]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 8 Feb 2021 10:26:42 +0000 (11:26 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 8 Feb 2021 10:26:42 +0000 (11:26 +0100)
added patches:
cifs-report-error-instead-of-invalid-when-revalidating-a-dentry-fails.patch
genirq-msi-activate-multi-msi-early-when-msi_flag_activate_early-is-set.patch
kretprobe-avoid-re-registration-of-the-same-kretprobe-earlier.patch
mac80211-fix-station-rate-table-updates-on-assoc.patch
ovl-fix-dentry-leak-in-ovl_get_redirect.patch
usb-dwc2-fix-endpoint-direction-check-in-ep_from_windex.patch
usb-dwc3-fix-clock-issue-during-resume-in-otg-mode.patch
usb-gadget-legacy-fix-an-error-code-in-eth_bind.patch
usb-renesas_usbhs-clear-pipe-running-flag-in-usbhs_pkt_pop.patch
usb-usblp-don-t-call-usb_set_interface-if-there-s-a-single-alt.patch
xhci-fix-bounce-buffer-usage-for-non-sg-list-case.patch

12 files changed:
queue-4.19/cifs-report-error-instead-of-invalid-when-revalidating-a-dentry-fails.patch [new file with mode: 0644]
queue-4.19/genirq-msi-activate-multi-msi-early-when-msi_flag_activate_early-is-set.patch [new file with mode: 0644]
queue-4.19/kretprobe-avoid-re-registration-of-the-same-kretprobe-earlier.patch [new file with mode: 0644]
queue-4.19/mac80211-fix-station-rate-table-updates-on-assoc.patch [new file with mode: 0644]
queue-4.19/ovl-fix-dentry-leak-in-ovl_get_redirect.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/usb-dwc2-fix-endpoint-direction-check-in-ep_from_windex.patch [new file with mode: 0644]
queue-4.19/usb-dwc3-fix-clock-issue-during-resume-in-otg-mode.patch [new file with mode: 0644]
queue-4.19/usb-gadget-legacy-fix-an-error-code-in-eth_bind.patch [new file with mode: 0644]
queue-4.19/usb-renesas_usbhs-clear-pipe-running-flag-in-usbhs_pkt_pop.patch [new file with mode: 0644]
queue-4.19/usb-usblp-don-t-call-usb_set_interface-if-there-s-a-single-alt.patch [new file with mode: 0644]
queue-4.19/xhci-fix-bounce-buffer-usage-for-non-sg-list-case.patch [new file with mode: 0644]

diff --git a/queue-4.19/cifs-report-error-instead-of-invalid-when-revalidating-a-dentry-fails.patch b/queue-4.19/cifs-report-error-instead-of-invalid-when-revalidating-a-dentry-fails.patch
new file mode 100644 (file)
index 0000000..898dc0a
--- /dev/null
@@ -0,0 +1,74 @@
+From 21b200d091826a83aafc95d847139b2b0582f6d1 Mon Sep 17 00:00:00 2001
+From: Aurelien Aptel <aaptel@suse.com>
+Date: Fri, 5 Feb 2021 15:42:48 +0100
+Subject: cifs: report error instead of invalid when revalidating a dentry fails
+
+From: Aurelien Aptel <aaptel@suse.com>
+
+commit 21b200d091826a83aafc95d847139b2b0582f6d1 upstream.
+
+Assuming
+- //HOST/a is mounted on /mnt
+- //HOST/b is mounted on /mnt/b
+
+On a slow connection, running 'df' and killing it while it's
+processing /mnt/b can make cifs_get_inode_info() returns -ERESTARTSYS.
+
+This triggers the following chain of events:
+=> the dentry revalidation fail
+=> dentry is put and released
+=> superblock associated with the dentry is put
+=> /mnt/b is unmounted
+
+This patch makes cifs_d_revalidate() return the error instead of 0
+(invalid) when cifs_revalidate_dentry() fails, except for ENOENT (file
+deleted) and ESTALE (file recreated).
