--- /dev/null
+From f8204f0ddd62966a0e79c2804963a21e3540dd82 Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Fri, 4 Oct 2019 21:17:22 +0300
+Subject: mei: avoid FW version request on Ibex Peak and earlier
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit f8204f0ddd62966a0e79c2804963a21e3540dd82 upstream.
+
+The fixed MKHI client on PCH 6 gen platforms
+does not support fw version retrieval.
+The error is not fatal, but it fills up the kernel logs and
+slows down the driver start.
+This patch disables requesting FW version on GEN6 and earlier platforms.
+
+Fixes warning:
+[ 15.964298] mei mei::55213584-9a29-4916-badf-0fb7ed682aeb:01: Could not read FW version
+[ 15.964301] mei mei::55213584-9a29-4916-badf-0fb7ed682aeb:01: version command failed -5
+
+Cc: <stable@vger.kernel.org> +v4.18
+Cc: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Link: https://lore.kernel.org/r/20191004181722.31374-1-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/bus-fixup.c | 14 +++++++++++---
+ drivers/misc/mei/hw-me.c | 21 ++++++++++++++++++---
+ drivers/misc/mei/hw-me.h | 8 ++++++--
+ drivers/misc/mei/mei_dev.h | 4 ++++
+ drivers/misc/mei/pci-me.c | 10 +++++-----
+ 5 files changed, 44 insertions(+), 13 deletions(-)
+
+--- a/drivers/misc/mei/bus-fixup.c
++++ b/drivers/misc/mei/bus-fixup.c
+@@ -218,13 +218,21 @@ static void mei_mkhi_fix(struct mei_cl_d
+ {
+ int ret;
+
++ /* No need to enable the client if nothing is needed from it */
++ if (!cldev->bus->fw_f_fw_ver_supported &&
++ !cldev->bus->hbm_f_os_supported)
++ return;
++
+ ret = mei_cldev_enable(cldev);
+ if (ret)
+ return;
+
+- ret = mei_fwver(cldev);
+- if (ret < 0)
+- dev_err(&cldev->dev, "FW version command failed %d\n", ret);
++ if (cldev->bus->fw_f_fw_ver_supported) {
++ ret = mei_fwver(cldev);
++ if (ret < 0)
++ dev_err(&cldev->dev, "FW version command failed %d\n",
++ ret);
++ }
+
+ if (cldev->bus->hbm_f_os_supported) {
+ ret = mei_osver(cldev);
+--- a/drivers/misc/mei/hw-me.c
++++ b/drivers/misc/mei/hw-me.c
+@@ -1355,6 +1355,8 @@ static bool mei_me_fw_type_sps(struct pc
+ #define MEI_CFG_FW_SPS \
+ .quirk_probe = mei_me_fw_type_sps
+
++#define MEI_CFG_FW_VER_SUPP \
++ .fw_ver_supported = 1
+
+ #define MEI_CFG_ICH_HFS \
+ .fw_status.count = 0
+@@ -1392,31 +1394,41 @@ static const struct mei_cfg mei_me_ich10
+ MEI_CFG_ICH10_HFS,
+ };
+
+-/* PCH devices */
+-static const struct mei_cfg mei_me_pch_cfg = {
++/* PCH6 devices */
++static const struct mei_cfg mei_me_pch6_cfg = {
+ MEI_CFG_PCH_HFS,
+ };
+
++/* PCH7 devices */
++static const struct mei_cfg mei_me_pch7_cfg = {
++ MEI_CFG_PCH_HFS,
++ MEI_CFG_FW_VER_SUPP,
++};
++
+ /* PCH Cougar Point and Patsburg with quirk for Node Manager exclusion */
+ static const struct mei_cfg mei_me_pch_cpt_pbg_cfg = {
+ MEI_CFG_PCH_HFS,
++ MEI_CFG_FW_VER_SUPP,
+ MEI_CFG_FW_NM,
+ };
+
+ /* PCH8 Lynx Point and newer devices */
+ static const struct mei_cfg mei_me_pch8_cfg = {
+ MEI_CFG_PCH8_HFS,
++ MEI_CFG_FW_VER_SUPP,
+ };
+
+ /* PCH8 Lynx Point with quirk for SPS Firmware exclusion */
+ static const struct mei_cfg mei_me_pch8_sps_cfg = {
+ MEI_CFG_PCH8_HFS,
++ MEI_CFG_FW_VER_SUPP,
+ MEI_CFG_FW_SPS,
+ };
+
+ /* Cannon Lake and newer devices */
+ static const struct mei_cfg mei_me_pch12_cfg = {
+ MEI_CFG_PCH8_HFS,
++ MEI_CFG_FW_VER_SUPP,
+ MEI_CFG_DMA_128,
+ };
+
+@@ -1428,7 +1440,8 @@ static const struct mei_cfg *const mei_c
+ [MEI_ME_UNDEF_CFG] = NULL,
+ [MEI_ME_ICH_CFG] = &mei_me_ich_cfg,
+ [MEI_ME_ICH10_CFG] = &mei_me_ich10_cfg,
+- [MEI_ME_PCH_CFG] = &mei_me_pch_cfg,
++ [MEI_ME_PCH6_CFG] = &mei_me_pch6_cfg,
++ [MEI_ME_PCH7_CFG] = &mei_me_pch7_cfg,
+ [MEI_ME_PCH_CPT_PBG_CFG] = &mei_me_pch_cpt_pbg_cfg,
+ [MEI_ME_PCH8_CFG] = &mei_me_pch8_cfg,
+ [MEI_ME_PCH8_SPS_CFG] = &mei_me_pch8_sps_cfg,
+@@ -1473,6 +1486,8 @@ struct mei_device *mei_me_dev_init(struc
+ mei_device_init(dev, &pdev->dev, &mei_me_hw_ops);
+ hw->cfg = cfg;
+
++ dev->fw_f_fw_ver_supported = cfg->fw_ver_supported;
++
+ return dev;
+ }
+
+--- a/drivers/misc/mei/hw-me.h
++++ b/drivers/misc/mei/hw-me.h
+@@ -20,11 +20,13 @@
+ * @fw_status: FW status
+ * @quirk_probe: device exclusion quirk
+ * @dma_size: device DMA buffers size
++ * @fw_ver_supported: is fw version retrievable from FW
+ */
+ struct mei_cfg {
+ const struct mei_fw_status fw_status;
+ bool (*quirk_probe)(struct pci_dev *pdev);
+ size_t dma_size[DMA_DSCR_NUM];
++ u32 fw_ver_supported:1;
+ };
+
+
+@@ -62,7 +64,8 @@ struct mei_me_hw {
+ * @MEI_ME_UNDEF_CFG: Lower sentinel.
+ * @MEI_ME_ICH_CFG: I/O Controller Hub legacy devices.
+ * @MEI_ME_ICH10_CFG: I/O Controller Hub platforms Gen10
+- * @MEI_ME_PCH_CFG: Platform Controller Hub platforms (Up to Gen8).
++ * @MEI_ME_PCH6_CFG: Platform Controller Hub platforms (Gen6).
++ * @MEI_ME_PCH7_CFG: Platform Controller Hub platforms (Gen7).
+ * @MEI_ME_PCH_CPT_PBG_CFG:Platform Controller Hub workstations
+ * with quirk for Node Manager exclusion.
+ * @MEI_ME_PCH8_CFG: Platform Controller Hub Gen8 and newer
+@@ -77,7 +80,8 @@ enum mei_cfg_idx {
+ MEI_ME_UNDEF_CFG,
+ MEI_ME_ICH_CFG,
+ MEI_ME_ICH10_CFG,
+- MEI_ME_PCH_CFG,
++ MEI_ME_PCH6_CFG,
++ MEI_ME_PCH7_CFG,
+ MEI_ME_PCH_CPT_PBG_CFG,
+ MEI_ME_PCH8_CFG,
+ MEI_ME_PCH8_SPS_CFG,
+--- a/drivers/misc/mei/mei_dev.h
++++ b/drivers/misc/mei/mei_dev.h
+@@ -426,6 +426,8 @@ struct mei_fw_version {
+ *
+ * @fw_ver : FW versions
+ *
++ * @fw_f_fw_ver_supported : fw feature: fw version supported
++ *
+ * @me_clients_rwsem: rw lock over me_clients list
+ * @me_clients : list of FW clients
+ * @me_clients_map : FW clients bit map
+@@ -506,6 +508,8 @@ struct mei_device {
+
+ struct mei_fw_version fw_ver[MEI_MAX_FW_VER_BLOCKS];
+
++ unsigned int fw_f_fw_ver_supported:1;
++
+ struct rw_semaphore me_clients_rwsem;
+ struct list_head me_clients;
+ DECLARE_BITMAP(me_clients_map, MEI_CLIENTS_MAX);
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -61,13 +61,13 @@ static const struct pci_device_id mei_me
+ {MEI_PCI_DEVICE(MEI_DEV_ID_ICH10_3, MEI_ME_ICH10_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_ICH10_4, MEI_ME_ICH10_CFG)},
+
+- {MEI_PCI_DEVICE(MEI_DEV_ID_IBXPK_1, MEI_ME_PCH_CFG)},
+- {MEI_PCI_DEVICE(MEI_DEV_ID_IBXPK_2, MEI_ME_PCH_CFG)},
++ {MEI_PCI_DEVICE(MEI_DEV_ID_IBXPK_1, MEI_ME_PCH6_CFG)},
++ {MEI_PCI_DEVICE(MEI_DEV_ID_IBXPK_2, MEI_ME_PCH6_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_CPT_1, MEI_ME_PCH_CPT_PBG_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_PBG_1, MEI_ME_PCH_CPT_PBG_CFG)},
+- {MEI_PCI_DEVICE(MEI_DEV_ID_PPT_1, MEI_ME_PCH_CFG)},
+- {MEI_PCI_DEVICE(MEI_DEV_ID_PPT_2, MEI_ME_PCH_CFG)},
+- {MEI_PCI_DEVICE(MEI_DEV_ID_PPT_3, MEI_ME_PCH_CFG)},
++ {MEI_PCI_DEVICE(MEI_DEV_ID_PPT_1, MEI_ME_PCH7_CFG)},
++ {MEI_PCI_DEVICE(MEI_DEV_ID_PPT_2, MEI_ME_PCH7_CFG)},
++ {MEI_PCI_DEVICE(MEI_DEV_ID_PPT_3, MEI_ME_PCH7_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_LPT_H, MEI_ME_PCH8_SPS_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_LPT_W, MEI_ME_PCH8_SPS_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_LPT_LP, MEI_ME_PCH8_CFG)},
--- /dev/null
+From 4d86dfd38285c83a6df01093b8547f742e3b2470 Mon Sep 17 00:00:00 2001
+From: Tomas Winkler <tomas.winkler@intel.com>
+Date: Wed, 2 Oct 2019 02:59:57 +0300
+Subject: mei: me: add comet point (lake) LP device ids
+
+From: Tomas Winkler <tomas.winkler@intel.com>
+
+commit 4d86dfd38285c83a6df01093b8547f742e3b2470 upstream.
+
+Add Comet Point devices IDs for Comet Lake U platforms.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Link: https://lore.kernel.org/r/20191001235958.19979-1-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/hw-me-regs.h | 3 +++
+ drivers/misc/mei/pci-me.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -79,6 +79,9 @@
+ #define MEI_DEV_ID_CNP_H 0xA360 /* Cannon Point H */
+ #define MEI_DEV_ID_CNP_H_4 0xA364 /* Cannon Point H 4 (iTouch) */
+
++#define MEI_DEV_ID_CMP_LP 0x02e0 /* Comet Point LP */
++#define MEI_DEV_ID_CMP_LP_3 0x02e4 /* Comet Point LP 3 (iTouch) */
++
+ #define MEI_DEV_ID_ICP_LP 0x34E0 /* Ice Lake Point LP */
+
+ #define MEI_DEV_ID_TGP_LP 0xA0E0 /* Tiger Lake Point LP */
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -96,6 +96,9 @@ static const struct pci_device_id mei_me
+ {MEI_PCI_DEVICE(MEI_DEV_ID_CNP_H, MEI_ME_PCH12_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_CNP_H_4, MEI_ME_PCH8_CFG)},
+
++ {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_LP, MEI_ME_PCH12_CFG)},
++ {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_LP_3, MEI_ME_PCH8_CFG)},
++
+ {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)},
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_TGP_LP, MEI_ME_PCH12_CFG)},
--- /dev/null
+From a553add0846f355a28ed4e81134012e4a1e280c2 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Mon, 16 Sep 2019 16:12:23 -0700
+Subject: serial: uartlite: fix exit path null pointer
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit a553add0846f355a28ed4e81134012e4a1e280c2 upstream.
+
+Call uart_unregister_driver() conditionally instead of
+unconditionally, only if it has been previously registered.
+
+This uses driver.state, just as the sh-sci.c driver does.
