--- /dev/null
+From 4d8654e81db7346f915eca9f1aff18f385cab621 Mon Sep 17 00:00:00 2001
+From: Yorick de Wid <ydewid@gmail.com>
+Date: Sat, 13 Feb 2021 15:49:02 +0100
+Subject: Goodix Fingerprint device is not a modem
+
+From: Yorick de Wid <ydewid@gmail.com>
+
+commit 4d8654e81db7346f915eca9f1aff18f385cab621 upstream.
+
+The CDC ACM driver is false matching the Goodix Fingerprint device
+against the USB_CDC_ACM_PROTO_AT_V25TER.
+
+The Goodix Fingerprint device is a biometrics sensor that should be
+handled in user-space. libfprint has some support for Goodix
+fingerprint sensors, although not for this particular one. It is
+possible that the vendor allocates a PID per OEM (Lenovo, Dell etc).
+If this happens to be the case then more devices from the same vendor
+could potentially match the ACM modem module table.
+
+Signed-off-by: Yorick de Wid <ydewid@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210213144901.53199-1-ydewid@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1986,6 +1986,11 @@ static const struct usb_device_id acm_id
+ .driver_info = SEND_ZERO_PACKET,
+ },
+
++ /* Exclude Goodix Fingerprint Reader */
++ { USB_DEVICE(0x27c6, 0x5395),
++ .driver_info = IGNORE_DEVICE,
++ },
++
+ /* control interfaces without any protocol set */
+ { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
+ USB_CDC_PROTO_NONE) },
s390-dasd-fix-hanging-dasd-driver-unbind.patch
s390-dasd-fix-hanging-io-request-during-dasd-driver-unbind.patch
mmc-core-fix-partition-switch-time-for-emmc.patch
+goodix-fingerprint-device-is-not-a-modem.patch
+usb-gadget-u_ether-fix-a-configfs-return-code.patch
+usb-gadget-f_uac2-always-increase-endpoint-max_packet_size-by-one-audio-slot.patch
+usb-gadget-f_uac1-stop-playback-on-function-disable.patch
+usb-renesas_usbhs-clear-pipecfg-for-re-enabling-pipe-with-other-epnum.patch
+xhci-improve-detection-of-device-initiated-wake-signal.patch
+usb-xhci-fix-asmedia-asm1042a-and-asm3242-dma-addressing.patch
+usb-serial-io_edgeport-fix-memory-leak-in-edge_startup.patch
+usb-serial-ch341-add-new-product-id.patch
+usb-serial-cp210x-add-id-for-acuity-brands-nlight-air-adapter.patch
+usb-serial-cp210x-add-some-more-ge-usb-ids.patch
+usbip-fix-stub_dev-to-check-for-stream-socket.patch
+usbip-fix-vhci_hcd-to-check-for-stream-socket.patch
+usbip-fix-vudc-to-check-for-stream-socket.patch
+usbip-fix-stub_dev-usbip_sockfd_store-races-leading-to-gpf.patch
+usbip-fix-vhci_hcd-attach_store-races-leading-to-gpf.patch
--- /dev/null
+From cc2ac63d4cf72104e0e7f58bb846121f0f51bb19 Mon Sep 17 00:00:00 2001
+From: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+Date: Mon, 1 Mar 2021 13:49:32 +0200
+Subject: usb: gadget: f_uac1: stop playback on function disable
+
+From: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+
+commit cc2ac63d4cf72104e0e7f58bb846121f0f51bb19 upstream.
+
+There is missing playback stop/cleanup in case of
+gadget's ->disable callback that happens on
+events like USB host resetting or gadget disconnection
+
+Fixes: 0591bc236015 ("usb: gadget: add f_uac1 variant based on a new u_audio api")
+Cc: <stable@vger.kernel.org> # 4.13+
+Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+Link: https://lore.kernel.org/r/1614599375-8803-3-git-send-email-ruslan.bilovol@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_uac1.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/function/f_uac1.c
++++ b/drivers/usb/gadget/function/f_uac1.c
+@@ -503,6 +503,7 @@ static void f_audio_disable(struct usb_f
+ uac1->as_out_alt = 0;
+ uac1->as_in_alt = 0;
+
++ u_audio_stop_playback(&uac1->g_audio);
+ u_audio_stop_capture(&uac1->g_audio);
+ }
+
--- /dev/null
+From 789ea77310f0200c84002884ffd628e2baf3ad8a Mon Sep 17 00:00:00 2001
+From: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+Date: Mon, 1 Mar 2021 13:49:31 +0200
+Subject: usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot
+
+From: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+
+commit 789ea77310f0200c84002884ffd628e2baf3ad8a upstream.
