From: Greg Kroah-Hartman Date: Mon, 12 Aug 2024 09:40:53 +0000 (+0200) Subject: 6.10-stable patches X-Git-Tag: v6.1.105~89 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f6581e83c0676ce825b4c67173c11c876fbe06e0;p=thirdparty%2Fkernel%2Fstable-queue.git 6.10-stable patches added patches: alsa-hda-add-hp-mp9-g4-retail-system-ams-to-force-connect-list.patch alsa-hda-hdmi-yet-more-pin-fix-for-hp-elitedesk-800-g4.patch alsa-hda-realtek-add-framework-laptop-13-intel-core-ultra-to-quirks.patch alsa-line6-fix-racy-access-to-midibuf.patch drm-amd-display-skip-recompute-dsc-params-if-no-stream-on-link.patch drm-amdgpu-forward-soft-recovery-errors-to-userspace.patch drm-client-fix-null-pointer-dereference-in-drm_client_modeset_probe.patch drm-i915-display-correct-dual-pps-handling-for-mtl_pch.patch drm-i915-gem-adjust-vma-offset-for-framebuffer-mmap-offset.patch drm-i915-gem-fix-virtual-memory-mapping-boundaries-calculation.patch drm-test-fix-the-gem-shmem-test-to-map-the-sg-table.patch io_uring-net-don-t-pick-multiple-buffers-for-non-bundle-send.patch io_uring-net-ensure-expanded-bundle-recv-gets-marked-for-cleanup.patch io_uring-net-ensure-expanded-bundle-send-gets-marked-for-cleanup.patch usb-serial-debug-do-not-echo-input-by-default.patch usb-typec-fsa4480-check-if-the-chip-is-really-there.patch usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch --- diff --git a/queue-6.10/alsa-hda-add-hp-mp9-g4-retail-system-ams-to-force-connect-list.patch b/queue-6.10/alsa-hda-add-hp-mp9-g4-retail-system-ams-to-force-connect-list.patch new file mode 100644 index 00000000000..bb73c2dff69 --- /dev/null +++ b/queue-6.10/alsa-hda-add-hp-mp9-g4-retail-system-ams-to-force-connect-list.patch @@ -0,0 +1,35 @@ +From 7e1e206b99f4b3345aeb49d94584a420b7887f1d Mon Sep 17 00:00:00 2001 +From: Steven 'Steve' Kendall +Date: Tue, 6 Aug 2024 00:08:24 +0000 +Subject: ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list + +From: Steven 'Steve' Kendall + +commit 7e1e206b99f4b3345aeb49d94584a420b7887f1d upstream. + +In recent HP UEFI firmware (likely v2.15 and above, tested on 2.27), +these pins are incorrectly set for HDMI/DP audio. Tested on +HP MP9 G4 Retail System AMS. Tested audio with two monitors connected +via DisplayPort. + +Link: https://forum.manjaro.org/t/intel-cannon-lake-pch-cavs-conexant-cx20632-no-sound-at-hdmi-or-displayport/133494 +Link: https://bbs.archlinux.org/viewtopic.php?id=270523 +Signed-off-by: Steven 'Steve' Kendall +Cc: +Link: https://patch.msgid.link/20240806-hdmi-audio-hp-wrongpins-v2-1-d9eb4ad41043@chromium.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_hdmi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -1989,6 +1989,7 @@ static int hdmi_add_cvt(struct hda_codec + } + + static const struct snd_pci_quirk force_connect_list[] = { ++ SND_PCI_QUIRK(0x103c, 0x83ef, "HP MP9 G4 Retail System AMS", 1), + SND_PCI_QUIRK(0x103c, 0x870f, "HP", 1), + SND_PCI_QUIRK(0x103c, 0x871a, "HP", 1), + SND_PCI_QUIRK(0x103c, 0x8711, "HP", 1), diff --git a/queue-6.10/alsa-hda-hdmi-yet-more-pin-fix-for-hp-elitedesk-800-g4.patch b/queue-6.10/alsa-hda-hdmi-yet-more-pin-fix-for-hp-elitedesk-800-g4.patch new file mode 100644 index 00000000000..e3c95f1daee --- /dev/null +++ b/queue-6.10/alsa-hda-hdmi-yet-more-pin-fix-for-hp-elitedesk-800-g4.patch @@ -0,0 +1,30 @@ +From 176fd1511dd9086ab4fa9323cb232177c6235288 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 6 Aug 2024 08:49:16 +0200 +Subject: ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4 + +From: Takashi Iwai + +commit 176fd1511dd9086ab4fa9323cb232177c6235288 upstream. + +HP EliteDesk 800 G4 (PCI SSID 103c:83e2) is another Kabylake machine +where BIOS misses the HDMI pin initializations. Add the quirk entry. + +Cc: +Link: https://patch.msgid.link/20240806064918.11132-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_hdmi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -1989,6 +1989,7 @@ static int hdmi_add_cvt(struct hda_codec + } + + static const struct snd_pci_quirk force_connect_list[] = { ++ SND_PCI_QUIRK(0x103c, 0x83e2, "HP EliteDesk 800 G4", 1), + SND_PCI_QUIRK(0x103c, 0x83ef, "HP MP9 G4 Retail System AMS", 1), + SND_PCI_QUIRK(0x103c, 0x870f, "HP", 1), + SND_PCI_QUIRK(0x103c, 0x871a, "HP", 1), diff --git a/queue-6.10/alsa-hda-realtek-add-framework-laptop-13-intel-core-ultra-to-quirks.patch b/queue-6.10/alsa-hda-realtek-add-framework-laptop-13-intel-core-ultra-to-quirks.patch new file mode 100644 index 00000000000..2fce88d84ef --- /dev/null +++ b/queue-6.10/alsa-hda-realtek-add-framework-laptop-13-intel-core-ultra-to-quirks.patch @@ -0,0 +1,32 @@ +From eb91c456f3714c336f0812dccab422ec0e72bde4 Mon Sep 17 00:00:00 2001 +From: "Dustin L. Howett" +Date: Tue, 6 Aug 