From: Greg Kroah-Hartman Date: Mon, 21 Nov 2022 12:01:09 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.19.266~29 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cb6c7dfa9736f96ec2cd3164195c30aec18409ba;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: dm-ioctl-fix-misbehavior-if-list_versions-races-with-module-loading.patch iio-adc-at91_adc-fix-possible-memory-leak-in-at91_adc_allocate_trigger.patch iio-pressure-ms5611-changed-hardcoded-spi-speed-to-value-limited.patch iio-trigger-sysfs-fix-possible-memory-leak-in-iio_sysfs_trig_init.patch input-iforce-invert-valid-length-check-when-fetching-device-ids.patch scsi-zfcp-fix-double-free-of-fsf-request-when-qdio-send-fails.patch serial-8250-fall-back-to-non-dma-rx-if-iir_rdi-occurs.patch serial-8250_lpss-configure-dma-also-w-o-dma-filter.patch slimbus-stream-correct-presence-rate-frequencies.patch speakup-fix-a-segfault-caused-by-switching-consoles.patch usb-add-no_lpm-quirk-for-realforce-87u-keyboard.patch usb-chipidea-fix-deadlock-in-ci_otg_del_timer.patch usb-serial-option-add-fibocom-fm160-0x0111-composition.patch usb-serial-option-add-sierra-wireless-em9191.patch usb-serial-option-add-u-blox-lara-l6-modem.patch usb-serial-option-add-u-blox-lara-r6-00b-modem.patch usb-serial-option-remove-old-lara-r6-pid.patch --- diff --git a/queue-5.4/dm-ioctl-fix-misbehavior-if-list_versions-races-with-module-loading.patch b/queue-5.4/dm-ioctl-fix-misbehavior-if-list_versions-races-with-module-loading.patch new file mode 100644 index 00000000000..ae9e64f36b7 --- /dev/null +++ b/queue-5.4/dm-ioctl-fix-misbehavior-if-list_versions-races-with-module-loading.patch @@ -0,0 +1,70 @@ +From 4fe1ec995483737f3d2a14c3fe1d8fe634972979 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 1 Nov 2022 16:53:35 -0400 +Subject: dm ioctl: fix misbehavior if list_versions races with module loading + +From: Mikulas Patocka + +commit 4fe1ec995483737f3d2a14c3fe1d8fe634972979 upstream. + +__list_versions will first estimate the required space using the +"dm_target_iterate(list_version_get_needed, &needed)" call and then will +fill the space using the "dm_target_iterate(list_version_get_info, +&iter_info)" call. Each of these calls locks the targets using the +"down_read(&_lock)" and "up_read(&_lock)" calls, however between the first +and second "dm_target_iterate" there is no lock held and the target +modules can be loaded at this point, so the second "dm_target_iterate" +call may need more space than what was the first "dm_target_iterate" +returned. + +The code tries to handle this overflow (see the beginning of +list_version_get_info), however this handling is incorrect. + +The code sets "param->data_size = param->data_start + needed" and +"iter_info.end = (char *)vers+len" - "needed" is the size returned by the +first dm_target_iterate call; "len" is the size of the buffer allocated by +userspace. + +"len" may be greater than "needed"; in this case, the code will write up +to "len" bytes into the buffer, however param->data_size is set to +"needed", so it may write data past the param->data_size value. The ioctl +interface copies only up to param->data_size into userspace, thus part of +the result will be truncated. + +Fix this bug by setting "iter_info.end = (char *)vers + needed;" - this +guarantees that the second "dm_target_iterate" call will write only up to +the "needed" buffer and it will exit with "DM_BUFFER_FULL_FLAG" if it +overflows the "needed" space - in this case, userspace will allocate a +larger buffer and retry. + +Note that there is also a bug in list_version_get_needed - we need to add +"strlen(tt->name) + 1" to the needed size, not "strlen(tt->name)". + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-ioctl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -573,7 +573,7 @@ static void list_version_get_needed(stru + size_t *needed = needed_param; + + *needed += sizeof(struct dm_target_versions); +- *needed += strlen(tt->name); ++ *needed += strlen(tt->name) + 1; + *needed += ALIGN_MASK; + } + +@@ -638,7 +638,7 @@ static int __list_versions(struct dm_ioc + iter_info.old_vers = NULL; + iter_info.vers = vers; + iter_info.flags = 0; +- iter_info.end = (char *)vers+len; ++ iter_info.end = (char *)vers + needed; + + /* + * Now loop through filling out the names & versions. diff --git a/queue-5.4/iio-adc-at91_adc-fix-possible-memory-leak-in-at91_adc_allocate_trigger.patch b/queue-5.4/iio-adc-at91_adc-fix-possible-memory-leak-in-at91_adc_allocate_trigger.patch new file mode 100644 index 00000000000..0687c505fe0 --- /dev/null +++ b/queue-5.4/iio-adc-at91_adc-fix-possible-memory-leak-in-at91_adc_allocate_trigger.patch @@ -0,0 +1,37 @@ +From 65f20301607d07ee279b0804d11a05a62a6c1a1c Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Mon, 24 Oct 2022 16:45:11 +0800 +Subject: iio: adc: at91_adc: fix possible memory leak in at91_adc_allocate_trigger() + +From: Yang Yingliang + +commit 65f20301607d07ee279b0804d11a05a62a6c1a1c upstream. + +If iio_trigger_register() returns error, it should call iio_trigger_free() +to give up the reference that hold in iio_trigger_alloc(), so that it can +call iio_trig_release() to free memory when the refcount hit to 0. + +Fixes: 0e589d5fb317 ("ARM: AT91: IIO: Add AT91 ADC driver.") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221024084511.815096-1-yangyingliang@huawei.