From 8deba33eae0d99cc9ba16c84b3da46e445200623 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 6 Sep 2022 08:45:46 +0200 Subject: [PATCH] drop some dwc3 patches from queue --- queue-5.10/series | 2 - ...d-helper-functions-to-enable-disable.patch | 107 ------------------ ...x-use-after-free-on-runtime-pm-wakeu.patch | 82 -------------- queue-5.15/series | 2 - ...d-helper-functions-to-enable-disable.patch | 107 ------------------ ...x-use-after-free-on-runtime-pm-wakeu.patch | 82 -------------- queue-5.19/series | 2 - ...d-helper-functions-to-enable-disable.patch | 107 ------------------ ...x-use-after-free-on-runtime-pm-wakeu.patch | 82 -------------- 9 files changed, 573 deletions(-) delete mode 100644 queue-5.10/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch delete mode 100644 queue-5.10/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch delete mode 100644 queue-5.15/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch delete mode 100644 queue-5.15/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch delete mode 100644 queue-5.19/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch delete mode 100644 queue-5.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch diff --git a/queue-5.10/series b/queue-5.10/series index 62521a60af7..cdc7023daf0 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -4,7 +4,6 @@ drm-msm-dsi-fix-number-of-regulators-for-msm8996_dsi.patch drm-msm-dsi-fix-number-of-regulators-for-sdm660.patch platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch iio-adc-mcp3911-make-use-of-the-sign-bit.patch -usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch bpf-cgroup-fix-kernel-bug-in-purge_effective_progs.patch ieee802154-adf7242-defer-destroy_workqueue-call.patch alsa-hda-intel-nhlt-remove-use-of-__func__-in-dev_db.patch @@ -31,7 +30,6 @@ misc-fastrpc-fix-memory-corruption-on-probe.patch misc-fastrpc-fix-memory-corruption-on-open.patch usb-serial-ftdi_sio-add-omron-cs1w-cif31-device-id.patch binder-fix-uaf-of-ref-proc-caused-by-race-condition.patch -usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch drm-i915-reg-fix-spelling-mistake-unsupport-unsuppor.patch clk-core-honor-clk_ops_parent_enable-for-clk-gate-op.patch revert-clk-core-honor-clk_ops_parent_enable-for-clk-.patch diff --git a/queue-5.10/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch b/queue-5.10/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch deleted file mode 100644 index b1377371d79..00000000000 --- a/queue-5.10/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch +++ /dev/null @@ -1,107 +0,0 @@ -From 9eeb2d8aded7ceb9c5c9d0c8d40bd1b5705fb099 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 13 Jun 2022 10:00:52 +0530 -Subject: usb: dwc3: qcom: Add helper functions to enable,disable wake irqs - -From: Sandeep Maheswaram - -[ Upstream commit 360e8230516de94d74d30c64f0cdcf228b8e8b67 ] - -Adding helper functions to enable,disable wake irqs to make -the code simple and readable. - -Reviewed-by: Matthias Kaehlcke -Reviewed-by: Pavankumar Kondeti -Signed-off-by: Sandeep Maheswaram -Signed-off-by: Krishna Kurapati -Link: https://lore.kernel.org/r/1655094654-24052-4-git-send-email-quic_kriskura@quicinc.