From d4735a29d35082b724aea7b6171b164110932ee7 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 21 Nov 2022 13:05:12 +0100 Subject: [PATCH] 5.15-stable patches added patches: dm-ioctl-fix-misbehavior-if-list_versions-races-with-module-loading.patch iio-adc-at91_adc-fix-possible-memory-leak-in-at91_adc_allocate_trigger.patch iio-adc-mp2629-fix-potential-array-out-of-bound-access.patch iio-adc-mp2629-fix-wrong-comparison-of-channel.patch iio-pressure-ms5611-changed-hardcoded-spi-speed-to-value-limited.patch iio-trigger-sysfs-fix-possible-memory-leak-in-iio_sysfs_trig_init.patch input-iforce-invert-valid-length-check-when-fetching-device-ids.patch maccess-fix-writing-offset-in-case-of-fault-in-strncpy_from_kernel_nofault.patch net-phy-marvell-add-sleep-time-after-enabling-the-loopback-bit.patch scsi-zfcp-fix-double-free-of-fsf-request-when-qdio-send-fails.patch serial-8250-fall-back-to-non-dma-rx-if-iir_rdi-occurs.patch serial-8250-flush-dma-rx-on-rlsi.patch serial-8250_lpss-configure-dma-also-w-o-dma-filter.patch slimbus-qcom-ngd-fix-build-error-when-config_slim_qcom_ngd_ctrl-y-config_qcom_rproc_common-m.patch slimbus-stream-correct-presence-rate-frequencies.patch speakup-fix-a-segfault-caused-by-switching-consoles.patch usb-add-no_lpm-quirk-for-realforce-87u-keyboard.patch usb-bcma-make-gpio-explicitly-optional.patch usb-cdns3-host-fix-endless-superspeed-hub-port-reset.patch usb-chipidea-fix-deadlock-in-ci_otg_del_timer.patch usb-serial-option-add-fibocom-fm160-0x0111-composition.patch usb-serial-option-add-sierra-wireless-em9191.patch usb-serial-option-add-u-blox-lara-l6-modem.patch usb-serial-option-add-u-blox-lara-r6-00b-modem.patch usb-serial-option-remove-old-lara-r6-pid.patch usb-typec-mux-enter-safe-mode-only-when-pins-need-to-be-reconfigured.patch --- ...t_versions-races-with-module-loading.patch | 70 ++++++ ...ry-leak-in-at91_adc_allocate_trigger.patch | 37 ++++ ...-potential-array-out-of-bound-access.patch | 34 +++ ...2629-fix-wrong-comparison-of-channel.patch | 34 +++ ...hardcoded-spi-speed-to-value-limited.patch | 32 +++ ...e-memory-leak-in-iio_sysfs_trig_init.patch | 55 +++++ ...ength-check-when-fetching-device-ids.patch | 56 +++++ ...fault-in-strncpy_from_kernel_nofault.patch | 37 ++++ ...time-after-enabling-the-loopback-bit.patch | 49 +++++ ...-of-fsf-request-when-qdio-send-fails.patch | 200 ++++++++++++++++++ ...back-to-non-dma-rx-if-iir_rdi-occurs.patch | 53 +++++ .../serial-8250-flush-dma-rx-on-rlsi.patch | 41 ++++ ...ss-configure-dma-also-w-o-dma-filter.patch | 66 ++++++ queue-5.15/series | 26 +++ ...gd_ctrl-y-config_qcom_rproc_common-m.patch | 46 ++++ ...am-correct-presence-rate-frequencies.patch | 38 ++++ ...egfault-caused-by-switching-consoles.patch | 61 ++++++ ...lpm-quirk-for-realforce-87u-keyboard.patch | 50 +++++ ...b-bcma-make-gpio-explicitly-optional.patch | 65 ++++++ ...ix-endless-superspeed-hub-port-reset.patch | 131 ++++++++++++ ...dea-fix-deadlock-in-ci_otg_del_timer.patch | 56 +++++ ...add-fibocom-fm160-0x0111-composition.patch | 57 +++++ ...al-option-add-sierra-wireless-em9191.patch | 58 +++++ ...rial-option-add-u-blox-lara-l6-modem.patch | 73 +++++++ ...-option-add-u-blox-lara-r6-00b-modem.patch | 38 ++++ ...serial-option-remove-old-lara-r6-pid.patch | 45 ++++ ...ly-when-pins-need-to-be-reconfigured.patch | 72 +++++++ 27 files changed, 1580 insertions(+) create mode 100644 queue-5.15/dm-ioctl-fix-misbehavior-if-list_versions-races-with-module-loading.patch create mode 100644 queue-5.15/iio-adc-at91_adc-fix-possible-memory-leak-in-at91_adc_allocate_trigger.patch create mode 100644 queue-5.15/iio-adc-mp2629-fix-potential-array-out-of-bound-access.patch create mode 100644 queue-5.15/iio-adc-mp2629-fix-wrong-comparison-of-channel.patch create mode 100644 queue-5.15/iio-pressure-ms5611-changed-hardcoded-spi-speed-to-value-limited.patch create mode 100644 queue-5.15/iio-trigger-sysfs-fix-possible-memory-leak-in-iio_sysfs_trig_init.patch create mode 100644 queue-5.15/input-iforce-invert-valid-length-check-when-fetching-device-ids.patch create mode 100644 queue-5.15/maccess-fix-writing-offset-in-case-of-fault-in-strncpy_from_kernel_nofault.patch create mode 100644 queue-5.15/net-phy-marvell-add-sleep-time-after-enabling-the-loopback-bit.patch create mode 100644 queue-5.15/scsi-zfcp-fix-double-free-of-fsf-request-when-qdio-send-fails.patch create mode 100644 queue-5.15/serial-8250-fall-back-to-non-dma-rx-if-iir_rdi-occurs.patch create mode 100644 queue-5.15/serial-8250-flush-dma-rx-on-rlsi.patch create mode 100644 queue-5.15/serial-8250_lpss-configure-dma-also-w-o-dma-filter.patch create mode 100644 queue-5.15/slimbus-qcom-ngd-fix-build-error-when-config_slim_qcom_ngd_ctrl-y-config_qcom_rproc_common-m.patch create mode 100644 queue-5.15/slimbus-stream-correct-presence-rate-frequencies.patch create mode 100644 queue-5.15/speakup-fix-a-segfault-caused-by-switching-consoles.patch create mode 100644 queue-5.15/usb-add-no_lpm-quirk-for-realforce-87u-keyboard.patch create mode 100644 queue-5.15/usb-bcma-make-gpio-explicitly-optional.patch create mode 100644 queue-5.15/usb-cdns3-host-fix-endless-superspeed-hub-port-reset.patch create mode 100644 queue-5.15/usb-chipidea-fix-deadlock-in-ci_otg_del_timer.patch create mode 100644 queue-5.15/usb-serial-option-add-fibocom-fm160-0x0111-composition.patch create mode 100644 queue-5.15/usb-serial-option-add-sierra-wireless-em9191.patch create mode 100644 queue-5.15/usb-serial-option-add-u-blox-lara-l6-modem.patch create mode 100644 queue-5.15/usb-serial-option-add-u-blox-lara-r6-00b-modem.patch create mode 100644 queue-5.15/usb-serial-option-remove-old-lara-r6-pid.patch create mode 100644 queue-5.15/usb-typec-mux-enter-safe-mode-only-when-pins-need-to-be-reconfigured.patch diff --git a/queue-5.15/dm-ioctl-fix-misbehavior-if-list_versions-races-with-module-loading.patch b/queue-5.15/dm-ioctl-fix-misbehavior-if-list_versions-races-with-module-loading.patch new file mode 100644 index 00000000000..278a38e5d45 --- /dev/null +++ b/queue-5.15/dm-ioctl-fix-misbehavior-if-list_versions-races-with-module-loading.patch @@ -0,0 +1,70 @@ +From 4fe1ec995483737f3d2a14c3fe1d8fe634972979 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 1 Nov 2022 16:53:35 -0400 +Subject: dm ioctl: fix misbehavior if list_versions races with module loading + +From: Mikulas Patocka + +commit 4fe1ec995483737f3d2a14c3fe1d8fe634972979 upstream. + +__list_versions will first estimate the required space using the +"dm_target_iterate(list_version_get_needed, &needed)" call and then will +fill the space using the "dm_target_iterate(list_version_get_info, +&iter_info)" call. Each of these calls locks the targets using the +"down_read(&_lock)" and "up_read(&_lock)" calls, however between the first +and second "dm_target_iterate" there is no lock held and the target +modules can be loaded at this point, so the second "dm_target_iterate" +call may need more space than what was the first "dm_target_iterate" +returned. + +The code tries to handle this overflow (see the beginning of +list_version_get_info), however this handling is incorrect. + +The code sets "param->data_size = param->data_start + needed" and +"iter_info.end = (char *)vers+len" - "needed" is the size returned by the +first dm_target_iterate call; "len" is the size of the buffer allocated by +userspace. + +"len" may be greater than "needed"; in this case, the code will write up +to "len" bytes into the buffer, however param->data_size is set to +"needed", so it may write data past the param->data_size value. The ioctl +interface copies only up to param->data_size into userspace, thus part of +the result will be truncated. + +Fix this bug by setting "iter_info.end = (char *)vers + needed;" - this +guarantees that the second "dm_target_iterate" call will write only up to +the "needed" buffer and it will exit with "DM_BUFFER_FULL_FLAG" if it +overflows the "needed" space - in this case, userspace will allocate a +larger buffer and retry. + +Note that there is also a bug in list_version_get_needed - we need to add +"strlen(tt->name) + 1" to the needed size, not "strlen(tt->name)". + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-ioctl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -655,7 +655,7 @@ static void list_version_get_needed(stru + size_t *needed = needed_param; + + *needed += sizeof(struct dm_target_versions); +- *needed += strlen(tt->name); ++ *needed += strlen(tt->name) + 1; + *needed += ALIGN_MASK; + } + +@@ -720,7 +720,7 @@ static int __list_versions(struct dm_ioc + iter_info.old_vers = NULL; + iter_info.vers = vers; + iter_info.flags = 0; +- iter_info.end = (char *)vers+len; ++ iter_info.end = (char *)vers + needed; + + /* + * Now loop through filling out the names & versions. diff --git a/queue-5.15/iio-adc-at91_adc-fix-possible-memory-leak-in-at91_adc_allocate_trigger.patch b/queue-5.15/iio-adc-at91_adc-fix-possible-memory-leak-in-at91_adc_allocate_trigger.patch new file mode 100644 index 00000000000..3b324bad848 --- /dev/null +++ b/queue-5.15/iio-adc-at91_adc-fix-possible-memory-leak-in-at91_adc_allocate_trigger.patch @@ -0,0 +1,37 @@ +From 65f20301607d07ee279b0804d11a05a62a6c1a1c Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Mon, 24 Oct 2022 16:45:11 +0800 +Subject: iio: adc: at91_adc: fix possible memory leak in at91_adc_allocate_trigger() + +From: Yang Yingliang + +commit 65f20301607d07ee279b0804d11a05a62a6c1a1c upstream. + +If iio_trigger_register() returns error, it should call iio_trigger_free() +to give up the reference that hold in iio_trigger_alloc(), so that it can +call iio_trig_release() to free memory when the refcount hit to 0. + +Fixes: 0e589d5fb317 ("ARM: AT91: IIO: Add AT91 ADC driver.") