From: Greg Kroah-Hartman Date: Mon, 28 Apr 2025 17:25:21 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v5.4.293~57 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=80864140af75d8a9ffc28fd46b01d5053e1ff473;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: char-misc-register-chrdev-region-with-all-possible-minors.patch kvm-x86-explicitly-treat-routing-entry-type-changes-as-changes.patch kvm-x86-reset-irte-to-host-control-if-new-route-isn-t-postable.patch misc-microchip-pci1xxxx-fix-incorrect-irq-status-handling-during-ack.patch misc-microchip-pci1xxxx-fix-kernel-panic-during-irq-handler-registration.patch serial-msm-configure-correct-working-mode-before-starting-earlycon.patch serial-sifive-lock-port-in-startup-shutdown-callbacks.patch usb-cdns3-fix-deadlock-when-using-ncm-gadget.patch usb-chipidea-ci_hdrc_imx-fix-call-balance-of-regulator-routines.patch usb-chipidea-ci_hdrc_imx-fix-usbmisc-handling.patch usb-chipidea-ci_hdrc_imx-implement-usb_phy_init-error-handling.patch usb-dwc3-gadget-check-that-event-count-does-not-exceed-event-buffer-length.patch usb-dwc3-xilinx-prevent-spike-in-reset-signal.patch usb-ohci-add-quirk-for-ls7a-ohci-controller-rev-0x02.patch usb-quirks-add-delay-init-quirk-for-sandisk-3.2gen1-flash-drive.patch usb-quirks-add-delay_init-quirk-for-silicon-motion-flash-drive.patch usb-serial-ftdi_sio-add-support-for-abacus-electrics-optical-probe.patch usb-serial-option-add-sierra-wireless-em9291.patch usb-serial-simple-add-owon-hds200-series-oscilloscope-support.patch usb-vli-disk-crashes-if-lpm-is-used.patch usb-wdm-add-annotation.patch usb-wdm-close-race-between-wdm_open-and-wdm_wwan_port_stop.patch usb-wdm-handle-io-errors-in-wdm_wwan_port_start.patch usb-wdm-wdm_wwan_port_tx_complete-mutex-in-atomic-context.patch usb-xhci-fix-invalid-pointer-dereference-in-etron-workaround.patch --- diff --git a/queue-6.6/char-misc-register-chrdev-region-with-all-possible-minors.patch b/queue-6.6/char-misc-register-chrdev-region-with-all-possible-minors.patch new file mode 100644 index 0000000000..144c69b76c --- /dev/null +++ b/queue-6.6/char-misc-register-chrdev-region-with-all-possible-minors.patch @@ -0,0 +1,47 @@ +From c876be906ce7e518d9ef9926478669c151999e69 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Mon, 17 Mar 2025 10:59:55 -0300 +Subject: char: misc: register chrdev region with all possible minors + +From: Thadeu Lima de Souza Cascardo + +commit c876be906ce7e518d9ef9926478669c151999e69 upstream. + +register_chrdev will only register the first 256 minors of a major chrdev. +That means that dynamically allocated misc devices with minor above 255 +will fail to open with -ENXIO. + +This was found by kernel test robot when testing a different change that +makes all dynamically allocated minors be above 255. This has, however, +been separately tested by creating 256 serio_raw devices with the help of +userio driver. + +Ever since allowing misc devices with minors above 128, this has been +possible. + +Fix it by registering all minor numbers from 0 to MINORMASK + 1 for +MISC_MAJOR. + +Reported-by: kernel test robot +Cc: stable +Closes: https://lore.kernel.org/oe-lkp/202503171507.6c8093d0-lkp@intel.com +Fixes: ab760791c0cf ("char: misc: Increase the maximum number of dynamic misc devices to 1048448") +Signed-off-by: Thadeu Lima de Souza Cascardo +Tested-by: Hou Wenlong +Link: https://lore.kernel.org/r/20250317-misc-chrdev-v1-1-6cd05da11aef@igalia.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/misc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/misc.c ++++ b/drivers/char/misc.c +@@ -315,7 +315,7 @@ static int __init misc_init(void) + goto fail_remove; + + err = -EIO; +- if (register_chrdev(MISC_MAJOR, "misc", &misc_fops)) ++ if (__register_chrdev(MISC_MAJOR, 0, MINORMASK + 1, "misc", &misc_fops)) + goto fail_printk; + return 0; + diff --git a/queue-6.6/kvm-x86-explicitly-treat-routing-entry-type-changes-as-changes.patch b/queue-6.6/kvm-x86-explicitly-treat-routing-entry-type-changes-as-changes.patch new file mode 100644 index 0000000000..af7e635f0a --- /dev/null +++ b/queue-6.6/kvm-x86-explicitly-treat-routing-entry-type-changes-as-changes.patch @@ -0,0 +1,35 @@ +From bcda70c56f3e718465cab2aad260cf34183ce1ce Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 4 Apr 2025 12:38:18 -0700 +Subject: KVM: x86: Explicitly treat routing entry type changes as changes + +From: Sean Christopherson + +commit bcda70c56f3e718465cab2aad260cf34183ce1ce upstream. + +Explicitly treat type differences as GSI routing changes, as comparing MSI +data between two entries could get a false negative, e.g. if userspace +changed the type but left the type-specific data as-is. + +Fixes: 515a0c79e796 ("kvm: irqfd: avoid update unmodified entries of the routing") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-ID: <20250404193923.1413163-4-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -13297,7 +13297,8 @@ int kvm_arch_update_irqfd_routing(struct + bool kvm_arch_irqfd_route_changed(struct kvm_kernel_irq_routing_entry *old, + struct kvm_kernel_irq_routing_entry *new) + { +- if (new->type != KVM_IRQ_ROUTING_MSI) ++ if (old->type != KVM_IRQ_ROUTING_MSI || ++ new->type != KVM_IRQ_ROUTING_MSI) + return true; + + return !!memcmp(&old->msi, &new->msi, sizeof(new->msi)); diff --git a/queue-6.6/kvm-x86-reset-irte-to-host-control-if-new-route-isn-t-postable.patch b/queue-6.6/kvm-x86-reset-irte-to-host-control-if-new-route-isn-t-postable.patch new file mode 100644 index 0000000000..f2be1a80ae --- /dev/null +++ b/queue-6.6/kvm-x86-reset-irte-to-host-control-if-new-route-isn-t-postable.patch @@ -0,0 +1,178 @@ +From 9bcac97dc42d2f4da8229d18feb0fe2b1ce523a2 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 4 Apr 2025 12:38:17 -0700 +Subject: KVM: x86: Reset IRTE to host control if *new* route isn't postable + +From: Sean Christopherson + +commit 9bcac97dc42d2f4da8229d18feb0fe2b1ce523a2 upstream. + +Restore an IRTE back to host control (remapped or posted MSI mode) if the +*new* GSI route prevents posting the IRQ directly to a vCPU, regardless of +the GSI routing type. Updating the IRTE if and only if the new GSI is an +MSI results in KVM leaving an IRTE posting to a vCPU. + +The dangling IRTE can result in interrupts being incorrectly delivered to +the guest, and in the worst case scenario can result in use-after-free, +e.g. if the VM is torn down, but the underlying host IRQ isn't freed. + +Fixes: efc644048ecd ("KVM: x86: Update IRTE for posted-interrupts") +Fixes: 411b44ba80ab ("svm: Implements update_pi_irte hook to setup posted interrupt") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-ID: <20250404193923.1413163-3-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/avic.c | 58 +++++++++++++++++++++-------------------- + arch/x86/kvm/vmx/posted_intr.c | 28 +++++++------------ + 2 files changed, 41 insertions(+), 45 deletions(-) + +--- a/arch/x86/kvm/svm/avic.c ++++ b/arch/x86/kvm/svm/avic.c +@@ -896,6 +896,7 @@ int avic_pi_update_irte(struct kvm *kvm, + { + struct kvm_kernel_irq_routing_entry *e; + struct kvm_irq_routing_table *irq_rt; ++ bool enable_remapped_mode = true; + int idx, ret = 0; + + if (!kvm_arch_has_assigned_device(kvm) || +@@ -933,6 +934,8 @@ int avic_pi_update_irte(struct