--- /dev/null
+From 2acf25f13ebe8beb40e97a1bbe76f36277c64f1e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sat, 1 Feb 2020 09:05:30 +0100
+Subject: ALSA: dummy: Fix PCM format loop in proc output
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 2acf25f13ebe8beb40e97a1bbe76f36277c64f1e upstream.
+
+The loop termination for iterating over all formats should contain
+SNDRV_PCM_FORMAT_LAST, not less than it.
+
+Fixes: 9b151fec139d ("ALSA: dummy - Add debug proc file")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200201080530.22390-3-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/drivers/dummy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/drivers/dummy.c
++++ b/sound/drivers/dummy.c
+@@ -925,7 +925,7 @@ static void print_formats(struct snd_dum
+ {
+ int i;
+
+- for (i = 0; i < SNDRV_PCM_FORMAT_LAST; i++) {
++ for (i = 0; i <= SNDRV_PCM_FORMAT_LAST; i++) {
+ if (dummy->pcm_hw.formats & (1ULL << i))
+ snd_iprintf(buffer, " %s", snd_pcm_format_name(i));
+ }
--- /dev/null
+From 4282dc057d750c6a7dd92953564b15c26b54c22c Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Sat, 14 Dec 2019 19:51:14 -0600
+Subject: brcmfmac: Fix memory leak in brcmf_usbdev_qinit
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit 4282dc057d750c6a7dd92953564b15c26b54c22c upstream.
+
+In the implementation of brcmf_usbdev_qinit() the allocated memory for
+reqs is leaking if usb_alloc_urb() fails. Release reqs in the error
+handling path.
+
+Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/brcm80211/brcmfmac/usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
+@@ -426,6 +426,7 @@ fail:
+ usb_free_urb(req->urb);
+ list_del(q->next);
+ }
++ kfree(reqs);
+ return NULL;
+
+ }
tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch
media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb-descriptors.patch
mfd-dln2-more-sanity-checking-for-endpoints.patch
+brcmfmac-fix-memory-leak-in-brcmf_usbdev_qinit.patch
+usb-gadget-legacy-set-max_speed-to-super-speed.patch
+usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch
+usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch
+alsa-dummy-fix-pcm-format-loop-in-proc-output.patch
--- /dev/null
+From d710562e01c48d59be3f60d58b7a85958b39aeda Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Date: Thu, 9 Jan 2020 13:17:22 +0000
+Subject: usb: gadget: f_ecm: Use atomic_t to track in-flight request
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+commit d710562e01c48d59be3f60d58b7a85958b39aeda upstream.
+
+Currently ecm->notify_req is used to flag when a request is in-flight.
+ecm->notify_req is set to NULL and when a request completes it is
+subsequently reset.
+
+This is fundamentally buggy in that the unbind logic of the ECM driver will
+unconditionally free ecm->notify_req leading to a NULL pointer dereference.
+
+Fixes: da741b8c56d6 ("usb ethernet gadget: split CDC Ethernet function")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_ecm.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_ecm.c
++++ b/drivers/usb/gadget/function/f_ecm.c
+@@ -56,6 +56,7 @@ struct f_ecm {
+ struct usb_ep *notify;
+ struct usb_request *notify_req;
+ u8 notify_state;
++ atomic_t notify_count;
+ bool is_open;
+
+ /* FIXME is_open needs some irq-ish locking
+@@ -384,7 +385,7 @@ static void ecm_do_notify(struct f_ecm *
+ int status;
+
+ /* notification already in flight? */
+- if (!req)
++ if (atomic_read(&ecm->notify_count))
+ return;
+
+ event = req->buf;
+@@ -424,10 +425,10 @@ static void ecm_do_notify(struct f_ecm *
+ event->bmRequestType = 0xA1;
+ event->wIndex = cpu_to_le16(ecm->ctrl_id);
+
+- ecm->notify_req = NULL;
++ atomic_inc(&ecm->notify_count);
+ status = usb_ep_queue(ecm->notify, req, GFP_ATOMIC);
+ if (status < 0) {
+- ecm->notify_req = req;
++ atomic_dec(&ecm->notify_count);
+ DBG(cdev, "notify --> %d\n", status);
+ }
+ }
+@@ -452,17 +453,19 @@ static void ecm_notify_complete(struct u
+ switch (req->status) {
+ case 0:
+ /* no fault */
++ atomic_dec(&ecm->notify_count);
+ break;
+ case -ECONNRESET:
+ case -ESHUTDOWN:
++ atomic_set(&ecm->notify_count, 0);
+ ecm->notify_state = ECM_NOTIFY_NONE;
+ break;
+ default:
+ DBG(cdev, "event %02x --> %d\n",
+ event->bNotificationType, req->status);
++ atomic_dec(&ecm->notify_count);
+ break;
+ }
+- ecm->notify_req = req;
+ ecm_do_notify(ecm);
+ }
+
+@@ -909,6 +912,11 @@ static void ecm_unbind(struct usb_config
+
+ usb_free_all_descriptors(f);
+
++ if (atomic_read(&ecm->notify_count)) {
++ usb_ep_dequeue(ecm->notify, ecm->notify_req);
++ atomic_set(&ecm->notify_count, 0);
++ }
++
+ kfree(ecm->notify_req->buf);
+ usb_ep_free_request(ecm->notify, ecm->notify_req);
+ }
--- /dev/null
+From 5b24c28cfe136597dc3913e1c00b119307a20c7e Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Date: Thu, 9 Jan 2020 13:17:21 +0000
+Subject: usb: gadget: f_ncm: Use atomic_t to track in-flight request
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+commit 5b24c28cfe136597dc3913e1c00b119307a20c7e upstream.
+
+Currently ncm->notify_req is used to flag when a request is in-flight.
