From 31555112f08c874809096bf81fd762de9b19ce4c Mon Sep 17 00:00:00 2001 From: Tony Jones Date: May 27 2025 20:03:12 +0000 Subject: Merge remote-tracking branch 'origin/users/oneukum/SLE15-SP6/for-next' into SLE15-SP6 --- diff --git a/blacklist.conf b/blacklist.conf index f8cdebe..bbfaaef 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -828,3 +828,5 @@ e36a93e1723eb09c8393604ddc8ef2966f592597 # Already applied d931cf9b38da0f533cacfe51c863a9912e67822f # Wrong fixes tag 244f8aa46fa9e2f4ea5fe0e04988b395d5e30fc7 # Wrong fixes tag d0831edcd87ee4cbf1b8cc5669d9d07c71577477 # cleanup requiring prereq patches not in SLE15-SP6 +c99b38c412343053e9af187e595793c8805bb9b8 # needed for audio offload, not a fix +9c0c11bb87b09a8b7cdc21ca1090e7b36abe9d09 # needed for audio offload, not a fix diff --git a/patches.kabi/struct-typec_port-move-nre-mutex-to-end.patch b/patches.kabi/struct-typec_port-move-nre-mutex-to-end.patch new file mode 100644 index 0000000..3eb5f91 --- /dev/null +++ b/patches.kabi/struct-typec_port-move-nre-mutex-to-end.patch @@ -0,0 +1,36 @@ +From c8fbb2a6ccb47e0db824ea6e923f8eb431c20d3c Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 27 May 2025 13:56:13 +0200 +Subject: [PATCH] struct typec_port: move nre mutex to end +Patch-mainline: never (kABI fixup) +References: bsc#1242856 CVE-2025-37809 + +--- + drivers/usb/typec/class.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/typec/class.h b/drivers/usb/typec/class.h +index 0b96652f9..8503e5676 100644 +--- a/drivers/usb/typec/class.h ++++ b/drivers/usb/typec/class.h +@@ -59,7 +59,6 @@ struct typec_port { + enum typec_pwr_opmode pwr_opmode; + enum typec_port_type port_type; + struct mutex port_type_lock; +- struct mutex partner_link_lock; + + enum typec_orientation orientation; + struct typec_switch *sw; +@@ -82,6 +81,9 @@ struct typec_port { + struct device *usb3_dev; + + void *suse_kabi_padding; ++#ifndef __GENKSYMS__ ++ struct mutex partner_link_lock; ++#endif + }; + + #define to_typec_port(_dev_) container_of(_dev_, struct typec_port, dev) +-- +2.49.0 + diff --git a/patches.suse/usb-typec-class-Fix-NULL-pointer-access.patch b/patches.suse/usb-typec-class-Fix-NULL-pointer-access.patch new file mode 100644 index 0000000..a5eb5f9 --- /dev/null +++ b/patches.suse/usb-typec-class-Fix-NULL-pointer-access.patch @@ -0,0 +1,119 @@ +From ec27386de23a511008c53aa2f3434ad180a3ca9a Mon Sep 17 00:00:00 2001 +From: Andrei Kuchynski +Date: Fri, 21 Mar 2025 14:37:26 +0000 +Subject: [PATCH] usb: typec: class: Fix NULL pointer access +Git-commit: ec27386de23a511008c53aa2f3434ad180a3ca9a +References: bsc#1242856 CVE-2025-37809 +Patch-mainline: v6.15-rc4 + +Concurrent calls to typec_partner_unlink_device can lead to a NULL pointer +dereference. This patch adds a mutex to protect USB device pointers and +prevent this issue. The same mutex protects both the device pointers and +the partner device registration. + +Cc: stable@vger.kernel.org +Fixes: 59de2a56d127 ("usb: typec: Link enumerated USB devices with Type-C partner") +Signed-off-by: Andrei Kuchynski +Reviewed-by: Benson Leung +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20250321143728.4092417-2-akuchynski@chromium.