+
+Signed-off-by: Aurelien Aptel <aaptel@suse.com>
+Suggested-by: Shyam Prasad N <nspmangalore@gmail.com>
+Reviewed-by: Shyam Prasad N <nspmangalore@gmail.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/dir.c |   22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -840,6 +840,7 @@ static int
+ cifs_d_revalidate(struct dentry *direntry, unsigned int flags)
+ {
+       struct inode *inode;
++      int rc;
+       if (flags & LOOKUP_RCU)
+               return -ECHILD;
+@@ -849,8 +850,25 @@ cifs_d_revalidate(struct dentry *direntr
+               if ((flags & LOOKUP_REVAL) && !CIFS_CACHE_READ(CIFS_I(inode)))
+                       CIFS_I(inode)->time = 0; /* force reval */
+-              if (cifs_revalidate_dentry(direntry))
+-                      return 0;
++              rc = cifs_revalidate_dentry(direntry);
++              if (rc) {
++                      cifs_dbg(FYI, "cifs_revalidate_dentry failed with rc=%d", rc);
++                      switch (rc) {
++                      case -ENOENT:
++                      case -ESTALE:
++                              /*
++                               * Those errors mean the dentry is invalid
++                               * (file was deleted or recreated)
++                               */
++                              return 0;
++                      default:
++                              /*
++                               * Otherwise some unexpected error happened
++                               * report it as-is to VFS layer
++                               */
++                              return rc;
++                      }
++              }
+               else {
+                       /*
+                        * If the inode wasn't known to be a dfs entry when
diff --git a/queue-4.19/genirq-msi-activate-multi-msi-early-when-msi_flag_activate_early-is-set.patch b/queue-4.19/genirq-msi-activate-multi-msi-early-when-msi_flag_activate_early-is-set.patch
new file mode 100644 (file)
index 0000000..3f58470
--- /dev/null
@@ -0,0 +1,123 @@
+From 4c457e8cb75eda91906a4f89fc39bde3f9a43922 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Sat, 23 Jan 2021 12:27:59 +0000
+Subject: genirq/msi: Activate Multi-MSI early when MSI_FLAG_ACTIVATE_EARLY is set
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 4c457e8cb75eda91906a4f89fc39bde3f9a43922 upstream.
+
+When MSI_FLAG_ACTIVATE_EARLY is set (which is the case for PCI),
+__msi_domain_alloc_irqs() performs the activation of the interrupt (which
+in the case of PCI results in the endpoint being programmed) as soon as the
+interrupt is allocated.
+
+But it appears that this is only done for the first vector, introducing an
+inconsistent behaviour for PCI Multi-MSI.
+
+Fix it by iterating over the number of vectors allocated to each MSI
+descriptor. This is easily achieved by introducing a new
+"for_each_msi_vector" iterator, together with a tiny bit of refactoring.
+
+Fixes: f3b0946d629c ("genirq/msi: Make sure PCI MSIs are activated early")
+Reported-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210123122759.1781359-1-maz@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/msi.h |    6 ++++++
+ kernel/irq/msi.c    |   44 ++++++++++++++++++++------------------------
+ 2 files changed, 26 insertions(+), 24 deletions(-)
+
+--- a/include/linux/msi.h
++++ b/include/linux/msi.h
+@@ -118,6 +118,12 @@ struct msi_desc {
+       list_for_each_entry((desc), dev_to_msi_list((dev)), list)
+ #define for_each_msi_entry_safe(desc, tmp, dev)       \
+       list_for_each_entry_safe((desc), (tmp), dev_to_msi_list((dev)), list)
++#define for_each_msi_vector(desc, __irq, dev)                         \
++      for_each_msi_entry((desc), (dev))                               \
++              if ((desc)->irq)                                        \
++                      for (__irq = (desc)->irq;                       \
++                           __irq < ((desc)->irq + (desc)->nvec_used); \
++                           __irq++)
+ #ifdef CONFIG_PCI_MSI
+ #define first_pci_msi_entry(pdev)     first_msi_entry(&(pdev)->dev)
+--- a/kernel/irq/msi.c
++++ b/kernel/irq/msi.c
+@@ -437,22 +437,22 @@ int msi_domain_alloc_irqs(struct irq_dom
+       can_reserve = msi_check_reservation_mode(domain, info, dev);
+-      for_each_msi_entry(desc, dev) {
+-              virq = desc->irq;
+-              if (desc->nvec_used == 1)
+-                      dev_dbg(dev, "irq %d for MSI\n", virq);
+-              else
++      /*
++       * This flag is set by the PCI layer as we need to activate
++       * the MSI entries before the PCI layer enables MSI in the
++       * card. Otherwise the card latches a random msi message.
++       */
++      if (!(info->flags & MSI_FLAG_ACTIVATE_EARLY))
++              goto skip_activate;
++
++      for_each_msi_vector(desc, i, dev) {
++              if (desc->irq == i) {
++                      virq = desc->irq;
+                       dev_dbg(dev, "irq [%d-%d] for MSI\n",
+                               virq, virq + desc->nvec_used - 1);
+-              /*
+-               * This flag is set by the PCI layer as we need to activate
+-               * the MSI entries before the PCI layer enables MSI in the
+-               * card. Otherwise the card latches a random msi message.