+ncm->notify_req is set to NULL and when a request completes it is
+subsequently reset.
+
+This is fundamentally buggy in that the unbind logic of the NCM driver will
+unconditionally free ncm->notify_req leading to a NULL pointer dereference.
+
+Fixes: 40d133d7f542 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_ncm.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_ncm.c
++++ b/drivers/usb/gadget/function/f_ncm.c
+@@ -57,6 +57,7 @@ struct f_ncm {
+ struct usb_ep *notify;
+ struct usb_request *notify_req;
+ u8 notify_state;
++ atomic_t notify_count;
+ bool is_open;
+
+ const struct ndp_parser_opts *parser_opts;
+@@ -480,7 +481,7 @@ static void ncm_do_notify(struct f_ncm *
+ int status;
+
+ /* notification already in flight? */
+- if (!req)
++ if (atomic_read(&ncm->notify_count))
+ return;
+
+ event = req->buf;
+@@ -520,7 +521,8 @@ static void ncm_do_notify(struct f_ncm *
+ event->bmRequestType = 0xA1;
+ event->wIndex = cpu_to_le16(ncm->ctrl_id);
+
+- ncm->notify_req = NULL;
++ atomic_inc(&ncm->notify_count);
++
+ /*
+ * In double buffering if there is a space in FIFO,
+ * completion callback can be called right after the call,
+@@ -530,7 +532,7 @@ static void ncm_do_notify(struct f_ncm *
+ status = usb_ep_queue(ncm->notify, req, GFP_ATOMIC);
+ spin_lock(&ncm->lock);
+ if (status < 0) {
+- ncm->notify_req = req;
++ atomic_dec(&ncm->notify_count);
+ DBG(cdev, "notify --> %d\n", status);
+ }
+ }
+@@ -565,17 +567,19 @@ static void ncm_notify_complete(struct u
+ case 0:
+ VDBG(cdev, "Notification %02x sent\n",
+ event->bNotificationType);
++ atomic_dec(&ncm->notify_count);
+ break;
+ case -ECONNRESET:
+ case -ESHUTDOWN:
++ atomic_set(&ncm->notify_count, 0);
+ ncm->notify_state = NCM_NOTIFY_NONE;
+ break;
+ default:
+ DBG(cdev, "event %02x --> %d\n",
+ event->bNotificationType, req->status);
++ atomic_dec(&ncm->notify_count);
+ break;
+ }
+- ncm->notify_req = req;
+ ncm_do_notify(ncm);
+ spin_unlock(&ncm->lock);
+ }
+@@ -1559,6 +1563,11 @@ static void ncm_unbind(struct usb_config
+ ncm_string_defs[0].id = 0;
+ usb_free_all_descriptors(f);
+
++ if (atomic_read(&ncm->notify_count)) {
++ usb_ep_dequeue(ncm->notify, ncm->notify_req);
++ atomic_set(&ncm->notify_count, 0);
++ }
++
+ kfree(ncm->notify_req->buf);
+ usb_ep_free_request(ncm->notify, ncm->notify_req);
+ }
--- /dev/null
+From 463f67aec2837f981b0a0ce8617721ff59685c00 Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Mon, 23 Dec 2019 08:47:35 +0200
+Subject: usb: gadget: legacy: set max_speed to super-speed
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit 463f67aec2837f981b0a0ce8617721ff59685c00 upstream.
+
+These interfaces do support super-speed so let's not
+limit maximum speed to high-speed.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/legacy/cdc2.c | 2 +-
+ drivers/usb/gadget/legacy/g_ffs.c | 2 +-
+ drivers/usb/gadget/legacy/multi.c | 2 +-
+ drivers/usb/gadget/legacy/ncm.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/legacy/cdc2.c
++++ b/drivers/usb/gadget/legacy/cdc2.c
+@@ -229,7 +229,7 @@ static struct usb_composite_driver cdc_d
+ .name = "g_cdc",
+ .dev = &device_desc,
+ .strings = dev_strings,
+- .max_speed = USB_SPEED_HIGH,
++ .max_speed = USB_SPEED_SUPER,
+ .bind = cdc_bind,
+ .unbind = cdc_unbind,
+ };
+--- a/drivers/usb/gadget/legacy/g_ffs.c
++++ b/drivers/usb/gadget/legacy/g_ffs.c
+@@ -153,7 +153,7 @@ static struct usb_composite_driver gfs_d
+ .name = DRIVER_NAME,
+ .dev = &gfs_dev_desc,
+ .strings = gfs_dev_strings,
+- .max_speed = USB_SPEED_HIGH,
++ .max_speed = USB_SPEED_SUPER,
+ .bind = gfs_bind,
+ .unbind = gfs_unbind,
+ };
+--- a/drivers/usb/gadget/legacy/multi.c
++++ b/drivers/usb/gadget/legacy/multi.c
+@@ -486,7 +486,7 @@ static struct usb_composite_driver multi
+ .name = "g_multi",
+ .dev = &device_desc,
+ .strings = dev_strings,
+- .max_speed = USB_SPEED_HIGH,
++ .max_speed = USB_SPEED_SUPER,
+ .bind = multi_bind,
+ .unbind = multi_unbind,
+ .needs_serial = 1,
+--- a/drivers/usb/gadget/legacy/ncm.c
++++ b/drivers/usb/gadget/legacy/ncm.c
+@@ -203,7 +203,7 @@ static struct usb_composite_driver ncm_d
+ .name = "g_ncm",
+ .dev = &device_desc,
+ .strings = dev_strings,
+- .max_speed = USB_SPEED_HIGH,
++ .max_speed = USB_SPEED_SUPER,
+ .bind = gncm_bind,
+ .unbind = gncm_unbind,
+ };
projects / thirdparty / kernel / stable-queue.git / commitdiff