+
+Fixes this null pointer dereference in tty_unregister_driver(),
+since the 'driver' argument is null:
+
+ general protection fault: 0000 [#1] PREEMPT SMP KASAN PTI
+ RIP: 0010:tty_unregister_driver+0x25/0x1d0
+
+Fixes: 238b8721a554 ("[PATCH] serial uartlite driver")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: stable <stable@vger.kernel.org>
+Cc: Peter Korsgaard <jacmet@sunsite.dk>
+Link: https://lore.kernel.org/r/9c8e6581-6fcc-a595-0897-4d90f5d710df@infradead.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/uartlite.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/uartlite.c
++++ b/drivers/tty/serial/uartlite.c
+@@ -897,7 +897,8 @@ static int __init ulite_init(void)
+ static void __exit ulite_exit(void)
+ {
+ platform_driver_unregister(&ulite_platform_driver);
+- uart_unregister_driver(&ulite_uart_driver);
++ if (ulite_uart_driver.state)
++ uart_unregister_driver(&ulite_uart_driver);
+ }
+
+ module_init(ulite_init);
--- /dev/null
+From 5e9bd2d70ae7c00a95a22994abf1eef728649e64 Mon Sep 17 00:00:00 2001
+From: Michal Simek <michal.simek@xilinx.com>
+Date: Fri, 4 Oct 2019 15:04:11 +0200
+Subject: serial: uartps: Fix uartps_major handling
+
+From: Michal Simek <michal.simek@xilinx.com>
+
+commit 5e9bd2d70ae7c00a95a22994abf1eef728649e64 upstream.
+
+There are two parts which should be fixed. The first one is to assigned
+uartps_major at the end of probe() to avoid complicated logic when
+something fails.
+The second part is initialized uartps_major number to 0 when last device is
+removed. This will ensure that on next probe driver will ask for new
+dynamic major number.
+
+Fixes: ab262666018d ("serial: uartps: Use the same dynamic major number for all ports")
+Reported-by: Paul Thomas <pthomas8589@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+Link: https://lore.kernel.org/r/d2652cda992833315c4f96f06953eb547f928918.1570194248.git.michal.simek@xilinx.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/xilinx_uartps.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/xilinx_uartps.c
++++ b/drivers/tty/serial/xilinx_uartps.c
+@@ -1550,7 +1550,6 @@ static int cdns_uart_probe(struct platfo
+ goto err_out_id;
+ }
+
+- uartps_major = cdns_uart_uart_driver->tty_driver->major;
+ cdns_uart_data->cdns_uart_driver = cdns_uart_uart_driver;
+
+ /*
+@@ -1680,6 +1679,7 @@ static int cdns_uart_probe(struct platfo
+ console_port = NULL;
+ #endif
+
++ uartps_major = cdns_uart_uart_driver->tty_driver->major;
+ cdns_uart_data->cts_override = of_property_read_bool(pdev->dev.of_node,
+ "cts-override");
+ return 0;
+@@ -1741,6 +1741,12 @@ static int cdns_uart_remove(struct platf
+ console_port = NULL;
+ #endif
+
++ /* If this is last instance major number should be initialized */
++ mutex_lock(&bitmap_lock);
++ if (bitmap_empty(bitmap, MAX_UART_INSTANCES))
++ uartps_major = 0;
++ mutex_unlock(&bitmap_lock);
++
+ uart_unregister_driver(cdns_uart_data->cdns_uart_driver);
+ return rc;
+ }
usb-rio500-remove-rio-500-kernel-driver.patch
usb-yurex-don-t-retry-on-unexpected-errors.patch
usb-yurex-fix-null-derefs-on-disconnect.patch
+usb-usb-skeleton-fix-runtime-pm-after-driver-unbind.patch
+usb-usb-skeleton-fix-null-deref-on-disconnect.patch
+xhci-fix-false-warning-message-about-wrong-bounce-buffer-write-length.patch
+xhci-prevent-device-initiated-u1-u2-link-pm-if-exit-latency-is-too-long.patch
+xhci-check-all-endpoints-for-lpm-timeout.patch
+xhci-fix-usb-3.1-capability-detection-on-early-xhci-1.1-spec-based-hosts.patch
+usb-xhci-wait-for-cnr-controller-not-ready-bit-in-xhci-resume.patch
+xhci-prevent-deadlock-when-xhci-adapter-breaks-during-init.patch
+xhci-increase-sts_save-timeout-in-xhci_suspend.patch
+xhci-fix-null-pointer-dereference-in-xhci_clear_tt_buffer_complete.patch
+usb-adutux-fix-use-after-free-on-disconnect.patch
+usb-adutux-fix-null-derefs-on-disconnect.patch
+usb-adutux-fix-use-after-free-on-release.patch
+usb-iowarrior-fix-use-after-free-on-disconnect.patch
+usb-iowarrior-fix-use-after-free-on-release.patch
+usb-iowarrior-fix-use-after-free-after-driver-unbind.patch
+usb-usblp-fix-runtime-pm-after-driver-unbind.patch
+usb-chaoskey-fix-use-after-free-on-release.patch
+usb-ldusb-fix-null-derefs-on-driver-unbind.patch
+serial-uartlite-fix-exit-path-null-pointer.patch
+serial-uartps-fix-uartps_major-handling.patch
+usb-serial-keyspan-fix-null-derefs-on-open-and-write.patch
+usb-serial-ftdi_sio-add-device-ids-for-sienna-and-echelon-pl-20.patch
+usb-serial-option-add-telit-fn980-compositions.patch
+usb-serial-option-add-support-for-cinterion-cls8-devices.patch
+usb-serial-fix-runtime-pm-after-driver-unbind.patch
+usb-usblcd-fix-i-o-after-disconnect.patch
+usb-microtek-fix-info-leak-at-probe.patch
+usb-dummy-hcd-fix-power-budget-for-superspeed-mode.patch
+usb-renesas_usbhs-gadget-do-not-discard-queues-in-usb_ep_set_-halt-wedge.patch
+usb-renesas_usbhs-gadget-fix-usb_ep_set_-halt-wedge-behavior.patch
+usb-typec-tcpm-usb-typec-tcpm-fix-a-signedness-bug-in-tcpm_fw_get_caps.patch
+usb-typec-ucsi-ccg-remove-run_isr-flag.patch
+usb-typec-ucsi-displayport-fix-for-the-mode-entering-routine.patch
+usb-legousbtower-fix-slab-info-leak-at-probe.patch
+usb-legousbtower-fix-deadlock-on-disconnect.patch
+usb-legousbtower-fix-potential-null-deref-on-disconnect.patch
+usb-legousbtower-fix-open-after-failed-reset-request.patch
+usb-legousbtower-fix-use-after-free-on-release.patch
+mei-me-add-comet-point-lake-lp-device-ids.patch
+mei-avoid-fw-version-request-on-ibex-peak-and-earlier.patch
--- /dev/null
+From b2fa7baee744fde746c17bc1860b9c6f5c2eebb7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 25 Sep 2019 11:29:13 +0200
+Subject: USB: adutux: fix NULL-derefs on disconnect
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b2fa7baee744fde746c17bc1860b9c6f5c2eebb7 upstream.
+
+The driver was using its struct usb_device pointer as an inverted
+disconnected flag, but was setting it to NULL before making sure all
+completion handlers had run. This could lead to a NULL-pointer
+dereference in a number of dev_dbg statements in the completion handlers
+which relies on said pointer.
+
+The pointer was also dereferenced unconditionally in a dev_dbg statement
+release() something which would lead to a NULL-deref whenever a device
+was disconnected before the final character-device close if debugging
+was enabled.
+
+Fix this by unconditionally stopping all I/O and preventing
+resubmissions by poisoning the interrupt URBs at disconnect and using a
+dedicated disconnected flag.
+
+This also makes sure that all I/O has completed by the time the
+disconnect callback returns.
+
+Fixes: 1ef37c6047fe ("USB: adutux: remove custom debug macro and module parameter")
+Fixes: 66d4bc30d128 ("USB: adutux: remove custom debug macro")
+Cc: stable <stable@vger.kernel.org> # 3.12
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20190925092913.8608-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/adutux.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/misc/adutux.c
++++ b/drivers/usb/misc/adutux.c
+@@ -75,6 +75,7 @@ struct adu_device {
+ char serial_number[8];
+
+ int open_count; /* number of times this port has been opened */
++ unsigned long disconnected:1;
+
+ char *read_buffer_primary;
+ int read_buffer_length;
+@@ -116,7 +117,7 @@ static void adu_abort_transfers(struct a
+ {
+ unsigned long flags;
+
+- if (dev->udev == NULL)
++ if (dev->disconnected)
+ return;
+
+ /* shutdown transfer */
+@@ -243,7 +244,7 @@ static int adu_open(struct inode *inode,
+ }
+
+ dev = usb_get_intfdata(interface);
+- if (!dev || !dev->udev) {
++ if (!dev) {
+ retval = -ENODEV;
+ goto exit_no_device;
+ }
+@@ -326,7 +327,7 @@ static int adu_release(struct inode *ino
+ }
+
+ adu_release_internal(dev);
+- if (dev->udev == NULL) {
++ if (dev->disconnected) {
+ /* the device was unplugged before the file was released */
+ if (!dev->open_count) /* ... and we're the last user */
+ adu_delete(dev);
+@@ -354,7 +355,7 @@ static ssize_t adu_read(struct file *fil
+ return -ERESTARTSYS;
+
+ /* verify that the device wasn't unplugged */
+- if (dev->udev == NULL) {
++ if (dev->disconnected) {
+ retval = -ENODEV;
+ pr_err("No device or device unplugged %d\n", retval);
+ goto exit;
+@@ -518,7 +519,7 @@ static ssize_t adu_write(struct file *fi
+ goto exit_nolock;
+
+ /* verify that the device wasn't unplugged */
+- if (dev->udev == NULL) {
++ if (dev->disconnected) {
+ retval = -ENODEV;
+ pr_err("No device or device unplugged %d\n", retval);
+ goto exit;
+@@ -764,11 +765,14 @@ static void adu_disconnect(struct usb_in
+
+ usb_deregister_dev(interface, &adu_class);
+
++ usb_poison_urb(dev->interrupt_in_urb);
++ usb_poison_urb(dev->interrupt_out_urb);
++
+ mutex_lock(&adutux_mutex);
+ usb_set_intfdata(interface, NULL);
+
+ mutex_lock(&dev->mtx); /* not interruptible */
+- dev->udev = NULL; /* poison */
++ dev->disconnected = 1;
+ mutex_unlock(&dev->mtx);
+
+ /* if the device is not opened, then we clean up right now */
--- /dev/null
+From 44efc269db7929f6275a1fa927ef082e533ecde0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 25 Sep 2019 11:29:12 +0200
+Subject: USB: adutux: fix use-after-free on disconnect
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 44efc269db7929f6275a1fa927ef082e533ecde0 upstream.
+
+The driver was clearing its struct usb_device pointer, which it used as
+an inverted disconnected flag, before deregistering the character device
+and without serialising against racing release().
+
+This could lead to a use-after-free if a racing release() callback
+observes the cleared pointer and frees the driver data before
+disconnect() is finished with it.
+
+This could also lead to NULL-pointer dereferences in a racing open().
+
+Fixes: f08812d5eb8f ("USB: FIx locks and urb->status in adutux (updated)")
+Cc: stable <stable@vger.kernel.org> # 2.6.24
+Reported-by: syzbot+0243cb250a51eeefb8cc@syzkaller.appspotmail.com
+Tested-by: syzbot+0243cb250a51eeefb8cc@syzkaller.appspotmail.com
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20190925092913.8608-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/adutux.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/misc/adutux.c
++++ b/drivers/usb/misc/adutux.c
+@@ -762,14 +762,15 @@ static void adu_disconnect(struct usb_in
+
+ dev = usb_get_intfdata(interface);
+
+- mutex_lock(&dev->mtx); /* not interruptible */
+- dev->udev = NULL; /* poison */
+ usb_deregister_dev(interface, &adu_class);
+- mutex_unlock(&dev->mtx);
+
+ mutex_lock(&adutux_mutex);
+ usb_set_intfdata(interface, NULL);
+
++ mutex_lock(&dev->mtx); /* not interruptible */
++ dev->udev = NULL; /* poison */
++ mutex_unlock(&dev->mtx);
++
+ /* if the device is not opened, then we clean up right now */
+ if (!dev->open_count)
+ adu_delete(dev);
--- /dev/null
+From 123a0f125fa3d2104043697baa62899d9e549272 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 9 Oct 2019 17:38:44 +0200
+Subject: USB: adutux: fix use-after-free on release
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 123a0f125fa3d2104043697baa62899d9e549272 upstream.
+
+The driver was accessing its struct usb_device in its release()
+callback without holding a reference. This would lead to a
+use-after-free whenever the device was disconnected while the character
+device was still open.
+
+Fixes: 66d4bc30d128 ("USB: adutux: remove custom debug macro")
+Cc: stable <stable@vger.kernel.org> # 3.12
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191009153848.8664-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/adutux.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/adutux.c
++++ b/drivers/usb/misc/adutux.c
+@@ -149,6 +149,7 @@ static void adu_delete(struct adu_device
+ kfree(dev->read_buffer_secondary);
+ kfree(dev->interrupt_in_buffer);
+ kfree(dev->interrupt_out_buffer);
++ usb_put_dev(dev->udev);
+ kfree(dev);
+ }
+
+@@ -664,7 +665,7 @@ static int adu_probe(struct usb_interfac
+
+ mutex_init(&dev->mtx);
+ spin_lock_init(&dev->buflock);
+- dev->udev = udev;
++ dev->udev = usb_get_dev(udev);
+ init_waitqueue_head(&dev->read_wait);
+ init_waitqueue_head(&dev->write_wait);
+
--- /dev/null
+From 93ddb1f56ae102f14f9e46a9a9c8017faa970003 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 9 Oct 2019 17:38:45 +0200
+Subject: USB: chaoskey: fix use-after-free on release
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 93ddb1f56ae102f14f9e46a9a9c8017faa970003 upstream.