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum + +--- + drivers/usb/typec/class.c | 15 +++++++++++++-- + drivers/usb/typec/class.h | 1 + + 2 files changed, 14 insertions(+), 2 deletions(-) + +--- a/drivers/usb/typec/class.c ++++ b/drivers/usb/typec/class.c +@@ -916,6 +916,7 @@ struct typec_partner *typec_register_par + partner->dev.type = &typec_partner_dev_type; + dev_set_name(&partner->dev, "%s-partner", dev_name(&port->dev)); + ++ mutex_lock(&port->partner_link_lock); + ret = device_register(&partner->dev); + if (ret) { + dev_err(&port->dev, "failed to register partner (%d)\n", ret); +@@ -927,6 +928,7 @@ struct typec_partner *typec_register_par + typec_partner_link_device(partner, port->usb2_dev); + if (port->usb3_dev) + typec_partner_link_device(partner, port->usb3_dev); ++ mutex_unlock(&port->partner_link_lock); + + return partner; + } +@@ -947,12 +949,14 @@ void typec_unregister_partner(struct typ + + port = to_typec_port(partner->dev.parent); + ++ mutex_lock(&port->partner_link_lock); + if (port->usb2_dev) + typec_partner_unlink_device(partner, port->usb2_dev); + if (port->usb3_dev) + typec_partner_unlink_device(partner, port->usb3_dev); + + device_unregister(&partner->dev); ++ mutex_unlock(&port->partner_link_lock); + } + EXPORT_SYMBOL_GPL(typec_unregister_partner); + +@@ -1846,25 +1850,30 @@ static struct typec_partner *typec_get_p + static void typec_partner_attach(struct typec_connector *con, struct device *dev) + { + struct typec_port *port = container_of(con, struct typec_port, con); +- struct typec_partner *partner = typec_get_partner(port); ++ struct typec_partner *partner; + struct usb_device *udev = to_usb_device(dev); + ++ mutex_lock(&port->partner_link_lock); + if (udev->speed < USB_SPEED_SUPER) + port->usb2_dev = dev; + else + port->usb3_dev = dev; + ++ partner = typec_get_partner(port); + if (partner) { + typec_partner_link_device(partner, dev); + put_device(&partner->dev); + } ++ mutex_unlock(&port->partner_link_lock); + } + + static void typec_partner_deattach(struct typec_connector *con, struct device *dev) + { + struct typec_port *port = container_of(con, struct typec_port, con); +- struct typec_partner *partner = typec_get_partner(port); ++ struct typec_partner *partner; + ++ mutex_lock(&port->partner_link_lock); ++ partner = typec_get_partner(port); + if (partner) { + typec_partner_unlink_device(partner, dev); + put_device(&partner->dev); +@@ -1874,6 +1883,7 @@ static void typec_partner_deattach(struc + port->usb2_dev = NULL; + else if (port->usb3_dev == dev) + port->usb3_dev = NULL; ++ mutex_unlock(&port->partner_link_lock); + } + + /** +@@ -2350,6 +2360,7 @@ struct typec_port *typec_register_port(s + + ida_init(&port->mode_ids); + mutex_init(&port->port_type_lock); ++ mutex_init(&port->partner_link_lock); + + port->id = id; + port->ops = cap->ops; +--- a/drivers/usb/typec/class.h ++++ b/drivers/usb/typec/class.h +@@ -55,6 +55,7 @@ struct typec_port { + enum typec_pwr_opmode pwr_opmode; + enum typec_port_type port_type; + struct mutex port_type_lock; ++ struct mutex partner_link_lock; + + enum typec_orientation orientation; + struct typec_switch *sw; diff --git a/patches.suse/usb-typec-class-Invalidate-USB-device-pointers-on-pa.patch b/patches.suse/usb-typec-class-Invalidate-USB-device-pointers-on-pa.patch index 6ecaaa1..765fe78 100644 --- a/patches.suse/usb-typec-class-Invalidate-USB-device-pointers-on-pa.patch +++ b/patches.suse/usb-typec-class-Invalidate-USB-device-pointers-on-pa.patch @@ -26,7 +26,7 @@ Signed-off-by: Oliver Neukum --- a/drivers/usb/typec/class.c +++ b/drivers/usb/typec/class.c -@@ -923,10 +923,14 @@ struct typec_partner *typec_register_par +@@ -924,10 +924,14 @@ struct typec_partner *typec_register_par return