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/dwc3/dwc3-qcom.c | 58 ++++++++++++++++-------------------- - 1 file changed, 26 insertions(+), 32 deletions(-) - -diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c -index 915fa4197d770..1ae854d1d1d83 100644 ---- a/drivers/usb/dwc3/dwc3-qcom.c -+++ b/drivers/usb/dwc3/dwc3-qcom.c -@@ -296,50 +296,44 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom) - icc_put(qcom->icc_path_apps); - } - -+static void dwc3_qcom_enable_wakeup_irq(int irq) -+{ -+ if (!irq) -+ return; -+ -+ enable_irq(irq); -+ enable_irq_wake(irq); -+} -+ -+static void dwc3_qcom_disable_wakeup_irq(int irq) -+{ -+ if (!irq) -+ return; -+ -+ disable_irq_wake(irq); -+ disable_irq_nosync(irq); -+} -+ - static void dwc3_qcom_disable_interrupts(struct dwc3_qcom *qcom) - { -- if (qcom->hs_phy_irq) { -- disable_irq_wake(qcom->hs_phy_irq); -- disable_irq_nosync(qcom->hs_phy_irq); -- } -+ dwc3_qcom_disable_wakeup_irq(qcom->hs_phy_irq); - -- if (qcom->dp_hs_phy_irq) { -- disable_irq_wake(qcom->dp_hs_phy_irq); -- disable_irq_nosync(qcom->dp_hs_phy_irq); -- } -+ dwc3_qcom_disable_wakeup_irq(qcom->dp_hs_phy_irq); - -- if (qcom->dm_hs_phy_irq) { -- disable_irq_wake(qcom->dm_hs_phy_irq); -- disable_irq_nosync(qcom->dm_hs_phy_irq); -- } -+ dwc3_qcom_disable_wakeup_irq(qcom->dm_hs_phy_irq); - -- if (qcom->ss_phy_irq) { -- disable_irq_wake(qcom->ss_phy_irq); -- disable_irq_nosync(qcom->ss_phy_irq); -- } -+ dwc3_qcom_disable_wakeup_irq(qcom->ss_phy_irq); - } - - static void dwc3_qcom_enable_interrupts(struct dwc3_qcom *qcom) - { -- if (qcom->hs_phy_irq) { -- enable_irq(qcom->hs_phy_irq); -- enable_irq_wake(qcom->hs_phy_irq); -- } -+ dwc3_qcom_enable_wakeup_irq(qcom->hs_phy_irq); - -- if (qcom->dp_hs_phy_irq) { -- enable_irq(qcom->dp_hs_phy_irq); -- enable_irq_wake(qcom->dp_hs_phy_irq); -- } -+ dwc3_qcom_enable_wakeup_irq(qcom->dp_hs_phy_irq); - -- if (qcom->dm_hs_phy_irq) { -- enable_irq(qcom->dm_hs_phy_irq); -- enable_irq_wake(qcom->dm_hs_phy_irq); -- } -+ dwc3_qcom_enable_wakeup_irq(qcom->dm_hs_phy_irq); - -- if (qcom->ss_phy_irq) { -- enable_irq(qcom->ss_phy_irq); -- enable_irq_wake(qcom->ss_phy_irq); -- } -+ dwc3_qcom_enable_wakeup_irq(qcom->ss_phy_irq); - } - - static int dwc3_qcom_suspend(struct dwc3_qcom *qcom) --- -2.35.1 - diff --git a/queue-5.10/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch b/queue-5.10/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch deleted file mode 100644 index 644cbce159e..00000000000 --- a/queue-5.10/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch +++ /dev/null @@ -1,82 +0,0 @@ -From b8447ef07dee432cb7d4f393d1230478fdccf1da Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 4 Aug 2022 17:09:56 +0200 -Subject: usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup - -From: Johan Hovold - -[ Upstream commit a872ab303d5ddd4c965f9cd868677781a33ce35a ] - -The Qualcomm dwc3 runtime-PM implementation checks the xhci -platform-device pointer in the wakeup-interrupt handler to determine -whether the controller is in host mode and if so triggers a resume. - -After a role switch in OTG mode the xhci platform-device would have been -freed and the next wakeup from runtime suspend would access the freed -memory. - -Note that role switching is executed from a freezable workqueue, which -guarantees that the pointer is stable during suspend. - -Also