+
+The driver was accessing its struct usb_interface in its release()
+callback without holding a reference. This would lead to a
+use-after-free whenever the device was disconnected while the character
+device was still open.
+
+Fixes: 66e3e591891d ("usb: Add driver for Altus Metrum ChaosKey device (v2)")
+Cc: stable <stable@vger.kernel.org> # 4.1
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191009153848.8664-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/chaoskey.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/misc/chaoskey.c
++++ b/drivers/usb/misc/chaoskey.c
+@@ -98,6 +98,7 @@ static void chaoskey_free(struct chaoske
+ usb_free_urb(dev->urb);
+ kfree(dev->name);
+ kfree(dev->buf);
++ usb_put_intf(dev->interface);
+ kfree(dev);
+ }
+ }
+@@ -145,6 +146,8 @@ static int chaoskey_probe(struct usb_int
+ if (dev == NULL)
+ goto out;
+
++ dev->interface = usb_get_intf(interface);
++
+ dev->buf = kmalloc(size, GFP_KERNEL);
+
+ if (dev->buf == NULL)
+@@ -174,8 +177,6 @@ static int chaoskey_probe(struct usb_int
+ goto out;
+ }
+
+- dev->interface = interface;
+-
+ dev->in_ep = in_ep;
+
+ if (le16_to_cpu(udev->descriptor.idVendor) != ALEA_VENDOR_ID)
--- /dev/null
+From 2636d49b64671d3d90ecc4daf971b58df3956519 Mon Sep 17 00:00:00 2001
+From: "Jacky.Cao@sony.com" <Jacky.Cao@sony.com>
+Date: Thu, 5 Sep 2019 04:11:57 +0000
+Subject: USB: dummy-hcd: fix power budget for SuperSpeed mode
+
+From: Jacky.Cao@sony.com <Jacky.Cao@sony.com>
+
+commit 2636d49b64671d3d90ecc4daf971b58df3956519 upstream.
+
+The power budget for SuperSpeed mode should be 900 mA
+according to USB specification, so set the power budget
+to 900mA for dummy_start_ss which is only used for
+SuperSpeed mode.
+
+If the max power consumption of SuperSpeed device is
+larger than 500 mA, insufficient available bus power
+error happens in usb_choose_configuration function
+when the device connects to dummy hcd.
+
+Signed-off-by: Jacky Cao <Jacky.Cao@sony.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/16EA1F625E922C43B00B9D82250220500871CDE5@APYOKXMS108.ap.sony.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/dummy_hcd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -48,6 +48,7 @@
+ #define DRIVER_VERSION "02 May 2005"
+
+ #define POWER_BUDGET 500 /* in mA; use 8 for low-power port testing */
++#define POWER_BUDGET_3 900 /* in mA */
+
+ static const char driver_name[] = "dummy_hcd";
+ static const char driver_desc[] = "USB Host+Gadget Emulator";
+@@ -2432,7 +2433,7 @@ static int dummy_start_ss(struct dummy_h
+ dum_hcd->rh_state = DUMMY_RH_RUNNING;
+ dum_hcd->stream_en_ep = 0;
+ INIT_LIST_HEAD(&dum_hcd->urbp_list);
+- dummy_hcd_to_hcd(dum_hcd)->power_budget = POWER_BUDGET;
++ dummy_hcd_to_hcd(dum_hcd)->power_budget = POWER_BUDGET_3;
+ dummy_hcd_to_hcd(dum_hcd)->state = HC_STATE_RUNNING;
+ dummy_hcd_to_hcd(dum_hcd)->uses_new_polling = 1;
+ #ifdef CONFIG_USB_OTG
--- /dev/null
+From b5f8d46867ca233d773408ffbe691a8062ed718f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 9 Oct 2019 12:48:43 +0200
+Subject: USB: iowarrior: fix use-after-free after driver unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b5f8d46867ca233d773408ffbe691a8062ed718f upstream.
+
+Make sure to stop also the asynchronous write URBs on disconnect() to
+avoid use-after-free in the completion handler after driver unbind.
+
+Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
+Cc: stable <stable@vger.kernel.org> # 2.6.21: 51a2f077c44e ("USB: introduce usb_anchor")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191009104846.5925-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/iowarrior.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -87,6 +87,7 @@ struct iowarrior {
+ char chip_serial[9]; /* the serial number string of the chip connected */
+ int report_size; /* number of bytes in a report */
+ u16 product_id;
++ struct usb_anchor submitted;
+ };
+
+ /*--------------*/
+@@ -425,11 +426,13 @@ static ssize_t iowarrior_write(struct fi
+ retval = -EFAULT;
+ goto error;
+ }
++ usb_anchor_urb(int_out_urb, &dev->submitted);
+ retval = usb_submit_urb(int_out_urb, GFP_KERNEL);
+ if (retval) {
+ dev_dbg(&dev->interface->dev,
+ "submit error %d for urb nr.%d\n",
+ retval, atomic_read(&dev->write_busy));
++ usb_unanchor_urb(int_out_urb);
+ goto error;
+ }
+ /* submit was ok */
+@@ -770,6 +773,8 @@ static int iowarrior_probe(struct usb_in
+ iface_desc = interface->cur_altsetting;
+ dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
+
++ init_usb_anchor(&dev->submitted);
++
+ res = usb_find_last_int_in_endpoint(iface_desc, &dev->int_in_endpoint);
+ if (res) {
+ dev_err(&interface->dev, "no interrupt-in endpoint found\n");
+@@ -885,6 +890,7 @@ static void iowarrior_disconnect(struct
+ Deleting the device is postponed until close() was called.
+ */
+ usb_kill_urb(dev->int_in_urb);
++ usb_kill_anchored_urbs(&dev->submitted);
+ wake_up_interruptible(&dev->read_wait);
+ wake_up_interruptible(&dev->write_wait);
+ mutex_unlock(&dev->mutex);
--- /dev/null
+From edc4746f253d907d048de680a621e121517f484b Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 9 Oct 2019 12:48:41 +0200
+Subject: USB: iowarrior: fix use-after-free on disconnect
+
+From: Johan Hovold <johan@kernel.org>
+
+commit edc4746f253d907d048de680a621e121517f484b upstream.
+
+A recent fix addressing a deadlock on disconnect introduced a new bug
+by moving the present flag out of the critical section protected by the
+driver-data mutex. This could lead to a racing release() freeing the
+driver data before disconnect() is done with it.
+
+Due to insufficient locking a related use-after-free could be triggered
+also before the above mentioned commit. Specifically, the driver needs
+to hold the driver-data mutex also while checking the opened flag at
+disconnect().
+
+Fixes: c468a8aa790e ("usb: iowarrior: fix deadlock on disconnect")
+Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
+Cc: stable <stable@vger.kernel.org> # 2.6.21
+Reported-by: syzbot+0761012cebf7bdb38137@syzkaller.appspotmail.com
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191009104846.5925-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/iowarrior.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -866,8 +866,6 @@ static void iowarrior_disconnect(struct
+ dev = usb_get_intfdata(interface);
+ mutex_lock(&iowarrior_open_disc_lock);
+ usb_set_intfdata(interface, NULL);
+- /* prevent device read, write and ioctl */
+- dev->present = 0;
+
+ minor = dev->minor;
+ mutex_unlock(&iowarrior_open_disc_lock);
+@@ -878,8 +876,7 @@ static void iowarrior_disconnect(struct
+ mutex_lock(&dev->mutex);
+
+ /* prevent device read, write and ioctl */
+-
+- mutex_unlock(&dev->mutex);
++ dev->present = 0;
+
+ if (dev->opened) {
+ /* There is a process that holds a filedescriptor to the device ,
+@@ -889,8 +886,10 @@ static void iowarrior_disconnect(struct
+ usb_kill_urb(dev->int_in_urb);
+ wake_up_interruptible(&dev->read_wait);
+ wake_up_interruptible(&dev->write_wait);
++ mutex_unlock(&dev->mutex);
+ } else {
+ /* no process is using the device, cleanup now */
++ mutex_unlock(&dev->mutex);
+ iowarrior_delete(dev);
+ }
+
--- /dev/null
+From 80cd5479b525093a56ef768553045741af61b250 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 9 Oct 2019 12:48:42 +0200
+Subject: USB: iowarrior: fix use-after-free on release
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 80cd5479b525093a56ef768553045741af61b250 upstream.
+
+The driver was accessing its struct usb_interface from its release()
+callback without holding a reference. This would lead to a
+use-after-free whenever debugging was enabled and the device was
+disconnected while its character device was open.
+
+Fixes: 549e83500b80 ("USB: iowarrior: Convert local dbg macro to dev_dbg")
+Cc: stable <stable@vger.kernel.org> # 3.16
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191009104846.5925-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/iowarrior.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -243,6 +243,7 @@ static inline void iowarrior_delete(stru
+ kfree(dev->int_in_buffer);
+ usb_free_urb(dev->int_in_urb);
+ kfree(dev->read_queue);
++ usb_put_intf(dev->interface);
+ kfree(dev);
+ }
+
+@@ -764,7 +765,7 @@ static int iowarrior_probe(struct usb_in
+ init_waitqueue_head(&dev->write_wait);
+
+ dev->udev = udev;
+- dev->interface = interface;
++ dev->interface = usb_get_intf(interface);
+
+ iface_desc = interface->cur_altsetting;
+ dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
--- /dev/null
+From 58ecf131e74620305175a7aa103f81350bb37570 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 9 Oct 2019 17:38:46 +0200
+Subject: USB: ldusb: fix NULL-derefs on driver unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 58ecf131e74620305175a7aa103f81350bb37570 upstream.
+
+The driver was using its struct usb_interface pointer as an inverted
+disconnected flag, but was setting it to NULL before making sure all
+completion handlers had run. This could lead to a NULL-pointer
+dereference in a number of dev_dbg, dev_warn and dev_err statements in
+the completion handlers which relies on said pointer.
+
+Fix this by unconditionally stopping all I/O and preventing
+resubmissions by poisoning the interrupt URBs at disconnect and using a
+dedicated disconnected flag.
+
+This also makes sure that all I/O has completed by the time the
+disconnect callback returns.
+
+Fixes: 2824bd250f0b ("[PATCH] USB: add ldusb driver")
+Cc: stable <stable@vger.kernel.org> # 2.6.13
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191009153848.8664-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/ldusb.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/drivers/usb/misc/ldusb.c
++++ b/drivers/usb/misc/ldusb.c
+@@ -153,6 +153,7 @@ MODULE_PARM_DESC(min_interrupt_out_inter
+ struct ld_usb {
+ struct mutex mutex; /* locks this structure */
+ struct usb_interface *intf; /* save off the usb interface pointer */
++ unsigned long disconnected:1;
+
+ int open_count; /* number of times this port has been opened */
+
+@@ -192,12 +193,10 @@ static void ld_usb_abort_transfers(struc
+ /* shutdown transfer */
+ if (dev->interrupt_in_running) {
+ dev->interrupt_in_running = 0;
+- if (dev->intf)
+- usb_kill_urb(dev->interrupt_in_urb);
++ usb_kill_urb(dev->interrupt_in_urb);
+ }
+ if (dev->interrupt_out_busy)
+- if (dev->intf)
+- usb_kill_urb(dev->interrupt_out_urb);
++ usb_kill_urb(dev->interrupt_out_urb);
+ }
+
+ /**
+@@ -205,8 +204,6 @@ static void ld_usb_abort_transfers(struc
+ */
+ static void ld_usb_delete(struct ld_usb *dev)
+ {
+- ld_usb_abort_transfers(dev);
+-
+ /* free data structures */
+ usb_free_urb(dev->interrupt_in_urb);
+ usb_free_urb(dev->interrupt_out_urb);
+@@ -263,7 +260,7 @@ static void ld_usb_interrupt_in_callback
+
+ resubmit:
+ /* resubmit if we're still running */
+- if (dev->interrupt_in_running && !dev->buffer_overflow && dev->intf) {
++ if (dev->interrupt_in_running && !dev->buffer_overflow) {
+ retval = usb_submit_urb(dev->interrupt_in_urb, GFP_ATOMIC);
+ if (retval) {
+ dev_err(&dev->intf->dev,
+@@ -392,7 +389,7 @@ static int ld_usb_release(struct inode *
+ retval = -ENODEV;
+ goto unlock_exit;
+ }
+- if (dev->intf == NULL) {
++ if (dev->disconnected) {
+ /* the device was unplugged before the file was released */
+ mutex_unlock(&dev->mutex);
+ /* unlock here as ld_usb_delete frees dev */
+@@ -423,7 +420,7 @@ static __poll_t ld_usb_poll(struct file
+
+ dev = file->private_data;
+
+- if (!dev->intf)
++ if (dev->disconnected)
+ return EPOLLERR | EPOLLHUP;
+
+ poll_wait(file, &dev->read_wait, wait);
+@@ -462,7 +459,7 @@ static ssize_t ld_usb_read(struct file *
+ }
+
+ /* verify that the device wasn't unplugged */
+- if (dev->intf == NULL) {
++ if (dev->disconnected) {
+ retval = -ENODEV;
+ printk(KERN_ERR "ldusb: No device or device unplugged %d\n", retval);
+ goto unlock_exit;
+@@ -542,7 +539,7 @@ static ssize_t ld_usb_write(struct file
+ }
+
+ /* verify that the device wasn't unplugged */
+- if (dev->intf == NULL) {
++ if (dev->disconnected) {
+ retval = -ENODEV;
+ printk(KERN_ERR "ldusb: No device or device unplugged %d\n", retval);
+ goto unlock_exit;
+@@ -764,6 +761,9 @@ static void ld_usb_disconnect(struct usb
+ /* give back our minor */
+ usb_deregister_dev(intf, &ld_usb_class);
+
++ usb_poison_urb(dev->interrupt_in_urb);
++ usb_poison_urb(dev->interrupt_out_urb);
++
+ mutex_lock(&dev->mutex);
+
+ /* if the device is not opened, then we clean up right now */
+@@ -771,7 +771,7 @@ static void ld_usb_disconnect(struct usb
+ mutex_unlock(&dev->mutex);
+ ld_usb_delete(dev);
+ } else {
+- dev->intf = NULL;
++ dev->disconnected = 1;
+ /* wake up pollers */
+ wake_up_interruptible_all(&dev->read_wait);
+ wake_up_interruptible_all(&dev->write_wait);
--- /dev/null
+From 33a7813219f208f4952ece60ee255fd983272dec Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 19 Sep 2019 10:30:37 +0200
+Subject: USB: legousbtower: fix deadlock on disconnect
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 33a7813219f208f4952ece60ee255fd983272dec upstream.
