commit 6ab3eda153b603d578a83e75dd1a58270ebfe3f2 Author: Greg Kroah-Hartman Date: Fri Mar 3 11:56:18 2023 +0100 Linux 6.2.2 Link: https://lore.kernel.org/r/20230301180653.263532453@linuxfoundation.org Tested-by: Ronald Warsow Tested-by: Luna Jernberg Tested-by: Florian Fainelli Tested-by: Justin M. Forbes Tested-by: Shuah Khan Tested-by: Bagas Sanjaya Tested-by: Jon Hunter Tested-by: Conor Dooley Tested-by: Sudip Mukherjee Tested-by: Ron Economos Tested-by: Linux Kernel Functional Testing Tested-by: Slade Watkins Tested-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 1bcb238c54a9c6dc4bded06b06ba7458a5eefa87 Author: Alan Stern Date: Tue Jan 31 15:49:04 2023 -0500 USB: core: Don't hold device lock while reading the "descriptors" sysfs file commit 45bf39f8df7f05efb83b302c65ae3b9bc92b7065 upstream. Ever since commit 83e83ecb79a8 ("usb: core: get config and string descriptors for unauthorized devices") was merged in 2013, there has been no mechanism for reallocating the rawdescriptors buffers in struct usb_device after the initial enumeration. Before that commit, the buffers would be deallocated when a device was deauthorized and reallocated when it was authorized and enumerated. This means that the locking in the read_descriptors() routine is not needed, since the buffers it reads will never be reallocated while the routine is running. This locking can interfere with user programs trying to read a hub's descriptors via sysfs while new child devices of the hub are being initialized, since the hub is locked during this procedure. Since the locking in read_descriptors() hasn't been needed for over nine years, we can remove it. Reported-and-tested-by: Troels Liebe Bentsen Signed-off-by: Alan Stern CC: stable@vger.kernel.org Link: https://lore.kernel.org/r/Y9l+wDTRbuZABzsE@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman commit f2205558dd7832adda21467637a92174409672d8 Author: Saranya Gopal Date: Tue Feb 14 17:15:42 2023 +0530 usb: typec: pd: Remove usb_suspend_supported sysfs from sink PDO commit e4e7b2dc27c4bb877d850eaff69d41410b2f4237 upstream. As per USB PD specification, 28th bit of fixed supply sink PDO represents "higher capability" attribute and not "usb suspend supported" attribute. So, this patch removes the usb_suspend_supported attribute from sink PDO. Fixes: 662a60102c12 ("usb: typec: Separate USB Power Delivery from USB Type-C") Cc: stable Reported-by: Rajaram Regupathy Signed-off-by: Saranya Gopal Reviewed-by: Heikki Krogerus Link: https://lore.kernel.org/r/20230214114543.205103-1-saranya.gopal@intel.com Signed-off-by: Greg Kroah-Hartman commit 0d4a8a7ec4eed7dae87cc58b77953cac8f498007 Author: Kunihiko Hayashi Date: Tue Feb 7 11:14:29 2023 +0900 arm64: dts: uniphier: Fix property name in PXs3 USB node commit 2508d5efd7a588d07915a762e1731173854525f9 upstream. The property "snps,usb2_gadget_lpm_disable" is wrong. It should be fixed to "snps,usb2-gadget-lpm-disable". Cc: stable@vger.kernel.org Fixes: 19fee1a1096d ("arm64: dts: uniphier: Add USB-device support for PXs3 reference board") Signed-off-by: Kunihiko Hayashi Link: https://lore.kernel.org/r/20230207021429.28925-1-hayashi.kunihiko@socionext.com Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 44e004f757a7ae13dfebaadbcfdb1a6f98c10377 Author: Prashanth K Date: Mon Feb 13 23:00:38 2023 +0530 usb: gadget: u_serial: Add null pointer check in gserial_resume commit 5ec63fdbca604568890c577753c6f66c5b3ef0b5 upstream. Consider a case where gserial_disconnect has already cleared gser->ioport. And if a wakeup interrupt triggers afterwards, gserial_resume gets called, which will lead to accessing of gser->ioport and thus causing null pointer dereference.Add a null pointer check to prevent this. Added a static spinlock to prevent gser->ioport from becoming null after the newly added check. Fixes: aba3a8d01d62 ("usb: gadget: u_serial: add suspend resume callbacks") Cc: stable Signed-off-by: Prashanth K Acked-by: Alan Stern Link: https://lore.kernel.org/r/1676309438-14922-1-git-send-email-quic_prashk@quicinc.com Signed-off-by: Greg Kroah-Hartman commit 9942d418a3cff953f81a615d7ad8d091205ef328 Author: Florian Zumbiehl Date: Mon Feb 6 02:04:28 2023 +0100 USB: serial: option: add support for VW/Skoda "Carstick LTE" commit 617c331d91077f896111044628c096802551dc66 upstream. Add support for VW/Skoda "Carstick LTE" D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1c9e ProdID=7605 Rev=02.00 S: Manufacturer=USB Modem S: Product=USB Modem C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) The stick has AT command