From: Greg Kroah-Hartman Date: Sun, 15 Oct 2023 19:05:11 +0000 (+0200) Subject: 6.5-stable patches X-Git-Tag: v5.15.136~26 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bf32ad4b5cdaf3de38558ca151378f9836a2eb3f;p=thirdparty%2Fkernel%2Fstable-queue.git 6.5-stable patches added patches: acpi-ec-add-quirk-for-the-hp-pavilion-gaming-15-dk1xxx.patch acpi-resource-add-tongfang-gm6bgeq-gm6bg5q-and-gm6bg0q-to-irq1_edge_low_force_override.patch acpi-resource-skip-irq-override-on-asus-expertbook-b1402cba.patch arm64-dts-mediatek-mt8195-demo-fix-the-memory-size-to-8gb.patch arm64-dts-mediatek-mt8195-demo-update-and-reorder-reserved-memory-regions.patch binder-fix-memory-leaks-of-spam-and-pending-work.patch block-don-t-invalidate-pagecache-for-invalid-falloc-modes.patch can-sja1000-always-restart-the-tx-queue-after-an-overrun.patch ceph-fix-incorrect-revoked-caps-assert-in-ceph_fill_file_size.patch ceph-fix-type-promotion-bug-on-32bit-systems.patch cgroup-remove-duplicates-in-cgroup-v1-tasks-file.patch coresight-fix-run-time-warnings-while-reusing-etr-buffer.patch counter-chrdev-fix-getting-array-extensions.patch counter-microchip-tcb-capture-fix-the-use-of-internal-gclk-logic.patch dma-buf-add-dma_fence_timestamp-helper.patch dmaengine-stm32-dma-fix-residue-in-case-of-mdma-chaining.patch dmaengine-stm32-dma-fix-stm32_dma_prep_slave_sg-in-case-of-mdma-chaining.patch dmaengine-stm32-mdma-abort-resume-if-no-ongoing-transfer.patch dmaengine-stm32-mdma-set-in_flight_bytes-in-case-crqa-flag-is-set.patch dmaengine-stm32-mdma-use-link-address-register-to-compute-residue.patch drm-amd-display-don-t-set-dpms_off-for-seamless-boot.patch drm-amdgpu-add-missing-null-check.patch drm-atomic-helper-relax-unregistered-connector-check.patch drm-do-not-overrun-array-in-drm_gem_get_pages.patch drm-tiny-correctly-print-struct-resource-on-error.patch drm-vmwgfx-keep-a-gem-reference-to-user-bos-in-surfaces.patch iio-adc-ad7192-correct-reference-voltage.patch 
iio-adc-imx8qxp-fix-address-for-command-buffer-registers.patch iio-addac-kconfig-update-ad74413r-selections.patch iio-admv1013-add-mixer_vgate-corner-cases.patch iio-cros_ec-fix-an-use-after-free-in-cros_ec_sensors_push_data.patch iio-dac-ad3552r-correct-device-ids.patch iio-imu-bno055-fix-missing-kconfig-dependencies.patch iio-pressure-bmp280-fix-null-pointer-exception.patch iio-pressure-dps310-adjust-timeout-settings.patch iio-pressure-ms5611-ms5611_prom_is_valid-false-negative-bug.patch input-goodix-ensure-int-gpio-is-in-input-for-gpio_count-1-gpio_int_idx-0-case.patch input-i8042-add-fujitsu-lifebook-e5411-to-i8042-quirk-table.patch input-powermate-fix-use-after-free-in-powermate_config_complete.patch input-psmouse-fix-fast_reconnect-function-for-ps-2-mode.patch input-xpad-add-hyperx-clutch-gladiate-support.patch input-xpad-add-pxn-v900-support.patch ksmbd-not-allow-to-open-file-if-delelete-on-close-bit-is-set.patch libceph-use-kernel_connect.patch mcb-remove-is_added-flag-from-mcb_device-struct.patch mctp-perform-route-lookups-under-a-rcu-read-side-lock.patch media-subdev-don-t-report-v4l2_subdev_cap_streams-when-the-streams-api-is-disabled.patch net-usb-dm9601-fix-uninitialized-variable-use-in-dm9601_mdio_read.patch nfp-flower-avoid-rmmod-nfp-crash-issues.patch ovl-temporarily-disable-appending-lowedirs.patch perf-x86-lbr-filter-vsyscall-addresses.patch pinctrl-avoid-unsafe-code-pattern-in-find_pinctrl.patch power-supply-qcom_battmgr-fix-battery_id-type.patch power-supply-qcom_battmgr-fix-enable-request-endianness.patch powerpc-47x-fix-47x-syscall-return-crash.patch powerpc-pseries-fix-stk_param-access-in-the-hcall-tracing-code.patch risc-v-fix-wrong-use-of-config_have_softirq_on_own_stack.patch riscv-only-consider-swbp-ss-handlers-for-correct-privileged-mode.patch riscv-remove-duplicate-objcopy-flag.patch scsi-ufs-core-correct-clear-tm-error-log.patch serial-8250_omap-fix-errors-with-no_console_suspend.patch 
serial-core-fix-checks-for-tx-runtime-pm-state.patch serial-reduce-spinlocked-portion-of-uart_rs485_config.patch tee-amdtee-fix-use-after-free-vulnerability-in-amdtee_close_session.patch thunderbolt-check-that-lane-1-is-in-cl0-before-enabling-lane-bonding.patch thunderbolt-correct-tmu-mode-initialization-from-hardware.patch thunderbolt-restart-xdomain-discovery-handshake-after-failure.patch thunderbolt-workaround-an-iommu-fault-on-certain-systems-with-intel-maple-ridge.patch usb-cdns3-modify-the-return-value-of-cdns_set_active-to-void-when-config_pm_sleep-is-disabled.patch usb-cdnsp-fixes-issue-with-dequeuing-not-queued-requests.patch usb-dwc3-soft-reset-phy-on-probe-for-host.patch usb-gadget-ncm-handle-decoding-of-multiple-ntb-s-in-unwrap-call.patch usb-gadget-udc-xilinx-replace-memcpy-with-memcpy_toio.patch usb-hub-guard-against-accesses-to-uninitialized-bos-descriptors.patch usb-misc-onboard_hub-add-support-for-microchip-usb2412-usb-2.0-hub.patch usb-musb-get-the-musb_qh-poniter-after-musb_giveback.patch usb-musb-modify-the-hwvers-register-address.patch usb-typec-altmodes-displayport-signal-hpd-low-when-exiting-mode.patch usb-typec-qcom-update-the-logic-of-regulator-enable-and-disable.patch usb-typec-ucsi-clear-event_pending-bit-if-ucsi_send_command-fails.patch usb-typec-ucsi-fix-missing-link-removal.patch usb-typec-ucsi-use-get_capability-attributes-data-to-set-power-supply-scope.patch usb-xhci-xhci-ring-use-sysdev-for-mapping-bounce-buffer.patch x86-alternatives-disable-kasan-in-apply_alternatives.patch x86-cpu-fix-amd-erratum-1485-on-zen4-based-cpus.patch xhci-clear-ehb-bit-only-at-end-of-interrupt-handler.patch xhci-preserve-rsvdp-bits-in-erstba-register-correctly.patch xhci-track-port-suspend-state-correctly-in-unsuccessful-resume-cases.patch --- diff --git a/queue-6.5/acpi-ec-add-quirk-for-the-hp-pavilion-gaming-15-dk1xxx.patch b/queue-6.5/acpi-ec-add-quirk-for-the-hp-pavilion-gaming-15-dk1xxx.patch new file mode 100644 index 00000000000..73aff0a75c8 
--- /dev/null +++ b/queue-6.5/acpi-ec-add-quirk-for-the-hp-pavilion-gaming-15-dk1xxx.patch @@ -0,0 +1,44 @@ +From cd4aece493f99f95d41edcce32927d70a5dde923 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 20 Sep 2023 15:05:06 +0200 +Subject: ACPI: EC: Add quirk for the HP Pavilion Gaming 15-dk1xxx + +From: Hans de Goede + +commit cd4aece493f99f95d41edcce32927d70a5dde923 upstream. + +Added GPE quirk entry for the HP Pavilion Gaming 15-dk1xxx. +There is a quirk entry for 2 15-c..... laptops, this is +for a new version which has 15-dk1xxx as identifier. + +This fixes the LID switch and rfkill and brightness hotkeys +not working. + +Closes: https://github.com/systemd/systemd/issues/28942 +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/ec.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1915,6 +1915,17 @@ static const struct dmi_system_id ec_dmi + }, + { + /* ++ * HP Pavilion Gaming Laptop 15-dk1xxx ++ * https://github.com/systemd/systemd/issues/28942 ++ */ ++ .callback = ec_honor_dsdt_gpe, ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "HP"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion Gaming Laptop 15-dk1xxx"), ++ }, ++ }, ++ { ++ /* + * Samsung hardware + * https://bugzilla.kernel.org/show_bug.cgi?id=44161 + */ diff --git a/queue-6.5/acpi-resource-add-tongfang-gm6bgeq-gm6bg5q-and-gm6bg0q-to-irq1_edge_low_force_override.patch b/queue-6.5/acpi-resource-add-tongfang-gm6bgeq-gm6bg5q-and-gm6bg0q-to-irq1_edge_low_force_override.patch new file mode 100644 index 00000000000..501a31c8347 --- /dev/null +++ b/queue-6.5/acpi-resource-add-tongfang-gm6bgeq-gm6bg5q-and-gm6bg0q-to-irq1_edge_low_force_override.patch 
@@ -0,0 +1,73 @@ +From f9b3ea02555e67e2e7bf95219953b88d122bd275 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 9 Oct 2023 14:11:01 +0200 +Subject: ACPI: resource: Add TongFang GM6BGEQ, GM6BG5Q and GM6BG0Q to irq1_edge_low_force_override[] + +From: Hans de Goede + +commit f9b3ea02555e67e2e7bf95219953b88d122bd275 upstream. + +The TongFang GM6BGEQ, GM6BG5Q and GM6BG0Q are 3 GPU variants of a TongFang +barebone design which is sold under various brand names. + +The ACPI IRQ override for the keyboard IRQ must be used on these AMD Zen +laptops in order for the IRQ to work. + +Adjust the pcspecialist_laptop[] DMI match table for this: + +1. Drop the sys-vendor match from the existing PCSpecialist Elimina Pro 16 + entry for the GM6BGEQ (RTX3050 GPU) model so that it will also match + the laptop when sold by other vendors such as hyperbook.pl. + +2. Add board-name matches for the GM6BG5Q (RTX4050) and GM6B0Q (RTX4060) + models. + +Note the .ident values of the dmi_system_id structs are left unset +since these are not used. + +Suggested-by: August Wikerfors +Reported-by: Francesco +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217394 +Link: https://laptopparts4less.frl/index.php?route=product/search&filter_name=GM6BG +Link: https://hyperbook.pl/en/content/14-hyperbook-drivers +Link: https://linux-hardware.org/?probe=bfa70344e3 +Link: https://bbs.archlinuxcn.org/viewtopic.php?id=13313 +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/resource.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -507,16 +507,23 @@ static const struct dmi_system_id mainge + + static const struct dmi_system_id pcspecialist_laptop[] = { + { +- .ident = "PCSpecialist Elimina Pro 16 M", +- /* +- * Some models have product-name "Elimina Pro 16 M", +- * others "GM6BGEQ". Match on board-name to match both. 
+- */ ++ /* TongFang GM6BGEQ / PCSpecialist Elimina Pro 16 M, RTX 3050 */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "PCSpecialist"), + DMI_MATCH(DMI_BOARD_NAME, "GM6BGEQ"), + }, + }, ++ { ++ /* TongFang GM6BG5Q, RTX 4050 */ ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "GM6BG5Q"), ++ }, ++ }, ++ { ++ /* TongFang GM6BG0Q / PCSpecialist Elimina Pro 16 M, RTX 4060 */ ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "GM6BG0Q"), ++ }, ++ }, + { } + }; + diff --git a/queue-6.5/acpi-resource-skip-irq-override-on-asus-expertbook-b1402cba.patch b/queue-6.5/acpi-resource-skip-irq-override-on-asus-expertbook-b1402cba.patch new file mode 100644 index 00000000000..137bc4e8282 --- /dev/null +++ b/queue-6.5/acpi-resource-skip-irq-override-on-asus-expertbook-b1402cba.patch 
@@ -0,0 +1,41 @@ +From c1ed72171ed580fbf159e703b77685aa4b0d0df5 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 12 Sep 2023 12:08:27 +0200 +Subject: ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA + +From: Hans de Goede + +commit c1ed72171ed580fbf159e703b77685aa4b0d0df5 upstream. + +Like various other ASUS ExpertBook-s, the ASUS ExpertBook B1402CBA +has an ACPI DSDT table that describes IRQ 1 as ActiveLow while +the kernel overrides it to EdgeHigh. + +This prevents the keyboard from working. To fix this issue, add this laptop +to the skip_override_table so that the kernel does not override IRQ 1. + +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217901 +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/resource.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -440,6 +440,13 @@ static const struct dmi_system_id asus_l + }, + }, + { ++ .ident = "Asus ExpertBook B1402CBA", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "B1402CBA"), ++ }, ++ }, ++ { + .ident = "Asus ExpertBook B1502CBA", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), diff --git a/queue-6.5/arm64-dts-mediatek-mt8195-demo-fix-the-memory-size-to-8gb.patch b/queue-6.5/arm64-dts-mediatek-mt8195-demo-fix-the-memory-size-to-8gb.patch new file mode 100644 index 00000000000..a524e680f5c --- /dev/null +++ b/queue-6.5/arm64-dts-mediatek-mt8195-demo-fix-the-memory-size-to-8gb.patch 
@@ -0,0 +1,35 @@ +From 25389c03c21c9587dd21c768d1cbfa514a3ca211 Mon Sep 17 00:00:00 2001 +From: Macpaul Lin +Date: Tue, 3 Oct 2023 13:13:44 +0200 +Subject: arm64: dts: mediatek: mt8195-demo: fix the memory size to 8GB + +From: Macpaul Lin + +commit 25389c03c21c9587dd21c768d1cbfa514a3ca211 upstream. + +The onboard dram of mt8195-demo board is 8GB. + +Cc: stable@vger.kernel.org # 6.1, 6.4, 6.5 +Fixes: 6147314aeedc ("arm64: dts: mediatek: Add device-tree for MT8195 Demo board") +Signed-off-by: Macpaul Lin +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20230905034511.11232-1-macpaul.lin@mediatek.com +Link: https://lore.kernel.org/r/20231003-mediatek-fixes-v6-7-v1-2-dad7cd62a8ff@collabora.com +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/mediatek/mt8195-demo.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/mediatek/mt8195-demo.dts ++++ b/arch/arm64/boot/dts/mediatek/mt8195-demo.dts +@@ -48,7 +48,7 @@ + + memory@40000000 { + device_type = "memory"; +- reg = <0 0x40000000 0 0x80000000>; ++ reg = <0 0x40000000 0x2 0x00000000>; + }; + + reserved-memory { diff --git a/queue-6.5/arm64-dts-mediatek-mt8195-demo-update-and-reorder-reserved-memory-regions.patch b/queue-6.5/arm64-dts-mediatek-mt8195-demo-update-and-reorder-reserved-memory-regions.patch new file mode 100644 index 00000000000..e9adc0bd347 --- /dev/null +++ b/queue-6.5/arm64-dts-mediatek-mt8195-demo-update-and-reorder-reserved-memory-regions.patch 
@@ -0,0 +1,88 @@ +From 6cd2a30b96a4b2d270bc1ef1611429dc3fa63327 Mon Sep 17 00:00:00 2001 +From: Macpaul Lin +Date: Tue, 3 Oct 2023 13:13:45 +0200 +Subject: arm64: dts: mediatek: mt8195-demo: update and reorder reserved memory regions + +From: Macpaul Lin + +commit 6cd2a30b96a4b2d270bc1ef1611429dc3fa63327 upstream. + +The dts file of the MediaTek MT8195 demo board has been updated to include +new reserved memory regions. +These reserved memory regions are: + - SCP + - VPU, + - Sound DMA + - APU. + +These regions are defined with the "shared-dma-pool" compatible property. +In addition, the existing reserved memory regions have been reordered by +their addresses to improve readability and maintainability of the DTS +file. + +Cc: stable@vger.kernel.org # 6.1, 6.4, 6.5 +Fixes: e4a417520101 ("arm64: dts: mediatek: mt8195-demo: fix the memory size of node secmon") +Signed-off-by: Macpaul Lin +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20230905034511.11232-2-macpaul.lin@mediatek.com +Link: https://lore.kernel.org/r/20231003-mediatek-fixes-v6-7-v1-3-dad7cd62a8ff@collabora.com +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/mediatek/mt8195-demo.dts | 37 +++++++++++++++++++++------ + 1 file changed, 30 insertions(+), 7 deletions(-) + +--- a/arch/arm64/boot/dts/mediatek/mt8195-demo.dts ++++ b/arch/arm64/boot/dts/mediatek/mt8195-demo.dts +@@ -56,13 +56,8 @@ + #size-cells = <2>; + ranges; + +- /* 2 MiB reserved for ARM Trusted Firmware (BL31) */ +- bl31_secmon_reserved: secmon@54600000 { +- no-map; +- reg = <0 0x54600000 0x0 0x200000>; +- }; +- +- /* 12 MiB reserved for OP-TEE (BL32) ++ /* ++ * 12 MiB reserved for OP-TEE (BL32) + * +-----------------------+ 0x43e0_0000 + * | SHMEM 2MiB | + * +-----------------------+ 0x43c0_0000 +@@ -75,6 +70,34 @@ + no-map; + reg = <0 0x43200000 0 0x00c00000>; + }; ++ ++ scp_mem: memory@50000000 { ++ compatible = 
"shared-dma-pool"; ++ reg = <0 0x50000000 0 0x2900000>; ++ no-map; ++ }; ++ ++ vpu_mem: memory@53000000 { ++ compatible = "shared-dma-pool"; ++ reg = <0 0x53000000 0 0x1400000>; /* 20 MB */ ++ }; ++ ++ /* 2 MiB reserved for ARM Trusted Firmware (BL31) */ ++ bl31_secmon_mem: memory@54600000 { ++ no-map; ++ reg = <0 0x54600000 0x0 0x200000>; ++ }; ++ ++ snd_dma_mem: memory@60000000 { ++ compatible = "shared-dma-pool"; ++ reg = <0 0x60000000 0 0x1100000>; ++ no-map; ++ }; ++ ++ apu_mem: memory@62000000 { ++ compatible = "shared-dma-pool"; ++ reg = <0 0x62000000 0 0x1400000>; /* 20 MB */ ++ }; + }; + }; + diff --git a/queue-6.5/binder-fix-memory-leaks-of-spam-and-pending-work.patch b/queue-6.5/binder-fix-memory-leaks-of-spam-and-pending-work.patch new file mode 100644 index 00000000000..ca71acc7fd9 --- /dev/null +++ b/queue-6.5/binder-fix-memory-leaks-of-spam-and-pending-work.patch 
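Review bot: In the mt8195-demo.dts reserved-memory hunk, `vpu_mem` and `apu_mem` are declared `shared-dma-pool` without `no-map`, while `scp_mem` and `snd_dma_mem` in the same hunk set it, and nothing in the patch says whether the difference is intended. If it is deliberate, a one-line comment on each of the two nodes would stop a later cleanup from making them uniform, for example `/* intentionally mapped (no no-map): <reason> */`. The size comments read `/* 20 MB */` although `0x1400000` is 20 MiB and the neighbouring comments use MiB. The rename of the `bl31_secmon_reserved` label to `bl31_secmon_mem` is only safe if no other file references the old label, which cannot be checked from this hunk.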
@@ -0,0 +1,70 @@ +From 1aa3aaf8953c84bad398adf6c3cabc9d6685bf7d Mon Sep 17 00:00:00 2001 +From: Carlos Llamas +Date: Fri, 22 Sep 2023 17:51:37 +0000 +Subject: binder: fix memory leaks of spam and pending work + +From: Carlos Llamas + +commit 1aa3aaf8953c84bad398adf6c3cabc9d6685bf7d upstream. + +A transaction complete work is allocated and queued for each +transaction. Under certain conditions the work->type might be marked as +BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT to notify userspace about +potential spamming threads or as BINDER_WORK_TRANSACTION_PENDING when +the target is currently frozen. + +However, these work types are not being handled in binder_release_work() +so they will leak during a cleanup. This was reported by syzkaller with +the following kmemleak dump: + +BUG: memory leak +unreferenced object 0xffff88810e2d6de0 (size 32): + comm "syz-executor338", pid 5046, jiffies 4294968230 (age 13.590s) + hex dump (first 32 bytes): + e0 6d 2d 0e 81 88 ff ff e0 6d 2d 0e 81 88 ff ff .m-......m-..... + 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmalloc_trace+0x25/0x90 mm/slab_common.c:1114 + [] kmalloc include/linux/slab.h:599 [inline] + [] kzalloc include/linux/slab.h:720 [inline] + [] binder_transaction+0x573/0x4050 drivers/android/binder.c:3152 + [] binder_thread_write+0x6b5/0x1860 drivers/android/binder.c:4010 + [] binder_ioctl_write_read drivers/android/binder.c:5066 [inline] + [] binder_ioctl+0x1b2c/0x3cf0 drivers/android/binder.c:5352 + [] vfs_ioctl fs/ioctl.c:51 [inline] + [] __do_sys_ioctl fs/ioctl.c:871 [inline] + [] __se_sys_ioctl fs/ioctl.c:857 [inline] + [] __x64_sys_ioctl+0xf2/0x140 fs/ioctl.c:857 + [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 + [] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fix the leaks by kfreeing these work types in binder_release_work() and +handle them as a BINDER_WORK_TRANSACTION_COMPLETE cleanup. 
+ +Cc: stable@vger.kernel.org +Fixes: 0567461a7a6e ("binder: return pending info for frozen async txns") +Fixes: a7dc1e6f99df ("binder: tell userspace to dump current backtrace when detected oneway spamming") +Reported-by: syzbot+7f10c1653e35933c0f1e@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=7f10c1653e35933c0f1e +Suggested-by: Alice Ryhl +Signed-off-by: Carlos Llamas +Reviewed-by: Alice Ryhl +Acked-by: Todd Kjos +Link: https://lore.kernel.org/r/20230922175138.230331-1-cmllamas@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -4812,6 +4812,8 @@ static void binder_release_work(struct b + "undelivered TRANSACTION_ERROR: %u\n", + e->cmd); + } break; ++ case BINDER_WORK_TRANSACTION_PENDING: ++ case BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT: + case BINDER_WORK_TRANSACTION_COMPLETE: { + binder_debug(BINDER_DEBUG_DEAD_TRANSACTION, + "undelivered TRANSACTION_COMPLETE\n"); diff --git a/queue-6.5/block-don-t-invalidate-pagecache-for-invalid-falloc-modes.patch b/queue-6.5/block-don-t-invalidate-pagecache-for-invalid-falloc-modes.patch new file mode 100644 index 00000000000..89ba384e9a4 --- /dev/null +++ b/queue-6.5/block-don-t-invalidate-pagecache-for-invalid-falloc-modes.patch 
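Review bot: In binder_release_work(), the two new case labels fall through to the BINDER_WORK_TRANSACTION_COMPLETE branch, so a released PENDING or ONEWAY_SPAM_SUSPECT item is logged as `undelivered TRANSACTION_COMPLETE`, which hides the work type that was actually dropped when someone reads the dead-transaction debug output. The description says the leak was found by syzkaller through the binder ioctl path, so the reason the three types share one release path deserves a comment, for example `/* PENDING and ONEWAY_SPAM_SUSPECT are tcomplete work items retyped in place; release them like TRANSACTION_COMPLETE */`. The rest of the case body, including the free that the description refers to, lies below the hunk and is not visible here.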
@@ -0,0 +1,71 @@ +From 1364a3c391aedfeb32aa025303ead3d7c91cdf9d Mon Sep 17 00:00:00 2001 +From: Sarthak Kukreti +Date: Wed, 11 Oct 2023 13:12:30 -0700 +Subject: block: Don't invalidate pagecache for invalid falloc modes + +From: Sarthak Kukreti + +commit 1364a3c391aedfeb32aa025303ead3d7c91cdf9d upstream. + +Only call truncate_bdev_range() if the fallocate mode is supported. This +fixes a bug where data in the pagecache could be invalidated if the +fallocate() was called on the block device with an invalid mode. + +Fixes: 25f4c41415e5 ("block: implement (some of) fallocate for block devices") +Cc: stable@vger.kernel.org +Reported-by: "Darrick J. Wong" +Signed-off-by: Sarthak Kukreti +Reviewed-by: Christoph Hellwig +Reviewed-by: "Darrick J. Wong" +Signed-off-by: Mike Snitzer +Fixes: line? I've never seen those wrapped. +Link: https://lore.kernel.org/r/20231011201230.750105-1-sarthakkukreti@chromium.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/fops.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +--- a/block/fops.c ++++ b/block/fops.c +@@ -659,24 +659,35 @@ static long blkdev_fallocate(struct file + + filemap_invalidate_lock(inode->i_mapping); + +- /* Invalidate the page cache, including dirty pages. */ +- error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); +- if (error) +- goto fail; +- ++ /* ++ * Invalidate the page cache, including dirty pages, for valid ++ * de-allocate mode calls to fallocate(). 
++ */ + switch (mode) { + case FALLOC_FL_ZERO_RANGE: + case FALLOC_FL_ZERO_RANGE | FALLOC_FL_KEEP_SIZE: ++ error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); ++ if (error) ++ goto fail; ++ + error = blkdev_issue_zeroout(bdev, start >> SECTOR_SHIFT, + len >> SECTOR_SHIFT, GFP_KERNEL, + BLKDEV_ZERO_NOUNMAP); + break; + case FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE: ++ error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); ++ if (error) ++ goto fail; ++ + error = blkdev_issue_zeroout(bdev, start >> SECTOR_SHIFT, + len >> SECTOR_SHIFT, GFP_KERNEL, + BLKDEV_ZERO_NOFALLBACK); + break; + case FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE | FALLOC_FL_NO_HIDE_STALE: ++ error = truncate_bdev_range(bdev, file_to_blk_mode(file), start, end); ++ if (error) ++ goto fail; ++ + error = blkdev_issue_discard(bdev, start >> SECTOR_SHIFT, + len >> SECTOR_SHIFT, GFP_KERNEL); + break; diff --git a/queue-6.5/can-sja1000-always-restart-the-tx-queue-after-an-overrun.patch b/queue-6.5/can-sja1000-always-restart-the-tx-queue-after-an-overrun.patch new file mode 100644 index 00000000000..1eada7c9d6b --- /dev/null +++ b/queue-6.5/can-sja1000-always-restart-the-tx-queue-after-an-overrun.patch 
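Review bot: In blkdev_fallocate(), the same `truncate_bdev_range()` call and error check is now repeated in each of the three supported cases, so a mode added to this switch later can issue a zeroout or discard without invalidating the page cache first and nothing will flag the omission. The block comment above the switch could state the rule explicitly, for example `Every supported mode must call truncate_bdev_range() before issuing its zeroout/discard; unsupported modes must not touch the page cache.` That comment also says "de-allocate mode", which does not describe the two FALLOC_FL_ZERO_RANGE cases. The switch continues below the hunk, so the handling of unsupported modes is not visible here.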
@@ -0,0 +1,85 @@ +From b5efb4e6fbb06da928526eca746f3de243c12ab2 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Mon, 2 Oct 2023 18:02:06 +0200 +Subject: can: sja1000: Always restart the Tx queue after an overrun + +From: Miquel Raynal + +commit b5efb4e6fbb06da928526eca746f3de243c12ab2 upstream. + +Upstream commit 717c6ec241b5 ("can: sja1000: Prevent overrun stalls with +a soft reset on Renesas SoCs") fixes an issue with Renesas own SJA1000 +CAN controller reception: the Rx buffer is only 5 messages long, so when +the bus loaded (eg. a message every 50us), overrun may easily +happen. Upon an overrun situation, due to a possible internal crosstalk +situation, the controller enters a frozen state which only can be +unlocked with a soft reset (experimentally). The solution was to offload +a call to sja1000_start() in a threaded handler. This needs to happen in +process context as this operation requires to sleep. sja1000_start() +basically enters "reset mode", performs a proper software reset and +returns back into "normal mode". + +Since this fix was introduced, we no longer observe any stalls in +reception. However it was sporadically observed that the transmit path +would now freeze. Further investigation blamed the fix mentioned above, +and especially the reset operation. Reproducing the reset in a loop +helped identifying what could possibly go wrong. The sja1000 is a single +Tx queue device, which leverages the netdev helpers to process one Tx +message at a time. The logic is: the queue is stopped, the message sent +to the transceiver, once properly transmitted the controller sets a +status bit which triggers an interrupt, in the interrupt handler the +transmission status is checked and the queue woken up. Unfortunately, if +an overrun happens, we might perform the soft reset precisely between +the transmission of the buffer to the transceiver and the advent of the +transmission status bit. 
We would then stop the transmission operation +without re-enabling the queue, leading to all further transmissions to +be ignored. + +The reset interrupt can only happen while the device is "open", and +after a reset we anyway want to resume normal operations, no matter if a +packet to transmit got dropped in the process, so we shall wake up the +queue. Restarting the device and waking-up the queue is exactly what +sja1000_set_mode(CAN_MODE_START) does. In order to be consistent about +the queue state, we must acquire a lock both in the reset handler and in +the transmit path to ensure serialization of both operations. It turns +out, a lock is already held when entering the transmit path, so we can +just acquire/release it as well with the regular net helpers inside the +threaded interrupt handler and this way we should be safe. As the +reset handler might still be called after the transmission of a frame to +the transceiver but before it actually gets transmitted, we must ensure +we don't leak the skb, so we free it (the behavior is consistent, no +matter if there was an skb on the stack or not). 
+ +Fixes: 717c6ec241b5 ("can: sja1000: Prevent overrun stalls with a soft reset on Renesas SoCs") +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/all/20231002160206.190953-1-miquel.raynal@bootlin.com +[mkl: fixed call to can_free_echo_skb()] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/sja1000/sja1000.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c +index 0ada0e160e93..743c2eb62b87 100644 +--- a/drivers/net/can/sja1000/sja1000.c ++++ b/drivers/net/can/sja1000/sja1000.c +@@ -392,7 +392,13 @@ static irqreturn_t sja1000_reset_interrupt(int irq, void *dev_id) + struct net_device *dev = (struct net_device *)dev_id; + + netdev_dbg(dev, "performing a soft reset upon overrun\n"); +- sja1000_start(dev); ++ ++ netif_tx_lock(dev); ++ ++ can_free_echo_skb(dev, 0, NULL); ++ sja1000_set_mode(dev, CAN_MODE_START); ++ ++ netif_tx_unlock(dev); + + return IRQ_HANDLED; + } +-- +2.42.0 + diff --git a/queue-6.5/ceph-fix-incorrect-revoked-caps-assert-in-ceph_fill_file_size.patch b/queue-6.5/ceph-fix-incorrect-revoked-caps-assert-in-ceph_fill_file_size.patch new file mode 100644 index 00000000000..ec29bd06262 --- /dev/null +++ b/queue-6.5/ceph-fix-incorrect-revoked-caps-assert-in-ceph_fill_file_size.patch 
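Review bot: In sja1000_reset_interrupt(), the reset now runs between `netif_tx_lock(dev)` and `netif_tx_unlock(dev)`, yet the description says the reset was moved to a threaded handler because it needs to sleep. netif_tx_lock() takes a spinlock, so nothing on the `sja1000_set_mode(dev, CAN_MODE_START)` path may sleep, and that has to be confirmed against sja1000_set_mode(), which is outside the hunk. A comment would record the constraint: `/* Tx lock held: serialises against the xmit path; the reset below must not sleep */`. The result of sja1000_set_mode() is dropped without a remark, and the unconditional `can_free_echo_skb(dev, 0, NULL)` is explained only in the description; a one-line comment for each would save the next reader the lookup.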
@@ -0,0 +1,44 @@ +From 15c0a870dc44ed14e01efbdd319d232234ee639f Mon Sep 17 00:00:00 2001 +From: Xiubo Li +Date: Wed, 6 Sep 2023 14:22:07 +0800 +Subject: ceph: fix incorrect revoked caps assert in ceph_fill_file_size() + +From: Xiubo Li + +commit 15c0a870dc44ed14e01efbdd319d232234ee639f upstream. + +When truncating the inode the MDS will acquire the xlock for the +ifile Locker, which will revoke the 'Frwsxl' caps from the clients. +But when the client just releases and flushes the 'Fw' caps to MDS, +for exmaple, and once the MDS receives the caps flushing msg it +just thought the revocation has finished. Then the MDS will continue +truncating the inode and then issued the truncate notification to +all the clients. While just before the clients receives the cap +flushing ack they receive the truncation notification, the clients +will detecte that the 'issued | dirty' is still holding the 'Fw' +caps. + +Cc: stable@vger.kernel.org +Link: https://tracker.ceph.com/issues/56693 +Fixes: b0d7c2231015 ("ceph: introduce i_truncate_mutex") +Signed-off-by: Xiubo Li +Reviewed-by: Milind Changire +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/inode.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -655,9 +655,7 @@ int ceph_fill_file_size(struct inode *in + ci->i_truncate_seq = truncate_seq; + + /* the MDS should have revoked these caps */ +- WARN_ON_ONCE(issued & (CEPH_CAP_FILE_EXCL | +- CEPH_CAP_FILE_RD | +- CEPH_CAP_FILE_WR | ++ WARN_ON_ONCE(issued & (CEPH_CAP_FILE_RD | + CEPH_CAP_FILE_LAZYIO)); + /* + * If we hold relevant caps, or in the case where we're diff --git a/queue-6.5/ceph-fix-type-promotion-bug-on-32bit-systems.patch b/queue-6.5/ceph-fix-type-promotion-bug-on-32bit-systems.patch new file mode 100644 index 00000000000..be2db2fe659 --- /dev/null +++ b/queue-6.5/ceph-fix-type-promotion-bug-on-32bit-systems.patch 
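Review bot: In ceph_fill_file_size(), the retained comment `/* the MDS should have revoked these caps */` no longer explains why CEPH_CAP_FILE_EXCL and CEPH_CAP_FILE_WR were taken out of the WARN_ON_ONCE() mask, and the description only covers the 'Fw' case, not the removal of EXCL. The comment should carry the reasoning, for example `/* FILE_WR may still show in 'issued' until the cap flush ack arrives, so only FILE_RD and FILE_LAZYIO are checked */`, with a matching clause for FILE_EXCL once the reason is confirmed. The function starts and ends outside the hunk.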
@@ -0,0 +1,35 @@ +From 07bb00ef00ace88dd6f695fadbba76565756e55c Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sat, 7 Oct 2023 11:52:39 +0300 +Subject: ceph: fix type promotion bug on 32bit systems + +From: Dan Carpenter + +commit 07bb00ef00ace88dd6f695fadbba76565756e55c upstream. + +In this code "ret" is type long and "src_objlen" is unsigned int. The +problem is that on 32bit systems, when we do the comparison signed longs +are type promoted to unsigned int. So negative error codes from +do_splice_direct() are treated as success instead of failure. + +Cc: stable@vger.kernel.org +Fixes: 1b0c3b9f91f0 ("ceph: re-org copy_file_range and fix some error paths") +Signed-off-by: Dan Carpenter +Reviewed-by: Xiubo Li +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -2559,7 +2559,7 @@ static ssize_t __ceph_copy_file_range(st + ret = do_splice_direct(src_file, &src_off, dst_file, + &dst_off, src_objlen, flags); + /* Abort on short copies or on error */ +- if (ret < src_objlen) { ++ if (ret < (long)src_objlen) { + dout("Failed partial copy (%zd)\n", ret); + goto out; + } diff --git a/queue-6.5/cgroup-remove-duplicates-in-cgroup-v1-tasks-file.patch b/queue-6.5/cgroup-remove-duplicates-in-cgroup-v1-tasks-file.patch new file mode 100644 index 00000000000..642e953ec97 --- /dev/null +++ b/queue-6.5/cgroup-remove-duplicates-in-cgroup-v1-tasks-file.patch 
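Review bot: In __ceph_copy_file_range(), the `(long)src_objlen` cast makes the comparison signed, but it relies on src_objlen never exceeding LONG_MAX on 32-bit builds, where a larger value would turn negative and let a short copy pass the check. Testing the error case separately avoids that assumption and states the intent: `if (ret < 0 || (size_t)ret < src_objlen) {`. Whether src_objlen can be that large depends on the object-size limits, which are not visible in this hunk. The function body starts and ends outside the hunk.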
@@ -0,0 +1,52 @@
+From 1ca0b605150501b7dc59f3016271da4eb3e96fce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20Koutn=C3=BD?=
+Date: Mon, 9 Oct 2023 15:58:11 +0200
+Subject: cgroup: Remove duplicates in cgroup v1 tasks file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Koutný
+
+commit 1ca0b605150501b7dc59f3016271da4eb3e96fce upstream.
+
+One PID may appear multiple times in a preloaded pidlist.
+(Possibly due to PID recycling but we have reports of the same
+task_struct appearing with different PIDs, thus possibly involving
+transfer of PID via de_thread().)
+
+Because v1 seq_file iterator uses PIDs as position, it leads to
+a message:
+> seq_file: buggy .next function kernfs_seq_next did not update position index
+
+Conservative and quick fix consists of removing duplicates from `tasks`
+file (as opposed to removing pidlists altogether). It doesn't affect
+correctness (it's sufficient to show a PID once), performance impact
+would be hidden by unconditional sorting of the pidlist already in place
+(asymptotically).
+
+Link: https://lore.kernel.org/r/20230823174804.23632-1-mkoutny@suse.com/
+Suggested-by: Firo Yang
+Signed-off-by: Michal Koutný
+Signed-off-by: Tejun Heo
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/cgroup/cgroup-v1.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/kernel/cgroup/cgroup-v1.c
++++ b/kernel/cgroup/cgroup-v1.c
+@@ -360,10 +360,9 @@ static int pidlist_array_load(struct cgr
+ }
+ css_task_iter_end(&it);
+ length = n;
+- /* now sort & (if procs) strip out duplicates */
++ /* now sort & strip out duplicates (tgids or recycled thread PIDs) */
+ sort(array, length, sizeof(pid_t), cmppid, NULL);
+- if (type == CGROUP_FILE_PROCS)
+- length = pidlist_uniq(array, length);
++ length = pidlist_uniq(array, length);
+
+ l = cgroup_pidlist_find_create(cgrp, type);
+ if (!l) {
diff --git a/queue-6.5/coresight-fix-run-time-warnings-while-reusing-etr-buffer.patch b/queue-6.5/coresight-fix-run-time-warnings-while-reusing-etr-buffer.patch
new file mode 100644
index 00000000000..e6902dd58b6
--- /dev/null
+++ b/queue-6.5/coresight-fix-run-time-warnings-while-reusing-etr-buffer.patch
@@ -0,0 +1,115 @@ +From bd2767ec3df2775bc336f441f9068a989ccb919d Mon Sep 17 00:00:00 2001 +From: Linu Cherian +Date: Wed, 23 Aug 2023 09:59:48 +0530 +Subject: coresight: Fix run time warnings while reusing ETR buffer + +From: Linu Cherian + +commit bd2767ec3df2775bc336f441f9068a989ccb919d upstream. + +Fix the below warning by avoding calls to tmc_etr_enable_hw, +if we are reusing the ETR buffer for multiple sources in sysfs mode. + +echo 1 > /sys/bus/coresight/devices/tmc_etr0/enable_sink +echo 1 > /sys/bus/coresight/devices/ete1/enable_source +echo 1 > /sys/bus/coresight/devices/ete2/enable_source +[ 166.918290] ------------[ cut here ]------------ +[ 166.922905] WARNING: CPU: 4 PID: 2288 at +drivers/hwtracing/coresight/coresight-tmc-etr.c:1037 +tmc_etr_enable_hw+0xb0/0xc8 +[ 166.933862] Modules linked in: +[ 166.936911] CPU: 4 PID: 2288 Comm: bash Not tainted 6.5.0-rc7 #132 +[ 166.943084] Hardware name: Marvell CN106XX board (DT) +[ 166.948127] pstate: 834000c9 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS +BTYPE=--) +[ 166.955083] pc : tmc_etr_enable_hw+0xb0/0xc8 +[ 166.959345] lr : tmc_enable_etr_sink+0x134/0x210 +snip.. 
+ 167.038545] Call trace: +[ 167.040982] tmc_etr_enable_hw+0xb0/0xc8 +[ 167.044897] tmc_enable_etr_sink+0x134/0x210 +[ 167.049160] coresight_enable_path+0x160/0x278 +[ 167.053596] coresight_enable+0xd4/0x298 +[ 167.057510] enable_source_store+0x54/0xa0 +[ 167.061598] dev_attr_store+0x20/0x40 +[ 167.065254] sysfs_kf_write+0x4c/0x68 +[ 167.068909] kernfs_fop_write_iter+0x128/0x200 +[ 167.073345] vfs_write+0x1ac/0x2f8 +[ 167.076739] ksys_write+0x74/0x110 +[ 167.080132] __arm64_sys_write+0x24/0x38 +[ 167.084045] invoke_syscall.constprop.0+0x58/0xf8 +[ 167.088744] do_el0_svc+0x60/0x160 +[ 167.092137] el0_svc+0x40/0x170 +[ 167.095273] el0t_64_sync_handler+0x100/0x130 +[ 167.099621] el0t_64_sync+0x190/0x198 +[ 167.103277] ---[ end trace 0000000000000000 ]--- +-bash: echo: write error: Device or resource busy + +Fixes: 296b01fd106e ("coresight: Refactor out buffer allocation function for ETR") +Signed-off-by: Linu Cherian +Reviewed-by: James Clark +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20230823042948.12879-1-lcherian@marvell.com +Signed-off-by: Greg Kroah-Hartman +--- + .../hwtracing/coresight/coresight-tmc-etr.c | 24 ++++++++++--------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c +index 66dc5f97a009..6132c5b3db9c 100644 +--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c ++++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c +@@ -1173,16 +1173,6 @@ static struct etr_buf *tmc_etr_get_sysfs_buffer(struct coresight_device *csdev) + goto out; + } + +- /* +- * In sysFS mode we can have multiple writers per sink. Since this +- * sink is already enabled no memory is needed and the HW need not be +- * touched, even if the buffer size has changed. 
+- */ +- if (drvdata->mode == CS_MODE_SYSFS) { +- atomic_inc(&csdev->refcnt); +- goto out; +- } +- + /* + * If we don't have a buffer or it doesn't match the requested size, + * use the buffer allocated above. Otherwise reuse the existing buffer. +@@ -1204,7 +1194,7 @@ static struct etr_buf *tmc_etr_get_sysfs_buffer(struct coresight_device *csdev) + + static int tmc_enable_etr_sink_sysfs(struct coresight_device *csdev) + { +- int ret; ++ int ret = 0; + unsigned long flags; + struct tmc_drvdata *drvdata = dev_get_drvdata(csdev->dev.parent); + struct etr_buf *sysfs_buf = tmc_etr_get_sysfs_buffer(csdev); +@@ -1213,12 +1203,24 @@ static int tmc_enable_etr_sink_sysfs(struct coresight_device *csdev) + return PTR_ERR(sysfs_buf); + + spin_lock_irqsave(&drvdata->spinlock, flags); ++ ++ /* ++ * In sysFS mode we can have multiple writers per sink. Since this ++ * sink is already enabled no memory is needed and the HW need not be ++ * touched, even if the buffer size has changed. ++ */ ++ if (drvdata->mode == CS_MODE_SYSFS) { ++ atomic_inc(&csdev->refcnt); ++ goto out; ++ } ++ + ret = tmc_etr_enable_hw(drvdata, sysfs_buf); + if (!ret) { + drvdata->mode = CS_MODE_SYSFS; + atomic_inc(&csdev->refcnt); + } + ++out: + spin_unlock_irqrestore(&drvdata->spinlock, flags); + + if (!ret) +-- +2.42.0 + diff --git a/queue-6.5/counter-chrdev-fix-getting-array-extensions.patch b/queue-6.5/counter-chrdev-fix-getting-array-extensions.patch new file mode 100644 index 00000000000..ed4d4ec2c34 --- /dev/null +++ b/queue-6.5/counter-chrdev-fix-getting-array-extensions.patch 
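Review bot: With the sysfs-mode early exit removed from tmc_etr_get_sysfs_buffer(), that function now reaches its "use the buffer allocated above" step on every enable, while the comment moved into tmc_enable_etr_sink_sysfs() still promises that "no memory is needed and the HW need not be touched, even if the buffer size has changed". If the code past the hunk replaces `drvdata->sysfs_buf` on a size mismatch, a second `enable_source` after a buffer-size change would swap the buffer of a sink that is already tracing; that part is not visible here and needs confirming. I would either keep a guard in tmc_etr_get_sysfs_buffer() that skips the replacement when `drvdata->mode == CS_MODE_SYSFS`, or reword the moved comment to say what actually happens to the buffer. Both function bodies continue outside their hunks.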
@@ -0,0 +1,50 @@
+From 3170256d7bc1ef81587caf4b83573eb1f5bb4fb6 Mon Sep 17 00:00:00 2001
+From: Fabrice Gasnier
+Date: Tue, 29 Aug 2023 15:40:22 +0200
+Subject: counter: chrdev: fix getting array extensions
+
+From: Fabrice Gasnier
+
+commit 3170256d7bc1ef81587caf4b83573eb1f5bb4fb6 upstream.
+
+When trying to watch a component array extension, and the array isn't the
+first extended element, it fails as the type comparison is always done on
+the 1st element. Fix it by indexing the 'ext' array.
+
+Example on a dummy struct counter_comp:
+static struct counter_comp dummy[] = {
+ COUNTER_COMP_DIRECTION(..),
+ ...,
+ COUNTER_COMP_ARRAY_CAPTURE(...),
+};
+static struct counter_count dummy_cnt = {
+ ...
+ .ext = dummy,
+ .num_ext = ARRAY_SIZE(dummy),
+}
+
+Currently, counter_get_ext() returns -EINVAL when trying to add a watch
+event on one of the capture array element in such example.
+
+Fixes: d2011be1e22f ("counter: Introduce the COUNTER_COMP_ARRAY component type")
+Signed-off-by: Fabrice Gasnier
+Link: https://lore.kernel.org/r/20230829134029.2402868-2-fabrice.gasnier@foss.st.com
+Signed-off-by: William Breathitt Gray
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/counter/counter-chrdev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/counter/counter-chrdev.c
++++ b/drivers/counter/counter-chrdev.c
+@@ -247,8 +247,8 @@ static int counter_get_ext(const struct
+ if (*id == component_id)
+ return 0;
+
+- if (ext->type == COUNTER_COMP_ARRAY) {
+- element = ext->priv;
++ if (ext[*ext_idx].type == COUNTER_COMP_ARRAY) {
++ element = ext[*ext_idx].priv;
+
+ if (component_id - *id < element->length)
+ return 0;
diff --git a/queue-6.5/counter-microchip-tcb-capture-fix-the-use-of-internal-gclk-logic.patch b/queue-6.5/counter-microchip-tcb-capture-fix-the-use-of-internal-gclk-logic.patch
new file mode 100644
index 00000000000..bff6b09a846
--- /dev/null
+++ b/queue-6.5/counter-microchip-tcb-capture-fix-the-use-of-internal-gclk-logic.patch
@@ -0,0 +1,35 @@
+From df8fdd01c98b99d04915c04f3a5ce73f55456b7c Mon Sep 17 00:00:00 2001
+From: Dharma Balasubiramani
+Date: Tue, 5 Sep 2023 15:38:35 +0530
+Subject: counter: microchip-tcb-capture: Fix the use of internal GCLK logic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dharma Balasubiramani
+
+commit df8fdd01c98b99d04915c04f3a5ce73f55456b7c upstream.
+
+As per the datasheet, the clock selection Bits 2:0 – TCCLKS[2:0] should
+be set to 0 while using the internal GCLK (TIMER_CLOCK1).
+
+Fixes: 106b104137fd ("counter: Add microchip TCB capture counter")
+Signed-off-by: Dharma Balasubiramani
+Link: https://lore.kernel.org/r/20230905100835.315024-1-dharma.b@microchip.com
+Signed-off-by: William Breathitt Gray
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/counter/microchip-tcb-capture.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/counter/microchip-tcb-capture.c
++++ b/drivers/counter/microchip-tcb-capture.c
+@@ -98,7 +98,7 @@ static int mchp_tc_count_function_write(
+ priv->qdec_mode = 0;
+ /* Set highest rate based on whether soc has gclk or not */
+ bmr &= ~(ATMEL_TC_QDEN | ATMEL_TC_POSEN);
+- if (priv->tc_cfg->has_gclk)
++ if (!priv->tc_cfg->has_gclk)
+ cmr |= ATMEL_TC_TIMER_CLOCK2;
+ else
+ cmr |= ATMEL_TC_TIMER_CLOCK1;
diff --git a/queue-6.5/dma-buf-add-dma_fence_timestamp-helper.patch b/queue-6.5/dma-buf-add-dma_fence_timestamp-helper.patch
new file mode 100644
index 00000000000..064cb1ba8aa
--- /dev/null
+++ b/queue-6.5/dma-buf-add-dma_fence_timestamp-helper.patch
@@ -0,0 +1,122 @@ +From b83ce9cb4a465b8f9a3fa45561b721a9551f60e3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20K=C3=B6nig?= +Date: Fri, 8 Sep 2023 10:27:23 +0200 +Subject: dma-buf: add dma_fence_timestamp helper +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian König + +commit b83ce9cb4a465b8f9a3fa45561b721a9551f60e3 upstream. + +When a fence signals there is a very small race window where the timestamp +isn't updated yet. sync_file solves this by busy waiting for the +timestamp to appear, but on other ocassions didn't handled this +correctly. + +Provide a dma_fence_timestamp() helper function for this and use it in +all appropriate cases. + +Another alternative would be to grab the spinlock when that happens. + +v2 by teddy: add a wait parameter to wait for the timestamp to show up, in case + the accurate timestamp is needed and/or the timestamp is not based on + ktime (e.g. hw timestamp) +v3 chk: drop the parameter again for unified handling + +Signed-off-by: Yunxiang Li +Signed-off-by: Christian König +Fixes: 1774baa64f93 ("drm/scheduler: Change scheduled fence track v2") +Reviewed-by: Alex Deucher +CC: stable@vger.kernel.org +Link: https://patchwork.freedesktop.org/patch/msgid/20230929104725.2358-1-christian.koenig@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma-buf/dma-fence-unwrap.c | 13 ++++--------- + drivers/dma-buf/sync_file.c | 9 +++------ + drivers/gpu/drm/scheduler/sched_main.c | 2 +- + include/linux/dma-fence.h | 19 +++++++++++++++++++ + 4 files changed, 27 insertions(+), 16 deletions(-) + +--- a/drivers/dma-buf/dma-fence-unwrap.c ++++ b/drivers/dma-buf/dma-fence-unwrap.c +@@ -76,16 +76,11 @@ struct dma_fence *__dma_fence_unwrap_mer + dma_fence_unwrap_for_each(tmp, &iter[i], fences[i]) { + if (!dma_fence_is_signaled(tmp)) { + ++count; +- } else if (test_bit(DMA_FENCE_FLAG_TIMESTAMP_BIT, +- &tmp->flags)) { +- if (ktime_after(tmp->timestamp, timestamp)) +- timestamp = 
tmp->timestamp; + } else { +- /* +- * Use the current time if the fence is +- * currently signaling. +- */ +- timestamp = ktime_get(); ++ ktime_t t = dma_fence_timestamp(tmp); ++ ++ if (ktime_after(t, timestamp)) ++ timestamp = t; + } + } + } +--- a/drivers/dma-buf/sync_file.c ++++ b/drivers/dma-buf/sync_file.c +@@ -268,13 +268,10 @@ static int sync_fill_fence_info(struct d + sizeof(info->driver_name)); + + info->status = dma_fence_get_status(fence); +- while (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags) && +- !test_bit(DMA_FENCE_FLAG_TIMESTAMP_BIT, &fence->flags)) +- cpu_relax(); + info->timestamp_ns = +- test_bit(DMA_FENCE_FLAG_TIMESTAMP_BIT, &fence->flags) ? +- ktime_to_ns(fence->timestamp) : +- ktime_set(0, 0); ++ dma_fence_is_signaled(fence) ? ++ ktime_to_ns(dma_fence_timestamp(fence)) : ++ ktime_set(0, 0); + + return info->status; + } +--- a/drivers/gpu/drm/scheduler/sched_main.c ++++ b/drivers/gpu/drm/scheduler/sched_main.c +@@ -929,7 +929,7 @@ drm_sched_get_cleanup_job(struct drm_gpu + + if (next) { + next->s_fence->scheduled.timestamp = +- job->s_fence->finished.timestamp; ++ dma_fence_timestamp(&job->s_fence->finished); + /* start TO timer for next job */ + drm_sched_start_timeout(sched); + } +--- a/include/linux/dma-fence.h ++++ b/include/linux/dma-fence.h +@@ -568,6 +568,25 @@ static inline void dma_fence_set_error(s + fence->error = error; + } + ++/** ++ * dma_fence_timestamp - helper to get the completion timestamp of a fence ++ * @fence: fence to get the timestamp from. ++ * ++ * After a fence is signaled the timestamp is updated with the signaling time, ++ * but setting the timestamp can race with tasks waiting for the signaling. This ++ * helper busy waits for the correct timestamp to appear. 
++ */ ++static inline ktime_t dma_fence_timestamp(struct dma_fence *fence) ++{ ++ if (WARN_ON(!test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags))) ++ return ktime_get(); ++ ++ while (!test_bit(DMA_FENCE_FLAG_TIMESTAMP_BIT, &fence->flags)) ++ cpu_relax(); ++ ++ return fence->timestamp; ++} ++ + signed long dma_fence_wait_timeout(struct dma_fence *, + bool intr, signed long timeout); + signed long dma_fence_wait_any_timeout(struct dma_fence **fences, diff --git a/queue-6.5/dmaengine-stm32-dma-fix-residue-in-case-of-mdma-chaining.patch b/queue-6.5/dmaengine-stm32-dma-fix-residue-in-case-of-mdma-chaining.patch new file mode 100644 index 00000000000..ed914feb8a5 --- /dev/null +++ b/queue-6.5/dmaengine-stm32-dma-fix-residue-in-case-of-mdma-chaining.patch 
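Review bot: The new dma_fence_timestamp() helper in include/linux/dma-fence.h spins on `DMA_FENCE_FLAG_TIMESTAMP_BIT` with no bound, and its kerneldoc does not state the precondition that makes this safe. I would add a line such as `* Must only be called on a signaled fence; on an unsignaled fence it warns and returns the current time.` plus a note that it may busy-wait briefly. The drm_sched_get_cleanup_job() hunk now calls it on `&job->s_fence->finished`; whether that fence is guaranteed to be signaled at that point lies outside the hunk, and if it is not, the `WARN_ON` would fire there, which matters on systems running with panic_on_warn.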
@@ -0,0 +1,58 @@
+From 67e13e89742c3b21ce177f612bf9ef32caae6047 Mon Sep 17 00:00:00 2001
+From: Amelie Delaunay
+Date: Wed, 4 Oct 2023 17:50:24 +0200
+Subject: dmaengine: stm32-dma: fix residue in case of MDMA chaining
+
+From: Amelie Delaunay
+
+commit 67e13e89742c3b21ce177f612bf9ef32caae6047 upstream.
+
+In case of MDMA chaining, DMA is configured in Double-Buffer Mode (DBM)
+with two periods, but if transfer has been prepared with _prep_slave_sg(),
+the transfer is not marked cyclic (=!chan->desc->cyclic). However, as DBM
+is activated for MDMA chaining, residue computation must take into account
+cyclic constraints.
+
+With only two periods in MDMA chaining, and no update due to Transfer
+Complete interrupt masked, n_sg is always 0. If DMA current memory address
+(depending on SxCR.CT and SxM0AR/SxM1AR) does not correspond, it means n_sg
+should be increased.
+Then, the residue of the current period is the one read from SxNDTR and
+should not be overwritten with the full period length.
+
+Fixes: 723795173ce1 ("dmaengine: stm32-dma: add support to trigger STM32 MDMA")
+Signed-off-by: Amelie Delaunay
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231004155024.2609531-2-amelie.delaunay@foss.st.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/stm32-dma.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/dma/stm32-dma.c
++++ b/drivers/dma/stm32-dma.c
+@@ -1389,11 +1389,12 @@ static size_t stm32_dma_desc_residue(str
+
+ residue = stm32_dma_get_remaining_bytes(chan);
+
+- if (chan->desc->cyclic && !stm32_dma_is_current_sg(chan)) {
++ if ((chan->desc->cyclic || chan->trig_mdma) && !stm32_dma_is_current_sg(chan)) {
+ n_sg++;
+ if (n_sg == chan->desc->num_sgs)
+ n_sg = 0;
+- residue = sg_req->len;
++ if (!chan->trig_mdma)
++ residue = sg_req->len;
+ }
+
+ /*
+@@ -1403,7 +1404,7 @@ static size_t stm32_dma_desc_residue(str
+ * residue = remaining bytes from NDTR + remaining
+ * periods/sg to be transferred
+ */
+- if (!chan->desc->cyclic || n_sg != 0)
++ if ((!chan->desc->cyclic && !chan->trig_mdma) || n_sg != 0)
+ for (i = n_sg; i < desc->num_sgs; i++)
+ residue += desc->sg_req[i].len;
+
diff --git a/queue-6.5/dmaengine-stm32-dma-fix-stm32_dma_prep_slave_sg-in-case-of-mdma-chaining.patch b/queue-6.5/dmaengine-stm32-dma-fix-stm32_dma_prep_slave_sg-in-case-of-mdma-chaining.patch
new file mode 100644
index 00000000000..ce841adeaa9
--- /dev/null
+++ b/queue-6.5/dmaengine-stm32-dma-fix-stm32_dma_prep_slave_sg-in-case-of-mdma-chaining.patch
@@ -0,0 +1,37 @@
+From 2df467e908ce463cff1431ca1b00f650f7a514b4 Mon Sep 17 00:00:00 2001
+From: Amelie Delaunay
+Date: Wed, 4 Oct 2023 17:50:23 +0200
+Subject: dmaengine: stm32-dma: fix stm32_dma_prep_slave_sg in case of MDMA chaining
+
+From: Amelie Delaunay
+
+commit 2df467e908ce463cff1431ca1b00f650f7a514b4 upstream.
+
+Current Target (CT) have to be reset when starting an MDMA chaining use
+case, as Double Buffer mode is activated. It ensures the DMA will start
+processing the first memory target (pointed with SxM0AR).
+
+Fixes: 723795173ce1 ("dmaengine: stm32-dma: add support to trigger STM32 MDMA")
+Signed-off-by: Amelie Delaunay
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231004155024.2609531-1-amelie.delaunay@foss.st.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/stm32-dma.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/dma/stm32-dma.c
++++ b/drivers/dma/stm32-dma.c
+@@ -1113,8 +1113,10 @@ static struct dma_async_tx_descriptor *s
+ chan->chan_reg.dma_scr &= ~STM32_DMA_SCR_PFCTRL;
+
+ /* Activate Double Buffer Mode if DMA triggers STM32 MDMA and more than 1 sg */
+- if (chan->trig_mdma && sg_len > 1)
++ if (chan->trig_mdma && sg_len > 1) {
+ chan->chan_reg.dma_scr |= STM32_DMA_SCR_DBM;
++ chan->chan_reg.dma_scr &= ~STM32_DMA_SCR_CT;
++ }
+
+ for_each_sg(sgl, sg, sg_len, i) {
+ ret = stm32_dma_set_xfer_param(chan, direction, &buswidth,
diff --git a/queue-6.5/dmaengine-stm32-mdma-abort-resume-if-no-ongoing-transfer.patch b/queue-6.5/dmaengine-stm32-mdma-abort-resume-if-no-ongoing-transfer.patch
new file mode 100644
index 00000000000..2cb6eaa67d7
--- /dev/null
+++ b/queue-6.5/dmaengine-stm32-mdma-abort-resume-if-no-ongoing-transfer.patch
@@ -0,0 +1,37 @@
+From 81337b9a72dc58a5fa0ae8a042e8cb59f9bdec4a Mon Sep 17 00:00:00 2001
+From: Amelie Delaunay
+Date: Wed, 4 Oct 2023 18:35:28 +0200
+Subject: dmaengine: stm32-mdma: abort resume if no ongoing transfer
+
+From: Amelie Delaunay
+
+commit 81337b9a72dc58a5fa0ae8a042e8cb59f9bdec4a upstream.
+
+chan->desc can be null, if transfer is terminated when resume is called,
+leading to a NULL pointer when retrieving the hwdesc.
+To avoid this case, check that chan->desc is not null and channel is
+disabled (transfer previously paused or terminated).
+
+Fixes: a4ffb13c8946 ("dmaengine: Add STM32 MDMA driver")
+Signed-off-by: Amelie Delaunay
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231004163531.2864160-1-amelie.delaunay@foss.st.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/stm32-mdma.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/dma/stm32-mdma.c
++++ b/drivers/dma/stm32-mdma.c
+@@ -1237,6 +1237,10 @@ static int stm32_mdma_resume(struct dma_
+ unsigned long flags;
+ u32 status, reg;
+
++ /* Transfer can be terminated */
++ if (!chan->desc || (stm32_mdma_read(dmadev, STM32_MDMA_CCR(chan->id)) & STM32_MDMA_CCR_EN))
++ return -EPERM;
++
+ hwdesc = chan->desc->node[chan->curr_hwdesc].hwdesc;
+
+ spin_lock_irqsave(&chan->vchan.lock, flags);
diff --git a/queue-6.5/dmaengine-stm32-mdma-set-in_flight_bytes-in-case-crqa-flag-is-set.patch b/queue-6.5/dmaengine-stm32-mdma-set-in_flight_bytes-in-case-crqa-flag-is-set.patch
new file mode 100644
index 00000000000..46110682fb5
--- /dev/null
+++ b/queue-6.5/dmaengine-stm32-mdma-set-in_flight_bytes-in-case-crqa-flag-is-set.patch
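Review bot: The new `!chan->desc` test in stm32_mdma_resume() and the `chan->desc->node[...]` read that follows it both run before `spin_lock_irqsave(&chan->vchan.lock, flags)`, so a terminate that clears `chan->desc` between the two would still reach the NULL dereference this patch is meant to close. Whether the terminate path clears `chan->desc` under `vchan.lock` is not visible in this hunk, but if it does, taking the lock first and doing both the check and the `hwdesc` lookup inside it closes the window. The rest of the function lies outside the hunk.

```c
	spin_lock_irqsave(&chan->vchan.lock, flags);

	/* Transfer can be terminated; check and lookup must see the same chan->desc */
	if (!chan->desc || (stm32_mdma_read(dmadev, STM32_MDMA_CCR(chan->id)) & STM32_MDMA_CCR_EN)) {
		spin_unlock_irqrestore(&chan->vchan.lock, flags);
		return -EPERM;
	}

	hwdesc = chan->desc->node[chan->curr_hwdesc].hwdesc;
	/* … unchanged: remainder of stm32_mdma_resume, already under the lock … */
```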
@@ -0,0 +1,68 @@ +From 584970421725b7805db84714b857851fdf7203a9 Mon Sep 17 00:00:00 2001 +From: Amelie Delaunay +Date: Wed, 4 Oct 2023 18:35:30 +0200 +Subject: dmaengine: stm32-mdma: set in_flight_bytes in case CRQA flag is set + +From: Amelie Delaunay + +commit 584970421725b7805db84714b857851fdf7203a9 upstream. + +CRQA flag is set by hardware when the channel request become active and +the channel is enabled. It is cleared by hardware, when the channel request +is completed. +So when it is set, it means MDMA is transferring bytes. +This information is useful in case of STM32 DMA and MDMA chaining, +especially when the user pauses DMA before stopping it, to trig one last +MDMA transfer to get the latest bytes of the SRAM buffer to the +destination buffer. +STM32 DCMI driver can then use this to know if the last MDMA transfer in +case of chaining is done. + +Fixes: 696874322771 ("dmaengine: stm32-mdma: add support to be triggered by STM32 DMA") +Signed-off-by: Amelie Delaunay +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20231004163531.2864160-3-amelie.delaunay@foss.st.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/stm32-mdma.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/dma/stm32-mdma.c ++++ b/drivers/dma/stm32-mdma.c +@@ -1319,7 +1319,8 @@ static int stm32_mdma_slave_config(struc + + static size_t stm32_mdma_desc_residue(struct stm32_mdma_chan *chan, + struct stm32_mdma_desc *desc, +- u32 curr_hwdesc) ++ u32 curr_hwdesc, ++ struct dma_tx_state *state) + { + struct stm32_mdma_device *dmadev = stm32_mdma_get_dev(chan); + struct stm32_mdma_hwdesc *hwdesc; +@@ -1343,6 +1344,10 @@ static size_t stm32_mdma_desc_residue(st + cbndtr = stm32_mdma_read(dmadev, STM32_MDMA_CBNDTR(chan->id)); + residue += cbndtr & STM32_MDMA_CBNDTR_BNDT_MASK; + ++ state->in_flight_bytes = 0; ++ if (chan->chan_config.m2m_hw && (cisr & STM32_MDMA_CISR_CRQA)) ++ state->in_flight_bytes = cbndtr & 
STM32_MDMA_CBNDTR_BNDT_MASK; ++ + if (!chan->mem_burst) + return residue; + +@@ -1372,11 +1377,10 @@ static enum dma_status stm32_mdma_tx_sta + + vdesc = vchan_find_desc(&chan->vchan, cookie); + if (chan->desc && cookie == chan->desc->vdesc.tx.cookie) +- residue = stm32_mdma_desc_residue(chan, chan->desc, +- chan->curr_hwdesc); ++ residue = stm32_mdma_desc_residue(chan, chan->desc, chan->curr_hwdesc, state); + else if (vdesc) +- residue = stm32_mdma_desc_residue(chan, +- to_stm32_mdma_desc(vdesc), 0); ++ residue = stm32_mdma_desc_residue(chan, to_stm32_mdma_desc(vdesc), 0, state); ++ + dma_set_residue(state, residue); + + spin_unlock_irqrestore(&chan->vchan.lock, flags); diff --git a/queue-6.5/dmaengine-stm32-mdma-use-link-address-register-to-compute-residue.patch b/queue-6.5/dmaengine-stm32-mdma-use-link-address-register-to-compute-residue.patch new file mode 100644 index 00000000000..29ac9ed9720 --- /dev/null +++ b/queue-6.5/dmaengine-stm32-mdma-use-link-address-register-to-compute-residue.patch 
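Review bot: stm32_mdma_desc_residue() now writes `state->in_flight_bytes` unconditionally, while its caller stm32_mdma_tx_status() still finishes with `dma_set_residue(state, residue)`, a helper that tolerates a NULL state. If stm32_mdma_tx_status() does not return early on `!state` before these calls (the top of the function is outside the hunk), a client that polls status with a NULL state would dereference NULL here. Either confirm the early return and say so in a comment on the new parameter, or guard the two writes with `if (state)`. The hunk also reads `cisr`, which is not declared in the visible lines; it appears to come from the "use Link Address Register to compute residue" patch, so the two have to be applied in that order.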
@@ -0,0 +1,64 @@ +From a4b306eb83579c07b63dc65cd5bae53b7b4019d0 Mon Sep 17 00:00:00 2001 +From: Amelie Delaunay +Date: Wed, 4 Oct 2023 18:35:29 +0200 +Subject: dmaengine: stm32-mdma: use Link Address Register to compute residue + +From: Amelie Delaunay + +commit a4b306eb83579c07b63dc65cd5bae53b7b4019d0 upstream. + +Current implementation relies on curr_hwdesc index. But to keep this index +up to date, Block Transfer interrupt (BTIE) has to be enabled. +If it is not, curr_hwdesc is not updated, and then residue is not reliable. +Rely on Link Address Register instead. And disable BTIE interrupt +in stm32_mdma_setup_xfer() because it is no more needed in case of +_prep_slave_sg() to maintain curr_hwdesc up to date. +It avoids extra interrupts and also ensures a reliable residue. These +improvements are required for STM32 DCMI camera capture use case, which +need STM32 DMA and MDMA chaining for good performance. + +Fixes: 696874322771 ("dmaengine: stm32-mdma: add support to be triggered by STM32 DMA") +Signed-off-by: Amelie Delaunay +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20231004163531.2864160-2-amelie.delaunay@foss.st.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/stm32-mdma.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/dma/stm32-mdma.c ++++ b/drivers/dma/stm32-mdma.c +@@ -778,8 +778,6 @@ static int stm32_mdma_setup_xfer(struct + /* Enable interrupts */ + ccr &= ~STM32_MDMA_CCR_IRQ_MASK; + ccr |= STM32_MDMA_CCR_TEIE | STM32_MDMA_CCR_CTCIE; +- if (sg_len > 1) +- ccr |= STM32_MDMA_CCR_BTIE; + desc->ccr = ccr; + + return 0; +@@ -1325,12 +1323,21 @@ static size_t stm32_mdma_desc_residue(st + { + struct stm32_mdma_device *dmadev = stm32_mdma_get_dev(chan); + struct stm32_mdma_hwdesc *hwdesc; +- u32 cbndtr, residue, modulo, burst_size; ++ u32 cisr, clar, cbndtr, residue, modulo, burst_size; + int i; + ++ cisr = stm32_mdma_read(dmadev, STM32_MDMA_CISR(chan->id)); ++ + 
residue = 0; +- for (i = curr_hwdesc + 1; i < desc->count; i++) { ++ /* Get the next hw descriptor to process from current transfer */ ++ clar = stm32_mdma_read(dmadev, STM32_MDMA_CLAR(chan->id)); ++ for (i = desc->count - 1; i >= 0; i--) { + hwdesc = desc->node[i].hwdesc; ++ ++ if (hwdesc->clar == clar) ++ break;/* Current transfer found, stop cumulating */ ++ ++ /* Cumulate residue of unprocessed hw descriptors */ + residue += STM32_MDMA_CBNDTR_BNDT(hwdesc->cbndtr); + } + cbndtr = stm32_mdma_read(dmadev, STM32_MDMA_CBNDTR(chan->id)); diff --git a/queue-6.5/drm-amd-display-don-t-set-dpms_off-for-seamless-boot.patch b/queue-6.5/drm-amd-display-don-t-set-dpms_off-for-seamless-boot.patch new file mode 100644 index 00000000000..e8939735909 --- /dev/null +++ b/queue-6.5/drm-amd-display-don-t-set-dpms_off-for-seamless-boot.patch @@ -0,0 +1,41 @@ +From 23645bca98304a2772f0de96f97370dd567d0ae6 Mon Sep 17 00:00:00 2001 +From: Daniel Miess +Date: Fri, 29 Sep 2023 13:04:33 -0400 +Subject: drm/amd/display: Don't set dpms_off for seamless boot + +From: Daniel Miess + +commit 23645bca98304a2772f0de96f97370dd567d0ae6 upstream. + +[Why] +eDPs fail to light up with seamless boot enabled + +[How] +When seamless boot is enabled don't configure dpms_off +in disable_vbios_mode_if_required. + +Reviewed-by: Charlene Liu +Cc: Mario Limonciello +Cc: Alex Deucher +Cc: stable@vger.kernel.org +Acked-by: Tom Chung +Signed-off-by: Daniel Miess +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -1263,6 +1263,9 @@ static void disable_vbios_mode_if_requir + if (stream == NULL) + continue; + ++ if (stream->apply_seamless_boot_optimization) ++ continue; ++ + // only looking for first odm pipe + if (pipe->prev_odm_pipe) + continue; 
diff --git a/queue-6.5/drm-amdgpu-add-missing-null-check.patch b/queue-6.5/drm-amdgpu-add-missing-null-check.patch
new file mode 100644
index 00000000000..1fe1c55ef23
--- /dev/null
+++ b/queue-6.5/drm-amdgpu-add-missing-null-check.patch
@@ -0,0 +1,35 @@
+From ff89f064dca38e2203790bf876cc7756b8ab2961 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?=
+Date: Fri, 6 Oct 2023 14:04:04 +0200
+Subject: drm/amdgpu: add missing NULL check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König
+
+commit ff89f064dca38e2203790bf876cc7756b8ab2961 upstream.
+
+bo->tbo.resource can easily be NULL here.
+
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2902
+Signed-off-by: Christian König
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+CC: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_object.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.h
+@@ -250,7 +250,7 @@ static inline bool amdgpu_bo_in_cpu_visi
+ struct amdgpu_device *adev = amdgpu_ttm_adev(bo->tbo.bdev);
+ struct amdgpu_res_cursor cursor;
+
+- if (bo->tbo.resource->mem_type != TTM_PL_VRAM)
++ if (!bo->tbo.resource || bo->tbo.resource->mem_type != TTM_PL_VRAM)
+ return false;
+
+ amdgpu_res_first(bo->tbo.resource, 0, amdgpu_bo_size(bo), &cursor);
diff --git a/queue-6.5/drm-atomic-helper-relax-unregistered-connector-check.patch b/queue-6.5/drm-atomic-helper-relax-unregistered-connector-check.patch
new file mode 100644
index 00000000000..cebf74235f5
--- /dev/null
+++ b/queue-6.5/drm-atomic-helper-relax-unregistered-connector-check.patch
@@ -0,0 +1,90 @@ +From 2b7947bd32e243c52870d54141d3b4ea6775e63d Mon Sep 17 00:00:00 2001 +From: Simon Ser +Date: Thu, 5 Oct 2023 13:16:32 +0000 +Subject: drm/atomic-helper: relax unregistered connector check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Simon Ser + +commit 2b7947bd32e243c52870d54141d3b4ea6775e63d upstream. + +The driver might pull connectors which weren't submitted by +user-space into the atomic state. For instance, +intel_dp_mst_atomic_master_trans_check() pulls in connectors +sharing the same DP-MST stream. However, if the connector is +unregistered, this later fails with: + + [ 559.425658] i915 0000:00:02.0: [drm:drm_atomic_helper_check_modeset] [CONNECTOR:378:DP-7] is not registered + +Skip the unregistered connector check to allow user-space to turn +off connectors one-by-one. + +See this wlroots issue: +https://gitlab.freedesktop.org/wlroots/wlroots/-/issues/3407 + +Previous discussion: +https://lore.kernel.org/intel-gfx/Y6GX7z17WmDSKwta@ideak-desk.fi.intel.com/ + +Signed-off-by: Simon Ser +Cc: stable@vger.kernel.org +Reviewed-by: Ville Syrjälä +Reviewed-by: Lyude Paul +Cc: Jani Nikula +Cc: Imre Deak +Link: https://patchwork.freedesktop.org/patch/msgid/20231005131623.114379-1-contact@emersion.fr +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_atomic_helper.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/drm_atomic_helper.c ++++ b/drivers/gpu/drm/drm_atomic_helper.c +@@ -290,7 +290,8 @@ static int + update_connector_routing(struct drm_atomic_state *state, + struct drm_connector *connector, + struct drm_connector_state *old_connector_state, +- struct drm_connector_state *new_connector_state) ++ struct drm_connector_state *new_connector_state, ++ bool added_by_user) + { + const struct drm_connector_helper_funcs *funcs; + struct drm_encoder *new_encoder; +@@ -339,9 +340,13 @@ update_connector_routing(struct drm_atom + * 
there's a chance the connector may have been destroyed during the + * process, but it's better to ignore that then cause + * drm_atomic_helper_resume() to fail. ++ * ++ * Last, we want to ignore connector registration when the connector ++ * was not pulled in the atomic state by user-space (ie, was pulled ++ * in by the driver, e.g. when updating a DP-MST stream). + */ + if (!state->duplicated && drm_connector_is_unregistered(connector) && +- crtc_state->active) { ++ added_by_user && crtc_state->active) { + drm_dbg_atomic(connector->dev, + "[CONNECTOR:%d:%s] is not registered\n", + connector->base.id, connector->name); +@@ -620,7 +625,10 @@ drm_atomic_helper_check_modeset(struct d + struct drm_connector *connector; + struct drm_connector_state *old_connector_state, *new_connector_state; + int i, ret; +- unsigned int connectors_mask = 0; ++ unsigned int connectors_mask = 0, user_connectors_mask = 0; ++ ++ for_each_oldnew_connector_in_state(state, connector, old_connector_state, new_connector_state, i) ++ user_connectors_mask |= BIT(i); + + for_each_oldnew_crtc_in_state(state, crtc, old_crtc_state, new_crtc_state, i) { + bool has_connectors = +@@ -685,7 +693,8 @@ drm_atomic_helper_check_modeset(struct d + */ + ret = update_connector_routing(state, connector, + old_connector_state, +- new_connector_state); ++ new_connector_state, ++ BIT(i) & user_connectors_mask); + if (ret) + return ret; + if (old_connector_state->crtc) { diff --git a/queue-6.5/drm-do-not-overrun-array-in-drm_gem_get_pages.patch b/queue-6.5/drm-do-not-overrun-array-in-drm_gem_get_pages.patch new file mode 100644 index 00000000000..d629cd0e6ad --- /dev/null +++ b/queue-6.5/drm-do-not-overrun-array-in-drm_gem_get_pages.patch 
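Review bot: `user_connectors_mask` in drm_atomic_helper_check_modeset() is an `unsigned int` filled with `BIT(i)`, so a connector at state index 32 or above would never be recorded, and `BIT(i) & user_connectors_mask` would report it as driver-added and skip the unregistered-connector check for it. The existing `connectors_mask` has the same width, so the index may well be bounded elsewhere, but that bound is not visible in these hunks; a one-line comment stating it next to the declaration would make the new decision easier to audit. Passing the masked value straight into the `bool added_by_user` parameter works, though `!!(BIT(i) & user_connectors_mask)` or a named local would read more clearly. Both functions continue outside the hunks.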
@@ -0,0 +1,52 @@
+From b7fd68ab1538e3adb665670414bea440f399fda9 Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)"
+Date: Thu, 5 Oct 2023 14:56:47 +0100
+Subject: drm: Do not overrun array in drm_gem_get_pages()
+
+From: Matthew Wilcox (Oracle)
+
+commit b7fd68ab1538e3adb665670414bea440f399fda9 upstream.
+
+If the shared memory object is larger than the DRM object that it backs,
+we can overrun the page array. Limit the number of pages we install
+from each folio to prevent this.
+
+Signed-off-by: "Matthew Wilcox (Oracle)"
+Reported-by: Oleksandr Natalenko
+Tested-by: Oleksandr Natalenko
+Link: https://lore.kernel.org/lkml/13360591.uLZWGnKmhe@natalenko.name/
+Fixes: 3291e09a4638 ("drm: convert drm_gem_put_pages() to use a folio_batch")
+Cc: stable@vger.kernel.org # 6.5.x
+Signed-off-by: Maxime Ripard
+Link: https://patchwork.freedesktop.org/patch/msgid/20231005135648.2317298-1-willy@infradead.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/drm_gem.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/drm_gem.c
++++ b/drivers/gpu/drm/drm_gem.c
+@@ -537,7 +537,7 @@ struct page **drm_gem_get_pages(struct d
+ struct page **pages;
+ struct folio *folio;
+ struct folio_batch fbatch;
+- int i, j, npages;
++ long i, j, npages;
+
+ if (WARN_ON(!obj->filp))
+ return ERR_PTR(-EINVAL);
+@@ -561,11 +561,13 @@ struct page **drm_gem_get_pages(struct d
+
+ i = 0;
+ while (i < npages) {
++ long nr;
+ folio = shmem_read_folio_gfp(mapping, i,
+ mapping_gfp_mask(mapping));
+ if (IS_ERR(folio))
+ goto fail;
+- for (j = 0; j < folio_nr_pages(folio); j++, i++)
++ nr = min(npages - i, folio_nr_pages(folio));
++ for (j = 0; j < nr; j++, i++)
+ pages[i] = folio_file_page(folio, i);
+
+ /* Make sure shmem keeps __GFP_DMA32 allocated pages in the
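Review bot: The clamp `nr = min(npages - i, folio_nr_pages(folio));` is the only thing that keeps the store `pages[i] = folio_file_page(folio, i);` inside the page array, yet the loop carries no comment saying so. A line above it such as `/* the shmem folio may extend past the object; never fill beyond npages entries */` would keep a later cleanup from folding the bound back into `folio_nr_pages(folio)`. The allocation of `pages` and the rest of the loop body are outside the inner hunk, so the array length being `npages` is assumed from the commit message.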
diff --git a/queue-6.5/drm-tiny-correctly-print-struct-resource-on-error.patch b/queue-6.5/drm-tiny-correctly-print-struct-resource-on-error.patch
new file mode 100644
index 00000000000..bbf7bc8ae5d
--- /dev/null
+++ b/queue-6.5/drm-tiny-correctly-print-struct-resource-on-error.patch
@@ -0,0 +1,50 @@
+From c1165df2be2fffe3adeeaa68f4ee4325108c5e4e Mon Sep 17 00:00:00 2001
+From: Joey Gouly
+Date: Tue, 10 Oct 2023 18:46:52 +0100
+Subject: drm/tiny: correctly print `struct resource *` on error
+
+From: Joey Gouly
+
+commit c1165df2be2fffe3adeeaa68f4ee4325108c5e4e upstream.
+
+The `res` variable is already a `struct resource *`, don't take the address of it.
+
+Fixes incorrect output:
+
+ simple-framebuffer 9e20dc000.framebuffer: [drm] *ERROR* could not acquire memory range [??? 0xffff4be88a387d00-0xfffffefffde0a240 flags 0x0]: -16
+
+To be correct:
+
+ simple-framebuffer 9e20dc000.framebuffer: [drm] *ERROR* could not acquire memory range [mem 0x9e20dc000-0x9e307bfff flags 0x200]: -16
+
+Signed-off-by: Joey Gouly
+Fixes: 9a10c7e6519b ("drm/simpledrm: Add support for system memory framebuffers")
+Cc: Thomas Zimmermann
+Cc: Thierry Reding
+Cc: Javier Martinez Canillas
+Cc: dri-devel@lists.freedesktop.org
+Cc: # v6.3+
+Reviewed-by: Thomas Zimmermann
+Signed-off-by: Thomas Zimmermann
+Link: https://patchwork.freedesktop.org/patch/msgid/20231010174652.2439513-1-joey.gouly@arm.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/tiny/simpledrm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/tiny/simpledrm.c b/drivers/gpu/drm/tiny/simpledrm.c
+index ff86ba1ae1b8..8ea120eb8674 100644
+--- a/drivers/gpu/drm/tiny/simpledrm.c
++++ b/drivers/gpu/drm/tiny/simpledrm.c
+@@ -745,7 +745,7 @@ static struct simpledrm_device *simpledrm_device_create(struct drm_driver *drv,
+
+ ret = devm_aperture_acquire_from_firmware(dev, res->start, resource_size(res));
+ if (ret) {
+- drm_err(dev, "could not acquire memory range %pr: %d\n", &res, ret);
++ drm_err(dev, "could not acquire memory range %pr: %d\n", res, ret);
+ return ERR_PTR(ret);
+ }
+
+--
+2.42.0
+
diff --git a/queue-6.5/drm-vmwgfx-keep-a-gem-reference-to-user-bos-in-surfaces.patch b/queue-6.5/drm-vmwgfx-keep-a-gem-reference-to-user-bos-in-surfaces.patch new file mode 100644 index 00000000000..6e8ac002a43 --- /dev/null +++ b/queue-6.5/drm-vmwgfx-keep-a-gem-reference-to-user-bos-in-surfaces.patch 
@@ -0,0 +1,456 @@ +From 91398b413d03660fd5828f7b4abc64e884b98069 Mon Sep 17 00:00:00 2001 +From: Zack Rusin +Date: Thu, 28 Sep 2023 00:13:55 -0400 +Subject: drm/vmwgfx: Keep a gem reference to user bos in surfaces + +From: Zack Rusin + +commit 91398b413d03660fd5828f7b4abc64e884b98069 upstream. + +Surfaces can be backed (i.e. stored in) memory objects (mob's) which +are created and managed by the userspace as GEM buffers. Surfaces +grab only a ttm reference which means that the gem object can +be deleted underneath us, especially in cases where prime buffer +export is used. + +Make sure that all userspace surfaces which are backed by gem objects +hold a gem reference to make sure they're not deleted before vmw +surfaces are done with them, which fixes: +------------[ cut here ]------------ +refcount_t: underflow; use-after-free. +WARNING: CPU: 2 PID: 2632 at lib/refcount.c:28 refcount_warn_saturate+0xfb/0x150 +Modules linked in: overlay vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock snd_ens1371 snd_ac97_codec ac97_bus snd_pcm gameport> +CPU: 2 PID: 2632 Comm: vmw_ref_count Not tainted 6.5.0-rc2-vmwgfx #1 +Hardware name: VMware, Inc. 
VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 +RIP: 0010:refcount_warn_saturate+0xfb/0x150 +Code: eb 9e 0f b6 1d 8b 5b a6 01 80 fb 01 0f 87 ba e4 80 00 83 e3 01 75 89 48 c7 c7 c0 3c f9 a3 c6 05 6f 5b a6 01 01 e8 15 81 98 ff <0f> 0b e9 6f ff ff ff 0f b> +RSP: 0018:ffffbdc34344bba0 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027 +RDX: ffff960475ea1548 RSI: 0000000000000001 RDI: ffff960475ea1540 +RBP: ffffbdc34344bba8 R08: 0000000000000003 R09: 65646e75203a745f +R10: ffffffffa5b32b20 R11: 72657466612d6573 R12: ffff96037d6a6400 +R13: ffff9603484805b0 R14: 000000000000000b R15: ffff9603bed06060 +FS: 00007f5fd8520c40(0000) GS:ffff960475e80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f5fda755000 CR3: 000000010d012005 CR4: 00000000003706e0 +Call Trace: + + ? show_regs+0x6e/0x80 + ? refcount_warn_saturate+0xfb/0x150 + ? __warn+0x91/0x150 + ? refcount_warn_saturate+0xfb/0x150 + ? report_bug+0x19d/0x1b0 + ? handle_bug+0x46/0x80 + ? exc_invalid_op+0x1d/0x80 + ? asm_exc_invalid_op+0x1f/0x30 + ? refcount_warn_saturate+0xfb/0x150 + drm_gem_object_handle_put_unlocked+0xba/0x110 [drm] + drm_gem_object_release_handle+0x6e/0x80 [drm] + drm_gem_handle_delete+0x6a/0xc0 [drm] + ? __pfx_vmw_bo_unref_ioctl+0x10/0x10 [vmwgfx] + vmw_bo_unref_ioctl+0x33/0x40 [vmwgfx] + drm_ioctl_kernel+0xbc/0x160 [drm] + drm_ioctl+0x2d2/0x580 [drm] + ? __pfx_vmw_bo_unref_ioctl+0x10/0x10 [vmwgfx] + ? do_vmi_munmap+0xee/0x180 + vmw_generic_ioctl+0xbd/0x180 [vmwgfx] + vmw_unlocked_ioctl+0x19/0x20 [vmwgfx] + __x64_sys_ioctl+0x99/0xd0 + do_syscall_64+0x5d/0x90 + ? syscall_exit_to_user_mode+0x2a/0x50 + ? do_syscall_64+0x6d/0x90 + ? handle_mm_fault+0x16e/0x2f0 + ? exit_to_user_mode_prepare+0x34/0x170 + ? irqentry_exit_to_user_mode+0xd/0x20 + ? irqentry_exit+0x3f/0x50 + ? 
exc_page_fault+0x8e/0x190 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +RIP: 0033:0x7f5fda51aaff +Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 7> +RSP: 002b:00007ffd536a4d30 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007ffd536a4de0 RCX: 00007f5fda51aaff +RDX: 00007ffd536a4de0 RSI: 0000000040086442 RDI: 0000000000000003 +RBP: 0000000040086442 R08: 000055fa603ada50 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000246 R12: 00007ffd536a51b8 +R13: 0000000000000003 R14: 000055fa5ebb4c80 R15: 00007f5fda90f040 + +---[ end trace 0000000000000000 ]--- + +A lot of the analyis on the bug was done by Murray McAllister and +Ian Forbes. + +Reported-by: Murray McAllister +Cc: Ian Forbes +Signed-off-by: Zack Rusin +Fixes: a950b989ea29 ("drm/vmwgfx: Do not drop the reference to the handle too soon") +Cc: # v6.2+ +Reviewed-by: Martin Krastev +Link: https://patchwork.freedesktop.org/patch/msgid/20230928041355.737635-1-zack@kde.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 7 ++++--- + drivers/gpu/drm/vmwgfx/vmwgfx_bo.h | 17 ++++++++++++----- + drivers/gpu/drm/vmwgfx/vmwgfx_cotable.c | 6 +++--- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 4 ++++ + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 10 ++++++---- + drivers/gpu/drm/vmwgfx/vmwgfx_gem.c | 18 +++++++++++++++--- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 6 +++--- + drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_resource.c | 12 ++++++------ + drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 4 ++-- + drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 31 ++++++++++++------------------- + 11 files changed, 68 insertions(+), 49 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c +@@ -34,6 +34,8 @@ + + static void vmw_bo_release(struct vmw_bo *vbo) + { ++ WARN_ON(vbo->tbo.base.funcs && ++ 
kref_read(&vbo->tbo.base.refcount) != 0); + vmw_bo_unmap(vbo); + drm_gem_object_release(&vbo->tbo.base); + } +@@ -497,7 +499,7 @@ static int vmw_user_bo_synccpu_release(s + if (!(flags & drm_vmw_synccpu_allow_cs)) { + atomic_dec(&vmw_bo->cpu_writers); + } +- vmw_user_bo_unref(vmw_bo); ++ vmw_user_bo_unref(&vmw_bo); + } + + return ret; +@@ -539,7 +541,7 @@ int vmw_user_bo_synccpu_ioctl(struct drm + return ret; + + ret = vmw_user_bo_synccpu_grab(vbo, arg->flags); +- vmw_user_bo_unref(vbo); ++ vmw_user_bo_unref(&vbo); + if (unlikely(ret != 0)) { + if (ret == -ERESTARTSYS || ret == -EBUSY) + return -EBUSY; +@@ -612,7 +614,6 @@ int vmw_user_bo_lookup(struct drm_file * + } + + *out = to_vmw_bo(gobj); +- ttm_bo_get(&(*out)->tbo); + + return 0; + } +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h +@@ -195,12 +195,19 @@ static inline struct vmw_bo *vmw_bo_refe + return buf; + } + +-static inline void vmw_user_bo_unref(struct vmw_bo *vbo) ++static inline struct vmw_bo *vmw_user_bo_ref(struct vmw_bo *vbo) + { +- if (vbo) { +- ttm_bo_put(&vbo->tbo); +- drm_gem_object_put(&vbo->tbo.base); +- } ++ drm_gem_object_get(&vbo->tbo.base); ++ return vbo; ++} ++ ++static inline void vmw_user_bo_unref(struct vmw_bo **buf) ++{ ++ struct vmw_bo *tmp_buf = *buf; ++ ++ *buf = NULL; ++ if (tmp_buf) ++ drm_gem_object_put(&tmp_buf->tbo.base); + } + + static inline struct vmw_bo *to_vmw_bo(struct drm_gem_object *gobj) +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_cotable.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_cotable.c +@@ -432,7 +432,7 @@ static int vmw_cotable_resize(struct vmw + * for the new COTable. Initially pin the buffer object to make sure + * we can use tryreserve without failure. 
+ */ +- ret = vmw_bo_create(dev_priv, &bo_params, &buf); ++ ret = vmw_gem_object_create(dev_priv, &bo_params, &buf); + if (ret) { + DRM_ERROR("Failed initializing new cotable MOB.\n"); + goto out_done; +@@ -502,7 +502,7 @@ static int vmw_cotable_resize(struct vmw + + vmw_resource_mob_attach(res); + /* Let go of the old mob. */ +- vmw_bo_unreference(&old_buf); ++ vmw_user_bo_unref(&old_buf); + res->id = vcotbl->type; + + ret = dma_resv_reserve_fences(bo->base.resv, 1); +@@ -521,7 +521,7 @@ out_map_new: + out_wait: + ttm_bo_unpin(bo); + ttm_bo_unreserve(bo); +- vmw_bo_unreference(&buf); ++ vmw_user_bo_unref(&buf); + + out_done: + MKS_STAT_TIME_POP(MKSSTAT_KERN_COTABLE_RESIZE); +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h +@@ -853,6 +853,10 @@ static inline bool vmw_resource_mob_atta + /** + * GEM related functionality - vmwgfx_gem.c + */ ++struct vmw_bo_params; ++int vmw_gem_object_create(struct vmw_private *vmw, ++ struct vmw_bo_params *params, ++ struct vmw_bo **p_vbo); + extern int vmw_gem_object_create_with_handle(struct vmw_private *dev_priv, + struct drm_file *filp, + uint32_t size, +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -1151,7 +1151,7 @@ static int vmw_translate_mob_ptr(struct + SVGAMobId *id, + struct vmw_bo **vmw_bo_p) + { +- struct vmw_bo *vmw_bo; ++ struct vmw_bo *vmw_bo, *tmp_bo; + uint32_t handle = *id; + struct vmw_relocation *reloc; + int ret; +@@ -1164,7 +1164,8 @@ static int vmw_translate_mob_ptr(struct + } + vmw_bo_placement_set(vmw_bo, VMW_BO_DOMAIN_MOB, VMW_BO_DOMAIN_MOB); + ret = vmw_validation_add_bo(sw_context->ctx, vmw_bo); +- vmw_user_bo_unref(vmw_bo); ++ tmp_bo = vmw_bo; ++ vmw_user_bo_unref(&tmp_bo); + if (unlikely(ret != 0)) + return ret; + +@@ -1206,7 +1207,7 @@ static int vmw_translate_guest_ptr(struc + SVGAGuestPtr *ptr, + struct vmw_bo **vmw_bo_p) + { +- struct vmw_bo *vmw_bo; ++ struct vmw_bo *vmw_bo, *tmp_bo; + uint32_t handle = 
ptr->gmrId; + struct vmw_relocation *reloc; + int ret; +@@ -1220,7 +1221,8 @@ static int vmw_translate_guest_ptr(struc + vmw_bo_placement_set(vmw_bo, VMW_BO_DOMAIN_GMR | VMW_BO_DOMAIN_VRAM, + VMW_BO_DOMAIN_GMR | VMW_BO_DOMAIN_VRAM); + ret = vmw_validation_add_bo(sw_context->ctx, vmw_bo); +- vmw_user_bo_unref(vmw_bo); ++ tmp_bo = vmw_bo; ++ vmw_user_bo_unref(&tmp_bo); + if (unlikely(ret != 0)) + return ret; + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_gem.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_gem.c +@@ -111,6 +111,20 @@ static const struct drm_gem_object_funcs + .vm_ops = &vmw_vm_ops, + }; + ++int vmw_gem_object_create(struct vmw_private *vmw, ++ struct vmw_bo_params *params, ++ struct vmw_bo **p_vbo) ++{ ++ int ret = vmw_bo_create(vmw, params, p_vbo); ++ ++ if (ret != 0) ++ goto out_no_bo; ++ ++ (*p_vbo)->tbo.base.funcs = &vmw_gem_object_funcs; ++out_no_bo: ++ return ret; ++} ++ + int vmw_gem_object_create_with_handle(struct vmw_private *dev_priv, + struct drm_file *filp, + uint32_t size, +@@ -126,12 +140,10 @@ int vmw_gem_object_create_with_handle(st + .pin = false + }; + +- ret = vmw_bo_create(dev_priv, ¶ms, p_vbo); ++ ret = vmw_gem_object_create(dev_priv, ¶ms, p_vbo); + if (ret != 0) + goto out_no_bo; + +- (*p_vbo)->tbo.base.funcs = &vmw_gem_object_funcs; +- + ret = drm_gem_handle_create(filp, &(*p_vbo)->tbo.base, handle); + out_no_bo: + return ret; +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -1471,8 +1471,8 @@ static int vmw_create_bo_proxy(struct dr + /* Reserve and switch the backing mob. 
*/ + mutex_lock(&res->dev_priv->cmdbuf_mutex); + (void) vmw_resource_reserve(res, false, true); +- vmw_bo_unreference(&res->guest_memory_bo); +- res->guest_memory_bo = vmw_bo_reference(bo_mob); ++ vmw_user_bo_unref(&res->guest_memory_bo); ++ res->guest_memory_bo = vmw_user_bo_ref(bo_mob); + res->guest_memory_offset = 0; + vmw_resource_unreserve(res, false, false, false, NULL, 0); + mutex_unlock(&res->dev_priv->cmdbuf_mutex); +@@ -1666,7 +1666,7 @@ static struct drm_framebuffer *vmw_kms_f + err_out: + /* vmw_user_lookup_handle takes one ref so does new_fb */ + if (bo) +- vmw_user_bo_unref(bo); ++ vmw_user_bo_unref(&bo); + if (surface) + vmw_surface_unreference(&surface); + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c +@@ -451,7 +451,7 @@ int vmw_overlay_ioctl(struct drm_device + + ret = vmw_overlay_update_stream(dev_priv, buf, arg, true); + +- vmw_user_bo_unref(buf); ++ vmw_user_bo_unref(&buf); + + out_unlock: + mutex_unlock(&overlay->mutex); +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c +@@ -141,7 +141,7 @@ static void vmw_resource_release(struct + if (res->coherent) + vmw_bo_dirty_release(res->guest_memory_bo); + ttm_bo_unreserve(bo); +- vmw_bo_unreference(&res->guest_memory_bo); ++ vmw_user_bo_unref(&res->guest_memory_bo); + } + + if (likely(res->hw_destroy != NULL)) { +@@ -338,7 +338,7 @@ static int vmw_resource_buf_alloc(struct + return 0; + } + +- ret = vmw_bo_create(res->dev_priv, &bo_params, &gbo); ++ ret = vmw_gem_object_create(res->dev_priv, &bo_params, &gbo); + if (unlikely(ret != 0)) + goto out_no_bo; + +@@ -457,11 +457,11 @@ void vmw_resource_unreserve(struct vmw_r + vmw_resource_mob_detach(res); + if (res->coherent) + vmw_bo_dirty_release(res->guest_memory_bo); +- vmw_bo_unreference(&res->guest_memory_bo); ++ vmw_user_bo_unref(&res->guest_memory_bo); + } + + if (new_guest_memory_bo) { +- res->guest_memory_bo = vmw_bo_reference(new_guest_memory_bo); ++ 
res->guest_memory_bo = vmw_user_bo_ref(new_guest_memory_bo); + + /* + * The validation code should already have added a +@@ -551,7 +551,7 @@ out_no_reserve: + ttm_bo_put(val_buf->bo); + val_buf->bo = NULL; + if (guest_memory_dirty) +- vmw_bo_unreference(&res->guest_memory_bo); ++ vmw_user_bo_unref(&res->guest_memory_bo); + + return ret; + } +@@ -727,7 +727,7 @@ int vmw_resource_validate(struct vmw_res + goto out_no_validate; + else if (!res->func->needs_guest_memory && res->guest_memory_bo) { + WARN_ON_ONCE(vmw_resource_mob_attached(res)); +- vmw_bo_unreference(&res->guest_memory_bo); ++ vmw_user_bo_unref(&res->guest_memory_bo); + } + + return 0; +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c +@@ -180,7 +180,7 @@ static int vmw_gb_shader_init(struct vmw + + res->guest_memory_size = size; + if (byte_code) { +- res->guest_memory_bo = vmw_bo_reference(byte_code); ++ res->guest_memory_bo = vmw_user_bo_ref(byte_code); + res->guest_memory_offset = offset; + } + shader->size = size; +@@ -809,7 +809,7 @@ static int vmw_shader_define(struct drm_ + shader_type, num_input_sig, + num_output_sig, tfile, shader_handle); + out_bad_arg: +- vmw_user_bo_unref(buffer); ++ vmw_user_bo_unref(&buffer); + return ret; + } + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +@@ -686,9 +686,6 @@ static void vmw_user_surface_base_releas + container_of(base, struct vmw_user_surface, prime.base); + struct vmw_resource *res = &user_srf->srf.res; + +- if (res->guest_memory_bo) +- drm_gem_object_put(&res->guest_memory_bo->tbo.base); +- + *p_base = NULL; + vmw_resource_unreference(&res); + } +@@ -855,23 +852,21 @@ int vmw_surface_define_ioctl(struct drm_ + * expect a backup buffer to be present. 
+ */ + if (dev_priv->has_mob && req->shareable) { +- uint32_t backup_handle; +- +- ret = vmw_gem_object_create_with_handle(dev_priv, +- file_priv, +- res->guest_memory_size, +- &backup_handle, +- &res->guest_memory_bo); ++ struct vmw_bo_params params = { ++ .domain = VMW_BO_DOMAIN_SYS, ++ .busy_domain = VMW_BO_DOMAIN_SYS, ++ .bo_type = ttm_bo_type_device, ++ .size = res->guest_memory_size, ++ .pin = false ++ }; ++ ++ ret = vmw_gem_object_create(dev_priv, ++ ¶ms, ++ &res->guest_memory_bo); + if (unlikely(ret != 0)) { + vmw_resource_unreference(&res); + goto out_unlock; + } +- vmw_bo_reference(res->guest_memory_bo); +- /* +- * We don't expose the handle to the userspace and surface +- * already holds a gem reference +- */ +- drm_gem_handle_delete(file_priv, backup_handle); + } + + tmp = vmw_resource_reference(&srf->res); +@@ -1512,7 +1507,7 @@ vmw_gb_surface_define_internal(struct dr + if (ret == 0) { + if (res->guest_memory_bo->tbo.base.size < res->guest_memory_size) { + VMW_DEBUG_USER("Surface backup buffer too small.\n"); +- vmw_bo_unreference(&res->guest_memory_bo); ++ vmw_user_bo_unref(&res->guest_memory_bo); + ret = -EINVAL; + goto out_unlock; + } else { +@@ -1526,8 +1521,6 @@ vmw_gb_surface_define_internal(struct dr + res->guest_memory_size, + &backup_handle, + &res->guest_memory_bo); +- if (ret == 0) +- vmw_bo_reference(res->guest_memory_bo); + } + + if (unlikely(ret != 0)) { diff --git a/queue-6.5/iio-adc-ad7192-correct-reference-voltage.patch b/queue-6.5/iio-adc-ad7192-correct-reference-voltage.patch new file mode 100644 index 00000000000..d08da4dbe6e --- /dev/null +++ b/queue-6.5/iio-adc-ad7192-correct-reference-voltage.patch 
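Review bot: `vmw_user_bo_ref()` in vmwgfx_bo.h dereferences `vbo` unconditionally while its counterpart `vmw_user_bo_unref()` tolerates a NULL `*buf`, so the pair is asymmetric. The calls in vmw_resource_unreserve() and vmw_gb_shader_init() sit behind `if (new_guest_memory_bo)` and `if (byte_code)`, but `vmw_user_bo_ref(bo_mob)` in vmw_create_bo_proxy() has no guard visible in its hunk; either add `if (vbo)` before `drm_gem_object_get(&vbo->tbo.base);` or document that the argument must be non-NULL. In vmw_translate_mob_ptr() and vmw_translate_guest_ptr() the `tmp_bo` copy exists only so that `vmw_bo` survives the unref, which presumably relies on vmw_validation_add_bo() holding its own reference; a comment such as `/* validation list keeps the bo alive; drop only the lookup reference */` would make that lifetime explicit. All of these functions start and end outside the inner hunks shown.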
@@ -0,0 +1,73 @@
+From 7e7dcab620cd6d34939f615cac63fc0ef7e81c72 Mon Sep 17 00:00:00 2001
+From: Alisa-Dariana Roman
+Date: Sun, 24 Sep 2023 18:21:48 +0300
+Subject: iio: adc: ad7192: Correct reference voltage
+
+From: Alisa-Dariana Roman
+
+commit 7e7dcab620cd6d34939f615cac63fc0ef7e81c72 upstream.
+
+The avdd and the reference voltage are two different sources but the
+reference voltage was assigned according to the avdd supply.
+
+Add vref regulator structure and set the reference voltage according to
+the vref supply from the devicetree.
+
+In case vref supply is missing, reference voltage is set according to
+the avdd supply for compatibility with old devicetrees.
+
+Fixes: b581f748cce0 ("staging: iio: adc: ad7192: move out of staging")
+Signed-off-by: Alisa-Dariana Roman
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230924152149.41884-1-alisadariana@gmail.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/ad7192.c | 29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/adc/ad7192.c
++++ b/drivers/iio/adc/ad7192.c
+@@ -177,6 +177,7 @@ struct ad7192_chip_info {
+ struct ad7192_state {
+ const struct ad7192_chip_info *chip_info;
+ struct regulator *avdd;
++ struct regulator *vref;
+ struct clk *mclk;
+ u16 int_vref_mv;
+ u32 fclk;
+@@ -1014,10 +1015,30 @@ static int ad7192_probe(struct spi_devic
+ if (ret)
+ return dev_err_probe(&spi->dev, ret, "Failed to enable specified DVdd supply\n");
+
+- ret = regulator_get_voltage(st->avdd);
+- if (ret < 0) {
+- dev_err(&spi->dev, "Device tree error, reference voltage undefined\n");
+- return ret;
++ st->vref = devm_regulator_get_optional(&spi->dev, "vref");
++ if (IS_ERR(st->vref)) {
++ if (PTR_ERR(st->vref) != -ENODEV)
++ return PTR_ERR(st->vref);
++
++ ret = regulator_get_voltage(st->avdd);
++ if (ret < 0)
++ return dev_err_probe(&spi->dev, ret,
++ "Device tree error, AVdd voltage undefined\n");
++ } else {
++ ret = regulator_enable(st->vref);
++ if (ret) {
++ dev_err(&spi->dev, "Failed to enable specified Vref supply\n");
++ return ret;
++ }
++
++ ret = devm_add_action_or_reset(&spi->dev, ad7192_reg_disable, st->vref);
++ if (ret)
++ return ret;
++
++ ret = regulator_get_voltage(st->vref);
++ if (ret < 0)
++ return dev_err_probe(&spi->dev, ret,
++ "Device tree error, Vref voltage undefined\n");
+ }
+ st->int_vref_mv = ret / 1000;
+
diff --git a/queue-6.5/iio-adc-imx8qxp-fix-address-for-command-buffer-registers.patch b/queue-6.5/iio-adc-imx8qxp-fix-address-for-command-buffer-registers.patch
new file mode 100644
index 00000000000..e56bc17434e
--- /dev/null
+++ b/queue-6.5/iio-adc-imx8qxp-fix-address-for-command-buffer-registers.patch
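Review bot: On the -ENODEV fallback path in ad7192_probe() `st->vref` keeps the ERR_PTR returned by devm_regulator_get_optional(), so the new struct member is an error pointer rather than NULL whenever the supply is absent. No later use is visible in this hunk, but any future code touching `st->vref` would have to test IS_ERR() instead of NULL; storing `st->vref = NULL;` before falling back to AVdd, or a comment on the member saying it may hold an ERR_PTR, would remove that trap. Separately, the enable failure uses `dev_err()` plus `return ret;` while the rest of the block uses dev_err_probe(); `return dev_err_probe(&spi->dev, ret, "Failed to enable specified Vref supply\n");` would match. The probe function starts and ends outside the inner hunk.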
@@ -0,0 +1,56 @@
+From 850101b3598277794f92a9e363a60a66e0d42890 Mon Sep 17 00:00:00 2001
+From: Philipp Rossak
+Date: Tue, 5 Sep 2023 00:02:04 +0200
+Subject: iio: adc: imx8qxp: Fix address for command buffer registers
+
+From: Philipp Rossak
+
+commit 850101b3598277794f92a9e363a60a66e0d42890 upstream.
+
+The ADC Command Buffer Register high and low are currently pointing to
+the wrong address and makes it impossible to perform correct
+ADC measurements over all channels.
+
+According to the datasheet of the imx8qxp the ADC_CMDL register starts
+at address 0x100 and the ADC_CMDH register starts at address 0x104.
+
+This bug seems to be in the kernel since the introduction of this
+driver.
+
+This can be observed by checking all raw voltages of the adc and they
+are all nearly identical:
+
+cat /sys/bus/iio/devices/iio\:device0/in_voltage*_raw
+3498
+3494
+3491
+3491
+3489
+3490
+3490
+3490
+
+Fixes: 1e23dcaa1a9fa ("iio: imx8qxp-adc: Add driver support for NXP IMX8QXP ADC")
+Signed-off-by: Philipp Rossak
+Acked-by: Haibo Chen
+Link: https://lore.kernel.org/r/20230904220204.23841-1-embed3d@gmail.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/imx8qxp-adc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/imx8qxp-adc.c
++++ b/drivers/iio/adc/imx8qxp-adc.c
+@@ -38,8 +38,8 @@
+ #define IMX8QXP_ADR_ADC_FCTRL 0x30
+ #define IMX8QXP_ADR_ADC_SWTRIG 0x34
+ #define IMX8QXP_ADR_ADC_TCTRL(tid) (0xc0 + (tid) * 4)
+-#define IMX8QXP_ADR_ADC_CMDH(cid) (0x100 + (cid) * 8)
+-#define IMX8QXP_ADR_ADC_CMDL(cid) (0x104 + (cid) * 8)
++#define IMX8QXP_ADR_ADC_CMDL(cid) (0x100 + (cid) * 8)
++#define IMX8QXP_ADR_ADC_CMDH(cid) (0x104 + (cid) * 8)
+ #define IMX8QXP_ADR_ADC_RESFIFO 0x300
+ #define IMX8QXP_ADR_ADC_TST 0xffc
+
diff --git a/queue-6.5/iio-addac-kconfig-update-ad74413r-selections.patch b/queue-6.5/iio-addac-kconfig-update-ad74413r-selections.patch
new file mode 100644
index 00000000000..231961d3141
--- /dev/null
+++ b/queue-6.5/iio-addac-kconfig-update-ad74413r-selections.patch
@@ -0,0 +1,35 @@
+From b120dd3a15582fb7a959cecb05e4d9814fcba386 Mon Sep 17 00:00:00 2001
+From: Antoniu Miclaus
+Date: Tue, 12 Sep 2023 11:54:21 +0300
+Subject: iio: addac: Kconfig: update ad74413r selections
+
+From: Antoniu Miclaus
+
+commit b120dd3a15582fb7a959cecb05e4d9814fcba386 upstream.
+
+Building ad74413r without selecting IIO_BUFFER and
+IIO_TRIGGERED_BUFFER generates error with respect to the iio trigger
+functions that are used within the driver.
+Update the Kconfig accordingly.
+
+Fixes: fea251b6a5db ("iio: addac: add AD74413R driver")
+Signed-off-by: Antoniu Miclaus
+Link: https://lore.kernel.org/r/20230912085421.51102-1-antoniu.miclaus@analog.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/addac/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/addac/Kconfig
++++ b/drivers/iio/addac/Kconfig
+@@ -24,6 +24,8 @@ config AD74413R
+ depends on GPIOLIB && SPI
+ select REGMAP_SPI
+ select CRC8
++ select IIO_BUFFER
++ select IIO_TRIGGERED_BUFFER
+ help
+ Say yes here to build support for Analog Devices AD74412R/AD74413R
+ quad-channel software configurable input/output solution.
diff --git a/queue-6.5/iio-admv1013-add-mixer_vgate-corner-cases.patch b/queue-6.5/iio-admv1013-add-mixer_vgate-corner-cases.patch
new file mode 100644
index 00000000000..a275540f005
--- /dev/null
+++ b/queue-6.5/iio-admv1013-add-mixer_vgate-corner-cases.patch
@@ -0,0 +1,41 @@
+From 287d998af24326b009ae0956820a3188501b34a0 Mon Sep 17 00:00:00 2001
+From: Antoniu Miclaus
+Date: Mon, 7 Aug 2023 17:38:05 +0300
+Subject: iio: admv1013: add mixer_vgate corner cases
+
+From: Antoniu Miclaus
+
+commit 287d998af24326b009ae0956820a3188501b34a0 upstream.
+
+Include the corner cases in the computation of the MIXER_VGATE register
+value.
+
+According to the datasheet: The MIXER_VGATE values follows the VCM such
+as, that for a 0V to 1.8V VCM, MIXER_VGATE = 23.89 VCM + 81, and for a >
+1.8V to 2.6V VCM, MIXER_VGATE = 23.75 VCM + 1.25.
+
+Fixes: da35a7b526d9 ("iio: frequency: admv1013: add support for ADMV1013")
+Signed-off-by: Antoniu Miclaus
+Reviewed-by: Nuno Sa
+Link: https://lore.kernel.org/r/20230807143806.6954-1-antoniu.miclaus@analog.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/frequency/admv1013.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/frequency/admv1013.c
++++ b/drivers/iio/frequency/admv1013.c
+@@ -351,9 +351,9 @@ static int admv1013_update_mixer_vgate(s
+ if (vcm < 0)
+ return vcm;
+
+- if (vcm <= 1800000)
++ if (vcm <= 1800000)
+ mixer_vgate = (2389 * vcm / 1000000 + 8100) / 100;
+- else if (vcm > 1800000 && vcm < 2600000)
++ else if (vcm > 1800000 && vcm <= 2600000)
+ mixer_vgate = (2375 * vcm / 1000000 + 125) / 100;
+ else
+ return -EINVAL;
diff --git a/queue-6.5/iio-cros_ec-fix-an-use-after-free-in-cros_ec_sensors_push_data.patch b/queue-6.5/iio-cros_ec-fix-an-use-after-free-in-cros_ec_sensors_push_data.patch
new file mode 100644
index 00000000000..8a49d35768f
--- /dev/null
+++ b/queue-6.5/iio-cros_ec-fix-an-use-after-free-in-cros_ec_sensors_push_data.patch
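Review bot: The products `2389 * vcm` and `2375 * vcm` in admv1013_update_mixer_vgate() exceed a 32-bit signed range well inside the accepted window if `vcm` is an `int`, as the `vcm < 0` test and `return vcm;` suggest (its declaration is outside the hunk). With the upper bounds now inclusive, values up to 2600000 reach the multiplication, and 2389 * 1800000 is already about 4.3e9, so the intermediate would overflow before the division. Scaling first, for example `mixer_vgate = (2389 * (vcm / 1000) / 1000 + 8100) / 100;` and the same shape for the 2375 branch, keeps the intermediate small at the cost of sub-millivolt precision; a 64-bit intermediate is the alternative. The `vcm > 1800000 &&` half of the second condition is also redundant after the first branch.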
@@ -0,0 +1,68 @@
+From 7771c8c80d62ad065637ef74ed2962983f6c5f6d Mon Sep 17 00:00:00 2001
+From: Tzung-Bi Shih
+Date: Tue, 29 Aug 2023 11:06:22 +0800
+Subject: iio: cros_ec: fix an use-after-free in cros_ec_sensors_push_data()
+
+From: Tzung-Bi Shih
+
+commit 7771c8c80d62ad065637ef74ed2962983f6c5f6d upstream.
+
+cros_ec_sensors_push_data() reads `indio_dev->active_scan_mask` and
+calls iio_push_to_buffers_with_timestamp() without making sure the
+`indio_dev` stays in buffer mode. There is a race if `indio_dev` exits
+buffer mode right before cros_ec_sensors_push_data() accesses them.
+
+An use-after-free on `indio_dev->active_scan_mask` was observed. The
+call trace:
+[...]
+ _find_next_bit
+ cros_ec_sensors_push_data
+ cros_ec_sensorhub_event
+ blocking_notifier_call_chain
+ cros_ec_irq_thread
+
+It was caused by a race condition: one thread just freed
+`active_scan_mask` at [1]; while another thread tried to access the
+memory at [2].
+
+Fix it by calling iio_device_claim_buffer_mode() to ensure the
+`indio_dev` can't exit buffer mode during cros_ec_sensors_push_data().
+
+[1]: https://elixir.bootlin.com/linux/v6.5/source/drivers/iio/industrialio-buffer.c#L1189
+[2]: https://elixir.bootlin.com/linux/v6.5/source/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c#L198
+
+Cc: stable@vger.kernel.org
+Fixes: aa984f1ba4a4 ("iio: cros_ec: Register to cros_ec_sensorhub when EC supports FIFO")
+Signed-off-by: Tzung-Bi Shih
+Reviewed-by: Guenter Roeck
+Reviewed-by: Stephen Boyd
+Link: https://lore.kernel.org/r/20230829030622.1571852-1-tzungbi@kernel.org
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c
++++ b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c
+@@ -190,8 +190,11 @@ int cros_ec_sensors_push_data(struct iio
+ /*
+ * Ignore samples if the buffer is not set: it is needed if the ODR is
+ * set but the buffer is not enabled yet.
++ *
++ * Note: iio_device_claim_buffer_mode() returns -EBUSY if the buffer
++ * is not enabled.
+ */
+- if (!iio_buffer_enabled(indio_dev))
++ if (iio_device_claim_buffer_mode(indio_dev) < 0)
+ return 0;
+
+ out = (s16 *)st->samples;
+@@ -210,6 +213,7 @@ int cros_ec_sensors_push_data(struct iio
+ iio_push_to_buffers_with_timestamp(indio_dev, st->samples,
+ timestamp + delta);
+
++ iio_device_release_buffer_mode(indio_dev);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(cros_ec_sensors_push_data);
diff --git a/queue-6.5/iio-dac-ad3552r-correct-device-ids.patch b/queue-6.5/iio-dac-ad3552r-correct-device-ids.patch
new file mode 100644
index 00000000000..a178af93c33
--- /dev/null
+++ b/queue-6.5/iio-dac-ad3552r-correct-device-ids.patch
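Review bot: The claim taken by `iio_device_claim_buffer_mode()` is released only before the final `return 0;`, and the statements between the two inner hunks are not shown, so any early return there, now or added later, would leave the device claimed. A comment at the release such as `/* Pairs with iio_device_claim_buffer_mode() above; every exit after the claim must release */` would make the pairing explicit. The `< 0` test also drops the sample on any error from the claim, not only the -EBUSY that the new comment mentions; that looks intended, but the comment should say so.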
@@ -0,0 +1,37 @@ +From 9a85653ed3b9a9b7b31d95a34b64b990c3d33ca1 Mon Sep 17 00:00:00 2001 +From: Marcelo Schmitt +Date: Thu, 3 Aug 2023 16:56:23 -0300 +Subject: iio: dac: ad3552r: Correct device IDs + +From: Marcelo Schmitt + +commit 9a85653ed3b9a9b7b31d95a34b64b990c3d33ca1 upstream. + +Device IDs for AD3542R and AD3552R were swapped leading to unintended +collection of DAC output ranges being used for each design. +Change device ID values so they are correct for each DAC chip. + +Fixes: 8f2b54824b28 ("drivers:iio:dac: Add AD3552R driver support") +Signed-off-by: Marcelo Schmitt +Reported-by: Chandrakant Minajigi +Link: https://lore.kernel.org/r/011f480220799fbfabdd53896f8a2f251ad995ad.1691091324.git.marcelo.schmitt1@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/ad3552r.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/dac/ad3552r.c ++++ b/drivers/iio/dac/ad3552r.c +@@ -140,8 +140,8 @@ enum ad3552r_ch_vref_select { + }; + + enum ad3542r_id { +- AD3542R_ID = 0x4008, +- AD3552R_ID = 0x4009, ++ AD3542R_ID = 0x4009, ++ AD3552R_ID = 0x4008, + }; + + enum ad3552r_ch_output_range { diff --git a/queue-6.5/iio-imu-bno055-fix-missing-kconfig-dependencies.patch b/queue-6.5/iio-imu-bno055-fix-missing-kconfig-dependencies.patch new file mode 100644 index 00000000000..933f7721f51 --- /dev/null +++ b/queue-6.5/iio-imu-bno055-fix-missing-kconfig-dependencies.patch 
@@ -0,0 +1,42 @@
+From c9b9cfe7d342683f624a89c3b617be18aff879e8 Mon Sep 17 00:00:00 2001
+From: Jonathan Cameron
+Date: Sun, 3 Sep 2023 12:30:52 +0100
+Subject: iio: imu: bno055: Fix missing Kconfig dependencies
+
+From: Jonathan Cameron
+
+commit c9b9cfe7d342683f624a89c3b617be18aff879e8 upstream.
+
+This driver uses IIO triggered buffers so it needs to select them in
+Kconfig.
+
+on riscv-32bit:
+
+/opt/crosstool/gcc-13.2.0-nolibc/riscv32-linux/bin/riscv32-linux-ld: drivers/iio/imu/bno055/bno055.o: in function `.L367':
+bno055.c:(.text+0x2c96): undefined reference to `devm_iio_triggered_buffer_setup_ext'
+
+Reported-by: Randy Dunlap
+Closes: https://lore.kernel.org/linux-next/40566b4b-3950-81fe-ff14-871d8c447627@infradead.org/
+Fixes: 4aefe1c2bd0c ("iio: imu: add Bosch Sensortec BNO055 core driver")
+Cc: Andrea Merello
+Acked-by: Randy Dunlap
+Tested-by: Randy Dunlap
+Link: https://lore.kernel.org/r/20230903113052.846298-1-jic23@kernel.org
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/imu/bno055/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/imu/bno055/Kconfig
++++ b/drivers/iio/imu/bno055/Kconfig
+@@ -2,6 +2,8 @@
+
+ config BOSCH_BNO055
+ tristate
++ select IIO_BUFFER
++ select IIO_TRIGGERED_BUFFER
+
+ config BOSCH_BNO055_SERIAL
+ tristate "Bosch BNO055 attached via UART"
diff --git a/queue-6.5/iio-pressure-bmp280-fix-null-pointer-exception.patch b/queue-6.5/iio-pressure-bmp280-fix-null-pointer-exception.patch
new file mode 100644
index 00000000000..15dc822b720
--- /dev/null
+++ b/queue-6.5/iio-pressure-bmp280-fix-null-pointer-exception.patch
@@ -0,0 +1,35 @@
+From 85dfb43bf69281adb1f345dfd9a39faf2e5a718d Mon Sep 17 00:00:00 2001
+From: Phil Elwell
+Date: Fri, 11 Aug 2023 16:58:29 +0100
+Subject: iio: pressure: bmp280: Fix NULL pointer exception
+
+From: Phil Elwell
+
+commit 85dfb43bf69281adb1f345dfd9a39faf2e5a718d upstream.
+
+The bmp085 EOC IRQ support is optional, but the driver's common probe
+function queries the IRQ properties whether or not it exists, which
+can trigger a NULL pointer exception. Avoid any exception by making
+the query conditional on the possession of a valid IRQ.
+
+Fixes: aae953949651 ("iio: pressure: bmp280: add support for BMP085 EOC interrupt")
+Signed-off-by: Phil Elwell
+Reviewed-by: Linus Walleij
+Link: https://lore.kernel.org/r/20230811155829.51208-1-phil@raspberrypi.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/pressure/bmp280-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/pressure/bmp280-core.c
++++ b/drivers/iio/pressure/bmp280-core.c
+@@ -2179,7 +2179,7 @@ int bmp280_common_probe(struct device *d
+ * however as it happens, the BMP085 shares the chip ID of BMP180
+ * so we look for an IRQ if we have that.
+ */
+- if (irq > 0 || (chip_id == BMP180_CHIP_ID)) {
++ if (irq > 0 && (chip_id == BMP180_CHIP_ID)) {
+ ret = bmp085_fetch_eoc_irq(dev, name, irq, data);
+ if (ret)
+ return ret;
diff --git a/queue-6.5/iio-pressure-dps310-adjust-timeout-settings.patch b/queue-6.5/iio-pressure-dps310-adjust-timeout-settings.patch
new file mode 100644
index 00000000000..d0f100eb2f8
--- /dev/null
+++ b/queue-6.5/iio-pressure-dps310-adjust-timeout-settings.patch
@@ -0,0 +1,55 @@ +From 901a293fd96fb9bab843ba4cc7be3094a5aa7c94 Mon Sep 17 00:00:00 2001 +From: Lakshmi Yadlapati +Date: Tue, 29 Aug 2023 13:02:22 -0500 +Subject: iio: pressure: dps310: Adjust Timeout Settings + +From: Lakshmi Yadlapati + +commit 901a293fd96fb9bab843ba4cc7be3094a5aa7c94 upstream. + +The DPS310 sensor chip has been encountering intermittent errors while +reading the sensor device across various system designs. This issue causes +the chip to become "stuck," preventing the indication of "ready" status +for pressure and temperature measurements in the MEAS_CFG register. + +To address this issue, this commit fixes the timeout settings to improve +sensor stability: +- After sending a reset command to the chip, the timeout has been extended + from 2.5 ms to 15 ms, aligning with the DPS310 specification. +- The read timeout value of the MEAS_CFG register has been adjusted from + 20ms to 30ms to match the specification. + +Signed-off-by: Lakshmi Yadlapati +Fixes: 7b4ab4abcea4 ("iio: pressure: dps310: Reset chip after timeout") +Link: https://lore.kernel.org/r/20230829180222.3431926-2-lakshmiy@us.ibm.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/pressure/dps310.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/iio/pressure/dps310.c ++++ b/drivers/iio/pressure/dps310.c +@@ -57,8 +57,8 @@ + #define DPS310_RESET_MAGIC 0x09 + #define DPS310_COEF_BASE 0x10 + +-/* Make sure sleep time is <= 20ms for usleep_range */ +-#define DPS310_POLL_SLEEP_US(t) min(20000, (t) / 8) ++/* Make sure sleep time is <= 30ms for usleep_range */ ++#define DPS310_POLL_SLEEP_US(t) min(30000, (t) / 8) + /* Silently handle error in rate value here */ + #define DPS310_POLL_TIMEOUT_US(rc) ((rc) <= 0 ? 
1000000 : 1000000 / (rc)) + +@@ -402,8 +402,8 @@ static int dps310_reset_wait(struct dps3 + if (rc) + return rc; + +- /* Wait for device chip access: 2.5ms in specification */ +- usleep_range(2500, 12000); ++ /* Wait for device chip access: 15ms in specification */ ++ usleep_range(15000, 55000); + return 0; + } + diff --git a/queue-6.5/iio-pressure-ms5611-ms5611_prom_is_valid-false-negative-bug.patch b/queue-6.5/iio-pressure-ms5611-ms5611_prom_is_valid-false-negative-bug.patch new file mode 100644 index 00000000000..30844b4801b --- /dev/null +++ b/queue-6.5/iio-pressure-ms5611-ms5611_prom_is_valid-false-negative-bug.patch 
@@ -0,0 +1,50 @@
+From fd39d9668f2ce9f4b05ad55e8c8d80c098073e0b Mon Sep 17 00:00:00 2001
+From: Alexander Zangerl
+Date: Wed, 20 Sep 2023 10:01:10 +1000
+Subject: iio: pressure: ms5611: ms5611_prom_is_valid false negative bug
+
+From: Alexander Zangerl
+
+commit fd39d9668f2ce9f4b05ad55e8c8d80c098073e0b upstream.
+
+The ms5611 driver falsely rejects lots of MS5607-02BA03-50 chips
+with "PROM integrity check failed" because it doesn't accept a prom crc
+value of zero as legitimate.
+
+According to the datasheet for this chip (and the manufacturer's
+application note about the PROM CRC), none of the possible values for the
+CRC are excluded - but the current code in ms5611_prom_is_valid() ends with
+
+return crc_orig != 0x0000 && crc == crc_orig
+
+Discussed with the driver author (Tomasz Duszynski) and he indicated that
+at that time (2015) he was dealing with some faulty chip samples which
+returned blank data under some circumstances and/or followed example code
+which indicated CRC zero being bad.
+
+As far as I can tell this exception should not be applied anymore; We've
+got a few hundred custom boards here with this chip where large numbers
+of the prom have a legitimate CRC value 0, and do work fine, but which the
+current driver code wrongly rejects.
+
+Signed-off-by: Alexander Zangerl
+Fixes: c0644160a8b5 ("iio: pressure: add support for MS5611 pressure and temperature sensor")
+Link: https://lore.kernel.org/r/2535-1695168070.831792@Ze3y.dhYT.s3fx
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/pressure/ms5611_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/pressure/ms5611_core.c
++++ b/drivers/iio/pressure/ms5611_core.c
+@@ -76,7 +76,7 @@ static bool ms5611_prom_is_valid(u16 *pr
+
+ crc = (crc >> 12) & 0x000F;
+
+- return crc_orig != 0x0000 && crc == crc_orig;
++ return crc == crc_orig;
+ }
+
+ static int ms5611_read_prom(struct iio_dev *indio_dev)
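Review bot: With the `crc_orig != 0x0000` term dropped from the return in ms5611_prom_is_valid(), a PROM read that comes back as all zeros would presumably pass as well, because a CRC computed over zero words is expected to be zero and would then equal a zero stored CRC; the CRC loop is outside the hunk, so this needs confirming against the full function. The commit message says the old term existed because some parts returned blank data, so that case deserves its own test instead of disappearing together with the CRC exception. I would reject a PROM whose words are all zero before the comparison, keep `return crc == crc_orig;` as it is, and add a comment such as `/* a stored CRC of 0 is legitimate; a blank PROM is rejected above */`.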
diff --git a/queue-6.5/input-goodix-ensure-int-gpio-is-in-input-for-gpio_count-1-gpio_int_idx-0-case.patch b/queue-6.5/input-goodix-ensure-int-gpio-is-in-input-for-gpio_count-1-gpio_int_idx-0-case.patch new file mode 100644 index 00000000000..4a64a87203a --- /dev/null +++ b/queue-6.5/input-goodix-ensure-int-gpio-is-in-input-for-gpio_count-1-gpio_int_idx-0-case.patch 
@@ -0,0 +1,87 @@ +From 423622a90abb243944d1517b9f57db53729e45c4 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 4 Oct 2023 07:18:31 -0700 +Subject: Input: goodix - ensure int GPIO is in input for gpio_count == 1 && gpio_int_idx == 0 case + +From: Hans de Goede + +commit 423622a90abb243944d1517b9f57db53729e45c4 upstream. + +Add a special case for gpio_count == 1 && gpio_int_idx == 0 to +goodix_add_acpi_gpio_mappings(). + +It seems that on newer x86/ACPI devices the reset and irq GPIOs are no +longer listed as GPIO resources instead there is only 1 GpioInt resource +and _PS0 does the whole reset sequence for us. + +This means that we must call acpi_device_fix_up_power() on these devices +to ensure that the chip is reset before we try to use it. + +This part was already fixed in commit 3de93e6ed2df ("Input: goodix - call +acpi_device_fix_up_power() in some cases") by adding a call to +acpi_device_fix_up_power() to the generic "Unexpected ACPI resources" +catch all. + +But it turns out that this case on some hw needs some more special +handling. Specifically the firmware may bootup with the IRQ pin in +output mode. 
The reset sequence from ACPI _PS0 (executed by +acpi_device_fix_up_power()) should put the pin in input mode, +but the GPIO subsystem has cached the direction at bootup, causing +request_irq() to fail due to gpiochip_lock_as_irq() failure: + +[ 9.119864] Goodix-TS i2c-GDIX1002:00: Unexpected ACPI resources: gpio_count 1, gpio_int_idx 0 +[ 9.317443] Goodix-TS i2c-GDIX1002:00: ID 911, version: 1060 +[ 9.321902] input: Goodix Capacitive TouchScreen as /devices/pci0000:00/0000:00:17.0/i2c_designware.4/i2c-5/i2c-GDIX1002:00/input/input8 +[ 9.327840] gpio gpiochip0: (INT3453:00): gpiochip_lock_as_irq: tried to flag a GPIO set as output for IRQ +[ 9.327856] gpio gpiochip0: (INT3453:00): unable to lock HW IRQ 26 for IRQ +[ 9.327861] genirq: Failed to request resources for GDIX1002:00 (irq 131) on irqchip intel-gpio +[ 9.327912] Goodix-TS i2c-GDIX1002:00: request IRQ failed: -5 + +Fix this by adding a special case for gpio_count == 1 && gpio_int_idx == 0 +which adds an ACPI GPIO lookup table for the int GPIO even though we cannot +use it for reset purposes (as there is no reset GPIO). + +Adding the lookup will make the gpiod_int = gpiod_get(..., GPIOD_IN) call +succeed, which will explicitly set the direction to input fixing the issue. + +Note this re-uses the acpi_goodix_int_first_gpios[] lookup table, since +there is only 1 GPIO in the ACPI resources the reset entry in that +lookup table will amount to a no-op. 
+ +Reported-and-tested-by: Michael Smith <1973.mjsmith@gmail.com> +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20231003215144.69527-1-hdegoede@redhat.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/goodix.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/drivers/input/touchscreen/goodix.c ++++ b/drivers/input/touchscreen/goodix.c +@@ -900,6 +900,25 @@ static int goodix_add_acpi_gpio_mappings + dev_info(dev, "No ACPI GpioInt resource, assuming that the GPIO order is reset, int\n"); + ts->irq_pin_access_method = IRQ_PIN_ACCESS_ACPI_GPIO; + gpio_mapping = acpi_goodix_int_last_gpios; ++ } else if (ts->gpio_count == 1 && ts->gpio_int_idx == 0) { ++ /* ++ * On newer devices there is only 1 GpioInt resource and _PS0 ++ * does the whole reset sequence for us. ++ */ ++ acpi_device_fix_up_power(ACPI_COMPANION(dev)); ++ ++ /* ++ * Before the _PS0 call the int GPIO may have been in output ++ * mode and the call should have put the int GPIO in input mode, ++ * but the GPIO subsys cached state may still think it is ++ * in output mode, causing gpiochip_lock_as_irq() failure. ++ * ++ * Add a mapping for the int GPIO to make the ++ * gpiod_int = gpiod_get(..., GPIOD_IN) call succeed, ++ * which will explicitly set the direction to input. ++ */ ++ ts->irq_pin_access_method = IRQ_PIN_ACCESS_NONE; ++ gpio_mapping = acpi_goodix_int_first_gpios; + } else { + dev_warn(dev, "Unexpected ACPI resources: gpio_count %d, gpio_int_idx %d\n", + ts->gpio_count, ts->gpio_int_idx); diff --git a/queue-6.5/input-i8042-add-fujitsu-lifebook-e5411-to-i8042-quirk-table.patch b/queue-6.5/input-i8042-add-fujitsu-lifebook-e5411-to-i8042-quirk-table.patch new file mode 100644 index 00000000000..1fb7257b19e --- /dev/null +++ b/queue-6.5/input-i8042-add-fujitsu-lifebook-e5411-to-i8042-quirk-table.patch 
@@ -0,0 +1,47 @@ +From 80f39e1c27ba9e5a1ea7e68e21c569c9d8e46062 Mon Sep 17 00:00:00 2001 +From: Szilard Fabian +Date: Wed, 4 Oct 2023 05:47:01 -0700 +Subject: Input: i8042 - add Fujitsu Lifebook E5411 to i8042 quirk table + +From: Szilard Fabian + +commit 80f39e1c27ba9e5a1ea7e68e21c569c9d8e46062 upstream. + +In the initial boot stage the integrated keyboard of Fujitsu Lifebook E5411 +refuses to work and it's not possible to type for example a dm-crypt +passphrase without the help of an external keyboard. + +i8042.nomux kernel parameter resolves this issue but using that a PS/2 +mouse is detected. This input device is unused even when the i2c-hid-acpi +kernel module is blacklisted making the integrated ELAN touchpad +(04F3:308A) not working at all. + +Since the integrated touchpad is managed by the i2c_designware input +driver in the Linux kernel and you can't find a PS/2 mouse port on the +computer I think it's safe to not use the PS/2 mouse port at all. + +Signed-off-by: Szilard Fabian +Link: https://lore.kernel.org/r/20231004011749.101789-1-szfabian@bluemarch.art +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/serio/i8042-acpipnpio.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/input/serio/i8042-acpipnpio.h ++++ b/drivers/input/serio/i8042-acpipnpio.h +@@ -619,6 +619,14 @@ static const struct dmi_system_id i8042_ + .driver_data = (void *)(SERIO_QUIRK_NOMUX) + }, + { ++ /* Fujitsu Lifebook E5411 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU CLIENT COMPUTING LIMITED"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK E5411"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOAUX) ++ }, ++ { + /* Gigabyte M912 */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), diff --git a/queue-6.5/input-powermate-fix-use-after-free-in-powermate_config_complete.patch b/queue-6.5/input-powermate-fix-use-after-free-in-powermate_config_complete.patch new file mode 100644 index 00000000000..71610951b72 --- /dev/null 
+++ b/queue-6.5/input-powermate-fix-use-after-free-in-powermate_config_complete.patch
@@ -0,0 +1,39 @@
+From 5c15c60e7be615f05a45cd905093a54b11f461bc Mon Sep 17 00:00:00 2001
+From: Javier Carrasco
+Date: Fri, 13 Oct 2023 20:11:33 -0700
+Subject: Input: powermate - fix use-after-free in powermate_config_complete
+
+From: Javier Carrasco
+
+commit 5c15c60e7be615f05a45cd905093a54b11f461bc upstream.
+
+syzbot has found a use-after-free bug [1] in the powermate driver. This
+happens when the device is disconnected, which leads to a memory free from
+the powermate_device struct. When an asynchronous control message
+completes after the kfree and its callback is invoked, the lock does not
+exist anymore and hence the bug.
+
+Use usb_kill_urb() on pm->config to cancel any in-progress requests upon
+device disconnection.
+
+[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e
+
+Signed-off-by: Javier Carrasco
+Reported-by: syzbot+0434ac83f907a1dbdd1e@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20230916-topic-powermate_use_after_free-v3-1-64412b81a7a2@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/misc/powermate.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/misc/powermate.c
++++ b/drivers/input/misc/powermate.c
+@@ -425,6 +425,7 @@ static void powermate_disconnect(struct
+ pm->requires_update = 0;
+ usb_kill_urb(pm->irq);
+ input_unregister_device(pm->input);
++ usb_kill_urb(pm->config);
+ usb_free_urb(pm->irq);
+ usb_free_urb(pm->config);
+ powermate_free_buffers(interface_to_usbdev(intf), pm);
diff --git a/queue-6.5/input-psmouse-fix-fast_reconnect-function-for-ps-2-mode.patch b/queue-6.5/input-psmouse-fix-fast_reconnect-function-for-ps-2-mode.patch
new file mode 100644
index 00000000000..5c3e999ece3
--- /dev/null
+++ b/queue-6.5/input-psmouse-fix-fast_reconnect-function-for-ps-2-mode.patch
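Review bot: The added `usb_kill_urb(pm->config);` in powermate_disconnect() is placed after `input_unregister_device(pm->input)` rather than next to `usb_kill_urb(pm->irq)`, and nothing in the code says why. The order looks deliberate: presumably input events can still queue a config request until the input device is gone, so killing the URB any earlier would leave room for a fresh submission before the frees that follow. A comment above the new line would stop a later cleanup from moving it, e.g. `/* kill only after unregister: no new config request can be queued past this point */`. powermate_disconnect() starts and ends outside the hunk, so the submission path should be checked against that comment.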
@@ -0,0 +1,58 @@ +From e2cb5cc822b6c9ee72c56ce1d81671b22c05406a Mon Sep 17 00:00:00 2001 +From: Jeffery Miller +Date: Fri, 13 Oct 2023 15:23:49 -0700 +Subject: Input: psmouse - fix fast_reconnect function for PS/2 mode + +From: Jeffery Miller + +commit e2cb5cc822b6c9ee72c56ce1d81671b22c05406a upstream. + +When the SMBus connection is attempted psmouse_smbus_init() sets +the fast_reconnect pointer to psmouse_smbus_reconnecti(). If SMBus +initialization fails, elantech_setup_ps2() and synaptics_init_ps2() will +fallback to PS/2 mode, replacing the psmouse private data. This can cause +issues on resume, since psmouse_smbus_reconnect() expects to find an +instance of struct psmouse_smbus_dev in psmouse->private. + +The issue was uncovered when in 92e24e0e57f7 ("Input: psmouse - add +delay when deactivating for SMBus mode") psmouse_smbus_reconnect() +started attempting to use more of the data structure. The commit was +since reverted, not because it was at fault, but because there was found +a better way of doing what it was attempting to do. + +Fix the problem by resetting the fast_reconnect pointer in psmouse +structure in elantech_setup_ps2() and synaptics_init_ps2() when the PS/2 +mode is used. 
+ +Reported-by: Thorsten Leemhuis +Tested-by: Thorsten Leemhuis +Signed-off-by: Jeffery Miller +Fixes: bf232e460a35 ("Input: psmouse-smbus - allow to control psmouse_deactivate") +Link: https://lore.kernel.org/r/20231005002249.554877-1-jefferymiller@google.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/mouse/elantech.c | 1 + + drivers/input/mouse/synaptics.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -2114,6 +2114,7 @@ static int elantech_setup_ps2(struct psm + psmouse->protocol_handler = elantech_process_byte; + psmouse->disconnect = elantech_disconnect; + psmouse->reconnect = elantech_reconnect; ++ psmouse->fast_reconnect = NULL; + psmouse->pktsize = info->hw_version > 1 ? 6 : 4; + + return 0; +--- a/drivers/input/mouse/synaptics.c ++++ b/drivers/input/mouse/synaptics.c +@@ -1623,6 +1623,7 @@ static int synaptics_init_ps2(struct psm + psmouse->set_rate = synaptics_set_rate; + psmouse->disconnect = synaptics_disconnect; + psmouse->reconnect = synaptics_reconnect; ++ psmouse->fast_reconnect = NULL; + psmouse->cleanup = synaptics_reset; + /* Synaptics can usually stay in sync without extra help */ + psmouse->resync_time = 0; diff --git a/queue-6.5/input-xpad-add-hyperx-clutch-gladiate-support.patch b/queue-6.5/input-xpad-add-hyperx-clutch-gladiate-support.patch new file mode 100644 index 00000000000..8df96c1dc27 --- /dev/null +++ b/queue-6.5/input-xpad-add-hyperx-clutch-gladiate-support.patch 
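Review bot: Setting `psmouse->fast_reconnect = NULL;` in elantech_setup_ps2() and synaptics_init_ps2() covers the two fallback paths named in the commit message, but the stale callback is installed during the SMBus attempt and every caller has to remember to undo it. Any other path that replaces `psmouse->private` after a failed SMBus init would keep a callback that reads the private data as a different struct type. Both added lines would benefit from a comment such as `/* drop the SMBus hook: private data is no longer a psmouse_smbus_dev */`. Clearing the pointer in the SMBus failure path itself is worth considering as well; that code is outside these hunks.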
@@ -0,0 +1,40 @@ +From e28a0974d749e5105d77233c0a84d35c37da047e Mon Sep 17 00:00:00 2001 +From: Max Nguyen +Date: Sun, 17 Sep 2023 22:21:53 -0700 +Subject: Input: xpad - add HyperX Clutch Gladiate Support + +From: Max Nguyen + +commit e28a0974d749e5105d77233c0a84d35c37da047e upstream. + +Add HyperX controller support to xpad_device and xpad_table. + +Suggested-by: Chris Toledanes +Reviewed-by: Carl Ng +Signed-off-by: Max Nguyen +Reviewed-by: Rahul Rameshbabu +Link: https://lore.kernel.org/r/20230906231514.4291-1-hphyperxdev@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joystick/xpad.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -130,6 +130,7 @@ static const struct xpad_device { + { 0x0079, 0x18d4, "GPD Win 2 X-Box Controller", 0, XTYPE_XBOX360 }, + { 0x03eb, 0xff01, "Wooting One (Legacy)", 0, XTYPE_XBOX360 }, + { 0x03eb, 0xff02, "Wooting Two (Legacy)", 0, XTYPE_XBOX360 }, ++ { 0x03f0, 0x0495, "HyperX Clutch Gladiate", 0, XTYPE_XBOXONE }, + { 0x044f, 0x0f00, "Thrustmaster Wheel", 0, XTYPE_XBOX }, + { 0x044f, 0x0f03, "Thrustmaster Wheel", 0, XTYPE_XBOX }, + { 0x044f, 0x0f07, "Thrustmaster, Inc. Controller", 0, XTYPE_XBOX }, +@@ -458,6 +459,7 @@ static const struct usb_device_id xpad_t + { USB_INTERFACE_INFO('X', 'B', 0) }, /* Xbox USB-IF not-approved class */ + XPAD_XBOX360_VENDOR(0x0079), /* GPD Win 2 controller */ + XPAD_XBOX360_VENDOR(0x03eb), /* Wooting Keyboards (Legacy) */ ++ XPAD_XBOXONE_VENDOR(0x03f0), /* HP HyperX Xbox One controllers */ + XPAD_XBOX360_VENDOR(0x044f), /* Thrustmaster Xbox 360 controllers */ + XPAD_XBOX360_VENDOR(0x045e), /* Microsoft Xbox 360 controllers */ + XPAD_XBOXONE_VENDOR(0x045e), /* Microsoft Xbox One controllers */ diff --git a/queue-6.5/input-xpad-add-pxn-v900-support.patch b/queue-6.5/input-xpad-add-pxn-v900-support.patch new file mode 100644 index 00000000000..3a27b92ce21 --- /dev/null 
+++ b/queue-6.5/input-xpad-add-pxn-v900-support.patch @@ -0,0 +1,38 @@ +From a65cd7ef5a864bdbbe037267c327786b7759d4c6 Mon Sep 17 00:00:00 2001 +From: Matthias Berndt +Date: Fri, 13 Oct 2023 15:04:36 -0700 +Subject: Input: xpad - add PXN V900 support + +From: Matthias Berndt + +commit a65cd7ef5a864bdbbe037267c327786b7759d4c6 upstream. + +Add VID and PID to the xpad_device table to allow driver to use the PXN +V900 steering wheel, which is XTYPE_XBOX360 compatible in xinput mode. + +Signed-off-by: Matthias Berndt +Link: https://lore.kernel.org/r/4932699.31r3eYUQgx@fedora +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joystick/xpad.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -271,6 +271,7 @@ static const struct xpad_device { + { 0x1038, 0x1430, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 }, + { 0x1038, 0x1431, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 }, + { 0x11c9, 0x55f0, "Nacon GC-100XF", 0, XTYPE_XBOX360 }, ++ { 0x11ff, 0x0511, "PXN V900", 0, XTYPE_XBOX360 }, + { 0x1209, 0x2882, "Ardwiino Controller", 0, XTYPE_XBOX360 }, + { 0x12ab, 0x0004, "Honey Bee Xbox360 dancepad", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX360 }, + { 0x12ab, 0x0301, "PDP AFTERGLOW AX.1", 0, XTYPE_XBOX360 }, +@@ -475,6 +476,7 @@ static const struct usb_device_id xpad_t + XPAD_XBOX360_VENDOR(0x1038), /* SteelSeries controllers */ + XPAD_XBOXONE_VENDOR(0x10f5), /* Turtle Beach Controllers */ + XPAD_XBOX360_VENDOR(0x11c9), /* Nacon GC100XF */ ++ XPAD_XBOX360_VENDOR(0x11ff), /* PXN V900 */ + XPAD_XBOX360_VENDOR(0x1209), /* Ardwiino Controllers */ + XPAD_XBOX360_VENDOR(0x12ab), /* Xbox 360 dance pads */ + XPAD_XBOX360_VENDOR(0x1430), /* RedOctane Xbox 360 controllers */ diff --git a/queue-6.5/ksmbd-not-allow-to-open-file-if-delelete-on-close-bit-is-set.patch b/queue-6.5/ksmbd-not-allow-to-open-file-if-delelete-on-close-bit-is-set.patch new file mode 100644 index 00000000000..78dd6c21d8a 
--- /dev/null
+++ b/queue-6.5/ksmbd-not-allow-to-open-file-if-delelete-on-close-bit-is-set.patch
@@ -0,0 +1,57 @@
+From f43328357defc0dc9d28dbd06dc3361fd2b22e28 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Fri, 6 Oct 2023 10:41:36 +0900
+Subject: ksmbd: not allow to open file if delelete on close bit is set
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Namjae Jeon
+
+commit f43328357defc0dc9d28dbd06dc3361fd2b22e28 upstream.
+
+Cthon test fail with the following error.
+
+check for proper open/unlink operation
+nfsjunk files before unlink:
+ -rwxr-xr-x 1 root root 0 9월 25 11:03 ./nfs2y8Jm9
+./nfs2y8Jm9 open; unlink ret = 0
+nfsjunk files after unlink:
+ -rwxr-xr-x 1 root root 0 9월 25 11:03 ./nfs2y8Jm9
+data compare ok
+nfsjunk files after close:
+ ls: cannot access './nfs2y8Jm9': No such file or directory
+special tests failed
+
+Cthon expect to second unlink failure when file is already unlinked.
+ksmbd can not allow to open file if flags of ksmbd inode is set with
+S_DEL_ON_CLS flags.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/vfs_cache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/vfs_cache.c
++++ b/fs/smb/server/vfs_cache.c
+@@ -106,7 +106,7 @@ int ksmbd_query_inode_status(struct inod
+ ci = __ksmbd_inode_lookup(inode);
+ if (ci) {
+ ret = KSMBD_INODE_STATUS_OK;
+- if (ci->m_flags & S_DEL_PENDING)
++ if (ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS))
+ ret = KSMBD_INODE_STATUS_PENDING_DELETE;
+ atomic_dec(&ci->m_count);
+ }
+@@ -116,7 +116,7 @@ int ksmbd_query_inode_status(struct inod
+
+ bool ksmbd_inode_pending_delete(struct ksmbd_file *fp)
+ {
+- return (fp->f_ci->m_flags & S_DEL_PENDING);
++ return (fp->f_ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS));
+ }
+
+ void ksmbd_set_inode_pending_delete(struct ksmbd_file *fp)
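Review bot: The mask `(S_DEL_PENDING | S_DEL_ON_CLS)` is now written out twice, once in ksmbd_query_inode_status() and once in ksmbd_inode_pending_delete(), and the two copies decide whether an open is refused. If a later change touches only one of them, the two checks would disagree about the same inode. I would define the mask once and use it in both places, and add a comment on ksmbd_inode_pending_delete() such as `/* true for delete-pending and for delete-on-close inodes */`, since the name no longer says everything it tests. ksmbd_query_inode_status() starts outside the hunk.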
diff --git a/queue-6.5/libceph-use-kernel_connect.patch b/queue-6.5/libceph-use-kernel_connect.patch new file mode 100644 index 00000000000..ca8a6efeda0 --- /dev/null +++ b/queue-6.5/libceph-use-kernel_connect.patch 
@@ -0,0 +1,46 @@
+From 7563cf17dce0a875ba3d872acdc63a78ea344019 Mon Sep 17 00:00:00 2001
+From: Jordan Rife
+Date: Wed, 4 Oct 2023 18:38:27 -0500
+Subject: libceph: use kernel_connect()
+
+From: Jordan Rife
+
+commit 7563cf17dce0a875ba3d872acdc63a78ea344019 upstream.
+
+Direct calls to ops->connect() can overwrite the address parameter when
+used in conjunction with BPF SOCK_ADDR hooks. Recent changes to
+kernel_connect() ensure that callers are insulated from such side
+effects. This patch wraps the direct call to ops->connect() with
+kernel_connect() to prevent unexpected changes to the address passed to
+ceph_tcp_connect().
+
+This change was originally part of a larger patch targeting the net tree
+addressing all instances of unprotected calls to ops->connect()
+throughout the kernel, but this change was split up into several patches
+targeting various trees.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/netdev/20230821100007.559638-1-jrife@google.com/
+Link: https://lore.kernel.org/netdev/9944248dba1bce861375fcce9de663934d933ba9.camel@redhat.com/
+Fixes: d74bad4e74ee ("bpf: Hooks for sys_connect")
+Signed-off-by: Jordan Rife
+Reviewed-by: Ilya Dryomov
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ceph/messenger.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -459,8 +459,8 @@ int ceph_tcp_connect(struct ceph_connect
+ set_sock_callbacks(sock, con);
+
+ con_sock_state_connecting(con);
+- ret = sock->ops->connect(sock, (struct sockaddr *)&ss, sizeof(ss),
+- O_NONBLOCK);
++ ret = kernel_connect(sock, (struct sockaddr *)&ss, sizeof(ss),
++ O_NONBLOCK);
+ if (ret == -EINPROGRESS) {
+ dout("connect %s EINPROGRESS sk_state = %u\n",
+ ceph_pr_addr(&con->peer_addr),
diff --git a/queue-6.5/mcb-remove-is_added-flag-from-mcb_device-struct.patch b/queue-6.5/mcb-remove-is_added-flag-from-mcb_device-struct.patch new file mode 100644 index 00000000000..5ffa3d9f113 --- /dev/null +++ b/queue-6.5/mcb-remove-is_added-flag-from-mcb_device-struct.patch 
@@ -0,0 +1,79 @@ +From 0f28ada1fbf0054557cddcdb93ad17f767105208 Mon Sep 17 00:00:00 2001 +From: Jorge Sanjuan Garcia +Date: Wed, 6 Sep 2023 11:49:26 +0000 +Subject: mcb: remove is_added flag from mcb_device struct + +From: Jorge Sanjuan Garcia + +commit 0f28ada1fbf0054557cddcdb93ad17f767105208 upstream. + +When calling mcb_bus_add_devices(), both mcb devices and the mcb +bus will attempt to attach a device to a driver because they share +the same bus_type. This causes an issue when trying to cast the +container of the device to mcb_device struct using to_mcb_device(), +leading to a wrong cast when the mcb_bus is added. A crash occurs +when freing the ida resources as the bus numbering of mcb_bus gets +confused with the is_added flag on the mcb_device struct. + +The only reason for this cast was to keep an is_added flag on the +mcb_device struct that does not seem necessary. The function +device_attach() handles already bound devices and the mcb subsystem +does nothing special with this is_added flag so remove it completely. 
+ +Fixes: 18d288198099 ("mcb: Correctly initialize the bus's device") +Cc: stable +Signed-off-by: Jorge Sanjuan Garcia +Co-developed-by: Jose Javier Rodriguez Barbarin +Signed-off-by: Jose Javier Rodriguez Barbarin +Link: https://lore.kernel.org/r/20230906114901.63174-2-JoseJavier.Rodriguez@duagon.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mcb/mcb-core.c | 10 +++------- + drivers/mcb/mcb-parse.c | 2 -- + include/linux/mcb.h | 1 - + 3 files changed, 3 insertions(+), 10 deletions(-) + +--- a/drivers/mcb/mcb-core.c ++++ b/drivers/mcb/mcb-core.c +@@ -387,17 +387,13 @@ EXPORT_SYMBOL_NS_GPL(mcb_free_dev, MCB); + + static int __mcb_bus_add_devices(struct device *dev, void *data) + { +- struct mcb_device *mdev = to_mcb_device(dev); + int retval; + +- if (mdev->is_added) +- return 0; +- + retval = device_attach(dev); +- if (retval < 0) ++ if (retval < 0) { + dev_err(dev, "Error adding device (%d)\n", retval); +- +- mdev->is_added = true; ++ return retval; ++ } + + return 0; + } +--- a/drivers/mcb/mcb-parse.c ++++ b/drivers/mcb/mcb-parse.c +@@ -99,8 +99,6 @@ static int chameleon_parse_gdd(struct mc + mdev->mem.end = mdev->mem.start + size - 1; + mdev->mem.flags = IORESOURCE_MEM; + +- mdev->is_added = false; +- + ret = mcb_device_register(bus, mdev); + if (ret < 0) + goto err; +--- a/include/linux/mcb.h ++++ b/include/linux/mcb.h +@@ -63,7 +63,6 @@ static inline struct mcb_bus *to_mcb_bus + struct mcb_device { + struct device dev; + struct mcb_bus *bus; +- bool is_added; + struct mcb_driver *driver; + u16 id; + int inst; diff --git a/queue-6.5/mctp-perform-route-lookups-under-a-rcu-read-side-lock.patch b/queue-6.5/mctp-perform-route-lookups-under-a-rcu-read-side-lock.patch new file mode 100644 index 00000000000..083f19b8d68 --- /dev/null +++ b/queue-6.5/mctp-perform-route-lookups-under-a-rcu-read-side-lock.patch 
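Review bot: In __mcb_bus_add_devices() the added `return retval;` changes what a failed device_attach() does to the caller: the old code logged the error and returned 0, the new code hands the negative value back. If this function is used as a bus_for_each_dev() callback (the caller is not in the hunk), a non-zero return ends the walk, so one device that fails to attach would leave the devices after it unattached. If that is not intended, keep the dev_err() and fall through to `return 0;`. If it is intended, a comment such as `/* stop the bus walk on the first attach failure */` would make the choice explicit.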
@@ -0,0 +1,84 @@ +From 5093bbfc10ab6636b32728e35813cbd79feb063c Mon Sep 17 00:00:00 2001 +From: Jeremy Kerr +Date: Mon, 9 Oct 2023 15:56:45 +0800 +Subject: mctp: perform route lookups under a RCU read-side lock + +From: Jeremy Kerr + +commit 5093bbfc10ab6636b32728e35813cbd79feb063c upstream. + +Our current route lookups (mctp_route_lookup and mctp_route_lookup_null) +traverse the net's route list without the RCU read lock held. This means +the route lookup is subject to preemption, resulting in an potential +grace period expiry, and so an eventual kfree() while we still have the +route pointer. + +Add the proper read-side critical section locks around the route +lookups, preventing premption and a possible parallel kfree. + +The remaining net->mctp.routes accesses are already under a +rcu_read_lock, or protected by the RTNL for updates. + +Based on an analysis from Sili Luo , where +introducing a delay in the route lookup could cause a UAF on +simultaneous sendmsg() and route deletion. + +Reported-by: Sili Luo +Fixes: 889b7da23abf ("mctp: Add initial routing framework") +Cc: stable@vger.kernel.org +Signed-off-by: Jeremy Kerr +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/29c4b0e67dc1bf3571df3982de87df90cae9b631.1696837310.git.jk@codeconstruct.com.au +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mctp/route.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -737,6 +737,8 @@ struct mctp_route *mctp_route_lookup(str + { + struct mctp_route *tmp, *rt = NULL; + ++ rcu_read_lock(); ++ + list_for_each_entry_rcu(tmp, &net->mctp.routes, list) { + /* TODO: add metrics */ + if (mctp_rt_match_eid(tmp, dnet, daddr)) { +@@ -747,21 +749,29 @@ struct mctp_route *mctp_route_lookup(str + } + } + ++ rcu_read_unlock(); ++ + return rt; + } + + static struct mctp_route *mctp_route_lookup_null(struct net *net, + struct net_device *dev) + { +- struct mctp_route 
*rt; ++ struct mctp_route *tmp, *rt = NULL; ++ ++ rcu_read_lock(); + +- list_for_each_entry_rcu(rt, &net->mctp.routes, list) { +- if (rt->dev->dev == dev && rt->type == RTN_LOCAL && +- refcount_inc_not_zero(&rt->refs)) +- return rt; ++ list_for_each_entry_rcu(tmp, &net->mctp.routes, list) { ++ if (tmp->dev->dev == dev && tmp->type == RTN_LOCAL && ++ refcount_inc_not_zero(&tmp->refs)) { ++ rt = tmp; ++ break; ++ } + } + +- return NULL; ++ rcu_read_unlock(); ++ ++ return rt; + } + + static int mctp_do_fragment_route(struct mctp_route *rt, struct sk_buff *skb, diff --git a/queue-6.5/media-subdev-don-t-report-v4l2_subdev_cap_streams-when-the-streams-api-is-disabled.patch b/queue-6.5/media-subdev-don-t-report-v4l2_subdev_cap_streams-when-the-streams-api-is-disabled.patch new file mode 100644 index 00000000000..c6e9c92d0bb --- /dev/null +++ b/queue-6.5/media-subdev-don-t-report-v4l2_subdev_cap_streams-when-the-streams-api-is-disabled.patch 
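Review bot: Both lookups in net/mctp/route.c now return a route pointer after `rcu_read_unlock()`, which is only safe because a reference is taken inside the read-side section, and neither function says so. In `mctp_route_lookup_null()` the `refcount_inc_not_zero(&tmp->refs)` is visible; in `mctp_route_lookup()` the lines between the two hunks are not shown, so the same is presumed there. A short comment above each function would keep a later edit from moving the refcount step past the unlock, for example `/* Returns a route with a reference held (taken under RCU), or NULL; the caller must release it. */`.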
@@ -0,0 +1,50 @@ +From 4800021c630210ea0b19434a1fb56ab16385f2b3 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 10 Oct 2023 12:24:58 +0200 +Subject: media: subdev: Don't report V4L2_SUBDEV_CAP_STREAMS when the streams API is disabled + +From: Hans de Goede + +commit 4800021c630210ea0b19434a1fb56ab16385f2b3 upstream. + +Since the stream API is still experimental it is currently locked away +behind the internal, default disabled, v4l2_subdev_enable_streams_api flag. + +Advertising V4L2_SUBDEV_CAP_STREAMS when the streams API is disabled +confuses userspace. E.g. it causes the following libcamera error: + +ERROR SimplePipeline simple.cpp:1497 Failed to reset routes for + /dev/v4l-subdev1: Inappropriate ioctl for device + +Don't report V4L2_SUBDEV_CAP_STREAMS when the streams API is disabled +to avoid problems like this. + +Reported-by: Dennis Bonke +Fixes: 9a6b5bf4c1bb ("media: add V4L2_SUBDEV_CAP_STREAMS") +Cc: stable@vger.kernel.org # for >= 6.3 +Signed-off-by: Hans de Goede +Acked-by: Sakari Ailus +Reviewed-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-subdev.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/media/v4l2-core/v4l2-subdev.c ++++ b/drivers/media/v4l2-core/v4l2-subdev.c +@@ -517,6 +517,13 @@ static long subdev_do_ioctl(struct file + V4L2_SUBDEV_CLIENT_CAP_STREAMS; + int rval; + ++ /* ++ * If the streams API is not enabled, remove V4L2_SUBDEV_CAP_STREAMS. ++ * Remove this when the API is no longer experimental. ++ */ ++ if (!v4l2_subdev_enable_streams_api) ++ streams_subdev = false; ++ + switch (cmd) { + case VIDIOC_SUBDEV_QUERYCAP: { + struct v4l2_subdev_capability *cap = arg; diff --git a/queue-6.5/net-usb-dm9601-fix-uninitialized-variable-use-in-dm9601_mdio_read.patch b/queue-6.5/net-usb-dm9601-fix-uninitialized-variable-use-in-dm9601_mdio_read.patch new file mode 100644 index 00000000000..fd6d54469ea --- /dev/null 
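Review bot: The comment added in `subdev_do_ioctl()` (drivers/media/v4l2-core/v4l2-subdev.c) speaks only of removing V4L2_SUBDEV_CAP_STREAMS, but the assignment `streams_subdev = false;` sits before `switch (cmd)` and so applies to every command that consults `streams_subdev`, not just VIDIOC_SUBDEV_QUERYCAP. The rest of the switch is outside the hunk, so which other cases read the flag cannot be confirmed from here. I would word the comment to match the effect, e.g. `/* Streams API disabled: treat the subdev as non-streams for every ioctl below. */`, keeping the existing line about removing this once the API is no longer experimental.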
+++ b/queue-6.5/net-usb-dm9601-fix-uninitialized-variable-use-in-dm9601_mdio_read.patch @@ -0,0 +1,54 @@ +From 8f8abb863fa5a4cc18955c6a0e17af0ded3e4a76 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Tue, 10 Oct 2023 00:26:14 +0200 +Subject: net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read + +From: Javier Carrasco + +commit 8f8abb863fa5a4cc18955c6a0e17af0ded3e4a76 upstream. + +syzbot has found an uninit-value bug triggered by the dm9601 driver [1]. + +This error happens because the variable res is not updated if the call +to dm_read_shared_word returns an error. In this particular case -EPROTO +was returned and res stayed uninitialized. + +This can be avoided by checking the return value of dm_read_shared_word +and propagating the error if the read operation failed. + +[1] https://syzkaller.appspot.com/bug?extid=1f53a30781af65d2c955 + +Cc: stable@vger.kernel.org +Signed-off-by: Javier Carrasco +Reported-and-tested-by: syzbot+1f53a30781af65d2c955@syzkaller.appspotmail.com +Acked-by: Peter Korsgaard +Fixes: d0374f4f9c35cdfbee0 ("USB: Davicom DM9601 usbnet driver") +Link: https://lore.kernel.org/r/20231009-topic-dm9601_uninit_mdio_read-v2-1-f2fe39739b6c@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/dm9601.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/dm9601.c ++++ b/drivers/net/usb/dm9601.c +@@ -222,13 +222,18 @@ static int dm9601_mdio_read(struct net_d + struct usbnet *dev = netdev_priv(netdev); + + __le16 res; ++ int err; + + if (phy_id) { + netdev_dbg(dev->net, "Only internal phy supported\n"); + return 0; + } + +- dm_read_shared_word(dev, 1, loc, &res); ++ err = dm_read_shared_word(dev, 1, loc, &res); ++ if (err < 0) { ++ netdev_err(dev->net, "MDIO read error: %d\n", err); ++ return err; ++ } + + netdev_dbg(dev->net, + "dm9601_mdio_read() phy_id=0x%02x, loc=0x%02x, returns=0x%04x\n", 
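Review bot: The `netdev_err()` added in `dm9601_mdio_read()` (drivers/net/usb/dm9601.c) is unthrottled, so a device that fails every shared-word read (the syzbot case in the description returned -EPROTO) can emit one error line per MDIO read. Guarding it with `if (net_ratelimit())` or using a once-only variant keeps a faulty or hostile USB device from flooding the log. Separately, the function now returns a negative errno where it previously always produced a register value; callers are outside the hunk, so it is worth confirming that none of them mask the return value as a 16-bit register without checking for `< 0`. The function body continues past the end of the hunk.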
diff --git a/queue-6.5/nfp-flower-avoid-rmmod-nfp-crash-issues.patch b/queue-6.5/nfp-flower-avoid-rmmod-nfp-crash-issues.patch
new file mode 100644
index 00000000000..7f783aaf073
--- /dev/null
+++ b/queue-6.5/nfp-flower-avoid-rmmod-nfp-crash-issues.patch
@@ -0,0 +1,270 @@ +From 14690995c14109852c7ba6e316045c02e4254272 Mon Sep 17 00:00:00 2001 +From: Yanguo Li +Date: Mon, 9 Oct 2023 13:21:55 +0200 +Subject: nfp: flower: avoid rmmod nfp crash issues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yanguo Li + +commit 14690995c14109852c7ba6e316045c02e4254272 upstream. + +When there are CT table entries, and you rmmod nfp, the following +events can happen: + +task1: + nfp_net_pci_remove + ↓ + nfp_flower_stop->(asynchronous)tcf_ct_flow_table_cleanup_work(3) + ↓ + nfp_zone_table_entry_destroy(1) + +task2: + nfp_fl_ct_handle_nft_flow(2) + +When the execution order is (1)->(2)->(3), it will crash. Therefore, in +the function nfp_fl_ct_del_flow, nf_flow_table_offload_del_cb needs to +be executed synchronously. + +At the same time, in order to solve the deadlock problem and the problem +of rtnl_lock sometimes failing, replace rtnl_lock with the private +nfp_fl_lock. + +Fixes: 7cc93d888df7 ("nfp: flower-ct: remove callback delete deadlock") +Cc: stable@vger.kernel.org +Signed-off-by: Yanguo Li +Signed-off-by: Louis Peens +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/flower/cmsg.c | 10 ++++--- + drivers/net/ethernet/netronome/nfp/flower/conntrack.c | 19 +++++++++----- + drivers/net/ethernet/netronome/nfp/flower/main.h | 2 + + drivers/net/ethernet/netronome/nfp/flower/metadata.c | 2 + + drivers/net/ethernet/netronome/nfp/flower/offload.c | 24 +++++++++++++----- + drivers/net/ethernet/netronome/nfp/flower/qos_conf.c | 20 +++++++++------ + 6 files changed, 54 insertions(+), 23 deletions(-) + +--- a/drivers/net/ethernet/netronome/nfp/flower/cmsg.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/cmsg.c +@@ -210,6 +210,7 @@ nfp_flower_cmsg_merge_hint_rx(struct nfp + unsigned int msg_len = nfp_flower_cmsg_get_data_len(skb); + struct nfp_flower_cmsg_merge_hint *msg; + struct nfp_fl_payload *sub_flows[2]; ++ struct nfp_flower_priv *priv; + int err, i, flow_cnt; + + msg = nfp_flower_cmsg_get_data(skb); +@@ -228,14 +229,15 @@ nfp_flower_cmsg_merge_hint_rx(struct nfp + return; + } + +- rtnl_lock(); ++ priv = app->priv; ++ mutex_lock(&priv->nfp_fl_lock); + for (i = 0; i < flow_cnt; i++) { + u32 ctx = be32_to_cpu(msg->flow[i].host_ctx); + + sub_flows[i] = nfp_flower_get_fl_payload_from_ctx(app, ctx); + if (!sub_flows[i]) { + nfp_flower_cmsg_warn(app, "Invalid flow in merge hint\n"); +- goto err_rtnl_unlock; ++ goto err_mutex_unlock; + } + } + +@@ -244,8 +246,8 @@ nfp_flower_cmsg_merge_hint_rx(struct nfp + if (err == -ENOMEM) + nfp_flower_cmsg_warn(app, "Flow merge memory fail.\n"); + +-err_rtnl_unlock: +- rtnl_unlock(); ++err_mutex_unlock: ++ mutex_unlock(&priv->nfp_fl_lock); + } + + static void +--- a/drivers/net/ethernet/netronome/nfp/flower/conntrack.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/conntrack.c +@@ -2130,8 +2130,6 @@ nfp_fl_ct_offload_nft_flow(struct nfp_fl + struct nfp_fl_ct_flow_entry *ct_entry; + struct netlink_ext_ack *extack = NULL; + +- ASSERT_RTNL(); +- + extack = flow->common.extack; + switch (flow->command) { + case 
FLOW_CLS_REPLACE: +@@ -2177,9 +2175,13 @@ int nfp_fl_ct_handle_nft_flow(enum tc_se + + switch (type) { + case TC_SETUP_CLSFLOWER: +- rtnl_lock(); ++ while (!mutex_trylock(&zt->priv->nfp_fl_lock)) { ++ if (!zt->nft) /* avoid deadlock */ ++ return err; ++ msleep(20); ++ } + err = nfp_fl_ct_offload_nft_flow(zt, flow); +- rtnl_unlock(); ++ mutex_unlock(&zt->priv->nfp_fl_lock); + break; + default: + return -EOPNOTSUPP; +@@ -2207,6 +2209,7 @@ int nfp_fl_ct_del_flow(struct nfp_fl_ct_ + struct nfp_fl_ct_flow_entry *ct_entry; + struct nfp_fl_ct_zone_entry *zt; + struct rhashtable *m_table; ++ struct nf_flowtable *nft; + + if (!ct_map_ent) + return -ENOENT; +@@ -2225,8 +2228,12 @@ int nfp_fl_ct_del_flow(struct nfp_fl_ct_ + if (ct_map_ent->cookie > 0) + kfree(ct_map_ent); + +- if (!zt->pre_ct_count) { +- zt->nft = NULL; ++ if (!zt->pre_ct_count && zt->nft) { ++ nft = zt->nft; ++ zt->nft = NULL; /* avoid deadlock */ ++ nf_flow_table_offload_del_cb(nft, ++ nfp_fl_ct_handle_nft_flow, ++ zt); + nfp_fl_ct_clean_nft_entries(zt); + } + break; +--- a/drivers/net/ethernet/netronome/nfp/flower/main.h ++++ b/drivers/net/ethernet/netronome/nfp/flower/main.h +@@ -297,6 +297,7 @@ struct nfp_fl_internal_ports { + * @predt_list: List to keep track of decap pretun flows + * @neigh_table: Table to keep track of neighbor entries + * @predt_lock: Lock to serialise predt/neigh table updates ++ * @nfp_fl_lock: Lock to protect the flow offload operation + */ + struct nfp_flower_priv { + struct nfp_app *app; +@@ -339,6 +340,7 @@ struct nfp_flower_priv { + struct list_head predt_list; + struct rhashtable neigh_table; + spinlock_t predt_lock; /* Lock to serialise predt/neigh table updates */ ++ struct mutex nfp_fl_lock; /* Protect the flow operation */ + }; + + /** +--- a/drivers/net/ethernet/netronome/nfp/flower/metadata.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/metadata.c +@@ -528,6 +528,8 @@ int nfp_flower_metadata_init(struct nfp_ + if (err) + goto err_free_stats_ctx_table; + ++ 
mutex_init(&priv->nfp_fl_lock); ++ + err = rhashtable_init(&priv->ct_zone_table, &nfp_zone_table_params); + if (err) + goto err_free_merge_table; +--- a/drivers/net/ethernet/netronome/nfp/flower/offload.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/offload.c +@@ -1009,8 +1009,6 @@ int nfp_flower_merge_offloaded_flows(str + u64 parent_ctx = 0; + int err; + +- ASSERT_RTNL(); +- + if (sub_flow1 == sub_flow2 || + nfp_flower_is_merge_flow(sub_flow1) || + nfp_flower_is_merge_flow(sub_flow2)) +@@ -1727,19 +1725,30 @@ static int + nfp_flower_repr_offload(struct nfp_app *app, struct net_device *netdev, + struct flow_cls_offload *flower) + { ++ struct nfp_flower_priv *priv = app->priv; ++ int ret; ++ + if (!eth_proto_is_802_3(flower->common.protocol)) + return -EOPNOTSUPP; + ++ mutex_lock(&priv->nfp_fl_lock); + switch (flower->command) { + case FLOW_CLS_REPLACE: +- return nfp_flower_add_offload(app, netdev, flower); ++ ret = nfp_flower_add_offload(app, netdev, flower); ++ break; + case FLOW_CLS_DESTROY: +- return nfp_flower_del_offload(app, netdev, flower); ++ ret = nfp_flower_del_offload(app, netdev, flower); ++ break; + case FLOW_CLS_STATS: +- return nfp_flower_get_stats(app, netdev, flower); ++ ret = nfp_flower_get_stats(app, netdev, flower); ++ break; + default: +- return -EOPNOTSUPP; ++ ret = -EOPNOTSUPP; ++ break; + } ++ mutex_unlock(&priv->nfp_fl_lock); ++ ++ return ret; + } + + static int nfp_flower_setup_tc_block_cb(enum tc_setup_type type, +@@ -1778,6 +1787,7 @@ static int nfp_flower_setup_tc_block(str + repr_priv = repr->app_priv; + repr_priv->block_shared = f->block_shared; + f->driver_block_list = &nfp_block_cb_list; ++ f->unlocked_driver_cb = true; + + switch (f->command) { + case FLOW_BLOCK_BIND: +@@ -1876,6 +1886,8 @@ nfp_flower_setup_indr_tc_block(struct ne + nfp_flower_internal_port_can_offload(app, netdev))) + return -EOPNOTSUPP; + ++ f->unlocked_driver_cb = true; ++ + switch (f->command) { + case FLOW_BLOCK_BIND: + cb_priv = 
nfp_flower_indr_block_cb_priv_lookup(app, netdev); +--- a/drivers/net/ethernet/netronome/nfp/flower/qos_conf.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/qos_conf.c +@@ -523,25 +523,31 @@ int nfp_flower_setup_qos_offload(struct + { + struct netlink_ext_ack *extack = flow->common.extack; + struct nfp_flower_priv *fl_priv = app->priv; ++ int ret; + + if (!(fl_priv->flower_ext_feats & NFP_FL_FEATS_VF_RLIM)) { + NL_SET_ERR_MSG_MOD(extack, "unsupported offload: loaded firmware does not support qos rate limit offload"); + return -EOPNOTSUPP; + } + ++ mutex_lock(&fl_priv->nfp_fl_lock); + switch (flow->command) { + case TC_CLSMATCHALL_REPLACE: +- return nfp_flower_install_rate_limiter(app, netdev, flow, +- extack); ++ ret = nfp_flower_install_rate_limiter(app, netdev, flow, extack); ++ break; + case TC_CLSMATCHALL_DESTROY: +- return nfp_flower_remove_rate_limiter(app, netdev, flow, +- extack); ++ ret = nfp_flower_remove_rate_limiter(app, netdev, flow, extack); ++ break; + case TC_CLSMATCHALL_STATS: +- return nfp_flower_stats_rate_limiter(app, netdev, flow, +- extack); ++ ret = nfp_flower_stats_rate_limiter(app, netdev, flow, extack); ++ break; + default: +- return -EOPNOTSUPP; ++ ret = -EOPNOTSUPP; ++ break; + } ++ mutex_unlock(&fl_priv->nfp_fl_lock); ++ ++ return ret; + } + + /* Offload tc action, currently only for tc police */ diff --git a/queue-6.5/ovl-temporarily-disable-appending-lowedirs.patch b/queue-6.5/ovl-temporarily-disable-appending-lowedirs.patch new file mode 100644 index 00000000000..acee3f07977 --- /dev/null +++ b/queue-6.5/ovl-temporarily-disable-appending-lowedirs.patch 
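Review bot: The trylock loop added to `nfp_fl_ct_handle_nft_flow()` in flower/conntrack.c reads `zt->nft` with no lock held, while `nfp_fl_ct_del_flow()` clears it with a plain store just before calling `nf_flow_table_offload_del_cb()`. The loop's exit depends on that store being observed, so both accesses should be marked: `if (!READ_ONCE(zt->nft))` in the loop and `WRITE_ONCE(zt->nft, NULL);` in the delete path. The early `return err;` also returns whatever `err` was initialised to outside the hunk; a comment stating which value the flowtable core sees when the callback bails out would help. The 20 ms `msleep()` poll has no upper bound, which deserves a comment as well.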
@@ -0,0 +1,95 @@ +From beae836e9c61ee039e367a94b14f7fea08f0ad4c Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Sat, 14 Oct 2023 22:30:04 +0300 +Subject: ovl: temporarily disable appending lowedirs + +From: Amir Goldstein + +commit beae836e9c61ee039e367a94b14f7fea08f0ad4c upstream. + +Kernel v6.5 converted overlayfs to new mount api. +As an added bonus, it also added a feature to allow appending lowerdirs +using lowerdir=:/lower2,lowerdir=::/data3 syntax. + +This new syntax has raised some concerns regarding escaping of colons. +We decided to try and disable this syntax, which hasn't been in the wild +for so long and introduce it again in 6.7 using explicit mount options +lowerdir+=/lower2,datadir+=/data3. + +Suggested-by: Miklos Szeredi +Link: https://lore.kernel.org/r/CAJfpegsr3A4YgF2YBevWa6n3=AcP7hNndG6EPMu3ncvV-AM71A@mail.gmail.com/ +Fixes: b36a5780cb44 ("ovl: modify layer parameter parsing") +Signed-off-by: Amir Goldstein +Signed-off-by: Greg Kroah-Hartman +--- + fs/overlayfs/params.c | 52 ++------------------------------------------------ + 1 file changed, 3 insertions(+), 49 deletions(-) + +--- a/fs/overlayfs/params.c ++++ b/fs/overlayfs/params.c +@@ -284,12 +284,6 @@ static void ovl_parse_param_drop_lowerdi + * Set "/lower1", "/lower2", and "/lower3" as lower layers and + * "/data1" and "/data2" as data lower layers. Any existing lower + * layers are replaced. +- * (2) lowerdir=:/lower4 +- * Append "/lower4" to current stack of lower layers. This requires +- * that there already is at least one lower layer configured. +- * (3) lowerdir=::/lower5 +- * Append data "/lower5" as data lower layer. This requires that +- * there's at least one regular lower layer present. + */ + static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc) + { +@@ -311,49 +305,9 @@ static int ovl_parse_param_lowerdir(cons + return 0; + } + +- if (strncmp(name, "::", 2) == 0) { +- /* +- * This is a data layer. 
+- * There must be at least one regular lower layer +- * specified. +- */ +- if (ctx->nr == 0) { +- pr_err("data lower layers without regular lower layers not allowed"); +- return -EINVAL; +- } +- +- /* Skip the leading "::". */ +- name += 2; +- data_layer = true; +- /* +- * A data layer is automatically an append as there +- * must've been at least one regular lower layer. +- */ +- append = true; +- } else if (*name == ':') { +- /* +- * This is a regular lower layer. +- * If users want to append a layer enforce that they +- * have already specified a first layer before. It's +- * better to be strict. +- */ +- if (ctx->nr == 0) { +- pr_err("cannot append layer if no previous layer has been specified"); +- return -EINVAL; +- } +- +- /* +- * Once a sequence of data layers has started regular +- * lower layers are forbidden. +- */ +- if (ctx->nr_data > 0) { +- pr_err("regular lower layers cannot follow data lower layers"); +- return -EINVAL; +- } +- +- /* Skip the leading ":". */ +- name++; +- append = true; ++ if (*name == ':') { ++ pr_err("cannot append lower layer"); ++ return -EINVAL; + } + + dup = kstrdup(name, GFP_KERNEL); diff --git a/queue-6.5/perf-x86-lbr-filter-vsyscall-addresses.patch b/queue-6.5/perf-x86-lbr-filter-vsyscall-addresses.patch new file mode 100644 index 00000000000..d062376d57f --- /dev/null +++ b/queue-6.5/perf-x86-lbr-filter-vsyscall-addresses.patch 
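Review bot: The new `pr_err("cannot append lower layer");` in `ovl_parse_param_lowerdir()` (fs/overlayfs/params.c) has no trailing newline, as did the messages it replaces; `pr_err("cannot append lower layer\n");` avoids the line being merged with a later continuation. The hunk also removes the only visible assignments `append = true` and `data_layer = true`; if those locals are still declared and tested further down (outside the hunk), the branches that depend on them are now dead and could be dropped or marked as kept for the planned `lowerdir+`/`datadir+` options.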
@@ -0,0 +1,71 @@ +From e53899771a02f798d436655efbd9d4b46c0f9265 Mon Sep 17 00:00:00 2001 +From: JP Kobryn +Date: Fri, 6 Oct 2023 11:57:26 -0700 +Subject: perf/x86/lbr: Filter vsyscall addresses + +From: JP Kobryn + +commit e53899771a02f798d436655efbd9d4b46c0f9265 upstream. + +We found that a panic can occur when a vsyscall is made while LBR sampling +is active. If the vsyscall is interrupted (NMI) for perf sampling, this +call sequence can occur (most recent at top): + + __insn_get_emulate_prefix() + insn_get_emulate_prefix() + insn_get_prefixes() + insn_get_opcode() + decode_branch_type() + get_branch_type() + intel_pmu_lbr_filter() + intel_pmu_handle_irq() + perf_event_nmi_handler() + +Within __insn_get_emulate_prefix() at frame 0, a macro is called: + + peek_nbyte_next(insn_byte_t, insn, i) + +Within this macro, this dereference occurs: + + (insn)->next_byte + +Inspecting registers at this point, the value of the next_byte field is the +address of the vsyscall made, for example the location of the vsyscall +version of gettimeofday() at 0xffffffffff600000. The access to an address +in the vsyscall region will trigger an oops due to an unhandled page fault. + +To fix the bug, filtering for vsyscalls can be done when +determining the branch type. This patch will return +a "none" branch if a kernel address if found to lie in the +vsyscall region. + +Suggested-by: Alexei Starovoitov +Signed-off-by: JP Kobryn +Signed-off-by: Ingo Molnar +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/utils.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/x86/events/utils.c ++++ b/arch/x86/events/utils.c +@@ -1,5 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0 + #include ++#include + + #include "perf_event.h" + +@@ -132,9 +133,9 @@ static int get_branch_type(unsigned long + * The LBR logs any address in the IP, even if the IP just + * faulted. This means userspace can control the from address. 
+ * Ensure we don't blindly read any address by validating it is +- * a known text address. ++ * a known text address and not a vsyscall address. + */ +- if (kernel_text_address(from)) { ++ if (kernel_text_address(from) && !in_gate_area_no_mm(from)) { + addr = (void *)from; + /* + * Assume we can get the maximum possible size diff --git a/queue-6.5/pinctrl-avoid-unsafe-code-pattern-in-find_pinctrl.patch b/queue-6.5/pinctrl-avoid-unsafe-code-pattern-in-find_pinctrl.patch new file mode 100644 index 00000000000..5338409f4be --- /dev/null +++ b/queue-6.5/pinctrl-avoid-unsafe-code-pattern-in-find_pinctrl.patch 
@@ -0,0 +1,63 @@ +From c153a4edff6ab01370fcac8e46f9c89cca1060c2 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Wed, 20 Sep 2023 11:09:10 -0700 +Subject: pinctrl: avoid unsafe code pattern in find_pinctrl() + +From: Dmitry Torokhov + +commit c153a4edff6ab01370fcac8e46f9c89cca1060c2 upstream. + +The code in find_pinctrl() takes a mutex and traverses a list of pinctrl +structures. Later the caller bumps up reference count on the found +structure. Such pattern is not safe as pinctrl that was found may get +deleted before the caller gets around to increasing the reference count. + +Fix this by taking the reference count in find_pinctrl(), while it still +holds the mutex. + +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Link: https://lore.kernel.org/r/ZQs1RgTKg6VJqmPs@google.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/core.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/pinctrl/core.c ++++ b/drivers/pinctrl/core.c +@@ -1012,17 +1012,20 @@ static int add_setting(struct pinctrl *p + + static struct pinctrl *find_pinctrl(struct device *dev) + { +- struct pinctrl *p; ++ struct pinctrl *entry, *p = NULL; + + mutex_lock(&pinctrl_list_mutex); +- list_for_each_entry(p, &pinctrl_list, node) +- if (p->dev == dev) { +- mutex_unlock(&pinctrl_list_mutex); +- return p; ++ ++ list_for_each_entry(entry, &pinctrl_list, node) { ++ if (entry->dev == dev) { ++ p = entry; ++ kref_get(&p->users); ++ break; + } ++ } + + mutex_unlock(&pinctrl_list_mutex); +- return NULL; ++ return p; + } + + static void pinctrl_free(struct pinctrl *p, bool inlist); +@@ -1130,7 +1133,6 @@ struct pinctrl *pinctrl_get(struct devic + p = find_pinctrl(dev); + if (p) { + dev_dbg(dev, "obtain a copy of previously claimed pinctrl\n"); +- kref_get(&p->users); + return p; + } + 
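Review bot: `find_pinctrl()` (drivers/pinctrl/core.c) now calls `kref_get(&p->users)` on whatever entry is still on `pinctrl_list`, which assumes an entry on the list always has a non-zero count. If the release path drops the last reference first and only then takes `pinctrl_list_mutex` to unlink the entry (that path is outside the hunk), the lookup can still find an object whose count has already reached zero and revive it. Taking the reference conditionally closes that window: `if (entry->dev == dev && kref_get_unless_zero(&entry->users)) {` with `p = entry; break;` in the body. The function also now returns with a reference held, which deserves a one-line comment above it.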
diff --git a/queue-6.5/power-supply-qcom_battmgr-fix-battery_id-type.patch b/queue-6.5/power-supply-qcom_battmgr-fix-battery_id-type.patch new file mode 100644 index 00000000000..a0f0534b71f --- /dev/null +++ b/queue-6.5/power-supply-qcom_battmgr-fix-battery_id-type.patch @@ -0,0 +1,41 @@ +From 383eba9f9a7f4cd639d367ea5daa6df2be392c54 Mon Sep 17 00:00:00 2001 +From: Sebastian Reichel +Date: Tue, 19 Sep 2023 14:42:22 +0200 +Subject: power: supply: qcom_battmgr: fix battery_id type + +From: Sebastian Reichel + +commit 383eba9f9a7f4cd639d367ea5daa6df2be392c54 upstream. + +qcom_battmgr_update_request.battery_id is written to using cpu_to_le32() +and should be of type __le32, just like all other 32bit integer requests +for qcom_battmgr. + +Cc: stable@vger.kernel.org # 6.3 +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202309162149.4owm9iXc-lkp@intel.com/ +Fixes: 29e8142b5623 ("power: supply: Introduce Qualcomm PMIC GLINK power supply") +Reviewed-by: Johan Hovold +Link: https://lore.kernel.org/r/20230919124222.1155894-1-sebastian.reichel@collabora.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/qcom_battmgr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/supply/qcom_battmgr.c b/drivers/power/supply/qcom_battmgr.c +index de77df97b3a4..a05fd00711f6 100644 +--- a/drivers/power/supply/qcom_battmgr.c ++++ b/drivers/power/supply/qcom_battmgr.c +@@ -105,7 +105,7 @@ struct qcom_battmgr_property_request { + + struct qcom_battmgr_update_request { + struct pmic_glink_hdr hdr; +- u32 battery_id; ++ __le32 battery_id; + }; + + struct qcom_battmgr_charge_time_request { +-- +2.42.0 + diff --git a/queue-6.5/power-supply-qcom_battmgr-fix-enable-request-endianness.patch b/queue-6.5/power-supply-qcom_battmgr-fix-enable-request-endianness.patch new file mode 100644 index 00000000000..6ed01f814dc --- /dev/null 
+++ b/queue-6.5/power-supply-qcom_battmgr-fix-enable-request-endianness.patch @@ -0,0 +1,46 @@ +From 8894b432548851f705f72ff135d3dcbd442a18d1 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 29 Sep 2023 12:16:49 +0200 +Subject: power: supply: qcom_battmgr: fix enable request endianness + +From: Johan Hovold + +commit 8894b432548851f705f72ff135d3dcbd442a18d1 upstream. + +Add the missing endianness conversion when sending the enable request so +that the driver will work also on a hypothetical big-endian machine. + +This issue was reported by sparse. + +Fixes: 29e8142b5623 ("power: supply: Introduce Qualcomm PMIC GLINK power supply") +Cc: stable@vger.kernel.org # 6.3 +Cc: Bjorn Andersson +Signed-off-by: Johan Hovold +Reviewed-by: Andrew Halaney +Link: https://lore.kernel.org/r/20230929101649.20206-1-johan+linaro@kernel.org +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/qcom_battmgr.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/power/supply/qcom_battmgr.c b/drivers/power/supply/qcom_battmgr.c +index a05fd00711f6..ec163d1bcd18 100644 +--- a/drivers/power/supply/qcom_battmgr.c ++++ b/drivers/power/supply/qcom_battmgr.c +@@ -1282,9 +1282,9 @@ static void qcom_battmgr_enable_worker(struct work_struct *work) + { + struct qcom_battmgr *battmgr = container_of(work, struct qcom_battmgr, enable_work); + struct qcom_battmgr_enable_request req = { +- .hdr.owner = PMIC_GLINK_OWNER_BATTMGR, +- .hdr.type = PMIC_GLINK_NOTIFY, +- .hdr.opcode = BATTMGR_REQUEST_NOTIFICATION, ++ .hdr.owner = cpu_to_le32(PMIC_GLINK_OWNER_BATTMGR), ++ .hdr.type = cpu_to_le32(PMIC_GLINK_NOTIFY), ++ .hdr.opcode = cpu_to_le32(BATTMGR_REQUEST_NOTIFICATION), + }; + int ret; + +-- +2.42.0 + diff --git a/queue-6.5/powerpc-47x-fix-47x-syscall-return-crash.patch b/queue-6.5/powerpc-47x-fix-47x-syscall-return-crash.patch new file mode 100644 index 00000000000..f03495015b7 --- /dev/null 
+++ b/queue-6.5/powerpc-47x-fix-47x-syscall-return-crash.patch 
@@ -0,0 +1,95 @@ +From f0eee815babed70a749d2496a7678be5b45b4c14 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 10 Oct 2023 22:47:50 +1100 +Subject: powerpc/47x: Fix 47x syscall return crash +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael Ellerman + +commit f0eee815babed70a749d2496a7678be5b45b4c14 upstream. + +Eddie reported that newer kernels were crashing during boot on his 476 +FSP2 system: + + kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0) + BUG: Unable to handle kernel instruction fetch + Faulting instruction address: 0xb7ee2000 + Oops: Kernel access of bad area, sig: 11 [#1] + BE PAGE_SIZE=4K FSP-2 + Modules linked in: + CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1 + Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2 + NIP:  b7ee2000 LR: 8c008000 CTR: 00000000 + REGS: bffebd83 TRAP: 0400   Not tainted (6.1.55-d23900f.ppcnf-fs p2) + MSR:  00000030   CR: 00001000  XER: 20000000 + GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000 + GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000 + GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0 + GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0 + NIP [b7ee2000] 0xb7ee2000 + LR [8c008000] 0x8c008000 + Call Trace: + Instruction dump: + XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX + XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX + ---[ end trace 0000000000000000 ]--- + +The problem is in ret_from_syscall where the check for +icache_44x_need_flush is done. When the flush is needed the code jumps +out-of-line to do the flush, and then intends to jump back to continue +the syscall return. 
+ +However the branch back to label 1b doesn't return to the correct +location, instead branching back just prior to the return to userspace, +causing bogus register values to be used by the rfi. + +The breakage was introduced by commit 6f76a01173cc +("powerpc/syscall: implement system call entry/exit logic in C for PPC32") which +inadvertently removed the "1" label and reused it elsewhere. + +Fix it by adding named local labels in the correct locations. Note that +the return label needs to be outside the ifdef so that CONFIG_PPC_47x=n +compiles. + +Fixes: 6f76a01173cc ("powerpc/syscall: implement system call entry/exit logic in C for PPC32") +Cc: stable@vger.kernel.org # v5.12+ +Reported-by: Eddie James +Tested-by: Eddie James +Link: https://lore.kernel.org/linuxppc-dev/fdaadc46-7476-9237-e104-1d2168526e72@linux.ibm.com/ +Signed-off-by: Michael Ellerman +Reviewed-by: Christophe Leroy +Link: https://msgid.link/20231010114750.847794-1-mpe@ellerman.id.au +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/entry_32.S | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/kernel/entry_32.S ++++ b/arch/powerpc/kernel/entry_32.S +@@ -138,8 +138,9 @@ ret_from_syscall: + lis r4,icache_44x_need_flush@ha + lwz r5,icache_44x_need_flush@l(r4) + cmplwi cr0,r5,0 +- bne- 2f ++ bne- .L44x_icache_flush + #endif /* CONFIG_PPC_47x */ ++.L44x_icache_flush_return: + kuep_unlock + lwz r4,_LINK(r1) + lwz r5,_CCR(r1) +@@ -173,10 +174,11 @@ syscall_exit_finish: + b 1b + + #ifdef CONFIG_44x +-2: li r7,0 ++.L44x_icache_flush: ++ li r7,0 + iccci r0,r0 + stw r7,icache_44x_need_flush@l(r4) +- b 1b ++ b .L44x_icache_flush_return + #endif /* CONFIG_44x */ + + .globl ret_from_fork diff --git a/queue-6.5/powerpc-pseries-fix-stk_param-access-in-the-hcall-tracing-code.patch b/queue-6.5/powerpc-pseries-fix-stk_param-access-in-the-hcall-tracing-code.patch new file mode 100644 index 00000000000..a135fbab9bb --- /dev/null 
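Review bot: The out-of-line block at `.L44x_icache_flush` in arch/powerpc/kernel/entry_32.S stores through `icache_44x_need_flush@l(r4)`, so it depends on r4 still holding the `@ha` half loaded by the `lis` just before the `bne-`; that register contract is not written down anywhere in the hunk. A comment on the label, e.g. `/* entered from ret_from_syscall with r4 = icache_44x_need_flush@ha */`, would guard against the kind of silent breakage this patch repairs. Note also that the branch sits under CONFIG_PPC_47x while its target sits under CONFIG_44x; this presumably relies on 47x implying 44x, which is worth stating next to the `#ifdef`.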
+++ b/queue-6.5/powerpc-pseries-fix-stk_param-access-in-the-hcall-tracing-code.patch 
@@ -0,0 +1,131 @@ +From 3b678768c0458e6d8d45fadf61423e44effed4cb Mon Sep 17 00:00:00 2001 +From: Athira Rajeev +Date: Fri, 29 Sep 2023 22:53:36 +0530 +Subject: powerpc/pseries: Fix STK_PARAM access in the hcall tracing code + +From: Athira Rajeev + +commit 3b678768c0458e6d8d45fadf61423e44effed4cb upstream. + +In powerpc pseries system, below behaviour is observed while +enabling tracing on hcall: + # cd /sys/kernel/debug/tracing/ + # cat events/powerpc/hcall_exit/enable + 0 + # echo 1 > events/powerpc/hcall_exit/enable + + # ls + -bash: fork: Bad address + +Above is from power9 lpar with latest kernel. Past this, softlockup +is observed. Initially while attempting via perf_event_open to +use "PERF_TYPE_TRACEPOINT", kernel panic was observed. + +perf config used: +================ + memset(&pe[1],0,sizeof(struct perf_event_attr)); + pe[1].type=PERF_TYPE_TRACEPOINT; + pe[1].size=96; + pe[1].config=0x26ULL; /* 38 raw_syscalls/sys_exit */ + pe[1].sample_type=0; /* 0 */ + pe[1].read_format=PERF_FORMAT_TOTAL_TIME_ENABLED|PERF_FORMAT_TOTAL_TIME_RUNNING|PERF_FORMAT_ID|PERF_FORMAT_GROUP|0x10ULL; /* 1f */ + pe[1].inherit=1; + pe[1].precise_ip=0; /* arbitrary skid */ + pe[1].wakeup_events=0; + pe[1].bp_type=HW_BREAKPOINT_EMPTY; + pe[1].config1=0x1ULL; + +Kernel panic logs: +================== + + Kernel attempted to read user page (8) - exploit attempt? 
(uid: 0) + BUG: Kernel NULL pointer dereference on read at 0x00000008 + Faulting instruction address: 0xc0000000004c2814 + Oops: Kernel access of bad area, sig: 11 [#1] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries + Modules linked in: nfnetlink bonding tls rfkill sunrpc dm_service_time dm_multipath pseries_rng xts vmx_crypto xfs libcrc32c sd_mod t10_pi crc64_rocksoft crc64 sg ibmvfc scsi_transport_fc ibmveth dm_mirror dm_region_hash dm_log dm_mod fuse + CPU: 0 PID: 1431 Comm: login Not tainted 6.4.0+ #1 + Hardware name: IBM,8375-42A POWER9 (raw) 0x4e0202 0xf000005 of:IBM,FW950.30 (VL950_892) hv:phyp pSeries + NIP page_remove_rmap+0x44/0x320 + LR wp_page_copy+0x384/0xec0 + Call Trace: + 0xc00000001416e400 (unreliable) + wp_page_copy+0x384/0xec0 + __handle_mm_fault+0x9d4/0xfb0 + handle_mm_fault+0xf0/0x350 + ___do_page_fault+0x48c/0xc90 + hash__do_page_fault+0x30/0x70 + do_hash_fault+0x1a4/0x330 + data_access_common_virt+0x198/0x1f0 + --- interrupt: 300 at 0x7fffae971abc + +git bisect tracked this down to below commit: +'commit baa49d81a94b ("powerpc/pseries: hvcall stack frame overhead")' + +This commit changed STACK_FRAME_OVERHEAD (112 ) to +STACK_FRAME_MIN_SIZE (32 ) since 32 bytes is the minimum size +for ELFv2 stack. With the latest kernel, when running on ELFv2, +STACK_FRAME_MIN_SIZE is used to allocate stack size. + +During plpar_hcall_trace, first call is made to HCALL_INST_PRECALL +which saves the registers and allocates new stack frame. In the +plpar_hcall_trace code, STK_PARAM is accessed at two places. + 1. To save r4: std r4,STK_PARAM(R4)(r1) + 2. To access r4 back: ld r12,STK_PARAM(R4)(r1) + +HCALL_INST_PRECALL precall allocates a new stack frame. So all +the stack parameter access after the precall, needs to be accessed +with +STACK_FRAME_MIN_SIZE. 
So the store instruction should be: + std r4,STACK_FRAME_MIN_SIZE+STK_PARAM(R4)(r1) + +If the "std" is not updated with STACK_FRAME_MIN_SIZE, we will +end up with overwriting stack contents and cause corruption. +But instead of updating 'std', we can instead remove it since +HCALL_INST_PRECALL already saves it to the correct location. + +similarly load instruction should be: + ld r12,STACK_FRAME_MIN_SIZE+STK_PARAM(R4)(r1) + +Fix the load instruction to correctly access the stack parameter +with +STACK_FRAME_MIN_SIZE and remove the store of r4 since the +precall saves it correctly. + +Cc: stable@vger.kernel.org # v6.2+ +Fixes: baa49d81a94b ("powerpc/pseries: hvcall stack frame overhead") +Co-developed-by: Naveen N Rao +Signed-off-by: Naveen N Rao +Signed-off-by: Athira Rajeev +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230929172337.7906-1-atrajeev@linux.vnet.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/pseries/hvCall.S | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/arch/powerpc/platforms/pseries/hvCall.S ++++ b/arch/powerpc/platforms/pseries/hvCall.S +@@ -185,7 +185,6 @@ _GLOBAL_TOC(plpar_hcall) + plpar_hcall_trace: + HCALL_INST_PRECALL(R5) + +- std r4,STK_PARAM(R4)(r1) + mr r0,r4 + + mr r4,r5 +@@ -197,7 +196,7 @@ plpar_hcall_trace: + + HVSC + +- ld r12,STK_PARAM(R4)(r1) ++ ld r12,STACK_FRAME_MIN_SIZE+STK_PARAM(R4)(r1) + std r4,0(r12) + std r5,8(r12) + std r6,16(r12) +@@ -297,7 +296,6 @@ _GLOBAL_TOC(plpar_hcall9) + plpar_hcall9_trace: + HCALL_INST_PRECALL(R5) + +- std r4,STK_PARAM(R4)(r1) + mr r0,r4 + + mr r4,r5 diff --git a/queue-6.5/risc-v-fix-wrong-use-of-config_have_softirq_on_own_stack.patch b/queue-6.5/risc-v-fix-wrong-use-of-config_have_softirq_on_own_stack.patch new file mode 100644 index 00000000000..7d9a2bcb67e --- /dev/null +++ b/queue-6.5/risc-v-fix-wrong-use-of-config_have_softirq_on_own_stack.patch 
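Review bot: The corrected load in plpar_hcall_trace, `ld r12,STACK_FRAME_MIN_SIZE+STK_PARAM(R4)(r1)`, only works because HCALL_INST_PRECALL has already pushed a frame and saved r4, and nothing beside the instruction records that dependency. A comment such as `/* HCALL_INST_PRECALL pushed a frame and saved r4: the caller's parameter save area is STACK_FRAME_MIN_SIZE above r1 */` would help keep a later frame-size change from reintroducing the stack corruption the commit message describes. The third hunk removes only the store in plpar_hcall9_trace; its matching load is outside the visible context, so it is worth confirming that it already uses the same offset. Both routines continue beyond the hunks.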
@@ -0,0 +1,62 @@ +From 07a27665754bf649b5de8e55c655e4d6837406be Mon Sep 17 00:00:00 2001 +From: Jiexun Wang +Date: Wed, 13 Sep 2023 13:29:40 +0800 +Subject: RISC-V: Fix wrong use of CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK + +From: Jiexun Wang + +commit 07a27665754bf649b5de8e55c655e4d6837406be upstream. + +If configuration options SOFTIRQ_ON_OWN_STACK and PREEMPT_RT +are enabled simultaneously under RISC-V architecture, +it will result in a compilation failure: + +arch/riscv/kernel/irq.c:64:6: error: redefinition of 'do_softirq_own_stack' + 64 | void do_softirq_own_stack(void) + | ^~~~~~~~~~~~~~~~~~~~ +In file included from ./arch/riscv/include/generated/asm/softirq_stack.h:1, + from arch/riscv/kernel/irq.c:15: +./include/asm-generic/softirq_stack.h:8:20: note: previous definition of 'do_softirq_own_stack' was here + 8 | static inline void do_softirq_own_stack(void) + | ^~~~~~~~~~~~~~~~~~~~ + +After changing CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK to CONFIG_SOFTIRQ_ON_OWN_STACK, +compilation can be successful. 
+ +Fixes: dd69d07a5a6c ("riscv: stack: Support HAVE_SOFTIRQ_ON_OWN_STACK") +Reviewed-by: Guo Ren +Signed-off-by: Jiexun Wang +Reviewed-by: Samuel Holland +Link: https://lore.kernel.org/r/20230913052940.374686-1-wangjiexun@tinylab.org +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/irq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/kernel/irq.c b/arch/riscv/kernel/irq.c +index a8efa053c4a5..9cc0a7669271 100644 +--- a/arch/riscv/kernel/irq.c ++++ b/arch/riscv/kernel/irq.c +@@ -60,7 +60,7 @@ static void init_irq_stacks(void) + } + #endif /* CONFIG_VMAP_STACK */ + +-#ifdef CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK ++#ifdef CONFIG_SOFTIRQ_ON_OWN_STACK + void do_softirq_own_stack(void) + { + #ifdef CONFIG_IRQ_STACKS +@@ -92,7 +92,7 @@ void do_softirq_own_stack(void) + #endif + __do_softirq(); + } +-#endif /* CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK */ ++#endif /* CONFIG_SOFTIRQ_ON_OWN_STACK */ + + #else + static void init_irq_stacks(void) {} +-- +2.42.0 + diff --git a/queue-6.5/riscv-only-consider-swbp-ss-handlers-for-correct-privileged-mode.patch b/queue-6.5/riscv-only-consider-swbp-ss-handlers-for-correct-privileged-mode.patch new file mode 100644 index 00000000000..38eef00c5b2 --- /dev/null +++ b/queue-6.5/riscv-only-consider-swbp-ss-handlers-for-correct-privileged-mode.patch 
@@ -0,0 +1,139 @@ +From 9f564b92cf6d0ecb398f9348600a7d8a7f8ea804 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20T=C3=B6pel?= +Date: Tue, 12 Sep 2023 08:56:19 +0200 +Subject: riscv: Only consider swbp/ss handlers for correct privileged mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Töpel + +commit 9f564b92cf6d0ecb398f9348600a7d8a7f8ea804 upstream. + +RISC-V software breakpoint trap handlers are used for {k,u}probes. + +When trapping from kernelmode, only the kernelmode handlers should be +considered. Vice versa, only usermode handlers for usermode +traps. This is not the case on RISC-V, which can trigger a bug if a +userspace process uses uprobes, and a WARN() is triggered from +kernelmode (which is implemented via {c.,}ebreak). + +The kernel will trap on the kernelmode {c.,}ebreak, look for uprobes +handlers, realize incorrectly that uprobes need to be handled, and +exit the trap handler early. The trap returns to re-executing the +{c.,}ebreak, and enter an infinite trap-loop. + +The issue was found running the BPF selftest [1]. + +Fix this issue by only considering the swbp/ss handlers for +kernel/usermode respectively. Also, move CONFIG ifdeffery from traps.c +to the asm/{k,u}probes.h headers. 
+ +Note that linux/uprobes.h only include asm/uprobes.h if CONFIG_UPROBES +is defined, which is why asm/uprobes.h needs to be unconditionally +included in traps.c + +Link: https://lore.kernel.org/linux-riscv/87v8d19aun.fsf@all.your.base.are.belong.to.us/ # [1] +Fixes: 74784081aac8 ("riscv: Add uprobes supported") +Reviewed-by: Guo Ren +Reviewed-by: Nam Cao +Tested-by: Puranjay Mohan +Signed-off-by: Björn Töpel +Link: https://lore.kernel.org/r/20230912065619.62020-1-bjorn@kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/kprobes.h | 9 +++++++++ + arch/riscv/include/asm/uprobes.h | 11 +++++++++++ + arch/riscv/kernel/traps.c | 28 ++++++++++++++++++---------- + 3 files changed, 38 insertions(+), 10 deletions(-) + +--- a/arch/riscv/include/asm/kprobes.h ++++ b/arch/riscv/include/asm/kprobes.h +@@ -40,6 +40,15 @@ void arch_remove_kprobe(struct kprobe *p + int kprobe_fault_handler(struct pt_regs *regs, unsigned int trapnr); + bool kprobe_breakpoint_handler(struct pt_regs *regs); + bool kprobe_single_step_handler(struct pt_regs *regs); ++#else ++static inline bool kprobe_breakpoint_handler(struct pt_regs *regs) ++{ ++ return false; ++} + ++static inline bool kprobe_single_step_handler(struct pt_regs *regs) ++{ ++ return false; ++} + #endif /* CONFIG_KPROBES */ + #endif /* _ASM_RISCV_KPROBES_H */ +--- a/arch/riscv/include/asm/uprobes.h ++++ b/arch/riscv/include/asm/uprobes.h +@@ -34,7 +34,18 @@ struct arch_uprobe { + bool simulate; + }; + ++#ifdef CONFIG_UPROBES + bool uprobe_breakpoint_handler(struct pt_regs *regs); + bool uprobe_single_step_handler(struct pt_regs *regs); ++#else ++static inline bool uprobe_breakpoint_handler(struct pt_regs *regs) ++{ ++ return false; ++} + ++static inline bool uprobe_single_step_handler(struct pt_regs *regs) ++{ ++ return false; ++} ++#endif /* CONFIG_UPROBES */ + #endif /* _ASM_RISCV_UPROBES_H */ +--- a/arch/riscv/kernel/traps.c ++++ b/arch/riscv/kernel/traps.c +@@ -13,6 +13,8 @@ + 
#include + #include + #include ++#include ++#include + #include + #include + #include +@@ -246,22 +248,28 @@ static inline unsigned long get_break_in + return GET_INSN_LENGTH(insn); + } + ++static bool probe_single_step_handler(struct pt_regs *regs) ++{ ++ bool user = user_mode(regs); ++ ++ return user ? uprobe_single_step_handler(regs) : kprobe_single_step_handler(regs); ++} ++ ++static bool probe_breakpoint_handler(struct pt_regs *regs) ++{ ++ bool user = user_mode(regs); ++ ++ return user ? uprobe_breakpoint_handler(regs) : kprobe_breakpoint_handler(regs); ++} ++ + void handle_break(struct pt_regs *regs) + { +-#ifdef CONFIG_KPROBES +- if (kprobe_single_step_handler(regs)) ++ if (probe_single_step_handler(regs)) + return; + +- if (kprobe_breakpoint_handler(regs)) +- return; +-#endif +-#ifdef CONFIG_UPROBES +- if (uprobe_single_step_handler(regs)) ++ if (probe_breakpoint_handler(regs)) + return; + +- if (uprobe_breakpoint_handler(regs)) +- return; +-#endif + current->thread.bad_cause = regs->cause; + + if (user_mode(regs)) diff --git a/queue-6.5/riscv-remove-duplicate-objcopy-flag.patch b/queue-6.5/riscv-remove-duplicate-objcopy-flag.patch new file mode 100644 index 00000000000..8ca6a50c266 --- /dev/null +++ b/queue-6.5/riscv-remove-duplicate-objcopy-flag.patch 
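Review bot: The new helpers probe_single_step_handler() and probe_breakpoint_handler() in traps.c have no comment saying why the handler is selected by `user_mode(regs)`, although that selection is the entire fix. A line above them such as `/* Dispatch on trap origin: a kernel-mode ebreak must never be claimed by the uprobes handlers, and a user-mode one never by kprobes */` would record the invariant that prevents the trap loop described in the commit message. The inline stubs added to asm/kprobes.h and asm/uprobes.h could carry a matching one-line note that they exist so traps.c needs no ifdefs. handle_break() continues past the end of the hunk.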
@@ -0,0 +1,40 @@ +From 505b02957e74f0c5c4655647ccb04bdc945d18f6 Mon Sep 17 00:00:00 2001 +From: Song Shuai +Date: Thu, 14 Sep 2023 17:13:34 +0800 +Subject: riscv: Remove duplicate objcopy flag + +From: Song Shuai + +commit 505b02957e74f0c5c4655647ccb04bdc945d18f6 upstream. + +There are two duplicate `-O binary` flags when objcopying from vmlinux +to Image/xipImage. + +RISC-V set `-O binary` flag in both OBJCOPYFLAGS in the top-level riscv +Makefile and OBJCOPYFLAGS_* in the boot/Makefile, and the objcopy cmd +in Kbuild would join them together. + +The `-O binary` flag is only needed for objcopying Image, so remove the +OBJCOPYFLAGS in the top-level riscv Makefile. + +Fixes: c0fbcd991860 ("RISC-V: Build flat and compressed kernel images") +Signed-off-by: Song Shuai +Reviewed-by: Palmer Dabbelt +Link: https://lore.kernel.org/r/20230914091334.1458542-1-songshuaishuai@tinylab.org +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/Makefile | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/riscv/Makefile ++++ b/arch/riscv/Makefile +@@ -6,7 +6,6 @@ + # for more details. + # + +-OBJCOPYFLAGS := -O binary + LDFLAGS_vmlinux := -z norelro + ifeq ($(CONFIG_RELOCATABLE),y) + LDFLAGS_vmlinux += -shared -Bsymbolic -z notext --emit-relocs diff --git a/queue-6.5/scsi-ufs-core-correct-clear-tm-error-log.patch b/queue-6.5/scsi-ufs-core-correct-clear-tm-error-log.patch new file mode 100644 index 00000000000..9a6cd48e25f --- /dev/null +++ b/queue-6.5/scsi-ufs-core-correct-clear-tm-error-log.patch 
@@ -0,0 +1,33 @@ +From a20c4350c6a12405b7f732b3ee6801ffe2cc45ce Mon Sep 17 00:00:00 2001 +From: Peter Wang +Date: Tue, 3 Oct 2023 10:20:02 +0800 +Subject: scsi: ufs: core: Correct clear TM error log + +From: Peter Wang + +commit a20c4350c6a12405b7f732b3ee6801ffe2cc45ce upstream. + +The clear TM function error log status was inverted. + +Fixes: 4693fad7d6d4 ("scsi: ufs: core: Log error handler activity") +Signed-off-by: Peter Wang +Link: https://lore.kernel.org/r/20231003022002.25578-1-peter.wang@mediatek.com +Reviewed-by: Bart Van Assche +Reviewed-by: Stanley Chu +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -6955,7 +6955,7 @@ static int ufshcd_clear_tm_cmd(struct uf + mask, 0, 1000, 1000); + + dev_err(hba->dev, "Clearing task management function with tag %d %s\n", +- tag, err ? "succeeded" : "failed"); ++ tag, err < 0 ? "failed" : "succeeded"); + + out: + return err; diff --git a/queue-6.5/serial-8250_omap-fix-errors-with-no_console_suspend.patch b/queue-6.5/serial-8250_omap-fix-errors-with-no_console_suspend.patch new file mode 100644 index 00000000000..d41f6fd3b02 --- /dev/null +++ b/queue-6.5/serial-8250_omap-fix-errors-with-no_console_suspend.patch 
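Review bot: With the ternary corrected, the success case in ufshcd_clear_tm_cmd() is still reported through `dev_err()`, so a successful clear is written to the log at error severity. If that is deliberate for tracing error-handler activity, a short comment saying so would help; otherwise the success case could use a lower level, for example `if (err < 0) dev_err(hba->dev, "...failed\n", tag); else dev_dbg(hba->dev, "...succeeded\n", tag);`. The test also changed from `err` to `err < 0`, so a positive non-zero result would now be logged as succeeded while still being returned to the caller. The helper's return convention is not visible here, and the function starts outside the hunk.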
@@ -0,0 +1,91 @@ +From 560706eff7c8e5621b0d63afe0866e0e1906e87e Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Tue, 26 Sep 2023 09:13:17 +0300 +Subject: serial: 8250_omap: Fix errors with no_console_suspend + +From: Tony Lindgren + +commit 560706eff7c8e5621b0d63afe0866e0e1906e87e upstream. + +We now get errors on system suspend if no_console_suspend is set as +reported by Thomas. The errors started with commit 20a41a62618d ("serial: +8250_omap: Use force_suspend and resume for system suspend"). + +Let's fix the issue by checking for console_suspend_enabled in the system +suspend and resume path. + +Note that with this fix the checks for console_suspend_enabled in +omap8250_runtime_suspend() become useless. We now keep runtime PM usage +count for an attached kernel console starting with commit bedb404e91bb +("serial: 8250_port: Don't use power management for kernel console"). + +Fixes: 20a41a62618d ("serial: 8250_omap: Use force_suspend and resume for system suspend") +Cc: stable +Cc: Udit Kumar +Reported-by: Thomas Richard +Signed-off-by: Tony Lindgren +Tested-by: Thomas Richard +Reviewed-by: Dhruva Gole +Link: https://lore.kernel.org/r/20230926061319.15140-1-tony@atomide.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_omap.c | 25 ++++++++++--------------- + 1 file changed, 10 insertions(+), 15 deletions(-) + +--- a/drivers/tty/serial/8250/8250_omap.c ++++ b/drivers/tty/serial/8250/8250_omap.c +@@ -1618,7 +1618,7 @@ static int omap8250_suspend(struct devic + { + struct omap8250_priv *priv = dev_get_drvdata(dev); + struct uart_8250_port *up = serial8250_get_port(priv->line); +- int err; ++ int err = 0; + + serial8250_suspend_port(priv->line); + +@@ -1628,7 +1628,8 @@ static int omap8250_suspend(struct devic + if (!device_may_wakeup(dev)) + priv->wer = 0; + serial_out(up, UART_OMAP_WER, priv->wer); +- err = pm_runtime_force_suspend(dev); ++ if (uart_console(&up->port) && console_suspend_enabled) ++ err = pm_runtime_force_suspend(dev); 
+ flush_work(&priv->qos_work); + + return err; +@@ -1637,11 +1638,15 @@ static int omap8250_suspend(struct devic + static int omap8250_resume(struct device *dev) + { + struct omap8250_priv *priv = dev_get_drvdata(dev); ++ struct uart_8250_port *up = serial8250_get_port(priv->line); + int err; + +- err = pm_runtime_force_resume(dev); +- if (err) +- return err; ++ if (uart_console(&up->port) && console_suspend_enabled) { ++ err = pm_runtime_force_resume(dev); ++ if (err) ++ return err; ++ } ++ + serial8250_resume_port(priv->line); + /* Paired with pm_runtime_resume_and_get() in omap8250_suspend() */ + pm_runtime_mark_last_busy(dev); +@@ -1718,16 +1723,6 @@ static int omap8250_runtime_suspend(stru + + if (priv->line >= 0) + up = serial8250_get_port(priv->line); +- /* +- * When using 'no_console_suspend', the console UART must not be +- * suspended. Since driver suspend is managed by runtime suspend, +- * preventing runtime suspend (by returning error) will keep device +- * active during suspend. +- */ +- if (priv->is_suspending && !console_suspend_enabled) { +- if (up && uart_console(&up->port)) +- return -EBUSY; +- } + + if (priv->habit & UART_ERRATA_CLOCK_DISABLE) { + int ret; diff --git a/queue-6.5/serial-core-fix-checks-for-tx-runtime-pm-state.patch b/queue-6.5/serial-core-fix-checks-for-tx-runtime-pm-state.patch new file mode 100644 index 00000000000..809866138d8 --- /dev/null +++ b/queue-6.5/serial-core-fix-checks-for-tx-runtime-pm-state.patch 
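Review bot: In omap8250_suspend() the new guard `if (uart_console(&up->port) && console_suspend_enabled)` calls pm_runtime_force_suspend() only for a console port, so as written a non-console UART is no longer force-suspended at system suspend, and omap8250_resume() mirrors this for the force-resume. The commit message describes skipping the call only when no_console_suspend is set; if that is the intent, the condition would read `if (!uart_console(&up->port) || console_suspend_enabled)` in both places. If non-console ports are instead meant to be left to runtime PM, a comment stating that would remove the ambiguity. Both functions are only partly visible in the hunks.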
@@ -0,0 +1,56 @@ +From 81a61051e0ce5fd7e09225c0d5985da08c7954a7 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Thu, 5 Oct 2023 10:56:42 +0300 +Subject: serial: core: Fix checks for tx runtime PM state + +From: Tony Lindgren + +commit 81a61051e0ce5fd7e09225c0d5985da08c7954a7 upstream. + +Maximilian reported that surface_serial_hub serdev tx does not work during +system suspend. During system suspend, runtime PM gets disabled in +__device_suspend_late(), and tx is unable to wake-up the serial core port +device that we use to check if tx is safe to start. Johan summarized the +regression noting that serdev tx no longer always works as earlier when the +serdev device is runtime PM active. + +The serdev device and the serial core controller devices are siblings of +the serial port hardware device. The runtime PM usage count from serdev +device does not propagate to the serial core device siblings, it only +propagates to the parent. + +In addition to the tx issue for suspend, testing for the serial core port +device can cause an unnecessary delay in enabling tx while waiting for the +serial core port device to wake-up. The serial core port device wake-up is +only needed to flush pending tx when the serial port hardware device was +in runtime PM suspended state. + +To fix the regression, we need to check the runtime PM state of the parent +serial port hardware device for tx instead of the serial core port device. + +As the serial port device drivers may or may not implement runtime PM, we +need to also add a check for pm_runtime_enabled(). 
+ +Reported-by: Maximilian Luz +Cc: stable +Fixes: 84a9582fd203 ("serial: core: Start managing serial controllers to enable runtime PM") +Signed-off-by: Tony Lindgren +Tested-by: Maximilian Luz +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20231005075644.25936-1-tony@atomide.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/serial_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -157,7 +157,7 @@ static void __uart_start(struct tty_stru + * enabled, serial_port_runtime_resume() calls start_tx() again + * after enabling the device. + */ +- if (pm_runtime_active(&port_dev->dev)) ++ if (!pm_runtime_enabled(port->dev) || pm_runtime_active(port->dev)) + port->ops->start_tx(port); + pm_runtime_mark_last_busy(&port_dev->dev); + pm_runtime_put_autosuspend(&port_dev->dev); diff --git a/queue-6.5/serial-reduce-spinlocked-portion-of-uart_rs485_config.patch b/queue-6.5/serial-reduce-spinlocked-portion-of-uart_rs485_config.patch new file mode 100644 index 00000000000..5c623cd1819 --- /dev/null +++ b/queue-6.5/serial-reduce-spinlocked-portion-of-uart_rs485_config.patch 
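Review bot: The comment directly above the changed test in __uart_start() still explains the check in terms of serial_port_runtime_resume(), while the condition now inspects the parent device `port->dev` and treats disabled runtime PM as active. Extending it with something like `/* Check the parent port hardware device; a driver without runtime PM is treated as always active */` would match the new logic. Only the tail of that comment and of the function is visible in the hunk.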
@@ -0,0 +1,114 @@ +From 8679328eb859d06a1984ab48d90ac35d11bbcaf1 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Thu, 21 Sep 2023 16:52:33 +0200 +Subject: serial: Reduce spinlocked portion of uart_rs485_config() + +From: Lukas Wunner + +commit 8679328eb859d06a1984ab48d90ac35d11bbcaf1 upstream. + +Commit 44b27aec9d96 ("serial: core, 8250: set RS485 termination GPIO in +serial core") enabled support for RS485 termination GPIOs behind i2c +expanders by setting the GPIO outside of the critical section protected +by the port spinlock. Access to the i2c expander may sleep, which +caused a splat with the port spinlock held. + +Commit 7c7f9bc986e6 ("serial: Deassert Transmit Enable on probe in +driver-specific way") erroneously regressed that by spinlocking the +GPIO manipulation again. + +Fix by moving uart_rs485_config() (the function manipulating the GPIO) +outside of the spinlocked section and acquiring the spinlock inside of +uart_rs485_config() for the invocation of ->rs485_config() only. + +This gets us one step closer to pushing the spinlock down into the +->rs485_config() callbacks which actually need it. (Some callbacks +do not want to be spinlocked because they perform sleepable register +accesses, see e.g. sc16is7xx_config_rs485().) + +Stack trace for posterity: + + Voluntary context switch within RCU read-side critical section! 
+ WARNING: CPU: 0 PID: 56 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch + Call trace: + rcu_note_context_switch + __schedule + schedule + schedule_timeout + wait_for_completion_timeout + bcm2835_i2c_xfer + __i2c_transfer + i2c_transfer + i2c_transfer_buffer_flags + regmap_i2c_write + _regmap_raw_write_impl + _regmap_bus_raw_write + _regmap_write + _regmap_update_bits + regmap_update_bits_base + pca953x_gpio_set_value + gpiod_set_raw_value_commit + gpiod_set_value_nocheck + gpiod_set_value_cansleep + uart_rs485_config + uart_add_one_port + pl011_register_port + pl011_probe + +Fixes: 7c7f9bc986e6 ("serial: Deassert Transmit Enable on probe in driver-specific way") +Suggested-by: Lino Sanfilippo +Signed-off-by: Lukas Wunner +Cc: stable@vger.kernel.org # v6.1+ +Link: https://lore.kernel.org/r/f3a35967c28b32f3c6432d0aa5936e6a9908282d.1695307688.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/serial_core.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -1410,12 +1410,18 @@ static void uart_set_rs485_termination(s + static int uart_rs485_config(struct uart_port *port) + { + struct serial_rs485 *rs485 = &port->rs485; ++ unsigned long flags; + int ret; + ++ if (!(rs485->flags & SER_RS485_ENABLED)) ++ return 0; ++ + uart_sanitize_serial_rs485(port, rs485); + uart_set_rs485_termination(port, rs485); + ++ spin_lock_irqsave(&port->lock, flags); + ret = port->rs485_config(port, NULL, rs485); ++ spin_unlock_irqrestore(&port->lock, flags); + if (ret) + memset(rs485, 0, sizeof(*rs485)); + +@@ -2480,11 +2486,10 @@ int uart_resume_port(struct uart_driver + if (ret == 0) { + if (tty) + uart_change_line_settings(tty, state, NULL); ++ uart_rs485_config(uport); + spin_lock_irq(&uport->lock); + if (!(uport->rs485.flags & SER_RS485_ENABLED)) + ops->set_mctrl(uport, uport->mctrl); +- else +- uart_rs485_config(uport); + ops->start_tx(uport); + 
spin_unlock_irq(&uport->lock); + tty_port_set_initialized(port, true); +@@ -2593,10 +2598,10 @@ uart_configure_port(struct uart_driver * + port->mctrl &= TIOCM_DTR; + if (!(port->rs485.flags & SER_RS485_ENABLED)) + port->ops->set_mctrl(port, port->mctrl); +- else +- uart_rs485_config(port); + spin_unlock_irqrestore(&port->lock, flags); + ++ uart_rs485_config(port); ++ + /* + * If this driver supports console, and it hasn't been + * successfully registered yet, try to re-register it. diff --git a/queue-6.5/series b/queue-6.5/series index 29ccabb460a..6cc0771e37e 100644 --- a/queue-6.5/series +++ b/queue-6.5/series 
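Review bot: In uart_rs485_config() the failure path `memset(rs485, 0, sizeof(*rs485));` now runs after `spin_unlock_irqrestore()`, whereas the resume and configure hunks read `rs485.flags` while holding the port lock. If port->rs485 can be read concurrently at these call sites, the clear can stay inside the locked region by placing `if (ret) memset(rs485, 0, sizeof(*rs485));` before `spin_unlock_irqrestore(&port->lock, flags);`. uart_sanitize_serial_rs485() also writes the structure before the lock is taken, so a comment stating what the port lock protects in this function would help. The return value of uart_rs485_config() is ignored at both relocated call sites.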
@@ -90,3 +90,91 @@ rswitch-fix-renesas_eth_sw_remove-implementation.patch
 rswitch-fix-imbalance-phy_power_off-calling.patch
 workqueue-override-implicit-ordered-attribute-in-wor.patch
 riscv-signal-fix-sigaltstack-frame-size-checking.patch
+ovl-temporarily-disable-appending-lowedirs.patch
+dmaengine-stm32-mdma-abort-resume-if-no-ongoing-transfer.patch
+dmaengine-stm32-dma-fix-stm32_dma_prep_slave_sg-in-case-of-mdma-chaining.patch
+dmaengine-stm32-dma-fix-residue-in-case-of-mdma-chaining.patch
+dmaengine-stm32-mdma-use-link-address-register-to-compute-residue.patch
+dmaengine-stm32-mdma-set-in_flight_bytes-in-case-crqa-flag-is-set.patch
+usb-xhci-xhci-ring-use-sysdev-for-mapping-bounce-buffer.patch
+xhci-track-port-suspend-state-correctly-in-unsuccessful-resume-cases.patch
+xhci-clear-ehb-bit-only-at-end-of-interrupt-handler.patch
+xhci-preserve-rsvdp-bits-in-erstba-register-correctly.patch
+net-usb-dm9601-fix-uninitialized-variable-use-in-dm9601_mdio_read.patch
+usb-dwc3-soft-reset-phy-on-probe-for-host.patch
+usb-cdns3-modify-the-return-value-of-cdns_set_active-to-void-when-config_pm_sleep-is-disabled.patch
+usb-hub-guard-against-accesses-to-uninitialized-bos-descriptors.patch
+usb-musb-get-the-musb_qh-poniter-after-musb_giveback.patch
+usb-musb-modify-the-hwvers-register-address.patch
+iio-pressure-bmp280-fix-null-pointer-exception.patch
+iio-imu-bno055-fix-missing-kconfig-dependencies.patch
+iio-cros_ec-fix-an-use-after-free-in-cros_ec_sensors_push_data.patch
+iio-adc-imx8qxp-fix-address-for-command-buffer-registers.patch
+iio-dac-ad3552r-correct-device-ids.patch
+iio-admv1013-add-mixer_vgate-corner-cases.patch
+iio-pressure-dps310-adjust-timeout-settings.patch
+iio-pressure-ms5611-ms5611_prom_is_valid-false-negative-bug.patch
+iio-adc-ad7192-correct-reference-voltage.patch
+iio-addac-kconfig-update-ad74413r-selections.patch
+media-subdev-don-t-report-v4l2_subdev_cap_streams-when-the-streams-api-is-disabled.patch
+arm64-dts-mediatek-mt8195-demo-fix-the-memory-size-to-8gb.patch
+arm64-dts-mediatek-mt8195-demo-update-and-reorder-reserved-memory-regions.patch
+drm-do-not-overrun-array-in-drm_gem_get_pages.patch
+drm-tiny-correctly-print-struct-resource-on-error.patch
+drm-atomic-helper-relax-unregistered-connector-check.patch
+drm-amdgpu-add-missing-null-check.patch
+drm-amd-display-don-t-set-dpms_off-for-seamless-boot.patch
+drm-vmwgfx-keep-a-gem-reference-to-user-bos-in-surfaces.patch
+acpi-resource-skip-irq-override-on-asus-expertbook-b1402cba.patch
+acpi-resource-add-tongfang-gm6bgeq-gm6bg5q-and-gm6bg0q-to-irq1_edge_low_force_override.patch
+acpi-ec-add-quirk-for-the-hp-pavilion-gaming-15-dk1xxx.patch
+serial-reduce-spinlocked-portion-of-uart_rs485_config.patch
+serial-8250_omap-fix-errors-with-no_console_suspend.patch
+serial-core-fix-checks-for-tx-runtime-pm-state.patch
+binder-fix-memory-leaks-of-spam-and-pending-work.patch
+ksmbd-not-allow-to-open-file-if-delelete-on-close-bit-is-set.patch
+perf-x86-lbr-filter-vsyscall-addresses.patch
+x86-cpu-fix-amd-erratum-1485-on-zen4-based-cpus.patch
+x86-alternatives-disable-kasan-in-apply_alternatives.patch
+mcb-remove-is_added-flag-from-mcb_device-struct.patch
+thunderbolt-workaround-an-iommu-fault-on-certain-systems-with-intel-maple-ridge.patch
+thunderbolt-check-that-lane-1-is-in-cl0-before-enabling-lane-bonding.patch
+thunderbolt-correct-tmu-mode-initialization-from-hardware.patch
+thunderbolt-restart-xdomain-discovery-handshake-after-failure.patch
+powerpc-pseries-fix-stk_param-access-in-the-hcall-tracing-code.patch
+powerpc-47x-fix-47x-syscall-return-crash.patch
+libceph-use-kernel_connect.patch
+ceph-fix-incorrect-revoked-caps-assert-in-ceph_fill_file_size.patch
+ceph-fix-type-promotion-bug-on-32bit-systems.patch
+input-powermate-fix-use-after-free-in-powermate_config_complete.patch
+input-psmouse-fix-fast_reconnect-function-for-ps-2-mode.patch
+input-xpad-add-pxn-v900-support.patch
+input-i8042-add-fujitsu-lifebook-e5411-to-i8042-quirk-table.patch
+input-xpad-add-hyperx-clutch-gladiate-support.patch
+input-goodix-ensure-int-gpio-is-in-input-for-gpio_count-1-gpio_int_idx-0-case.patch
+tee-amdtee-fix-use-after-free-vulnerability-in-amdtee_close_session.patch
+mctp-perform-route-lookups-under-a-rcu-read-side-lock.patch
+block-don-t-invalidate-pagecache-for-invalid-falloc-modes.patch
+nfp-flower-avoid-rmmod-nfp-crash-issues.patch
+can-sja1000-always-restart-the-tx-queue-after-an-overrun.patch
+power-supply-qcom_battmgr-fix-battery_id-type.patch
+power-supply-qcom_battmgr-fix-enable-request-endianness.patch
+usb-typec-ucsi-use-get_capability-attributes-data-to-set-power-supply-scope.patch
+cgroup-remove-duplicates-in-cgroup-v1-tasks-file.patch
+dma-buf-add-dma_fence_timestamp-helper.patch
+pinctrl-avoid-unsafe-code-pattern-in-find_pinctrl.patch
+scsi-ufs-core-correct-clear-tm-error-log.patch
+riscv-only-consider-swbp-ss-handlers-for-correct-privileged-mode.patch
+counter-chrdev-fix-getting-array-extensions.patch
+counter-microchip-tcb-capture-fix-the-use-of-internal-gclk-logic.patch
+coresight-fix-run-time-warnings-while-reusing-etr-buffer.patch
+riscv-remove-duplicate-objcopy-flag.patch
+risc-v-fix-wrong-use-of-config_have_softirq_on_own_stack.patch
+usb-typec-ucsi-fix-missing-link-removal.patch
+usb-typec-altmodes-displayport-signal-hpd-low-when-exiting-mode.patch
+usb-typec-ucsi-clear-event_pending-bit-if-ucsi_send_command-fails.patch
+usb-gadget-udc-xilinx-replace-memcpy-with-memcpy_toio.patch
+usb-gadget-ncm-handle-decoding-of-multiple-ntb-s-in-unwrap-call.patch
+usb-cdnsp-fixes-issue-with-dequeuing-not-queued-requests.patch
+usb-typec-qcom-update-the-logic-of-regulator-enable-and-disable.patch
+usb-misc-onboard_hub-add-support-for-microchip-usb2412-usb-2.0-hub.patch
diff --git a/queue-6.5/tee-amdtee-fix-use-after-free-vulnerability-in-amdtee_close_session.patch b/queue-6.5/tee-amdtee-fix-use-after-free-vulnerability-in-amdtee_close_session.patch new file mode 100644 index 00000000000..c395f436dfa --- /dev/null +++ b/queue-6.5/tee-amdtee-fix-use-after-free-vulnerability-in-amdtee_close_session.patch 
@@ -0,0 +1,81 @@
+From f4384b3e54ea813868bb81a861bf5b2406e15d8f Mon Sep 17 00:00:00 2001
+From: Rijo Thomas
+Date: Fri, 29 Sep 2023 12:30:24 +0530
+Subject: tee: amdtee: fix use-after-free vulnerability in amdtee_close_session
+
+From: Rijo Thomas
+
+commit f4384b3e54ea813868bb81a861bf5b2406e15d8f upstream.
+
+There is a potential race condition in amdtee_close_session that may
+cause use-after-free in amdtee_open_session. For instance, if a session
+has refcount == 1, and one thread tries to free this session via:
+
+ kref_put(&sess->refcount, destroy_session);
+
+the reference count will get decremented, and the next step would be to
+call destroy_session(). However, if in another thread,
+amdtee_open_session() is called before destroy_session() has completed
+execution, alloc_session() may return 'sess' that will be freed up
+later in destroy_session() leading to use-after-free in
+amdtee_open_session.
+
+To fix this issue, treat decrement of sess->refcount and removal of
+'sess' from session list in destroy_session() as a critical section, so
+that it is executed atomically.
+
+Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rijo Thomas
+Reviewed-by: Sumit Garg
+Signed-off-by: Jens Wiklander
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tee/amdtee/core.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/tee/amdtee/core.c
++++ b/drivers/tee/amdtee/core.c
+@@ -217,12 +217,12 @@ unlock:
+ return rc;
+ }
+
++/* mutex must be held by caller */
+ static void destroy_session(struct kref *ref)
+ {
+ struct amdtee_session *sess = container_of(ref, struct amdtee_session,
+ refcount);
+
+- mutex_lock(&session_list_mutex);
+ list_del(&sess->list_node);
+ mutex_unlock(&session_list_mutex);
+ kfree(sess);
+@@ -272,7 +272,8 @@ int amdtee_open_session(struct tee_conte
+ if (arg->ret != TEEC_SUCCESS) {
+ pr_err("open_session failed %d\n", arg->ret);
+ handle_unload_ta(ta_handle);
+- kref_put(&sess->refcount, destroy_session);
++ kref_put_mutex(&sess->refcount, destroy_session,
++ &session_list_mutex);
+ goto out;
+ }
+
+@@ -290,7 +291,8 @@ int amdtee_open_session(struct tee_conte
+ pr_err("reached maximum session count %d\n", TEE_NUM_SESSIONS);
+ handle_close_session(ta_handle, session_info);
+ handle_unload_ta(ta_handle);
+- kref_put(&sess->refcount, destroy_session);
++ kref_put_mutex(&sess->refcount, destroy_session,
++ &session_list_mutex);
+ rc = -ENOMEM;
+ goto out;
+ }
+@@ -331,7 +333,7 @@ int amdtee_close_session(struct tee_cont
+ handle_close_session(ta_handle, session_info);
+ handle_unload_ta(ta_handle);
+
+- kref_put(&sess->refcount, destroy_session);
++ kref_put_mutex(&sess->refcount, destroy_session, &session_list_mutex);
+
+ return 0;
+ }
diff --git a/queue-6.5/thunderbolt-check-that-lane-1-is-in-cl0-before-enabling-lane-bonding.patch b/queue-6.5/thunderbolt-check-that-lane-1-is-in-cl0-before-enabling-lane-bonding.patch
new file mode 100644
index 00000000000..952d1c48368
--- /dev/null
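Review bot: The comment added above destroy_session(), `/* mutex must be held by caller */`, states only half of the locking contract: the function still ends with `mutex_unlock(&session_list_mutex)` before `kfree(sess)`, so it is entered with the mutex held and returns with it released. I would spell that out, e.g. `/* Called via kref_put_mutex() with session_list_mutex held; drops it before freeing sess */`, and add `lockdep_assert_held(&session_list_mutex);` as the first statement so that a stray plain kref_put() on this refcount is caught in testing. The fix also relies on every lookup that takes a new reference (alloc_session(), not shown in these hunks) running under the same mutex, which is worth confirming in the backport target.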
+++ b/queue-6.5/thunderbolt-check-that-lane-1-is-in-cl0-before-enabling-lane-bonding.patch @@ -0,0 +1,44 @@ +From a9fdf5f933a6f2b358fad0194b1287b67f6704b1 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Tue, 22 Aug 2023 16:36:18 +0300 +Subject: thunderbolt: Check that lane 1 is in CL0 before enabling lane bonding +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mika Westerberg + +commit a9fdf5f933a6f2b358fad0194b1287b67f6704b1 upstream. + +Marek reported that when BlackMagic UltraStudio device is connected the +kernel repeatedly tries to enable lane bonding without success making +the device non-functional. It looks like the device does not have lane 1 +connected at all so even though it is enabled we should not try to bond +the lanes. For this reason check that lane 1 is in fact CL0 (connected, +active) before attempting to bond the lanes. + +Reported-by: Marek Å anta +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217737 +Cc: stable@vger.kernel.org +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/switch.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/thunderbolt/switch.c ++++ b/drivers/thunderbolt/switch.c +@@ -2724,6 +2724,13 @@ int tb_switch_lane_bonding_enable(struct + !tb_port_is_width_supported(down, TB_LINK_WIDTH_DUAL)) + return 0; + ++ /* ++ * Both lanes need to be in CL0. Here we assume lane 0 already be in ++ * CL0 and check just for lane 1. ++ */ ++ if (tb_wait_for_port(down->dual_link_port, false) <= 0) ++ return -ENOTCONN; ++ + ret = tb_port_lane_bonding_enable(up); + if (ret) { + tb_port_warn(up, "failed to enable lane bonding\n"); diff --git a/queue-6.5/thunderbolt-correct-tmu-mode-initialization-from-hardware.patch b/queue-6.5/thunderbolt-correct-tmu-mode-initialization-from-hardware.patch new file mode 100644 index 00000000000..da8b191e03b --- /dev/null 
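Review bot: The new check `if (tb_wait_for_port(down->dual_link_port, false) <= 0) return -ENOTCONN;` folds two outcomes into one error code: as far as I know tb_wait_for_port() returns a negative errno on failure and 0 when the port is not connected, so a register read error is reported as -ENOTCONN. Consider keeping them apart with the existing `ret`, e.g. `ret = tb_wait_for_port(down->dual_link_port, false); if (ret < 0) return ret; if (!ret) return -ENOTCONN;`. The comment above it would read better as "we assume lane 0 is already in CL0". tb_switch_lane_bonding_enable() starts outside the hunk, so whether `down->dual_link_port` has been checked for NULL before this point cannot be seen here.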
+++ b/queue-6.5/thunderbolt-correct-tmu-mode-initialization-from-hardware.patch
@@ -0,0 +1,42 @@
+From e19f714ea63f861d95d3d92d45d5fd5ca2e05c8c Mon Sep 17 00:00:00 2001
+From: Mika Westerberg
+Date: Thu, 31 Aug 2023 14:10:46 +0300
+Subject: thunderbolt: Correct TMU mode initialization from hardware
+
+From: Mika Westerberg
+
+commit e19f714ea63f861d95d3d92d45d5fd5ca2e05c8c upstream.
+
+David reported that cppcheck found following possible copy & paste
+error from tmu_mode_init():
+
+ tmu.c:385:50: style: Expression is always false because 'else if' condition matches previous condition at line 383. [multiCondition]
+
+And indeed this is a bug. Fix it to use correct index
+(TB_SWITCH_TMU_MODE_HIFI_UNI).
+
+Reported-by: David Binderman
+Fixes: d49b4f043d63 ("thunderbolt: Add support for enhanced uni-directional TMU mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mika Westerberg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/thunderbolt/tmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thunderbolt/tmu.c b/drivers/thunderbolt/tmu.c
+index 747f88703d5c..11f2aec2a5d3 100644
+--- a/drivers/thunderbolt/tmu.c
++++ b/drivers/thunderbolt/tmu.c
+@@ -382,7 +382,7 @@ static int tmu_mode_init(struct tb_switch *sw)
+ } else if (ucap && tb_port_tmu_is_unidirectional(up)) {
+ if (tmu_rates[TB_SWITCH_TMU_MODE_LOWRES] == rate)
+ sw->tmu.mode = TB_SWITCH_TMU_MODE_LOWRES;
+- else if (tmu_rates[TB_SWITCH_TMU_MODE_LOWRES] == rate)
++ else if (tmu_rates[TB_SWITCH_TMU_MODE_HIFI_UNI] == rate)
+ sw->tmu.mode = TB_SWITCH_TMU_MODE_HIFI_UNI;
+ } else if (rate) {
+ sw->tmu.mode = TB_SWITCH_TMU_MODE_HIFI_BI;
+--
+2.42.0
+
diff --git a/queue-6.5/thunderbolt-restart-xdomain-discovery-handshake-after-failure.patch b/queue-6.5/thunderbolt-restart-xdomain-discovery-handshake-after-failure.patch
new file mode 100644
index 00000000000..b741ed86fa2
--- /dev/null
+++ b/queue-6.5/thunderbolt-restart-xdomain-discovery-handshake-after-failure.patch
@@ -0,0 +1,135 @@
+From 308092d080852f8997126e5b3507536162416f4a Mon Sep 17 00:00:00 2001
+From: Mika Westerberg
+Date: Thu, 7 Sep 2023 16:02:30 +0300
+Subject: thunderbolt: Restart XDomain discovery handshake after failure
+
+From: Mika Westerberg
+
+commit 308092d080852f8997126e5b3507536162416f4a upstream.
+
+Alex reported that after rebooting the other host the peer-to-peer link
+does not come up anymore. The reason for this is that the host that was
+not rebooted tries to send the UUID request only 10 times according to
+the USB4 Inter-Domain spec and gives up if it does not get reply. Then
+when the other side is actually ready it cannot get the link established
+anymore. The USB4 Inter-Domain spec requires that the discovery protocol
+is restarted in that case so implement this now.
+
+Reported-by: Alex Balcanquall
+Fixes: 8e1de7042596 ("thunderbolt: Add support for XDomain lane bonding")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mika Westerberg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/thunderbolt/xdomain.c | 58 +++++++++++++++++++++++++++++------------
+ 1 file changed, 41 insertions(+), 17 deletions(-)
+
+--- a/drivers/thunderbolt/xdomain.c
++++ b/drivers/thunderbolt/xdomain.c
+@@ -703,6 +703,27 @@ out_unlock:
+ mutex_unlock(&xdomain_lock);
+ }
+
++static void start_handshake(struct tb_xdomain *xd)
++{
++ xd->state = XDOMAIN_STATE_INIT;
++ queue_delayed_work(xd->tb->wq, &xd->state_work,
++ msecs_to_jiffies(XDOMAIN_SHORT_TIMEOUT));
++}
++
++/* Can be called from state_work */
++static void __stop_handshake(struct tb_xdomain *xd)
++{
++ cancel_delayed_work_sync(&xd->properties_changed_work);
++ xd->properties_changed_retries = 0;
++ xd->state_retries = 0;
++}
++
++static void stop_handshake(struct tb_xdomain *xd)
++{
++ cancel_delayed_work_sync(&xd->state_work);
++ __stop_handshake(xd);
++}
++
+ static void tb_xdp_handle_request(struct work_struct *work)
+ {
+ struct xdomain_request_work *xw = container_of(work, typeof(*xw), work);
+@@ -765,6 +786,15 @@ static void tb_xdp_handle_request(struct
+ case UUID_REQUEST:
+ tb_dbg(tb, "%llx: received XDomain UUID request\n", route);
+ ret = tb_xdp_uuid_response(ctl, route, sequence, uuid);
++ /*
++ * If we've stopped the discovery with an error such as
++ * timing out, we will restart the handshake now that we
++ * received UUID request from the remote host.
++ */
++ if (!ret && xd && xd->state == XDOMAIN_STATE_ERROR) {
++ dev_dbg(&xd->dev, "restarting handshake\n");
++ start_handshake(xd);
++ }
+ break;
+
+ case LINK_STATE_STATUS_REQUEST:
+@@ -1521,6 +1551,13 @@ static void tb_xdomain_queue_properties_
+ msecs_to_jiffies(XDOMAIN_SHORT_TIMEOUT));
+ }
+
++static void tb_xdomain_failed(struct tb_xdomain *xd)
++{
++ xd->state = XDOMAIN_STATE_ERROR;
++ queue_delayed_work(xd->tb->wq, &xd->state_work,
++ msecs_to_jiffies(XDOMAIN_DEFAULT_TIMEOUT));
++}
++
+ static void tb_xdomain_state_work(struct work_struct *work)
+ {
+ struct tb_xdomain *xd = container_of(work, typeof(*xd), state_work.work);
+@@ -1547,7 +1584,7 @@ static void tb_xdomain_state_work(struct
+ if (ret) {
+ if (ret == -EAGAIN)
+ goto retry_state;
+- xd->state = XDOMAIN_STATE_ERROR;
++ tb_xdomain_failed(xd);
+ } else {
+ tb_xdomain_queue_properties_changed(xd);
+ if (xd->bonding_possible)
+@@ -1612,7 +1649,7 @@ static void tb_xdomain_state_work(struct
+ if (ret) {
+ if (ret == -EAGAIN)
+ goto retry_state;
+- xd->state = XDOMAIN_STATE_ERROR;
++ tb_xdomain_failed(xd);
+ } else {
+ xd->state = XDOMAIN_STATE_ENUMERATED;
+ }
+@@ -1623,6 +1660,8 @@ static void tb_xdomain_state_work(struct
+ break;
+
+ case XDOMAIN_STATE_ERROR:
++ dev_dbg(&xd->dev, "discovery failed, stopping handshake\n");
++ __stop_handshake(xd);
+ break;
+
+ default:
+@@ -1833,21 +1872,6 @@ static void tb_xdomain_release(struct de
+ kfree(xd);
+ }
+
+-static void start_handshake(struct tb_xdomain *xd)
+-{
+- xd->state = XDOMAIN_STATE_INIT;
+- queue_delayed_work(xd->tb->wq, &xd->state_work,
+- msecs_to_jiffies(XDOMAIN_SHORT_TIMEOUT));
+-}
+-
+-static void stop_handshake(struct tb_xdomain *xd)
+-{
+- cancel_delayed_work_sync(&xd->properties_changed_work);
+- cancel_delayed_work_sync(&xd->state_work);
+- xd->properties_changed_retries = 0;
+- xd->state_retries = 0;
+-}
+-
+ static int __maybe_unused tb_xdomain_suspend(struct device *dev)
+ {
+ stop_handshake(tb_to_xdomain(dev));
diff --git a/queue-6.5/thunderbolt-workaround-an-iommu-fault-on-certain-systems-with-intel-maple-ridge.patch b/queue-6.5/thunderbolt-workaround-an-iommu-fault-on-certain-systems-with-intel-maple-ridge.patch
new file mode 100644
index 00000000000..54557a04d4f
--- /dev/null
+++ b/queue-6.5/thunderbolt-workaround-an-iommu-fault-on-certain-systems-with-intel-maple-ridge.patch
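Review bot: `xd->state` is now tested and rewritten in tb_xdp_handle_request() (`xd->state == XDOMAIN_STATE_ERROR` followed by start_handshake()) while tb_xdomain_failed() and tb_xdomain_state_work() write it from the delayed work, and no lock is visible around either access in these hunks. If a UUID request arrives after tb_xdomain_failed() has queued state_work but before it runs, queue_delayed_work() in start_handshake() does nothing because the work is already pending, so the restart presumably waits for XDOMAIN_DEFAULT_TIMEOUT and the `case XDOMAIN_STATE_ERROR:` branch that calls __stop_handshake() is not taken. Please document which context serialises `xd->state`, and consider `mod_delayed_work()` for the restart path. The comment on __stop_handshake() could also say why it exists: `/* Like stop_handshake() but leaves state_work alone, so it can be called from state_work itself */`. tb_xdp_handle_request() and tb_xdomain_state_work() both extend beyond the hunks.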
@@ -0,0 +1,228 @@
+From 582620d9f6b352552bc9a3316fe2b1c3acd8742d Mon Sep 17 00:00:00 2001
+From: Mika Westerberg
+Date: Fri, 18 Aug 2023 15:27:46 +0300
+Subject: thunderbolt: Workaround an IOMMU fault on certain systems with Intel Maple Ridge
+
+From: Mika Westerberg
+
+commit 582620d9f6b352552bc9a3316fe2b1c3acd8742d upstream.
+
+On some systems the IOMMU blocks the first couple of driver ready
+messages to the connection manager firmware as can be seen in below
+excerpts:
+
+ thunderbolt 0000:06:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0010 address=0xbb0e3400 flags=0x0020]
+
+or
+
+ DMAR: DRHD: handling fault status reg 2
+ DMAR: [DMA Write] Request device [04:00.0] PASID ffffffff fault addr 69974000 [fault reason 05] PTE Write access is not set
+
+The reason is unknown and hard to debug because we were not able to
+reproduce this locally. This only happens on certain systems with Intel
+Maple Ridge Thunderbolt controller. If there is a device connected when
+the driver is loaded the issue does not happen either. Only when there
+is nothing connected (so typically when the system is booted up).
+
+We can work this around by sending the driver ready several times. After
+a couple of retries the message goes through and the controller works
+just fine. For this reason make the number of retries a parameter for
+icm_request() and then for Maple Ridge (and Titan Ridge as they us the
+same function but this should not matter) increase number of retries
+while shortening the timeout accordingly.
+
+Reported-by: Werner Sembach
+Reported-by: Konrad J Hambrick
+Reported-by: Calvin Walton
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=214259
+Cc: stable@vger.kernel.org
+Signed-off-by: Mika Westerberg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/thunderbolt/icm.c | 40 ++++++++++++++++++++--------------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+--- a/drivers/thunderbolt/icm.c
++++ b/drivers/thunderbolt/icm.c
+@@ -41,6 +41,7 @@
+ #define PHY_PORT_CS1_LINK_STATE_SHIFT 26
+
+ #define ICM_TIMEOUT 5000 /* ms */
++#define ICM_RETRIES 3
+ #define ICM_APPROVE_TIMEOUT 10000 /* ms */
+ #define ICM_MAX_LINK 4
+
+@@ -296,10 +297,9 @@ static bool icm_copy(struct tb_cfg_reque
+
+ static int icm_request(struct tb *tb, const void *request, size_t request_size,
+ void *response, size_t response_size, size_t npackets,
+- unsigned int timeout_msec)
++ int retries, unsigned int timeout_msec)
+ {
+ struct icm *icm = tb_priv(tb);
+- int retries = 3;
+
+ do {
+ struct tb_cfg_request *req;
+@@ -410,7 +410,7 @@ static int icm_fr_get_route(struct tb *t
+ return -ENOMEM;
+
+ ret = icm_request(tb, &request, sizeof(request), switches,
+- sizeof(*switches), npackets, ICM_TIMEOUT);
++ sizeof(*switches), npackets, ICM_RETRIES, ICM_TIMEOUT);
+ if (ret)
+ goto err_free;
+
+@@ -463,7 +463,7 @@ icm_fr_driver_ready(struct tb *tb, enum
+
+ memset(&reply, 0, sizeof(reply));
+ ret = icm_request(tb, &request, sizeof(request), &reply, sizeof(reply),
+- 1, ICM_TIMEOUT);
++ 1, ICM_RETRIES, ICM_TIMEOUT);
+ if (ret)
+ return ret;
+
+@@ -488,7 +488,7 @@ static int icm_fr_approve_switch(struct
+ memset(&reply, 0, sizeof(reply));
+ /* Use larger timeout as establishing tunnels can take some time */
+ ret = icm_request(tb, &request, sizeof(request), &reply, sizeof(reply),
+- 1, ICM_APPROVE_TIMEOUT);
++ 1, ICM_RETRIES, ICM_APPROVE_TIMEOUT);
+ if (ret)
+ return ret;
+
+@@ -515,7 +515,7 @@ static int icm_fr_add_switch_key(struct
+
+ memset(&reply, 0, sizeof(reply));
+ ret = icm_request(tb, &request, sizeof(request), &reply, sizeof(reply),
+- 1, ICM_TIMEOUT);
++ 1, ICM_RETRIES, ICM_TIMEOUT);
+ if (ret)
+ return ret;
+
+@@ -543,7 +543,7 @@ static int icm_fr_challenge_switch_key(s
+
+ memset(&reply, 0, sizeof(reply));
+ ret = icm_request(tb, &request, sizeof(request), &reply, sizeof(reply),
+- 1, ICM_TIMEOUT);
++ 1, ICM_RETRIES, ICM_TIMEOUT);
+ if (ret)
+ return ret;
+
+@@ -577,7 +577,7 @@ static int icm_fr_approve_xdomain_paths(
+
+ memset(&reply, 0, sizeof(reply));
+ ret = icm_request(tb, &request, sizeof(request), &reply, sizeof(reply),
+- 1, ICM_TIMEOUT);
++ 1, ICM_RETRIES, ICM_TIMEOUT);
+ if (ret)
+ return ret;
+
+@@ -1020,7 +1020,7 @@ icm_tr_driver_ready(struct tb *tb, enum
+
+ memset(&reply, 0, sizeof(reply));
+ ret = icm_request(tb, &request, sizeof(request), &reply, sizeof(reply),
+- 1, 20000);
++ 1, 10, 2000);
+ if (ret)
+ return ret;
+
+@@ -1053,7 +1053,7 @@ static int icm_tr_approve_switch(struct
+
+ memset(&reply, 0, sizeof(reply));
+ ret = icm_request(tb, &request, sizeof(request), &reply, sizeof(reply),
+- 1, ICM_APPROVE_TIMEOUT);
++ 1, ICM_RETRIES, ICM_APPROVE_TIMEOUT);
+ if (ret)
+ return ret;
+
+@@ -1081,7 +1081,7 @@ static int icm_tr_add_switch_key(struct
+
+ memset(&reply, 0, sizeof(reply));
+ ret = icm_request(tb, &request, sizeof(request), &reply, sizeof(reply),
+- 1, ICM_TIMEOUT);
++ 1, ICM_RETRIES, ICM_TIMEOUT);
+ if (ret)
+ return ret;
+
+@@ -1110,7 +1110,7 @@ static int icm_tr_challenge_switch_key(s
+
+ memset(&reply, 0, sizeof(reply));
+ ret = icm_request(tb, &request, sizeof(request), &reply, sizeof(reply),
+- 1, ICM_TIMEOUT);
++ 1, ICM_RETRIES, ICM_TIMEOUT);
+ if (ret)
+ return ret;
+
+@@ -1144,7 +1144,7 @@ static int icm_tr_approve_xdomain_paths(
+
+ memset(&reply, 0, sizeof(reply));
+ ret = icm_request(tb, &request, sizeof(request), &reply, sizeof(reply),
+- 1, ICM_TIMEOUT);
++ 1, ICM_RETRIES, ICM_TIMEOUT);
+ if (ret)
+ return ret;
+
+@@ -1170,7 +1170,7 @@ static int icm_tr_xdomain_tear_down(stru
+
+ memset(&reply, 0, sizeof(reply));
+ ret = icm_request(tb, &request, sizeof(request), &reply, sizeof(reply),
+- 1, ICM_TIMEOUT);
++ 1, ICM_RETRIES, ICM_TIMEOUT);
+ if (ret)
+ return ret;
+
+@@ -1496,7 +1496,7 @@ icm_ar_driver_ready(struct tb *tb, enum
+
+ memset(&reply, 0, sizeof(reply));
+ ret = icm_request(tb, &request, sizeof(request), &reply, sizeof(reply),
+- 1, ICM_TIMEOUT);
++ 1, ICM_RETRIES, ICM_TIMEOUT);
+ if (ret)
+ return ret;
+
+@@ -1522,7 +1522,7 @@ static int icm_ar_get_route(struct tb *t
+
+ memset(&reply, 0, sizeof(reply));
+ ret = icm_request(tb, &request, sizeof(request), &reply, sizeof(reply),
+- 1, ICM_TIMEOUT);
++ 1, ICM_RETRIES, ICM_TIMEOUT);
+ if (ret)
+ return ret;
+
+@@ -1543,7 +1543,7 @@ static int icm_ar_get_boot_acl(struct tb
+
+ memset(&reply, 0, sizeof(reply));
+ ret = icm_request(tb, &request, sizeof(request), &reply, sizeof(reply),
+- 1, ICM_TIMEOUT);
++ 1, ICM_RETRIES, ICM_TIMEOUT);
+ if (ret)
+ return ret;
+
+@@ -1604,7 +1604,7 @@ static int icm_ar_set_boot_acl(struct tb
+
+ memset(&reply, 0, sizeof(reply));
+ ret = icm_request(tb, &request, sizeof(request), &reply, sizeof(reply),
+- 1, ICM_TIMEOUT);
++ 1, ICM_RETRIES, ICM_TIMEOUT);
+ if (ret)
+ return ret;
+
+@@ -1626,7 +1626,7 @@ icm_icl_driver_ready(struct tb *tb, enum
+
+ memset(&reply, 0, sizeof(reply));
+ ret = icm_request(tb, &request, sizeof(request), &reply, sizeof(reply),
+- 1, 20000);
++ 1, ICM_RETRIES, 20000);
+ if (ret)
+ return ret;
+
+@@ -2298,7 +2298,7 @@ static int icm_usb4_switch_op(struct tb_
+
+ memset(&reply, 0, sizeof(reply));
+ ret = icm_request(tb, &request, sizeof(request), &reply, sizeof(reply),
+- 1, ICM_TIMEOUT);
++ 1, ICM_RETRIES, ICM_TIMEOUT);
+ if (ret)
+ return ret;
+
diff --git a/queue-6.5/usb-cdns3-modify-the-return-value-of-cdns_set_active-to-void-when-config_pm_sleep-is-disabled.patch b/queue-6.5/usb-cdns3-modify-the-return-value-of-cdns_set_active-to-void-when-config_pm_sleep-is-disabled.patch
new file mode 100644
index 00000000000..49924c78364
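Review bot: In icm_tr_driver_ready() the call now ends in the bare literals `1, 10, 2000`, while most other callers in this patch pass the named `ICM_RETRIES` and a named timeout. Nothing at the call site says that the ten short attempts are the IOMMU workaround described in the commit message, so a later clean-up could easily put `ICM_RETRIES` back. I would add named constants next to `ICM_RETRIES` (for example `#define ICM_TR_DRIVER_READY_RETRIES 10`, the name is only a suggestion) or at least a comment on the call such as `/* Retry more often with a shorter timeout: the IOMMU may block the first driver ready messages */`. The loop body of icm_request() lies outside the hunk, so how the now caller-supplied `retries` is consumed cannot be checked here.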
--- /dev/null
+++ b/queue-6.5/usb-cdns3-modify-the-return-value-of-cdns_set_active-to-void-when-config_pm_sleep-is-disabled.patch
@@ -0,0 +1,39 @@
+From 9f35d612da5592f1bf1cae44ec1e023df37bea12 Mon Sep 17 00:00:00 2001
+From: Xiaolei Wang
+Date: Tue, 26 Sep 2023 15:53:33 +0800
+Subject: usb: cdns3: Modify the return value of cdns_set_active () to void when CONFIG_PM_SLEEP is disabled
+
+From: Xiaolei Wang
+
+commit 9f35d612da5592f1bf1cae44ec1e023df37bea12 upstream.
+
+The return type of cdns_set_active () is inconsistent
+depending on whether CONFIG_PM_SLEEP is enabled, so the
+return value is modified to void type.
+
+Reported-by: Pavel Machek
+Closes: https://lore.kernel.org/all/ZP7lIKUzD68XA91j@duo.ucw.cz/
+Fixes: 2319b9c87fe2 ("usb: cdns3: Put the cdns set active part outside the spin lock")
+Cc: stable@vger.kernel.org
+Signed-off-by: Xiaolei Wang
+Reviewed-by: Pavel Machek
+Reviewed-by: Roger Quadros
+Acked-by: Peter Chen
+Link: https://lore.kernel.org/r/20230926075333.1791011-1-xiaolei.wang@windriver.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/cdns3/core.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/usb/cdns3/core.h
++++ b/drivers/usb/cdns3/core.h
+@@ -131,8 +131,7 @@ void cdns_set_active(struct cdns *cdns,
+ #else /* CONFIG_PM_SLEEP */
+ static inline int cdns_resume(struct cdns *cdns)
+ { return 0; }
+-static inline int cdns_set_active(struct cdns *cdns, u8 set_active)
+-{ return 0; }
++static inline void cdns_set_active(struct cdns *cdns, u8 set_active) { }
+ static inline int cdns_suspend(struct cdns *cdns)
+ { return 0; }
+ #endif /* CONFIG_PM_SLEEP */
diff --git a/queue-6.5/usb-cdnsp-fixes-issue-with-dequeuing-not-queued-requests.patch b/queue-6.5/usb-cdnsp-fixes-issue-with-dequeuing-not-queued-requests.patch
new file mode 100644
index 00000000000..fedda3fe1fb
--- /dev/null
+++ b/queue-6.5/usb-cdnsp-fixes-issue-with-dequeuing-not-queued-requests.patch
@@ -0,0 +1,36 @@
+From 34f08eb0ba6e4869bbfb682bf3d7d0494ffd2f87 Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak
+Date: Thu, 13 Jul 2023 04:14:29 -0400
+Subject: usb: cdnsp: Fixes issue with dequeuing not queued requests
+
+From: Pawel Laszczak
+
+commit 34f08eb0ba6e4869bbfb682bf3d7d0494ffd2f87 upstream.
+
+Gadget ACM while unloading module try to dequeue not queued usb
+request which causes the kernel to crash.
+Patch adds extra condition to check whether usb request is processed
+by CDNSP driver.
+
+cc: stable@vger.kernel.org
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+Signed-off-by: Pawel Laszczak
+Acked-by: Peter Chen
+Link: https://lore.kernel.org/r/20230713081429.326660-1-pawell@cadence.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/cdns3/cdnsp-gadget.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/cdns3/cdnsp-gadget.c
++++ b/drivers/usb/cdns3/cdnsp-gadget.c
+@@ -1125,6 +1125,9 @@ static int cdnsp_gadget_ep_dequeue(struc
+ unsigned long flags;
+ int ret;
+
++ if (request->status != -EINPROGRESS)
++ return 0;
++
+ if (!pep->endpoint.desc) {
+ dev_err(pdev->dev,
+ "%s: can't dequeue to disabled endpoint\n",
diff --git a/queue-6.5/usb-dwc3-soft-reset-phy-on-probe-for-host.patch b/queue-6.5/usb-dwc3-soft-reset-phy-on-probe-for-host.patch
new file mode 100644
index 00000000000..95a72dbbc48
--- /dev/null
+++ b/queue-6.5/usb-dwc3-soft-reset-phy-on-probe-for-host.patch
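Review bot: The added early return `if (request->status != -EINPROGRESS) return 0;` reads `request->status` before any lock is taken; the `unsigned long flags` declaration just above suggests that the rest of cdnsp_gadget_ep_dequeue() runs under a spinlock the hunk does not show. If a completion can run concurrently, the status may change between this test and the dequeue itself, so the check is better placed after the lock is acquired, or the reason it is safe unlocked should be stated in a comment. It also reports success for a request this driver never queued, which can hide caller bugs; a short comment such as `/* Not queued on this endpoint, or already given back: nothing to dequeue */` would record that this is intended.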
@@ -0,0 +1,82 @@
+From 8bea147dfdf823eaa8d3baeccc7aeb041b41944b Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen
+Date: Wed, 13 Sep 2023 00:52:15 +0000
+Subject: usb: dwc3: Soft reset phy on probe for host
+
+From: Thinh Nguyen
+
+commit 8bea147dfdf823eaa8d3baeccc7aeb041b41944b upstream.
+
+When there's phy initialization, we need to initiate a soft-reset
+sequence. That's done through USBCMD.HCRST in the xHCI driver and its
+initialization, However, the dwc3 driver may modify core configs before
+the soft-reset. This may result in some connection instability. So,
+ensure the phy is ready before the controller updates the GCTL.PRTCAPDIR
+or other settings by issuing phy soft-reset.
+
+Note that some host-mode configurations may not expose device registers
+to initiate the controller soft-reset (via DCTL.CoreSftRst). So we reset
+through GUSB3PIPECTL and GUSB2PHYCFG instead.
+
+Cc: stable@vger.kernel.org
+Fixes: e835c0a4e23c ("usb: dwc3: don't reset device side if dwc3 was configured as host-only")
+Reported-by: Kenta Sato
+Closes: https://lore.kernel.org/linux-usb/ZPUciRLUcjDywMVS@debian.me/
+Signed-off-by: Thinh Nguyen
+Tested-by: Kenta Sato
+Link: https://lore.kernel.org/r/70aea513215d273669152696cc02b20ddcdb6f1a.1694564261.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/core.c | 39 ++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 38 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -279,9 +279,46 @@ int dwc3_core_soft_reset(struct dwc3 *dw
+ * XHCI driver will reset the host block. If dwc3 was configured for
+ * host-only mode or current role is host, then we can return early.
+ */
+- if (dwc->dr_mode == USB_DR_MODE_HOST || dwc->current_dr_role == DWC3_GCTL_PRTCAP_HOST)
++ if (dwc->current_dr_role == DWC3_GCTL_PRTCAP_HOST)
+ return 0;
+
++ /*
++ * If the dr_mode is host and the dwc->current_dr_role is not the
++ * corresponding DWC3_GCTL_PRTCAP_HOST, then the dwc3_core_init_mode
++ * isn't executed yet. Ensure the phy is ready before the controller
++ * updates the GCTL.PRTCAPDIR or other settings by soft-resetting
++ * the phy.
++ *
++ * Note: GUSB3PIPECTL[n] and GUSB2PHYCFG[n] are port settings where n
++ * is port index. If this is a multiport host, then we need to reset
++ * all active ports.
++ */
++ if (dwc->dr_mode == USB_DR_MODE_HOST) {
++ u32 usb3_port;
++ u32 usb2_port;
++
++ usb3_port = dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0));
++ usb3_port |= DWC3_GUSB3PIPECTL_PHYSOFTRST;
++ dwc3_writel(dwc->regs, DWC3_GUSB3PIPECTL(0), usb3_port);
++
++ usb2_port = dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0));
++ usb2_port |= DWC3_GUSB2PHYCFG_PHYSOFTRST;
++ dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), usb2_port);
++
++ /* Small delay for phy reset assertion */
++ usleep_range(1000, 2000);
++
++ usb3_port &= ~DWC3_GUSB3PIPECTL_PHYSOFTRST;
++ dwc3_writel(dwc->regs, DWC3_GUSB3PIPECTL(0), usb3_port);
++
++ usb2_port &= ~DWC3_GUSB2PHYCFG_PHYSOFTRST;
++ dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), usb2_port);
++
++ /* Wait for clock synchronization */
++ msleep(50);
++ return 0;
++ }
++
+ reg = dwc3_readl(dwc->regs, DWC3_DCTL);
+ reg |= DWC3_DCTL_CSFTRST;
+ reg &= ~DWC3_DCTL_RUN_STOP;
diff --git a/queue-6.5/usb-gadget-ncm-handle-decoding-of-multiple-ntb-s-in-unwrap-call.patch b/queue-6.5/usb-gadget-ncm-handle-decoding-of-multiple-ntb-s-in-unwrap-call.patch
new file mode 100644
index 00000000000..937e66c7909
--- /dev/null
+++ b/queue-6.5/usb-gadget-ncm-handle-decoding-of-multiple-ntb-s-in-unwrap-call.patch
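Review bot: The new comment in dwc3_core_soft_reset() says that on a multiport host "we need to reset all active ports", but the code under it only touches index 0, `DWC3_GUSB3PIPECTL(0)` and `DWC3_GUSB2PHYCFG(0)`. Either loop over the ports the controller exposes or reword the comment so that it does not promise more than the code does, e.g. `/* TODO: only port 0 is reset here; a multiport host needs the same sequence for each active port */`. The function begins and continues outside the hunk.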
@@ -0,0 +1,106 @@ +From 427694cfaafa565a3db5c5ea71df6bc095dca92f Mon Sep 17 00:00:00 2001 +From: Krishna Kurapati +Date: Wed, 27 Sep 2023 16:28:58 +0530 +Subject: usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krishna Kurapati + +commit 427694cfaafa565a3db5c5ea71df6bc095dca92f upstream. + +When NCM is used with hosts like Windows PC, it is observed that there are +multiple NTB's contained in one usb request giveback. Since the driver +unwraps the obtained request data assuming only one NTB is present, we +loose the subsequent NTB's present resulting in data loss. + +Fix this by checking the parsed block length with the obtained data +length in usb request and continue parsing after the last byte of current +NTB. + +Cc: stable@vger.kernel.org +Fixes: 9f6ce4240a2b ("usb: gadget: f_ncm.c added") +Signed-off-by: Krishna Kurapati +Reviewed-by: Maciej Å»enczykowski +Link: https://lore.kernel.org/r/20230927105858.12950-1-quic_kriskura@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_ncm.c | 26 +++++++++++++++++++------- + 1 file changed, 19 insertions(+), 7 deletions(-) + +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -1171,7 +1171,8 @@ static int ncm_unwrap_ntb(struct gether + struct sk_buff_head *list) + { + struct f_ncm *ncm = func_to_ncm(&port->func); +- __le16 *tmp = (void *) skb->data; ++ unsigned char *ntb_ptr = skb->data; ++ __le16 *tmp; + unsigned index, index2; + int ndp_index; + unsigned dg_len, dg_len2; +@@ -1184,6 +1185,10 @@ static int ncm_unwrap_ntb(struct gether + const struct ndp_parser_opts *opts = ncm->parser_opts; + unsigned crc_len = ncm->is_crc ? 
sizeof(uint32_t) : 0; + int dgram_counter; ++ int to_process = skb->len; ++ ++parse_ntb: ++ tmp = (__le16 *)ntb_ptr; + + /* dwSignature */ + if (get_unaligned_le32(tmp) != opts->nth_sign) { +@@ -1230,7 +1235,7 @@ static int ncm_unwrap_ntb(struct gether + * walk through NDP + * dwSignature + */ +- tmp = (void *)(skb->data + ndp_index); ++ tmp = (__le16 *)(ntb_ptr + ndp_index); + if (get_unaligned_le32(tmp) != ncm->ndp_sign) { + INFO(port->func.config->cdev, "Wrong NDP SIGN\n"); + goto err; +@@ -1287,11 +1292,11 @@ static int ncm_unwrap_ntb(struct gether + if (ncm->is_crc) { + uint32_t crc, crc2; + +- crc = get_unaligned_le32(skb->data + ++ crc = get_unaligned_le32(ntb_ptr + + index + dg_len - + crc_len); + crc2 = ~crc32_le(~0, +- skb->data + index, ++ ntb_ptr + index, + dg_len - crc_len); + if (crc != crc2) { + INFO(port->func.config->cdev, +@@ -1318,7 +1323,7 @@ static int ncm_unwrap_ntb(struct gether + dg_len - crc_len); + if (skb2 == NULL) + goto err; +- skb_put_data(skb2, skb->data + index, ++ skb_put_data(skb2, ntb_ptr + index, + dg_len - crc_len); + + skb_queue_tail(list, skb2); +@@ -1331,10 +1336,17 @@ static int ncm_unwrap_ntb(struct gether + } while (ndp_len > 2 * (opts->dgram_item_len * 2)); + } while (ndp_index); + +- dev_consume_skb_any(skb); +- + VDBG(port->func.config->cdev, + "Parsed NTB with %d frames\n", dgram_counter); ++ ++ to_process -= block_len; ++ if (to_process != 0) { ++ ntb_ptr = (unsigned char *)(ntb_ptr + block_len); ++ goto parse_ntb; ++ } ++ ++ dev_consume_skb_any(skb); ++ + return 0; + err: + skb_queue_purge(list); diff --git a/queue-6.5/usb-gadget-udc-xilinx-replace-memcpy-with-memcpy_toio.patch b/queue-6.5/usb-gadget-udc-xilinx-replace-memcpy-with-memcpy_toio.patch new file mode 100644 index 00000000000..175aa16e89f --- /dev/null +++ b/queue-6.5/usb-gadget-udc-xilinx-replace-memcpy-with-memcpy_toio.patch 
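Review bot: The new multi-NTB loop in ncm_unwrap_ntb() trusts `block_len` from the received header when it advances: after `to_process -= block_len;` the only test is `to_process != 0`, so a block length larger than the bytes left makes `to_process` negative and moves `ntb_ptr` past the end of `skb->data` before `goto parse_ntb` reads the next header. A zero block length would never reduce `to_process`, so the loop would not terminate. `block_len` is parsed and range-checked outside this hunk, so please confirm, but a guard before the subtraction such as `if (!block_len || block_len > (unsigned int)to_process) goto err;` looks necessary, and the `ndp_index` and `index` offsets now applied to `ntb_ptr` should be bounded by the remaining length rather than by the whole skb. Trailing bytes shorter than an NTB header also need a defined outcome instead of being parsed as a new block.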
@@ -0,0 +1,155 @@ +From 3061b6491f491197a35e14e49f805d661b02acd4 Mon Sep 17 00:00:00 2001 +From: Piyush Mehta +Date: Fri, 29 Sep 2023 17:45:14 +0530 +Subject: usb: gadget: udc-xilinx: replace memcpy with memcpy_toio + +From: Piyush Mehta + +commit 3061b6491f491197a35e14e49f805d661b02acd4 upstream. + +For ARM processor, unaligned access to device memory is not allowed. +Method memcpy does not take care of alignment. + +USB detection failure with the unalingned address of memory, with +below kernel crash. To fix the unalingned address kernel panic, +replace memcpy with memcpy_toio method. + +Kernel crash: +Unable to handle kernel paging request at virtual address ffff80000c05008a +Mem abort info: + ESR = 0x96000061 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x21: alignment fault +Data abort info: + ISV = 0, ISS = 0x00000061 + CM = 0, WnR = 1 +swapper pgtable: 4k pages, 48-bit VAs, pgdp=000000000143b000 +[ffff80000c05008a] pgd=100000087ffff003, p4d=100000087ffff003, +pud=100000087fffe003, pmd=1000000800bcc003, pte=00680000a0010713 +Internal error: Oops: 96000061 [#1] SMP +Modules linked in: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.15.19-xilinx-v2022.1 #1 +Hardware name: ZynqMP ZCU102 Rev1.0 (DT) +pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : __memcpy+0x30/0x260 +lr : __xudc_ep0_queue+0xf0/0x110 +sp : ffff800008003d00 +x29: ffff800008003d00 x28: ffff800009474e80 x27: 00000000000000a0 +x26: 0000000000000100 x25: 0000000000000012 x24: ffff000800bc8080 +x23: 0000000000000001 x22: 0000000000000012 x21: ffff000800bc8080 +x20: 0000000000000012 x19: ffff000800bc8080 x18: 0000000000000000 +x17: ffff800876482000 x16: ffff800008004000 x15: 0000000000004000 +x14: 00001f09785d0400 x13: 0103020101005567 x12: 0781400000000200 +x11: 00000000c5672a10 x10: 00000000000008d0 x9 : ffff800009463cf0 +x8 : ffff8000094757b0 x7 : 0201010055670781 x6 : 4000000002000112 +x5 : ffff80000c05009a x4 : ffff000800a15012 x3 : 
ffff00080362ad80 +x2 : 0000000000000012 x1 : ffff000800a15000 x0 : ffff80000c050088 +Call trace: + __memcpy+0x30/0x260 + xudc_ep0_queue+0x3c/0x60 + usb_ep_queue+0x38/0x44 + composite_ep0_queue.constprop.0+0x2c/0xc0 + composite_setup+0x8d0/0x185c + configfs_composite_setup+0x74/0xb0 + xudc_irq+0x570/0xa40 + __handle_irq_event_percpu+0x58/0x170 + handle_irq_event+0x60/0x120 + handle_fasteoi_irq+0xc0/0x220 + handle_domain_irq+0x60/0x90 + gic_handle_irq+0x74/0xa0 + call_on_irq_stack+0x2c/0x60 + do_interrupt_handler+0x54/0x60 + el1_interrupt+0x30/0x50 + el1h_64_irq_handler+0x18/0x24 + el1h_64_irq+0x78/0x7c + arch_cpu_idle+0x18/0x2c + do_idle+0xdc/0x15c + cpu_startup_entry+0x28/0x60 + rest_init+0xc8/0xe0 + arch_call_rest_init+0x10/0x1c + start_kernel+0x694/0x6d4 + __primary_switched+0xa4/0xac + +Fixes: 1f7c51660034 ("usb: gadget: Add xilinx usb2 device support") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/all/202209020044.CX2PfZzM-lkp@intel.com/ +Cc: stable@vger.kernel.org +Signed-off-by: Piyush Mehta +Link: https://lore.kernel.org/r/20230929121514.13475-1-piyush.mehta@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/udc-xilinx.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/drivers/usb/gadget/udc/udc-xilinx.c ++++ b/drivers/usb/gadget/udc/udc-xilinx.c +@@ -499,11 +499,13 @@ static int xudc_eptxrx(struct xusb_ep *e + /* Get the Buffer address and copy the transmit data.*/ + eprambase = (u32 __force *)(udc->addr + ep->rambase); + if (ep->is_in) { +- memcpy(eprambase, bufferptr, bytestosend); ++ memcpy_toio((void __iomem *)eprambase, bufferptr, ++ bytestosend); + udc->write_fn(udc->addr, ep->offset + + XUSB_EP_BUF0COUNT_OFFSET, bufferlen); + } else { +- memcpy(bufferptr, eprambase, bytestosend); ++ memcpy_toio((void __iomem *)bufferptr, eprambase, ++ bytestosend); + } + /* + * Enable the buffer for transmission. 
+@@ -517,11 +519,13 @@ static int xudc_eptxrx(struct xusb_ep *e + eprambase = (u32 __force *)(udc->addr + ep->rambase + + ep->ep_usb.maxpacket); + if (ep->is_in) { +- memcpy(eprambase, bufferptr, bytestosend); ++ memcpy_toio((void __iomem *)eprambase, bufferptr, ++ bytestosend); + udc->write_fn(udc->addr, ep->offset + + XUSB_EP_BUF1COUNT_OFFSET, bufferlen); + } else { +- memcpy(bufferptr, eprambase, bytestosend); ++ memcpy_toio((void __iomem *)bufferptr, eprambase, ++ bytestosend); + } + /* + * Enable the buffer for transmission. +@@ -1023,7 +1027,7 @@ static int __xudc_ep0_queue(struct xusb_ + udc->addr); + length = req->usb_req.actual = min_t(u32, length, + EP0_MAX_PACKET); +- memcpy(corebuf, req->usb_req.buf, length); ++ memcpy_toio((void __iomem *)corebuf, req->usb_req.buf, length); + udc->write_fn(udc->addr, XUSB_EP_BUF0COUNT_OFFSET, length); + udc->write_fn(udc->addr, XUSB_BUFFREADY_OFFSET, 1); + } else { +@@ -1752,7 +1756,7 @@ static void xudc_handle_setup(struct xus + + /* Load up the chapter 9 command buffer.*/ + ep0rambase = (u32 __force *) (udc->addr + XUSB_SETUP_PKT_ADDR_OFFSET); +- memcpy(&setup, ep0rambase, 8); ++ memcpy_toio((void __iomem *)&setup, ep0rambase, 8); + + udc->setup = setup; + udc->setup.wValue = cpu_to_le16(setup.wValue); +@@ -1839,7 +1843,7 @@ static void xudc_ep0_out(struct xusb_udc + (ep0->rambase << 2)); + buffer = req->usb_req.buf + req->usb_req.actual; + req->usb_req.actual = req->usb_req.actual + bytes_to_rx; +- memcpy(buffer, ep0rambase, bytes_to_rx); ++ memcpy_toio((void __iomem *)buffer, ep0rambase, bytes_to_rx); + + if (req->usb_req.length == req->usb_req.actual) { + /* Data transfer completed get ready for Status stage */ +@@ -1915,7 +1919,7 @@ static void xudc_ep0_in(struct xusb_udc + (ep0->rambase << 2)); + buffer = req->usb_req.buf + req->usb_req.actual; + req->usb_req.actual = req->usb_req.actual + length; +- memcpy(ep0rambase, buffer, length); ++ memcpy_toio((void __iomem *)ep0rambase, buffer, length); + } + 
udc->write_fn(udc->addr, XUSB_EP_BUF0COUNT_OFFSET, count); + udc->write_fn(udc->addr, XUSB_BUFFREADY_OFFSET, 1); diff --git a/queue-6.5/usb-hub-guard-against-accesses-to-uninitialized-bos-descriptors.patch b/queue-6.5/usb-hub-guard-against-accesses-to-uninitialized-bos-descriptors.patch new file mode 100644 index 00000000000..a0aaf1b7f59 --- /dev/null +++ b/queue-6.5/usb-hub-guard-against-accesses-to-uninitialized-bos-descriptors.patch 
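Review bot: The receive-side copies use memcpy_toio() with the roles of the arguments reversed. In the `else` branches of xudc_eptxrx(), in xudc_handle_setup() and in xudc_ep0_out(), the source (`eprambase` / `ep0rambase`) is the device RAM and the destination is an ordinary kernel buffer cast to `void __iomem *`. memcpy_toio() applies I/O-safe accesses to the destination only, so the reads from device memory may still be plain, possibly unaligned loads, which is the fault the commit sets out to remove. These sites should be `memcpy_fromio(bufferptr, (void __iomem *)eprambase, bytestosend);` and `memcpy_fromio(&setup, (void __iomem *)ep0rambase, 8);`, which also drops the `__iomem` cast on normal memory. The enclosing functions start and end outside the hunks.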
@@ -0,0 +1,130 @@ +From f74a7afc224acd5e922c7a2e52244d891bbe44ee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo?= +Date: Wed, 30 Aug 2023 12:04:18 +0200 +Subject: usb: hub: Guard against accesses to uninitialized BOS descriptors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo Cañuelo + +commit f74a7afc224acd5e922c7a2e52244d891bbe44ee upstream. + +Many functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h +access fields inside udev->bos without checking if it was allocated and +initialized. If usb_get_bos_descriptor() fails for whatever +reason, udev->bos will be NULL and those accesses will result in a +crash: + +BUG: kernel NULL pointer dereference, address: 0000000000000018 +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP NOPTI +CPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 +Hardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021 +Workqueue: usb_hub_wq hub_event +RIP: 0010:hub_port_reset+0x193/0x788 +Code: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9 +RSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310 +RDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840 +RBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060 +R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 +R13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000 +FS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0 +Call Trace: +hub_event+0x73f/0x156e +? hub_activate+0x5b7/0x68f +process_one_work+0x1a2/0x487 +worker_thread+0x11a/0x288 +kthread+0x13a/0x152 +? 
process_one_work+0x487/0x487 +? kthread_associate_blkcg+0x70/0x70 +ret_from_fork+0x1f/0x30 + +Fall back to a default behavior if the BOS descriptor isn't accessible +and skip all the functionalities that depend on it: LPM support checks, +Super Speed capabilitiy checks, U1/U2 states setup. + +Signed-off-by: Ricardo Cañuelo +Cc: stable +Link: https://lore.kernel.org/r/20230830100418.1952143-1-ricardo.canuelo@collabora.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hub.c | 25 ++++++++++++++++++++++--- + drivers/usb/core/hub.h | 2 +- + 2 files changed, 23 insertions(+), 4 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -151,6 +151,10 @@ int usb_device_supports_lpm(struct usb_d + if (udev->quirks & USB_QUIRK_NO_LPM) + return 0; + ++ /* Skip if the device BOS descriptor couldn't be read */ ++ if (!udev->bos) ++ return 0; ++ + /* USB 2.1 (and greater) devices indicate LPM support through + * their USB 2.0 Extended Capabilities BOS descriptor. + */ +@@ -327,6 +331,10 @@ static void usb_set_lpm_parameters(struc + if (!udev->lpm_capable || udev->speed < USB_SPEED_SUPER) + return; + ++ /* Skip if the device BOS descriptor couldn't be read */ ++ if (!udev->bos) ++ return; ++ + hub = usb_hub_to_struct_hub(udev->parent); + /* It doesn't take time to transition the roothub into U0, since it + * doesn't have an upstream link. 
+@@ -2720,13 +2728,17 @@ out_authorized: + static enum usb_ssp_rate get_port_ssp_rate(struct usb_device *hdev, + u32 ext_portstatus) + { +- struct usb_ssp_cap_descriptor *ssp_cap = hdev->bos->ssp_cap; ++ struct usb_ssp_cap_descriptor *ssp_cap; + u32 attr; + u8 speed_id; + u8 ssac; + u8 lanes; + int i; + ++ if (!hdev->bos) ++ goto out; ++ ++ ssp_cap = hdev->bos->ssp_cap; + if (!ssp_cap) + goto out; + +@@ -4244,8 +4256,15 @@ static void usb_enable_link_state(struct + enum usb3_link_state state) + { + int timeout; +- __u8 u1_mel = udev->bos->ss_cap->bU1devExitLat; +- __le16 u2_mel = udev->bos->ss_cap->bU2DevExitLat; ++ __u8 u1_mel; ++ __le16 u2_mel; ++ ++ /* Skip if the device BOS descriptor couldn't be read */ ++ if (!udev->bos) ++ return; ++ ++ u1_mel = udev->bos->ss_cap->bU1devExitLat; ++ u2_mel = udev->bos->ss_cap->bU2DevExitLat; + + /* If the device says it doesn't have *any* exit latency to come out of + * U1 or U2, it's probably lying. Assume it doesn't implement that link +--- a/drivers/usb/core/hub.h ++++ b/drivers/usb/core/hub.h +@@ -153,7 +153,7 @@ static inline int hub_is_superspeedplus( + { + return (hdev->descriptor.bDeviceProtocol == USB_HUB_PR_SS && + le16_to_cpu(hdev->descriptor.bcdUSB) >= 0x0310 && +- hdev->bos->ssp_cap); ++ hdev->bos && hdev->bos->ssp_cap); + } + + static inline unsigned hub_power_on_good_delay(struct usb_hub *hub) diff --git a/queue-6.5/usb-misc-onboard_hub-add-support-for-microchip-usb2412-usb-2.0-hub.patch b/queue-6.5/usb-misc-onboard_hub-add-support-for-microchip-usb2412-usb-2.0-hub.patch new file mode 100644 index 00000000000..a71945a1902 --- /dev/null +++ b/queue-6.5/usb-misc-onboard_hub-add-support-for-microchip-usb2412-usb-2.0-hub.patch 
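Review bot: In usb_enable_link_state() the added guard tests only `udev->bos`, but the next two lines dereference `udev->bos->ss_cap`, a separate pointer that is filled from device-supplied descriptors. get_port_ssp_rate() in the same patch checks both levels (`hdev->bos`, then `ssp_cap`). Unless a caller outside the hunk guarantees ss_cap is set, the guard should read `if (!udev->bos || !udev->bos->ss_cap) return;`. The new check in get_port_ssp_rate() is also the only one added without the `/* Skip if the device BOS descriptor couldn't be read */` comment used at the other sites.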
@@ -0,0 +1,46 @@ +From e59e38158c61162f2e8beb4620df21a1585117df Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Mon, 11 Sep 2023 10:22:38 +0200 +Subject: usb: misc: onboard_hub: add support for Microchip USB2412 USB 2.0 hub + +From: Javier Carrasco + +commit e59e38158c61162f2e8beb4620df21a1585117df upstream. + +The USB2412 is a 2-Port USB 2.0 hub controller that provides a reset pin +and a single 3v3 powre source, which makes it suitable to be controlled +by the onboard_hub driver. + +This hub has the same reset timings as USB2514/2517 and the same +onboard hub specific-data can be reused for USB2412. + +Signed-off-by: Javier Carrasco +Cc: stable +Acked-by: Matthias Kaehlcke +Link: https://lore.kernel.org/r/20230911-topic-2412_onboard_hub-v1-1-7704181ddfff@wolfvision.net +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/misc/onboard_usb_hub.c | 1 + + drivers/usb/misc/onboard_usb_hub.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/usb/misc/onboard_usb_hub.c ++++ b/drivers/usb/misc/onboard_usb_hub.c +@@ -409,6 +409,7 @@ static void onboard_hub_usbdev_disconnec + static const struct usb_device_id onboard_hub_id_table[] = { + { USB_DEVICE(VENDOR_ID_GENESYS, 0x0608) }, /* Genesys Logic GL850G USB 2.0 */ + { USB_DEVICE(VENDOR_ID_GENESYS, 0x0610) }, /* Genesys Logic GL852G USB 2.0 */ ++ { USB_DEVICE(VENDOR_ID_MICROCHIP, 0x2412) }, /* USB2412 USB 2.0 */ + { USB_DEVICE(VENDOR_ID_MICROCHIP, 0x2514) }, /* USB2514B USB 2.0 */ + { USB_DEVICE(VENDOR_ID_MICROCHIP, 0x2517) }, /* USB2517 USB 2.0 */ + { USB_DEVICE(VENDOR_ID_REALTEK, 0x0411) }, /* RTS5411 USB 3.1 */ +--- a/drivers/usb/misc/onboard_usb_hub.h ++++ b/drivers/usb/misc/onboard_usb_hub.h +@@ -35,6 +35,7 @@ static const struct onboard_hub_pdata vi + }; + + static const struct of_device_id onboard_hub_match[] = { ++ { .compatible = "usb424,2412", .data = µchip_usb424_data, }, + { .compatible = "usb424,2514", .data = µchip_usb424_data, }, + { .compatible = "usb424,2517", .data = µchip_usb424_data, }, + 
{ .compatible = "usb451,8140", .data = &ti_tusb8041_data, }, diff --git a/queue-6.5/usb-musb-get-the-musb_qh-poniter-after-musb_giveback.patch b/queue-6.5/usb-musb-get-the-musb_qh-poniter-after-musb_giveback.patch new file mode 100644 index 00000000000..f9fd35ecf3e --- /dev/null +++ b/queue-6.5/usb-musb-get-the-musb_qh-poniter-after-musb_giveback.patch 
@@ -0,0 +1,57 @@ +From 33d7e37232155aadebe4145dcc592f00dabd7a2b Mon Sep 17 00:00:00 2001 +From: Xingxing Luo +Date: Tue, 19 Sep 2023 11:30:55 +0800 +Subject: usb: musb: Get the musb_qh poniter after musb_giveback + +From: Xingxing Luo + +commit 33d7e37232155aadebe4145dcc592f00dabd7a2b upstream. + +When multiple threads are performing USB transmission, musb->lock will be +unlocked when musb_giveback is executed. At this time, qh may be released +in the dequeue process in other threads, resulting in a wild pointer, so +it needs to be here get qh again, and judge whether qh is NULL, and when +dequeue, you need to set qh to NULL. + +Fixes: dbac5d07d13e ("usb: musb: host: don't start next rx urb if current one failed") +Cc: stable@vger.kernel.org +Signed-off-by: Xingxing Luo +Link: https://lore.kernel.org/r/20230919033055.14085-1-xingxing.luo@unisoc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/musb/musb_host.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c +index a02c29216955..bc4507781167 100644 +--- a/drivers/usb/musb/musb_host.c ++++ b/drivers/usb/musb/musb_host.c +@@ -321,10 +321,16 @@ static void musb_advance_schedule(struct musb *musb, struct urb *urb, + musb_giveback(musb, urb, status); + qh->is_ready = ready; + ++ /* ++ * musb->lock had been unlocked in musb_giveback, so qh may ++ * be freed, need to get it again ++ */ ++ qh = musb_ep_get_qh(hw_ep, is_in); ++ + /* reclaim resources (and bandwidth) ASAP; deschedule it, and + * invalidate qh as soon as list_empty(&hep->urb_list) + */ +- if (list_empty(&qh->hep->urb_list)) { ++ if (qh && list_empty(&qh->hep->urb_list)) { + struct list_head *head; + struct dma_controller *dma = musb->dma_controller; + +@@ -2398,6 +2404,7 @@ static int musb_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) + * and its URB list has emptied, recycle this qh. 
+ */ + if (ready && list_empty(&qh->hep->urb_list)) { ++ musb_ep_set_qh(qh->hw_ep, is_in, NULL); + qh->hep->hcpriv = NULL; + list_del(&qh->ring); + kfree(qh); +-- +2.42.0 + diff --git a/queue-6.5/usb-musb-modify-the-hwvers-register-address.patch b/queue-6.5/usb-musb-modify-the-hwvers-register-address.patch new file mode 100644 index 00000000000..8ad667873b2 --- /dev/null +++ b/queue-6.5/usb-musb-modify-the-hwvers-register-address.patch @@ -0,0 +1,36 @@ +From 6658a62e1ddf726483cb2d8bf45ea3f9bd533074 Mon Sep 17 00:00:00 2001 +From: Xingxing Luo +Date: Fri, 22 Sep 2023 15:59:29 +0800 +Subject: usb: musb: Modify the "HWVers" register address + +From: Xingxing Luo + +commit 6658a62e1ddf726483cb2d8bf45ea3f9bd533074 upstream. + +musb HWVers rgister address is not 0x69, if we operate the +wrong address 0x69, it will cause a kernel crash, because +there is no register corresponding to this address in the +additional control register of musb. In fact, HWVers has +been defined in musb_register.h, and the name is +"MUSB_HWVERS", so We need to use this macro instead of 0x69. + +Fixes: c2365ce5d5a0 ("usb: musb: replace hard coded registers with defines") +Cc: stable@vger.kernel.org +Signed-off-by: Xingxing Luo +Link: https://lore.kernel.org/r/20230922075929.31074-1-xingxing.luo@unisoc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/musb/musb_debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/musb/musb_debugfs.c ++++ b/drivers/usb/musb/musb_debugfs.c +@@ -39,7 +39,7 @@ static const struct musb_register_map mu + { "IntrUsbE", MUSB_INTRUSBE, 8 }, + { "DevCtl", MUSB_DEVCTL, 8 }, + { "VControl", 0x68, 32 }, +- { "HWVers", 0x69, 16 }, ++ { "HWVers", MUSB_HWVERS, 16 }, + { "LinkInfo", MUSB_LINKINFO, 8 }, + { "VPLen", MUSB_VPLEN, 8 }, + { "HS_EOF1", MUSB_HS_EOF1, 8 }, 
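Review bot: `qh->is_ready = ready;` still runs between musb_giveback() and the new re-fetch in musb_advance_schedule(), so it writes through the pointer that the added comment says may have been freed while musb->lock was dropped. The lookup should come first and the store be conditional: `qh = musb_ep_get_qh(hw_ep, is_in);` followed by `if (qh) qh->is_ready = ready;`. The function continues past the hunk, so any later use of qh after the `if (qh && list_empty(...))` block needs the same NULL check.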
diff --git a/queue-6.5/usb-typec-altmodes-displayport-signal-hpd-low-when-exiting-mode.patch b/queue-6.5/usb-typec-altmodes-displayport-signal-hpd-low-when-exiting-mode.patch new file mode 100644 index 00000000000..7b82a5f3297 --- /dev/null +++ b/queue-6.5/usb-typec-altmodes-displayport-signal-hpd-low-when-exiting-mode.patch @@ -0,0 +1,41 @@ +From 89434b069e460967624903b049e5cf5c9e6b99b9 Mon Sep 17 00:00:00 2001 +From: RD Babiera +Date: Mon, 9 Oct 2023 21:00:58 +0000 +Subject: usb: typec: altmodes/displayport: Signal hpd low when exiting mode + +From: RD Babiera + +commit 89434b069e460967624903b049e5cf5c9e6b99b9 upstream. + +Upon receiving an ACK for a sent EXIT_MODE message, the DisplayPort +driver currently resets the status and configuration of the port partner. +The hpd signal is not updated despite being part of the status, so the +Display stack can still transmit video despite typec_altmode_exit placing +the lanes in a Safe State. + +Set hpd to low when a sent EXIT_MODE message is ACK'ed. + +Fixes: 0e3bb7d6894d ("usb: typec: Add driver for DisplayPort alternate mode") +Cc: stable@vger.kernel.org +Signed-off-by: RD Babiera +Acked-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20231009210057.3773877-2-rdbabiera@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/altmodes/displayport.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/typec/altmodes/displayport.c ++++ b/drivers/usb/typec/altmodes/displayport.c +@@ -304,6 +304,11 @@ static int dp_altmode_vdm(struct typec_a + typec_altmode_update_active(alt, false); + dp->data.status = 0; + dp->data.conf = 0; ++ if (dp->hpd) { ++ drm_connector_oob_hotplug_event(dp->connector_fwnode); ++ dp->hpd = false; ++ sysfs_notify(&dp->alt->dev.kobj, "displayport", "hpd"); ++ } + break; + case DP_CMD_STATUS_UPDATE: + dp->data.status = *vdo; 
diff --git a/queue-6.5/usb-typec-qcom-update-the-logic-of-regulator-enable-and-disable.patch b/queue-6.5/usb-typec-qcom-update-the-logic-of-regulator-enable-and-disable.patch new file mode 100644 index 00000000000..c5ce4715d43 --- /dev/null +++ b/queue-6.5/usb-typec-qcom-update-the-logic-of-regulator-enable-and-disable.patch 
@@ -0,0 +1,69 @@ +From 76750f1dcad3e1af2295cdf2f9434e06e3178ef3 Mon Sep 17 00:00:00 2001 +From: Hui Liu +Date: Thu, 31 Aug 2023 18:19:45 +0800 +Subject: usb: typec: qcom: Update the logic of regulator enable and disable + +From: Hui Liu + +commit 76750f1dcad3e1af2295cdf2f9434e06e3178ef3 upstream. + +Removed the call logic of disable and enable regulator +in reset function. Enable the regulator in qcom_pmic_typec_start +function and disable it in qcom_pmic_typec_stop function to +avoid unbalanced regulator disable warnings. + +Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver") +Cc: stable +Reviewed-by: Bryan O'Donoghue +Acked-by: Bryan O'Donoghue +Tested-by: Bryan O'Donoghue # rb5 +Signed-off-by: Hui Liu +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20230831-qcom-tcpc-v5-1-5e2661dc6c1d@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c ++++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c +@@ -383,10 +383,6 @@ static int qcom_pmic_typec_pdphy_enable( + struct device *dev = pmic_typec_pdphy->dev; + int ret; + +- ret = regulator_enable(pmic_typec_pdphy->vdd_pdphy); +- if (ret) +- return ret; +- + /* PD 2.0, DR=TYPEC_DEVICE, PR=TYPEC_SINK */ + ret = regmap_update_bits(pmic_typec_pdphy->regmap, + pmic_typec_pdphy->base + USB_PDPHY_MSG_CONFIG_REG, +@@ -424,8 +420,6 @@ static int qcom_pmic_typec_pdphy_disable + ret = regmap_write(pmic_typec_pdphy->regmap, + pmic_typec_pdphy->base + USB_PDPHY_EN_CONTROL_REG, 0); + +- regulator_disable(pmic_typec_pdphy->vdd_pdphy); +- + return ret; + } + +@@ -449,6 +443,10 @@ int qcom_pmic_typec_pdphy_start(struct p + int i; + int ret; + ++ ret = regulator_enable(pmic_typec_pdphy->vdd_pdphy); ++ if (ret) ++ return ret; ++ + pmic_typec_pdphy->tcpm_port = tcpm_port; + + ret = pmic_typec_pdphy_reset(pmic_typec_pdphy); 
+@@ -469,6 +467,8 @@ void qcom_pmic_typec_pdphy_stop(struct p + disable_irq(pmic_typec_pdphy->irq_data[i].irq); + + qcom_pmic_typec_pdphy_reset_on(pmic_typec_pdphy); ++ ++ regulator_disable(pmic_typec_pdphy->vdd_pdphy); + } + + struct pmic_typec_pdphy *qcom_pmic_typec_pdphy_alloc(struct device *dev) diff --git a/queue-6.5/usb-typec-ucsi-clear-event_pending-bit-if-ucsi_send_command-fails.patch b/queue-6.5/usb-typec-ucsi-clear-event_pending-bit-if-ucsi_send_command-fails.patch new file mode 100644 index 00000000000..c629c883dfb --- /dev/null +++ b/queue-6.5/usb-typec-ucsi-clear-event_pending-bit-if-ucsi_send_command-fails.patch @@ -0,0 +1,37 @@ +From a00e197daec52bcd955e118f5f57d706da5bfe50 Mon Sep 17 00:00:00 2001 +From: Prashanth K +Date: Mon, 11 Sep 2023 14:34:15 +0530 +Subject: usb: typec: ucsi: Clear EVENT_PENDING bit if ucsi_send_command fails + +From: Prashanth K + +commit a00e197daec52bcd955e118f5f57d706da5bfe50 upstream. + +Currently if ucsi_send_command() fails, then we bail out without +clearing EVENT_PENDING flag. So when the next connector change +event comes, ucsi_connector_change() won't queue the con->work, +because of which none of the new events will be processed. + +Fix this by clearing EVENT_PENDING flag if ucsi_send_command() +fails. + +Cc: stable@vger.kernel.org # 5.16 +Fixes: 512df95b9432 ("usb: typec: ucsi: Better fix for missing unplug events issue") +Signed-off-by: Prashanth K +Acked-by: Heikki Krogerus +Link: https://lore.kernel.org/r/1694423055-8440-1-git-send-email-quic_prashk@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/typec/ucsi/ucsi.c ++++ b/drivers/usb/typec/ucsi/ucsi.c +@@ -885,6 +885,7 @@ static void ucsi_handle_connector_change + if (ret < 0) { + dev_err(ucsi->dev, "%s: GET_CONNECTOR_STATUS failed (%d)\n", + __func__, ret); ++ clear_bit(EVENT_PENDING, &con->ucsi->flags); + goto out_unlock; + } + 
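Review bot: With regulator_enable() moved to the top of qcom_pmic_typec_pdphy_start(), a failure of `pmic_typec_pdphy_reset()` or of any later step in that function has to undo the enable. Otherwise the enable count stays raised and the imbalance the commit describes reappears in the opposite direction. The error handling after the reset call is outside the hunk; if it is a bare `return ret;`, add `regulator_disable(pmic_typec_pdphy->vdd_pdphy);` before it. qcom_pmic_typec_pdphy_stop() now disables unconditionally, so a short comment that stop() must only follow a successful start() would document that pairing.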
diff --git a/queue-6.5/usb-typec-ucsi-fix-missing-link-removal.patch b/queue-6.5/usb-typec-ucsi-fix-missing-link-removal.patch new file mode 100644 index 00000000000..d8b70df9eb8 --- /dev/null +++ b/queue-6.5/usb-typec-ucsi-fix-missing-link-removal.patch @@ -0,0 +1,40 @@ +From dddb91cde52b4a57fa06a332b230fca3b11b885f Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Tue, 10 Oct 2023 17:17:49 +0300 +Subject: usb: typec: ucsi: Fix missing link removal + +From: Heikki Krogerus + +commit dddb91cde52b4a57fa06a332b230fca3b11b885f upstream. + +The link between the partner device and its USB Power +Delivery instance was never removed which prevented the +device from being released. Removing the link always when +the partner is unregistered. + +Fixes: b04e1747fbcc ("usb: typec: ucsi: Register USB Power Delivery Capabilities") +Cc: stable +Reported-by: Douglas Gilbert +Closes: https://lore.kernel.org/linux-usb/ZSUMXdw9nanHtnw2@kuha.fi.intel.com/ +Signed-off-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20231010141749.3912016-1-heikki.krogerus@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c +index 509c67c94a70..61b64558f96c 100644 +--- a/drivers/usb/typec/ucsi/ucsi.c ++++ b/drivers/usb/typec/ucsi/ucsi.c +@@ -787,6 +787,7 @@ static void ucsi_unregister_partner(struct ucsi_connector *con) + + typec_set_mode(con->port, TYPEC_STATE_SAFE); + ++ typec_partner_set_usb_power_delivery(con->partner, NULL); + ucsi_unregister_partner_pdos(con); + ucsi_unregister_altmodes(con, UCSI_RECIPIENT_SOP); + typec_unregister_partner(con->partner); +-- +2.42.0 + diff --git a/queue-6.5/usb-typec-ucsi-use-get_capability-attributes-data-to-set-power-supply-scope.patch b/queue-6.5/usb-typec-ucsi-use-get_capability-attributes-data-to-set-power-supply-scope.patch new file mode 100644 index 00000000000..801d860eb5f --- /dev/null 
+++ b/queue-6.5/usb-typec-ucsi-use-get_capability-attributes-data-to-set-power-supply-scope.patch 
@@ -0,0 +1,54 @@ +From c9ca8de2eb15f9da24113e652980c61f95a47530 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Mon, 9 Oct 2023 13:46:43 -0500 +Subject: usb: typec: ucsi: Use GET_CAPABILITY attributes data to set power supply scope + +From: Mario Limonciello + +commit c9ca8de2eb15f9da24113e652980c61f95a47530 upstream. + +On some OEM systems, adding a W7900 dGPU triggers RAS errors and hangs +at a black screen on startup. This issue occurs only if `ucsi_acpi` has +loaded before `amdgpu` has loaded. The reason for this failure is that +`amdgpu` uses power_supply_is_system_supplied() to determine if running +on AC or DC power at startup. If this value is reported incorrectly the +dGPU will also be programmed incorrectly and trigger errors. + +power_supply_is_system_supplied() reports the wrong value because UCSI +power supplies provided as part of the system don't properly report the +scope as "DEVICE" scope (not powering the system). + +In order to fix this issue check the capabilities reported from the UCSI +power supply to ensure that it supports charging a battery and that it can +be powered by AC. Mark the scope accordingly. 
+ +Cc: stable@vger.kernel.org +Fixes: a7fbfd44c020 ("usb: typec: ucsi: Mark dGPUs as DEVICE scope") +Link: https://www.intel.com/content/www/us/en/products/docs/io/universal-serial-bus/usb-type-c-ucsi-spec.html p28 +Reviewed-by: Sebastian Reichel +Signed-off-by: Mario Limonciello +Acked-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20231009184643.129986-1-mario.limonciello@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/psy.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/usb/typec/ucsi/psy.c ++++ b/drivers/usb/typec/ucsi/psy.c +@@ -37,6 +37,15 @@ static int ucsi_psy_get_scope(struct ucs + struct device *dev = con->ucsi->dev; + + device_property_read_u8(dev, "scope", &scope); ++ if (scope == POWER_SUPPLY_SCOPE_UNKNOWN) { ++ u32 mask = UCSI_CAP_ATTR_POWER_AC_SUPPLY | ++ UCSI_CAP_ATTR_BATTERY_CHARGING; ++ ++ if (con->ucsi->cap.attributes & mask) ++ scope = POWER_SUPPLY_SCOPE_SYSTEM; ++ else ++ scope = POWER_SUPPLY_SCOPE_DEVICE; ++ } + val->intval = scope; + return 0; + } diff --git a/queue-6.5/usb-xhci-xhci-ring-use-sysdev-for-mapping-bounce-buffer.patch b/queue-6.5/usb-xhci-xhci-ring-use-sysdev-for-mapping-bounce-buffer.patch new file mode 100644 index 00000000000..ad37bdaf926 --- /dev/null +++ b/queue-6.5/usb-xhci-xhci-ring-use-sysdev-for-mapping-bounce-buffer.patch 
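Review bot: In ucsi_psy_get_scope() the test `con->ucsi->cap.attributes & mask` is true when either UCSI_CAP_ATTR_POWER_AC_SUPPLY or UCSI_CAP_ATTR_BATTERY_CHARGING is set, whereas the commit message describes requiring both (charging a battery and AC power). If both are meant, the condition should be `if ((con->ucsi->cap.attributes & mask) == mask)`. If either is enough, a comment such as `/* either capability marks a system supply */` would stop the code and the changelog from disagreeing. The return value of device_property_read_u8() is ignored, so the fallback relies on `scope` being initialised to POWER_SUPPLY_SCOPE_UNKNOWN at its declaration, which is outside the hunk.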
@@ -0,0 +1,54 @@ +From 41a43013d2366db5b88b42bbcd8e8f040b6ccf21 Mon Sep 17 00:00:00 2001 +From: Wesley Cheng +Date: Fri, 15 Sep 2023 17:31:05 +0300 +Subject: usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer + +From: Wesley Cheng + +commit 41a43013d2366db5b88b42bbcd8e8f040b6ccf21 upstream. + +As mentioned in: + commit 474ed23a6257 ("xhci: align the last trb before link if it is +easily splittable.") + +A bounce buffer is utilized for ensuring that transfers that span across +ring segments are aligned to the EP's max packet size. However, the device +that is used to map the DMA buffer to is currently using the XHCI HCD, +which does not carry any DMA operations in certain configrations. +Migration to using the sysdev entry was introduced for DWC3 based +implementations where the IOMMU operations are present. + +Replace the reference to the controller device to sysdev instead. This +allows the bounce buffer to be properly mapped to any implementations that +have an IOMMU involved. 
+ +cc: stable@vger.kernel.org +Fixes: 4c39d4b949d3 ("usb: xhci: use bus->sysdev for DMA configuration") +Signed-off-by: Wesley Cheng +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20230915143108.1532163-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-ring.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -798,7 +798,7 @@ static void xhci_giveback_urb_in_irq(str + static void xhci_unmap_td_bounce_buffer(struct xhci_hcd *xhci, + struct xhci_ring *ring, struct xhci_td *td) + { +- struct device *dev = xhci_to_hcd(xhci)->self.controller; ++ struct device *dev = xhci_to_hcd(xhci)->self.sysdev; + struct xhci_segment *seg = td->bounce_seg; + struct urb *urb = td->urb; + size_t len; +@@ -3469,7 +3469,7 @@ static u32 xhci_td_remainder(struct xhci + static int xhci_align_td(struct xhci_hcd *xhci, struct urb *urb, u32 enqd_len, + u32 *trb_buff_len, struct xhci_segment *seg) + { +- struct device *dev = xhci_to_hcd(xhci)->self.controller; ++ struct device *dev = xhci_to_hcd(xhci)->self.sysdev; + unsigned int unalign; + unsigned int max_pkt; + u32 new_buff_len; diff --git a/queue-6.5/x86-alternatives-disable-kasan-in-apply_alternatives.patch b/queue-6.5/x86-alternatives-disable-kasan-in-apply_alternatives.patch new file mode 100644 index 00000000000..6990cf15929 --- /dev/null +++ b/queue-6.5/x86-alternatives-disable-kasan-in-apply_alternatives.patch 
@@ -0,0 +1,76 @@
+From d35652a5fc9944784f6f50a5c979518ff8dacf61 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov"
+Date: Thu, 12 Oct 2023 13:04:24 +0300
+Subject: x86/alternatives: Disable KASAN in apply_alternatives()
+
+From: Kirill A. Shutemov
+
+commit d35652a5fc9944784f6f50a5c979518ff8dacf61 upstream.
+
+Fei has reported that KASAN triggers during apply_alternatives() on
+a 5-level paging machine:
+
+ BUG: KASAN: out-of-bounds in rcu_is_watching()
+ Read of size 4 at addr ff110003ee6419a0 by task swapper/0/0
+ ...
+ __asan_load4()
+ rcu_is_watching()
+ trace_hardirqs_on()
+ text_poke_early()
+ apply_alternatives()
+ ...
+
+On machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57)
+gets patched. It includes KASAN code, where KASAN_SHADOW_START depends on
+__VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled().
+
+KASAN gets confused when apply_alternatives() patches the
+KASAN_SHADOW_START users. A test patch that makes KASAN_SHADOW_START
+static, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue.
+
+Fix it for real by disabling KASAN while the kernel is patching alternatives.
+
+[ mingo: updated the changelog ]
+
+Fixes: 6657fca06e3f ("x86/mm: Allow to boot without LA57 if CONFIG_X86_5LEVEL=y")
+Reported-by: Fei Yang
+Signed-off-by: Kirill A. Shutemov
+Signed-off-by: Ingo Molnar
+Acked-by: Peter Zijlstra (Intel)
+Cc: Linus Torvalds
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231012100424.1456-1-kirill.shutemov@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/alternative.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/arch/x86/kernel/alternative.c
++++ b/arch/x86/kernel/alternative.c
+@@ -403,6 +403,17 @@ void __init_or_module noinline apply_alt
+ u8 insn_buff[MAX_PATCH_LEN];
+
+ DPRINTK(ALT, "alt table %px, -> %px", start, end);
++
++ /*
++ * In the case CONFIG_X86_5LEVEL=y, KASAN_SHADOW_START is defined using
++ * cpu_feature_enabled(X86_FEATURE_LA57) and is therefore patched here.
++ * During the process, KASAN becomes confused seeing partial LA57
++ * conversion and triggers a false-positive out-of-bound report.
++ *
++ * Disable KASAN until the patching is complete.
++ */
++ kasan_disable_current();
++
+ /*
+ * The scan order should be from start to end. A later scanned
+ * alternative code can overwrite previously scanned alternative code.
+@@ -452,6 +463,8 @@ void __init_or_module noinline apply_alt
+
+ text_poke_early(instr, insn_buff, insn_buff_sz);
+ }
++
++ kasan_enable_current();
+ }
+
+ static inline bool is_jcc32(struct insn *insn)
diff --git a/queue-6.5/x86-cpu-fix-amd-erratum-1485-on-zen4-based-cpus.patch b/queue-6.5/x86-cpu-fix-amd-erratum-1485-on-zen4-based-cpus.patch
new file mode 100644
index 00000000000..0f3f0e90e37
--- /dev/null
+++ b/queue-6.5/x86-cpu-fix-amd-erratum-1485-on-zen4-based-cpus.patch
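Review bot: `kasan_enable_current()` sits only at the tail of apply_alternatives(), so an early return added later between the two calls would leave KASAN reporting suppressed for the current task, and nothing at the call site warns about that. I would put a one-line comment on it, `/* pairs with kasan_disable_current() above; every exit path must pass through here */`. The block comment could also state that genuine KASAN reports raised inside the patching loop are silenced for the same window, which is the cost of this workaround. The loop body lies between the two hunks and is not visible, so whether it already has an early exit cannot be confirmed from here.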
@@ -0,0 +1,72 @@
+From f454b18e07f518bcd0c05af17a2239138bff52de Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)"
+Date: Sat, 7 Oct 2023 12:57:02 +0200
+Subject: x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov (AMD)
+
+commit f454b18e07f518bcd0c05af17a2239138bff52de upstream.
+
+Fix erratum #1485 on Zen4 parts where running with STIBP disabled can
+cause an #UD exception. The performance impact of the fix is negligible.
+
+Reported-by: René Rebe
+Signed-off-by: Borislav Petkov (AMD)
+Tested-by: René Rebe
+Cc:
+Link: https://lore.kernel.org/r/D99589F4-BC5D-430B-87B2-72C20370CF57@exactcode.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/msr-index.h | 9 +++++++--
+ arch/x86/kernel/cpu/amd.c | 8 ++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -637,12 +637,17 @@
+ /* AMD Last Branch Record MSRs */
+ #define MSR_AMD64_LBR_SELECT 0xc000010e
+
+-/* Fam 17h MSRs */
+-#define MSR_F17H_IRPERF 0xc00000e9
++/* Zen4 */
++#define MSR_ZEN4_BP_CFG 0xc001102e
++#define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5
+
++/* Zen 2 */
+ #define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3
+ #define MSR_ZEN2_SPECTRAL_CHICKEN_BIT BIT_ULL(1)
+
++/* Fam 17h MSRs */
++#define MSR_F17H_IRPERF 0xc00000e9
++
+ /* Fam 16h MSRs */
+ #define MSR_F16H_L2I_PERF_CTL 0xc0010230
+ #define MSR_F16H_L2I_PERF_CTR 0xc0010231
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -80,6 +80,10 @@ static const int amd_div0[] =
+ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0x00, 0x0, 0x2f, 0xf),
+ AMD_MODEL_RANGE(0x17, 0x50, 0x0, 0x5f, 0xf));
+
++static const int amd_erratum_1485[] =
++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x19, 0x10, 0x0, 0x1f, 0xf),
++ AMD_MODEL_RANGE(0x19, 0x60, 0x0, 0xaf, 0xf));
++
+ static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum)
+ {
+ int osvw_id = *erratum++;
+@@ -1149,6 +1153,10 @@ static void init_amd(struct cpuinfo_x86
+ pr_notice_once("AMD Zen1 DIV0 bug detected. Disable SMT for full protection.\n");
+ setup_force_cpu_bug(X86_BUG_DIV0);
+ }
++
++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR) &&
++ cpu_has_amd_erratum(c, amd_erratum_1485))
++ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT);
+ }
+
+ #ifdef CONFIG_X86_32
diff --git a/queue-6.5/xhci-clear-ehb-bit-only-at-end-of-interrupt-handler.patch b/queue-6.5/xhci-clear-ehb-bit-only-at-end-of-interrupt-handler.patch
new file mode 100644
index 00000000000..9df59b4b6d4
--- /dev/null
+++ b/queue-6.5/xhci-clear-ehb-bit-only-at-end-of-interrupt-handler.patch
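Review bot: The new block at the end of init_amd() drops the return value of `msr_set_bit()` and has no comment, so a failed write leaves the erratum unmitigated without a log line, and a reader cannot tell why guests are skipped. I would add above the `if` a comment such as `/* Erratum 1485: set the shared-BTB fix bit; not attempted under a hypervisor */`, and consider a `pr_warn_once()` when the call returns a negative value. In msr-index.h, `MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT` is a bit index (`5`) while the neighbouring `MSR_ZEN2_SPECTRAL_CHICKEN_BIT` is a mask (`BIT_ULL(1)`); a short comment on the new define saying it is an index for `msr_set_bit()` would keep it from being OR-ed in as a mask. init_amd() starts outside the hunk.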
@@ -0,0 +1,93 @@
+From 15f3ef070933817fac2bcbdb9c85bff9e54e9f80 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Fri, 15 Sep 2023 17:31:07 +0300
+Subject: xhci: Clear EHB bit only at end of interrupt handler
+
+From: Lukas Wunner
+
+commit 15f3ef070933817fac2bcbdb9c85bff9e54e9f80 upstream.
+
+The Event Handler Busy bit shall be cleared by software when the Event
+Ring is empty. The xHC is thereby informed that it may raise another
+interrupt once it has enqueued new events (sec 4.17.2).
+
+However since commit dc0ffbea5729 ("usb: host: xhci: update event ring
+dequeue pointer on purpose"), the EHB bit is already cleared after half
+a segment has been processed.
+
+As a result, spurious interrupts may occur:
+
+- xhci_irq() processes half a segment, clears EHB, continues processing
+ remaining events.
+- xHC enqueues new events. Because EHB has been cleared, xHC sets
+ Interrupt Pending bit. Interrupt moderation countdown begins.
+- Meanwhile xhci_irq() continues processing events. Interrupt
+ moderation countdown reaches zero, so an MSI interrupt is signaled.
+- xhci_irq() empties the Event Ring, clears EHB again and is done.
+- Because an MSI interrupt has been signaled, xhci_irq() is run again.
+ It discovers there's nothing to do and returns IRQ_NONE.
+
+Avoid by clearing the EHB bit only at the end of xhci_irq().
+
+Fixes: dc0ffbea5729 ("usb: host: xhci: update event ring dequeue pointer on purpose")
+Signed-off-by: Lukas Wunner
+Cc: stable@vger.kernel.org # v5.5+
+Cc: Peter Chen
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20230915143108.1532163-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-ring.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index 98389b568633..3e5dc0723a8f 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -2996,7 +2996,8 @@ static int xhci_handle_event(struct xhci_hcd *xhci, struct xhci_interrupter *ir)
+ */
+ static void xhci_update_erst_dequeue(struct xhci_hcd *xhci,
+ struct xhci_interrupter *ir,
+- union xhci_trb *event_ring_deq)
++ union xhci_trb *event_ring_deq,
++ bool clear_ehb)
+ {
+ u64 temp_64;
+ dma_addr_t deq;
+@@ -3017,12 +3018,13 @@ static void xhci_update_erst_dequeue(struct xhci_hcd *xhci,
+ return;
+
+ /* Update HC event ring dequeue pointer */
+- temp_64 &= ERST_PTR_MASK;
++ temp_64 &= ERST_DESI_MASK;
+ temp_64 |= ((u64) deq & (u64) ~ERST_PTR_MASK);
+ }
+
+ /* Clear the event handler busy flag (RW1C) */
+- temp_64 |= ERST_EHB;
++ if (clear_ehb)
++ temp_64 |= ERST_EHB;
+ xhci_write_64(xhci, temp_64, &ir->ir_set->erst_dequeue);
+ }
+
+@@ -3103,7 +3105,7 @@ irqreturn_t xhci_irq(struct usb_hcd *hcd)
+ while (xhci_handle_event(xhci, ir) > 0) {
+ if (event_loop++ < TRBS_PER_SEGMENT / 2)
+ continue;
+- xhci_update_erst_dequeue(xhci, ir, event_ring_deq);
++ xhci_update_erst_dequeue(xhci, ir, event_ring_deq, false);
+ event_ring_deq = ir->event_ring->dequeue;
+
+ /* ring is half-full, force isoc trbs to interrupt more often */
+@@ -3113,7 +3115,7 @@ irqreturn_t xhci_irq(struct usb_hcd *hcd)
+ event_loop = 0;
+ }
+
+- xhci_update_erst_dequeue(xhci, ir, event_ring_deq);
++ xhci_update_erst_dequeue(xhci, ir, event_ring_deq, true);
+ ret = IRQ_HANDLED;
+
+ out:
+--
+2.42.0
+
diff --git a/queue-6.5/xhci-preserve-rsvdp-bits-in-erstba-register-correctly.patch b/queue-6.5/xhci-preserve-rsvdp-bits-in-erstba-register-correctly.patch
new file mode 100644
index 00000000000..1001d57cd6f
--- /dev/null
+++ b/queue-6.5/xhci-preserve-rsvdp-bits-in-erstba-register-correctly.patch
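Review bot: In xhci_update_erst_dequeue() the swap from `ERST_PTR_MASK` to `ERST_DESI_MASK` is not explained in the code or the changelog, although the fix appears to depend on it. EHB is marked RW1C in the comment below, so if the wider mask keeps a set EHB bit in temp_64 (the mask definitions are not on this page), writing it back would clear EHB even when clear_ehb is false. I would add above the mask `/* keep DESI only: EHB is RW1C and is written back solely when clear_ehb is set */`. The mask is applied only inside the conditional block; the register read and the branch condition lie outside the hunk, so whether temp_64 can reach xhci_write_64() unmasked with clear_ehb false cannot be confirmed from here.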
@@ -0,0 +1,55 @@
+From cf97c5e0f7dda2edc15ecd96775fe6c355823784 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Fri, 15 Sep 2023 17:31:08 +0300
+Subject: xhci: Preserve RsvdP bits in ERSTBA register correctly
+
+From: Lukas Wunner
+
+commit cf97c5e0f7dda2edc15ecd96775fe6c355823784 upstream.
+
+xhci_add_interrupter() erroneously preserves only the lowest 4 bits when
+writing the ERSTBA register, not the lowest 6 bits. Fix it.
+
+Migrate the ERST_BASE_RSVDP macro to the modern GENMASK_ULL() syntax to
+avoid a u64 cast.
+
+This was previously fixed by commit 8c1cbec9db1a ("xhci: fix event ring
+segment table related masks and variables in header"), but immediately
+undone by commit b17a57f89f69 ("xhci: Refactor interrupter code for
+initial multi interrupter support.").
+
+Fixes: b17a57f89f69 ("xhci: Refactor interrupter code for initial multi interrupter support.")
+Signed-off-by: Lukas Wunner
+Cc: stable@vger.kernel.org # v6.3+
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20230915143108.1532163-5-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-mem.c | 4 ++--
+ drivers/usb/host/xhci.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -2288,8 +2288,8 @@ xhci_add_interrupter(struct xhci_hcd *xh
+ writel(erst_size, &ir->ir_set->erst_size);
+
+ erst_base = xhci_read_64(xhci, &ir->ir_set->erst_base);
+- erst_base &= ERST_PTR_MASK;
+- erst_base |= (ir->erst.erst_dma_addr & (u64) ~ERST_PTR_MASK);
++ erst_base &= ERST_BASE_RSVDP;
++ erst_base |= ir->erst.erst_dma_addr & ~ERST_BASE_RSVDP;
+ xhci_write_64(xhci, erst_base, &ir->ir_set->erst_base);
+
+ /* Set the event ring dequeue address of this interrupter */
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -514,7 +514,7 @@ struct xhci_intr_reg {
+ #define ERST_SIZE_MASK (0xffff << 16)
+
+ /* erst_base bitmasks */
+-#define ERST_BASE_RSVDP (0x3f)
++#define ERST_BASE_RSVDP (GENMASK_ULL(5, 0))
+
+ /* erst_dequeue bitmasks */
+ /* Dequeue ERST Segment Index (DESI) - Segment number (or alias)
diff --git a/queue-6.5/xhci-track-port-suspend-state-correctly-in-unsuccessful-resume-cases.patch b/queue-6.5/xhci-track-port-suspend-state-correctly-in-unsuccessful-resume-cases.patch
new file mode 100644
index 00000000000..97b4d866260
--- /dev/null
+++ b/queue-6.5/xhci-track-port-suspend-state-correctly-in-unsuccessful-resume-cases.patch
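Review bot: `ir->erst.erst_dma_addr & ~ERST_BASE_RSVDP` in xhci_add_interrupter() silently drops the low six address bits, so a segment-table address that is not 64-byte aligned would be programmed into the controller as a different address with no diagnostic. The allocation is outside the hunk and is presumably aligned; a `WARN_ON_ONCE(ir->erst.erst_dma_addr & ERST_BASE_RSVDP);` ahead of the mask would make that assumption explicit. In xhci.h the macro would also benefit from a comment such as `/* bits 5:0 are RsvdP: read back and preserve on write */`, since the mask has already been regressed once according to the changelog. xhci_add_interrupter() starts and ends outside the hunk.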
@@ -0,0 +1,74 @@
+From d7cdfc319b2bcf6899ab0a05eec0958bc802a9a1 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Fri, 15 Sep 2023 17:31:06 +0300
+Subject: xhci: track port suspend state correctly in unsuccessful resume cases
+
+From: Mathias Nyman
+
+commit d7cdfc319b2bcf6899ab0a05eec0958bc802a9a1 upstream.
+
+xhci-hub.c tracks suspended ports in a suspended_port bitfield.
+This is checked when responding to a Get_Status(PORT) request to see if a
+port in running U0 state was recently resumed, and adds the required
+USB_PORT_STAT_C_SUSPEND change bit in those cases.
+
+The suspended_port bit was left uncleared if a device is disconnected
+during suspend. The bit remained set even when a new device was connected
+and enumerated. The set bit resulted in a incorrect Get_Status(PORT)
+response with a bogus USB_PORT_STAT_C_SUSPEND change
+bit set once the new device reached U0 link state.
+
+USB_PORT_STAT_C_SUSPEND change bit is only used for USB2 ports, but
+xhci-hub keeps track of both USB2 and USB3 suspended ports.
+
+Cc: stable@vger.kernel.org
+Reported-by: Wesley Cheng
+Closes: https://lore.kernel.org/linux-usb/d68aa806-b26a-0e43-42fb-b8067325e967@quicinc.com/
+Fixes: 1d5810b6923c ("xhci: Rework port suspend structures for limited ports.")
+Tested-by: Wesley Cheng
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20230915143108.1532163-3-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-hub.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -1062,19 +1062,19 @@ static void xhci_get_usb3_port_status(st
+ *status |= USB_PORT_STAT_C_CONFIG_ERROR << 16;
+
+ /* USB3 specific wPortStatus bits */
+- if (portsc & PORT_POWER) {
++ if (portsc & PORT_POWER)
+ *status |= USB_SS_PORT_STAT_POWER;
+- /* link state handling */
+- if (link_state == XDEV_U0)
+- bus_state->suspended_ports &= ~(1 << portnum);
+- }
+
+- /* remote wake resume signaling complete */
+- if (bus_state->port_remote_wakeup & (1 << portnum) &&
++ /* no longer suspended or resuming */
++ if (link_state != XDEV_U3 &&
+ link_state != XDEV_RESUME &&
+ link_state != XDEV_RECOVERY) {
+- bus_state->port_remote_wakeup &= ~(1 << portnum);
+- usb_hcd_end_port_resume(&hcd->self, portnum);
++ /* remote wake resume signaling complete */
++ if (bus_state->port_remote_wakeup & (1 << portnum)) {
++ bus_state->port_remote_wakeup &= ~(1 << portnum);
++ usb_hcd_end_port_resume(&hcd->self, portnum);
++ }
++ bus_state->suspended_ports &= ~(1 << portnum);
+ }
+
+ xhci_hub_report_usb3_link_state(xhci, status, portsc);
+@@ -1131,6 +1131,7 @@ static void xhci_get_usb2_port_status(st
+ usb_hcd_end_port_resume(&port->rhub->hcd->self, portnum);
+ }
+ port->rexit_active = 0;
++ bus_state->suspended_ports &= ~(1 << portnum);
+ }
+ }
+
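Review bot: The two added `bus_state->suspended_ports &= ~(1 << portnum);` lines repeat the file's signed-int shift; `~BIT(portnum)` states the intent and stays well defined should portnum ever reach 31 (its range is not visible here). In xhci_get_usb3_port_status() the bit is now cleared on every status query whose link state is not U3, RESUME or RECOVERY, which is wider than the old `link_state == XDEV_U0` test. The comment `/* no longer suspended or resuming */` would be clearer if it said that all remaining link states, including a disconnected port, are deliberately treated as not suspended. Both functions start and end outside their hunks.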