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/at91_adc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/iio/adc/at91_adc.c ++++ b/drivers/iio/adc/at91_adc.c +@@ -616,8 +616,10 @@ static struct iio_trigger *at91_adc_allo + trig->ops = &at91_adc_trigger_ops; + + ret = iio_trigger_register(trig); +- if (ret) ++ if (ret) { ++ iio_trigger_free(trig); + return NULL; ++ } + + return trig; + } diff --git a/queue-5.4/iio-pressure-ms5611-changed-hardcoded-spi-speed-to-value-limited.patch b/queue-5.4/iio-pressure-ms5611-changed-hardcoded-spi-speed-to-value-limited.patch new file mode 100644 index 00000000000..f008a9e744d --- /dev/null +++ b/queue-5.4/iio-pressure-ms5611-changed-hardcoded-spi-speed-to-value-limited.patch @@ -0,0 +1,32 @@ +From 741cec30cc52058d1c10d415f3b98319887e4f73 Mon Sep 17 00:00:00 2001 +From: Mitja Spes +Date: Fri, 21 Oct 2022 15:58:21 +0200 +Subject: iio: pressure: ms5611: changed hardcoded SPI speed to value limited + +From: Mitja Spes + +commit 741cec30cc52058d1c10d415f3b98319887e4f73 upstream. + +Don't hardcode the ms5611 SPI speed, limit it instead. + +Signed-off-by: Mitja Spes +Fixes: c0644160a8b5 ("iio: pressure: add support for MS5611 pressure and temperature sensor") +Link: https://lore.kernel.org/r/20221021135827.1444793-3-mitja@lxnav.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/pressure/ms5611_spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/pressure/ms5611_spi.c ++++ b/drivers/iio/pressure/ms5611_spi.c +@@ -92,7 +92,7 @@ static int ms5611_spi_probe(struct spi_d + spi_set_drvdata(spi, indio_dev); + + spi->mode = SPI_MODE_0; +- spi->max_speed_hz = 20000000; ++ spi->max_speed_hz = min(spi->max_speed_hz, 20000000U); + spi->bits_per_word = 8; + ret = spi_setup(spi); + if (ret < 0) diff --git a/queue-5.4/iio-trigger-sysfs-fix-possible-memory-leak-in-iio_sysfs_trig_init.patch b/queue-5.4/iio-trigger-sysfs-fix-possible-memory-leak-in-iio_sysfs_trig_init.patch new file mode 100644 index 00000000000..b22f3654458 --- /dev/null +++ b/queue-5.4/iio-trigger-sysfs-fix-possible-memory-leak-in-iio_sysfs_trig_init.patch @@ -0,0 +1,55 @@ +From efa17e90e1711bdb084e3954fa44afb6647331c0 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Sat, 22 Oct 2022 15:42:12 +0800 +Subject: iio: trigger: sysfs: fix possible memory leak in iio_sysfs_trig_init() + +From: Yang Yingliang + +commit efa17e90e1711bdb084e3954fa44afb6647331c0 upstream. + +dev_set_name() allocates memory for name, it need be freed +when device_add() fails, call put_device() to give up the +reference that hold in device_initialize(), so that it can +be freed in kobject_cleanup() when the refcount hit to 0. + +Fault injection test can trigger this: + +unreferenced object 0xffff8e8340a7b4c0 (size 32): + comm "modprobe", pid 243, jiffies 4294678145 (age 48.845s) + hex dump (first 32 bytes): + 69 69 6f 5f 73 79 73 66 73 5f 74 72 69 67 67 65 iio_sysfs_trigge + 72 00 a7 40 83 8e ff ff 00 86 13 c4 f6 ee ff ff r..@............ + backtrace: + [<0000000074999de8>] __kmem_cache_alloc_node+0x1e9/0x360 + [<00000000497fd30b>] __kmalloc_node_track_caller+0x44/0x1a0 + [<000000003636c520>] kstrdup+0x2d/0x60 + [<0000000032f84da2>] kobject_set_name_vargs+0x1e/0x90 + [<0000000092efe493>] dev_set_name+0x4e/0x70 + +Fixes: 1f785681a870 ("staging:iio:trigger sysfs userspace trigger rework.") +Signed-off-by: Yang Yingliang +Cc: +Link: https://lore.kernel.org/r/20221022074212.1386424-1-yangyingliang@huawei.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/trigger/iio-trig-sysfs.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/iio/trigger/iio-trig-sysfs.c ++++ b/drivers/iio/trigger/iio-trig-sysfs.c +@@ -209,9 +209,13 @@ static int iio_sysfs_trigger_remove(int + + static int __init iio_sysfs_trig_init(void) + { ++ int ret; + device_initialize(&iio_sysfs_trig_dev); + dev_set_name(&iio_sysfs_trig_dev, "iio_sysfs_trigger"); +- return device_add(&iio_sysfs_trig_dev); ++ ret = device_add(&iio_sysfs_trig_dev); ++ if (ret) ++ put_device(&iio_sysfs_trig_dev); ++ return ret; + } + module_init(iio_sysfs_trig_init); + diff --git a/queue-5.4/input-iforce-invert-valid-length-check-when-fetching-device-ids.patch b/queue-5.4/input-iforce-invert-valid-length-check-when-fetching-device-ids.patch new file mode 100644 index 00000000000..5815d37a916 --- /dev/null +++ b/queue-5.4/input-iforce-invert-valid-length-check-when-fetching-device-ids.patch @@ -0,0 +1,56 @@ +From b8ebf250997c5fb253582f42bfe98673801ebebd Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Mon, 7 Nov 2022 10:21:40 -0800 +Subject: Input: iforce - invert valid length check when fetching device IDs + +From: Tetsuo Handa + +commit b8ebf250997c5fb253582f42bfe98673801ebebd upstream. + +syzbot is reporting uninitialized value at iforce_init_device() [1], for +commit 6ac0aec6b0a6 ("Input: iforce - allow callers supply data buffer +when fetching device IDs") is checking that valid length is shorter than +bytes to read. Since iforce_get_id_packet() stores valid length when +returning 0, the caller needs to check that valid length is longer than or +equals to bytes to read. + +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Fixes: 6ac0aec6b0a6 ("Input: iforce - allow callers supply data buffer when fetching device IDs") +Link: https://lore.kernel.org/r/531fb432-7396-ad37-ecba-3e42e7f56d5c@I-love.SAKURA.ne.jp +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joystick/iforce/iforce-main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/input/joystick/iforce/iforce-main.c ++++ b/drivers/input/joystick/iforce/iforce-main.c +@@ -273,22 +273,22 @@ int iforce_init_device(struct device *pa + * Get device info. + */ + +- if (!iforce_get_id_packet(iforce, 'M', buf, &len) || len < 3) ++ if (!iforce_get_id_packet(iforce, 'M', buf, &len) && len >= 3) + input_dev->id.vendor = get_unaligned_le16(buf + 1); + else + dev_warn(&iforce->dev->dev, "Device does not respond to id packet M\n"); + +- if (!iforce_get_id_packet(iforce, 'P', buf, &len) || len < 3) ++ if (!iforce_get_id_packet(iforce, 