+
+Fix a potential deadlock if disconnect races with open.
+
+Since commit d4ead16f50f9 ("USB: prevent char device open/deregister
+race") core holds an rw-semaphore while open is called and when
+releasing the minor number during deregistration. This can lead to an
+ABBA deadlock if a driver takes a lock in open which it also holds
+during deregistration.
+
+This effectively reverts commit 78663ecc344b ("USB: disconnect open race
+in legousbtower") which needlessly introduced this issue after a generic
+fix for this race had been added to core by commit d4ead16f50f9 ("USB:
+prevent char device open/deregister race").
+
+Fixes: 78663ecc344b ("USB: disconnect open race in legousbtower")
+Cc: stable <stable@vger.kernel.org> # 2.6.24
+Reported-by: syzbot+f9549f5ee8a5416f0b95@syzkaller.appspotmail.com
+Tested-by: syzbot+f9549f5ee8a5416f0b95@syzkaller.appspotmail.com
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20190919083039.30898-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/legousbtower.c | 19 ++-----------------
+ 1 file changed, 2 insertions(+), 17 deletions(-)
+
+--- a/drivers/usb/misc/legousbtower.c
++++ b/drivers/usb/misc/legousbtower.c
+@@ -179,7 +179,6 @@ static const struct usb_device_id tower_
+ };
+
+ MODULE_DEVICE_TABLE (usb, tower_table);
+-static DEFINE_MUTEX(open_disc_mutex);
+
+ #define LEGO_USB_TOWER_MINOR_BASE 160
+
+@@ -332,18 +331,14 @@ static int tower_open (struct inode *ino
+ goto exit;
+ }
+
+- mutex_lock(&open_disc_mutex);
+ dev = usb_get_intfdata(interface);
+-
+ if (!dev) {
+- mutex_unlock(&open_disc_mutex);
+ retval = -ENODEV;
+ goto exit;
+ }
+
+ /* lock this device */
+ if (mutex_lock_interruptible(&dev->lock)) {
+- mutex_unlock(&open_disc_mutex);
+ retval = -ERESTARTSYS;
+ goto exit;
+ }
+@@ -351,12 +346,10 @@ static int tower_open (struct inode *ino
+
+ /* allow opening only once */
+ if (dev->open_count) {
+- mutex_unlock(&open_disc_mutex);
+ retval = -EBUSY;
+ goto unlock_exit;
+ }
+ dev->open_count = 1;
+- mutex_unlock(&open_disc_mutex);
+
+ /* reset the tower */
+ result = usb_control_msg (dev->udev,
+@@ -423,10 +416,9 @@ static int tower_release (struct inode *
+
+ if (dev == NULL) {
+ retval = -ENODEV;
+- goto exit_nolock;
++ goto exit;
+ }
+
+- mutex_lock(&open_disc_mutex);
+ if (mutex_lock_interruptible(&dev->lock)) {
+ retval = -ERESTARTSYS;
+ goto exit;
+@@ -456,10 +448,7 @@ static int tower_release (struct inode *
+
+ unlock_exit:
+ mutex_unlock(&dev->lock);
+-
+ exit:
+- mutex_unlock(&open_disc_mutex);
+-exit_nolock:
+ return retval;
+ }
+
+@@ -912,7 +901,6 @@ static int tower_probe (struct usb_inter
+ if (retval) {
+ /* something prevented us from registering this driver */
+ dev_err(idev, "Not able to get a minor for this device.\n");
+- usb_set_intfdata (interface, NULL);
+ goto error;
+ }
+ dev->minor = interface->minor;
+@@ -944,16 +932,13 @@ static void tower_disconnect (struct usb
+ int minor;
+
+ dev = usb_get_intfdata (interface);
+- mutex_lock(&open_disc_mutex);
+- usb_set_intfdata (interface, NULL);
+
+ minor = dev->minor;
+
+- /* give back our minor */
++ /* give back our minor and prevent further open() */
+ usb_deregister_dev (interface, &tower_class);
+
+ mutex_lock(&dev->lock);
+- mutex_unlock(&open_disc_mutex);
+
+ /* if the device is not opened, then we clean up right now */
+ if (!dev->open_count) {
--- /dev/null
+From 0b074f6986751361ff442bc1127c1648567aa8d6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 19 Sep 2019 10:30:39 +0200
+Subject: USB: legousbtower: fix open after failed reset request
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 0b074f6986751361ff442bc1127c1648567aa8d6 upstream.
+
+The driver would return with a nonzero open count in case the reset
+control request failed. This would prevent any further attempts to open
+the char dev until the device was disconnected.
+
+Fix this by incrementing the open count only on successful open.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190919083039.30898-5-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/legousbtower.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/misc/legousbtower.c
++++ b/drivers/usb/misc/legousbtower.c
+@@ -348,7 +348,6 @@ static int tower_open (struct inode *ino
+ retval = -EBUSY;
+ goto unlock_exit;
+ }
+- dev->open_count = 1;
+
+ /* reset the tower */
+ result = usb_control_msg (dev->udev,
+@@ -388,13 +387,14 @@ static int tower_open (struct inode *ino
+ dev_err(&dev->udev->dev,
+ "Couldn't submit interrupt_in_urb %d\n", retval);
+ dev->interrupt_in_running = 0;
+- dev->open_count = 0;
+ goto unlock_exit;
+ }
+
+ /* save device in the file's private structure */
+ file->private_data = dev;
+
++ dev->open_count = 1;
++
+ unlock_exit:
+ mutex_unlock(&dev->lock);
+
--- /dev/null
+From cd81e6fa8e033e7bcd59415b4a65672b4780030b Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 19 Sep 2019 10:30:38 +0200
+Subject: USB: legousbtower: fix potential NULL-deref on disconnect
+
+From: Johan Hovold <johan@kernel.org>
+
+commit cd81e6fa8e033e7bcd59415b4a65672b4780030b upstream.
+
+The driver is using its struct usb_device pointer as an inverted
+disconnected flag, but was setting it to NULL before making sure all
+completion handlers had run. This could lead to a NULL-pointer
+dereference in a number of dev_dbg and dev_err statements in the
+completion handlers which relies on said pointer.
+
+Fix this by unconditionally stopping all I/O and preventing
+resubmissions by poisoning the interrupt URBs at disconnect and using a
+dedicated disconnected flag.
+
+This also makes sure that all I/O has completed by the time the
+disconnect callback returns.
+
+Fixes: 9d974b2a06e3 ("USB: legousbtower.c: remove err() usage")
+Fixes: fef526cae700 ("USB: legousbtower: remove custom debug macro")
+Fixes: 4dae99638097 ("USB: legotower: remove custom debug macro and module parameter")
+Cc: stable <stable@vger.kernel.org> # 3.5
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20190919083039.30898-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/legousbtower.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/misc/legousbtower.c
++++ b/drivers/usb/misc/legousbtower.c
+@@ -190,6 +190,7 @@ struct lego_usb_tower {
+ unsigned char minor; /* the starting minor number for this device */
+
+ int open_count; /* number of times this port has been opened */
++ unsigned long disconnected:1;
+
+ char* read_buffer;
+ size_t read_buffer_length; /* this much came in */
+@@ -289,8 +290,6 @@ static inline void lego_usb_tower_debug_
+ */
+ static inline void tower_delete (struct lego_usb_tower *dev)
+ {
+- tower_abort_transfers (dev);
+-
+ /* free data structures */
+ usb_free_urb(dev->interrupt_in_urb);
+ usb_free_urb(dev->interrupt_out_urb);
+@@ -430,7 +429,8 @@ static int tower_release (struct inode *
+ retval = -ENODEV;
+ goto unlock_exit;
+ }
+- if (dev->udev == NULL) {
++
++ if (dev->disconnected) {
+ /* the device was unplugged before the file was released */
+
+ /* unlock here as tower_delete frees dev */
+@@ -466,10 +466,9 @@ static void tower_abort_transfers (struc
+ if (dev->interrupt_in_running) {
+ dev->interrupt_in_running = 0;
+ mb();
+- if (dev->udev)
+- usb_kill_urb (dev->interrupt_in_urb);
++ usb_kill_urb(dev->interrupt_in_urb);
+ }
+- if (dev->interrupt_out_busy && dev->udev)
++ if (dev->interrupt_out_busy)
+ usb_kill_urb(dev->interrupt_out_urb);
+ }
+
+@@ -505,7 +504,7 @@ static __poll_t tower_poll (struct file
+
+ dev = file->private_data;
+
+- if (!dev->udev)
++ if (dev->disconnected)
+ return EPOLLERR | EPOLLHUP;
+
+ poll_wait(file, &dev->read_wait, wait);
+@@ -552,7 +551,7 @@ static ssize_t tower_read (struct file *
+ }
+
+ /* verify that the device wasn't unplugged */
+- if (dev->udev == NULL) {
++ if (dev->disconnected) {
+ retval = -ENODEV;
+ pr_err("No device or device unplugged %d\n", retval);
+ goto unlock_exit;
+@@ -638,7 +637,7 @@ static ssize_t tower_write (struct file
+ }
+
+ /* verify that the device wasn't unplugged */
+- if (dev->udev == NULL) {
++ if (dev->disconnected) {
+ retval = -ENODEV;
+ pr_err("No device or device unplugged %d\n", retval);
+ goto unlock_exit;
+@@ -748,7 +747,7 @@ static void tower_interrupt_in_callback
+
+ resubmit:
+ /* resubmit if we're still running */
+- if (dev->interrupt_in_running && dev->udev) {
++ if (dev->interrupt_in_running) {
+ retval = usb_submit_urb (dev->interrupt_in_urb, GFP_ATOMIC);
+ if (retval)
+ dev_err(&dev->udev->dev,
+@@ -813,6 +812,7 @@ static int tower_probe (struct usb_inter
+
+ dev->udev = udev;
+ dev->open_count = 0;
++ dev->disconnected = 0;
+
+ dev->read_buffer = NULL;
+ dev->read_buffer_length = 0;
+@@ -938,6 +938,10 @@ static void tower_disconnect (struct usb
+ /* give back our minor and prevent further open() */
+ usb_deregister_dev (interface, &tower_class);
+
++ /* stop I/O */
++ usb_poison_urb(dev->interrupt_in_urb);
++ usb_poison_urb(dev->interrupt_out_urb);
++
+ mutex_lock(&dev->lock);
+
+ /* if the device is not opened, then we clean up right now */
+@@ -945,7 +949,7 @@ static void tower_disconnect (struct usb
+ mutex_unlock(&dev->lock);
+ tower_delete (dev);
+ } else {
+- dev->udev = NULL;
++ dev->disconnected = 1;
+ /* wake up pollers */
+ wake_up_interruptible_all(&dev->read_wait);
+ wake_up_interruptible_all(&dev->write_wait);
--- /dev/null
+From 1d427be4a39defadda6dd8f4659bc17f7591740f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 19 Sep 2019 10:30:36 +0200
+Subject: USB: legousbtower: fix slab info leak at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1d427be4a39defadda6dd8f4659bc17f7591740f upstream.
+
+Make sure to check for short transfers when retrieving the version
+information at probe to avoid leaking uninitialised slab data when
+logging it.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20190919083039.30898-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/legousbtower.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/misc/legousbtower.c
++++ b/drivers/usb/misc/legousbtower.c
+@@ -891,8 +891,10 @@ static int tower_probe (struct usb_inter
+ get_version_reply,
+ sizeof(*get_version_reply),
+ 1000);
+- if (result < 0) {
+- dev_err(idev, "LEGO USB Tower get version control request failed\n");
++ if (result < sizeof(*get_version_reply)) {
++ if (result >= 0)
++ result = -EIO;
++ dev_err(idev, "get version request failed: %d\n", result);
+ retval = result;
+ goto error;
+ }
--- /dev/null
+From 726b55d0e22ca72c69c947af87785c830289ddbc Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 9 Oct 2019 17:38:47 +0200
+Subject: USB: legousbtower: fix use-after-free on release
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 726b55d0e22ca72c69c947af87785c830289ddbc upstream.
+
+The driver was accessing its struct usb_device in its release()
+callback without holding a reference. This would lead to a
+use-after-free whenever the device was disconnected while the character
+device was still open.