2024 21:33:51 -0500 +Subject: ALSA: hda/realtek: Add Framework Laptop 13 (Intel Core Ultra) to quirks + +From: Dustin L. Howett + +commit eb91c456f3714c336f0812dccab422ec0e72bde4 upstream. + +The Framework Laptop 13 (Intel Core Ultra) has an ALC285 that ships in a +similar configuration to the ALC295 in previous models. It requires the +same quirk for headset detection. + +Signed-off-by: Dustin L. Howett +Cc: +Link: https://patch.msgid.link/20240806-alsa-hda-realtek-add-framework-laptop-13-intel-core-ultra-to-quirks-v1-1-42d6ce2dbf14@howett.net +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10671,6 +10671,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x8086, 0x3038, "Intel NUC 13", ALC295_FIXUP_CHROME_BOOK), + SND_PCI_QUIRK(0xf111, 0x0001, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x0006, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + + #if 0 + /* Below is a quirk table taken from the old code. diff --git a/queue-6.10/alsa-line6-fix-racy-access-to-midibuf.patch b/queue-6.10/alsa-line6-fix-racy-access-to-midibuf.patch new file mode 100644 index 00000000000..903a0d329f3 --- /dev/null +++ b/queue-6.10/alsa-line6-fix-racy-access-to-midibuf.patch @@ -0,0 +1,60 @@ +From 15b7a03205b31bc5623378c190d22b7ff60026f1 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 5 Aug 2024 15:01:28 +0200 +Subject: ALSA: line6: Fix racy access to midibuf + +From: Takashi Iwai + +commit 15b7a03205b31bc5623378c190d22b7ff60026f1 upstream. + +There can be concurrent accesses to line6 midibuf from both the URB +completion callback and the rawmidi API access. This could be a cause +of KMSAN warning triggered by syzkaller below (so put as reported-by +here). + +This patch protects the midibuf call of the former code path with a +spinlock for avoiding the possible races. + +Reported-by: syzbot+78eccfb8b3c9a85fc6c5@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/00000000000000949c061df288c5@google.com +Cc: +Link: https://patch.msgid.link/20240805130129.10872-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/line6/driver.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/sound/usb/line6/driver.c ++++ b/sound/usb/line6/driver.c +@@ -286,12 +286,14 @@ static void line6_data_received(struct u + { + struct usb_line6 *line6 = (struct usb_line6 *)urb->context; + struct midi_buffer *mb = &line6->line6midi->midibuf_in; ++ unsigned long flags; + int done; + + if (urb->status == -ESHUTDOWN) + return; + + if (line6->properties->capabilities & LINE6_CAP_CONTROL_MIDI) { ++ spin_lock_irqsave(&line6->line6midi->lock, flags); + done = + line6_midibuf_write(mb, urb->transfer_buffer, urb->actual_length); + +@@ -300,12 +302,15 @@ static void line6_data_received(struct u + dev_dbg(line6->ifcdev, "%d %d buffer overflow - message skipped\n", + done, urb->actual_length); + } ++ spin_unlock_irqrestore(&line6->line6midi->lock, flags); + + for (;;) { ++ spin_lock_irqsave(&line6->line6midi->lock, flags); + done = + line6_midibuf_read(mb, line6->buffer_message, + LINE6_MIDI_MESSAGE_MAXLEN, + LINE6_MIDIBUF_READ_RX); ++ spin_unlock_irqrestore(&line6->line6midi->lock, flags); + + if (done <= 0) + break; diff --git a/queue-6.10/drm-amd-display-skip-recompute-dsc-params-if-no-stream-on-link.patch b/queue-6.10/drm-amd-display-skip-recompute-dsc-params-if-no-stream-on-link.patch new file mode 100644 index 00000000000..4cc7e21d397 --- /dev/null +++ b/queue-6.10/drm-amd-display-skip-recompute-dsc-params-if-no-stream-on-link.patch @@ -0,0 +1,75 @@ +From 50e376f1fe3bf571d0645ddf48ad37eb58323919 Mon Sep 17 00:00:00 2001 +From: Fangzhi Zuo +Date: Fri, 12 Jul 2024 16:30:03 -0400 +Subject: drm/amd/display: Skip Recompute DSC Params if no Stream on Link + +From: Fangzhi Zuo + +commit 50e376f1fe3bf571d0645ddf48ad37eb58323919 upstream. + +[why] +Encounter NULL pointer dereference uner mst + dsc setup. + +BUG: kernel NULL pointer dereference, address: 0000000000000008 + PGD 0 P4D 0 + Oops: 0000 [#1] PREEMPT SMP NOPTI + CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2 + Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022 + RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper] + Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8> + RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293 + RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224 + RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280 + RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850 + R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000 + R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224 + FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0 + Call Trace: + + ? __die+0x23/0x70 + ? page_fault_oops+0x171/0x4e0 + ? plist_add+0xbe/0x100 + ? exc_page_fault+0x7c/0x180 + ? asm_exc_page_fault+0x26/0x30 + ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026] + ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026] + compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054] + ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054] + compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054] + amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054] + drm_atomic_check_only+0x5c5/0xa40 + drm_mode_atomic_ioctl+0x76e/0xbc0 + +[how] +dsc recompute should be skipped if no mode change detected on the new +request. If detected, keep checking whether the stream is already on +current state or not. + +Cc: Mario Limonciello +Cc: Alex Deucher +Cc: stable@vger.kernel.org +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Fangzhi Zuo +Signed-off-by: Wayne Lin +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit 8151a6c13111b465dbabe07c19f572f7cbd16fef) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +@@ -1264,6 +1264,9 @@ static bool is_dsc_need_re_compute( + } + } + ++ if (new_stream_on_link_num == 0) ++ return false; ++ + /* check current_state if there stream on link but it is not in + * new request state + */ diff --git a/queue-6.10/drm-amdgpu-forward-soft-recovery-errors-to-userspace.patch b/queue-6.10/drm-amdgpu-forward-soft-recovery-errors-to-userspace.patch new file mode 100644 index 00000000000..5d23bcd5981 --- /dev/null +++ b/queue-6.10/drm-amdgpu-forward-soft-recovery-errors-to-userspace.patch @@ -0,0 +1,42 @@ +From 829798c789f567ef6ba4b084c15b7b5f3bd98d51 Mon Sep 17 00:00:00 2001 +From: Joshua Ashton +Date: Thu, 7 Mar 2024 19:04:31 +0000 +Subject: drm/amdgpu: Forward soft recovery errors to userspace +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Joshua Ashton + +commit 829798c789f567ef6ba4b084c15b7b5f3bd98d51 upstream. + +As we discussed before[1], soft recovery should be +forwarded to userspace, or we can get into a really +bad state where apps will keep submitting hanging +command buffers cascading us to a hard reset. + +1: https://lore.kernel.org/all/bf23d5ed-9a6b-43e7-84ee-8cbfd0d60f18@froggi.es/ +Signed-off-by: Joshua Ashton +Reviewed-by: Marek Olšák +Signed-off-by: Christian König +Signed-off-by: Alex Deucher +(cherry picked from commit 434967aadbbbe3ad9103cc29e9a327de20fdba01) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c +@@ -262,9 +262,8 @@ amdgpu_job_prepare_job(struct drm_sched_ + struct dma_fence *fence = NULL; + int r; + +- /* Ignore soft recovered fences here */ + r = drm_sched_entity_error(s_entity); +- if (r && r != -ENODATA) ++ if (r) + goto error; + + if (!fence && job->gang_submit) diff --git a/queue-6.10/drm-client-fix-null-pointer-dereference-in-drm_client_modeset_probe.patch b/queue-6.10/drm-client-fix-null-pointer-dereference-in-drm_client_modeset_probe.patch new file mode 100644 index 00000000000..48401511a34 --- /dev/null +++ b/queue-6.10/drm-client-fix-null-pointer-dereference-in-drm_client_modeset_probe.patch @@ -0,0 +1,38 @@ +From 113fd6372a5bb3689aba8ef5b8a265ed1529a78f Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Fri, 2 Aug 2024 12:47:36 +0800 +Subject: drm/client: fix null pointer dereference in drm_client_modeset_probe + +From: Ma Ke + +commit 113fd6372a5bb3689aba8ef5b8a265ed1529a78f upstream. + +In drm_client_modeset_probe(), the return value of drm_mode_duplicate() is +assigned to modeset->mode, which will lead to a possible NULL pointer +dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. + +Cc: stable@vger.kernel.org +Fixes: cf13909aee05 ("drm/fb-helper: Move out modeset config code") +Signed-off-by: Ma Ke +Reviewed-by: Thomas Zimmermann +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20240802044736.1570345-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_client_modeset.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/drm_client_modeset.c ++++ b/drivers/gpu/drm/drm_client_modeset.c +@@ -880,6 +880,11 @@ int drm_client_modeset_probe(struct drm_ + + kfree(modeset->mode); + modeset->mode = drm_mode_duplicate(dev, mode); ++ if (!modeset->mode) { ++ ret = -ENOMEM; ++ break; ++ } ++ + drm_connector_get(connector); + modeset->connectors[modeset->num_connectors++] = connector; + modeset->x = offset->x; diff --git a/queue-6.10/drm-i915-display-correct-dual-pps-handling-for-mtl_pch.patch b/queue-6.10/drm-i915-display-correct-dual-pps-handling-for-mtl_pch.patch new file mode 100644 index 00000000000..21a524e8dfa --- /dev/null +++ b/queue-6.10/drm-i915-display-correct-dual-pps-handling-for-mtl_pch.patch @@ -0,0 +1,61 @@ +From 1b85bdb0fadb42f5ef75ddcd259fc1ef13ec04de Mon Sep 17 00:00:00 2001 +From: Dnyaneshwar Bhadane +Date: Thu, 1 Aug 2024 16:41:41 +0530 +Subject: drm/i915/display: correct dual pps handling for MTL_PCH+ + +From: Dnyaneshwar Bhadane + +commit 1b85bdb0fadb42f5ef75ddcd259fc1ef13ec04de upstream. + +On the PCH side the second PPS was introduced in ICP+.Add condition +On MTL_PCH and greater platform also having the second PPS. + +Note that DG1/2 south block only has the single PPS, so need +to exclude the fake DG1/2 PCHs + +Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/11488 +Fixes: 93cbc1accbce ("drm/i915/mtl: Add fake PCH for Meteor Lake") +Cc: # v6.9+ +Signed-off-by: Dnyaneshwar Bhadane +Reviewed-by: Jani Nikula +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20240801111141.574854-1-dnyaneshwar.bhadane@intel.com +(cherry picked from commit da1878b61c8d480c361ba6a39ce8a31c80b65826) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_backlight.c | 3 +++ + drivers/gpu/drm/i915/display/intel_pps.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/i915/display/intel_backlight.c b/drivers/gpu/drm/i915/display/intel_backlight.c +index 071668bfe5d1..6c3333136737 100644 +--- a/drivers/gpu/drm/i915/display/intel_backlight.c ++++ b/drivers/gpu/drm/i915/display/intel_backlight.c +@@ -1449,6 +1449,9 @@ bxt_setup_backlight(struct intel_connector *connector, enum pipe unused) + + static int cnp_num_backlight_controllers(struct drm_i915_private *i915) + { ++ if (INTEL_PCH_TYPE(i915) >= PCH_MTL) ++ return 2; ++ + if (INTEL_PCH_TYPE(i915) >= PCH_DG1) + return 1; + +diff --git a/drivers/gpu/drm/i915/display/intel_pps.c b/drivers/gpu/drm/i915/display/intel_pps.c +index 42306bc4ba86..7ce926241e83 100644 +--- a/drivers/gpu/drm/i915/display/intel_pps.c ++++ b/drivers/gpu/drm/i915/display/intel_pps.c +@@ -351,6 +351,9 @@ static int intel_num_pps(struct drm_i915_private *i915) + if (IS_GEMINILAKE(i915) || IS_BROXTON(i915)) + return 2; + ++ if (INTEL_PCH_TYPE(i915) >= PCH_MTL) ++ return 2; ++ + if (INTEL_PCH_TYPE(i915) >= PCH_DG1) + return 1; + +-- +2.46.0 + diff --git a/queue-6.10/drm-i915-gem-adjust-vma-offset-for-framebuffer-mmap-offset.patch b/queue-6.10/drm-i915-gem-adjust-vma-offset-for-framebuffer-mmap-offset.patch new file mode 100644 index 00000000000..e7dd9f19e76 --- /dev/null +++ b/queue-6.10/drm-i915-gem-adjust-vma-offset-for-framebuffer-mmap-offset.patch @@ -0,0 +1,44 @@ +From 1ac5167b3a90c9820daa64cc65e319b2d958d686 Mon Sep 17 00:00:00 2001 +From: Andi Shyti +Date: Fri, 2 Aug 2024 10:38:49 +0200 +Subject: drm/i915/gem: Adjust vma offset for framebuffer mmap offset + +From: Andi Shyti + +commit 1ac5167b3a90c9820daa64cc65e319b2d958d686 upstream. + +When mapping a framebuffer object, the virtual memory area (VMA) +offset ('vm_pgoff') should be adjusted by the start of the +'vma_node' associated with the object. This ensures that the VMA +offset is correctly aligned with the corresponding offset within +the GGTT aperture. + +Increment vm_pgoff by the start of the vma_node with the offset= +provided by the user. + +Suggested-by: Chris Wilson +Signed-off-by: Andi Shyti +Reviewed-by: Jonathan Cavitt +Reviewed-by: Rodrigo Vivi +Cc: # v4.9+ +[Joonas: Add Cc: stable] +Signed-off-by: Joonas Lahtinen +Link: https://patchwork.freedesktop.org/patch/msgid/20240802083850.103694-2-andi.shyti@linux.intel.com +(cherry picked from commit 60a2066c50058086510c91f404eb582029650970) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gem/i915_gem_mman.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c +@@ -1125,6 +1125,8 @@ int i915_gem_fb_mmap(struct drm_i915_gem + mmo = mmap_offset_attach(obj, mmap_type, NULL); + if (IS_ERR(mmo)) + return PTR_ERR(mmo); ++ ++ vma->vm_pgoff += drm_vma_node_start(&mmo->vma_node); + } + + /* diff --git a/queue-6.10/drm-i915-gem-fix-virtual-memory-mapping-boundaries-calculation.patch b/queue-6.10/drm-i915-gem-fix-virtual-memory-mapping-boundaries-calculation.patch new file mode 100644 index 00000000000..8afc38f746c --- /dev/null +++ b/queue-6.10/drm-i915-gem-fix-virtual-memory-mapping-boundaries-calculation.patch @@ -0,0 +1,126 @@ +From 8bdd9ef7e9b1b2a73e394712b72b22055e0e26c3 Mon Sep 17 00:00:00 2001 +From: Andi Shyti +Date: Fri, 2 Aug 2024 10:38:50 +0200 +Subject: drm/i915/gem: Fix Virtual Memory mapping boundaries calculation + +From: Andi Shyti + +commit 8bdd9ef7e9b1b2a73e394712b72b22055e0e26c3 upstream. + +Calculating the size of the mapped area as the lesser value +between the requested size and the actual size does not consider +the partial mapping offset. This can cause page fault access. + +Fix the calculation of the starting and ending addresses, the +total size is now deduced from the difference between the end and +start addresses. + +Additionally, the calculations have been rewritten in a clearer +and more understandable form. + +Fixes: c58305af1835 ("drm/i915: Use remap_io_mapping() to prefault all PTE in a single pass") +Reported-by: Jann Horn +Co-developed-by: Chris Wilson +Signed-off-by: Chris Wilson +Signed-off-by: Andi Shyti +Cc: Joonas Lahtinen +Cc: Matthew Auld +Cc: Rodrigo Vivi +Cc: # v4.9+ +Reviewed-by: Jann Horn +Reviewed-by: Jonathan Cavitt +[Joonas: Add Requires: tag] +Requires: 60a2066c5005 ("drm/i915/gem: Adjust vma offset for framebuffer mmap offset") +Signed-off-by: Joonas Lahtinen +Link: https://patchwork.freedesktop.org/patch/msgid/20240802083850.103694-3-andi.shyti@linux.intel.com +(cherry picked from commit 97b6784753da06d9d40232328efc5c5367e53417) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gem/i915_gem_mman.c | 53 +++++++++++++++++++++++++++---- + 1 file changed, 47 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c +@@ -290,6 +290,41 @@ out: + return i915_error_to_vmf_fault(err); + } + ++static void set_address_limits(struct vm_area_struct *area, ++ struct i915_vma *vma, ++ unsigned long obj_offset, ++ unsigned long *start_vaddr, ++ unsigned long *end_vaddr) ++{ ++ unsigned long vm_start, vm_end, vma_size; /* user's memory parameters */ ++ long start, end; /* memory boundaries */ ++ ++ /* ++ * Let's move into the ">> PAGE_SHIFT" ++ * domain to be sure not to lose bits ++ */ ++ vm_start = area->vm_start >> PAGE_SHIFT; ++ vm_end = area->vm_end >> PAGE_SHIFT; ++ vma_size = vma->size >> PAGE_SHIFT; ++ ++ /* ++ * Calculate the memory boundaries by considering the offset ++ * provided by the user during memory mapping and the offset ++ * provided for the partial mapping. ++ */ ++ start = vm_start; ++ start -= obj_offset; ++ start += vma->gtt_view.partial.offset; ++ end = start + vma_size; ++ ++ start = max_t(long, start, vm_start); ++ end = min_t(long, end, vm_end); ++ ++ /* Let's move back into the "<< PAGE_SHIFT" domain */ ++ *start_vaddr = (unsigned long)start << PAGE_SHIFT; ++ *end_vaddr = (unsigned long)end << PAGE_SHIFT; ++} ++ + static vm_fault_t vm_fault_gtt(struct vm_fault *vmf) + { + #define MIN_CHUNK_PAGES (SZ_1M >> PAGE_SHIFT) +@@ -302,14 +337,18 @@ static vm_fault_t vm_fault_gtt(struct vm + struct i915_ggtt *ggtt = to_gt(i915)->ggtt; + bool write = area->vm_flags & VM_WRITE; + struct i915_gem_ww_ctx ww; ++ unsigned long obj_offset; ++ unsigned long start, end; /* memory boundaries */ + intel_wakeref_t wakeref; + struct i915_vma *vma; + pgoff_t page_offset; ++ unsigned long pfn; + int srcu; + int ret; + +- /* We don't use vmf->pgoff since that has the fake offset */ ++ obj_offset = area->vm_pgoff - drm_vma_node_start(&mmo->vma_node); + page_offset = (vmf->address - area->vm_start) >> PAGE_SHIFT; ++ page_offset += obj_offset; + + trace_i915_gem_object_fault(obj, page_offset, true, write); + +@@ -402,12 +441,14 @@ retry: + if (ret) + goto err_unpin; + ++ set_address_limits(area, vma, obj_offset, &start, &end); ++ ++ pfn = (ggtt->gmadr.start + i915_ggtt_offset(vma)) >> PAGE_SHIFT; ++ pfn += (start - area->vm_start) >> PAGE_SHIFT; ++ pfn += obj_offset - vma->gtt_view.partial.offset; ++ + /* Finally, remap it using the new GTT offset */ +- ret = remap_io_mapping(area, +- area->vm_start + (vma->gtt_view.partial.offset << PAGE_SHIFT), +- (ggtt->gmadr.start + i915_ggtt_offset(vma)) >> PAGE_SHIFT, +- min_t(u64, vma->size, area->vm_end - area->vm_start), +- &ggtt->iomap); ++ ret = remap_io_mapping(area, start, pfn, end - start, &ggtt->iomap); + if (ret) + goto err_fence; + diff --git a/queue-6.10/drm-test-fix-the-gem-shmem-test-to-map-the-sg-table.patch b/queue-6.10/drm-test-fix-the-gem-shmem-test-to-map-the-sg-table.patch new file mode 100644 index 00000000000..3bd061eaab3 --- /dev/null +++ b/queue-6.10/drm-test-fix-the-gem-shmem-test-to-map-the-sg-table.patch @@ -0,0 +1,49 @@ +From 62b45bab010d1b0cea6166f818f1cd0666a6d8d8 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Mon, 15 Jul 2024 18:35:51 +1000 +Subject: drm/test: fix the gem shmem test to map the sg table. + +From: Dave Airlie + +commit 62b45bab010d1b0cea6166f818f1cd0666a6d8d8 upstream. + +The test here creates an sg table, but never maps it, when +we get to drm_gem_shmem_free, the helper tries to unmap and this +causes warnings on some platforms and debug kernels. + +This also sets a 64-bit dma mask, as I see an swiotlb warning if I +stick with the default 32-bit one. + +Fixes: 93032ae634d4 ("drm/test: add a test suite for GEM objects backed by shmem") +Cc: stable@vger.kernel.org +Signed-off-by: Dave Airlie +Reviewed-by: Michael J. Ruhl +Acked-by: Daniel Vetter +Reviewed-by: Marco Pagani +Link: https://patchwork.freedesktop.org/patch/msgid/20240715083551.777807-1-airlied@gmail.com +Signed-off-by: Maxime Ripard +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/tests/drm_gem_shmem_test.