+-               */
+-              if (!(info->flags & MSI_FLAG_ACTIVATE_EARLY))
+-                      continue;
++              }
+-              irq_data = irq_domain_get_irq_data(domain, desc->irq);
++              irq_data = irq_domain_get_irq_data(domain, i);
+               if (!can_reserve) {
+                       irqd_clr_can_reserve(irq_data);
+                       if (domain->flags & IRQ_DOMAIN_MSI_NOMASK_QUIRK)
+@@ -463,28 +463,24 @@ int msi_domain_alloc_irqs(struct irq_dom
+                       goto cleanup;
+       }
++skip_activate:
+       /*
+        * If these interrupts use reservation mode, clear the activated bit
+        * so request_irq() will assign the final vector.
+        */
+       if (can_reserve) {
+-              for_each_msi_entry(desc, dev) {
+-                      irq_data = irq_domain_get_irq_data(domain, desc->irq);
++              for_each_msi_vector(desc, i, dev) {
++                      irq_data = irq_domain_get_irq_data(domain, i);
+                       irqd_clr_activated(irq_data);
+               }
+       }
+       return 0;
+ cleanup:
+-      for_each_msi_entry(desc, dev) {
+-              struct irq_data *irqd;
+-
+-              if (desc->irq == virq)
+-                      break;
+-
+-              irqd = irq_domain_get_irq_data(domain, desc->irq);
+-              if (irqd_is_activated(irqd))
+-                      irq_domain_deactivate_irq(irqd);
++      for_each_msi_vector(desc, i, dev) {
++              irq_data = irq_domain_get_irq_data(domain, i);
++              if (irqd_is_activated(irq_data))
++                      irq_domain_deactivate_irq(irq_data);
+       }
+       msi_domain_free_irqs(domain, dev);
+       return ret;
diff --git a/queue-4.19/kretprobe-avoid-re-registration-of-the-same-kretprobe-earlier.patch b/queue-4.19/kretprobe-avoid-re-registration-of-the-same-kretprobe-earlier.patch
new file mode 100644 (file)
index 0000000..43e5ea8
--- /dev/null
@@ -0,0 +1,52 @@
+From 0188b87899ffc4a1d36a0badbe77d56c92fd91dc Mon Sep 17 00:00:00 2001
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Date: Thu, 28 Jan 2021 20:44:27 +0800
+Subject: kretprobe: Avoid re-registration of the same kretprobe earlier
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+commit 0188b87899ffc4a1d36a0badbe77d56c92fd91dc upstream.
+
+Our system encountered a re-init error when re-registering same kretprobe,
+where the kretprobe_instance in rp->free_instances is illegally accessed
+after re-init.
+
+Implementation to avoid re-registration has been introduced for kprobe
+before, but lags for register_kretprobe(). We must check if kprobe has
+been re-registered before re-initializing kretprobe, otherwise it will
+destroy the data struct of kretprobe registered, which can lead to memory
+leak, system crash, also some unexpected behaviors.
+
+We use check_kprobe_rereg() to check if kprobe has been re-registered
+before running register_kretprobe()'s body, for giving a warning message
+and terminate registration process.
+
+Link: https://lkml.kernel.org/r/20210128124427.2031088-1-bobo.shaobowang@huawei.com
+
+Cc: stable@vger.kernel.org
+Fixes: 1f0ab40976460 ("kprobes: Prevent re-registration of the same kprobe")
+[ The above commit should have been done for kretprobes too ]
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Acked-by: Ananth N Mavinakayanahalli <ananth@linux.ibm.com>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Signed-off-by: Cheng Jian <cj.chengjian@huawei.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kprobes.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1945,6 +1945,10 @@ int register_kretprobe(struct kretprobe
+       if (!kprobe_on_func_entry(rp->kp.addr, rp->kp.symbol_name, rp->kp.offset))
+               return -EINVAL;
++      /* If only rp->kp.addr is specified, check reregistering kprobes */
++      if (rp->kp.addr && check_kprobe_rereg(&rp->kp))
++              return -EINVAL;
++
+       if (kretprobe_blacklist_size) {
+               addr = kprobe_addr(&rp->kp);
+               if (IS_ERR(addr))
diff --git a/queue-4.19/mac80211-fix-station-rate-table-updates-on-assoc.patch b/queue-4.19/mac80211-fix-station-rate-table-updates-on-assoc.patch
new file mode 100644 (file)
index 0000000..28c5275
--- /dev/null
@@ -0,0 +1,51 @@
+From 18fe0fae61252b5ae6e26553e2676b5fac555951 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Mon, 1 Feb 2021 09:33:24 +0100
+Subject: mac80211: fix station rate table updates on assoc
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 18fe0fae61252b5ae6e26553e2676b5fac555951 upstream.