+
+As per UAC2 Audio Data Formats spec (2.3.1.1 USB Packets),
+if the sampling rate is a constant, the allowable variation
+of number of audio slots per virtual frame is +/- 1 audio slot.
+
+It means that endpoint should be able to accept/send +1 audio
+slot.
+
+Previous endpoint max_packet_size calculation code
+was adding sometimes +1 audio slot due to DIV_ROUND_UP
+behaviour which was rounding up to closest integer.
+However this doesn't work if the numbers are divisible.
+
+It had no any impact with Linux hosts which ignore
+this issue, but in case of more strict Windows it
+caused rejected enumeration
+
+Thus always add +1 audio slot to endpoint's max packet size
+
+Fixes: 913e4a90b6f9 ("usb: gadget: f_uac2: finalize wMaxPacketSize according to bandwidth")
+Cc: Peter Chen <peter.chen@freescale.com>
+Cc: <stable@vger.kernel.org> #v4.3+
+Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+Link: https://lore.kernel.org/r/1614599375-8803-2-git-send-email-ruslan.bilovol@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_uac2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -486,7 +486,7 @@ static int set_ep_max_packet_size(const
+ }
+
+ max_size_bw = num_channels(chmask) * ssize *
+- DIV_ROUND_UP(srate, factor / (1 << (ep_desc->bInterval - 1)));
++ ((srate / (factor / (1 << (ep_desc->bInterval - 1)))) + 1);
+ ep_desc->wMaxPacketSize = cpu_to_le16(min_t(u16, max_size_bw,
+ max_size_ep));
+
--- /dev/null
+From 650bf52208d804ad5ee449c58102f8dc43175573 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 15 Feb 2021 15:57:16 +0000
+Subject: USB: gadget: u_ether: Fix a configfs return code
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 650bf52208d804ad5ee449c58102f8dc43175573 upstream.
+
+If the string is invalid, this should return -EINVAL instead of 0.
+
+Fixes: 73517cf49bd4 ("usb: gadget: add RNDIS configfs options for class/subclass/protocol")
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YCqZ3P53yyIg5cn7@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/u_ether_configfs.h | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_ether_configfs.h
++++ b/drivers/usb/gadget/function/u_ether_configfs.h
+@@ -172,12 +172,11 @@ out: \
+ size_t len) \
+ { \
+ struct f_##_f_##_opts *opts = to_f_##_f_##_opts(item); \
+- int ret; \
++ int ret = -EINVAL; \
+ u8 val; \
+ \
+ mutex_lock(&opts->lock); \
+- ret = sscanf(page, "%02hhx", &val); \
+- if (ret > 0) { \
++ if (sscanf(page, "%02hhx", &val) > 0) { \
+ opts->_n_ = val; \
+ ret = len; \
+ } \
--- /dev/null
+From b1d25e6ee57c2605845595b6c61340d734253eb3 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Mon, 8 Mar 2021 10:55:38 +0900
+Subject: usb: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit b1d25e6ee57c2605845595b6c61340d734253eb3 upstream.
+
+According to the datasheet, this controller has a restriction
+which "set an endpoint number so that combinations of the DIR bit and
+the EPNUM bits do not overlap.". However, since the udc core driver is
+possible to assign a bulk pipe as an interrupt endpoint, an endpoint
+number may not match the pipe number. After that, when user rebinds
+another gadget driver, this driver broke the restriction because
+the driver didn't clear any configuration in usb_ep_disable().
+
+Example:
+ # modprobe g_ncm
+ Then, EP3 = pipe 3, EP4 = pipe 4, EP5 = pipe 6
+ # rmmod g_ncm
+ # modprobe g_hid
+ Then, EP3 = pipe 6, EP4 = pipe 7.
+ So, pipe 3 and pipe 6 are set as EP3.
+
+So, clear PIPECFG register in usbhs_pipe_free().
+
+Fixes: dfb87b8bfe09 ("usb: renesas_usbhs: gadget: fix re-enabling pipe without re-connecting")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://lore.kernel.org/r/1615168538-26101-1-git-send-email-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/renesas_usbhs/pipe.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/renesas_usbhs/pipe.c
++++ b/drivers/usb/renesas_usbhs/pipe.c
+@@ -746,6 +746,8 @@ struct usbhs_pipe *usbhs_pipe_malloc(str
+
+ void usbhs_pipe_free(struct usbhs_pipe *pipe)
+ {
++ usbhsp_pipe_select(pipe);
++ usbhsp_pipe_cfg_set(pipe, 0xFFFF, 0);
+ usbhsp_put_pipe(pipe);
+ }
+
--- /dev/null
+From 5563b3b6420362c8a1f468ca04afe6d5f0a8d0a3 Mon Sep 17 00:00:00 2001
+From: Niv Sardi <xaiki@evilgiggle.com>
+Date: Mon, 1 Mar 2021 17:16:12 -0300
+Subject: USB: serial: ch341: add new Product ID
+
+From: Niv Sardi <xaiki@evilgiggle.com>
+
+commit 5563b3b6420362c8a1f468ca04afe6d5f0a8d0a3 upstream.