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/gpu/drm/tests/drm_gem_shmem_test.c ++++ b/drivers/gpu/drm/tests/drm_gem_shmem_test.c +@@ -102,6 +102,17 @@ static void drm_gem_shmem_test_obj_creat + + sg_init_one(sgt->sgl, buf, TEST_SIZE); + ++ /* ++ * Set the DMA mask to 64-bits and map the sgtables ++ * otherwise drm_gem_shmem_free will cause a warning ++ * on debug kernels. ++ */ ++ ret = dma_set_mask(drm_dev->dev, DMA_BIT_MASK(64)); ++ KUNIT_ASSERT_EQ(test, ret, 0); ++ ++ ret = dma_map_sgtable(drm_dev->dev, sgt, DMA_BIDIRECTIONAL, 0); ++ KUNIT_ASSERT_EQ(test, ret, 0); ++ + /* Init a mock DMA-BUF */ + buf_mock.size = TEST_SIZE; + attach_mock.dmabuf = &buf_mock; diff --git a/queue-6.10/io_uring-net-don-t-pick-multiple-buffers-for-non-bundle-send.patch b/queue-6.10/io_uring-net-don-t-pick-multiple-buffers-for-non-bundle-send.patch new file mode 100644 index 00000000000..fb1c62b2381 --- /dev/null +++ b/queue-6.10/io_uring-net-don-t-pick-multiple-buffers-for-non-bundle-send.patch @@ -0,0 +1,43 @@ +From 8fe8ac24adcd76b12edbfdefa078567bfff117d4 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Wed, 7 Aug 2024 15:09:33 -0600 +Subject: io_uring/net: don't pick multiple buffers for non-bundle send + +From: Jens Axboe + +commit 8fe8ac24adcd76b12edbfdefa078567bfff117d4 upstream. + +If a send is issued marked with IOSQE_BUFFER_SELECT for selecting a +buffer, unless it's a bundle, it should not select multiple buffers. + +Cc: stable@vger.kernel.org +Fixes: a05d1f625c7a ("io_uring/net: support bundles for send") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/net.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -591,17 +591,18 @@ retry_bundle: + .iovs = &kmsg->fast_iov, + .max_len = INT_MAX, + .nr_iovs = 1, +- .mode = KBUF_MODE_EXPAND, + }; + + if (kmsg->free_iov) { + arg.nr_iovs = kmsg->free_iov_nr; + arg.iovs = kmsg->free_iov; +- arg.mode |= KBUF_MODE_FREE; ++ arg.mode = KBUF_MODE_FREE; + } + + if (!(sr->flags & IORING_RECVSEND_BUNDLE)) + arg.nr_iovs = 1; ++ else ++ arg.mode |= KBUF_MODE_EXPAND; + + ret = io_buffers_select(req, &arg, issue_flags); + if (unlikely(ret < 0)) diff --git a/queue-6.10/io_uring-net-ensure-expanded-bundle-recv-gets-marked-for-cleanup.patch b/queue-6.10/io_uring-net-ensure-expanded-bundle-recv-gets-marked-for-cleanup.patch new file mode 100644 index 00000000000..b231b68c10c --- /dev/null +++ b/queue-6.10/io_uring-net-ensure-expanded-bundle-recv-gets-marked-for-cleanup.patch @@ -0,0 +1,31 @@ +From 11893e144ed75be55d99349760513ca104781fc0 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Wed, 7 Aug 2024 15:06:45 -0600 +Subject: io_uring/net: ensure expanded bundle recv gets marked for cleanup + +From: Jens Axboe + +commit 11893e144ed75be55d99349760513ca104781fc0 upstream. + +If the iovec inside the kmsg isn't already allocated AND one gets +expanded beyond the fixed size, then the request may not already have +been marked for cleanup. Ensure that it is. + +Cc: stable@vger.kernel.org +Fixes: 2f9c9515bdfd ("io_uring/net: support bundles for recv") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/net.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -1084,6 +1084,7 @@ static int io_recv_buf_select(struct io_ + if (arg.iovs != &kmsg->fast_iov && arg.iovs != kmsg->free_iov) { + kmsg->free_iov_nr = ret; + kmsg->free_iov = arg.iovs; ++ req->flags |= REQ_F_NEED_CLEANUP; + } + } else { + void __user *buf; diff --git a/queue-6.10/io_uring-net-ensure-expanded-bundle-send-gets-marked-for-cleanup.patch b/queue-6.10/io_uring-net-ensure-expanded-bundle-send-gets-marked-for-cleanup.patch new file mode 100644 index 00000000000..718f5e9860e --- /dev/null +++ b/queue-6.10/io_uring-net-ensure-expanded-bundle-send-gets-marked-for-cleanup.patch @@ -0,0 +1,31 @@ +From 70ed519ed59da3a92c3acedeb84a30e5a66051ce Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Wed, 7 Aug 2024 15:08:17 -0600 +Subject: io_uring/net: ensure expanded bundle send gets marked for cleanup + +From: Jens Axboe + +commit 70ed519ed59da3a92c3acedeb84a30e5a66051ce upstream. + +If the iovec inside the kmsg isn't already allocated AND one gets +expanded beyond the fixed size, then the request may not already have +been marked for cleanup. Ensure that it is. + +Cc: stable@vger.kernel.org +Fixes: a05d1f625c7a ("io_uring/net: support bundles for send") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/net.