+
+If the driver uses .sta_add, station entries are only uploaded after the sta
+is in assoc state. Fix early station rate table updates by deferring them
+until the sta has been uploaded.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20210201083324.3134-1-nbd@nbd.name
+[use rcu_access_pointer() instead since we won't dereference here]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/driver-ops.c |    5 ++++-
+ net/mac80211/rate.c       |    3 ++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/driver-ops.c
++++ b/net/mac80211/driver-ops.c
+@@ -128,8 +128,11 @@ int drv_sta_state(struct ieee80211_local
+       } else if (old_state == IEEE80211_STA_AUTH &&
+                  new_state == IEEE80211_STA_ASSOC) {
+               ret = drv_sta_add(local, sdata, &sta->sta);
+-              if (ret == 0)
++              if (ret == 0) {
+                       sta->uploaded = true;
++                      if (rcu_access_pointer(sta->sta.rates))
++                              drv_sta_rate_tbl_update(local, sdata, &sta->sta);
++              }
+       } else if (old_state == IEEE80211_STA_ASSOC &&
+                  new_state == IEEE80211_STA_AUTH) {
+               drv_sta_remove(local, sdata, &sta->sta);
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -941,7 +941,8 @@ int rate_control_set_rates(struct ieee80
+       if (old)
+               kfree_rcu(old, rcu_head);
+-      drv_sta_rate_tbl_update(hw_to_local(hw), sta->sdata, pubsta);
++      if (sta->uploaded)
++              drv_sta_rate_tbl_update(hw_to_local(hw), sta->sdata, pubsta);
+       ieee80211_sta_set_expected_throughput(pubsta, sta_get_expected_throughput(sta));
diff --git a/queue-4.19/ovl-fix-dentry-leak-in-ovl_get_redirect.patch b/queue-4.19/ovl-fix-dentry-leak-in-ovl_get_redirect.patch
new file mode 100644 (file)
index 0000000..d120eab
--- /dev/null
@@ -0,0 +1,91 @@
+From e04527fefba6e4e66492f122cf8cc6314f3cf3bf Mon Sep 17 00:00:00 2001
+From: Liangyan <liangyan.peng@linux.alibaba.com>
+Date: Tue, 22 Dec 2020 11:06:26 +0800
+Subject: ovl: fix dentry leak in ovl_get_redirect
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Liangyan <liangyan.peng@linux.alibaba.com>
+
+commit e04527fefba6e4e66492f122cf8cc6314f3cf3bf upstream.
+
+We need to lock d_parent->d_lock before dget_dlock, or this may
+have d_lockref updated parallelly like calltrace below which will
+cause dentry->d_lockref leak and risk a crash.
+
+     CPU 0                                CPU 1
+ovl_set_redirect                       lookup_fast
+  ovl_get_redirect                       __d_lookup
+    dget_dlock
+      //no lock protection here            spin_lock(&dentry->d_lock)
+      dentry->d_lockref.count++            dentry->d_lockref.count++
+
+[   49.799059] PGD 800000061fed7067 P4D 800000061fed7067 PUD 61fec5067 PMD 0
+[   49.799689] Oops: 0002 [#1] SMP PTI
+[   49.800019] CPU: 2 PID: 2332 Comm: node Not tainted 4.19.24-7.20.al7.x86_64 #1
+[   49.800678] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8a46cfe 04/01/2014
+[   49.801380] RIP: 0010:_raw_spin_lock+0xc/0x20
+[   49.803470] RSP: 0018:ffffac6fc5417e98 EFLAGS: 00010246
+[   49.803949] RAX: 0000000000000000 RBX: ffff93b8da3446c0 RCX: 0000000a00000000
+[   49.804600] RDX: 0000000000000001 RSI: 000000000000000a RDI: 0000000000000088
+[   49.805252] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff993cf040
+[   49.805898] R10: ffff93b92292e580 R11: ffffd27f188a4b80 R12: 0000000000000000
+[   49.806548] R13: 00000000ffffff9c R14: 00000000fffffffe R15: ffff93b8da3446c0
+[   49.807200] FS:  00007ffbedffb700(0000) GS:ffff93b927880000(0000) knlGS:0000000000000000
+[   49.807935] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   49.808461] CR2: 0000000000000088 CR3: 00000005e3f74006 CR4: 00000000003606a0
+[   49.809113] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[   49.809758] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[   49.810410] Call Trace:
+[   49.810653]  d_delete+0x2c/0xb0
+[   49.810951]  vfs_rmdir+0xfd/0x120
+[   49.811264]  do_rmdir+0x14f/0x1a0