ERR_PTR(ret); } @@ -40,6 +40,6 @@ Signed-off-by: Oliver Neukum typec_partner_link_device(partner, port->usb3_dev); + port->usb3_dev = NULL; + } + mutex_unlock(&port->partner_link_lock); return partner; - } diff --git a/patches.suse/usb-typec-class-Unlocked-on-error-in-typec_register_.patch b/patches.suse/usb-typec-class-Unlocked-on-error-in-typec_register_.patch new file mode 100644 index 0000000..6816d9a --- /dev/null +++ b/patches.suse/usb-typec-class-Unlocked-on-error-in-typec_register_.patch @@ -0,0 +1,39 @@ +From 429a98abfc01d3d4378b7a00969437dc3e8f647c Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 15 Apr 2025 13:45:08 +0300 +Subject: [PATCH] usb: typec: class: Unlocked on error in + typec_register_partner() +Git-commit: 429a98abfc01d3d4378b7a00969437dc3e8f647c +References: bsc#1242856 CVE-2025-37809 +Patch-mainline: v6.15-rc4 + +We recently added some locking to this function but this error path +was accidentally missed. Unlock before returning. + +Fixes: ec27386de23a ("usb: typec: class: Fix NULL pointer access") +Cc: stable +Signed-off-by: Dan Carpenter +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/Z_44tOtmml89wQcM@stanley.mountain +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum + +--- + drivers/usb/typec/class.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c +index 3df3e3736916..67a533e35150 100644 +--- a/drivers/usb/typec/class.c ++++ b/drivers/usb/typec/class.c +@@ -1056,6 +1056,7 @@ struct typec_partner *typec_register_partner(struct typec_port *port, + ret = device_register(&partner->dev); + if (ret) { + dev_err(&port->dev, "failed to register partner (%d)\n", ret); ++ mutex_unlock(&port->partner_link_lock); + put_device(&partner->dev); + return ERR_PTR(ret); + } +-- +2.49.0 + diff --git a/patches.suse/xhci-Add-helper-to-set-an-interrupters-interrupt-mod.patch b/patches.suse/xhci-Add-helper-to-set-an-interrupters-interrupt-mod.patch new file mode 100644 index 0000000..d997b9f --- /dev/null +++ b/patches.suse/xhci-Add-helper-to-set-an-interrupters-interrupt-mod.patch @@ -0,0 +1,82 @@ +From ace21625878f78708b75b7a872ec7a0e2ed15ca4 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Fri, 16 Feb 2024 16:09:28 -0800 +Subject: [PATCH] xhci: Add helper to set an interrupters interrupt moderation + interval +Git-commit: ace21625878f78708b75b7a872ec7a0e2ed15ca4 +References: git-fixes +Patch-mainline: v6.9-rc1 + +Add a helper to set the interrupt moderation interval for an interrupter. +Each interrupter can have its own moderation value. + +Hardware has a 16bit register for the moderation value, each step is 250ns. + +Helper function imod_interval argument is in nanoseconds. + +Values from 0 to 16383750 (250 x 0xffff) are accepted. +0 means no interrupt throttling. + +Signed-off-by: Mathias Nyman +Signed-off-by: Wesley Cheng +Link: https://lore.kernel.org/r/20240217001017.29969-3-quic_wcheng@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum + +--- + drivers/usb/host/xhci.