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -613,6 +613,7 @@ retry_bundle: + if (arg.iovs != &kmsg->fast_iov && arg.iovs != kmsg->free_iov) { + kmsg->free_iov_nr = ret; + kmsg->free_iov = arg.iovs; ++ req->flags |= REQ_F_NEED_CLEANUP; + } + } + diff --git a/queue-6.10/series b/queue-6.10/series index 1d9e824a159..cfe69b143ef 100644 --- a/queue-6.10/series +++ b/queue-6.10/series @@ -169,3 +169,20 @@ asoc-meson-axg-fifo-fix-irq-scheduling-issue-with-pr.patch cifs-cifs_inval_name_dfs_link_error-correct-the-chec.patch module-warn-about-excessively-long-module-waits.patch module-make-waiting-for-a-concurrent-module-loader-i.patch +drm-i915-gem-fix-virtual-memory-mapping-boundaries-calculation.patch +drm-amd-display-skip-recompute-dsc-params-if-no-stream-on-link.patch +drm-amdgpu-forward-soft-recovery-errors-to-userspace.patch +drm-i915-gem-adjust-vma-offset-for-framebuffer-mmap-offset.patch +drm-client-fix-null-pointer-dereference-in-drm_client_modeset_probe.patch +drm-i915-display-correct-dual-pps-handling-for-mtl_pch.patch +drm-test-fix-the-gem-shmem-test-to-map-the-sg-table.patch +io_uring-net-ensure-expanded-bundle-recv-gets-marked-for-cleanup.patch +io_uring-net-ensure-expanded-bundle-send-gets-marked-for-cleanup.patch +io_uring-net-don-t-pick-multiple-buffers-for-non-bundle-send.patch +alsa-line6-fix-racy-access-to-midibuf.patch +alsa-hda-add-hp-mp9-g4-retail-system-ams-to-force-connect-list.patch +alsa-hda-realtek-add-framework-laptop-13-intel-core-ultra-to-quirks.patch +alsa-hda-hdmi-yet-more-pin-fix-for-hp-elitedesk-800-g4.patch +usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch +usb-serial-debug-do-not-echo-input-by-default.patch +usb-typec-fsa4480-check-if-the-chip-is-really-there.patch diff --git a/queue-6.10/usb-serial-debug-do-not-echo-input-by-default.patch b/queue-6.10/usb-serial-debug-do-not-echo-input-by-default.patch new file mode 100644 index 00000000000..95f068c36c4 --- /dev/null +++ b/queue-6.10/usb-serial-debug-do-not-echo-input-by-default.patch @@ -0,0 +1,69 @@ +From 00af4f3dda1461ec90d892edc10bec6d3c50c554 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= + +Date: Mon, 15 Jul 2024 12:44:53 +0200 +Subject: USB: serial: debug: do not echo input by default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Marczykowski-Górecki + +commit 00af4f3dda1461ec90d892edc10bec6d3c50c554 upstream. + +This driver is intended as a "client" end of the console connection. +When connected to a host it's supposed to receive debug logs, and +possibly allow to interact with whatever debug console is available +there. Feeding messages back, depending on a configuration may cause log +messages be executed as shell commands (which can be really bad if one +is unlucky, imagine a log message like "prevented running `rm -rf +/home`"). In case of Xen, it exposes sysrq-like debug interface, and +feeding it its own logs will pretty quickly hit 'R' for "instant +reboot". + +Contrary to a classic serial console, the USB one cannot be configured +ahead of time, as the device shows up only when target OS is up. And at +the time device is opened to execute relevant ioctl, it's already too +late, especially when logs start flowing shortly after device is +initialized. +Avoid the issue by changing default to no echo for this type of devices. + +Signed-off-by: Marek Marczykowski-Górecki +[ johan: amend summary; disable also ECHONL ] +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/usb_debug.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/serial/usb_debug.c ++++ b/drivers/usb/serial/usb_debug.c +@@ -76,6 +76,11 @@ static void usb_debug_process_read_urb(s + usb_serial_generic_process_read_urb(urb); + } + ++static void usb_debug_init_termios(struct tty_struct *tty) ++{ ++ tty->termios.c_lflag &= ~(ECHO | ECHONL); ++} ++ + static struct usb_serial_driver debug_device = { + .driver = { + .owner = THIS_MODULE, +@@ -85,6 +90,7 @@ static struct usb_serial_driver debug_de + .num_ports = 1, + .bulk_out_size = USB_DEBUG_MAX_PACKET_SIZE, + .break_ctl = usb_debug_break_ctl, ++ .init_termios = usb_debug_init_termios, + .process_read_urb = usb_debug_process_read_urb, + }; + +@@ -96,6 +102,7 @@ static struct usb_serial_driver dbc_devi + .id_table = dbc_id_table, + .num_ports = 1, + .break_ctl = usb_debug_break_ctl, ++ .init_termios = usb_debug_init_termios, + .process_read_urb = usb_debug_process_read_urb, + }; + diff --git a/queue-6.10/usb-typec-fsa4480-check-if-the-chip-is-really-there.patch b/queue-6.10/usb-typec-fsa4480-check-if-the-chip-is-really-there.patch new file mode 100644 index 00000000000..5dc4d5fface --- /dev/null +++ b/queue-6.10/usb-typec-fsa4480-check-if-the-chip-is-really-there.patch @@ -0,0 +1,69 @@ +From e885f5f1f2b43575aa8e4e31404132d77d6663d1 Mon Sep 17 00:00:00 2001 +From: Konrad Dybcio +Date: Mon, 29 Jul 2024 10:42:58 +0200 +Subject: usb: typec: fsa4480: Check if the chip is really there + +From: Konrad Dybcio + +commit e885f5f1f2b43575aa8e4e31404132d77d6663d1 upstream. + +Currently, the driver will happily register