kvm *kvm, + kvm_vcpu_apicv_active(&svm->vcpu)) { + struct amd_iommu_pi_data pi; + ++ enable_remapped_mode = false; ++ + /* Try to enable guest_mode in IRTE */ + pi.base = __sme_set(page_to_phys(svm->avic_backing_page) & + AVIC_HPA_MASK); +@@ -951,33 +954,6 @@ int avic_pi_update_irte(struct kvm *kvm, + */ + if (!ret && pi.is_guest_mode) + svm_ir_list_add(svm, &pi); +- } else { +- /* Use legacy mode in IRTE */ +- struct amd_iommu_pi_data pi; +- +- /** +- * Here, pi is used to: +- * - Tell IOMMU to use legacy mode for this interrupt. +- * - Retrieve ga_tag of prior interrupt remapping data. +- */ +- pi.prev_ga_tag = 0; +- pi.is_guest_mode = false; +- ret = irq_set_vcpu_affinity(host_irq, &pi); +- +- /** +- * Check if the posted interrupt was previously +- * setup with the guest_mode by checking if the ga_tag +- * was cached. If so, we need to clean up the per-vcpu +- * ir_list. +- */ +- if (!ret && pi.prev_ga_tag) { +- int id = AVIC_GATAG_TO_VCPUID(pi.prev_ga_tag); +- struct kvm_vcpu *vcpu; +- +- vcpu = kvm_get_vcpu_by_id(kvm, id); +- if (vcpu) +- svm_ir_list_del(to_svm(vcpu), &pi); +- } + } + + if (!ret && svm) { +@@ -993,6 +969,34 @@ int avic_pi_update_irte(struct kvm *kvm, + } + + ret = 0; ++ if (enable_remapped_mode) { ++ /* Use legacy mode in IRTE */ ++ struct amd_iommu_pi_data pi; ++ ++ /** ++ * Here, pi is used to: ++ * - Tell IOMMU to use legacy mode for this interrupt. ++ * - Retrieve ga_tag of prior interrupt remapping data. ++ */ ++ pi.prev_ga_tag = 0; ++ pi.is_guest_mode = false; ++ ret = irq_set_vcpu_affinity(host_irq, &pi); ++ ++ /** ++ * Check if the posted interrupt was previously ++ * setup with the guest_mode by checking if the ga_tag ++ * was cached. If so, we need to clean up the per-vcpu ++ * ir_list. ++ */ ++ if (!ret && pi.prev_ga_tag) { ++ int id = AVIC_GATAG_TO_VCPUID(pi.prev_ga_tag); ++ struct kvm_vcpu *vcpu; ++ ++ vcpu = kvm_get_vcpu_by_id(kvm, id); ++ if (vcpu) ++ svm_ir_list_del(to_svm(vcpu), &pi); ++ } ++ } + out: + srcu_read_unlock(&kvm->irq_srcu, idx); + return ret; +--- a/arch/x86/kvm/vmx/posted_intr.c ++++ b/arch/x86/kvm/vmx/posted_intr.c +@@ -274,6 +274,7 @@ int vmx_pi_update_irte(struct kvm *kvm, + { + struct kvm_kernel_irq_routing_entry *e; + struct kvm_irq_routing_table *irq_rt; ++ bool enable_remapped_mode = true; + struct kvm_lapic_irq irq; + struct kvm_vcpu *vcpu; + struct vcpu_data vcpu_info; +@@ -312,21 +313,8 @@ int vmx_pi_update_irte(struct kvm *kvm, + + kvm_set_msi_irq(kvm, e, &irq); + if (!kvm_intr_is_single_vcpu(kvm, &irq, &vcpu) || +- !kvm_irq_is_postable(&irq)) { +- /* +- * Make sure the IRTE is in remapped mode if +- * we don't handle it in posted mode. +- */ +- ret = irq_set_vcpu_affinity(host_irq, NULL); +- if (ret < 0) { +- printk(KERN_INFO +- "failed to back to remapped mode, irq: %u\n", +- host_irq); +- goto out; +- } +- ++ !kvm_irq_is_postable(&irq)) + continue; +- } + + vcpu_info.pi_desc_addr = __pa(vcpu_to_pi_desc(vcpu)); + vcpu_info.vector = irq.vector; +@@ -334,11 +322,12 @@ int vmx_pi_update_irte(struct kvm *kvm, + trace_kvm_pi_irte_update(host_irq, vcpu->vcpu_id, e->gsi, + vcpu_info.vector, vcpu_info.pi_desc_addr, set); + +- if (set) +- ret = irq_set_vcpu_affinity(host_irq, &vcpu_info); +- else +- ret = irq_set_vcpu_affinity(host_irq, NULL); ++ if (!set) ++ continue; + ++ enable_remapped_mode = false; ++ ++ ret = irq_set_vcpu_affinity(host_irq, &vcpu_info); + if (ret < 0) { + printk(KERN_INFO "%s: failed to update PI IRTE\n", + __func__); +@@ -346,6 +335,9 @@ int vmx_pi_update_irte(struct kvm *kvm, + } + } + ++ if (enable_remapped_mode) ++ ret = irq_set_vcpu_affinity(host_irq, NULL); ++ + ret = 0; + out: + srcu_read_unlock(&kvm->irq_srcu, idx); diff --git a/queue-6.6/misc-microchip-pci1xxxx-fix-incorrect-irq-status-handling-during-ack.patch b/queue-6.6/misc-microchip-pci1xxxx-fix-incorrect-irq-status-handling-during-ack.patch new file mode 100644 index 0000000000..271c329fe3 --- /dev/null +++ b/queue-6.6/misc-microchip-pci1xxxx-fix-incorrect-irq-status-handling-during-ack.patch @@ -0,0 +1,35 @@ +From e9d7748a7468581859d2b85b378135f9688a0aff Mon Sep 17 00:00:00 2001 +From: Rengarajan S +Date: Thu, 13 Mar 2025 22:38:56 +0530 +Subject: misc: microchip: pci1xxxx: Fix incorrect IRQ status handling during ack + +From: Rengarajan S + +commit e9d7748a7468581859d2b85b378135f9688a0aff upstream. + +Under irq_ack, pci1xxxx_assign_bit reads the current interrupt status, +modifies and writes the entire value back. Since, the IRQ status bit +gets cleared on writing back, the better approach is to directly write +the bitmask to the register in order to preserve the value. + +Fixes: 1f4d8ae231f4 ("misc: microchip: pci1xxxx: Add gpio irq handler and irq helper functions irq_ack, irq_mask, irq_unmask and irq_set_type of irq_chip.") +Cc: stable +Signed-off-by: Rengarajan S +Link: https://lore.kernel.org/r/20250313170856.20868-3-rengarajan.s@microchip.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c ++++ b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c +@@ -165,7 +165,7 @@ static void pci1xxxx_gpio_irq_ack(struct + unsigned long flags; + + spin_lock_irqsave(&priv->lock, flags); +- pci1xxx_assign_bit(priv->reg_base, INTR_STAT_OFFSET(gpio), (gpio % 32), true); ++ writel(BIT(gpio % 32), priv->reg_base + INTR_STAT_OFFSET(gpio)); + spin_unlock_irqrestore(&priv->lock, flags); + } + diff --git a/queue-6.6/misc-microchip-pci1xxxx-fix-kernel-panic-during-irq-handler-registration.patch b/queue-6.6/misc-microchip-pci1xxxx-fix-kernel-panic-during-irq-handler-registration.patch new file mode 100644 index 0000000000..f162e6fd30 --- /dev/null +++ b/queue-6.6/misc-microchip-pci1xxxx-fix-kernel-panic-during-irq-handler-registration.patch @@ -0,0 +1,58 @@ +From 18eb77c75ed01439f96ae5c0f33461eb5134b907 Mon Sep 17 00:00:00 2001 +From: Rengarajan S +Date: Thu, 13 Mar 2025 22:38:55 +0530 +Subject: misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration + +From: Rengarajan S + +commit 18eb77c75ed01439f96ae5c0f33461eb5134b907 upstream. + +Resolve kernel panic while accessing IRQ handler associated with the +generated IRQ. This is done by acquiring the spinlock and storing the +current interrupt state before handling the interrupt request using +generic_handle_irq. + +A previous fix patch was submitted where 'generic_handle_irq' was +replaced with 'handle_nested_irq'. However, this change also causes +the kernel panic where after determining which GPIO triggered the +interrupt and attempting to call handle_nested_irq with the mapped +IRQ number, leads to a failure in locating the registered handler. + +Fixes: 194f9f94a516 ("misc: microchip: pci1xxxx: Resolve kernel panic during GPIO IRQ handling") +Cc: stable +Signed-off-by: Rengarajan S +Link: https://lore.kernel.org/r/20250313170856.20868-2-rengarajan.s@microchip.