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 0886829d53e5..b405b8236134 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -346,6 +346,23 @@ static int xhci_disable_interrupter(struct xhci_interrupter *ir) + return 0; + } + ++/* interrupt moderation interval imod_interval in nanoseconds */ ++static int xhci_set_interrupter_moderation(struct xhci_interrupter *ir, ++ u32 imod_interval) ++{ ++ u32 imod; ++ ++ if (!ir || !ir->ir_set || imod_interval > U16_MAX * 250) ++ return -EINVAL; ++ ++ imod = readl(&ir->ir_set->irq_control); ++ imod &= ~ER_IRQ_INTERVAL_MASK; ++ imod |= (imod_interval / 250) & ER_IRQ_INTERVAL_MASK; ++ writel(imod, &ir->ir_set->irq_control); ++ ++ return 0; ++} ++ + static void compliance_mode_recovery(struct timer_list *t) + { + struct xhci_hcd *xhci; +@@ -528,7 +545,6 @@ static int xhci_run_finished(struct xhci_hcd *xhci) + */ + int xhci_run(struct usb_hcd *hcd) + { +- u32 temp; + u64 temp_64; + int ret; + struct xhci_hcd *xhci = hcd_to_xhci(hcd); +@@ -551,12 +567,7 @@ int xhci_run(struct usb_hcd *hcd) + xhci_dbg_trace(xhci, trace_xhci_dbg_init, + "ERST deq = 64'h%0lx", (long unsigned int) temp_64); + +- xhci_dbg_trace(xhci, trace_xhci_dbg_init, +- "// Set the interrupt modulation register"); +- temp = readl(&ir->ir_set->irq_control); +- temp &= ~ER_IRQ_INTERVAL_MASK; +- temp |= (xhci->imod_interval / 250) & ER_IRQ_INTERVAL_MASK; +- writel(temp, &ir->ir_set->irq_control); ++ xhci_set_interrupter_moderation(ir, xhci->imod_interval); + + if (xhci->quirks & XHCI_NEC_HOST) { + struct xhci_command *command; +-- +2.49.0 + diff --git a/patches.suse/xhci-split-free-interrupter-into-separate-remove-and.patch b/patches.suse/xhci-split-free-interrupter-into-separate-remove-and.patch new file mode 100644 index 0000000..bed17c1 --- /dev/null +++ b/patches.suse/xhci-split-free-interrupter-into-separate-remove-and.patch @@ -0,0 +1,96 @@ +From 47f503cf5f799ec02e5f4b7c3b9afe145eca2aef Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Thu, 19 Oct 2023 13:29:21 +0300 +Subject: [PATCH] xhci: split free interrupter into separate remove and free + parts +Git-commit: 47f503cf5f799ec02e5f4b7c3b9afe145eca2aef +References: git-fixes +Patch-mainline: v6.7-rc1 + +The current function that both removes and frees an interrupter isn't +optimal when using several interrupters. The array of interrupters need +to be protected with a lock while removing interrupters, but the default +xhci spin lock can't be used while freeing the interrupters event ring +segment table as dma_free_coherent() should be called with IRQs enabled. + +There is no need to free the interrupter under the lock, so split this +code into separate unlocked free part, and a lock protected remove part. + +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20231019102924.2797346-17-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum + +--- + drivers/usb/host/xhci-mem.c | 32 +++++++++++++++++++++----------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index 4d0b1c0e61a8..62116586848b 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -1807,22 +1807,13 @@ static int xhci_alloc_erst(struct xhci_hcd *xhci, + } + + static void +-xhci_free_interrupter(struct xhci_hcd *xhci, struct xhci_interrupter *ir) ++xhci_remove_interrupter(struct xhci_hcd *xhci, struct xhci_interrupter *ir) + { +- struct device *dev = xhci_to_hcd(xhci)->self.sysdev; +- size_t erst_size; + u32 tmp; + + if (!ir) + return; + +- erst_size = sizeof(struct xhci_erst_entry) * ir->erst.num_entries; +- if (ir->erst.entries) +- dma_free_coherent(dev, erst_size, +- ir->erst.entries, +- ir->erst.erst_dma_addr); +- ir->erst.entries = NULL; +- + /* + * Clean out interrupter registers except ERSTBA. Clearing either the + * low or high 32 bits of ERSTBA immediately causes the controller to +@@ -1835,10 +1826,28 @@ xhci_free_interrupter(struct xhci_hcd *xhci, struct xhci_interrupter *ir) + + xhci_write_64(xhci, ERST_EHB, &ir->ir_set->erst_dequeue); + } ++} ++ ++static void ++xhci_free_interrupter(struct xhci_hcd *xhci, struct xhci_interrupter *ir) ++{ ++ struct device *dev = xhci_to_hcd(xhci)->self.sysdev; ++ size_t erst_size; ++ ++ if (!ir) ++ return; ++ ++ erst_size = sizeof(struct xhci_erst_entry) * ir->erst.num_entries; ++ if (ir->erst.entries) ++ dma_free_coherent(dev, erst_size, ++ ir->erst.entries, ++ ir->erst.erst_dma_addr); ++ ir->erst.entries = NULL; + +- /* free interrrupter event ring */ ++ /* free interrupter event ring */ + if (ir->event_ring) + xhci_ring_free(xhci, ir->event_ring); ++ + ir->event_ring = NULL; + + kfree(ir); +@@ -1851,6 +1860,7 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci) + + cancel_delayed_work_sync(&xhci->cmd_timer); + ++ xhci_remove_interrupter(xhci, xhci->interrupter); + xhci_free_interrupter(xhci, xhci->interrupter); + xhci->interrupter = NULL; + xhci_dbg_trace(xhci, trace_xhci_dbg_init, "Freed primary event ring"); +-- +2.49.0 + diff --git a/series.conf b/series.conf index 34c3812..2837f8d 100644 --- a/series.conf +++ b/series.conf @@ -17146,6 +17146,7 @@ patches.suse/xhci-Simplify-event-ring-dequeue-pointer-update-for-.patch patches.suse/xhci-Loosen-RPM-as-default-policy-to-cover-for-AMD-x.patch patches.suse/xhci-Enable-RPM-on-controllers-that-support-low-powe.patch + patches.suse/xhci-split-free-interrupter-into-separate-remove-and.patch patches.suse/usb-xhci-Implement-xhci_handshake_check_state-helper.patch patches.suse/usb-host-xhci-plat-fix-possible-kernel-oops-while-re.patch patches.suse/usb-host-xhci-Avoid-XHCI-resume-delay-if-SSUSB-devic.patch @@ -23566,6 +23567,7 @@ patches.suse/remoteproc-virtio-Fix-wdg-cannot-recovery-remote-pro.patch patches.suse/remoteproc-stm32-Fix-incorrect-type-assignment-retur.patch patches.suse/usb-audio-v2-Correct-comments-for-struct-uac_clock_s.patch + patches.suse/xhci-Add-helper-to-set-an-interrupters-interrupt-mod.patch patches.suse/xhci-remove-unnecessary-event_ring_deq-parameter-fro.patch patches.suse/xhci-update-event-ring-dequeue-pointer-position-to-c.patch patches.suse/xhci-add-helper-that-checks-for-unhandled-events-on-.patch @@ -31619,6 +31621,7 @@ patches.suse/misc-microchip-pci1xxxx-Fix-incorrect-IRQ-status-han.patch patches.suse/serial-msm-Configure-correct-working-mode-before-sta.patch patches.suse/serial-sifive-lock-port-in-startup-shutdown-callback.patch + patches.suse/usb-typec-class-Fix-NULL-pointer-access.patch patches.suse/usb-typec-class-Invalidate-USB-device-pointers-on-pa.patch patches.suse/usb-chipidea-ci_hdrc_imx-fix-call-balance-of-regulat.patch patches.suse/usb-chipidea-ci_hdrc_imx-implement-usb_phy_init-erro.patch @@ -31634,6 +31637,7 @@ patches.suse/USB-wdm-wdm_wwan_port_tx_complete-mutex-in-atomic-co.patch patches.suse/USB-wdm-add-annotation.patch patches.suse/usb-quirks-Add-delay-init-quirk-for-SanDisk-3.2Gen1-.patch + patches.suse/usb-typec-class-Unlocked-on-error-in-typec_register_.patch patches.suse/USB-serial-option-add-Sierra-Wireless-EM9291.patch patches.suse/USB-serial-ftdi_sio-add-support-for-Abacus-Electrics.patch patches.suse/USB-serial-simple-add-OWON-HDS200-series-oscilloscop.patch @@ -32452,6 +32456,7 @@ patches.kabi/kABI-sctp-transport-fix.patch patches.kabi/ax25-rcu-protect-dev-ax25_ptr.patch patches.kabi/kabi-perf-aux-Fix-AUX-buffer-serialization.patch + patches.kabi/struct-typec_port-move-nre-mutex-to-end.patch ######################################################## # SLE15-SP3 OOT performance patches evaluated but left