From: Greg Kroah-Hartman Date: Tue, 11 Jul 2023 20:13:57 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.1.39~124 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f027b955d8c9a27aa9d47d46b9e0bccdd5aa8047;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: io_uring-ensure-iopoll-locks-around-deferred-work.patch phy-tegra-xusb-clear-the-driver-reference-in-usb-phy-dev.patch usb-dwc3-gadget-propagate-core-init-errors-to-udc-during-pullup.patch usb-serial-option-add-lara-r6-01b-pids.patch --- diff --git a/queue-5.10/io_uring-ensure-iopoll-locks-around-deferred-work.patch b/queue-5.10/io_uring-ensure-iopoll-locks-around-deferred-work.patch new file mode 100644 index 00000000000..bce4e368e7c --- /dev/null +++ b/queue-5.10/io_uring-ensure-iopoll-locks-around-deferred-work.patch @@ -0,0 +1,82 @@ +From dc27db64bb7d431a853e5dcc5da01718b58bdd29 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Tue, 11 Jul 2023 09:35:30 -0600 +Subject: io_uring: ensure IOPOLL locks around deferred work + +From: Jens Axboe + +No direct upstream commit exists for this issue. It was fixed in +5.18 as part of a larger rework of the completion side. + +io_commit_cqring() writes the CQ ring tail to make it visible, but it +also kicks off any deferred work we have. A ring setup with IOPOLL +does not need any locking around the CQ ring updates, as we're always +under the ctx uring_lock. But if we have deferred work that needs +processing, then io_queue_deferred() assumes that the completion_lock +is held, as it is for !IOPOLL. + +Add a lockdep assertion to check and document this fact, and have +io_iopoll_complete() check if we have deferred work and run that +separately with the appropriate lock grabbed. + +Cc: stable@vger.kernel.org # 5.10, 5.15 +Reported-by: dghost david +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 25 +++++++++++++++++++++---- + 1 file changed, 21 insertions(+), 4 deletions(-) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -1521,6 +1521,8 @@ static void io_kill_timeout(struct io_ki + + static void io_queue_deferred(struct io_ring_ctx *ctx) + { ++ lockdep_assert_held(&ctx->completion_lock); ++ + while (!list_empty(&ctx->defer_list)) { + struct io_defer_entry *de = list_first_entry(&ctx->defer_list, + struct io_defer_entry, list); +@@ -1572,14 +1574,24 @@ static void __io_commit_cqring_flush(str + io_queue_deferred(ctx); + } + +-static inline void io_commit_cqring(struct io_ring_ctx *ctx) ++static inline bool io_commit_needs_flush(struct io_ring_ctx *ctx) ++{ ++ return ctx->off_timeout_used || ctx->drain_active; ++} ++ ++static inline void __io_commit_cqring(struct io_ring_ctx *ctx) + { +- if (unlikely(ctx->off_timeout_used || ctx->drain_active)) +- __io_commit_cqring_flush(ctx); + /* order cqe stores with ring update */ + smp_store_release(&ctx->rings->cq.tail, ctx->cached_cq_tail); + } + ++static inline void io_commit_cqring(struct io_ring_ctx *ctx) ++{ ++ if (unlikely(io_commit_needs_flush(ctx))) ++ __io_commit_cqring_flush(ctx); ++ __io_commit_cqring(ctx); ++} ++ + static inline bool io_sqring_full(struct io_ring_ctx *ctx) + { + struct io_rings *r = ctx->rings; +@@ -2518,7 +2530,12 @@ static void io_iopoll_complete(struct io + io_req_free_batch(&rb, req, &ctx->submit_state); + } + +- io_commit_cqring(ctx); ++ if (io_commit_needs_flush(ctx)) { ++ spin_lock(&ctx->completion_lock); ++ __io_commit_cqring_flush(ctx); ++ spin_unlock(&ctx->completion_lock); ++ } ++ __io_commit_cqring(ctx); + io_cqring_ev_posted_iopoll(ctx); + io_req_free_batch_finish(ctx, &rb); + } diff --git a/queue-5.10/phy-tegra-xusb-clear-the-driver-reference-in-usb-phy-dev.patch b/queue-5.10/phy-tegra-xusb-clear-the-driver-reference-in-usb-phy-dev.patch new file mode 100644 index 00000000000..4266f954b6b --- /dev/null +++ b/queue-5.10/phy-tegra-xusb-clear-the-driver-reference-in-usb-phy-dev.patch @@ -0,0 +1,40 @@ +From c0c2fcb1325d0d4f3b322b5ee49385f8eca2560d Mon Sep 17 00:00:00 2001 +From: EJ Hsu +Date: Fri, 9 Jun 2023 14:29:32 +0800 +Subject: phy: tegra: xusb: Clear the driver reference in usb-phy dev + +From: EJ Hsu + +commit c0c2fcb1325d0d4f3b322b5ee49385f8eca2560d upstream. + +For the dual-role port, it will assign the phy dev to usb-phy dev and +use the port dev driver as the dev driver of usb-phy. + +When we try to destroy the port dev, it will destroy its dev driver +as well. But we did not remove the reference from usb-phy dev. This +might cause the use-after-free issue in KASAN. + +Fixes: e8f7d2f409a1 ("phy: tegra: xusb: Add usb-phy support") +Cc: stable@vger.kernel.org + +Signed-off-by: EJ Hsu +Signed-off-by: Haotien Hsu +Acked-by: Thierry Reding +Acked-by: Jon Hunter +Link: https://lore.kernel.org/r/20230609062932.3276509-1-haotienh@nvidia.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/tegra/xusb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/phy/tegra/xusb.c ++++ b/drivers/phy/tegra/xusb.c +@@ -556,6 +556,7 @@ static void tegra_xusb_port_unregister(s + usb_role_switch_unregister(port->usb_role_sw); + cancel_work_sync(&port->usb_phy_work); + usb_remove_phy(&port->usb_phy); ++ port->usb_phy.dev->driver = NULL; + } + + if (port->ops->remove) diff --git a/queue-5.10/series b/queue-5.10/series index 91fb00d3630..cef83081403 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -211,3 +211,7 @@ nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch dax-fix-dax_mapping_release-use-after-free.patch dax-introduce-alloc_dev_dax_id.patch hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch +io_uring-ensure-iopoll-locks-around-deferred-work.patch +usb-serial-option-add-lara-r6-01b-pids.patch +usb-dwc3-gadget-propagate-core-init-errors-to-udc-during-pullup.patch +phy-tegra-xusb-clear-the-driver-reference-in-usb-phy-dev.patch diff --git a/queue-5.10/usb-dwc3-gadget-propagate-core-init-errors-to-udc-during-pullup.patch b/queue-5.10/usb-dwc3-gadget-propagate-core-init-errors-to-udc-during-pullup.patch new file mode 100644 index 00000000000..bb6f51e78cd --- /dev/null +++ b/queue-5.10/usb-dwc3-gadget-propagate-core-init-errors-to-udc-during-pullup.patch @@ -0,0 +1,52 @@ +From c0aabed9cabe057309779a9e26fe86a113d24dad Mon Sep 17 00:00:00 2001 +From: Krishna Kurapati +Date: Sun, 18 Jun 2023 17:39:49 +0530 +Subject: usb: dwc3: gadget: Propagate core init errors to UDC during pullup + +From: Krishna Kurapati + +commit c0aabed9cabe057309779a9e26fe86a113d24dad upstream. + +In scenarios where pullup relies on resume (get sync) to initialize +the controller and set the run stop bit, then core_init is followed by +gadget_resume which will eventually set run stop bit. + +But in cases where the core_init fails, the return value is not sent +back to udc appropriately. So according to UDC the controller has +started but in reality we never set the run stop bit. + +On