From: Greg Kroah-Hartman Date: Sat, 13 Aug 2022 15:21:27 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.15.61~142 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8049b0d449b81fefe79f81bf01520902c8e65023;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm-dts-uniphier-fix-usb-interrupts-for-pxs2-soc.patch arm64-dts-uniphier-fix-usb-interrupts-for-pxs3-soc.patch coresight-clear-the-connection-field-properly.patch epoll-autoremove-wakers-even-more-aggressively.patch lockdep-allow-tuning-tracing-capacity-constants.patch netfilter-nf_tables-do-not-allow-chain_id-to-refer-to-another-table.patch netfilter-nf_tables-do-not-allow-rule_id-to-refer-to-another-chain.patch netfilter-nf_tables-do-not-allow-set_id-to-refer-to-another-table.patch netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch usb-dwc3-gadget-fix-high-speed-multiplier-setting.patch usb-dwc3-gadget-refactor-dwc3_repare_one_trb.patch usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch usb-typec-ucsi-acknowledge-the-get_error_status-command-completion.patch --- diff --git a/queue-5.10/arm-dts-uniphier-fix-usb-interrupts-for-pxs2-soc.patch b/queue-5.10/arm-dts-uniphier-fix-usb-interrupts-for-pxs2-soc.patch new file mode 100644 index 00000000000..d69f657bb53 --- /dev/null +++ b/queue-5.10/arm-dts-uniphier-fix-usb-interrupts-for-pxs2-soc.patch @@ -0,0 +1,46 @@ +From 9b0dc7abb5cc43a2dbf90690c3c6011dcadc574d Mon Sep 17 00:00:00 2001 +From: Kunihiko Hayashi +Date: Tue, 2 Aug 2022 22:36:25 +0900 +Subject: ARM: dts: uniphier: Fix USB interrupts for PXs2 SoC + +From: Kunihiko Hayashi + +commit 9b0dc7abb5cc43a2dbf90690c3c6011dcadc574d upstream. + +An interrupt for USB device are shared with USB host. Set interrupt-names +property to common "dwc_usb3" instead of "host" and "peripheral". + +Cc: stable@vger.kernel.org +Fixes: 45be1573ad19 ("ARM: dts: uniphier: Add USB3 controller nodes") +Reported-by: Ryuta NAKANISHI +Signed-off-by: Kunihiko Hayashi +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/uniphier-pxs2.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm/boot/dts/uniphier-pxs2.dtsi ++++ b/arch/arm/boot/dts/uniphier-pxs2.dtsi +@@ -597,8 +597,8 @@ + compatible = "socionext,uniphier-dwc3", "snps,dwc3"; + status = "disabled"; + reg = <0x65a00000 0xcd00>; +- interrupt-names = "host", "peripheral"; +- interrupts = <0 134 4>, <0 135 4>; ++ interrupt-names = "dwc_usb3"; ++ interrupts = <0 134 4>; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_usb0>, <&pinctrl_usb2>; + clock-names = "ref", "bus_early", "suspend"; +@@ -693,8 +693,8 @@ + compatible = "socionext,uniphier-dwc3", "snps,dwc3"; + status = "disabled"; + reg = <0x65c00000 0xcd00>; +- interrupt-names = "host", "peripheral"; +- interrupts = <0 137 4>, <0 138 4>; ++ interrupt-names = "dwc_usb3"; ++ interrupts = <0 137 4>; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_usb1>, <&pinctrl_usb3>; + clock-names = "ref", "bus_early", "suspend"; diff --git a/queue-5.10/arm64-dts-uniphier-fix-usb-interrupts-for-pxs3-soc.patch b/queue-5.10/arm64-dts-uniphier-fix-usb-interrupts-for-pxs3-soc.patch new file mode 100644 index 00000000000..0e629f6b8b1 --- /dev/null +++ b/queue-5.10/arm64-dts-uniphier-fix-usb-interrupts-for-pxs3-soc.patch @@ -0,0 +1,46 @@ +From fe17b91a7777df140d0f1433991da67ba658796c Mon Sep 17 00:00:00 2001 +From: Kunihiko Hayashi +Date: Tue, 2 Aug 2022 22:36:47 +0900 +Subject: arm64: dts: uniphier: Fix USB interrupts for PXs3 SoC + +From: Kunihiko Hayashi + +commit fe17b91a7777df140d0f1433991da67ba658796c upstream. + +An interrupt for USB device are shared with USB host. Set interrupt-names +property to common "dwc_usb3" instead of "host" and "peripheral". + +Cc: stable@vger.kernel.org +Fixes: d7b9beb830d7 ("arm64: dts: uniphier: Add USB3 controller nodes") +Reported-by: Ryuta NAKANISHI +Signed-off-by: Kunihiko Hayashi +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi ++++ b/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi +@@ -599,8 +599,8 @@ + compatible = "socionext,uniphier-dwc3", "snps,dwc3"; + status = "disabled"; + reg = <0x65a00000 0xcd00>; +- interrupt-names = "host", "peripheral"; +- interrupts = <0 134 4>, <0 135 4>; ++ interrupt-names = "dwc_usb3"; ++ interrupts = <0 134 4>; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_usb0>, <&pinctrl_usb2>; + clock-names = "ref", "bus_early", "suspend"; +@@ -701,8 +701,8 @@ + compatible = "socionext,uniphier-dwc3", "snps,dwc3"; + status = "disabled"; + reg = <0x65c00000 0xcd00>; +- interrupt-names = "host", "peripheral"; +- interrupts = <0 137 4>, <0 138 4>; ++ interrupt-names = "dwc_usb3"; ++ interrupts = <0 137 4>; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_usb1>, <&pinctrl_usb3>; + clock-names = "ref", "bus_early", "suspend"; diff --git a/queue-5.10/coresight-clear-the-connection-field-properly.patch b/queue-5.10/coresight-clear-the-connection-field-properly.patch new file mode 100644 index 00000000000..b4180ce4df1 --- /dev/null +++ b/queue-5.10/coresight-clear-the-connection-field-properly.patch @@ -0,0 +1,118 @@ +From 2af89ebacf299b7fba5f3087d35e8a286ec33706 Mon Sep 17 00:00:00 2001 +From: Suzuki K Poulose +Date: Tue, 14 Jun 2022 22:40:24 +0100 +Subject: coresight: Clear the connection field properly + +From: Suzuki K Poulose + +commit 2af89ebacf299b7fba5f3087d35e8a286ec33706 upstream. + +coresight devices track their connections (output connections) and +hold a reference to the