'P', buf, &len) && len >= 3) + input_dev->id.product = get_unaligned_le16(buf + 1); + else + dev_warn(&iforce->dev->dev, "Device does not respond to id packet P\n"); + +- if (!iforce_get_id_packet(iforce, 'B', buf, &len) || len < 3) ++ if (!iforce_get_id_packet(iforce, 'B', buf, &len) && len >= 3) + iforce->device_memory.end = get_unaligned_le16(buf + 1); + else + dev_warn(&iforce->dev->dev, "Device does not respond to id packet B\n"); + +- if (!iforce_get_id_packet(iforce, 'N', buf, &len) || len < 2) ++ if (!iforce_get_id_packet(iforce, 'N', buf, &len) && len >= 2) + ff_effects = buf[1]; + else + dev_warn(&iforce->dev->dev, "Device does not respond to id packet N\n"); diff --git a/queue-5.4/scsi-zfcp-fix-double-free-of-fsf-request-when-qdio-send-fails.patch b/queue-5.4/scsi-zfcp-fix-double-free-of-fsf-request-when-qdio-send-fails.patch new file mode 100644 index 00000000000..79b271c596a --- /dev/null +++ b/queue-5.4/scsi-zfcp-fix-double-free-of-fsf-request-when-qdio-send-fails.patch @@ -0,0 +1,200 @@ +From 0954256e970ecf371b03a6c9af2cf91b9c4085ff Mon Sep 17 00:00:00 2001 +From: Benjamin Block +Date: Wed, 16 Nov 2022 11:50:37 +0100 +Subject: scsi: zfcp: Fix double free of FSF request when qdio send fails + +From: Benjamin Block + +commit 0954256e970ecf371b03a6c9af2cf91b9c4085ff upstream. + +We used to use the wrong type of integer in 'zfcp_fsf_req_send()' to cache +the FSF request ID when sending a new FSF request. This is used in case the +sending fails and we need to remove the request from our internal hash +table again (so we don't keep an invalid reference and use it when we free +the request again). + +In 'zfcp_fsf_req_send()' we used to cache the ID as 'int' (signed and 32 +bit wide), but the rest of the zfcp code (and the firmware specification) +handles the ID as 'unsigned long'/'u64' (unsigned and 64 bit wide [s390x +ELF ABI]). For one this has the obvious problem that when the ID grows +past 32 bit (this can happen reasonably fast) it is truncated to 32 bit +when storing it in the cache variable and so doesn't match the original ID +anymore. The second less obvious problem is that even when the original ID +has not yet grown past 32 bit, as soon as the 32nd bit is set in the +original ID (0x80000000 = 2'147'483'648) we will have a mismatch when we +cast it back to 'unsigned long'. As the cached variable is of a signed +type, the compiler will choose a sign-extending instruction to load the 32 +bit variable into a 64 bit register (e.g.: 'lgf %r11,188(%r15)'). So once +we pass the cached variable into 'zfcp_reqlist_find_rm()' to remove the +request again all the leading zeros will be flipped to ones to extend the +sign and won't match the original ID anymore (this has been observed in +practice). + +If we can't successfully remove the request from the hash table again after +'zfcp_qdio_send()' fails (this happens regularly when zfcp cannot notify +the adapter about new work because the adapter is already gone during +e.g. a ChpID toggle) we will end up with a double free. We unconditionally +free the request in the calling function when 'zfcp_fsf_req_send()' fails, +but because the request is still in the hash table we end up with a stale +memory reference, and once the zfcp adapter is either reset during recovery +or shutdown we end up freeing the same memory twice. + +The resulting stack traces vary depending on the kernel and have no direct +correlation to the place where the bug occurs. Here are three examples that +have been seen in practice: + + list_del corruption. next->prev should be 00000001b9d13800, but was 00000000dead4ead. (next=00000001bd131a00) + ------------[ cut here ]------------ + kernel BUG at lib/list_debug.c:62! + monitor event: 0040 ilc:2 [#1] PREEMPT SMP + Modules linked in: ... + CPU: 9 PID: 1617 Comm: zfcperp0.0.1740 Kdump: loaded + Hardware name: ... + Krnl PSW : 0704d00180000000 00000003cbeea1f8 (__list_del_entry_valid+0x98/0x140) + R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3 + Krnl GPRS: 00000000916d12f1 0000000080000000 000000000000006d 00000003cb665cd6 + 0000000000000001 0000000000000000 0000000000000000 00000000d28d21e8 + 00000000d3844000 00000380099efd28 00000001bd131a00 00000001b9d13800 + 00000000d3290100 0000000000000000 00000003cbeea1f4 00000380099efc70 + Krnl Code: 00000003cbeea1e8: c020004f68a7 larl %r2,00000003cc8d7336 + 00000003cbeea1ee: c0e50027fd65 brasl %r14,00000003cc3e9cb8 + #00000003cbeea1f4: af000000 mc 0,0 + >00000003cbeea1f8: c02000920440 larl %r2,00000003cd12aa78 + 00000003cbeea1fe: c0e500289c25 brasl %r14,00000003cc3fda48 + 00000003cbeea204: b9040043 lgr %r4,%r3 + 00000003cbeea208: b9040051 lgr %r5,%r1 + 00000003cbeea20c: b9040032 lgr %r3,%r2 + Call Trace: + [<00000003cbeea1f8>] __list_del_entry_valid+0x98/0x140 + ([<00000003cbeea1f4>] __list_del_entry_valid+0x94/0x140) + [<000003ff7ff502fe>] zfcp_fsf_req_dismiss_all+0xde/0x150 [zfcp] + [<000003ff7ff49cd0>] zfcp_erp_strategy_do_action+0x160/0x280 [zfcp] + [<000003ff7ff4a22e>] zfcp_erp_strategy+0x21e/0xca0 [zfcp] + [<000003ff7ff4ad34>] zfcp_erp_thread+0x84/0x1a0 [zfcp] + [<00000003cb5eece8>] kthread+0x138/0x150 + [<00000003cb557f3c>] __ret_from_fork+0x3c/0x60 + [<00000003cc4172ea>] ret_from_fork+0xa/0x40 + INFO: lockdep is turned off. + Last Breaking-Event-Address: + [<00000003cc3e9d04>] _printk+0x4c/0x58 + Kernel panic - not syncing: Fatal exception: panic_on_oops + +or: + + Unable to handle kernel pointer dereference in virtual kernel address space + Failing address: 6b6b6b6b6b6b6000 TEID: 6b6b6b6b6b6b6803 + Fault in home space mode while using kernel ASCE. + AS:0000000063b10007 R3:0000000000000024 + Oops: 0038 ilc:3 [#1] SMP + Modules linked in: ... + CPU: 10 PID: 0 Comm: swapper/10 Kdump: loaded + Hardware name: ... + Krnl PSW : 0404d00180000000 000003ff7febaf8e (zfcp_fsf_reqid_check+0x86/0x158 [zfcp]) + R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3 + Krnl GPRS: 5a6f1cfa89c49ac3 00000000aff2c4c8 6b6b6b6b6b6b6b6b 00000000000002a8 + 0000000000000000 0000000000000055 0000000000000000 00000000a8515800 + 0700000000000000 00000000a6e14500 00000000aff2c000 000000008003c44c + 000000008093c700 0000000000000010 00000380009ebba8 00000380009ebb48 + Krnl Code: 000003ff7febaf7e: a7f4003d brc 15,000003ff7febaff8 + 000003ff7febaf82: e32020000004 lg %r2,0(%r2) + #000003ff7febaf88: ec2100388064 cgrj %r2,%r1,8,000003ff7febaff8 + >000003ff7febaf8e: e3b020100020 cg %r11,16(%r2) + 000003ff7febaf94: a774fff7 brc 7,000003ff7febaf82 + 000003ff7febaf98: ec280030007c cgij %r2,0,8,000003ff7febaff8 + 000003ff7febaf9e: e31020080004 lg %r1,8(%r2) + 000003ff7febafa4: e33020000004 lg %r3,0(%r2) + Call Trace: + [<000003ff7febaf8e>] zfcp_fsf_reqid_check+0x86/0x158 [zfcp] + [<000003ff7febbdbc>] zfcp_qdio_int_resp+0x6c/0x170 [zfcp] + [<000003ff7febbf90>] zfcp_qdio_irq_tasklet+0xd0/0x108 [zfcp] + [<0000000061d90a04>] tasklet_action_common.constprop.0+0xdc/0x128 + [<000000006292f300>] __do_softirq+0x130/0x3c0 + [<0000000061d906c6>] irq_exit_rcu+0xfe/0x118 + [<000000006291e818>] do_io_irq+0xc8/0x168 + [<000000006292d516>] io_int_handler+0xd6/0x110 + [<000000006292d596>] psw_idle_exit+0x0/0xa + ([<0000000061d3be50>] arch_cpu_idle+0x40/0xd0) + [<000000006292ceea>] default_idle_call+0x52/0xf8 + [<0000000061de4fa4>] do_idle+0xd4/0x168 + [<0000000061de51fe>] cpu_startup_entry+0x36/0x40 + [<0000000061d4faac>] smp_start_secondary+0x12c/0x138 + [<000000006292d88e>] restart_int_handler+0x6e/0x90 + Last Breaking-Event-Address: + [<000003ff7febaf94>] zfcp_fsf_reqid_check+0x8c/0x158 [zfcp] + Kernel panic - not syncing: Fatal exception in interrupt + +or: + + Unable to handle kernel pointer dereference in virtual kernel address space + Failing address: 523b05d3ae76a000 TEID: 523b05d3ae76a803 + Fault in home space mode while using kernel ASCE. + AS:0000000077c40007 R3:0000000000000024 + Oops: 0038 ilc:3 [#1] SMP + Modules linked in: ... + CPU: 3 PID: 453 Comm: kworker/3:1H Kdump: loaded + Hardware name: ... + Workqueue: kblockd blk_mq_run_work_fn + Krnl PSW : 0404d00180000000 0000000076fc0312 (__kmalloc+0xd2/0x398) + R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3 + Krnl GPRS: ffffffffffffffff 523b05d3ae76abf6 0000000000000000 0000000000092a20 + 0000000000000002 00000007e49b5cc0 00000007eda8f000 0000000000092a20 + 00000007eda8f000 00000003b02856b9 00000000000000a8 523b05d3ae76abf6 + 00000007dd662000 00000007eda8f000 0000000076fc02b2 000003e0037637a0 + Krnl Code: 0000000076fc0302: c004000000d4 brcl 0,76fc04aa + 0000000076fc0308: b904001b lgr %r1,%r11 + #0000000076fc030c: e3106020001a algf %r1,32(%r6) + >0000000076fc0312: e31010000082 xg %r1,0(%r1) + 0000000076fc0318: b9040001 lgr %r0,%r1 + 0000000076fc031c: e30061700082 xg %r0,368(%r6) + 0000000076fc0322: ec59000100d9 aghik %r5,%r9,1 + 0000000076fc0328: e34003b80004 lg %r4,952 + Call Trace: + [<0000000076fc0312>] __kmalloc+0xd2/0x398 + [<0000000076f318f2>] mempool_alloc+0x72/0x1f8 + [<000003ff8027c5f8>] zfcp_fsf_req_create.isra.7+0x40/0x268 [zfcp] + [<000003ff8027f1bc>] zfcp_fsf_fcp_cmnd+0xac/0x3f0 [zfcp] + [<000003ff80280f1a>] zfcp_scsi_queuecommand+0x122/0x1d0 [zfcp] + [<000003ff800b4218>] scsi_queue_rq+0x778/0xa10 [scsi_mod] + [<00000000771782a0>] __blk_mq_try_issue_directly+0x130/0x208 + [<000000007717a124>] blk_mq_request_issue_directly+0x4c/0xa8 + [<000003ff801302e2>] dm_mq_queue_rq+0x2ea/0x468 [dm_mod] + [<0000000077178c12>] blk_mq_dispatch_rq_list+0x33a/0x818 + [<000000007717f064>] __blk_mq_do_dispatch_sched+0x284/0x2f0 + [<000000007717f44c>] __blk_mq_sched_dispatch_requests+0x1c4/0x218 + [<000000007717fa7a>] blk_mq_sched_dispatch_requests+0x52/0x90 + [<0000000077176d74>] __blk_mq_run_hw_queue+0x9c/0xc0 + [<0000000076da6d74>] process_one_work+0x274/0x4d0 + [<0000000076da7018>] worker_thread+0x48/0x560 + [<0000000076daef18>] kthread+0x140/0x160 + [<000000007751d144>] ret_from_fork+0x28/0x30 + Last Breaking-Event-Address: + [<0000000076fc0474>] __kmalloc+0x234/0x398 + Kernel panic - not syncing: Fatal exception: panic_on_oops + +To fix this, simply change the type of the cache variable to 'unsigned +long', like the rest of zfcp and also the argument for +'zfcp_reqlist_find_rm()'. This prevents truncation and wrong sign extension +and so can successfully remove the request from the hash table. + +Fixes: e60a6d69f1f8 ("[SCSI] zfcp: Remove function zfcp_reqlist_find_safe") +Cc: #v2.6.34+ +Signed-off-by: Benjamin Block +Link: https://lore.kernel.org/r/979f6e6019d15f91ba56182f1aaf68d61bf37fc6.1668595505.git.bblock@linux.ibm.com +Reviewed-by: Steffen Maier +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/scsi/zfcp_fsf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/s390/scsi/zfcp_fsf.c ++++ b/drivers/s390/scsi/zfcp_fsf.c +@@ -755,7 +755,7 @@ static int zfcp_fsf_req_send(struct zfcp + const bool is_srb = zfcp_fsf_req_is_status_read_buffer(req); + struct zfcp_adapter *adapter = req->adapter; + struct zfcp_qdio *qdio = adapter->qdio; +- int req_id = req->req_id; ++ unsigned long req_id = req->req_id; + + zfcp_reqlist_add(adapter->req_list, req); + diff --git a/queue-5.4/serial-8250-fall-back-to-non-dma-rx-if-iir_rdi-occurs.patch b/queue-5.4/serial-8250-fall-back-to-non-dma-rx-if-iir_rdi-occurs.patch new file mode 100644 index 00000000000..4d1be02f82f --- /dev/null +++ b/queue-5.4/serial-8250-fall-back-to-non-dma-rx-if-iir_rdi-occurs.patch @@ -0,0 +1,53 @@ +From