+[   49.811573]  do_syscall_64+0x5b/0x190
+[   49.811917]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[   49.812385] RIP: 0033:0x7ffbf505ffd7
+[   49.814404] RSP: 002b:00007ffbedffada8 EFLAGS: 00000297 ORIG_RAX: 0000000000000054
+[   49.815098] RAX: ffffffffffffffda RBX: 00007ffbedffb640 RCX: 00007ffbf505ffd7
+[   49.815744] RDX: 0000000004449700 RSI: 0000000000000000 RDI: 0000000006c8cd50
+[   49.816394] RBP: 00007ffbedffaea0 R08: 0000000000000000 R09: 0000000000017d0b
+[   49.817038] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000012
+[   49.817687] R13: 00000000072823d8 R14: 00007ffbedffb700 R15: 00000000072823d8
+[   49.818338] Modules linked in: pvpanic cirrusfb button qemu_fw_cfg atkbd libps2 i8042
+[   49.819052] CR2: 0000000000000088
+[   49.819368] ---[ end trace 4e652b8aa299aa2d ]---
+[   49.819796] RIP: 0010:_raw_spin_lock+0xc/0x20
+[   49.821880] RSP: 0018:ffffac6fc5417e98 EFLAGS: 00010246
+[   49.822363] RAX: 0000000000000000 RBX: ffff93b8da3446c0 RCX: 0000000a00000000
+[   49.823008] RDX: 0000000000000001 RSI: 000000000000000a RDI: 0000000000000088
+[   49.823658] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff993cf040
+[   49.825404] R10: ffff93b92292e580 R11: ffffd27f188a4b80 R12: 0000000000000000
+[   49.827147] R13: 00000000ffffff9c R14: 00000000fffffffe R15: ffff93b8da3446c0
+[   49.828890] FS:  00007ffbedffb700(0000) GS:ffff93b927880000(0000) knlGS:0000000000000000
+[   49.830725] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   49.832359] CR2: 0000000000000088 CR3: 00000005e3f74006 CR4: 00000000003606a0
+[   49.834085] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[   49.835792] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Cc: <stable@vger.kernel.org>
+Fixes: a6c606551141 ("ovl: redirect on rename-dir")
+Signed-off-by: Liangyan <liangyan.peng@linux.alibaba.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/dir.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -946,8 +946,8 @@ static char *ovl_get_redirect(struct den
+               buflen -= thislen;
+               memcpy(&buf[buflen], name, thislen);
+-              tmp = dget_dlock(d->d_parent);
+               spin_unlock(&d->d_lock);
++              tmp = dget_parent(d);
+               dput(d);
+               d = tmp;
index 4ecd8fe072f32fecd07df75b17ae677fbec9a75b..fed9875e0633d18d31be6ca9cf860dbeaed9518a 100644 (file)
@@ -8,3 +8,14 @@ arm64-dts-ls1046a-fix-dcfg-address-range.patch
 net-lapb-copy-the-skb-before-sending-a-packet.patch
 net-mvpp2-tcam-entry-enable-should-be-written-after-.patch
 memblock-do-not-start-bottom-up-allocations-with-ker.patch
+usb-gadget-legacy-fix-an-error-code-in-eth_bind.patch
+usb-usblp-don-t-call-usb_set_interface-if-there-s-a-single-alt.patch
+usb-renesas_usbhs-clear-pipe-running-flag-in-usbhs_pkt_pop.patch
+usb-dwc2-fix-endpoint-direction-check-in-ep_from_windex.patch
+usb-dwc3-fix-clock-issue-during-resume-in-otg-mode.patch
+ovl-fix-dentry-leak-in-ovl_get_redirect.patch
+mac80211-fix-station-rate-table-updates-on-assoc.patch
+kretprobe-avoid-re-registration-of-the-same-kretprobe-earlier.patch
+genirq-msi-activate-multi-msi-early-when-msi_flag_activate_early-is-set.patch
+xhci-fix-bounce-buffer-usage-for-non-sg-list-case.patch
+cifs-report-error-instead-of-invalid-when-revalidating-a-dentry-fails.patch
diff --git a/queue-4.19/usb-dwc2-fix-endpoint-direction-check-in-ep_from_windex.patch b/queue-4.19/usb-dwc2-fix-endpoint-direction-check-in-ep_from_windex.patch
new file mode 100644 (file)
index 0000000..38ab054
--- /dev/null
@@ -0,0 +1,74 @@
+From f670e9f9c8cac716c3506c6bac9e997b27ad441a Mon Sep 17 00:00:00 2001
+From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
+Date: Wed, 27 Jan 2021 11:39:19 +0100
+Subject: usb: dwc2: Fix endpoint direction check in ep_from_windex
+
+From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
+
+commit f670e9f9c8cac716c3506c6bac9e997b27ad441a upstream.
+
+dwc2_hsotg_process_req_status uses ep_from_windex() to retrieve
+the endpoint for the index provided in the wIndex request param.