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221024084511.815096-1-yangyingliang@huawei.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/at91_adc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/iio/adc/at91_adc.c ++++ b/drivers/iio/adc/at91_adc.c +@@ -634,8 +634,10 @@ static struct iio_trigger *at91_adc_allo + trig->ops = &at91_adc_trigger_ops; + + ret = iio_trigger_register(trig); +- if (ret) ++ if (ret) { ++ iio_trigger_free(trig); + return NULL; ++ } + + return trig; + } diff --git a/queue-5.15/iio-adc-mp2629-fix-potential-array-out-of-bound-access.patch b/queue-5.15/iio-adc-mp2629-fix-potential-array-out-of-bound-access.patch new file mode 100644 index 00000000000..08ce931d055 --- /dev/null +++ b/queue-5.15/iio-adc-mp2629-fix-potential-array-out-of-bound-access.patch @@ -0,0 +1,34 @@ +From ca1547ab15f48dc81624183ae17a2fd1bad06dfc Mon Sep 17 00:00:00 2001 +From: Saravanan Sekar +Date: Sat, 29 Oct 2022 11:29:55 +0200 +Subject: iio: adc: mp2629: fix potential array out of bound access + +From: Saravanan Sekar + +commit ca1547ab15f48dc81624183ae17a2fd1bad06dfc upstream. + +Add sentinel at end of maps to avoid potential array out of +bound access in iio core. + +Fixes: 7abd9fb64682 ("iio: adc: mp2629: Add support for mp2629 ADC driver") +Signed-off-by: Saravanan Sekar +Link: https://lore.kernel.org/r/20221029093000.45451-4-sravanhome@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/mp2629_adc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/iio/adc/mp2629_adc.c ++++ b/drivers/iio/adc/mp2629_adc.c +@@ -56,7 +56,8 @@ static struct iio_map mp2629_adc_maps[] + MP2629_MAP(SYSTEM_VOLT, "system-volt"), + MP2629_MAP(INPUT_VOLT, "input-volt"), + MP2629_MAP(BATT_CURRENT, "batt-current"), +- MP2629_MAP(INPUT_CURRENT, "input-current") ++ MP2629_MAP(INPUT_CURRENT, "input-current"), ++ { } + }; + + static int mp2629_read_raw(struct iio_dev *indio_dev, diff --git a/queue-5.15/iio-adc-mp2629-fix-wrong-comparison-of-channel.patch b/queue-5.15/iio-adc-mp2629-fix-wrong-comparison-of-channel.patch new file mode 100644 index 00000000000..29131c183a2 --- /dev/null +++ b/queue-5.15/iio-adc-mp2629-fix-wrong-comparison-of-channel.patch @@ -0,0 +1,34 @@ +From 1eb20332a082fa801fb89c347c5e62de916a4001 Mon Sep 17 00:00:00 2001 +From: Saravanan Sekar +Date: Sat, 29 Oct 2022 11:29:53 +0200 +Subject: iio: adc: mp2629: fix wrong comparison of channel + +From: Saravanan Sekar + +commit 1eb20332a082fa801fb89c347c5e62de916a4001 upstream. + +Input voltage channel enum is compared against iio address instead +of the channel. + +Fixes: 7abd9fb64682 ("iio: adc: mp2629: Add support for mp2629 ADC driver") +Signed-off-by: Saravanan Sekar +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221029093000.45451-2-sravanhome@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/mp2629_adc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/mp2629_adc.c ++++ b/drivers/iio/adc/mp2629_adc.c +@@ -73,7 +73,7 @@ static int mp2629_read_raw(struct iio_de + if (ret) + return ret; + +- if (chan->address == MP2629_INPUT_VOLT) ++ if (chan->channel == MP2629_INPUT_VOLT) + rval &= GENMASK(6, 0); + *val = rval; + return IIO_VAL_INT; diff --git a/queue-5.15/iio-pressure-ms5611-changed-hardcoded-spi-speed-to-value-limited.patch b/queue-5.15/iio-pressure-ms5611-changed-hardcoded-spi-speed-to-value-limited.patch new file mode 100644 index 00000000000..007fff30093 --- /dev/null +++ b/queue-5.15/iio-pressure-ms5611-changed-hardcoded-spi-speed-to-value-limited.patch @@ -0,0 +1,32 @@ +From 741cec30cc52058d1c10d415f3b98319887e4f73 Mon Sep 17 00:00:00 2001 +From: Mitja Spes +Date: Fri, 21 Oct 2022 15:58:21 +0200 +Subject: iio: pressure: ms5611: changed hardcoded SPI speed to value limited + +From: Mitja Spes + +commit 741cec30cc52058d1c10d415f3b98319887e4f73 upstream. + +Don't hardcode the ms5611 SPI speed, limit it instead. + +Signed-off-by: Mitja Spes +Fixes: c0644160a8b5 ("iio: pressure: add support for MS5611 pressure and temperature sensor") +Link: https://lore.kernel.org/r/20221021135827.1444793-3-mitja@lxnav.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/pressure/ms5611_spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/pressure/ms5611_spi.c ++++ b/drivers/iio/pressure/ms5611_spi.c +@@ -94,7 +94,7 @@ static int ms5611_spi_probe(struct spi_d + spi_set_drvdata(spi, indio_dev); + + spi->mode = SPI_MODE_0; +- spi->max_speed_hz = 20000000; ++ spi->max_speed_hz = min(spi->max_speed_hz, 20000000U); + spi->bits_per_word = 8; + ret = spi_setup(spi); + if (ret < 0) diff --git a/queue-5.15/iio-trigger-sysfs-fix-possible-memory-leak-in-iio_sysfs_trig_init.patch b/queue-5.15/iio-trigger-sysfs-fix-possible-memory-leak-in-iio_sysfs_trig_init.patch new file mode 100644 index 00000000000..d9c923b18f9 --- /dev/null +++ b/queue-5.15/iio-trigger-sysfs-fix-possible-memory-leak-in-iio_sysfs_trig_init.patch @@ -0,0 +1,55 @@ +From efa17e90e1711bdb084e3954fa44afb6647331c0 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Sat, 22 Oct 2022 15:42:12 +0800 +Subject: iio: trigger: sysfs: fix possible memory leak in iio_sysfs_trig_init() + +From: Yang Yingliang + +commit efa17e90e1711bdb084e3954fa44afb6647331c0 upstream. + +dev_set_name() allocates memory for name, it need be freed +when device_add() fails, call put_device() to give up the +reference that hold in device_initialize(), so that it can +be freed in kobject_cleanup() when the refcount hit to 0. + +Fault injection test can trigger this: + +unreferenced object 0xffff8e8340a7b4c0 (size 32): + comm "modprobe", pid 243, jiffies 4294678145 (age 48.845s) + hex dump (first 32 bytes): + 69 69 6f 5f 73 79 73 66 73 5f 74 72 69 67 67 65 iio_sysfs_trigge + 72 00 a7 40 83 8e ff ff 00 86 13 c4 f6 ee ff ff r..@............ + backtrace: + [<0000000074999de8>] __kmem_cache_alloc_node+0x1e9/0x360 + [<00000000497fd30b>] __kmalloc_node_track_caller+0x44/0x1a0 + [<000000003636c520>] kstrdup+0x2d/0x60 + [<0000000032f84da2>] kobject_set_name_vargs+0x1e/0x90 + [<0000000092efe493>] dev_set_name+0x4e/0x70 + +Fixes: 1f785681a870 ("staging:iio:trigger sysfs userspace trigger rework.") +Signed-off-by: Yang Yingliang +Cc: +Link: https://lore.kernel.org/r/20221022074212.1386424-1-yangyingliang@huawei.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/trigger/iio-trig-sysfs.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/iio/trigger/iio-trig-sysfs.c ++++ b/drivers/iio/trigger/iio-trig-sysfs.c +@@ -208,9 +208,13 @@ static int iio_sysfs_trigger_remove(int + + static int __init iio_sysfs_trig_init(void) + { ++ int ret; + device_initialize(&iio_sysfs_trig_dev); + dev_set_name(&iio_sysfs_trig_dev, "iio_sysfs_trigger"); +- return device_add(&iio_sysfs_trig_dev); ++ ret = device_add(&iio_sysfs_trig_dev); ++ if (ret) ++ put_device(&iio_sysfs_trig_dev); ++ return ret; + } + module_init(iio_sysfs_trig_init); + diff --git a/queue-5.15/input-iforce-invert-valid-length-check-when-fetching-device-ids.patch b/queue-5.15/input-iforce-invert-valid-length-check-when-fetching-device-ids.patch new file mode 100644 index 00000000000..5815d37a916 --- /dev/null +++ b/queue-5.15/input-iforce-invert-valid-length-check-when-fetching-device-ids.patch @@ -0,0 +1,56 @@ +From b8ebf250997c5fb253582f42bfe98673801ebebd Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Mon, 7 Nov 2022 10:21:40 -0800 +Subject: Input: iforce - invert valid length check when fetching device IDs + +From: Tetsuo Handa + +commit b8ebf250997c5fb253582f42bfe98673801ebebd upstream. + +syzbot is reporting uninitialized value at iforce_init_device() [1], for +commit 6ac0aec6b0a6 ("Input: iforce - allow callers supply data buffer +when fetching device IDs") is checking that valid length is shorter than +bytes to read. Since iforce_get_id_packet() stores valid