From: Greg Kroah-Hartman Date: Thu, 12 Dec 2024 13:39:26 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v5.4.287~16 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=82043ed2b422461ac5bfaf803bb6450af6fdd370;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: bluetooth-mgmt-fix-possible-deadlocks.patch drm-msm-devfreq_gov_simple_ondemand-is-no-longer-needed.patch fs-ntfs3-sequential-field-availability-check-in-mi_enum_attr.patch i3c-master-remove-i3c_dev_disable_ibi_locked-olddev-on-device-hotjoin.patch i3c-master-svc-fix-possible-assignment-of-the-same-address-to-two-devices.patch i3c-master-svc-fix-use-after-free-vulnerability-in-svc_i3c_master-driver-due-to-race-condition.patch pm-devfreq-fix-build-issues-with-devfreq-disabled.patch serial-amba-pl011-fix-build-regression.patch usb-dwc3-ep0-don-t-reset-resource-alloc-flag.patch --- diff --git a/queue-6.1/bluetooth-mgmt-fix-possible-deadlocks.patch b/queue-6.1/bluetooth-mgmt-fix-possible-deadlocks.patch new file mode 100644 index 00000000000..592df247f4f --- /dev/null +++ b/queue-6.1/bluetooth-mgmt-fix-possible-deadlocks.patch @@ -0,0 +1,145 @@ +From a66dfaf18fd61bb75ef8cee83db46b2aadf153d0 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Thu, 21 Nov 2024 11:09:22 -0500 +Subject: Bluetooth: MGMT: Fix possible deadlocks + +From: Luiz Augusto von Dentz + +commit a66dfaf18fd61bb75ef8cee83db46b2aadf153d0 upstream. + +This fixes possible deadlocks like the following caused by +hci_cmd_sync_dequeue causing the destroy function to run: + + INFO: task kworker/u19:0:143 blocked for more than 120 seconds. + Tainted: G W O 6.8.0-2024-03-19-intel-next-iLS-24ww14 #1 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + task:kworker/u19:0 state:D stack:0 pid:143 tgid:143 ppid:2 flags:0x00004000 + Workqueue: hci0 hci_cmd_sync_work [bluetooth] + Call Trace: + + __schedule+0x374/0xaf0 + schedule+0x3c/0xf0 + schedule_preempt_disabled+0x1c/0x30 + __mutex_lock.constprop.0+0x3ef/0x7a0 + __mutex_lock_slowpath+0x13/0x20 + mutex_lock+0x3c/0x50 + mgmt_set_connectable_complete+0xa4/0x150 [bluetooth] + ? kfree+0x211/0x2a0 + hci_cmd_sync_dequeue+0xae/0x130 [bluetooth] + ? __pfx_cmd_complete_rsp+0x10/0x10 [bluetooth] + cmd_complete_rsp+0x26/0x80 [bluetooth] + mgmt_pending_foreach+0x4d/0x70 [bluetooth] + __mgmt_power_off+0x8d/0x180 [bluetooth] + ? _raw_spin_unlock_irq+0x23/0x40 + hci_dev_close_sync+0x445/0x5b0 [bluetooth] + hci_set_powered_sync+0x149/0x250 [bluetooth] + set_powered_sync+0x24/0x60 [bluetooth] + hci_cmd_sync_work+0x90/0x150 [bluetooth] + process_one_work+0x13e/0x300 + worker_thread+0x2f7/0x420 + ? __pfx_worker_thread+0x10/0x10 + kthread+0x107/0x140 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x3d/0x60 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1b/0x30 + + +Tested-by: Kiran K +Fixes: f53e1c9c726d ("Bluetooth: MGMT: Fix possible crash on mgmt_index_removed") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/mgmt.c | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -1521,7 +1521,8 @@ static void mgmt_set_discoverable_comple + bt_dev_dbg(hdev, "err %d", err); + + /* Make sure cmd still outstanding. */ +- if (cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev)) ++ if (err == -ECANCELED || ++ cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev)) + return; + + hci_dev_lock(hdev); +@@ -1695,7 +1696,8 @@ static void mgmt_set_connectable_complet + bt_dev_dbg(hdev, "err %d", err); + + /* Make sure cmd still outstanding. */ +- if (cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) ++ if (err == -ECANCELED || ++ cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) + return; + + hci_dev_lock(hdev); +@@ -1928,7 +1930,7 @@ static void set_ssp_complete(struct hci_ + bool changed; + + /* Make sure cmd still outstanding. */ +- if (cmd != pending_find(MGMT_OP_SET_SSP, hdev)) ++ if (err == -ECANCELED || cmd != pending_find(MGMT_OP_SET_SSP, hdev)) + return; + + if (err) { +@@ -3853,7 +3855,8 @@ static void set_name_complete(struct hci + + bt_dev_dbg(hdev, "err %d", err); + +- if (cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev)) ++ if (err == -ECANCELED || ++ cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev)) + return; + + if (status) { +@@ -4028,7 +4031,8 @@ static void set_default_phy_complete(str + struct sk_buff *skb = cmd->skb; + u8 status = mgmt_status(err); + +- if (cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) ++ if (err == -ECANCELED || ++ cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) + return; + + if (!status) { +@@ -5919,13 +5923,16 @@ static void start_discovery_complete(str + { + struct mgmt_pending_cmd *cmd = data; + ++ bt_dev_dbg(hdev, "err %d", err); ++ ++ if (err == -ECANCELED) ++ return; ++ + if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) && + cmd != pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) && + cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev)) + return; + +- bt_dev_dbg(hdev, "err %d", err); +- + mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(err), + cmd->param, 