fwnode. When a device goes away, we walk through +the devices on the coresight bus and make sure that the references +are dropped. This happens both ways: + a) For all output connections from the device, drop the reference to + the target device via coresight_release_platform_data() + +b) Iterate over all the devices on the coresight bus and drop the + reference to fwnode if *this* device is the target of the output + connection, via coresight_remove_conns()->coresight_remove_match(). + +However, the coresight_remove_match() doesn't clear the fwnode field, +after dropping the reference, this causes use-after-free and +additional refcount drops on the fwnode. + +e.g., if we have two devices, A and B, with a connection, A -> B. +If we remove B first, B would clear the reference on B, from A +via coresight_remove_match(). But when A is removed, it still has +a connection with fwnode still pointing to B. Thus it tries to drops +the reference in coresight_release_platform_data(), raising the bells +like : + +[ 91.990153] ------------[ cut here ]------------ +[ 91.990163] refcount_t: addition on 0; use-after-free. +[ 91.990212] WARNING: CPU: 0 PID: 461 at lib/refcount.c:25 refcount_warn_saturate+0xa0/0x144 +[ 91.990260] Modules linked in: coresight_funnel coresight_replicator coresight_etm4x(-) + crct10dif_ce coresight ip_tables x_tables ipv6 [last unloaded: coresight_cpu_debug] +[ 91.990398] CPU: 0 PID: 461 Comm: rmmod Tainted: G W T 5.19.0-rc2+ #53 +[ 91.990418] Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb 1 2019 +[ 91.990434] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 91.990454] pc : refcount_warn_saturate+0xa0/0x144 +[ 91.990476] lr : refcount_warn_saturate+0xa0/0x144 +[ 91.990496] sp : ffff80000c843640 +[ 91.990509] x29: ffff80000c843640 x28: ffff800009957c28 x27: ffff80000c8439a8 +[ 91.990560] x26: ffff00097eff1990 x25: ffff8000092b6ad8 x24: ffff00097eff19a8 +[ 91.990610] x23: ffff80000c8439a8 x22: 0000000000000000 x21: ffff80000c8439c2 +[ 91.990659] x20: 0000000000000000 x19: ffff00097eff1a10 x18: ffff80000ab99c40 +[ 91.990708] x17: 0000000000000000 x16: 0000000000000000 x15: ffff80000abf6fa0 +[ 91.990756] x14: 000000000000001d x13: 0a2e656572662d72 x12: 657466612d657375 +[ 91.990805] x11: 203b30206e6f206e x10: 6f69746964646120 x9 : ffff8000081aba28 +[ 91.990854] x8 : 206e6f206e6f6974 x7 : 69646461203a745f x6 : 746e756f63666572 +[ 91.990903] x5 : ffff00097648ec58 x4 : 0000000000000000 x3 : 0000000000000027 +[ 91.990952] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00080260ba00 +[ 91.991000] Call trace: +[ 91.991012] refcount_warn_saturate+0xa0/0x144 +[ 91.991034] kobject_get+0xac/0xb0 +[ 91.991055] of_node_get+0x2c/0x40 +[ 91.991076] of_fwnode_get+0x40/0x60 +[ 91.991094] fwnode_handle_get+0x3c/0x60 +[ 91.991116] fwnode_get_nth_parent+0xf4/0x110 +[ 91.991137] fwnode_full_name_string+0x48/0xc0 +[ 91.991158] device_node_string+0x41c/0x530 +[ 91.991178] pointer+0x320/0x3ec +[ 91.991198] vsnprintf+0x23c/0x750 +[ 91.991217] vprintk_store+0x104/0x4b0 +[ 91.991238] vprintk_emit+0x8c/0x360 +[ 91.991257] vprintk_default+0x44/0x50 +[ 91.991276] vprintk+0xcc/0xf0 +[ 91.991295] _printk+0x68/0x90 +[ 91.991315] of_node_release+0x13c/0x14c +[ 91.991334] kobject_put+0x98/0x114 +[ 91.991354] of_node_put+0x24/0x34 +[ 91.991372] of_fwnode_put+0x40/0x5c +[ 91.991390] fwnode_handle_put+0x38/0x50 +[ 91.991411] coresight_release_platform_data+0x74/0xb0 [coresight] +[ 91.991472] coresight_unregister+0x64/0xcc [coresight] +[ 91.991525] etm4_remove_dev+0x64/0x78 [coresight_etm4x] +[ 91.991563] etm4_remove_amba+0x1c/0x2c [coresight_etm4x] +[ 91.991598] amba_remove+0x3c/0x19c + +Reproducible by: (Build all coresight components as modules): + + #!/bin/sh + while true + do + for m in tmc stm cpu_debug etm4x replicator funnel + do + modprobe coresight_${m} + done + + for m in tmc stm cpu_debug etm4x replicator funnel + do + rmmode coresight_${m} + done + done + +Cc: stable@vger.kernel.org +Cc: Mathieu Poirier +Cc: Mike Leach +Cc: Leo Yan +Signed-off-by: Suzuki K Poulose +Fixes: 37ea1ffddffa ("coresight: Use fwnode handle instead of device names") +Link: https://lore.kernel.org/r/20220614214024.3005275-1-suzuki.poulose@arm.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/hwtracing/coresight/coresight-core.c ++++ b/drivers/hwtracing/coresight/coresight-core.c +@@ -1382,6 +1382,7 @@ static int coresight_remove_match(struct + * platform data. + */ + fwnode_handle_put(conn->child_fwnode); ++ conn->child_fwnode = NULL; + /* No need to continue */ + break; + } diff --git a/queue-5.10/epoll-autoremove-wakers-even-more-aggressively.patch b/queue-5.10/epoll-autoremove-wakers-even-more-aggressively.patch new file mode 100644 index 00000000000..7637d27effc --- /dev/null +++ b/queue-5.10/epoll-autoremove-wakers-even-more-aggressively.patch @@ -0,0 +1,90 @@ +From a16ceb13961068f7209e34d7984f8e42d2c06159 Mon Sep 17 00:00:00 2001 +From: Benjamin Segall +Date: Wed, 15 Jun 2022 14:24:23 -0700 +Subject: epoll: autoremove wakers even more aggressively + +From: Benjamin Segall + +commit a16ceb13961068f7209e34d7984f8e42d2c06159 upstream. + +If a process is killed or otherwise exits while having active network +connections and many threads waiting on epoll_wait, the threads will all +be woken immediately, but not removed from ep->wq. Then when network +traffic scans ep->wq in wake_up, every wakeup attempt will fail, and will +not