length when +returning 0, the caller needs to check that valid length is longer than or +equals to bytes to read. + +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Fixes: 6ac0aec6b0a6 ("Input: iforce - allow callers supply data buffer when fetching device IDs") +Link: https://lore.kernel.org/r/531fb432-7396-ad37-ecba-3e42e7f56d5c@I-love.SAKURA.ne.jp +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joystick/iforce/iforce-main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/input/joystick/iforce/iforce-main.c ++++ b/drivers/input/joystick/iforce/iforce-main.c +@@ -273,22 +273,22 @@ int iforce_init_device(struct device *pa + * Get device info. + */ + +- if (!iforce_get_id_packet(iforce, 'M', buf, &len) || len < 3) ++ if (!iforce_get_id_packet(iforce, 'M', buf, &len) && len >= 3) + input_dev->id.vendor = get_unaligned_le16(buf + 1); + else + dev_warn(&iforce->dev->dev, "Device does not respond to id packet M\n"); + +- if (!iforce_get_id_packet(iforce, 'P', buf, &len) || len < 3) ++ if (!iforce_get_id_packet(iforce, 'P', buf, &len) && len >= 3) + input_dev->id.product = get_unaligned_le16(buf + 1); + else + dev_warn(&iforce->dev->dev, "Device does not respond to id packet P\n"); + +- if (!iforce_get_id_packet(iforce, 'B', buf, &len) || len < 3) ++ if (!iforce_get_id_packet(iforce, 'B', buf, &len) && len >= 3) + iforce->device_memory.end = get_unaligned_le16(buf + 1); + else + dev_warn(&iforce->dev->dev, "Device does not respond to id packet B\n"); + +- if (!iforce_get_id_packet(iforce, 'N', buf, &len) || len < 2) ++ if (!iforce_get_id_packet(iforce, 'N', buf, &len) && len >= 2) + ff_effects = buf[1]; + else + dev_warn(&iforce->dev->dev, "Device does not respond to id packet N\n"); diff --git a/queue-5.15/maccess-fix-writing-offset-in-case-of-fault-in-strncpy_from_kernel_nofault.patch b/queue-5.15/maccess-fix-writing-offset-in-case-of-fault-in-strncpy_from_kernel_nofault.patch new file mode 100644 index 00000000000..139842653f4 --- /dev/null +++ b/queue-5.15/maccess-fix-writing-offset-in-case-of-fault-in-strncpy_from_kernel_nofault.patch @@ -0,0 +1,37 @@ +From 8678ea06852cd1f819b870c773d43df888d15d46 Mon Sep 17 00:00:00 2001 +From: Alban Crequy +Date: Thu, 10 Nov 2022 09:56:13 +0100 +Subject: maccess: Fix writing offset in case of fault in strncpy_from_kernel_nofault() + +From: Alban Crequy + +commit 8678ea06852cd1f819b870c773d43df888d15d46 upstream. + +If a page fault occurs while copying the first byte, this function resets one +byte before dst. +As a consequence, an address could be modified and leaded to kernel crashes if +case the modified address was accessed later. + +Fixes: b58294ead14c ("maccess: allow architectures to provide kernel probing directly") +Signed-off-by: Alban Crequy +Signed-off-by: Andrii Nakryiko +Tested-by: Francis Laniel +Reviewed-by: Andrew Morton +Cc: [5.8] +Link: https://lore.kernel.org/bpf/20221110085614.111213-2-albancrequy@linux.microsoft.com +Signed-off-by: Greg Kroah-Hartman +--- + mm/maccess.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/maccess.c ++++ b/mm/maccess.c +@@ -99,7 +99,7 @@ long strncpy_from_kernel_nofault(char *d + return src - unsafe_addr; + Efault: + pagefault_enable(); +- dst[-1] = '\0'; ++ dst[0] = '\0'; + return -EFAULT; + } + #else /* HAVE_GET_KERNEL_NOFAULT */ diff --git a/queue-5.15/net-phy-marvell-add-sleep-time-after-enabling-the-loopback-bit.patch b/queue-5.15/net-phy-marvell-add-sleep-time-after-enabling-the-loopback-bit.patch new file mode 100644 index 00000000000..c01e5d5de10 --- /dev/null +++ b/queue-5.15/net-phy-marvell-add-sleep-time-after-enabling-the-loopback-bit.patch @@ -0,0 +1,49 @@ +From 18c532e44939caa17f1fa380f7ac50dbc0718dbb Mon Sep 17 00:00:00 2001 +From: Aminuddin Jamaluddin +Date: Mon, 14 Nov 2022 14:53:02 +0800 +Subject: net: phy: marvell: add sleep time after enabling the loopback bit + +From: Aminuddin Jamaluddin + +commit 18c532e44939caa17f1fa380f7ac50dbc0718dbb upstream. + +Sleep time is added to ensure the phy to be ready after loopback +bit was set. This to prevent the phy loopback test from failing. + +Fixes: 020a45aff119 ("net: phy: marvell: add Marvell specific PHY loopback") +Cc: # 5.15.x +Signed-off-by: Muhammad Husaini Zulkifli +Signed-off-by: Aminuddin Jamaluddin +Link: https://lore.kernel.org/r/20221114065302.10625-1-aminuddin.jamaluddin@intel.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/marvell.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/net/phy/marvell.c ++++ b/drivers/net/phy/marvell.c +@@ -1976,14 +1976,16 @@ static int m88e1510_loopback(struct phy_ + if (err < 0) + return err; + +- /* FIXME: Based on trial and error test, it seem 1G need to have +- * delay between soft reset and loopback enablement. +- */ +- if (phydev->speed == SPEED_1000) +- msleep(1000); ++ err = phy_modify(phydev, MII_BMCR, BMCR_LOOPBACK, ++ BMCR_LOOPBACK); + +- return phy_modify(phydev, MII_BMCR, BMCR_LOOPBACK, +- BMCR_LOOPBACK); ++ if (!err) { ++ /* It takes some time for PHY device to switch ++ * into/out-of loopback mode. ++ */ ++ msleep(1000); ++ } ++ return err; + } else { + err = phy_modify(phydev, MII_BMCR, BMCR_LOOPBACK, 0); + if (err < 0) diff --git a/queue-5.15/scsi-zfcp-fix-double-free-of-fsf-request-when-qdio-send-fails.patch b/queue-5.15/scsi-zfcp-fix-double-free-of-fsf-request-when-qdio-send-fails.patch new file mode 100644 index 00000000000..128ed965b56 --- /dev/null +++ b/queue-5.15/scsi-zfcp-fix-double-free-of-fsf-request-when-qdio-send-fails.patch @@ -0,0 +1,200 @@ +From 0954256e970ecf371b03a6c9af2cf91b9c4085ff Mon Sep 17 00:00:00 2001 +From: Benjamin Block +Date: Wed, 16 Nov 2022 11:50:37 +0100 +Subject: scsi: zfcp: Fix double free of FSF request when qdio send fails + +From: Benjamin Block + +commit 0954256e970ecf371b03a6c9af2cf91b9c4085ff upstream. + +We used to use the wrong type of integer in 'zfcp_fsf_req_send()' to cache +the FSF request ID when sending a new FSF request. This is used in case the +sending fails and we need to remove the request from our internal hash +table again (so we don't keep an invalid reference and use it when we free +the request again). + +In 'zfcp_fsf_req_send()' we used to cache the ID as 'int' (signed and 32 +bit wide), but the rest of the zfcp code (and the firmware specification) +handles the ID as 'unsigned long'/'u64' (unsigned and 64 bit wide [s390x +ELF ABI]). For one this has the obvious problem that when the ID grows +past 32 bit (this can happen reasonably fast) it is truncated to 32 bit +when storing it in the cache variable and so doesn't match the original ID +anymore. The second less obvious problem is that even when the original ID +has not yet grown past 32 bit, as soon as the 32nd bit is set in the +original ID (0x80000000 = 2'147'483'648) we will have a mismatch when we +cast it back to 'unsigned long'. As the cached variable is of a signed +type, the compiler will choose a sign-extending instruction to load the 32 +bit variable into a 64 bit register (e.g.: 'lgf %r11,188(%r15)'). So once +we pass the cached variable into 'zfcp_reqlist_find_rm()' to remove the +request again all the leading zeros will be flipped to ones to extend the +sign and won't match the original ID anymore (this has been observed in +practice). + +If we can't successfully remove the request from the hash table again after +'zfcp_qdio_send()' fails (this happens regularly when zfcp cannot notify +the adapter about new work because the adapter is already gone during +e.g. a ChpID toggle) we will end up with a double free. We unconditionally +free the request in the calling function when 'zfcp_fsf_req_send()' fails, +but because the request is still in the hash table we end up with a stale +memory reference, and once the zfcp adapter is either reset during recovery +or shutdown we end up freeing the same memory twice. + +The resulting stack traces vary depending on the kernel and have no direct +correlation to the place where the bug occurs. Here are three examples that +have been seen in practice: + + list_del corruption. next->prev should be 00000001b9d13800, but was 00000000dead4ead. (next=00000001bd131a00) + ------------[ cut here ]------------ + kernel BUG at lib/list_debug.c:62! + monitor event: 0040 ilc:2 [#1] PREEMPT SMP + Modules linked in: ... + CPU: 9 PID: 1617 Comm: zfcperp0.0.1740 Kdump: loaded + Hardware name: ... + Krnl PSW : 0704d00180000000 00000003cbeea1f8 (__list_del_entry_valid+0x98/0x140) + R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3 + Krnl GPRS: 00000000916d12f1 0000000080000000 000000000000006d 00000003cb665cd6 + 0000000000000001 0000000000000000 0000000000000000 00000000d28d21e8 + 00000000d3844000 00000380099efd28 00000001bd131a00 00000001b9d13800 + 00000000d3290100 0000000000000000 