+
+Fixes: fef526cae700 ("USB: legousbtower: remove custom debug macro")
+Cc: stable <stable@vger.kernel.org> # 3.12
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191009153848.8664-5-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/legousbtower.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/legousbtower.c
++++ b/drivers/usb/misc/legousbtower.c
+@@ -296,6 +296,7 @@ static inline void tower_delete (struct
+ kfree (dev->read_buffer);
+ kfree (dev->interrupt_in_buffer);
+ kfree (dev->interrupt_out_buffer);
++ usb_put_dev(dev->udev);
+ kfree (dev);
+ }
+
+@@ -810,7 +811,7 @@ static int tower_probe (struct usb_inter
+
+ mutex_init(&dev->lock);
+
+- dev->udev = udev;
++ dev->udev = usb_get_dev(udev);
+ dev->open_count = 0;
+ dev->disconnected = 0;
+
--- /dev/null
+From 177238c3d47d54b2ed8f0da7a4290db492f4a057 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 3 Oct 2019 09:09:31 +0200
+Subject: USB: microtek: fix info-leak at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 177238c3d47d54b2ed8f0da7a4290db492f4a057 upstream.
+
+Add missing bulk-in endpoint sanity check to prevent uninitialised stack
+data from being reported to the system log and used as endpoint
+addresses.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable@vger.kernel.org>
+Reported-by: syzbot+5630ca7c3b2be5c9da5e@syzkaller.appspotmail.com
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20191003070931.17009-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/image/microtek.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/image/microtek.c
++++ b/drivers/usb/image/microtek.c
+@@ -716,6 +716,10 @@ static int mts_usb_probe(struct usb_inte
+
+ }
+
++ if (ep_in_current != &ep_in_set[2]) {
++ MTS_WARNING("couldn't find two input bulk endpoints. Bailing out.\n");
++ return -ENODEV;
++ }
+
+ if ( ep_out == -1 ) {
+ MTS_WARNING( "couldn't find an output bulk endpoint. Bailing out.\n" );
--- /dev/null
+From 1aae1394294cb71c6aa0bc904a94a7f2f1e75936 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Tue, 1 Oct 2019 19:10:32 +0900
+Subject: usb: renesas_usbhs: gadget: Do not discard queues in usb_ep_set_{halt,wedge}()
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 1aae1394294cb71c6aa0bc904a94a7f2f1e75936 upstream.
+
+The commit 97664a207bc2 ("usb: renesas_usbhs: shrink spin lock area")
+had added a usbhsg_pipe_disable() calling into
+__usbhsg_ep_set_halt_wedge() accidentally. But, this driver should
+not call the usbhsg_pipe_disable() because the function discards
+all queues. So, this patch removes it.
+
+Fixes: 97664a207bc2 ("usb: renesas_usbhs: shrink spin lock area")
+Cc: <stable@vger.kernel.org> # v3.1+
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://lore.kernel.org/r/1569924633-322-2-git-send-email-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/renesas_usbhs/mod_gadget.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/usb/renesas_usbhs/mod_gadget.c
++++ b/drivers/usb/renesas_usbhs/mod_gadget.c
+@@ -723,8 +723,6 @@ static int __usbhsg_ep_set_halt_wedge(st
+ struct device *dev = usbhsg_gpriv_to_dev(gpriv);
+ unsigned long flags;
+
+- usbhsg_pipe_disable(uep);
+-
+ dev_dbg(dev, "set halt %d (pipe %d)\n",
+ halt, usbhs_pipe_number(pipe));
+
--- /dev/null
+From 4d599cd3a097a85a5c68a2c82b9a48cddf9953ec Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Tue, 1 Oct 2019 19:10:33 +0900
+Subject: usb: renesas_usbhs: gadget: Fix usb_ep_set_{halt,wedge}() behavior
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 4d599cd3a097a85a5c68a2c82b9a48cddf9953ec upstream.
+
+According to usb_ep_set_halt()'s description,
+__usbhsg_ep_set_halt_wedge() should return -EAGAIN if the IN endpoint
+has any queue or data. Otherwise, this driver is possible to cause
+just STALL without sending a short packet data on g_mass_storage driver,
+and then a few resetting a device happens on a host side during
+a usb enumaration.
+
+Fixes: 2f98382dcdfe ("usb: renesas_usbhs: Add Renesas USBHS Gadget")
+Cc: <stable@vger.kernel.org> # v3.0+
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://lore.kernel.org/r/1569924633-322-3-git-send-email-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/renesas_usbhs/common.h | 1 +
+ drivers/usb/renesas_usbhs/fifo.c | 2 +-
+ drivers/usb/renesas_usbhs/fifo.h | 1 +
+ drivers/usb/renesas_usbhs/mod_gadget.c | 16 +++++++++++++++-
+ drivers/usb/renesas_usbhs/pipe.c | 15 +++++++++++++++
+ drivers/usb/renesas_usbhs/pipe.h | 1 +
+ 6 files changed, 34 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/renesas_usbhs/common.h
++++ b/drivers/usb/renesas_usbhs/common.h
+@@ -211,6 +211,7 @@ struct usbhs_priv;
+ /* DCPCTR */
+ #define BSTS (1 << 15) /* Buffer Status */
+ #define SUREQ (1 << 14) /* Sending SETUP Token */
++#define INBUFM (1 << 14) /* (PIPEnCTR) Transfer Buffer Monitor */
+ #define CSSTS (1 << 12) /* CSSTS Status */
+ #define ACLRM (1 << 9) /* Buffer Auto-Clear Mode */
+ #define SQCLR (1 << 8) /* Toggle Bit Clear */
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -89,7 +89,7 @@ static void __usbhsf_pkt_del(struct usbh
+ list_del_init(&pkt->node);
+ }
+
+-static struct usbhs_pkt *__usbhsf_pkt_get(struct usbhs_pipe *pipe)
++struct usbhs_pkt *__usbhsf_pkt_get(struct usbhs_pipe *pipe)
+ {
+ return list_first_entry_or_null(&pipe->list, struct usbhs_pkt, node);
+ }
+--- a/drivers/usb/renesas_usbhs/fifo.h
++++ b/drivers/usb/renesas_usbhs/fifo.h
+@@ -97,5 +97,6 @@ void usbhs_pkt_push(struct usbhs_pipe *p
+ void *buf, int len, int zero, int sequence);
+ struct usbhs_pkt *usbhs_pkt_pop(struct usbhs_pipe *pipe, struct usbhs_pkt *pkt);
+ void usbhs_pkt_start(struct usbhs_pipe *pipe);
++struct usbhs_pkt *__usbhsf_pkt_get(struct usbhs_pipe *pipe);
+
+ #endif /* RENESAS_USB_FIFO_H */
+--- a/drivers/usb/renesas_usbhs/mod_gadget.c
++++ b/drivers/usb/renesas_usbhs/mod_gadget.c
+@@ -722,6 +722,7 @@ static int __usbhsg_ep_set_halt_wedge(st
+ struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv);
+ struct device *dev = usbhsg_gpriv_to_dev(gpriv);
+ unsigned long flags;
++ int ret = 0;
+
+ dev_dbg(dev, "set halt %d (pipe %d)\n",
+ halt, usbhs_pipe_number(pipe));
+@@ -729,6 +730,18 @@ static int __usbhsg_ep_set_halt_wedge(st
+ /******************** spin lock ********************/
+ usbhs_lock(priv, flags);
+
++ /*
++ * According to usb_ep_set_halt()'s description, this function should
++ * return -EAGAIN if the IN endpoint has any queue or data. Note
++ * that the usbhs_pipe_is_dir_in() returns false if the pipe is an
++ * IN endpoint in the gadget mode.
++ */
++ if (!usbhs_pipe_is_dir_in(pipe) && (__usbhsf_pkt_get(pipe) ||
++ usbhs_pipe_contains_transmittable_data(pipe))) {
++ ret = -EAGAIN;
++ goto out;
++ }
++
+ if (halt)
+ usbhs_pipe_stall(pipe);
+ else
+@@ -739,10 +752,11 @@ static int __usbhsg_ep_set_halt_wedge(st
+ else
+ usbhsg_status_clr(gpriv, USBHSG_STATUS_WEDGE);
+
++out:
+ usbhs_unlock(priv, flags);
+ /******************** spin unlock ******************/
+
+- return 0;
++ return ret;
+ }
+
+ static int usbhsg_ep_set_halt(struct usb_ep *ep, int value)
+--- a/drivers/usb/renesas_usbhs/pipe.c
++++ b/drivers/usb/renesas_usbhs/pipe.c
+@@ -277,6 +277,21 @@ int usbhs_pipe_is_accessible(struct usbh
+ return -EBUSY;
+ }
+
++bool usbhs_pipe_contains_transmittable_data(struct usbhs_pipe *pipe)
++{
++ u16 val;
++
++ /* Do not support for DCP pipe */
++ if (usbhs_pipe_is_dcp(pipe))
++ return false;
++
++ val = usbhsp_pipectrl_get(pipe);
++ if (val & INBUFM)
++ return true;
++
++ return false;
++}
++
+ /*
+ * PID ctrl
+ */
+--- a/drivers/usb/renesas_usbhs/pipe.h
++++ b/drivers/usb/renesas_usbhs/pipe.h
+@@ -83,6 +83,7 @@ void usbhs_pipe_clear(struct usbhs_pipe
+ void usbhs_pipe_clear_without_sequence(struct usbhs_pipe *pipe,
+ int needs_bfre, int bfre_enable);
+ int usbhs_pipe_is_accessible(struct usbhs_pipe *pipe);
++bool usbhs_pipe_contains_transmittable_data(struct usbhs_pipe *pipe);
+ void usbhs_pipe_enable(struct usbhs_pipe *pipe);
+ void usbhs_pipe_disable(struct usbhs_pipe *pipe);
+ void usbhs_pipe_stall(struct usbhs_pipe *pipe);
--- /dev/null
+From d51bdb93ca7e71d7fb30a572c7b47ed0194bf3fe Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 1 Oct 2019 10:49:07 +0200
+Subject: USB: serial: fix runtime PM after driver unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit d51bdb93ca7e71d7fb30a572c7b47ed0194bf3fe upstream.
+
+Since commit c2b71462d294 ("USB: core: Fix bug caused by duplicate
+interface PM usage counter") USB drivers must always balance their
+runtime PM gets and puts, including when the driver has already been
+unbound from the interface.
+
+Leaving the interface with a positive PM usage counter would prevent a
+later bound driver from suspending the device.
+
+Fixes: c2b71462d294 ("USB: core: Fix bug caused by duplicate interface PM usage counter")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191001084908.2003-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/usb-serial.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/usb-serial.c
++++ b/drivers/usb/serial/usb-serial.c
+@@ -314,10 +314,7 @@ static void serial_cleanup(struct tty_st
+ serial = port->serial;
+ owner = serial->type->driver.owner;
+
+- mutex_lock(&serial->disc_mutex);
+- if (!serial->disconnected)
+- usb_autopm_put_interface(serial->interface);
+- mutex_unlock(&serial->disc_mutex);
++ usb_autopm_put_interface(serial->interface);
+
+ usb_serial_put(serial);
+ module_put(owner);
--- /dev/null
+From 357f16d9e0194cdbc36531ff88b453481560b76a Mon Sep 17 00:00:00 2001
+From: Beni Mahler <beni.mahler@gmx.net>
+Date: Thu, 5 Sep 2019 00:26:20 +0200
+Subject: USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20
+
+From: Beni Mahler <beni.mahler@gmx.net>
+
+commit 357f16d9e0194cdbc36531ff88b453481560b76a upstream.
+
+Both devices added here have a FTDI chip inside. The device from Echelon
+is called 'Network Interface' it is actually a LON network gateway.
+
+ ID 0403:8348 Future Technology Devices International, Ltd
+ https://www.eltako.com/fileadmin/downloads/de/datenblatt/Datenblatt_PL-SW-PROF.pdf
+
+ ID 0920:7500 Network Interface
+ https://www.echelon.com/products/u20-usb-network-interface
+
+Signed-off-by: Beni Mahler <beni.mahler@gmx.net>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ftdi_sio.c | 3 +++
+ drivers/usb/serial/ftdi_sio_ids.h | 9 +++++++++
+ 2 files changed, 12 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1030,6 +1030,9 @@ static const struct usb_device_id id_tab
+ /* EZPrototypes devices */
+ { USB_DEVICE(EZPROTOTYPES_VID, HJELMSLUND_USB485_ISO_PID) },
+ { USB_DEVICE_INTERFACE_NUMBER(UNJO_VID, UNJO_ISODEBUG_V1_PID, 1) },
++ /* Sienna devices */
++ { USB_DEVICE(FTDI_VID, FTDI_SIENNA_PID) },
++ { USB_DEVICE(ECHELON_VID, ECHELON_U20_PID) },
+ { } /* Terminating entry */
+ };
+
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -39,6 +39,9 @@
+
+ #define FTDI_LUMEL_PD12_PID 0x6002
+
++/* Sienna Serial Interface by Secyourit GmbH */
++#define FTDI_SIENNA_PID 0x8348
++
+ /* Cyber Cortex AV by Fabulous Silicon (http://fabuloussilicon.com) */
+ #define CYBER_CORTEX_AV_PID 0x8698
+
+@@ -689,6 +692,12 @@
+ #define BANDB_ZZ_PROG1_USB_PID 0xBA02
+
+ /*
++ * Echelon USB Serial Interface
++ */
++#define ECHELON_VID 0x0920
++#define ECHELON_U20_PID 0x7500
++
++/*
+ * Intrepid Control Systems (http://www.intrepidcs.com/) ValueCAN and NeoVI
+ */
+ #define INTREPID_VID 0x093C
--- /dev/null
+From 7d7e21fafdbc7fcf0854b877bd0975b487ed2717 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 3 Oct 2019 15:49:58 +0200
+Subject: USB: serial: keyspan: fix NULL-derefs on open() and write()
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 7d7e21fafdbc7fcf0854b877bd0975b487ed2717 upstream.