1); + mgmt_pending_remove(cmd); +@@ -6158,7 +6165,8 @@ static void stop_discovery_complete(stru + { + struct mgmt_pending_cmd *cmd = data; + +- if (cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev)) ++ if (err == -ECANCELED || ++ cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev)) + return; + + bt_dev_dbg(hdev, "err %d", err); +@@ -8105,7 +8113,8 @@ static void read_local_oob_ext_data_comp + u8 status = mgmt_status(err); + u16 eir_len; + +- if (cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev)) ++ if (err == -ECANCELED || ++ cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev)) + return; + + if (!status) { diff --git a/queue-6.1/checkpatch-always-parse-orig_commit-in-fixes-tag.patch b/queue-6.1/checkpatch-always-parse-orig_commit-in-fixes-tag.patch deleted file mode 100644 index 69a286dbf3b..00000000000 --- a/queue-6.1/checkpatch-always-parse-orig_commit-in-fixes-tag.patch +++ /dev/null @@ -1,120 +0,0 @@ -From e62b1abfe399d2220fa072c493f54ee685d3fbdc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 25 Oct 2024 19:43:19 -0400 -Subject: checkpatch: always parse orig_commit in fixes tag -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Tamir Duberstein - -[ Upstream commit 2f07b652384969f5d0b317e1daa5f2eb967bc73d ] - -Do not require the presence of `$balanced_parens` to get the commit SHA; -this allows a `Fixes: deadbeef` tag to get a correct suggestion rather -than a suggestion containing a reference to HEAD. - -Given this patch: - -: From: Tamir Duberstein -: Subject: Test patch -: Date: Fri, 25 Oct 2024 19:30:51 -0400 -: -: This is a test patch. -: -: Fixes: bd17e036b495 -: Signed-off-by: Tamir Duberstein -: --- /dev/null -: +++ b/new-file -: @@ -0,0 +1 @@ -: +Test. - -Before: - -WARNING: Please use correct Fixes: style 'Fixes: <12 chars of sha1> ("")' - ie: 'Fixes: c10a7d25e68f ("Test patch")' - -After: - -WARNING: Please use correct Fixes: style 'Fixes: <12 chars of sha1> ("<title line>")' - ie: 'Fixes: bd17e036b495 ("checkpatch: warn for non-standard fixes tag style")' - -The prior behavior incorrectly suggested the patch's own SHA and title -line rather than the referenced commit's. This fixes that. - -Ironically this: - -Fixes: bd17e036b495 ("checkpatch: warn for non-standard fixes tag style") -Signed-off-by: Tamir Duberstein <tamird@gmail.com> -Cc: Andy Whitcroft <apw@canonical.com> -Cc: Dwaipayan Ray <dwaipayanray1@gmail.com> -Cc: Joe Perches <joe@perches.com> -Cc: Louis Peens <louis.peens@corigine.com> -Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com> -Cc: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se> -Cc: Philippe Schenker <philippe.schenker@toradex.com> -Cc: Simon Horman <horms@kernel.org> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - scripts/checkpatch.pl | 37 ++++++++++++++++--------------------- - 1 file changed, 16 insertions(+), 21 deletions(-) - -diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl -index 9ec205e6d48e2..12742da6504e0 100755 ---- a/scripts/checkpatch.pl -+++ b/scripts/checkpatch.pl -@@ -3177,36 +3177,31 @@ sub process { - - # Check Fixes: styles is correct - if (!$in_header_lines && -- $line =~ /^\s*fixes:?\s*(?:commit\s*)?[0-9a-f]{5,}\b/i) { -- my $orig_commit = ""; -- my $id = "0123456789ab"; -- my $title = "commit title"; -- my $tag_case = 1; -- my $tag_space = 1; -- my $id_length = 1; -- my $id_case = 1; -+ $line =~ /^\s*(fixes:?)\s*(?:commit\s*)?([0-9a-f]{5,40})(?:\s*($balanced_parens))?/i) { -+ my $tag = $1; -+ my $orig_commit = $2; -+ my $title; - my $title_has_quotes = 0; - $fixes_tag = 1; -- -- if ($line =~ /(\s*fixes:?)\s+([0-9a-f]{5,})\s+($balanced_parens)/i) { -- my $tag = $1; -- $orig_commit = $2; -- $title = $3; -- -- $tag_case = 0 if $tag eq "Fixes:"; -- $tag_space = 0 if ($line =~ /^fixes:? [0-9a-f]{5,} ($balanced_parens)/i); -- -- $id_length = 0 if ($orig_commit =~ /^[0-9a-f]{12}$/i); -- $id_case = 0 if ($orig_commit !~ /[A-F]/); -- -+ if (defined $3) { - # Always strip leading/trailing parens then double quotes if existing -- $title = substr($title, 1, -1); -+ $title = substr($3, 1, -1); - if ($title =~ /^".*"$/) { - $title = substr($title, 1, -1); - $title_has_quotes = 1; - } -+ } else { -+ $title = "commit title" - } - -+ -+ my $tag_case = not ($tag eq "Fixes:"); -+ my $tag_space = not ($line =~ /^fixes:? [0-9a-f]{5,40} ($balanced_parens)/i); -+ -+ my $id_length = not ($orig_commit =~ /^[0-9a-f]{12}$/i); -+ my $id_case = not ($orig_commit !~ /[A-F]/); -+ -+ my $id = "0123456789ab"; - my ($cid, $ctitle) = git_commit_info($orig_commit, $id, - $title); - --- -2.43.0 - diff --git a/queue-6.1/checkpatch-check-for-missing-fixes-tags.patch b/queue-6.1/checkpatch-check-for-missing-fixes-tags.patch deleted file mode 100644 index 58384753eca..00000000000 --- a/queue-6.1/checkpatch-check-for-missing-fixes-tags.patch +++ /dev/null @@ -1,147 +0,0 @@ -From 96377d94dc9d87416d293a5c17ac5f9c0bc86336 Mon Sep 17 00:00:00 2001 -From: Sasha Levin <sashal@kernel.org> -Date: Tue, 11 Jun 2024 16:43:29 +0300 -Subject: checkpatch: check for missing Fixes tags - -From: Dan Carpenter <dan.carpenter@linaro.org> - -[ Upstream commit d5d6281ae8e0c929c3ff188652f5b12c680fe8bf ] - -This check looks for common words that probably indicate a patch -is a fix. For now the regex is: - - (?:(?:BUG: K.