+
+Add PID for CH340 that's found on cheap programmers.
+
+The driver works flawlessly as soon as the new PID (0x9986) is added to it.
+These look like ANU232MI but ship with a ch341 inside. They have no special
+identifiers (mine only has the string "DB9D20130716" printed on the PCB and
+nothing identifiable on the packaging. The merchant i bought it from
+doesn't sell these anymore).
+
+the lsusb -v output is:
+Bus 001 Device 009: ID 9986:7523
+Device Descriptor:
+ bLength 18
+ bDescriptorType 1
+ bcdUSB 1.10
+ bDeviceClass 255 Vendor Specific Class
+ bDeviceSubClass 0
+ bDeviceProtocol 0
+ bMaxPacketSize0 8
+ idVendor 0x9986
+ idProduct 0x7523
+ bcdDevice 2.54
+ iManufacturer 0
+ iProduct 0
+ iSerial 0
+ bNumConfigurations 1
+ Configuration Descriptor:
+ bLength 9
+ bDescriptorType 2
+ wTotalLength 0x0027
+ bNumInterfaces 1
+ bConfigurationValue 1
+ iConfiguration 0
+ bmAttributes 0x80
+ (Bus Powered)
+ MaxPower 96mA
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 0
+ bAlternateSetting 0
+ bNumEndpoints 3
+ bInterfaceClass 255 Vendor Specific Class
+ bInterfaceSubClass 1
+ bInterfaceProtocol 2
+ iInterface 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x82 EP 2 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0020 1x 32 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x02 EP 2 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0020 1x 32 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x81 EP 1 IN
+ bmAttributes 3
+ Transfer Type Interrupt
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0008 1x 8 bytes
+ bInterval 1
+
+Signed-off-by: Niv Sardi <xaiki@evilgiggle.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/ch341.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/ch341.c
++++ b/drivers/usb/serial/ch341.c
+@@ -88,6 +88,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x1a86, 0x7522) },
+ { USB_DEVICE(0x1a86, 0x7523) },
+ { USB_DEVICE(0x4348, 0x5523) },
++ { USB_DEVICE(0x9986, 0x7523) },
+ { },
+ };
+ MODULE_DEVICE_TABLE(usb, id_table);
--- /dev/null
+From ca667a33207daeaf9c62b106815728718def60ec Mon Sep 17 00:00:00 2001
+From: Karan Singhal <karan.singhal@acuitybrands.com>
+Date: Tue, 16 Feb 2021 11:03:10 -0500
+Subject: USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter
+
+From: Karan Singhal <karan.singhal@acuitybrands.com>
+
+commit ca667a33207daeaf9c62b106815728718def60ec upstream.
+
+IDs of nLight Air Adapter, Acuity Brands, Inc.:
+vid: 10c4
+pid: 88d8
+
+Signed-off-by: Karan Singhal <karan.singhal@acuitybrands.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -149,6 +149,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x10C4, 0x8857) }, /* CEL EM357 ZigBee USB Stick */
+ { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */
+ { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */
++ { USB_DEVICE(0x10C4, 0x88D8) }, /* Acuity Brands nLight Air Adapter */
+ { USB_DEVICE(0x10C4, 0x88FB) }, /* CESINEL MEDCAL STII Network Analyzer */
+ { USB_DEVICE(0x10C4, 0x8938) }, /* CESINEL MEDCAL S II Network Analyzer */
+ { USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */
--- /dev/null
+From 42213a0190b535093a604945db05a4225bf43885 Mon Sep 17 00:00:00 2001
+From: Sebastian Reichel <sebastian.reichel@collabora.com>
+Date: Tue, 23 Feb 2021 17:44:18 +0100
+Subject: USB: serial: cp210x: add some more GE USB IDs
+
+From: Sebastian Reichel <sebastian.reichel@collabora.com>
+
+commit 42213a0190b535093a604945db05a4225bf43885 upstream.
+
+GE CS1000 has some more custom USB IDs for CP2102N; add them
+to the driver to have working auto-probing.