a931237cbea256aff13bb403da13a97b2d1605d9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Tue, 8 Nov 2022 14:19:49 +0200 +Subject: serial: 8250: Fall back to non-DMA Rx if IIR_RDI occurs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit a931237cbea256aff13bb403da13a97b2d1605d9 upstream. + +DW UART sometimes triggers IIR_RDI during DMA Rx when IIR_RX_TIMEOUT +should have been triggered instead. Since IIR_RDI has higher priority +than IIR_RX_TIMEOUT, this causes the Rx to hang into interrupt loop. +The problem seems to occur at least with some combinations of +small-sized transfers (I've reproduced the problem on Elkhart Lake PSE +UARTs). + +If there's already an on-going Rx DMA and IIR_RDI triggers, fall +graciously back to non-DMA Rx. That is, behave as if IIR_RX_TIMEOUT had +occurred. + +8250_omap already considers IIR_RDI similar to this change so its +nothing unheard of. + +Fixes: 75df022b5f89 ("serial: 8250_dma: Fix RX handling") +Cc: +Co-developed-by: Srikanth Thokala +Signed-off-by: Srikanth Thokala +Co-developed-by: Aman Kumar +Signed-off-by: Aman Kumar +Signed-off-by: Ilpo Järvinen +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221108121952.5497-2-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_port.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -1820,6 +1820,10 @@ EXPORT_SYMBOL_GPL(serial8250_modem_statu + static bool handle_rx_dma(struct uart_8250_port *up, unsigned int iir) + { + switch (iir & 0x3f) { ++ case UART_IIR_RDI: ++ if (!up->dma->rx_running) ++ break; ++ fallthrough; + case UART_IIR_RX_TIMEOUT: + serial8250_rx_dma_flush(up); + /* fall-through */ diff --git a/queue-5.4/serial-8250_lpss-configure-dma-also-w-o-dma-filter.patch b/queue-5.4/serial-8250_lpss-configure-dma-also-w-o-dma-filter.patch new file mode 100644 index 00000000000..19a244d390d --- /dev/null +++ b/queue-5.4/serial-8250_lpss-configure-dma-also-w-o-dma-filter.patch @@ -0,0 +1,66 @@ +From 1bfcbe5805d0cfc83c3544dcd01e0a282c1f6790 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Tue, 8 Nov 2022 14:19:50 +0200 +Subject: serial: 8250_lpss: Configure DMA also w/o DMA filter +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit 1bfcbe5805d0cfc83c3544dcd01e0a282c1f6790 upstream. + +If the platform doesn't use DMA device filter (as is the case with +Elkhart Lake), whole lpss8250_dma_setup() setup is skipped. This +results in skipping also *_maxburst setup which is undesirable. +Refactor lpss8250_dma_setup() to configure DMA even if filter is not +setup. + +Cc: stable +Signed-off-by: Ilpo Järvinen +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221108121952.5497-3-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_lpss.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/tty/serial/8250/8250_lpss.c ++++ b/drivers/tty/serial/8250/8250_lpss.c +@@ -258,8 +258,13 @@ static int lpss8250_dma_setup(struct lps + struct dw_dma_slave *rx_param, *tx_param; + struct device *dev = port->port.dev; + +- if (!lpss->dma_param.dma_dev) ++ if (!lpss->dma_param.dma_dev) { ++ dma = port->dma; ++ if (dma) ++ goto out_configuration_only; ++ + return 0; ++ } + + rx_param = devm_kzalloc(dev, sizeof(*rx_param), GFP_KERNEL); + if (!rx_param) +@@ -270,16 +275,18 @@ static int lpss8250_dma_setup(struct lps + return -ENOMEM; + + *rx_param = lpss->dma_param; +- dma->rxconf.src_maxburst = lpss->dma_maxburst; +- + *tx_param = lpss->dma_param; +- dma->txconf.dst_maxburst = lpss->dma_maxburst; + + dma->fn = lpss8250_dma_filter; + dma->rx_param = rx_param; + dma->tx_param = tx_param; + + port->dma = dma; ++ ++out_configuration_only: ++ dma->rxconf.src_maxburst = lpss->dma_maxburst; ++ dma->txconf.dst_maxburst = lpss->dma_maxburst; ++ + return 0; + } + diff --git a/queue-5.4/series b/queue-5.4/series index e3cda73291b..4e25059bfd6 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -114,3 +114,20 @@ ftrace-fix-null-pointer-dereference-in-ftrace_add_mod.patch ring_buffer-do-not-deactivate-non-existant-pages.patch alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch revert-usb-dwc3-disable-usb-core-phy-management.patch +slimbus-stream-correct-presence-rate-frequencies.patch +speakup-fix-a-segfault-caused-by-switching-consoles.patch +usb-serial-option-add-sierra-wireless-em9191.patch +usb-serial-option-remove-old-lara-r6-pid.patch +usb-serial-option-add-u-blox-lara-r6-00b-modem.patch +usb-serial-option-add-u-blox-lara-l6-modem.patch +usb-serial-option-add-fibocom-fm160-0x0111-composition.patch +usb-add-no_lpm-quirk-for-realforce-87u-keyboard.patch +usb-chipidea-fix-deadlock-in-ci_otg_del_timer.patch +iio-adc-at91_adc-fix-possible-memory-leak-in-at91_adc_allocate_trigger.patch +iio-trigger-sysfs-fix-possible-memory-leak-in-iio_sysfs_trig_init.patch +iio-pressure-ms5611-changed-hardcoded-spi-speed-to-value-limited.patch +dm-ioctl-fix-misbehavior-if-list_versions-races-with-module-loading.patch +serial-8250-fall-back-to-non-dma-rx-if-iir_rdi-occurs.patch +serial-8250_lpss-configure-dma-also-w-o-dma-filter.patch +input-iforce-invert-valid-length-check-when-fetching-device-ids.patch +scsi-zfcp-fix-double-free-of-fsf-request-when-qdio-send-fails.patch diff --git a/queue-5.4/slimbus-stream-correct-presence-rate-frequencies.patch b/queue-5.4/slimbus-stream-correct-presence-rate-frequencies.patch new file mode 100644 index 00000000000..a43d3b24258 --- /dev/null +++ b/queue-5.4/slimbus-stream-correct-presence-rate-frequencies.patch @@ -0,0 +1,38 @@ +From b9c1939627f8185dec8ba6d741e9573a4c7a5834 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 29 Sep 2022 18:52:02 +0200 +Subject: slimbus: stream: correct presence rate frequencies + +From: Krzysztof Kozlowski + +commit b9c1939627f8185dec8ba6d741e9573a4c7a5834 upstream. + +Correct few frequencies in presence rate table - multiplied by 10 +(110250 instead of 11025 Hz). + +Fixes: abb9c9b8b51b ("slimbus: stream: add stream support") +Cc: +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220929165202.410937-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/slimbus/stream.