From 5c2059ba38c913328016feb223ad0e65f4379c26 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 31 Jul 2023 14:21:49 +0200 Subject: [PATCH] 6.1-stable patches added patches: acpi-iort-remove-erroneous-id_count-check-in-iort_node_get_rmr_info.patch alsa-hda-realtek-support-asus-g713pv-laptop.patch alsa-hda-relatek-enable-mute-led-on-hp-250-g8.patch btrfs-account-block-group-tree-when-calculating-global-reserve-size.patch btrfs-check-for-commit-error-at-btrfs_attach_transaction_barrier.patch btrfs-check-if-the-transaction-was-aborted-at-btrfs_wait_for_commit.patch can-gs_usb-gs_can_close-add-missing-set-of-can-state-to-can_state_stopped.patch documentation-security-bugs.rst-clarify-cve-handling.patch documentation-security-bugs.rst-update-preferences-when-dealing-with-the-linux-distros-group.patch file-always-lock-position-for-fmode_atomic_pos.patch hwmon-k10temp-enable-amd3255-proc-to-show-negative-temperature.patch hwmon-nct7802-fix-for-temp6-peci1-processed-even-if-peci1-disabled.patch kvm-grab-a-reference-to-kvm-for-vm-and-vcpu-stats-file-descriptors.patch kvm-vmx-don-t-fudge-cr0-and-cr4-for-restricted-l2-guest.patch kvm-x86-disallow-kvm_set_sregs-2-if-incoming-cr0-is-invalid.patch nfsd-remove-incorrect-check-in-nfsd4_validate_stateid.patch revert-usb-dwc3-core-enable-autoretry-feature-in-the-controller.patch revert-usb-gadget-tegra-xudc-fix-error-check-in-tegra_xudc_powerdomain_init.patch revert-usb-xhci-tegra-fix-error-check.patch revert-xhci-add-quirk-for-host-controllers-that-don-t-update-endpoint-dcs.patch serial-8250_dw-preserve-original-value-of-dlf-register.patch serial-qcom-geni-drop-bogus-runtime-pm-state-update.patch serial-sifive-fix-sifive_serial_console_setup-section.patch staging-ks7010-potential-buffer-overflow-in-ks_wlan_set_encode_ext.patch staging-r8712-fix-memory-leak-in-_r8712_init_xmit_priv.patch tpm_tis-explicitly-check-for-error-code.patch tty-n_gsm-fix-uaf-in-gsm_cleanup_mux.patch usb-cdns3-fix-incorrect-calculation-of-ep_buf_size-when-more-than-one-config.patch 
usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch usb-dwc3-pci-skip-byt-gpio-lookup-table-for-hardwired-phy.patch usb-gadget-call-usb_gadget_check_config-to-verify-udc-capability.patch usb-gadget-core-remove-unbalanced-mutex_unlock-in-usb_gadget_activate.patch usb-gadget-fix-the-memory-leak-in-raw_gadget-driver.patch usb-misc-ehset-fix-wrong-if-condition.patch usb-ohci-at91-fix-the-unhandle-interrupt-when-resume.patch usb-quirks-add-quirk-for-focusrite-scarlett.patch usb-serial-option-add-quectel-ec200a-module-support.patch usb-serial-option-support-quectel-em060k_128.patch usb-serial-simple-add-kaufmann-rks-can-vcp.patch usb-serial-simple-sort-driver-entries.patch usb-typec-iterate-pds-array-when-showing-the-pd-list.patch usb-typec-set-port-pd-before-adding-device-for-typec_port.patch usb-typec-use-sysfs_emit_at-when-concatenating-the-string.patch usb-xhci-mtk-set-the-dma-max_seg_size.patch x86-mce-amd-decrement-threshold_bank-refcount-when-removing-threshold-blocks.patch --- ...ount-check-in-iort_node_get_rmr_info.patch | 44 ++++ ...a-realtek-support-asus-g713pv-laptop.patch | 33 +++ ...relatek-enable-mute-led-on-hp-250-g8.patch | 31 +++ ...when-calculating-global-reserve-size.patch | 39 ++++ ...-at-btrfs_attach_transaction_barrier.patch | 53 +++++ ...was-aborted-at-btrfs_wait_for_commit.patch | 35 +++ ...et-of-can-state-to-can_state_stopped.patch | 42 ++++ ...curity-bugs.rst-clarify-cve-handling.patch | 42 ++++ ...dealing-with-the-linux-distros-group.patch | 56 +++++ ...s-lock-position-for-fmode_atomic_pos.patch | 57 +++++ ...55-proc-to-show-negative-temperature.patch | 82 +++++++ ...ci1-processed-even-if-peci1-disabled.patch | 34 +++ ...r-vm-and-vcpu-stats-file-descriptors.patch | 89 ++++++++ ...-cr0-and-cr4-for-restricted-l2-guest.patch | 88 ++++++++ ...t_sregs-2-if-incoming-cr0-is-invalid.patch | 204 ++++++++++++++++++ ...rect-check-in-nfsd4_validate_stateid.patch | 38 ++++ ...-autoretry-feature-in-the-controller.patch | 98 +++++++++ 
...check-in-tegra_xudc_powerdomain_init.patch | 54 +++++ ...evert-usb-xhci-tegra-fix-error-check.patch | 54 +++++ ...llers-that-don-t-update-endpoint-dcs.patch | 146 +++++++++++++ ...serve-original-value-of-dlf-register.patch | 53 +++++ ...i-drop-bogus-runtime-pm-state-update.patch | 42 ++++ ...-sifive_serial_console_setup-section.patch | 34 +++ queue-6.1/series | 45 ++++ ...r-overflow-in-ks_wlan_set_encode_ext.patch | 37 ++++ ...memory-leak-in-_r8712_init_xmit_priv.patch | 127 +++++++++++ ..._tis-explicitly-check-for-error-code.patch | 48 +++++ ...tty-n_gsm-fix-uaf-in-gsm_cleanup_mux.patch | 100 +++++++++ ...p_buf_size-when-more-than-one-config.patch | 47 ++++ ...-if-dwc3-was-configured-as-host-only.patch | 41 ++++ ...-gpio-lookup-table-for-hardwired-phy.patch | 69 ++++++ ...heck_config-to-verify-udc-capability.patch | 41 ++++ ...-mutex_unlock-in-usb_gadget_activate.patch | 32 +++ ...the-memory-leak-in-raw_gadget-driver.patch | 78 +++++++ ...sb-misc-ehset-fix-wrong-if-condition.patch | 60 ++++++ ...x-the-unhandle-interrupt-when-resume.patch | 43 ++++ ...rks-add-quirk-for-focusrite-scarlett.patch | 66 ++++++ ...on-add-quectel-ec200a-module-support.patch | 64 ++++++ ...al-option-support-quectel-em060k_128.patch | 73 +++++++ ...rial-simple-add-kaufmann-rks-can-vcp.patch | 54 +++++ ...sb-serial-simple-sort-driver-entries.patch | 157 ++++++++++++++ ...e-pds-array-when-showing-the-pd-list.patch | 52 +++++ ...-before-adding-device-for-typec_port.patch | 47 ++++ ...mit_at-when-concatenating-the-string.patch | 36 ++++ ...sb-xhci-mtk-set-the-dma-max_seg_size.patch | 35 +++ ...count-when-removing-threshold-blocks.patch | 93 ++++++++ 46 files changed, 2893 insertions(+) create mode 100644 queue-6.1/acpi-iort-remove-erroneous-id_count-check-in-iort_node_get_rmr_info.patch create mode 100644 queue-6.1/alsa-hda-realtek-support-asus-g713pv-laptop.patch create mode 100644 queue-6.1/alsa-hda-relatek-enable-mute-led-on-hp-250-g8.patch create mode 100644 
queue-6.1/btrfs-account-block-group-tree-when-calculating-global-reserve-size.patch create mode 100644 queue-6.1/btrfs-check-for-commit-error-at-btrfs_attach_transaction_barrier.patch create mode 100644 queue-6.1/btrfs-check-if-the-transaction-was-aborted-at-btrfs_wait_for_commit.patch create mode 100644 queue-6.1/can-gs_usb-gs_can_close-add-missing-set-of-can-state-to-can_state_stopped.patch create mode 100644 queue-6.1/documentation-security-bugs.rst-clarify-cve-handling.patch create mode 100644 queue-6.1/documentation-security-bugs.rst-update-preferences-when-dealing-with-the-linux-distros-group.patch create mode 100644 queue-6.1/file-always-lock-position-for-fmode_atomic_pos.patch create mode 100644 queue-6.1/hwmon-k10temp-enable-amd3255-proc-to-show-negative-temperature.patch create mode 100644 queue-6.1/hwmon-nct7802-fix-for-temp6-peci1-processed-even-if-peci1-disabled.patch create mode 100644 queue-6.1/kvm-grab-a-reference-to-kvm-for-vm-and-vcpu-stats-file-descriptors.patch create mode 100644 queue-6.1/kvm-vmx-don-t-fudge-cr0-and-cr4-for-restricted-l2-guest.patch create mode 100644 queue-6.1/kvm-x86-disallow-kvm_set_sregs-2-if-incoming-cr0-is-invalid.patch create mode 100644 queue-6.1/nfsd-remove-incorrect-check-in-nfsd4_validate_stateid.patch create mode 100644 queue-6.1/revert-usb-dwc3-core-enable-autoretry-feature-in-the-controller.patch create mode 100644 queue-6.1/revert-usb-gadget-tegra-xudc-fix-error-check-in-tegra_xudc_powerdomain_init.patch create mode 100644 queue-6.1/revert-usb-xhci-tegra-fix-error-check.patch create mode 100644 queue-6.1/revert-xhci-add-quirk-for-host-controllers-that-don-t-update-endpoint-dcs.patch create mode 100644 queue-6.1/serial-8250_dw-preserve-original-value-of-dlf-register.patch create mode 100644 queue-6.1/serial-qcom-geni-drop-bogus-runtime-pm-state-update.patch create mode 100644 queue-6.1/serial-sifive-fix-sifive_serial_console_setup-section.patch create mode 100644 
queue-6.1/staging-ks7010-potential-buffer-overflow-in-ks_wlan_set_encode_ext.patch create mode 100644 queue-6.1/staging-r8712-fix-memory-leak-in-_r8712_init_xmit_priv.patch create mode 100644 queue-6.1/tpm_tis-explicitly-check-for-error-code.patch create mode 100644 queue-6.1/tty-n_gsm-fix-uaf-in-gsm_cleanup_mux.patch create mode 100644 queue-6.1/usb-cdns3-fix-incorrect-calculation-of-ep_buf_size-when-more-than-one-config.patch create mode 100644 queue-6.1/usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch create mode 100644 queue-6.1/usb-dwc3-pci-skip-byt-gpio-lookup-table-for-hardwired-phy.patch create mode 100644 queue-6.1/usb-gadget-call-usb_gadget_check_config-to-verify-udc-capability.patch create mode 100644 queue-6.1/usb-gadget-core-remove-unbalanced-mutex_unlock-in-usb_gadget_activate.patch create mode 100644 queue-6.1/usb-gadget-fix-the-memory-leak-in-raw_gadget-driver.patch create mode 100644 queue-6.1/usb-misc-ehset-fix-wrong-if-condition.patch create mode 100644 queue-6.1/usb-ohci-at91-fix-the-unhandle-interrupt-when-resume.patch create mode 100644 queue-6.1/usb-quirks-add-quirk-for-focusrite-scarlett.patch create mode 100644 queue-6.1/usb-serial-option-add-quectel-ec200a-module-support.patch create mode 100644 queue-6.1/usb-serial-option-support-quectel-em060k_128.patch create mode 100644 queue-6.1/usb-serial-simple-add-kaufmann-rks-can-vcp.patch create mode 100644 queue-6.1/usb-serial-simple-sort-driver-entries.patch create mode 100644 queue-6.1/usb-typec-iterate-pds-array-when-showing-the-pd-list.patch create mode 100644 queue-6.1/usb-typec-set-port-pd-before-adding-device-for-typec_port.patch create mode 100644 queue-6.1/usb-typec-use-sysfs_emit_at-when-concatenating-the-string.patch create mode 100644 queue-6.1/usb-xhci-mtk-set-the-dma-max_seg_size.patch create mode 100644 queue-6.1/x86-mce-amd-decrement-threshold_bank-refcount-when-removing-threshold-blocks.patch 
diff --git a/queue-6.1/acpi-iort-remove-erroneous-id_count-check-in-iort_node_get_rmr_info.patch b/queue-6.1/acpi-iort-remove-erroneous-id_count-check-in-iort_node_get_rmr_info.patch
new file mode 100644
index 00000000000..c44e1dba1a0
--- /dev/null
+++ b/queue-6.1/acpi-iort-remove-erroneous-id_count-check-in-iort_node_get_rmr_info.patch
@@ -0,0 +1,44 @@
+From 003e6b56d780095a9adc23efc9cb4b4b4717169b Mon Sep 17 00:00:00 2001
+From: Guanghui Feng
+Date: Mon, 17 Jul 2023 19:33:45 +0800
+Subject: ACPI/IORT: Remove erroneous id_count check in iort_node_get_rmr_info()
+
+From: Guanghui Feng
+
+commit 003e6b56d780095a9adc23efc9cb4b4b4717169b upstream.
+
+According to the ARM IORT specifications DEN 0049 issue E,
+the "Number of IDs" field in the ID mapping format reports
+the number of IDs in the mapping range minus one.
+
+In iort_node_get_rmr_info(), we erroneously skip ID mappings
+whose "Number of IDs" equal to 0, resulting in valid mapping
+nodes with a single ID to map being skipped, which is wrong.
+
+Fix iort_node_get_rmr_info() by removing the bogus id_count
+check.
+
+Fixes: 491cf4a6735a ("ACPI/IORT: Add support to retrieve IORT RMR reserved regions")
+Signed-off-by: Guanghui Feng
+Cc: # 6.0.x
+Acked-by: Lorenzo Pieralisi
+Tested-by: Hanjun Guo
+Link: https://lore.kernel.org/r/1689593625-45213-1-git-send-email-guanghuifeng@linux.alibaba.com
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/arm64/iort.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/acpi/arm64/iort.c
++++ b/drivers/acpi/arm64/iort.c
+@@ -998,9 +998,6 @@ static void iort_node_get_rmr_info(struc
+ for (i = 0; i < node->mapping_count; i++, map++) {
+ struct acpi_iort_node *parent;
+
+- if (!map->id_count)
+- continue;
+-
+ parent = ACPI_ADD_PTR(struct acpi_iort_node, iort_table,
+ map->output_reference);
+ if (parent != iommu)
diff --git a/queue-6.1/alsa-hda-realtek-support-asus-g713pv-laptop.patch b/queue-6.1/alsa-hda-realtek-support-asus-g713pv-laptop.patch
new file mode 100644
index 00000000000..8795ce5e4de
--- /dev/null
+++ b/queue-6.1/alsa-hda-realtek-support-asus-g713pv-laptop.patch
@@ -0,0 +1,33 @@
+From 8019a4ab3d80c7af391a646cccff953753fc025f Mon Sep 17 00:00:00 2001
+From: Pavel Asyutchenko
+Date: Thu, 27 Jul 2023 01:37:32 +0300
+Subject: ALSA: hda/realtek: Support ASUS G713PV laptop
+
+From: Pavel Asyutchenko
+
+commit 8019a4ab3d80c7af391a646cccff953753fc025f upstream.
+
+This laptop has CS35L41 amp connected via I2C.
+
+With this patch speakers begin to work if the
+missing _DSD properties are added to ACPI tables.
+
+Signed-off-by: Pavel Asyutchenko
+Cc:
+Link: https://lore.kernel.org/r/20230726223732.20775-1-svenpavel@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9580,6 +9580,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1043, 0x1c62, "ASUS GU603", ALC289_FIXUP_ASUS_GA401),
+ SND_PCI_QUIRK(0x1043, 0x1c92, "ASUS ROG Strix G15", ALC285_FIXUP_ASUS_G533Z_PINS),
+ SND_PCI_QUIRK(0x1043, 0x1ccd, "ASUS X555UB", ALC256_FIXUP_ASUS_MIC),
++ SND_PCI_QUIRK(0x1043, 0x1d1f, "ASUS ROG Strix G17 2023 (G713PV)", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x1d42, "ASUS Zephyrus G14 2022", ALC289_FIXUP_ASUS_GA401),
+ SND_PCI_QUIRK(0x1043, 0x1d4e, "ASUS TM420", ALC256_FIXUP_ASUS_HPE),
+ SND_PCI_QUIRK(0x1043, 0x1e02, "ASUS UX3402", ALC245_FIXUP_CS35L41_SPI_2),
diff --git a/queue-6.1/alsa-hda-relatek-enable-mute-led-on-hp-250-g8.patch b/queue-6.1/alsa-hda-relatek-enable-mute-led-on-hp-250-g8.patch
new file mode 100644
index 00000000000..cbbfd804a1a
--- /dev/null
+++ b/queue-6.1/alsa-hda-relatek-enable-mute-led-on-hp-250-g8.patch
@@ -0,0 +1,31 @@
+From d510acb610e6aa07a04b688236868b2a5fd60deb Mon Sep 17 00:00:00 2001
+From: Luka Guzenko
+Date: Tue, 25 Jul 2023 13:15:09 +0200
+Subject: ALSA: hda/relatek: Enable Mute LED on HP 250 G8
+
+From: Luka Guzenko
+
+commit d510acb610e6aa07a04b688236868b2a5fd60deb upstream.
+
+This HP Notebook used ALC236 codec with COEF 0x07 idx 1 controlling
+the mute LED. Enable already existing quirk for this device.
+
+Signed-off-by: Luka Guzenko
+Cc:
+Link: https://lore.kernel.org/r/20230725111509.623773-1-l.guzenko@web.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9457,6 +9457,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x880d, "HP EliteBook 830 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8811, "HP Spectre x360 15-eb1xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
+ SND_PCI_QUIRK(0x103c, 0x8812, "HP Spectre x360 15-eb1xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
++ SND_PCI_QUIRK(0x103c, 0x881d, "HP 250 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x8846, "HP EliteBook 850 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8847, "HP EliteBook x360 830 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x884b, "HP EliteBook 840 Aero G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
diff --git a/queue-6.1/btrfs-account-block-group-tree-when-calculating-global-reserve-size.patch b/queue-6.1/btrfs-account-block-group-tree-when-calculating-global-reserve-size.patch
new file mode 100644
index 00000000000..51e7fffc71a
--- /dev/null
+++ b/queue-6.1/btrfs-account-block-group-tree-when-calculating-global-reserve-size.patch
@@ -0,0 +1,39 @@
+From 8dbfc14fc736eb701089aff09645c3d4ad3decb1 Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Thu, 20 Jul 2023 12:44:33 +0100
+Subject: btrfs: account block group tree when calculating global reserve size
+
+From: Filipe Manana
+
+commit 8dbfc14fc736eb701089aff09645c3d4ad3decb1 upstream.
+
+When using the block group tree feature, this tree is a critical tree just
+like the extent, csum and free space trees, and just like them it uses the
+delayed refs block reserve.
+
+So take into account the block group tree, and its current size, when
+calculating the size for the global reserve.
+
+CC: stable@vger.kernel.org # 6.1+
+Signed-off-by: Filipe Manana
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/block-rsv.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/btrfs/block-rsv.c
++++ b/fs/btrfs/block-rsv.c
+@@ -377,6 +377,11 @@ void btrfs_update_global_block_rsv(struc
+ }
+ read_unlock(&fs_info->global_root_lock);
+
++ if (btrfs_fs_compat_ro(fs_info, BLOCK_GROUP_TREE)) {
++ num_bytes += btrfs_root_used(&fs_info->block_group_root->root_item);
++ min_items++;
++ }
++
+ /*
+ * But we also want to reserve enough space so we can do the fallback
+ * global reserve for an unlink, which is an additional 5 items (see the
diff --git a/queue-6.1/btrfs-check-for-commit-error-at-btrfs_attach_transaction_barrier.patch b/queue-6.1/btrfs-check-for-commit-error-at-btrfs_attach_transaction_barrier.patch
new file mode 100644
index 00000000000..fc0ddbd6c04
--- /dev/null
+++ b/queue-6.1/btrfs-check-for-commit-error-at-btrfs_attach_transaction_barrier.patch
@@ -0,0 +1,53 @@
+From b28ff3a7d7e97456fd86b68d24caa32e1cfa7064 Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Fri, 21 Jul 2023 10:49:21 +0100
+Subject: btrfs: check for commit error at btrfs_attach_transaction_barrier()
+
+From: Filipe Manana
+
+commit b28ff3a7d7e97456fd86b68d24caa32e1cfa7064 upstream.
+
+btrfs_attach_transaction_barrier() is used to get a handle pointing to the
+current running transaction if the transaction has not started its commit
+yet (its state is < TRANS_STATE_COMMIT_START). If the transaction commit
+has started, then we wait for the transaction to commit and finish before
+returning - however we completely ignore if the transaction was aborted
+due to some error during its commit, we simply return ERR_PT(-ENOENT),
+which makes the caller assume everything is fine and no errors happened.
+
+This could make an fsync return success (0) to user space when in fact we
+had a transaction abort and the target inode changes were therefore not
+persisted.
+
+Fix this by checking for the return value from btrfs_wait_for_commit(),
+and if it returned an error, return it back to the caller.
+
+Fixes: d4edf39bd5db ("Btrfs: fix uncompleted transaction")
+CC: stable@vger.kernel.org # 4.19+
+Reviewed-by: Qu Wenruo
+Signed-off-by: Filipe Manana
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/transaction.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -814,8 +814,13 @@ btrfs_attach_transaction_barrier(struct
+
+ trans = start_transaction(root, 0, TRANS_ATTACH,
+ BTRFS_RESERVE_NO_FLUSH, true);
+- if (trans == ERR_PTR(-ENOENT))
+- btrfs_wait_for_commit(root->fs_info, 0);
++ if (trans == ERR_PTR(-ENOENT)) {
++ int ret;
++
++ ret = btrfs_wait_for_commit(root->fs_info, 0);
++ if (ret)
++ return ERR_PTR(ret);
++ }
+
+ return trans;
+ }
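Review bot: In the nested fs/btrfs/transaction.c hunk, the new `return ERR_PTR(ret);` can only fire once btrfs_wait_for_commit() actually reports an abort, and in this queue that behaviour comes from the separate patch btrfs-check-if-the-transaction-was-aborted-at-btrfs_wait_for_commit.patch; without it the added branch is presumably never taken for an aborted commit and the fsync-reports-success case from the message stays open. The queue-6.1/series ordering is not visible on this part of the page, so it should be confirmed that both patches are applied together. A one-line comment on the fall-through would also help the next reader: `/* commit finished without an abort: keep returning ERR_PTR(-ENOENT) */`. The start of btrfs_attach_transaction_barrier() is outside the hunk.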
diff --git a/queue-6.1/btrfs-check-if-the-transaction-was-aborted-at-btrfs_wait_for_commit.patch b/queue-6.1/btrfs-check-if-the-transaction-was-aborted-at-btrfs_wait_for_commit.patch
new file mode 100644
index 00000000000..42e7e1cdd18
--- /dev/null
+++ b/queue-6.1/btrfs-check-if-the-transaction-was-aborted-at-btrfs_wait_for_commit.patch
@@ -0,0 +1,35 @@
+From bf7ecbe9875061bf3fce1883e3b26b77f847d1e8 Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Fri, 21 Jul 2023 10:49:20 +0100
+Subject: btrfs: check if the transaction was aborted at btrfs_wait_for_commit()
+
+From: Filipe Manana
+
+commit bf7ecbe9875061bf3fce1883e3b26b77f847d1e8 upstream.
+
+At btrfs_wait_for_commit() we wait for a transaction to finish and then
+always return 0 (success) without checking if it was aborted, in which
+case the transaction didn't happen due to some critical error. Fix this
+by checking if the transaction was aborted.
+
+Fixes: 462045928bda ("Btrfs: add START_SYNC, WAIT_SYNC ioctls")
+CC: stable@vger.kernel.org # 4.19+
+Reviewed-by: Qu Wenruo
+Signed-off-by: Filipe Manana
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/transaction.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -919,6 +919,7 @@ int btrfs_wait_for_commit(struct btrfs_f
+ }
+
+ wait_for_commit(cur_trans, TRANS_STATE_COMPLETED);
++ ret = cur_trans->aborted;
+ btrfs_put_transaction(cur_trans);
+ out:
+ return ret;
diff --git a/queue-6.1/can-gs_usb-gs_can_close-add-missing-set-of-can-state-to-can_state_stopped.patch b/queue-6.1/can-gs_usb-gs_can_close-add-missing-set-of-can-state-to-can_state_stopped.patch
new file mode 100644
index 00000000000..875781919e4
--- /dev/null
+++ b/queue-6.1/can-gs_usb-gs_can_close-add-missing-set-of-can-state-to-can_state_stopped.patch
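Review bot: In the btrfs_wait_for_commit() hunk of btrfs-check-if-the-transaction-was-aborted-at-btrfs_wait_for_commit.patch, the added `ret = cur_trans->aborted;` is a plain load of a field that another task sets when it aborts the transaction, and nothing on the line says what the value means. If other readers of `aborted` in this file use an annotated read (not visible in the hunk), `ret = READ_ONCE(cur_trans->aborted);` would keep this one consistent. A short comment such as `/* 0, or the errno the transaction was aborted with */` would document the contract the companion btrfs_attach_transaction_barrier() change appears to rely on when it wraps the result in ERR_PTR(). The function starts outside the hunk.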
@@ -0,0 +1,42 @@
+From f8a2da6ec2417cca169fa85a8ab15817bccbb109 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Tue, 18 Jul 2023 11:43:54 +0200
+Subject: can: gs_usb: gs_can_close(): add missing set of CAN state to CAN_STATE_STOPPED
+
+From: Marc Kleine-Budde
+
+commit f8a2da6ec2417cca169fa85a8ab15817bccbb109 upstream.
+
+After an initial link up the CAN device is in ERROR-ACTIVE mode. Due
+to a missing CAN_STATE_STOPPED in gs_can_close() it doesn't change to
+STOPPED after a link down:
+
+| ip link set dev can0 up
+| ip link set dev can0 down
+| ip --details link show can0
+| 13: can0: mtu 16 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 10
+| link/can promiscuity 0 allmulti 0 minmtu 0 maxmtu 0
+| can state ERROR-ACTIVE restart-ms 1000
+
+Add missing assignment of CAN_STATE_STOPPED in gs_can_close().
+
+Cc: stable@vger.kernel.org
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Link: https://lore.kernel.org/all/20230718-gs_usb-fix-can-state-v1-1-f19738ae2c23@pengutronix.de
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/usb/gs_usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -989,6 +989,8 @@ static int gs_can_close(struct net_devic
+ usb_kill_anchored_urbs(&dev->tx_submitted);
+ atomic_set(&dev->active_tx_urbs, 0);
+
++ dev->can.state = CAN_STATE_STOPPED;
++
+ /* reset the device */
+ rc = gs_cmd_reset(dev);
+ if (rc < 0)
diff --git a/queue-6.1/documentation-security-bugs.rst-clarify-cve-handling.patch b/queue-6.1/documentation-security-bugs.rst-clarify-cve-handling.patch
new file mode 100644
index 00000000000..6032de00b45
--- /dev/null
+++ b/queue-6.1/documentation-security-bugs.rst-clarify-cve-handling.patch
@@ -0,0 +1,42 @@
+From 3c1897ae4b6bc7cc586eda2feaa2cd68325ec29c Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Fri, 30 Jun 2023 09:14:21 +0200
+Subject: Documentation: security-bugs.rst: clarify CVE handling
+
+From: Greg Kroah-Hartman
+
+commit 3c1897ae4b6bc7cc586eda2feaa2cd68325ec29c upstream.
+
+The kernel security team does NOT assign CVEs, so document that properly
+and provide the "if you want one, ask MITRE for it" response that we
+give on a weekly basis in the document, so we don't have to constantly
+say it to everyone who asks.
+
+Link: https://lore.kernel.org/r/2023063022-retouch-kerosene-7e4a@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/admin-guide/security-bugs.rst | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/Documentation/admin-guide/security-bugs.rst
++++ b/Documentation/admin-guide/security-bugs.rst
+@@ -79,13 +79,12 @@ not contribute to actually fixing any po
+ CVE assignment
+ --------------
+
+-The security team does not normally assign CVEs, nor do we require them
+-for reports or fixes, as this can needlessly complicate the process and
+-may delay the bug handling. If a reporter wishes to have a CVE identifier
+-assigned ahead of public disclosure, they will need to contact the private
+-linux-distros list, described above. When such a CVE identifier is known
+-before a patch is provided, it is desirable to mention it in the commit
+-message if the reporter agrees.
++The security team does not assign CVEs, nor do we require them for
++reports or fixes, as this can needlessly complicate the process and may
++delay the bug handling. If a reporter wishes to have a CVE identifier
++assigned, they should find one by themselves, for example by contacting
++MITRE directly. However under no circumstances will a patch inclusion
++be delayed to wait for a CVE identifier to arrive.
+
+ Non-disclosure agreements
+ -------------------------
diff --git a/queue-6.1/documentation-security-bugs.rst-update-preferences-when-dealing-with-the-linux-distros-group.patch b/queue-6.1/documentation-security-bugs.rst-update-preferences-when-dealing-with-the-linux-distros-group.patch
new file mode 100644
index 00000000000..fc43d0d1d72
--- /dev/null
+++ b/queue-6.1/documentation-security-bugs.rst-update-preferences-when-dealing-with-the-linux-distros-group.patch
@@ -0,0 +1,56 @@ +From 4fee0915e649bd0cea56dece6d96f8f4643df33c Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Fri, 30 Jun 2023 09:14:20 +0200 +Subject: Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group + +From: Greg Kroah-Hartman + +commit 4fee0915e649bd0cea56dece6d96f8f4643df33c upstream. + +Because the linux-distros group forces reporters to release information +about reported bugs, and they impose arbitrary deadlines in having those +bugs fixed despite not actually being kernel developers, the kernel +security team recommends not interacting with them at all as this just +causes confusion and the early-release of reported security problems. + +Reviewed-by: Kees Cook +Link: https://lore.kernel.org/r/2023063020-throat-pantyhose-f110@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/security-bugs.rst | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +--- a/Documentation/admin-guide/security-bugs.rst ++++ b/Documentation/admin-guide/security-bugs.rst +@@ -63,20 +63,18 @@ information submitted to the security li + of the report are treated confidentially even after the embargo has been + lifted, in perpetuity. + +-Coordination +------------- ++Coordination with other groups ++------------------------------ + +-Fixes for sensitive bugs, such as those that might lead to privilege +-escalations, may need to be coordinated with the private +- mailing list so that distribution vendors +-are well prepared to issue a fixed kernel upon public disclosure of the +-upstream fix. Distros will need some time to test the proposed patch and +-will generally request at least a few days of embargo, and vendor update +-publication prefers to happen Tuesday through Thursday. When appropriate, +-the security team can assist with this coordination, or the reporter can +-include linux-distros from the start. 
In this case, remember to prefix +-the email Subject line with "[vs]" as described in the linux-distros wiki: +- ++The kernel security team strongly recommends that reporters of potential ++security issues NEVER contact the "linux-distros" mailing list until ++AFTER discussing it with the kernel security team. Do not Cc: both ++lists at once. You may contact the linux-distros mailing list after a ++fix has been agreed on and you fully understand the requirements that ++doing so will impose on you and the kernel community. ++ ++The different lists have different goals and the linux-distros rules do ++not contribute to actually fixing any potential security problems. + + CVE assignment + -------------- diff --git a/queue-6.1/file-always-lock-position-for-fmode_atomic_pos.patch b/queue-6.1/file-always-lock-position-for-fmode_atomic_pos.patch new file mode 100644 index 00000000000..094dc8912cf --- /dev/null +++ b/queue-6.1/file-always-lock-position-for-fmode_atomic_pos.patch 
@@ -0,0 +1,57 @@
+From 20ea1e7d13c1b544fe67c4a8dc3943bb1ab33e6f Mon Sep 17 00:00:00 2001
+From: Christian Brauner
+Date: Mon, 24 Jul 2023 17:00:49 +0200
+Subject: file: always lock position for FMODE_ATOMIC_POS
+
+From: Christian Brauner
+
+commit 20ea1e7d13c1b544fe67c4a8dc3943bb1ab33e6f upstream.
+
+The pidfd_getfd() system call allows a caller with ptrace_may_access()
+abilities on another process to steal a file descriptor from this
+process. This system call is used by debuggers, container runtimes,
+system call supervisors, networking proxies etc. So while it is a
+special interest system call it is used in common tools.
+
+That ability ends up breaking our long-time optimization in fdget_pos(),
+which "knew" that if we had exclusive access to the file descriptor
+nobody else could access it, and we didn't need the lock for the file
+position.
+
+That check for file_count(file) was always fairly subtle - it depended
+on __fdget() not incrementing the file count for single-threaded
+processes and thus included that as part of the rule - but it did mean
+that we didn't need to take the lock in all those traditional unix
+process contexts.
+
+So it's sad to see this go, and I'd love to have some way to re-instate
+the optimization. At the same time, the lock obviously isn't ever
+contended in the case we optimized, so all we were optimizing away is
+the atomics and the cacheline dirtying. Let's see if anybody even
+notices that the optimization is gone.
+
+Link: https://lore.kernel.org/linux-fsdevel/20230724-vfs-fdget_pos-v1-1-a4abfd7103f3@kernel.org/
+Fixes: 8649c322f75c ("pid: Implement pidfd_getfd syscall")
+Cc: stable@kernel.org
+Signed-off-by: Christian Brauner
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/file.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/fs/file.c
++++ b/fs/file.c
+@@ -1042,10 +1042,8 @@ unsigned long __fdget_pos(unsigned int f
+ struct file *file = (struct file *)(v & ~3);
+
+ if (file && (file->f_mode & FMODE_ATOMIC_POS)) {
+- if (file_count(file) > 1) {
+- v |= FDPUT_POS_UNLOCK;
+- mutex_lock(&file->f_pos_lock);
+- }
++ v |= FDPUT_POS_UNLOCK;
++ mutex_lock(&file->f_pos_lock);
+ }
+ return v;
+ }
diff --git a/queue-6.1/hwmon-k10temp-enable-amd3255-proc-to-show-negative-temperature.patch b/queue-6.1/hwmon-k10temp-enable-amd3255-proc-to-show-negative-temperature.patch
new file mode 100644
index 00000000000..4162a0df7ed
--- /dev/null
+++ b/queue-6.1/hwmon-k10temp-enable-amd3255-proc-to-show-negative-temperature.patch
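Review bot: The nested fs/file.c hunk leaves `__fdget_pos()` taking `f_pos_lock` unconditionally with no comment saying why, so the removed `file_count(file) > 1` shortcut reads like an obvious optimisation for someone to restore later. The commit message gives the reason: pidfd_getfd() lets another process with ptrace_may_access() rights obtain the same file, so a reference count of one no longer proves exclusive access to the file position. I would record that next to the lock, e.g. `/* pidfd_getfd() can hand this file to another task, so file_count() == 1 does not mean exclusive f_pos access: always lock */`. The start of __fdget_pos() is outside the hunk.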
@@ -0,0 +1,82 @@ +From e146503ac68418859fb063a3a0cd9ec93bc52238 Mon Sep 17 00:00:00 2001 +From: Baskaran Kannan +Date: Thu, 27 Jul 2023 11:21:59 -0500 +Subject: hwmon: (k10temp) Enable AMD3255 Proc to show negative temperature + +From: Baskaran Kannan + +commit e146503ac68418859fb063a3a0cd9ec93bc52238 upstream. + +Industrial processor i3255 supports temperatures -40 deg celcius +to 105 deg Celcius. The current implementation of k10temp_read_temp +rounds off any negative temperatures to '0'. To fix this, +the following changes have been made. + +A flag 'disp_negative' is added to struct k10temp_data to support +AMD i3255 processors. Flag 'disp_negative' is set if 3255 processor +is found during k10temp_probe. Flag 'disp_negative' is used to +determine whether to round off negative temperatures to '0' in +k10temp_read_temp. + +Signed-off-by: Baskaran Kannan +Link: https://lore.kernel.org/r/20230727162159.1056136-1-Baski.Kannan@amd.com +Fixes: aef17ca12719 ("hwmon: (k10temp) Only apply temperature offset if result is positive") +Cc: stable@vger.kernel.org +[groeck: Fixed multi-line comment] +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/k10temp.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/drivers/hwmon/k10temp.c ++++ b/drivers/hwmon/k10temp.c +@@ -77,6 +77,13 @@ static DEFINE_MUTEX(nb_smu_ind_mutex); + #define ZEN_CUR_TEMP_RANGE_SEL_MASK BIT(19) + #define ZEN_CUR_TEMP_TJ_SEL_MASK GENMASK(17, 16) + ++/* ++ * AMD's Industrial processor 3255 supports temperature from -40 deg to 105 deg Celsius. ++ * Use the model name to identify 3255 CPUs and set a flag to display negative temperature. 
++ * Do not round off to zero for negative Tctl or Tdie values if the flag is set ++ */ ++#define AMD_I3255_STR "3255" ++ + struct k10temp_data { + struct pci_dev *pdev; + void (*read_htcreg)(struct pci_dev *pdev, u32 *regval); +@@ -86,6 +93,7 @@ struct k10temp_data { + u32 show_temp; + bool is_zen; + u32 ccd_offset; ++ bool disp_negative; + }; + + #define TCTL_BIT 0 +@@ -204,12 +212,12 @@ static int k10temp_read_temp(struct devi + switch (channel) { + case 0: /* Tctl */ + *val = get_raw_temp(data); +- if (*val < 0) ++ if (*val < 0 && !data->disp_negative) + *val = 0; + break; + case 1: /* Tdie */ + *val = get_raw_temp(data) - data->temp_offset; +- if (*val < 0) ++ if (*val < 0 && !data->disp_negative) + *val = 0; + break; + case 2 ... 13: /* Tccd{1-12} */ +@@ -405,6 +413,11 @@ static int k10temp_probe(struct pci_dev + data->pdev = pdev; + data->show_temp |= BIT(TCTL_BIT); /* Always show Tctl */ + ++ if (boot_cpu_data.x86 == 0x17 && ++ strstr(boot_cpu_data.x86_model_id, AMD_I3255_STR)) { ++ data->disp_negative = true; ++ } ++ + if (boot_cpu_data.x86 == 0x15 && + ((boot_cpu_data.x86_model & 0xf0) == 0x60 || + (boot_cpu_data.x86_model & 0xf0) == 0x70)) { diff --git a/queue-6.1/hwmon-nct7802-fix-for-temp6-peci1-processed-even-if-peci1-disabled.patch b/queue-6.1/hwmon-nct7802-fix-for-temp6-peci1-processed-even-if-peci1-disabled.patch new file mode 100644 index 00000000000..f4c26188947 --- /dev/null +++ b/queue-6.1/hwmon-nct7802-fix-for-temp6-peci1-processed-even-if-peci1-disabled.patch 
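Review bot: In k10temp_probe() the test `strstr(boot_cpu_data.x86_model_id, AMD_I3255_STR)` sets `disp_negative` for any family 17h part whose brand string merely contains "3255", which is looser than the comment above `AMD_I3255_STR` suggests. If no dedicated model number can be checked for this part, the comment should at least say so, e.g. `/* Substring match on the brand string; no dedicated model ID is checked here. */`. The flag is honoured only for channels 0 and 1 in k10temp_read_temp(); how the Tccd channels treat negative readings is not visible in this hunk. Both functions continue outside the hunks shown.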
@@ -0,0 +1,34 @@
+From 54685abe660a59402344d5045ce08c43c6a5ac42 Mon Sep 17 00:00:00 2001
+From: Gilles Buloz
+Date: Mon, 24 Jul 2023 08:04:44 +0000
+Subject: hwmon: (nct7802) Fix for temp6 (PECI1) processed even if PECI1 disabled
+
+From: Gilles Buloz
+
+commit 54685abe660a59402344d5045ce08c43c6a5ac42 upstream.
+
+Because of hex value 0x46 used instead of decimal 46, the temp6
+(PECI1) temperature is always declared visible and then displayed
+even if disabled in the chip
+
+Signed-off-by: Gilles Buloz
+Link: https://lore.kernel.org/r/DU0PR10MB62526435ADBC6A85243B90E08002A@DU0PR10MB6252.EURPRD10.PROD.OUTLOOK.COM
+Fixes: fcdc5739dce03 ("hwmon: (nct7802) add temperature sensor type attribute")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hwmon/nct7802.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/nct7802.c
++++ b/drivers/hwmon/nct7802.c
+@@ -725,7 +725,7 @@ static umode_t nct7802_temp_is_visible(s
+ if (index >= 38 && index < 46 && !(reg & 0x01)) /* PECI 0 */
+ return 0;
+
+- if (index >= 0x46 && (!(reg & 0x02))) /* PECI 1 */
++ if (index >= 46 && !(reg & 0x02)) /* PECI 1 */
+ return 0;
+
+ return attr->mode;
diff --git a/queue-6.1/kvm-grab-a-reference-to-kvm-for-vm-and-vcpu-stats-file-descriptors.patch b/queue-6.1/kvm-grab-a-reference-to-kvm-for-vm-and-vcpu-stats-file-descriptors.patch
new file mode 100644
index 00000000000..a12e79bad99
--- /dev/null
+++ b/queue-6.1/kvm-grab-a-reference-to-kvm-for-vm-and-vcpu-stats-file-descriptors.patch
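Review bot: The corrected bound `index >= 46` in nct7802_temp_is_visible() is still a bare attribute index, which is how `0x46` went unnoticed next to the `index < 46` of the PECI 0 test. A short comment or named constants for the PECI 0 and PECI 1 index ranges would let the two tests be checked against each other, for example `/* temp6 (PECI 1) attributes start at index 46 */` on the changed line. The function starts and ends outside the hunk, so the attribute table these indices refer to is not visible here.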
@@ -0,0 +1,89 @@ +From eed3013faa401aae662398709410a59bb0646e32 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 11 Jul 2023 16:01:25 -0700 +Subject: KVM: Grab a reference to KVM for VM and vCPU stats file descriptors + +From: Sean Christopherson + +commit eed3013faa401aae662398709410a59bb0646e32 upstream. + +Grab a reference to KVM prior to installing VM and vCPU stats file +descriptors to ensure the underlying VM and vCPU objects are not freed +until the last reference to any and all stats fds are dropped. + +Note, the stats paths manually invoke fd_install() and so don't need to +grab a reference before creating the file. + +Fixes: ce55c049459c ("KVM: stats: Support binary stats retrieval for a VCPU") +Fixes: fcfe1baeddbf ("KVM: stats: Support binary stats retrieval for a VM") +Reported-by: Zheng Zhang +Closes: https://lore.kernel.org/all/CAC_GQSr3xzZaeZt85k_RCBd5kfiOve8qXo7a81Cq53LuVQ5r=Q@mail.gmail.com +Cc: stable@vger.kernel.org +Cc: Kees Cook +Signed-off-by: Sean Christopherson +Reviewed-by: Kees Cook +Message-Id: <20230711230131.648752-2-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/kvm_main.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -4032,8 +4032,17 @@ static ssize_t kvm_vcpu_stats_read(struc + sizeof(vcpu->stat), user_buffer, size, offset); + } + ++static int kvm_vcpu_stats_release(struct inode *inode, struct file *file) ++{ ++ struct kvm_vcpu *vcpu = file->private_data; ++ ++ kvm_put_kvm(vcpu->kvm); ++ return 0; ++} ++ + static const struct file_operations kvm_vcpu_stats_fops = { + .read = kvm_vcpu_stats_read, ++ .release = kvm_vcpu_stats_release, + .llseek = noop_llseek, + }; + +@@ -4054,6 +4063,9 @@ static int kvm_vcpu_ioctl_get_stats_fd(s + put_unused_fd(fd); + return PTR_ERR(file); + } ++ ++ kvm_get_kvm(vcpu->kvm); ++ + file->f_mode |= FMODE_PREAD; + fd_install(fd, file); + +@@ -4658,8 +4670,17 @@ 
static ssize_t kvm_vm_stats_read(struct + sizeof(kvm->stat), user_buffer, size, offset); + } + ++static int kvm_vm_stats_release(struct inode *inode, struct file *file) ++{ ++ struct kvm *kvm = file->private_data; ++ ++ kvm_put_kvm(kvm); ++ return 0; ++} ++ + static const struct file_operations kvm_vm_stats_fops = { + .read = kvm_vm_stats_read, ++ .release = kvm_vm_stats_release, + .llseek = noop_llseek, + }; + +@@ -4678,6 +4699,9 @@ static int kvm_vm_ioctl_get_stats_fd(str + put_unused_fd(fd); + return PTR_ERR(file); + } ++ ++ kvm_get_kvm(kvm); ++ + file->f_mode |= FMODE_PREAD; + fd_install(fd, file); + diff --git a/queue-6.1/kvm-vmx-don-t-fudge-cr0-and-cr4-for-restricted-l2-guest.patch b/queue-6.1/kvm-vmx-don-t-fudge-cr0-and-cr4-for-restricted-l2-guest.patch new file mode 100644 index 00000000000..730e8bbe03b --- /dev/null +++ b/queue-6.1/kvm-vmx-don-t-fudge-cr0-and-cr4-for-restricted-l2-guest.patch 
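Review bot: The `kvm_get_kvm()` calls added in kvm_vcpu_ioctl_get_stats_fd() and kvm_vm_ioctl_get_stats_fd() have no comment tying them to the new `.release` handlers, and that pairing is what stops a stats file from outliving the VM it reads from. I would add above each call `/* Pairs with kvm_put_kvm() in the stats fd's ->release(); taken before fd_install() exposes the fd to userspace. */`. In kvm_vcpu_stats_release() the reference is held on `vcpu->kvm`, which presumably keeps the vCPU object alive as well; that dependency cannot be confirmed from this hunk and deserves a one-line comment. Both ioctl helpers start above their hunks.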
@@ -0,0 +1,88 @@ +From c4abd7352023aa96114915a0bb2b88016a425cda Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 13 Jun 2023 13:30:36 -0700 +Subject: KVM: VMX: Don't fudge CR0 and CR4 for restricted L2 guest + +From: Sean Christopherson + +commit c4abd7352023aa96114915a0bb2b88016a425cda upstream. + +Stuff CR0 and/or CR4 to be compliant with a restricted guest if and only +if KVM itself is not configured to utilize unrestricted guests, i.e. don't +stuff CR0/CR4 for a restricted L2 that is running as the guest of an +unrestricted L1. Any attempt to VM-Enter a restricted guest with invalid +CR0/CR4 values should fail, i.e. in a nested scenario, KVM (as L0) should +never observe a restricted L2 with incompatible CR0/CR4, since nested +VM-Enter from L1 should have failed. + +And if KVM does observe an active, restricted L2 with incompatible state, +e.g. due to a KVM bug, fudging CR0/CR4 instead of letting VM-Enter fail +does more harm than good, as KVM will often neglect to undo the side +effects, e.g. won't clear rmode.vm86_active on nested VM-Exit, and thus +the damage can easily spill over to L1. On the other hand, letting +VM-Enter fail due to bad guest state is more likely to contain the damage +to L2 as KVM relies on hardware to perform most guest state consistency +checks, i.e. KVM needs to be able to reflect a failed nested VM-Enter into +L1 irrespective of (un)restricted guest behavior. 
+ +Cc: Jim Mattson +Cc: stable@vger.kernel.org +Fixes: bddd82d19e2e ("KVM: nVMX: KVM needs to unset "unrestricted guest" VM-execution control in vmcs02 if vmcs12 doesn't set it") +Signed-off-by: Sean Christopherson +Message-Id: <20230613203037.1968489-3-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx/vmx.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -1461,6 +1461,11 @@ void vmx_set_rflags(struct kvm_vcpu *vcp + struct vcpu_vmx *vmx = to_vmx(vcpu); + unsigned long old_rflags; + ++ /* ++ * Unlike CR0 and CR4, RFLAGS handling requires checking if the vCPU ++ * is an unrestricted guest in order to mark L2 as needing emulation ++ * if L1 runs L2 as a restricted guest. ++ */ + if (is_unrestricted_guest(vcpu)) { + kvm_register_mark_available(vcpu, VCPU_EXREG_RFLAGS); + vmx->rflags = rflags; +@@ -3169,7 +3174,7 @@ void vmx_set_cr0(struct kvm_vcpu *vcpu, + old_cr0_pg = kvm_read_cr0_bits(vcpu, X86_CR0_PG); + + hw_cr0 = (cr0 & ~KVM_VM_CR0_ALWAYS_OFF); +- if (is_unrestricted_guest(vcpu)) ++ if (enable_unrestricted_guest) + hw_cr0 |= KVM_VM_CR0_ALWAYS_ON_UNRESTRICTED_GUEST; + else { + hw_cr0 |= KVM_VM_CR0_ALWAYS_ON; +@@ -3197,7 +3202,7 @@ void vmx_set_cr0(struct kvm_vcpu *vcpu, + } + #endif + +- if (enable_ept && !is_unrestricted_guest(vcpu)) { ++ if (enable_ept && !enable_unrestricted_guest) { + /* + * Ensure KVM has an up-to-date snapshot of the guest's CR3. 
If + * the below code _enables_ CR3 exiting, vmx_cache_reg() will +@@ -3328,7 +3333,7 @@ void vmx_set_cr4(struct kvm_vcpu *vcpu, + unsigned long hw_cr4; + + hw_cr4 = (cr4_read_shadow() & X86_CR4_MCE) | (cr4 & ~X86_CR4_MCE); +- if (is_unrestricted_guest(vcpu)) ++ if (enable_unrestricted_guest) + hw_cr4 |= KVM_VM_CR4_ALWAYS_ON_UNRESTRICTED_GUEST; + else if (vmx->rmode.vm86_active) + hw_cr4 |= KVM_RMODE_VM_CR4_ALWAYS_ON; +@@ -3348,7 +3353,7 @@ void vmx_set_cr4(struct kvm_vcpu *vcpu, + vcpu->arch.cr4 = cr4; + kvm_register_mark_available(vcpu, VCPU_EXREG_CR4); + +- if (!is_unrestricted_guest(vcpu)) { ++ if (!enable_unrestricted_guest) { + if (enable_ept) { + if (!is_paging(vcpu)) { + hw_cr4 &= ~X86_CR4_PAE; diff --git a/queue-6.1/kvm-x86-disallow-kvm_set_sregs-2-if-incoming-cr0-is-invalid.patch b/queue-6.1/kvm-x86-disallow-kvm_set_sregs-2-if-incoming-cr0-is-invalid.patch new file mode 100644 index 00000000000..74ffc37ec36 --- /dev/null +++ b/queue-6.1/kvm-x86-disallow-kvm_set_sregs-2-if-incoming-cr0-is-invalid.patch 
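Review bot: vmx_set_cr0() and vmx_set_cr4() now test the module-wide `enable_unrestricted_guest` while vmx_set_rflags() keeps the per-vCPU `is_unrestricted_guest(vcpu)`, and only the RFLAGS site received a comment explaining the difference. Someone reading the CR0 or CR4 code on its own will not see why the per-vCPU helper is deliberately avoided there. I would add at the first changed test in vmx_set_cr0() `/* Use the module param, not is_unrestricted_guest(): a restricted L2 under an unrestricted L1 must fail VM-Enter rather than have CR0 fudged. */`, with a matching line in vmx_set_cr4(). All three functions extend beyond the hunks shown.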
@@ -0,0 +1,204 @@ +From 26a0652cb453c72f6aab0974bc4939e9b14f886b Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 13 Jun 2023 13:30:35 -0700 +Subject: KVM: x86: Disallow KVM_SET_SREGS{2} if incoming CR0 is invalid + +From: Sean Christopherson + +commit 26a0652cb453c72f6aab0974bc4939e9b14f886b upstream. + +Reject KVM_SET_SREGS{2} with -EINVAL if the incoming CR0 is invalid, +e.g. due to setting bits 63:32, illegal combinations, or to a value that +isn't allowed in VMX (non-)root mode. The VMX checks in particular are +"fun" as failure to disallow Real Mode for an L2 that is configured with +unrestricted guest disabled, when KVM itself has unrestricted guest +enabled, will result in KVM forcing VM86 mode to virtual Real Mode for +L2, but then fail to unwind the related metadata when synthesizing a +nested VM-Exit back to L1 (which has unrestricted guest enabled). + +Opportunistically fix a benign typo in the prototype for is_valid_cr4(). + +Cc: stable@vger.kernel.org +Reported-by: syzbot+5feef0b9ee9c8e9e5689@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/000000000000f316b705fdf6e2b4@google.com +Signed-off-by: Sean Christopherson +Message-Id: <20230613203037.1968489-2-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/kvm-x86-ops.h | 1 + + arch/x86/include/asm/kvm_host.h | 3 ++- + arch/x86/kvm/svm/svm.c | 6 ++++++ + arch/x86/kvm/vmx/vmx.c | 28 +++++++++++++++++++++------- + arch/x86/kvm/x86.c | 34 ++++++++++++++++++++++------------ + 5 files changed, 52 insertions(+), 20 deletions(-) + +--- a/arch/x86/include/asm/kvm-x86-ops.h ++++ b/arch/x86/include/asm/kvm-x86-ops.h +@@ -36,6 +36,7 @@ KVM_X86_OP(get_segment) + KVM_X86_OP(get_cpl) + KVM_X86_OP(set_segment) + KVM_X86_OP(get_cs_db_l_bits) ++KVM_X86_OP(is_valid_cr0) + KVM_X86_OP(set_cr0) + KVM_X86_OP_OPTIONAL(post_set_cr3) + KVM_X86_OP(is_valid_cr4) +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ 
-1488,9 +1488,10 @@ struct kvm_x86_ops { + void (*set_segment)(struct kvm_vcpu *vcpu, + struct kvm_segment *var, int seg); + void (*get_cs_db_l_bits)(struct kvm_vcpu *vcpu, int *db, int *l); ++ bool (*is_valid_cr0)(struct kvm_vcpu *vcpu, unsigned long cr0); + void (*set_cr0)(struct kvm_vcpu *vcpu, unsigned long cr0); + void (*post_set_cr3)(struct kvm_vcpu *vcpu, unsigned long cr3); +- bool (*is_valid_cr4)(struct kvm_vcpu *vcpu, unsigned long cr0); ++ bool (*is_valid_cr4)(struct kvm_vcpu *vcpu, unsigned long cr4); + void (*set_cr4)(struct kvm_vcpu *vcpu, unsigned long cr4); + int (*set_efer)(struct kvm_vcpu *vcpu, u64 efer); + void (*get_idt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt); +--- a/arch/x86/kvm/svm/svm.c ++++ b/arch/x86/kvm/svm/svm.c +@@ -1763,6 +1763,11 @@ static void sev_post_set_cr3(struct kvm_ + } + } + ++static bool svm_is_valid_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) ++{ ++ return true; ++} ++ + void svm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) + { + struct vcpu_svm *svm = to_svm(vcpu); +@@ -4749,6 +4754,7 @@ static struct kvm_x86_ops svm_x86_ops __ + .set_segment = svm_set_segment, + .get_cpl = svm_get_cpl, + .get_cs_db_l_bits = svm_get_cs_db_l_bits, ++ .is_valid_cr0 = svm_is_valid_cr0, + .set_cr0 = svm_set_cr0, + .post_set_cr3 = sev_post_set_cr3, + .is_valid_cr4 = svm_is_valid_cr4, +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -2975,6 +2975,15 @@ static void enter_rmode(struct kvm_vcpu + struct vcpu_vmx *vmx = to_vmx(vcpu); + struct kvm_vmx *kvm_vmx = to_kvm_vmx(vcpu->kvm); + ++ /* ++ * KVM should never use VM86 to virtualize Real Mode when L2 is active, ++ * as using VM86 is unnecessary if unrestricted guest is enabled, and ++ * if unrestricted guest is disabled, VM-Enter (from L1) with CR0.PG=0 ++ * should VM-Fail and KVM should reject userspace attempts to stuff ++ * CR0.PG=0 when L2 is active. 
++ */ ++ WARN_ON_ONCE(is_guest_mode(vcpu)); ++ + vmx_get_segment(vcpu, &vmx->rmode.segs[VCPU_SREG_TR], VCPU_SREG_TR); + vmx_get_segment(vcpu, &vmx->rmode.segs[VCPU_SREG_ES], VCPU_SREG_ES); + vmx_get_segment(vcpu, &vmx->rmode.segs[VCPU_SREG_DS], VCPU_SREG_DS); +@@ -3165,6 +3174,17 @@ void ept_save_pdptrs(struct kvm_vcpu *vc + #define CR3_EXITING_BITS (CPU_BASED_CR3_LOAD_EXITING | \ + CPU_BASED_CR3_STORE_EXITING) + ++static bool vmx_is_valid_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) ++{ ++ if (is_guest_mode(vcpu)) ++ return nested_guest_cr0_valid(vcpu, cr0); ++ ++ if (to_vmx(vcpu)->nested.vmxon) ++ return nested_host_cr0_valid(vcpu, cr0); ++ ++ return true; ++} ++ + void vmx_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) + { + struct vcpu_vmx *vmx = to_vmx(vcpu); +@@ -5316,18 +5336,11 @@ static int handle_set_cr0(struct kvm_vcp + val = (val & ~vmcs12->cr0_guest_host_mask) | + (vmcs12->guest_cr0 & vmcs12->cr0_guest_host_mask); + +- if (!nested_guest_cr0_valid(vcpu, val)) +- return 1; +- + if (kvm_set_cr0(vcpu, val)) + return 1; + vmcs_writel(CR0_READ_SHADOW, orig_val); + return 0; + } else { +- if (to_vmx(vcpu)->nested.vmxon && +- !nested_host_cr0_valid(vcpu, val)) +- return 1; +- + return kvm_set_cr0(vcpu, val); + } + } +@@ -8117,6 +8130,7 @@ static struct kvm_x86_ops vmx_x86_ops __ + .set_segment = vmx_set_segment, + .get_cpl = vmx_get_cpl, + .get_cs_db_l_bits = vmx_get_cs_db_l_bits, ++ .is_valid_cr0 = vmx_is_valid_cr0, + .set_cr0 = vmx_set_cr0, + .is_valid_cr4 = vmx_is_valid_cr4, + .set_cr4 = vmx_set_cr4, +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -908,6 +908,22 @@ int load_pdptrs(struct kvm_vcpu *vcpu, u + } + EXPORT_SYMBOL_GPL(load_pdptrs); + ++static bool kvm_is_valid_cr0(struct kvm_vcpu *vcpu, unsigned long cr0) ++{ ++#ifdef CONFIG_X86_64 ++ if (cr0 & 0xffffffff00000000UL) ++ return false; ++#endif ++ ++ if ((cr0 & X86_CR0_NW) && !(cr0 & X86_CR0_CD)) ++ return false; ++ ++ if ((cr0 & X86_CR0_PG) && !(cr0 & X86_CR0_PE)) ++ return false; ++ ++ 
return static_call(kvm_x86_is_valid_cr0)(vcpu, cr0); ++} ++ + void kvm_post_set_cr0(struct kvm_vcpu *vcpu, unsigned long old_cr0, unsigned long cr0) + { + /* +@@ -948,20 +964,13 @@ int kvm_set_cr0(struct kvm_vcpu *vcpu, u + { + unsigned long old_cr0 = kvm_read_cr0(vcpu); + +- cr0 |= X86_CR0_ET; +- +-#ifdef CONFIG_X86_64 +- if (cr0 & 0xffffffff00000000UL) ++ if (!kvm_is_valid_cr0(vcpu, cr0)) + return 1; +-#endif +- +- cr0 &= ~CR0_RESERVED_BITS; + +- if ((cr0 & X86_CR0_NW) && !(cr0 & X86_CR0_CD)) +- return 1; ++ cr0 |= X86_CR0_ET; + +- if ((cr0 & X86_CR0_PG) && !(cr0 & X86_CR0_PE)) +- return 1; ++ /* Write to CR0 reserved bits are ignored, even on Intel. */ ++ cr0 &= ~CR0_RESERVED_BITS; + + #ifdef CONFIG_X86_64 + if ((vcpu->arch.efer & EFER_LME) && !is_paging(vcpu) && +@@ -11532,7 +11541,8 @@ static bool kvm_is_valid_sregs(struct kv + return false; + } + +- return kvm_is_valid_cr4(vcpu, sregs->cr4); ++ return kvm_is_valid_cr4(vcpu, sregs->cr4) && ++ kvm_is_valid_cr0(vcpu, sregs->cr0); + } + + static int __set_sregs_common(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs, diff --git a/queue-6.1/nfsd-remove-incorrect-check-in-nfsd4_validate_stateid.patch b/queue-6.1/nfsd-remove-incorrect-check-in-nfsd4_validate_stateid.patch new file mode 100644 index 00000000000..f9e6452e2b8 --- /dev/null +++ b/queue-6.1/nfsd-remove-incorrect-check-in-nfsd4_validate_stateid.patch 
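Review bot: kvm_set_cr0() now calls kvm_is_valid_cr0() before `cr0 |= X86_CR0_ET` and `cr0 &= ~CR0_RESERVED_BITS`, so the vendor `is_valid_cr0` hook receives the raw value with reserved bits in the low 32 bits still set; the KVM_SET_SREGS path through kvm_is_valid_sregs() passes `sregs->cr0` the same way. Whether nested_guest_cr0_valid() and nested_host_cr0_valid() tolerate that is not visible here, so the contract should be stated on kvm_is_valid_cr0(), e.g. `/* cr0 is the unmodified value from the guest or userspace; reserved bits are not yet masked. */`. svm_is_valid_cr0() returns `true` unconditionally and would benefit from a one-line comment saying this is intentional.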
@@ -0,0 +1,38 @@
+From f75546f58a70da5cfdcec5a45ffc377885ccbee8 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Tue, 18 Jul 2023 08:38:37 -0400
+Subject: nfsd: Remove incorrect check in nfsd4_validate_stateid
+
+From: Trond Myklebust
+
+commit f75546f58a70da5cfdcec5a45ffc377885ccbee8 upstream.
+
+If the client is calling TEST_STATEID, then it is because some event
+occurred that requires it to check all the stateids for validity and
+call FREE_STATEID on the ones that have been revoked. In this case,
+either the stateid exists in the list of stateids associated with that
+nfs4_client, in which case it should be tested, or it does not. There
+are no additional conditions to be considered.
+
+Reported-by: "Frank Ch. Eigler"
+Fixes: 7df302f75ee2 ("NFSD: TEST_STATEID should not return NFS4ERR_STALE_STATEID")
+Cc: stable@vger.kernel.org # v5.7+
+Signed-off-by: Trond Myklebust
+Reviewed-by: Jeff Layton
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4state.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -6269,8 +6269,6 @@ static __be32 nfsd4_validate_stateid(str
+ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) ||
+ CLOSE_STATEID(stateid))
+ return status;
+- if (!same_clid(&stateid->si_opaque.so_clid, &cl->cl_clientid))
+- return status;
+ spin_lock(&cl->cl_lock);
+ s = find_stateid_locked(cl, stateid);
+ if (!s)
diff --git a/queue-6.1/revert-usb-dwc3-core-enable-autoretry-feature-in-the-controller.patch b/queue-6.1/revert-usb-dwc3-core-enable-autoretry-feature-in-the-controller.patch
new file mode 100644
index 00000000000..e1fa07646bc
--- /dev/null
+++ b/queue-6.1/revert-usb-dwc3-core-enable-autoretry-feature-in-the-controller.patch
@@ -0,0 +1,98 @@ +From 734ae15ab95a18d3d425fc9cb38b7a627d786f08 Mon Sep 17 00:00:00 2001 +From: Jakub Vanek +Date: Fri, 14 Jul 2023 14:24:19 +0200 +Subject: Revert "usb: dwc3: core: Enable AutoRetry feature in the controller" + +From: Jakub Vanek + +commit 734ae15ab95a18d3d425fc9cb38b7a627d786f08 upstream. + +This reverts commit b138e23d3dff90c0494925b4c1874227b81bddf7. + +AutoRetry has been found to sometimes cause controller freezes when +communicating with buggy USB devices. + +This controller feature allows the controller in host mode to send +non-terminating/burst retry ACKs instead of terminating retry ACKs +to devices when a transaction error (CRC error or overflow) occurs. + +Unfortunately, if the USB device continues to respond with a CRC error, +the controller will not complete endpoint-related commands while it +keeps trying to auto-retry. [3] The xHCI driver will notice this once +it tries to abort the transfer using a Stop Endpoint command and +does not receive a completion in time. [1] +This situation is reported to dmesg: + +[sda] tag#29 uas_eh_abort_handler 0 uas-tag 1 inflight: CMD IN +[sda] tag#29 CDB: opcode=0x28 28 00 00 69 42 80 00 00 48 00 +xhci-hcd: xHCI host not responding to stop endpoint command +xhci-hcd: xHCI host controller not responding, assume dead +xhci-hcd: HC died; cleaning up + +Some users observed this problem on an Odroid HC2 with the JMS578 +USB3-to-SATA bridge. The issue can be triggered by starting +a read-heavy workload on an attached SSD. After a while, the host +controller would die and the SSD would disappear from the system. [1] + +Further analysis by Synopsys determined that controller revisions +other than the one in Odroid HC2 are also affected by this. +The recommended solution was to disable AutoRetry altogether. +This change does not have a noticeable performance impact. [2] + +Revert the enablement commit. This will keep the AutoRetry bit in +the default state configured during SoC design [2]. 
+ +Fixes: b138e23d3dff ("usb: dwc3: core: Enable AutoRetry feature in the controller") +Link: https://lore.kernel.org/r/a21f34c04632d250cd0a78c7c6f4a1c9c7a43142.camel@gmail.com/ [1] +Link: https://lore.kernel.org/r/20230711214834.kyr6ulync32d4ktk@synopsys.com/ [2] +Link: https://lore.kernel.org/r/20230712225518.2smu7wse6djc7l5o@synopsys.com/ [3] +Cc: stable@vger.kernel.org +Cc: Mauro Ribeiro +Cc: Krzysztof Kozlowski +Suggested-by: Thinh Nguyen +Signed-off-by: Jakub Vanek +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20230714122419.27741-1-linuxtardis@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 16 ---------------- + drivers/usb/dwc3/core.h | 3 --- + 2 files changed, 19 deletions(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1241,22 +1241,6 @@ static int dwc3_core_init(struct dwc3 *d + dwc3_writel(dwc->regs, DWC3_GUCTL1, reg); + } + +- if (dwc->dr_mode == USB_DR_MODE_HOST || +- dwc->dr_mode == USB_DR_MODE_OTG) { +- reg = dwc3_readl(dwc->regs, DWC3_GUCTL); +- +- /* +- * Enable Auto retry Feature to make the controller operating in +- * Host mode on seeing transaction errors(CRC errors or internal +- * overrun scenerios) on IN transfers to reply to the device +- * with a non-terminating retry ACK (i.e, an ACK transcation +- * packet with Retry=1 & Nump != 0) +- */ +- reg |= DWC3_GUCTL_HSTINAUTORETRY; +- +- dwc3_writel(dwc->regs, DWC3_GUCTL, reg); +- } +- + /* + * Must config both number of packets and max burst settings to enable + * RX and/or TX threshold. +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -254,9 +254,6 @@ + #define DWC3_GCTL_GBLHIBERNATIONEN BIT(1) + #define DWC3_GCTL_DSBLCLKGTNG BIT(0) + +-/* Global User Control Register */ +-#define DWC3_GUCTL_HSTINAUTORETRY BIT(14) +- + /* Global User Control 1 Register */ + #define DWC3_GUCTL1_DEV_DECOUPLE_L1L2_EVT BIT(31) + #define DWC3_GUCTL1_TX_IPGAP_LINECHECK_DIS BIT(28) 
diff --git a/queue-6.1/revert-usb-gadget-tegra-xudc-fix-error-check-in-tegra_xudc_powerdomain_init.patch b/queue-6.1/revert-usb-gadget-tegra-xudc-fix-error-check-in-tegra_xudc_powerdomain_init.patch
new file mode 100644
index 00000000000..d8f5d0b6582
--- /dev/null
+++ b/queue-6.1/revert-usb-gadget-tegra-xudc-fix-error-check-in-tegra_xudc_powerdomain_init.patch
@@ -0,0 +1,54 @@ +From a8291be6b5dd465c22af229483dbac543a91e24e Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 4 Jul 2023 17:09:09 +0300 +Subject: Revert "usb: gadget: tegra-xudc: Fix error check in tegra_xudc_powerdomain_init()" + +From: Dan Carpenter + +commit a8291be6b5dd465c22af229483dbac543a91e24e upstream. + +This reverts commit f08aa7c80dac27ee00fa6827f447597d2fba5465. + +The reverted commit was based on static analysis and a misunderstanding +of how PTR_ERR() and NULLs are supposed to work. When a function +returns both pointer errors and NULL then normally the NULL means +"continue operating without a feature because it was deliberately +turned off". The NULL should not be treated as a failure. If a driver +cannot work when that feature is disabled then the KConfig should +enforce that the function cannot return NULL. We should not need to +test for it. + +In this driver, the bug means that probe cannot succeed when CONFIG_PM +is disabled. + +Signed-off-by: Dan Carpenter +Fixes: f08aa7c80dac ("usb: gadget: tegra-xudc: Fix error check in tegra_xudc_powerdomain_init()") +Cc: stable +Link: https://lore.kernel.org/r/ZKQoBa84U/ykEh3C@moroto +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/tegra-xudc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/udc/tegra-xudc.c ++++ b/drivers/usb/gadget/udc/tegra-xudc.c +@@ -3695,15 +3695,15 @@ static int tegra_xudc_powerdomain_init(s + int err; + + xudc->genpd_dev_device = dev_pm_domain_attach_by_name(dev, "dev"); +- if (IS_ERR_OR_NULL(xudc->genpd_dev_device)) { +- err = PTR_ERR(xudc->genpd_dev_device) ? : -ENODATA; ++ if (IS_ERR(xudc->genpd_dev_device)) { ++ err = PTR_ERR(xudc->genpd_dev_device); + dev_err(dev, "failed to get device power domain: %d\n", err); + return err; + } + + xudc->genpd_dev_ss = dev_pm_domain_attach_by_name(dev, "ss"); +- if (IS_ERR_OR_NULL(xudc->genpd_dev_ss)) { +- err = PTR_ERR(xudc->genpd_dev_ss) ? 
: -ENODATA; ++ if (IS_ERR(xudc->genpd_dev_ss)) { ++ err = PTR_ERR(xudc->genpd_dev_ss); + dev_err(dev, "failed to get SuperSpeed power domain: %d\n", err); + return err; + } diff --git a/queue-6.1/revert-usb-xhci-tegra-fix-error-check.patch b/queue-6.1/revert-usb-xhci-tegra-fix-error-check.patch new file mode 100644 index 00000000000..602015192d6 --- /dev/null +++ b/queue-6.1/revert-usb-xhci-tegra-fix-error-check.patch 
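Review bot: The restored `IS_ERR()` checks in tegra_xudc_powerdomain_init() accept a NULL return from dev_pm_domain_attach_by_name() without saying so, which is the same gap that invited the reverted `IS_ERR_OR_NULL()` change. A comment before the first check would record the intent given in the commit message: `/* NULL is not an error: it means no PM domain is attached (e.g. CONFIG_PM disabled). */`. The code that later uses `genpd_dev_device` and `genpd_dev_ss` is outside the hunk, so whether it copes with NULL cannot be confirmed here. The same comment applies to tegra_xusb_powerdomain_init() in the xhci-tegra revert that follows.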
@@ -0,0 +1,54 @@ +From 288b4fa1798e3637a9304c6e90a93d900e02369c Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 4 Jul 2023 17:08:27 +0300 +Subject: Revert "usb: xhci: tegra: Fix error check" + +From: Dan Carpenter + +commit 288b4fa1798e3637a9304c6e90a93d900e02369c upstream. + +This reverts commit 18fc7c435be3f17ea26a21b2e2312fcb9088e01f. + +The reverted commit was based on static analysis and a misunderstanding +of how PTR_ERR() and NULLs are supposed to work. When a function +returns both pointer errors and NULL then normally the NULL means +"continue operating without a feature because it was deliberately +turned off". The NULL should not be treated as a failure. If a driver +cannot work when that feature is disabled then the KConfig should +enforce that the function cannot return NULL. We should not need to +test for it. + +In this code, the patch means that certain tegra_xusb_probe() will +fail if the firmware supports power-domains but CONFIG_PM is disabled. + +Signed-off-by: Dan Carpenter +Fixes: 18fc7c435be3 ("usb: xhci: tegra: Fix error check") +Cc: stable +Link: https://lore.kernel.org/r/8baace8d-fb4b-41a4-ad5f-848ae643a23b@moroto.mountain +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-tegra.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/host/xhci-tegra.c ++++ b/drivers/usb/host/xhci-tegra.c +@@ -1010,15 +1010,15 @@ static int tegra_xusb_powerdomain_init(s + int err; + + tegra->genpd_dev_host = dev_pm_domain_attach_by_name(dev, "xusb_host"); +- if (IS_ERR_OR_NULL(tegra->genpd_dev_host)) { +- err = PTR_ERR(tegra->genpd_dev_host) ? : -ENODATA; ++ if (IS_ERR(tegra->genpd_dev_host)) { ++ err = PTR_ERR(tegra->genpd_dev_host); + dev_err(dev, "failed to get host pm-domain: %d\n", err); + return err; + } + + tegra->genpd_dev_ss = dev_pm_domain_attach_by_name(dev, "xusb_ss"); +- if (IS_ERR_OR_NULL(tegra->genpd_dev_ss)) { +- err = PTR_ERR(tegra->genpd_dev_ss) ? 
: -ENODATA; ++ if (IS_ERR(tegra->genpd_dev_ss)) { ++ err = PTR_ERR(tegra->genpd_dev_ss); + dev_err(dev, "failed to get superspeed pm-domain: %d\n", err); + return err; + } diff --git a/queue-6.1/revert-xhci-add-quirk-for-host-controllers-that-don-t-update-endpoint-dcs.patch b/queue-6.1/revert-xhci-add-quirk-for-host-controllers-that-don-t-update-endpoint-dcs.patch new file mode 100644 index 00000000000..ddc9120625d --- /dev/null +++ b/queue-6.1/revert-xhci-add-quirk-for-host-controllers-that-don-t-update-endpoint-dcs.patch 
@@ -0,0 +1,146 @@ +From 5bef4b3cb95a5b883dfec8b3ffc0d671323d55bb Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 13 Jul 2023 13:28:10 +0200 +Subject: Revert "xhci: add quirk for host controllers that don't update endpoint DCS" + +From: Oliver Neukum + +commit 5bef4b3cb95a5b883dfec8b3ffc0d671323d55bb upstream. + +This reverts commit 5255660b208aebfdb71d574f3952cf48392f4306. + +This quirk breaks at least the following hardware: + +0b:00.0 0c03: 1106:3483 (rev 01) (prog-if 30 [XHCI]) + Subsystem: 1106:3483 + Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ + Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- SERR- +Fixes: 5255660b208a ("xhci: add quirk for host controllers that don't update endpoint DCS") +Cc: stable +Link: https://lore.kernel.org/r/20230713112830.21773-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-pci.c | 4 +--- + drivers/usb/host/xhci-ring.c | 25 +------------------------ + 2 files changed, 2 insertions(+), 27 deletions(-) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -293,10 +293,8 @@ static void xhci_pci_quirks(struct devic + pdev->device == 0x3432) + xhci->quirks |= XHCI_BROKEN_STREAMS; + +- if (pdev->vendor == PCI_VENDOR_ID_VIA && pdev->device == 0x3483) { ++ if (pdev->vendor == PCI_VENDOR_ID_VIA && pdev->device == 0x3483) + xhci->quirks |= XHCI_LPM_SUPPORT; +- xhci->quirks |= XHCI_EP_CTX_BROKEN_DCS; +- } + + if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && + pdev->device == PCI_DEVICE_ID_ASMEDIA_1042_XHCI) { +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -592,11 +592,8 @@ static int xhci_move_dequeue_past_td(str + struct xhci_ring *ep_ring; + struct xhci_command *cmd; + struct xhci_segment *new_seg; +- struct xhci_segment *halted_seg = NULL; + union xhci_trb *new_deq; + int new_cycle; +- union xhci_trb *halted_trb; +- int index = 0; + dma_addr_t addr; + u64 hw_dequeue; + bool 
cycle_found = false; +@@ -634,27 +631,7 @@ static int xhci_move_dequeue_past_td(str + hw_dequeue = xhci_get_hw_deq(xhci, dev, ep_index, stream_id); + new_seg = ep_ring->deq_seg; + new_deq = ep_ring->dequeue; +- +- /* +- * Quirk: xHC write-back of the DCS field in the hardware dequeue +- * pointer is wrong - use the cycle state of the TRB pointed to by +- * the dequeue pointer. +- */ +- if (xhci->quirks & XHCI_EP_CTX_BROKEN_DCS && +- !(ep->ep_state & EP_HAS_STREAMS)) +- halted_seg = trb_in_td(xhci, td->start_seg, +- td->first_trb, td->last_trb, +- hw_dequeue & ~0xf, false); +- if (halted_seg) { +- index = ((dma_addr_t)(hw_dequeue & ~0xf) - halted_seg->dma) / +- sizeof(*halted_trb); +- halted_trb = &halted_seg->trbs[index]; +- new_cycle = halted_trb->generic.field[3] & 0x1; +- xhci_dbg(xhci, "Endpoint DCS = %d TRB index = %d cycle = %d\n", +- (u8)(hw_dequeue & 0x1), index, new_cycle); +- } else { +- new_cycle = hw_dequeue & 0x1; +- } ++ new_cycle = hw_dequeue & 0x1; + + /* + * We want to find the pointer, segment and cycle state of the new trb diff --git a/queue-6.1/serial-8250_dw-preserve-original-value-of-dlf-register.patch b/queue-6.1/serial-8250_dw-preserve-original-value-of-dlf-register.patch new file mode 100644 index 00000000000..cf4eff07a78 --- /dev/null +++ b/queue-6.1/serial-8250_dw-preserve-original-value-of-dlf-register.patch 
@@ -0,0 +1,53 @@
+From 748c5ea8b8796ae8ee80b8d3a3d940570b588d59 Mon Sep 17 00:00:00 2001
+From: Ruihong Luo
+Date: Thu, 13 Jul 2023 08:42:36 +0800
+Subject: serial: 8250_dw: Preserve original value of DLF register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ruihong Luo
+
+commit 748c5ea8b8796ae8ee80b8d3a3d940570b588d59 upstream.
+
+Preserve the original value of the Divisor Latch Fraction (DLF) register.
+When the DLF register is modified without preservation, it can disrupt
+the baudrate settings established by firmware or bootloader, leading to
+data corruption and the generation of unreadable or distorted characters.
+
+Fixes: 701c5e73b296 ("serial: 8250_dw: add fractional divisor support")
+Cc: stable
+Signed-off-by: Ruihong Luo
+Link: https://lore.kernel.org/stable/20230713004235.35904-1-colorsu1922%40gmail.com
+Reviewed-by: Ilpo Järvinen
+Reviewed-by: Andy Shevchenko
+Link: https://lore.kernel.org/r/20230713004235.35904-1-colorsu1922@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/8250/8250_dwlib.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_dwlib.c
++++ b/drivers/tty/serial/8250/8250_dwlib.c
+@@ -244,7 +244,7 @@ void dw8250_setup_port(struct uart_port
+ struct dw8250_port_data *pd = p->private_data;
+ struct dw8250_data *data = to_dw8250_data(pd);
+ struct uart_8250_port *up = up_to_u8250p(p);
+- u32 reg;
++ u32 reg, old_dlf;
+
+ pd->hw_rs485_support = dw8250_detect_rs485_hw(p);
+ if (pd->hw_rs485_support) {
+@@ -270,9 +270,11 @@ void dw8250_setup_port(struct uart_port
+ dev_dbg(p->dev, "Designware UART version %c.%c%c\n",
+ (reg >> 24) & 0xff, (reg >> 16) & 0xff, (reg >> 8) & 0xff);
+
++ /* Preserve value written by firmware or bootloader */
++ old_dlf = dw8250_readl_ext(p, DW_UART_DLF);
+ dw8250_writel_ext(p, DW_UART_DLF, ~0U);
+ reg = dw8250_readl_ext(p, DW_UART_DLF);
+- dw8250_writel_ext(p, DW_UART_DLF, 0);
++ dw8250_writel_ext(p, DW_UART_DLF, old_dlf);
+
+ if (reg) {
+ pd->dlf_size = fls(reg);
diff --git a/queue-6.1/serial-qcom-geni-drop-bogus-runtime-pm-state-update.patch b/queue-6.1/serial-qcom-geni-drop-bogus-runtime-pm-state-update.patch
new file mode 100644
index 00000000000..56608f2cb76
--- /dev/null
+++ b/queue-6.1/serial-qcom-geni-drop-bogus-runtime-pm-state-update.patch
@@ -0,0 +1,42 @@
+From 4dd8752a14ca0303fbdf0a6c68ff65f0a50bd2fa Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 13 Jul 2023 16:57:41 +0200
+Subject: serial: qcom-geni: drop bogus runtime pm state update
+
+From: Johan Hovold
+
+commit 4dd8752a14ca0303fbdf0a6c68ff65f0a50bd2fa upstream.
+
+The runtime PM state should not be changed by drivers that do not
+implement runtime PM even if it happens to work around a bug in PM core.
+
+With the wake irq arming now fixed, drop the bogus runtime PM state
+update which left the device in active state (and could potentially
+prevent a parent device from suspending).
+
+Fixes: f3974413cf02 ("tty: serial: qcom_geni_serial: Wakeup IRQ cleanup")
+Cc: 5.6+ # 5.6+
+Signed-off-by: Johan Hovold
+Reviewed-by: Tony Lindgren
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/qcom_geni_serial.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/drivers/tty/serial/qcom_geni_serial.c
++++ b/drivers/tty/serial/qcom_geni_serial.c
+@@ -1495,13 +1495,6 @@ static int qcom_geni_serial_probe(struct
+ if (ret)
+ return ret;
+
+- /*
+- * Set pm_runtime status as ACTIVE so that wakeup_irq gets
+- * enabled/disabled from dev_pm_arm_wake_irq during system
+- * suspend/resume respectively.
+- */
+- pm_runtime_set_active(&pdev->dev);
+-
+ if (port->wakeup_irq > 0) {
+ device_init_wakeup(&pdev->dev, true);
+ ret = dev_pm_set_dedicated_wake_irq(&pdev->dev,
diff --git a/queue-6.1/serial-sifive-fix-sifive_serial_console_setup-section.patch b/queue-6.1/serial-sifive-fix-sifive_serial_console_setup-section.patch
new file mode 100644
index 00000000000..72d2fe179b4
--- /dev/null
+++ b/queue-6.1/serial-sifive-fix-sifive_serial_console_setup-section.patch
@@ -0,0 +1,34 @@
+From 9b8fef6345d5487137d4193bb0a0eae2203c284e Mon Sep 17 00:00:00 2001
+From: Samuel Holland
+Date: Fri, 23 Jun 2023 23:01:59 -0700
+Subject: serial: sifive: Fix sifive_serial_console_setup() section
+
+From: Samuel Holland
+
+commit 9b8fef6345d5487137d4193bb0a0eae2203c284e upstream.
+
+This function is called indirectly from the platform driver probe
+function. Even if the driver is built in, it may be probed after
+free_initmem() due to deferral or unbinding/binding via sysfs.
+Thus the function cannot be marked as __init.
+
+Fixes: 45c054d0815b ("tty: serial: add driver for the SiFive UART")
+Cc: stable
+Signed-off-by: Samuel Holland
+Link: https://lore.kernel.org/r/20230624060159.3401369-1-samuel.holland@sifive.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/sifive.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/sifive.c
++++ b/drivers/tty/serial/sifive.c
+@@ -832,7 +832,7 @@ static void sifive_serial_console_write(
+ local_irq_restore(flags);
+ }
+
+-static int __init sifive_serial_console_setup(struct console *co, char *options)
++static int sifive_serial_console_setup(struct console *co, char *options)
+ {
+ struct sifive_serial_port *ssp;
+ int baud = SIFIVE_DEFAULT_BAUD_RATE;
diff --git a/queue-6.1/series b/queue-6.1/series
index b7180f87200..cb17833e271 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -143,3 +143,48 @@ ublk-fail-to-recover-device-if-queue-setup-is-interr.patch
 ata-pata_ns87415-mark-ns87560_tf_read-static.patch
 ring-buffer-fix-wrong-stat-of-cpu_buffer-read.patch
 tracing-fix-warning-in-trace_buffered_event_disable.patch
+revert-usb-gadget-tegra-xudc-fix-error-check-in-tegra_xudc_powerdomain_init.patch
+usb-gadget-call-usb_gadget_check_config-to-verify-udc-capability.patch
+usb-gadget-fix-the-memory-leak-in-raw_gadget-driver.patch
+usb-gadget-core-remove-unbalanced-mutex_unlock-in-usb_gadget_activate.patch
+kvm-grab-a-reference-to-kvm-for-vm-and-vcpu-stats-file-descriptors.patch
+kvm-vmx-don-t-fudge-cr0-and-cr4-for-restricted-l2-guest.patch
+kvm-x86-disallow-kvm_set_sregs-2-if-incoming-cr0-is-invalid.patch
+serial-qcom-geni-drop-bogus-runtime-pm-state-update.patch
+serial-8250_dw-preserve-original-value-of-dlf-register.patch
+serial-sifive-fix-sifive_serial_console_setup-section.patch
+usb-serial-option-support-quectel-em060k_128.patch
+usb-serial-option-add-quectel-ec200a-module-support.patch
+usb-serial-simple-add-kaufmann-rks-can-vcp.patch
+usb-serial-simple-sort-driver-entries.patch
+can-gs_usb-gs_can_close-add-missing-set-of-can-state-to-can_state_stopped.patch
+usb-typec-set-port-pd-before-adding-device-for-typec_port.patch
+usb-typec-iterate-pds-array-when-showing-the-pd-list.patch
+usb-typec-use-sysfs_emit_at-when-concatenating-the-string.patch
+revert-usb-dwc3-core-enable-autoretry-feature-in-the-controller.patch
+usb-dwc3-pci-skip-byt-gpio-lookup-table-for-hardwired-phy.patch
+usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch
+usb-misc-ehset-fix-wrong-if-condition.patch
+usb-ohci-at91-fix-the-unhandle-interrupt-when-resume.patch
+usb-quirks-add-quirk-for-focusrite-scarlett.patch
+usb-cdns3-fix-incorrect-calculation-of-ep_buf_size-when-more-than-one-config.patch
+usb-xhci-mtk-set-the-dma-max_seg_size.patch
+revert-usb-xhci-tegra-fix-error-check.patch
+documentation-security-bugs.rst-update-preferences-when-dealing-with-the-linux-distros-group.patch
+documentation-security-bugs.rst-clarify-cve-handling.patch
+staging-r8712-fix-memory-leak-in-_r8712_init_xmit_priv.patch
+staging-ks7010-potential-buffer-overflow-in-ks_wlan_set_encode_ext.patch
+tty-n_gsm-fix-uaf-in-gsm_cleanup_mux.patch
+revert-xhci-add-quirk-for-host-controllers-that-don-t-update-endpoint-dcs.patch
+alsa-hda-realtek-support-asus-g713pv-laptop.patch
+alsa-hda-relatek-enable-mute-led-on-hp-250-g8.patch
+hwmon-k10temp-enable-amd3255-proc-to-show-negative-temperature.patch
+hwmon-nct7802-fix-for-temp6-peci1-processed-even-if-peci1-disabled.patch
+btrfs-account-block-group-tree-when-calculating-global-reserve-size.patch
+btrfs-check-if-the-transaction-was-aborted-at-btrfs_wait_for_commit.patch
+btrfs-check-for-commit-error-at-btrfs_attach_transaction_barrier.patch
+x86-mce-amd-decrement-threshold_bank-refcount-when-removing-threshold-blocks.patch
+file-always-lock-position-for-fmode_atomic_pos.patch
+nfsd-remove-incorrect-check-in-nfsd4_validate_stateid.patch
+acpi-iort-remove-erroneous-id_count-check-in-iort_node_get_rmr_info.patch
+tpm_tis-explicitly-check-for-error-code.patch
diff --git a/queue-6.1/staging-ks7010-potential-buffer-overflow-in-ks_wlan_set_encode_ext.patch b/queue-6.1/staging-ks7010-potential-buffer-overflow-in-ks_wlan_set_encode_ext.patch
new file mode 100644
index 00000000000..1d1959ad89c
--- /dev/null
+++ b/queue-6.1/staging-ks7010-potential-buffer-overflow-in-ks_wlan_set_encode_ext.patch
@@ -0,0 +1,37 @@
+From 5f1c7031e044cb2fba82836d55cc235e2ad619dc Mon Sep 17 00:00:00 2001
+From: Zhang Shurong
+Date: Sun, 9 Jul 2023 13:50:07 +0800
+Subject: staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext()
+
+From: Zhang Shurong
+
+commit 5f1c7031e044cb2fba82836d55cc235e2ad619dc upstream.
+
+The "exc->key_len" is a u16 that comes from the user. If it's over
+IW_ENCODING_TOKEN_MAX (64) that could lead to memory corruption.
+
+Fixes: b121d84882b9 ("staging: ks7010: simplify calls to memcpy()")
+Cc: stable
+Signed-off-by: Zhang Shurong
+Reviewed-by: Dan Carpenter
+Link: https://lore.kernel.org/r/tencent_5153B668C0283CAA15AA518325346E026A09@qq.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/ks7010/ks_wlan_net.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/ks7010/ks_wlan_net.c
++++ b/drivers/staging/ks7010/ks_wlan_net.c
+@@ -1584,8 +1584,10 @@ static int ks_wlan_set_encode_ext(struct
+ commit |= SME_WEP_FLAG;
+ }
+ if (enc->key_len) {
+- memcpy(&key->key_val[0], &enc->key[0], enc->key_len);
+- key->key_len = enc->key_len;
++ int key_len = clamp_val(enc->key_len, 0, IW_ENCODING_TOKEN_MAX);
++
++ memcpy(&key->key_val[0], &enc->key[0], key_len);
++ key->key_len = key_len;
+ commit |= (SME_WEP_VAL1 << index);
+ }
+ break;
diff --git a/queue-6.1/staging-r8712-fix-memory-leak-in-_r8712_init_xmit_priv.patch b/queue-6.1/staging-r8712-fix-memory-leak-in-_r8712_init_xmit_priv.patch
new file mode 100644
index 00000000000..1766a60cb0a
--- /dev/null
+++ b/queue-6.1/staging-r8712-fix-memory-leak-in-_r8712_init_xmit_priv.patch
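Review bot: The new bound in `ks_wlan_set_encode_ext()` silently truncates an oversized, user-supplied `enc->key_len` instead of rejecting it, so a request with a too-long key installs a shortened key and reports no error. The limit used is the wireless-extensions constant `IW_ENCODING_TOKEN_MAX`, not the size of the destination; the declaration of `key->key_val` is outside the hunk, so it is worth confirming the two match, or, if `key_val` is an array, tying the check to it directly with `if (enc->key_len > sizeof(key->key_val)) return -EINVAL;` before the `memcpy()`. Because the commit message describes `key_len` as a u16, the lower bound of 0 passed to `clamp_val()` has no effect. The function body continues outside the hunk, so an early return needs checking against whatever state or lock is held at that point.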
@@ -0,0 +1,127 @@
+From ac83631230f77dda94154ed0ebfd368fc81c70a3 Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Fri, 14 Jul 2023 12:54:17 -0500
+Subject: staging: r8712: Fix memory leak in _r8712_init_xmit_priv()
+
+From: Larry Finger
+
+commit ac83631230f77dda94154ed0ebfd368fc81c70a3 upstream.
+
+In the above mentioned routine, memory is allocated in several places.
+If the first succeeds and a later one fails, the routine will leak memory.
+This patch fixes commit 2865d42c78a9 ("staging: r8712u: Add the new driver
+to the mainline kernel"). A potential memory leak in
+r8712_xmit_resource_alloc() is also addressed.
+
+Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
+Reported-by: syzbot+cf71097ffb6755df8251@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/x/log.txt?x=11ac3fa0a80000
+Cc: stable@vger.kernel.org
+Cc: Nam Cao
+Signed-off-by: Larry Finger
+Reviewed-by: Nam Cao
+Link: https://lore.kernel.org/r/20230714175417.18578-1-Larry.Finger@lwfinger.net
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8712/rtl871x_xmit.c | 43 ++++++++++++++++++++++++++-------
+ drivers/staging/rtl8712/xmit_linux.c | 6 ++++
+ 2 files changed, 40 insertions(+), 9 deletions(-)
+
+--- a/drivers/staging/rtl8712/rtl871x_xmit.c
++++ b/drivers/staging/rtl8712/rtl871x_xmit.c
+@@ -21,6 +21,7 @@
+ #include "osdep_intf.h"
+ #include "usb_ops.h"
+
++#include
+ #include
+
+ static const u8 P802_1H_OUI[P80211_OUI_LEN] = {0x00, 0x00, 0xf8};
+@@ -55,6 +56,7 @@ int _r8712_init_xmit_priv(struct xmit_pr
+ sint i;
+ struct xmit_buf *pxmitbuf;
+ struct xmit_frame *pxframe;
++ int j;
+
+ memset((unsigned char *)pxmitpriv, 0, sizeof(struct xmit_priv));
+ spin_lock_init(&pxmitpriv->lock);
+@@ -117,11 +119,8 @@ int _r8712_init_xmit_priv(struct xmit_pr
+ _init_queue(&pxmitpriv->pending_xmitbuf_queue);
+ pxmitpriv->pallocated_xmitbuf =
+ kmalloc(NR_XMITBUFF * sizeof(struct xmit_buf) + 4, GFP_ATOMIC);
+- if (!pxmitpriv->pallocated_xmitbuf) {
+- kfree(pxmitpriv->pallocated_frame_buf);
+- pxmitpriv->pallocated_frame_buf = NULL;
+- return -ENOMEM;
+- }
++ if (!pxmitpriv->pallocated_xmitbuf)
++ goto clean_up_frame_buf;
+ pxmitpriv->pxmitbuf = pxmitpriv->pallocated_xmitbuf + 4 -
+ ((addr_t)(pxmitpriv->pallocated_xmitbuf) & 3);
+ pxmitbuf = (struct xmit_buf *)pxmitpriv->pxmitbuf;
+@@ -129,13 +128,17 @@ int _r8712_init_xmit_priv(struct xmit_pr
+ INIT_LIST_HEAD(&pxmitbuf->list);
+ pxmitbuf->pallocated_buf =
+ kmalloc(MAX_XMITBUF_SZ + XMITBUF_ALIGN_SZ, GFP_ATOMIC);
+- if (!pxmitbuf->pallocated_buf)
+- return -ENOMEM;
++ if (!pxmitbuf->pallocated_buf) {
++ j = 0;
++ goto clean_up_alloc_buf;
++ }
+ pxmitbuf->pbuf = pxmitbuf->pallocated_buf + XMITBUF_ALIGN_SZ -
+ ((addr_t) (pxmitbuf->pallocated_buf) &
+ (XMITBUF_ALIGN_SZ - 1));
+- if (r8712_xmit_resource_alloc(padapter, pxmitbuf))
+- return -ENOMEM;
++ if (r8712_xmit_resource_alloc(padapter, pxmitbuf)) {
++ j = 1;
++ goto clean_up_alloc_buf;
++ }
+ list_add_tail(&pxmitbuf->list,
+ &(pxmitpriv->free_xmitbuf_queue.queue));
+ pxmitbuf++;
+@@ -146,6 +149,28 @@ int _r8712_init_xmit_priv(struct xmit_pr
+ init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);
+ tasklet_setup(&pxmitpriv->xmit_tasklet, r8712_xmit_bh);
+ return 0;
++
++clean_up_alloc_buf:
++ if (j) {
++ /* failure happened in r8712_xmit_resource_alloc()
++ * delete extra pxmitbuf->pallocated_buf
++ */
++ kfree(pxmitbuf->pallocated_buf);
++ }
++ for (j = 0; j < i; j++) {
++ int k;
++
++ pxmitbuf--; /* reset pointer */
++ kfree(pxmitbuf->pallocated_buf);
++ for (k = 0; k < 8; k++) /* delete xmit urb's */
++ usb_free_urb(pxmitbuf->pxmit_urb[k]);
++ }
++ kfree(pxmitpriv->pallocated_xmitbuf);
++ pxmitpriv->pallocated_xmitbuf = NULL;
++clean_up_frame_buf:
++ kfree(pxmitpriv->pallocated_frame_buf);
++ pxmitpriv->pallocated_frame_buf = NULL;
++ return -ENOMEM;
+ }
+
+ void _free_xmit_priv(struct xmit_priv *pxmitpriv)
+--- a/drivers/staging/rtl8712/xmit_linux.c
++++ b/drivers/staging/rtl8712/xmit_linux.c
+@@ -112,6 +112,12 @@ int r8712_xmit_resource_alloc(struct _ad
+ for (i = 0; i < 8; i++) {
+ pxmitbuf->pxmit_urb[i] = usb_alloc_urb(0, GFP_KERNEL);
+ if (!pxmitbuf->pxmit_urb[i]) {
++ int k;
++
++ for (k = i - 1; k >= 0; k--) {
++ /* handle allocation errors part way through loop */
++ usb_free_urb(pxmitbuf->pxmit_urb[k]);
++ }
+ netdev_err(padapter->pnetdev, "pxmitbuf->pxmit_urb[i] == NULL\n");
+ return -ENOMEM;
+ }
diff --git a/queue-6.1/tpm_tis-explicitly-check-for-error-code.patch b/queue-6.1/tpm_tis-explicitly-check-for-error-code.patch
new file mode 100644
index 00000000000..b125b4ce5a7
--- /dev/null
+++ b/queue-6.1/tpm_tis-explicitly-check-for-error-code.patch
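Review bot: In the new `clean_up_alloc_buf` path of `_r8712_init_xmit_priv()`, `j` is first a flag recording which allocation failed and then the counter of the unwind loop, which makes the cleanup harder to audit than it needs to be; a separate flag variable would keep the two roles apart. The literal `8` for the URB count is now repeated in the unwind loops of both `rtl871x_xmit.c` and `xmit_linux.c`, and a shared named constant would keep them in step with the size of `pxmit_urb[]`, whose declaration is not visible here. In `r8712_xmit_resource_alloc()` the entries freed on the error path keep their old values; adding `pxmitbuf->pxmit_urb[k] = NULL;` after `usb_free_urb()` would be a cheap defence against a later free of the same buffer. Both functions start and end outside the hunks shown.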
@@ -0,0 +1,48 @@
+From 513253f8c293c0c8bd46d09d337fc892bf8f9f48 Mon Sep 17 00:00:00 2001
+From: Alexander Steffen
+Date: Tue, 13 Jun 2023 20:02:56 +0200
+Subject: tpm_tis: Explicitly check for error code
+
+From: Alexander Steffen
+
+commit 513253f8c293c0c8bd46d09d337fc892bf8f9f48 upstream.
+
+recv_data either returns the number of received bytes, or a negative value
+representing an error code. Adding the return value directly to the total
+number of received bytes therefore looks a little weird, since it might add
+a negative error code to a sum of bytes.
+
+The following check for size < expected usually makes the function return
+ETIME in that case, so it does not cause too many problems in practice. But
+to make the code look cleaner and because the caller might still be
+interested in the original error code, explicitly check for the presence of
+an error code and pass that through.
+
+Cc: stable@vger.kernel.org
+Fixes: cb5354253af2 ("[PATCH] tpm: spacing cleanups 2")
+Signed-off-by: Alexander Steffen
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/tpm_tis_core.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -356,8 +356,13 @@ static int tpm_tis_recv(struct tpm_chip
+ goto out;
+ }
+
+- size += recv_data(chip, &buf[TPM_HEADER_SIZE],
+- expected - TPM_HEADER_SIZE);
++ rc = recv_data(chip, &buf[TPM_HEADER_SIZE],
++ expected - TPM_HEADER_SIZE);
++ if (rc < 0) {
++ size = rc;
++ goto out;
++ }
++ size += rc;
+ if (size < expected) {
+ dev_err(&chip->dev, "Unable to read remainder of result\n");
+ size = -ETIME;
diff --git a/queue-6.1/tty-n_gsm-fix-uaf-in-gsm_cleanup_mux.patch b/queue-6.1/tty-n_gsm-fix-uaf-in-gsm_cleanup_mux.patch
new file mode 100644
index 00000000000..df4cc818db2
--- /dev/null
+++ b/queue-6.1/tty-n_gsm-fix-uaf-in-gsm_cleanup_mux.patch
@@ -0,0 +1,100 @@
+From 9b9c8195f3f0d74a826077fc1c01b9ee74907239 Mon Sep 17 00:00:00 2001
+From: Chaoyuan Peng
+Date: Tue, 18 Jul 2023 04:39:43 +0000
+Subject: tty: n_gsm: fix UAF in gsm_cleanup_mux
+
+From: Chaoyuan Peng
+
+commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239 upstream.
+
+In gsm_cleanup_mux() the 'gsm->dlci' pointer was not cleaned properly,
+leaving it a dangling pointer after gsm_dlci_release.
+This leads to use-after-free where 'gsm->dlci[0]' are freed and accessed
+by the subsequent gsm_cleanup_mux().
+
+Such is the case in the following call trace:
+
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
+ print_address_description+0x63/0x3b0 mm/kasan/report.c:248
+ __kasan_report mm/kasan/report.c:434 [inline]
+ kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
+ gsm_cleanup_mux+0x76a/0x850 drivers/tty/n_gsm.c:2397
+ gsm_config drivers/tty/n_gsm.c:2653 [inline]
+ gsmld_ioctl+0xaae/0x15b0 drivers/tty/n_gsm.c:2986
+ tty_ioctl+0x8ff/0xc50 drivers/tty/tty_io.c:2816
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:874 [inline]
+ __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x61/0xcb
+
+
+Allocated by task 3501:
+ kasan_save_stack mm/kasan/common.c:38 [inline]
+ kasan_set_track mm/kasan/common.c:46 [inline]
+ set_alloc_info mm/kasan/common.c:434 [inline]
+ ____kasan_kmalloc+0xba/0xf0 mm/kasan/common.c:513
+ kasan_kmalloc include/linux/kasan.h:264 [inline]
+ kmem_cache_alloc_trace+0x143/0x290 mm/slub.c:3247
+ kmalloc include/linux/slab.h:591 [inline]
+ kzalloc include/linux/slab.h:721 [inline]
+ gsm_dlci_alloc+0x53/0x3a0 drivers/tty/n_gsm.c:1932
+ gsm_activate_mux+0x1c/0x330 drivers/tty/n_gsm.c:2438
+ gsm_config drivers/tty/n_gsm.c:2677 [inline]
+ gsmld_ioctl+0xd46/0x15b0 drivers/tty/n_gsm.c:2986
+ tty_ioctl+0x8ff/0xc50 drivers/tty/tty_io.c:2816
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:874 [inline]
+ __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x61/0xcb
+
+Freed by task 3501:
+ kasan_save_stack mm/kasan/common.c:38 [inline]
+ kasan_set_track+0x4b/0x80 mm/kasan/common.c:46
+ kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
+ ____kasan_slab_free+0xd8/0x120 mm/kasan/common.c:366
+ kasan_slab_free include/linux/kasan.h:230 [inline]
+ slab_free_hook mm/slub.c:1705 [inline]
+ slab_free_freelist_hook+0xdd/0x160 mm/slub.c:1731
+ slab_free mm/slub.c:3499 [inline]
+ kfree+0xf1/0x270 mm/slub.c:4559
+ dlci_put drivers/tty/n_gsm.c:1988 [inline]
+ gsm_dlci_release drivers/tty/n_gsm.c:2021 [inline]
+ gsm_cleanup_mux+0x574/0x850 drivers/tty/n_gsm.c:2415
+ gsm_config drivers/tty/n_gsm.c:2653 [inline]
+ gsmld_ioctl+0xaae/0x15b0 drivers/tty/n_gsm.c:2986
+ tty_ioctl+0x8ff/0xc50 drivers/tty/tty_io.c:2816
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:874 [inline]
+ __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x61/0xcb
+
+Fixes: aa371e96f05d ("tty: n_gsm: fix restart handling via CLD command")
+Signed-off-by: Chaoyuan Peng
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/n_gsm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -2508,8 +2508,10 @@ static void gsm_cleanup_mux(struct gsm_m
+ gsm->has_devices = false;
+ }
+ for (i = NUM_DLCI - 1; i >= 0; i--)
+- if (gsm->dlci[i])
++ if (gsm->dlci[i]) {
+ gsm_dlci_release(gsm->dlci[i]);
++ gsm->dlci[i] = NULL;
++ }
+ mutex_unlock(&gsm->mutex);
+ /* Now wipe the queues */
+ tty_ldisc_flush(gsm->tty);
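Review bot: The slot in `gsm_cleanup_mux()` is cleared only after `gsm_dlci_release(gsm->dlci[i])` has returned, so between the two statements `gsm->dlci[i]` still holds the released pointer. The loop sits before `mutex_unlock(&gsm->mutex)`, which presumably serialises other users of the array, but whether every reader of `gsm->dlci[]` takes that mutex cannot be confirmed from this hunk, and the function starts and ends outside it. The new line also carries no explanation; a comment such as `/* clear the slot so a later gsm_cleanup_mux() cannot touch the released DLCI */` would record why the assignment must stay.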
diff --git a/queue-6.1/usb-cdns3-fix-incorrect-calculation-of-ep_buf_size-when-more-than-one-config.patch b/queue-6.1/usb-cdns3-fix-incorrect-calculation-of-ep_buf_size-when-more-than-one-config.patch
new file mode 100644
index 00000000000..5f99c0edb53
--- /dev/null
+++ b/queue-6.1/usb-cdns3-fix-incorrect-calculation-of-ep_buf_size-when-more-than-one-config.patch
@@ -0,0 +1,47 @@
+From 2627335a1329a0d39d8d277994678571c4f21800 Mon Sep 17 00:00:00 2001
+From: Frank Li
+Date: Fri, 7 Jul 2023 19:00:15 -0400
+Subject: usb: cdns3: fix incorrect calculation of ep_buf_size when more than one config
+
+From: Frank Li
+
+commit 2627335a1329a0d39d8d277994678571c4f21800 upstream.
+
+Previously, the cdns3_gadget_check_config() function in the cdns3 driver
+mistakenly calculated the ep_buf_size by considering only one
+configuration's endpoint information because "claimed" will be clear after
+call usb_gadget_check_config().
+
+The fix involves checking the private flags EP_CLAIMED instead of relying
+on the "claimed" flag.
+
+Fixes: dce49449e04f ("usb: cdns3: allocate TX FIFO size according to composite EP number")
+Cc: stable
+Reported-by: Ravi Gunasekaran
+Signed-off-by: Frank Li
+Acked-by: Peter Chen
+Tested-by: Ravi Gunasekaran
+Link: https://lore.kernel.org/r/20230707230015.494999-2-Frank.Li@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/cdns3/cdns3-gadget.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/cdns3/cdns3-gadget.c
++++ b/drivers/usb/cdns3/cdns3-gadget.c
+@@ -3012,12 +3012,14 @@ static int cdns3_gadget_udc_stop(struct
+ static int cdns3_gadget_check_config(struct usb_gadget *gadget)
+ {
+ struct cdns3_device *priv_dev = gadget_to_cdns3_device(gadget);
++ struct cdns3_endpoint *priv_ep;
+ struct usb_ep *ep;
+ int n_in = 0;
+ int total;
+
+ list_for_each_entry(ep, &gadget->ep_list, ep_list) {
+- if (ep->claimed && (ep->address & USB_DIR_IN))
++ priv_ep = ep_to_cdns3_ep(ep);
++ if ((priv_ep->flags & EP_CLAIMED) && (ep->address & USB_DIR_IN))
+ n_in++;
+ }
+
diff --git a/queue-6.1/usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch b/queue-6.1/usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch
new file mode 100644
index 00000000000..4c432ff793a
--- /dev/null
+++ b/queue-6.1/usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch
@@ -0,0 +1,41 @@
+From e835c0a4e23c38531dcee5ef77e8d1cf462658c7 Mon Sep 17 00:00:00 2001
+From: Jisheng Zhang
+Date: Wed, 28 Jun 2023 00:20:18 +0800
+Subject: usb: dwc3: don't reset device side if dwc3 was configured as host-only
+
+From: Jisheng Zhang
+
+commit e835c0a4e23c38531dcee5ef77e8d1cf462658c7 upstream.
+
+Commit c4a5153e87fd ("usb: dwc3: core: Power-off core/PHYs on
+system_suspend in host mode") replaces check for HOST only dr_mode with
+current_dr_role. But during booting, the current_dr_role isn't
+initialized, thus the device side reset is always issued even if dwc3
+was configured as host-only. What's more, on some platforms with host
+only dwc3, aways issuing device side reset by accessing device register
+block can cause kernel panic.
+
+Fixes: c4a5153e87fd ("usb: dwc3: core: Power-off core/PHYs on system_suspend in host mode")
+Cc: stable
+Signed-off-by: Jisheng Zhang
+Acked-by: Thinh Nguyen
+Link: https://lore.kernel.org/r/20230627162018.739-1-jszhang@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -277,9 +277,9 @@ int dwc3_core_soft_reset(struct dwc3 *dw
+ /*
+ * We're resetting only the device side because, if we're in host mode,
+ * XHCI driver will reset the host block. If dwc3 was configured for
+- * host-only mode, then we can return early.
++ * host-only mode or current role is host, then we can return early.
+ */
+- if (dwc->current_dr_role == DWC3_GCTL_PRTCAP_HOST)
++ if (dwc->dr_mode == USB_DR_MODE_HOST || dwc->current_dr_role == DWC3_GCTL_PRTCAP_HOST)
+ return 0;
+
+ reg = dwc3_readl(dwc->regs, DWC3_DCTL);
diff --git a/queue-6.1/usb-dwc3-pci-skip-byt-gpio-lookup-table-for-hardwired-phy.patch b/queue-6.1/usb-dwc3-pci-skip-byt-gpio-lookup-table-for-hardwired-phy.patch
new file mode 100644
index 00000000000..e5a8b1fb126
--- /dev/null
+++ b/queue-6.1/usb-dwc3-pci-skip-byt-gpio-lookup-table-for-hardwired-phy.patch
@@ -0,0 +1,69 @@
+From b32b8f2b9542d8039f5468303a6ca78c1b5611a5 Mon Sep 17 00:00:00 2001
+From: Gratian Crisan
+Date: Wed, 26 Jul 2023 13:45:56 -0500
+Subject: usb: dwc3: pci: skip BYT GPIO lookup table for hardwired phy
+
+From: Gratian Crisan
+
+commit b32b8f2b9542d8039f5468303a6ca78c1b5611a5 upstream.
+
+Hardware based on the Bay Trail / BYT SoCs require an external ULPI phy for
+USB device-mode. The phy chip usually has its 'reset' and 'chip select'
+lines connected to GPIOs described by ACPI fwnodes in the DSDT table.
+
+Because of hardware with missing ACPI resources for the 'reset' and 'chip
+select' GPIOs commit 5741022cbdf3 ("usb: dwc3: pci: Add GPIO lookup table
+on platforms without ACPI GPIO resources") introduced a fallback
+gpiod_lookup_table with hard-coded mappings for Bay Trail devices.
+
+However there are existing Bay Trail based devices, like the National
+Instruments cRIO-903x series, where the phy chip has its 'reset' and
+'chip-select' lines always asserted in hardware via resistor pull-ups. On
+this hardware the phy chip is always enabled and the ACPI dsdt table is
+missing information not only for the 'chip-select' and 'reset' lines but
+also for the BYT GPIO controller itself "INT33FC".
+
+With the introduction of the gpiod_lookup_table initializing the USB
+device-mode on these hardware now errors out. The error comes from the
+gpiod_get_optional() calls in dwc3_pci_quirks() which will now return an
+-ENOENT error due to the missing ACPI entry for the INT33FC gpio controller
+used in the aforementioned table.
+
+This hardware used to work before because gpiod_get_optional() will return
+NULL instead of -ENOENT if no GPIO has been assigned to the requested
+function. The dwc3_pci_quirks() code for setting the 'cs' and 'reset' GPIOs
+was then skipped (due to the NULL return). This is the correct behavior in
+cases where the phy chip is hardwired and there are no GPIOs to control.
+
+Since the gpiod_lookup_table relies on the presence of INT33FC fwnode
+in ACPI tables only add the table if we know the entry for the INT33FC
+gpio controller is present. This allows Bay Trail based devices with
+hardwired dwc3 ULPI phys to continue working.
+
+Fixes: 5741022cbdf3 ("usb: dwc3: pci: Add GPIO lookup table on platforms without ACPI GPIO resources")
+Cc: stable
+Signed-off-by: Gratian Crisan
+Reviewed-by: Hans de Goede
+Link: https://lore.kernel.org/r/20230726184555.218091-2-gratian.crisan@ni.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/dwc3-pci.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -233,10 +233,12 @@ static int dwc3_pci_quirks(struct dwc3_p
+
+ /*
+ * A lot of BYT devices lack ACPI resource entries for
+- * the GPIOs, add a fallback mapping to the reference
++ * the GPIOs. If the ACPI entry for the GPIO controller
++ * is present add a fallback mapping to the reference
+ * design GPIOs which all boards seem to use.
+ */
+- gpiod_add_lookup_table(&platform_bytcr_gpios);
++ if (acpi_dev_present("INT33FC", NULL, -1))
++ gpiod_add_lookup_table(&platform_bytcr_gpios);
+
+ /*
+ * These GPIOs will turn on the USB2 PHY. Note that we have to
diff --git a/queue-6.1/usb-gadget-call-usb_gadget_check_config-to-verify-udc-capability.patch b/queue-6.1/usb-gadget-call-usb_gadget_check_config-to-verify-udc-capability.patch
new file mode 100644
index 00000000000..afebe6f963b
--- /dev/null
+++ b/queue-6.1/usb-gadget-call-usb_gadget_check_config-to-verify-udc-capability.patch
@@ -0,0 +1,41 @@
+From f4fc01af5b640bc39bd9403b5fd855345a2ad5f8 Mon Sep 17 00:00:00 2001
+From: Frank Li
+Date: Fri, 7 Jul 2023 19:00:14 -0400
+Subject: usb: gadget: call usb_gadget_check_config() to verify UDC capability
+
+From: Frank Li
+
+commit f4fc01af5b640bc39bd9403b5fd855345a2ad5f8 upstream.
+
+The legacy gadget driver omitted calling usb_gadget_check_config()
+to ensure that the USB device controller (UDC) has adequate resources,
+including sufficient endpoint numbers and types, to support the given
+configuration.
+
+Previously, usb_add_config() was solely invoked by the legacy gadget
+driver. Adds the necessary usb_gadget_check_config() after the bind()
+operation to fix the issue.
+
+Fixes: dce49449e04f ("usb: cdns3: allocate TX FIFO size according to composite EP number")
+Cc: stable
+Reported-by: Ravi Gunasekaran
+Signed-off-by: Frank Li
+Link: https://lore.kernel.org/r/20230707230015.494999-1-Frank.Li@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/composite.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1029,6 +1029,10 @@ int usb_add_config(struct usb_composite_
+ goto done;
+
+ status = bind(config);
++
++ if (status == 0)
++ status = usb_gadget_check_config(cdev->gadget);
++
+ if (status < 0) {
+ while (!list_empty(&config->functions)) {
+ struct usb_function *f;
diff --git a/queue-6.1/usb-gadget-core-remove-unbalanced-mutex_unlock-in-usb_gadget_activate.patch b/queue-6.1/usb-gadget-core-remove-unbalanced-mutex_unlock-in-usb_gadget_activate.patch
new file mode 100644
index 00000000000..6515161958d
--- /dev/null
+++ b/queue-6.1/usb-gadget-core-remove-unbalanced-mutex_unlock-in-usb_gadget_activate.patch
@@ -0,0 +1,32 @@
+From 6237390644fb92b81f5262877fe545d0d2c7b5d7 Mon Sep 17 00:00:00 2001
+From: Michael Grzeschik
+Date: Sat, 22 Jul 2023 00:22:56 +0200
+Subject: usb: gadget: core: remove unbalanced mutex_unlock in usb_gadget_activate
+
+From: Michael Grzeschik
+
+commit 6237390644fb92b81f5262877fe545d0d2c7b5d7 upstream.
+
+Commit 286d9975a838 ("usb: gadget: udc: core: Prevent soft_connect_store() race")
+introduced one extra mutex_unlock of connect_lock in the usb_gadget_active function.
+
+Fixes: 286d9975a838 ("usb: gadget: udc: core: Prevent soft_connect_store() race")
+Cc: stable
+Signed-off-by: Michael Grzeschik
+Reviewed-by: Alan Stern
+Link: https://lore.kernel.org/r/20230721222256.1743645-1-m.grzeschik@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/udc/core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/core.c
++++ b/drivers/usb/gadget/udc/core.c
+@@ -851,7 +851,6 @@ int usb_gadget_activate(struct usb_gadge
+ */
+ if (gadget->connected)
+ ret = usb_gadget_connect_locked(gadget);
+- mutex_unlock(&gadget->udc->connect_lock);
+
+ unlock:
+ mutex_unlock(&gadget->udc->connect_lock);
diff --git a/queue-6.1/usb-gadget-fix-the-memory-leak-in-raw_gadget-driver.patch b/queue-6.1/usb-gadget-fix-the-memory-leak-in-raw_gadget-driver.patch
new file mode 100644
index 00000000000..f9d3c76cd77
--- /dev/null
+++ b/queue-6.1/usb-gadget-fix-the-memory-leak-in-raw_gadget-driver.patch
@@ -0,0 +1,78 @@ +From 83e30f2bf86ef7c38fbd476ed81a88522b620628 Mon Sep 17 00:00:00 2001 +From: Zqiang +Date: Fri, 14 Jul 2023 15:40:11 +0800 +Subject: USB: gadget: Fix the memory leak in raw_gadget driver + +From: Zqiang + +commit 83e30f2bf86ef7c38fbd476ed81a88522b620628 upstream. + +Currently, increasing raw_dev->count happens before invoke the +raw_queue_event(), if the raw_queue_event() return error, invoke +raw_release() will not trigger the dev_free() to be called. + +[ 268.905865][ T5067] raw-gadget.0 gadget.0: failed to queue event +[ 268.912053][ T5067] udc dummy_udc.0: failed to start USB Raw Gadget: -12 +[ 268.918885][ T5067] raw-gadget.0: probe of gadget.0 failed with error -12 +[ 268.925956][ T5067] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy +[ 268.934657][ T5067] misc raw-gadget: fail, usb_gadget_register_driver returned -16 + +BUG: memory leak + +[] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076 +[] kmalloc include/linux/slab.h:582 [inline] +[] kzalloc include/linux/slab.h:703 [inline] +[] dev_new drivers/usb/gadget/legacy/raw_gadget.c:191 [inline] +[] raw_open+0x45/0x110 drivers/usb/gadget/legacy/raw_gadget.c:385 +[] misc_open+0x1a9/0x1f0 drivers/char/misc.c:165 + +[] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076 +[] kmalloc include/linux/slab.h:582 [inline] +[] raw_ioctl_init+0xdf/0x410 drivers/usb/gadget/legacy/raw_gadget.c:460 +[] raw_ioctl+0x5f9/0x1120 drivers/usb/gadget/legacy/raw_gadget.c:1250 +[] vfs_ioctl fs/ioctl.c:51 [inline] + +[] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076 +[] kmalloc include/linux/slab.h:582 [inline] +[] kzalloc include/linux/slab.h:703 [inline] +[] dummy_alloc_request+0x5a/0xe0 drivers/usb/gadget/udc/dummy_hcd.c:665 +[] usb_ep_alloc_request+0x22/0xd0 drivers/usb/gadget/udc/core.c:196 +[] gadget_bind+0x6d/0x370 drivers/usb/gadget/legacy/raw_gadget.c:292 + +This commit therefore invoke kref_get() under the condition that +raw_queue_event() return success. 
+ +Reported-by: syzbot+feb045d335c1fdde5bf7@syzkaller.appspotmail.com +Cc: stable +Closes: https://syzkaller.appspot.com/bug?extid=feb045d335c1fdde5bf7 +Signed-off-by: Zqiang +Reviewed-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Link: https://lore.kernel.org/r/20230714074011.20989-1-qiang.zhang1211@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/legacy/raw_gadget.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/legacy/raw_gadget.c ++++ b/drivers/usb/gadget/legacy/raw_gadget.c +@@ -310,13 +310,15 @@ static int gadget_bind(struct usb_gadget + dev->eps_num = i; + spin_unlock_irqrestore(&dev->lock, flags); + +- /* Matches kref_put() in gadget_unbind(). */ +- kref_get(&dev->count); +- + ret = raw_queue_event(dev, USB_RAW_EVENT_CONNECT, 0, NULL); +- if (ret < 0) ++ if (ret < 0) { + dev_err(&gadget->dev, "failed to queue event\n"); ++ set_gadget_data(gadget, NULL); ++ return ret; ++ } + ++ /* Matches kref_put() in gadget_unbind(). */ ++ kref_get(&dev->count); + return ret; + } + diff --git a/queue-6.1/usb-misc-ehset-fix-wrong-if-condition.patch b/queue-6.1/usb-misc-ehset-fix-wrong-if-condition.patch new file mode 100644 index 00000000000..8c21cd4a6f7 --- /dev/null +++ b/queue-6.1/usb-misc-ehset-fix-wrong-if-condition.patch 
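Review bot: The comment that moves with `kref_get(&dev->count)` in gadget_bind() still says only that it matches the kref_put() in gadget_unbind(), and not why the reference is now taken last. Going by the commit message, a reference taken before a failing raw_queue_event() was never dropped, so the ordering is the fix and deserves to be stated, e.g. `/* Take the reference only once bind can no longer fail; matches kref_put() in gadget_unbind(). */`. The new early return also leaves `dev->eps_num` and whatever gadget_bind() set up before this hunk in place, so it is worth confirming that the dev_free() path releases it; the function starts outside the hunk.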
@@ -0,0 +1,60 @@
+From 7f2327666a9080e428166964e37548b0168cd5e9 Mon Sep 17 00:00:00 2001
+From: Xu Yang
+Date: Wed, 5 Jul 2023 17:52:31 +0800
+Subject: usb: misc: ehset: fix wrong if condition
+
+From: Xu Yang
+
+commit 7f2327666a9080e428166964e37548b0168cd5e9 upstream.
+
+A negative number from ret means the host controller had failed to send
+usb message and 0 means succeed. Therefore, the if logic is wrong here
+and this patch will fix it.
+
+Fixes: f2b42379c576 ("usb: misc: ehset: Rework test mode entry")
+Cc: stable
+Signed-off-by: Xu Yang
+Link: https://lore.kernel.org/r/20230705095231.457860-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/misc/ehset.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/misc/ehset.c
++++ b/drivers/usb/misc/ehset.c
+@@ -77,7 +77,7 @@ static int ehset_probe(struct usb_interf
+ switch (test_pid) {
+ case TEST_SE0_NAK_PID:
+ ret = ehset_prepare_port_for_testing(hub_udev, portnum);
+- if (!ret)
++ if (ret < 0)
+ break;
+ ret = usb_control_msg_send(hub_udev, 0, USB_REQ_SET_FEATURE,
+ USB_RT_PORT, USB_PORT_FEAT_TEST,
+@@ -86,7 +86,7 @@ static int ehset_probe(struct usb_interf
+ break;
+ case TEST_J_PID:
+ ret = ehset_prepare_port_for_testing(hub_udev, portnum);
+- if (!ret)
++ if (ret < 0)
+ break;
+ ret = usb_control_msg_send(hub_udev, 0, USB_REQ_SET_FEATURE,
+ USB_RT_PORT, USB_PORT_FEAT_TEST,
+@@ -95,7 +95,7 @@ static int ehset_probe(struct usb_interf
+ break;
+ case TEST_K_PID:
+ ret = ehset_prepare_port_for_testing(hub_udev, portnum);
+- if (!ret)
++ if (ret < 0)
+ break;
+ ret = usb_control_msg_send(hub_udev, 0, USB_REQ_SET_FEATURE,
+ USB_RT_PORT, USB_PORT_FEAT_TEST,
+@@ -104,7 +104,7 @@ static int ehset_probe(struct usb_interf
+ break;
+ case TEST_PACKET_PID:
+ ret = ehset_prepare_port_for_testing(hub_udev, portnum);
+- if (!ret)
++ if (ret < 0)
+ break;
+ ret = usb_control_msg_send(hub_udev, 0, USB_REQ_SET_FEATURE,
+ USB_RT_PORT, USB_PORT_FEAT_TEST,
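Review bot: The corrected check `if (ret < 0)` appears four times in ehset_probe() (the TEST_SE0_NAK_PID, TEST_J_PID, TEST_K_PID and TEST_PACKET_PID cases) with nothing stating the return convention it relies on, which is how the inverted `if (!ret)` went unnoticed in every copy. A one-line comment at the first check would pin it down: `/* 0 on success, negative value on failure */`; that convention is taken from the commit message, since ehset_prepare_port_for_testing() itself is not shown. The four prepare-then-SET_FEATURE sequences look identical apart from arguments that fall outside each hunk, so a small static helper would keep any future fix in one place. The switch statement begins and ends outside these hunks.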
diff --git a/queue-6.1/usb-ohci-at91-fix-the-unhandle-interrupt-when-resume.patch b/queue-6.1/usb-ohci-at91-fix-the-unhandle-interrupt-when-resume.patch new file mode 100644 index 00000000000..e1bd31df46b --- /dev/null +++ b/queue-6.1/usb-ohci-at91-fix-the-unhandle-interrupt-when-resume.patch @@ -0,0 +1,43 @@ +From c55afcbeaa7a6f4fffdbc999a9bf3f0b29a5186f Mon Sep 17 00:00:00 2001 +From: Guiting Shen +Date: Mon, 26 Jun 2023 23:27:13 +0800 +Subject: usb: ohci-at91: Fix the unhandle interrupt when resume + +From: Guiting Shen + +commit c55afcbeaa7a6f4fffdbc999a9bf3f0b29a5186f upstream. + +The ohci_hcd_at91_drv_suspend() sets ohci->rh_state to OHCI_RH_HALTED when +suspend which will let the ohci_irq() skip the interrupt after resume. And +nobody to handle this interrupt. + +According to the comment in ohci_hcd_at91_drv_suspend(), it need to reset +when resume from suspend(MEM) to fix by setting "hibernated" argument of +ohci_resume(). + +Signed-off-by: Guiting Shen +Cc: stable +Reviewed-by: Alan Stern +Link: https://lore.kernel.org/r/20230626152713.18950-1-aarongt.shen@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/ohci-at91.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/ohci-at91.c ++++ b/drivers/usb/host/ohci-at91.c +@@ -673,7 +673,13 @@ ohci_hcd_at91_drv_resume(struct device * + else + at91_start_clock(ohci_at91); + +- ohci_resume(hcd, false); ++ /* ++ * According to the comment in ohci_hcd_at91_drv_suspend() ++ * we need to do a reset if the 48Mhz clock was stopped, ++ * that is, if ohci_at91->wakeup is clear. Tell ohci_resume() ++ * to reset in this case by setting its "hibernated" flag. ++ */ ++ ohci_resume(hcd, !ohci_at91->wakeup); + + return 0; + } diff --git a/queue-6.1/usb-quirks-add-quirk-for-focusrite-scarlett.patch b/queue-6.1/usb-quirks-add-quirk-for-focusrite-scarlett.patch new file mode 100644 index 00000000000..e68b9f2759f --- /dev/null 
+++ b/queue-6.1/usb-quirks-add-quirk-for-focusrite-scarlett.patch @@ -0,0 +1,66 @@ +From 9dc162e22387080e2d06de708b89920c0e158c9a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=81ukasz=20Bartosik?= +Date: Mon, 24 Jul 2023 13:29:11 +0200 +Subject: USB: quirks: add quirk for Focusrite Scarlett +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Łukasz Bartosik + +commit 9dc162e22387080e2d06de708b89920c0e158c9a upstream. + +The Focusrite Scarlett audio device does not behave correctly during +resumes. Below is what happens during every resume (captured with +Beagle 5000): + + + +// + + + +The Scarlett disconnects and is enumerated again. + +However from time to time it drops completely off the USB bus during +resume. Below is captured occurrence of such an event: + + + +// +// + + + + +To fix the condition a user has to unplug and plug the device again. + +With USB_QUIRK_RESET_RESUME applied ("usbcore.quirks=1235:8211:b") +for the Scarlett audio device the issue still reproduces. + +Applying USB_QUIRK_DISCONNECT_SUSPEND ("usbcore.quirks=1235:8211:m") +fixed the issue and the Scarlett audio device didn't drop off the USB +bus for ~5000 suspend/resume cycles where originally issue reproduced in +~100 or less suspend/resume cycles. + +Signed-off-by: Łukasz Bartosik +Cc: stable +Link: https://lore.kernel.org/r/20230724112911.1802577-1-lb@semihalf.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/quirks.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -436,6 +436,10 @@ static const struct usb_device_id usb_qu + /* novation SoundControl XL */ + { USB_DEVICE(0x1235, 0x0061), .driver_info = USB_QUIRK_RESET_RESUME }, + ++ /* Focusrite Scarlett Solo USB */ ++ { USB_DEVICE(0x1235, 0x8211), .driver_info = ++ USB_QUIRK_DISCONNECT_SUSPEND }, ++ + /* Huawei 4G LTE module */ + { USB_DEVICE(0x12d1, 0x15bb), .driver_info = + USB_QUIRK_DISCONNECT_SUSPEND }, 
diff --git a/queue-6.1/usb-serial-option-add-quectel-ec200a-module-support.patch b/queue-6.1/usb-serial-option-add-quectel-ec200a-module-support.patch new file mode 100644 index 00000000000..05f72278932 --- /dev/null +++ b/queue-6.1/usb-serial-option-add-quectel-ec200a-module-support.patch 
@@ -0,0 +1,64 @@ +From 857ea9005806e2a458016880278f98715873e977 Mon Sep 17 00:00:00 2001 +From: Mohsen Tahmasebi +Date: Mon, 10 Jul 2023 11:22:18 +0330 +Subject: USB: serial: option: add Quectel EC200A module support + +From: Mohsen Tahmasebi + +commit 857ea9005806e2a458016880278f98715873e977 upstream. + +Add Quectel EC200A "DIAG, AT, MODEM": + +0x6005: ECM / RNDIS + DIAG + AT + MODEM + +T: Bus=01 Lev=01 Prnt=02 Port=05 Cnt=01 Dev#= 8 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=2c7c ProdID=6005 Rev=03.18 +S: Manufacturer=Android +S: Product=Android +S: SerialNumber=0000 +C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether +E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether +E: Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=89(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=88(I) Atr=03(Int.) 
MxPS= 64 Ivl=4096ms + +Signed-off-by: Mohsen Tahmasebi +Tested-by: Mostafa Ghofrani +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -269,6 +269,7 @@ static void option_instat_callback(struc + #define QUECTEL_PRODUCT_RM520N 0x0801 + #define QUECTEL_PRODUCT_EC200U 0x0901 + #define QUECTEL_PRODUCT_EC200S_CN 0x6002 ++#define QUECTEL_PRODUCT_EC200A 0x6005 + #define QUECTEL_PRODUCT_EM061K_LWW 0x6008 + #define QUECTEL_PRODUCT_EM061K_LCN 0x6009 + #define QUECTEL_PRODUCT_EC200T 0x6026 +@@ -1229,6 +1230,7 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM520N, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, 0x0900, 0xff, 0, 0), /* RM500U-CN */ + .driver_info = ZLP }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200A, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200U, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200S_CN, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200T, 0xff, 0, 0) }, diff --git a/queue-6.1/usb-serial-option-support-quectel-em060k_128.patch b/queue-6.1/usb-serial-option-support-quectel-em060k_128.patch new file mode 100644 index 00000000000..a2eb00eb16e --- /dev/null +++ b/queue-6.1/usb-serial-option-support-quectel-em060k_128.patch 
@@ -0,0 +1,73 @@ +From 4f7cab49cecee16120d27c1734cfdf3d6c0e5329 Mon Sep 17 00:00:00 2001 +From: Jerry Meng +Date: Thu, 29 Jun 2023 17:35:22 +0800 +Subject: USB: serial: option: support Quectel EM060K_128 + +From: Jerry Meng + +commit 4f7cab49cecee16120d27c1734cfdf3d6c0e5329 upstream. + +EM060K_128 is EM060K's sub-model, having the same name "Quectel EM060K-GL" + +MBIM + GNSS + DIAG + NMEA + AT + QDSS + DPL + +T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 8 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2c7c ProdID=0128 Rev= 5.04 +S: Manufacturer=Quectel +S: Product=Quectel EM060K-GL +S: SerialNumber=f6fa08b6 +C:* #Ifs= 8 Cfg#= 1 Atr=a0 MxPwr=500mA +A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00 +I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none) +E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) 
Sub=ff Prot=80 Driver=(none) +E: Ad=8f(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Jerry Meng +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -251,6 +251,7 @@ static void option_instat_callback(struc + #define QUECTEL_PRODUCT_EM061K_LTA 0x0123 + #define QUECTEL_PRODUCT_EM061K_LMS 0x0124 + #define QUECTEL_PRODUCT_EC25 0x0125 ++#define QUECTEL_PRODUCT_EM060K_128 0x0128 + #define QUECTEL_PRODUCT_EG91 0x0191 + #define QUECTEL_PRODUCT_EG95 0x0195 + #define QUECTEL_PRODUCT_BG96 0x0296 +@@ -1197,6 +1198,9 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K, 0xff, 0x00, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K, 0xff, 0xff, 0x30) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K, 0xff, 0xff, 0x40) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K_128, 0xff, 0xff, 0x30) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K_128, 0xff, 0x00, 0x40) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K_128, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LCN, 0xff, 0xff, 0x30) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LCN, 0xff, 0x00, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LCN, 0xff, 0xff, 0x40) }, diff --git a/queue-6.1/usb-serial-simple-add-kaufmann-rks-can-vcp.patch b/queue-6.1/usb-serial-simple-add-kaufmann-rks-can-vcp.patch new file mode 100644 index 00000000000..3419b0dd5c8 --- /dev/null +++ b/queue-6.1/usb-serial-simple-add-kaufmann-rks-can-vcp.patch 
@@ -0,0 +1,54 @@ +From dd92c8a1f99bcd166204ffc219ea5a23dd65d64f Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Wed, 12 Jul 2023 16:16:41 +0200 +Subject: USB: serial: simple: add Kaufmann RKS+CAN VCP + +From: Oliver Neukum + +commit dd92c8a1f99bcd166204ffc219ea5a23dd65d64f upstream. + +Add the device and product ID for this CAN bus interface / license +dongle. The device is usable either directly from user space or can be +attached to a kernel CAN interface with slcan_attach. + +Reported-by: Kaufmann Automotive GmbH +Tested-by: Kaufmann Automotive GmbH +Signed-off-by: Oliver Neukum +[ johan: amend commit message and move entries in sort order ] +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/usb-serial-simple.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -63,6 +63,11 @@ DEVICE(flashloader, FLASHLOADER_IDS); + 0x01) } + DEVICE(google, GOOGLE_IDS); + ++/* KAUFMANN RKS+CAN VCP */ ++#define KAUFMANN_IDS() \ ++ { USB_DEVICE(0x16d0, 0x0870) } ++DEVICE(kaufmann, KAUFMANN_IDS); ++ + /* Libtransistor USB console */ + #define LIBTRANSISTOR_IDS() \ + { USB_DEVICE(0x1209, 0x8b00) } +@@ -124,6 +129,7 @@ static struct usb_serial_driver * const + &funsoft_device, + &flashloader_device, + &google_device, ++ &kaufmann_device, + &libtransistor_device, + &vivopay_device, + &moto_modem_device, +@@ -142,6 +148,7 @@ static const struct usb_device_id id_tab + FUNSOFT_IDS(), + FLASHLOADER_IDS(), + GOOGLE_IDS(), ++ KAUFMANN_IDS(), + LIBTRANSISTOR_IDS(), + VIVOPAY_IDS(), + MOTO_IDS(), diff --git a/queue-6.1/usb-serial-simple-sort-driver-entries.patch b/queue-6.1/usb-serial-simple-sort-driver-entries.patch new file mode 100644 index 00000000000..b4b5fbd732e --- /dev/null +++ b/queue-6.1/usb-serial-simple-sort-driver-entries.patch 
@@ -0,0 +1,157 @@ +From d245aedc00775c4d7265a9f4522cc4e1fd34d102 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 20 Jul 2023 09:53:57 +0200 +Subject: USB: serial: simple: sort driver entries + +From: Johan Hovold + +commit d245aedc00775c4d7265a9f4522cc4e1fd34d102 upstream. + +Sort the driver symbols alphabetically in order to make it more obvious +where new driver entries should be added. + +Cc: stable@vger.kernel.org +Acked-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/usb-serial-simple.c | 66 ++++++++++++++++----------------- + 1 file changed, 33 insertions(+), 33 deletions(-) + +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -38,16 +38,6 @@ static struct usb_serial_driver vendor## + { USB_DEVICE(0x0a21, 0x8001) } /* MMT-7305WW */ + DEVICE(carelink, CARELINK_IDS); + +-/* ZIO Motherboard USB driver */ +-#define ZIO_IDS() \ +- { USB_DEVICE(0x1CBE, 0x0103) } +-DEVICE(zio, ZIO_IDS); +- +-/* Funsoft Serial USB driver */ +-#define FUNSOFT_IDS() \ +- { USB_DEVICE(0x1404, 0xcddc) } +-DEVICE(funsoft, FUNSOFT_IDS); +- + /* Infineon Flashloader driver */ + #define FLASHLOADER_IDS() \ + { USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \ +@@ -55,6 +45,11 @@ DEVICE(funsoft, FUNSOFT_IDS); + { USB_DEVICE(0x8087, 0x0801) } + DEVICE(flashloader, FLASHLOADER_IDS); + ++/* Funsoft Serial USB driver */ ++#define FUNSOFT_IDS() \ ++ { USB_DEVICE(0x1404, 0xcddc) } ++DEVICE(funsoft, FUNSOFT_IDS); ++ + /* Google Serial USB SubClass */ + #define GOOGLE_IDS() \ + { USB_VENDOR_AND_INTERFACE_INFO(0x18d1, \ +@@ -63,6 +58,11 @@ DEVICE(flashloader, FLASHLOADER_IDS); + 0x01) } + DEVICE(google, GOOGLE_IDS); + ++/* HP4x (48/49) Generic Serial driver */ ++#define HP4X_IDS() \ ++ { USB_DEVICE(0x03f0, 0x0121) } ++DEVICE(hp4x, HP4X_IDS); ++ + /* KAUFMANN RKS+CAN VCP */ + #define KAUFMANN_IDS() \ + { USB_DEVICE(0x16d0, 0x0870) } +@@ -73,11 +73,6 @@ 
DEVICE(kaufmann, KAUFMANN_IDS); + { USB_DEVICE(0x1209, 0x8b00) } + DEVICE(libtransistor, LIBTRANSISTOR_IDS); + +-/* ViVOpay USB Serial Driver */ +-#define VIVOPAY_IDS() \ +- { USB_DEVICE(0x1d5f, 0x1004) } /* ViVOpay 8800 */ +-DEVICE(vivopay, VIVOPAY_IDS); +- + /* Motorola USB Phone driver */ + #define MOTO_IDS() \ + { USB_DEVICE(0x05c6, 0x3197) }, /* unknown Motorola phone */ \ +@@ -106,10 +101,10 @@ DEVICE(nokia, NOKIA_IDS); + { USB_DEVICE(0x09d7, 0x0100) } /* NovAtel FlexPack GPS */ + DEVICE_N(novatel_gps, NOVATEL_IDS, 3); + +-/* HP4x (48/49) Generic Serial driver */ +-#define HP4X_IDS() \ +- { USB_DEVICE(0x03f0, 0x0121) } +-DEVICE(hp4x, HP4X_IDS); ++/* Siemens USB/MPI adapter */ ++#define SIEMENS_IDS() \ ++ { USB_DEVICE(0x908, 0x0004) } ++DEVICE(siemens_mpi, SIEMENS_IDS); + + /* Suunto ANT+ USB Driver */ + #define SUUNTO_IDS() \ +@@ -117,47 +112,52 @@ DEVICE(hp4x, HP4X_IDS); + { USB_DEVICE(0x0fcf, 0x1009) } /* Dynastream ANT USB-m Stick */ + DEVICE(suunto, SUUNTO_IDS); + +-/* Siemens USB/MPI adapter */ +-#define SIEMENS_IDS() \ +- { USB_DEVICE(0x908, 0x0004) } +-DEVICE(siemens_mpi, SIEMENS_IDS); ++/* ViVOpay USB Serial Driver */ ++#define VIVOPAY_IDS() \ ++ { USB_DEVICE(0x1d5f, 0x1004) } /* ViVOpay 8800 */ ++DEVICE(vivopay, VIVOPAY_IDS); ++ ++/* ZIO Motherboard USB driver */ ++#define ZIO_IDS() \ ++ { USB_DEVICE(0x1CBE, 0x0103) } ++DEVICE(zio, ZIO_IDS); + + /* All of the above structures mushed into two lists */ + static struct usb_serial_driver * const serial_drivers[] = { + &carelink_device, +- &zio_device, +- &funsoft_device, + &flashloader_device, ++ &funsoft_device, + &google_device, ++ &hp4x_device, + &kaufmann_device, + &libtransistor_device, +- &vivopay_device, + &moto_modem_device, + &motorola_tetra_device, + &nokia_device, + &novatel_gps_device, +- &hp4x_device, +- &suunto_device, + &siemens_mpi_device, ++ &suunto_device, ++ &vivopay_device, ++ &zio_device, + NULL + }; + + static const struct usb_device_id id_table[] = { + CARELINK_IDS(), +- ZIO_IDS(), 
+- FUNSOFT_IDS(), + FLASHLOADER_IDS(), ++ FUNSOFT_IDS(), + GOOGLE_IDS(), ++ HP4X_IDS(), + KAUFMANN_IDS(), + LIBTRANSISTOR_IDS(), +- VIVOPAY_IDS(), + MOTO_IDS(), + MOTOROLA_TETRA_IDS(), + NOKIA_IDS(), + NOVATEL_IDS(), +- HP4X_IDS(), +- SUUNTO_IDS(), + SIEMENS_IDS(), ++ SUUNTO_IDS(), ++ VIVOPAY_IDS(), ++ ZIO_IDS(), + { }, + }; + MODULE_DEVICE_TABLE(usb, id_table); diff --git a/queue-6.1/usb-typec-iterate-pds-array-when-showing-the-pd-list.patch b/queue-6.1/usb-typec-iterate-pds-array-when-showing-the-pd-list.patch new file mode 100644 index 00000000000..1177d9b8802 --- /dev/null +++ b/queue-6.1/usb-typec-iterate-pds-array-when-showing-the-pd-list.patch 
@@ -0,0 +1,52 @@
+From 4b642dc9829507e4afabc03d32a18abbdb192c5e Mon Sep 17 00:00:00 2001
+From: Kyle Tso
+Date: Fri, 23 Jun 2023 23:10:35 +0800
+Subject: usb: typec: Iterate pds array when showing the pd list
+
+From: Kyle Tso
+
+commit 4b642dc9829507e4afabc03d32a18abbdb192c5e upstream.
+
+The pointers of each usb_power_delivery handles are stored in "pds"
+array returned from the pd_get ops but not in the adjacent memory
+calculated from "pd". Get the handles from "pds" array directly instead
+of deriving them from "pd".
+
+Fixes: a7cff92f0635 ("usb: typec: USB Power Delivery helpers for ports and partners")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kyle Tso
+Acked-by: Heikki Krogerus
+Link: https://lore.kernel.org/r/20230623151036.3955013-3-kyletso@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/class.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/typec/class.c
++++ b/drivers/usb/typec/class.c
+@@ -1258,8 +1258,7 @@ static ssize_t select_usb_power_delivery
+ {
+ struct typec_port *port = to_typec_port(dev);
+ struct usb_power_delivery **pds;
+- struct usb_power_delivery *pd;
+- int ret = 0;
++ int i, ret = 0;
+
+ if (!port->ops || !port->ops->pd_get)
+ return -EOPNOTSUPP;
+@@ -1268,11 +1267,11 @@ static ssize_t select_usb_power_delivery
+ if (!pds)
+ return 0;
+
+- for (pd = pds[0]; pd; pd++) {
+- if (pd == port->pd)
+- ret += sysfs_emit(buf + ret, "[%s] ", dev_name(&pd->dev));
++ for (i = 0; pds[i]; i++) {
++ if (pds[i] == port->pd)
++ ret += sysfs_emit(buf + ret, "[%s] ", dev_name(&pds[i]->dev));
+ else
+- ret += sysfs_emit(buf + ret, "%s ", dev_name(&pd->dev));
++ ret += sysfs_emit(buf + ret, "%s ", dev_name(&pds[i]->dev));
+ }
+
+ buf[ret - 1] = '\n';
diff --git a/queue-6.1/usb-typec-set-port-pd-before-adding-device-for-typec_port.patch b/queue-6.1/usb-typec-set-port-pd-before-adding-device-for-typec_port.patch
new file mode 100644
index 00000000000..45fe8ad2e77
--- /dev/null
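Review bot: The unchanged line `buf[ret - 1] = '\n';` after the rewritten loop writes one byte before the start of `buf` when `pds` is non-NULL but `pds[0]` is NULL, because the loop then emits nothing and `ret` is still 0. Whether pd_get can return such an empty array is not visible here, so this is a hardening point rather than a confirmed bug: guard the write with `if (ret) buf[ret - 1] = '\n';`. The same line is context in the later sysfs_emit_at() hunk for this file on this page. The function body continues outside the hunk.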
+++ b/queue-6.1/usb-typec-set-port-pd-before-adding-device-for-typec_port.patch
@@ -0,0 +1,47 @@
+From b33ebb2415e7e0a55ee3d049c2890d3a3e3805b6 Mon Sep 17 00:00:00 2001
+From: Kyle Tso
+Date: Fri, 23 Jun 2023 23:10:34 +0800
+Subject: usb: typec: Set port->pd before adding device for typec_port
+
+From: Kyle Tso
+
+commit b33ebb2415e7e0a55ee3d049c2890d3a3e3805b6 upstream.
+
+When calling device_add in the registration of typec_port, it will do
+the NULL check on usb_power_delivery handle in typec_port for the
+visibility of the device attributes. It is always NULL because port->pd
+is set in typec_port_set_usb_power_delivery which is later than the
+device_add call.
+
+Set port->pd before device_add and only link the device after that.
+
+Fixes: a7cff92f0635 ("usb: typec: USB Power Delivery helpers for ports and partners")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kyle Tso
+Acked-by: Heikki Krogerus
+Link: https://lore.kernel.org/r/20230623151036.3955013-2-kyletso@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/class.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/class.c
++++ b/drivers/usb/typec/class.c
+@@ -2259,6 +2259,8 @@ struct typec_port *typec_register_port(s
+ return ERR_PTR(ret);
+ }
+
++ port->pd = cap->pd;
++
+ ret = device_add(&port->dev);
+ if (ret) {
+ dev_err(parent, "failed to register port (%d)\n", ret);
+@@ -2266,7 +2268,7 @@ struct typec_port *typec_register_port(s
+ return ERR_PTR(ret);
+ }
+
+- ret = typec_port_set_usb_power_delivery(port, cap->pd);
++ ret = usb_power_delivery_link_device(port->pd, &port->dev);
+ if (ret) {
+ dev_err(&port->dev, "failed to link pd\n");
+ device_unregister(&port->dev);
diff --git a/queue-6.1/usb-typec-use-sysfs_emit_at-when-concatenating-the-string.patch b/queue-6.1/usb-typec-use-sysfs_emit_at-when-concatenating-the-string.patch
new file mode 100644
index 00000000000..db2b38648dd
--- /dev/null
+++ b/queue-6.1/usb-typec-use-sysfs_emit_at-when-concatenating-the-string.patch
@@ -0,0 +1,36 @@
+From 609fded3f91972ada551c141c5d04a71704f8967 Mon Sep 17 00:00:00 2001
+From: Kyle Tso
+Date: Fri, 23 Jun 2023 23:10:36 +0800
+Subject: usb: typec: Use sysfs_emit_at when concatenating the string
+
+From: Kyle Tso
+
+commit 609fded3f91972ada551c141c5d04a71704f8967 upstream.
+
+The buffer address used in sysfs_emit should be aligned to PAGE_SIZE.
+Use sysfs_emit_at instead to offset the buffer.
+
+Fixes: a7cff92f0635 ("usb: typec: USB Power Delivery helpers for ports and partners")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kyle Tso
+Acked-by: Heikki Krogerus
+Link: https://lore.kernel.org/r/20230623151036.3955013-4-kyletso@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/class.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/typec/class.c
++++ b/drivers/usb/typec/class.c
+@@ -1269,9 +1269,9 @@ static ssize_t select_usb_power_delivery
+
+ for (i = 0; pds[i]; i++) {
+ if (pds[i] == port->pd)
+- ret += sysfs_emit(buf + ret, "[%s] ", dev_name(&pds[i]->dev));
++ ret += sysfs_emit_at(buf, ret, "[%s] ", dev_name(&pds[i]->dev));
+ else
+- ret += sysfs_emit(buf + ret, "%s ", dev_name(&pds[i]->dev));
++ ret += sysfs_emit_at(buf, ret, "%s ", dev_name(&pds[i]->dev));
+ }
+
+ buf[ret - 1] = '\n';
diff --git a/queue-6.1/usb-xhci-mtk-set-the-dma-max_seg_size.patch b/queue-6.1/usb-xhci-mtk-set-the-dma-max_seg_size.patch
new file mode 100644
index 00000000000..ab2237ecff7
--- /dev/null
+++ b/queue-6.1/usb-xhci-mtk-set-the-dma-max_seg_size.patch
@@ -0,0 +1,35 @@
+From 9fd10829a9eb482e192a845675ecc5480e0bfa10 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda
+Date: Wed, 19 Jul 2023 13:01:04 +0000
+Subject: usb: xhci-mtk: set the dma max_seg_size
+
+From: Ricardo Ribalda
+
+commit 9fd10829a9eb482e192a845675ecc5480e0bfa10 upstream.
+
+Allow devices to have dma operations beyond 64K, and avoid warnings such
+as:
+
+DMA-API: xhci-mtk 11200000.usb: mapping sg segment longer than device claims to support [len=98304] [max=65536]
+
+Fixes: 0cbd4b34cda9 ("xhci: mediatek: support MTK xHCI host controller")
+Cc: stable
+Tested-by: Zubin Mithra
+Reported-by: Zubin Mithra
+Signed-off-by: Ricardo Ribalda
+Link: https://lore.kernel.org/r/20230628-mtk-usb-v2-1-c8c34eb9f229@chromium.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-mtk.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/host/xhci-mtk.c
++++ b/drivers/usb/host/xhci-mtk.c
+@@ -590,6 +590,7 @@ static int xhci_mtk_probe(struct platfor
+ }
+
+ device_init_wakeup(dev, true);
++ dma_set_max_seg_size(dev, UINT_MAX);
+
+ xhci = hcd_to_xhci(hcd);
+ xhci->main_hcd = hcd;
diff --git a/queue-6.1/x86-mce-amd-decrement-threshold_bank-refcount-when-removing-threshold-blocks.patch b/queue-6.1/x86-mce-amd-decrement-threshold_bank-refcount-when-removing-threshold-blocks.patch
new file mode 100644
index 00000000000..2f8e7a1a885
--- /dev/null
+++ b/queue-6.1/x86-mce-amd-decrement-threshold_bank-refcount-when-removing-threshold-blocks.patch
@@ -0,0 +1,93 @@
+From 3ba2e83334bed2b1980b59734e6e84dfaf96026c Mon Sep 17 00:00:00 2001
+From: Yazen Ghannam
+Date: Mon, 6 Jun 2022 19:45:56 +0000
+Subject: x86/MCE/AMD: Decrement threshold_bank refcount when removing threshold blocks
+
+From: Yazen Ghannam
+
+commit 3ba2e83334bed2b1980b59734e6e84dfaf96026c upstream.
+
+AMD systems from Family 10h to 16h share MCA bank 4 across multiple CPUs.
+Therefore, the threshold_bank structure for bank 4, and its threshold_block
+structures, will be initialized once at boot time. And the kobject for the
+shared bank will be added to each of the CPUs that share it. Furthermore,
+the threshold_blocks for the shared bank will be added again to the bank's
+kobject. These additions will increase the refcount for the bank's kobject.
+
+For example, a shared bank with two blocks and shared across two CPUs will
+be set up like this:
+
+ CPU0 init
+ bank create and add; bank refcount = 1; threshold_create_bank()
+ block 0 init and add; bank refcount = 2; allocate_threshold_blocks()
+ block 1 init and add; bank refcount = 3; allocate_threshold_blocks()
+ CPU1 init
+ bank add; bank refcount = 3; threshold_create_bank()
+ block 0 add; bank refcount = 4; __threshold_add_blocks()
+ block 1 add; bank refcount = 5; __threshold_add_blocks()
+
+Currently in threshold_remove_bank(), if the bank is shared then
+__threshold_remove_blocks() is called. Here the shared bank's kobject and
+the bank's blocks' kobjects are deleted. This is done on the first call
+even while the structures are still shared. Subsequent calls from other
+CPUs that share the structures will attempt to delete the kobjects.
+
+During kobject_del(), kobject->sd is removed. If the kobject is not part of
+a kset with default_groups, then subsequent kobject_del() calls seem safe
+even with kobject->sd == NULL.
+
+Originally, the AMD MCA thresholding structures did not use default_groups.
+And so the above behavior was not apparent.
+
+However, a recent change implemented default_groups for the thresholding
+structures. Therefore, kobject_del() will go down the sysfs_remove_groups()
+code path. In this case, the first kobject_del() may succeed and remove
+kobject->sd. But subsequent kobject_del() calls will give a WARNing in
+kernfs_remove_by_name_ns() since kobject->sd == NULL.
+
+Use kobject_put() on the shared bank's kobject when "removing" blocks. This
+decrements the bank's refcount while keeping kobjects enabled until the
+bank is no longer shared. At that point, kobject_put() will be called on
+the blocks which drives their refcount to 0 and deletes them and also
+decrementing the bank's refcount. And finally kobject_put() will be called
+on the bank driving its refcount to 0 and deleting it.
+
+The same example above:
+
+ CPU1 shutdown
+ bank is shared; bank refcount = 5; threshold_remove_bank()
+ block 0 put parent bank; bank refcount = 4; __threshold_remove_blocks()
+ block 1 put parent bank; bank refcount = 3; __threshold_remove_blocks()
+ CPU0 shutdown
+ bank is no longer shared; bank refcount = 3; threshold_remove_bank()
+ block 0 put block; bank refcount = 2; deallocate_threshold_blocks()
+ block 1 put block; bank refcount = 1; deallocate_threshold_blocks()
+ put bank; bank refcount = 0; threshold_remove_bank()
+
+Fixes: 7f99cb5e6039 ("x86/CPU/AMD: Use default_groups in kobj_type")
+Reported-by: Mikulas Patocka
+Signed-off-by: Yazen Ghannam
+Signed-off-by: Borislav Petkov (AMD)
+Tested-by: Mikulas Patocka
+Cc:
+Link: https://lore.kernel.org/r/alpine.LRH.2.02.2205301145540.25840@file01.intranet.prod.int.rdu2.redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/cpu/mce/amd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mce/amd.c
++++ b/arch/x86/kernel/cpu/mce/amd.c
+@@ -1265,10 +1265,10 @@ static void __threshold_remove_blocks(st
+ struct threshold_block *pos = NULL;
+ struct threshold_block *tmp = NULL;
+
+- kobject_del(b->kobj);
++ kobject_put(b->kobj);
+
+ list_for_each_entry_safe(pos, tmp, &b->blocks->miscj, miscj)
+- kobject_del(&pos->kobj);
++ kobject_put(b->kobj);
+ }
+
+ static void threshold_remove_bank(struct threshold_bank *bank)
-- 2.47.3
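Review bot: On the new side of __threshold_remove_blocks() the loop body is `kobject_put(b->kobj);` and never touches `pos`, which reads like a typo for `&pos->kobj` unless the reader has the commit message at hand. An extra or missing put on the shared bank kobject is a lifetime bug: it is either released while other CPUs still reference it, or never released. The intent therefore deserves a comment above the loop, e.g. `/* Drop the bank reference taken for each block; the blocks stay until the bank is unshared. */`. Since nothing is unlinked during the walk, `list_for_each_entry(pos, &b->blocks->miscj, miscj)` would also do and lets `tmp` go. The function's signature and opening brace are outside the hunk.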