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c ++++ b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c +@@ -37,6 +37,7 @@ + struct pci1xxxx_gpio { + struct auxiliary_device *aux_dev; + void __iomem *reg_base; ++ raw_spinlock_t wa_lock; + struct gpio_chip gpio; + spinlock_t lock; + int irq_base; +@@ -254,6 +255,7 @@ static irqreturn_t pci1xxxx_gpio_irq_han + struct pci1xxxx_gpio *priv = dev_id; + struct gpio_chip *gc = &priv->gpio; + unsigned long int_status = 0; ++ unsigned long wa_flags; + unsigned long flags; + u8 pincount; + int bit; +@@ -277,7 +279,9 @@ static irqreturn_t pci1xxxx_gpio_irq_han + writel(BIT(bit), priv->reg_base + INTR_STATUS_OFFSET(gpiobank)); + spin_unlock_irqrestore(&priv->lock, flags); + irq = irq_find_mapping(gc->irq.domain, (bit + (gpiobank * 32))); +- handle_nested_irq(irq); ++ raw_spin_lock_irqsave(&priv->wa_lock, wa_flags); ++ generic_handle_irq(irq); ++ raw_spin_unlock_irqrestore(&priv->wa_lock, wa_flags); + } + } + spin_lock_irqsave(&priv->lock, flags); diff --git a/queue-6.6/serial-msm-configure-correct-working-mode-before-starting-earlycon.patch b/queue-6.6/serial-msm-configure-correct-working-mode-before-starting-earlycon.patch new file mode 100644 index 0000000000..56ed8f107a --- /dev/null +++ b/queue-6.6/serial-msm-configure-correct-working-mode-before-starting-earlycon.patch @@ -0,0 +1,54 @@ +From 7094832b5ac861b0bd7ed8866c93cb15ef619996 Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Tue, 8 Apr 2025 19:22:47 +0200 +Subject: serial: msm: Configure correct working mode before starting earlycon + +From: Stephan Gerhold + +commit 7094832b5ac861b0bd7ed8866c93cb15ef619996 upstream. + +The MSM UART DM controller supports different working modes, e.g. DMA or +the "single-character mode", where all reads/writes operate on a single +character rather than 4 chars (32-bit) at once. When using earlycon, +__msm_console_write() always writes 4 characters at a time, but we don't +know which mode the bootloader was using and we don't set the mode either. + +This causes garbled output if the bootloader was using the single-character +mode, because only every 4th character appears in the serial console, e.g. + + "[ 00oni pi 000xf0[ 00i s 5rm9(l)l s 1 1 SPMTA 7:C 5[ 00A ade k d[ + 00ano:ameoi .Q1B[ 00ac _idaM00080oo'" + +If the bootloader was using the DMA ("DM") mode, output would likely fail +entirely. Later, when the full serial driver probes, the port is +re-initialized and output works as expected. + +Fix this also for earlycon by clearing the DMEN register and +reset+re-enable the transmitter to apply the change. This ensures the +transmitter is in the expected state before writing any output. + +Cc: stable +Fixes: 0efe72963409 ("tty: serial: msm: Add earlycon support") +Signed-off-by: Stephan Gerhold +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20250408-msm-serial-earlycon-v1-1-429080127530@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/msm_serial.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/tty/serial/msm_serial.c ++++ b/drivers/tty/serial/msm_serial.c +@@ -1741,6 +1741,12 @@ msm_serial_early_console_setup_dm(struct + if (!device->port.membase) + return -ENODEV; + ++ /* Disable DM / single-character modes */ ++ msm_write(&device->port, 0, UARTDM_DMEN); ++ msm_write(&device->port, MSM_UART_CR_CMD_RESET_RX, MSM_UART_CR); ++ msm_write(&device->port, MSM_UART_CR_CMD_RESET_TX, MSM_UART_CR); ++ msm_write(&device->port, MSM_UART_CR_TX_ENABLE, MSM_UART_CR); ++ + device->con->write = msm_serial_early_write_dm; + return 0; + } diff --git a/queue-6.6/serial-sifive-lock-port-in-startup-shutdown-callbacks.patch b/queue-6.6/serial-sifive-lock-port-in-startup-shutdown-callbacks.patch new file mode 100644 index 0000000000..10317f30f5 --- /dev/null +++ b/queue-6.6/serial-sifive-lock-port-in-startup-shutdown-callbacks.patch @@ -0,0 +1,59 @@ +From e1ca3ff28ab1e2c1e70713ef3fa7943c725742c3 Mon Sep 17 00:00:00 2001 +From: Ryo Takakura +Date: Sat, 12 Apr 2025 09:18:47 +0900 +Subject: serial: sifive: lock port in startup()/shutdown() callbacks + +From: Ryo Takakura + +commit e1ca3ff28ab1e2c1e70713ef3fa7943c725742c3 upstream. + +startup()/shutdown() callbacks access SIFIVE_SERIAL_IE_OFFS. +The register is also accessed from write() callback. + +If console were printing and startup()/shutdown() callback +gets called, its access to the register could be overwritten. + +Add port->lock to startup()/shutdown() callbacks to make sure +their access to SIFIVE_SERIAL_IE_OFFS is synchronized against +write() callback. + +Fixes: 45c054d0815b ("tty: serial: add driver for the SiFive UART") +Signed-off-by: Ryo Takakura +Reviewed-by: Petr Mladek +Cc: stable@vger.kernel.org +Reviewed-by: John Ogness +Rule: add +Link: https://lore.kernel.org/stable/20250330003522.386632-1-ryotkkr98%40gmail.com +Link: https://lore.kernel.org/r/20250412001847.183221-1-ryotkkr98@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sifive.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/tty/serial/sifive.c ++++ b/drivers/tty/serial/sifive.c +@@ -562,8 +562,11 @@ static void sifive_serial_break_ctl(stru + static int sifive_serial_startup(struct uart_port *port) + { + struct sifive_serial_port *ssp = port_to_sifive_serial_port(port); ++ unsigned long flags; + ++ uart_port_lock_irqsave(&ssp->port, &flags); + __ssp_enable_rxwm(ssp); ++ uart_port_unlock_irqrestore(&ssp->port, flags); + + return 0; + } +@@ -571,9 +574,12 @@ static int sifive_serial_startup(struct + static void sifive_serial_shutdown(struct uart_port *port) + { + struct sifive_serial_port *ssp = port_to_sifive_serial_port(port); ++ unsigned long flags; + ++ uart_port_lock_irqsave(&ssp->port, &flags); + __ssp_disable_rxwm(ssp); + __ssp_disable_txwm(ssp); ++ uart_port_unlock_irqrestore(&ssp->port, flags); + } + + /** diff --git a/queue-6.6/series b/queue-6.6/series index 9dc45f9183..8f26c05c42 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -89,3 +89,28 @@ ata-libata-scsi-fix-ata_msense_control_ata_feature.patch usb-storage-quirk-for-adata-portable-hdd-ch94.patch scsi-improve-cdl-control.patch mei-me-add-panther-lake-h-did.patch +kvm-x86-explicitly-treat-routing-entry-type-changes-as-changes.patch +kvm-x86-reset-irte-to-host-control-if-new-route-isn-t-postable.patch +char-misc-register-chrdev-region-with-all-possible-minors.patch +misc-microchip-pci1xxxx-fix-kernel-panic-during-irq-handler-registration.patch +misc-microchip-pci1xxxx-fix-incorrect-irq-status-handling-during-ack.patch +serial-msm-configure-correct-working-mode-before-starting-earlycon.patch +serial-sifive-lock-port-in-startup-shutdown-callbacks.patch +usb-serial-ftdi_sio-add-support-for-abacus-electrics-optical-probe.patch +usb-serial-option-add-sierra-wireless-em9291.patch +usb-serial-simple-add-owon-hds200-series-oscilloscope-support.patch +usb-xhci-fix-invalid-pointer-dereference-in-etron-workaround.patch +usb-cdns3-fix-deadlock-when-using-ncm-gadget.patch +usb-chipidea-ci_hdrc_imx-fix-usbmisc-handling.patch +usb-chipidea-ci_hdrc_imx-fix-call-balance-of-regulator-routines.patch +usb-chipidea-ci_hdrc_imx-implement-usb_phy_init-error-handling.patch +usb-ohci-add-quirk-for-ls7a-ohci-controller-rev-0x02.patch +usb-dwc3-gadget-check-that-event-count-does-not-exceed-event-buffer-length.patch +usb-dwc3-xilinx-prevent-spike-in-reset-signal.patch +usb-quirks-add-delay_init-quirk-for-silicon-motion-flash-drive.patch +usb-quirks-add-delay-init-quirk-for-sandisk-3.2gen1-flash-drive.patch +usb-vli-disk-crashes-if-lpm-is-used.patch +usb-wdm-handle-io-errors-in-wdm_wwan_port_start.patch +usb-wdm-close-race-between-wdm_open-and-wdm_wwan_port_stop.patch +usb-wdm-wdm_wwan_port_tx_complete-mutex-in-atomic-context.patch +usb-wdm-add-annotation.patch