remove the entries from the list. + +This means that the cost of the wakeup attempt is far higher than usual, +does not decrease, and this also competes with the dying threads trying to +actually make progress and remove themselves from the wq. + +Handle this by removing visited epoll wq entries unconditionally, rather +than only when the wakeup succeeds - the structure of ep_poll means that +the only potential loss is the timed_out->eavail heuristic, which now can +race and result in a redundant ep_send_events attempt. (But only when +incoming data and a timeout actually race, not on every timeout) + +Shakeel added: + +: We are seeing this issue in production with real workloads and it has +: caused hard lockups. Particularly network heavy workloads with a lot +: of threads in epoll_wait() can easily trigger this issue if they get +: killed (oom-killed in our case). + +Link: https://lkml.kernel.org/r/xm26fsjotqda.fsf@google.com +Signed-off-by: Ben Segall +Tested-by: Shakeel Butt +Cc: Alexander Viro +Cc: Linus Torvalds +Cc: Shakeel Butt +Cc: Eric Dumazet +Cc: Roman Penyaev +Cc: Jason Baron +Cc: Khazhismel Kumykov +Cc: Heiher +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/eventpoll.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -1804,6 +1804,21 @@ static inline struct timespec64 ep_set_m + return timespec64_add_safe(now, ts); + } + ++/* ++ * autoremove_wake_function, but remove even on failure to wake up, because we ++ * know that default_wake_function/ttwu will only fail if the thread is already ++ * woken, and in that case the ep_poll loop will remove the entry anyways, not ++ * try to reuse it. ++ */ ++static int ep_autoremove_wake_function(struct wait_queue_entry *wq_entry, ++ unsigned int mode, int sync, void *key) ++{ ++ int ret = default_wake_function(wq_entry, mode, sync, key); ++ ++ list_del_init(&wq_entry->entry); ++ return ret; ++} ++ + /** + * ep_poll - Retrieves ready events, and delivers them to the caller supplied + * event buffer. +@@ -1881,8 +1896,15 @@ fetch_events: + * normal wakeup path no need to call __remove_wait_queue() + * explicitly, thus ep->lock is not taken, which halts the + * event delivery. ++ * ++ * In fact, we now use an even more aggressive function that ++ * unconditionally removes, because we don't reuse the wait ++ * entry between loop iterations. This lets us also avoid the ++ * performance issue if a process is killed, causing all of its ++ * threads to wake up without being removed normally. + */ + init_wait(&wait); ++ wait.func = ep_autoremove_wake_function; + + write_lock_irq(&ep->lock); + /* diff --git a/queue-5.10/lockdep-allow-tuning-tracing-capacity-constants.patch b/queue-5.10/lockdep-allow-tuning-tracing-capacity-constants.patch new file mode 100644 index 00000000000..3073b42f2c4 --- /dev/null +++ b/queue-5.10/lockdep-allow-tuning-tracing-capacity-constants.patch @@ -0,0 +1,116 @@ +From 5dc33592e95534dc8455ce3e9baaaf3dae0fff82 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Mon, 5 Apr 2021 20:33:57 +0900 +Subject: lockdep: Allow tuning tracing capacity constants. + +From: Tetsuo Handa + +commit 5dc33592e95534dc8455ce3e9baaaf3dae0fff82 upstream. + +Since syzkaller continues various test cases until the kernel crashes, +syzkaller tends to examine more locking dependencies than normal systems. +As a result, syzbot is reporting that the fuzz testing was terminated +due to hitting upper limits lockdep can track [1] [2] [3]. Since analysis +via /proc/lockdep* did not show any obvious culprit [4] [5], we have no +choice but allow tuning tracing capacity constants. + +[1] https://syzkaller.appspot.com/bug?id=3d97ba93fb3566000c1c59691ea427370d33ea1b +[2] https://syzkaller.appspot.com/bug?id=381cb436fe60dc03d7fd2a092b46d7f09542a72a +[3] https://syzkaller.appspot.com/bug?id=a588183ac34c1437fc0785e8f220e88282e5a29f +[4] https://lkml.kernel.org/r/4b8f7a57-fa20-47bd-48a0-ae35d860f233@i-love.sakura.ne.jp +[5] https://lkml.kernel.org/r/1c351187-253b-2d49-acaf-4563c63ae7d2@i-love.sakura.ne.jp + +References: https://lkml.kernel.org/r/1595640639-9310-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp +Signed-off-by: Tetsuo Handa +Acked-by: Dmitry Vyukov +Signed-off-by: Alexey Khoroshilov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/locking/lockdep.c | 2 - + kernel/locking/lockdep_internals.h | 8 +++---- + lib/Kconfig.debug | 40 +++++++++++++++++++++++++++++++++++++ + 3 files changed, 45 insertions(+), 5 deletions(-) + +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -1397,7 +1397,7 @@ static int add_lock_to_list(struct lock_ + /* + * For good efficiency of modular, we use power of 2 + */ +-#define MAX_CIRCULAR_QUEUE_SIZE 4096UL ++#define MAX_CIRCULAR_QUEUE_SIZE (1UL << CONFIG_LOCKDEP_CIRCULAR_QUEUE_BITS) + #define CQ_MASK (MAX_CIRCULAR_QUEUE_SIZE-1) + + /* +--- a/kernel/locking/lockdep_internals.h ++++ b/kernel/locking/lockdep_internals.h +@@ -99,16 +99,16 @@ static const unsigned long LOCKF_USED_IN + #define MAX_STACK_TRACE_ENTRIES 262144UL + #define STACK_TRACE_HASH_SIZE 8192 + #else +-#define MAX_LOCKDEP_ENTRIES 32768UL ++#define MAX_LOCKDEP_ENTRIES (1UL << CONFIG_LOCKDEP_BITS) + +-#define MAX_LOCKDEP_CHAINS_BITS 16 ++#define MAX_LOCKDEP_CHAINS_BITS CONFIG_LOCKDEP_CHAINS_BITS + + /* + * Stack-trace: tightly packed array of stack backtrace + * addresses. Protected by the hash_lock. + */ +-#define MAX_STACK_TRACE_ENTRIES 524288UL +-#define