note that runtime PM has been broken since commit 2664deb09306 -("usb: dwc3: qcom: Honor wakeup enabled/disabled state"), which -incidentally also prevents this issue from being triggered. - -Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver") -Cc: stable@vger.kernel.org # 4.18 -Reviewed-by: Matthias Kaehlcke -Reviewed-by: Manivannan Sadhasivam -Signed-off-by: Johan Hovold -Link: https://lore.kernel.org/r/20220804151001.23612-5-johan+linaro@kernel.org -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/dwc3/dwc3-qcom.c | 14 +++++++++++++- - drivers/usb/dwc3/host.c | 1 + - 2 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c -index 1ae854d1d1d83..adf3d046152ef 100644 ---- a/drivers/usb/dwc3/dwc3-qcom.c -+++ b/drivers/usb/dwc3/dwc3-qcom.c -@@ -296,6 +296,14 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom) - icc_put(qcom->icc_path_apps); - } - -+/* Only usable in contexts where the role can not change. */ -+static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom) -+{ -+ struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); -+ -+ return dwc->xhci; -+} -+ - static void dwc3_qcom_enable_wakeup_irq(int irq) - { - if (!irq) -@@ -405,7 +413,11 @@ static irqreturn_t qcom_dwc3_resume_irq(int irq, void *data) - if (qcom->pm_suspended) - return IRQ_HANDLED; - -- if (dwc->xhci) -+ /* -+ * This is safe as role switching is done from a freezable workqueue -+ * and the wakeup interrupts are disabled as part of resume. -+ */ -+ if (dwc3_qcom_is_host(qcom)) - pm_runtime_resume(&dwc->xhci->dev); - - return IRQ_HANDLED; -diff --git a/drivers/usb/dwc3/host.c b/drivers/usb/dwc3/host.c -index e195176580de1..b06ab85f8187e 100644 ---- a/drivers/usb/dwc3/host.c -+++ b/drivers/usb/dwc3/host.c -@@ -130,4 +130,5 @@ int dwc3_host_init(struct dwc3 *dwc) - void dwc3_host_exit(struct dwc3 *dwc) - { - platform_device_unregister(dwc->xhci); -+ dwc->xhci = NULL; - } --- -2.35.1 - diff --git a/queue-5.15/series b/queue-5.15/series index 10dcfe056c6..bdf57c7cf14 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -6,7 +6,6 @@ platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch iio-adc-mcp3911-make-use-of-the-sign-bit.patch skmsg-fix-wrong-last-sg-check-in-sk_msg_recvmsg.patch bpf-restrict-bpf_sys_bpf-to-cap_perfmon.patch -usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch bpf-cgroup-fix-kernel-bug-in-purge_effective_progs.patch ieee802154-adf7242-defer-destroy_workqueue-call.patch drm-i915-backlight-extract-backlight-code-to-a-separ.patch @@ -47,7 +46,6 @@ mmc-core-fix-inconsistent-sd3_bus_mode-at-uhs-i-sd-voltage-switch-failure.patch binder-fix-uaf-of-ref-proc-caused-by-race-condition.patch binder-fix-alloc-vma_vm_mm-null-ptr-dereference.patch cifs-fix-small-mempool-leak-in-smb2_negotiate.patch -usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch kvm-vmx-heed-the-msr-argument-in-msr_write_intercept.patch drm-i915-reg-fix-spelling-mistake-unsupport-unsuppor.patch clk-core-honor-clk_ops_parent_enable-for-clk-gate-op.patch diff --git a/queue-5.15/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch b/queue-5.15/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch deleted file mode 100644 index 29d54ad038f..00000000000 --- a/queue-5.15/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch +++ /dev/null @@ -1,107 +0,0 @@ -From 6c4f7ff5731662959b2642de424a88a90aaeec42 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 13 Jun 2022 10:00:52 +0530 -Subject: usb: dwc3: qcom: Add helper functions to enable,disable wake irqs - -From: Sandeep Maheswaram - -[ Upstream commit 360e8230516de94d74d30c64f0cdcf228b8e8b67 ] - -Adding helper functions to enable,disable wake irqs to make -the code simple and readable. - -Reviewed-by: Matthias Kaehlcke -Reviewed-by: Pavankumar Kondeti -Signed-off-by: Sandeep Maheswaram -Signed-off-by: Krishna Kurapati -Link: https://lore.kernel.org/r/1655094654-24052-4-git-send-email-quic_kriskura@quicinc.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/dwc3/dwc3-qcom.c | 58 ++++++++++++++++-------------------- - 1 file changed, 26 insertions(+), 32 deletions(-) - -diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c -index 873bf5041117f..74895cf57dd54 100644 ---- a/drivers/usb/dwc3/dwc3-qcom.c -+++ b/drivers/usb/dwc3/dwc3-qcom.c -@@ -296,50 +296,44 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom) - icc_put(qcom->icc_path_apps); - } - -+static void dwc3_qcom_enable_wakeup_irq(int irq) -+{ -+ if (!irq) -+ return; -+ -+ enable_irq(irq); -+ enable_irq_wake(irq); -+} -+ -+static void dwc3_qcom_disable_wakeup_irq(int irq) -+{ -+ if (!irq) -+ return; -+ -+ disable_irq_wake(irq); -+ disable_irq_nosync(irq); -+} -+ - static void dwc3_qcom_disable_interrupts(struct dwc3_qcom *qcom) - { -- if (qcom->hs_phy_irq) { -- disable_irq_wake(qcom->hs_phy_irq); -- disable_irq_nosync(qcom->hs_phy_irq); -- } -+ dwc3_qcom_disable_wakeup_irq(qcom->hs_phy_irq); - -- if (qcom->dp_hs_phy_irq) { -- disable_irq_wake(qcom->dp_hs_phy_irq); -- disable_irq_nosync(qcom->dp_hs_phy_irq); -- } -+ dwc3_qcom_disable_wakeup_irq(qcom->dp_hs_phy_irq); - -- if (qcom->dm_hs_phy_irq) { -- disable_irq_wake(qcom->dm_hs_phy_irq); -- disable_irq_nosync(qcom->dm_hs_phy_irq); -- } -+ dwc3_qcom_disable_wakeup_irq(qcom->dm_hs_phy_irq); - -- if (qcom->ss_phy_irq) { -- disable_irq_wake(qcom->ss_phy_irq); -- disable_irq_nosync(qcom->ss_phy_irq); -- } -+ dwc3_qcom_disable_wakeup_irq(qcom->ss_phy_irq); - } - - static void dwc3_qcom_enable_interrupts(struct dwc3_qcom *qcom) - { -- if (qcom->hs_phy_irq) { -- enable_irq(qcom->hs_phy_irq); -- enable_irq_wake(qcom->hs_phy_irq); -- } -+ dwc3_qcom_enable_wakeup_irq(qcom->hs_phy_irq); - -- if (qcom->dp_hs_phy_irq) { -- enable_irq(qcom->dp_hs_phy_irq); -- enable_irq_wake(qcom->dp_hs_phy_irq); -- } -+ dwc3_qcom_enable_wakeup_irq(qcom->dp_hs_phy_irq); - -- if (qcom->dm_hs_phy_irq) { -- enable_irq(qcom->dm_hs_phy_irq); -- enable_irq_wake(qcom->dm_hs_phy_irq); -- } -+ dwc3_qcom_enable_wakeup_irq(qcom->dm_hs_phy_irq); - -- if (qcom->ss_phy_irq) { -- enable_irq(qcom->ss_phy_irq); -- enable_irq_wake(qcom->ss_phy_irq); -- } -+ dwc3_qcom_enable_wakeup_irq(qcom->ss_phy_irq); - } - - static int dwc3_qcom_suspend(struct dwc3_qcom *qcom) --- -2.35.1 - diff --git a/queue-5.15/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch b/queue-5.15/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch deleted file mode 100644 index 3f14ee33f79..00000000000 --- a/queue-5.15/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 0f84676e57dd543c4857a810a8911bf7a1abee4e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 4 