diff --git a/queue-6.6/usb-cdns3-fix-deadlock-when-using-ncm-gadget.patch b/queue-6.6/usb-cdns3-fix-deadlock-when-using-ncm-gadget.patch new file mode 100644 index 0000000000..d781508636 --- /dev/null +++ b/queue-6.6/usb-cdns3-fix-deadlock-when-using-ncm-gadget.patch @@ -0,0 +1,48 @@ +From a1059896f2bfdcebcdc7153c3be2307ea319501f Mon Sep 17 00:00:00 2001 +From: Ralph Siemsen +Date: Tue, 18 Mar 2025 11:09:32 -0400 +Subject: usb: cdns3: Fix deadlock when using NCM gadget + +From: Ralph Siemsen + +commit a1059896f2bfdcebcdc7153c3be2307ea319501f upstream. + +The cdns3 driver has the same NCM deadlock as fixed in cdnsp by commit +58f2fcb3a845 ("usb: cdnsp: Fix deadlock issue during using NCM gadget"). + +Under PREEMPT_RT the deadlock can be readily triggered by heavy network +traffic, for example using "iperf --bidir" over NCM ethernet link. + +The deadlock occurs because the threaded interrupt handler gets +preempted by a softirq, but both are protected by the same spinlock. +Prevent deadlock by disabling softirq during threaded irq handler. + +Cc: stable +Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver") +Signed-off-by: Ralph Siemsen +Acked-by: Peter Chen +Reviewed-by: Sebastian Andrzej Siewior +Link: https://lore.kernel.org/r/20250318-rfs-cdns3-deadlock-v2-1-bfd9cfcee732@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/cdns3-gadget.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/cdns3/cdns3-gadget.c ++++ b/drivers/usb/cdns3/cdns3-gadget.c +@@ -1962,6 +1962,7 @@ static irqreturn_t cdns3_device_thread_i + unsigned int bit; + unsigned long reg; + ++ local_bh_disable(); + spin_lock_irqsave(&priv_dev->lock, flags); + + reg = readl(&priv_dev->regs->usb_ists); +@@ -2003,6 +2004,7 @@ static irqreturn_t cdns3_device_thread_i + irqend: + writel(~0, &priv_dev->regs->ep_ien); + spin_unlock_irqrestore(&priv_dev->lock, flags); ++ local_bh_enable(); + + return ret; + } diff --git a/queue-6.6/usb-chipidea-ci_hdrc_imx-fix-call-balance-of-regulator-routines.patch b/queue-6.6/usb-chipidea-ci_hdrc_imx-fix-call-balance-of-regulator-routines.patch new file mode 100644 index 0000000000..cc3fcac4de --- /dev/null +++ b/queue-6.6/usb-chipidea-ci_hdrc_imx-fix-call-balance-of-regulator-routines.patch @@ -0,0 +1,92 @@ +From 8cab0e9a3f3e8d700179e0d6141643d54a267fd5 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Sun, 16 Mar 2025 13:26:55 +0300 +Subject: usb: chipidea: ci_hdrc_imx: fix call balance of regulator routines + +From: Fedor Pchelkin + +commit 8cab0e9a3f3e8d700179e0d6141643d54a267fd5 upstream. + +Upon encountering errors during the HSIC pinctrl handling section the +regulator should be disabled. + +Use devm_add_action_or_reset() to let the regulator-disabling routine be +handled by device resource management stack. + +Found by Linux Verification Center (linuxtesting.org). + +Fixes: 4d6141288c33 ("usb: chipidea: imx: pinctrl for HSIC is optional") +Cc: stable +Signed-off-by: Fedor Pchelkin +Acked-by: Peter Chen +Link: https://lore.kernel.org/r/20250316102658.490340-3-pchelkin@ispras.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/ci_hdrc_imx.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +--- a/drivers/usb/chipidea/ci_hdrc_imx.c ++++ b/drivers/usb/chipidea/ci_hdrc_imx.c +@@ -328,6 +328,13 @@ static int ci_hdrc_imx_notify_event(stru + return ret; + } + ++static void ci_hdrc_imx_disable_regulator(void *arg) ++{ ++ struct ci_hdrc_imx_data *data = arg; ++ ++ regulator_disable(data->hsic_pad_regulator); ++} ++ + static int ci_hdrc_imx_probe(struct platform_device *pdev) + { + struct ci_hdrc_imx_data *data; +@@ -386,6 +393,13 @@ static int ci_hdrc_imx_probe(struct plat + "Failed to enable HSIC pad regulator\n"); + goto err_put; + } ++ ret = devm_add_action_or_reset(dev, ++ ci_hdrc_imx_disable_regulator, data); ++ if (ret) { ++ dev_err(dev, ++ "Failed to add regulator devm action\n"); ++ goto err_put; ++ } + } + } + +@@ -424,11 +438,11 @@ static int ci_hdrc_imx_probe(struct plat + + ret = imx_get_clks(dev); + if (ret) +- goto disable_hsic_regulator; ++ goto qos_remove_request; + + ret = imx_prepare_enable_clks(dev); + if (ret) +- goto disable_hsic_regulator; ++ goto qos_remove_request; + + data->phy = devm_usb_get_phy_by_phandle(dev, "fsl,usbphy", 0); + if (IS_ERR(data->phy)) { +@@ -512,10 +526,7 @@ disable_device: + ci_hdrc_remove_device(data->ci_pdev); + err_clk: + imx_disable_unprepare_clks(dev); +-disable_hsic_regulator: +- if (data->hsic_pad_regulator) +- /* don't overwrite original ret (cf. EPROBE_DEFER) */ +- regulator_disable(data->hsic_pad_regulator); ++qos_remove_request: + if (pdata.flags & CI_HDRC_PMQOS) + cpu_latency_qos_remove_request(&data->pm_qos_req); + data->ci_pdev = NULL; +@@ -542,8 +553,6 @@ static void ci_hdrc_imx_remove(struct pl + imx_disable_unprepare_clks(&pdev->dev); + if (data->plat_data->flags & CI_HDRC_PMQOS) + cpu_latency_qos_remove_request(&data->pm_qos_req); +- if (data->hsic_pad_regulator) +- regulator_disable(data->hsic_pad_regulator); + } + if (data->usbmisc_data) + put_device(data->usbmisc_data->dev); diff --git a/queue-6.6/usb-chipidea-ci_hdrc_imx-fix-usbmisc-handling.patch b/queue-6.6/usb-chipidea-ci_hdrc_imx-fix-usbmisc-handling.patch new file mode 100644 index 0000000000..703ee7de15 --- /dev/null +++ b/queue-6.6/usb-chipidea-ci_hdrc_imx-fix-usbmisc-handling.patch @@ -0,0 +1,49 @@ +From 4e28f79e3dffa52d327b46d1a78dac16efb5810b Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Sun, 16 Mar 2025 13:26:54 +0300 +Subject: usb: chipidea: ci_hdrc_imx: fix usbmisc handling + +From: Fedor Pchelkin + +commit 4e28f79e3dffa52d327b46d1a78dac16efb5810b upstream. + +usbmisc is an optional device property so it is totally valid for the +corresponding data->usbmisc_data to have a NULL value. + +Check that before dereferencing the pointer. + +Found by Linux Verification Center (linuxtesting.org) with Svace static +analysis tool. + +Fixes: 74adad500346 ("usb: chipidea: ci_hdrc_imx: decrement device's refcount in .remove() and in the error path of .probe()") +Cc: stable +Signed-off-by: Fedor Pchelkin +Acked-by: Peter Chen +Link: https://lore.kernel.org/r/20250316102658.490340-2-pchelkin@ispras.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/ci_hdrc_imx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/usb/chipidea/ci_hdrc_imx.c ++++ b/drivers/usb/chipidea/ci_hdrc_imx.c +@@ -520,7 +520,8 @@ disable_hsic_regulator: + cpu_latency_qos_remove_request(&data->pm_qos_req); + data->ci_pdev = NULL; + err_put: +- put_device(data->usbmisc_data->dev); ++ if (data->usbmisc_data) ++ put_device(data->usbmisc_data->dev); + return ret; + } + +@@ -544,7 +545,8 @@ static void ci_hdrc_imx_remove(struct pl + if (data->hsic_pad_regulator) + regulator_disable(data->hsic_pad_regulator); + } +- put_device(data->usbmisc_data->dev); ++ if (data->usbmisc_data) ++ put_device(data->usbmisc_data->dev); + } + + static void ci_hdrc_imx_shutdown(struct platform_device *pdev) diff --git a/queue-6.6/usb-chipidea-ci_hdrc_imx-implement-usb_phy_init-error-handling.patch b/queue-6.6/usb-chipidea-ci_hdrc_imx-implement-usb_phy_init-error-handling.patch new file mode 100644 index 0000000000..d295308e32 --- /dev/null +++ b/queue-6.6/usb-chipidea-ci_hdrc_imx-implement-usb_phy_init-error-handling.patch @@ -0,0 +1,68 @@ +From 8c531e0a8c2d82509ad97c6d3a1e6217c7ed136d Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Sun, 16 Mar 2025 13:26:56 +0300 +Subject: usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling + +From: Fedor Pchelkin + +commit 8c531e0a8c2d82509ad97c6d3a1e6217c7ed136d upstream. + +usb_phy_init() may return an error code if e.g. its implementation fails +to prepare/enable some clocks. And properly rollback on probe error path +by calling the counterpart usb_phy_shutdown(). + +Found by Linux Verification Center (linuxtesting.org). + +Fixes: be9cae2479f4 ("usb: chipidea: imx: Fix ULPI on imx53") +Cc: stable +Signed-off-by: Fedor Pchelkin +Acked-by: Peter Chen +Link: https://lore.kernel.org/r/20250316102658.490340-4-pchelkin@ispras.