From: Greg Kroah-Hartman Date: Mon, 28 Apr 2025 17:25:45 +0000 (+0200) Subject: 6.14-stable patches X-Git-Tag: v5.4.293~55 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8c93ef1767d03631f59caa074b626b1b31cec401;p=thirdparty%2Fkernel%2Fstable-queue.git 6.14-stable patches added patches: char-misc-register-chrdev-region-with-all-possible-minors.patch firmware-stratix10-svc-add-of_platform_default_populate.patch kvm-x86-explicitly-treat-routing-entry-type-changes-as-changes.patch kvm-x86-reset-irte-to-host-control-if-new-route-isn-t-postable.patch kvm-x86-take-irqfds.lock-when-adding-deleting-irq-bypass-producer.patch misc-microchip-pci1xxxx-fix-incorrect-irq-status-handling-during-ack.patch misc-microchip-pci1xxxx-fix-kernel-panic-during-irq-handler-registration.patch serial-msm-configure-correct-working-mode-before-starting-earlycon.patch serial-sifive-lock-port-in-startup-shutdown-callbacks.patch tty-require-cap_sys_admin-for-all-usages-of-tiocl_selmousereport.patch usb-cdns3-fix-deadlock-when-using-ncm-gadget.patch usb-chipidea-ci_hdrc_imx-fix-call-balance-of-regulator-routines.patch usb-chipidea-ci_hdrc_imx-fix-usbmisc-handling.patch usb-chipidea-ci_hdrc_imx-implement-usb_phy_init-error-handling.patch usb-dwc3-gadget-check-that-event-count-does-not-exceed-event-buffer-length.patch usb-dwc3-xilinx-prevent-spike-in-reset-signal.patch usb-ohci-add-quirk-for-ls7a-ohci-controller-rev-0x02.patch usb-quirks-add-delay-init-quirk-for-sandisk-3.2gen1-flash-drive.patch usb-quirks-add-delay_init-quirk-for-silicon-motion-flash-drive.patch usb-serial-ftdi_sio-add-support-for-abacus-electrics-optical-probe.patch usb-serial-option-add-sierra-wireless-em9291.patch usb-serial-simple-add-owon-hds200-series-oscilloscope-support.patch usb-typec-class-fix-null-pointer-access.patch usb-typec-class-invalidate-usb-device-pointers-on-partner-unregistration.patch usb-typec-class-unlocked-on-error-in-typec_register_partner.patch usb-vli-disk-crashes-if-lpm-is-used.patch 
usb-wdm-add-annotation.patch usb-wdm-close-race-between-wdm_open-and-wdm_wwan_port_stop.patch usb-wdm-handle-io-errors-in-wdm_wwan_port_start.patch usb-wdm-wdm_wwan_port_tx_complete-mutex-in-atomic-context.patch usb-xhci-fix-invalid-pointer-dereference-in-etron-workaround.patch xhci-limit-time-spent-with-xhc-interrupts-disabled-during-bus-resume.patch
---
diff --git a/queue-6.14/char-misc-register-chrdev-region-with-all-possible-minors.patch b/queue-6.14/char-misc-register-chrdev-region-with-all-possible-minors.patch
new file mode 100644
index 0000000000..144c69b76c
--- /dev/null
+++ b/queue-6.14/char-misc-register-chrdev-region-with-all-possible-minors.patch
@@ -0,0 +1,47 @@
+From c876be906ce7e518d9ef9926478669c151999e69 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo
+Date: Mon, 17 Mar 2025 10:59:55 -0300
+Subject: char: misc: register chrdev region with all possible minors
+
+From: Thadeu Lima de Souza Cascardo
+
+commit c876be906ce7e518d9ef9926478669c151999e69 upstream.
+
+register_chrdev will only register the first 256 minors of a major chrdev.
+That means that dynamically allocated misc devices with minor above 255
+will fail to open with -ENXIO.
+
+This was found by kernel test robot when testing a different change that
+makes all dynamically allocated minors be above 255. This has, however,
+been separately tested by creating 256 serio_raw devices with the help of
+userio driver.
+
+Ever since allowing misc devices with minors above 128, this has been
+possible.
+
+Fix it by registering all minor numbers from 0 to MINORMASK + 1 for
+MISC_MAJOR.
+
+Reported-by: kernel test robot
+Cc: stable
+Closes: https://lore.kernel.org/oe-lkp/202503171507.6c8093d0-lkp@intel.com
+Fixes: ab760791c0cf ("char: misc: Increase the maximum number of dynamic misc devices to 1048448")
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Tested-by: Hou Wenlong
+Link: https://lore.kernel.org/r/20250317-misc-chrdev-v1-1-6cd05da11aef@igalia.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/misc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/misc.c
++++ b/drivers/char/misc.c
+@@ -315,7 +315,7 @@ static int __init misc_init(void)
+ goto fail_remove;
+
+ err = -EIO;
+- if (register_chrdev(MISC_MAJOR, "misc", &misc_fops))
++ if (__register_chrdev(MISC_MAJOR, 0, MINORMASK + 1, "misc", &misc_fops))
+ goto fail_printk;
+ return 0;
+
diff --git a/queue-6.14/firmware-stratix10-svc-add-of_platform_default_populate.patch b/queue-6.14/firmware-stratix10-svc-add-of_platform_default_populate.patch
new file mode 100644
index 0000000000..8fa1bc0070
--- /dev/null
+++ b/queue-6.14/firmware-stratix10-svc-add-of_platform_default_populate.patch 
@@ -0,0 +1,69 @@
+From 4d239f447f96bd2cb646f89431e9db186c1ccfd4 Mon Sep 17 00:00:00 2001
+From: Mahesh Rao
+Date: Wed, 26 Mar 2025 06:54:46 -0500
+Subject: firmware: stratix10-svc: Add of_platform_default_populate()
+
+From: Mahesh Rao
+
+commit 4d239f447f96bd2cb646f89431e9db186c1ccfd4 upstream.
+
+Add of_platform_default_populate() to stratix10-svc
+driver as the firmware/svc node was moved out of soc.
+This fixes the failed probing of child drivers of
+svc node.
+
+Cc: stable@vger.kernel.org
+Fixes: 23c3ebed382a ("arm64: dts: socfpga: agilex: move firmware out of soc node")
+Reviewed-by: Krzysztof Kozlowski
+Reviewed-by: Xu Yilun
+Signed-off-by: Mahesh Rao
+Signed-off-by: Dinh Nguyen
+Link: https://lore.kernel.org/r/20250326115446.36123-1-dinguyen@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/stratix10-svc.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/firmware/stratix10-svc.c
++++ b/drivers/firmware/stratix10-svc.c
+@@ -1224,22 +1224,28 @@ static int stratix10_svc_drv_probe(struc
+ if (!svc->intel_svc_fcs) {
+ dev_err(dev, "failed to allocate %s device\n", INTEL_FCS);
+ ret = -ENOMEM;
+- goto err_unregister_dev;
++ goto err_unregister_rsu_dev;
+ }
+
+ ret = platform_device_add(svc->intel_svc_fcs);
+ if (ret) {
+ platform_device_put(svc->intel_svc_fcs);
+- goto err_unregister_dev;
++ goto err_unregister_rsu_dev;
+ }
+
++ ret = of_platform_default_populate(dev_of_node(dev), NULL, dev);
++ if (ret)
++ goto err_unregister_fcs_dev;
++
+ dev_set_drvdata(dev, svc);
+
+ pr_info("Intel Service Layer Driver Initialized\n");
+
+ return 0;
+
+-err_unregister_dev:
++err_unregister_fcs_dev:
++ platform_device_unregister(svc->intel_svc_fcs);
++err_unregister_rsu_dev:
+ platform_device_unregister(svc->stratix10_svc_rsu);
+ err_free_kfifo:
+ kfifo_free(&controller->svc_fifo);
+@@ -1253,6 +1259,8 @@ static void stratix10_svc_drv_remove(str
+ struct stratix10_svc *svc = dev_get_drvdata(&pdev->dev);
+ struct stratix10_svc_controller *ctrl = platform_get_drvdata(pdev);
+
++ of_platform_depopulate(ctrl->dev);
++
+ platform_device_unregister(svc->intel_svc_fcs);
+ platform_device_unregister(svc->stratix10_svc_rsu);
+
diff --git a/queue-6.14/kvm-x86-explicitly-treat-routing-entry-type-changes-as-changes.patch b/queue-6.14/kvm-x86-explicitly-treat-routing-entry-type-changes-as-changes.patch
new file mode 100644
index 0000000000..20f6f73886
--- /dev/null
+++ b/queue-6.14/kvm-x86-explicitly-treat-routing-entry-type-changes-as-changes.patch
@@ -0,0 +1,35 @@
+From bcda70c56f3e718465cab2aad260cf34183ce1ce Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Fri, 4 Apr 2025 12:38:18 -0700
+Subject: KVM: x86: Explicitly treat routing entry type changes as changes
+
+From: Sean Christopherson
+
+commit bcda70c56f3e718465cab2aad260cf34183ce1ce upstream.
+
+Explicitly treat type differences as GSI routing changes, as comparing MSI
+data between two entries could get a false negative, e.g. if userspace
+changed the type but left the type-specific data as-is.
+
+Fixes: 515a0c79e796 ("kvm: irqfd: avoid update unmodified entries of the routing")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-ID: <20250404193923.1413163-4-seanjc@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/x86.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -13611,7 +13611,8 @@ int kvm_arch_update_irqfd_routing(struct
+ bool kvm_arch_irqfd_route_changed(struct kvm_kernel_irq_routing_entry *old,
+ struct kvm_kernel_irq_routing_entry *new)
+ {
+- if (new->type != KVM_IRQ_ROUTING_MSI)
++ if (old->type != KVM_IRQ_ROUTING_MSI ||
++ new->type != KVM_IRQ_ROUTING_MSI)
+ return true;
+
+ return !!memcmp(&old->msi, &new->msi, sizeof(new->msi));
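Review bot: When of_platform_default_populate() fails in stratix10_svc_drv_probe, the new `err_unregister_fcs_dev` path unregisters the FCS and RSU devices but does nothing about child devices that may already have been created before the failure. As far as I know the populate helper does not undo a partial population itself, so I would call `of_platform_depopulate(dev);` at the top of `err_unregister_fcs_dev`, mirroring what the remove() hunk does. Separately, probe populates with `dev` while remove() depopulates `ctrl->dev`; these are presumably the same device, but nothing in the hunks shows it, so one spelling or a short comment would help. The probe body starts outside the hunk.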
diff --git a/queue-6.14/kvm-x86-reset-irte-to-host-control-if-new-route-isn-t-postable.patch b/queue-6.14/kvm-x86-reset-irte-to-host-control-if-new-route-isn-t-postable.patch
new file mode 100644
index 0000000000..f2be1a80ae
--- /dev/null
+++ b/queue-6.14/kvm-x86-reset-irte-to-host-control-if-new-route-isn-t-postable.patch
@@ -0,0 +1,178 @@
+From 9bcac97dc42d2f4da8229d18feb0fe2b1ce523a2 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Fri, 4 Apr 2025 12:38:17 -0700
+Subject: KVM: x86: Reset IRTE to host control if *new* route isn't postable
+
+From: Sean Christopherson
+
+commit 9bcac97dc42d2f4da8229d18feb0fe2b1ce523a2 upstream.
+
+Restore an IRTE back to host control (remapped or posted MSI mode) if the
+*new* GSI route prevents posting the IRQ directly to a vCPU, regardless of
+the GSI routing type. Updating the IRTE if and only if the new GSI is an
+MSI results in KVM leaving an IRTE posting to a vCPU.
+
+The dangling IRTE can result in interrupts being incorrectly delivered to
+the guest, and in the worst case scenario can result in use-after-free,
+e.g. if the VM is torn down, but the underlying host IRQ isn't freed.
+
+Fixes: efc644048ecd ("KVM: x86: Update IRTE for posted-interrupts")
+Fixes: 411b44ba80ab ("svm: Implements update_pi_irte hook to setup posted interrupt")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-ID: <20250404193923.1413163-3-seanjc@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/svm/avic.c | 58 +++++++++++++++++++++--------------------
+ arch/x86/kvm/vmx/posted_intr.c | 28 +++++++-------------
+ 2 files changed, 41 insertions(+), 45 deletions(-)
+
+--- a/arch/x86/kvm/svm/avic.c
++++ b/arch/x86/kvm/svm/avic.c
+@@ -896,6 +896,7 @@ int avic_pi_update_irte(struct kvm *kvm,
+ {
+ struct kvm_kernel_irq_routing_entry *e;
+ struct kvm_irq_routing_table *irq_rt;
++ bool enable_remapped_mode = true;
+ int idx, ret = 0;
+
+ if (!kvm_arch_has_assigned_device(kvm) ||
+@@ -933,6 +934,8 @@ int avic_pi_update_irte(struct kvm *kvm,
+ kvm_vcpu_apicv_active(&svm->vcpu)) {
+ struct amd_iommu_pi_data pi;
+
++ enable_remapped_mode = false;
++
+ /* Try to enable guest_mode in IRTE */
+ pi.base = __sme_set(page_to_phys(svm->avic_backing_page) &
+ AVIC_HPA_MASK);
+@@ -951,33 +954,6 @@ int avic_pi_update_irte(struct kvm *kvm,
+ */
+ if (!ret && pi.is_guest_mode)
+ svm_ir_list_add(svm, &pi);
+- } else {
+- /* Use legacy mode in IRTE */
+- struct amd_iommu_pi_data pi;
+-
+- /**
+- * Here, pi is used to:
+- * - Tell IOMMU to use legacy mode for this interrupt.
+- * - Retrieve ga_tag of prior interrupt remapping data.
+- */
+- pi.prev_ga_tag = 0;
+- pi.is_guest_mode = false;
+- ret = irq_set_vcpu_affinity(host_irq, &pi);
+-
+- /**
+- * Check if the posted interrupt was previously
+- * setup with the guest_mode by checking if the ga_tag
+- * was cached. If so, we need to clean up the per-vcpu
+- * ir_list.
+- */
+- if (!ret && pi.prev_ga_tag) {
+- int id = AVIC_GATAG_TO_VCPUID(pi.prev_ga_tag);
+- struct kvm_vcpu *vcpu;
+-
+- vcpu = kvm_get_vcpu_by_id(kvm, id);
+- if (vcpu)
+- svm_ir_list_del(to_svm(vcpu), &pi);
+- }
+ }
+
+ if (!ret && svm) {
+@@ -993,6 +969,34 @@ int avic_pi_update_irte(struct kvm *kvm,
+ }
+
+ ret = 0;
++ if (enable_remapped_mode) {
++ /* Use legacy mode in IRTE */
++ struct amd_iommu_pi_data pi;
++
++ /**
++ * Here, pi is used to:
++ * - Tell IOMMU to use legacy mode for this interrupt.
++ * - Retrieve ga_tag of prior interrupt remapping data.
++ */
++ pi.prev_ga_tag = 0;
++ pi.is_guest_mode = false;
++ ret = irq_set_vcpu_affinity(host_irq, &pi);
++
++ /**
++ * Check if the posted interrupt was previously
++ * setup with the guest_mode by checking if the ga_tag
++ * was cached. If so, we need to clean up the per-vcpu
++ * ir_list.
++ */
++ if (!ret && pi.prev_ga_tag) {
++ int id = AVIC_GATAG_TO_VCPUID(pi.prev_ga_tag);
++ struct kvm_vcpu *vcpu;
++
++ vcpu = kvm_get_vcpu_by_id(kvm, id);
++ if (vcpu)
++ svm_ir_list_del(to_svm(vcpu), &pi);
++ }
++ }
+ out:
+ srcu_read_unlock(&kvm->irq_srcu, idx);
+ return ret;
+--- a/arch/x86/kvm/vmx/posted_intr.c
++++ b/arch/x86/kvm/vmx/posted_intr.c
+@@ -274,6 +274,7 @@ int vmx_pi_update_irte(struct kvm *kvm,
+ {
+ struct kvm_kernel_irq_routing_entry *e;
+ struct kvm_irq_routing_table *irq_rt;
++ bool enable_remapped_mode = true;
+ struct kvm_lapic_irq irq;
+ struct kvm_vcpu *vcpu;
+ struct vcpu_data vcpu_info;
+@@ -312,21 +313,8 @@ int vmx_pi_update_irte(struct kvm *kvm,
+
+ kvm_set_msi_irq(kvm, e, &irq);
+ if (!kvm_intr_is_single_vcpu(kvm, &irq, &vcpu) ||
+- !kvm_irq_is_postable(&irq)) {
+- /*
+- * Make sure the IRTE is in remapped mode if
+- * we don't handle it in posted mode.
+- */
+- ret = irq_set_vcpu_affinity(host_irq, NULL);
+- if (ret < 0) {
+- printk(KERN_INFO
+- "failed to back to remapped mode, irq: %u\n",
+- host_irq);
+- goto out;
+- }
+-
++ !kvm_irq_is_postable(&irq))
+ continue;
+- }
+
+ vcpu_info.pi_desc_addr = __pa(vcpu_to_pi_desc(vcpu));
+ vcpu_info.vector = irq.vector;
+@@ -334,11 +322,12 @@ int vmx_pi_update_irte(struct kvm *kvm,
+ trace_kvm_pi_irte_update(host_irq, vcpu->vcpu_id, e->gsi,
+ vcpu_info.vector, vcpu_info.pi_desc_addr, set);
+
+- if (set)
+- ret = irq_set_vcpu_affinity(host_irq, &vcpu_info);
+- else
+- ret = irq_set_vcpu_affinity(host_irq, NULL);
++ if (!set)
++ continue;
+
++ enable_remapped_mode = false;
++
++ ret = irq_set_vcpu_affinity(host_irq, &vcpu_info);
+ if (ret < 0) {
+ printk(KERN_INFO "%s: failed to update PI IRTE\n",
+ __func__);
+@@ -346,6 +335,9 @@ int vmx_pi_update_irte(struct kvm *kvm,
+ }
+ }
+
++ if (enable_remapped_mode)
++ ret = irq_set_vcpu_affinity(host_irq, NULL);
++
+ ret = 0;
+ out:
+ srcu_read_unlock(&kvm->irq_srcu, idx);
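Review bot: In the vmx_pi_update_irte part of this patch, the result of the new `ret = irq_set_vcpu_affinity(host_irq, NULL);` is overwritten by the `ret = 0;` that follows it, so a failure to return the IRTE to remapped mode is reported to the caller as success. The removed branch logged that failure and jumped to `out`, and the avic_pi_update_irte hunk places `ret = 0;` before its `if (enable_remapped_mode)` block, so the SVM path does propagate the error while the VMX path does not. Given that the commit message ties a dangling posted IRTE to misdelivered interrupts and a possible use-after-free, I would move `ret = 0;` above `if (enable_remapped_mode)` here as well. Both function bodies start and end outside the hunks.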
diff --git a/queue-6.14/kvm-x86-take-irqfds.lock-when-adding-deleting-irq-bypass-producer.patch b/queue-6.14/kvm-x86-take-irqfds.lock-when-adding-deleting-irq-bypass-producer.patch
new file mode 100644
index 0000000000..d8ed6984b0
--- /dev/null
+++ b/queue-6.14/kvm-x86-take-irqfds.lock-when-adding-deleting-irq-bypass-producer.patch
@@ -0,0 +1,79 @@
+From f1fb088d9cecde5c3066d8ff8846789667519b7d Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Fri, 4 Apr 2025 12:38:19 -0700
+Subject: KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer
+
+From: Sean Christopherson
+
+commit f1fb088d9cecde5c3066d8ff8846789667519b7d upstream.
+
+Take irqfds.lock when adding/deleting an IRQ bypass producer to ensure
+irqfd->producer isn't modified while kvm_irq_routing_update() is running.
+The only lock held when a producer is added/removed is irqbypass's mutex.
+
+Fixes: 872768800652 ("KVM: x86: select IRQ_BYPASS_MANAGER")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-ID: <20250404193923.1413163-5-seanjc@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/x86.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -13565,15 +13565,22 @@ int kvm_arch_irq_bypass_add_producer(str
+ {
+ struct kvm_kernel_irqfd *irqfd =
+ container_of(cons, struct kvm_kernel_irqfd, consumer);
++ struct kvm *kvm = irqfd->kvm;
+ int ret;
+
+- irqfd->producer = prod;
+ kvm_arch_start_assignment(irqfd->kvm);
++
++ spin_lock_irq(&kvm->irqfds.lock);
++ irqfd->producer = prod;
++
+ ret = kvm_x86_call(pi_update_irte)(irqfd->kvm,
+ prod->irq, irqfd->gsi, 1);
+ if (ret)
+ kvm_arch_end_assignment(irqfd->kvm);
+
++ spin_unlock_irq(&kvm->irqfds.lock);
++
++
+ return ret;
+ }
+
+@@ -13583,9 +13590,9 @@ void kvm_arch_irq_bypass_del_producer(st
+ int ret;
+ struct kvm_kernel_irqfd *irqfd =
+ container_of(cons, struct kvm_kernel_irqfd, consumer);
++ struct kvm *kvm = irqfd->kvm;
+
+ WARN_ON(irqfd->producer != prod);
+- irqfd->producer = NULL;
+
+ /*
+ * When producer of consumer is unregistered, we change back to
+@@ -13593,12 +13600,18 @@ void kvm_arch_irq_bypass_del_producer(st
+ * when the irq is masked/disabled or the consumer side (KVM
+ * int this case doesn't want to receive the interrupts.
+ */
++ spin_lock_irq(&kvm->irqfds.lock);
++ irqfd->producer = NULL;
++
+ ret = kvm_x86_call(pi_update_irte)(irqfd->kvm,
+ prod->irq, irqfd->gsi, 0);
+ if (ret)
+ printk(KERN_INFO "irq bypass consumer (token %p) unregistration"
+ " fails: %d\n", irqfd->consumer.token, ret);
+
++ spin_unlock_irq(&kvm->irqfds.lock);
++
++
+ kvm_arch_end_assignment(irqfd->kvm);
+ }
+
diff --git a/queue-6.14/misc-microchip-pci1xxxx-fix-incorrect-irq-status-handling-during-ack.patch b/queue-6.14/misc-microchip-pci1xxxx-fix-incorrect-irq-status-handling-during-ack.patch
new file mode 100644
index 0000000000..e3d6777157
--- /dev/null
+++ b/queue-6.14/misc-microchip-pci1xxxx-fix-incorrect-irq-status-handling-during-ack.patch
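Review bot: On the failure path of kvm_arch_irq_bypass_add_producer, `irqfd->producer` stays set to `prod`: the assignment now happens under irqfds.lock, but the `if (ret)` branch only calls kvm_arch_end_assignment() and never clears the pointer. Whether anything reads the field after a failed add is not visible in these hunks, but since the point of the patch is to keep kvm_irq_routing_update() from seeing an inconsistent producer, I would add `irqfd->producer = NULL;` inside that branch, with braces, before the unlock. As a style point, both functions gain two consecutive blank lines after `spin_unlock_irq(&kvm->irqfds.lock);`; one is enough.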
@@ -0,0 +1,35 @@
+From e9d7748a7468581859d2b85b378135f9688a0aff Mon Sep 17 00:00:00 2001
+From: Rengarajan S
+Date: Thu, 13 Mar 2025 22:38:56 +0530
+Subject: misc: microchip: pci1xxxx: Fix incorrect IRQ status handling during ack
+
+From: Rengarajan S
+
+commit e9d7748a7468581859d2b85b378135f9688a0aff upstream.
+
+Under irq_ack, pci1xxxx_assign_bit reads the current interrupt status,
+modifies and writes the entire value back. Since, the IRQ status bit
+gets cleared on writing back, the better approach is to directly write
+the bitmask to the register in order to preserve the value.
+
+Fixes: 1f4d8ae231f4 ("misc: microchip: pci1xxxx: Add gpio irq handler and irq helper functions irq_ack, irq_mask, irq_unmask and irq_set_type of irq_chip.")
+Cc: stable
+Signed-off-by: Rengarajan S
+Link: https://lore.kernel.org/r/20250313170856.20868-3-rengarajan.s@microchip.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c
++++ b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c
+@@ -168,7 +168,7 @@ static void pci1xxxx_gpio_irq_ack(struct
+ unsigned long flags;
+
+ spin_lock_irqsave(&priv->lock, flags);
+- pci1xxx_assign_bit(priv->reg_base, INTR_STAT_OFFSET(gpio), (gpio % 32), true);
++ writel(BIT(gpio % 32), priv->reg_base + INTR_STAT_OFFSET(gpio));
+ spin_unlock_irqrestore(&priv->lock, flags);
+ }
+
diff --git a/queue-6.14/misc-microchip-pci1xxxx-fix-kernel-panic-during-irq-handler-registration.patch b/queue-6.14/misc-microchip-pci1xxxx-fix-kernel-panic-during-irq-handler-registration.patch
new file mode 100644
index 0000000000..f33262a31c
--- /dev/null
+++ b/queue-6.14/misc-microchip-pci1xxxx-fix-kernel-panic-during-irq-handler-registration.patch
@@ -0,0 +1,58 @@
+From 18eb77c75ed01439f96ae5c0f33461eb5134b907 Mon Sep 17 00:00:00 2001
+From: Rengarajan S
+Date: Thu, 13 Mar 2025 22:38:55 +0530
+Subject: misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration
+
+From: Rengarajan S
+
+commit 18eb77c75ed01439f96ae5c0f33461eb5134b907 upstream.
+
+Resolve kernel panic while accessing IRQ handler associated with the
+generated IRQ. This is done by acquiring the spinlock and storing the
+current interrupt state before handling the interrupt request using
+generic_handle_irq.
+
+A previous fix patch was submitted where 'generic_handle_irq' was
+replaced with 'handle_nested_irq'. However, this change also causes
+the kernel panic where after determining which GPIO triggered the
+interrupt and attempting to call handle_nested_irq with the mapped
+IRQ number, leads to a failure in locating the registered handler.
+
+Fixes: 194f9f94a516 ("misc: microchip: pci1xxxx: Resolve kernel panic during GPIO IRQ handling")
+Cc: stable
+Signed-off-by: Rengarajan S
+Link: https://lore.kernel.org/r/20250313170856.20868-2-rengarajan.s@microchip.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c
++++ b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c
+@@ -37,6 +37,7 @@
+ struct pci1xxxx_gpio {
+ struct auxiliary_device *aux_dev;
+ void __iomem *reg_base;
++ raw_spinlock_t wa_lock;
+ struct gpio_chip gpio;
+ spinlock_t lock;
+ int irq_base;
+@@ -257,6 +258,7 @@ static irqreturn_t pci1xxxx_gpio_irq_han
+ struct pci1xxxx_gpio *priv = dev_id;
+ struct gpio_chip *gc = &priv->gpio;
+ unsigned long int_status = 0;
++ unsigned long wa_flags;
+ unsigned long flags;
+ u8 pincount;
+ int bit;
+@@ -280,7 +282,9 @@ static irqreturn_t pci1xxxx_gpio_irq_han
+ writel(BIT(bit), priv->reg_base + INTR_STATUS_OFFSET(gpiobank));
+ spin_unlock_irqrestore(&priv->lock, flags);
+ irq = irq_find_mapping(gc->irq.domain, (bit + (gpiobank * 32)));
+- handle_nested_irq(irq);
++ raw_spin_lock_irqsave(&priv->wa_lock, wa_flags);
++ generic_handle_irq(irq);
++ raw_spin_unlock_irqrestore(&priv->wa_lock, wa_flags);
+ }
+ }
+ spin_lock_irqsave(&priv->lock, flags);
diff --git a/queue-6.14/serial-msm-configure-correct-working-mode-before-starting-earlycon.patch b/queue-6.14/serial-msm-configure-correct-working-mode-before-starting-earlycon.patch
new file mode 100644
index 0000000000..e482424a03
--- /dev/null
+++ b/queue-6.14/serial-msm-configure-correct-working-mode-before-starting-earlycon.patch
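Review bot: `wa_lock` is added to struct pci1xxxx_gpio and taken in pci1xxxx_gpio_irq_handler, but none of the five inserted lines initialises it. If the structure is zero-allocated the lock may happen to work, yet spinlock debugging and lockdep expect an explicit init, so I would add `raw_spin_lock_init(&priv->wa_lock);` next to wherever `priv->lock` is initialised (that code is outside the hunks shown). The field also deserves a comment on what it is for, for example `/* taken with IRQs off around generic_handle_irq() in the IRQ handler */`, because it guards no data visible here. The handler body starts and ends outside the hunk.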
@@ -0,0 +1,54 @@
+From 7094832b5ac861b0bd7ed8866c93cb15ef619996 Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold
+Date: Tue, 8 Apr 2025 19:22:47 +0200
+Subject: serial: msm: Configure correct working mode before starting earlycon
+
+From: Stephan Gerhold
+
+commit 7094832b5ac861b0bd7ed8866c93cb15ef619996 upstream.
+
+The MSM UART DM controller supports different working modes, e.g. DMA or
+the "single-character mode", where all reads/writes operate on a single
+character rather than 4 chars (32-bit) at once. When using earlycon,
+__msm_console_write() always writes 4 characters at a time, but we don't
+know which mode the bootloader was using and we don't set the mode either.
+
+This causes garbled output if the bootloader was using the single-character
+mode, because only every 4th character appears in the serial console, e.g.
+
+ "[ 00oni pi 000xf0[ 00i s 5rm9(l)l s 1 1 SPMTA 7:C 5[ 00A ade k d[
+ 00ano:ameoi .Q1B[ 00ac _idaM00080oo'"
+
+If the bootloader was using the DMA ("DM") mode, output would likely fail
+entirely. Later, when the full serial driver probes, the port is
+re-initialized and output works as expected.
+
+Fix this also for earlycon by clearing the DMEN register and
+reset+re-enable the transmitter to apply the change. This ensures the
+transmitter is in the expected state before writing any output.
+
+Cc: stable
+Fixes: 0efe72963409 ("tty: serial: msm: Add earlycon support")
+Signed-off-by: Stephan Gerhold
+Reviewed-by: Neil Armstrong
+Link: https://lore.kernel.org/r/20250408-msm-serial-earlycon-v1-1-429080127530@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/msm_serial.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -1746,6 +1746,12 @@ msm_serial_early_console_setup_dm(struct
+ if (!device->port.membase)
+ return -ENODEV;
+
++ /* Disable DM / single-character modes */
++ msm_write(&device->port, 0, UARTDM_DMEN);
++ msm_write(&device->port, MSM_UART_CR_CMD_RESET_RX, MSM_UART_CR);
++ msm_write(&device->port, MSM_UART_CR_CMD_RESET_TX, MSM_UART_CR);
++ msm_write(&device->port, MSM_UART_CR_TX_ENABLE, MSM_UART_CR);
++
+ device->con->write = msm_serial_early_write_dm;
+ return 0;
+ }
diff --git a/queue-6.14/serial-sifive-lock-port-in-startup-shutdown-callbacks.patch b/queue-6.14/serial-sifive-lock-port-in-startup-shutdown-callbacks.patch
new file mode 100644
index 0000000000..e2ad41bbb7
--- /dev/null
+++ b/queue-6.14/serial-sifive-lock-port-in-startup-shutdown-callbacks.patch
@@ -0,0 +1,59 @@
+From e1ca3ff28ab1e2c1e70713ef3fa7943c725742c3 Mon Sep 17 00:00:00 2001
+From: Ryo Takakura
+Date: Sat, 12 Apr 2025 09:18:47 +0900
+Subject: serial: sifive: lock port in startup()/shutdown() callbacks
+
+From: Ryo Takakura
+
+commit e1ca3ff28ab1e2c1e70713ef3fa7943c725742c3 upstream.
+
+startup()/shutdown() callbacks access SIFIVE_SERIAL_IE_OFFS.
+The register is also accessed from write() callback.
+
+If console were printing and startup()/shutdown() callback
+gets called, its access to the register could be overwritten.
+
+Add port->lock to startup()/shutdown() callbacks to make sure
+their access to SIFIVE_SERIAL_IE_OFFS is synchronized against
+write() callback.
+
+Fixes: 45c054d0815b ("tty: serial: add driver for the SiFive UART")
+Signed-off-by: Ryo Takakura
+Reviewed-by: Petr Mladek
+Cc: stable@vger.kernel.org
+Reviewed-by: John Ogness
+Rule: add
+Link: https://lore.kernel.org/stable/20250330003522.386632-1-ryotkkr98%40gmail.com
+Link: https://lore.kernel.org/r/20250412001847.183221-1-ryotkkr98@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/sifive.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/tty/serial/sifive.c
++++ b/drivers/tty/serial/sifive.c
+@@ -563,8 +563,11 @@ static void sifive_serial_break_ctl(stru
+ static int sifive_serial_startup(struct uart_port *port)
+ {
+ struct sifive_serial_port *ssp = port_to_sifive_serial_port(port);
++ unsigned long flags;
+
++ uart_port_lock_irqsave(&ssp->port, &flags);
+ __ssp_enable_rxwm(ssp);
++ uart_port_unlock_irqrestore(&ssp->port, flags);
+
+ return 0;
+ }
+@@ -572,9 +575,12 @@ static int sifive_serial_startup(struct
+ static void sifive_serial_shutdown(struct uart_port *port)
+ {
+ struct sifive_serial_port *ssp = port_to_sifive_serial_port(port);
++ unsigned long flags;
+
++ uart_port_lock_irqsave(&ssp->port, &flags);
+ __ssp_disable_rxwm(ssp);
+ __ssp_disable_txwm(ssp);
++ uart_port_unlock_irqrestore(&ssp->port, flags);
+ }
+
+ /**
diff --git a/queue-6.14/series b/queue-6.14/series
index fa45a98354..222b9960dd 100644
--- a/queue-6.14/series
+++ b/queue-6.14/series
@@ -142,3 +142,35 @@ usb-storage-quirk-for-adata-portable-hdd-ch94.patch
 scsi-improve-cdl-control.patch
 mei-me-add-panther-lake-h-did.patch
 mei-vsc-fix-fortify-panic-caused-by-invalid-counted_by-use.patch
+kvm-x86-explicitly-treat-routing-entry-type-changes-as-changes.patch
+kvm-x86-reset-irte-to-host-control-if-new-route-isn-t-postable.patch
+kvm-x86-take-irqfds.lock-when-adding-deleting-irq-bypass-producer.patch
+char-misc-register-chrdev-region-with-all-possible-minors.patch
+misc-microchip-pci1xxxx-fix-kernel-panic-during-irq-handler-registration.patch
+misc-microchip-pci1xxxx-fix-incorrect-irq-status-handling-during-ack.patch
+firmware-stratix10-svc-add-of_platform_default_populate.patch
+tty-require-cap_sys_admin-for-all-usages-of-tiocl_selmousereport.patch
+serial-msm-configure-correct-working-mode-before-starting-earlycon.patch
+serial-sifive-lock-port-in-startup-shutdown-callbacks.patch
+usb-serial-ftdi_sio-add-support-for-abacus-electrics-optical-probe.patch
+usb-serial-option-add-sierra-wireless-em9291.patch
+usb-serial-simple-add-owon-hds200-series-oscilloscope-support.patch
+xhci-limit-time-spent-with-xhc-interrupts-disabled-during-bus-resume.patch
+usb-xhci-fix-invalid-pointer-dereference-in-etron-workaround.patch
+usb-cdns3-fix-deadlock-when-using-ncm-gadget.patch
+usb-chipidea-ci_hdrc_imx-fix-usbmisc-handling.patch
+usb-chipidea-ci_hdrc_imx-fix-call-balance-of-regulator-routines.patch
+usb-chipidea-ci_hdrc_imx-implement-usb_phy_init-error-handling.patch
+usb-ohci-add-quirk-for-ls7a-ohci-controller-rev-0x02.patch
+usb-dwc3-gadget-check-that-event-count-does-not-exceed-event-buffer-length.patch
+usb-dwc3-xilinx-prevent-spike-in-reset-signal.patch
+usb-quirks-add-delay_init-quirk-for-silicon-motion-flash-drive.patch
+usb-quirks-add-delay-init-quirk-for-sandisk-3.2gen1-flash-drive.patch
+usb-vli-disk-crashes-if-lpm-is-used.patch
+usb-typec-class-fix-null-pointer-access.patch
+usb-typec-class-invalidate-usb-device-pointers-on-partner-unregistration.patch
+usb-typec-class-unlocked-on-error-in-typec_register_partner.patch
+usb-wdm-handle-io-errors-in-wdm_wwan_port_start.patch
+usb-wdm-close-race-between-wdm_open-and-wdm_wwan_port_stop.patch
+usb-wdm-wdm_wwan_port_tx_complete-mutex-in-atomic-context.patch
+usb-wdm-add-annotation.patch
diff --git a/queue-6.14/tty-require-cap_sys_admin-for-all-usages-of-tiocl_selmousereport.patch b/queue-6.14/tty-require-cap_sys_admin-for-all-usages-of-tiocl_selmousereport.patch
new file mode 100644
index 0000000000..10a64c0f5c
--- /dev/null
+++ b/queue-6.14/tty-require-cap_sys_admin-for-all-usages-of-tiocl_selmousereport.patch
@@ -0,0 +1,138 @@ +From ee6a44da3c87cf64d67dd02be8c0127a5bf56175 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Noack?= +Date: Fri, 11 Apr 2025 09:01:45 +0200 +Subject: tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Günther Noack + +commit ee6a44da3c87cf64d67dd02be8c0127a5bf56175 upstream. + +This requirement was overeagerly loosened in commit 2f83e38a095f +("tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN"), but as +it turns out, + + (1) the logic I implemented there was inconsistent (apologies!), + + (2) TIOCL_SELMOUSEREPORT might actually be a small security risk + after all, and + + (3) TIOCL_SELMOUSEREPORT is only meant to be used by the mouse + daemon (GPM or Consolation), which runs as CAP_SYS_ADMIN + already. + +In more detail: + +1. The previous patch has inconsistent logic: + + In commit 2f83e38a095f ("tty: Permit some TIOCL_SETSEL modes + without CAP_SYS_ADMIN"), we checked for sel_mode == + TIOCL_SELMOUSEREPORT, but overlooked that the lower four bits of + this "mode" parameter were actually used as an additional way to + pass an argument. So the patch did actually still require + CAP_SYS_ADMIN, if any of the mouse button bits are set, but did not + require it if none of the mouse buttons bits are set. + + This logic is inconsistent and was not intentional. We should have + the same policies for using TIOCL_SELMOUSEREPORT independent of the + value of the "hidden" mouse button argument. + + I sent a separate documentation patch to the man page list with + more details on TIOCL_SELMOUSEREPORT: + https://lore.kernel.org/all/20250223091342.35523-2-gnoack3000@gmail.com/ + +2. TIOCL_SELMOUSEREPORT is indeed a potential security risk which can + let an attacker simulate "keyboard" input to command line + applications on the same terminal, like TIOCSTI and some other + TIOCLINUX "selection mode" IOCTLs. 
+ + By enabling mouse reporting on a terminal and then injecting mouse + reports through TIOCL_SELMOUSEREPORT, an attacker can simulate + mouse movements on the same terminal, similar to the TIOCSTI + keystroke injection attacks that were previously possible with + TIOCSTI and other TIOCL_SETSEL selection modes. + + Many programs (including libreadline/bash) are then prone to + misinterpret these mouse reports as normal keyboard input because + they do not expect input in the X11 mouse protocol form. The + attacker does not have complete control over the escape sequence, + but they can at least control the values of two consecutive bytes + in the binary mouse reporting escape sequence. + + I went into more detail on that in the discussion at + https://lore.kernel.org/all/20250221.0a947528d8f3@gnoack.org/ + + It is not equally trivial to simulate arbitrary keystrokes as it + was with TIOCSTI (commit 83efeeeb3d04 ("tty: Allow TIOCSTI to be + disabled")), but the general mechanism is there, and together with + the small number of existing legit use cases (see below), it would + be better to revert back to requiring CAP_SYS_ADMIN for + TIOCL_SELMOUSEREPORT, as it was already the case before + commit 2f83e38a095f ("tty: Permit some TIOCL_SETSEL modes without + CAP_SYS_ADMIN"). + +3. TIOCL_SELMOUSEREPORT is only used by the mouse daemons (GPM or + Consolation), and they are the only legit use case: + + To quote console_codes(4): + + The mouse tracking facility is intended to return + xterm(1)-compatible mouse status reports. Because the console + driver has no way to know the device or type of the mouse, these + reports are returned in the console input stream only when the + virtual terminal driver receives a mouse update ioctl. These + ioctls must be generated by a mouse-aware user-mode application + such as the gpm(8) daemon. 
+ + Jared Finder has also confirmed in + https://lore.kernel.org/all/491f3df9de6593df8e70dbe77614b026@finder.org/ + that Emacs does not call TIOCL_SELMOUSEREPORT directly, and it + would be difficult to find good reasons for doing that, given that + it would interfere with the reports that GPM is sending. + + More information on the interaction between GPM, terminals and the + kernel with additional pointers is also available in this patch: + https://lore.kernel.org/all/a773e48920aa104a65073671effbdee665c105fc.1603963593.git.tammo.block@gmail.com/ + + For background on who else uses TIOCL_SELMOUSEREPORT: Debian Code + search finds one page of results, the only two known callers are + the two mouse daemons GPM and Consolation. (GPM does not show up + in the search results because it uses literal numbers to refer to + TIOCLINUX-related enums. I looked through GPM by hand instead. + TIOCL_SELMOUSEREPORT is also not used from libgpm.) + https://codesearch.debian.net/search?q=TIOCL_SELMOUSEREPORT + +Cc: Jared Finder +Cc: Jann Horn +Cc: Hanno Böck +Cc: Jiri Slaby +Cc: Kees Cook +Cc: stable +Fixes: 2f83e38a095f ("tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN") +Signed-off-by: Günther Noack +Link: https://lore.kernel.org/r/20250411070144.3959-2-gnoack3000@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/vt/selection.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/tty/vt/selection.c ++++ b/drivers/tty/vt/selection.c +@@ -193,13 +193,12 @@ int set_selection_user(const struct tioc + return -EFAULT; + + /* +- * TIOCL_SELCLEAR, TIOCL_SELPOINTER and TIOCL_SELMOUSEREPORT are OK to +- * use without CAP_SYS_ADMIN as they do not modify the selection. ++ * TIOCL_SELCLEAR and TIOCL_SELPOINTER are OK to use without ++ * CAP_SYS_ADMIN as they do not modify the selection. + */ + switch (v.sel_mode) { + case TIOCL_SELCLEAR: + case TIOCL_SELPOINTER: +- case TIOCL_SELMOUSEREPORT: + break; + default: + if (!capable(CAP_SYS_ADMIN)) 
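Review bot: The rewritten comment above `switch (v.sel_mode)` in set_selection_user() lists the modes that are exempt from CAP_SYS_ADMIN but does not say why TIOCL_SELMOUSEREPORT is left out, so the reasoning lives only in the commit description. I would add a sentence to that comment along the lines of `TIOCL_SELMOUSEREPORT is deliberately not listed: it puts mouse reports into the console input stream and carries button bits in the low four bits of sel_mode.` That records both reasons given in the description, the input-injection concern and the hidden argument that made the earlier equality test inconsistent. The function continues past the end of the hunk, so the rest of the capability check is not visible here.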
diff --git a/queue-6.14/usb-cdns3-fix-deadlock-when-using-ncm-gadget.patch b/queue-6.14/usb-cdns3-fix-deadlock-when-using-ncm-gadget.patch new file mode 100644 index 0000000000..d0857143dc --- /dev/null +++ b/queue-6.14/usb-cdns3-fix-deadlock-when-using-ncm-gadget.patch @@ -0,0 +1,48 @@ +From a1059896f2bfdcebcdc7153c3be2307ea319501f Mon Sep 17 00:00:00 2001 +From: Ralph Siemsen +Date: Tue, 18 Mar 2025 11:09:32 -0400 +Subject: usb: cdns3: Fix deadlock when using NCM gadget + +From: Ralph Siemsen + +commit a1059896f2bfdcebcdc7153c3be2307ea319501f upstream. + +The cdns3 driver has the same NCM deadlock as fixed in cdnsp by commit +58f2fcb3a845 ("usb: cdnsp: Fix deadlock issue during using NCM gadget"). + +Under PREEMPT_RT the deadlock can be readily triggered by heavy network +traffic, for example using "iperf --bidir" over NCM ethernet link. + +The deadlock occurs because the threaded interrupt handler gets +preempted by a softirq, but both are protected by the same spinlock. +Prevent deadlock by disabling softirq during threaded irq handler. + +Cc: stable +Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver") +Signed-off-by: Ralph Siemsen +Acked-by: Peter Chen +Reviewed-by: Sebastian Andrzej Siewior +Link: https://lore.kernel.org/r/20250318-rfs-cdns3-deadlock-v2-1-bfd9cfcee732@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/cdns3-gadget.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/cdns3/cdns3-gadget.c ++++ b/drivers/usb/cdns3/cdns3-gadget.c +@@ -1963,6 +1963,7 @@ static irqreturn_t cdns3_device_thread_i + unsigned int bit; + unsigned long reg; + ++ local_bh_disable(); + spin_lock_irqsave(&priv_dev->lock, flags); + + reg = readl(&priv_dev->regs->usb_ists); +@@ -2004,6 +2005,7 @@ static irqreturn_t cdns3_device_thread_i + irqend: + writel(~0, &priv_dev->regs->ep_ien); + spin_unlock_irqrestore(&priv_dev->lock, flags); ++ local_bh_enable(); + + return ret; + } 
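Review bot: The `local_bh_disable()` added ahead of `spin_lock_irqsave(&priv_dev->lock, flags)` in cdns3_device_thread_irq_handler() carries no comment, and without the description's PREEMPT_RT context it looks redundant next to an irqsave lock. A one-line comment such as `/* keep softirqs that take priv_dev->lock from preempting this thread (PREEMPT_RT) */` would stop it being removed as dead weight later. The matching `local_bh_enable()` sits after `spin_unlock_irqrestore()`, and that order should be kept. Most of the handler's body lies outside the two hunks.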
diff --git a/queue-6.14/usb-chipidea-ci_hdrc_imx-fix-call-balance-of-regulator-routines.patch b/queue-6.14/usb-chipidea-ci_hdrc_imx-fix-call-balance-of-regulator-routines.patch new file mode 100644 index 0000000000..de6c20c238 --- /dev/null +++ b/queue-6.14/usb-chipidea-ci_hdrc_imx-fix-call-balance-of-regulator-routines.patch 
@@ -0,0 +1,92 @@ +From 8cab0e9a3f3e8d700179e0d6141643d54a267fd5 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Sun, 16 Mar 2025 13:26:55 +0300 +Subject: usb: chipidea: ci_hdrc_imx: fix call balance of regulator routines + +From: Fedor Pchelkin + +commit 8cab0e9a3f3e8d700179e0d6141643d54a267fd5 upstream. + +Upon encountering errors during the HSIC pinctrl handling section the +regulator should be disabled. + +Use devm_add_action_or_reset() to let the regulator-disabling routine be +handled by device resource management stack. + +Found by Linux Verification Center (linuxtesting.org). + +Fixes: 4d6141288c33 ("usb: chipidea: imx: pinctrl for HSIC is optional") +Cc: stable +Signed-off-by: Fedor Pchelkin +Acked-by: Peter Chen +Link: https://lore.kernel.org/r/20250316102658.490340-3-pchelkin@ispras.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/ci_hdrc_imx.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +--- a/drivers/usb/chipidea/ci_hdrc_imx.c ++++ b/drivers/usb/chipidea/ci_hdrc_imx.c +@@ -336,6 +336,13 @@ static int ci_hdrc_imx_notify_event(stru + return ret; + } + ++static void ci_hdrc_imx_disable_regulator(void *arg) ++{ ++ struct ci_hdrc_imx_data *data = arg; ++ ++ regulator_disable(data->hsic_pad_regulator); ++} ++ + static int ci_hdrc_imx_probe(struct platform_device *pdev) + { + struct ci_hdrc_imx_data *data; +@@ -394,6 +401,13 @@ static int ci_hdrc_imx_probe(struct plat + "Failed to enable HSIC pad regulator\n"); + goto err_put; + } ++ ret = devm_add_action_or_reset(dev, ++ ci_hdrc_imx_disable_regulator, data); ++ if (ret) { ++ dev_err(dev, ++ "Failed to add regulator devm action\n"); ++ goto err_put; ++ } + } + } + +@@ -432,11 +446,11 @@ static int ci_hdrc_imx_probe(struct plat + + ret = imx_get_clks(dev); + if (ret) +- goto disable_hsic_regulator; ++ goto qos_remove_request; + + ret = imx_prepare_enable_clks(dev); + if (ret) +- goto disable_hsic_regulator; ++ goto qos_remove_request; + + ret = 
clk_prepare_enable(data->clk_wakeup); + if (ret) +@@ -526,10 +540,7 @@ err_clk: + clk_disable_unprepare(data->clk_wakeup); + err_wakeup_clk: + imx_disable_unprepare_clks(dev); +-disable_hsic_regulator: +- if (data->hsic_pad_regulator) +- /* don't overwrite original ret (cf. EPROBE_DEFER) */ +- regulator_disable(data->hsic_pad_regulator); ++qos_remove_request: + if (pdata.flags & CI_HDRC_PMQOS) + cpu_latency_qos_remove_request(&data->pm_qos_req); + data->ci_pdev = NULL; +@@ -557,8 +568,6 @@ static void ci_hdrc_imx_remove(struct pl + clk_disable_unprepare(data->clk_wakeup); + if (data->plat_data->flags & CI_HDRC_PMQOS) + cpu_latency_qos_remove_request(&data->pm_qos_req); +- if (data->hsic_pad_regulator) +- regulator_disable(data->hsic_pad_regulator); + } + if (data->usbmisc_data) + put_device(data->usbmisc_data->dev); diff --git a/queue-6.14/usb-chipidea-ci_hdrc_imx-fix-usbmisc-handling.patch b/queue-6.14/usb-chipidea-ci_hdrc_imx-fix-usbmisc-handling.patch new file mode 100644 index 0000000000..1f6892a8e4 --- /dev/null +++ b/queue-6.14/usb-chipidea-ci_hdrc_imx-fix-usbmisc-handling.patch 
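Review bot: The new ci_hdrc_imx_disable_regulator() helper is undocumented, yet after this change it is the only place the HSIC pad regulator is disabled: the `disable_hsic_regulator:` label and the call in ci_hdrc_imx_remove() are both gone. A later explicit `regulator_disable()` on an error path would unbalance the enable count again, so I would put a comment on the helper, e.g. `/* devm action: sole disable of hsic_pad_regulator; do not disable it in probe error paths or remove() */`. The helper also discards the return value of `regulator_disable()`, as the removed code did, so a failed disable stays silent. ci_hdrc_imx_probe() and ci_hdrc_imx_remove() both extend beyond the hunks shown.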
@@ -0,0 +1,49 @@ +From 4e28f79e3dffa52d327b46d1a78dac16efb5810b Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Sun, 16 Mar 2025 13:26:54 +0300 +Subject: usb: chipidea: ci_hdrc_imx: fix usbmisc handling + +From: Fedor Pchelkin + +commit 4e28f79e3dffa52d327b46d1a78dac16efb5810b upstream. + +usbmisc is an optional device property so it is totally valid for the +corresponding data->usbmisc_data to have a NULL value. + +Check that before dereferencing the pointer. + +Found by Linux Verification Center (linuxtesting.org) with Svace static +analysis tool. + +Fixes: 74adad500346 ("usb: chipidea: ci_hdrc_imx: decrement device's refcount in .remove() and in the error path of .probe()") +Cc: stable +Signed-off-by: Fedor Pchelkin +Acked-by: Peter Chen +Link: https://lore.kernel.org/r/20250316102658.490340-2-pchelkin@ispras.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/ci_hdrc_imx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/usb/chipidea/ci_hdrc_imx.c ++++ b/drivers/usb/chipidea/ci_hdrc_imx.c +@@ -534,7 +534,8 @@ disable_hsic_regulator: + cpu_latency_qos_remove_request(&data->pm_qos_req); + data->ci_pdev = NULL; + err_put: +- put_device(data->usbmisc_data->dev); ++ if (data->usbmisc_data) ++ put_device(data->usbmisc_data->dev); + return ret; + } + +@@ -559,7 +560,8 @@ static void ci_hdrc_imx_remove(struct pl + if (data->hsic_pad_regulator) + regulator_disable(data->hsic_pad_regulator); + } +- put_device(data->usbmisc_data->dev); ++ if (data->usbmisc_data) ++ put_device(data->usbmisc_data->dev); + } + + static void ci_hdrc_imx_shutdown(struct platform_device *pdev) diff --git a/queue-6.14/usb-chipidea-ci_hdrc_imx-implement-usb_phy_init-error-handling.patch b/queue-6.14/usb-chipidea-ci_hdrc_imx-implement-usb_phy_init-error-handling.patch new file mode 100644 index 0000000000..b306526db3 --- /dev/null +++ b/queue-6.14/usb-chipidea-ci_hdrc_imx-implement-usb_phy_init-error-handling.patch 
@@ -0,0 +1,68 @@ +From 8c531e0a8c2d82509ad97c6d3a1e6217c7ed136d Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Sun, 16 Mar 2025 13:26:56 +0300 +Subject: usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling + +From: Fedor Pchelkin + +commit 8c531e0a8c2d82509ad97c6d3a1e6217c7ed136d upstream. + +usb_phy_init() may return an error code if e.g. its implementation fails +to prepare/enable some clocks. And properly rollback on probe error path +by calling the counterpart usb_phy_shutdown(). + +Found by Linux Verification Center (linuxtesting.org). + +Fixes: be9cae2479f4 ("usb: chipidea: imx: Fix ULPI on imx53") +Cc: stable +Signed-off-by: Fedor Pchelkin +Acked-by: Peter Chen +Link: https://lore.kernel.org/r/20250316102658.490340-4-pchelkin@ispras.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/ci_hdrc_imx.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/usb/chipidea/ci_hdrc_imx.c ++++ b/drivers/usb/chipidea/ci_hdrc_imx.c +@@ -484,7 +484,11 @@ static int ci_hdrc_imx_probe(struct plat + of_usb_get_phy_mode(np) == USBPHY_INTERFACE_MODE_ULPI) { + pdata.flags |= CI_HDRC_OVERRIDE_PHY_CONTROL; + data->override_phy_control = true; +- usb_phy_init(pdata.usb_phy); ++ ret = usb_phy_init(pdata.usb_phy); ++ if (ret) { ++ dev_err(dev, "Failed to init phy\n"); ++ goto err_clk; ++ } + } + + if (pdata.flags & CI_HDRC_SUPPORTS_RUNTIME_PM) +@@ -493,7 +497,7 @@ static int ci_hdrc_imx_probe(struct plat + ret = imx_usbmisc_init(data->usbmisc_data); + if (ret) { + dev_err(dev, "usbmisc init failed, ret=%d\n", ret); +- goto err_clk; ++ goto phy_shutdown; + } + + data->ci_pdev = ci_hdrc_add_device(dev, +@@ -502,7 +506,7 @@ static int ci_hdrc_imx_probe(struct plat + if (IS_ERR(data->ci_pdev)) { + ret = PTR_ERR(data->ci_pdev); + dev_err_probe(dev, ret, "ci_hdrc_add_device failed\n"); +- goto err_clk; ++ goto phy_shutdown; + } + + if (data->usbmisc_data) { +@@ -536,6 +540,9 @@ static int ci_hdrc_imx_probe(struct plat + + 
disable_device: + ci_hdrc_remove_device(data->ci_pdev); ++phy_shutdown: ++ if (data->override_phy_control) ++ usb_phy_shutdown(data->phy); + err_clk: + clk_disable_unprepare(data->clk_wakeup); + err_wakeup_clk: diff --git a/queue-6.14/usb-dwc3-gadget-check-that-event-count-does-not-exceed-event-buffer-length.patch b/queue-6.14/usb-dwc3-gadget-check-that-event-count-does-not-exceed-event-buffer-length.patch new file mode 100644 index 0000000000..ef600d0b58 --- /dev/null +++ b/queue-6.14/usb-dwc3-gadget-check-that-event-count-does-not-exceed-event-buffer-length.patch 
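Review bot: The new error handling in ci_hdrc_imx_probe() initialises `pdata.usb_phy` but shuts down `data->phy` under the `phy_shutdown:` label. The two are presumably the same pointer, assigned outside the hunk, but using one name for both calls would make the pairing checkable at a glance. The added message also omits the error code that the neighbouring `usbmisc init failed, ret=%d` message prints; I would write `dev_err(dev, "Failed to init phy, ret=%d\n", ret);`. The probe function starts and ends outside these hunks.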
@@ -0,0 +1,49 @@ +From 63ccd26cd1f6600421795f6ca3e625076be06c9f Mon Sep 17 00:00:00 2001 +From: Frode Isaksen +Date: Thu, 3 Apr 2025 09:28:03 +0200 +Subject: usb: dwc3: gadget: check that event count does not exceed event buffer length + +From: Frode Isaksen + +commit 63ccd26cd1f6600421795f6ca3e625076be06c9f upstream. + +The event count is read from register DWC3_GEVNTCOUNT. +There is a check for the count being zero, but not for exceeding the +event buffer length. +Check that event count does not exceed event buffer length, +avoiding an out-of-bounds access when memcpy'ing the event. +Crash log: +Unable to handle kernel paging request at virtual address ffffffc0129be000 +pc : __memcpy+0x114/0x180 +lr : dwc3_check_event_buf+0xec/0x348 +x3 : 0000000000000030 x2 : 000000000000dfc4 +x1 : ffffffc0129be000 x0 : ffffff87aad60080 +Call trace: +__memcpy+0x114/0x180 +dwc3_interrupt+0x24/0x34 + +Signed-off-by: Frode Isaksen +Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") +Cc: stable +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20250403072907.448524-1-fisaksen@baylibre.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -4564,6 +4564,12 @@ static irqreturn_t dwc3_check_event_buf( + if (!count) + return IRQ_NONE; + ++ if (count > evt->length) { ++ dev_err_ratelimited(dwc->dev, "invalid count(%u) > evt->length(%u)\n", ++ count, evt->length); ++ return IRQ_NONE; ++ } ++ + evt->count = count; + evt->flags |= DWC3_EVENT_PENDING; + diff --git a/queue-6.14/usb-dwc3-xilinx-prevent-spike-in-reset-signal.patch b/queue-6.14/usb-dwc3-xilinx-prevent-spike-in-reset-signal.patch new file mode 100644 index 0000000000..36b4e8da90 --- /dev/null +++ b/queue-6.14/usb-dwc3-xilinx-prevent-spike-in-reset-signal.patch 
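Review bot: The new `count > evt->length` guard in dwc3_check_event_buf() would benefit from a comment stating that count is read from the controller's event-count register and is bounded here before it is stored in `evt->count`, for example `/* count comes from hardware; never trust it beyond the event buffer size */`. Separately, this path returns IRQ_NONE without touching the device. The hunk does not show whether the pending count is acknowledged or the interrupt masked in that case, so it is worth confirming that a controller which keeps reporting an oversized count cannot keep re-raising the interrupt. The function starts and ends outside the hunk.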
@@ -0,0 +1,72 @@ +From 38d6e60b6f3a99f8f13bee22eab616136c2c0675 Mon Sep 17 00:00:00 2001 +From: Mike Looijmans +Date: Tue, 18 Mar 2025 07:44:52 +0100 +Subject: usb: dwc3: xilinx: Prevent spike in reset signal + +From: Mike Looijmans + +commit 38d6e60b6f3a99f8f13bee22eab616136c2c0675 upstream. + +The "reset" GPIO controls the RESET signal to an external, usually +ULPI PHY, chip. The original code path acquires the signal in LOW +state, and then immediately asserts it HIGH again, if the reset +signal defaulted to asserted, there'd be a short "spike" before the +reset. + +Here is what happens depending on the pre-existing state of the reset +signal: +Reset (previously asserted): ~~~|_|~~~~|_______ +Reset (previously deasserted): _____|~~~~|_______ + ^ ^ ^ + A B C + +At point A, the low going transition is because the reset line is +requested using GPIOD_OUT_LOW. If the line is successfully requested, +the first thing we do is set it high _without_ any delay. This is +point B. So, a glitch occurs between A and B. + +Requesting the line using GPIOD_OUT_HIGH eliminates the A and B +transitions. Instead we get: + +Reset (previously asserted) : ~~~~~~~~~~|______ +Reset (previously deasserted): ____|~~~~~|______ + ^ ^ + A C + +Where A and C are the points described above in the code. Point B +has been eliminated. + +The issue was found during code inspection. + +Also remove the cryptic "toggle ulpi .." comment. 
+ +Fixes: ca05b38252d7 ("usb: dwc3: xilinx: Add gpio-reset support") +Cc: stable +Signed-off-by: Mike Looijmans +Reviewed-by: Radhey Shyam Pandey +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20250318064518.9320-1-mike.looijmans@topic.nl +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-xilinx.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/usb/dwc3/dwc3-xilinx.c ++++ b/drivers/usb/dwc3/dwc3-xilinx.c +@@ -207,15 +207,13 @@ static int dwc3_xlnx_init_zynqmp(struct + + skip_usb3_phy: + /* ulpi reset via gpio-modepin or gpio-framework driver */ +- reset_gpio = devm_gpiod_get_optional(dev, "reset", GPIOD_OUT_LOW); ++ reset_gpio = devm_gpiod_get_optional(dev, "reset", GPIOD_OUT_HIGH); + if (IS_ERR(reset_gpio)) { + return dev_err_probe(dev, PTR_ERR(reset_gpio), + "Failed to request reset GPIO\n"); + } + + if (reset_gpio) { +- /* Toggle ulpi to reset the phy. */ +- gpiod_set_value_cansleep(reset_gpio, 1); + usleep_range(5000, 10000); + gpiod_set_value_cansleep(reset_gpio, 0); + usleep_range(5000, 10000); diff --git a/queue-6.14/usb-ohci-add-quirk-for-ls7a-ohci-controller-rev-0x02.patch b/queue-6.14/usb-ohci-add-quirk-for-ls7a-ohci-controller-rev-0x02.patch new file mode 100644 index 0000000000..2cbc5b3998 --- /dev/null +++ b/queue-6.14/usb-ohci-add-quirk-for-ls7a-ohci-controller-rev-0x02.patch 
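Review bot: With the "Toggle ulpi" comment removed, the `if (reset_gpio)` block in dwc3_xlnx_init_zynqmp() now opens with a bare `usleep_range(5000, 10000)`, and nothing says the line is already asserted at that point. I would add `/* line was requested asserted (GPIOD_OUT_HIGH); hold reset, then release */` above the first sleep, so the dependency on the request flag is visible to whoever next edits either line. The function continues beyond the hunk.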
@@ -0,0 +1,67 @@ +From bcb60d438547355b8f9ad48645909139b64d3482 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Fri, 28 Mar 2025 12:00:59 +0800 +Subject: USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) + +From: Huacai Chen + +commit bcb60d438547355b8f9ad48645909139b64d3482 upstream. + +The OHCI controller (rev 0x02) under LS7A PCI host has a hardware flaw. +MMIO register with offset 0x60/0x64 is treated as legacy PS2-compatible +keyboard/mouse interface, which confuse the OHCI controller. Since OHCI +only use a 4KB BAR resource indeed, the LS7A OHCI controller's 32KB BAR +is wrapped around (the second 4KB BAR space is the same as the first 4KB +internally). So we can add an 4KB offset (0x1000) to the OHCI registers +(from the PCI BAR resource) as a quirk. + +Cc: stable +Suggested-by: Bjorn Helgaas +Reviewed-by: Alan Stern +Tested-by: Mingcong Bai +Signed-off-by: Huacai Chen +Link: https://lore.kernel.org/r/20250328040059.3672979-1-chenhuacai@loongson.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/ohci-pci.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/drivers/usb/host/ohci-pci.c ++++ b/drivers/usb/host/ohci-pci.c +@@ -165,6 +165,25 @@ static int ohci_quirk_amd700(struct usb_ + return 0; + } + ++static int ohci_quirk_loongson(struct usb_hcd *hcd) ++{ ++ struct pci_dev *pdev = to_pci_dev(hcd->self.controller); ++ ++ /* ++ * Loongson's LS7A OHCI controller (rev 0x02) has a ++ * flaw. MMIO register with offset 0x60/64 is treated ++ * as legacy PS2-compatible keyboard/mouse interface. ++ * Since OHCI only use 4KB BAR resource, LS7A OHCI's ++ * 32KB BAR is wrapped around (the 2nd 4KB BAR space ++ * is the same as the 1st 4KB internally). So add 4KB ++ * offset (0x1000) to the OHCI registers as a quirk. 
++ */ ++ if (pdev->revision == 0x2) ++ hcd->regs += SZ_4K; /* SZ_4K = 0x1000 */ ++ ++ return 0; ++} ++ + static int ohci_quirk_qemu(struct usb_hcd *hcd) + { + struct ohci_hcd *ohci = hcd_to_ohci(hcd); +@@ -225,6 +244,10 @@ static const struct pci_device_id ohci_p + .driver_data = (unsigned long)ohci_quirk_amd700, + }, + { ++ PCI_DEVICE(PCI_VENDOR_ID_LOONGSON, 0x7a24), ++ .driver_data = (unsigned long)ohci_quirk_loongson, ++ }, ++ { + .vendor = PCI_VENDOR_ID_APPLE, + .device = 0x003f, + .subvendor = PCI_SUBVENDOR_ID_REDHAT_QUMRANET, diff --git a/queue-6.14/usb-quirks-add-delay-init-quirk-for-sandisk-3.2gen1-flash-drive.patch b/queue-6.14/usb-quirks-add-delay-init-quirk-for-sandisk-3.2gen1-flash-drive.patch new file mode 100644 index 0000000000..3017a190de --- /dev/null +++ b/queue-6.14/usb-quirks-add-delay-init-quirk-for-sandisk-3.2gen1-flash-drive.patch 
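Review bot: `hcd->regs += SZ_4K` in ohci_quirk_loongson() is not idempotent and is not checked against the size of the mapped resource. If the quirk can run more than once for the same hcd (its call site is outside the hunk), the base would move a further 4KB each time. The adjustment also relies on the BAR being larger than 4KB, as the description states. A guard such as `if (pdev->revision == 0x2 && hcd->rsrc_len >= 2 * SZ_4K)` would keep the shifted register window inside the resource, assuming rsrc_len reflects the mapped BAR on this path. The block comment could also note the single-call assumption.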
@@ -0,0 +1,37 @@ +From 37ffdbd695c02189dbf23d6e7d2385e0299587ca Mon Sep 17 00:00:00 2001 +From: Miao Li +Date: Mon, 14 Apr 2025 14:29:35 +0800 +Subject: usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive + +From: Miao Li + +commit 37ffdbd695c02189dbf23d6e7d2385e0299587ca upstream. + +The SanDisk 3.2Gen1 Flash Drive, which VID:PID is in 0781:55a3, +just like Silicon Motion Flash Drive: +https://lore.kernel.org/r/20250401023027.44894-1-limiao870622@163.com +also needs the DELAY_INIT quirk, or it will randomly work incorrectly +(e.g.: lsusb and can't list this device info) when connecting Huawei +hisi platforms and doing thousand of reboot test circles. + +Cc: stable +Signed-off-by: Miao Li +Signed-off-by: Lei Huang +Link: https://lore.kernel.org/r/20250414062935.159024-1-limiao870622@163.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -369,6 +369,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x0781, 0x5583), .driver_info = USB_QUIRK_NO_LPM }, + { USB_DEVICE(0x0781, 0x5591), .driver_info = USB_QUIRK_NO_LPM }, + ++ /* SanDisk Corp. SanDisk 3.2Gen1 */ ++ { USB_DEVICE(0x0781, 0x55a3), .driver_info = USB_QUIRK_DELAY_INIT }, ++ + /* Realforce 87U Keyboard */ + { USB_DEVICE(0x0853, 0x011b), .driver_info = USB_QUIRK_NO_LPM }, + diff --git a/queue-6.14/usb-quirks-add-delay_init-quirk-for-silicon-motion-flash-drive.patch b/queue-6.14/usb-quirks-add-delay_init-quirk-for-silicon-motion-flash-drive.patch new file mode 100644 index 0000000000..7adcf8a35c --- /dev/null +++ b/queue-6.14/usb-quirks-add-delay_init-quirk-for-silicon-motion-flash-drive.patch 
@@ -0,0 +1,34 @@ +From 2932b6b547ec36ad2ed60fbf2117c0e46bb7d40a Mon Sep 17 00:00:00 2001 +From: Miao Li +Date: Tue, 1 Apr 2025 10:30:27 +0800 +Subject: usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive + +From: Miao Li + +commit 2932b6b547ec36ad2ed60fbf2117c0e46bb7d40a upstream. + +Silicon Motion Flash Drive connects to Huawei hisi platforms and +performs a system reboot test for two thousand circles, it will +randomly work incorrectly on boot, set DELAY_INIT quirk can workaround +this issue. + +Signed-off-by: Miao Li +Cc: stable +Link: https://lore.kernel.org/r/20250401023027.44894-1-limiao870622@163.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -383,6 +383,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x0904, 0x6103), .driver_info = + USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL }, + ++ /* Silicon Motion Flash Drive */ ++ { USB_DEVICE(0x090c, 0x1000), .driver_info = USB_QUIRK_DELAY_INIT }, ++ + /* Sound Devices USBPre2 */ + { USB_DEVICE(0x0926, 0x0202), .driver_info = + USB_QUIRK_ENDPOINT_IGNORE }, diff --git a/queue-6.14/usb-serial-ftdi_sio-add-support-for-abacus-electrics-optical-probe.patch b/queue-6.14/usb-serial-ftdi_sio-add-support-for-abacus-electrics-optical-probe.patch new file mode 100644 index 0000000000..6f9207c854 --- /dev/null +++ b/queue-6.14/usb-serial-ftdi_sio-add-support-for-abacus-electrics-optical-probe.patch 
@@ -0,0 +1,50 @@ +From b399078f882b6e5d32da18b6c696cc84b12f90d5 Mon Sep 17 00:00:00 2001 +From: Michael Ehrenreich +Date: Mon, 17 Mar 2025 06:17:15 +0100 +Subject: USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe + +From: Michael Ehrenreich + +commit b399078f882b6e5d32da18b6c696cc84b12f90d5 upstream. + +Abacus Electrics makes optical probes for interacting with smart meters +over an optical interface. + +At least one version uses an FT232B chip (as detected by ftdi_sio) with +a custom USB PID, which needs to be added to the list to make the device +work in a plug-and-play fashion. + +Signed-off-by: Michael Ehrenreich +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/ftdi_sio.c | 2 ++ + drivers/usb/serial/ftdi_sio_ids.h | 5 +++++ + 2 files changed, 7 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1093,6 +1093,8 @@ static const struct usb_device_id id_tab + { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_602E_PID, 1) }, + { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_602E_PID, 2) }, + { USB_DEVICE_INTERFACE_NUMBER(ALTERA_VID, ALTERA_UB3_602E_PID, 3) }, ++ /* Abacus Electrics */ ++ { USB_DEVICE(FTDI_VID, ABACUS_OPTICAL_PROBE_PID) }, + { } /* Terminating entry */ + }; + +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -443,6 +443,11 @@ + #define LINX_FUTURE_2_PID 0xF44C /* Linx future device */ + + /* ++ * Abacus Electrics ++ */ ++#define ABACUS_OPTICAL_PROBE_PID 0xf458 /* ABACUS ELECTRICS Optical Probe */ ++ ++/* + * Oceanic product ids + */ + #define FTDI_OCEANIC_PID 0xF460 /* Oceanic dive instrument */ diff --git a/queue-6.14/usb-serial-option-add-sierra-wireless-em9291.patch b/queue-6.14/usb-serial-option-add-sierra-wireless-em9291.patch new file mode 100644 index 0000000000..c28dcccce8 --- /dev/null +++ b/queue-6.14/usb-serial-option-add-sierra-wireless-em9291.patch 
@@ -0,0 +1,63 @@ +From 968e1cbb1f6293c3add9607f80b5ce3d29f57583 Mon Sep 17 00:00:00 2001 +From: Adam Xue +Date: Mon, 14 Apr 2025 14:14:37 -0700 +Subject: USB: serial: option: add Sierra Wireless EM9291 + +From: Adam Xue + +commit 968e1cbb1f6293c3add9607f80b5ce3d29f57583 upstream. + +Add Sierra Wireless EM9291. + +Interface 0: MBIM control + 1: MBIM data + 3: AT port + 4: Diagnostic port + +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1199 ProdID=90e3 Rev=00.06 +S: Manufacturer=Sierra Wireless, Incorporated +S: Product=Sierra Wireless EM9291 +S: SerialNumber=xxxxxxxxxxxxxxxx +C: #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=(none) +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) 
Sub=ff Prot=30 Driver=(none) +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Adam Xue +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -611,6 +611,7 @@ static void option_instat_callback(struc + /* Sierra Wireless products */ + #define SIERRA_VENDOR_ID 0x1199 + #define SIERRA_PRODUCT_EM9191 0x90d3 ++#define SIERRA_PRODUCT_EM9291 0x90e3 + + /* UNISOC (Spreadtrum) products */ + #define UNISOC_VENDOR_ID 0x1782 +@@ -2432,6 +2433,8 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0xff, 0x30) }, + { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0, 0) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9291, 0xff, 0xff, 0x30) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9291, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, TOZED_PRODUCT_LT70C, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, LUAT_PRODUCT_AIR720U, 0xff, 0, 0) }, + { USB_DEVICE_INTERFACE_CLASS(0x1bbb, 0x0530, 0xff), /* TCL IK512 MBIM */ diff --git a/queue-6.14/usb-serial-simple-add-owon-hds200-series-oscilloscope-support.patch b/queue-6.14/usb-serial-simple-add-owon-hds200-series-oscilloscope-support.patch new file mode 100644 index 0000000000..40a104f760 --- /dev/null +++ b/queue-6.14/usb-serial-simple-add-owon-hds200-series-oscilloscope-support.patch 
@@ -0,0 +1,129 @@
+From 4cc01410e1c1dd075df10f750775c81d1cb6672b Mon Sep 17 00:00:00 2001
+From: Craig Hesling
+Date: Tue, 8 Apr 2025 16:27:03 -0700
+Subject: USB: serial: simple: add OWON HDS200 series oscilloscope support
+
+From: Craig Hesling
+
+commit 4cc01410e1c1dd075df10f750775c81d1cb6672b upstream.
+
+Add serial support for OWON HDS200 series oscilloscopes and likely
+many other pieces of OWON test equipment.
+
+OWON HDS200 series devices host two USB endpoints, designed to
+facilitate bidirectional SCPI. SCPI is a predominately ASCII text
+protocol for test/measurement equipment. Having a serial/tty interface
+for these devices lowers the barrier to entry for anyone trying to
+write programs to communicate with them.
+
+The following shows the USB descriptor for the OWON HDS272S running
+firmware V5.7.1:
+
+Bus 001 Device 068: ID 5345:1234 Owon PDS6062T Oscilloscope
+Negotiated speed: Full Speed (12Mbps)
+Device Descriptor:
+ bLength 18
+ bDescriptorType 1
+ bcdUSB 2.00
+ bDeviceClass 0 [unknown]
+ bDeviceSubClass 0 [unknown]
+ bDeviceProtocol 0
+ bMaxPacketSize0 64
+ idVendor 0x5345 Owon
+ idProduct 0x1234 PDS6062T Oscilloscope
+ bcdDevice 1.00
+ iManufacturer 1 oscilloscope
+ iProduct 2 oscilloscope
+ iSerial 3 oscilloscope
+ bNumConfigurations 1
+ Configuration Descriptor:
+ bLength 9
+ bDescriptorType 2
+ wTotalLength 0x0029
+ bNumInterfaces 1
+ bConfigurationValue 1
+ iConfiguration 0
+ bmAttributes 0x80
+ (Bus Powered)
+ MaxPower 100mA
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 0
+ bAlternateSetting 0
+ bNumEndpoints 2
+ bInterfaceClass 5 Physical Interface Device
+ bInterfaceSubClass 0 [unknown]
+ bInterfaceProtocol 0
+ iInterface 0
+ ** UNRECOGNIZED: 09 21 11 01 00 01 22 5f 00
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x81 EP 1 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0040 1x 64 bytes
+ bInterval 32
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x01 EP 1 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0040 1x 64 bytes
+ bInterval 32
+Device Status: 0x0000
+ (Bus Powered)
+
+OWON appears to be using the same USB Vendor and Product ID for many
+of their oscilloscopes. Looking at the discussion about the USB
+vendor/product ID, in the link bellow, suggests that this VID/PID is
+shared with VDS, SDS, PDS, and now the HDS series oscilloscopes.
+Available documentation for these devices seems to indicate that all
+use a similar SCPI protocol, some with RS232 options. It is likely that
+this same simple serial setup would work correctly for them all.
+
+Link: https://usb-ids.gowdy.us/read/UD/5345/1234
+Signed-off-by: Craig Hesling
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/usb-serial-simple.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/serial/usb-serial-simple.c
++++ b/drivers/usb/serial/usb-serial-simple.c
+@@ -100,6 +100,11 @@ DEVICE(nokia, NOKIA_IDS);
+ { USB_DEVICE(0x09d7, 0x0100) } /* NovAtel FlexPack GPS */
+ DEVICE_N(novatel_gps, NOVATEL_IDS, 3);
+
++/* OWON electronic test and measurement equipment driver */
++#define OWON_IDS() \
++ { USB_DEVICE(0x5345, 0x1234) } /* HDS200 oscilloscopes and others */
++DEVICE(owon, OWON_IDS);
++
+ /* Siemens USB/MPI adapter */
+ #define SIEMENS_IDS() \
+ { USB_DEVICE(0x908, 0x0004) }
+@@ -134,6 +139,7 @@ static struct usb_serial_driver * const
+ &motorola_tetra_device,
+ &nokia_device,
+ &novatel_gps_device,
++ &owon_device,
+ &siemens_mpi_device,
+ &suunto_device,
+ &vivopay_device,
+@@ -153,6 +159,7 @@ static const struct usb_device_id id_tab
+ MOTOROLA_TETRA_IDS(),
+ NOKIA_IDS(),
+ NOVATEL_IDS(),
++ OWON_IDS(),
+ SIEMENS_IDS(),
+ SUUNTO_IDS(),
+ VIVOPAY_IDS(),
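Review bot: The new `OWON_IDS()` entry in usb-serial-simple.c matches on `USB_DEVICE(0x5345, 0x1234)` alone, so the driver binds to every device reporting this pair, while the commit message shows a descriptor for one model only (HDS272S, firmware V5.7.1) and says the ID is shared with the VDS, SDS and PDS series. The trailing comment `/* HDS200 oscilloscopes and others */` hides that difference; I would record what was actually checked, e.g. `/* verified on HDS272S; VID/PID shared with VDS/SDS/PDS series (untested) */`. If any of the other series turn out to expose a different interface layout on this ID, narrowing the match by interface class would be the safer form, but the page gives no descriptors for them, so that is a question for the author rather than a required change.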
diff --git a/queue-6.14/usb-typec-class-fix-null-pointer-access.patch b/queue-6.14/usb-typec-class-fix-null-pointer-access.patch
new file mode 100644
index 0000000000..dd03ade91f
--- /dev/null
+++ b/queue-6.14/usb-typec-class-fix-null-pointer-access.patch
@@ -0,0 +1,122 @@
+From ec27386de23a511008c53aa2f3434ad180a3ca9a Mon Sep 17 00:00:00 2001
+From: Andrei Kuchynski
+Date: Fri, 21 Mar 2025 14:37:26 +0000
+Subject: usb: typec: class: Fix NULL pointer access
+
+From: Andrei Kuchynski
+
+commit ec27386de23a511008c53aa2f3434ad180a3ca9a upstream.
+
+Concurrent calls to typec_partner_unlink_device can lead to a NULL pointer
+dereference. This patch adds a mutex to protect USB device pointers and
+prevent this issue. The same mutex protects both the device pointers and
+the partner device registration.
+
+Cc: stable@vger.kernel.org
+Fixes: 59de2a56d127 ("usb: typec: Link enumerated USB devices with Type-C partner")
+Signed-off-by: Andrei Kuchynski
+Reviewed-by: Benson Leung
+Reviewed-by: Heikki Krogerus
+Link: https://lore.kernel.org/r/20250321143728.4092417-2-akuchynski@chromium.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/class.c | 15 +++++++++++++--
+ drivers/usb/typec/class.h | 1 +
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/typec/class.c
++++ b/drivers/usb/typec/class.c
+@@ -1052,6 +1052,7 @@ struct typec_partner *typec_register_par
+ partner->usb_mode = USB_MODE_USB3;
+ }
+
++ mutex_lock(&port->partner_link_lock);
+ ret = device_register(&partner->dev);
+ if (ret) {
+ dev_err(&port->dev, "failed to register partner (%d)\n", ret);
+@@ -1063,6 +1064,7 @@ struct typec_partner *typec_register_par
+ typec_partner_link_device(partner, port->usb2_dev);
+ if (port->usb3_dev)
+ typec_partner_link_device(partner, port->usb3_dev);
++ mutex_unlock(&port->partner_link_lock);
+
+ return partner;
+ }
+@@ -1083,12 +1085,14 @@ void typec_unregister_partner(struct typ
+
+ port = to_typec_port(partner->dev.parent);
+
++ mutex_lock(&port->partner_link_lock);
+ if (port->usb2_dev)
+ typec_partner_unlink_device(partner, port->usb2_dev);
+ if (port->usb3_dev)
+ typec_partner_unlink_device(partner, port->usb3_dev);
+
+ device_unregister(&partner->dev);
++ mutex_unlock(&port->partner_link_lock);
+ }
+ EXPORT_SYMBOL_GPL(typec_unregister_partner);
+
+@@ -2041,10 +2045,11 @@ static struct typec_partner *typec_get_p
+ static void typec_partner_attach(struct typec_connector *con, struct device *dev)
+ {
+ struct typec_port *port = container_of(con, struct typec_port, con);
+- struct typec_partner *partner = typec_get_partner(port);
++ struct typec_partner *partner;
+ struct usb_device *udev = to_usb_device(dev);
+ enum usb_mode usb_mode;
+
++ mutex_lock(&port->partner_link_lock);
+ if (udev->speed < USB_SPEED_SUPER) {
+ usb_mode = USB_MODE_USB2;
+ port->usb2_dev = dev;
+@@ -2053,18 +2058,22 @@ static void typec_partner_attach(struct
+ port->usb3_dev = dev;
+ }
+
++ partner = typec_get_partner(port);
+ if (partner) {
+ typec_partner_set_usb_mode(partner, usb_mode);
+ typec_partner_link_device(partner, dev);
+ put_device(&partner->dev);
+ }
++ mutex_unlock(&port->partner_link_lock);
+ }
+
+ static void typec_partner_deattach(struct typec_connector *con, struct device *dev)
+ {
+ struct typec_port *port = container_of(con, struct typec_port, con);
+- struct typec_partner *partner = typec_get_partner(port);
++ struct typec_partner *partner;
+
++ mutex_lock(&port->partner_link_lock);
++ partner = typec_get_partner(port);
+ if (partner) {
+ typec_partner_unlink_device(partner, dev);
+ put_device(&partner->dev);
+@@ -2074,6 +2083,7 @@ static void typec_partner_deattach(struc
+ port->usb2_dev = NULL;
+ else if (port->usb3_dev == dev)
+ port->usb3_dev = NULL;
++ mutex_unlock(&port->partner_link_lock);
+ }
+
+ /**
+@@ -2614,6 +2624,7 @@ struct typec_port *typec_register_port(s
+
+ ida_init(&port->mode_ids);
+ mutex_init(&port->port_type_lock);
++ mutex_init(&port->partner_link_lock);
+
+ port->id = id;
+ port->ops = cap->ops;
+--- a/drivers/usb/typec/class.h
++++ b/drivers/usb/typec/class.h
+@@ -59,6 +59,7 @@ struct typec_port {
+ enum typec_port_type port_type;
+ enum usb_mode usb_mode;
+ struct mutex port_type_lock;
++ struct mutex partner_link_lock;
+
+ enum typec_orientation orientation;
+ struct typec_switch *sw;
diff --git a/queue-6.14/usb-typec-class-invalidate-usb-device-pointers-on-partner-unregistration.patch b/queue-6.14/usb-typec-class-invalidate-usb-device-pointers-on-partner-unregistration.patch
new file mode 100644
index 0000000000..0a41834d3e
--- /dev/null
+++ b/queue-6.14/usb-typec-class-invalidate-usb-device-pointers-on-partner-unregistration.patch
@@ -0,0 +1,43 @@
+From 66e1a887273c6b89f09bc11a40d0a71d5a081a8e Mon Sep 17 00:00:00 2001
+From: Andrei Kuchynski
+Date: Fri, 21 Mar 2025 14:37:27 +0000
+Subject: usb: typec: class: Invalidate USB device pointers on partner unregistration
+
+From: Andrei Kuchynski
+
+commit 66e1a887273c6b89f09bc11a40d0a71d5a081a8e upstream.
+
+To avoid using invalid USB device pointers after a Type-C partner
+disconnects, this patch clears the pointers upon partner unregistration.
+This ensures a clean state for future connections.
+
+Cc: stable@vger.kernel.org
+Fixes: 59de2a56d127 ("usb: typec: Link enumerated USB devices with Type-C partner")
+Signed-off-by: Andrei Kuchynski
+Reviewed-by: Heikki Krogerus
+Reviewed-by: Benson Leung
+Link: https://lore.kernel.org/r/20250321143728.4092417-3-akuchynski@chromium.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/class.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/typec/class.c
++++ b/drivers/usb/typec/class.c
+@@ -1086,10 +1086,14 @@ void typec_unregister_partner(struct typ
+ port = to_typec_port(partner->dev.parent);
+
+ mutex_lock(&port->partner_link_lock);
+- if (port->usb2_dev)
++ if (port->usb2_dev) {
+ typec_partner_unlink_device(partner, port->usb2_dev);
+- if (port->usb3_dev)
++ port->usb2_dev = NULL;
++ }
++ if (port->usb3_dev) {
+ typec_partner_unlink_device(partner, port->usb3_dev);
++ port->usb3_dev = NULL;
++ }
+
+ device_unregister(&partner->dev);
+ mutex_unlock(&port->partner_link_lock);
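Review bot: In the "Fix NULL pointer access" patch, `struct mutex partner_link_lock;` is added to struct typec_port in class.h without a comment, and the only statement of what it guards is in the commit message (the USB device pointers and the partner device registration). I would put that on the field itself, `struct mutex partner_link_lock; /* protects usb2_dev, usb3_dev and partner (un)registration */`, since typec_register_partner(), typec_unregister_partner(), typec_partner_attach() and typec_partner_deattach() all now depend on it. In typec_unregister_partner() the lock is also held across `device_unregister(&partner->dev)`; nothing visible in these hunks takes the lock again from that path, but a one-line comment saying the call is made under the lock on purpose would let the next reader check for re-entry. All four functions start or end outside the hunks shown.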
diff --git a/queue-6.14/usb-typec-class-unlocked-on-error-in-typec_register_partner.patch b/queue-6.14/usb-typec-class-unlocked-on-error-in-typec_register_partner.patch
new file mode 100644
index 0000000000..07204af631
--- /dev/null
+++ b/queue-6.14/usb-typec-class-unlocked-on-error-in-typec_register_partner.patch
@@ -0,0 +1,32 @@
+From 429a98abfc01d3d4378b7a00969437dc3e8f647c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 15 Apr 2025 13:45:08 +0300
+Subject: usb: typec: class: Unlocked on error in typec_register_partner()
+
+From: Dan Carpenter
+
+commit 429a98abfc01d3d4378b7a00969437dc3e8f647c upstream.
+
+We recently added some locking to this function but this error path
+was accidentally missed. Unlock before returning.
+
+Fixes: ec27386de23a ("usb: typec: class: Fix NULL pointer access")
+Cc: stable
+Signed-off-by: Dan Carpenter
+Reviewed-by: Heikki Krogerus
+Link: https://lore.kernel.org/r/Z_44tOtmml89wQcM@stanley.mountain
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/class.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/typec/class.c
++++ b/drivers/usb/typec/class.c
+@@ -1056,6 +1056,7 @@ struct typec_partner *typec_register_par
+ ret = device_register(&partner->dev);
+ if (ret) {
+ dev_err(&port->dev, "failed to register partner (%d)\n", ret);
++ mutex_unlock(&port->partner_link_lock);
+ put_device(&partner->dev);
+ return ERR_PTR(ret);
+ }
diff --git a/queue-6.14/usb-vli-disk-crashes-if-lpm-is-used.patch b/queue-6.14/usb-vli-disk-crashes-if-lpm-is-used.patch
new file mode 100644
index 0000000000..f136886b41
--- /dev/null
+++ b/queue-6.14/usb-vli-disk-crashes-if-lpm-is-used.patch
@@ -0,0 +1,31 @@
+From e00b39a4f3552c730f1e24c8d62c4a8c6aad4e5d Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Tue, 8 Apr 2025 15:57:46 +0200
+Subject: USB: VLI disk crashes if LPM is used
+
+From: Oliver Neukum
+
+commit e00b39a4f3552c730f1e24c8d62c4a8c6aad4e5d upstream.
+
+This device needs the NO_LPM quirk.
+
+Cc: stable
+Signed-off-by: Oliver Neukum
+Link: https://lore.kernel.org/r/20250408135800.792515-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/core/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -545,6 +545,9 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x2040, 0x7200), .driver_info =
+ USB_QUIRK_CONFIG_INTF_STRINGS },
+
++ /* VLI disk */
++ { USB_DEVICE(0x2109, 0x0711), .driver_info = USB_QUIRK_NO_LPM },
++
+ /* Raydium Touchscreen */
+ { USB_DEVICE(0x2386, 0x3114), .driver_info = USB_QUIRK_NO_LPM },
+
diff --git a/queue-6.14/usb-wdm-add-annotation.patch b/queue-6.14/usb-wdm-add-annotation.patch
new file mode 100644
index 0000000000..4eaaaff975
--- /dev/null
+++ b/queue-6.14/usb-wdm-add-annotation.patch
@@ -0,0 +1,31 @@
+From 73e9cc1ffd3650b12c4eb059dfdafd56e725ceda Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Tue, 1 Apr 2025 10:45:41 +0200
+Subject: USB: wdm: add annotation
+
+From: Oliver Neukum
+
+commit 73e9cc1ffd3650b12c4eb059dfdafd56e725ceda upstream.
+
+This is not understandable without a comment on endianness
+
+Fixes: afba937e540c9 ("USB: CDC WDM driver")
+Cc: stable
+Signed-off-by: Oliver Neukum
+Link: https://lore.kernel.org/r/20250401084749.175246-5-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/class/cdc-wdm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -909,7 +909,7 @@ static int wdm_wwan_port_tx(struct wwan_
+ req->bRequestType = (USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE);
+ req->bRequest = USB_CDC_SEND_ENCAPSULATED_COMMAND;
+ req->wValue = 0;
+- req->wIndex = desc->inum;
++ req->wIndex = desc->inum; /* already converted */
+ req->wLength = cpu_to_le16(skb->len);
+
+ skb_shinfo(skb)->destructor_arg = desc;
diff --git a/queue-6.14/usb-wdm-close-race-between-wdm_open-and-wdm_wwan_port_stop.patch b/queue-6.14/usb-wdm-close-race-between-wdm_open-and-wdm_wwan_port_stop.patch
new file mode 100644
index 0000000000..9143e2eaff
--- /dev/null
+++ b/queue-6.14/usb-wdm-close-race-between-wdm_open-and-wdm_wwan_port_stop.patch
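Review bot: The comment added in wdm_wwan_port_tx(), `/* already converted */`, does not say converted to what or where, which is the gap the commit message itself complains about. Because the following line uses `cpu_to_le16(skb->len)`, the field is presumably stored little-endian when the descriptor is set up, but that assignment is outside the hunk and should be confirmed first. If it holds, I would spell it out: `req->wIndex = desc->inum; /* desc->inum is already stored little-endian */`. wdm_wwan_port_tx() starts and ends outside the hunk.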
@@ -0,0 +1,44 @@
+From c1846ed4eb527bdfe6b3b7dd2c78e2af4bf98f4f Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Tue, 1 Apr 2025 10:45:39 +0200
+Subject: USB: wdm: close race between wdm_open and wdm_wwan_port_stop
+
+From: Oliver Neukum
+
+commit c1846ed4eb527bdfe6b3b7dd2c78e2af4bf98f4f upstream.
+
+Clearing WDM_WWAN_IN_USE must be the last action or
+we can open a chardev whose URBs are still poisoned
+
+Fixes: cac6fb015f71 ("usb: class: cdc-wdm: WWAN framework integration")
+Cc: stable
+Signed-off-by: Oliver Neukum
+Link: https://lore.kernel.org/r/20250401084749.175246-3-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/class/cdc-wdm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -726,7 +726,7 @@ static int wdm_open(struct inode *inode,
+ rv = -EBUSY;
+ goto out;
+ }
+-
++ smp_rmb(); /* ordered against wdm_wwan_port_stop() */
+ rv = usb_autopm_get_interface(desc->intf);
+ if (rv < 0) {
+ dev_err(&desc->intf->dev, "Error autopm - %d\n", rv);
+@@ -868,8 +868,10 @@ static void wdm_wwan_port_stop(struct ww
+ poison_urbs(desc);
+ desc->manage_power(desc->intf, 0);
+ clear_bit(WDM_READ, &desc->flags);
+- clear_bit(WDM_WWAN_IN_USE, &desc->flags);
+ unpoison_urbs(desc);
++ smp_wmb(); /* ordered against wdm_open() */
++ /* this must be last lest we open a poisoned device */
++ clear_bit(WDM_WWAN_IN_USE, &desc->flags);
+ }
+
+ static void wdm_wwan_port_tx_complete(struct urb *urb)
diff --git a/queue-6.14/usb-wdm-handle-io-errors-in-wdm_wwan_port_start.patch b/queue-6.14/usb-wdm-handle-io-errors-in-wdm_wwan_port_start.patch
new file mode 100644
index 0000000000..bbdd9342c2
--- /dev/null
+++ b/queue-6.14/usb-wdm-handle-io-errors-in-wdm_wwan_port_start.patch
@@ -0,0 +1,48 @@
+From 9697f5efcf5fdea65b8390b5eb81bebe746ceedc Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Tue, 1 Apr 2025 10:45:38 +0200
+Subject: USB: wdm: handle IO errors in wdm_wwan_port_start
+
+From: Oliver Neukum
+
+commit 9697f5efcf5fdea65b8390b5eb81bebe746ceedc upstream.
+
+In case submitting the URB fails we must undo
+what we've done so far.
+
+Fixes: cac6fb015f71 ("usb: class: cdc-wdm: WWAN framework integration")
+Cc: stable
+Signed-off-by: Oliver Neukum
+Link: https://lore.kernel.org/r/20250401084749.175246-2-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/class/cdc-wdm.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -829,6 +829,7 @@ static struct usb_class_driver wdm_class
+ static int wdm_wwan_port_start(struct wwan_port *port)
+ {
+ struct wdm_device *desc = wwan_port_get_drvdata(port);
++ int rv;
+
+ /* The interface is both exposed via the WWAN framework and as a
+ * legacy usbmisc chardev. If chardev is already open, just fail
+@@ -848,7 +849,15 @@ static int wdm_wwan_port_start(struct ww
+ wwan_port_txon(port);
+
+ /* Start getting events */
+- return usb_submit_urb(desc->validity, GFP_KERNEL);
++ rv = usb_submit_urb(desc->validity, GFP_KERNEL);
++ if (rv < 0) {
++ wwan_port_txoff(port);
++ desc->manage_power(desc->intf, 0);
++ /* this must be last lest we race with chardev open */
++ clear_bit(WDM_WWAN_IN_USE, &desc->flags);
++ }
++
++ return rv;
+ }
+
+ static void wdm_wwan_port_stop(struct wwan_port *port)
diff --git a/queue-6.14/usb-wdm-wdm_wwan_port_tx_complete-mutex-in-atomic-context.patch b/queue-6.14/usb-wdm-wdm_wwan_port_tx_complete-mutex-in-atomic-context.patch
new file mode 100644
index 0000000000..464028900a
--- /dev/null
+++ b/queue-6.14/usb-wdm-wdm_wwan_port_tx_complete-mutex-in-atomic-context.patch
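Review bot: The new error branch in wdm_wwan_port_start() clears WDM_WWAN_IN_USE with a plain `clear_bit()` and no barrier, although its comment gives the same reason ("this must be last lest we race with chardev open") for which the wdm_wwan_port_stop() change queued in this same commit places `smp_wmb(); /* ordered against wdm_open() */` before the clear. clear_bit() by itself does not order the preceding `wwan_port_txoff(port)` and `desc->manage_power(desc->intf, 0)` against the flag becoming visible, so the two teardown paths should match: add `smp_wmb(); /* ordered against wdm_open() */` directly before `clear_bit(WDM_WWAN_IN_USE, &desc->flags);`. Whether wdm_open() reads state written by those two calls is not visible in this hunk, so this needs confirming against the full function.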
@@ -0,0 +1,34 @@
+From 1fdc4dca350c0b8ada0b8ebf212504e1ad55e511 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Tue, 1 Apr 2025 10:45:40 +0200
+Subject: USB: wdm: wdm_wwan_port_tx_complete mutex in atomic context
+
+From: Oliver Neukum
+
+commit 1fdc4dca350c0b8ada0b8ebf212504e1ad55e511 upstream.
+
+wdm_wwan_port_tx_complete is called from a completion
+handler with irqs disabled and possible in IRQ context
+usb_autopm_put_interface can take a mutex.
+Hence usb_autopm_put_interface_async must be used.
+
+Fixes: cac6fb015f71 ("usb: class: cdc-wdm: WWAN framework integration")
+Cc: stable
+Signed-off-by: Oliver Neukum
+Link: https://lore.kernel.org/r/20250401084749.175246-4-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/class/cdc-wdm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -879,7 +879,7 @@ static void wdm_wwan_port_tx_complete(st
+ struct sk_buff *skb = urb->context;
+ struct wdm_device *desc = skb_shinfo(skb)->destructor_arg;
+
+- usb_autopm_put_interface(desc->intf);
++ usb_autopm_put_interface_async(desc->intf);
+ wwan_port_txon(desc->wwanp);
+ kfree_skb(skb);
+ }
diff --git a/queue-6.14/usb-xhci-fix-invalid-pointer-dereference-in-etron-workaround.patch b/queue-6.14/usb-xhci-fix-invalid-pointer-dereference-in-etron-workaround.patch
new file mode 100644
index 0000000000..3982f395c8
--- /dev/null
+++ b/queue-6.14/usb-xhci-fix-invalid-pointer-dereference-in-etron-workaround.patch
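Review bot: The context line `kfree_skb(skb);` at the end of wdm_wwan_port_tx_complete() runs in the same completion context that the commit message describes as having irqs disabled and possibly being IRQ context, and the change leaves it untouched. If that description holds, the skb free deserves the same scrutiny as the autopm put; `dev_kfree_skb_any(skb);` selects the safe path for whichever context the handler is in. At minimum a comment above the function, `/* URB completion handler: may run in IRQ context, must not sleep */`, would keep a later change from reintroducing a sleeping call.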
@@ -0,0 +1,46 @@
+From 1ea050da5562af9b930d17cbbe9632d30f5df43a Mon Sep 17 00:00:00 2001
+From: Michal Pecio
+Date: Thu, 10 Apr 2025 18:18:26 +0300
+Subject: usb: xhci: Fix invalid pointer dereference in Etron workaround
+
+From: Michal Pecio
+
+commit 1ea050da5562af9b930d17cbbe9632d30f5df43a upstream.
+
+This check is performed before prepare_transfer() and prepare_ring(), so
+enqueue can already point at the final link TRB of a segment. And indeed
+it will, some 0.4% of times this code is called.
+
+Then enqueue + 1 is an invalid pointer. It will crash the kernel right
+away or load some junk which may look like a link TRB and cause the real
+link TRB to be replaced with a NOOP. This wouldn't end well.
+
+Use a functionally equivalent test which doesn't dereference the pointer
+and always gives correct result.
+
+Something has crashed my machine twice in recent days while playing with
+an Etron HC, and a control transfer stress test ran for confirmation has
+just crashed it again. The same test passes with this patch applied.
+
+Fixes: 5e1c67abc930 ("xhci: Fix control transfer error on Etron xHCI host")
+Cc: stable@vger.kernel.org
+Signed-off-by: Michal Pecio
+Signed-off-by: Mathias Nyman
+Reviewed-by: Kuangyi Chiang
+Link: https://lore.kernel.org/r/20250410151828.2868740-5-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-ring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -3780,7 +3780,7 @@ int xhci_queue_ctrl_tx(struct xhci_hcd *
+ * enqueue a No Op TRB, this can prevent the Setup and Data Stage
+ * TRB to be breaked by the Link TRB.
+ */
+- if (trb_is_link(ep_ring->enqueue + 1)) {
++ if (last_trb_on_seg(ep_ring->enq_seg, ep_ring->enqueue + 1)) {
+ field = TRB_TYPE(TRB_TR_NOOP) | ep_ring->cycle_state;
+ queue_trb(xhci, ep_ring, false, 0, 0,
+ TRB_INTR_TARGET(0), field);
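Review bot: The replacement test in xhci_queue_ctrl_tx(), `last_trb_on_seg(ep_ring->enq_seg, ep_ring->enqueue + 1)`, is correct only because it never dereferences `enqueue + 1`, yet that constraint is recorded solely in the commit message; the block comment above the test still talks only about the Link TRB. I would add one line to that comment, `* Compare addresses only: enqueue may already be the segment's last TRB, so enqueue + 1 must not be dereferenced.`, so that a later cleanup does not turn the test back into a `trb_is_link()` call and bring back the out-of-bounds read. The function starts and ends outside the hunk.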
diff --git a/queue-6.14/xhci-limit-time-spent-with-xhc-interrupts-disabled-during-bus-resume.patch b/queue-6.14/xhci-limit-time-spent-with-xhc-interrupts-disabled-during-bus-resume.patch
new file mode 100644
index 0000000000..218e6a7583
--- /dev/null
+++ b/queue-6.14/xhci-limit-time-spent-with-xhc-interrupts-disabled-during-bus-resume.patch
@@ -0,0 +1,140 @@
+From bea5892d0ed274e03655223d1977cf59f9aff2f2 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Thu, 10 Apr 2025 18:18:27 +0300
+Subject: xhci: Limit time spent with xHC interrupts disabled during bus resume
+
+From: Mathias Nyman
+
+commit bea5892d0ed274e03655223d1977cf59f9aff2f2 upstream.
+
+Current xhci bus resume implementation prevents xHC host from generating
+interrupts during high-speed USB 2 and super-speed USB 3 bus resume.
+
+Only reason to disable interrupts during bus resume would be to prevent
+the interrupt handler from interfering with the resume process of USB 2
+ports.
+
+Host initiated resume of USB 2 ports is done in two stages.
+
+The xhci driver first transitions the port from 'U3' to 'Resume' state,
+then wait in Resume for 20ms, and finally moves port to U0 state.
+xhci driver can't prevent interrupts by keeping the xhci spinlock
+due to this 20ms sleep.
+
+Limit interrupt disabling to the USB 2 port resume case only.
+resuming USB 2 ports in bus resume is only done in special cases where
+USB 2 ports had to be forced to suspend during bus suspend.
+
+The current way of preventing interrupts by clearing the 'Interrupt
+Enable' (INTE) bit in USBCMD register won't prevent the Interrupter
+registers 'Interrupt Pending' (IP), 'Event Handler Busy' (EHB) and
+USBSTS register Event Interrupt (EINT) bits from being set.
+
+New interrupts can't be issued before those bits are properly clered.
+
+Disable interrupts by clearing the interrupter register 'Interrupt
+Enable' (IE) bit instead. This way IP, EHB and INTE won't be set
+before IE is enabled again and a new interrupt is triggered.
+
+Reported-by: Devyn Liu
+Closes: https://lore.kernel.org/linux-usb/b1a9e2d51b4d4ff7a304f77c5be8164e@huawei.com/
+Cc: stable@vger.kernel.org
+Tested-by: Devyn Liu
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20250410151828.2868740-6-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-hub.c | 30 ++++++++++++++++--------------
+ drivers/usb/host/xhci.c | 4 ++--
+ drivers/usb/host/xhci.h | 2 ++
+ 3 files changed, 20 insertions(+), 16 deletions(-)
+
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -1878,9 +1878,10 @@ int xhci_bus_resume(struct usb_hcd *hcd)
+ int max_ports, port_index;
+ int sret;
+ u32 next_state;
+- u32 temp, portsc;
++ u32 portsc;
+ struct xhci_hub *rhub;
+ struct xhci_port **ports;
++ bool disabled_irq = false;
+
+ rhub = xhci_get_rhub(hcd);
+ ports = rhub->ports;
+@@ -1896,17 +1897,20 @@ int xhci_bus_resume(struct usb_hcd *hcd)
+ return -ESHUTDOWN;
+ }
+
+- /* delay the irqs */
+- temp = readl(&xhci->op_regs->command);
+- temp &= ~CMD_EIE;
+- writel(temp, &xhci->op_regs->command);
+-
+ /* bus specific resume for ports we suspended at bus_suspend */
+- if (hcd->speed >= HCD_USB3)
++ if (hcd->speed >= HCD_USB3) {
+ next_state = XDEV_U0;
+- else
++ } else {
+ next_state = XDEV_RESUME;
+-
++ if (bus_state->bus_suspended) {
++ /*
++ * prevent port event interrupts from interfering
++ * with usb2 port resume process
++ */
++ xhci_disable_interrupter(xhci->interrupters[0]);
++ disabled_irq = true;
++ }
++ }
+ port_index = max_ports;
+ while (port_index--) {
+ portsc = readl(ports[port_index]->addr);
+@@ -1974,11 +1978,9 @@ int xhci_bus_resume(struct usb_hcd *hcd)
+ (void) readl(&xhci->op_regs->command);
+
+ bus_state->next_statechange = jiffies + msecs_to_jiffies(5);
+- /* re-enable irqs */
+- temp = readl(&xhci->op_regs->command);
+- temp |= CMD_EIE;
+- writel(temp, &xhci->op_regs->command);
+- temp = readl(&xhci->op_regs->command);
++ /* re-enable interrupter */
++ if (disabled_irq)
++ xhci_enable_interrupter(xhci->interrupters[0]);
+
+ spin_unlock_irqrestore(&xhci->lock, flags);
+ return 0;
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -322,7 +322,7 @@ static void xhci_zero_64b_regs(struct xh
+ xhci_info(xhci, "Fault detected\n");
+ }
+
+-static int xhci_enable_interrupter(struct xhci_interrupter *ir)
++int xhci_enable_interrupter(struct xhci_interrupter *ir)
+ {
+ u32 iman;
+
+@@ -335,7 +335,7 @@ static int xhci_enable_interrupter(struc
+ return 0;
+ }
+
+-static int xhci_disable_interrupter(struct xhci_interrupter *ir)
++int xhci_disable_interrupter(struct xhci_interrupter *ir)
+ {
+ u32 iman;
+
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1890,6 +1890,8 @@ int xhci_alloc_tt_info(struct xhci_hcd *
+ struct usb_tt *tt, gfp_t mem_flags);
+ int xhci_set_interrupter_moderation(struct xhci_interrupter *ir,
+ u32 imod_interval);
++int xhci_enable_interrupter(struct xhci_interrupter *ir);
++int xhci_disable_interrupter(struct xhci_interrupter *ir);
+
+ /* xHCI ring, segment, TRB, and TD functions */
+ dma_addr_t xhci_trb_virt_to_dma(struct xhci_segment *seg, union xhci_trb *trb);
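Review bot: In xhci_bus_resume() the results of `xhci_disable_interrupter(xhci->interrupters[0])` and `xhci_enable_interrupter(xhci->interrupters[0])` are discarded, and `disabled_irq = true` is set whether or not the disable took effect. Both helpers return int and are now declared in xhci.h; only their `return 0` tail is visible in the xhci.c hunks, so whether they can fail is an assumption to confirm, but if they can, the flag should follow the result: `disabled_irq = !xhci_disable_interrupter(xhci->interrupters[0]);`. The two new prototypes in xhci.h would also benefit from a one-line comment saying that they toggle the interrupter's own enable bit and what locking the caller is expected to hold, since the re-enable here is issued before `spin_unlock_irqrestore(&xhci->lock, flags)`. xhci_bus_resume() starts and ends outside the hunks.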