00000003cbeea1f4 00000380099efc70 + Krnl Code: 00000003cbeea1e8: c020004f68a7 larl %r2,00000003cc8d7336 + 00000003cbeea1ee: c0e50027fd65 brasl %r14,00000003cc3e9cb8 + #00000003cbeea1f4: af000000 mc 0,0 + >00000003cbeea1f8: c02000920440 larl %r2,00000003cd12aa78 + 00000003cbeea1fe: c0e500289c25 brasl %r14,00000003cc3fda48 + 00000003cbeea204: b9040043 lgr %r4,%r3 + 00000003cbeea208: b9040051 lgr %r5,%r1 + 00000003cbeea20c: b9040032 lgr %r3,%r2 + Call Trace: + [<00000003cbeea1f8>] __list_del_entry_valid+0x98/0x140 + ([<00000003cbeea1f4>] __list_del_entry_valid+0x94/0x140) + [<000003ff7ff502fe>] zfcp_fsf_req_dismiss_all+0xde/0x150 [zfcp] + [<000003ff7ff49cd0>] zfcp_erp_strategy_do_action+0x160/0x280 [zfcp] + [<000003ff7ff4a22e>] zfcp_erp_strategy+0x21e/0xca0 [zfcp] + [<000003ff7ff4ad34>] zfcp_erp_thread+0x84/0x1a0 [zfcp] + [<00000003cb5eece8>] kthread+0x138/0x150 + [<00000003cb557f3c>] __ret_from_fork+0x3c/0x60 + [<00000003cc4172ea>] ret_from_fork+0xa/0x40 + INFO: lockdep is turned off. + Last Breaking-Event-Address: + [<00000003cc3e9d04>] _printk+0x4c/0x58 + Kernel panic - not syncing: Fatal exception: panic_on_oops + +or: + + Unable to handle kernel pointer dereference in virtual kernel address space + Failing address: 6b6b6b6b6b6b6000 TEID: 6b6b6b6b6b6b6803 + Fault in home space mode while using kernel ASCE. + AS:0000000063b10007 R3:0000000000000024 + Oops: 0038 ilc:3 [#1] SMP + Modules linked in: ... + CPU: 10 PID: 0 Comm: swapper/10 Kdump: loaded + Hardware name: ... + Krnl PSW : 0404d00180000000 000003ff7febaf8e (zfcp_fsf_reqid_check+0x86/0x158 [zfcp]) + R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3 + Krnl GPRS: 5a6f1cfa89c49ac3 00000000aff2c4c8 6b6b6b6b6b6b6b6b 00000000000002a8 + 0000000000000000 0000000000000055 0000000000000000 00000000a8515800 + 0700000000000000 00000000a6e14500 00000000aff2c000 000000008003c44c + 000000008093c700 0000000000000010 00000380009ebba8 00000380009ebb48 + Krnl Code: 000003ff7febaf7e: a7f4003d brc 15,000003ff7febaff8 + 000003ff7febaf82: e32020000004 lg %r2,0(%r2) + #000003ff7febaf88: ec2100388064 cgrj %r2,%r1,8,000003ff7febaff8 + >000003ff7febaf8e: e3b020100020 cg %r11,16(%r2) + 000003ff7febaf94: a774fff7 brc 7,000003ff7febaf82 + 000003ff7febaf98: ec280030007c cgij %r2,0,8,000003ff7febaff8 + 000003ff7febaf9e: e31020080004 lg %r1,8(%r2) + 000003ff7febafa4: e33020000004 lg %r3,0(%r2) + Call Trace: + [<000003ff7febaf8e>] zfcp_fsf_reqid_check+0x86/0x158 [zfcp] + [<000003ff7febbdbc>] zfcp_qdio_int_resp+0x6c/0x170 [zfcp] + [<000003ff7febbf90>] zfcp_qdio_irq_tasklet+0xd0/0x108 [zfcp] + [<0000000061d90a04>] tasklet_action_common.constprop.0+0xdc/0x128 + [<000000006292f300>] __do_softirq+0x130/0x3c0 + [<0000000061d906c6>] irq_exit_rcu+0xfe/0x118 + [<000000006291e818>] do_io_irq+0xc8/0x168 + [<000000006292d516>] io_int_handler+0xd6/0x110 + [<000000006292d596>] psw_idle_exit+0x0/0xa + ([<0000000061d3be50>] arch_cpu_idle+0x40/0xd0) + [<000000006292ceea>] default_idle_call+0x52/0xf8 + [<0000000061de4fa4>] do_idle+0xd4/0x168 + [<0000000061de51fe>] cpu_startup_entry+0x36/0x40 + [<0000000061d4faac>] smp_start_secondary+0x12c/0x138 + [<000000006292d88e>] restart_int_handler+0x6e/0x90 + Last Breaking-Event-Address: + [<000003ff7febaf94>] zfcp_fsf_reqid_check+0x8c/0x158 [zfcp] + Kernel panic - not syncing: Fatal exception in interrupt + +or: + + Unable to handle kernel pointer dereference in virtual kernel address space + Failing address: 523b05d3ae76a000 TEID: 523b05d3ae76a803 + Fault in home space mode while using kernel ASCE. + AS:0000000077c40007 R3:0000000000000024 + Oops: 0038 ilc:3 [#1] SMP + Modules linked in: ... + CPU: 3 PID: 453 Comm: kworker/3:1H Kdump: loaded + Hardware name: ... + Workqueue: kblockd blk_mq_run_work_fn + Krnl PSW : 0404d00180000000 0000000076fc0312 (__kmalloc+0xd2/0x398) + R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3 + Krnl GPRS: ffffffffffffffff 523b05d3ae76abf6 0000000000000000 0000000000092a20 + 0000000000000002 00000007e49b5cc0 00000007eda8f000 0000000000092a20 + 00000007eda8f000 00000003b02856b9 00000000000000a8 523b05d3ae76abf6 + 00000007dd662000 00000007eda8f000 0000000076fc02b2 000003e0037637a0 + Krnl Code: 0000000076fc0302: c004000000d4 brcl 0,76fc04aa + 0000000076fc0308: b904001b lgr %r1,%r11 + #0000000076fc030c: e3106020001a algf %r1,32(%r6) + >0000000076fc0312: e31010000082 xg %r1,0(%r1) + 0000000076fc0318: b9040001 lgr %r0,%r1 + 0000000076fc031c: e30061700082 xg %r0,368(%r6) + 0000000076fc0322: ec59000100d9 aghik %r5,%r9,1 + 0000000076fc0328: e34003b80004 lg %r4,952 + Call Trace: + [<0000000076fc0312>] __kmalloc+0xd2/0x398 + [<0000000076f318f2>] mempool_alloc+0x72/0x1f8 + [<000003ff8027c5f8>] zfcp_fsf_req_create.isra.7+0x40/0x268 [zfcp] + [<000003ff8027f1bc>] zfcp_fsf_fcp_cmnd+0xac/0x3f0 [zfcp] + [<000003ff80280f1a>] zfcp_scsi_queuecommand+0x122/0x1d0 [zfcp] + [<000003ff800b4218>] scsi_queue_rq+0x778/0xa10 [scsi_mod] + [<00000000771782a0>] __blk_mq_try_issue_directly+0x130/0x208 + [<000000007717a124>] blk_mq_request_issue_directly+0x4c/0xa8 + [<000003ff801302e2>] dm_mq_queue_rq+0x2ea/0x468 [dm_mod] + [<0000000077178c12>] blk_mq_dispatch_rq_list+0x33a/0x818 + [<000000007717f064>] __blk_mq_do_dispatch_sched+0x284/0x2f0 + [<000000007717f44c>] __blk_mq_sched_dispatch_requests+0x1c4/0x218 + [<000000007717fa7a>] blk_mq_sched_dispatch_requests+0x52/0x90 + [<0000000077176d74>] __blk_mq_run_hw_queue+0x9c/0xc0 + [<0000000076da6d74>] process_one_work+0x274/0x4d0 + [<0000000076da7018>] worker_thread+0x48/0x560 + [<0000000076daef18>] kthread+0x140/0x160 + [<000000007751d144>] ret_from_fork+0x28/0x30 + Last Breaking-Event-Address: + [<0000000076fc0474>] __kmalloc+0x234/0x398 + Kernel panic - not syncing: Fatal exception: panic_on_oops + +To fix this, simply change the type of the cache variable to 'unsigned +long', like the rest of zfcp and also the argument for +'zfcp_reqlist_find_rm()'. This prevents truncation and wrong sign extension +and so can successfully remove the request from the hash table. + +Fixes: e60a6d69f1f8 ("[SCSI] zfcp: Remove function zfcp_reqlist_find_safe") +Cc: #v2.6.34+ +Signed-off-by: Benjamin Block +Link: https://lore.kernel.org/r/979f6e6019d15f91ba56182f1aaf68d61bf37fc6.1668595505.git.bblock@linux.ibm.com +Reviewed-by: Steffen Maier +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/scsi/zfcp_fsf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/s390/scsi/zfcp_fsf.c ++++ b/drivers/s390/scsi/zfcp_fsf.c +@@ -884,7 +884,7 @@ static int zfcp_fsf_req_send(struct zfcp + const bool is_srb = zfcp_fsf_req_is_status_read_buffer(req); + struct zfcp_adapter *adapter = req->adapter; + struct zfcp_qdio *qdio = adapter->qdio; +- int req_id = req->req_id; ++ unsigned long req_id = req->req_id; + + zfcp_reqlist_add(adapter->req_list, req); + diff --git a/queue-5.15/serial-8250-fall-back-to-non-dma-rx-if-iir_rdi-occurs.patch b/queue-5.15/serial-8250-fall-back-to-non-dma-rx-if-iir_rdi-occurs.patch new file mode 100644 index 00000000000..415e6ec19b7 --- /dev/null +++ b/queue-5.15/serial-8250-fall-back-to-non-dma-rx-if-iir_rdi-occurs.patch @@ -0,0 +1,53 @@ +From a931237cbea256aff13bb403da13a97b2d1605d9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Tue, 8 Nov 2022 14:19:49 +0200 +Subject: serial: 8250: Fall back to non-DMA Rx if IIR_RDI occurs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit a931237cbea256aff13bb403da13a97b2d1605d9 upstream. + +DW UART sometimes triggers IIR_RDI during DMA Rx when IIR_RX_TIMEOUT +should have been triggered instead. Since IIR_RDI has higher priority +than IIR_RX_TIMEOUT, this causes the Rx to hang into interrupt loop. +The problem seems to occur at least with some combinations of +small-sized transfers (I've reproduced the problem on Elkhart Lake PSE +UARTs). + +If there's already an on-going Rx DMA and IIR_RDI triggers, fall +graciously back to non-DMA Rx. That is, behave as if IIR_RX_TIMEOUT had +occurred. + +8250_omap already considers IIR_RDI similar to this change so its +nothing unheard of. + +Fixes: 75df022b5f89 ("serial: 8250_dma: Fix RX handling") +Cc: +Co-developed-by: Srikanth Thokala +Signed-off-by: Srikanth Thokala +Co-developed-by: Aman Kumar +Signed-off-by: Aman Kumar +Signed-off-by: Ilpo Järvinen +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221108121952.5497-2-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_port.