|UB)SAN: |Call Trace:|stable\@|syzkaller)/) - -Why are stable patches encouraged to have a fixes tag? Some people mark -their stable patches as "# 5.10" etc. This is useful but a Fixes tag is -still a good idea. For example, the Fixes tag helps in review. It -helps people to not cherry-pick buggy patches without also -cherry-picking the fix. - -Also if a bug affects the 5.7 kernel some people will round it up to -5.10+ because 5.7 is not supported on kernel.org. It's possible the Bad -Binder bug was caused by this sort of gap where companies outside of -kernel.org are supporting different kernels from kernel.org. - -Should it be counted as a Fix when a patch just silences harmless -WARN_ON() stack trace. Yes. Definitely. - -Is silencing compiler warnings a fix? It seems unfair to the original -authors, but we use -Werror now, and warnings break the build so let's -just add Fixes tags. I tell people that silencing static checker -warnings is not a fix but the rules on this vary by subsystem. - -Is fixing a minor LTP issue (Linux Test Project) a fix? Probably? It's -hard to know what to do if the LTP test has technically always been -broken. - -One clear false positive from this check is when someone updated their -debug output and included before and after Call Traces. Or when crashes -are introduced deliberately for testing. In those cases, you should -just ignore checkpatch. - -Link: https://lkml.kernel.org/r/ZmhUgZBKeF_8ixA6@moroto -Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> -Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Reviewed-by: Kees Cook <keescook@chromium.org> -Cc: Andy Whitcroft <apw@canonical.com> -Cc: Arnd Bergmann <arnd@arndb.de> -Cc: Dwaipayan Ray <dwaipayanray1@gmail.com> -Cc: Joe Perches <joe@perches.com> -Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com> -Cc: Sasha Levin <sashal@kernel.org> -Cc: Thorsten Leemhuis <linux@leemhuis.info> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Stable-dep-of: 2f07b6523849 ("checkpatch: always parse orig_commit in fixes tag") -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - scripts/checkpatch.pl | 24 ++++++++++++++++++++++++ - 1 file changed, 24 insertions(+) - -diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl -index 32dc82c0c7ace..9ec205e6d48e2 100755 ---- a/scripts/checkpatch.pl -+++ b/scripts/checkpatch.pl -@@ -28,6 +28,7 @@ my %verbose_messages = (); - my %verbose_emitted = (); - my $tree = 1; - my $chk_signoff = 1; -+my $chk_fixes_tag = 1; - my $chk_patch = 1; - my $tst_only; - my $emacs = 0; -@@ -86,6 +87,7 @@ Options: - -v, --verbose verbose mode - --no-tree run without a kernel tree - --no-signoff do not check for 'Signed-off-by' line -+ --no-fixes-tag do not check for 'Fixes:' tag - --patch treat FILE as patchfile (default) - --emacs emacs compile window format - --terse one line per report -@@ -293,6 +295,7 @@ GetOptions( - 'v|verbose!' => \$verbose, - 'tree!' => \$tree, - 'signoff!' => \$chk_signoff, -+ 'fixes-tag!' => \$chk_fixes_tag, - 'patch!' => \$chk_patch, - 'emacs!' => \$emacs, - 'terse!' => \$terse, -@@ -1225,6 +1228,7 @@ sub git_commit_info { - } - - $chk_signoff = 0 if ($file); -+$chk_fixes_tag = 0 if ($file); - - my @rawlines = (); - my @lines = (); -@@ -2604,6 +2608,9 @@ sub process { - - our $clean = 1; - my $signoff = 0; -+ my $fixes_tag = 0; -+ my $is_revert = 0; -+ my $needs_fixes_tag = ""; - my $author = ''; - my $authorsignoff = 0; - my $author_sob = ''; -@@ -3157,6 +3164,16 @@ sub process { - } - } - -+# These indicate a bug fix -+ if (!$in_header_lines && !$is_patch && -+ $line =~ /^This reverts commit/) { -+ $is_revert = 1; -+ } -+ -+ if (!$in_header_lines && !$is_patch && -+ $line =~ /((?:(?:BUG: K.|UB)SAN: |Call Trace:|stable\@|syzkaller))/) { -+ $needs_fixes_tag = $1; -+ } - - # Check Fixes: styles is correct - if (!$in_header_lines && -@@ -3169,6 +3186,7 @@ sub process { - my $id_length = 1; - my $id_case = 1; - my $title_has_quotes = 0; -+ $fixes_tag = 1; - - if ($line =~ /(\s*fixes:?)\s+([0-9a-f]{5,})\s+($balanced_parens)/i) { - my $tag = $1; -@@ -7539,6 +7557,12 @@ sub process { - ERROR("NOT_UNIFIED_DIFF", - "Does not appear to be a unified-diff format patch\n"); - } -+ if ($is_patch && $has_commit_log && $chk_fixes_tag) { -+ if ($needs_fixes_tag ne "" && !$is_revert && !$fixes_tag) { -+ WARN("MISSING_FIXES_TAG", -+ "The commit message has '$needs_fixes_tag', perhaps it also needs a 'Fixes:' tag?