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/ci_hdrc_imx.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/usb/chipidea/ci_hdrc_imx.c ++++ b/drivers/usb/chipidea/ci_hdrc_imx.c +@@ -472,7 +472,11 @@ static int ci_hdrc_imx_probe(struct plat + of_usb_get_phy_mode(np) == USBPHY_INTERFACE_MODE_ULPI) { + pdata.flags |= CI_HDRC_OVERRIDE_PHY_CONTROL; + data->override_phy_control = true; +- usb_phy_init(pdata.usb_phy); ++ ret = usb_phy_init(pdata.usb_phy); ++ if (ret) { ++ dev_err(dev, "Failed to init phy\n"); ++ goto err_clk; ++ } + } + + if (pdata.flags & CI_HDRC_SUPPORTS_RUNTIME_PM) +@@ -481,7 +485,7 @@ static int ci_hdrc_imx_probe(struct plat + ret = imx_usbmisc_init(data->usbmisc_data); + if (ret) { + dev_err(dev, "usbmisc init failed, ret=%d\n", ret); +- goto err_clk; ++ goto phy_shutdown; + } + + data->ci_pdev = ci_hdrc_add_device(dev, +@@ -490,7 +494,7 @@ static int ci_hdrc_imx_probe(struct plat + if (IS_ERR(data->ci_pdev)) { + ret = PTR_ERR(data->ci_pdev); + dev_err_probe(dev, ret, "ci_hdrc_add_device failed\n"); +- goto err_clk; ++ goto phy_shutdown; + } + + if (data->usbmisc_data) { +@@ -524,6 +528,9 @@ static int ci_hdrc_imx_probe(struct plat + + disable_device: + ci_hdrc_remove_device(data->ci_pdev); ++phy_shutdown: ++ if (data->override_phy_control) ++ usb_phy_shutdown(data->phy); + err_clk: + imx_disable_unprepare_clks(dev); + qos_remove_request: diff --git a/queue-6.6/usb-dwc3-gadget-check-that-event-count-does-not-exceed-event-buffer-length.patch b/queue-6.6/usb-dwc3-gadget-check-that-event-count-does-not-exceed-event-buffer-length.patch new file mode 100644 index 0000000000..33bc7ecc64 --- /dev/null +++ b/queue-6.6/usb-dwc3-gadget-check-that-event-count-does-not-exceed-event-buffer-length.patch @@ -0,0 +1,49 @@ +From 63ccd26cd1f6600421795f6ca3e625076be06c9f Mon Sep 17 00:00:00 2001 +From: Frode Isaksen +Date: Thu, 3 Apr 2025 09:28:03 +0200 +Subject: usb: dwc3: gadget: check that event count does not exceed event buffer length + +From: Frode Isaksen + +commit 63ccd26cd1f6600421795f6ca3e625076be06c9f upstream. + +The event count is read from register DWC3_GEVNTCOUNT. +There is a check for the count being zero, but not for exceeding the +event buffer length. +Check that event count does not exceed event buffer length, +avoiding an out-of-bounds access when memcpy'ing the event. +Crash log: +Unable to handle kernel paging request at virtual address ffffffc0129be000 +pc : __memcpy+0x114/0x180 +lr : dwc3_check_event_buf+0xec/0x348 +x3 : 0000000000000030 x2 : 000000000000dfc4 +x1 : ffffffc0129be000 x0 : ffffff87aad60080 +Call trace: +__memcpy+0x114/0x180 +dwc3_interrupt+0x24/0x34 + +Signed-off-by: Frode Isaksen +Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") +Cc: stable +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20250403072907.448524-1-fisaksen@baylibre.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -4570,6 +4570,12 @@ static irqreturn_t dwc3_check_event_buf( + if (!count) + return IRQ_NONE; + ++ if (count > evt->length) { ++ dev_err_ratelimited(dwc->dev, "invalid count(%u) > evt->length(%u)\n", ++ count, evt->length); ++ return IRQ_NONE; ++ } ++ + evt->count = count; + evt->flags |= DWC3_EVENT_PENDING; + diff --git a/queue-6.6/usb-dwc3-xilinx-prevent-spike-in-reset-signal.patch b/queue-6.6/usb-dwc3-xilinx-prevent-spike-in-reset-signal.patch new file mode 100644 index 0000000000..36b4e8da90 --- /dev/null +++ b/queue-6.6/usb-dwc3-xilinx-prevent-spike-in-reset-signal.patch @@ -0,0 +1,72 @@ +From 38d6e60b6f3a99f8f13bee22eab616136c2c0675 Mon Sep 17 00:00:00 2001 +From: Mike Looijmans +Date: Tue, 18 Mar 2025 07:44:52 +0100 +Subject: usb: dwc3: xilinx: Prevent spike in reset signal + +From: Mike Looijmans + +commit 38d6e60b6f3a99f8f13bee22eab616136c2c0675 upstream. + +The "reset" GPIO controls the RESET signal to an external, usually +ULPI PHY, chip. The original code path acquires the signal in LOW +state, and then immediately asserts it HIGH again, if the reset +signal defaulted to asserted, there'd be a short "spike" before the +reset. + +Here is what happens depending on the pre-existing state of the reset +signal: +Reset (previously asserted): ~~~|_|~~~~|_______ +Reset (previously deasserted): _____|~~~~|_______ + ^ ^ ^ + A B C + +At point A, the low going transition is because the reset line is +requested using GPIOD_OUT_LOW. If the line is successfully requested, +the first thing we do is set it high _without_ any delay. This is +point B. So, a glitch occurs between A and B. + +Requesting the line using GPIOD_OUT_HIGH eliminates the A and B +transitions. Instead we get: + +Reset (previously asserted) : ~~~~~~~~~~|______ +Reset (previously deasserted): ____|~~~~~|______ + ^ ^ + A C + +Where A and C are the points described above in the code. Point B +has been eliminated. + +The issue was found during code inspection. + +Also remove the cryptic "toggle ulpi .." comment. + +Fixes: ca05b38252d7 ("usb: dwc3: xilinx: Add gpio-reset support") +Cc: stable +Signed-off-by: Mike Looijmans +Reviewed-by: Radhey Shyam Pandey +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20250318064518.9320-1-mike.looijmans@topic.nl +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-xilinx.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/usb/dwc3/dwc3-xilinx.c ++++ b/drivers/usb/dwc3/dwc3-xilinx.c +@@ -207,15 +207,13 @@ static int dwc3_xlnx_init_zynqmp(struct + + skip_usb3_phy: + /* ulpi reset via gpio-modepin or gpio-framework driver */ +- reset_gpio = devm_gpiod_get_optional(dev, "reset", GPIOD_OUT_LOW); ++ reset_gpio = devm_gpiod_get_optional(dev, "reset", GPIOD_OUT_HIGH); + if (IS_ERR(reset_gpio)) { + return dev_err_probe(dev, PTR_ERR(reset_gpio), + "Failed to request reset GPIO\n"); + } + + if (reset_gpio) { +- /* Toggle ulpi to reset the phy. */ +- gpiod_set_value_cansleep(reset_gpio, 1); + usleep_range(5000, 10000); + gpiod_set_value_cansleep(reset_gpio, 0); + usleep_range(5000, 10000); diff --git a/queue-6.6/usb-ohci-add-quirk-for-ls7a-ohci-controller-rev-0x02.patch b/queue-6.6/usb-ohci-add-quirk-for-ls7a-ohci-controller-rev-0x02.patch new file mode 100644 index 0000000000..2cbc5b3998 --- /dev/null +++ b/queue-6.6/usb-ohci-add-quirk-for-ls7a-ohci-controller-rev-0x02.patch @@ -0,0 +1,67 @@ +From bcb60d438547355b8f9ad48645909139b64d3482 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Fri, 28 Mar 2025 12:00:59 +0800 +Subject: USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) + +From: Huacai Chen + +commit bcb60d438547355b8f9ad48645909139b64d3482 upstream. + +The OHCI controller (rev 0x02) under LS7A PCI host has a hardware flaw. +MMIO register with offset 0x60/0x64 is treated as legacy PS2-compatible +keyboard/mouse interface, which confuse the OHCI controller. Since OHCI +only use a 4KB BAR resource indeed, the LS7A OHCI controller's 32KB BAR +is wrapped around (the second 4KB BAR space is the same as the first 4KB +internally). So we can add an 4KB offset (0x1000) to the OHCI registers +(from the PCI BAR resource) as a quirk. + +Cc: stable +Suggested-by: Bjorn Helgaas +Reviewed-by: Alan Stern +Tested-by: Mingcong Bai +Signed-off-by: Huacai Chen +Link: https://lore.kernel.org/r/20250328040059.3672979-1-chenhuacai@loongson.