Aug 2022 17:09:56 +0200 -Subject: usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup - -From: Johan Hovold - -[ Upstream commit a872ab303d5ddd4c965f9cd868677781a33ce35a ] - -The Qualcomm dwc3 runtime-PM implementation checks the xhci -platform-device pointer in the wakeup-interrupt handler to determine -whether the controller is in host mode and if so triggers a resume. - -After a role switch in OTG mode the xhci platform-device would have been -freed and the next wakeup from runtime suspend would access the freed -memory. - -Note that role switching is executed from a freezable workqueue, which -guarantees that the pointer is stable during suspend. - -Also note that runtime PM has been broken since commit 2664deb09306 -("usb: dwc3: qcom: Honor wakeup enabled/disabled state"), which -incidentally also prevents this issue from being triggered. - -Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver") -Cc: stable@vger.kernel.org # 4.18 -Reviewed-by: Matthias Kaehlcke -Reviewed-by: Manivannan Sadhasivam -Signed-off-by: Johan Hovold -Link: https://lore.kernel.org/r/20220804151001.23612-5-johan+linaro@kernel.org -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/dwc3/dwc3-qcom.c | 14 +++++++++++++- - drivers/usb/dwc3/host.c | 1 + - 2 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c -index 74895cf57dd54..725291d7cbe37 100644 ---- a/drivers/usb/dwc3/dwc3-qcom.c -+++ b/drivers/usb/dwc3/dwc3-qcom.c -@@ -296,6 +296,14 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom) - icc_put(qcom->icc_path_apps); - } - -+/* Only usable in contexts where the role can not change. */ -+static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom) -+{ -+ struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); -+ -+ return dwc->xhci; -+} -+ - static void dwc3_qcom_enable_wakeup_irq(int irq) - { - if (!irq) -@@ -405,7 +413,11 @@ static irqreturn_t qcom_dwc3_resume_irq(int irq, void *data) - if (qcom->pm_suspended) - return IRQ_HANDLED; - -- if (dwc->xhci) -+ /* -+ * This is safe as role switching is done from a freezable workqueue -+ * and the wakeup interrupts are disabled as part of resume. -+ */ -+ if (dwc3_qcom_is_host(qcom)) - pm_runtime_resume(&dwc->xhci->dev); - - return IRQ_HANDLED; -diff --git a/drivers/usb/dwc3/host.c b/drivers/usb/dwc3/host.c -index f29a264635aa1..2078e9d702923 100644 ---- a/drivers/usb/dwc3/host.c -+++ b/drivers/usb/dwc3/host.c -@@ -130,4 +130,5 @@ int dwc3_host_init(struct dwc3 *dwc) - void dwc3_host_exit(struct dwc3 *dwc) - { - platform_device_unregister(dwc->xhci); -+ dwc->xhci = NULL; - } --- -2.35.1 - diff --git a/queue-5.19/series b/queue-5.19/series index 2b8e378873f..b871e73bfbc 100644 --- a/queue-5.19/series +++ b/queue-5.19/series @@ -12,7 +12,6 @@ peci-aspeed-fix-error-check-return-value-of-platform.patch iio-adc-mcp3911-make-use-of-the-sign-bit.patch skmsg-fix-wrong-last-sg-check-in-sk_msg_recvmsg.patch bpf-restrict-bpf_sys_bpf-to-cap_perfmon.patch -usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch ip_tunnel-respect-tunnel-key-s-flow_flags-in-ip-tunn.patch bpf-cgroup-fix-kernel-bug-in-purge_effective_progs.patch drm-i915-gvt-fix-comet-lake.patch @@ -81,7 +80,6 @@ mmc-core-fix-inconsistent-sd3_bus_mode-at-uhs-i-sd-voltage-switch-failure.patch binder-fix-uaf-of-ref-proc-caused-by-race-condition.patch