\n"); -+ } -+ } - if ($is_patch && $has_commit_log && $chk_signoff) { - if ($signoff == 0) { - ERROR("MISSING_SIGN_OFF", --- -2.43.0 - diff --git a/queue-6.1/checkpatch-warn-when-reported-by-is-not-followed-by-.patch b/queue-6.1/checkpatch-warn-when-reported-by-is-not-followed-by-.patch deleted file mode 100644 index 9e302b415ee..00000000000 --- a/queue-6.1/checkpatch-warn-when-reported-by-is-not-followed-by-.patch +++ /dev/null @@ -1,88 +0,0 @@ -From 3d244247e264a8ff5ffc3be98e47291c8abc9673 Mon Sep 17 00:00:00 2001 -From: Sasha Levin <sashal@kernel.org> -Date: Fri, 20 Jan 2023 13:35:19 +0100 -Subject: checkpatch: warn when Reported-by: is not followed by Link: -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Kai Wasserbäch <kai@dev.carbon-project.org> - -[ Upstream commit d7f1d71e5ef630ab9e15b5821d297a9e1a5fa1da ] - -Encourage patch authors to link to reports by issuing a warning, if a -Reported-by: is not accompanied by a link to the report. Those links are -often extremely useful for any code archaeologist that wants to know more -about the backstory of a change than the commit message provides. That -includes maintainers higher up in the patch-flow hierarchy, which is why -Linus asks developers to add such links [1, 2, 3]. To quote [1]: - -> Again, the commit has a link to the patch *submission*, which is -> almost entirely useless. There's no link to the actual problem the -> patch fixes. -> -> [...] -> -> Put another way: I can see that -> -> Reported-by: Zhangfei Gao <zhangfei.gao@foxmail.com> -> -> in the commit, but I don't have a clue what the actual report was, and -> there really isn't enough information in the commit itself, except for -> a fairly handwavy "Device drivers might, for instance, still need to -> flush operations.." -> -> I don't want to know what device drivers _might_ do. I would want to -> have an actual pointer to what they do and where. - -Another reason why these links are wanted: the ongoing regression tracking -efforts can only scale with them, as they allow the regression tracking -bot 'regzbot' to automatically connect tracked reports with patches that -are posted or committed to fix tracked regressions. - -Link: https://lore.kernel.org/all/CAHk-=wjMmSZzMJ3Xnskdg4+GGz=5p5p+GSYyFBTh0f-DgvdBWg@mail.gmail.com/ [1] -Link: https://lore.kernel.org/all/CAHk-=wgs38ZrfPvy=nOwVkVzjpM3VFU1zobP37Fwd_h9iAD5JQ@mail.gmail.com/ [2] -Link: https://lore.kernel.org/all/CAHk-=wjxzafG-=J8oT30s7upn4RhBs6TX-uVFZ5rME+L5_DoJA@mail.gmail.com/ [3] -Link: https://lkml.kernel.org/r/bb5dfd55ea2026303ab2296f4a6df3da7dd64006.1674217480.git.linux@leemhuis.info -Signed-off-by: Kai Wasserbäch <kai@dev.carbon-project.org> -Co-developed-by: Thorsten Leemhuis <linux@leemhuis.info> -Signed-off-by: Thorsten Leemhuis <linux@leemhuis.info> -Cc: Andy Whitcroft <apw@canonical.com> -Cc: Dwaipayan Ray <dwaipayanray1@gmail.com> -Cc: Joe Perches <joe@perches.com> -Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Stable-dep-of: 2f07b6523849 ("checkpatch: always parse orig_commit in fixes tag") -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - scripts/checkpatch.pl | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl -index ecf4250b0d2d2..32dc82c0c7ace 100755 ---- a/scripts/checkpatch.pl -+++ b/scripts/checkpatch.pl -@@ -3144,8 +3144,20 @@ sub process { - "Co-developed-by and Signed-off-by: name/email do not match \n" . "$here\n" . $rawline . "\n" .$rawlines[$linenr]); - } - } -+ -+# check if Reported-by: is followed by a Link: -+ if ($sign_off =~ /^reported(?:|-and-tested)-by:$/i) { -+ if (!defined $lines[$linenr]) { -+ WARN("BAD_REPORTED_BY_LINK", -+ "Reported-by: should be immediately followed by Link: to the report\n" . $herecurr . $rawlines[$linenr] . "\n"); -+ } elsif ($rawlines[$linenr] !~ m{^link:\s*https?://}i) { -+ WARN("BAD_REPORTED_BY_LINK", -+ "Reported-by: should be immediately followed by Link: with a URL to the report\n" . $herecurr . $rawlines[$linenr] . "\n"); -+ } -+ } - } - -+ - # Check Fixes: styles is correct - if (!$in_header_lines && - $line =~ /^\s*fixes:?\s*(?:commit\s*)?[0-9a-f]{5,}\b/i) { --- -2.43.0 - diff --git a/queue-6.1/drm-msm-devfreq_gov_simple_ondemand-is-no-longer-needed.patch b/queue-6.1/drm-msm-devfreq_gov_simple_ondemand-is-no-longer-needed.patch new file mode 100644 index 00000000000..32c97806554 --- /dev/null +++ b/queue-6.1/drm-msm-devfreq_gov_simple_ondemand-is-no-longer-needed.patch @@ -0,0 +1,44 @@ +From a722511b18268bd1f7084eee243af416b85f288f Mon Sep 17 00:00:00 2001 +From: Randy Dunlap <rdunlap@infradead.org> +Date: Sun, 19 Feb 2023 17:04:28 -0800 +Subject: drm/msm: DEVFREQ_GOV_SIMPLE_ONDEMAND is no longer needed + +From: Randy Dunlap <rdunlap@infradead.org> + +commit a722511b18268bd1f7084eee243af416b85f288f upstream. + +DRM_MSM no longer needs DEVFREQ_GOV_SIMPLE_ONDEMAND (since commit +dbd7a2a941b8 ("PM / devfreq: Fix build issues with devfreq disabled") +in linux-next), so remove that select from the DRM_MSM Kconfig file. + +Fixes: 6563f60f14cb ("drm/msm/gpu: Add devfreq tuning debugfs") +Signed-off-by: Randy Dunlap <rdunlap@infradead.org> +Cc: Rob Clark <robdclark@gmail.com> +Cc: Abhinav Kumar <quic_abhinavk@quicinc.com> +Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> +Cc: Sean Paul <sean@poorly.run> +Cc: David Airlie <airlied@gmail.com> +Cc: Daniel Vetter <daniel@ffwll.ch> +Cc: linux-arm-msm@vger.kernel.org +Cc: dri-devel@lists.freedesktop.org +Cc: freedreno@lists.freedesktop.org +Reviewed-by: Rob Clark <robdclark@gmail.com> +Patchwork: https://patchwork.freedesktop.org/patch/523353/ +Link: https://lore.kernel.org/r/20230220010428.16910-1-rdunlap@infradead.org +[rob: tweak commit message to make checkpatch.pl happy] +Signed-off-by: Rob Clark <robdclark@chromium.