STACK_TRACE_HASH_SIZE 16384 ++#define MAX_STACK_TRACE_ENTRIES (1UL << CONFIG_LOCKDEP_STACK_TRACE_BITS) ++#define STACK_TRACE_HASH_SIZE (1 << CONFIG_LOCKDEP_STACK_TRACE_HASH_BITS) + #endif + + /* +--- a/lib/Kconfig.debug ++++ b/lib/Kconfig.debug +@@ -1307,6 +1307,46 @@ config LOCKDEP + config LOCKDEP_SMALL + bool + ++config LOCKDEP_BITS ++ int "Bitsize for MAX_LOCKDEP_ENTRIES" ++ depends on LOCKDEP && !LOCKDEP_SMALL ++ range 10 30 ++ default 15 ++ help ++ Try increasing this value if you hit "BUG: MAX_LOCKDEP_ENTRIES too low!" message. ++ ++config LOCKDEP_CHAINS_BITS ++ int "Bitsize for MAX_LOCKDEP_CHAINS" ++ depends on LOCKDEP && !LOCKDEP_SMALL ++ range 10 30 ++ default 16 ++ help ++ Try increasing this value if you hit "BUG: MAX_LOCKDEP_CHAINS too low!" message. ++ ++config LOCKDEP_STACK_TRACE_BITS ++ int "Bitsize for MAX_STACK_TRACE_ENTRIES" ++ depends on LOCKDEP && !LOCKDEP_SMALL ++ range 10 30 ++ default 19 ++ help ++ Try increasing this value if you hit "BUG: MAX_STACK_TRACE_ENTRIES too low!" message. ++ ++config LOCKDEP_STACK_TRACE_HASH_BITS ++ int "Bitsize for STACK_TRACE_HASH_SIZE" ++ depends on LOCKDEP && !LOCKDEP_SMALL ++ range 10 30 ++ default 14 ++ help ++ Try increasing this value if you need large MAX_STACK_TRACE_ENTRIES. ++ ++config LOCKDEP_CIRCULAR_QUEUE_BITS ++ int "Bitsize for elements in circular_queue struct" ++ depends on LOCKDEP ++ range 10 30 ++ default 12 ++ help ++ Try increasing this value if you hit "lockdep bfs error:-1" warning due to __cq_enqueue() failure. ++ + config DEBUG_LOCKDEP + bool "Lock dependency engine debugging" + depends on DEBUG_KERNEL && LOCKDEP diff --git a/queue-5.10/netfilter-nf_tables-do-not-allow-chain_id-to-refer-to-another-table.patch b/queue-5.10/netfilter-nf_tables-do-not-allow-chain_id-to-refer-to-another-table.patch new file mode 100644 index 00000000000..470a7f6e01b --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-do-not-allow-chain_id-to-refer-to-another-table.patch @@ -0,0 +1,66 @@ +From 95f466d22364a33d183509629d0879885b4f547e Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Tue, 9 Aug 2022 14:01:47 -0300 +Subject: netfilter: nf_tables: do not allow CHAIN_ID to refer to another table + +From: Thadeu Lima de Souza Cascardo + +commit 95f466d22364a33d183509629d0879885b4f547e upstream. + +When doing lookups for chains on the same batch by using its ID, a chain +from a different table can be used. If a rule is added to a table but +refers to a chain in a different table, it will be linked to the chain in +table2, but would have expressions referring to objects in table1. + +Then, when table1 is removed, the rule will not be removed as its linked to +a chain in table2. When expressions in the rule are processed or removed, +that will lead to a use-after-free. + +When looking for chains by ID, use the table that was used for the lookup +by name, and only return chains belonging to that same table. + +Fixes: 837830a4b439 ("netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute") +Signed-off-by: Thadeu Lima de Souza Cascardo +Cc: +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2265,6 +2265,7 @@ err: + } + + static struct nft_chain *nft_chain_lookup_byid(const struct net *net, ++ const struct nft_table *table, + const struct nlattr *nla) + { + u32 id = ntohl(nla_get_be32(nla)); +@@ -2274,6 +2275,7 @@ static struct nft_chain *nft_chain_looku + struct nft_chain *chain = trans->ctx.chain; + + if (trans->msg_type == NFT_MSG_NEWCHAIN && ++ chain->table == table && + id == nft_trans_chain_id(trans)) + return chain; + } +@@ -3199,7 +3201,7 @@ static int nf_tables_newrule(struct net + return -EOPNOTSUPP; + + } else if (nla[NFTA_RULE_CHAIN_ID]) { +- chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]); ++ chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID]); + if (IS_ERR(chain)) { + NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]); + return PTR_ERR(chain); +@@ -8671,7 +8673,7 @@ static int nft_verdict_init(const struct + tb[NFTA_VERDICT_CHAIN], + genmask); + } else if (tb[NFTA_VERDICT_CHAIN_ID]) { +- chain = nft_chain_lookup_byid(ctx->net, ++ chain = nft_chain_lookup_byid(ctx->net, ctx->table, + tb[NFTA_VERDICT_CHAIN_ID]); + if (IS_ERR(chain)) + return PTR_ERR(chain); diff --git a/queue-5.10/netfilter-nf_tables-do-not-allow-rule_id-to-refer-to-another-chain.patch b/queue-5.10/netfilter-nf_tables-do-not-allow-rule_id-to-refer-to-another-chain.patch new file mode 100644 index 00000000000..e048f47578a --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-do-not-allow-rule_id-to-refer-to-another-chain.patch @@ -0,0 +1,73 @@ +From 36d5b2913219ac853908b0f1c664345e04313856 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Tue, 9 Aug 2022 14:01:48 -0300 +Subject: netfilter: nf_tables: do not allow RULE_ID to refer to another chain + +From: Thadeu Lima de Souza Cascardo + +commit 36d5b2913219ac853908b0f1c664345e04313856 upstream. + +When doing lookups for rules on the same batch by using its ID, a rule from +a different chain can be used. If a rule is added to a chain but tries to +be positioned next to a rule from a different chain, it will be linked to +chain2, but the use counter on chain1 would be the one to be incremented. + +When looking for rules by ID, use the chain that was used for the lookup by +name. The chain used in the context copied to the transaction needs to +match that same chain. That way, struct nft_rule does