--- /dev/null
+From 3e4f8e21c4f27bcf30a48486b9dcc269512b79ff Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 19 Dec 2019 17:10:16 +0100
+Subject: USB: core: fix check for duplicate endpoints
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3e4f8e21c4f27bcf30a48486b9dcc269512b79ff upstream.
+
+Amend the endpoint-descriptor sanity checks to detect all duplicate
+endpoint addresses in a configuration.
+
+Commit 0a8fd1346254 ("USB: fix problems with duplicate endpoint
+addresses") added a check for duplicate endpoint addresses within a
+single alternate setting, but did not look for duplicate addresses in
+other interfaces.
+
+The current check would also not detect all duplicate addresses when one
+endpoint is as a (bi-directional) control endpoint.
+
+This specifically avoids overwriting the endpoint entries in struct
+usb_device when enabling a duplicate endpoint, something which could
+potentially lead to crashes or leaks, for example, when endpoints are
+later disabled.
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20191219161016.6695-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/config.c | 70 ++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 58 insertions(+), 12 deletions(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -203,9 +203,58 @@ static const unsigned short super_speed_
+ [USB_ENDPOINT_XFER_INT] = 1024,
+ };
+
+-static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
+- int asnum, struct usb_host_interface *ifp, int num_ep,
+- unsigned char *buffer, int size)
++static bool endpoint_is_duplicate(struct usb_endpoint_descriptor *e1,
++ struct usb_endpoint_descriptor *e2)
++{
++ if (e1->bEndpointAddress == e2->bEndpointAddress)
++ return true;
++
++ if (usb_endpoint_xfer_control(e1) || usb_endpoint_xfer_control(e2)) {
++ if (usb_endpoint_num(e1) == usb_endpoint_num(e2))
++ return true;
++ }
++
++ return false;
++}
++
++/*
++ * Check for duplicate endpoint addresses in other interfaces and in the
++ * altsetting currently being parsed.
++ */
++static bool config_endpoint_is_duplicate(struct usb_host_config *config,
++ int inum, int asnum, struct usb_endpoint_descriptor *d)
++{
++ struct usb_endpoint_descriptor *epd;
++ struct usb_interface_cache *intfc;
++ struct usb_host_interface *alt;
++ int i, j, k;
++
++ for (i = 0; i < config->desc.bNumInterfaces; ++i) {
++ intfc = config->intf_cache[i];
++
++ for (j = 0; j < intfc->num_altsetting; ++j) {
++ alt = &intfc->altsetting[j];
++
++ if (alt->desc.bInterfaceNumber == inum &&
++ alt->desc.bAlternateSetting != asnum)
++ continue;
++
++ for (k = 0; k < alt->desc.bNumEndpoints; ++k) {
++ epd = &alt->endpoint[k].desc;
++
++ if (endpoint_is_duplicate(epd, d))
++ return true;
++ }
++ }
++ }
++
++ return false;
++}
++
++static int usb_parse_endpoint(struct device *ddev, int cfgno,
++ struct usb_host_config *config, int inum, int asnum,
++ struct usb_host_interface *ifp, int num_ep,
++ unsigned char *buffer, int size)
+ {
+ unsigned char *buffer0 = buffer;
+ struct usb_endpoint_descriptor *d;
+@@ -242,13 +291,10 @@ static int usb_parse_endpoint(struct dev
+ goto skip_to_next_endpoint_or_interface_descriptor;
+
+ /* Check for duplicate endpoint addresses */
+- for (i = 0; i < ifp->desc.bNumEndpoints; ++i) {
+- if (ifp->endpoint[i].desc.bEndpointAddress ==
+- d->bEndpointAddress) {
+- dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n",
+- cfgno, inum, asnum, d->bEndpointAddress);
+- goto skip_to_next_endpoint_or_interface_descriptor;
+- }
++ if (config_endpoint_is_duplicate(config, inum, asnum, d)) {
++ dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n",
++ cfgno, inum, asnum, d->bEndpointAddress);
++ goto skip_to_next_endpoint_or_interface_descriptor;
+ }
+
+ endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints];
+@@ -522,8 +568,8 @@ static int usb_parse_interface(struct de
+ if (((struct usb_descriptor_header *) buffer)->bDescriptorType
+ == USB_DT_INTERFACE)
+ break;
+- retval = usb_parse_endpoint(ddev, cfgno, inum, asnum, alt,
+- num_ep, buffer, size);
++ retval = usb_parse_endpoint(ddev, cfgno, config, inum, asnum,
++ alt, num_ep, buffer, size);
+ if (retval < 0)
+ return retval;
+ ++n;
--- /dev/null
+From ea0d762775e20aaff7909a3f0866ff1688b1c618 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Fri, 13 Dec 2019 18:40:45 -0800
+Subject: usb: dwc3: gadget: Fix request complete check
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit ea0d762775e20aaff7909a3f0866ff1688b1c618 upstream.