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -1885,6 +1885,10 @@ EXPORT_SYMBOL_GPL(serial8250_modem_statu + static bool handle_rx_dma(struct uart_8250_port *up, unsigned int iir) + { + switch (iir & 0x3f) { ++ case UART_IIR_RDI: ++ if (!up->dma->rx_running) ++ break; ++ fallthrough; + case UART_IIR_RX_TIMEOUT: + serial8250_rx_dma_flush(up); + fallthrough; diff --git a/queue-5.15/serial-8250-flush-dma-rx-on-rlsi.patch b/queue-5.15/serial-8250-flush-dma-rx-on-rlsi.patch new file mode 100644 index 00000000000..ff335dec0e2 --- /dev/null +++ b/queue-5.15/serial-8250-flush-dma-rx-on-rlsi.patch @@ -0,0 +1,41 @@ +From 1980860e0c8299316cddaf0992dd9e1258ec9d88 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Tue, 8 Nov 2022 14:19:52 +0200 +Subject: serial: 8250: Flush DMA Rx on RLSI +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit 1980860e0c8299316cddaf0992dd9e1258ec9d88 upstream. + +Returning true from handle_rx_dma() without flushing DMA first creates +a data ordering hazard. If DMA Rx has handled any character at the +point when RLSI occurs, the non-DMA path handles any pending characters +jumping them ahead of those characters that are pending under DMA. + +Fixes: 75df022b5f89 ("serial: 8250_dma: Fix RX handling") +Cc: +Signed-off-by: Ilpo Järvinen +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221108121952.5497-5-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_port.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -1889,10 +1889,9 @@ static bool handle_rx_dma(struct uart_82 + if (!up->dma->rx_running) + break; + fallthrough; ++ case UART_IIR_RLSI: + case UART_IIR_RX_TIMEOUT: + serial8250_rx_dma_flush(up); +- fallthrough; +- case UART_IIR_RLSI: + return true; + } + return up->dma->rx_dma(up); diff --git a/queue-5.15/serial-8250_lpss-configure-dma-also-w-o-dma-filter.patch b/queue-5.15/serial-8250_lpss-configure-dma-also-w-o-dma-filter.patch new file mode 100644 index 00000000000..924a33b9bc9 --- /dev/null +++ b/queue-5.15/serial-8250_lpss-configure-dma-also-w-o-dma-filter.patch @@ -0,0 +1,66 @@ +From 1bfcbe5805d0cfc83c3544dcd01e0a282c1f6790 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Tue, 8 Nov 2022 14:19:50 +0200 +Subject: serial: 8250_lpss: Configure DMA also w/o DMA filter +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit 1bfcbe5805d0cfc83c3544dcd01e0a282c1f6790 upstream. + +If the platform doesn't use DMA device filter (as is the case with +Elkhart Lake), whole lpss8250_dma_setup() setup is skipped. This +results in skipping also *_maxburst setup which is undesirable. +Refactor lpss8250_dma_setup() to configure DMA even if filter is not +setup. + +Cc: stable +Signed-off-by: Ilpo Järvinen +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221108121952.5497-3-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_lpss.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/tty/serial/8250/8250_lpss.c ++++ b/drivers/tty/serial/8250/8250_lpss.c +@@ -278,8 +278,13 @@ static int lpss8250_dma_setup(struct lps + struct dw_dma_slave *rx_param, *tx_param; + struct device *dev = port->port.dev; + +- if (!lpss->dma_param.dma_dev) ++ if (!lpss->dma_param.dma_dev) { ++ dma = port->dma; ++ if (dma) ++ goto out_configuration_only; ++ + return 0; ++ } + + rx_param = devm_kzalloc(dev, sizeof(*rx_param), GFP_KERNEL); + if (!rx_param) +@@ -290,16 +295,18 @@ static int lpss8250_dma_setup(struct lps + return -ENOMEM; + + *rx_param = lpss->dma_param; +- dma->rxconf.src_maxburst = lpss->dma_maxburst; +- + *tx_param = lpss->dma_param; +- dma->txconf.dst_maxburst = lpss->dma_maxburst; + + dma->fn = lpss8250_dma_filter; + dma->rx_param = rx_param; + dma->tx_param = tx_param; + + port->dma = dma; ++ ++out_configuration_only: ++ dma->rxconf.src_maxburst = lpss->dma_maxburst; ++ dma->txconf.dst_maxburst = lpss->dma_maxburst; ++ + return 0; + } + diff --git a/queue-5.15/series b/queue-5.15/series index a369d835cda..ab616f6ce5b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -119,3 +119,29 @@ alsa-usb-audio-drop-snd_bug_on-from-snd_usbmidi_output_open.patch alsa-hda-realtek-fix-speakers-for-samsung-galaxy-book-pro.patch alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch revert-usb-dwc3-disable-usb-core-phy-management.patch +slimbus-qcom-ngd-fix-build-error-when-config_slim_qcom_ngd_ctrl-y-config_qcom_rproc_common-m.patch +slimbus-stream-correct-presence-rate-frequencies.patch +speakup-fix-a-segfault-caused-by-switching-consoles.patch +usb-bcma-make-gpio-explicitly-optional.patch +usb-serial-option-add-sierra-wireless-em9191.patch +usb-serial-option-remove-old-lara-r6-pid.patch +usb-serial-option-add-u-blox-lara-r6-00b-modem.patch +usb-serial-option-add-u-blox-lara-l6-modem.patch +usb-serial-option-add-fibocom-fm160-0x0111-composition.patch +usb-add-no_lpm-quirk-for-realforce-87u-keyboard.patch +usb-chipidea-fix-deadlock-in-ci_otg_del_timer.patch +usb-cdns3-host-fix-endless-superspeed-hub-port-reset.patch +usb-typec-mux-enter-safe-mode-only-when-pins-need-to-be-reconfigured.patch +iio-adc-at91_adc-fix-possible-memory-leak-in-at91_adc_allocate_trigger.patch +iio-trigger-sysfs-fix-possible-memory-leak-in-iio_sysfs_trig_init.patch +iio-adc-mp2629-fix-wrong-comparison-of-channel.patch +iio-adc-mp2629-fix-potential-array-out-of-bound-access.patch +iio-pressure-ms5611-changed-hardcoded-spi-speed-to-value-limited.patch +dm-ioctl-fix-misbehavior-if-list_versions-races-with-module-loading.patch +serial-8250-fall-back-to-non-dma-rx-if-iir_rdi-occurs.patch +serial-8250-flush-dma-rx-on-rlsi.patch +serial-8250_lpss-configure-dma-also-w-o-dma-filter.patch +input-iforce-invert-valid-length-check-when-fetching-device-ids.patch +maccess-fix-writing-offset-in-case-of-fault-in-strncpy_from_kernel_nofault.patch +net-phy-marvell-add-sleep-time-after-enabling-the-loopback-bit.patch +scsi-zfcp-fix-double-free-of-fsf-request-when-qdio-send-fails.patch diff --git a/queue-5.15/slimbus-qcom-ngd-fix-build-error-when-config_slim_qcom_ngd_ctrl-y-config_qcom_rproc_common-m.patch b/queue-5.15/slimbus-qcom-ngd-fix-build-error-when-config_slim_qcom_ngd_ctrl-y-config_qcom_rproc_common-m.patch new file mode 100644 index 00000000000..eb2e5ea6314 --- /dev/null +++ b/queue-5.15/slimbus-qcom-ngd-fix-build-error-when-config_slim_qcom_ngd_ctrl-y-config_qcom_rproc_common-m.patch @@ -0,0 +1,46 @@ +From e54fad8044db18cc400df8d01bfb86cada08b7cb Mon Sep 17 00:00:00 2001 +From: Zheng Bin +Date: Thu, 27 Oct 2022 17:59:04 +0800 +Subject: slimbus: qcom-ngd: Fix build error when CONFIG_SLIM_QCOM_NGD_CTRL=y && CONFIG_QCOM_RPROC_COMMON=m + +From: Zheng Bin + +commit e54fad8044db18cc400df8d01bfb86cada08b7cb upstream. + +If CONFIG_SLIM_QCOM_NGD_CTRL=y, CONFIG_QCOM_RPROC_COMMON=m, COMPILE_TEST=y, +bulding fails: + +drivers/slimbus/qcom-ngd-ctrl.o: In function `qcom_slim_ngd_ctrl_probe': +qcom-ngd-ctrl.c:(.text+0x330): undefined reference to `qcom_register_ssr_notifier' +qcom-ngd-ctrl.c:(.text+0x5fc): undefined reference to `qcom_unregister_ssr_notifier' +drivers/slimbus/qcom-ngd-ctrl.o: In function `qcom_slim_ngd_remove': +qcom-ngd-ctrl.c:(.text+0x90c): undefined reference to `qcom_unregister_ssr_notifier' + +Make SLIM_QCOM_NGD_CTRL depends on QCOM_RPROC_COMMON || (COMPILE_TEST && !QCOM_RPROC_COMMON) to fix this. + +Fixes: e291691c6977 ("slimbus: qcom-ngd-ctrl: allow compile testing without QCOM_RPROC_COMMON") +Cc: stable +Signed-off-by: Zheng Bin +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20221027095904.3388959-1-zhengbin13@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/slimbus/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/slimbus/Kconfig b/drivers/slimbus/Kconfig +index 2ed821f75816..a0fdf9d792cb 100644 +--- a/drivers/slimbus/Kconfig ++++ b/drivers/slimbus/Kconfig +@@ -23,7 +23,7 @@ config SLIM_QCOM_CTRL + config SLIM_QCOM_NGD_CTRL + tristate "Qualcomm SLIMbus Satellite Non-Generic Device Component" + depends on HAS_IOMEM && DMA_ENGINE && NET +- depends on QCOM_RPROC_COMMON || COMPILE_TEST ++ depends on QCOM_RPROC_COMMON || (COMPILE_TEST && !QCOM_RPROC_COMMON) + depends on ARCH_QCOM || COMPILE_TEST + select QCOM_QMI_HELPERS + select QCOM_PDR_HELPERS +-- +2.38.1 + diff --git a/queue-5.15/slimbus-stream-correct-presence-rate-frequencies.patch b/queue-5.15/slimbus-stream-correct-presence-rate-frequencies.patch new file mode 100644 index 00000000000..a43d3b24258 --- /dev/null +++ b/queue-5.15/slimbus-stream-correct-presence-rate-frequencies.patch @@ -0,0 +1,38 @@ +From b9c1939627f8185dec8ba6d741e9573a4c7a5834 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 29 Sep 2022 18:52:02 +0200 +Subject: slimbus: stream: correct presence rate frequencies + +From: Krzysztof Kozlowski + +commit b9c1939627f8185dec8ba6d741e9573a4c7a5834 upstream. + +Correct few frequencies in presence rate table - multiplied by 10 +(110250 instead of 11025 Hz). + +Fixes: abb9c9b8b51b ("slimbus: stream: add stream support") +Cc: +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220929165202.410937-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/slimbus/stream.