+
+Fix NULL-pointer dereferences on open() and write() which can be
+triggered by a malicious USB device.
+
+The current URB allocation helper would fail to initialise the newly
+allocated URB if the device has unexpected endpoint descriptors,
+something which could lead NULL-pointer dereferences in a number of
+open() and write() paths when accessing the URB. For example:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ ...
+ RIP: 0010:usb_clear_halt+0x11/0xc0
+ ...
+ Call Trace:
+ ? tty_port_open+0x4d/0xd0
+ keyspan_open+0x70/0x160 [keyspan]
+ serial_port_activate+0x5b/0x80 [usbserial]
+ tty_port_open+0x7b/0xd0
+ ? check_tty_count+0x43/0xa0
+ tty_open+0xf1/0x490
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ ...
+ RIP: 0010:keyspan_write+0x14e/0x1f3 [keyspan]
+ ...
+ Call Trace:
+ serial_write+0x43/0xa0 [usbserial]
+ n_tty_write+0x1af/0x4f0
+ ? do_wait_intr_irq+0x80/0x80
+ ? process_echoes+0x60/0x60
+ tty_write+0x13f/0x2f0
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ ...
+ RIP: 0010:keyspan_usa26_send_setup+0x298/0x305 [keyspan]
+ ...
+ Call Trace:
+ keyspan_open+0x10f/0x160 [keyspan]
+ serial_port_activate+0x5b/0x80 [usbserial]
+ tty_port_open+0x7b/0xd0
+ ? check_tty_count+0x43/0xa0
+ tty_open+0xf1/0x490
+
+Fixes: fdcba53e2d58 ("fix for bugzilla #7544 (keyspan USB-to-serial converter)")
+Cc: stable <stable@vger.kernel.org> # 2.6.21
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/keyspan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/keyspan.c
++++ b/drivers/usb/serial/keyspan.c
+@@ -1741,8 +1741,8 @@ static struct urb *keyspan_setup_urb(str
+
+ ep_desc = find_ep(serial, endpoint);
+ if (!ep_desc) {
+- /* leak the urb, something's wrong and the callers don't care */
+- return urb;
++ usb_free_urb(urb);
++ return NULL;
+ }
+ if (usb_endpoint_xfer_int(ep_desc)) {
+ ep_type_name = "INT";
--- /dev/null
+From dfbac2f4da6a0c4a8f6b4d715a4077a7b8df53ad Mon Sep 17 00:00:00 2001
+From: Reinhard Speyerer <rspmn@arcor.de>
+Date: Thu, 3 Oct 2019 18:53:21 +0200
+Subject: USB: serial: option: add support for Cinterion CLS8 devices
+
+From: Reinhard Speyerer <rspmn@arcor.de>
+
+commit dfbac2f4da6a0c4a8f6b4d715a4077a7b8df53ad upstream.
+
+Add support for the serial ports of Cinterion CLS8 devices.
+
+T: Bus=01 Lev=03 Prnt=05 Port=01 Cnt=02 Dev#= 25 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1e2d ProdID=00b0 Rev= 3.18
+S: Manufacturer=GEMALTO
+S: Product=USB Modem
+C:* #Ifs= 5 Cfg#= 1 Atr=80 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+E: Ad=89(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Signed-off-by: Reinhard Speyerer <rspmn@arcor.de>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -419,6 +419,7 @@ static void option_instat_callback(struc
+ #define CINTERION_PRODUCT_PH8_AUDIO 0x0083
+ #define CINTERION_PRODUCT_AHXX_2RMNET 0x0084
+ #define CINTERION_PRODUCT_AHXX_AUDIO 0x0085
++#define CINTERION_PRODUCT_CLS8 0x00b0
+
+ /* Olivetti products */
+ #define OLIVETTI_VENDOR_ID 0x0b3c
+@@ -1855,6 +1856,8 @@ static const struct usb_device_id option
+ .driver_info = RSVD(4) },
+ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_2RMNET, 0xff) },
+ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_AUDIO, 0xff) },
++ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_CLS8, 0xff),
++ .driver_info = RSVD(0) | RSVD(4) },
+ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) },
+ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDMNET) },
+ { USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDM) },
--- /dev/null
+From 5eb3f4b87a0e7e949c976f32f296176a06d1a93b Mon Sep 17 00:00:00 2001
+From: Daniele Palmas <dnlplm@gmail.com>
+Date: Mon, 23 Sep 2019 12:23:28 +0200
+Subject: USB: serial: option: add Telit FN980 compositions
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+commit 5eb3f4b87a0e7e949c976f32f296176a06d1a93b upstream.
+
+This patch adds the following Telit FN980 compositions:
+
+0x1050: tty, adb, rmnet, tty, tty, tty, tty
+0x1051: tty, adb, mbim, tty, tty, tty, tty
+0x1052: rndis, tty, adb, tty, tty, tty, tty
+0x1053: tty, adb, ecm, tty, tty, tty, tty
+
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1154,6 +1154,14 @@ static const struct usb_device_id option
+ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG5, 0xff),
+ .driver_info = RSVD(0) | RSVD(1) | NCTRL(2) | RSVD(3) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1050, 0xff), /* Telit FN980 (rmnet) */
++ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1051, 0xff), /* Telit FN980 (MBIM) */
++ .driver_info = NCTRL(0) | RSVD(1) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1052, 0xff), /* Telit FN980 (RNDIS) */
++ .driver_info = NCTRL(2) | RSVD(3) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1053, 0xff), /* Telit FN980 (ECM) */
++ .driver_info = NCTRL(0) | RSVD(1) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910),
+ .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM),
--- /dev/null
+From 7101949f36fc77b530b73e4c6bd0066a2740d75b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 1 Oct 2019 15:01:17 +0300
+Subject: usb: typec: tcpm: usb: typec: tcpm: Fix a signedness bug in tcpm_fw_get_caps()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 7101949f36fc77b530b73e4c6bd0066a2740d75b upstream.
+
+The "port->typec_caps.data" and "port->typec_caps.type" variables are
+enums and in this context GCC will treat them as an unsigned int so they
+can never be less than zero.
+
+Fixes: ae8a2ca8a221 ("usb: typec: Group all TCPCI/TCPM code together")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20191001120117.GA23528@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/tcpm/tcpm.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -4416,18 +4416,20 @@ static int tcpm_fw_get_caps(struct tcpm_
+ /* USB data support is optional */
+ ret = fwnode_property_read_string(fwnode, "data-role", &cap_str);
+ if (ret == 0) {
+- port->typec_caps.data = typec_find_port_data_role(cap_str);
+- if (port->typec_caps.data < 0)
+- return -EINVAL;
++ ret = typec_find_port_data_role(cap_str);
++ if (ret < 0)
++ return ret;
++ port->typec_caps.data = ret;
+ }
+
+ ret = fwnode_property_read_string(fwnode, "power-role", &cap_str);
+ if (ret < 0)
+ return ret;
+
+- port->typec_caps.type = typec_find_port_power_role(cap_str);
+- if (port->typec_caps.type < 0)
+- return -EINVAL;
++ ret = typec_find_port_power_role(cap_str);
++ if (ret < 0)
++ return ret;
++ port->typec_caps.type = ret;
+ port->port_type = port->typec_caps.type;
+
+ if (port->port_type == TYPEC_PORT_SNK)
--- /dev/null
+From 8530e4e20ec2355c273f4dba9002969e68275e5f Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Fri, 4 Oct 2019 13:02:18 +0300
+Subject: usb: typec: ucsi: ccg: Remove run_isr flag
+
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+
+commit 8530e4e20ec2355c273f4dba9002969e68275e5f upstream.
+
+The "run_isr" flag is used for preventing the driver from
+calling the interrupt service routine in its runtime resume
+callback when the driver is expecting completion to a
+command, but what that basically does is that it hides the
+real problem. The real problem is that the controller is
+allowed to suspend in the middle of command execution.
+
+As a more appropriate fix for the problem, using autosuspend
+delay time that matches UCSI_TIMEOUT_MS (5s). That prevents
+the controller from suspending while still in the middle of
+executing a command.
+
+This fixes a potential deadlock. Both ccg_read() and
+ccg_write() are called with the mutex already taken at least
+from ccg_send_command(). In ccg_read() and ccg_write, the
+mutex is only acquired so that run_isr flag can be set.
+
+Fixes: f0e4cd948b91 ("usb: typec: ucsi: ccg: add runtime pm workaround")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20191004100219.71152-2-heikki.krogerus@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/ucsi/ucsi_ccg.c | 42 +++-----------------------------------
+ 1 file changed, 4 insertions(+), 38 deletions(-)
+
+--- a/drivers/usb/typec/ucsi/ucsi_ccg.c
++++ b/drivers/usb/typec/ucsi/ucsi_ccg.c
+@@ -195,7 +195,6 @@ struct ucsi_ccg {
+
+ /* fw build with vendor information */
+ u16 fw_build;
+- bool run_isr; /* flag to call ISR routine during resume */
+ struct work_struct pm_work;
+ };
+
+@@ -224,18 +223,6 @@ static int ccg_read(struct ucsi_ccg *uc,
+ if (quirks && quirks->max_read_len)
+ max_read_len = quirks->max_read_len;
+
+- if (uc->fw_build == CCG_FW_BUILD_NVIDIA &&
+- uc->fw_version <= CCG_OLD_FW_VERSION) {
+- mutex_lock(&uc->lock);
+- /*
+- * Do not schedule pm_work to run ISR in
+- * ucsi_ccg_runtime_resume() after pm_runtime_get_sync()
+- * since we are already in ISR path.
+- */
+- uc->run_isr = false;
+- mutex_unlock(&uc->lock);
+- }
+-
+ pm_runtime_get_sync(uc->dev);
+ while (rem_len > 0) {
+ msgs[1].buf = &data[len - rem_len];
+@@ -278,18 +265,6 @@ static int ccg_write(struct ucsi_ccg *uc
+ msgs[0].len = len + sizeof(rab);
+ msgs[0].buf = buf;
+
+- if (uc->fw_build == CCG_FW_BUILD_NVIDIA &&
+- uc->fw_version <= CCG_OLD_FW_VERSION) {
+- mutex_lock(&uc->lock);
+- /*
+- * Do not schedule pm_work to run ISR in
+- * ucsi_ccg_runtime_resume() after pm_runtime_get_sync()
+- * since we are already in ISR path.
+- */
+- uc->run_isr = false;
+- mutex_unlock(&uc->lock);
+- }
+-
+ pm_runtime_get_sync(uc->dev);
+ status = i2c_transfer(client->adapter, msgs, ARRAY_SIZE(msgs));
+ if (status < 0) {
+@@ -1133,7 +1108,6 @@ static int ucsi_ccg_probe(struct i2c_cli
+ uc->ppm.sync = ucsi_ccg_sync;
+ uc->dev = dev;
+ uc->client = client;
+- uc->run_isr = true;
+ mutex_init(&uc->lock);
+ INIT_WORK(&uc->work, ccg_update_firmware);
+ INIT_WORK(&uc->pm_work, ccg_pm_workaround_work);
+@@ -1195,6 +1169,8 @@ static int ucsi_ccg_probe(struct i2c_cli
+
+ pm_runtime_set_active(uc->dev);
+ pm_runtime_enable(uc->dev);
++ pm_runtime_use_autosuspend(uc->dev);
++ pm_runtime_set_autosuspend_delay(uc->dev, 5000);
+ pm_runtime_idle(uc->dev);
+
+ return 0;
+@@ -1237,7 +1213,6 @@ static int ucsi_ccg_runtime_resume(struc
+ {
+ struct i2c_client *client = to_i2c_client(dev);
+ struct ucsi_ccg *uc = i2c_get_clientdata(client);
+- bool schedule = true;
+
+ /*
+ * Firmware version 3.1.10 or earlier, built for NVIDIA has known issue
+@@ -1245,17 +1220,8 @@ static int ucsi_ccg_runtime_resume(struc
+ * Schedule a work to call ISR as a workaround.
+ */
+ if (uc->fw_build == CCG_FW_BUILD_NVIDIA &&
+- uc->fw_version <= CCG_OLD_FW_VERSION) {
+- mutex_lock(&uc->lock);
+- if (!uc->run_isr) {
+- uc->run_isr = true;
+- schedule = false;
+- }
+- mutex_unlock(&uc->lock);
+-
+- if (schedule)
+- schedule_work(&uc->pm_work);
+- }
++ uc->fw_version <= CCG_OLD_FW_VERSION)
++ schedule_work(&uc->pm_work);
+
+ return 0;
+ }
--- /dev/null
+From f2372b87c386871b16d7dbda680d98d4092ab708 Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Fri, 4 Oct 2019 13:02:19 +0300
+Subject: usb: typec: ucsi: displayport: Fix for the mode entering routine
+
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+
+commit f2372b87c386871b16d7dbda680d98d4092ab708 upstream.