+
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/cp210x.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -206,6 +206,8 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */
+ { USB_DEVICE(0x1901, 0x0195) }, /* GE B850/B650/B450 CP2104 DP UART interface */
+ { USB_DEVICE(0x1901, 0x0196) }, /* GE B850 CP2105 DP UART interface */
++ { USB_DEVICE(0x1901, 0x0197) }, /* GE CS1000 Display serial interface */
++ { USB_DEVICE(0x1901, 0x0198) }, /* GE CS1000 M.2 Key E serial interface */
+ { USB_DEVICE(0x199B, 0xBA30) }, /* LORD WSDA-200-USB */
+ { USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */
+ { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
--- /dev/null
+From cfdc67acc785e01a8719eeb7012709d245564701 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Tue, 2 Mar 2021 02:01:52 +0300
+Subject: USB: serial: io_edgeport: fix memory leak in edge_startup
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit cfdc67acc785e01a8719eeb7012709d245564701 upstream.
+
+sysbot found memory leak in edge_startup().
+The problem was that when an error was received from the usb_submit_urb(),
+nothing was cleaned up.
+
+Reported-by: syzbot+59f777bdcbdd7eea5305@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver")
+Cc: stable@vger.kernel.org # 2.6.21: c5c0c55598ce
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/io_edgeport.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/serial/io_edgeport.c
++++ b/drivers/usb/serial/io_edgeport.c
+@@ -3025,26 +3025,32 @@ static int edge_startup(struct usb_seria
+ response = -ENODEV;
+ }
+
+- usb_free_urb(edge_serial->interrupt_read_urb);
+- kfree(edge_serial->interrupt_in_buffer);
+-
+- usb_free_urb(edge_serial->read_urb);
+- kfree(edge_serial->bulk_in_buffer);
+-
+- kfree(edge_serial);
+-
+- return response;
++ goto error;
+ }
+
+ /* start interrupt read for this edgeport this interrupt will
+ * continue as long as the edgeport is connected */
+ response = usb_submit_urb(edge_serial->interrupt_read_urb,
+ GFP_KERNEL);
+- if (response)
++ if (response) {
+ dev_err(ddev, "%s - Error %d submitting control urb\n",
+ __func__, response);
++
++ goto error;
++ }
+ }
+ return response;
++
++error:
++ usb_free_urb(edge_serial->interrupt_read_urb);
++ kfree(edge_serial->interrupt_in_buffer);
++
++ usb_free_urb(edge_serial->read_urb);
++ kfree(edge_serial->bulk_in_buffer);
++
++ kfree(edge_serial);
++
++ return response;
+ }
+
+
--- /dev/null
+From b71c669ad8390dd1c866298319ff89fe68b45653 Mon Sep 17 00:00:00 2001
+From: Forest Crossman <cyrozap@gmail.com>
+Date: Thu, 11 Mar 2021 13:53:52 +0200
+Subject: usb: xhci: Fix ASMedia ASM1042A and ASM3242 DMA addressing
+
+From: Forest Crossman <cyrozap@gmail.com>
+
+commit b71c669ad8390dd1c866298319ff89fe68b45653 upstream.
+
+I've confirmed that both the ASMedia ASM1042A and ASM3242 have the same
+problem as the ASM1142 and ASM2142/ASM3142, where they lose some of the
+upper bits of 64-bit DMA addresses. As with the other chips, this can
+cause problems on systems where the upper bits matter, and adding the
+XHCI_NO_64BIT_SUPPORT quirk completely fixes the issue.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Forest Crossman <cyrozap@gmail.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210311115353.2137560-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-pci.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -63,6 +63,7 @@
+ #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142
+ #define PCI_DEVICE_ID_ASMEDIA_1142_XHCI 0x1242
+ #define PCI_DEVICE_ID_ASMEDIA_2142_XHCI 0x2142
++#define PCI_DEVICE_ID_ASMEDIA_3242_XHCI 0x3242
+
+ static const char hcd_name[] = "xhci_hcd";
+
+@@ -236,11 +237,14 @@ static void xhci_pci_quirks(struct devic
+ pdev->device == PCI_DEVICE_ID_ASMEDIA_1042_XHCI)
+ xhci->quirks |= XHCI_BROKEN_STREAMS;
+ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
+- pdev->device == PCI_DEVICE_ID_ASMEDIA_1042A_XHCI)
++ pdev->device == PCI_DEVICE_ID_ASMEDIA_1042A_XHCI) {
+ xhci->quirks |= XHCI_TRUST_TX_LENGTH;
++ xhci->quirks |= XHCI_NO_64BIT_SUPPORT;
++ }
+ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
+ (pdev->device == PCI_DEVICE_ID_ASMEDIA_1142_XHCI ||
+- pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI))
++ pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI ||
++ pdev->device == PCI_DEVICE_ID_ASMEDIA_3242_XHCI))
+ xhci->quirks |= XHCI_NO_64BIT_SUPPORT;
+
+ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
--- /dev/null
+From 47ccc8fc2c9c94558b27b6f9e2582df32d29e6e8 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <skhan@linuxfoundation.org>
+Date: Sun, 7 Mar 2021 20:53:26 -0700
+Subject: usbip: fix stub_dev to check for stream socket
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+commit 47ccc8fc2c9c94558b27b6f9e2582df32d29e6e8 upstream.