+
+In a test-case with a rndis gadget running and sending a malformed
+packet to it like:
+    dev.ctrl_transfer(
+        0x82,      # bmRequestType
+        0x00,       # bRequest
+        0x0000,     # wValue
+        0x0001,     # wIndex
+        0x00       # wLength
+    )
+it is possible to cause a crash:
+
+[  217.533022] dwc2 ff300000.usb: dwc2_hsotg_process_req_status: USB_REQ_GET_STATUS
+[  217.559003] Unable to handle kernel read from unreadable memory at virtual address 0000000000000088
+...
+[  218.313189] Call trace:
+[  218.330217]  ep_from_windex+0x3c/0x54
+[  218.348565]  usb_gadget_giveback_request+0x10/0x20
+[  218.368056]  dwc2_hsotg_complete_request+0x144/0x184
+
+This happens because ep_from_windex wants to compare the endpoint
+direction even if index_to_ep() didn't return an endpoint due to
+the direction not matching.
+
+The fix is easy insofar that the actual direction check is already
+happening when calling index_to_ep() which will return NULL if there
+is no endpoint for the targeted direction, so the offending check
+can go away completely.
+
+Fixes: c6f5c050e2a7 ("usb: dwc2: gadget: add bi-directional endpoint support")
+Cc: stable@vger.kernel.org
+Reported-by: Gerhard Klostermeier <gerhard.klostermeier@syss.de>
+Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
+Link: https://lore.kernel.org/r/20210127103919.58215-1-heiko@sntech.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/gadget.c |    8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/usb/dwc2/gadget.c
++++ b/drivers/usb/dwc2/gadget.c
+@@ -1453,7 +1453,6 @@ static void dwc2_hsotg_complete_oursetup
+ static struct dwc2_hsotg_ep *ep_from_windex(struct dwc2_hsotg *hsotg,
+                                           u32 windex)
+ {
+-      struct dwc2_hsotg_ep *ep;
+       int dir = (windex & USB_DIR_IN) ? 1 : 0;
+       int idx = windex & 0x7F;
+@@ -1463,12 +1462,7 @@ static struct dwc2_hsotg_ep *ep_from_win
+       if (idx > hsotg->num_of_eps)
+               return NULL;
+-      ep = index_to_ep(hsotg, idx, dir);
+-
+-      if (idx && ep->dir_in != dir)
+-              return NULL;
+-
+-      return ep;
++      return index_to_ep(hsotg, idx, dir);
+ }
+ /**
diff --git a/queue-4.19/usb-dwc3-fix-clock-issue-during-resume-in-otg-mode.patch b/queue-4.19/usb-dwc3-fix-clock-issue-during-resume-in-otg-mode.patch
new file mode 100644 (file)
index 0000000..7f058a4
--- /dev/null
@@ -0,0 +1,41 @@
+From 0e5a3c8284a30f4c43fd81d7285528ece74563b5 Mon Sep 17 00:00:00 2001
+From: Gary Bisson <gary.bisson@boundarydevices.com>
+Date: Mon, 25 Jan 2021 17:19:34 +0100
+Subject: usb: dwc3: fix clock issue during resume in OTG mode
+
+From: Gary Bisson <gary.bisson@boundarydevices.com>
+
+commit 0e5a3c8284a30f4c43fd81d7285528ece74563b5 upstream.
+
+Commit fe8abf332b8f ("usb: dwc3: support clocks and resets for DWC3
+core") introduced clock support and a new function named
+dwc3_core_init_for_resume() which enables the clock before calling
+dwc3_core_init() during resume as clocks get disabled during suspend.
+
+Unfortunately in this commit the DWC3_GCTL_PRTCAP_OTG case was forgotten
+and therefore during resume, a platform could call dwc3_core_init()
+without re-enabling the clocks first, preventing to resume properly.
+
+So update the resume path to call dwc3_core_init_for_resume() as it
+should.
+
+Fixes: fe8abf332b8f ("usb: dwc3: support clocks and resets for DWC3 core")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
+Link: https://lore.kernel.org/r/20210125161934.527820-1-gary.bisson@boundarydevices.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1700,7 +1700,7 @@ static int dwc3_resume_common(struct dwc
+               if (PMSG_IS_AUTO(msg))
+                       break;
+-              ret = dwc3_core_init(dwc);
++              ret = dwc3_core_init_for_resume(dwc);
+               if (ret)
+                       return ret;
diff --git a/queue-4.19/usb-gadget-legacy-fix-an-error-code-in-eth_bind.patch b/queue-4.19/usb-gadget-legacy-fix-an-error-code-in-eth_bind.patch
new file mode 100644 (file)
index 0000000..b17f71a
--- /dev/null
@@ -0,0 +1,35 @@
+From 3e1f4a2e1184ae6ad7f4caf682ced9554141a0f4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 28 Jan 2021 12:33:42 +0300
+Subject: USB: gadget: legacy: fix an error code in eth_bind()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 3e1f4a2e1184ae6ad7f4caf682ced9554141a0f4 upstream.