interfaces on interfaces 1, 2, and 3, and does PPP on interface 3. Signed-off-by: Florian Zumbiehl Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 60f19e600d35d0004a715acd63c1f5d5dbdce3a8 Author: Heikki Krogerus Date: Wed Feb 15 15:27:11 2023 +0200 usb: dwc3: pci: add support for the Intel Meteor Lake-M commit 8e5248c3a8778f3e394e9a19195bc7a48f567ca2 upstream. This patch adds the necessary PCI IDs for Intel Meteor Lake-M devices. Signed-off-by: Heikki Krogerus Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230215132711.35668-1-heikki.krogerus@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 709f329ea51c229e56991076fa67f7046400d84e Author: Sascha Hauer Date: Fri Feb 10 12:16:32 2023 +0100 wifi: rtw88: usb: drop now unnecessary URB size check commit 462c8db6a01160836c68e262d25566f2447148d9 upstream. Now that we send URBs with the URB_ZERO_PACKET flag set we no longer need to make sure that the URB sizes are not multiple of the bulkout_size. Drop the check. Signed-off-by: Sascha Hauer Reviewed-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20230210111632.1985205-4-s.hauer@pengutronix.de Signed-off-by: Greg Kroah-Hartman commit b30dbecf891fb22c512d01ea40235cc45683971b Author: Sascha Hauer Date: Fri Feb 10 12:16:31 2023 +0100 wifi: rtw88: usb: send Zero length packets if necessary commit 07ce9fa6ab0e5e4cb5516a1f7c754ab2758fe5cd upstream. Zero length packets are necessary when sending URBs with size multiple of bulkout_size, otherwise the hardware just stalls. Fixes: a82dfd33d1237 ("wifi: rtw88: Add common USB chip support") Signed-off-by: Sascha Hauer Reviewed-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20230210111632.1985205-3-s.hauer@pengutronix.de Signed-off-by: Greg Kroah-Hartman commit 3bcc9db63336ee4a2d10b92a8ed15d64246cf910 Author: Sascha Hauer Date: Fri Feb 10 12:16:30 2023 +0100 wifi: rtw88: usb: Set qsel correctly commit 7869b834fb07c79933229840c98b02bbb7bd0d75 upstream. We have to extract qsel from the skb before doing skb_push() on it, otherwise qsel will always be 0. Fixes: a82dfd33d1237 ("wifi: rtw88: Add common USB chip support") Signed-off-by: Sascha Hauer Reviewed-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20230210111632.1985205-2-s.hauer@pengutronix.de Signed-off-by: Greg Kroah-Hartman commit e29c9dbd99f2ec5dd7d07ef08426ebab9e065b88 Author: Carlos Llamas Date: Wed Feb 15 18:38:50 2023 +0000 scripts/tags.sh: fix incompatibility with PCRE2 commit 6ec363fc6142226b9ab5a6528f65333d729d2b6b upstream. Starting with release 10.38 PCRE2 drops default support for using \K in lookaround patterns as described in [1]. Unfortunately, scripts/tags.sh relies on such functionality to collect all_compiled_soures() leading to the following error: $ make COMPILED_SOURCE=1 tags GEN tags grep: \K is not allowed in lookarounds (but see PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK) The usage of \K for this pattern was introduced in commit 4f491bb6ea2a ("scripts/tags.sh: collect compiled source precisely") which speeds up the generation of tags significantly. In order to fix this issue without compromising the performance we can switch over to an equivalent sed expression. The same matching pattern is preserved here except \K is replaced with a backreference \1. [1] https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC11 Cc: Greg Kroah-Hartman Cc: Cristian Ciocaltea Cc: Masahiro Yamada Cc: Jialu Xu Cc: Vipin Sharma Cc: stable@vger.kernel.org Fixes: 4f491bb6ea2a ("scripts/tags.sh: collect compiled source precisely") Signed-off-by: Carlos Llamas Link: https://lore.kernel.org/r/20230215183850.3353198-1-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman commit 83d403e773a851c9447e4d1847a6f1df91604d43 Author: Stylon Wang Date: Tue Jan 10 14:38:33 2023 +0800 drm/amd/display: Properly reuse completion structure commit 0cf8307adbc6beb5ff3b8a76afedc6e4e0b536a9 upstream. [Why] Connecting displays to TBT3 docks often produces invalid replies for DPIA AUX requests. It turns out the completion structure was not re-initialized before reusing it, resulting in immature wake up to completion. [How] Properly call reinit_completion() on reused completion structure. Cc: stable@vger.kernel.org Reviewed-by: Solomon Chiu Acked-by: Alan Liu Signed-off-by: Stylon Wang Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Cc: "Limonciello, Mario" Signed-off-by: Greg Kroah-Hartman commit 9c591e6a027053460b61d63c239df4391fbce98f Author: Nicholas Kazlauskas Date: Mon Jan 23 14:59:28 2023 -0500 drm/amd/display: Move DCN314 DOMAIN power control to DMCUB