+
+Fix usbip_sockfd_store() to validate the passed in file descriptor is
+a stream socket. If the file descriptor passed was a SOCK_DGRAM socket,
+sock_recvmsg() can't detect end of stream.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/e942d2bd03afb8e8552bd2a5d84e18d17670d521.1615171203.git.skhan@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/stub_dev.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/usbip/stub_dev.c
++++ b/drivers/usb/usbip/stub_dev.c
+@@ -83,8 +83,16 @@ static ssize_t store_sockfd(struct devic
+ }
+
+ socket = sockfd_lookup(sockfd, &err);
+- if (!socket)
++ if (!socket) {
++ dev_err(dev, "failed to lookup sock");
+ goto err;
++ }
++
++ if (socket->type != SOCK_STREAM) {
++ dev_err(dev, "Expecting SOCK_STREAM - found %d",
++ socket->type);
++ goto sock_err;
++ }
+
+ sdev->ud.tcp_socket = socket;
+ sdev->ud.sockfd = sockfd;
+@@ -114,6 +122,8 @@ static ssize_t store_sockfd(struct devic
+
+ return count;
+
++sock_err:
++ sockfd_put(socket);
+ err:
+ spin_unlock_irq(&sdev->ud.lock);
+ return -EINVAL;
--- /dev/null
+From 9380afd6df70e24eacbdbde33afc6a3950965d22 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <skhan@linuxfoundation.org>
+Date: Sun, 7 Mar 2021 20:53:29 -0700
+Subject: usbip: fix stub_dev usbip_sockfd_store() races leading to gpf
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+commit 9380afd6df70e24eacbdbde33afc6a3950965d22 upstream.
+
+usbip_sockfd_store() is invoked when user requests attach (import)
+detach (unimport) usb device from usbip host. vhci_hcd sends import
+request and usbip_sockfd_store() exports the device if it is free
+for export.
+
+Export and unexport are governed by local state and shared state
+- Shared state (usbip device status, sockfd) - sockfd and Device
+ status are used to determine if stub should be brought up or shut
+ down.
+- Local state (tcp_socket, rx and tx thread task_struct ptrs)
+ A valid tcp_socket controls rx and tx thread operations while the
+ device is in exported state.
+- While the device is exported, device status is marked used and socket,
+ sockfd, and thread pointers are valid.
+
+Export sequence (stub-up) includes validating the socket and creating
+receive (rx) and transmit (tx) threads to talk to the client to provide
+access to the exported device. rx and tx threads depends on local and
+shared state to be correct and in sync.
+
+Unexport (stub-down) sequence shuts the socket down and stops the rx and
+tx threads. Stub-down sequence relies on local and shared states to be
+in sync.
+
+There are races in updating the local and shared status in the current
+stub-up sequence resulting in crashes. These stem from starting rx and
+tx threads before local and global state is updated correctly to be in
+sync.
+
+1. Doesn't handle kthread_create() error and saves invalid ptr in local
+ state that drives rx and tx threads.
+2. Updates tcp_socket and sockfd, starts stub_rx and stub_tx threads
+ before updating usbip_device status to SDEV_ST_USED. This opens up a
+ race condition between the threads and usbip_sockfd_store() stub up
+ and down handling.
+
+Fix the above problems:
+- Stop using kthread_get_run() macro to create/start threads.
+- Create threads and get task struct reference.
+- Add kthread_create() failure handling and bail out.
+- Hold usbip_device lock to update local and shared states after
+ creating rx and tx threads.
+- Update usbip_device status to SDEV_ST_USED.
+- Update usbip_device tcp_socket, sockfd, tcp_rx, and tcp_tx
+- Start threads after usbip_device (tcp_socket, sockfd, tcp_rx, tcp_tx,
+ and status) is complete.
+
+Credit goes to syzbot and Tetsuo Handa for finding and root-causing the
+kthread_get_run() improper error handling problem and others. This is a
+hard problem to find and debug since the races aren't seen in a normal
+case. Fuzzing forces the race window to be small enough for the
+kthread_get_run() error path bug and starting threads before updating the
+local and shared state bug in the stub-up sequence.