binder-fix-alloc-vma_vm_mm-null-ptr-dereference.patch cifs-fix-small-mempool-leak-in-smb2_negotiate.patch -usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch kvm-vmx-heed-the-msr-argument-in-msr_write_intercept.patch riscv-kvm-move-extern-sbi_ext-declarations-to-a-head.patch clk-ti-fix-missing-of_node_get-ti_find_clock_provide.patch diff --git a/queue-5.19/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch b/queue-5.19/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch deleted file mode 100644 index 874ec961001..00000000000 --- a/queue-5.19/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch +++ /dev/null @@ -1,107 +0,0 @@ -From 47eede1934128173679d2079830cb4187e7ea525 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 13 Jun 2022 10:00:52 +0530 -Subject: usb: dwc3: qcom: Add helper functions to enable,disable wake irqs - -From: Sandeep Maheswaram - -[ Upstream commit 360e8230516de94d74d30c64f0cdcf228b8e8b67 ] - -Adding helper functions to enable,disable wake irqs to make -the code simple and readable. - -Reviewed-by: Matthias Kaehlcke -Reviewed-by: Pavankumar Kondeti -Signed-off-by: Sandeep Maheswaram -Signed-off-by: Krishna Kurapati -Link: https://lore.kernel.org/r/1655094654-24052-4-git-send-email-quic_kriskura@quicinc.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/dwc3/dwc3-qcom.c | 58 ++++++++++++++++-------------------- - 1 file changed, 26 insertions(+), 32 deletions(-) - -diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c -index 3582fd6dfa141..27ff18aeea266 100644 ---- a/drivers/usb/dwc3/dwc3-qcom.c -+++ b/drivers/usb/dwc3/dwc3-qcom.c -@@ -296,50 +296,44 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom) - icc_put(qcom->icc_path_apps); - } - -+static void dwc3_qcom_enable_wakeup_irq(int irq) -+{ -+ if (!irq) -+ return; -+ -+ enable_irq(irq); -+ enable_irq_wake(irq); -+} -+ -+static void dwc3_qcom_disable_wakeup_irq(int irq) -+{ -+ if (!irq) -+ return; -+ -+ disable_irq_wake(irq); -+ disable_irq_nosync(irq); -+} -+ - static void dwc3_qcom_disable_interrupts(struct dwc3_qcom *qcom) - { -- if (qcom->hs_phy_irq) { -- disable_irq_wake(qcom->hs_phy_irq); -- disable_irq_nosync(qcom->hs_phy_irq); -- } -+ dwc3_qcom_disable_wakeup_irq(qcom->hs_phy_irq); - -- if (qcom->dp_hs_phy_irq) { -- disable_irq_wake(qcom->dp_hs_phy_irq); -- disable_irq_nosync(qcom->dp_hs_phy_irq); -- } -+ dwc3_qcom_disable_wakeup_irq(qcom->dp_hs_phy_irq); - -- if (qcom->dm_hs_phy_irq) { -- disable_irq_wake(qcom->dm_hs_phy_irq); -- disable_irq_nosync(qcom->dm_hs_phy_irq); -- } -+ dwc3_qcom_disable_wakeup_irq(qcom->dm_hs_phy_irq); - -- if (qcom->ss_phy_irq) { -- disable_irq_wake(qcom->ss_phy_irq); -- disable_irq_nosync(qcom->ss_phy_irq); -- } -+ dwc3_qcom_disable_wakeup_irq(qcom->ss_phy_irq); - } - - static void dwc3_qcom_enable_interrupts(struct dwc3_qcom *qcom) - { -- if (qcom->hs_phy_irq) { -- enable_irq(qcom->hs_phy_irq); -- enable_irq_wake(qcom->hs_phy_irq); -- } -+ dwc3_qcom_enable_wakeup_irq(qcom->hs_phy_irq); - -- if (qcom->dp_hs_phy_irq) { -- enable_irq(qcom->dp_hs_phy_irq); -- enable_irq_wake(qcom->dp_hs_phy_irq); -- } -+ dwc3_qcom_enable_wakeup_irq(qcom->dp_hs_phy_irq); - -- if (qcom->dm_hs_phy_irq) { -- enable_irq(qcom->dm_hs_phy_irq); -- enable_irq_wake(qcom->dm_hs_phy_irq); -- } -+ dwc3_qcom_enable_wakeup_irq(qcom->dm_hs_phy_irq); - -- if (qcom->ss_phy_irq) { -- enable_irq(qcom->ss_phy_irq); -- enable_irq_wake(qcom->ss_phy_irq); -- } -+ dwc3_qcom_enable_wakeup_irq(qcom->ss_phy_irq); - } - - static int dwc3_qcom_suspend(struct dwc3_qcom *qcom) --- -2.35.1 - diff --git a/queue-5.