commit e383b12709e32d6494c948422070c2464b637e44 upstream. [Why] DOMAIN power gating control is now required to be done via firmware due to interlock with other power features. This is to avoid intermittent issues in the LB memories. [How] If the firmware supports the command then use the new firmware as the sequence can avoid potential display corruption issues. The command will be ignored on firmware that does not support DOMAIN power control and the pipes will remain always on - frequent PG cycling can cause the issue to occur on the old sequence, so we should avoid it. Reviewed-by: Hansen Dsouza Acked-by: Qingqing Zhuo Signed-off-by: Nicholas Kazlauskas Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Cc: "Limonciello, Mario" Signed-off-by: Greg Kroah-Hartman commit 8417e002b7165bdde96ef6af48708ad8de6fe194 Author: Thomas Weißschuh Date: Mon Feb 20 06:46:12 2023 +0000 vc_screen: don't clobber return value in vcs_read commit ae3419fbac845b4d3f3a9fae4cc80c68d82cdf6e upstream. Commit 226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF") moved the call to vcs_vc() into the loop. While doing this it also moved the unconditional assignment of ret = -ENXIO; This unconditional assignment was valid outside the loop but within it it clobbers the actual value of ret. To avoid this only assign "ret = -ENXIO" when actually needed. [ Also, the 'goto unlock_out" needs to be just a "break", so that it does the right thing when it exits on later iterations when partial success has happened - Linus ] Reported-by: Storm Dragon Link: https://lore.kernel.org/lkml/Y%2FKS6vdql2pIsCiI@hotmail.com/ Fixes: 226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF") Signed-off-by: Thomas Weißschuh Link: https://lore.kernel.org/lkml/64981d94-d00c-4b31-9063-43ad0a384bde@t-8ch.de/ Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d00615dc5053d7a8737c73cf6a3a3b1b8846ffae Author: Martin KaFai Lau Date: Thu Feb 16 16:41:48 2023 -0800 bpf: bpf_fib_lookup should not return neigh in NUD_FAILED state commit 1fe4850b34ab512ff911e2c035c75fb6438f7307 upstream. The bpf_fib_lookup() helper does not only look up the fib (ie. route) but it also looks up the neigh. Before returning the neigh, the helper does not check for NUD_VALID. When a neigh state (neigh->nud_state) is in NUD_FAILED, its dmac (neigh->ha) could be all zeros. The helper still returns SUCCESS instead of NO_NEIGH in this case. Because of the SUCCESS return value, the bpf prog directly uses the returned dmac and ends up filling all zero in the eth header. This patch checks for NUD_VALID and returns NO_NEIGH if the neigh is not valid. Signed-off-by: Martin KaFai Lau Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20230217004150.2980689-3-martin.lau@linux.dev Signed-off-by: Greg Kroah-Hartman commit 766651b3780bde37629dc75798e51ec9164b53ae Author: Herbert Xu Date: Thu Feb 2 16:33:47 2023 +0800 crypto: arm64/sm4-gcm - Fix possible crash in GCM cryption commit 4e4a08868f15897ca236528771c3733fded42c62 upstream. An often overlooked aspect of the skcipher walker API is that an error is not just indicated by a non-zero return value, but by the fact that walk->nbytes is zero. Thus it is an error to call skcipher_walk_done after getting back walk->nbytes == 0 from the previous interaction with the walker. This is because when walk->nbytes is zero the walker is left in an undefined state and any further calls to it may try to free uninitialised stack memory. The sm4 arm64 ccm code gets this wrong and ends up calling skcipher_walk_done even when walk->nbytes is zero. This patch rewrites the loop in a form that resembles other callers. Reported-by: Tianjia Zhang Fixes: ae1b83c7d572 ("crypto: arm64/sm4 - add CE implementation for GCM mode") Signed-off-by: Herbert Xu Tested-by: Tianjia Zhang Signed-off-by: Herbert Xu Cc: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit 971acf26560ff34b2263b854ea9897b70726977e Author: Vitaly Rodionov Date: Mon Feb 13 14:50:06 2023 +0000 ALSA: hda: cs35l41: Correct error condition handling commit 943f4e64ee177cf44d7f2c235281fcda7c32bb28 upstream. Function cs_dsp_coeff_write_ctrl() can return 3 possible values: 0 - no change, 1 - value has changed and -1 - error, so positive value is not an error. Fixes: 7406bdbc4fb8 ("ASoC: wm_adsp: Return whether changed when writing controls") Signed-off-by: Vitaly Rodionov Signed-off-by: Stefan Binding Link: https://lore.kernel.org/r/20230213145008.1215849-2-sbinding@opensource.cirrus.com Signed-off-by: Takashi Iwai Cc: Richard Fitzgerald Signed-off-by: Greg Kroah-Hartman