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/slimbus/stream.c ++++ b/drivers/slimbus/stream.c +@@ -67,10 +67,10 @@ static const int slim_presence_rate_tabl + 384000, + 768000, + 0, /* Reserved */ +- 110250, +- 220500, +- 441000, +- 882000, ++ 11025, ++ 22050, ++ 44100, ++ 88200, + 176400, + 352800, + 705600, diff --git a/queue-5.4/speakup-fix-a-segfault-caused-by-switching-consoles.patch b/queue-5.4/speakup-fix-a-segfault-caused-by-switching-consoles.patch new file mode 100644 index 00000000000..00107f6bc16 --- /dev/null +++ b/queue-5.4/speakup-fix-a-segfault-caused-by-switching-consoles.patch @@ -0,0 +1,61 @@ +From 0fc801f8018000c8e64a275a20cb1da7c54e46df Mon Sep 17 00:00:00 2001 +From: Mushahid Hussain +Date: Mon, 10 Oct 2022 21:57:20 +0500 +Subject: speakup: fix a segfault caused by switching consoles + +From: Mushahid Hussain + +commit 0fc801f8018000c8e64a275a20cb1da7c54e46df upstream. + +This patch fixes a segfault by adding a null check on synth in +speakup_con_update(). The segfault can be reproduced as follows: + + - Login into a text console + + - Load speakup and speakup_soft modules + + - Remove speakup_soft + + - Switch to a graphics console + +This is caused by lack of a null check on `synth` in +speakup_con_update(). + +Here's the sequence that causes the segfault: + + - When we remove the speakup_soft, synth_release() sets the synth + to null. + + - After that, when we change the virtual console to graphics + console, vt_notifier_call() is fired, which then calls + speakup_con_update(). + + - Inside speakup_con_update() there's no null check on synth, + so it calls synth_printf(). + + - Inside synth_printf(), synth_buffer_add() and synth_start(), + both access synth, when it is null and causing a segfault. + +Therefore adding a null check on synth solves the issue. + +Fixes: 2610df41489f ("staging: speakup: Add pause command used on switching to graphical mode") +Cc: stable +Signed-off-by: Mushahid Hussain +Signed-off-by: Samuel Thibault +Link: https://lore.kernel.org/r/20221010165720.397042-1-mushi.shar@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/speakup/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/speakup/main.c ++++ b/drivers/staging/speakup/main.c +@@ -1781,7 +1781,7 @@ static void speakup_con_update(struct vc + { + unsigned long flags; + +- if (!speakup_console[vc->vc_num] || spk_parked) ++ if (!speakup_console[vc->vc_num] || spk_parked || !synth) + return; + if (!spin_trylock_irqsave(&speakup_info.spinlock, flags)) + /* Speakup output, discard */ diff --git a/queue-5.4/usb-add-no_lpm-quirk-for-realforce-87u-keyboard.patch b/queue-5.4/usb-add-no_lpm-quirk-for-realforce-87u-keyboard.patch new file mode 100644 index 00000000000..b039f361698 --- /dev/null +++ b/queue-5.4/usb-add-no_lpm-quirk-for-realforce-87u-keyboard.patch @@ -0,0 +1,50 @@ +From 181135bb20dcb184edd89817831b888eb8132741 Mon Sep 17 00:00:00 2001 +From: Nicolas Dumazet +Date: Wed, 9 Nov 2022 13:29:46 +0100 +Subject: usb: add NO_LPM quirk for Realforce 87U Keyboard + +From: Nicolas Dumazet + +commit 181135bb20dcb184edd89817831b888eb8132741 upstream. + +Before adding this quirk, this (mechanical keyboard) device would not be +recognized, logging: + + new full-speed USB device number 56 using xhci_hcd + unable to read config index 0 descriptor/start: -32 + chopping to 0 config(s) + +It would take dozens of plugging/unpuggling cycles for the keyboard to +be recognized. Keyboard seems to simply work after applying this quirk. + +This issue had been reported by users in two places already ([1], [2]) +but nobody tried upstreaming a patch yet. After testing I believe their +suggested fix (DELAY_INIT + NO_LPM + DEVICE_QUALIFIER) was probably a +little overkill. I assume this particular combination was tested because +it had been previously suggested in [3], but only NO_LPM seems +sufficient for this device. + +[1]: https://qiita.com/float168/items/fed43d540c8e2201b543 +[2]: https://blog.kostic.dev/posts/making-the-realforce-87ub-work-with-usb30-on-Ubuntu/ +[3]: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1678477 + +Cc: stable@vger.kernel.org +Signed-off-by: Nicolas Dumazet +Link: https://lore.kernel.org/r/20221109122946.706036-1-ndumazet@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -362,6 +362,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x0781, 0x5583), .driver_info = USB_QUIRK_NO_LPM }, + { USB_DEVICE(0x0781, 0x5591), .driver_info = USB_QUIRK_NO_LPM }, + ++ /* Realforce 87U Keyboard */ ++ { USB_DEVICE(0x0853, 0x011b), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* M-Systems Flash Disk Pioneers */ + { USB_DEVICE(0x08ec, 0x1000), .driver_info = USB_QUIRK_RESET_RESUME }, + diff --git a/queue-5.4/usb-chipidea-fix-deadlock-in-ci_otg_del_timer.patch b/queue-5.4/usb-chipidea-fix-deadlock-in-ci_otg_del_timer.patch new file mode 100644 index 00000000000..f15216f44c7 --- /dev/null +++ b/queue-5.4/usb-chipidea-fix-deadlock-in-ci_otg_del_timer.patch @@ -0,0 +1,56 @@ +From 7a58b8d6021426b796eebfae80983374d9a80a75 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Sun, 18 Sep 2022 11:33:12 +0800 +Subject: usb: chipidea: fix deadlock in ci_otg_del_timer + +From: Duoming Zhou + +commit 7a58b8d6021426b796eebfae80983374d9a80a75 upstream. + +There is a deadlock in ci_otg_del_timer(), the process is +shown below: + + (thread 1) | (thread 