not need to get +enlarged with another member. + +Fixes: 1a94e38d254b ("netfilter: nf_tables: add NFTA_RULE_ID attribute") +Fixes: 75dd48e2e420 ("netfilter: nf_tables: Support RULE_ID reference in new rule") +Signed-off-by: Thadeu Lima de Souza Cascardo +Cc: +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3156,6 +3156,7 @@ static int nft_table_validate(struct net + } + + static struct nft_rule *nft_rule_lookup_byid(const struct net *net, ++ const struct nft_chain *chain, + const struct nlattr *nla); + + #define NFT_RULE_MAXEXPRS 128 +@@ -3243,7 +3244,7 @@ static int nf_tables_newrule(struct net + return PTR_ERR(old_rule); + } + } else if (nla[NFTA_RULE_POSITION_ID]) { +- old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]); ++ old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]); + if (IS_ERR(old_rule)) { + NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]); + return PTR_ERR(old_rule); +@@ -3382,6 +3383,7 @@ err1: + } + + static struct nft_rule *nft_rule_lookup_byid(const struct net *net, ++ const struct nft_chain *chain, + const struct nlattr *nla) + { + u32 id = ntohl(nla_get_be32(nla)); +@@ -3391,6 +3393,7 @@ static struct nft_rule *nft_rule_lookup_ + struct nft_rule *rule = nft_trans_rule(trans); + + if (trans->msg_type == NFT_MSG_NEWRULE && ++ trans->ctx.chain == chain && + id == nft_trans_rule_id(trans)) + return rule; + } +@@ -3439,7 +3442,7 @@ static int nf_tables_delrule(struct net + + err = nft_delrule(&ctx, rule); + } else if (nla[NFTA_RULE_ID]) { +- rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]); ++ rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]); + if (IS_ERR(rule)) { + NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]); + return PTR_ERR(rule); diff --git a/queue-5.10/netfilter-nf_tables-do-not-allow-set_id-to-refer-to-another-table.patch b/queue-5.10/netfilter-nf_tables-do-not-allow-set_id-to-refer-to-another-table.patch new file mode 100644 index 00000000000..e06441faabe --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-do-not-allow-set_id-to-refer-to-another-table.patch @@ -0,0 +1,57 @@ +From 470ee20e069a6d05ae549f7d0ef2bdbcee6a81b2 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Tue, 9 Aug 2022 14:01:46 -0300 +Subject: netfilter: nf_tables: do not allow SET_ID to refer to another table + +From: Thadeu Lima de Souza Cascardo + +commit 470ee20e069a6d05ae549f7d0ef2bdbcee6a81b2 upstream. + +When doing lookups for sets on the same batch by using its ID, a set from a +different table can be used. + +Then, when the table is removed, a reference to the set may be kept after +the set is freed, leading to a potential use-after-free. + +When looking for sets by ID, use the table that was used for the lookup by +name, and only return sets belonging to that same table. + +This fixes CVE-2022-2586, also reported as ZDI-CAN-17470. + +Reported-by: Team Orca of Sea Security (@seasecresponse) +Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") +Signed-off-by: Thadeu Lima de Souza Cascardo +Cc: +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3638,6 +3638,7 @@ static struct nft_set *nft_set_lookup_by + } + + static struct nft_set *nft_set_lookup_byid(const struct net *net, ++ const struct nft_table *table, + const struct nlattr *nla, u8 genmask) + { + struct nft_trans *trans; +@@ -3648,6 +3649,7 @@ static struct nft_set *nft_set_lookup_by + struct nft_set *set = nft_trans_set(trans); + + if (id == nft_trans_set_id(trans) && ++ set->table == table && + nft_active_genmask(set, genmask)) + return set; + } +@@ -3668,7 +3670,7 @@ struct nft_set *nft_set_lookup_global(co + if (!nla_set_id) + return set; + +- set = nft_set_lookup_byid(net, nla_set_id, genmask); ++ set = nft_set_lookup_byid(net, table, nla_set_id, genmask); + } + return set; + } diff --git a/queue-5.10/netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch b/queue-5.10/netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch new file mode 100644 index 00000000000..4fdf341149b --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch @@ -0,0 +1,45 @@ +From 580077855a40741cf511766129702d97ff02f4d9 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 9 Aug 2022 18:34:02 +0200 +Subject: netfilter: nf_tables: fix null deref due to zeroed list head + +From: Florian Westphal + +commit 580077855a40741cf511766129702d97ff02f4d9 upstream. + +In nf_tables_updtable, if nf_tables_table_enable returns an error, +nft_trans_destroy is called to free the transaction object. + +nft_trans_destroy() calls list_del(), but the transaction was never +placed on a list -- the list head is all zeroes, this results in +a null dereference: + +BUG: KASAN: null-ptr-deref in nft_trans_destroy+0x26/0x59 +Call Trace: + nft_trans_destroy+0x26/0x59 + nf_tables_newtable+0x4bc/0x9bc + [..] + +Its sane to assume that nft_trans_destroy() can be called +on the transaction object returned by nft_trans_alloc(), so +make sure the list head is initialised. + +Fixes: 55dd6f93076b ("netfilter: nf_tables: use new transaction infrastructure to handle table") +Reported-by: mingi cho +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -114,6 +114,7 @@ static struct nft_trans *nft_trans_alloc + if (trans == NULL) + return NULL; + ++ INIT_LIST_HEAD(&trans->list); + trans->msg_type = msg_type; + trans->ctx = *ctx; + diff --git a/queue-5.10/series b/queue-5.10/series index f9963b88f5b..4e25bca0c38 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -62,3 +62,17 @@ powerpc-fsl-pci-fix-class-code-of-pcie-root-port.patch powerpc-ptdump-fix-display-of-rw-pages-on-fsl_book3e.patch powerpc-powernv-avoid-crashing-if-rng-is-null.patch mips-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch +coresight-clear-the-connection-field-properly.patch +usb-typec-ucsi-acknowledge-the-get_error_status-command-completion.patch +usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch +arm-dts-uniphier-fix-usb-interrupts-for-pxs2-soc.patch +arm64-dts-uniphier-fix-usb-interrupts-for-pxs3-soc.patch +usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch +usb-dwc3-gadget-refactor-dwc3_repare_one_trb.patch +usb-dwc3-gadget-fix-high-speed-multiplier-setting.patch +lockdep-allow-tuning-tracing-capacity-constants.patch +netfilter-nf_tables-do-not-allow-set_id-to-refer-to-another-table.patch +netfilter-nf_tables-do-not-allow-chain_id-to-refer-to-another-table.patch +netfilter-nf_tables-do-not-allow-rule_id-to-refer-to-another-chain.patch +netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch +epoll-autoremove-wakers-even-more-aggressively.patch diff --git a/queue-5.10/usb-dwc3-gadget-fix-high-speed-multiplier-setting.patch b/queue-5.10/usb-dwc3-gadget-fix-high-speed-multiplier-setting.patch new file mode 100644 index 00000000000..1b20679c879 --- /dev/null +++ b/queue-5.10/usb-dwc3-gadget-fix-high-speed-multiplier-setting.patch @@ -0,0 +1,38 @@ +From 8affe37c525d800a2628c4ecfaed13b77dc5634a Mon Sep 17 00:00:00 2001 +From: Michael Grzeschik +Date: Mon, 4 Jul 2022 16:18:12 +0200 +Subject: usb: dwc3: gadget: fix high speed multiplier setting + +From: Michael Grzeschik + +commit 8affe37c525d800a2628c4ecfaed13b77dc5634a upstream. + +For High-Speed Transfers the prepare_one_trb function is calculating the +multiplier setting for the trb based on the length parameter of the trb +currently prepared. This assumption is wrong. For trbs with a sg list, +the length of the actual request has to be taken instead. + +Fixes: 40d829fb2ec6 ("usb: dwc3: gadget: Correct ISOC DATA PIDs for short packets") +Cc: stable +Signed-off-by: Michael Grzeschik +Link: https://lore.kernel.org/r/20220704141812.1532306-3-m.grzeschik@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1052,10 +1052,10 @@ static void dwc3_prepare_one_trb(struct + unsigned int mult = 2; + unsigned int maxp = usb_endpoint_maxp(ep->desc); + +- if (trb_length <= (2 * maxp)) ++ if (req->request.length <= (2 * maxp)) + mult--; + +- if (trb_length <= maxp) ++ if (req->request.length <= maxp) + mult--; + + trb->size |= DWC3_TRB_SIZE_PCM1(mult); diff --git a/queue-5.10/usb-dwc3-gadget-refactor-dwc3_repare_one_trb.patch b/queue-5.10/usb-dwc3-gadget-refactor-dwc3_repare_one_trb.patch new file mode 100644 index 00000000000..d92f537c397 --- /dev/null +++ b/queue-5.10/usb-dwc3-gadget-refactor-dwc3_repare_one_trb.patch @@ -0,0 +1,145 @@ +From 23385cec5f354794dadced7f28c31da7ae3eb54c Mon Sep 17 00:00:00 2001 +From: Michael Grzeschik +Date: Mon, 4 Jul 2022 16:18:11 +0200 +Subject: usb: dwc3: gadget: refactor dwc3_repare_one_trb + +From: Michael Grzeschik + +commit 23385cec5f354794dadced7f28c31da7ae3eb54c upstream. + +The function __dwc3_prepare_one_trb has many parameters. Since it is +only used in dwc3_prepare_one_trb there is no point in keeping the +function. We merge both functions and get rid of the big list of +parameters. + +Fixes: 40d829fb2ec6 ("usb: dwc3: gadget: Correct ISOC DATA PIDs for short packets") +Cc: stable +Signed-off-by: Michael Grzeschik +Link: https://lore.kernel.org/r/20220704141812.1532306-2-m.grzeschik@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 92 ++++++++++++++++++++-------------------------- + 1 file changed, 40 insertions(+), 52 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -970,17 +970,49 @@ static u32 dwc3_calc_trbs_left(struct dw + return trbs_left; + } + +-static void __dwc3_prepare_one_trb(struct dwc3_ep *dep, struct dwc3_trb *trb, +- dma_addr_t dma, unsigned int length, unsigned int chain, +- unsigned int node, unsigned int stream_id, +- unsigned int short_not_ok, unsigned int no_interrupt, +- unsigned int is_last, bool must_interrupt) ++/** ++ * dwc3_prepare_one_trb - setup one TRB from one request ++ * @dep: endpoint for which this request is prepared ++ * @req: dwc3_request pointer ++ * @trb_length: buffer size of the TRB ++ * @chain: should this TRB be chained to the next? ++ * @node: only for isochronous endpoints. First TRB needs different type. ++ * @use_bounce_buffer: set to use bounce buffer ++ * @must_interrupt: set to interrupt on TRB completion ++ */ ++static void dwc3_prepare_one_trb(struct dwc3_ep *dep, ++ struct dwc3_request *req, unsigned int trb_length, ++ unsigned int chain, unsigned int node, bool use_bounce_buffer, ++ bool must_interrupt) + { ++ struct dwc3_trb *trb; ++ dma_addr_t dma; ++ unsigned int stream_id = req->request.stream_id; ++ unsigned int short_not_ok = req->request.short_not_ok; ++ unsigned int no_interrupt = req->request.no_interrupt; ++ unsigned int is_last = req->request.is_last; + struct dwc3 *dwc = dep->dwc; + struct usb_gadget *gadget = dwc->gadget; + enum usb_device_speed speed = gadget->speed; + +- trb->size = DWC3_TRB_SIZE_LENGTH(length); ++ if (use_bounce_buffer) ++ dma = dep->dwc->bounce_addr; ++ else if (req->request.num_sgs > 0) ++ dma = sg_dma_address(req->start_sg); ++ else ++ dma = req->request.dma; ++ ++ trb = &dep->trb_pool[dep->trb_enqueue]; ++ ++ if (!req->trb) { ++ dwc3_gadget_move_started_request(req); ++ req->trb = trb; ++ req->trb_dma = dwc3_trb_dma_offset(dep, trb); ++ } ++ ++ req->num_trbs++; ++ ++ trb->size = DWC3_TRB_SIZE_LENGTH(trb_length); + trb->bpl = lower_32_bits(dma); + trb->bph = upper_32_bits(dma); + +@@ -1020,10 +1052,10 @@ static void __dwc3_prepare_one_trb(struc + unsigned int mult = 2; + unsigned int maxp = usb_endpoint_maxp(ep->desc); + +- if (length <= (2 * maxp)) ++ if (trb_length <= (2 * maxp)) + mult--; + +- if (length <= maxp) ++ if (trb_length <= maxp) + mult--; + + trb->size |= DWC3_TRB_SIZE_PCM1(mult); +@@ -1092,50 +1124,6 @@ static void __dwc3_prepare_one_trb(struc + trace_dwc3_prepare_trb(dep, trb); + } + +-/** +- * dwc3_prepare_one_trb - setup one TRB from one request +- * @dep: endpoint for which this request is prepared +- * @req: dwc3_request pointer +- * @trb_length: buffer size of the TRB +- * @chain: should this TRB be chained to the next? +- * @node: only for isochronous endpoints. First TRB needs different type. +- * @use_bounce_buffer: set to use bounce buffer +- * @must_interrupt: set to interrupt on TRB completion +- */ +-static void dwc3_prepare_one_trb(struct dwc3_ep *dep, +- struct dwc3_request *req, unsigned int trb_length, +- unsigned int chain, unsigned int node, bool use_bounce_buffer, +- bool must_interrupt) +-{ +- struct dwc3_trb *trb; +- dma_addr_t dma; +- unsigned int stream_id = req->request.stream_id; +- unsigned int short_not_ok = req->request.short_not_ok; +- unsigned int no_interrupt = req->request.no_interrupt; +- unsigned int is_last = req->request.is_last; +- +- if (use_bounce_buffer) +- dma = dep->dwc->bounce_addr; +- else if (req->request.num_sgs > 0) +- dma = sg_dma_address(req->start_sg); +- else +- dma = req->request.dma; +- +- trb = &dep->trb_pool[dep->trb_enqueue]; +- +- if (!req->trb) { +- dwc3_gadget_move_started_request(req); +- req->trb = trb; +- req->trb_dma = dwc3_trb_dma_offset(dep, trb); +- } +- +- req->num_trbs++; +- +- __dwc3_prepare_one_trb(dep, trb, dma, trb_length, chain, node, +- stream_id, short_not_ok, no_interrupt, is_last, +- must_interrupt); +-} +- + static bool dwc3_needs_extra_trb(struct dwc3_ep *dep, struct dwc3_request *req) + { + unsigned int maxp = usb_endpoint_maxp(dep->endpoint.desc); diff --git a/queue-5.10/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch b/queue-5.10/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch new file mode 100644 index 00000000000..1ba25dbb650 --- /dev/null +++ b/queue-5.10/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch @@ -0,0 +1,72 @@ +From 2191c00855b03aa59c20e698be713d952d51fc18 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Thu, 21 Jul 2022 11:07:10 -0400 +Subject: USB: gadget: Fix use-after-free Read in usb_udc_uevent() + +From: Alan Stern + +commit 2191c00855b03aa59c20e698be713d952d51fc18 upstream. + +The syzbot fuzzer found a race between uevent callbacks and gadget +driver unregistration that can cause a use-after-free bug: + +--------------------------------------------------------------- +BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130 +drivers/usb/gadget/udc/core.c:1732 +Read of size 8 at addr ffff888078ce2050 by task udevd/2968 + +CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google +06/29/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:317 [inline] + print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 + kasan_report+0xbe/0x1f0 mm/kasan/report.c:495 + usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 + dev_uevent+0x290/0x770 drivers/base/core.c:2424 +--------------------------------------------------------------- + +The bug occurs because usb_udc_uevent() dereferences udc->driver but +does so without acquiring the udc_lock mutex, which protects this +field. If the gadget driver is unbound from the udc concurrently with +uevent processing, the driver structure may be accessed after it has +been deallocated. + +To prevent the race, we make sure that the routine holds the mutex +around the racing accesses. + +Link: +CC: stable@vger.kernel.org # fc274c1e9973 +Reported-and-tested-by: syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/YtlrnhHyrHsSky9m@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/core.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/usb/gadget/udc/core.c ++++ b/drivers/usb/gadget/udc/core.c +@@ -1647,13 +1647,14 @@ static int usb_udc_uevent(struct device + return ret; + } + +- if (udc->driver) { ++ mutex_lock(&udc_lock); ++ if (udc->driver) + ret = add_uevent_var(env, "USB_UDC_DRIVER=%s", + udc->driver->function); +- if (ret) { +- dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); +- return ret; +- } ++ mutex_unlock(&udc_lock); ++ if (ret) { ++ dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); ++ return ret; + } + + return 0; diff --git a/queue-5.10/usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch b/queue-5.10/usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch new file mode 100644 index 00000000000..79435db2a29 --- /dev/null +++ b/queue-5.10/usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch @@ -0,0 +1,124 @@ +From 26c6c2f8a907c9e3a2f24990552a4d77235791e6 Mon Sep 17 00:00:00 2001 +From: Weitao Wang +Date: Tue, 26 Jul 2022 15:49:18 +0800 +Subject: USB: HCD: Fix URB giveback issue in tasklet function + +From: Weitao Wang + +commit 