+
+Making sure that ucsi_displayport_enter() function does not
+return an error if the displayport alternate mode has
+already been entered. It's normal that the firmware (or
+controller) has already entered the alternate mode by the
+time the operating system is notified about the device.
+
+Fixes: af8622f6a585 ("usb: typec: ucsi: Support for DisplayPort alt mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20191004100219.71152-3-heikki.krogerus@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/ucsi/displayport.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/typec/ucsi/displayport.c
++++ b/drivers/usb/typec/ucsi/displayport.c
+@@ -75,6 +75,8 @@ static int ucsi_displayport_enter(struct
+
+ if (cur != 0xff) {
+ mutex_unlock(&dp->con->lock);
++ if (dp->con->port_altmode[cur] == alt)
++ return 0;
+ return -EBUSY;
+ }
+
--- /dev/null
+From bed5ef230943863b9abf5eae226a20fad9a8ff71 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 9 Oct 2019 19:09:42 +0200
+Subject: USB: usb-skeleton: fix NULL-deref on disconnect
+
+From: Johan Hovold <johan@kernel.org>
+
+commit bed5ef230943863b9abf5eae226a20fad9a8ff71 upstream.
+
+The driver was using its struct usb_interface pointer as an inverted
+disconnected flag and was setting it to NULL before making sure all
+completion handlers had run. This could lead to NULL-pointer
+dereferences in the dev_err() statements in the completion handlers
+which relies on said pointer.
+
+Fix this by using a dedicated disconnected flag.
+
+Note that this is also addresses a NULL-pointer dereference at release()
+and a struct usb_interface reference leak introduced by a recent runtime
+PM fix, which depends on and should have been submitted together with
+this patch.
+
+Fixes: 4212cd74ca6f ("USB: usb-skeleton.c: remove err() usage")
+Fixes: 5c290a5e42c3 ("USB: usb-skeleton: fix runtime PM after driver unbind")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191009170944.30057-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usb-skeleton.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/usb-skeleton.c
++++ b/drivers/usb/usb-skeleton.c
+@@ -59,6 +59,7 @@ struct usb_skel {
+ spinlock_t err_lock; /* lock for errors */
+ struct kref kref;
+ struct mutex io_mutex; /* synchronize I/O with disconnect */
++ unsigned long disconnected:1;
+ wait_queue_head_t bulk_in_wait; /* to wait for an ongoing read */
+ };
+ #define to_skel_dev(d) container_of(d, struct usb_skel, kref)
+@@ -236,7 +237,7 @@ static ssize_t skel_read(struct file *fi
+ if (rv < 0)
+ return rv;
+
+- if (!dev->interface) { /* disconnect() was called */
++ if (dev->disconnected) { /* disconnect() was called */
+ rv = -ENODEV;
+ goto exit;
+ }
+@@ -418,7 +419,7 @@ static ssize_t skel_write(struct file *f
+
+ /* this lock makes sure we don't submit URBs to gone devices */
+ mutex_lock(&dev->io_mutex);
+- if (!dev->interface) { /* disconnect() was called */
++ if (dev->disconnected) { /* disconnect() was called */
+ mutex_unlock(&dev->io_mutex);
+ retval = -ENODEV;
+ goto error;
+@@ -569,7 +570,7 @@ static void skel_disconnect(struct usb_i
+
+ /* prevent more I/O from starting */
+ mutex_lock(&dev->io_mutex);
+- dev->interface = NULL;
++ dev->disconnected = 1;
+ mutex_unlock(&dev->io_mutex);
+
+ usb_kill_anchored_urbs(&dev->submitted);
--- /dev/null
+From 5c290a5e42c3387e82de86965784d30e6c5270fd Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 1 Oct 2019 10:49:05 +0200
+Subject: USB: usb-skeleton: fix runtime PM after driver unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 5c290a5e42c3387e82de86965784d30e6c5270fd upstream.
+
+Since commit c2b71462d294 ("USB: core: Fix bug caused by duplicate
+interface PM usage counter") USB drivers must always balance their
+runtime PM gets and puts, including when the driver has already been
+unbound from the interface.
+
+Leaving the interface with a positive PM usage counter would prevent a
+later bound driver from suspending the device.
+
+Fixes: c2b71462d294 ("USB: core: Fix bug caused by duplicate interface PM usage counter")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191001084908.2003-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usb-skeleton.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/usb-skeleton.c
++++ b/drivers/usb/usb-skeleton.c
+@@ -71,6 +71,7 @@ static void skel_delete(struct kref *kre
+ struct usb_skel *dev = to_skel_dev(kref);
+
+ usb_free_urb(dev->bulk_in_urb);
++ usb_put_intf(dev->interface);
+ usb_put_dev(dev->udev);
+ kfree(dev->bulk_in_buffer);
+ kfree(dev);
+@@ -122,10 +123,7 @@ static int skel_release(struct inode *in
+ return -ENODEV;
+
+ /* allow the device to be autosuspended */
+- mutex_lock(&dev->io_mutex);
+- if (dev->interface)
+- usb_autopm_put_interface(dev->interface);
+- mutex_unlock(&dev->io_mutex);
++ usb_autopm_put_interface(dev->interface);
+
+ /* decrement the count on our device */
+ kref_put(&dev->kref, skel_delete);
+@@ -505,7 +503,7 @@ static int skel_probe(struct usb_interfa
+ init_waitqueue_head(&dev->bulk_in_wait);
+
+ dev->udev = usb_get_dev(interface_to_usbdev(interface));
+- dev->interface = interface;
++ dev->interface = usb_get_intf(interface);
+
+ /* set up the endpoint information */
+ /* use only the first bulk-in and bulk-out endpoints */
--- /dev/null
+From eb7f5a490c5edfe8126f64bc58b9ba2edef0a425 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 26 Sep 2019 11:12:25 +0200
+Subject: USB: usblcd: fix I/O after disconnect
+
+From: Johan Hovold <johan@kernel.org>
+
+commit eb7f5a490c5edfe8126f64bc58b9ba2edef0a425 upstream.
+
+Make sure to stop all I/O on disconnect by adding a disconnected flag
+which is used to prevent new I/O from being started and by stopping all
+ongoing I/O before returning.
+
+This also fixes a potential use-after-free on driver unbind in case the
+driver data is freed before the completion handler has run.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable@vger.kernel.org> # 7bbe990c989e
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20190926091228.24634-7-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/usblcd.c | 33 +++++++++++++++++++++++++++++++--
+ 1 file changed, 31 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/misc/usblcd.c
++++ b/drivers/usb/misc/usblcd.c
+@@ -18,6 +18,7 @@
+ #include <linux/slab.h>
+ #include <linux/errno.h>
+ #include <linux/mutex.h>
++#include <linux/rwsem.h>
+ #include <linux/uaccess.h>
+ #include <linux/usb.h>
+
+@@ -57,6 +58,8 @@ struct usb_lcd {
+ using up all RAM */
+ struct usb_anchor submitted; /* URBs to wait for
+ before suspend */
++ struct rw_semaphore io_rwsem;
++ unsigned long disconnected:1;
+ };
+ #define to_lcd_dev(d) container_of(d, struct usb_lcd, kref)
+
+@@ -142,6 +145,13 @@ static ssize_t lcd_read(struct file *fil
+
+ dev = file->private_data;
+
++ down_read(&dev->io_rwsem);
++
++ if (dev->disconnected) {
++ retval = -ENODEV;
++ goto out_up_io;
++ }
++
+ /* do a blocking bulk read to get data from the device */
+ retval = usb_bulk_msg(dev->udev,
+ usb_rcvbulkpipe(dev->udev,
+@@ -158,6 +168,9 @@ static ssize_t lcd_read(struct file *fil
+ retval = bytes_read;
+ }
+
++out_up_io:
++ up_read(&dev->io_rwsem);
++
+ return retval;
+ }
+
+@@ -237,11 +250,18 @@ static ssize_t lcd_write(struct file *fi
+ if (r < 0)
+ return -EINTR;
+
++ down_read(&dev->io_rwsem);
++
++ if (dev->disconnected) {
++ retval = -ENODEV;
++ goto err_up_io;
++ }
++
+ /* create a urb, and a buffer for it, and copy the data to the urb */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (!urb) {
+ retval = -ENOMEM;
+- goto err_no_buf;
++ goto err_up_io;
+ }
+
+ buf = usb_alloc_coherent(dev->udev, count, GFP_KERNEL,
+@@ -278,6 +298,7 @@ static ssize_t lcd_write(struct file *fi
+ the USB core will eventually free it entirely */
+ usb_free_urb(urb);
+
++ up_read(&dev->io_rwsem);
+ exit:
+ return count;
+ error_unanchor:
+@@ -285,7 +306,8 @@ error_unanchor:
+ error:
+ usb_free_coherent(dev->udev, count, buf, urb->transfer_dma);
+ usb_free_urb(urb);
+-err_no_buf:
++err_up_io:
++ up_read(&dev->io_rwsem);
+ up(&dev->limit_sem);
+ return retval;
+ }
+@@ -325,6 +347,7 @@ static int lcd_probe(struct usb_interfac
+
+ kref_init(&dev->kref);
+ sema_init(&dev->limit_sem, USB_LCD_CONCURRENT_WRITES);
++ init_rwsem(&dev->io_rwsem);
+ init_usb_anchor(&dev->submitted);
+
+ dev->udev = usb_get_dev(interface_to_usbdev(interface));
+@@ -422,6 +445,12 @@ static void lcd_disconnect(struct usb_in
+ /* give back our minor */
+ usb_deregister_dev(interface, &lcd_class);
+
++ down_write(&dev->io_rwsem);
++ dev->disconnected = 1;
++ up_write(&dev->io_rwsem);
++
++ usb_kill_anchored_urbs(&dev->submitted);
++
+ /* decrement our usage count */
+ kref_put(&dev->kref, lcd_delete);
+
--- /dev/null
+From 9a31535859bfd8d1c3ed391f5e9247cd87bb7909 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 1 Oct 2019 10:49:06 +0200
+Subject: USB: usblp: fix runtime PM after driver unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 9a31535859bfd8d1c3ed391f5e9247cd87bb7909 upstream.
+
+Since commit c2b71462d294 ("USB: core: Fix bug caused by duplicate
+interface PM usage counter") USB drivers must always balance their
+runtime PM gets and puts, including when the driver has already been
+unbound from the interface.
+
+Leaving the interface with a positive PM usage counter would prevent a
+later bound driver from suspending the device.
+
+Fixes: c2b71462d294 ("USB: core: Fix bug caused by duplicate interface PM usage counter")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191001084908.2003-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/usblp.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/class/usblp.c
++++ b/drivers/usb/class/usblp.c
+@@ -461,10 +461,12 @@ static int usblp_release(struct inode *i
+
+ mutex_lock(&usblp_mutex);
+ usblp->used = 0;
+- if (usblp->present) {
++ if (usblp->present)
+ usblp_unlink_urbs(usblp);
+- usb_autopm_put_interface(usblp->intf);
+- } else /* finish cleanup from disconnect */
++
++ usb_autopm_put_interface(usblp->intf);
++
++ if (!usblp->present) /* finish cleanup from disconnect */
+ usblp_cleanup(usblp);
+ mutex_unlock(&usblp_mutex);
+ return 0;
--- /dev/null
+From a70bcbc322837eda1ab5994d12db941dc9733a7d Mon Sep 17 00:00:00 2001
+From: Rick Tseng <rtseng@nvidia.com>
+Date: Fri, 4 Oct 2019 14:59:30 +0300
+Subject: usb: xhci: wait for CNR controller not ready bit in xhci resume
+
+From: Rick Tseng <rtseng@nvidia.com>
+
+commit a70bcbc322837eda1ab5994d12db941dc9733a7d upstream.
+
+NVIDIA 3.1 xHCI card would lose power when moving power state into D3Cold.
+Thus we need to wait for CNR bit to clear in xhci resume, just as in
+xhci init.
+
+[Minor changes to comment and commit message -Mathias]
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Rick Tseng <rtseng@nvidia.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/1570190373-30684-6-git-send-email-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -1108,6 +1108,18 @@ int xhci_resume(struct xhci_hcd *xhci, b
+ hibernated = true;
+
+ if (!hibernated) {
++ /*
++ * Some controllers might lose power during suspend, so wait
++ * for controller not ready bit to clear, just as in xHC init.
++ */
++ retval = xhci_handshake(&xhci->op_regs->status,
++ STS_CNR, 0, 10 * 1000 * 1000);
++ if (retval) {
++ xhci_warn(xhci, "Controller not ready at resume %d\n",
++ retval);
++ spin_unlock_irq(&xhci->lock);
++ return retval;
++ }
+ /* step 1: restore register */
+ xhci_restore_registers(xhci);
+ /* step 2: initialize command ring buffer */
--- /dev/null
+From d500c63f80f2ea08ee300e57da5f2af1c13875f5 Mon Sep 17 00:00:00 2001
+From: Jan Schmidt <jan@centricular.com>
+Date: Fri, 4 Oct 2019 14:59:28 +0300
+Subject: xhci: Check all endpoints for LPM timeout
+
+From: Jan Schmidt <jan@centricular.com>
+
+commit d500c63f80f2ea08ee300e57da5f2af1c13875f5 upstream.
+
+If an endpoint is encountered that returns USB3_LPM_DEVICE_INITIATED, keep
+checking further endpoints, as there might be periodic endpoints later
+that return USB3_LPM_DISABLED due to shorter service intervals.