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/gpu/drm/msm/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/gpu/drm/msm/Kconfig ++++ b/drivers/gpu/drm/msm/Kconfig +@@ -23,7 +23,6 @@ config DRM_MSM + select SHMEM + select TMPFS + select QCOM_SCM +- select DEVFREQ_GOV_SIMPLE_ONDEMAND + select WANT_DEV_COREDUMP + select SND_SOC_HDMI_CODEC if SND_SOC + select SYNC_FILE diff --git a/queue-6.1/fs-ntfs3-sequential-field-availability-check-in-mi_enum_attr.patch b/queue-6.1/fs-ntfs3-sequential-field-availability-check-in-mi_enum_attr.patch new file mode 100644 index 00000000000..0c4e0c2009e --- /dev/null +++ b/queue-6.1/fs-ntfs3-sequential-field-availability-check-in-mi_enum_attr.patch @@ -0,0 +1,71 @@ +From 090f612756a9720ec18b0b130e28be49839d7cb5 Mon Sep 17 00:00:00 2001 +From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> +Date: Thu, 5 Sep 2024 15:03:48 +0300 +Subject: fs/ntfs3: Sequential field availability check in mi_enum_attr() + +From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> + +commit 090f612756a9720ec18b0b130e28be49839d7cb5 upstream. + +The code is slightly reformatted to consistently check field availability +without duplication. + +Fixes: 556bdf27c2dd ("ntfs3: Add bounds checking to mi_enum_attr()") +Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/ntfs3/record.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/fs/ntfs3/record.c ++++ b/fs/ntfs3/record.c +@@ -231,6 +231,7 @@ struct ATTRIB *mi_enum_attr(struct mft_i + } + + /* Can we use the first field (attr->type). */ ++ /* NOTE: this code also checks attr->size availability. */ + if (off + 8 > used) { + static_assert(ALIGN(sizeof(enum ATTR_TYPE), 8) == 8); + return NULL; +@@ -251,10 +252,6 @@ struct ATTRIB *mi_enum_attr(struct mft_i + return NULL; + + asize = le32_to_cpu(attr->size); +- if (asize < SIZEOF_RESIDENT) { +- /* Impossible 'cause we should not return such attribute. */ +- return NULL; +- } + + /* Check overflow and boundary. */ + if (off + asize < off || off + asize > used) +@@ -285,6 +282,10 @@ struct ATTRIB *mi_enum_attr(struct mft_i + if (attr->non_res != 1) + return NULL; + ++ /* Can we use memory including attr->nres.valid_size? */ ++ if (asize < SIZEOF_NONRESIDENT) ++ return NULL; ++ + t16 = le16_to_cpu(attr->nres.run_off); + if (t16 > asize) + return NULL; +@@ -311,7 +312,8 @@ struct ATTRIB *mi_enum_attr(struct mft_i + + if (!attr->nres.svcn && is_attr_ext(attr)) { + /* First segment of sparse/compressed attribute */ +- if (asize + 8 < SIZEOF_NONRESIDENT_EX) ++ /* Can we use memory including attr->nres.total_size? */ ++ if (asize < SIZEOF_NONRESIDENT_EX) + return NULL; + + tot_size = le64_to_cpu(attr->nres.total_size); +@@ -321,9 +323,6 @@ struct ATTRIB *mi_enum_attr(struct mft_i + if (tot_size > alloc_size) + return NULL; + } else { +- if (asize + 8 < SIZEOF_NONRESIDENT) +- return NULL; +- + if (attr->nres.c_unit) + return NULL; + } diff --git a/queue-6.1/i3c-master-remove-i3c_dev_disable_ibi_locked-olddev-on-device-hotjoin.patch b/queue-6.1/i3c-master-remove-i3c_dev_disable_ibi_locked-olddev-on-device-hotjoin.patch new file mode 100644 index 00000000000..fe739f44751 --- /dev/null +++ b/queue-6.1/i3c-master-remove-i3c_dev_disable_ibi_locked-olddev-on-device-hotjoin.patch @@ -0,0 +1,76 @@ +From 36faa04ce3d9c962b4b29d285ad07ca29e2988e4 Mon Sep 17 00:00:00 2001 +From: Frank Li <Frank.Li@nxp.com> +Date: Tue, 1 Oct 2024 12:22:32 -0400 +Subject: i3c: master: Remove i3c_dev_disable_ibi_locked(olddev) on device hotjoin + +From: Frank Li <Frank.Li@nxp.com> + +commit 36faa04ce3d9c962b4b29d285ad07ca29e2988e4 upstream. + +When a new device hotjoins, a new dynamic address is assigned. +i3c_master_add_i3c_dev_locked() identifies that the device was previously +attached to the bus and locates the olddev. + +i3c_master_add_i3c_dev_locked() +{ + ... + olddev = i3c_master_search_i3c_dev_duplicate(newdev); + ... + if (olddev) { + ... + i3c_dev_disable_ibi_locked(olddev); + ^^^^^^ + The olddev should not receive any commands on the i3c bus as it + does not exist and has been assigned a new address. This will + result in NACK or timeout. So remove it. + } + + i3c_dev_free_ibi_locked(olddev); + ^^^^^^^^ + This function internally calls i3c_dev_disable_ibi_locked() function + causing to send DISEC command with old Address. + + The olddev should not receive any commands on the i3c bus as it + does not exist and has been assigned a new address. This will + result in NACK or timeout. So, update the olddev->ibi->enabled + flag to false to avoid DISEC with OldAddr. +} + +Include part of Ravindra Yashvant Shinde's work: +https://lore.kernel.org/linux-i3c/20240820151917.3904956-1-ravindra.yashvant.shinde@nxp.com/T/#u + +Fixes: 317bacf960a4 ("i3c: master: add enable(disable) hot join in sys entry") +Co-developed-by: Ravindra Yashvant Shinde <ravindra.yashvant.shinde@nxp.com> +Signed-off-by: Ravindra Yashvant Shinde <ravindra.yashvant.shinde@nxp.com> +Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> +Signed-off-by: Frank Li <Frank.Li@nxp.com> +Link: https://lore.kernel.org/r/20241001162232.223724-1-Frank.Li@nxp.com +Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/i3c/master.