+
+Tested with syzbot reproducer:
+- https://syzkaller.appspot.com/text?tag=ReproC&x=14801034d00000
+
+Fixes: 9720b4bc76a83807 ("staging/usbip: convert to kthread")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot <syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com>
+Reported-by: syzbot <syzbot+bf1a360e305ee719e364@syzkaller.appspotmail.com>
+Reported-by: syzbot <syzbot+95ce4b142579611ef0a9@syzkaller.appspotmail.com>
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/268a0668144d5ff36ec7d87fdfa90faf583b7ccc.1615171203.git.skhan@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/stub_dev.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/usbip/stub_dev.c
++++ b/drivers/usb/usbip/stub_dev.c
+@@ -60,6 +60,8 @@ static ssize_t store_sockfd(struct devic
+ int sockfd = 0;
+ struct socket *socket;
+ int rv;
++ struct task_struct *tcp_rx = NULL;
++ struct task_struct *tcp_tx = NULL;
+
+ if (!sdev) {
+ dev_err(dev, "sdev is null\n");
+@@ -94,20 +96,36 @@ static ssize_t store_sockfd(struct devic
+ goto sock_err;
+ }
+
+- sdev->ud.tcp_socket = socket;
+- sdev->ud.sockfd = sockfd;
+-
++ /* unlock and create threads and get tasks */
+ spin_unlock_irq(&sdev->ud.lock);
++ tcp_rx = kthread_create(stub_rx_loop, &sdev->ud, "stub_rx");
++ if (IS_ERR(tcp_rx)) {
++ sockfd_put(socket);
++ return -EINVAL;
++ }
++ tcp_tx = kthread_create(stub_tx_loop, &sdev->ud, "stub_tx");
++ if (IS_ERR(tcp_tx)) {
++ kthread_stop(tcp_rx);
++ sockfd_put(socket);
++ return -EINVAL;
++ }
+
+- sdev->ud.tcp_rx = kthread_get_run(stub_rx_loop, &sdev->ud,
+- "stub_rx");
+- sdev->ud.tcp_tx = kthread_get_run(stub_tx_loop, &sdev->ud,
+- "stub_tx");
++ /* get task structs now */
++ get_task_struct(tcp_rx);
++ get_task_struct(tcp_tx);
+
++ /* lock and update sdev->ud state */
+ spin_lock_irq(&sdev->ud.lock);
++ sdev->ud.tcp_socket = socket;
++ sdev->ud.sockfd = sockfd;
++ sdev->ud.tcp_rx = tcp_rx;
++ sdev->ud.tcp_tx = tcp_tx;
+ sdev->ud.status = SDEV_ST_USED;
+ spin_unlock_irq(&sdev->ud.lock);
+
++ wake_up_process(sdev->ud.tcp_rx);
++ wake_up_process(sdev->ud.tcp_tx);
++
+ } else {
+ dev_info(dev, "stub down\n");
+
--- /dev/null
+From 718ad9693e3656120064b715fe931f43a6201e67 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <skhan@linuxfoundation.org>
+Date: Sun, 7 Mar 2021 20:53:30 -0700
+Subject: usbip: fix vhci_hcd attach_store() races leading to gpf
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+commit 718ad9693e3656120064b715fe931f43a6201e67 upstream.
+
+attach_store() is invoked when user requests import (attach) a device
+from usbip host.
+
+Attach and detach are governed by local state and shared state
+- Shared state (usbip device status) - Device status is used to manage
+ the attach and detach operations on import-able devices.
+- Local state (tcp_socket, rx and tx thread task_struct ptrs)
+ A valid tcp_socket controls rx and tx thread operations while the
+ device is in exported state.
+- Device has to be in the right state to be attached and detached.
+
+Attach sequence includes validating the socket and creating receive (rx)
+and transmit (tx) threads to talk to the host to get access to the
+imported device. rx and tx threads depends on local and shared state to
+be correct and in sync.
+
+Detach sequence shuts the socket down and stops the rx and tx threads.
+Detach sequence relies on local and shared states to be in sync.
+
+There are races in updating the local and shared status in the current
+attach sequence resulting in crashes. These stem from starting rx and
+tx threads before local and global state is updated correctly to be in
+sync.
+
+1. Doesn't handle kthread_create() error and saves invalid ptr in local
+ state that drives rx and tx threads.
+2. Updates tcp_socket and sockfd, starts stub_rx and stub_tx threads
+ before updating usbip_device status to VDEV_ST_NOTASSIGNED. This opens
+ up a race condition between the threads, port connect, and detach
+ handling.
+
+Fix the above problems:
+- Stop using kthread_get_run() macro to create/start threads.
+- Create threads and get task struct reference.
+- Add kthread_create() failure handling and bail out.
+- Hold vhci and usbip_device locks to update local and shared states after
+ creating rx and tx threads.
+- Update usbip_device status to VDEV_ST_NOTASSIGNED.
+- Update usbip_device tcp_socket, sockfd, tcp_rx, and tcp_tx
+- Start threads after usbip_device (tcp_socket, sockfd, tcp_rx, tcp_tx,
+ and status) is complete.