+
+Without this, the code can set too high a maximum-exit-latency and
+prevent the use of multiple USB3 cameras that should be able to work.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jan Schmidt <jan@centricular.com>
+Tested-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/1570190373-30684-4-git-send-email-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -4673,12 +4673,12 @@ static int xhci_update_timeout_for_endpo
+ alt_timeout = xhci_call_host_update_timeout_for_endpoint(xhci, udev,
+ desc, state, timeout);
+
+- /* If we found we can't enable hub-initiated LPM, or
++ /* If we found we can't enable hub-initiated LPM, and
+ * the U1 or U2 exit latency was too high to allow
+- * device-initiated LPM as well, just stop searching.
++ * device-initiated LPM as well, then we will disable LPM
++ * for this device, so stop searching any further.
+ */
+- if (alt_timeout == USB3_LPM_DISABLED ||
+- alt_timeout == USB3_LPM_DEVICE_INITIATED) {
++ if (alt_timeout == USB3_LPM_DISABLED) {
+ *timeout = alt_timeout;
+ return -E2BIG;
+ }
--- /dev/null
+From c03101ff4f74bb30679c1a03d551ecbef1024bf6 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Fri, 4 Oct 2019 14:59:26 +0300
+Subject: xhci: Fix false warning message about wrong bounce buffer write length
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit c03101ff4f74bb30679c1a03d551ecbef1024bf6 upstream.
+
+The check printing out the "WARN Wrong bounce buffer write length:"
+uses incorrect values when comparing bytes written from scatterlist
+to bounce buffer. Actual copied lengths are fine.
+
+The used seg->bounce_len will be set to equal new_buf_len a few lines later
+in the code, but is incorrect when doing the comparison.
+
+The patch which added this false warning was backported to 4.8+ kernels
+so this should be backported as far as well.
+
+Cc: <stable@vger.kernel.org> # v4.8+
+Fixes: 597c56e372da ("xhci: update bounce buffer with correct sg num")
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/1570190373-30684-2-git-send-email-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -3202,10 +3202,10 @@ static int xhci_align_td(struct xhci_hcd
+ if (usb_urb_dir_out(urb)) {
+ len = sg_pcopy_to_buffer(urb->sg, urb->num_sgs,
+ seg->bounce_buf, new_buff_len, enqd_len);
+- if (len != seg->bounce_len)
++ if (len != new_buff_len)
+ xhci_warn(xhci,
+ "WARN Wrong bounce buffer write length: %zu != %d\n",
+- len, seg->bounce_len);
++ len, new_buff_len);
+ seg->bounce_dma = dma_map_single(dev, seg->bounce_buf,
+ max_pkt, DMA_TO_DEVICE);
+ } else {
--- /dev/null
+From cfbb8a84c2d2ef49bccacb511002bca4f6053555 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Fri, 4 Oct 2019 14:59:33 +0300
+Subject: xhci: Fix NULL pointer dereference in xhci_clear_tt_buffer_complete()
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit cfbb8a84c2d2ef49bccacb511002bca4f6053555 upstream.
+
+udev stored in ep->hcpriv might be NULL if tt buffer is cleared
+due to a halted control endpoint during device enumeration
+
+xhci_clear_tt_buffer_complete is called by hub_tt_work() once it's
+scheduled, and by then usb core might have freed and allocated a
+new udev for the next enumeration attempt.
+
+Fixes: ef513be0a905 ("usb: xhci: Add Clear_TT_Buffer")
+Cc: <stable@vger.kernel.org> # v5.3
+Reported-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/1570190373-30684-9-git-send-email-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -5237,8 +5237,16 @@ static void xhci_clear_tt_buffer_complet
+ unsigned int ep_index;
+ unsigned long flags;
+
++ /*
++ * udev might be NULL if tt buffer is cleared during a failed device
++ * enumeration due to a halted control endpoint. Usb core might
++ * have allocated a new udev for the next enumeration attempt.
++ */
++
+ xhci = hcd_to_xhci(hcd);
+ udev = (struct usb_device *)ep->hcpriv;
++ if (!udev)
++ return;
+ slot_id = udev->slot_id;
+ ep_index = xhci_get_endpoint_index(&ep->desc);
+
--- /dev/null
+From 47f50d61076523e1a0d5a070062c2311320eeca8 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Fri, 4 Oct 2019 14:59:29 +0300
+Subject: xhci: Fix USB 3.1 capability detection on early xHCI 1.1 spec based hosts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 47f50d61076523e1a0d5a070062c2311320eeca8 upstream.
+
+Early xHCI 1.1 spec did not mention USB 3.1 capable hosts should set
+sbrn to 0x31, or that the minor revision is a two digit BCD
+containing minor and sub-minor numbers.
+This was later clarified in xHCI 1.2.
+
+Some USB 3.1 capable hosts therefore have sbrn set to 0x30, or minor
+revision set to 0x1 instead of 0x10.
+
+Detect the USB 3.1 capability correctly for these hosts as well
+
+Fixes: ddd57980a0fd ("xhci: detect USB 3.2 capable host controllers correctly")
+Cc: <stable@vger.kernel.org> # v4.18+
+Cc: Loïc Yhuel <loic.yhuel@gmail.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/1570190373-30684-5-git-send-email-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -5078,11 +5078,18 @@ int xhci_gen_setup(struct usb_hcd *hcd,
+ hcd->has_tt = 1;
+ } else {
+ /*
+- * Some 3.1 hosts return sbrn 0x30, use xhci supported protocol
+- * minor revision instead of sbrn. Minor revision is a two digit
+- * BCD containing minor and sub-minor numbers, only show minor.
++ * Early xHCI 1.1 spec did not mention USB 3.1 capable hosts
++ * should return 0x31 for sbrn, or that the minor revision
++ * is a two digit BCD containig minor and sub-minor numbers.
++ * This was later clarified in xHCI 1.2.
++ *
++ * Some USB 3.1 capable hosts therefore have sbrn 0x30, and
++ * minor revision set to 0x1 instead of 0x10.
+ */
+- minor_rev = xhci->usb3_rhub.min_rev / 0x10;
++ if (xhci->usb3_rhub.min_rev == 0x1)
++ minor_rev = 1;
++ else
++ minor_rev = xhci->usb3_rhub.min_rev / 0x10;
+
+ switch (minor_rev) {
+ case 2:
--- /dev/null
+From ac343366846a445bb81f0a0e8f16abb8bd5d5d88 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Fri, 4 Oct 2019 14:59:32 +0300
+Subject: xhci: Increase STS_SAVE timeout in xhci_suspend()
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit ac343366846a445bb81f0a0e8f16abb8bd5d5d88 upstream.
+
+After commit f7fac17ca925 ("xhci: Convert xhci_handshake() to use
+readl_poll_timeout_atomic()"), ASMedia xHCI may fail to suspend.
+
+Although the algorithms are essentially the same, the old max timeout is
+(usec + usec * time of doing readl()), and the new max timeout is just
+usec, which is much less than the old one.
+
+Increase the timeout to make ASMedia xHCI able to suspend again.
+
+BugLink: https://bugs.launchpad.net/bugs/1844021
+Fixes: f7fac17ca925 ("xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()")
+Cc: <stable@vger.kernel.org> # v5.2+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/1570190373-30684-8-git-send-email-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -1032,7 +1032,7 @@ int xhci_suspend(struct xhci_hcd *xhci,
+ writel(command, &xhci->op_regs->command);
+ xhci->broken_suspend = 0;
+ if (xhci_handshake(&xhci->op_regs->status,
+- STS_SAVE, 0, 10 * 1000)) {
++ STS_SAVE, 0, 20 * 1000)) {
+ /*
+ * AMD SNPS xHC 3.0 occasionally does not clear the
+ * SSS bit of USBSTS and when driver tries to poll
--- /dev/null
+From 8de66b0e6a56ff10dd00d2b0f2ae52e300178587 Mon Sep 17 00:00:00 2001
+From: Bill Kuzeja <William.Kuzeja@stratus.com>
+Date: Fri, 4 Oct 2019 14:59:31 +0300
+Subject: xhci: Prevent deadlock when xhci adapter breaks during init
+
+From: Bill Kuzeja <William.Kuzeja@stratus.com>
+
+commit 8de66b0e6a56ff10dd00d2b0f2ae52e300178587 upstream.
+
+The system can hit a deadlock if an xhci adapter breaks while initializing.
+The deadlock is between two threads: thread 1 is tearing down the
+adapter and is stuck in usb_unlocked_disable_lpm waiting to lock the
+hcd->handwidth_mutex. Thread 2 is holding this mutex (while still trying
+to add a usb device), but is stuck in xhci_endpoint_reset waiting for a
+stop or config command to complete. A reboot is required to resolve.
+
+It turns out when calling xhci_queue_stop_endpoint and
+xhci_queue_configure_endpoint in xhci_endpoint_reset, the return code is
+not checked for errors. If the timing is right and the adapter dies just
+before either of these commands get issued, we hang indefinitely waiting
+for a completion on a command that didn't get issued.
+
+This wasn't a problem before the following fix because we didn't send
+commands in xhci_endpoint_reset:
+
+commit f5249461b504 ("xhci: Clear the host side toggle manually when
+ endpoint is soft reset")
+
+With the patch I am submitting, a duration test which breaks adapters
+during initialization (and which deadlocks with the standard kernel) runs
+without issue.
+
+Fixes: f5249461b504 ("xhci: Clear the host side toggle manually when endpoint is soft reset")
+Cc: <stable@vger.kernel.org> # v4.17+
+Cc: Torez Smith <torez@redhat.com>
+Signed-off-by: Bill Kuzeja <william.kuzeja@stratus.com>
+Signed-off-by: Torez Smith <torez@redhat.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/1570190373-30684-7-git-send-email-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -3095,6 +3095,7 @@ static void xhci_endpoint_reset(struct u
+ unsigned int ep_index;
+ unsigned long flags;
+ u32 ep_flag;
++ int err;
+
+ xhci = hcd_to_xhci(hcd);
+ if (!host_ep->hcpriv)
+@@ -3154,7 +3155,17 @@ static void xhci_endpoint_reset(struct u
+ xhci_free_command(xhci, cfg_cmd);
+ goto cleanup;
+ }
+- xhci_queue_stop_endpoint(xhci, stop_cmd, udev->slot_id, ep_index, 0);
++
++ err = xhci_queue_stop_endpoint(xhci, stop_cmd, udev->slot_id,
++ ep_index, 0);
++ if (err < 0) {
++ spin_unlock_irqrestore(&xhci->lock, flags);
++ xhci_free_command(xhci, cfg_cmd);
++ xhci_dbg(xhci, "%s: Failed to queue stop ep command, %d ",
++ __func__, err);
++ goto cleanup;
++ }
++
+ xhci_ring_cmd_db(xhci);
+ spin_unlock_irqrestore(&xhci->lock, flags);
+
+@@ -3168,8 +3179,16 @@ static void xhci_endpoint_reset(struct u
+ ctrl_ctx, ep_flag, ep_flag);
+ xhci_endpoint_copy(xhci, cfg_cmd->in_ctx, vdev->out_ctx, ep_index);
+
+- xhci_queue_configure_endpoint(xhci, cfg_cmd, cfg_cmd->in_ctx->dma,
++ err = xhci_queue_configure_endpoint(xhci, cfg_cmd, cfg_cmd->in_ctx->dma,
+ udev->slot_id, false);
++ if (err < 0) {
++ spin_unlock_irqrestore(&xhci->lock, flags);
++ xhci_free_command(xhci, cfg_cmd);
++ xhci_dbg(xhci, "%s: Failed to queue config ep command, %d ",
++ __func__, err);
++ goto cleanup;
++ }
++
+ xhci_ring_cmd_db(xhci);
+ spin_unlock_irqrestore(&xhci->lock, flags);
+
--- /dev/null
+From cd9d9491e835a845c1a98b8471f88d26285e0bb9 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Fri, 4 Oct 2019 14:59:27 +0300
+Subject: xhci: Prevent device initiated U1/U2 link pm if exit latency is too long
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit cd9d9491e835a845c1a98b8471f88d26285e0bb9 upstream.
+
+If host/hub initiated link pm is prevented by a driver flag we still must
+ensure that periodic endpoints have longer service intervals than link pm
+exit latency before allowing device initiated link pm.
+
+Fix this by continue walking and checking endpoint service interval if
+xhci_get_timeout_no_hub_lpm() returns anything else than USB3_LPM_DISABLED
+
+While at it fix the split line error message
+
+Tested-by: Jan Schmidt <jan@centricular.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/1570190373-30684-3-git-send-email-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -4789,10 +4789,12 @@ static u16 xhci_calculate_lpm_timeout(st
+ if (intf->dev.driver) {
+ driver = to_usb_driver(intf->dev.driver);
+ if (driver && driver->disable_hub_initiated_lpm) {
+- dev_dbg(&udev->dev, "Hub-initiated %s disabled "
+- "at request of driver %s\n",
+- state_name, driver->name);
+- return xhci_get_timeout_no_hub_lpm(udev, state);
++ dev_dbg(&udev->dev, "Hub-initiated %s disabled at request of driver %s\n",
++ state_name, driver->name);
++ timeout = xhci_get_timeout_no_hub_lpm(udev,
++ state);
++ if (timeout == USB3_LPM_DISABLED)
++ return timeout;
+ }
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