the switch/mux devices, and +so long as the i2c master doesn't complain, the user would never know +there's something wrong. + +Add a device id check (based on [1]) and return -ENODEV if the read +fails or returns nonsense. + +Checking the value on a Qualcomm SM6115P-based Lenovo Tab P11 tablet, +the ID mentioned in the datasheet does indeed show up: + fsa4480 1-0042: Found FSA4480 v1.1 (Vendor ID = 0) + +[1] https://www.onsemi.com/pdf/datasheet/fsa4480-d.pdf + +Fixes: 1dc246320c6b ("usb: typec: mux: Add On Semi fsa4480 driver") +Cc: stable +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20240729-topic-fs4480_check-v3-1-f5bf732d3424@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/mux/fsa4480.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/usb/typec/mux/fsa4480.c ++++ b/drivers/usb/typec/mux/fsa4480.c +@@ -13,6 +13,10 @@ + #include + #include + ++#define FSA4480_DEVICE_ID 0x00 ++ #define FSA4480_DEVICE_ID_VENDOR_ID GENMASK(7, 6) ++ #define FSA4480_DEVICE_ID_VERSION_ID GENMASK(5, 3) ++ #define FSA4480_DEVICE_ID_REV_ID GENMASK(2, 0) + #define FSA4480_SWITCH_ENABLE 0x04 + #define FSA4480_SWITCH_SELECT 0x05 + #define FSA4480_SWITCH_STATUS1 0x07 +@@ -251,6 +255,7 @@ static int fsa4480_probe(struct i2c_clie + struct typec_switch_desc sw_desc = { }; + struct typec_mux_desc mux_desc = { }; + struct fsa4480 *fsa; ++ int val = 0; + int ret; + + fsa = devm_kzalloc(dev, sizeof(*fsa), GFP_KERNEL); +@@ -268,6 +273,15 @@ static int fsa4480_probe(struct i2c_clie + if (IS_ERR(fsa->regmap)) + return dev_err_probe(dev, PTR_ERR(fsa->regmap), "failed to initialize regmap\n"); + ++ ret = regmap_read(fsa->regmap, FSA4480_DEVICE_ID, &val); ++ if (ret || !val) ++ return dev_err_probe(dev, -ENODEV, "FSA4480 not found\n"); ++ ++ dev_dbg(dev, "Found FSA4480 v%lu.%lu (Vendor ID = %lu)\n", ++ FIELD_GET(FSA4480_DEVICE_ID_VERSION_ID, val), ++ FIELD_GET(FSA4480_DEVICE_ID_REV_ID, val), ++ FIELD_GET(FSA4480_DEVICE_ID_VENDOR_ID, val)); ++ + /* Safe mode */ + fsa->cur_enable = FSA4480_ENABLE_DEVICE | FSA4480_ENABLE_USB; + fsa->mode = TYPEC_STATE_SAFE; diff --git a/queue-6.10/usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch b/queue-6.10/usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch new file mode 100644 index 00000000000..6e5d67ec555 --- /dev/null +++ b/queue-6.10/usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch @@ -0,0 +1,78 @@ +From afdcfd3d6fcdeca2735ca8d994c5f2d24a368f0a Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 9 Jul 2024 13:38:41 +0200 +Subject: usb: vhci-hcd: Do not drop references before new references are gained + +From: Oliver Neukum + +commit afdcfd3d6fcdeca2735ca8d994c5f2d24a368f0a upstream. + +At a few places the driver carries stale pointers +to references that can still be used. Make sure that does not happen. +This strictly speaking closes ZDI-CAN-22273, though there may be +similar races in the driver. + +Signed-off-by: Oliver Neukum +Cc: stable +Acked-by: Shuah Khan +Link: https://lore.kernel.org/r/20240709113851.14691-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/usbip/vhci_hcd.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/usb/usbip/vhci_hcd.c ++++ b/drivers/usb/usbip/vhci_hcd.c +@@ -745,6 +745,7 @@ static int vhci_urb_enqueue(struct usb_h + * + */ + if (usb_pipedevice(urb->pipe) == 0) { ++ struct usb_device *old; + __u8 type = usb_pipetype(urb->pipe); + struct usb_ctrlrequest *ctrlreq = + (struct usb_ctrlrequest *) urb->setup_packet; +@@ -755,14 +756,15 @@ static int vhci_urb_enqueue(struct usb_h + goto no_need_xmit; + } + ++ old = vdev->udev; + switch (ctrlreq->bRequest) { + case USB_REQ_SET_ADDRESS: + /* set_address may come when a device is reset */ + dev_info(dev, "SetAddress Request (%d) to port %d\n", + ctrlreq->wValue, vdev->rhport); + +- usb_put_dev(vdev->udev); + vdev->udev = usb_get_dev(urb->dev); ++ usb_put_dev(old); + + spin_lock(&vdev->ud.lock); + vdev->ud.status = VDEV_ST_USED; +@@ -781,8 +783,8 @@ static int vhci_urb_enqueue(struct usb_h + usbip_dbg_vhci_hc( + "Not yet?:Get_Descriptor to device 0 (get max pipe size)\n"); + +- usb_put_dev(vdev->udev); + vdev->udev = usb_get_dev(urb->dev); ++ usb_put_dev(old); + goto out; + + default: +@@ -1067,6 +1069,7 @@ static void vhci_shutdown_connection(str + static void vhci_device_reset(struct usbip_device *ud) + { + struct vhci_device *vdev = container_of(ud, struct vhci_device, ud); ++ struct usb_device *old = vdev->udev; + unsigned long flags; + + spin_lock_irqsave(&ud->lock, flags); +@@ -1074,8 +1077,8 @@ static void vhci_device_reset(struct usb + vdev->speed = 0; + vdev->devid = 0; + +- usb_put_dev(vdev->udev); + vdev->udev = NULL; ++ usb_put_dev(old); + + if (ud->tcp_socket) { + sockfd_put(ud->tcp_socket);