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/slimbus/stream.c ++++ b/drivers/slimbus/stream.c +@@ -67,10 +67,10 @@ static const int slim_presence_rate_tabl + 384000, + 768000, + 0, /* Reserved */ +- 110250, +- 220500, +- 441000, +- 882000, ++ 11025, ++ 22050, ++ 44100, ++ 88200, + 176400, + 352800, + 705600, diff --git a/queue-5.15/speakup-fix-a-segfault-caused-by-switching-consoles.patch b/queue-5.15/speakup-fix-a-segfault-caused-by-switching-consoles.patch new file mode 100644 index 00000000000..a6076a2b11e --- /dev/null +++ b/queue-5.15/speakup-fix-a-segfault-caused-by-switching-consoles.patch @@ -0,0 +1,61 @@ +From 0fc801f8018000c8e64a275a20cb1da7c54e46df Mon Sep 17 00:00:00 2001 +From: Mushahid Hussain +Date: Mon, 10 Oct 2022 21:57:20 +0500 +Subject: speakup: fix a segfault caused by switching consoles + +From: Mushahid Hussain + +commit 0fc801f8018000c8e64a275a20cb1da7c54e46df upstream. + +This patch fixes a segfault by adding a null check on synth in +speakup_con_update(). The segfault can be reproduced as follows: + + - Login into a text console + + - Load speakup and speakup_soft modules + + - Remove speakup_soft + + - Switch to a graphics console + +This is caused by lack of a null check on `synth` in +speakup_con_update(). + +Here's the sequence that causes the segfault: + + - When we remove the speakup_soft, synth_release() sets the synth + to null. + + - After that, when we change the virtual console to graphics + console, vt_notifier_call() is fired, which then calls + speakup_con_update(). + + - Inside speakup_con_update() there's no null check on synth, + so it calls synth_printf(). + + - Inside synth_printf(), synth_buffer_add() and synth_start(), + both access synth, when it is null and causing a segfault. + +Therefore adding a null check on synth solves the issue. + +Fixes: 2610df41489f ("staging: speakup: Add pause command used on switching to graphical mode") +Cc: stable +Signed-off-by: Mushahid Hussain +Signed-off-by: Samuel Thibault +Link: https://lore.kernel.org/r/20221010165720.397042-1-mushi.shar@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accessibility/speakup/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/accessibility/speakup/main.c ++++ b/drivers/accessibility/speakup/main.c +@@ -1778,7 +1778,7 @@ static void speakup_con_update(struct vc + { + unsigned long flags; + +- if (!speakup_console[vc->vc_num] || spk_parked) ++ if (!speakup_console[vc->vc_num] || spk_parked || !synth) + return; + if (!spin_trylock_irqsave(&speakup_info.spinlock, flags)) + /* Speakup output, discard */ diff --git a/queue-5.15/usb-add-no_lpm-quirk-for-realforce-87u-keyboard.patch b/queue-5.15/usb-add-no_lpm-quirk-for-realforce-87u-keyboard.patch new file mode 100644 index 00000000000..b039f361698 --- /dev/null +++ b/queue-5.15/usb-add-no_lpm-quirk-for-realforce-87u-keyboard.patch @@ -0,0 +1,50 @@ +From 181135bb20dcb184edd89817831b888eb8132741 Mon Sep 17 00:00:00 2001 +From: Nicolas Dumazet +Date: Wed, 9 Nov 2022 13:29:46 +0100 +Subject: usb: add NO_LPM quirk for Realforce 87U Keyboard + +From: Nicolas Dumazet + +commit 181135bb20dcb184edd89817831b888eb8132741 upstream. + +Before adding this quirk, this (mechanical keyboard) device would not be +recognized, logging: + + new full-speed USB device number 56 using xhci_hcd + unable to read config index 0 descriptor/start: -32 + chopping to 0 config(s) + +It would take dozens of plugging/unpuggling cycles for the keyboard to +be recognized. Keyboard seems to simply work after applying this quirk. + +This issue had been reported by users in two places already ([1], [2]) +but nobody tried upstreaming a patch yet. After testing I believe their +suggested fix (DELAY_INIT + NO_LPM + DEVICE_QUALIFIER) was probably a +little overkill. I assume this particular combination was tested because +it had been previously suggested in [3], but only NO_LPM seems +sufficient for this device. + +[1]: https://qiita.com/float168/items/fed43d540c8e2201b543 +[2]: https://blog.kostic.dev/posts/making-the-realforce-87ub-work-with-usb30-on-Ubuntu/ +[3]: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1678477 + +Cc: stable@vger.kernel.org +Signed-off-by: Nicolas Dumazet +Link: https://lore.kernel.org/r/20221109122946.706036-1-ndumazet@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -362,6 +362,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x0781, 0x5583), .driver_info = USB_QUIRK_NO_LPM }, + { USB_DEVICE(0x0781, 0x5591), .driver_info = USB_QUIRK_NO_LPM }, + ++ /* Realforce 87U Keyboard */ ++ { USB_DEVICE(0x0853, 0x011b), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* M-Systems Flash Disk Pioneers */ + { USB_DEVICE(0x08ec, 0x1000), .driver_info = USB_QUIRK_RESET_RESUME }, + diff --git a/queue-5.15/usb-bcma-make-gpio-explicitly-optional.patch b/queue-5.15/usb-bcma-make-gpio-explicitly-optional.patch new file mode 100644 index 00000000000..d74c9353833 --- /dev/null +++ b/queue-5.15/usb-bcma-make-gpio-explicitly-optional.patch @@ -0,0 +1,65 @@ +From cd136706b4f925aa5d316642543babac90d45910 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Mon, 7 Nov 2022 10:07:53 +0100 +Subject: USB: bcma: Make GPIO explicitly optional +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Walleij + +commit cd136706b4f925aa5d316642543babac90d45910 upstream. + +What the code does is to not check the return value from +devm_gpiod_get() and then avoid using an erroneous GPIO descriptor +with IS_ERR_OR_NULL(). + +This will miss real errors from the GPIO core that should not be +ignored, such as probe deferral. + +Instead request the GPIO as explicitly optional, which means that +if it doesn't exist, the descriptor returned will be NULL. + +Then we can add error handling and also avoid just doing this on +the device tree path, and simplify the site where the optional +GPIO descriptor is used. + +There were some problems with cleaning up this GPIO descriptor +use in the past, but this is the proper way to deal with it. + +Cc: Rafał Miłecki +Cc: Chuhong Yuan +Signed-off-by: Linus Walleij +Cc: stable +Link: https://lore.kernel.org/r/20221107090753.1404679-1-linus.walleij@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/bcma-hcd.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/usb/host/bcma-hcd.c ++++ b/drivers/usb/host/bcma-hcd.c +@@ -285,7 +285,7 @@ static void bcma_hci_platform_power_gpio + { + struct bcma_hcd_device *usb_dev = bcma_get_drvdata(dev); + +- if (IS_ERR_OR_NULL(usb_dev->gpio_desc)) ++ if (!usb_dev->gpio_desc) + return; + + gpiod_set_value(usb_dev->gpio_desc, val); +@@ -406,9 +406,11 @@ static int bcma_hcd_probe(struct bcma_de + return -ENOMEM; + usb_dev->core = core; + +- if (core->dev.of_node) +- usb_dev->gpio_desc = devm_gpiod_get(&core->dev, "vcc", +- GPIOD_OUT_HIGH); ++ usb_dev->gpio_desc = devm_gpiod_get_optional(&core->dev, "vcc", ++ GPIOD_OUT_HIGH); ++ if (IS_ERR(usb_dev->gpio_desc)) ++ return dev_err_probe(&core->dev, PTR_ERR(usb_dev->gpio_desc), ++ "error obtaining VCC GPIO"); + + switch (core->id.id) { + case BCMA_CORE_USB20_HOST: diff --git a/queue-5.15/usb-cdns3-host-fix-endless-superspeed-hub-port-reset.patch b/queue-5.15/usb-cdns3-host-fix-endless-superspeed-hub-port-reset.patch new file mode 100644 index 00000000000..6585208f2b1 --- /dev/null +++ b/queue-5.15/usb-cdns3-host-fix-endless-superspeed-hub-port-reset.patch @@ -0,0 +1,131 @@ +From 9d5333c931347005352d5b8beaa43528c94cfc9c Mon Sep 17 00:00:00 2001 +From: Li Jun +Date: Wed, 26 Oct 2022 15:07:49 -0400 +Subject: usb: cdns3: host: fix endless superspeed hub port reset + +From: Li Jun + +commit 9d5333c931347005352d5b8beaa43528c94cfc9c upstream. + +When usb 3.0 hub connect with one USB 2.0 device and NO USB 3.0 device, +some usb hub reports endless port reset message. + +[ 190.324169] usb 2-1: new SuperSpeed USB device number 88 using xhci-hcd +[ 190.352834] hub 2-1:1.0: USB hub found +[ 190.356995] hub 2-1:1.0: 4 ports detected +[ 190.700056] usb 2-1: USB disconnect, device number 88 +[ 192.472139] usb 2-1: new SuperSpeed USB device number 89 using xhci-hcd +[ 192.500820] hub 2-1:1.0: USB hub found +[ 192.504977] hub 2-1:1.0: 4 ports detected +[ 192.852066] usb 2-1: USB disconnect, device number 89 + +The reason is the runtime pm state of USB2.0 port is active and +USB 3.0 port is suspend, so parent device is active state. + + cat /sys/bus/platform/devices/5b110000.usb/5b130000.usb/xhci-hcd.1.auto/usb2/power/runtime_status + + suspended + + cat /sys/bus/platform/devices/5b110000.usb/5b130000.usb/xhci-hcd.1.auto/usb1/power/runtime_status + + active + + cat /sys/bus/platform/devices/5b110000.usb/5b130000.usb/xhci-hcd.1.auto/power/runtime_status + + active + + cat /sys/bus/platform/devices/5b110000.usb/5b130000.usb/power/runtime_status + + active + +So xhci_cdns3_suspend_quirk() have not called. U3 configure is not applied. + +move