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/i3c/master.c ++++ b/drivers/i3c/master.c +@@ -2031,11 +2031,16 @@ int i3c_master_add_i3c_dev_locked(struct + ibireq.max_payload_len = olddev->ibi->max_payload_len; + ibireq.num_slots = olddev->ibi->num_slots; + +- if (olddev->ibi->enabled) { ++ if (olddev->ibi->enabled) + enable_ibi = true; +- i3c_dev_disable_ibi_locked(olddev); +- } +- ++ /* ++ * The olddev should not receive any commands on the ++ * i3c bus as it does not exist and has been assigned ++ * a new address. This will result in NACK or timeout. ++ * So, update the olddev->ibi->enabled flag to false ++ * to avoid DISEC with OldAddr. ++ */ ++ olddev->ibi->enabled = false; + i3c_dev_free_ibi_locked(olddev); + } + mutex_unlock(&olddev->ibi_lock); diff --git a/queue-6.1/i3c-master-svc-fix-possible-assignment-of-the-same-address-to-two-devices.patch b/queue-6.1/i3c-master-svc-fix-possible-assignment-of-the-same-address-to-two-devices.patch new file mode 100644 index 00000000000..0409b97700a --- /dev/null +++ b/queue-6.1/i3c-master-svc-fix-possible-assignment-of-the-same-address-to-two-devices.patch @@ -0,0 +1,81 @@ +From 3b2ac810d86eb96e882db80a3320a3848b133208 Mon Sep 17 00:00:00 2001 +From: Frank Li <Frank.Li@nxp.com> +Date: Wed, 2 Oct 2024 10:50:38 -0400 +Subject: i3c: master: svc: fix possible assignment of the same address to two devices + +From: Frank Li <Frank.Li@nxp.com> + +commit 3b2ac810d86eb96e882db80a3320a3848b133208 upstream. + +svc_i3c_master_do_daa() { + ... + for (i = 0; i < dev_nb; i++) { + ret = i3c_master_add_i3c_dev_locked(m, addrs[i]); + if (ret) + goto rpm_out; + } +} + +If two devices (A and B) are detected in DAA and address 0xa is assigned to +device A and 0xb to device B, a failure in i3c_master_add_i3c_dev_locked() +for device A (addr: 0xa) could prevent device B (addr: 0xb) from being +registered on the bus. The I3C stack might still consider 0xb a free +address. If a subsequent Hotjoin occurs, 0xb might be assigned to Device A, +causing both devices A and B to use the same address 0xb, violating the I3C +specification. + +The return value for i3c_master_add_i3c_dev_locked() should not be checked +because subsequent steps will scan the entire I3C bus, independent of +whether i3c_master_add_i3c_dev_locked() returns success. + +If device A registration fails, there is still a chance to register device +B. i3c_master_add_i3c_dev_locked() can reset DAA if a failure occurs while +retrieving device information. + +Cc: stable@kernel.org +Fixes: 317bacf960a4 ("i3c: master: add enable(disable) hot join in sys entry") +Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> +Signed-off-by: Frank Li <Frank.Li@nxp.com> +Link: https://lore.kernel.org/r/20241002-svc-i3c-hj-v6-6-7e6e1d3569ae@nxp.com +Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/i3c/master/svc-i3c-master.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +--- a/drivers/i3c/master/svc-i3c-master.c ++++ b/drivers/i3c/master/svc-i3c-master.c +@@ -1010,12 +1010,27 @@ static int svc_i3c_master_do_daa(struct + goto rpm_out; + } + +- /* Register all devices who participated to the core */ +- for (i = 0; i < dev_nb; i++) { +- ret = i3c_master_add_i3c_dev_locked(m, addrs[i]); +- if (ret) +- goto rpm_out; +- } ++ /* ++ * Register all devices who participated to the core ++ * ++ * If two devices (A and B) are detected in DAA and address 0xa is assigned to ++ * device A and 0xb to device B, a failure in i3c_master_add_i3c_dev_locked() ++ * for device A (addr: 0xa) could prevent device B (addr: 0xb) from being ++ * registered on the bus. The I3C stack might still consider 0xb a free ++ * address. If a subsequent Hotjoin occurs, 0xb might be assigned to Device A, ++ * causing both devices A and B to use the same address 0xb, violating the I3C ++ * specification. ++ * ++ * The return value for i3c_master_add_i3c_dev_locked() should not be checked ++ * because subsequent steps will scan the entire I3C bus, independent of ++ * whether i3c_master_add_i3c_dev_locked() returns success. ++ * ++ * If device A registration fails, there is still a chance to register device ++ * B. i3c_master_add_i3c_dev_locked() can reset DAA if a failure occurs while ++ * retrieving device information. ++ */ ++ for (i = 0; i < dev_nb; i++) ++ i3c_master_add_i3c_dev_locked(m, addrs[i]); + + /* Configure IBI auto-rules */ + ret = svc_i3c_update_ibirules(master); diff --git a/queue-6.1/i3c-master-svc-fix-use-after-free-vulnerability-in-svc_i3c_master-driver-due-to-race-condition.patch