dec 2024 18:22:19 +0530 +Subject: usb: gadget: f_fs: Remove WARN_ON in functionfs_bind + +From: Akash M + +commit dfc51e48bca475bbee984e90f33fdc537ce09699 upstream. + +This commit addresses an issue related to below kernel panic where +panic_on_warn is enabled. It is caused by the unnecessary use of WARN_ON +in functionsfs_bind, which easily leads to the following scenarios. + +1.adb_write in adbd 2. UDC write via configfs + ================= ===================== + +->usb_ffs_open_thread() ->UDC write + ->open_functionfs() ->configfs_write_iter() + ->adb_open() ->gadget_dev_desc_UDC_store() + ->adb_write() ->usb_gadget_register_driver_owner + ->driver_register() +->StartMonitor() ->bus_add_driver() + ->adb_read() ->gadget_bind_driver() + ->configfs_composite_bind() + ->usb_add_function() +->open_functionfs() ->ffs_func_bind() + ->adb_open() ->functionfs_bind() + state !=FFS_ACTIVE> + +The adb_open, adb_read, and adb_write operations are invoked from the +daemon, but trying to bind the function is a process that is invoked by +UDC write through configfs, which opens up the possibility of a race +condition between the two paths. In this race scenario, the kernel panic +occurs due to the WARN_ON from functionfs_bind when panic_on_warn is +enabled. This commit fixes the kernel panic by removing the unnecessary +WARN_ON. + +Kernel panic - not syncing: kernel: panic_on_warn set ... 
+[ 14.542395] Call trace: +[ 14.542464] ffs_func_bind+0x1c8/0x14a8 +[ 14.542468] usb_add_function+0xcc/0x1f0 +[ 14.542473] configfs_composite_bind+0x468/0x588 +[ 14.542478] gadget_bind_driver+0x108/0x27c +[ 14.542483] really_probe+0x190/0x374 +[ 14.542488] __driver_probe_device+0xa0/0x12c +[ 14.542492] driver_probe_device+0x3c/0x220 +[ 14.542498] __driver_attach+0x11c/0x1fc +[ 14.542502] bus_for_each_dev+0x104/0x160 +[ 14.542506] driver_attach+0x24/0x34 +[ 14.542510] bus_add_driver+0x154/0x270 +[ 14.542514] driver_register+0x68/0x104 +[ 14.542518] usb_gadget_register_driver_owner+0x48/0xf4 +[ 14.542523] gadget_dev_desc_UDC_store+0xf8/0x144 +[ 14.542526] configfs_write_iter+0xf0/0x138 + +Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver") +Cc: stable +Signed-off-by: Akash M +Link: https://lore.kernel.org/r/20241219125221.1679-1-akash.m5@samsung.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_fs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -2285,7 +2285,7 @@ static int functionfs_bind(struct ffs_da + struct usb_gadget_strings **lang; + int first_id; + +- if (WARN_ON(ffs->state != FFS_ACTIVE ++ if ((ffs->state != FFS_ACTIVE + || test_and_set_bit(FFS_FL_BOUND, &ffs->flags))) + return -EBADFD; + diff --git a/queue-6.12/usb-gadget-f_uac2-fix-incorrect-setting-of-bnumendpoints.patch b/queue-6.12/usb-gadget-f_uac2-fix-incorrect-setting-of-bnumendpoints.patch new file mode 100644 index 00000000000..4c42d57a04a --- /dev/null +++ b/queue-6.12/usb-gadget-f_uac2-fix-incorrect-setting-of-bnumendpoints.patch 
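Review bot: The condition in functionfs_bind keeps the doubled parentheses left over from the removed `WARN_ON(`, which now reads like the assignment-in-condition idiom; write it as `if (ffs->state != FFS_ACTIVE || test_and_set_bit(FFS_FL_BOUND, &ffs->flags))`. Because the `-EBADFD` return is now silent, a short comment such as `/* bind can race with the userspace daemon reopening the endpoints; not a kernel bug, so no WARN */` would explain why no diagnostic is emitted here. The function body continues outside the hunk.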
@@ -0,0 +1,36 @@ +From 057bd54dfcf68b1f67e6dfc32a47a72e12198495 Mon Sep 17 00:00:00 2001 +From: Prashanth K +Date: Wed, 11 Dec 2024 17:29:15 +0530 +Subject: usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints + +From: Prashanth K + +commit 057bd54dfcf68b1f67e6dfc32a47a72e12198495 upstream. + +Currently afunc_bind sets std_ac_if_desc.bNumEndpoints to 1 if +controls (mute/volume) are enabled. During next afunc_bind call, +bNumEndpoints would be unchanged and incorrectly set to 1 even +if the controls aren't enabled. + +Fix this by resetting the value of bNumEndpoints to 0 on every +afunc_bind call. + +Fixes: eaf6cbe09920 ("usb: gadget: f_uac2: add volume and mute support") +Cc: stable +Signed-off-by: Prashanth K +Link: https://lore.kernel.org/r/20241211115915.159864-1-quic_prashk@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_uac2.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/gadget/function/f_uac2.c ++++ b/drivers/usb/gadget/function/f_uac2.c +@@ -1185,6 +1185,7 @@ afunc_bind(struct usb_configuration *cfg + uac2->as_in_alt = 0; + } + ++ std_ac_if_desc.bNumEndpoints = 0; + if (FUOUT_EN(uac2_opts) || FUIN_EN(uac2_opts)) { + uac2->int_ep = usb_ep_autoconfig(gadget, &fs_ep_int_desc); + if (!uac2->int_ep) { diff --git a/queue-6.12/usb-gadget-midi2-reverse-select-at-the-right-place.patch b/queue-6.12/usb-gadget-midi2-reverse-select-at-the-right-place.patch new file mode 100644 index 00000000000..7c545a7c708 --- /dev/null +++ b/queue-6.12/usb-gadget-midi2-reverse-select-at-the-right-place.patch 
@@ -0,0 +1,43 @@ +From 6f660ffce7c938f2a5d8473c0e0b45e4fb25ef7f Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 1 Jan 2025 14:11:19 +0100 +Subject: usb: gadget: midi2: Reverse-select at the right place + +From: Takashi Iwai + +commit 6f660ffce7c938f2a5d8473c0e0b45e4fb25ef7f upstream. + +We should do reverse selection of other components from +CONFIG_USB_F_MIDI2 which is tristate, instead of +CONFIG_USB_CONFIGFS_F_MIDI2 which is bool, for satisfying subtle +module dependencies. + +Fixes: 8b645922b223 ("usb: gadget: Add support for USB MIDI 2.0 function driver") +Cc: stable +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20250101131124.27599-1-tiwai@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/Kconfig ++++ b/drivers/usb/gadget/Kconfig +@@ -211,6 +211,8 @@ config USB_F_MIDI + + config USB_F_MIDI2 + tristate ++ select SND_UMP ++ select SND_UMP_LEGACY_RAWMIDI + + config USB_F_HID + tristate +@@ -445,8 +447,6 @@ config USB_CONFIGFS_F_MIDI2 + depends on USB_CONFIGFS + depends on SND + select USB_LIBCOMPOSITE +- select SND_UMP +- select SND_UMP_LEGACY_RAWMIDI + select USB_F_MIDI2 + help + The MIDI 2.0 function driver provides the generic emulated diff --git a/queue-6.12/usb-gadget-u_serial-disable-ep-before-setting-port-to-null-to-fix-the-crash-caused-by-port-being-null.patch b/queue-6.12/usb-gadget-u_serial-disable-ep-before-setting-port-to-null-to-fix-the-crash-caused-by-port-being-null.patch new file mode 100644 index 00000000000..0f4e4608784 --- /dev/null +++ b/queue-6.12/usb-gadget-u_serial-disable-ep-before-setting-port-to-null-to-fix-the-crash-caused-by-port-being-null.patch 
@@ -0,0 +1,69 @@ +From 13014969cbf07f18d62ceea40bd8ca8ec9d36cec Mon Sep 17 00:00:00 2001 +From: Lianqin Hu +Date: Tue, 17 Dec 2024 07:58:44 +0000 +Subject: usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null + +From: Lianqin Hu + +commit 13014969cbf07f18d62ceea40bd8ca8ec9d36cec upstream. + +Considering that in some extreme cases, when performing the +unbinding operation, gserial_disconnect has cleared gser->ioport, +which triggers gadget reconfiguration, and then calls gs_read_complete, +resulting in access to a null pointer. Therefore, ep is disabled before +gserial_disconnect sets port to null to prevent this from happening. + +Call trace: + gs_read_complete+0x58/0x240 + usb_gadget_giveback_request+0x40/0x160 + dwc3_remove_requests+0x170/0x484 + dwc3_ep0_out_start+0xb0/0x1d4 + __dwc3_gadget_start+0x25c/0x720 + kretprobe_trampoline.cfi_jt+0x0/0x8 + kretprobe_trampoline.cfi_jt+0x0/0x8 + udc_bind_to_driver+0x1d8/0x300 + usb_gadget_probe_driver+0xa8/0x1dc + gadget_dev_desc_UDC_store+0x13c/0x188 + configfs_write_iter+0x160/0x1f4 + vfs_write+0x2d0/0x40c + ksys_write+0x7c/0xf0 + __arm64_sys_write+0x20/0x30 + invoke_syscall+0x60/0x150 + el0_svc_common+0x8c/0xf8 + do_el0_svc+0x28/0xa0 + el0_svc+0x24/0x84 + +Fixes: c1dca562be8a ("usb gadget: split out serial core") +Cc: stable +Suggested-by: Greg Kroah-Hartman +Signed-off-by: Lianqin Hu +Link: https://lore.kernel.org/r/TYUPR06MB621733B5AC690DBDF80A0DCCD2042@TYUPR06MB6217.apcprd06.prod.outlook.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/u_serial.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/function/u_serial.c ++++ b/drivers/usb/gadget/function/u_serial.c +@@ -1420,6 +1420,10 @@ void gserial_disconnect(struct gserial * + /* REVISIT as above: how best to track this? 
*/ + port->port_line_coding = gser->port_line_coding; + ++ /* disable endpoints, aborting down any active I/O */ ++ usb_ep_disable(gser->out); ++ usb_ep_disable(gser->in); ++ + port->port_usb = NULL; + gser->ioport = NULL; + if (port->port.count > 0) { +@@ -1431,10 +1435,6 @@ void gserial_disconnect(struct gserial * + spin_unlock(&port->port_lock); + spin_unlock_irqrestore(&serial_port_lock, flags); + +- /* disable endpoints, aborting down any active I/O */ +- usb_ep_disable(gser->out); +- usb_ep_disable(gser->in); +- + /* finally, free any unused/unusable I/O buffers */ + spin_lock_irqsave(&port->port_lock, flags); + if (port->port.count == 0) diff --git a/queue-6.12/usb-host-xhci-plat-set-skip_phy_initialization-if-software-node-has-xhci_skip_phy_init-property.patch b/queue-6.12/usb-host-xhci-plat-set-skip_phy_initialization-if-software-node-has-xhci_skip_phy_init-property.patch new file mode 100644 index 00000000000..8d72626b212 --- /dev/null +++ b/queue-6.12/usb-host-xhci-plat-set-skip_phy_initialization-if-software-node-has-xhci_skip_phy_init-property.patch 
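Review bot: The two `usb_ep_disable()` calls now run before `spin_unlock(&port->port_lock)` and `spin_unlock_irqrestore(&serial_port_lock, flags)`, that is with both spinlocks held and interrupts off, whereas the old placement was after the unlocks. The call trace in the description shows a UDC giving requests back synchronously into gs_read_complete(); if that completion handler takes `port->port_lock` (its body is not in this hunk), disabling the endpoints under the same lock can self-deadlock on unbind. I would keep the calls after `spin_unlock_irqrestore(&serial_port_lock, flags);` and close the race by making the completion path tolerate a cleared port instead, and would want this checked against the UDC drivers in use before it lands in a stable queue. gserial_disconnect() starts and ends outside the hunk.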
@@ -0,0 +1,39 @@ +From e19852d0bfecbc80976b1423cf2af87ca514a58c Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Mon, 9 Dec 2024 19:14:23 +0800 +Subject: usb: host: xhci-plat: set skip_phy_initialization if software node has XHCI_SKIP_PHY_INIT property + +From: Xu Yang + +commit e19852d0bfecbc80976b1423cf2af87ca514a58c upstream. + +The source of quirk XHCI_SKIP_PHY_INIT comes from xhci_plat_priv.quirks or +software node property. This will set skip_phy_initialization if software +node also has XHCI_SKIP_PHY_INIT property. + +Fixes: a6cd2b3fa894 ("usb: host: xhci-plat: Parse xhci-missing_cas_quirk and apply quirk") +Cc: stable +Signed-off-by: Xu Yang +Link: https://lore.kernel.org/r/20241209111423.4085548-1-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-plat.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c +index e6c9006bd568..db109b570c5c 100644 +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -290,7 +290,8 @@ int xhci_plat_probe(struct platform_device *pdev, struct device *sysdev, const s + + hcd->tpl_support = of_usb_host_tpl_support(sysdev->of_node); + +- if (priv && (priv->quirks & XHCI_SKIP_PHY_INIT)) ++ if ((priv && (priv->quirks & XHCI_SKIP_PHY_INIT)) || ++ (xhci->quirks & XHCI_SKIP_PHY_INIT)) + hcd->skip_phy_initialization = 1; + + if (priv && (priv->quirks & XHCI_SG_TRB_CACHE_SIZE_QUIRK)) +-- +2.48.0 + diff --git a/queue-6.12/usb-typec-fix-pm-usage-counter-imbalance-in-ucsi_ccg_sync_control.patch b/queue-6.12/usb-typec-fix-pm-usage-counter-imbalance-in-ucsi_ccg_sync_control.patch new file mode 100644 index 00000000000..459a33b4c5d --- /dev/null +++ b/queue-6.12/usb-typec-fix-pm-usage-counter-imbalance-in-ucsi_ccg_sync_control.patch 
@@ -0,0 +1,45 @@ +From b0e525d7a22ea350e75e2aec22e47fcfafa4cacd Mon Sep 17 00:00:00 2001 +From: GONG Ruiqi +Date: Tue, 7 Jan 2025 09:57:50 +0800 +Subject: usb: typec: fix pm usage counter imbalance in ucsi_ccg_sync_control() + +From: GONG Ruiqi + +commit b0e525d7a22ea350e75e2aec22e47fcfafa4cacd upstream. + +The error handling for the case `con_index == 0` should involve dropping +the pm usage counter, as ucsi_ccg_sync_control() gets it at the +beginning. Fix it. + +Cc: stable +Fixes: e56aac6e5a25 ("usb: typec: fix potential array underflow in ucsi_ccg_sync_control()") +Signed-off-by: GONG Ruiqi +Reviewed-by: Dan Carpenter +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20250107015750.2778646-1-gongruiqi1@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi_ccg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/typec/ucsi/ucsi_ccg.c ++++ b/drivers/usb/typec/ucsi/ucsi_ccg.c +@@ -646,7 +646,7 @@ static int ucsi_ccg_sync_control(struct + UCSI_CMD_CONNECTOR_MASK; + if (con_index == 0) { + ret = -EINVAL; +- goto unlock; ++ goto err_put; + } + con = &uc->ucsi->connector[con_index - 1]; + ucsi_ccg_update_set_new_cam_cmd(uc, con, &command); +@@ -654,8 +654,8 @@ static int ucsi_ccg_sync_control(struct + + ret = ucsi_sync_control_common(ucsi, command); + ++err_put: + pm_runtime_put_sync(uc->dev); +-unlock: + mutex_unlock(&uc->lock); + + return ret; diff --git a/queue-6.12/usb-typec-tcpci-fix-null-pointer-issue-on-shared-irq-case.patch b/queue-6.12/usb-typec-tcpci-fix-null-pointer-issue-on-shared-irq-case.patch new file mode 100644 index 00000000000..006a898445f --- /dev/null +++ b/queue-6.12/usb-typec-tcpci-fix-null-pointer-issue-on-shared-irq-case.patch 
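Review bot: The new label `err_put:` is also reached on the success path, because `ret = ucsi_sync_control_common(ucsi, command);` falls straight through into it, so the `err_` prefix is misleading. A neutral name reads better: `out_put:` with `goto out_put;` in the `con_index == 0` branch. The start of ucsi_ccg_sync_control(), where the usage counter is taken, is outside the hunk, so whether a failure of that get is handled before this point cannot be confirmed from here.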
@@ -0,0 +1,140 @@ +From 862a9c0f68487fd6ced15622d9cdcec48f8b5aaa Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Wed, 18 Dec 2024 17:53:28 +0800 +Subject: usb: typec: tcpci: fix NULL pointer issue on shared irq case + +From: Xu Yang + +commit 862a9c0f68487fd6ced15622d9cdcec48f8b5aaa upstream. + +The tcpci_irq() may meet below NULL pointer dereference issue: + +[ 2.641851] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 +[ 2.641951] status 0x1, 0x37f +[ 2.650659] Mem abort info: +[ 2.656490] ESR = 0x0000000096000004 +[ 2.660230] EC = 0x25: DABT (current EL), IL = 32 bits +[ 2.665532] SET = 0, FnV = 0 +[ 2.668579] EA = 0, S1PTW = 0 +[ 2.671715] FSC = 0x04: level 0 translation fault +[ 2.676584] Data abort info: +[ 2.679459] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 +[ 2.684936] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 2.689980] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 2.695284] [0000000000000010] user address but active_mm is swapper +[ 2.701632] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP +[ 2.707883] Modules linked in: +[ 2.710936] CPU: 1 UID: 0 PID: 87 Comm: irq/111-2-0051 Not tainted 6.12.0-rc6-06316-g7f63786ad3d1-dirty #4 +[ 2.720570] Hardware name: NXP i.MX93 11X11 EVK board (DT) +[ 2.726040] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 2.732989] pc : tcpci_irq+0x38/0x318 +[ 2.736647] lr : _tcpci_irq+0x14/0x20 +[ 2.740295] sp : ffff80008324bd30 +[ 2.743597] x29: ffff80008324bd70 x28: ffff800080107894 x27: ffff800082198f70 +[ 2.750721] x26: ffff0000050e6680 x25: ffff000004d172ac x24: ffff0000050f0000 +[ 2.757845] x23: ffff000004d17200 x22: 0000000000000001 x21: ffff0000050f0000 +[ 2.764969] x20: ffff000004d17200 x19: 0000000000000000 x18: 0000000000000001 +[ 2.772093] x17: 0000000000000000 x16: ffff80008183d8a0 x15: ffff00007fbab040 +[ 2.779217] x14: ffff00007fb918c0 x13: 0000000000000000 x12: 000000000000017a +[ 2.786341] x11: 0000000000000001 x10: 0000000000000a90 x9 : 
ffff80008324bd00 +[ 2.793465] x8 : ffff0000050f0af0 x7 : ffff00007fbaa840 x6 : 0000000000000031 +[ 2.800589] x5 : 000000000000017a x4 : 0000000000000002 x3 : 0000000000000002 +[ 2.807713] x2 : ffff80008324bd3a x1 : 0000000000000010 x0 : 0000000000000000 +[ 2.814838] Call trace: +[ 2.817273] tcpci_irq+0x38/0x318 +[ 2.820583] _tcpci_irq+0x14/0x20 +[ 2.823885] irq_thread_fn+0x2c/0xa8 +[ 2.827456] irq_thread+0x16c/0x2f4 +[ 2.830940] kthread+0x110/0x114 +[ 2.834164] ret_from_fork+0x10/0x20 +[ 2.837738] Code: f9426420 f9001fe0 d2800000 52800201 (f9400a60) + +This may happen on shared irq case. Such as two Type-C ports share one +irq. After the first port finished tcpci_register_port(), it may trigger +interrupt. However, if the interrupt comes by chance the 2nd port finishes +devm_request_threaded_irq(), the 2nd port interrupt handler will run at +first. Then the above issue happens due to tcpci is still a NULL pointer +in tcpci_irq() when dereference to regmap. + + devm_request_threaded_irq() + <-- port1 irq comes + disable_irq(client->irq); + tcpci_register_port() + +This will restore the logic to the state before commit (77e85107a771 "usb: +typec: tcpci: support edge irq"). + +However, moving tcpci_register_port() earlier creates a problem when use +edge irq because tcpci_init() will be called before +devm_request_threaded_irq(). The tcpci_init() writes the ALERT_MASK to +the hardware to tell it to start generating interrupts but we're not ready +to deal with them yet, then the ALERT events may be missed and ALERT line +will not recover to high level forever. To avoid the issue, this will also +set ALERT_MASK register after devm_request_threaded_irq() return. 
+ +Fixes: 77e85107a771 ("usb: typec: tcpci: support edge irq") +Cc: stable +Tested-by: Emanuele Ghidoli +Signed-off-by: Xu Yang +Reviewed-by: Francesco Dolcini +Reviewed-by: Heikki Krogerus +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20241218095328.2604607-1-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tcpm/tcpci.c | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +diff --git a/drivers/usb/typec/tcpm/tcpci.c b/drivers/usb/typec/tcpm/tcpci.c +index ed32583829be..24a6a4354df8 100644 +--- a/drivers/usb/typec/tcpm/tcpci.c ++++ b/drivers/usb/typec/tcpm/tcpci.c +@@ -700,7 +700,7 @@ static int tcpci_init(struct tcpc_dev *tcpc) + + tcpci->alert_mask = reg; + +- return tcpci_write16(tcpci, TCPC_ALERT_MASK, reg); ++ return 0; + } + + irqreturn_t tcpci_irq(struct tcpci *tcpci) +@@ -923,22 +923,27 @@ static int tcpci_probe(struct i2c_client *client) + + chip->data.set_orientation = err; + ++ chip->tcpci = tcpci_register_port(&client->dev, &chip->data); ++ if (IS_ERR(chip->tcpci)) ++ return PTR_ERR(chip->tcpci); ++ + err = devm_request_threaded_irq(&client->dev, client->irq, NULL, + _tcpci_irq, + IRQF_SHARED | IRQF_ONESHOT, + dev_name(&client->dev), chip); + if (err < 0) +- return err; ++ goto unregister_port; + +- /* +- * Disable irq while registering port. If irq is configured as an edge +- * irq this allow to keep track and process the irq as soon as it is enabled. +- */ +- disable_irq(client->irq); +- chip->tcpci = tcpci_register_port(&client->dev, &chip->data); +- enable_irq(client->irq); ++ /* Enable chip interrupts at last */ ++ err = tcpci_write16(chip->tcpci, TCPC_ALERT_MASK, chip->tcpci->alert_mask); ++ if (err < 0) ++ goto unregister_port; + +- return PTR_ERR_OR_ZERO(chip->tcpci); ++ return 0; ++ ++unregister_port: ++ tcpci_unregister_port(chip->tcpci); ++ return err; + } + + static void tcpci_remove(struct i2c_client *client) +-- +2.48.0 + 
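Review bot: On the new `unregister_port:` path in tcpci_probe(), `tcpci_unregister_port(chip->tcpci)` runs while the handler installed by `devm_request_threaded_irq()` is still registered, since the devm release only happens after probe has returned. The line is requested with `IRQF_SHARED`, and the description itself notes that another port's interrupt can invoke this handler, so when `tcpci_write16()` fails `_tcpci_irq` may run against a port that has just been torn down. I would release the interrupt first on that path with `devm_free_irq(&client->dev, client->irq, chip);` and let a failed `devm_request_threaded_irq()` jump to a label placed after that call. Separately, `tcpci_init()` no longer writes `TCPC_ALERT_MASK`; other callers of `tcpci_register_port()` are not visible here and should be checked for relying on that write.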
diff --git a/queue-6.12/usb-typec-tcpm-tcpci_maxim-fix-error-code-in-max_contaminant_read_resistance_kohm.patch b/queue-6.12/usb-typec-tcpm-tcpci_maxim-fix-error-code-in-max_contaminant_read_resistance_kohm.patch new file mode 100644 index 00000000000..74e862b3ff4 --- /dev/null +++ b/queue-6.12/usb-typec-tcpm-tcpci_maxim-fix-error-code-in-max_contaminant_read_resistance_kohm.patch @@ -0,0 +1,46 @@ +From b9711ff7cde0cfbcdd44cb1fac55b6eec496e690 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 6 Dec 2024 16:09:18 +0300 +Subject: usb: typec: tcpm/tcpci_maxim: fix error code in max_contaminant_read_resistance_kohm() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dan Carpenter + +commit b9711ff7cde0cfbcdd44cb1fac55b6eec496e690 upstream. + +If max_contaminant_read_adc_mv() fails, then return the error code. Don't +return zero. + +Fixes: 02b332a06397 ("usb: typec: maxim_contaminant: Implement check_contaminant callback") +Cc: stable +Signed-off-by: Dan Carpenter +Reviewed-by: André Draszik +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/f1bf3768-419e-40dd-989c-f7f455d6c824@stanley.mountain +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tcpm/maxim_contaminant.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/typec/tcpm/maxim_contaminant.c ++++ b/drivers/usb/typec/tcpm/maxim_contaminant.c +@@ -135,7 +135,7 @@ static int max_contaminant_read_resistan + + mv = max_contaminant_read_adc_mv(chip, channel, sleep_msec, raw, true); + if (mv < 0) +- return ret; ++ return mv; + + /* OVP enable */ + ret = regmap_update_bits(regmap, TCPC_VENDOR_CC_CTRL2, CCOVPDIS, 0); +@@ -157,7 +157,7 @@ static int max_contaminant_read_resistan + + mv = max_contaminant_read_adc_mv(chip, channel, sleep_msec, raw, true); + if (mv < 0) +- return ret; ++ return mv; + /* Disable current source */ + ret = regmap_update_bits(regmap, TCPC_VENDOR_CC_CTRL2, SBURPCTRL, 0); + if (ret < 0) 
diff --git a/queue-6.12/usb-usblp-return-error-when-setting-unsupported-protocol.patch b/queue-6.12/usb-usblp-return-error-when-setting-unsupported-protocol.patch new file mode 100644 index 00000000000..475362b9e20 --- /dev/null +++ b/queue-6.12/usb-usblp-return-error-when-setting-unsupported-protocol.patch @@ -0,0 +1,43 @@ +From 7a3d76a0b60b3f6fc3375e4de2174bab43f64545 Mon Sep 17 00:00:00 2001 +From: Jun Yan +Date: Thu, 12 Dec 2024 22:38:52 +0800 +Subject: USB: usblp: return error when setting unsupported protocol + +From: Jun Yan + +commit 7a3d76a0b60b3f6fc3375e4de2174bab43f64545 upstream. + +Fix the regression introduced by commit d8c6edfa3f4e ("USB: +usblp: don't call usb_set_interface if there's a single alt"), +which causes that unsupported protocols can also be set via +ioctl when the num_altsetting of the device is 1. + +Move the check for protocol support to the earlier stage. + +Fixes: d8c6edfa3f4e ("USB: usblp: don't call usb_set_interface if there's a single alt") +Cc: stable +Signed-off-by: Jun Yan +Link: https://lore.kernel.org/r/20241212143852.671889-1-jerrysteve1101@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/usblp.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/usb/class/usblp.c ++++ b/drivers/usb/class/usblp.c +@@ -1337,11 +1337,12 @@ static int usblp_set_protocol(struct usb + if (protocol < USBLP_FIRST_PROTOCOL || protocol > USBLP_LAST_PROTOCOL) + return -EINVAL; + ++ alts = usblp->protocol[protocol].alt_setting; ++ if (alts < 0) ++ return -EINVAL; ++ + /* Don't unnecessarily set the interface if there's a single alt. */ + if (usblp->intf->num_altsetting > 1) { +- alts = usblp->protocol[protocol].alt_setting; +- if (alts < 0) +- return -EINVAL; + r = usb_set_interface(usblp->dev, usblp->ifnum, alts); + if (r < 0) { + printk(KERN_ERR "usblp: can't set desired altsetting %d on interface %d\n", 
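Review bot: The relocated `alt_setting` check in usblp_set_protocol() needs a comment, because the existing "Don't unnecessarily set the interface" comment below it invites moving the lookup back inside the `num_altsetting > 1` branch, which is how the regression named in the description arose. I would add `/* Reject unsupported protocols even when no usb_set_interface() call is needed. */` above `alts = usblp->protocol[protocol].alt_setting;`. According to the description the protocol value arrives through an ioctl, so its validation should not depend on how many altsettings the device exposes. The rest of the function is outside the hunk.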
diff --git a/queue-6.12/x86-fpu-ensure-shadow-stack-is-active-before-getting-registers.patch b/queue-6.12/x86-fpu-ensure-shadow-stack-is-active-before-getting-registers.patch new file mode 100644 index 00000000000..8458b3fafe4 --- /dev/null +++ b/queue-6.12/x86-fpu-ensure-shadow-stack-is-active-before-getting-registers.patch 
@@ -0,0 +1,88 @@ +From a9d9c33132d49329ada647e4514d210d15e31d81 Mon Sep 17 00:00:00 2001 +From: Rick Edgecombe +Date: Tue, 7 Jan 2025 15:30:56 -0800 +Subject: x86/fpu: Ensure shadow stack is active before "getting" registers + +From: Rick Edgecombe + +commit a9d9c33132d49329ada647e4514d210d15e31d81 upstream. + +The x86 shadow stack support has its own set of registers. Those registers +are XSAVE-managed, but they are "supervisor state components" which means +that userspace can not touch them with XSAVE/XRSTOR. It also means that +they are not accessible from the existing ptrace ABI for XSAVE state. +Thus, there is a new ptrace get/set interface for it. + +The regset code that ptrace uses provides an ->active() handler in +addition to the get/set ones. For shadow stack this ->active() handler +verifies that shadow stack is enabled via the ARCH_SHSTK_SHSTK bit in the +thread struct. The ->active() handler is checked from some call sites of +the regset get/set handlers, but not the ptrace ones. This was not +understood when shadow stack support was put in place. + +As a result, both the set/get handlers can be called with +XFEATURE_CET_USER in its init state, which would cause get_xsave_addr() to +return NULL and trigger a WARN_ON(). The ssp_set() handler luckily has an +ssp_active() check to avoid surprising the kernel with shadow stack +behavior when the kernel is not ready for it (ARCH_SHSTK_SHSTK==0). That +check just happened to avoid the warning. + +But the ->get() side wasn't so lucky. It can be called with shadow stacks +disabled, triggering the warning in practice, as reported by Christina +Schimpe: + +WARNING: CPU: 5 PID: 1773 at arch/x86/kernel/fpu/regset.c:198 ssp_get+0x89/0xa0 +[...] +Call Trace: + +? show_regs+0x6e/0x80 +? ssp_get+0x89/0xa0 +? __warn+0x91/0x150 +? ssp_get+0x89/0xa0 +? report_bug+0x19d/0x1b0 +? handle_bug+0x46/0x80 +? exc_invalid_op+0x1d/0x80 +? asm_exc_invalid_op+0x1f/0x30 +? __pfx_ssp_get+0x10/0x10 +? ssp_get+0x89/0xa0 +? 
ssp_get+0x52/0xa0 +__regset_get+0xad/0xf0 +copy_regset_to_user+0x52/0xc0 +ptrace_regset+0x119/0x140 +ptrace_request+0x13c/0x850 +? wait_task_inactive+0x142/0x1d0 +? do_syscall_64+0x6d/0x90 +arch_ptrace+0x102/0x300 +[...] + +Ensure that shadow stacks are active in a thread before looking them up +in the XSAVE buffer. Since ARCH_SHSTK_SHSTK and user_ssp[SHSTK_EN] are +set at the same time, the active check ensures that there will be +something to find in the XSAVE buffer. + +[ dhansen: changelog/subject tweaks ] + +Fixes: 2fab02b25ae7 ("x86: Add PTRACE interface for shadow stack") +Reported-by: Christina Schimpe +Signed-off-by: Rick Edgecombe +Signed-off-by: Dave Hansen +Tested-by: Christina Schimpe +Cc:stable@vger.kernel.org +Link: https://lore.kernel.org/all/20250107233056.235536-1-rick.p.edgecombe%40intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/fpu/regset.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/fpu/regset.c ++++ b/arch/x86/kernel/fpu/regset.c +@@ -190,7 +190,8 @@ int ssp_get(struct task_struct *target, + struct fpu *fpu = &target->thread.fpu; + struct cet_user_state *cetregs; + +- if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK)) ++ if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK) || ++ !ssp_active(target, regset)) + return -ENODEV; + + sync_fpstate(fpu);
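Review bot: The added `!ssp_active(target, regset)` test in ssp_get() has no comment explaining that it repeats the regset's ->active() check on purpose. The description says the ptrace path reaches ->get() without consulting ->active(), so a tracer can hit the warning on a thread with shadow stack disabled; a comment such as `/* ptrace does not check ->active() before ->get(); bail out before the XSAVE lookup */` would stop a later cleanup from dropping the test as redundant. Both conditions return `-ENODEV`, so callers cannot tell an unsupported CPU from an inactive thread, which looks intended but is worth stating in that comment. ssp_get() continues past the end of the hunk.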