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch b/queue-5.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch deleted file mode 100644 index 2e1a62958ac..00000000000 --- a/queue-5.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch +++ /dev/null @@ -1,82 +0,0 @@ -From d0d68ca32c3ec05384bc0114da1197921b6f5a4d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 4 Aug 2022 17:09:56 +0200 -Subject: usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup - -From: Johan Hovold - -[ Upstream commit a872ab303d5ddd4c965f9cd868677781a33ce35a ] - -The Qualcomm dwc3 runtime-PM implementation checks the xhci -platform-device pointer in the wakeup-interrupt handler to determine -whether the controller is in host mode and if so triggers a resume. - -After a role switch in OTG mode the xhci platform-device would have been -freed and the next wakeup from runtime suspend would access the freed -memory. - -Note that role switching is executed from a freezable workqueue, which -guarantees that the pointer is stable during suspend. - -Also note that runtime PM has been broken since commit 2664deb09306 -("usb: dwc3: qcom: Honor wakeup enabled/disabled state"), which -incidentally also prevents this issue from being triggered. - -Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver") -Cc: stable@vger.kernel.org # 4.18 -Reviewed-by: Matthias Kaehlcke -Reviewed-by: Manivannan Sadhasivam -Signed-off-by: Johan Hovold -Link: https://lore.kernel.org/r/20220804151001.23612-5-johan+linaro@kernel.org -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/dwc3/dwc3-qcom.c | 14 +++++++++++++- - drivers/usb/dwc3/host.c | 1 + - 2 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c -index 27ff18aeea266..4f053d9736e30 100644 ---- a/drivers/usb/dwc3/dwc3-qcom.c -+++ b/drivers/usb/dwc3/dwc3-qcom.c -@@ -296,6 +296,14 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom) - icc_put(qcom->icc_path_apps); - } - -+/* Only usable in contexts where the role can not change. */ -+static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom) -+{ -+ struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); -+ -+ return dwc->xhci; -+} -+ - static void dwc3_qcom_enable_wakeup_irq(int irq) - { - if (!irq) -@@ -405,7 +413,11 @@ static irqreturn_t qcom_dwc3_resume_irq(int irq, void *data) - if (qcom->pm_suspended) - return IRQ_HANDLED; - -- if (dwc->xhci) -+ /* -+ * This is safe as role switching is done from a freezable workqueue -+ * and the wakeup interrupts are disabled as part of resume. -+ */ -+ if (dwc3_qcom_is_host(qcom)) - pm_runtime_resume(&dwc->xhci->dev); - - return IRQ_HANDLED; -diff --git a/drivers/usb/dwc3/host.c b/drivers/usb/dwc3/host.c -index f56c30cf151e4..f6f13e7f1ba14 100644 ---- a/drivers/usb/dwc3/host.c -+++ b/drivers/usb/dwc3/host.c -@@ -135,4 +135,5 @@ int dwc3_host_init(struct dwc3 *dwc) - void dwc3_host_exit(struct dwc3 *dwc) - { - platform_device_unregister(dwc->xhci); -+ dwc->xhci = NULL; - } --- -2.35.1 - -- 2.47.3