systems like Android, there are uevents sent to HAL depending on +whether the configfs_bind / configfs_disconnect were invoked. In the +above mentioned scnenario, if the core init fails, the run stop won't +be set and the cable plug-out won't result in generation of any +disconnect event and userspace would never get any uevent regarding +cable plug out and we never call pullup(0) again. Furthermore none of +the next Plug-In/Plug-Out's would be known to configfs. + +Return back the appropriate result to UDC to let the userspace/ +configfs know that the pullup failed so they can take appropriate +action. + +Fixes: 77adb8bdf422 ("usb: dwc3: gadget: Allow runtime suspend if UDC unbinded") +Cc: stable +Signed-off-by: Krishna Kurapati +Acked-by: Thinh Nguyen +Message-ID: <20230618120949.14868-1-quic_kriskura@quicinc.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2215,7 +2215,9 @@ static int dwc3_gadget_pullup(struct usb + ret = pm_runtime_get_sync(dwc->dev); + if (!ret || ret < 0) { + pm_runtime_put(dwc->dev); +- return 0; ++ if (ret < 0) ++ pm_runtime_set_suspended(dwc->dev); ++ return ret; + } + + if (dwc->pullups_connected == is_on) { diff --git a/queue-5.10/usb-serial-option-add-lara-r6-01b-pids.patch b/queue-5.10/usb-serial-option-add-lara-r6-01b-pids.patch new file mode 100644 index 00000000000..2e014e97597 --- /dev/null +++ b/queue-5.10/usb-serial-option-add-lara-r6-01b-pids.patch @@ -0,0 +1,65 @@ +From ffa5f7a3bf28c1306eef85d4056539c2d4b8eb09 Mon Sep 17 00:00:00 2001 +From: Davide Tronchin +Date: Thu, 22 Jun 2023 11:29:21 +0200 +Subject: USB: serial: option: add LARA-R6 01B PIDs + +From: Davide Tronchin + +commit ffa5f7a3bf28c1306eef85d4056539c2d4b8eb09 upstream. + +The new LARA-R6 product variant identified by the "01B" string can be +configured (by AT interface) in three different USB modes: + +* Default mode (Vendor ID: 0x1546 Product ID: 0x1311) with 4 serial +interfaces + +* RmNet mode (Vendor ID: 0x1546 Product ID: 0x1312) with 4 serial +interfaces and 1 RmNet virtual network interface + +* CDC-ECM mode (Vendor ID: 0x1546 Product ID: 0x1313) with 4 serial +interface and 1 CDC-ECM virtual network interface +The first 4 interfaces of all the 3 USB configurations (default, RmNet, +CDC-ECM) are the same. + +In default mode LARA-R6 01B exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions + +In RmNet mode LARA-R6 01B exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions +If 4: RMNET interface + +In CDC-ECM mode LARA-R6 01B exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions +If 4: CDC-ECM interface + +Signed-off-by: Davide Tronchin +Link: https://lore.kernel.org/r/20230622092921.12651-1-davide.tronchin.94@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1151,6 +1151,10 @@ static const struct usb_device_id option + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x90fa), + .driver_info = RSVD(3) }, + /* u-blox products */ ++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1311) }, /* u-blox LARA-R6 01B */ ++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1312), /* u-blox LARA-R6 01B (RMNET) */ ++ .driver_info = RSVD(4) }, ++ { USB_DEVICE_INTERFACE_CLASS(UBLOX_VENDOR_ID, 0x1313, 0xff) }, /* u-blox LARA-R6 01B (ECM) */ + { USB_DEVICE(UBLOX_VENDOR_ID, 0x1341) }, /* u-blox LARA-L6 */ + { USB_DEVICE(UBLOX_VENDOR_ID, 0x1342), /* u-blox LARA-L6 (RMNET) */ + .driver_info = RSVD(4) },