From: Greg Kroah-Hartman Date: Mon, 18 Oct 2021 10:01:56 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.14.252~28 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b6217f437cf0e82a8a6806193abb37629089ed2a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: cb710-avoid-null-pointer-subtraction.patch edac-armada-xp-fix-output-of-uncorrectable-error-counter.patch efi-change-down_interruptible-in-virt_efi_reset_system-to-down_trylock.patch efi-cper-use-stack-buffer-for-error-record-decoding.patch input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch mei-me-add-ice-lake-n-device-id.patch nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch usb-musb-dsps-fix-the-probe-error-path.patch usb-serial-option-add-prod.-id-for-quectel-eg91.patch usb-serial-option-add-quectel-ec200s-cn-module-support.patch usb-serial-option-add-telit-le910cx-composition-0x1204.patch usb-serial-qcserial-add-em9191-qdl-support.patch virtio-write-back-f_version_1-before-validate.patch xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch xhci-fix-command-ring-pointer-corruption-while-aborting-a-command.patch xhci-guard-accesses-to-ep_state-in-xhci_endpoint_reset.patch
---
diff --git a/queue-5.4/cb710-avoid-null-pointer-subtraction.patch b/queue-5.4/cb710-avoid-null-pointer-subtraction.patch
new file mode 100644
index 00000000000..d10fa1d6b28
--- /dev/null
+++ b/queue-5.4/cb710-avoid-null-pointer-subtraction.patch
@@ -0,0 +1,37 @@
+From 42641042c10c757fe10cc09088cf3f436cec5007 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Mon, 27 Sep 2021 14:13:57 +0200
+Subject: cb710: avoid NULL pointer subtraction
+
+From: Arnd Bergmann
+
+commit 42641042c10c757fe10cc09088cf3f436cec5007 upstream.
+
+clang-14 complains about an unusual way of converting a pointer to
+an integer:
+
+drivers/misc/cb710/sgbuf2.c:50:15: error: performing pointer subtraction with a null pointer has undefined behavior [-Werror,-Wnull-pointer-subtraction]
+ return ((ptr - NULL) & 3) != 0;
+
+Replace this with a normal cast to uintptr_t.
+
+Fixes: 5f5bac8272be ("mmc: Driver for CB710/720 memory card reader (MMC part)")
+Cc: stable
+Signed-off-by: Arnd Bergmann
+Link: https://lore.kernel.org/r/20210927121408.939246-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/cb710/sgbuf2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/cb710/sgbuf2.c
++++ b/drivers/misc/cb710/sgbuf2.c
+@@ -47,7 +47,7 @@ static inline bool needs_unaligned_copy(
+ #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+ return false;
+ #else
+- return ((ptr - NULL) & 3) != 0;
++ return ((uintptr_t)ptr & 3) != 0;
+ #endif
+ }
+
diff --git a/queue-5.4/edac-armada-xp-fix-output-of-uncorrectable-error-counter.patch b/queue-5.4/edac-armada-xp-fix-output-of-uncorrectable-error-counter.patch
new file mode 100644
index 00000000000..45cb6b484f0
--- /dev/null
+++ b/queue-5.4/edac-armada-xp-fix-output-of-uncorrectable-error-counter.patch
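Review bot: The mask in `return ((uintptr_t)ptr & 3) != 0;` still encodes the 4-byte alignment requirement as a bare literal; the kernel's `IS_ALIGNED()` helper states it directly and keeps the pointer-to-integer cast in one obvious place. Suggested form: `return !IS_ALIGNED((uintptr_t)ptr, 4);`. The body of needs_unaligned_copy starts outside the hunk, so the declared type of `ptr` is not visible here.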
@@ -0,0 +1,39 @@
+From d9b7748ffc45250b4d7bcf22404383229bc495f5 Mon Sep 17 00:00:00 2001
+From: Hans Potsch
+Date: Wed, 6 Oct 2021 14:13:32 +0200
+Subject: EDAC/armada-xp: Fix output of uncorrectable error counter
+
+From: Hans Potsch
+
+commit d9b7748ffc45250b4d7bcf22404383229bc495f5 upstream.
+
+The number of correctable errors is displayed as uncorrectable
+errors because the "SBE" error count is passed to both calls of
+edac_mc_handle_error().
+
+Pass the correct uncorrectable error count to the second
+edac_mc_handle_error() call when logging uncorrectable errors.
+
+ [ bp: Massage commit message. ]
+
+Fixes: 7f6998a41257 ("ARM: 8888/1: EDAC: Add driver for the Marvell Armada XP SDRAM and L2 cache ECC")
+Signed-off-by: Hans Potsch
+Signed-off-by: Borislav Petkov
+Cc:
+Link: https://lkml.kernel.org/r/20211006121332.58788-1-hans.potsch@nokia.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/edac/armada_xp_edac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/armada_xp_edac.c
++++ b/drivers/edac/armada_xp_edac.c
+@@ -178,7 +178,7 @@ static void axp_mc_check(struct mem_ctl_
+ "details unavailable (multiple errors)");
+ if (cnt_dbe)
+ edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci,
+- cnt_sbe, /* error count */
++ cnt_dbe, /* error count */
+ 0, 0, 0, /* pfn, offset, syndrome */
+ -1, -1, -1, /* top, mid, low layer */
+ mci->ctl_name,
diff --git a/queue-5.4/efi-change-down_interruptible-in-virt_efi_reset_system-to-down_trylock.patch b/queue-5.4/efi-change-down_interruptible-in-virt_efi_reset_system-to-down_trylock.patch
new file mode 100644
index 00000000000..d9ec1d88222
--- /dev/null
+++ b/queue-5.4/efi-change-down_interruptible-in-virt_efi_reset_system-to-down_trylock.patch
@@ -0,0 +1,67 @@
+From 38fa3206bf441911258e5001ac8b6738693f8d82 Mon Sep 17 00:00:00 2001
+From: Zhang Jianhua
+Date: Thu, 23 Sep 2021 10:53:40 +0800
+Subject: efi: Change down_interruptible() in virt_efi_reset_system() to down_trylock()
+
+From: Zhang Jianhua
+
+commit 38fa3206bf441911258e5001ac8b6738693f8d82 upstream.
+
+While reboot the system by sysrq, the following bug will be occur.
+
+BUG: sleeping function called from invalid context at kernel/locking/semaphore.c:90
+in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 10052, name: rc.shutdown
+CPU: 3 PID: 10052 Comm: rc.shutdown Tainted: G W O 5.10.0 #1
+Call trace:
+ dump_backtrace+0x0/0x1c8
+ show_stack+0x18/0x28
+ dump_stack+0xd0/0x110
+ ___might_sleep+0x14c/0x160
+ __might_sleep+0x74/0x88
+ down_interruptible+0x40/0x118
+ virt_efi_reset_system+0x3c/0xd0
+ efi_reboot+0xd4/0x11c
+ machine_restart+0x60/0x9c
+ emergency_restart+0x1c/0x2c
+ sysrq_handle_reboot+0x1c/0x2c
+ __handle_sysrq+0xd0/0x194
+ write_sysrq_trigger+0xbc/0xe4
+ proc_reg_write+0xd4/0xf0
+ vfs_write+0xa8/0x148
+ ksys_write+0x6c/0xd8
+ __arm64_sys_write+0x18/0x28
+ el0_svc_common.constprop.3+0xe4/0x16c
+ do_el0_svc+0x1c/0x2c
+ el0_svc+0x20/0x30
+ el0_sync_handler+0x80/0x17c
+ el0_sync+0x158/0x180
+
+The reason for this problem is that irq has been disabled in
+machine_restart() and then it calls down_interruptible() in
+virt_efi_reset_system(), which would occur sleep in irq context,
+it is dangerous! Commit 99409b935c9a("locking/semaphore: Add
+might_sleep() to down_*() family") add might_sleep() in
+down_interruptible(), so the bug info is here. down_trylock()
+can solve this problem, cause there is no might_sleep.
+
+--------
+
+Cc:
+Signed-off-by: Zhang Jianhua
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/efi/runtime-wrappers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/efi/runtime-wrappers.c
++++ b/drivers/firmware/efi/runtime-wrappers.c
+@@ -414,7 +414,7 @@ static void virt_efi_reset_system(int re
+ unsigned long data_size,
+ efi_char16_t *data)
+ {
+- if (down_interruptible(&efi_runtime_lock)) {
++ if (down_trylock(&efi_runtime_lock)) {
+ pr_warn("failed to invoke the reset_system() runtime service:\n"
+ "could not get exclusive access to the firmware\n");
+ return;
diff --git a/queue-5.4/efi-cper-use-stack-buffer-for-error-record-decoding.patch b/queue-5.4/efi-cper-use-stack-buffer-for-error-record-decoding.patch
new file mode 100644
index 00000000000..fcb7c6b0307
--- /dev/null
+++ b/queue-5.4/efi-cper-use-stack-buffer-for-error-record-decoding.patch
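Review bot: The `down_trylock()` call carries no comment explaining why the acquire must be non-blocking, and the commit message is the only place that records it, so a later cleanup could plausibly restore a sleeping variant. Proposed comment above the `if`: `/* Reached with IRQs disabled on the restart path; must not sleep. */`. Under contention the reset is now abandoned at once with only the `pr_warn()` as evidence, so whatever the caller does next is the effective fallback; that code is outside this hunk. The body of virt_efi_reset_system continues past the last line shown.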
@@ -0,0 +1,50 @@
+From b3a72ca80351917cc23f9e24c35f3c3979d3c121 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Wed, 1 Sep 2021 08:33:19 +0200
+Subject: efi/cper: use stack buffer for error record decoding
+
+From: Ard Biesheuvel
+
+commit b3a72ca80351917cc23f9e24c35f3c3979d3c121 upstream.
+
+Joe reports that using a statically allocated buffer for converting CPER
+error records into human readable text is probably a bad idea. Even
+though we are not aware of any actual issues, a stack buffer is clearly
+a better choice here anyway, so let's move the buffer into the stack
+frames of the two functions that refer to it.
+
+Cc:
+Reported-by: Joe Perches
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/efi/cper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/firmware/efi/cper.c
++++ b/drivers/firmware/efi/cper.c
+@@ -25,8 +25,6 @@
+ #include
+ #include
+
+-static char rcd_decode_str[CPER_REC_LEN];
+-
+ /*
+ * CPER record ID need to be unique even after reboot, because record
+ * ID is used as index for ERST storage, while CPER records from
+@@ -299,6 +297,7 @@ const char *cper_mem_err_unpack(struct t
+ struct cper_mem_err_compact *cmem)
+ {
+ const char *ret = trace_seq_buffer_ptr(p);
++ char rcd_decode_str[CPER_REC_LEN];
+
+ if (cper_mem_err_location(cmem, rcd_decode_str))
+ trace_seq_printf(p, "%s", rcd_decode_str);
+@@ -313,6 +312,7 @@ static void cper_print_mem(const char *p
+ int len)
+ {
+ struct cper_mem_err_compact cmem;
++ char rcd_decode_str[CPER_REC_LEN];
+
+ /* Don't trust UEFI 2.1/2.2 structure with bad validation bits */
+ if (len == sizeof(struct cper_sec_mem_err_old) &&
diff --git a/queue-5.4/input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch b/queue-5.4/input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch
new file mode 100644
index 00000000000..015eeed92f2
--- /dev/null
+++ b/queue-5.4/input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch
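Review bot: The new stack buffer in cper_mem_err_unpack is handed to `cper_mem_err_location(cmem, rcd_decode_str)` without a length, so the bound on what the callee writes is an implicit CPER_REC_LEN contract; with the buffer now in the caller's frame, an overrun there would damage the stack rather than static data. The callee is outside the hunk, so this is inferred: confirm that it formats with a size-bounded helper limited to CPER_REC_LEN. A comment at each declaration would record the contract, for example `/* cper_mem_err_location() must write at most CPER_REC_LEN bytes */`. The use of the second buffer, in cper_print_mem, lies past the end of its hunk, and both function bodies continue outside the lines shown.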
@@ -0,0 +1,39 @@
+From 3378a07daa6cdd11e042797454c706d1c69f9ca6 Mon Sep 17 00:00:00 2001
+From: Michael Cullen
+Date: Fri, 15 Oct 2021 13:17:50 -0700
+Subject: Input: xpad - add support for another USB ID of Nacon GC-100
+
+From: Michael Cullen
+
+commit 3378a07daa6cdd11e042797454c706d1c69f9ca6 upstream.
+
+The Nacon GX100XF is already mapped, but it seems there is a Nacon
+GC-100 (identified as NC5136Wht PCGC-100WHITE though I believe other
+colours exist) with a different USB ID when in XInput mode.
+
+Signed-off-by: Michael Cullen
+Link: https://lore.kernel.org/r/20211015192051.5196-1-michael@michaelcullen.name
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/joystick/xpad.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -331,6 +331,7 @@ static const struct xpad_device {
+ { 0x24c6, 0x5b03, "Thrustmaster Ferrari 458 Racing Wheel", 0, XTYPE_XBOX360 },
+ { 0x24c6, 0x5d04, "Razer Sabertooth", 0, XTYPE_XBOX360 },
+ { 0x24c6, 0xfafe, "Rock Candy Gamepad for Xbox 360", 0, XTYPE_XBOX360 },
++ { 0x3285, 0x0607, "Nacon GC-100", 0, XTYPE_XBOX360 },
+ { 0x3767, 0x0101, "Fanatec Speedster 3 Forceshock Wheel", 0, XTYPE_XBOX },
+ { 0xffff, 0xffff, "Chinese-made Xbox Controller", 0, XTYPE_XBOX },
+ { 0x0000, 0x0000, "Generic X-Box pad", 0, XTYPE_UNKNOWN }
+@@ -447,6 +448,7 @@ static const struct usb_device_id xpad_t
+ XPAD_XBOXONE_VENDOR(0x24c6), /* PowerA Controllers */
+ XPAD_XBOXONE_VENDOR(0x2e24), /* Hyperkin Duke X-Box One pad */
+ XPAD_XBOX360_VENDOR(0x2f24), /* GameSir Controllers */
++ XPAD_XBOX360_VENDOR(0x3285), /* Nacon GC-100 */
+ { }
+ };
+
diff --git a/queue-5.4/mei-me-add-ice-lake-n-device-id.patch b/queue-5.4/mei-me-add-ice-lake-n-device-id.patch
new file mode 100644
index 00000000000..11a8b501c1f
--- /dev/null
+++ b/queue-5.4/mei-me-add-ice-lake-n-device-id.patch
@@ -0,0 +1,44 @@
+From 75c10c5e7a715550afdd51ef8cfd1d975f48f9e1 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko
+Date: Fri, 1 Oct 2021 20:36:44 +0300
+Subject: mei: me: add Ice Lake-N device id.
+
+From: Andy Shevchenko
+
+commit 75c10c5e7a715550afdd51ef8cfd1d975f48f9e1 upstream.
+
+Add Ice Lake-N device ID.
+
+The device can be found on MacBookPro16,2 [1].
+
+[1]: https://linux-hardware.org/?probe=f1c5cf0c43
+
+Signed-off-by: Andy Shevchenko
+Cc: stable
+Link: https://lore.kernel.org/r/20211001173644.16068-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/mei/hw-me-regs.h | 1 +
+ drivers/misc/mei/pci-me.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -90,6 +90,7 @@
+ #define MEI_DEV_ID_CDF 0x18D3 /* Cedar Fork */
+
+ #define MEI_DEV_ID_ICP_LP 0x34E0 /* Ice Lake Point LP */
++#define MEI_DEV_ID_ICP_N 0x38E0 /* Ice Lake Point N */
+
+ #define MEI_DEV_ID_TGP_LP 0xA0E0 /* Tiger Lake Point LP */
+
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -103,6 +103,7 @@ static const struct pci_device_id mei_me
+ {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_H_3, MEI_ME_PCH8_CFG)},
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)},
++ {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_N, MEI_ME_PCH12_CFG)},
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_TGP_LP, MEI_ME_PCH12_CFG)},
+
diff --git a/queue-5.4/nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch b/queue-5.4/nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch
new file mode 100644
index 00000000000..f00d423a104
--- /dev/null
+++ b/queue-5.4/nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch
@@ -0,0 +1,85 @@
+From 5d388fa01fa6eb310ac023a363a6cb216d9d8fe9 Mon Sep 17 00:00:00 2001
+From: Stephen Boyd
+Date: Wed, 13 Oct 2021 13:45:11 +0100
+Subject: nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells
+
+From: Stephen Boyd
+
+commit 5d388fa01fa6eb310ac023a363a6cb216d9d8fe9 upstream.
+
+If a cell has 'nbits' equal to a multiple of BITS_PER_BYTE the logic
+
+ *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0);
+
+will become undefined behavior because nbits modulo BITS_PER_BYTE is 0, and we
+subtract one from that making a large number that is then shifted more than the
+number of bits that fit into an unsigned long.
+
+UBSAN reports this problem:
+
+ UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8
+ shift exponent 64 is too large for 64-bit type 'unsigned long'
+ CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9
+ Hardware name: Google Lazor (rev3+) with KB Backlight (DT)
+ Workqueue: events_unbound deferred_probe_work_func
+ Call trace:
+ dump_backtrace+0x0/0x170
+ show_stack+0x24/0x30
+ dump_stack_lvl+0x64/0x7c
+ dump_stack+0x18/0x38
+ ubsan_epilogue+0x10/0x54
+ __ubsan_handle_shift_out_of_bounds+0x180/0x194
+ __nvmem_cell_read+0x1ec/0x21c
+ nvmem_cell_read+0x58/0x94
+ nvmem_cell_read_variable_common+0x4c/0xb0
+ nvmem_cell_read_variable_le_u32+0x40/0x100
+ a6xx_gpu_init+0x170/0x2f4
+ adreno_bind+0x174/0x284
+ component_bind_all+0xf0/0x264
+ msm_drm_bind+0x1d8/0x7a0
+ try_to_bring_up_master+0x164/0x1ac
+ __component_add+0xbc/0x13c
+ component_add+0x20/0x2c
+ dp_display_probe+0x340/0x384
+ platform_probe+0xc0/0x100
+ really_probe+0x110/0x304
+ __driver_probe_device+0xb8/0x120
+ driver_probe_device+0x4c/0xfc
+ __device_attach_driver+0xb0/0x128
+ bus_for_each_drv+0x90/0xdc
+ __device_attach+0xc8/0x174
+ device_initial_probe+0x20/0x2c
+ bus_probe_device+0x40/0xa4
+ deferred_probe_work_func+0x7c/0xb8
+ process_one_work+0x128/0x21c
+ process_scheduled_works+0x40/0x54
+ worker_thread+0x1ec/0x2a8
+ kthread+0x138/0x158
+ ret_from_fork+0x10/0x20
+
+Fix it by making sure there are any bits to mask out.
+
+Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers")
+Cc: Douglas Anderson
+Cc: stable@vger.kernel.org
+Signed-off-by: Stephen Boyd
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20211013124511.18726-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvmem/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvmem/core.c
++++ b/drivers/nvmem/core.c
+@@ -954,7 +954,8 @@ static void nvmem_shift_read_buffer_in_p
+ *p-- = 0;
+
+ /* clear msb bits if any leftover in the last byte */
+- *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0);
++ if (cell->nbits % BITS_PER_BYTE)
++ *p &= GENMASK((cell->nbits % BITS_PER_BYTE) - 1, 0);
+ }
+
+ static int __nvmem_cell_read(struct nvmem_device *nvmem,
diff --git a/queue-5.4/series b/queue-5.4/series
index 3cb65893fbf..439d42b1972 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
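Review bot: The added guard and the mask each recompute `cell->nbits % BITS_PER_BYTE`, so the test and the shift count have to be kept in sync by hand. Computing the remainder once makes it plain that the value checked is the value used: `rem = cell->nbits % BITS_PER_BYTE;` followed by `if (rem) *p &= GENMASK(rem - 1, 0);`. The function starts outside the hunk, so the declaration of `rem` would go with its other locals there.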
@@ -15,3 +15,19 @@ btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch
 btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch
 watchdog-orion-use-0-for-unset-heartbeat.patch
 x86-resctrl-free-the-ctrlval-arrays-when-domain_setup_mon_state-fails.patch
+mei-me-add-ice-lake-n-device-id.patch
+xhci-guard-accesses-to-ep_state-in-xhci_endpoint_reset.patch
+xhci-fix-command-ring-pointer-corruption-while-aborting-a-command.patch
+xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch
+cb710-avoid-null-pointer-subtraction.patch
+efi-cper-use-stack-buffer-for-error-record-decoding.patch
+efi-change-down_interruptible-in-virt_efi_reset_system-to-down_trylock.patch
+usb-musb-dsps-fix-the-probe-error-path.patch
+input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch
+usb-serial-qcserial-add-em9191-qdl-support.patch
+usb-serial-option-add-quectel-ec200s-cn-module-support.patch
+usb-serial-option-add-telit-le910cx-composition-0x1204.patch
+usb-serial-option-add-prod.-id-for-quectel-eg91.patch
+virtio-write-back-f_version_1-before-validate.patch
+edac-armada-xp-fix-output-of-uncorrectable-error-counter.patch
+nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch
diff --git a/queue-5.4/usb-musb-dsps-fix-the-probe-error-path.patch b/queue-5.4/usb-musb-dsps-fix-the-probe-error-path.patch
new file mode 100644
index 00000000000..97330ec2355
--- /dev/null
+++ b/queue-5.4/usb-musb-dsps-fix-the-probe-error-path.patch
@@ -0,0 +1,65 @@
+From c2115b2b16421d93d4993f3fe4c520e91d6fe801 Mon Sep 17 00:00:00 2001
+From: Miquel Raynal
+Date: Wed, 6 Oct 2021 00:16:31 +0200
+Subject: usb: musb: dsps: Fix the probe error path
+
+From: Miquel Raynal
+
+commit c2115b2b16421d93d4993f3fe4c520e91d6fe801 upstream.
+
+Commit 7c75bde329d7 ("usb: musb: musb_dsps: request_irq() after
+initializing musb") has inverted the calls to
+dsps_setup_optional_vbus_irq() and dsps_create_musb_pdev() without
+updating correctly the error path. dsps_create_musb_pdev() allocates and
+registers a new platform device which must be unregistered and freed
+with platform_device_unregister(), and this is missing upon
+dsps_setup_optional_vbus_irq() error.
+
+While on the master branch it seems not to trigger any issue, I observed
+a kernel crash because of a NULL pointer dereference with a v5.10.70
+stable kernel where the patch mentioned above was backported. With this
+kernel version, -EPROBE_DEFER is returned the first time
+dsps_setup_optional_vbus_irq() is called which triggers the probe to
+error out without unregistering the platform device. Unfortunately, on
+the Beagle Bone Black Wireless, the platform device still living in the
+system is being used by the USB Ethernet gadget driver, which during the
+boot phase triggers the crash.
+
+My limited knowledge of the musb world prevents me to revert this commit
+which was sent to silence a robot warning which, as far as I understand,
+does not make sense. The goal of this patch was to prevent an IRQ to
+fire before the platform device being registered. I think this cannot
+ever happen due to the fact that enabling the interrupts is done by the
+->enable() callback of the platform musb device, and this platform
+device must be already registered in order for the core or any other
+user to use this callback.
+
+Hence, I decided to fix the error path, which might prevent future
+errors on mainline kernels while also fixing older ones.
+
+Fixes: 7c75bde329d7 ("usb: musb: musb_dsps: request_irq() after initializing musb")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/r/20211005221631.1529448-1-miquel.raynal@bootlin.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/musb/musb_dsps.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/musb/musb_dsps.c
++++ b/drivers/usb/musb/musb_dsps.c
+@@ -899,11 +899,13 @@ static int dsps_probe(struct platform_de
+ if (usb_get_dr_mode(&pdev->dev) == USB_DR_MODE_PERIPHERAL) {
+ ret = dsps_setup_optional_vbus_irq(pdev, glue);
+ if (ret)
+- goto err;
++ goto unregister_pdev;
+ }
+
+ return 0;
+
++unregister_pdev:
++ platform_device_unregister(glue->musb);
+ err:
+ pm_runtime_disable(&pdev->dev);
+ iounmap(glue->usbss_base);
diff --git a/queue-5.4/usb-serial-option-add-prod.-id-for-quectel-eg91.patch b/queue-5.4/usb-serial-option-add-prod.-id-for-quectel-eg91.patch
new file mode 100644
index 00000000000..c35f870bee4
--- /dev/null
+++ b/queue-5.4/usb-serial-option-add-prod.-id-for-quectel-eg91.patch
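Review bot: Nothing at the new `unregister_pdev:` label says that it must stay directly above `err:` and that every failure after dsps_create_musb_pdev() has to enter through it, although the commit message describes exactly that ordering mistake as the cause of the crash. A one-line comment above the label would guard against a repeat, for example `/* failures after dsps_create_musb_pdev() must unwind from here */`. dsps_probe starts and ends outside the hunk, so whether any other late `goto err` remains cannot be checked from these lines.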
@@ -0,0 +1,62 @@
+From c184accc4a42c7872dc8e8d0fc97a740dc61fe24 Mon Sep 17 00:00:00 2001
+From: Tomaz Solc
+Date: Wed, 6 Oct 2021 14:57:50 +0200
+Subject: USB: serial: option: add prod. id for Quectel EG91
+
+From: Tomaz Solc
+
+commit c184accc4a42c7872dc8e8d0fc97a740dc61fe24 upstream.
+
+Adding support for Quectel EG91 LTE module.
+
+The interface layout is same as for EG95.
+
+usb-devices output:
+T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=2c7c ProdID=0191 Rev=03.18
+S: Manufacturer=Android
+S: Product=Android
+C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+I: If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+
+Interfaces:
+
+0: Diag
+1: GNSS
+2: AT-command interface/modem
+3: Modem
+4: QMI
+
+Signed-off-by: Tomaz Solc
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/option.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -246,6 +246,7 @@ static void option_instat_callback(struc
+ /* These Quectel products use Quectel's vendor ID */
+ #define QUECTEL_PRODUCT_EC21 0x0121
+ #define QUECTEL_PRODUCT_EC25 0x0125
++#define QUECTEL_PRODUCT_EG91 0x0191
+ #define QUECTEL_PRODUCT_EG95 0x0195
+ #define QUECTEL_PRODUCT_BG96 0x0296
+ #define QUECTEL_PRODUCT_EP06 0x0306
+@@ -1112,6 +1113,9 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25, 0xff, 0xff, 0xff),
+ .driver_info = NUMEP2 },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25, 0xff, 0, 0) },
++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG91, 0xff, 0xff, 0xff),
++ .driver_info = NUMEP2 },
++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG91, 0xff, 0, 0) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG95, 0xff, 0xff, 0xff),
+ .driver_info = NUMEP2 },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG95, 0xff, 0, 0) },
diff --git a/queue-5.4/usb-serial-option-add-quectel-ec200s-cn-module-support.patch b/queue-5.4/usb-serial-option-add-quectel-ec200s-cn-module-support.patch
new file mode 100644
index 00000000000..01643bd0332
--- /dev/null
+++ b/queue-5.4/usb-serial-option-add-quectel-ec200s-cn-module-support.patch
@@ -0,0 +1,52 @@
+From 2263eb7370060bdb0013bc14e1a7c9bf33617a55 Mon Sep 17 00:00:00 2001
+From: Yu-Tung Chang
+Date: Thu, 30 Sep 2021 10:11:12 +0800
+Subject: USB: serial: option: add Quectel EC200S-CN module support
+
+From: Yu-Tung Chang
+
+commit 2263eb7370060bdb0013bc14e1a7c9bf33617a55 upstream.
+
+Add usb product id of the Quectel EC200S-CN module.
+
+usb-devices output for 0x6002:
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=2c7c ProdID=6002 Rev=03.18
+S: Manufacturer=Android
+S: Product=Android
+S: SerialNumber=0000
+C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
+I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
+I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
+I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+
+Signed-off-by: Yu-Tung Chang
+Link: https://lore.kernel.org/r/20210930021112.330396-1-mtwget@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -251,6 +251,7 @@ static void option_instat_callback(struc
+ #define QUECTEL_PRODUCT_EP06 0x0306
+ #define QUECTEL_PRODUCT_EM12 0x0512
+ #define QUECTEL_PRODUCT_RM500Q 0x0800
++#define QUECTEL_PRODUCT_EC200S_CN 0x6002
+ #define QUECTEL_PRODUCT_EC200T 0x6026
+
+ #define CMOTECH_VENDOR_ID 0x16d8
+@@ -1128,6 +1129,7 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0, 0) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0xff, 0x10),
+ .driver_info = ZLP },
++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200S_CN, 0xff, 0, 0) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200T, 0xff, 0, 0) },
+
+ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
diff --git a/queue-5.4/usb-serial-option-add-telit-le910cx-composition-0x1204.patch b/queue-5.4/usb-serial-option-add-telit-le910cx-composition-0x1204.patch
new file mode 100644
index 00000000000..142085857c7
--- /dev/null
+++ b/queue-5.4/usb-serial-option-add-telit-le910cx-composition-0x1204.patch
@@ -0,0 +1,33 @@
+From f5a8a07edafed8bede17a95ef8940fe3a57a77d5 Mon Sep 17 00:00:00 2001
+From: Daniele Palmas
+Date: Mon, 4 Oct 2021 12:56:55 +0200
+Subject: USB: serial: option: add Telit LE910Cx composition 0x1204
+
+From: Daniele Palmas
+
+commit f5a8a07edafed8bede17a95ef8940fe3a57a77d5 upstream.
+
+Add the following Telit LE910Cx composition:
+
+0x1204: tty, adb, mbim, tty, tty, tty, tty
+
+Signed-off-by: Daniele Palmas
+Link: https://lore.kernel.org/r/20211004105655.8515-1-dnlplm@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1229,6 +1229,8 @@ static const struct usb_device_id option
+ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1203, 0xff), /* Telit LE910Cx (RNDIS) */
+ .driver_info = NCTRL(2) | RSVD(3) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1204, 0xff), /* Telit LE910Cx (MBIM) */
++ .driver_info = NCTRL(0) | RSVD(1) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
+ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920),
diff --git a/queue-5.4/usb-serial-qcserial-add-em9191-qdl-support.patch b/queue-5.4/usb-serial-qcserial-add-em9191-qdl-support.patch
new file mode 100644
index 00000000000..e6b1001e166
--- /dev/null
+++ b/queue-5.4/usb-serial-qcserial-add-em9191-qdl-support.patch
@@ -0,0 +1,40 @@
+From 11c52d250b34a0862edc29db03fbec23b30db6da Mon Sep 17 00:00:00 2001
+From: Aleksander Morgado
+Date: Thu, 7 Oct 2021 14:25:01 +0200
+Subject: USB: serial: qcserial: add EM9191 QDL support
+
+From: Aleksander Morgado
+
+commit 11c52d250b34a0862edc29db03fbec23b30db6da upstream.
+
+When the module boots into QDL download mode it exposes the 1199:90d2
+ids, which can be mapped to the qcserial driver, and used to run
+firmware upgrades (e.g. with the qmi-firmware-update program).
+
+ T: Bus=01 Lev=03 Prnt=08 Port=03 Cnt=01 Dev#= 10 Spd=480 MxCh= 0
+ D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+ P: Vendor=1199 ProdID=90d2 Rev=00.00
+ S: Manufacturer=Sierra Wireless, Incorporated
+ S: Product=Sierra Wireless EM9191
+ S: SerialNumber=8W0382004102A109
+ C: #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=2mA
+ I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=10 Driver=qcserial
+
+Signed-off-by: Aleksander Morgado
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/qcserial.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -165,6 +165,7 @@ static const struct usb_device_id id_tab
+ {DEVICE_SWI(0x1199, 0x907b)}, /* Sierra Wireless EM74xx */
+ {DEVICE_SWI(0x1199, 0x9090)}, /* Sierra Wireless EM7565 QDL */
+ {DEVICE_SWI(0x1199, 0x9091)}, /* Sierra Wireless EM7565 */
++ {DEVICE_SWI(0x1199, 0x90d2)}, /* Sierra Wireless EM9191 QDL */
+ {DEVICE_SWI(0x413c, 0x81a2)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */
+ {DEVICE_SWI(0x413c, 0x81a3)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */
+ {DEVICE_SWI(0x413c, 0x81a4)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
diff --git a/queue-5.4/virtio-write-back-f_version_1-before-validate.patch b/queue-5.4/virtio-write-back-f_version_1-before-validate.patch
new file mode 100644
index 00000000000..9000da86d8f
--- /dev/null
+++ b/queue-5.4/virtio-write-back-f_version_1-before-validate.patch
@@ -0,0 +1,80 @@
+From 2f9a174f918e29608564c7a4e8329893ab604fb4 Mon Sep 17 00:00:00 2001
+From: Halil Pasic
+Date: Mon, 11 Oct 2021 07:39:21 +0200
+Subject: virtio: write back F_VERSION_1 before validate
+
+From: Halil Pasic
+
+commit 2f9a174f918e29608564c7a4e8329893ab604fb4 upstream.
+
+The virtio specification virtio-v1.1-cs01 states: "Transitional devices
+MUST detect Legacy drivers by detecting that VIRTIO_F_VERSION_1 has not
+been acknowledged by the driver." This is exactly what QEMU as of 6.1
+has done relying solely on VIRTIO_F_VERSION_1 for detecting that.
+
+However, the specification also says: "... the driver MAY read (but MUST
+NOT write) the device-specific configuration fields to check that it can
+support the device ..." before setting FEATURES_OK.
+
+In that case, any transitional device relying solely on
+VIRTIO_F_VERSION_1 for detecting legacy drivers will return data in
+legacy format. In particular, this implies that it is in big endian
+format for big endian guests. This naturally confuses the driver which
+expects little endian in the modern mode.
+
+It is probably a good idea to amend the spec to clarify that
+VIRTIO_F_VERSION_1 can only be relied on after the feature negotiation
+is complete. Before validate callback existed, config space was only
+read after FEATURES_OK. However, we already have two regressions, so
+let's address this here as well.
+
+The regressions affect the VIRTIO_NET_F_MTU feature of virtio-net and
+the VIRTIO_BLK_F_BLK_SIZE feature of virtio-blk for BE guests when
+virtio 1.0 is used on both sides. The latter renders virtio-blk unusable
+with DASD backing, because things simply don't work with the default.
+See Fixes tags for relevant commits.
+
+For QEMU, we can work around the issue by writing out the feature bits
+with VIRTIO_F_VERSION_1 bit set. We (ab)use the finalize_features
+config op for this. This isn't enough to address all vhost devices since
+these do not get the features until FEATURES_OK, however it looks like
+the affected devices actually never handled the endianness for legacy
+mode correctly, so at least that's not a regression.
+
+No devices except virtio net and virtio blk seem to be affected.
+
+Long term the right thing to do is to fix the hypervisors.
+
+Cc: #v4.11
+Signed-off-by: Halil Pasic
+Fixes: 82e89ea077b9 ("virtio-blk: Add validation for block size in config space")
+Fixes: fe36cbe0671e ("virtio_net: clear MTU when out of range")
+Reported-by: markver@us.ibm.com
+Reviewed-by: Cornelia Huck
+Link: https://lore.kernel.org/r/20211011053921.1198936-1-pasic@linux.ibm.com
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/virtio/virtio.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/virtio/virtio.c
++++ b/drivers/virtio/virtio.c
+@@ -225,6 +225,17 @@ static int virtio_dev_probe(struct devic
+ driver_features_legacy = driver_features;
+ }
+
++ /*
++ * Some devices detect legacy solely via F_VERSION_1. Write
++ * F_VERSION_1 to force LE config space accesses before FEATURES_OK for
++ * these when needed.
++ */
++ if (drv->validate && !virtio_legacy_is_little_endian()
++ && device_features & BIT_ULL(VIRTIO_F_VERSION_1)) {
++ dev->features = BIT_ULL(VIRTIO_F_VERSION_1);
++ dev->config->finalize_features(dev);
++ }
++
+ if (device_features & (1ULL << VIRTIO_F_VERSION_1))
+ dev->features = driver_features & device_features;
+ else
diff --git a/queue-5.4/xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch b/queue-5.4/xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch
new file mode 100644
index 00000000000..af20e3ad7b9
--- /dev/null
+++ b/queue-5.4/xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch
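Review bot: The result of `dev->config->finalize_features(dev)` in the added block is discarded, so if the transport's op can fail (its prototype is outside the hunk) the probe carries on and may still read config space in the legacy format the workaround is meant to rule out. Storing and testing it, e.g. `ret = dev->config->finalize_features(dev);` followed by the function's usual bail-out, would make that failure visible; the error variable and unwind label of virtio_dev_probe are not shown in these lines. Separately, the condition mixes `&&` with an unparenthesised `&`; it parses as intended, but writing `(device_features & BIT_ULL(VIRTIO_F_VERSION_1))` would match the parenthesised test on the context line just below.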
@@ -0,0 +1,43 @@
+From ea0f69d8211963c4b2cc1998b86779a500adb502 Mon Sep 17 00:00:00 2001
+From: Nikolay Martynov
+Date: Fri, 8 Oct 2021 12:25:47 +0300
+Subject: xhci: Enable trust tx length quirk for Fresco FL11 USB controller
+
+From: Nikolay Martynov
+
+commit ea0f69d8211963c4b2cc1998b86779a500adb502 upstream.
+
+Tested on SD5200T TB3 dock which has Fresco Logic FL1100 USB 3.0 Host
+Controller.
+Before this patch streaming video from USB cam made mouse and keyboard
+connected to the same USB bus unusable. Also video was jerky.
+With this patch streaming video doesn't have any effect on other
+periferals and video is smooth.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nikolay Martynov
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20211008092547.3996295-6-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -28,6 +28,7 @@
+ #define PCI_VENDOR_ID_FRESCO_LOGIC 0x1b73
+ #define PCI_DEVICE_ID_FRESCO_LOGIC_PDK 0x1000
+ #define PCI_DEVICE_ID_FRESCO_LOGIC_FL1009 0x1009
++#define PCI_DEVICE_ID_FRESCO_LOGIC_FL1100 0x1100
+ #define PCI_DEVICE_ID_FRESCO_LOGIC_FL1400 0x1400
+
+ #define PCI_VENDOR_ID_ETRON 0x1b6f
+@@ -98,6 +99,7 @@ static void xhci_pci_quirks(struct devic
+ /* Look for vendor-specific quirks */
+ if (pdev->vendor == PCI_VENDOR_ID_FRESCO_LOGIC &&
+ (pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_PDK ||
++ pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1100 ||
+ pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1400)) {
+ if (pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_PDK &&
+ pdev->revision == 0x0) {
diff --git a/queue-5.4/xhci-fix-command-ring-pointer-corruption-while-aborting-a-command.patch b/queue-5.4/xhci-fix-command-ring-pointer-corruption-while-aborting-a-command.patch
new file mode 100644
index 00000000000..1e04cf11ba6
--- /dev/null
+++ b/queue-5.4/xhci-fix-command-ring-pointer-corruption-while-aborting-a-command.patch
@@ -0,0 +1,60 @@
+From ff0e50d3564f33b7f4b35cadeabd951d66cfc570 Mon Sep 17 00:00:00 2001
+From: Pavankumar Kondeti
+Date: Fri, 8 Oct 2021 12:25:46 +0300
+Subject: xhci: Fix command ring pointer corruption while aborting a command
+
+From: Pavankumar Kondeti
+
+commit ff0e50d3564f33b7f4b35cadeabd951d66cfc570 upstream.
+
+The command ring pointer is located at [6:63] bits of the command
+ring control register (CRCR). All the control bits like command stop,
+abort are located at [0:3] bits. While aborting a command, we read the
+CRCR and set the abort bit and write to the CRCR. The read will always
+give command ring pointer as all zeros. So we essentially write only
+the control bits. Since we split the 64 bit write into two 32 bit writes,
+there is a possibility of xHC command ring stopped before the upper
+dword (all zeros) is written. If that happens, xHC updates the upper
+dword of its internal command ring pointer with all zeros. Next time,
+when the command ring is restarted, we see xHC memory access failures.
+Fix this issue by only writing to the lower dword of CRCR where all
+control bits are located.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavankumar Kondeti
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20211008092547.3996295-5-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-ring.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -339,16 +339,22 @@ static void xhci_handle_stopped_cmd_ring
+ /* Must be called with xhci->lock held, releases and aquires lock back */
+ static int xhci_abort_cmd_ring(struct xhci_hcd *xhci, unsigned long flags)
+ {
+- u64 temp_64;
++ u32 temp_32;
+ int ret;
+
+ xhci_dbg(xhci, "Abort command ring\n");
+
+ reinit_completion(&xhci->cmd_ring_stop_completion);
+
+- temp_64 = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);
+- xhci_write_64(xhci, temp_64 | CMD_RING_ABORT,
+- &xhci->op_regs->cmd_ring);
++ /*
++ * The control bits like command stop, abort are located in lower
++ * dword of the command ring control register. Limit the write
++ * to the lower dword to avoid corrupting the command ring pointer
++ * in case if the command ring is stopped by the time upper dword
++ * is written.
++ */
++ temp_32 = readl(&xhci->op_regs->cmd_ring);
++ writel(temp_32 | CMD_RING_ABORT, &xhci->op_regs->cmd_ring);
+
+ /* Section 4.6.1.2 of xHCI 1.0 spec says software should also time the
+ * completion of the Command Abort operation. If CRR is not negated in 5
diff --git a/queue-5.4/xhci-guard-accesses-to-ep_state-in-xhci_endpoint_reset.patch b/queue-5.4/xhci-guard-accesses-to-ep_state-in-xhci_endpoint_reset.patch
new file mode 100644
index 00000000000..7eba6e492a5
--- /dev/null
+++ b/queue-5.4/xhci-guard-accesses-to-ep_state-in-xhci_endpoint_reset.patch
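Review bot: In xhci_abort_cmd_ring (the xhci-fix-command-ring-pointer-corruption patch), the new `writel(temp_32 | CMD_RING_ABORT, &xhci->op_regs->cmd_ring);` assumes every supported controller acts on the abort bit from a lower-dword write alone. A controller that only latches CRCR once the upper dword has been written would presumably never see the abort, and the timed wait described in the following comment would then expire. Nothing in the hunk shows this was checked beyond the reporting hardware, so the comment should state the assumption, e.g. `* Assumes the xHC acts on CRCR control bits without an upper-dword write.`, or the upper dword should be written with a valid ring address instead of being omitted. The phrase "in case if the command ring is stopped" in the new comment would read better as "in case the command ring stops before the upper dword is written". The function continues past the end of the hunk.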
@@ -0,0 +1,51 @@
+From a01ba2a3378be85538e0183ae5367c1bc1d5aaf3 Mon Sep 17 00:00:00 2001
+From: Jonathan Bell
+Date: Fri, 8 Oct 2021 12:25:43 +0300
+Subject: xhci: guard accesses to ep_state in xhci_endpoint_reset()
+
+From: Jonathan Bell
+
+commit a01ba2a3378be85538e0183ae5367c1bc1d5aaf3 upstream.
+
+See https://github.com/raspberrypi/linux/issues/3981
+
+Two read-modify-write cycles on ep->ep_state are not guarded by
+xhci->lock. Fix these.
+
+Fixes: f5249461b504 ("xhci: Clear the host side toggle manually when endpoint is soft reset")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Bell
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20211008092547.3996295-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -3173,10 +3173,13 @@ static void xhci_endpoint_reset(struct u
+ return;
+
+ /* Bail out if toggle is already being cleared by a endpoint reset */
++ spin_lock_irqsave(&xhci->lock, flags);
+ if (ep->ep_state & EP_HARD_CLEAR_TOGGLE) {
+ ep->ep_state &= ~EP_HARD_CLEAR_TOGGLE;
++ spin_unlock_irqrestore(&xhci->lock, flags);
+ return;
+ }
++ spin_unlock_irqrestore(&xhci->lock, flags);
+ /* Only interrupt and bulk ep's use data toggle, USB2 spec 5.5.4-> */
+ if (usb_endpoint_xfer_control(&host_ep->desc) ||
+ usb_endpoint_xfer_isoc(&host_ep->desc))
+@@ -3262,8 +3265,10 @@ static void xhci_endpoint_reset(struct u
+ xhci_free_command(xhci, cfg_cmd);
+ cleanup:
+ xhci_free_command(xhci, stop_cmd);
++ spin_lock_irqsave(&xhci->lock, flags);
+ if (ep->ep_state & EP_SOFT_CLEAR_TOGGLE)
+ ep->ep_state &= ~EP_SOFT_CLEAR_TOGGLE;
++ spin_unlock_irqrestore(&xhci->lock, flags);
+ }
+
+ static int xhci_check_streams_endpoint(struct xhci_hcd *xhci,
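Review bot: In the first inner hunk of xhci_endpoint_reset, `xhci->lock` is dropped straight after the EP_HARD_CLEAR_TOGGLE test, so that check and whatever the function next does with `ep->ep_state` (outside the hunk) are separate critical sections. Each read-modify-write is now atomic, but another path can still change the state between them. If that window is intended, it should be documented at the unlock, e.g. `/* lock dropped here; ep_state may change before it is re-taken below */`. In the cleanup hunk the test before `ep->ep_state &= ~EP_SOFT_CLEAR_TOGGLE;` is redundant now that it runs under the lock, so the clear can be unconditional. The function starts before the first inner hunk and runs on between the two.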