+
+This code should return -ENOMEM if the allocation fails but it currently
+returns success.
+
+Fixes: 9b95236eebdb ("usb: gadget: ether: allocate and init otg descriptor by otg capabilities")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YBKE9rqVuJEOUWpW@mwanda
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/legacy/ether.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/legacy/ether.c
++++ b/drivers/usb/gadget/legacy/ether.c
+@@ -403,8 +403,10 @@ static int eth_bind(struct usb_composite
+               struct usb_descriptor_header *usb_desc;
+               usb_desc = usb_otg_descriptor_alloc(gadget);
+-              if (!usb_desc)
++              if (!usb_desc) {
++                      status = -ENOMEM;
+                       goto fail1;
++              }
+               usb_otg_descriptor_init(gadget, usb_desc);
+               otg_desc[0] = usb_desc;
+               otg_desc[1] = NULL;
diff --git a/queue-4.19/usb-renesas_usbhs-clear-pipe-running-flag-in-usbhs_pkt_pop.patch b/queue-4.19/usb-renesas_usbhs-clear-pipe-running-flag-in-usbhs_pkt_pop.patch
new file mode 100644 (file)
index 0000000..92aa805
--- /dev/null
@@ -0,0 +1,33 @@
+From 9917f0e3cdba7b9f1a23f70e3f70b1a106be54a8 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Mon, 1 Feb 2021 21:47:20 +0900
+Subject: usb: renesas_usbhs: Clear pipe running flag in usbhs_pkt_pop()
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 9917f0e3cdba7b9f1a23f70e3f70b1a106be54a8 upstream.
+
+Should clear the pipe running flag in usbhs_pkt_pop(). Otherwise,
+we cannot use this pipe after dequeue was called while the pipe was
+running.
+
+Fixes: 8355b2b3082d ("usb: renesas_usbhs: fix the behavior of some usbhs_pkt_handle")
+Reported-by: Tho Vu <tho.vu.wh@renesas.com>
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://lore.kernel.org/r/1612183640-8898-1-git-send-email-yoshihiro.shimoda.uh@renesas.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/renesas_usbhs/fifo.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -126,6 +126,7 @@ struct usbhs_pkt *usbhs_pkt_pop(struct u
+               }
+               usbhs_pipe_clear_without_sequence(pipe, 0, 0);
++              usbhs_pipe_running(pipe, 0);
+               __usbhsf_pkt_del(pkt);
+       }
diff --git a/queue-4.19/usb-usblp-don-t-call-usb_set_interface-if-there-s-a-single-alt.patch b/queue-4.19/usb-usblp-don-t-call-usb_set_interface-if-there-s-a-single-alt.patch
new file mode 100644 (file)
index 0000000..96bef7e
--- /dev/null
@@ -0,0 +1,51 @@
+From d8c6edfa3f4ee0d45d7ce5ef18d1245b78774b9d Mon Sep 17 00:00:00 2001
+From: Jeremy Figgins <kernel@jeremyfiggins.com>
+Date: Sat, 23 Jan 2021 18:21:36 -0600
+Subject: USB: usblp: don't call usb_set_interface if there's a single alt
+
+From: Jeremy Figgins <kernel@jeremyfiggins.com>
+
+commit d8c6edfa3f4ee0d45d7ce5ef18d1245b78774b9d upstream.
+
+Some devices, such as the Winbond Electronics Corp. Virtual Com Port
+(Vendor=0416, ProdId=5011), lockup when usb_set_interface() or
+usb_clear_halt() are called. This device has only a single
+altsetting, so it should not be necessary to call usb_set_interface().