+
+Credit goes to syzbot and Tetsuo Handa for finding and root-causing the
+kthread_get_run() improper error handling problem and others. This is
+hard problem to find and debug since the races aren't seen in a normal
+case. Fuzzing forces the race window to be small enough for the
+kthread_get_run() error path bug and starting threads before updating the
+local and shared state bug in the attach sequence.
+- Update usbip_device tcp_rx and tcp_tx pointers holding vhci and
+ usbip_device locks.
+
+Tested with syzbot reproducer:
+- https://syzkaller.appspot.com/text?tag=ReproC&x=14801034d00000
+
+Fixes: 9720b4bc76a83807 ("staging/usbip: convert to kthread")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot <syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com>
+Reported-by: syzbot <syzbot+bf1a360e305ee719e364@syzkaller.appspotmail.com>
+Reported-by: syzbot <syzbot+95ce4b142579611ef0a9@syzkaller.appspotmail.com>
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/bb434bd5d7a64fbec38b5ecfb838a6baef6eb12b.1615171203.git.skhan@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/vhci_sysfs.c | 29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/usbip/vhci_sysfs.c
++++ b/drivers/usb/usbip/vhci_sysfs.c
+@@ -326,6 +326,8 @@ static ssize_t store_attach(struct devic
+ struct vhci *vhci;
+ int err;
+ unsigned long flags;
++ struct task_struct *tcp_rx = NULL;
++ struct task_struct *tcp_tx = NULL;
+
+ /*
+ * @rhport: port number of vhci_hcd
+@@ -374,9 +376,24 @@ static ssize_t store_attach(struct devic
+ return -EINVAL;
+ }
+
+- /* now need lock until setting vdev status as used */
++ /* create threads before locking */
++ tcp_rx = kthread_create(vhci_rx_loop, &vdev->ud, "vhci_rx");
++ if (IS_ERR(tcp_rx)) {
++ sockfd_put(socket);
++ return -EINVAL;
++ }
++ tcp_tx = kthread_create(vhci_tx_loop, &vdev->ud, "vhci_tx");
++ if (IS_ERR(tcp_tx)) {
++ kthread_stop(tcp_rx);
++ sockfd_put(socket);
++ return -EINVAL;
++ }
++
++ /* get task structs now */
++ get_task_struct(tcp_rx);
++ get_task_struct(tcp_tx);
+
+- /* begin a lock */
++ /* now begin lock until setting vdev status set */
+ spin_lock_irqsave(&vhci->lock, flags);
+ spin_lock(&vdev->ud.lock);
+
+@@ -386,6 +403,8 @@ static ssize_t store_attach(struct devic
+ spin_unlock_irqrestore(&vhci->lock, flags);
+
+ sockfd_put(socket);
++ kthread_stop_put(tcp_rx);
++ kthread_stop_put(tcp_tx);
+
+ dev_err(dev, "port %d already used\n", rhport);
+ /*
+@@ -404,14 +423,16 @@ static ssize_t store_attach(struct devic
+ vdev->speed = speed;
+ vdev->ud.sockfd = sockfd;
+ vdev->ud.tcp_socket = socket;
++ vdev->ud.tcp_rx = tcp_rx;
++ vdev->ud.tcp_tx = tcp_tx;
+ vdev->ud.status = VDEV_ST_NOTASSIGNED;
+
+ spin_unlock(&vdev->ud.lock);
+ spin_unlock_irqrestore(&vhci->lock, flags);
+ /* end the lock */
+
+- vdev->ud.tcp_rx = kthread_get_run(vhci_rx_loop, &vdev->ud, "vhci_rx");
+- vdev->ud.tcp_tx = kthread_get_run(vhci_tx_loop, &vdev->ud, "vhci_tx");
++ wake_up_process(vdev->ud.tcp_rx);
++ wake_up_process(vdev->ud.tcp_tx);
+
+ rh_port_connect(vdev, speed);
+
--- /dev/null
+From f55a0571690c4aae03180e001522538c0927432f Mon Sep 17 00:00:00 2001
+From: Shuah Khan <skhan@linuxfoundation.org>
+Date: Sun, 7 Mar 2021 20:53:27 -0700
+Subject: usbip: fix vhci_hcd to check for stream socket
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+commit f55a0571690c4aae03180e001522538c0927432f upstream.
