From 0c241edadfc33e96ab3081f95b32e11b3499a87b Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 3 Jan 2022 10:52:59 +0100 Subject: [PATCH] 5.15-stable patches added patches: binder-fix-async_free_space-accounting-for-empty-parcels.patch fs-mount_setattr-always-cleanup-mount_kattr.patch input-appletouch-initialize-work-before-device-registration.patch input-spaceball-fix-parsing-of-movement-data-packets.patch mm-damon-dbgfs-fix-struct-pid-leaks-in-dbgfs_target_ids_write.patch net-fix-use-after-free-in-tw_timer_handler.patch nitro_enclaves-use-get_user_pages_unlocked-call-to-handle-mmap-assert.patch perf-intel-pt-fix-parsing-of-vm-time-correlation-arguments.patch perf-script-fix-cpu-filtering-of-a-script-s-switch-events.patch perf-scripts-python-intel-pt-events.py-fix-printing-of-switch-events.patch scsi-vmw_pvscsi-set-residual-data-length-conditionally.patch usb-gadget-f_fs-clear-ffs_eventfd-in-ffs_data_clear.patch usb-mtu3-add-memory-barrier-before-set-gpd-s-hwo.patch usb-mtu3-fix-list_head-check-warning.patch usb-mtu3-set-interval-of-fs-intr-and-isoc-endpoint.patch xhci-fresco-fl1100-controller-should-not-have-broken_msi-quirk-set.patch --- ...e_space-accounting-for-empty-parcels.patch | 46 +++++++ ...t_setattr-always-cleanup-mount_kattr.patch | 44 +++++++ ...lize-work-before-device-registration.patch | 50 ++++++++ ...fix-parsing-of-movement-data-packets.patch | 57 +++++++++ ...-pid-leaks-in-dbgfs_target_ids_write.patch | 55 +++++++++ ...x-use-after-free-in-tw_timer_handler.patch | 85 +++++++++++++ ..._unlocked-call-to-handle-mmap-assert.patch | 64 ++++++++++ ...ing-of-vm-time-correlation-arguments.patch | 53 ++++++++ ...iltering-of-a-script-s-switch-events.patch | 35 ++++++ ...nts.py-fix-printing-of-switch-events.patch | 92 ++++++++++++++ ...t-residual-data-length-conditionally.patch | 69 +++++++++++ queue-5.15/series | 16 +++ ...-clear-ffs_eventfd-in-ffs_data_clear.patch | 115 ++++++++++++++++++ ...-memory-barrier-before-set-gpd-s-hwo.patch | 55 +++++++++ ...usb-mtu3-fix-list_head-check-warning.patch | 47 +++++++ 
...nterval-of-fs-intr-and-isoc-endpoint.patch | 36 ++++++ ...should-not-have-broken_msi-quirk-set.patch | 50 ++++++++ 17 files changed, 969 insertions(+) create mode 100644 queue-5.15/binder-fix-async_free_space-accounting-for-empty-parcels.patch create mode 100644 queue-5.15/fs-mount_setattr-always-cleanup-mount_kattr.patch create mode 100644 queue-5.15/input-appletouch-initialize-work-before-device-registration.patch create mode 100644 queue-5.15/input-spaceball-fix-parsing-of-movement-data-packets.patch create mode 100644 queue-5.15/mm-damon-dbgfs-fix-struct-pid-leaks-in-dbgfs_target_ids_write.patch create mode 100644 queue-5.15/net-fix-use-after-free-in-tw_timer_handler.patch create mode 100644 queue-5.15/nitro_enclaves-use-get_user_pages_unlocked-call-to-handle-mmap-assert.patch create mode 100644 queue-5.15/perf-intel-pt-fix-parsing-of-vm-time-correlation-arguments.patch create mode 100644 queue-5.15/perf-script-fix-cpu-filtering-of-a-script-s-switch-events.patch create mode 100644 queue-5.15/perf-scripts-python-intel-pt-events.py-fix-printing-of-switch-events.patch create mode 100644 queue-5.15/scsi-vmw_pvscsi-set-residual-data-length-conditionally.patch create mode 100644 queue-5.15/usb-gadget-f_fs-clear-ffs_eventfd-in-ffs_data_clear.patch create mode 100644 queue-5.15/usb-mtu3-add-memory-barrier-before-set-gpd-s-hwo.patch create mode 100644 queue-5.15/usb-mtu3-fix-list_head-check-warning.patch create mode 100644 queue-5.15/usb-mtu3-set-interval-of-fs-intr-and-isoc-endpoint.patch create mode 100644 queue-5.15/xhci-fresco-fl1100-controller-should-not-have-broken_msi-quirk-set.patch diff --git a/queue-5.15/binder-fix-async_free_space-accounting-for-empty-parcels.patch b/queue-5.15/binder-fix-async_free_space-accounting-for-empty-parcels.patch new file mode 100644 index 00000000000..b27fd1878e4 --- /dev/null +++ b/queue-5.15/binder-fix-async_free_space-accounting-for-empty-parcels.patch 
@@ -0,0 +1,46 @@ +From cfd0d84ba28c18b531648c9d4a35ecca89ad9901 Mon Sep 17 00:00:00 2001 +From: Todd Kjos +Date: Mon, 20 Dec 2021 11:01:50 -0800 +Subject: binder: fix async_free_space accounting for empty parcels + +From: Todd Kjos + +commit cfd0d84ba28c18b531648c9d4a35ecca89ad9901 upstream. + +In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space") +fixed a kernel structure visibility issue. As part of that patch, +sizeof(void *) was used as the buffer size for 0-length data payloads so +the driver could detect abusive clients sending 0-length asynchronous +transactions to a server by enforcing limits on async_free_size. + +Unfortunately, on the "free" side, the accounting of async_free_space +did not add the sizeof(void *) back. The result was that up to 8-bytes of +async_free_space were leaked on every async transaction of 8-bytes or +less. These small transactions are uncommon, so this accounting issue +has gone undetected for several years. + +The fix is to use "buffer_size" (the allocated buffer size) instead of +"size" (the logical buffer size) when updating the async_free_space +during the free operation. These are the same except for this +corner case of asynchronous transactions with payloads < 8 bytes. 
+ +Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space") +Signed-off-by: Todd Kjos +Cc: stable@vger.kernel.org # 4.14+ +Link: https://lore.kernel.org/r/20211220190150.2107077-1-tkjos@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder_alloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -671,7 +671,7 @@ static void binder_free_buf_locked(struc + BUG_ON(buffer->user_data > alloc->buffer + alloc->buffer_size); + + if (buffer->async_transaction) { +- alloc->free_async_space += size + sizeof(struct binder_buffer); ++ alloc->free_async_space += buffer_size + sizeof(struct binder_buffer); + + binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC, + "%d: binder_free_buf size %zd async free %zd\n", diff --git a/queue-5.15/fs-mount_setattr-always-cleanup-mount_kattr.patch b/queue-5.15/fs-mount_setattr-always-cleanup-mount_kattr.patch new file mode 100644 index 00000000000..62bc8948780 --- /dev/null +++ b/queue-5.15/fs-mount_setattr-always-cleanup-mount_kattr.patch 
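Review bot: The reason `buffer_size` rather than `size` is the right operand on the `free_async_space` line lives only in the commit message, so the next reader of binder_free_buf_locked() may well "fix" it back and reopen the accounting leak. I'd add above the `if (buffer->async_transaction)` block: `/* Credit the allocated size, not the logical one: 0-length async payloads are charged sizeof(void *) at alloc time and must be refunded in full. */`. The debug line that follows still appears to report `size`, which is presumably fine but is now a different number from what was credited for tiny async parcels. binder_free_buf_locked() starts and continues outside the hunk.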
@@ -0,0 +1,44 @@ +From 012e332286e2bb9f6ac77d195f17e74b2963d663 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Thu, 30 Dec 2021 20:23:09 +0100 +Subject: fs/mount_setattr: always cleanup mount_kattr + +From: Christian Brauner + +commit 012e332286e2bb9f6ac77d195f17e74b2963d663 upstream. + +Make sure that finish_mount_kattr() is called after mount_kattr was +succesfully built in both the success and failure case to prevent +leaking any references we took when we built it. We returned early if +path lookup failed thereby risking to leak an additional reference we +took when building mount_kattr when an idmapped mount was requested. + +Cc: linux-fsdevel@vger.kernel.org +Cc: stable@vger.kernel.org +Fixes: 9caccd41541a ("fs: introduce MOUNT_ATTR_IDMAP") +Signed-off-by: Christian Brauner +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/namespace.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -4263,12 +4263,11 @@ SYSCALL_DEFINE5(mount_setattr, int, dfd, + return err; + + err = user_path_at(dfd, path, kattr.lookup_flags, &target); +- if (err) +- return err; +- +- err = do_mount_setattr(&target, &kattr); ++ if (!err) { ++ err = do_mount_setattr(&target, &kattr); ++ path_put(&target); ++ } + finish_mount_kattr(&kattr); +- path_put(&target); + return err; + } + diff --git a/queue-5.15/input-appletouch-initialize-work-before-device-registration.patch b/queue-5.15/input-appletouch-initialize-work-before-device-registration.patch new file mode 100644 index 00000000000..2bda623f6fb --- /dev/null +++ b/queue-5.15/input-appletouch-initialize-work-before-device-registration.patch 
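Review bot: The new shape makes `finish_mount_kattr(&kattr);` the single exit for every path once the kattr has been built, but nothing in the code records that as an invariant, and a future early `return` between `user_path_at()` and it would reintroduce the reference leak this fixes. I'd comment the line: `/* always runs once kattr is built: drops the reference taken when an idmapped mount was requested */`. The `path_put(&target)` now sits inside the `if (!err)` block, which is correct since a failed lookup leaves nothing to put. mount_setattr's body starts outside the hunk.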
@@ -0,0 +1,50 @@ +From 9f3ccdc3f6ef10084ceb3a47df0961bec6196fd0 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 30 Dec 2021 20:57:46 -0800 +Subject: Input: appletouch - initialize work before device registration + +From: Pavel Skripkin + +commit 9f3ccdc3f6ef10084ceb3a47df0961bec6196fd0 upstream. + +Syzbot has reported warning in __flush_work(). This warning is caused by +work->func == NULL, which means missing work initialization. + +This may happen, since input_dev->close() calls +cancel_work_sync(&dev->work), but dev->work initalization happens _after_ +input_register_device() call. + +So this patch moves dev->work initialization before registering input +device + +Fixes: 5a6eb676d3bc ("Input: appletouch - improve powersaving for Geyser3 devices") +Reported-and-tested-by: syzbot+b88c5eae27386b252bbd@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Link: https://lore.kernel.org/r/20211230141151.17300-1-paskripkin@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/mouse/appletouch.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/input/mouse/appletouch.c ++++ b/drivers/input/mouse/appletouch.c +@@ -916,6 +916,8 @@ static int atp_probe(struct usb_interfac + set_bit(BTN_TOOL_TRIPLETAP, input_dev->keybit); + set_bit(BTN_LEFT, input_dev->keybit); + ++ INIT_WORK(&dev->work, atp_reinit); ++ + error = input_register_device(dev->input); + if (error) + goto err_free_buffer; +@@ -923,8 +925,6 @@ static int atp_probe(struct usb_interfac + /* save our data pointer in this interface device */ + usb_set_intfdata(iface, dev); + +- INIT_WORK(&dev->work, atp_reinit); +- + return 0; + + err_free_buffer: diff --git a/queue-5.15/input-spaceball-fix-parsing-of-movement-data-packets.patch b/queue-5.15/input-spaceball-fix-parsing-of-movement-data-packets.patch new file mode 100644 index 00000000000..140cde9a272 --- /dev/null 
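Review bot: The moved `INIT_WORK(&dev->work, atp_reinit);` carries no hint that its position matters, and the bug being fixed was exactly that it sat after registration, so I'd comment it: `/* must precede input_register_device(): input close() may cancel_work_sync() on dev->work */`. With that in place the ordering is self-documenting and the syzbot-reported NULL `work->func` cannot recur by a later reshuffle. atp_probe() starts and ends outside the hunk.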
+++ b/queue-5.15/input-spaceball-fix-parsing-of-movement-data-packets.patch @@ -0,0 +1,57 @@ +From bc7ec91718c49d938849697cfad98fcd9877cc26 Mon Sep 17 00:00:00 2001 +From: "Leo L. Schwab" +Date: Thu, 30 Dec 2021 21:05:00 -0800 +Subject: Input: spaceball - fix parsing of movement data packets + +From: Leo L. Schwab + +commit bc7ec91718c49d938849697cfad98fcd9877cc26 upstream. + +The spaceball.c module was not properly parsing the movement reports +coming from the device. The code read axis data as signed 16-bit +little-endian values starting at offset 2. + +In fact, axis data in Spaceball movement reports are signed 16-bit +big-endian values starting at offset 3. This was determined first by +visually inspecting the data packets, and later verified by consulting: +http://spacemice.org/pdf/SpaceBall_2003-3003_Protocol.pdf + +If this ever worked properly, it was in the time before Git... + +Signed-off-by: Leo L. Schwab +Link: https://lore.kernel.org/r/20211221101630.1146385-1-ewhac@ewhac.org +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joystick/spaceball.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/input/joystick/spaceball.c ++++ b/drivers/input/joystick/spaceball.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + + #define DRIVER_DESC "SpaceTec SpaceBall 2003/3003/4000 FLX driver" + +@@ -75,9 +76,15 @@ static void spaceball_process_packet(str + + case 'D': /* Ball data */ + if (spaceball->idx != 15) return; +- for (i = 0; i < 6; i++) ++ /* ++ * Skip first three bytes; read six axes worth of data. ++ * Axis values are signed 16-bit big-endian. ++ */ ++ data += 3; ++ for (i = 0; i < ARRAY_SIZE(spaceball_axes); i++) { + input_report_abs(dev, spaceball_axes[i], +- (__s16)((data[2 * i + 3] << 8) | data[2 * i + 2])); ++ (__s16)get_unaligned_be16(&data[i * 2])); ++ } + break; + + case 'K': /* Button data */ 
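Review bot: The bound on the new loop depends on two constants that are only implicitly linked: the `spaceball->idx != 15` guard and `ARRAY_SIZE(spaceball_axes)` after the 3-byte skip (3 + 2 * 6 = 15). The guard is what keeps a device-supplied packet from being read past its end, so I'd tie them together, either in the comment, `/* 'D' packet is 15 bytes: 3 header bytes, then ARRAY_SIZE(spaceball_axes) big-endian 16-bit axes */`, or by guarding on `3 + 2 * ARRAY_SIZE(spaceball_axes)` instead of the literal 15. The previous loop ran to a literal 6, so the rewrite is equivalent only if the table has six entries, which the hunk does not show. The added `#include` line has lost its header name in this rendering. spaceball_process_packet() starts and ends outside the hunk.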
diff --git a/queue-5.15/mm-damon-dbgfs-fix-struct-pid-leaks-in-dbgfs_target_ids_write.patch b/queue-5.15/mm-damon-dbgfs-fix-struct-pid-leaks-in-dbgfs_target_ids_write.patch
new file mode 100644
index 00000000000..d7760e47bb5
--- /dev/null
+++ b/queue-5.15/mm-damon-dbgfs-fix-struct-pid-leaks-in-dbgfs_target_ids_write.patch
@@ -0,0 +1,55 @@ +From ebb3f994dd92f8fb4d70c7541091216c1e10cb71 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Thu, 30 Dec 2021 20:12:34 -0800 +Subject: mm/damon/dbgfs: fix 'struct pid' leaks in 'dbgfs_target_ids_write()' + +From: SeongJae Park + +commit ebb3f994dd92f8fb4d70c7541091216c1e10cb71 upstream. + +DAMON debugfs interface increases the reference counts of 'struct pid's +for targets from the 'target_ids' file write callback +('dbgfs_target_ids_write()'), but decreases the counts only in DAMON +monitoring termination callback ('dbgfs_before_terminate()'). + +Therefore, when 'target_ids' file is repeatedly written without DAMON +monitoring start/termination, the reference count is not decreased and +therefore memory for the 'struct pid' cannot be freed. This commit +fixes this issue by decreasing the reference counts when 'target_ids' is +written. + +Link: https://lkml.kernel.org/r/20211229124029.23348-1-sj@kernel.org +Fixes: 4bc05954d007 ("mm/damon: implement a debugfs-based user space interface") +Signed-off-by: SeongJae Park +Cc: [5.15+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/dbgfs.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/mm/damon/dbgfs.c ++++ b/mm/damon/dbgfs.c +@@ -185,6 +185,7 @@ static ssize_t dbgfs_target_ids_write(st + const char __user *buf, size_t count, loff_t *ppos) + { + struct damon_ctx *ctx = file->private_data; ++ struct damon_target *t, *next_t; + char *kbuf, *nrs; + unsigned long *targets; + ssize_t nr_targets; +@@ -224,6 +225,13 @@ static ssize_t dbgfs_target_ids_write(st + goto unlock_out; + } + ++ /* remove previously set targets */ ++ damon_for_each_target_safe(t, next_t, ctx) { ++ if (targetid_is_pid(ctx)) ++ put_pid((struct pid *)t->id); ++ damon_destroy_target(t); ++ } ++ + err = damon_set_targets(ctx, targets, nr_targets); + if (err) { + if (targetid_is_pid(ctx)) 
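Review bot: The new loop destroys every existing target before `damon_set_targets()` is attempted, so a write that then fails leaves the context with no targets instead of the previous set; that is a behaviour change the comment `/* remove previously set targets */` does not mention. If it is intended, say so: `/* remove previously set targets; if damon_set_targets() fails below the context is left empty, not restored */`. The `put_pid()` inside the loop is the actual fix and matches the reference taken on each write; the error path visible at the bottom (`if (targetid_is_pid(ctx))`) presumably handles the new targets separately, but it is cut off here. dbgfs_target_ids_write() continues outside the hunk.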
diff --git a/queue-5.15/net-fix-use-after-free-in-tw_timer_handler.patch b/queue-5.15/net-fix-use-after-free-in-tw_timer_handler.patch
new file mode 100644
index 00000000000..946527e54d2
--- /dev/null
+++ b/queue-5.15/net-fix-use-after-free-in-tw_timer_handler.patch
@@ -0,0 +1,85 @@ +From e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0 Mon Sep 17 00:00:00 2001 +From: Muchun Song +Date: Tue, 28 Dec 2021 18:41:45 +0800 +Subject: net: fix use-after-free in tw_timer_handler + +From: Muchun Song + +commit e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0 upstream. + +A real world panic issue was found as follow in Linux 5.4. + + BUG: unable to handle page fault for address: ffffde49a863de28 + PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0 + RIP: 0010:tw_timer_handler+0x20/0x40 + Call Trace: + + call_timer_fn+0x2b/0x120 + run_timer_softirq+0x1ef/0x450 + __do_softirq+0x10d/0x2b8 + irq_exit+0xc7/0xd0 + smp_apic_timer_interrupt+0x68/0x120 + apic_timer_interrupt+0xf/0x20 + +This issue was also reported since 2017 in the thread [1], +unfortunately, the issue was still can be reproduced after fixing +DCCP. + +The ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net +namespace is destroyed since tcp_sk_ops is registered befrore +ipv4_mib_ops, which means tcp_sk_ops is in the front of ipv4_mib_ops +in the list of pernet_list. There will be a use-after-free on +net->mib.net_statistics in tw_timer_handler after ipv4_mib_exit_net +if there are some inflight time-wait timers. + +This bug is not introduced by commit f2bf415cfed7 ("mib: add net to +NET_ADD_STATS_BH") since the net_statistics is a global variable +instead of dynamic allocation and freeing. Actually, commit +61a7e26028b9 ("mib: put net statistics on struct net") introduces +the bug since it put net statistics on struct net and free it when +net namespace is destroyed. + +Moving init_ipv4_mibs() to the front of tcp_init() to fix this bug +and replace pr_crit() with panic() since continuing is meaningless +when init_ipv4_mibs() fails. 
+ +[1] https://groups.google.com/g/syzkaller/c/p1tn-_Kc6l4/m/smuL_FMAAgAJ?pli=1 + +Fixes: 61a7e26028b9 ("mib: put net statistics on struct net") +Signed-off-by: Muchun Song +Cc: Cong Wang +Cc: Fam Zheng +Cc: +Link: https://lore.kernel.org/r/20211228104145.9426-1-songmuchun@bytedance.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/af_inet.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -2004,6 +2004,10 @@ static int __init inet_init(void) + + ip_init(); + ++ /* Initialise per-cpu ipv4 mibs */ ++ if (init_ipv4_mibs()) ++ panic("%s: Cannot init ipv4 mibs\n", __func__); ++ + /* Setup TCP slab cache for open requests. */ + tcp_init(); + +@@ -2034,12 +2038,6 @@ static int __init inet_init(void) + + if (init_inet_pernet_ops()) + pr_crit("%s: Cannot init ipv4 inet pernet ops\n", __func__); +- /* +- * Initialise per-cpu ipv4 mibs +- */ +- +- if (init_ipv4_mibs()) +- pr_crit("%s: Cannot init ipv4 mibs\n", __func__); + + ipv4_proc_init(); + diff --git a/queue-5.15/nitro_enclaves-use-get_user_pages_unlocked-call-to-handle-mmap-assert.patch b/queue-5.15/nitro_enclaves-use-get_user_pages_unlocked-call-to-handle-mmap-assert.patch new file mode 100644 index 00000000000..9f28a598fff --- /dev/null +++ b/queue-5.15/nitro_enclaves-use-get_user_pages_unlocked-call-to-handle-mmap-assert.patch 
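Review bot: The new position of `init_ipv4_mibs()` is load-bearing, since it must precede `tcp_init()` so that ipv4_mib_ops registers after tcp_sk_ops and is torn down after it, but the moved comment `/* Initialise per-cpu ipv4 mibs */` does not say so and nothing stops someone reordering it again. I'd extend it: `/* Must precede tcp_init(): pernet exit runs in reverse registration order, and in-flight time-wait timers still touch net->mib after ipv4_mib_exit_net() otherwise. */`. The `if (init_inet_pernet_ops()) pr_crit(...)` a few lines below is now the odd one out next to the new `panic()`; whether continuing is meaningful there is a question outside this hunk. inet_init() starts and ends outside the hunk.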
@@ -0,0 +1,64 @@ +From 3a0152b219523227c2a62a0a122cf99608287176 Mon Sep 17 00:00:00 2001 +From: Andra Paraschiv +Date: Mon, 20 Dec 2021 19:58:56 +0000 +Subject: nitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert + +From: Andra Paraschiv + +commit 3a0152b219523227c2a62a0a122cf99608287176 upstream. + +After commit 5b78ed24e8ec ("mm/pagemap: add mmap_assert_locked() +annotations to find_vma*()"), the call to get_user_pages() will trigger +the mmap assert. + +static inline void mmap_assert_locked(struct mm_struct *mm) +{ + lockdep_assert_held(&mm->mmap_lock); + VM_BUG_ON_MM(!rwsem_is_locked(&mm->mmap_lock), mm); +} + +[ 62.521410] kernel BUG at include/linux/mmap_lock.h:156! +........................................................... +[ 62.538938] RIP: 0010:find_vma+0x32/0x80 +........................................................... +[ 62.605889] Call Trace: +[ 62.608502] +[ 62.610956] ? lock_timer_base+0x61/0x80 +[ 62.614106] find_extend_vma+0x19/0x80 +[ 62.617195] __get_user_pages+0x9b/0x6a0 +[ 62.620356] __gup_longterm_locked+0x42d/0x450 +[ 62.623721] ? finish_wait+0x41/0x80 +[ 62.626748] ? __kmalloc+0x178/0x2f0 +[ 62.629768] ne_set_user_memory_region_ioctl.isra.0+0x225/0x6a0 [nitro_enclaves] +[ 62.635776] ne_enclave_ioctl+0x1cf/0x6d7 [nitro_enclaves] +[ 62.639541] __x64_sys_ioctl+0x82/0xb0 +[ 62.642620] do_syscall_64+0x3b/0x90 +[ 62.645642] entry_SYSCALL_64_after_hwframe+0x44/0xae + +Use get_user_pages_unlocked() when setting the enclave memory regions. +That's a similar pattern as mmap_read_lock() used together with +get_user_pages(). 
+ +Fixes: 5b78ed24e8ec ("mm/pagemap: add mmap_assert_locked() annotations to find_vma*()") +Cc: stable@vger.kernel.org +Signed-off-by: Andra Paraschiv +Link: https://lore.kernel.org/r/20211220195856.6549-1-andraprs@amazon.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/virt/nitro_enclaves/ne_misc_dev.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/virt/nitro_enclaves/ne_misc_dev.c ++++ b/drivers/virt/nitro_enclaves/ne_misc_dev.c +@@ -886,8 +886,9 @@ static int ne_set_user_memory_region_ioc + goto put_pages; + } + +- gup_rc = get_user_pages(mem_region.userspace_addr + memory_size, 1, FOLL_GET, +- ne_mem_region->pages + i, NULL); ++ gup_rc = get_user_pages_unlocked(mem_region.userspace_addr + memory_size, 1, ++ ne_mem_region->pages + i, FOLL_GET); ++ + if (gup_rc < 0) { + rc = gup_rc; + diff --git a/queue-5.15/perf-intel-pt-fix-parsing-of-vm-time-correlation-arguments.patch b/queue-5.15/perf-intel-pt-fix-parsing-of-vm-time-correlation-arguments.patch new file mode 100644 index 00000000000..8ee39a49154 --- /dev/null +++ b/queue-5.15/perf-intel-pt-fix-parsing-of-vm-time-correlation-arguments.patch 
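Review bot: The switch to `get_user_pages_unlocked()` is right, but the reason, that the callee takes and drops mmap_lock itself while find_vma() now asserts the lock is held, lives only in the commit message, and a one-line comment would stop a later revert to `get_user_pages()` at a lockless call site: `/* takes and drops mmap_lock itself; find_vma() asserts the lock is held */`. The added empty line after the call (the `+` with nothing on it) looks accidental. ne_set_user_memory_region_ioctl() starts and ends outside the hunk.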
@@ -0,0 +1,53 @@ +From a78abde220243d6f44a265fe36c49957f6fa9851 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Wed, 15 Dec 2021 10:06:34 +0200 +Subject: perf intel-pt: Fix parsing of VM time correlation arguments + +From: Adrian Hunter + +commit a78abde220243d6f44a265fe36c49957f6fa9851 upstream. + +Parser did not take ':' into account. + +Example: + + Before: + + $ perf record -e intel_pt//u uname + Linux + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.026 MB perf.data ] + $ perf inject -i perf.data --vm-time-correlation="dry-run 123" + $ perf inject -i perf.data --vm-time-correlation="dry-run 123:456" + Failed to parse VM Time Correlation options + 0x620 [0x98]: failed to process type: 70 [Invalid argument] + $ + + After: + + $ perf inject -i perf.data --vm-time-correlation="dry-run 123:456" + $ + +Fixes: e3ff42bdebcfeb5f ("perf intel-pt: Parse VM Time Correlation options and set up decoding") +Signed-off-by: Adrian Hunter +Acked-by: Namhyung Kim +Cc: Jiri Olsa +Cc: Riccardo Mancini +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211215080636.149562-2-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/intel-pt.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/perf/util/intel-pt.c ++++ b/tools/perf/util/intel-pt.c +@@ -3540,6 +3540,7 @@ static int intel_pt_parse_vm_tm_corr_arg + *args = p; + return 0; + } ++ p += 1; + while (1) { + vmcs = strtoull(p, &p, 0); + if (errno) diff --git a/queue-5.15/perf-script-fix-cpu-filtering-of-a-script-s-switch-events.patch b/queue-5.15/perf-script-fix-cpu-filtering-of-a-script-s-switch-events.patch new file mode 100644 index 00000000000..becc6c68ab6 --- /dev/null +++ b/queue-5.15/perf-script-fix-cpu-filtering-of-a-script-s-switch-events.patch 
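Review bot: The added `p += 1;` skips one character without checking what it is; the hunk shows neither the test that reaches this point nor that `*p == ':'` is guaranteed there. If the preceding code already established that (the commit message says the parser did not account for ':'), a comment should say so: `p += 1; /* skip the ':' separating the tsc offset from the vmcs list */`; otherwise `if (*p == ':') p++;` is safer, since stepping over a terminating NUL would let the following `strtoull(p, &p, 0)` read beyond the argument string. intel_pt_parse_vm_tm_corr_arg() starts outside the hunk.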
@@ -0,0 +1,35 @@ +From 5e0c325cdb714409a5b242c9e73a1b61157abb36 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Wed, 15 Dec 2021 10:06:35 +0200 +Subject: perf script: Fix CPU filtering of a script's switch events + +From: Adrian Hunter + +commit 5e0c325cdb714409a5b242c9e73a1b61157abb36 upstream. + +CPU filtering was not being applied to a script's switch events. + +Fixes: 5bf83c29a0ad2e78 ("perf script: Add scripting operation process_switch()") +Signed-off-by: Adrian Hunter +Acked-by: Namhyung Kim +Cc: Jiri Olsa +Cc: Riccardo Mancini +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211215080636.149562-3-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-script.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/builtin-script.c ++++ b/tools/perf/builtin-script.c +@@ -2463,7 +2463,7 @@ static int process_switch_event(struct p + if (perf_event__process_switch(tool, event, sample, machine) < 0) + return -1; + +- if (scripting_ops && scripting_ops->process_switch) ++ if (scripting_ops && scripting_ops->process_switch && !filter_cpu(sample)) + scripting_ops->process_switch(event, sample, machine); + + if (!script->show_switch_events) diff --git a/queue-5.15/perf-scripts-python-intel-pt-events.py-fix-printing-of-switch-events.patch b/queue-5.15/perf-scripts-python-intel-pt-events.py-fix-printing-of-switch-events.patch new file mode 100644 index 00000000000..ebdc5ea1a72 --- /dev/null +++ b/queue-5.15/perf-scripts-python-intel-pt-events.py-fix-printing-of-switch-events.patch 
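Review bot: The ordering in the new condition deserves a comment: `perf_event__process_switch()` still runs for every CPU and only the scripting callback is gated by `!filter_cpu(sample)`, which is presumably deliberate (state bookkeeping must see all switches) but reads like an omission next to the new check. `/* bookkeeping runs for all CPUs; only script output honours the CPU filter */` above the call would settle it. process_switch_event() starts and ends outside the hunk.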
@@ -0,0 +1,92 @@ +From 0f80bfbf4919e32f52fe1312c3900ff4fbb7eeb9 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Wed, 15 Dec 2021 10:06:36 +0200 +Subject: perf scripts python: intel-pt-events.py: Fix printing of switch events + +From: Adrian Hunter + +commit 0f80bfbf4919e32f52fe1312c3900ff4fbb7eeb9 upstream. + +The intel-pt-events.py script displays only the last of consecutive switch +statements but that may not be the last switch event for the CPU. Fix by +keeping a dictionary of last context switch keyed by CPU, and make it +possible to see all switch events by adding option --all-switch-events. + +Fixes: a92bf335fd82eeee ("perf scripts python: intel-pt-events.py: Add branches to script") +Signed-off-by: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Riccardo Mancini +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211215080636.149562-4-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/scripts/python/intel-pt-events.py | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +--- a/tools/perf/scripts/python/intel-pt-events.py ++++ b/tools/perf/scripts/python/intel-pt-events.py +@@ -32,8 +32,7 @@ try: + except: + broken_pipe_exception = IOError + +-glb_switch_str = None +-glb_switch_printed = True ++glb_switch_str = {} + glb_insn = False + glb_disassembler = None + glb_src = False +@@ -70,6 +69,7 @@ def trace_begin(): + ap = argparse.ArgumentParser(usage = "", add_help = False) + ap.add_argument("--insn-trace", action='store_true') + ap.add_argument("--src-trace", action='store_true') ++ ap.add_argument("--all-switch-events", action='store_true') + global glb_args + global glb_insn + global glb_src +@@ -256,10 +256,6 @@ def print_srccode(comm, param_dict, samp + print(start_str, src_str) + + def do_process_event(param_dict): +- global glb_switch_printed +- if not glb_switch_printed: +- print(glb_switch_str) +- glb_switch_printed = True + event_attr 
= param_dict["attr"] + sample = param_dict["sample"] + raw_buf = param_dict["raw_buf"] +@@ -274,6 +270,11 @@ def do_process_event(param_dict): + dso = get_optional(param_dict, "dso") + symbol = get_optional(param_dict, "symbol") + ++ cpu = sample["cpu"] ++ if cpu in glb_switch_str: ++ print(glb_switch_str[cpu]) ++ del glb_switch_str[cpu] ++ + if name[0:12] == "instructions": + if glb_src: + print_srccode(comm, param_dict, sample, symbol, dso, True) +@@ -336,8 +337,6 @@ def auxtrace_error(typ, code, cpu, pid, + sys.exit(1) + + def context_switch(ts, cpu, pid, tid, np_pid, np_tid, machine_pid, out, out_preempt, *x): +- global glb_switch_printed +- global glb_switch_str + if out: + out_str = "Switch out " + else: +@@ -350,6 +349,10 @@ def context_switch(ts, cpu, pid, tid, np + machine_str = "" + else: + machine_str = "machine PID %d" % machine_pid +- glb_switch_str = "%16s %5d/%-5d [%03u] %9u.%09u %5d/%-5d %s %s" % \ ++ switch_str = "%16s %5d/%-5d [%03u] %9u.%09u %5d/%-5d %s %s" % \ + (out_str, pid, tid, cpu, ts / 1000000000, ts %1000000000, np_pid, np_tid, machine_str, preempt_str) +- glb_switch_printed = False ++ if glb_args.all_switch_events: ++ print(switch_str); ++ else: ++ global glb_switch_str ++ glb_switch_str[cpu] = switch_str diff --git a/queue-5.15/scsi-vmw_pvscsi-set-residual-data-length-conditionally.patch b/queue-5.15/scsi-vmw_pvscsi-set-residual-data-length-conditionally.patch new file mode 100644 index 00000000000..4e963459ecc --- /dev/null +++ b/queue-5.15/scsi-vmw_pvscsi-set-residual-data-length-conditionally.patch 
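Review bot: `print(switch_str);` in context_switch() has a stray trailing semicolon, and the `global glb_switch_str` declaration sits inside the `else:` branch; since the function only does item assignment on the dict (`glb_switch_str[cpu] = switch_str`) and never rebinds the name, the `global` is unnecessary and the branch can be just `glb_switch_str[cpu] = switch_str`. In do_process_event() the new `cpu = sample["cpu"]` / print / `del` sequence would read better with a short comment, `# flush the switch event pending for this CPU before its first sample`. The tail of context_switch() may continue past the hunk.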
@@ -0,0 +1,69 @@ +From 142c779d05d1fef75134c3cb63f52ccbc96d9e1f Mon Sep 17 00:00:00 2001 +From: Alexey Makhalov +Date: Mon, 20 Dec 2021 11:05:14 -0800 +Subject: scsi: vmw_pvscsi: Set residual data length conditionally + +From: Alexey Makhalov + +commit 142c779d05d1fef75134c3cb63f52ccbc96d9e1f upstream. + +The PVSCSI implementation in the VMware hypervisor under specific +configuration ("SCSI Bus Sharing" set to "Physical") returns zero dataLen +in the completion descriptor for READ CAPACITY(16). As a result, the kernel +can not detect proper disk geometry. This can be recognized by the kernel +message: + + [ 0.776588] sd 1:0:0:0: [sdb] Sector size 0 reported, assuming 512. + +The PVSCSI implementation in QEMU does not set dataLen at all, keeping it +zeroed. This leads to a boot hang as was reported by Shmulik Ladkani. + +It is likely that the controller returns the garbage at the end of the +buffer. Residual length should be set by the driver in that case. The SCSI +layer will erase corresponding data. See commit bdb2b8cab439 ("[SCSI] erase +invalid data returned by device") for details. + +Commit e662502b3a78 ("scsi: vmw_pvscsi: Set correct residual data length") +introduced the issue by setting residual length unconditionally, causing +the SCSI layer to erase the useful payload beyond dataLen when this value +is returned as 0. + +As a result, considering existing issues in implementations of PVSCSI +controllers, we do not want to call scsi_set_resid() when dataLen == +0. Calling scsi_set_resid() has no effect if dataLen equals buffer length. + +Link: https://lore.kernel.org/lkml/20210824120028.30d9c071@blondie/ +Link: https://lore.kernel.org/r/20211220190514.55935-1-amakhalov@vmware.com +Fixes: e662502b3a78 ("scsi: vmw_pvscsi: Set correct residual data length") +Cc: Matt Wang +Cc: Martin K. Petersen +Cc: Vishal Bhakta +Cc: VMware PV-Drivers +Cc: James E.J. 
Bottomley +Cc: linux-scsi@vger.kernel.org +Cc: stable@vger.kernel.org +Reported-and-suggested-by: Shmulik Ladkani +Signed-off-by: Alexey Makhalov +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/vmw_pvscsi.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/vmw_pvscsi.c ++++ b/drivers/scsi/vmw_pvscsi.c +@@ -586,9 +586,12 @@ static void pvscsi_complete_request(stru + * Commands like INQUIRY may transfer less data than + * requested by the initiator via bufflen. Set residual + * count to make upper layer aware of the actual amount +- * of data returned. ++ * of data returned. There are cases when controller ++ * returns zero dataLen with non zero data - do not set ++ * residual count in that case. + */ +- scsi_set_resid(cmd, scsi_bufflen(cmd) - e->dataLen); ++ if (e->dataLen && (e->dataLen < scsi_bufflen(cmd))) ++ scsi_set_resid(cmd, scsi_bufflen(cmd) - e->dataLen); + cmd->result = (DID_OK << 16); + break; + diff --git a/queue-5.15/series b/queue-5.15/series index 97c235c927e..af3242913cf 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
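Review bot: The new condition changes what the kernel trusts: when the controller reports `dataLen == 0`, no residual is set, so the SCSI layer no longer blanks the part of the buffer the device did not fill (the behaviour bdb2b8cab439 was added for) and whatever the hypervisor or emulator left there is passed up as data. That is a deliberate trade-off for buggy PVSCSI implementations, but the comment should name what is given up, e.g. append `Skipping the residual means unfilled buffer bytes are passed up unerased.` to the existing comment. The `e->dataLen < scsi_bufflen(cmd)` half is harmless since, as the message says, a zero residual would be a no-op anyway. pvscsi_complete_request() starts and ends outside the hunk.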
@@ -55,3 +55,19 @@ drm-nouveau-wait-for-the-exclusive-fence-after-the-shared-ones-v2.patch drm-amdgpu-when-the-vcn-1.0-block-is-suspended-powergating-is-explicitly-enabled.patch drm-amdgpu-add-support-for-ip-discovery-gc_info-table-v2.patch drm-amd-display-changed-pipe-split-policy-to-allow-for-multi-display-pipe-split.patch +xhci-fresco-fl1100-controller-should-not-have-broken_msi-quirk-set.patch +usb-gadget-f_fs-clear-ffs_eventfd-in-ffs_data_clear.patch +usb-mtu3-add-memory-barrier-before-set-gpd-s-hwo.patch +usb-mtu3-fix-list_head-check-warning.patch +usb-mtu3-set-interval-of-fs-intr-and-isoc-endpoint.patch +nitro_enclaves-use-get_user_pages_unlocked-call-to-handle-mmap-assert.patch +binder-fix-async_free_space-accounting-for-empty-parcels.patch +scsi-vmw_pvscsi-set-residual-data-length-conditionally.patch +input-appletouch-initialize-work-before-device-registration.patch +input-spaceball-fix-parsing-of-movement-data-packets.patch +mm-damon-dbgfs-fix-struct-pid-leaks-in-dbgfs_target_ids_write.patch +net-fix-use-after-free-in-tw_timer_handler.patch +fs-mount_setattr-always-cleanup-mount_kattr.patch +perf-intel-pt-fix-parsing-of-vm-time-correlation-arguments.patch +perf-script-fix-cpu-filtering-of-a-script-s-switch-events.patch +perf-scripts-python-intel-pt-events.py-fix-printing-of-switch-events.patch diff --git a/queue-5.15/usb-gadget-f_fs-clear-ffs_eventfd-in-ffs_data_clear.patch b/queue-5.15/usb-gadget-f_fs-clear-ffs_eventfd-in-ffs_data_clear.patch new file mode 100644 index 00000000000..493cce4612f --- /dev/null +++ b/queue-5.15/usb-gadget-f_fs-clear-ffs_eventfd-in-ffs_data_clear.patch 
@@ -0,0 +1,115 @@
+From b1e0887379422975f237d43d8839b751a6bcf154 Mon Sep 17 00:00:00 2001
+From: Vincent Pelletier
+Date: Sat, 18 Dec 2021 02:18:40 +0000
+Subject: usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
+
+From: Vincent Pelletier
+
+commit b1e0887379422975f237d43d8839b751a6bcf154 upstream.
+
+ffs_data_clear is indirectly called from both ffs_fs_kill_sb and
+ffs_ep0_release, so it ends up being called twice when userland closes ep0
+and then unmounts f_fs.
+If userland provided an eventfd along with function's USB descriptors, it
+ends up calling eventfd_ctx_put as many times, causing a refcount
+underflow.
+NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.
+
+Also, set epfiles to NULL right after de-allocating it, for readability.
+
+For completeness, ffs_data_clear actually ends up being called thrice, the
+last call being before the whole ffs structure gets freed, so when this
+specific sequence happens there is a second underflow happening (but not
+being reported):
+
+/sys/kernel/debug/tracing# modprobe usb_f_fs
+/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter
+/sys/kernel/debug/tracing# echo function > current_tracer
+/sys/kernel/debug/tracing# echo 1 > tracing_on
+(setup gadget, run and kill function userland process, teardown gadget)
+/sys/kernel/debug/tracing# echo 0 > tracing_on
+/sys/kernel/debug/tracing# cat trace
+ smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed
+ smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed
+ smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_put
+
+Warning output corresponding to above trace:
+[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c
+[ 1946.293094] refcount_t: underflow; use-after-free.
+[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)
+[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1
+[ 1946.417950] Hardware name: BCM2835
+[ 1946.425442] Backtrace:
+[ 1946.432048] [] (dump_backtrace) from [] (show_stack+0x20/0x24)
+[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c
+[ 1946.458412] [] (show_stack) from [] (dump_stack+0x28/0x30)
+[ 1946.470380] [] (dump_stack) from [] (__warn+0xe8/0x154)
+[ 1946.482067] r5:c04a948c r4:c0a71dc8
+[ 1946.490184] [] (__warn) from [] (warn_slowpath_fmt+0xa0/0xe4)
+[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04
+[ 1946.517070] [] (warn_slowpath_fmt) from [] (refcount_warn_saturate+0x110/0x15c)
+[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0
+[ 1946.546708] [] (refcount_warn_saturate) from [] (eventfd_ctx_put+0x48/0x74)
+[ 1946.564476] [] (eventfd_ctx_put) from [] (ffs_data_clear+0xd0/0x118 [usb_f_fs])
+[ 1946.582664] r5:c3b84c00 r4:c2695b00
+[ 1946.590668] [] (ffs_data_clear [usb_f_fs]) from [] (ffs_data_closed+0x9c/0x150 [usb_f_fs])
+[ 1946.609608] r5:bf54d014 r4:c2695b00
+[ 1946.617522] [] (ffs_data_closed [usb_f_fs]) from [] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])
+[ 1946.636217] r7:c0dfcb84 r6:c3a12260 r5:bf54d014 r4:c229f000
+[ 1946.646273] [] (ffs_fs_kill_sb [usb_f_fs]) from [] (deactivate_locked_super+0x54/0x9c)
+[ 1946.664893] r5:bf54d014 r4:c229f000
+[ 1946.672921] [] (deactivate_locked_super) from [] (deactivate_super+0x60/0x64)
+[ 1946.690722] r5:c2a09000 r4:c229f000
+[ 1946.698706] [] (deactivate_super) from [] (cleanup_mnt+0xe4/0x14c)
+[ 1946.715553] r5:c2a09000 r4:00000000
+[ 1946.723528] [] (cleanup_mnt) from [] (__cleanup_mnt+0x1c/0x20)
+[ 1946.739922] r7:c0dfcb84 r6:c3a12260 r5:c3a126fc r4:00000000
+[ 1946.750088] [] (__cleanup_mnt) from [] (task_work_run+0x84/0xb8)
+[ 1946.766602] [] (task_work_run) from [] (do_work_pending+0x470/0x56c)
+[ 1946.783540] r7:5ac3c35a r6:c0d0424c r5:c200bfb0 r4:c200a000
+[ 1946.793614] [] (do_work_pending) from [] (slow_work_pending+0xc/0x20)
+[ 1946.810553] Exception stack(0xc200bfb0 to 0xc200bff8)
+[ 1946.820129] bfa0: 00000000 00000000 000000aa b5e21430
+[ 1946.837104] bfc0: bef867a0 00000001 bef86840 00000034 bef86838 bef86790 bef86794 bef867a0
+[ 1946.854125] bfe0: 00000000 bef86798 b67b7a1c b6d626a4 60000010 b5a23760
+[ 1946.865335] r10:00000000 r9:c200a000 r8:c0100224 r7:00000034 r6:bef86840 r5:00000001
+[ 1946.881914] r4:bef867a0
+[ 1946.888793] ---[ end trace 7387f2a9725b28d0 ]---
+
+Fixes: 5e33f6fdf735 ("usb: gadget: ffs: add eventfd notification about ffs events")
+Cc: stable
+Signed-off-by: Vincent Pelletier
+Link: https://lore.kernel.org/r/f79eeea29f3f98de6782a064ec0f7351ad2f598f.1639793920.git.plr.vincent@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_fs.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1773,11 +1773,15 @@ static void ffs_data_clear(struct ffs_da
+ 
+ BUG_ON(ffs->gadget);
+ 
+- if (ffs->epfiles)
++ if (ffs->epfiles) {
+ ffs_epfiles_destroy(ffs->epfiles, ffs->eps_count);
++ ffs->epfiles = NULL;
++ }
+ 
+- if (ffs->ffs_eventfd)
++ if (ffs->ffs_eventfd) {
+ eventfd_ctx_put(ffs->ffs_eventfd);
++ ffs->ffs_eventfd = NULL;
++ }
+ 
+ kfree(ffs->raw_descs_data);
+ kfree(ffs->raw_strings);
+@@ -1790,7 +1794,6 @@ static void ffs_data_reset(struct ffs_da
+ 
+ ffs_data_clear(ffs);
+ 
+- ffs->epfiles = NULL;
+ ffs->raw_descs_data = NULL;
+ ffs->raw_descs = NULL;
+ ffs->raw_strings = NULL;
diff --git a/queue-5.15/usb-mtu3-add-memory-barrier-before-set-gpd-s-hwo.patch b/queue-5.15/usb-mtu3-add-memory-barrier-before-set-gpd-s-hwo.patch
new file mode 100644
index 00000000000..266288d1f96
--- /dev/null
+++ b/queue-5.15/usb-mtu3-add-memory-barrier-before-set-gpd-s-hwo.patch
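Review bot: ffs_data_clear still frees raw_descs_data and raw_strings without clearing them (the two `kfree()` lines at the end of the first hunk) and relies on ffs_data_reset, in the second hunk, to NULL them afterwards, so after this patch the function is safe to re-enter only for the two fields it now resets, even though the commit message says it can run up to three times. Placing `ffs->raw_descs_data = NULL;` and `ffs->raw_strings = NULL;` directly after their `kfree()` calls in ffs_data_clear would make a repeated call harmless for every pointer it frees, in the same way the eventfd is handled here, rather than depending on which caller reached it. Whether any path invokes ffs_data_clear twice without going through ffs_data_reset is not visible in this hunk, so this is defence in depth rather than a known double free. ffs_data_clear continues past the end of the first hunk.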
@@ -0,0 +1,55 @@
+From a7aae769ca626819a7f9f078ebdc69a8a1b00c81 Mon Sep 17 00:00:00 2001
+From: Chunfeng Yun
+Date: Sat, 18 Dec 2021 17:57:47 +0800
+Subject: usb: mtu3: add memory barrier before set GPD's HWO
+
+From: Chunfeng Yun
+
+commit a7aae769ca626819a7f9f078ebdc69a8a1b00c81 upstream.
+
+There is a seldom issue that the controller access invalid address
+and trigger devapc or emimpu violation. That is due to memory access
+is out of order and cause gpd data is not correct.
+Add mb() to prohibit compiler or cpu from reordering to make sure GPD
+is fully written before setting its HWO.
+
+Fixes: 48e0d3735aa5 ("usb: mtu3: supports new QMU format")
+Cc: stable@vger.kernel.org
+Reported-by: Eddie Hung
+Signed-off-by: Chunfeng Yun
+Link: https://lore.kernel.org/r/20211218095749.6250-2-chunfeng.yun@mediatek.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/mtu3/mtu3_qmu.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/mtu3/mtu3_qmu.c
++++ b/drivers/usb/mtu3/mtu3_qmu.c
+@@ -273,6 +273,8 @@ static int mtu3_prepare_tx_gpd(struct mt
+ gpd->dw3_info |= cpu_to_le32(GPD_EXT_FLAG_ZLP);
+ }
+ 
++ /* prevent reorder, make sure GPD's HWO is set last */
++ mb();
+ gpd->dw0_info |= cpu_to_le32(GPD_FLAGS_IOC | GPD_FLAGS_HWO);
+ 
+ mreq->gpd = gpd;
+@@ -306,6 +308,8 @@ static int mtu3_prepare_rx_gpd(struct mt
+ gpd->next_gpd = cpu_to_le32(lower_32_bits(enq_dma));
+ ext_addr |= GPD_EXT_NGP(mtu, upper_32_bits(enq_dma));
+ gpd->dw3_info = cpu_to_le32(ext_addr);
++ /* prevent reorder, make sure GPD's HWO is set last */
++ mb();
+ gpd->dw0_info |= cpu_to_le32(GPD_FLAGS_IOC | GPD_FLAGS_HWO);
+ 
+ mreq->gpd = gpd;
+@@ -445,7 +449,8 @@ static void qmu_tx_zlp_error_handler(str
+ return;
+ }
+ mtu3_setbits(mbase, MU3D_EP_TXCR0(mep->epnum), TX_TXPKTRDY);
+-
++ /* prevent reorder, make sure GPD's HWO is set last */
++ mb();
+ /* by pass the current GDP */
+ gpd_current->dw0_info |= cpu_to_le32(GPD_FLAGS_BPS | GPD_FLAGS_HWO);
+ 
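Review bot: The third `mb()` in qmu_tx_zlp_error_handler is placed between an MMIO register write (`mtu3_setbits(mbase, MU3D_EP_TXCR0(mep->epnum), TX_TXPKTRDY)`) and the `GPD_FLAGS_BPS | GPD_FLAGS_HWO` store, with no GPD field written before it inside the hunk, so the copied comment `/* prevent reorder, make sure GPD's HWO is set last */` does not say what is actually being ordered at that site; a comment naming the real intent (the TXPKTRDY register write, or descriptor writes earlier in the function that are outside the hunk) would make the barrier reviewable. For the two prepare paths, if the GPD ring is in coherent DMA memory, `dma_wmb()` is the documented primitive for ordering descriptor writes before the device-visible ownership flag and is lighter than a full `mb()`; `mb()` is not wrong, so this is worth one sentence in the comment or commit message explaining why the stronger barrier was chosen. All three functions begin and end outside their hunks.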
diff --git a/queue-5.15/usb-mtu3-fix-list_head-check-warning.patch b/queue-5.15/usb-mtu3-fix-list_head-check-warning.patch
new file mode 100644
index 00000000000..774ca2fa518
--- /dev/null
+++ b/queue-5.15/usb-mtu3-fix-list_head-check-warning.patch
@@ -0,0 +1,47 @@
+From 8c313e3bfd9adae8d5c4ba1cc696dcbc86fbf9bf Mon Sep 17 00:00:00 2001
+From: Chunfeng Yun
+Date: Sat, 18 Dec 2021 17:57:48 +0800
+Subject: usb: mtu3: fix list_head check warning
+
+From: Chunfeng Yun
+
+commit 8c313e3bfd9adae8d5c4ba1cc696dcbc86fbf9bf upstream.
+
+This is caused by uninitialization of list_head.
+
+BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4
+
+Call trace:
+dump_backtrace+0x0/0x298
+show_stack+0x24/0x34
+dump_stack+0x130/0x1a8
+print_address_description+0x88/0x56c
+__kasan_report+0x1b8/0x2a0
+kasan_report+0x14/0x20
+__asan_load8+0x9c/0xa0
+__list_del_entry_valid+0x34/0xe4
+mtu3_req_complete+0x4c/0x300 [mtu3]
+mtu3_gadget_stop+0x168/0x448 [mtu3]
+usb_gadget_unregister_driver+0x204/0x3a0
+unregister_gadget_item+0x44/0xa4
+
+Fixes: 83374e035b62 ("usb: mtu3: add tracepoints to help debug")
+Cc: stable@vger.kernel.org
+Reported-by: Yuwen Ng
+Signed-off-by: Chunfeng Yun
+Link: https://lore.kernel.org/r/20211218095749.6250-3-chunfeng.yun@mediatek.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/mtu3/mtu3_gadget.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/mtu3/mtu3_gadget.c
++++ b/drivers/usb/mtu3/mtu3_gadget.c
+@@ -235,6 +235,7 @@ struct usb_request *mtu3_alloc_request(s
+ mreq->request.dma = DMA_ADDR_INVALID;
+ mreq->epnum = mep->epnum;
+ mreq->mep = mep;
++ INIT_LIST_HEAD(&mreq->list);
+ trace_mtu3_alloc_request(mreq);
+ 
+ return &mreq->request;
diff --git a/queue-5.15/usb-mtu3-set-interval-of-fs-intr-and-isoc-endpoint.patch b/queue-5.15/usb-mtu3-set-interval-of-fs-intr-and-isoc-endpoint.patch
new file mode 100644
index 00000000000..666c60204fc
--- /dev/null
+++ b/queue-5.15/usb-mtu3-set-interval-of-fs-intr-and-isoc-endpoint.patch
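Review bot: The new `INIT_LIST_HEAD(&mreq->list)` makes a `list_del()` on a request that was never queued well-defined once, which is the mtu3_req_complete ← mtu3_gadget_stop path in the reported trace, but a request object is reused across queue/complete cycles and a plain `list_del()` poisons the node, so if mtu3_req_complete (outside this hunk) uses `list_del()` rather than `list_del_init()`, completing the same never-requeued request a second time would trip `__list_del_entry_valid` again; that is an inference from the trace, not from visible code, and is worth checking. A one-line comment on the added line, e.g. `/* gadget_stop may complete a request that was never queued */`, would record why the init is required instead of leaving the reason to the Fixes tag. mtu3_alloc_request starts before the hunk.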
@@ -0,0 +1,36 @@
+From 43f3b8cbcf93da7c2755af4a543280c31f4adf16 Mon Sep 17 00:00:00 2001
+From: Chunfeng Yun
+Date: Sat, 18 Dec 2021 17:57:49 +0800
+Subject: usb: mtu3: set interval of FS intr and isoc endpoint
+
+From: Chunfeng Yun
+
+commit 43f3b8cbcf93da7c2755af4a543280c31f4adf16 upstream.
+
+Add support to set interval also for FS intr and isoc endpoint.
+
+Fixes: 4d79e042ed8b ("usb: mtu3: add support for usb3.1 IP")
+Cc: stable@vger.kernel.org
+Signed-off-by: Chunfeng Yun
+Link: https://lore.kernel.org/r/20211218095749.6250-4-chunfeng.yun@mediatek.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/mtu3/mtu3_gadget.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/mtu3/mtu3_gadget.c
++++ b/drivers/usb/mtu3/mtu3_gadget.c
+@@ -93,6 +93,13 @@ static int mtu3_ep_enable(struct mtu3_ep
+ mult = usb_endpoint_maxp_mult(desc) - 1;
+ }
+ break;
++ case USB_SPEED_FULL:
++ if (usb_endpoint_xfer_isoc(desc))
++ interval = clamp_val(desc->bInterval, 1, 16);
++ else if (usb_endpoint_xfer_int(desc))
++ interval = clamp_val(desc->bInterval, 1, 255);
++
++ break;
+ default:
+ break; /*others are ignored */
+ }
diff --git a/queue-5.15/xhci-fresco-fl1100-controller-should-not-have-broken_msi-quirk-set.patch b/queue-5.15/xhci-fresco-fl1100-controller-should-not-have-broken_msi-quirk-set.patch
new file mode 100644
index 00000000000..126c90dc59b
--- /dev/null
+++ b/queue-5.15/xhci-fresco-fl1100-controller-should-not-have-broken_msi-quirk-set.patch
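Review bot: The new USB_SPEED_FULL case stores the raw `bInterval` for both branches, yet at full speed the USB 2.0 descriptor encodes the two differently — isochronous `bInterval` is an exponent (period 2^(bInterval-1) frames, which is why the clamp is 1..16) while interrupt `bInterval` is a plain frame count (1..255) — and nothing in the hunk shows whether the controller's interval register expects the exponent or the count, so a comment on each branch stating which encoding is written (e.g. `/* FS isoc: bInterval is an exponent, passed through as-is */`) would let a reader check it against the HS/SS handling above the hunk. `desc->bInterval` is supplied by the gadget's descriptors, so `clamp_val` is the only validation here; the lower bound of 1 is the one that matters, since 0 is not a valid value for either endpoint type. mtu3_ep_enable starts and ends outside the hunk.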
@@ -0,0 +1,50 @@
+From e4844092581ceec22489b66c42edc88bc6079783 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Tue, 21 Dec 2021 13:28:25 +0200
+Subject: xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set.
+
+From: Mathias Nyman
+
+commit e4844092581ceec22489b66c42edc88bc6079783 upstream.
+
+The Fresco Logic FL1100 controller needs the TRUST_TX_LENGTH quirk like
+other Fresco controllers, but should not have the BROKEN_MSI quirks set.
+
+BROKEN_MSI quirk causes issues in detecting usb drives connected to docks
+with this FL1100 controller.
+The BROKEN_MSI flag was apparently accidentally set together with the
+TRUST_TX_LENGTH quirk
+
+Original patch went to stable so this should go there as well.
+
+Fixes: ea0f69d82119 ("xhci: Enable trust tx length quirk for Fresco FL11 USB controller")
+Cc: stable@vger.kernel.org
+cc: Nikolay Martynov
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20211221112825.54690-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-pci.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -123,7 +123,6 @@ static void xhci_pci_quirks(struct devic
+ /* Look for vendor-specific quirks */
+ if (pdev->vendor == PCI_VENDOR_ID_FRESCO_LOGIC &&
+ (pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_PDK ||
+- pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1100 ||
+ pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1400)) {
+ if (pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_PDK &&
+ pdev->revision == 0x0) {
+@@ -158,6 +157,10 @@ static void xhci_pci_quirks(struct devic
+ pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1009)
+ xhci->quirks |= XHCI_BROKEN_STREAMS;
+ 
++ if (pdev->vendor == PCI_VENDOR_ID_FRESCO_LOGIC &&
++ pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1100)
++ xhci->quirks |= XHCI_TRUST_TX_LENGTH;
++
+ if (pdev->vendor == PCI_VENDOR_ID_NEC)
+ xhci->quirks |= XHCI_NEC_HOST;
+ 
-- 
2.47.3
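Review bot: The new FL1100 clause carries no explanation of why this device was pulled out of the combined PDK/FL1400 block in the first hunk, so a later reader tidying the vendor checks could fold it back in and reintroduce the BROKEN_MSI problem the commit message describes; a comment above the added `if`, e.g. `/* FL1100 needs TRUST_TX_LENGTH only; do not give it the BROKEN_MSI quirk of the block above */`, would pin the intent in the code. The clause also re-tests `pdev->vendor == PCI_VENDOR_ID_FRESCO_LOGIC` immediately after the FL1009 check that tests the same vendor, so the two could share one vendor test, which keeps the Fresco quirks grouped as the `/* Look for vendor-specific quirks */` comment suggests. xhci_pci_quirks continues outside both hunks.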