+
+We can only check for IN direction if the request had completed. For OUT
+direction, it's perfectly fine that the host can send less than the
+setup length. Let's return true fall all cases of OUT direction.
+
+Fixes: e0c42ce590fe ("usb: dwc3: gadget: simplify IOC handling")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
+Link: https://lore.kernel.org/r/ac5a3593a94fdaa3d92e6352356b5f7a01ccdc7c.1576291140.git.thinhn@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2271,6 +2271,13 @@ static int dwc3_gadget_ep_reclaim_trb_li
+
+ static bool dwc3_gadget_ep_request_completed(struct dwc3_request *req)
+ {
++ /*
++ * For OUT direction, host may send less than the setup
++ * length. Return true for all OUT requests.
++ */
++ if (!req->direction)
++ return true;
++
+ return req->request.actual == req->request.length;
+ }
+
--- /dev/null
+From 1530f6f5f5806b2abbf2a9276c0db313ae9a0e09 Mon Sep 17 00:00:00 2001
+From: Qi Zhou <atmgnd@outlook.com>
+Date: Sat, 4 Jan 2020 11:02:01 +0000
+Subject: usb: missing parentheses in USE_NEW_SCHEME
+
+From: Qi Zhou <atmgnd@outlook.com>
+
+commit 1530f6f5f5806b2abbf2a9276c0db313ae9a0e09 upstream.
+
+According to bd0e6c9614b9 ("usb: hub: try old enumeration scheme first
+for high speed devices") the kernel will try the old enumeration scheme
+first for high speed devices. This can happen when a high speed device
+is plugged in.
+
+But due to missing parentheses in the USE_NEW_SCHEME define, this logic
+can get messed up and the incorrect result happens.
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Qi Zhou <atmgnd@outlook.com>
+Link: https://lore.kernel.org/r/ht4mtag8ZP-HKEhD0KkJhcFnVlOFV8N8eNjJVRD9pDkkLUNhmEo8_cL_sl7xy9mdajdH-T8J3TFQsjvoYQT61NFjQXy469Ed_BbBw_x4S1E=@protonmail.com
+[ fixup changelog text - gregkh]
+Cc: stable <stable@vger.kernel.org>
+Fixes: bd0e6c9614b9 ("usb: hub: try old enumeration scheme first for high speed devices")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2657,7 +2657,7 @@ static unsigned hub_is_wusb(struct usb_h
+ #define SET_ADDRESS_TRIES 2
+ #define GET_DESCRIPTOR_TRIES 2
+ #define SET_CONFIG_TRIES (2 * (use_both_schemes + 1))
+-#define USE_NEW_SCHEME(i, scheme) ((i) / 2 == (int)scheme)
++#define USE_NEW_SCHEME(i, scheme) ((i) / 2 == (int)(scheme))
+
+ #define HUB_ROOT_RESET_TIME 60 /* times are in msec */
+ #define HUB_SHORT_RESET_TIME 10
--- /dev/null
+From 0d3010fa442429f8780976758719af05592ff19f Mon Sep 17 00:00:00 2001
+From: Daniele Palmas <dnlplm@gmail.com>
+Date: Fri, 13 Dec 2019 14:56:15 +0100
+Subject: USB: serial: option: add Telit ME910G1 0x110a composition
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+commit 0d3010fa442429f8780976758719af05592ff19f upstream.
+
+This patch adds the following Telit ME910G1 composition:
+
+0x110a: tty, tty, tty, rmnet
+
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1172,6 +1172,8 @@ static const struct usb_device_id option
+ .driver_info = NCTRL(0) | RSVD(3) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1102, 0xff), /* Telit ME910 (ECM) */
+ .driver_info = NCTRL(0) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x110a, 0xff), /* Telit ME910G1 */
++ .driver_info = NCTRL(0) | RSVD(3) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
+ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
projects / thirdparty / kernel / stable-queue.git / commitdiff