26c6c2f8a907c9e3a2f24990552a4d77235791e6 upstream. + +Usb core introduce the mechanism of giveback of URB in tasklet context to +reduce hardware interrupt handling time. On some test situation(such as +FIO with 4KB block size), when tasklet callback function called to +giveback URB, interrupt handler add URB node to the bh->head list also. +If check bh->head list again after finish all URB giveback of local_list, +then it may introduce a "dynamic balance" between giveback URB and add URB +to bh->head list. This tasklet callback function may not exit for a long +time, which will cause other tasklet function calls to be delayed. Some +real-time applications(such as KB and Mouse) will see noticeable lag. + +In order to prevent the tasklet function from occupying the cpu for a long +time at a time, new URBS will not be added to the local_list even though +the bh->head list is not empty. But also need to ensure the left URB +giveback to be processed in time, so add a member high_prio for structure +giveback_urb_bh to prioritize tasklet and schelule this tasklet again if +bh->head list is not empty. + +At the same time, we are able to prioritize tasklet through structure +member high_prio. So, replace the local high_prio_bh variable with this +structure member in usb_hcd_giveback_urb. + +Fixes: 94dfd7edfd5c ("USB: HCD: support giveback of URB in tasklet context") +Cc: stable +Reviewed-by: Alan Stern +Signed-off-by: Weitao Wang +Link: https://lore.kernel.org/r/20220726074918.5114-1-WeitaoWang-oc@zhaoxin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hcd.c | 26 +++++++++++++++----------- + include/linux/usb/hcd.h | 1 + + 2 files changed, 16 insertions(+), 11 deletions(-) + +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -1692,7 +1692,6 @@ static void usb_giveback_urb_bh(struct t + + spin_lock_irq(&bh->lock); + bh->running = true; +- restart: + list_replace_init(&bh->head, &local_list); + spin_unlock_irq(&bh->lock); + +@@ -1706,10 +1705,17 @@ static void usb_giveback_urb_bh(struct t + bh->completing_ep = NULL; + } + +- /* check if there are new URBs to giveback */ ++ /* ++ * giveback new URBs next time to prevent this function ++ * from not exiting for a long time. ++ */ + spin_lock_irq(&bh->lock); +- if (!list_empty(&bh->head)) +- goto restart; ++ if (!list_empty(&bh->head)) { ++ if (bh->high_prio) ++ tasklet_hi_schedule(&bh->bh); ++ else ++ tasklet_schedule(&bh->bh); ++ } + bh->running = false; + spin_unlock_irq(&bh->lock); + } +@@ -1734,7 +1740,7 @@ static void usb_giveback_urb_bh(struct t + void usb_hcd_giveback_urb(struct usb_hcd *hcd, struct urb *urb, int status) + { + struct giveback_urb_bh *bh; +- bool running, high_prio_bh; ++ bool running; + + /* pass status to tasklet via unlinked */ + if (likely(!urb->unlinked)) +@@ -1745,13 +1751,10 @@ void usb_hcd_giveback_urb(struct usb_hcd + return; + } + +- if (usb_pipeisoc(urb->pipe) || usb_pipeint(urb->pipe)) { ++ if (usb_pipeisoc(urb->pipe) || usb_pipeint(urb->pipe)) + bh = &hcd->high_prio_bh; +- high_prio_bh = true; +- } else { ++ else + bh = &hcd->low_prio_bh; +- high_prio_bh = false; +- } + + spin_lock(&bh->lock); + list_add_tail(&urb->urb_list, &bh->head); +@@ -1760,7 +1763,7 @@ void usb_hcd_giveback_urb(struct usb_hcd + + if (running) + ; +- else if (high_prio_bh) ++ else if (bh->high_prio) + tasklet_hi_schedule(&bh->bh); + else + tasklet_schedule(&bh->bh); +@@ -2800,6 +2803,7 @@ int usb_add_hcd(struct usb_hcd *hcd, + + /* initialize tasklets */ + init_giveback_urb_bh(&hcd->high_prio_bh); ++ hcd->high_prio_bh.high_prio = true; + init_giveback_urb_bh(&hcd->low_prio_bh); + + /* enable irqs just before we start the controller, +--- a/include/linux/usb/hcd.h ++++ b/include/linux/usb/hcd.h +@@ -66,6 +66,7 @@ + + struct giveback_urb_bh { + bool running; ++ bool high_prio; + spinlock_t lock; + struct list_head head; + struct tasklet_struct bh; diff --git a/queue-5.10/usb-typec-ucsi-acknowledge-the-get_error_status-command-completion.patch b/queue-5.10/usb-typec-ucsi-acknowledge-the-get_error_status-command-completion.patch new file mode 100644 index 00000000000..981c97bf98d --- /dev/null +++ b/queue-5.10/usb-typec-ucsi-acknowledge-the-get_error_status-command-completion.patch @@ -0,0 +1,40 @@ +From a7dc438b5e446afcd1b3b6651da28271400722f2 Mon Sep 17 00:00:00 2001 +From: Linyu Yuan +Date: Tue, 26 Jul 2022 14:45:49 +0800 +Subject: usb: typec: ucsi: Acknowledge the GET_ERROR_STATUS command completion + +From: Linyu Yuan + +commit a7dc438b5e446afcd1b3b6651da28271400722f2 upstream. + +We found PPM will not send any notification after it report error status +and OPM issue GET_ERROR_STATUS command to read the details about error. + +According UCSI spec, PPM may clear the Error Status Data after the OPM +has acknowledged the command completion. + +This change add operation to acknowledge the command completion from PPM. + +Fixes: bdc62f2bae8f (usb: typec: ucsi: Simplified registration and I/O API) +Cc: # 5.10 +Signed-off-by: Jack Pham +Signed-off-by: Linyu Yuan +Link: https://lore.kernel.org/r/1658817949-4632-1-git-send-email-quic_linyyuan@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/typec/ucsi/ucsi.c ++++ b/drivers/usb/typec/ucsi/ucsi.c +@@ -76,6 +76,10 @@ static int ucsi_read_error(struct ucsi * + if (ret) + return ret; + ++ ret = ucsi_acknowledge_command(ucsi); ++ if (ret) ++ return ret; ++ + switch (error) { + case UCSI_ERROR_INCOMPATIBLE_PARTNER: + return -EOPNOTSUPP;