U3 configure into host start. Reinit again in resume function in case +controller power lost during suspend. + +Cc: stable@vger.kernel.org 5.10 +Signed-off-by: Li Jun +Signed-off-by: Frank Li +Reviewed-by: Peter Chen +Acked-by: Alexander Stein +Link: https://lore.kernel.org/r/20221026190749.2280367-1-Frank.Li@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/host.c | 56 +++++++++++++++++++++++------------------------ + 1 file changed, 28 insertions(+), 28 deletions(-) + +--- a/drivers/usb/cdns3/host.c ++++ b/drivers/usb/cdns3/host.c +@@ -23,11 +23,37 @@ + #define CFG_RXDET_P3_EN BIT(15) + #define LPM_2_STB_SWITCH_EN BIT(25) + +-static int xhci_cdns3_suspend_quirk(struct usb_hcd *hcd); ++static void xhci_cdns3_plat_start(struct usb_hcd *hcd) ++{ ++ struct xhci_hcd *xhci = hcd_to_xhci(hcd); ++ u32 value; ++ ++ /* set usbcmd.EU3S */ ++ value = readl(&xhci->op_regs->command); ++ value |= CMD_PM_INDEX; ++ writel(value, &xhci->op_regs->command); ++ ++ if (hcd->regs) { ++ value = readl(hcd->regs + XECP_AUX_CTRL_REG1); ++ value |= CFG_RXDET_P3_EN; ++ writel(value, hcd->regs + XECP_AUX_CTRL_REG1); ++ ++ value = readl(hcd->regs + XECP_PORT_CAP_REG); ++ value |= LPM_2_STB_SWITCH_EN; ++ writel(value, hcd->regs + XECP_PORT_CAP_REG); ++ } ++} ++ ++static int xhci_cdns3_resume_quirk(struct usb_hcd *hcd) ++{ ++ xhci_cdns3_plat_start(hcd); ++ return 0; ++} + + static const struct xhci_plat_priv xhci_plat_cdns3_xhci = { + .quirks = XHCI_SKIP_PHY_INIT | XHCI_AVOID_BEI, +- .suspend_quirk = xhci_cdns3_suspend_quirk, ++ .plat_start = xhci_cdns3_plat_start, ++ .resume_quirk = xhci_cdns3_resume_quirk, + }; + + static int __cdns_host_init(struct cdns *cdns) +@@ -89,32 +115,6 @@ err1: + return ret; + } + +-static int xhci_cdns3_suspend_quirk(struct usb_hcd *hcd) +-{ +- struct xhci_hcd *xhci = hcd_to_xhci(hcd); +- u32 value; +- +- if (pm_runtime_status_suspended(hcd->self.controller)) +- return 0; +- +- /* set usbcmd.EU3S */ +- value = readl(&xhci->op_regs->command); +- value |= CMD_PM_INDEX; +- writel(value, &xhci->op_regs->command); +- +- if (hcd->regs) { +- value = readl(hcd->regs + XECP_AUX_CTRL_REG1); +- value |= CFG_RXDET_P3_EN; +- writel(value, hcd->regs + XECP_AUX_CTRL_REG1); +- +- value = readl(hcd->regs + XECP_PORT_CAP_REG); +- value |= LPM_2_STB_SWITCH_EN; +- writel(value, hcd->regs + XECP_PORT_CAP_REG); +- } +- +- return 0; +-} +- + static void cdns_host_exit(struct cdns *cdns) + { + kfree(cdns->xhci_plat_data); diff --git a/queue-5.15/usb-chipidea-fix-deadlock-in-ci_otg_del_timer.patch b/queue-5.15/usb-chipidea-fix-deadlock-in-ci_otg_del_timer.patch new file mode 100644 index 00000000000..f15216f44c7 --- /dev/null +++ b/queue-5.15/usb-chipidea-fix-deadlock-in-ci_otg_del_timer.patch @@ -0,0 +1,56 @@ +From 7a58b8d6021426b796eebfae80983374d9a80a75 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Sun, 18 Sep 2022 11:33:12 +0800 +Subject: usb: chipidea: fix deadlock in ci_otg_del_timer + +From: Duoming Zhou + +commit 7a58b8d6021426b796eebfae80983374d9a80a75 upstream. + +There is a deadlock in ci_otg_del_timer(), the process is +shown below: + + (thread 1) | (thread 2) +ci_otg_del_timer() | ci_otg_hrtimer_func() + ... | + spin_lock_irqsave() //(1) | ... + ... | + hrtimer_cancel() | spin_lock_irqsave() //(2) + (block forever) + +We hold ci->lock in position (1) and use hrtimer_cancel() to +wait ci_otg_hrtimer_func() to stop, but ci_otg_hrtimer_func() +also need ci->lock in position (2). As a result, the +hrtimer_cancel() in ci_otg_del_timer() will be blocked forever. + +This patch extracts hrtimer_cancel() from the protection of +spin_lock_irqsave() in order that the ci_otg_hrtimer_func() +could obtain the ci->lock. + +What`s more, there will be no race happen. Because the +"next_timer" is always under the protection of +spin_lock_irqsave() and we only check whether "next_timer" +equals to NUM_OTG_FSM_TIMERS in the following code. + +Fixes: 3a316ec4c91c ("usb: chipidea: use hrtimer for otg fsm timers") +Cc: stable +Signed-off-by: Duoming Zhou +Link: https://lore.kernel.org/r/20220918033312.94348-1-duoming@zju.edu.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/otg_fsm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/chipidea/otg_fsm.c ++++ b/drivers/usb/chipidea/otg_fsm.c +@@ -256,8 +256,10 @@ static void ci_otg_del_timer(struct ci_h + ci->enabled_otg_timer_bits &= ~(1 << t); + if (ci->next_otg_timer == t) { + if (ci->enabled_otg_timer_bits == 0) { ++ spin_unlock_irqrestore(&ci->lock, flags); + /* No enabled timers after delete it */ + hrtimer_cancel(&ci->otg_fsm_hrtimer); ++ spin_lock_irqsave(&ci->lock, flags); + ci->next_otg_timer = NUM_OTG_FSM_TIMERS; + } else { + /* Find the next timer */ diff --git a/queue-5.15/usb-serial-option-add-fibocom-fm160-0x0111-composition.patch b/queue-5.15/usb-serial-option-add-fibocom-fm160-0x0111-composition.patch new file mode 100644 index 00000000000..806032da675 --- /dev/null +++ b/queue-5.15/usb-serial-option-add-fibocom-fm160-0x0111-composition.patch @@ -0,0 +1,57 @@ +From 148f4b32b4504d8a32cf82049b7b9499a4b299ab Mon Sep 17 00:00:00 2001 +From: Reinhard Speyerer +Date: Wed, 9 Nov 2022 22:24:15 +0100 +Subject: USB: serial: option: add Fibocom FM160 0x0111 composition + +From: Reinhard Speyerer + +commit 148f4b32b4504d8a32cf82049b7b9499a4b299ab upstream. + +Add support for the following Fibocom FM160 composition: + +0x0111: MBIM + MODEM + DIAG + AT + +T: Bus=01 Lev=02 Prnt=125 Port=01 Cnt=02 Dev#= 93 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2cb7 ProdID=0111 Rev= 5.04 +S: Manufacturer=Fibocom +S: Product=Fibocom FM160 Modem_SN:12345678 +S: SerialNumber=12345678 +C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00 +I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Reinhard Speyerer +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -2179,6 +2179,7 @@ static const struct usb_device_id option + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x010a, 0xff) }, /* Fibocom MA510 (ECM mode) */ + { USB_DEVICE_AND_INTERFACE_INFO(0x2cb7, 0x010b, 0xff, 0xff, 0x30) }, /* Fibocom FG150 Diag */ + { USB_DEVICE_AND_INTERFACE_INFO(0x2cb7, 0x010b, 0xff, 0, 0) }, /* Fibocom FG150 AT */ ++ { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0111, 0xff) }, /* Fibocom FM160 (MBIM mode) */ + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x01a0, 0xff) }, /* Fibocom NL668-AM/NL652-EU (laptop MBIM) */ + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x01a2, 0xff) }, /* Fibocom FM101-GL (laptop MBIM) */ + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x01a4, 0xff), /* Fibocom FM101-GL (laptop MBIM) */ diff --git a/queue-5.15/usb-serial-option-add-sierra-wireless-em9191.patch b/queue-5.15/usb-serial-option-add-sierra-wireless-em9191.patch new file mode 100644 index 00000000000..45f65f9760e --- /dev/null +++ b/queue-5.15/usb-serial-option-add-sierra-wireless-em9191.patch @@ -0,0 +1,58 @@ +From df3414b0a245f43476061fddd78cee7d6cff797f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Monin?= +Date: Thu, 13 Oct 2022 16:26:48 +0200 +Subject: USB: serial: option: add Sierra Wireless EM9191 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benoît Monin + +commit df3414b0a245f43476061fddd78cee7d6cff797f upstream. + +Add support for the AT and diag ports, similar to other qualcomm SDX55 +modems. In QDL mode, the modem uses a different device ID and support +is provided by qcserial in commit 11c52d250b34 ("USB: serial: qcserial: +add EM9191 QDL support"). + +T: Bus=08 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 3 Spd=5000 MxCh= 0 +D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 +P: Vendor=1199 ProdID=90d3 Rev=00.06 +S: Manufacturer=Sierra Wireless, Incorporated +S: Product=Sierra Wireless EM9191 +S: SerialNumber=xxxxxxxxxxxxxxxx +C: #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=896mA +I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none) + +Signed-off-by: Benoît Monin +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -581,6 +581,9 @@ static void option_instat_callback(struc + #define OPPO_VENDOR_ID 0x22d9 + #define OPPO_PRODUCT_R11 0x276c + ++/* Sierra Wireless products */ ++#define SIERRA_VENDOR_ID 0x1199 ++#define SIERRA_PRODUCT_EM9191 0x90d3 + + /* Device flags */ + +@@ -2176,6 +2179,8 @@ static const struct usb_device_id option + { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1405, 0xff) }, /* GosunCn GM500 MBIM */ + { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1406, 0xff) }, /* GosunCn GM500 ECM/NCM */ + { USB_DEVICE_AND_INTERFACE_INFO(OPPO_VENDOR_ID, OPPO_PRODUCT_R11, 0xff, 0xff, 0x30) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0xff, 0x30) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0, 0) }, + { } /* Terminating entry */ + }; + MODULE_DEVICE_TABLE(usb, option_ids); diff --git a/queue-5.15/usb-serial-option-add-u-blox-lara-l6-modem.patch b/queue-5.15/usb-serial-option-add-u-blox-lara-l6-modem.patch new file mode 100644 index 00000000000..0d930af4907 --- /dev/null +++ b/queue-5.15/usb-serial-option-add-u-blox-lara-l6-modem.patch @@ -0,0 +1,73 @@ +From c1547f12df8b8e9ca2686accee43213ecd117efe Mon Sep 17 00:00:00 2001 +From: Davide Tronchin +Date: Wed, 16 Nov 2022 16:59:50 +0100 +Subject: USB: serial: option: add u-blox LARA-L6 modem + +From: Davide Tronchin + +commit c1547f12df8b8e9ca2686accee43213ecd117efe upstream. + +Add LARA-L6 PIDs for three different USB compositions. + +LARA-L6 module can be configured (by AT interface) in three different +USB modes: +* Default mode (Vendor ID: 0x1546 Product ID: 0x1341) with 4 serial +interfaces +* RmNet mode (Vendor ID: 0x1546 Product ID: 0x1342) with 4 serial +interfaces and 1 RmNet virtual network interface +* CDC-ECM mode (Vendor ID: 0x1546 Product ID: 0x1343) with 4 serial +interface and 1 CDC-ECM virtual network interface + +In default mode LARA-L6 exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions + +In RmNet mode LARA-L6 exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parset/alternative functions +If 4: RMNET interface + +In CDC-ECM mode LARA-L6 exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parset/alternative functions +If 4: CDC-ECM interface + +Signed-off-by: Davide Tronchin +[ johan: drop PID defines in favour of comments ] +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -162,6 +162,8 @@ static void option_instat_callback(struc + #define NOVATELWIRELESS_PRODUCT_G2 0xA010 + #define NOVATELWIRELESS_PRODUCT_MC551 0xB001 + ++#define UBLOX_VENDOR_ID 0x1546 ++ + /* AMOI PRODUCTS */ + #define AMOI_VENDOR_ID 0x1614 + #define AMOI_PRODUCT_H01 0x0800 +@@ -1130,6 +1132,12 @@ static const struct usb_device_id option + .driver_info = RSVD(4) }, + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x90fa), + .driver_info = RSVD(3) }, ++ /* u-blox products */ ++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1341) }, /* u-blox LARA-L6 */ ++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1342), /* u-blox LARA-L6 (RMNET) */ ++ .driver_info = RSVD(4) }, ++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1343), /* u-blox LARA-L6 (ECM) */ ++ .driver_info = RSVD(4) }, + /* Quectel products using Quectel vendor ID */ + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21, 0xff, 0xff, 0xff), + .driver_info = NUMEP2 }, diff --git a/queue-5.15/usb-serial-option-add-u-blox-lara-r6-00b-modem.patch b/queue-5.15/usb-serial-option-add-u-blox-lara-r6-00b-modem.patch new file mode 100644 index 00000000000..56524c9253a --- /dev/null +++ b/queue-5.15/usb-serial-option-add-u-blox-lara-r6-00b-modem.patch @@ -0,0 +1,38 @@ +From d9e37a5c4d80ea25a7171ab8557a449115554e76 Mon Sep 17 00:00:00 2001 +From: Davide Tronchin +Date: Wed, 16 Nov 2022 16:59:49 +0100 +Subject: USB: serial: option: add u-blox LARA-R6 00B modem + +From: Davide Tronchin + +commit d9e37a5c4d80ea25a7171ab8557a449115554e76 upstream. + +The official LARA-R6 (00B) modem uses 0x908b PID. LARA-R6 00B does not +implement a QMI interface on port 4, the reservation (RSVD(4)) has been +added to meet other companies that implement QMI on that interface. + +LARA-R6 00B USB composition exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions + +Signed-off-by: Davide Tronchin +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1126,6 +1126,8 @@ static const struct usb_device_id option + /* u-blox products using Qualcomm vendor ID */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, UBLOX_PRODUCT_R410M), + .driver_info = RSVD(1) | RSVD(3) }, ++ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x908b), /* u-blox LARA-R6 00B */ ++ .driver_info = RSVD(4) }, + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x90fa), + .driver_info = RSVD(3) }, + /* Quectel products using Quectel vendor ID */ diff --git a/queue-5.15/usb-serial-option-remove-old-lara-r6-pid.patch b/queue-5.15/usb-serial-option-remove-old-lara-r6-pid.patch new file mode 100644 index 00000000000..008ccba30c7 --- /dev/null +++ b/queue-5.15/usb-serial-option-remove-old-lara-r6-pid.patch @@ -0,0 +1,45 @@ +From 2ec106b96afc19698ff934323b633c0729d4c7f8 Mon Sep 17 00:00:00 2001 +From: Davide Tronchin +Date: Wed, 16 Nov 2022 16:59:48 +0100 +Subject: USB: serial: option: remove old LARA-R6 PID + +From: Davide Tronchin + +commit 2ec106b96afc19698ff934323b633c0729d4c7f8 upstream. + +Remove the UBLOX_PRODUCT_R6XX 0x90fa association since LARA-R6 00B final +product uses a new USB composition with different PID. 0x90fa PID used +only by LARA-R6 internal prototypes. + +Move 0x90fa PID directly in the option_ids array since used by other +Qualcomm based modem vendors as pointed out in: + + https://lore.kernel.org/all/6572c4e6-d8bc-b8d3-4396-d879e4e76338@gmail.com + +Signed-off-by: Davide Tronchin +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -240,7 +240,6 @@ static void option_instat_callback(struc + #define QUECTEL_PRODUCT_UC15 0x9090 + /* These u-blox products use Qualcomm's vendor ID */ + #define UBLOX_PRODUCT_R410M 0x90b2 +-#define UBLOX_PRODUCT_R6XX 0x90fa + /* These Yuga products use Qualcomm's vendor ID */ + #define YUGA_PRODUCT_CLM920_NC5 0x9625 + +@@ -1127,7 +1126,7 @@ static const struct usb_device_id option + /* u-blox products using Qualcomm vendor ID */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, UBLOX_PRODUCT_R410M), + .driver_info = RSVD(1) | RSVD(3) }, +- { USB_DEVICE(QUALCOMM_VENDOR_ID, UBLOX_PRODUCT_R6XX), ++ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x90fa), + .driver_info = RSVD(3) }, + /* Quectel products using Quectel vendor ID */ + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21, 0xff, 0xff, 0xff), diff --git a/queue-5.15/usb-typec-mux-enter-safe-mode-only-when-pins-need-to-be-reconfigured.patch b/queue-5.15/usb-typec-mux-enter-safe-mode-only-when-pins-need-to-be-reconfigured.patch new file mode 100644 index 00000000000..e177ad11f6e --- /dev/null +++ b/queue-5.15/usb-typec-mux-enter-safe-mode-only-when-pins-need-to-be-reconfigured.patch @@ -0,0 +1,72 @@ +From 40bf8f162d0f95e0716e479d7db41443d931765c Mon Sep 17 00:00:00 2001 +From: Rajat Khandelwal +Date: Mon, 24 Oct 2022 22:46:11 +0530 +Subject: usb: typec: mux: Enter safe mode only when pins need to be reconfigured + +From: Rajat Khandelwal + +commit 40bf8f162d0f95e0716e479d7db41443d931765c upstream. + +There is no point to enter safe mode during DP/TBT configuration +if the DP/TBT was already configured in mux. This is because safe +mode is only applicable when there is a need to reconfigure the +pins in order to avoid damage within/to port partner. + +In some chrome systems, IOM/mux is already configured before OS +comes up. Thus, when driver is probed, it blindly enters safe +mode due to PD negotiations but only after gfx driver lowers +dp_phy_ownership, will the IOM complete safe mode and send an +ack to PMC. +Since, that never happens, we see IPC timeout. + +Hence, allow safe mode only when pin reconfiguration is not +required, which makes sense. + +Fixes: 43d596e32276 ("usb: typec: intel_pmc_mux: Check the port status before connect") +Cc: stable +Signed-off-by: Rajat Khandelwal +Signed-off-by: Lee Shawn C +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20221024171611.181468-1-rajat.khandelwal@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/mux/intel_pmc_mux.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/usb/typec/mux/intel_pmc_mux.c ++++ b/drivers/usb/typec/mux/intel_pmc_mux.c +@@ -352,13 +352,24 @@ pmc_usb_mux_usb4(struct pmc_usb_port *po + return pmc_usb_command(port, (void *)&req, sizeof(req)); + } + +-static int pmc_usb_mux_safe_state(struct pmc_usb_port *port) ++static int pmc_usb_mux_safe_state(struct pmc_usb_port *port, ++ struct typec_mux_state *state) + { + u8 msg; + + if (IOM_PORT_ACTIVITY_IS(port->iom_status, SAFE_MODE)) + return 0; + ++ if ((IOM_PORT_ACTIVITY_IS(port->iom_status, DP) || ++ IOM_PORT_ACTIVITY_IS(port->iom_status, DP_MFD)) && ++ state->alt && state->alt->svid == USB_TYPEC_DP_SID) ++ return 0; ++ ++ if ((IOM_PORT_ACTIVITY_IS(port->iom_status, TBT) || ++ IOM_PORT_ACTIVITY_IS(port->iom_status, ALT_MODE_TBT_USB)) && ++ state->alt && state->alt->svid == USB_TYPEC_TBT_SID) ++ return 0; ++ + msg = PMC_USB_SAFE_MODE; + msg |= port->usb3_port << PMC_USB_MSG_USB3_PORT_SHIFT; + +@@ -426,7 +437,7 @@ pmc_usb_mux_set(struct typec_mux *mux, s + return 0; + + if (state->mode == TYPEC_STATE_SAFE) +- return pmc_usb_mux_safe_state(port); ++ return pmc_usb_mux_safe_state(port, state); + if (state->mode == TYPEC_STATE_USB) + return pmc_usb_connect(port, port->role); + -- 2.47.3