+
+Fix attach_store() to validate the passed in file descriptor is a
+stream socket. If the file descriptor passed was a SOCK_DGRAM socket,
+sock_recvmsg() can't detect end of stream.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/52712aa308915bda02cece1589e04ee8b401d1f3.1615171203.git.skhan@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/vhci_sysfs.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/usbip/vhci_sysfs.c
++++ b/drivers/usb/usbip/vhci_sysfs.c
+@@ -363,8 +363,16 @@ static ssize_t store_attach(struct devic
+
+ /* Extract socket from fd. */
+ socket = sockfd_lookup(sockfd, &err);
+- if (!socket)
++ if (!socket) {
++ dev_err(dev, "failed to lookup sock");
+ return -EINVAL;
++ }
++ if (socket->type != SOCK_STREAM) {
++ dev_err(dev, "Expecting SOCK_STREAM - found %d",
++ socket->type);
++ sockfd_put(socket);
++ return -EINVAL;
++ }
+
+ /* now need lock until setting vdev status as used */
+
--- /dev/null
+From 6801854be94fe8819b3894979875ea31482f5658 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <skhan@linuxfoundation.org>
+Date: Sun, 7 Mar 2021 20:53:28 -0700
+Subject: usbip: fix vudc to check for stream socket
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+commit 6801854be94fe8819b3894979875ea31482f5658 upstream.
+
+Fix usbip_sockfd_store() to validate the passed in file descriptor is
+a stream socket. If the file descriptor passed was a SOCK_DGRAM socket,
+sock_recvmsg() can't detect end of stream.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/387a670316002324113ac7ea1e8b53f4085d0c95.1615171203.git.skhan@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/vudc_sysfs.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/usb/usbip/vudc_sysfs.c
++++ b/drivers/usb/usbip/vudc_sysfs.c
+@@ -24,6 +24,7 @@
+ #include <linux/usb/ch9.h>
+ #include <linux/sysfs.h>
+ #include <linux/kthread.h>
++#include <linux/file.h>
+ #include <linux/byteorder/generic.h>
+
+ #include "usbip_common.h"
+@@ -150,6 +151,13 @@ static ssize_t store_sockfd(struct devic
+ goto unlock_ud;
+ }
+
++ if (socket->type != SOCK_STREAM) {
++ dev_err(dev, "Expecting SOCK_STREAM - found %d",
++ socket->type);
++ ret = -EINVAL;
++ goto sock_err;
++ }
++
+ udc->ud.tcp_socket = socket;
+
+ spin_unlock_irq(&udc->ud.lock);
+@@ -189,6 +197,8 @@ static ssize_t store_sockfd(struct devic
+
+ return count;
+
++sock_err:
++ sockfd_put(socket);
+ unlock_ud:
+ spin_unlock_irq(&udc->ud.lock);
+ unlock:
--- /dev/null
+From 253f588c70f66184b1f3a9bbb428b49bbda73e80 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Thu, 11 Mar 2021 13:53:51 +0200
+Subject: xhci: Improve detection of device initiated wake signal.
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 253f588c70f66184b1f3a9bbb428b49bbda73e80 upstream.
+
+A xHC USB 3 port might miss the first wake signal from a USB 3 device
+if the port LFPS reveiver isn't enabled fast enough after xHC resume.
+
+xHC host will anyway be resumed by a PME# signal, but will go back to
+suspend if no port activity is seen.
+The device resends the U3 LFPS wake signal after a 100ms delay, but
+by then host is already suspended, starting all over from the
+beginning of this issue.
+
+USB 3 specs say U3 wake LFPS signal is sent for max 10ms, then device
+needs to delay 100ms before resending the wake.
+
+Don't suspend immediately if port activity isn't detected in resume.
+Instead add a retry. If there is no port activity then delay for 120ms,
+and re-check for port activity.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210311115353.2137560-3-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -1021,6 +1021,7 @@ int xhci_resume(struct xhci_hcd *xhci, b
+ struct usb_hcd *secondary_hcd;
+ int retval = 0;
+ bool comp_timer_running = false;
++ bool pending_portevent = false;
+
+ if (!hcd->state)
+ return 0;
+@@ -1154,13 +1155,22 @@ int xhci_resume(struct xhci_hcd *xhci, b
+
+ done:
+ if (retval == 0) {
+- /* Resume root hubs only when have pending events. */
+- if (xhci_pending_portevent(xhci)) {
++ /*
++ * Resume roothubs only if there are pending events.
++ * USB 3 devices resend U3 LFPS wake after a 100ms delay if
++ * the first wake signalling failed, give it that chance.
++ */
++ pending_portevent = xhci_pending_portevent(xhci);
++ if (!pending_portevent) {
++ msleep(120);
++ pending_portevent = xhci_pending_portevent(xhci);
++ }
++
++ if (pending_portevent) {
+ usb_hcd_resume_root_hub(xhci->shared_hcd);
+ usb_hcd_resume_root_hub(hcd);
+ }
+ }
+-
+ /*
+ * If system is subject to the Quirk, Compliance Mode Timer needs to
+ * be re-initialized Always after a system resume. Ports are subject
projects / thirdparty / kernel / stable-queue.git / commitdiff