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/ohci-pci.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/drivers/usb/host/ohci-pci.c ++++ b/drivers/usb/host/ohci-pci.c +@@ -165,6 +165,25 @@ static int ohci_quirk_amd700(struct usb_ + return 0; + } + ++static int ohci_quirk_loongson(struct usb_hcd *hcd) ++{ ++ struct pci_dev *pdev = to_pci_dev(hcd->self.controller); ++ ++ /* ++ * Loongson's LS7A OHCI controller (rev 0x02) has a ++ * flaw. MMIO register with offset 0x60/64 is treated ++ * as legacy PS2-compatible keyboard/mouse interface. ++ * Since OHCI only use 4KB BAR resource, LS7A OHCI's ++ * 32KB BAR is wrapped around (the 2nd 4KB BAR space ++ * is the same as the 1st 4KB internally). So add 4KB ++ * offset (0x1000) to the OHCI registers as a quirk. ++ */ ++ if (pdev->revision == 0x2) ++ hcd->regs += SZ_4K; /* SZ_4K = 0x1000 */ ++ ++ return 0; ++} ++ + static int ohci_quirk_qemu(struct usb_hcd *hcd) + { + struct ohci_hcd *ohci = hcd_to_ohci(hcd); +@@ -225,6 +244,10 @@ static const struct pci_device_id ohci_p + .driver_data = (unsigned long)ohci_quirk_amd700, + }, + { ++ PCI_DEVICE(PCI_VENDOR_ID_LOONGSON, 0x7a24), ++ .driver_data = (unsigned long)ohci_quirk_loongson, ++ }, ++ { + .vendor = PCI_VENDOR_ID_APPLE, + .device = 0x003f, + .subvendor = PCI_SUBVENDOR_ID_REDHAT_QUMRANET, diff --git a/queue-6.6/usb-quirks-add-delay-init-quirk-for-sandisk-3.2gen1-flash-drive.patch b/queue-6.6/usb-quirks-add-delay-init-quirk-for-sandisk-3.2gen1-flash-drive.patch new file mode 100644 index 0000000000..3017a190de --- /dev/null +++ b/queue-6.6/usb-quirks-add-delay-init-quirk-for-sandisk-3.2gen1-flash-drive.patch @@ -0,0 +1,37 @@ +From 37ffdbd695c02189dbf23d6e7d2385e0299587ca Mon Sep 17 00:00:00 2001 +From: Miao Li +Date: Mon, 14 Apr 2025 14:29:35 +0800 +Subject: usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive + +From: Miao Li + +commit 37ffdbd695c02189dbf23d6e7d2385e0299587ca upstream. + +The SanDisk 3.2Gen1 Flash Drive, which VID:PID is in 0781:55a3, +just like Silicon Motion Flash Drive: +https://lore.kernel.org/r/20250401023027.44894-1-limiao870622@163.com +also needs the DELAY_INIT quirk, or it will randomly work incorrectly +(e.g.: lsusb and can't list this device info) when connecting Huawei +hisi platforms and doing thousand of reboot test circles. + +Cc: stable +Signed-off-by: Miao Li +Signed-off-by: Lei Huang +Link: https://lore.kernel.org/r/20250414062935.159024-1-limiao870622@163.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -369,6 +369,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x0781, 0x5583), .driver_info = USB_QUIRK_NO_LPM }, + { USB_DEVICE(0x0781, 0x5591), .driver_info = USB_QUIRK_NO_LPM }, + ++ /* SanDisk Corp. SanDisk 3.2Gen1 */ ++ { USB_DEVICE(0x0781, 0x55a3), .driver_info = USB_QUIRK_DELAY_INIT }, ++ + /* Realforce 87U Keyboard */ + { USB_DEVICE(0x0853, 0x011b), .driver_info = USB_QUIRK_NO_LPM }, + diff --git a/queue-6.6/usb-quirks-add-delay_init-quirk-for-silicon-motion-flash-drive.patch b/queue-6.6/usb-quirks-add-delay_init-quirk-for-silicon-motion-flash-drive.patch new file mode 100644 index 0000000000..7adcf8a35c --- /dev/null +++ b/queue-6.6/usb-quirks-add-delay_init-quirk-for-silicon-motion-flash-drive.patch @@ -0,0 +1,34 @@ +From 2932b6b547ec36ad2ed60fbf2117c0e46bb7d40a Mon Sep 17 00:00:00 2001 +From: Miao Li +Date: Tue, 1 Apr 2025 10:30:27 +0800 +Subject: usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive + +From: Miao Li + +commit 2932b6b547ec36ad2ed60fbf2117c0e46bb7d40a upstream. + +Silicon Motion Flash Drive connects to Huawei hisi platforms and +performs a system reboot test for two thousand circles, it will +randomly work incorrectly on boot, set DELAY_INIT quirk can workaround +this issue. + +Signed-off-by: Miao Li +Cc: stable +Link: https://lore.kernel.org/r/20250401023027.44894-1-limiao870622@163.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -383,6 +383,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x0904, 0x6103), .driver_info = + USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL }, + ++ /* Silicon Motion Flash Drive */ ++ { USB_DEVICE(0x090c, 0x1000), .driver_info = USB_QUIRK_DELAY_INIT }, ++ + /* Sound Devices USBPre2 */ + { USB_DEVICE(0x0926, 0x0202), .driver_info = + USB_QUIRK_ENDPOINT_IGNORE }, diff --git a/queue-6.6/usb-serial-ftdi_sio-add-support-for-abacus-electrics-optical-probe.patch b/queue-6.6/usb-serial-ftdi_sio-add-support-for-abacus-electrics-optical-probe.patch new file mode 100644 index 0000000000..6f9207c854 --- /dev/null +++ b/queue-6.6/usb-serial-ftdi_sio-add-support-for-abacus-electrics-optical-probe.patch @@ -0,0 +1,50 @@ +From b399078f882b6e5d32da18b6c696cc84b12f90d5 Mon Sep 17 00:00:00 2001 +From: Michael Ehrenreich +Date: Mon, 17 Mar 2025 06:17:15 +0100 +Subject: USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe + +From: Michael Ehrenreich + +commit b399078f882b6e5d32da18b6c696cc84b12f90d5 upstream. + +Abacus Electrics makes optical probes for interacting with smart meters +over an optical interface. + +At least one version uses an FT232B chip (as detected by ftdi_sio) with +a custom USB PID, which needs to be added to the list to make the device +work in a plug-and-play fashion. + +Signed-off-by: Michael Ehrenreich +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/ftdi_sio.c | 2 ++ + drivers/usb/serial/ftdi_sio_ids.h | 5 +++++ + 2 files changed, 7 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1093,6 +1093,8 @@ static const struct usb_device_id id_tab + { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_602E_PID, 1) }, + { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_602E_PID, 2) }, + { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_602E_PID, 3) }, ++ /* Abacus Electrics */ ++ { USB_DEVICE(FTDI_VID, ABACUS_OPTICAL_PROBE_PID) }, + { } /* Terminating entry */ + }; + +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -443,6 +443,11 @@ + #define LINX_FUTURE_2_PID 0xF44C /* Linx future device */ + + /* ++ * Abacus Electrics ++ */ ++#define ABACUS_OPTICAL_PROBE_PID 0xf458 /* ABACUS ELECTRICS Optical Probe */ ++ ++/* + * Oceanic product ids + */ + #define FTDI_OCEANIC_PID 0xF460 /* Oceanic dive instrument */ diff --git a/queue-6.6/usb-serial-option-add-sierra-wireless-em9291.patch b/queue-6.6/usb-serial-option-add-sierra-wireless-em9291.patch new file mode 100644 index 0000000000..c28dcccce8 --- /dev/null +++ b/queue-6.6/usb-serial-option-add-sierra-wireless-em9291.patch @@ -0,0 +1,63 @@ +From 968e1cbb1f6293c3add9607f80b5ce3d29f57583 Mon Sep 17 00:00:00 2001 +From: Adam Xue +Date: Mon, 14 Apr 2025 14:14:37 -0700 +Subject: USB: serial: option: add Sierra Wireless EM9291 + +From: Adam Xue + +commit 968e1cbb1f6293c3add9607f80b5ce3d29f57583 upstream. + +Add Sierra Wireless EM9291. + +Interface 0: MBIM control + 1: MBIM data + 3: AT port + 4: Diagnostic port + +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1199 ProdID=90e3 Rev=00.06 +S: Manufacturer=Sierra Wireless, Incorporated +S: Product=Sierra Wireless EM9291 +S: SerialNumber=xxxxxxxxxxxxxxxx +C: #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=(none) +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none) +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Adam Xue +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -611,6 +611,7 @@ static void option_instat_callback(struc + /* Sierra Wireless products */ + #define SIERRA_VENDOR_ID 0x1199 + #define SIERRA_PRODUCT_EM9191 0x90d3 ++#define SIERRA_PRODUCT_EM9291 0x90e3 + + /* UNISOC (Spreadtrum) products */ + #define UNISOC_VENDOR_ID 0x1782 +@@ -2432,6 +2433,8 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0xff, 0x30) }, + { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0, 0) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9291, 0xff, 0xff, 0x30) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9291, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, TOZED_PRODUCT_LT70C, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, LUAT_PRODUCT_AIR720U, 0xff, 0, 0) }, + { USB_DEVICE_INTERFACE_CLASS(0x1bbb, 0x0530, 0xff), /* TCL IK512 MBIM */ diff --git a/queue-6.6/usb-serial-simple-add-owon-hds200-series-oscilloscope-support.patch b/queue-6.6/usb-serial-simple-add-owon-hds200-series-oscilloscope-support.patch new file mode 100644 index 0000000000..634b22f4eb --- /dev/null +++ b/queue-6.6/usb-serial-simple-add-owon-hds200-series-oscilloscope-support.patch @@ -0,0 +1,129 @@ +From 4cc01410e1c1dd075df10f750775c81d1cb6672b Mon Sep 17 00:00:00 2001 +From: Craig Hesling +Date: Tue, 8 Apr 2025 16:27:03 -0700 +Subject: USB: serial: simple: add OWON HDS200 series oscilloscope support + +From: Craig Hesling + +commit 4cc01410e1c1dd075df10f750775c81d1cb6672b upstream. + +Add serial support for OWON HDS200 series oscilloscopes and likely +many other pieces of OWON test equipment. + +OWON HDS200 series devices host two USB endpoints, designed to +facilitate bidirectional SCPI. SCPI is a predominately ASCII text +protocol for test/measurement equipment. Having a serial/tty interface +for these devices lowers the barrier to entry for anyone trying to +write programs to communicate with them. + +The following shows the USB descriptor for the OWON HDS272S running +firmware V5.7.1: + +Bus 001 Device 068: ID 5345:1234 Owon PDS6062T Oscilloscope +Negotiated speed: Full Speed (12Mbps) +Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 2.00 + bDeviceClass 0 [unknown] + bDeviceSubClass 0 [unknown] + bDeviceProtocol 0 + bMaxPacketSize0 64 + idVendor 0x5345 Owon + idProduct 0x1234 PDS6062T Oscilloscope + bcdDevice 1.00 + iManufacturer 1 oscilloscope + iProduct 2 oscilloscope + iSerial 3 oscilloscope + bNumConfigurations 1 + Configuration Descriptor: + bLength 9 + bDescriptorType 2 + wTotalLength 0x0029 + bNumInterfaces 1 + bConfigurationValue 1 + iConfiguration 0 + bmAttributes 0x80 + (Bus Powered) + MaxPower 100mA + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 0 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 5 Physical Interface Device + bInterfaceSubClass 0 [unknown] + bInterfaceProtocol 0 + iInterface 0 + ** UNRECOGNIZED: 09 21 11 01 00 01 22 5f 00 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x81 EP 1 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 32 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x01 EP 1 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 32 +Device Status: 0x0000 + (Bus Powered) + +OWON appears to be using the same USB Vendor and Product ID for many +of their oscilloscopes. Looking at the discussion about the USB +vendor/product ID, in the link bellow, suggests that this VID/PID is +shared with VDS, SDS, PDS, and now the HDS series oscilloscopes. +Available documentation for these devices seems to indicate that all +use a similar SCPI protocol, some with RS232 options. It is likely that +this same simple serial setup would work correctly for them all. + +Link: https://usb-ids.gowdy.us/read/UD/5345/1234 +Signed-off-by: Craig Hesling +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/usb-serial-simple.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -101,6 +101,11 @@ DEVICE(nokia, NOKIA_IDS); + { USB_DEVICE(0x09d7, 0x0100) } /* NovAtel FlexPack GPS */ + DEVICE_N(novatel_gps, NOVATEL_IDS, 3); + ++/* OWON electronic test and measurement equipment driver */ ++#define OWON_IDS() \ ++ { USB_DEVICE(0x5345, 0x1234) } /* HDS200 oscilloscopes and others */ ++DEVICE(owon, OWON_IDS); ++ + /* Siemens USB/MPI adapter */ + #define SIEMENS_IDS() \ + { USB_DEVICE(0x908, 0x0004) } +@@ -135,6 +140,7 @@ static struct usb_serial_driver * const + &motorola_tetra_device, + &nokia_device, + &novatel_gps_device, ++ &owon_device, + &siemens_mpi_device, + &suunto_device, + &vivopay_device, +@@ -154,6 +160,7 @@ static const struct usb_device_id id_tab + MOTOROLA_TETRA_IDS(), + NOKIA_IDS(), + NOVATEL_IDS(), ++ OWON_IDS(), + SIEMENS_IDS(), + SUUNTO_IDS(), + VIVOPAY_IDS(), diff --git a/queue-6.6/usb-vli-disk-crashes-if-lpm-is-used.patch b/queue-6.6/usb-vli-disk-crashes-if-lpm-is-used.patch new file mode 100644 index 0000000000..d3722ebbac --- /dev/null +++ b/queue-6.6/usb-vli-disk-crashes-if-lpm-is-used.patch @@ -0,0 +1,31 @@ +From e00b39a4f3552c730f1e24c8d62c4a8c6aad4e5d Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 8 Apr 2025 15:57:46 +0200 +Subject: USB: VLI disk crashes if LPM is used + +From: Oliver Neukum + +commit e00b39a4f3552c730f1e24c8d62c4a8c6aad4e5d upstream. + +This device needs the NO_LPM quirk. + +Cc: stable +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20250408135800.792515-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -542,6 +542,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x2040, 0x7200), .driver_info = + USB_QUIRK_CONFIG_INTF_STRINGS }, + ++ /* VLI disk */ ++ { USB_DEVICE(0x2109, 0x0711), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* Raydium Touchscreen */ + { USB_DEVICE(0x2386, 0x3114), .driver_info = USB_QUIRK_NO_LPM }, + diff --git a/queue-6.6/usb-wdm-add-annotation.patch b/queue-6.6/usb-wdm-add-annotation.patch new file mode 100644 index 0000000000..4eaaaff975 --- /dev/null +++ b/queue-6.6/usb-wdm-add-annotation.patch @@ -0,0 +1,31 @@ +From 73e9cc1ffd3650b12c4eb059dfdafd56e725ceda Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 1 Apr 2025 10:45:41 +0200 +Subject: USB: wdm: add annotation + +From: Oliver Neukum + +commit 73e9cc1ffd3650b12c4eb059dfdafd56e725ceda upstream. + +This is not understandable without a comment on endianness + +Fixes: afba937e540c9 ("USB: CDC WDM driver") +Cc: stable +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20250401084749.175246-5-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-wdm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -909,7 +909,7 @@ static int wdm_wwan_port_tx(struct wwan_ + req->bRequestType = (USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE); + req->bRequest = USB_CDC_SEND_ENCAPSULATED_COMMAND; + req->wValue = 0; +- req->wIndex = desc->inum; ++ req->wIndex = desc->inum; /* already converted */ + req->wLength = cpu_to_le16(skb->len); + + skb_shinfo(skb)->destructor_arg = desc; diff --git a/queue-6.6/usb-wdm-close-race-between-wdm_open-and-wdm_wwan_port_stop.patch b/queue-6.6/usb-wdm-close-race-between-wdm_open-and-wdm_wwan_port_stop.patch new file mode 100644 index 0000000000..9143e2eaff --- /dev/null +++ b/queue-6.6/usb-wdm-close-race-between-wdm_open-and-wdm_wwan_port_stop.patch @@ -0,0 +1,44 @@ +From c1846ed4eb527bdfe6b3b7dd2c78e2af4bf98f4f Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 1 Apr 2025 10:45:39 +0200 +Subject: USB: wdm: close race between wdm_open and wdm_wwan_port_stop + +From: Oliver Neukum + +commit c1846ed4eb527bdfe6b3b7dd2c78e2af4bf98f4f upstream. + +Clearing WDM_WWAN_IN_USE must be the last action or +we can open a chardev whose URBs are still poisoned + +Fixes: cac6fb015f71 ("usb: class: cdc-wdm: WWAN framework integration") +Cc: stable +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20250401084749.175246-3-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-wdm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -726,7 +726,7 @@ static int wdm_open(struct inode *inode, + rv = -EBUSY; + goto out; + } +- ++ smp_rmb(); /* ordered against wdm_wwan_port_stop() */ + rv = usb_autopm_get_interface(desc->intf); + if (rv < 0) { + dev_err(&desc->intf->dev, "Error autopm - %d\n", rv); +@@ -868,8 +868,10 @@ static void wdm_wwan_port_stop(struct ww + poison_urbs(desc); + desc->manage_power(desc->intf, 0); + clear_bit(WDM_READ, &desc->flags); +- clear_bit(WDM_WWAN_IN_USE, &desc->flags); + unpoison_urbs(desc); ++ smp_wmb(); /* ordered against wdm_open() */ ++ /* this must be last lest we open a poisoned device */ ++ clear_bit(WDM_WWAN_IN_USE, &desc->flags); + } + + static void wdm_wwan_port_tx_complete(struct urb *urb) diff --git a/queue-6.6/usb-wdm-handle-io-errors-in-wdm_wwan_port_start.patch b/queue-6.6/usb-wdm-handle-io-errors-in-wdm_wwan_port_start.patch new file mode 100644 index 0000000000..bbdd9342c2 --- /dev/null +++ b/queue-6.6/usb-wdm-handle-io-errors-in-wdm_wwan_port_start.patch @@ -0,0 +1,48 @@ +From 9697f5efcf5fdea65b8390b5eb81bebe746ceedc Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 1 Apr 2025 10:45:38 +0200 +Subject: USB: wdm: handle IO errors in wdm_wwan_port_start + +From: Oliver Neukum + +commit 9697f5efcf5fdea65b8390b5eb81bebe746ceedc upstream. + +In case submitting the URB fails we must undo +what we've done so far. + +Fixes: cac6fb015f71 ("usb: class: cdc-wdm: WWAN framework integration") +Cc: stable +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20250401084749.175246-2-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-wdm.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -829,6 +829,7 @@ static struct usb_class_driver wdm_class + static int wdm_wwan_port_start(struct wwan_port *port) + { + struct wdm_device *desc = wwan_port_get_drvdata(port); ++ int rv; + + /* The interface is both exposed via the WWAN framework and as a + * legacy usbmisc chardev. If chardev is already open, just fail +@@ -848,7 +849,15 @@ static int wdm_wwan_port_start(struct ww + wwan_port_txon(port); + + /* Start getting events */ +- return usb_submit_urb(desc->validity, GFP_KERNEL); ++ rv = usb_submit_urb(desc->validity, GFP_KERNEL); ++ if (rv < 0) { ++ wwan_port_txoff(port); ++ desc->manage_power(desc->intf, 0); ++ /* this must be last lest we race with chardev open */ ++ clear_bit(WDM_WWAN_IN_USE, &desc->flags); ++ } ++ ++ return rv; + } + + static void wdm_wwan_port_stop(struct wwan_port *port) diff --git a/queue-6.6/usb-wdm-wdm_wwan_port_tx_complete-mutex-in-atomic-context.patch b/queue-6.6/usb-wdm-wdm_wwan_port_tx_complete-mutex-in-atomic-context.patch new file mode 100644 index 0000000000..464028900a --- /dev/null +++ b/queue-6.6/usb-wdm-wdm_wwan_port_tx_complete-mutex-in-atomic-context.patch @@ -0,0 +1,34 @@ +From 1fdc4dca350c0b8ada0b8ebf212504e1ad55e511 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 1 Apr 2025 10:45:40 +0200 +Subject: USB: wdm: wdm_wwan_port_tx_complete mutex in atomic context + +From: Oliver Neukum + +commit 1fdc4dca350c0b8ada0b8ebf212504e1ad55e511 upstream. + +wdm_wwan_port_tx_complete is called from a completion +handler with irqs disabled and possible in IRQ context +usb_autopm_put_interface can take a mutex. +Hence usb_autopm_put_interface_async must be used. + +Fixes: cac6fb015f71 ("usb: class: cdc-wdm: WWAN framework integration") +Cc: stable +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20250401084749.175246-4-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-wdm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -879,7 +879,7 @@ static void wdm_wwan_port_tx_complete(st + struct sk_buff *skb = urb->context; + struct wdm_device *desc = skb_shinfo(skb)->destructor_arg; + +- usb_autopm_put_interface(desc->intf); ++ usb_autopm_put_interface_async(desc->intf); + wwan_port_txon(desc->wwanp); + kfree_skb(skb); + } diff --git a/queue-6.6/usb-xhci-fix-invalid-pointer-dereference-in-etron-workaround.patch b/queue-6.6/usb-xhci-fix-invalid-pointer-dereference-in-etron-workaround.patch new file mode 100644 index 0000000000..ed29162d1d --- /dev/null +++ b/queue-6.6/usb-xhci-fix-invalid-pointer-dereference-in-etron-workaround.patch @@ -0,0 +1,46 @@ +From 1ea050da5562af9b930d17cbbe9632d30f5df43a Mon Sep 17 00:00:00 2001 +From: Michal Pecio +Date: Thu, 10 Apr 2025 18:18:26 +0300 +Subject: usb: xhci: Fix invalid pointer dereference in Etron workaround + +From: Michal Pecio + +commit 1ea050da5562af9b930d17cbbe9632d30f5df43a upstream. + +This check is performed before prepare_transfer() and prepare_ring(), so +enqueue can already point at the final link TRB of a segment. And indeed +it will, some 0.4% of times this code is called. + +Then enqueue + 1 is an invalid pointer. It will crash the kernel right +away or load some junk which may look like a link TRB and cause the real +link TRB to be replaced with a NOOP. This wouldn't end well. + +Use a functionally equivalent test which doesn't dereference the pointer +and always gives correct result. + +Something has crashed my machine twice in recent days while playing with +an Etron HC, and a control transfer stress test ran for confirmation has +just crashed it again. The same test passes with this patch applied. + +Fixes: 5e1c67abc930 ("xhci: Fix control transfer error on Etron xHCI host") +Cc: stable@vger.kernel.org +Signed-off-by: Michal Pecio +Signed-off-by: Mathias Nyman +Reviewed-by: Kuangyi Chiang +Link: https://lore.kernel.org/r/20250410151828.2868740-5-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-ring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -3876,7 +3876,7 @@ int xhci_queue_ctrl_tx(struct xhci_hcd * + * enqueue a No Op TRB, this can prevent the Setup and Data Stage + * TRB to be breaked by the Link TRB. + */ +- if (trb_is_link(ep_ring->enqueue + 1)) { ++ if (last_trb_on_seg(ep_ring->enq_seg, ep_ring->enqueue + 1)) { + field = TRB_TYPE(TRB_TR_NOOP) | ep_ring->cycle_state; + queue_trb(xhci, ep_ring, false, 0, 0, + TRB_INTR_TARGET(0), field);