2) +ci_otg_del_timer() | ci_otg_hrtimer_func() + ... | + spin_lock_irqsave() //(1) | ... + ... | + hrtimer_cancel() | spin_lock_irqsave() //(2) + (block forever) + +We hold ci->lock in position (1) and use hrtimer_cancel() to +wait ci_otg_hrtimer_func() to stop, but ci_otg_hrtimer_func() +also need ci->lock in position (2). As a result, the +hrtimer_cancel() in ci_otg_del_timer() will be blocked forever. + +This patch extracts hrtimer_cancel() from the protection of +spin_lock_irqsave() in order that the ci_otg_hrtimer_func() +could obtain the ci->lock. + +What`s more, there will be no race happen. Because the +"next_timer" is always under the protection of +spin_lock_irqsave() and we only check whether "next_timer" +equals to NUM_OTG_FSM_TIMERS in the following code. + +Fixes: 3a316ec4c91c ("usb: chipidea: use hrtimer for otg fsm timers") +Cc: stable +Signed-off-by: Duoming Zhou +Link: https://lore.kernel.org/r/20220918033312.94348-1-duoming@zju.edu.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/otg_fsm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/chipidea/otg_fsm.c ++++ b/drivers/usb/chipidea/otg_fsm.c +@@ -256,8 +256,10 @@ static void ci_otg_del_timer(struct ci_h + ci->enabled_otg_timer_bits &= ~(1 << t); + if (ci->next_otg_timer == t) { + if (ci->enabled_otg_timer_bits == 0) { ++ spin_unlock_irqrestore(&ci->lock, flags); + /* No enabled timers after delete it */ + hrtimer_cancel(&ci->otg_fsm_hrtimer); ++ spin_lock_irqsave(&ci->lock, flags); + ci->next_otg_timer = NUM_OTG_FSM_TIMERS; + } else { + /* Find the next timer */ diff --git a/queue-5.4/usb-serial-option-add-fibocom-fm160-0x0111-composition.patch b/queue-5.4/usb-serial-option-add-fibocom-fm160-0x0111-composition.patch new file mode 100644 index 00000000000..806032da675 --- /dev/null +++ b/queue-5.4/usb-serial-option-add-fibocom-fm160-0x0111-composition.patch @@ -0,0 +1,57 @@ +From 148f4b32b4504d8a32cf82049b7b9499a4b299ab Mon Sep 17 00:00:00 2001 +From: Reinhard Speyerer +Date: Wed, 9 Nov 2022 22:24:15 +0100 +Subject: USB: serial: option: add Fibocom FM160 0x0111 composition + +From: Reinhard Speyerer + +commit 148f4b32b4504d8a32cf82049b7b9499a4b299ab upstream. + +Add support for the following Fibocom FM160 composition: + +0x0111: MBIM + MODEM + DIAG + AT + +T: Bus=01 Lev=02 Prnt=125 Port=01 Cnt=02 Dev#= 93 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2cb7 ProdID=0111 Rev= 5.04 +S: Manufacturer=Fibocom +S: Product=Fibocom FM160 Modem_SN:12345678 +S: SerialNumber=12345678 +C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00 +I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Reinhard Speyerer +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -2179,6 +2179,7 @@ static const struct usb_device_id option + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x010a, 0xff) }, /* Fibocom MA510 (ECM mode) */ + { USB_DEVICE_AND_INTERFACE_INFO(0x2cb7, 0x010b, 0xff, 0xff, 0x30) }, /* Fibocom FG150 Diag */ + { USB_DEVICE_AND_INTERFACE_INFO(0x2cb7, 0x010b, 0xff, 0, 0) }, /* Fibocom FG150 AT */ ++ { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0111, 0xff) }, /* Fibocom FM160 (MBIM mode) */ + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x01a0, 0xff) }, /* Fibocom NL668-AM/NL652-EU (laptop MBIM) */ + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x01a2, 0xff) }, /* Fibocom FM101-GL (laptop MBIM) */ + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x01a4, 0xff), /* Fibocom FM101-GL (laptop MBIM) */ diff --git a/queue-5.4/usb-serial-option-add-sierra-wireless-em9191.patch b/queue-5.4/usb-serial-option-add-sierra-wireless-em9191.patch new file mode 100644 index 00000000000..45f65f9760e --- /dev/null +++ b/queue-5.4/usb-serial-option-add-sierra-wireless-em9191.patch @@ -0,0 +1,58 @@ +From df3414b0a245f43476061fddd78cee7d6cff797f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Monin?= +Date: Thu, 13 Oct 2022 16:26:48 +0200 +Subject: USB: serial: option: add Sierra Wireless EM9191 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benoît Monin + +commit df3414b0a245f43476061fddd78cee7d6cff797f upstream. + +Add support for the AT and diag ports, similar to other qualcomm SDX55 +modems. In QDL mode, the modem uses a different device ID and support +is provided by qcserial in commit 11c52d250b34 ("USB: serial: qcserial: +add EM9191 QDL support"). + +T: Bus=08 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 3 Spd=5000 MxCh= 0 +D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 +P: Vendor=1199 ProdID=90d3 Rev=00.06 +S: Manufacturer=Sierra Wireless, Incorporated +S: Product=Sierra Wireless EM9191 +S: SerialNumber=xxxxxxxxxxxxxxxx +C: #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=896mA +I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none) + +Signed-off-by: Benoît Monin +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -581,6 +581,9 @@ static void option_instat_callback(struc + #define OPPO_VENDOR_ID 0x22d9 + #define OPPO_PRODUCT_R11 0x276c + ++/* Sierra Wireless products */ ++#define SIERRA_VENDOR_ID 0x1199 ++#define SIERRA_PRODUCT_EM9191 0x90d3 + + /* Device flags */ + +@@ -2176,6 +2179,8 @@ static const struct usb_device_id option + { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1405, 0xff) }, /* GosunCn GM500 MBIM */ + { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1406, 0xff) }, /* GosunCn GM500 ECM/NCM */ + { USB_DEVICE_AND_INTERFACE_INFO(OPPO_VENDOR_ID, OPPO_PRODUCT_R11, 0xff, 0xff, 0x30) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0xff, 0x30) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0, 0) }, + { } /* Terminating entry */ + }; + MODULE_DEVICE_TABLE(usb, option_ids); diff --git a/queue-5.4/usb-serial-option-add-u-blox-lara-l6-modem.patch