+
+Acked-by: Pete Zaitcev <zaitcev@redhat.com>
+Signed-off-by: Jeremy Figgins <kernel@jeremyfiggins.com>
+Link: https://lore.kernel.org/r/YAy9kJhM/rG8EQXC@watson
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usblp.c |   19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/class/usblp.c
++++ b/drivers/usb/class/usblp.c
+@@ -1327,14 +1327,17 @@ static int usblp_set_protocol(struct usb
+       if (protocol < USBLP_FIRST_PROTOCOL || protocol > USBLP_LAST_PROTOCOL)
+               return -EINVAL;
+-      alts = usblp->protocol[protocol].alt_setting;
+-      if (alts < 0)
+-              return -EINVAL;
+-      r = usb_set_interface(usblp->dev, usblp->ifnum, alts);
+-      if (r < 0) {
+-              printk(KERN_ERR "usblp: can't set desired altsetting %d on interface %d\n",
+-                      alts, usblp->ifnum);
+-              return r;
++      /* Don't unnecessarily set the interface if there's a single alt. */
++      if (usblp->intf->num_altsetting > 1) {
++              alts = usblp->protocol[protocol].alt_setting;
++              if (alts < 0)
++                      return -EINVAL;
++              r = usb_set_interface(usblp->dev, usblp->ifnum, alts);
++              if (r < 0) {
++                      printk(KERN_ERR "usblp: can't set desired altsetting %d on interface %d\n",
++                              alts, usblp->ifnum);
++                      return r;
++              }
+       }
+       usblp->bidir = (usblp->protocol[protocol].epread != NULL);
diff --git a/queue-4.19/xhci-fix-bounce-buffer-usage-for-non-sg-list-case.patch b/queue-4.19/xhci-fix-bounce-buffer-usage-for-non-sg-list-case.patch
new file mode 100644 (file)
index 0000000..3ede33d
--- /dev/null
@@ -0,0 +1,82 @@
+From d4a610635400ccc382792f6be69427078541c678 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Wed, 3 Feb 2021 13:37:02 +0200
+Subject: xhci: fix bounce buffer usage for non-sg list case
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit d4a610635400ccc382792f6be69427078541c678 upstream.
+
+xhci driver may in some special cases need to copy small amounts
+of payload data to a bounce buffer in order to meet the boundary
+and alignment restrictions set by the xHCI specification.
+
+In the majority of these cases the data is in a sg list, and
+driver incorrectly assumed data is always in urb->sg when using
+the bounce buffer.
+
+If data instead is contiguous, and in urb->transfer_buffer, we may still
+need to bounce buffer a small part if data starts very close (less than
+packet size) to a 64k boundary.
+
+Check if sg list is used before copying data to/from it.
+
+Fixes: f9c589e142d0 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer")
+Cc: stable@vger.kernel.org
+Reported-by: Andreas Hartmann <andihartmann@01019freenet.de>
+Tested-by: Andreas Hartmann <andihartmann@01019freenet.de>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210203113702.436762-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-ring.c |   31 ++++++++++++++++++++-----------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -670,11 +670,16 @@ static void xhci_unmap_td_bounce_buffer(
+       dma_unmap_single(dev, seg->bounce_dma, ring->bounce_buf_len,
+                        DMA_FROM_DEVICE);
+       /* for in tranfers we need to copy the data from bounce to sg */
+-      len = sg_pcopy_from_buffer(urb->sg, urb->num_sgs, seg->bounce_buf,
+-                           seg->bounce_len, seg->bounce_offs);
+-      if (len != seg->bounce_len)
+-              xhci_warn(xhci, "WARN Wrong bounce buffer read length: %zu != %d\n",
+-                              len, seg->bounce_len);
++      if (urb->num_sgs) {
++              len = sg_pcopy_from_buffer(urb->sg, urb->num_sgs, seg->bounce_buf,
++                                         seg->bounce_len, seg->bounce_offs);
++              if (len != seg->bounce_len)
++                      xhci_warn(xhci, "WARN Wrong bounce buffer read length: %zu != %d\n",
++                                len, seg->bounce_len);
++      } else {
++              memcpy(urb->transfer_buffer + seg->bounce_offs, seg->bounce_buf,
++                     seg->bounce_len);
++      }
+       seg->bounce_len = 0;
+       seg->bounce_offs = 0;
+ }
+@@ -3180,12 +3185,16 @@ static int xhci_align_td(struct xhci_hcd
+       /* create a max max_pkt sized bounce buffer pointed to by last trb */
+       if (usb_urb_dir_out(urb)) {
+-              len = sg_pcopy_to_buffer(urb->sg, urb->num_sgs,
+-                                 seg->bounce_buf, new_buff_len, enqd_len);
+-              if (len != new_buff_len)
+-                      xhci_warn(xhci,
+-                              "WARN Wrong bounce buffer write length: %zu != %d\n",
+-                              len, new_buff_len);
++              if (urb->num_sgs) {
++                      len = sg_pcopy_to_buffer(urb->sg, urb->num_sgs,
++                                               seg->bounce_buf, new_buff_len, enqd_len);
++                      if (len != new_buff_len)
++                              xhci_warn(xhci, "WARN Wrong bounce buffer write length: %zu != %d\n",
++                                        len, new_buff_len);
++              } else {
++                      memcpy(seg->bounce_buf, urb->transfer_buffer + enqd_len, new_buff_len);
++              }
++
+               seg->bounce_dma = dma_map_single(dev, seg->bounce_buf,
+                                                max_pkt, DMA_TO_DEVICE);
+       } else {