b/queue-6.1/i3c-master-svc-fix-use-after-free-vulnerability-in-svc_i3c_master-driver-due-to-race-condition.patch new file mode 100644 index 00000000000..b658430950a --- /dev/null +++ b/queue-6.1/i3c-master-svc-fix-use-after-free-vulnerability-in-svc_i3c_master-driver-due-to-race-condition.patch @@ -0,0 +1,56 @@ +From 61850725779709369c7e907ae8c7c75dc7cec4f3 Mon Sep 17 00:00:00 2001 +From: Kaixin Wang <kxwang23@m.fudan.edu.cn> +Date: Sun, 15 Sep 2024 00:39:33 +0800 +Subject: i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition + +From: Kaixin Wang <kxwang23@m.fudan.edu.cn> + +commit 61850725779709369c7e907ae8c7c75dc7cec4f3 upstream. + +In the svc_i3c_master_probe function, &master->hj_work is bound with +svc_i3c_master_hj_work, &master->ibi_work is bound with +svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work can start the +hj_work, svc_i3c_master_irq_handler can start the ibi_work. + +If we remove the module which will call svc_i3c_master_remove to +make cleanup, it will free master->base through i3c_master_unregister +while the work mentioned above will be used. The sequence of operations +that may lead to a UAF bug is as follows: + +CPU0 CPU1 + + | svc_i3c_master_hj_work +svc_i3c_master_remove | +i3c_master_unregister(&master->base)| +device_unregister(&master->dev) | +device_release | +//free master->base | + | i3c_master_do_daa(&master->base) + | //use master->base + +Fix it by ensuring that the work is canceled before proceeding with the +cleanup in svc_i3c_master_remove. + +Fixes: 0f74f8b6675c ("i3c: Make i3c_master_unregister() return void") +Cc: stable@vger.kernel.org +Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn> +Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> +Reviewed-by: Frank Li <Frank.Li@nxp.com> +Link: https://lore.kernel.org/stable/20240914154030.180-1-kxwang23%40m.fudan.edu.cn +Link: https://lore.kernel.org/r/20240914163932.253-1-kxwang23@m.fudan.edu.cn +Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/i3c/master/svc-i3c-master.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/i3c/master/svc-i3c-master.c ++++ b/drivers/i3c/master/svc-i3c-master.c +@@ -1772,6 +1772,7 @@ static int svc_i3c_master_remove(struct + { + struct svc_i3c_master *master = platform_get_drvdata(pdev); + ++ cancel_work_sync(&master->hj_work); + i3c_master_unregister(&master->base); + + pm_runtime_dont_use_autosuspend(&pdev->dev); diff --git a/queue-6.1/pm-devfreq-fix-build-issues-with-devfreq-disabled.patch b/queue-6.1/pm-devfreq-fix-build-issues-with-devfreq-disabled.patch new file mode 100644 index 00000000000..afa7cd57915 --- /dev/null +++ b/queue-6.1/pm-devfreq-fix-build-issues-with-devfreq-disabled.patch @@ -0,0 +1,57 @@ +From dbd7a2a941b8cbf9e5f79a777ed9fe0090eebb61 Mon Sep 17 00:00:00 2001 +From: Rob Clark <robdclark@chromium.org> +Date: Mon, 23 Jan 2023 07:37:45 -0800 +Subject: PM / devfreq: Fix build issues with devfreq disabled + +From: Rob Clark <robdclark@chromium.org> + +commit dbd7a2a941b8cbf9e5f79a777ed9fe0090eebb61 upstream. + +The existing no-op shims for when PM_DEVFREQ (or an individual governor) +only do half the job. The governor specific config/tuning structs need +to be available to avoid compile errors in drivers using devfreq. + +Fixes: 6563f60f14cb ("drm/msm/gpu: Add devfreq tuning debugfs") +Signed-off-by: Rob Clark <robdclark@chromium.org> +Acked-by: MyungJoo Ham <myungjoo.ham@samsung.com> +Acked-by: Chanwoo Choi <cw00.choi@samsung.com> +Patchwork: https://patchwork.freedesktop.org/patch/519801/ +Link: https://lore.kernel.org/r/20230123153745.3185032-1-robdclark@gmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + include/linux/devfreq.h | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/include/linux/devfreq.h ++++ b/include/linux/devfreq.h +@@ -273,8 +273,8 @@ void devm_devfreq_unregister_notifier(st + struct devfreq *devfreq_get_devfreq_by_node(struct device_node *node); + struct devfreq *devfreq_get_devfreq_by_phandle(struct device *dev, + const char *phandle_name, int index); ++#endif /* CONFIG_PM_DEVFREQ */ + +-#if IS_ENABLED(CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND) + /** + * struct devfreq_simple_ondemand_data - ``void *data`` fed to struct devfreq + * and devfreq_add_device +@@ -292,9 +292,7 @@ struct devfreq_simple_ondemand_data { + unsigned int upthreshold; + unsigned int downdifferential; + }; +-#endif + +-#if IS_ENABLED(CONFIG_DEVFREQ_GOV_PASSIVE) + enum devfreq_parent_dev_type { + DEVFREQ_PARENT_DEV, + CPUFREQ_PARENT_DEV, +@@ -337,9 +335,8 @@ struct devfreq_passive_data { + struct notifier_block nb; + struct list_head cpu_data_list; + }; +-#endif + +-#else /* !CONFIG_PM_DEVFREQ */ ++#if !defined(CONFIG_PM_DEVFREQ) + static inline struct devfreq *devfreq_add_device(struct device *dev, + struct devfreq_dev_profile *profile, + const char *governor_name, diff --git a/queue-6.1/serial-amba-pl011-fix-build-regression.patch b/queue-6.1/serial-amba-pl011-fix-build-regression.patch new file mode 100644 index 00000000000..593f867c972 --- /dev/null +++ b/queue-6.1/serial-amba-pl011-fix-build-regression.patch @@ -0,0 +1,51 @@ +From b5a23a60e8ab5711f4952912424347bf3864ce8d Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann <arnd@arndb.de> +Date: Fri, 15 Nov 2024 11:59:54 +0100 +Subject: serial: amba-pl011: fix build regression + +From: Arnd Bergmann <arnd@arndb.de> + +commit b5a23a60e8ab5711f4952912424347bf3864ce8d upstream. + +When CONFIG_DMA_ENGINE is disabled, the driver now fails to build: + +drivers/tty/serial/amba-pl011.c: In function 'pl011_unthrottle_rx': +drivers/tty/serial/amba-pl011.c:1822:16: error: 'struct uart_amba_port' has no member named 'using_rx_dma' + 1822 | if (uap->using_rx_dma) { + | ^~ +drivers/tty/serial/amba-pl011.c:1823:20: error: 'struct uart_amba_port' has no member named 'dmacr' + 1823 | uap->dmacr |= UART011_RXDMAE; + | ^~ +drivers/tty/serial/amba-pl011.c:1824:32: error: 'struct uart_amba_port' has no member named 'dmacr' + 1824 | pl011_write(uap->dmacr, uap, REG_DMACR); + | ^~ + +Add the missing #ifdef check around these field accesses, matching +what other parts of this driver do. + +Fixes: 2bcacc1c87ac ("serial: amba-pl011: Fix RX stall when DMA is used") +Cc: stable <stable@kernel.org> +Reported-by: kernel test robot <lkp@intel.com> +Closes: https://lore.kernel.org/oe-kbuild-all/202411140617.nkjeHhsK-lkp@intel.com/ +Signed-off-by: Arnd Bergmann <arnd@arndb.de> +Link: https://lore.kernel.org/r/20241115110021.744332-1-arnd@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/tty/serial/amba-pl011.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -1837,10 +1837,12 @@ static void pl011_unthrottle_rx(struct u + + pl011_write(uap->im, uap, REG_IMSC); + ++#ifdef CONFIG_DMA_ENGINE + if (uap->using_rx_dma) { + uap->dmacr |= UART011_RXDMAE; + pl011_write(uap->dmacr, uap, REG_DMACR); + } ++#endif + + uart_port_unlock_irqrestore(&uap->port, flags); + } diff --git a/queue-6.1/series b/queue-6.1/series index 0f0bfe1d7a1..529642d7cb1 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -234,9 +234,6 @@ clk-imx-fracn-gppll-fix-pll-power-up.patch clk-imx-clk-scu-fix-clk-enable-state-save-and-restor.patch iommu-vt-d-fix-checks-and-print-in-dmar_fault_dump_p.patch iommu-vt-d-fix-checks-and-print-in-pgtable_walk.patch -checkpatch-warn-when-reported-by-is-not-followed-by-.patch -checkpatch-check-for-missing-fixes-tags.patch -checkpatch-always-parse-orig_commit-in-fixes-tag.patch mfd-rt5033-fix-missing-regmap_del_irq_chip.patch fs-proc-kcore.c-fix-coccinelle-reported-error-instan.patch scsi-bfa-fix-use-after-free-in-bfad_im_module_exit.patch @@ -765,3 +762,12 @@ veth-use-tstats-per-cpu-traffic-counters.patch drm-ttm-make-sure-the-mapped-tt-pages-are-decrypted-when-needed.patch drm-ttm-print-the-memory-decryption-status-just-once.patch drm-amdgpu-rework-resume-handling-for-display-v2.patch +usb-dwc3-ep0-don-t-reset-resource-alloc-flag.patch +serial-amba-pl011-fix-build-regression.patch +i3c-master-remove-i3c_dev_disable_ibi_locked-olddev-on-device-hotjoin.patch +i3c-master-svc-fix-possible-assignment-of-the-same-address-to-two-devices.patch +pm-devfreq-fix-build-issues-with-devfreq-disabled.patch +drm-msm-devfreq_gov_simple_ondemand-is-no-longer-needed.patch +fs-ntfs3-sequential-field-availability-check-in-mi_enum_attr.patch +i3c-master-svc-fix-use-after-free-vulnerability-in-svc_i3c_master-driver-due-to-race-condition.patch +bluetooth-mgmt-fix-possible-deadlocks.patch diff --git a/queue-6.1/usb-dwc3-ep0-don-t-reset-resource-alloc-flag.patch b/queue-6.1/usb-dwc3-ep0-don-t-reset-resource-alloc-flag.patch new file mode 100644 index 00000000000..986a8a175bb --- /dev/null +++ b/queue-6.1/usb-dwc3-ep0-don-t-reset-resource-alloc-flag.patch @@ -0,0 +1,36 @@ +From f2e0eee4703869dc5edb5302a919861566ca7797 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen <Thinh.Nguyen@synopsys.com> +Date: Tue, 16 Apr 2024 01:23:07 +0000 +Subject: usb: dwc3: ep0: Don't reset resource alloc flag + +From: Thinh Nguyen <Thinh.Nguyen@synopsys.com> + +commit f2e0eee4703869dc5edb5302a919861566ca7797 upstream. + +The DWC3_EP_RESOURCE_ALLOCATED flag ensures that the resource of an +endpoint is only assigned once. Unless the endpoint is reset, don't +clear this flag. Otherwise we may set endpoint resource again, which +prevents the driver from initiate transfer after handling a STALL or +endpoint halt to the control endpoint. + +Cc: stable@vger.kernel.org +Fixes: b311048c174d ("usb: dwc3: gadget: Rewrite endpoint allocation flow") +Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com> +Link: https://lore.kernel.org/r/00122b7cc5be06abef461776e7cc9f5ebc8bc1cb.1713229786.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/usb/dwc3/ep0.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/ep0.c ++++ b/drivers/usb/dwc3/ep0.c +@@ -224,7 +224,8 @@ void dwc3_ep0_stall_and_restart(struct d + + /* reinitialize physical ep1 */ + dep = dwc->eps[1]; +- dep->flags = DWC3_EP_ENABLED; ++ dep->flags &= DWC3_EP_RESOURCE_ALLOCATED; ++ dep->flags |= DWC3_EP_ENABLED; + + /* stall is always issued on EP0 */ + dep = dwc->eps[0];