b/queue-5.4/usb-serial-option-add-u-blox-lara-l6-modem.patch new file mode 100644 index 00000000000..0d930af4907 --- /dev/null +++ b/queue-5.4/usb-serial-option-add-u-blox-lara-l6-modem.patch @@ -0,0 +1,73 @@ +From c1547f12df8b8e9ca2686accee43213ecd117efe Mon Sep 17 00:00:00 2001 +From: Davide Tronchin +Date: Wed, 16 Nov 2022 16:59:50 +0100 +Subject: USB: serial: option: add u-blox LARA-L6 modem + +From: Davide Tronchin + +commit c1547f12df8b8e9ca2686accee43213ecd117efe upstream. + +Add LARA-L6 PIDs for three different USB compositions. + +LARA-L6 module can be configured (by AT interface) in three different +USB modes: +* Default mode (Vendor ID: 0x1546 Product ID: 0x1341) with 4 serial +interfaces +* RmNet mode (Vendor ID: 0x1546 Product ID: 0x1342) with 4 serial +interfaces and 1 RmNet virtual network interface +* CDC-ECM mode (Vendor ID: 0x1546 Product ID: 0x1343) with 4 serial +interface and 1 CDC-ECM virtual network interface + +In default mode LARA-L6 exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions + +In RmNet mode LARA-L6 exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parset/alternative functions +If 4: RMNET interface + +In CDC-ECM mode LARA-L6 exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parset/alternative functions +If 4: CDC-ECM interface + +Signed-off-by: Davide Tronchin +[ johan: drop PID defines in favour of comments ] +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -162,6 +162,8 @@ static void option_instat_callback(struc + #define NOVATELWIRELESS_PRODUCT_G2 0xA010 + #define NOVATELWIRELESS_PRODUCT_MC551 0xB001 + ++#define UBLOX_VENDOR_ID 0x1546 ++ + /* AMOI PRODUCTS */ + #define AMOI_VENDOR_ID 0x1614 + #define AMOI_PRODUCT_H01 0x0800 +@@ -1130,6 +1132,12 @@ static const struct usb_device_id option + .driver_info = RSVD(4) }, + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x90fa), + .driver_info = RSVD(3) }, ++ /* u-blox products */ ++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1341) }, /* u-blox LARA-L6 */ ++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1342), /* u-blox LARA-L6 (RMNET) */ ++ .driver_info = RSVD(4) }, ++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1343), /* u-blox LARA-L6 (ECM) */ ++ .driver_info = RSVD(4) }, + /* Quectel products using Quectel vendor ID */ + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21, 0xff, 0xff, 0xff), + .driver_info = NUMEP2 }, diff --git a/queue-5.4/usb-serial-option-add-u-blox-lara-r6-00b-modem.patch b/queue-5.4/usb-serial-option-add-u-blox-lara-r6-00b-modem.patch new file mode 100644 index 00000000000..56524c9253a --- /dev/null +++ b/queue-5.4/usb-serial-option-add-u-blox-lara-r6-00b-modem.patch @@ -0,0 +1,38 @@ +From d9e37a5c4d80ea25a7171ab8557a449115554e76 Mon Sep 17 00:00:00 2001 +From: Davide Tronchin +Date: Wed, 16 Nov 2022 16:59:49 +0100 +Subject: USB: serial: option: add u-blox LARA-R6 00B modem + +From: Davide Tronchin + +commit d9e37a5c4d80ea25a7171ab8557a449115554e76 upstream. + +The official LARA-R6 (00B) modem uses 0x908b PID. LARA-R6 00B does not +implement a QMI interface on port 4, the reservation (RSVD(4)) has been +added to meet other companies that implement QMI on that interface. + +LARA-R6 00B USB composition exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions + +Signed-off-by: Davide Tronchin +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1126,6 +1126,8 @@ static const struct usb_device_id option + /* u-blox products using Qualcomm vendor ID */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, UBLOX_PRODUCT_R410M), + .driver_info = RSVD(1) | RSVD(3) }, ++ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x908b), /* u-blox LARA-R6 00B */ ++ .driver_info = RSVD(4) }, + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x90fa), + .driver_info = RSVD(3) }, + /* Quectel products using Quectel vendor ID */ diff --git a/queue-5.4/usb-serial-option-remove-old-lara-r6-pid.patch b/queue-5.4/usb-serial-option-remove-old-lara-r6-pid.patch new file mode 100644 index 00000000000..008ccba30c7 --- /dev/null +++ b/queue-5.4/usb-serial-option-remove-old-lara-r6-pid.patch @@ -0,0 +1,45 @@ +From 2ec106b96afc19698ff934323b633c0729d4c7f8 Mon Sep 17 00:00:00 2001 +From: Davide Tronchin +Date: Wed, 16 Nov 2022 16:59:48 +0100 +Subject: USB: serial: option: remove old LARA-R6 PID + +From: Davide Tronchin + +commit 2ec106b96afc19698ff934323b633c0729d4c7f8 upstream. + +Remove the UBLOX_PRODUCT_R6XX 0x90fa association since LARA-R6 00B final +product uses a new USB composition with different PID. 0x90fa PID used +only by LARA-R6 internal prototypes. + +Move 0x90fa PID directly in the option_ids array since used by other +Qualcomm based modem vendors as pointed out in: + + https://lore.kernel.org/all/6572c4e6-d8bc-b8d3-4396-d879e4e76338@gmail.com + +Signed-off-by: Davide Tronchin +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -240,7 +240,6 @@ static void option_instat_callback(struc + #define QUECTEL_PRODUCT_UC15 0x9090 + /* These u-blox products use Qualcomm's vendor ID */ + #define UBLOX_PRODUCT_R410M 0x90b2 +-#define UBLOX_PRODUCT_R6XX 0x90fa + /* These Yuga products use Qualcomm's vendor ID */ + #define YUGA_PRODUCT_CLM920_NC5 0x9625 + +@@ -1127,7 +1126,7 @@ static const struct usb_device_id option + /* u-blox products using Qualcomm vendor ID */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, UBLOX_PRODUCT_R410M), + .driver_info = RSVD(1) | RSVD(3) }, +- { USB_DEVICE(QUALCOMM_VENDOR_ID, UBLOX_PRODUCT_R6XX), ++ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x90fa), + .driver_info = RSVD(3) }, + /* Quectel products using Quectel vendor ID */ + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21, 0xff, 0xff, 0xff),