From 2650c0e73463f5fccb7fb3bc1b16b87ea2c7dca6 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 17 Jun 2024 11:13:39 +0200 Subject: [PATCH] 6.9-stable patches added patches: kcov-usb-disable-interrupts-in-kcov_remote_start_usb_softirq.patch landlock-fix-d_parent-walk.patch mei-me-release-irq-in-mei_me_pci_resume-error-path.patch mei-vsc-don-t-stop-restart-mei-device-during-system-suspend-resume.patch serial-8250_pxa-configure-tx_loadsz-to-match-fifo-irq-level.patch serial-port-don-t-block-system-suspend-even-if-bytes-are-left-to-xmit.patch tty-n_tty-fix-buffer-offsets-when-lookahead-is-used.patch usb-class-cdc-wdm-fix-cpu-lockup-caused-by-excessive-log-messages.patch usb-typec-tcpm-fix-use-after-free-case-in-tcpm_register_source_caps.patch usb-typec-tcpm-ignore-received-hard-reset-in-toggling-state.patch usb-xen-hcd-traverse-host-when-config_usb_xen_hcd-is-selected.patch --- ...pts-in-kcov_remote_start_usb_softirq.patch | 141 ++++++++++++++++++ queue-6.9/landlock-fix-d_parent-walk.patch | 64 ++++++++ ...-irq-in-mei_me_pci_resume-error-path.patch | 35 +++++ ...-device-during-system-suspend-resume.patch | 92 ++++++++++++ ...re-tx_loadsz-to-match-fifo-irq-level.patch | 35 +++++ ...spend-even-if-bytes-are-left-to-xmit.patch | 67 +++++++++ queue-6.9/series | 11 ++ ...uffer-offsets-when-lookahead-is-used.patch | 67 +++++++++ ...kup-caused-by-excessive-log-messages.patch | 78 ++++++++++ ...ee-case-in-tcpm_register_source_caps.patch | 48 ++++++ ...eceived-hard-reset-in-toggling-state.patch | 54 +++++++ ...-when-config_usb_xen_hcd-is-selected.patch | 33 ++++ 12 files changed, 725 insertions(+) create mode 100644 queue-6.9/kcov-usb-disable-interrupts-in-kcov_remote_start_usb_softirq.patch create mode 100644 queue-6.9/landlock-fix-d_parent-walk.patch create mode 100644 queue-6.9/mei-me-release-irq-in-mei_me_pci_resume-error-path.patch create mode 100644 queue-6.9/mei-vsc-don-t-stop-restart-mei-device-during-system-suspend-resume.patch create mode 100644 queue-6.9/serial-8250_pxa-configure-tx_loadsz-to-match-fifo-irq-level.patch create 
mode 100644 queue-6.9/serial-port-don-t-block-system-suspend-even-if-bytes-are-left-to-xmit.patch create mode 100644 queue-6.9/tty-n_tty-fix-buffer-offsets-when-lookahead-is-used.patch create mode 100644 queue-6.9/usb-class-cdc-wdm-fix-cpu-lockup-caused-by-excessive-log-messages.patch create mode 100644 queue-6.9/usb-typec-tcpm-fix-use-after-free-case-in-tcpm_register_source_caps.patch create mode 100644 queue-6.9/usb-typec-tcpm-ignore-received-hard-reset-in-toggling-state.patch create mode 100644 queue-6.9/usb-xen-hcd-traverse-host-when-config_usb_xen_hcd-is-selected.patch
diff --git a/queue-6.9/kcov-usb-disable-interrupts-in-kcov_remote_start_usb_softirq.patch b/queue-6.9/kcov-usb-disable-interrupts-in-kcov_remote_start_usb_softirq.patch
new file mode 100644
index 00000000000..615fe50e0a4
--- /dev/null
+++ b/queue-6.9/kcov-usb-disable-interrupts-in-kcov_remote_start_usb_softirq.patch
@@ -0,0 +1,141 @@
+From f85d39dd7ed89ffdd622bc1de247ffba8d961504 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov
+Date: Mon, 27 May 2024 19:35:38 +0200
+Subject: kcov, usb: disable interrupts in kcov_remote_start_usb_softirq
+
+From: Andrey Konovalov
+
+commit f85d39dd7ed89ffdd622bc1de247ffba8d961504 upstream.
+
+After commit 8fea0c8fda30 ("usb: core: hcd: Convert from tasklet to BH
+workqueue"), usb_giveback_urb_bh() runs in the BH workqueue with
+interrupts enabled.
+
+Thus, the remote coverage collection section in usb_giveback_urb_bh()->
+__usb_hcd_giveback_urb() might be interrupted, and the interrupt handler
+might invoke __usb_hcd_giveback_urb() again.
+
+This breaks KCOV, as it does not support nested remote coverage collection
+sections within the same context (neither in task nor in softirq).
+
+Update kcov_remote_start/stop_usb_softirq() to disable interrupts for the
+duration of the coverage collection section to avoid nested sections in
+the softirq context (in addition to such in the task context, which are
+already handled).
+
+Reported-by: Tetsuo Handa
+Closes: https://lore.kernel.org/linux-usb/0f4d1964-7397-485b-bc48-11c01e2fcbca@I-love.SAKURA.ne.jp/
+Closes: https://syzkaller.appspot.com/bug?extid=0438378d6f157baae1a2
+Suggested-by: Alan Stern
+Fixes: 8fea0c8fda30 ("usb: core: hcd: Convert from tasklet to BH workqueue")
+Cc: stable@vger.kernel.org
+Acked-by: Dmitry Vyukov
+Signed-off-by: Andrey Konovalov
+Link: https://lore.kernel.org/r/20240527173538.4989-1-andrey.konovalov@linux.dev
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/core/hcd.c | 12 +++++++-----
+ include/linux/kcov.h | 47 ++++++++++++++++++++++++++++++++++++++---------
+ 2 files changed, 45 insertions(+), 14 deletions(-)
+
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -1623,6 +1623,7 @@ static void __usb_hcd_giveback_urb(struc
+ struct usb_hcd *hcd = bus_to_hcd(urb->dev->bus);
+ struct usb_anchor *anchor = urb->anchor;
+ int status = urb->unlinked;
++ unsigned long flags;
+
+ urb->hcpriv = NULL;
+ if (unlikely((urb->transfer_flags & URB_SHORT_NOT_OK) &&
+@@ -1640,13 +1641,14 @@ static void __usb_hcd_giveback_urb(struc
+ /* pass ownership to the completion handler */
+ urb->status = status;
+ /*
+- * This function can be called in task context inside another remote
+- * coverage collection section, but kcov doesn't support that kind of
+- * recursion yet. Only collect coverage in softirq context for now.
++ * Only collect coverage in the softirq context and disable interrupts
++ * to avoid scenarios with nested remote coverage collection sections
++ * that KCOV does not support.
++ * See the comment next to kcov_remote_start_usb_softirq() for details.
+ */
+- kcov_remote_start_usb_softirq((u64)urb->dev->bus->busnum);
++ flags = kcov_remote_start_usb_softirq((u64)urb->dev->bus->busnum);
+ urb->complete(urb);
+- kcov_remote_stop_softirq();
++ kcov_remote_stop_softirq(flags);
+
+ usb_anchor_resume_wakeups(anchor);
+ atomic_dec(&urb->use_count);
+--- a/include/linux/kcov.h
++++ b/include/linux/kcov.h
+@@ -55,21 +55,47 @@ static inline void kcov_remote_start_usb
+
+ /*
+ * The softirq flavor of kcov_remote_*() functions is introduced as a temporary
+- * work around for kcov's lack of nested remote coverage sections support in
+- * task context. Adding support for nested sections is tracked in:
+- * https://bugzilla.kernel.org/show_bug.cgi?id=210337
++ * workaround for KCOV's lack of nested remote coverage sections support.
++ *
++ * Adding support is tracked in https://bugzilla.kernel.org/show_bug.cgi?id=210337.
++ *
++ * kcov_remote_start_usb_softirq():
++ *
++ * 1. Only collects coverage when called in the softirq context. This allows
++ * avoiding nested remote coverage collection sections in the task context.
++ * For example, USB/IP calls usb_hcd_giveback_urb() in the task context
++ * within an existing remote coverage collection section. Thus, KCOV should
++ * not attempt to start collecting coverage within the coverage collection
++ * section in __usb_hcd_giveback_urb() in this case.
++ *
++ * 2. Disables interrupts for the duration of the coverage collection section.
++ * This allows avoiding nested remote coverage collection sections in the
++ * softirq context (a softirq might occur during the execution of a work in
++ * the BH workqueue, which runs with in_serving_softirq() > 0).
++ * For example, usb_giveback_urb_bh() runs in the BH workqueue with
++ * interrupts enabled, so __usb_hcd_giveback_urb() might be interrupted in
++ * the middle of its remote coverage collection section, and the interrupt
++ * handler might invoke __usb_hcd_giveback_urb() again.
+ */
+
+-static inline void kcov_remote_start_usb_softirq(u64 id)
++static inline unsigned long kcov_remote_start_usb_softirq(u64 id)
+ {
+- if (in_serving_softirq())
++ unsigned long flags = 0;
++
++ if (in_serving_softirq()) {
++ local_irq_save(flags);
+ kcov_remote_start_usb(id);
++ }
++
++ return flags;
+ }
+
+-static inline void kcov_remote_stop_softirq(void)
++static inline void kcov_remote_stop_softirq(unsigned long flags)
+ {
+- if (in_serving_softirq())
++ if (in_serving_softirq()) {
+ kcov_remote_stop();
++ local_irq_restore(flags);
++ }
+ }
+
+ #ifdef CONFIG_64BIT
+@@ -103,8 +129,11 @@ static inline u64 kcov_common_handle(voi
+ }
+ static inline void kcov_remote_start_common(u64 id) {}
+ static inline void kcov_remote_start_usb(u64 id) {}
+-static inline void kcov_remote_start_usb_softirq(u64 id) {}
+-static inline void kcov_remote_stop_softirq(void) {}
++static inline unsigned long kcov_remote_start_usb_softirq(u64 id)
++{
++ return 0;
++}
++static inline void kcov_remote_stop_softirq(unsigned long flags) {}
+
+ #endif /* CONFIG_KCOV */
+ #endif /* _LINUX_KCOV_H */
diff --git a/queue-6.9/landlock-fix-d_parent-walk.patch b/queue-6.9/landlock-fix-d_parent-walk.patch
new file mode 100644
index 00000000000..0d7bc643328
--- /dev/null
+++ b/queue-6.9/landlock-fix-d_parent-walk.patch
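Review bot: In the kcov.h part of this patch, `kcov_remote_stop_softirq(flags)` re-evaluates `in_serving_softirq()` rather than relying on anything recorded by the start call, so interrupts are only restored if both calls observe the same context, and the new header comment does not state that contract. I would add to the comment block a line such as `* The returned flags must be passed unchanged to kcov_remote_stop_softirq(), which must be called from the same context.` It is also worth one sentence there that, with CONFIG_KCOV enabled, the `urb->complete(urb)` call in `__usb_hcd_giveback_urb()` now runs with local interrupts disabled whenever it is reached in softirq context. The body of `__usb_hcd_giveback_urb()` starts and ends outside the quoted hunks.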
@@ -0,0 +1,64 @@
+From 88da52ccd66e65f2e63a6c35c9dff55d448ef4dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?=
+Date: Thu, 16 May 2024 20:19:34 +0200
+Subject: landlock: Fix d_parent walk
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün
+
+commit 88da52ccd66e65f2e63a6c35c9dff55d448ef4dc upstream.
+
+The WARN_ON_ONCE() in collect_domain_accesses() can be triggered when
+trying to link a root mount point. This cannot work in practice because
+this directory is mounted, but the VFS check is done after the call to
+security_path_link().
+
+Do not use source directory's d_parent when the source directory is the
+mount point.
+
+Cc: Günther Noack
+Cc: Paul Moore
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+bf4903dc7e12b18ebc87@syzkaller.appspotmail.com
+Fixes: b91c3e4ea756 ("landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER")
+Closes: https://lore.kernel.org/r/000000000000553d3f0618198200@google.com
+Link: https://lore.kernel.org/r/20240516181935.1645983-2-mic@digikod.net
+[mic: Fix commit message]
+Signed-off-by: Mickaël Salaün
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/landlock/fs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/security/landlock/fs.c
++++ b/security/landlock/fs.c
+@@ -950,6 +950,7 @@ static int current_check_refer_path(stru
+ bool allow_parent1, allow_parent2;
+ access_mask_t access_request_parent1, access_request_parent2;
+ struct path mnt_dir;
++ struct dentry *old_parent;
+ layer_mask_t layer_masks_parent1[LANDLOCK_NUM_ACCESS_FS] = {},
+ layer_masks_parent2[LANDLOCK_NUM_ACCESS_FS] = {};
+
+@@ -997,9 +998,17 @@ static int current_check_refer_path(stru
+ mnt_dir.mnt = new_dir->mnt;
+ mnt_dir.dentry = new_dir->mnt->mnt_root;
+
++ /*
++ * old_dentry may be the root of the common mount point and
++ * !IS_ROOT(old_dentry) at the same time (e.g. with open_tree() and
++ * OPEN_TREE_CLONE).
We do not need to call dget(old_parent) because
++ * we keep a reference to old_dentry.
++ */
++ old_parent = (old_dentry == mnt_dir.dentry) ? old_dentry :
++ old_dentry->d_parent;
++
+ /* new_dir->dentry is equal to new_dentry->d_parent */
+- allow_parent1 = collect_domain_accesses(dom, mnt_dir.dentry,
+- old_dentry->d_parent,
++ allow_parent1 = collect_domain_accesses(dom, mnt_dir.dentry, old_parent,
+ &layer_masks_parent1);
+ allow_parent2 = collect_domain_accesses(
+ dom, mnt_dir.dentry, new_dir->dentry, &layer_masks_parent2);
diff --git a/queue-6.9/mei-me-release-irq-in-mei_me_pci_resume-error-path.patch b/queue-6.9/mei-me-release-irq-in-mei_me_pci_resume-error-path.patch
new file mode 100644
index 00000000000..64f4918d3cb
--- /dev/null
+++ b/queue-6.9/mei-me-release-irq-in-mei_me_pci_resume-error-path.patch
@@ -0,0 +1,35 @@
+From 283cb234ef95d94c61f59e1cd070cd9499b51292 Mon Sep 17 00:00:00 2001
+From: Tomas Winkler
+Date: Tue, 4 Jun 2024 12:07:28 +0300
+Subject: mei: me: release irq in mei_me_pci_resume error path
+
+From: Tomas Winkler
+
+commit 283cb234ef95d94c61f59e1cd070cd9499b51292 upstream.
+
+The mei_me_pci_resume doesn't release irq on the error path,
+in case mei_start() fails.
+
+Cc:
+Fixes: 33ec08263147 ("mei: revamp mei reset state machine")
+Signed-off-by: Tomas Winkler
+Link: https://lore.kernel.org/r/20240604090728.1027307-1-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/mei/pci-me.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -385,8 +385,10 @@ static int mei_me_pci_resume(struct devi
+ }
+
+ err = mei_restart(dev);
+- if (err)
++ if (err) {
++ free_irq(pdev->irq, dev);
+ return err;
++ }
+
+ /* Start timer if stopped in suspend */
+ schedule_delayed_work(&dev->timer_work, HZ);
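Review bot: The new comment in `current_check_refer_path()` justifies skipping `dget()` but does not say what it means for the access check that `old_dentry` itself is passed as the starting dentry when it equals `mnt_dir.dentry`. Since this is an LSM decision path, I would spell that out, for example `/* A mount root has no parent inside this mount, so the walk starts and ends at old_dentry itself. */`, and confirm against `collect_domain_accesses()` (not visible here) that a start equal to the mount root still evaluates the rules tied to that dentry rather than none. No regression test is visible in this patch; a selftest that links a mount root under a Landlock domain would pin the WARN_ON_ONCE() case named in the description. The function body starts and ends outside the hunk.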
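Review bot: The added `free_irq(pdev->irq, dev)` in `mei_me_pci_resume()` reverts only the IRQ request when `mei_restart()` fails; anything else the resume path set up before that point stays in place on this early return. The start of the function is outside the hunk, so this is to be confirmed, but if resume enables MSI before requesting the IRQ, that step needs undoing here as well. A single cleanup label reached by `goto` from every failure after the request would keep later error paths from missing it.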
diff --git a/queue-6.9/mei-vsc-don-t-stop-restart-mei-device-during-system-suspend-resume.patch b/queue-6.9/mei-vsc-don-t-stop-restart-mei-device-during-system-suspend-resume.patch
new file mode 100644
index 00000000000..5f47de7fd68
--- /dev/null
+++ b/queue-6.9/mei-vsc-don-t-stop-restart-mei-device-during-system-suspend-resume.patch
@@ -0,0 +1,92 @@
+From 9b5e045029d8bded4c6979874ed3abc347c1415c Mon Sep 17 00:00:00 2001
+From: Wentong Wu
+Date: Mon, 27 May 2024 20:38:35 +0800
+Subject: mei: vsc: Don't stop/restart mei device during system suspend/resume
+
+From: Wentong Wu
+
+commit 9b5e045029d8bded4c6979874ed3abc347c1415c upstream.
+
+The dynamically created mei client device (mei csi) is used as one V4L2
+sub device of the whole video pipeline, and the V4L2 connection graph is
+built by software node. The mei_stop() and mei_restart() will delete the
+old mei csi client device and create a new mei client device, which will
+cause the software node information saved in old mei csi device lost and
+the whole video pipeline will be broken.
+
+Removing mei_stop()/mei_restart() during system suspend/resume can fix
+the issue above and won't impact hardware actual power saving logic.
+
+Fixes: f6085a96c973 ("mei: vsc: Unregister interrupt handler for system suspend")
+Cc: stable@vger.kernel.org # for 6.8+
+Reported-by: Hao Yao
+Signed-off-by: Wentong Wu
+Reviewed-by: Sakari Ailus
+Tested-by: Jason Chen
+Tested-by: Sakari Ailus
+Acked-by: Tomas Winkler
+Link: https://lore.kernel.org/r/20240527123835.522384-1-wentong.wu@intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/mei/platform-vsc.c | 39 +++++++++++++++------------------------
+ 1 file changed, 15 insertions(+), 24 deletions(-)
+
+--- a/drivers/misc/mei/platform-vsc.c
++++ b/drivers/misc/mei/platform-vsc.c
+@@ -399,41 +399,32 @@ static void mei_vsc_remove(struct platfo
+
+ static int mei_vsc_suspend(struct device *dev)
+ {
+- struct mei_device *mei_dev = dev_get_drvdata(dev);
+- struct mei_vsc_hw *hw = mei_dev_to_vsc_hw(mei_dev);
++ struct mei_device *mei_dev;
++ int ret = 0;
+
+- mei_stop(mei_dev);
++ mei_dev = dev_get_drvdata(dev);
++ if (!mei_dev)
++ return -ENODEV;
+
+- mei_disable_interrupts(mei_dev);
++ mutex_lock(&mei_dev->device_lock);
+
+- vsc_tp_free_irq(hw->tp);
++ if (!mei_write_is_idle(mei_dev))
++ ret = -EAGAIN;
+
+-
return 0;
++ mutex_unlock(&mei_dev->device_lock);
++
++ return ret;
+ }
+
+ static int mei_vsc_resume(struct device *dev)
+ {
+- struct mei_device *mei_dev = dev_get_drvdata(dev);
+- struct mei_vsc_hw *hw = mei_dev_to_vsc_hw(mei_dev);
+- int ret;
+-
+- ret = vsc_tp_request_irq(hw->tp);
+- if (ret)
+- return ret;
+-
+- ret = mei_restart(mei_dev);
+- if (ret)
+- goto err_free;
++ struct mei_device *mei_dev;
+
+- /* start timer if stopped in suspend */
+- schedule_delayed_work(&mei_dev->timer_work, HZ);
++ mei_dev = dev_get_drvdata(dev);
++ if (!mei_dev)
++ return -ENODEV;
+
+ return 0;
+-
+-err_free:
+- vsc_tp_free_irq(hw->tp);
+-
+- return ret;
+ }
+
+ static DEFINE_SIMPLE_DEV_PM_OPS(mei_vsc_pm_ops, mei_vsc_suspend, mei_vsc_resume);
diff --git a/queue-6.9/serial-8250_pxa-configure-tx_loadsz-to-match-fifo-irq-level.patch b/queue-6.9/serial-8250_pxa-configure-tx_loadsz-to-match-fifo-irq-level.patch
new file mode 100644
index 00000000000..83c7484d961
--- /dev/null
+++ b/queue-6.9/serial-8250_pxa-configure-tx_loadsz-to-match-fifo-irq-level.patch
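Review bot: `mei_vsc_suspend()` now returns `-EAGAIN` whenever `mei_write_is_idle()` is false, which fails the system suspend transition instead of waiting for the write to drain, and nothing in the code marks that as intended. A comment above the check, for example `/* refuse to suspend while a write is in flight */`, would make the contract visible to the next reader. The patch also drops `mei_disable_interrupts()` and `vsc_tp_free_irq()` from suspend, so the interrupt that the commit named in Fixes: released now stays requested across suspend; the description should say why the original reason for releasing it no longer applies. `mei_vsc_resume()` is reduced to a drvdata NULL check and could carry a one-line comment saying that no device state is restored on purpose.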
@@ -0,0 +1,35 @@
+From 5208e7ced520a813b4f4774451fbac4e517e78b2 Mon Sep 17 00:00:00 2001
+From: Doug Brown
+Date: Sun, 19 May 2024 12:19:30 -0700
+Subject: serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level
+
+From: Doug Brown
+
+commit 5208e7ced520a813b4f4774451fbac4e517e78b2 upstream.
+
+The FIFO is 64 bytes, but the FCR is configured to fire the TX interrupt
+when the FIFO is half empty (bit 3 = 0). Thus, we should only write 32
+bytes when a TX interrupt occurs.
+
+This fixes a problem observed on the PXA168 that dropped a bunch of TX
+bytes during large transmissions.
+
+Fixes: ab28f51c77cd ("serial: rewrite pxa2xx-uart to use 8250_core")
+Signed-off-by: Doug Brown
+Link: https://lore.kernel.org/r/20240519191929.122202-1-doug@schmorgal.com
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/8250/8250_pxa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/serial/8250/8250_pxa.c
++++ b/drivers/tty/serial/8250/8250_pxa.c
+@@ -125,6 +125,7 @@ static int serial_pxa_probe(struct platf
+ uart.port.iotype = UPIO_MEM32;
+ uart.port.regshift = 2;
+ uart.port.fifosize = 64;
++ uart.tx_loadsz = 32;
+ uart.dl_write = serial_pxa_dl_write;
+
+ ret = serial8250_register_8250_port(&uart);
diff --git a/queue-6.9/serial-port-don-t-block-system-suspend-even-if-bytes-are-left-to-xmit.patch b/queue-6.9/serial-port-don-t-block-system-suspend-even-if-bytes-are-left-to-xmit.patch
new file mode 100644
index 00000000000..5867288eb56
--- /dev/null
+++ b/queue-6.9/serial-port-don-t-block-system-suspend-even-if-bytes-are-left-to-xmit.patch
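Review bot: `uart.tx_loadsz = 32;` in `serial_pxa_probe()` is a bare constant whose correctness depends on the FCR trigger level, and that coupling is explained only in the commit message. A trailing comment would keep the two together in the source: `uart.tx_loadsz = 32; /* TX IRQ fires at half-empty 64-byte FIFO (FCR bit 3 = 0) */`. The probe function starts and ends outside the hunk.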
@@ -0,0 +1,67 @@
+From ca84cd379b45e9b1775b9e026f069a3a886b409d Mon Sep 17 00:00:00 2001
+From: Douglas Anderson
+Date: Fri, 31 May 2024 08:09:18 -0700
+Subject: serial: port: Don't block system suspend even if bytes are left to xmit
+
+From: Douglas Anderson
+
+commit ca84cd379b45e9b1775b9e026f069a3a886b409d upstream.
+
+Recently, suspend testing on sc7180-trogdor based devices has started
+to sometimes fail with messages like this:
+
+ port a88000.serial:0.0: PM: calling pm_runtime_force_suspend+0x0/0xf8 @ 28934, parent: a88000.serial:0
+ port a88000.serial:0.0: PM: dpm_run_callback(): pm_runtime_force_suspend+0x0/0xf8 returns -16
+ port a88000.serial:0.0: PM: pm_runtime_force_suspend+0x0/0xf8 returned -16 after 33 usecs
+ port a88000.serial:0.0: PM: failed to suspend: error -16
+
+I could reproduce these problems by logging in via an agetty on the
+debug serial port (which was _not_ used for kernel console) and
+running:
+ cat /var/log/messages
+...and then (via an SSH session) forcing a few suspend/resume cycles.
+
+Tracing through the code and doing some printf()-based debugging shows
+that the -16 (-EBUSY) comes from the recently added
+serial_port_runtime_suspend().
+
+The idea of the serial_port_runtime_suspend() function is to prevent
+the port from being _runtime_ suspended if it still has bytes left to
+transmit. Having bytes left to transmit isn't a reason to block
+_system_ suspend, though. If a serdev device in the kernel needs to
+block system suspend it should block its own suspend and it can use
+serdev_device_wait_until_sent() to ensure bytes are sent.
+
+The DEFINE_RUNTIME_DEV_PM_OPS() used by the serial_port code means
+that the system suspend function will be pm_runtime_force_suspend().
+In pm_runtime_force_suspend() we can see that before calling the
+runtime suspend function we'll call pm_runtime_disable(). This should
+be a reliable way to detect that we're called from system suspend and
+that we shouldn't look for busyness.
+
+Fixes: 43066e32227e ("serial: port: Don't suspend if the port is still busy")
+Cc: stable@vger.kernel.org
+Reviewed-by: Tony Lindgren
+Signed-off-by: Douglas Anderson
+Link: https://lore.kernel.org/r/20240531080914.v3.1.I2395e66cf70c6e67d774c56943825c289b9c13e4@changeid
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/serial_port.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/tty/serial/serial_port.c
++++ b/drivers/tty/serial/serial_port.c
+@@ -63,6 +63,13 @@ static int serial_port_runtime_suspend(s
+ if (port->flags & UPF_DEAD)
+ return 0;
+
++ /*
++ * Nothing to do on pm_runtime_force_suspend(), see
++ * DEFINE_RUNTIME_DEV_PM_OPS.
++ */
++ if (!pm_runtime_enabled(dev))
++ return 0;
++
+ uart_port_lock_irqsave(port, &flags);
+ if (!port_dev->tx_enabled) {
+ uart_port_unlock_irqrestore(port, flags);
diff --git a/queue-6.9/series b/queue-6.9/series
index 8127b249872..a37fdf85a6b 100644
--- a/queue-6.9/series
+++ b/queue-6.9/series
@@ -82,3 +82,14 @@ eventfs-update-all-the-eventfs_inodes-from-the-event.patch
 .editorconfig-remove-trim_trailing_whitespace-option.patch
 io_uring-rsrc-don-t-lock-while-task_running.patch
 io_uring-fix-cancellation-overwriting-req-flags.patch
+usb-class-cdc-wdm-fix-cpu-lockup-caused-by-excessive-log-messages.patch
+kcov-usb-disable-interrupts-in-kcov_remote_start_usb_softirq.patch
+usb-xen-hcd-traverse-host-when-config_usb_xen_hcd-is-selected.patch
+usb-typec-tcpm-fix-use-after-free-case-in-tcpm_register_source_caps.patch
+usb-typec-tcpm-ignore-received-hard-reset-in-toggling-state.patch
+mei-me-release-irq-in-mei_me_pci_resume-error-path.patch
+mei-vsc-don-t-stop-restart-mei-device-during-system-suspend-resume.patch
+tty-n_tty-fix-buffer-offsets-when-lookahead-is-used.patch
+serial-8250_pxa-configure-tx_loadsz-to-match-fifo-irq-level.patch
+serial-port-don-t-block-system-suspend-even-if-bytes-are-left-to-xmit.patch
+landlock-fix-d_parent-walk.patch
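Review bot: The new early return in `serial_port_runtime_suspend()` reads `!pm_runtime_enabled(dev)` as "called from pm_runtime_force_suspend()", but runtime PM being disabled is a broader condition than system suspend, and the added comment does not state the inference. I would reword it along the lines of `/* Runtime PM is disabled while pm_runtime_force_suspend() runs; treat that as system suspend and skip the busy check. */` so the assumption is explicit. It is also worth a sentence that bytes still queued for transmit no longer hold off system suspend, which the commit message explains but the code does not. The function body continues outside the hunk.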
diff --git a/queue-6.9/tty-n_tty-fix-buffer-offsets-when-lookahead-is-used.patch b/queue-6.9/tty-n_tty-fix-buffer-offsets-when-lookahead-is-used.patch
new file mode 100644
index 00000000000..5440611fd71
--- /dev/null
+++ b/queue-6.9/tty-n_tty-fix-buffer-offsets-when-lookahead-is-used.patch
@@ -0,0 +1,67 @@
+From b19ab7ee2c4c1ec5f27c18413c3ab63907f7d55c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?=
+Date: Tue, 14 May 2024 17:04:29 +0300
+Subject: tty: n_tty: Fix buffer offsets when lookahead is used
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen
+
+commit b19ab7ee2c4c1ec5f27c18413c3ab63907f7d55c upstream.
+
+When lookahead has "consumed" some characters (la_count > 0),
+n_tty_receive_buf_standard() and n_tty_receive_buf_closing() for
+characters beyond the la_count are given wrong cp/fp offsets which
+leads to duplicating and losing some characters.
+
+If la_count > 0, correct buffer pointers and make count consistent too
+(the latter is not strictly necessary to fix the issue but seems more
+logical to adjust all variables immediately to keep state consistent).
+
+Reported-by: Vadym Krevs
+Fixes: 6bb6fa6908eb ("tty: Implement lookahead to process XON/XOFF timely")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218834
+Tested-by: Vadym Krevs
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilpo Järvinen
+Link: https://lore.kernel.org/r/20240514140429.12087-1-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/n_tty.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/n_tty.c
++++ b/drivers/tty/n_tty.c
+@@ -1619,15 +1619,25 @@ static void __receive_buf(struct tty_str
+ else if (ldata->raw || (L_EXTPROC(tty) && !preops))
+ n_tty_receive_buf_raw(tty, cp, fp, count);
+ else if (tty->closing && !L_EXTPROC(tty)) {
+- if (la_count > 0)
++ if (la_count > 0) {
+ n_tty_receive_buf_closing(tty, cp, fp, la_count, true);
+- if (count > la_count)
+- n_tty_receive_buf_closing(tty, cp, fp, count - la_count, false);
++ cp += la_count;
++ if (fp)
++ fp += la_count;
++ count -= la_count;
++ }
++ if (count > 0)
++ n_tty_receive_buf_closing(tty, cp, fp, count, false);
+ } else {
+- if (la_count > 0)
++ if
(la_count > 0) {
+ n_tty_receive_buf_standard(tty, cp, fp, la_count, true);
+- if (count > la_count)
+- n_tty_receive_buf_standard(tty, cp, fp, count - la_count, false);
++ cp += la_count;
++ if (fp)
++ fp += la_count;
++ count -= la_count;
++ }
++ if (count > 0)
++ n_tty_receive_buf_standard(tty, cp, fp, count, false);
+
+ flush_echoes(tty);
+ if (tty->ops->flush_chars)
diff --git a/queue-6.9/usb-class-cdc-wdm-fix-cpu-lockup-caused-by-excessive-log-messages.patch b/queue-6.9/usb-class-cdc-wdm-fix-cpu-lockup-caused-by-excessive-log-messages.patch
new file mode 100644
index 00000000000..8558bedaa3d
--- /dev/null
+++ b/queue-6.9/usb-class-cdc-wdm-fix-cpu-lockup-caused-by-excessive-log-messages.patch
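Review bot: Both rewritten branches of `__receive_buf()` now execute `count -= la_count;` whenever `la_count > 0`, where the old code only formed `count - la_count` under `count > la_count`, so the new code is safe only if `la_count` has been clamped to `count` before this point, which the hunk does not show. If `count` is an unsigned type, an unclamped `la_count` would wrap it and the following `n_tty_receive_buf_closing()` or `n_tty_receive_buf_standard()` call would be handed a length far beyond the buffer. I would confirm the clamp and record it next to the subtraction, e.g. `/* la_count <= count, clamped above */`. The closing and standard branches are now identical apart from the callee and could share a small helper.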
@@ -0,0 +1,78 @@
+From 22f00812862564b314784167a89f27b444f82a46 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Thu, 13 Jun 2024 21:30:43 -0400
+Subject: USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages
+
+From: Alan Stern
+
+commit 22f00812862564b314784167a89f27b444f82a46 upstream.
+
+The syzbot fuzzer found that the interrupt-URB completion callback in
+the cdc-wdm driver was taking too long, and the driver's immediate
+resubmission of interrupt URBs with -EPROTO status combined with the
+dummy-hcd emulation to cause a CPU lockup:
+
+cdc_wdm 1-1:1.0: nonzero urb status received: -71
+cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes
+watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]
+CPU#0 Utilization every 4s during lockup:
+ #1: 98% system, 0% softirq, 3% hardirq, 0% idle
+ #2: 98% system, 0% softirq, 3% hardirq, 0% idle
+ #3: 98% system, 0% softirq, 3% hardirq, 0% idle
+ #4: 98% system, 0% softirq, 3% hardirq, 0% idle
+ #5: 98% system, 1% softirq, 3% hardirq, 0% idle
+Modules linked in:
+irq event stamp: 73096
+hardirqs last enabled at (73095): [] console_emit_next_record kernel/printk/printk.c:2935 [inline]
+hardirqs last enabled at (73095): [] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994
+hardirqs last disabled at (73096): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
+hardirqs last disabled at (73096): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
+softirqs last enabled at (73048): [] softirq_handle_end kernel/softirq.c:400 [inline]
+softirqs last enabled at (73048): [] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582
+softirqs last disabled at (73043): [] __do_softirq+0x14/0x20 kernel/softirq.c:588
+CPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
+
+Testing showed that the problem did not occur if the two error
+messages -- the first two lines
above -- were removed; apparently adding
+material to the kernel log takes a surprisingly large amount of time.
+
+In any case, the best approach for preventing these lockups and to
+avoid spamming the log with thousands of error messages per second is
+to ratelimit the two dev_err() calls. Therefore we replace them with
+dev_err_ratelimited().
+
+Signed-off-by: Alan Stern
+Suggested-by: Greg KH
+Reported-and-tested-by: syzbot+5f996b83575ef4058638@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-usb/00000000000073d54b061a6a1c65@google.com/
+Reported-and-tested-by: syzbot+1b2abad17596ad03dcff@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-usb/000000000000f45085061aa9b37e@google.com/
+Fixes: 9908a32e94de ("USB: remove err() macro from usb class drivers")
+Link: https://lore.kernel.org/linux-usb/40dfa45b-5f21-4eef-a8c1-51a2f320e267@rowland.harvard.edu/
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/29855215-52f5-4385-b058-91f42c2bee18@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/class/cdc-wdm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -266,14 +266,14 @@ static void wdm_int_callback(struct urb
+ dev_err(&desc->intf->dev, "Stall on int endpoint\n");
+ goto sw; /* halt is cleared in work */
+ default:
+- dev_err(&desc->intf->dev,
++ dev_err_ratelimited(&desc->intf->dev,
+ "nonzero urb status received: %d\n", status);
+ break;
+ }
+ }
+
+ if (urb->actual_length < sizeof(struct usb_cdc_notification)) {
+- dev_err(&desc->intf->dev, "wdm_int_callback - %d bytes\n",
++ dev_err_ratelimited(&desc->intf->dev, "wdm_int_callback - %d bytes\n",
+ urb->actual_length);
+ goto exit;
+ }
diff --git a/queue-6.9/usb-typec-tcpm-fix-use-after-free-case-in-tcpm_register_source_caps.patch b/queue-6.9/usb-typec-tcpm-fix-use-after-free-case-in-tcpm_register_source_caps.patch
new file mode 100644
index 00000000000..cff5a5f40b8
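Review bot: Rate-limiting the two `dev_err()` calls in `wdm_int_callback()` removes the logging cost, but the immediate resubmission of the interrupt URB on a persistent error status, which the commit message names as part of the lockup, is left as it is. A device or emulated host controller that keeps completing the URB with an error can therefore still keep this completion path busy, only more quietly. A follow-up that backs off or stops resubmitting after repeated errors would address the cause; that code is outside this hunk. The `"Stall on int endpoint\n"` `dev_err()` in the same switch stays unlimited, presumably because that path defers to work instead of retrying inline, which is worth confirming.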
--- /dev/null
+++ b/queue-6.9/usb-typec-tcpm-fix-use-after-free-case-in-tcpm_register_source_caps.patch
@@ -0,0 +1,48 @@
+From e7e921918d905544500ca7a95889f898121ba886 Mon Sep 17 00:00:00 2001
+From: Amit Sunil Dhamne
+Date: Tue, 14 May 2024 15:01:31 -0700
+Subject: usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps
+
+From: Amit Sunil Dhamne
+
+commit e7e921918d905544500ca7a95889f898121ba886 upstream.
+
+There could be a potential use-after-free case in
+tcpm_register_source_caps(). This could happen when:
+ * new (say invalid) source caps are advertised
+ * the existing source caps are unregistered
+ * tcpm_register_source_caps() returns with an error as
+ usb_power_delivery_register_capabilities() fails
+
+This causes port->partner_source_caps to hold on to the now freed source
+caps.
+
+Reset port->partner_source_caps value to NULL after unregistering
+existing source caps.
+
+Fixes: 230ecdf71a64 ("usb: typec: tcpm: unregister existing source caps before re-registration")
+Cc: stable@vger.kernel.org
+Signed-off-by: Amit Sunil Dhamne
+Reviewed-by: Ondrej Jirman
+Reviewed-by: Heikki Krogerus
+Reviewed-by: Dmitry Baryshkov
+Link: https://lore.kernel.org/r/20240514220134.2143181-1-amitsd@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/tcpm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -3014,8 +3014,10 @@ static int tcpm_register_source_caps(str
+ memcpy(caps.pdo, port->source_caps, sizeof(u32) * port->nr_source_caps);
+ caps.role = TYPEC_SOURCE;
+
+- if (cap)
++ if (cap) {
+ usb_power_delivery_unregister_capabilities(cap);
++ port->partner_source_caps = NULL;
++ }
+
+ cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps);
+ if (IS_ERR(cap))
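Review bot: The reset of `port->partner_source_caps` in `tcpm_register_source_caps()` comes after `usb_power_delivery_unregister_capabilities(cap)`, so the field still points at the object while it is being torn down. If anything can read the field concurrently (the locking is not visible in this hunk), clearing it first closes that window: `port->partner_source_caps = NULL;` followed by `usb_power_delivery_unregister_capabilities(cap);`. The fix is also local to this function; any other site that unregisters capabilities and can return before reassigning the corresponding port field would have the same stale-pointer pattern and should be audited. The function body starts and ends outside the hunk.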
diff --git a/queue-6.9/usb-typec-tcpm-ignore-received-hard-reset-in-toggling-state.patch b/queue-6.9/usb-typec-tcpm-ignore-received-hard-reset-in-toggling-state.patch
new file mode 100644
index 00000000000..732f7e50c67
--- /dev/null
+++ b/queue-6.9/usb-typec-tcpm-ignore-received-hard-reset-in-toggling-state.patch
@@ -0,0 +1,54 @@
+From fc8fb9eea94d8f476e15f3a4a7addeb16b3b99d6 Mon Sep 17 00:00:00 2001
+From: Kyle Tso
+Date: Mon, 20 May 2024 23:48:58 +0800
+Subject: usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state
+
+From: Kyle Tso
+
+commit fc8fb9eea94d8f476e15f3a4a7addeb16b3b99d6 upstream.
+
+Similar to what fixed in Commit a6fe37f428c1 ("usb: typec: tcpm: Skip
+hard reset when in error recovery"), the handling of the received Hard
+Reset has to be skipped during TOGGLING state.
+
+[ 4086.021288] VBUS off
+[ 4086.021295] pending state change SNK_READY -> SNK_UNATTACHED @ 650 ms [rev2 NONE_AMS]
+[ 4086.022113] VBUS VSAFE0V
+[ 4086.022117] state change SNK_READY -> SNK_UNATTACHED [rev2 NONE_AMS]
+[ 4086.022447] VBUS off
+[ 4086.022450] state change SNK_UNATTACHED -> SNK_UNATTACHED [rev2 NONE_AMS]
+[ 4086.023060] VBUS VSAFE0V
+[ 4086.023064] state change SNK_UNATTACHED -> SNK_UNATTACHED [rev2 NONE_AMS]
+[ 4086.023070] disable BIST MODE TESTDATA
+[ 4086.023766] disable vbus discharge ret:0
+[ 4086.023911] Setting usb_comm capable false
+[ 4086.028874] Setting voltage/current limit 0 mV 0 mA
+[ 4086.028888] polarity 0
+[ 4086.030305] Requesting mux state 0, usb-role 0, orientation 0
+[ 4086.033539] Start toggling
+[ 4086.038496] state change SNK_UNATTACHED -> TOGGLING [rev2 NONE_AMS]
+
+// This Hard Reset is unexpected
+[ 4086.038499] Received hard reset
+[ 4086.038501] state change TOGGLING -> HARD_RESET_START [rev2 HARD_RESET]
+
+Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kyle Tso
+Reviewed-by: Heikki Krogerus
+Link: https://lore.kernel.org/r/20240520154858.1072347-1-kyletso@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/tcpm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -6174,6 +6174,7 @@ static void _tcpm_pd_hard_reset(struct t
+ port->tcpc->set_bist_data(port->tcpc, false);
+
+ switch
(port->state) {
++ case TOGGLING:
+ case ERROR_RECOVERY:
+ case PORT_RESET:
+ case PORT_RESET_WAIT_OFF:
diff --git a/queue-6.9/usb-xen-hcd-traverse-host-when-config_usb_xen_hcd-is-selected.patch b/queue-6.9/usb-xen-hcd-traverse-host-when-config_usb_xen_hcd-is-selected.patch
new file mode 100644
index 00000000000..0ceca952d2a
--- /dev/null
+++ b/queue-6.9/usb-xen-hcd-traverse-host-when-config_usb_xen_hcd-is-selected.patch
@@ -0,0 +1,33 @@
+From 8475ffcfb381a77075562207ce08552414a80326 Mon Sep 17 00:00:00 2001
+From: John Ernberg
+Date: Fri, 17 May 2024 11:43:52 +0000
+Subject: USB: xen-hcd: Traverse host/ when CONFIG_USB_XEN_HCD is selected
+
+From: John Ernberg
+
+commit 8475ffcfb381a77075562207ce08552414a80326 upstream.
+
+If no other USB HCDs are selected when compiling a small pure virutal
+machine, the Xen HCD driver cannot be built.
+
+Fix it by traversing down host/ if CONFIG_USB_XEN_HCD is selected.
+
+Fixes: 494ed3997d75 ("usb: Introduce Xen pvUSB frontend (xen hcd)")
+Cc: stable@vger.kernel.org # v5.17+
+Signed-off-by: John Ernberg
+Link: https://lore.kernel.org/r/20240517114345.1190755-1-john.ernberg@actia.se
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/Makefile
++++ b/drivers/usb/Makefile
+@@ -35,6 +35,7 @@ obj-$(CONFIG_USB_R8A66597_HCD) += host/
+ obj-$(CONFIG_USB_FSL_USB2) += host/
+ obj-$(CONFIG_USB_FOTG210_HCD) += host/
+ obj-$(CONFIG_USB_MAX3421_HCD) += host/
++obj-$(CONFIG_USB_XEN_HCD) += host/
+
+ obj-$(CONFIG_USB_C67X00_HCD) += c67x00/
+
-- 2.47.3